Posts

Why Firewall Throughput Numbers Don’t Tell the Whole Story

When choosing a new vehicle, most people consider fuel economy as one of their criteria. Now imagine a new car manufacturer began running ads stating their large SUV achieved 60 mpg (or 25.5 km/l, if you prefer).

That sounds pretty impressive, right? If you found out that that estimate was achieved in a in lab with no simulated wind resistance or road friction, using an engine bolted to a bare chassis — no seats, no upholstery, steering wheels, lights, etc. — you’d probably be much less excited, and rightly so!

Unlike with vehicles and the EPA, however, when it comes to firewalls, there is no one set standard for evaluation. Vendors use a variety of deployments and conditions to collect metrics, with one of the most frequently used in NGFW evaluations being “firewall throughput.”

Firewall Throughput vs. Threat Prevention Throughput

A next-generation firewall (NGFW) is a security device that protects an organization from external as well as internal threats, both known and zero-day. When choosing a firewall for an organization, it is essential to consider the expected network traffic volume and the required security features, ensuring that the selected firewall can handle the network’s current and future demands effectively.

For this reason, a NGFW’s “stats” are often a crucial factor when choosing a NGFW vendor. But some are more useful to the decision-making process than others, as we see when we compare “firewall throughput” and “threat prevention throughput.”

Firewall throughput is the rate at which a stateful packet inspection (SPI) firewall can process and inspect network traffic while maintaining the stateful connection tracking information. SPI is a firewall technology that keeps track of the state of network connections and allows or denies traffic based on the context of those connections.

On the other hand, threat prevention throughput is the packet rate measured with all the security services like Intrusion Prevention (IPS), Anti-Virus, Anti-Spyware and Application Control turned ON.

(For best results, it is essential to actually check the threat inspection throughput, as opposed to just looking at the stated firewall throughput or threat inspection throughput numbers. Load testing and performance evaluations should also be performed to verify that the firewall’s throughput meets your organization’s requirements.)

How SonicWall Measures Up to Other Vendors Under Real-World Conditions

In situations in which other vendors’ threat prevention throughput numbers drop dramatically, SonicWall maintains its threat prevention throughput at a healthy number.

For instance, Vendor A’s threat prevention numbers dropped by 88% on their “Model B,” compared to a drop of 63% on the SonicWall TZ270. Please see below table for more info:

Comparison chart showing SonicWall's superior threat prevention performance.*Based on data publicly published by Vendor A, current as of 9/1/2023

Similarly, Vendor B’s threat prevention numbers dropped by 96% on their “Model A,” compared to a drop of 63% on a TZ270, as outlined in the table below:

Firewall throughput graph illustrating SonicWall's consistent performance.*Based on data publicly published by Vendor B, current as of 9/1/2023

How SonicWall Helps Solve Threat Inspection Requirements

Unlike other proxy-based firewalls, the SonicOS architecture is at the core of every SonicWall physical and virtual firewall, including the TZ, NSa, NSv and NSsp Series.

SonicOS leverages its patented, single-pass, low-latency, Reassembly-Free Deep Packet Inspection (RFDPI) and Real-Time Deep Memory Inspection (RTDMI™) technologies to deliver industry-validated high security effectiveness, SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.

How Does Reassembly-Free Deep Packet Inspection® (RFDPI) Work?

Reassembly-Free Deep Packet Inspection (RFDPI) is a high-performance, proprietary inspection engine that performs stream-based, bi-directional traffic analysis. Best of all, it does so without proxying or buffering, to uncover intrusion attempts and malware and to identify application traffic regardless of port. This architecture includes:

  • Bi-directional inspection
    Scans for threats in both inbound and outbound traffic simultaneously to ensure that the network is not being used to distribute malware. It also ensures that the network does not become a launch platform for attacks in case an infected machine is brought inside.
  • Stream-based inspection:
    Proxy-less and non-buffering inspection technology provides ultra-low latency performance for deep-packet inspection of millions of simultaneous network streams without introducing file and stream size limitations. It can be applied on common protocols as well as raw TCP streams.
  • Highly parallel and scalable single-pass inspection
    The unique design of the RFDPI engine works with the multi-core architecture to provide high DPI throughput and extremely high new session establishment rates to deal with traffic spikes in demanding networks. A single-pass DPI architecture simultaneously scans for malware, intrusions and application identification, drastically reducing DPI latency and ensuring that all threat information is correlated in a single architecture.

