Top Reasons to Update to SonicWall SonicOS 6.2.5 for Better Network Protection

Like many people, I sometimes pass over or delay software updates, but this one was different. The new SonicOS 6.2.5 adds so many critical new features and so much functionality that I updated my SonicWall TZ firewall the moment it was available.

The new SonicOS 6.2.5 also gave me a chance to make more sense out of my network. My wife works from home, so our network carries both business and personal traffic. SonicOS 6.2.5 adds support for SonicWall X-Series switches on the SonicWall TZ300, TZ400, TZ500 and TZ600 next-generation firewalls. So by replacing my old switch with a SonicWall X-Series switch, I now have a secure network that will allow me to expand as I add more technology. Plus, I am confident that both our home and business data is now protected with the same security engine that is used by governments, colleges, hospitals and banks.

Here are a few reasons this update makes sense for any small business:

  1. The TZ firewall does not slow my network down.
  2. I manage everything from the TZ firewall, including the switch and my SonicWall SonicPoint access points.
  3. Protection, protection, protection. At the National Retail Federation show in January, I (accurately) predicted 2016 to be the year where businesses will be hit with ransomware attacks. One of the strengths of SonicWall is how fast it protects me from all new malware (in this case, ransomware). I continue to make backups, but I feel confident that I will not get breached by this particularly insidious type of malware.

And here is what is so exciting about this new release for the distributed enterprise:

  1. With GMS, you can centrally manage the entire network infrastructure of a single site (and all distributed remote sites) including firewalls, switches, wireless access points and WAN acceleration devices. Being able to see what is happening on your network and pushing consistent policies to all sites is a compelling reason to upgrade.
  2. Multiple enhancements for more efficient inspection of encrypted traffic (TLS/SSL) with easier troubleshooting, better scalability and enhanced ease of use. Encrypted traffic is on the rise (50% surge according to 2016 SonicWall Security Annual Threat Report). It’s time to up your game and avoid a costly compromise or denial of service.
  3. With SonicOS 6.2.5, SonicWall firewalls have achieved the prestigious Department of Defense (DoD) certification based on stringent security requirements. If a product with a firmware version is qualified for use by DoD, then it’s a safe (pun intended) reason to upgrade your products to 6.2.5 now.

There are also additional improvements that anticipate the dynamic malware business. In our recently published Threat Report, we noted a substantial rise in encrypted communication. This is great for your privacy, but it also gives criminals a very easy method to penetrate networks. Most firewalls either do not inspect encrypted sessions or have this feature turned off, which is a big mistake! An easy way to bypass your network’s security is by sending encrypted malware. Encrypted malware is a reality, so be better prepared with this new OS release. With this new release, the improved user interface makes it easier to set up and manage, especially when it comes to excluding inspection on traffic (such as Google searches).

Building a secure network is something that everyone should insist on. With the new SonicOS features I am a little bit closer. With the addition of X-Series switch support to the TZ line (and it is only the TZ300, TZ400, TZ500 and TZ600 products at this time), my network is easier to manage, less complex and more secure.

My friend, Sathya Thammanur, product manager for SonicWall TZs, talked in more detail about the new features of SonicOS 6.2.5 in his recent launch blog. If you are looking for more information, his comments are a great place to start, or you can download our whitepaper: The Distributed Enterprise and the SonicWall TZ – Building a Coordinated Security Perimeter. If you are ready to upgrade your network, give us a call to explain how security does not have to cost you a lot of money or give you a big headache. As the security officer of your small business, your home or your distributed enterprise, SonicWall has a solution to make your life easier.

Managing the Madness of Multiple Management Consoles with SonicWall TZ Firewall and X-Series Switches

With fast-emerging technologies, the challenge of network design in distributed retail store locations is becoming huge. As retail store and distributed enterprise environments evolve, the underlying network infrastructure must evolve with the transformational changes to embrace new technologies such as mobile and digital media, which aim to improve customer experience. Embracing new technological changes in a retail network needs to be carefully thought through by raising the following questions:

  1. Is the network infrastructure scalable?
  2. With the increased scale, is the network still secure?
  3. Are the operating costs increasing with the network expansion?
  4. Above all, is there still sanity prevailing in the management of such an evolved network?

The ultimate goal of a network design for any distributed retail location is to create a smart, flexible and easy-to-manage platform that can scale to the specific needs of each site, while helping the organization reduce costs and risks. The typical solution to any network design expansion is to throw more capacity at the problem. As support for new technology and devices arises, there is overinvestment with added complexity. A paradigm shift is necessary, one that can provide a converged infrastructure, simple and easy-to-use management and lower operating costs, and that can scale to a retail store site’s specific business need.

Let us start by understanding a typical retail store network. A retail store has many components: Point of Sale (POS) devices that require network access to process orders, multiple PoE-powered devices such as IP cameras, network devices such as storage servers and printers, multiple internal backend networks that employees need access to and, above all, a Guest WiFi requirement that retail customers can benefit from. Taking these attributes into account, a typical retail store design gets broken up into:

  • Multiple internal networks for employee access (for example Sales, Engineering, Finance)
  • Point-of-Sale (POS) network
  • Network devices – PoE Cameras, PoE/PoE+ driven Access Points, Storage Servers & Printers
  • Wireless Networks – Corporate internal wireless, Guest wireless

The retail network design needs to be secure, fault tolerant and interconnected. Security is typically offered by next-generation firewalls, switches provide the interconnectivity and wireless is offered through multiple access points depending on the store location size. With a scattered management design, an IT administrator is faced with the challenge of managing the network through multiple management consoles. There is the added operating cost of licensing for the various management consoles. A certain madness starts to prevail with the varied management solution as we consider troubleshooting issues in such a network.

With the newly launched SonicOS 6.2.5, SonicWall Security launched a special feature, X-Series integration, that allows for a simplified management of secure converged infrastructure across a distributed retail network by integrating SonicWall X-Series switches into a single consolidated management view that already controls SonicWall firewalls, SonicWall SonicPoints (wireless access points), and SonicWall WAN acceleration devices. Using SonicWall Global Management System (GMS), SonicWall now offers a compelling single-vendor, consolidated secure management solution for distributed retail networks. If you are an existing customer and partner looking for the latest release notes, they are posted here: https://support.software.dell.com/sonicwall-tz-series/release-notes-guides

To learn more about the design of a scalable secure retail network, download our Tech brief: Scalable, consolidated security for retail networks.

Three Core Network Security Tips From a K-12 IT Expert

Every moment of every day, anyone or any organization, government or institution – including K-12 – can fall victim to the latest threats and cyber-attacks. If you’re accountable for the network security of an entire school district, you know your success rests largely on everyone understanding and staying current with today’s complex and dynamic risk environment and how to avoid it.

K-12 IT expert Larry Padgett bears this out: “The most important thing is to get everybody to agree that technology security is everyone’s game, everybody on campus, and every division, department and schools must be fully engaged. Otherwise, it is going to be very difficult to be successful.”

Larry is the Director of IT Infrastructure, System Support, Security, and Governance for the School District of Palm Beach County (SDPBC). A career technology leader for more than 29 years, Larry oversees an IT infrastructure that is considered larger than the Coca-Cola® Company in terms of the number of ports and how his networks are laid out. SDPBC is one of the largest school districts in the United States, with 187 schools and 225,000 thousands user accounts under management, including students, faculty, and general staff.

I had the privilege of meeting Larry at the 2015 SonicWall World Conference in Austin, Texas, where I had the opportunity to ask him specifically about the things that he is doing differently that allowed SDPBC to be successful.

Larry explained how security vendors typically talk about security as a layered approach, but it can’t end there. He then described how SDPBC’s winning approach to security rests on three core pillars: people, process and technology.

You must identify those who are, and who aren’t, fully engaged in exercising cyber hygiene within your district. You are responsible for every PC, server and application on your network. You’ll need to know if you are getting support from the board and leadership level down to everyone in the district.

People

  • How do you know if they are knowledgeable about security?
  • Can they identify the risks?
  • Do they all understand the risks?
  • What trials and tests do you have in place to measure how knowledgeable they are about security?

If they’re not all engaged, you’re simply not going to be as successful as you could be. If they’re not as knowledgeable as they need to be, you would want to start discussing security as an everyday topic in your staff meetings, in the classrooms and, more importantly, in your executive and board room discussions. If security isn’t one of the top topics on the board agenda, you have much important work to do to get their buy-in, because nowadays, security is a key risk metric. Your ultimate goal is to get everybody to agree that security is everyone’s game so they become proactively involved in helping your institution be successful.

Process

When there are people involved, you also need to have processes in place that would allow you to make sure that you are doing the right things, that they are doing them well and that what they do is actually effective for the state of business you’re currently operating in.

  • What processes are you using?
  • Have you written them down?
  • How do you know if they are being followed?
  • How are they monitored and measured?

These are questions that enable you to think through all of the risks that you’re going to mitigate, and follow through with implementing robust security policies and practices that can help put you in a better position for success.

Technology

Begin embracing a layered security approach as part of your defense-in-depth framework, because it provides you an effective and proactive way to help fend off today’s advanced threats. At a minimum, the top five security services that you must have as part of your layered security defense are:

  1. A capable intrusion prevention system with threat detection services that can provide complete anti-evasion and inbound anti-spam, anti-phishing and anti-virus protection
  2. SSL inspection to detect and prevent today’s advanced evasive tactics and compromised web sites from sneaking malware into your network through the use of encryption
  3. Around-the-clock threat counter-intelligence for your next-generation firewalls and intrusion prevention systems, so you can receive the latest countermeasures to combat new vulnerabilities as they are discovered
  4. Email filtering and encryption to secure both inbound and outbound communications
  5. Security for endpoints, since most network infections begin with a compromised user device

Avoid Making a Costly Network Security Shortlist Decision

Living the life of a chief security officer (CSO), chief information security officer (CISO) or any title with the word “security” in it nowadays is surely a heart-wrenching experience each day. Far too often, yet another data breach in the news reminds you of the obvious notion that it’s not a matter of if but when you’ll be called upon to manage and contain a security incident in your organization. Regardless of its depth and severity, this has to be very disturbing and there seems to be no end. As a result, you find yourself regularly worrying if you’ve done a thorough job at vetting your cyber-defense system, and determining if it is really doing its job to prevent avoidable attacks on your networks. You understand the stakes. If any part of your security strategy is not functioning at its optimal level, you know your organization is susceptible to countless security risks. The bottom line is you don’t ever want to stand in front of the executives explaining why the company is breached, and dealing with the aftermath as a result of a failure in one or more of your security layers. There is a way, however, to help you avoid such a disaster.

Limited resources and a shortage of security staff can constrain your ability to carry out a rigorous vendor vetting process. The fundamental question then is what alternatives are there to help you efficiently select potential technologies that can put you in a position of strength and success against evolving threats. As a security leader, you’ve been down this road many times. You’re aware that choosing the right technology partner with capable solutions to support your security strategy for the long term is one of the most nerve-wracking but crucial tasks you must undertake. The range of capabilities and factors impacting your choice is overwhelming. You understand very well that making a poor choice could end up costing your organization millions in breach remediation expenses, immeasurable brand damage, loss of public confidence and possibly even your career. To help avoid such a costly decision when shortlisting possible vendors and their solutions for proof of concept (PoC) consideration or making the purchase, there are highly specialized market research companies that are well-recognized by the security industry for their reputable and impartial validation of network security quality and effectiveness that you can confidently use when making your selections.

The difficulty here is that there are many market research companies available. Most have specialization in a variety of technologies including network security. And to make things a little more complicated, each has its own definition, criteria and approach to how vendors are evaluated and graded for their security effectiveness, performance and cost of ownership. The results often vary among them, especially those that are vendor-sponsored research. Subsidized research and testing are always skewed to make one vendor’s product more favorable than its rival. And as such, these kinds of reports lack objectivity, are seldom reliable from a technical perspective, and should not be viewed as serious research. So who should I depend on? Who do I need to stay clear of? Should I trust their findings completely? Where do I start? These are some good questions to help set clear direction and decision points. From our point of view, a good place to start is to give greater attention to independent research companies that are self-funded, have zero connection to any one vendor and focus exclusively on cyber-security. More importantly, you would also want the research to be fully verified by extensive public testing using different permutations of actual real-world use cases that best match your unique security environment requirements.

One particular company has differentiated itself in the IT security category over the past few years: NSS Labs. It is now broadly recognized as the world’s trusted authority in providing unbiased, independent, security product test reports and security intelligence services. NSS Labs reporting can help you shortlist vendors and their products based on empirical laboratory test results as opposed to fuzzy marketing, product surveys, opinion-based analysis and/or peer-to-peer recommendation. The NSS Labs Test report is the ultimate validation of network security performance, resiliency and efficacy under various network traffic mixes and loads that mimic real-world use cases. Download a free copy of the NSS Labs Test Report to gain knowledge of key performance indicators essential to the success of your cyber-defense strategy.

Are Campus Defenses Keeping Up with Attacks from the Cyber Netherworld?

I took a computer science minor when I was in college. Back then, the school computers were in a heavily secured section of one building, and we accessed them from teletype terminals and punch card readers (no, we did not use charcoal on slates by the fireplace in the log cabin!). There was no reason to worry about the security of our computer work, other than needing to stay on the good side of the staff of the computer center so that they wouldn’t reshuffle our punch cards or “misplace” our printouts.

Fast forward more than a few years, when I was doing graduate work at a public university. I took 30 credits online, using recordings of on-campus classes, regular chat sessions with my instructors and fellow students, and accessing research information, including public and professionals-only data sources, through the school’s online library system and its global connections. I didn’t pay too much attention to the security of my online activities; internet connectivity made them possible, but there weren’t nearly the number of bad actors out on the net that there are today.

Today my son is in college, and it’s natural for him to select a mix of online and in-person classes, even though his school is a short drive away. He relies on his school’s IT infrastructure for classwork, exams, registration, and research, and can access these functions as well as find out anything about what is available on the internet, from his laptop or smartphone. And every one of those transactions takes place in a space that is just seething with cyber muggers, burglars, and every variety of malicious actor you can imagine.

Information is the stock in trade of colleges and universities. Information enables students to pursue their degrees, faculty to teach and research, and staff to keep these institutions running. Much of the information has real value in the cyber netherworld, whether it’s personally identifiable information of students, proprietary research conducted with other schools and industry partners, or financial transactions.

Keeping this information secure is a challenge. In a recent Center for Digital Education survey of higher education IT professionals, 72 percent listed data breaches among their greatest current network security concerns. Their top security concerns for the year ahead? Spam, phishing, and malware. What’s standing in the way of better network security? More than four out of five pointed to budget constraints.

Keeping campus networks secure in the face of ever-increasing growth of data, devices used to access that data, and cyber threats requires more effective and more cost-effective security. To learn more about what’s keeping campus IT leaders up at night, and what they’re doing about it, view our on-demand webcast, Network Security in Education: The changing landscape of campus data security.

The Holiday Online Shopping Season is Coming: Is Your Network Prepared?

Now that Halloween is over, it’s time for the holiday online shopping season to kick in, beginning on Black Friday, continuing through Cyber Monday, and finishing up on New Year’s Day. For a lot of people it’s time to start spending money.

When we shop for the holidays many of us like to do it online. The National Retail Federation indicates that more than half of U.S. consumers plan to make at least some of their holiday purchases online this year. Why? Well, we can do it from anywhere at any time. It’s convenient. That includes shopping from work.

What does it mean to your organization? Well, there’s a good chance your employees will spend some of their work time shopping online over the next six weeks. Is that a potential problem? If you consider the security of your network, the productivity of your employees and the use of network bandwidth important to your organization, then the answer is yes, and here’s why.

Online shopping at work introduces security risks. For example, employees may inadvertently create opportunities for malicious attacks directed at your organization. An “attack or threat vector” is the means a hacker uses to gain access to one or more systems or servers on your network. Through the attack vector, the hacker can compromise systems on your network and deliver a malicious payload, the most common being a virus, worm, trojan or spyware. A common threat vector around the holidays is phishing. Phishing is an email fraud method in which the perpetrator sends out a legitimate-looking email instructing recipients to go to the fake website of a reputable business such as FedEx or UPS. The site will attempt to collect personal information such as the user’s name, passwords, social security number and credit card details. Another attack vector you may come across is “malvertising,” or “malicious advertising,” which is a threat that uses online advertising to spread malware. The malware can then capture information from an infected machine, or send probes around the network to find servers and other systems that can be compromised.

The security of your network isn’t the only issue your organization faces during the holiday buying season. Employees are exercising more freedom for personal activities such as online shopping during work hours. This is concerning. Why? Well, they’re shopping on company time so they’re not as productive and it’s likely they’re connecting to sites through the corporate network which could lead to a security risk as well as a misappropriation of valuable bandwidth.

Speaking of your bandwidth, there’s the question of how it’s being used. With likely over half of your employees shopping online at some point during the holidays, the bandwidth available to critical applications on your network is going to disappear. Therefore, it’s critical to prevent vital bandwidth from being consumed by non-productive web use such as online shopping, streaming music and watching HD videos which can all have a negative impact on network performance if left unchecked.

What can you do to secure your network, improve employee productivity and get the most out of your bandwidth during the holiday online shopping season? Here are a few tips:

  • Get a next-generation firewall. If you don’t have one already, next-generation firewalls secure inbound and outbound traffic from threats, provide you the tools to determine which websites your employees can and can’t access (hint – online shopping sites) and allow you to identify and control the apps used on your network and how much bandwidth you want to allocate to them. Not only that, with more websites moving to SSL encryption, it’s important that the next-generation firewall be able to decrypt and inspect encrypted traffic for threats.
  • Help your employees learn how to avoid malvertising and recognize phishing emails. Be alert for suspicious emails and links to unknown websites.
  • Educate employees to use different passwords for every account and establish policies for strong passwords.
  • Many attacks are based on known vulnerabilities in recognized browsers, as well as in plug-ins and common apps. Therefore it’s critical to apply updates and patches promptly and reliably.
  • It’s a good idea to use tools that allow IT managers to monitor the use of network applications. It’s called “Application Intelligence” and it can help you determine if anyone is violating company policies or simply visiting sites that have no business purpose such as online shopping.

SonicWall offers a complete range of industry-leading next-generation firewalls including the NSA Series that integrate numerous advanced features for deep packet inspection such as Anti-Malware, Intrusion Prevention, Application Intelligence and Control, Content and URL Filtering and SSL Decryption and Inspection.

Increase Your Network Security and Control Through Segmentation

When you think about securing a network using a next-generation firewall, in most cases the process immediately goes from the Internet to the local area network (LAN). This may be a good way of thinking if you only have hard-wired desktop clients. However, what if the network includes servers that need inbound access from the Internet, or a wireless network? What steps can you take to protect a network that’s a little more sophisticated?

Let’s look at an example of a small network where the user has a few desktop clients connected to the physical LAN, wireless clients and a storage server. For this specific use case the network segmentation is set up in the following way: the LAN has all of the desktop clients, a wireless LAN (WLAN) serves the wireless clients, and a demilitarized zone (DMZ) is where the storage server is connected.

From the LAN, clients are allowed to get to the Internet, but access to the other network segments is blocked. This includes the default policy to block all incoming access from the WAN or Internet.

Wireless users can get to the Internet but are blocked from accessing any of the other network segments. In order for the wireless users to access other network segments they must authenticate to the firewall. Once authenticated, each wireless user can gain access to the other network segments as needed. This was done to increase security from the WLAN and prevent unauthorized access to the other network segments.

Finally, on the storage server segment, the default policy is to block access to all other network segments. This is done to ensure that if the storage server were to become compromised through a vulnerability in its software, it would not allow a hacker to gain access or malware to spread to other network segments on the LAN or WLAN. For WAN access, all traffic is blocked, although a specific set of ports is allowed to provide the ability to automatically update the software on the storage server.

Now you may look at this and be thinking this is overkill for such a small network. However, being in the security industry for the past 15 years and educating partners and customers on proper network design, I figured it would only benefit my own network security by implementing a security design that limits access between network segments.

While I’m not saying that all networks need to have this level of complexity, it is a good idea to think about network segmentation and not put all connected devices on a single segment just because it’s easy. The network segmentation will help to control traffic not only north and south, but also provide controls for traffic going east and west between network segments.
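The zone policy described above can be written down and checked mechanically. The following is an added example, not part of the original post and not SonicOS configuration: it models the LAN/WLAN/DMZ/WAN rules as a first-match, default-deny rule list and audits which segments an unauthenticated host in each zone can reach. The `Rule` class, the function names and port 443 for the storage server's updates are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

ZONES = ("LAN", "WLAN", "DMZ", "WAN")


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str                              # "allow" or "deny"
    ports: Optional[FrozenSet[int]] = None   # None matches any destination port
    require_auth: bool = False               # matches only authenticated users


# Constructed rule set mirroring the post. Port 443 for the storage server's
# update traffic is an assumption; the post only says "a specific set of ports".
RULES: List[Rule] = [
    Rule("LAN", "WAN", "allow"),
    Rule("WLAN", "WAN", "allow"),
    Rule("WLAN", "LAN", "allow", require_auth=True),
    Rule("WLAN", "DMZ", "allow", require_auth=True),
    Rule("DMZ", "WAN", "allow", ports=frozenset({443})),
]


def evaluate(src: str, dst: str, port: int, authenticated: bool = False,
             rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule; default is deny."""
    for rule in rules:
        if (rule.src, rule.dst) != (src, dst):
            continue
        if rule.ports is not None and port not in rule.ports:
            continue
        if rule.require_auth and not authenticated:
            continue
        return rule.action
    return "deny"


def reachable(src: str, authenticated: bool = False,
              rules: List[Rule] = RULES) -> Set[str]:
    """Zones that src can reach on at least one destination port."""
    # Probing every port named in a rule plus one port named in none covers
    # every distinct way a port can match or miss the rule list.
    named = {p for r in rules if r.ports for p in r.ports}
    probes = named | {next(p for p in range(1, 65536) if p not in named)}
    return {
        dst for dst in ZONES
        if dst != src and any(
            evaluate(src, dst, p, authenticated, rules) == "allow" for p in probes
        )
    }


def audit(rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """List (src, dst) pairs that break the intended containment.

    Intended design from the post: without authenticating, an internal zone
    reaches only the WAN, and the WAN reaches nothing.
    """
    findings = []
    for src in ZONES:
        permitted = set() if src == "WAN" else {"WAN"}
        for dst in sorted(reachable(src, False, rules) - permitted):
            findings.append((src, dst))
    return findings


if __name__ == "__main__":
    print("baseline findings:", audit())
    # A convenience rule added later (constructed) opens an east-west path
    # from the storage server segment to the desktops.
    drifted = RULES + [Rule("DMZ", "LAN", "allow")]
    print("after rule drift:", audit(drifted))
```

Running the audit after every rule change catches the case where a convenience rule quietly reopens an east-west path out of the storage server segment.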

SonicWall NSA Next-Gen Firewall Series

With the SonicWall firewalls it’s possible to create a wide variety of segments using either physical or logical interfaces or the internal wireless radio if available. Once an interface is defined, you can then apply a zone classification such as LAN, DMZ, WLAN or custom, and from there apply policies to control access between the various segments and limit unauthorized access. For increased security you can also apply authentication requirements as well. To learn more about how SonicWall next-generation firewalls can help secure your network read the “Achieve Deeper Network Security and Control” white paper.

Are You Compromising Your Business Security

As advances in networking continue to provide tremendous benefits, businesses are increasingly challenged by sophisticated attacks designed to disrupt communication, degrade performance and compromise data. Striking the perfect balance between network security and performance is no easy task. Meeting these demands can be especially daunting for small businesses, which usually cannot afford the same degree of protections as their larger counterparts.

The good news is that, with technology, higher performance and superior security are possible. By minimizing the attack surface that a business presents to the world, security can emerge as a differentiator rather than an inhibitor.

The first line of defense for any business, large or small, is an updated and properly configured firewall. In fact, if your business is still using a traditional firewall to protect against malicious threats, you may not even realize that you are woefully unprotected. Though firewalls are an essential part of network security, many (especially traditional firewalls) offer limited protection. They can monitor and block traffic based on source and destination information. But they can’t look inside packets to detect malware, identify hacker activity or help you manage what end users are doing on the internet. Even if you have purchased a firewall just a few years ago, it might not be able to inspect encrypted traffic, leaving you exposed to encrypted malware.

Securing the small business

Just because your business is small doesn’t mean you are at any less risk for a security breach than a larger business. The reality is that cyber-criminals use automated scanning programs that don’t care whether your company is big or small; they are only looking for holes in your network security to exploit.

With tight budgets and fewer resources, small businesses need to make sure their firewalls are delivering maximum protection without sacrificing productivity. To achieve this goal, IT administrators should insist on solutions that provide:

  • Blazing-fast performance: Your firewall must not become a network bottleneck. If it holds up network traffic, then users complain about poor performance and slow response times. Administrators respond by easing security restrictions. The result? The business compromises its security to maintain acceptable performance. It’s a dangerous trade-off that should never happen.
  • Exceptional security: Insist on a firewall that includes deep packet inspection (DPI) technology to decrypt and inspect Secure Sockets Layer (SSL) traffic into and out of the network. Unfortunately, traditional firewalls lack this capability, which means hackers and cybercriminals can smuggle malware right through the firewall just by concealing it in SSL traffic. Many say their firewalls do inspect SSL traffic but fail to tell you how this impacts performance.
  • Low total cost of ownership (TCO): Security solutions that operate in silos can result in gaps and complexity that can kill efficiency and squander resources. Look for an integrated firewall that can be quickly set up and fine-tuned. Easy-to-use features, such as graphical interfaces and setup wizards, can save administration time and help reduce operation and maintenance costs.

As small businesses make growing use of cloud applications, the security perimeter between your network and the internet becomes blurred, so there is nothing as essential as a solution that draws the line to keep out unwanted intrusions. Your network provides access to critical applications and houses sensitive company and customer data. A single network breach can shut down your operations for days, or allow a hacker to steal vital business data. If you are not currently using or evaluating a next-generation firewall, you should be; there’s too much at stake.

Thanks to advances in firewall protection technology, achieving robust network security without sacrificing performance is possible and affordable. To read more tips on how to keep your small business network more efficient and secure, read the e-book, “Securing your small business.”

Five Essentials for Best of Breed Next Gen Firewalls

Beyond basic network firewall testing scenarios, the specialized firewall testing tools needed to accurately assess next-generation firewall (NGFW) security effectiveness remain out of reach for all but the largest IT department budgets. Therefore, most organizations look to independent hands-on test results from respected research laboratories such as NSS Labs. NSS Labs uses a very specific testing methodology that is run on each of the NGFWs being tested. Their Next-Generation Firewall Product Analysis Report provides detailed information on how a specific firewall scored when tested in these key essential areas:

  • Security Effectiveness
  • Performance
  • Stability and Reliability
  • Management and Configuration
  • Total Cost of Ownership

Security Effectiveness

Security effectiveness verifies that the firewall being tested is capable of enforcing the security policy effectively. Security effectiveness tests include:

Firewall Policy enforcement

Incremental tests that build the configuration from a simple to a complex real-world policy consisting of many addresses, policies, applications, inspection engines, and protection from DoS attacks and IP spoofing.

Application Control

The firewall is tested to see whether it can correctly determine the application regardless of the ports/protocols used and enforce application policy with appropriate granularity.

User/Group ID aware policies

Correctly determine user/group from deep packet inspection and enforce policy with user awareness.

Intrusion Prevention

Correctly block malicious traffic “out of the box” using the default policy (for this test no IPS tuning is allowed).

Evasion

Decode and block basic obfuscated exploits and provide an accurate alert based on the actual attack, without being fooled by the evasion technique itself.

How did SonicWall next-generation firewalls do? They passed all criteria. Noteworthy SonicWall results included a 97.9 percent exploit block rate. No NGFW tested achieved a 100 percent exploit block rate, due to the constantly changing NSS Labs test suite. However, over the last three years SonicWall has consistently been rated in the leaders quadrant and has demonstrated a consistently improved block rate year over year.

Performance

Measures how well a given NGFW performs when subjected to various traffic conditions. No two networks will have the exact same characteristics but this test does provide metrics to gauge if a given NGFW is appropriate in a given environment.

  • Raw Packet Processing Performance (UDP packets of various sizes are tested): Measures the raw packet processing capability of each of the NGFW’s in-line port pairs; the packet forwarding rate is measured for highest performance/lowest latency.
  • Latency (packet loss/average latency): Determines the effect the NGFW has on traffic passing through it under various loads. Traffic passes through all port pairs simultaneously.
  • Maximum Capacity (generates TCP session-based connections and HTTP transactions): Stresses the inspection engine with multi-gigabit “real world” traffic generated to determine expected user response times, maximum connections per second, concurrent open connections, and application transactions per second on a backdrop of a heavily utilized network.
  • HTTP Capacity, No Transaction Delay (uses HTTP GET requests): Measures how much HTTP traffic can be passed at varying packet sizes and various connections-per-second loads.
  • Application Average Response Time, HTTP (across all in-line port pairs simultaneously): Measures average HTTP latency using various packet sizes at 90 percent of maximum load.
  • HTTP Capacity with Transaction Delay: Same as above, except that it introduces a 5-second server response delay, which forces a high number of open connections.
  • Real World Traffic (generates the protocol mix usually seen by industry verticals, i.e. financial, education, data center, mobile carrier, etc.): Same as the previous test, except that it adds additional protocols and real content.

Stability and Reliability

These tests measure how well a next-generation firewall passes legitimate traffic while under attack. To pass, the NGFW must be able to block and alert on 100 percent of the attacks previously blocked while remaining operational.

  • Blocking Under Extended Attack: Measures consistency of blocking. Sends continuous policy violations at 100Mbps over 8 hours.
  • Passing Legitimate Traffic Under Extended Attack: Same as the previous test, except that legitimate traffic is sent in addition. The NGFW must pass all legitimate traffic.
  • Behavior of State Engine Under Load: Can the NGFW preserve state across a large number of connections over an extended time? It must not exhaust the resources allocated to state tables or ‘leak’ connections through after the theoretical maximum number of concurrent connections is reached.
  • Protocol Fuzzing and Mutation: Sends random, unexpected, or invalid data to the NGFW and verifies that the NGFW remains operational and detects/blocks exploits throughout the test.
  • Power Fail: Power is turned off while passing traffic; the NGFW should fail closed after power is cut.
  • Persistence of Data: Measures whether the NGFW retains policy, configuration and log data when restored from a power failure.

Total Cost of Ownership and Value

Measures the overall costs of deployment, maintenance and upkeep over the useful life of the product.

  • Product Purchase: Cost of acquisition.
  • Product Maintenance: Fees paid to the vendor (hardware maintenance, subscription services, etc.).
  • Installation: Time required to make the NGFW operational out of the box.
  • Upkeep: Time required to apply vendor-supplied firmware, updates and patches.

How Next Gen Firewalls are Increasing Your Business Profitability

Shrinking or flat IT security budgets and personnel: this is what many organizations of every size face daily. Meanwhile, security threats and compliance requirements continue to grow and become even more complex.

In response, many companies have implemented single security solutions on a reactive basis. For example, they might have started with a traditional firewall to protect their network, then implemented a web content filtering gateway and then added a dedicated intrusion prevention system (IPS/IDS) solution. Nevertheless, each of these solutions can come at a high cost and requires a single specialist to administer and manage; the overall total cost of ownership (TCO) goes through the roof! And these pain point solutions can leave gaping holes between them, exposing the business to potential security breaches and compliance violations, instead of helping mitigate the risks: this can’t be!

The advent of faster hardware and cores has allowed for the consolidation of once standalone security solutions into a single appliance – Next Generation Firewalls (NGFWs). They provide dramatic improvements in protection versus traditional firewalls, particularly in dealing with today’s more sophisticated and rapidly changing threat landscape. They allow organizations of all sizes to do more with less and therefore save money!

In the UK, BSkyB’s mobile Wi-Fi service, The Cloud, needed to upgrade the content filtering it provided, as it was becoming increasingly difficult to scale the service, and the performance was at risk. The Cloud selected SonicWall NGFW (SuperMassive 9000 series) with its content filtering service, which reduced upgrade work by 75 percent and ensured cost-effective Wi-Fi service performance, delivering twice the capability at a quarter of the cost. Going forward, The Cloud can also use the additional NGFW security capabilities at no additional cost, and benefit from more straightforward CapEx forecasting.

In Spain, Benetton looked to enhance store operation and productivity across the country by gaining better control of network connections between its stores and its head office. Efficiency is at the forefront of the company’s goals to deliver enhanced customer services at a lower cost.

The company chose SonicWall NGFW to connect and protect its stores and achieve its business goals. By replacing a traditional firewall with NGFW technology, Benetton Spain ensures the complete protection of its network while spending 39 percent less compared to its legacy solution; this is critical to the company, as it is able to fund new IT projects from the savings. Another key benefit of implementing a NGFW is in-store personnel productivity, thanks to the content filtering service and application firewall functionality; now shop assistants can access the Benetton Spain website and other sites that help them deliver a better service to customers. At the same time, users from the marketing department have access to a full range of sites, including social media, which they need for their job, while the network is protected from potential cyber attacks. Also, as a retailer, Benetton Spain has to comply with numerous safeguards like PCI DSS to protect consumer data and credit card details. Because SonicWall NGFW provides IPsec VPN and a gateway AV service, Benetton Spain can tick the PCI DSS compliance box.

As these two particular examples demonstrate, the financial benefits of the NGFW technology are real and very much tangible, from improving employees’ productivity, to better customer service, operational cost savings and allocating budget to other IT projects, and meeting compliance requirements.

The threat landscape is changing rapidly with new types of malware, and cybercriminals have become increasingly sophisticated and coordinated in their attacks. They are out to exploit every vulnerability, and if your organization is not taking advantage of the advanced protection offered by NGFWs, then you are at increased risk of a successful attack. Deploying a NGFW will provide the network protection you need, and will also help you improve efficiency and save some money you can re-invest into your business!