How a Packet Passes Through a Competing NGFW with Proxy-Based Architecture vs. a SonicWall NGFW

The file limitations on other NGFWs can create dangers, because in some cases not all files are being scanned (see Fig. 1).

Stream-based inspection diagram explaining SonicWall's RFDPI technology.

Fig.1

SonicWall’s technology is designed to ensure files are scanned regardless of size (See Fig. 2).

Another stream-based inspection diagram explaining SonicWall's RFDPI technology.
Fig.2

Read the tech brief on RFDPI to learn more about this stream-based inspection technology.

Conclusion

When evaluating firewall vendors, keep in mind the importance of evaluating threat performance with all the security services turned ON. Threat prevention for firewalls is essential to maintain continuous network protection and reduce the risks of potential security incidents. With SonicWall’s NGFWs, threat prevention is enabled and threat prevention throughput numbers are maintained without the huge drops seen with other vendors.

What is Secure SD-WAN and How Can It Save Me Money?

No matter your type of organization — large or small, public or private — cutting expenses is always a key initiative. After all, reducing your OpEx looks good on the books and enables the company to invest in other meaningful initiatives.

One cost every organization faces is internet connectivity. Access to the internet is essential for communications, website hosting, sharing files, serving up apps and a host of other activities. But it can be expensive, especially if your organization has multiple offices, branches or stores.

Today’s broadband users, whether employees or customers, define their experience by performance rather than availability. We don’t just expect to have access to apps and videos, we demand that they perform in real time. Any delay is met with complaints and a call for more bandwidth, which increases expenses.

How to Securely Connect, Network Remote Locations

When you have a distributed network with branch or remote locations, they need to be securely connected with each other and the corporate headquarters. This can be done using several techniques. One common method is multiprotocol label switching (MPLS). Using MPLS, organizations can create a private wide-area network (WAN) to securely send data between locations via the shortest path available without going through the public internet.

“Integrated security features with SD-WAN are table stakes for most enterprises adopting the technology.”

Mike Fratto
Analyst
451

MPLS supports multiple connection types, including T1 and frame relay. The problem? These connections have to support an increasing number of connected devices and bandwidth-intensive applications that demand higher speeds, which means they’re expensive. That’s why many distributed organizations are moving to SD-WAN (software-defined wide-area network).

“For SD-WAN to be a viable alternative to private WANs, enterprises need to ensure they have the same level of inspection and enforcement at the branch and remote sites as they have at the data center,” said Mike Fratto, analyst at 451, in SonicWall’s official launch announcement. “Integrated security features with SD-WAN are table stakes for most enterprises adopting the technology.”

Reduce Costs with Secure SD-WAN

To help organizations reduce their costs while still receiving secure and consistent performance for business-critical applications, SonicWall offers Secure SD-WAN. A feature of SonicOS 6.5.3, the operating system for SonicWall TZ and NSa firewalls, Secure SD-WAN technology enables distributed organizations to build, operate and manage secure, high-performance networks using readily-available, low-cost public internet services, such as DSL, cable and 3G/4G.

An alternative to more expensive WAN connection technologies, including MPLS, Secure SD-WAN enables virtually any organization — retailers, banks, manufacturers and others — to connect sites spread over great distances for the purpose of sharing data, applications and services. Features such as intelligent failover and load balancing help ensure consistent performance and availability of critical business and SaaS applications.

And, unlike solutions from pure-play SD-WAN providers, Secure SD-WAN doesn’t require you to purchase additional hardware or licenses.

Secure SD-WAN: Safe, Fast & Reliable

Reducing expenses is always a priority for every organization. What else is? Here are some other key issues Secure SD-WAN helps distributed enterprises solve:

  1. Protect your network from cyber criminals. Both encrypted and unencrypted traffic run through a SonicWall next-generation firewall to be scanned for threats, such as malware and ransomware, ensuring maximum threat detection and prevention. If you have a separate SD-WAN-only solution, you’ll need to make sure you also have a way to protect data from modern cyberattacks, such as encrypted threats and ransomware.
  2. Achieve consistent, optimized application performance. Realize faster, more consistent performance for SaaS and business-critical applications, such as VoIP, video and unified communications, through capabilities such as deterministic application performance, which steers the apps over less-congested links to overcome jitter, latency, packet loss and other unfavorable network conditions.
  3. Enhance agility. Using SonicWall Zero-Touch Deployment, bringing up new sites is greatly simplified. Provisioning hardware remotely removes the need to have onsite IT personnel perform the task. In addition, IT administrators can manage the entire network, including devices at SD-WAN-enabled branch/remote locations, through a single pane of glass using Capture Security Center, SonicWall’s cloud-based management and analytics platform.

Learn more about how SonicWall can help your distributed enterprise reduce costs and complexity while enhancing security by switching from expensive MPLS to Secure SD-WAN.

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example this scenario is an advertisement heavy webpage that can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed a code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users.  For example, light web users may use an average of 30-50 connections, with peak connection count of 120-250.  On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis that alone will allocate at least 500 connections for that user (with the possibility to consume 2,000+ connections). For a mainstream organization it is safe to assume that on average 80% of the users are considered as light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers will provide a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, it’s necessary for SonicWall to address the forever increasing demand in the number of connections to satisfy the customer need and provide them with a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count  for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance  (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9 when compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by foregoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connection by taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award winning Capture ATP, a cloud sandbox service by improving the user experience of the“Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of few thousand employees, SonicWall is always considering its customers’ needs and strives to better serve you by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet (s). Upgrade today.

Don’t Be Fooled by the Calm After the WannaCry Chaos: Continuously Toughen Your Security

Some consider WannaCry to be the first-ever, self-propagating ransomware attack to wreak havoc across the globe. The chaos that followed is yet another harsh wake-up for many, in a situation far too familiar.  Only this time, the victims are new, the infection spreads more rapidly, the effects are far-reaching and the headlines are bigger.  I am sure you may be feeling overwhelmed with the ongoing news coverage of the EternalBlue exploit, WannaCry ransomware and Adylkuzz malware this past week.   Let us recap a few important observations to help us avoid a replay of history.

The WannaCry crisis was unlike any previous zero-day vulnerabilities and exploits that caused massive cyber-attacks in previous years. The major difference in this event is that there were early warning signs portending this sort of cyber-attacks through a series of leaks by the Shadow Broker, an unidentified hacking entity responsible for putting stolen U.S. National Security Agency (NSA) hacking secrets in the hands of nefarious actors, both foreign and domestic, looking to do us harm. Since the forthcoming threat was public knowledge and organization had ample time to mitigate the risk, why was WannaCry still able to achieve the level of success that it did? The reasons are quite simple and common with most organizations today.

1. Take care of the basics

Winston Churchill once remarked, “We live in the most thoughtless of ages. Every day headlines and short views.” Although the wisdom in these words was uttered many years ago, it seems as though we have yet to change our ways with respect to repeating poor cyber hygiene patterns. There are data security experts who have suggested that poor cyber-hygiene has caused as much as 80% of security incidents. Whether this figure is accurate or not, it is certain that the WannaCry and Adylkuzz attacks are the latest examples to support this statistic. Because of unpatched Microsoft’s Windows systems, victim organizations have allowed a broadly publicized and easily preventable exploit and ransomware to move into their environments simply because some of the most basic security measures were either not established or followed.

To avoid repeating this sort of mistake, organizations must understand that taking care of the basics means standing between being likely breached and likely avoiding one. Therefore, instituting a zero-tolerance policy to patch every system and device in the environment must never be an option. Putting in place auditable workflows and technology that can programmatically check and perform security updates without the need for manual intervention will help organizations move towards a more proactive defense posture.

2. Security staffing an unsolved problem

What we are seeing right now is a serious talent shortage in the security employment industry. Hiring good, affordable security professionals is a huge concern for many organizations across all industries. When organizations do not have adequate security staff or are unable to fill positions, they do not have the capacity necessary to proactively identify and remediate risk areas at the speed needed to avoid a security event like WannaCry. This common, unsolved problem manifests itself with most organizations, especially during major cyber events.

Many of the most significant issues organizations have in common today include the lack of understanding and visibility of:

  • What and where are the at-risk assets
  • Who and where are the at-risk users
  • What and where are the at-risk systems and devices
  • What are the risks and threats to focus on
  • What a proper security response plan looks like are

3. Lack the right tools in place

We have a situation today where exploit kits and ransomware are leveraging SSL/TLS encrypted traffic predominately for evading detection. A recent Ponemon Institute study reported that 62% of respondents say their organizations do not currently decrypt and inspect web traffic. However, the real concern is the fact that half of those respondents, who disclosed they were victims of a cyberattack in the preceding 12 months, claimed attacks leveraged SSL traffic to evade detection. So why is that?

The reasons provided in the same Ponemon study revealed that for those organizations that are not inspecting encrypted traffic:

  • 47% of the respondents said lack of enabling security tools was the top reason
  • 45% divulged that they do not have sufficient resources
  • 45% said they have overwhelming concerns about performance degradation.

Encrypted attacks threatening mobile devices, endpoint systems and data center resources and applications are on the rise. As we move towards an all-encrypted internet, organizations no longer have a choice whether to establish a security model that can decrypt and inspect encrypted traffic to stop hidden threats.

To learn more, here are two relevant informational pieces written by my colleagues on the WannaCry ransomware event that I highly recommend you to read. They offer additional perspectives and insights that can help you solve these security issues and be readily prepared for the next wave of cyber-attacks.

  1. WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network? by Rob Krug, Solution Architect, Security
  2. SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack by Brook Chelmo, Sr. Product Marketing Manager

When the chaos over WannaCry calms, the big question becomes, will you move on from this historic event with the lessons we’ve learned? Your answer is crucial since it will determine if the next major incident yields a more readied response from your organization.

Footnote: Ponemon Study,  Uncovering Hidden Threats within Encrypted Traffic, 2016

Three Ways to Protect Your Business Against Ransomware-as-a-Service

Last week I was at one of our sales offices in Utah. I heard an interesting story about how a dentist office called in to ask for threat prevention against ransomware. The dentist office had been affected by ransomware twice in a short period of time. Twice, they paid the ransom to ensure business continuity and customer retention. This is a common story across many small to medium-sized businesses (SMBs) though we seldom hear about them in the media.

According to a study conducted in June 2016 by Osterman Research Inc., 30 percent of the ransom amounts demanded are $500 or less, reflecting the size of businesses affected by the attacks. SonicWall’s GRID threat research team has seen massive increases in ransomware infections for 2016, mostly coming from small and medium businesses. A new variant of ransomware, Ransomware-as-a-Service (RaaS), designed to be user friendly and deployable by anyone, can simply download the virus either for free or for a simple fee.

Ransomware-as-a-Service

Even simple measures can help protect against ransomware. Here are three ways:

Training

The same study shows that 67 percent of U.S. cyberattacks originate via phishing through emails. Organizations requiring employees to do security awareness training once a year at least are less likely to get infected than companies that do it less frequently. Training alone is not sufficient, but can provide the necessary first line of defense for a lot of businesses.

Data backup

Ransomware exists because organizations keep paying the attackers for their data.  With a good data backup infrastructure, businesses can redeem itself quickly by cleaning up their network and restoring the data from backup.

Technology

Advanced threats like ransomware attack all kinds of businesses. After multiple attacks, a big business can revive itself and get back on track. However, SMBs cannot afford such multiple attacks. Small amounts paid multiple times can quickly add up, and result in closure of a small business. It is even more important today for SMBs to invest in strong and advanced security solutions available through next-generation firewalls.

SonicWall firewalls have been protecting SMBs all over the globe for more than 25 years. With the comprehensive SonicWALL Gateway Security Suite providing gateway anti-virus, URL/web filtering and intrusion prevention services, businesses were protected 24x7x365 against known malware. With the recent increase in unknown malware and zero-day threats, the new Advanced Gateway Security Suite (AGSS) includes SonicWall Capture ATP,  a multi-engine network sandboxing solution, providing advanced threat protection to all SonicWall firewalls including the TZ Series for SMBs.

Discover best practices and download our solution brief: How to protect against ransomware.

Use the Advanced Gateway Security Suite from SonicWall.