Next-Generation Firewall Market Analysis: The SonicWALL Difference
SonicWALL advantages over Check Point, Cisco, Fortinet, Juniper, and Palo Alto Networks
CONTENTS

- Introduction
- Application Intelligence
- Application Visualization (On-Box)
- Application Visualization (Off-Box)
- Application Control
- Architecture and Performance
- Malware Prevention
- Technology Ownership
- Value-Add Security Features
- Breadth of Coverage
- Distributed Management
- Conclusion

Introduction

Next-Generation Firewalls (NGFWs) have rapidly become a must-have countermeasure for today's security- and compliance-conscious organizations. Simply put, this is because NGFWs overcome the deficiencies and challenges of conventional, stateful inspection firewalls that rely solely on IP addresses, ports, and protocols for classifying and controlling network traffic. In particular, by adding application awareness and control, integrated threat prevention, and the ability to account for other contextual information (e.g., user identity) on top of legacy network-layer capabilities, NGFWs:

- Provide the ability to effectively control exactly which applications are being used on the network, how they are being used, and who is using them, while also preventing associated threats, despite the fact that the majority of applications now rely on only a handful of protocols (e.g., HTTP and HTTPS), and the proliferation of evasive techniques such as the use of non-standard ports, protocol tunneling, SSL encryption, and port-hopping
- Reduce device sprawl, network complexity, and the inevitable gaps in one's defenses by obviating the need for numerous helper products (e.g., standalone network IPS, gateway anti-virus, URL/content filtering, etc.)

At least that is the case in theory. As the saying goes, however, the devil is in the details.
In reality, there is considerable variation from one product to the next in terms of how NGFW capabilities are being achieved and, therefore, in terms of how well they deliver on their supposed value propositions. The purpose of this paper is threefold: to expose some of the variability and associated weaknesses of competing products; to arm evaluators with the means to further reveal similar differences and deficiencies; and to highlight why your organization's next firewall purchase should be a Next-Generation Firewall from SonicWALL. In particular, this paper examines nine crucial areas of NGFW characteristics and capabilities where the SonicWALL NGFW has compelling advantages compared to its primary competitors. In each case, a general description of the area is provided, followed by an explanation of SonicWALL's strengths and capabilities in that area, an enumeration of competitor shortcomings, and a set of probing questions NGFW purchasers can use to help obtain essential details and reveal the true capabilities of the products they are considering.

Competing NGFW Products

- Check Point Security Gateways
- Cisco ASA Series Adaptive Security Appliances
- Fortinet FortiGate Appliances
- Juniper Networks SRX Series Services Gateways
- Palo Alto Networks PA-Series Firewalls

Areas of Differentiation

- Application Intelligence
- Application Visualization (On-Box)
- Application Visualization (Off-Box)
- Application Control
- Architecture and Performance
- Malware Prevention
- Technology Ownership
- Value-Add Security Features
- Breadth of Coverage
- Distributed Management

Application Intelligence

Application intelligence, or awareness, is a foundational component of a Next-Generation Firewall. It is what enables the identification of individual applications within network traffic, ideally irrespective of port, protocol, or evasive tactic.
Coverage should be both broad and deep in terms of the variety of applications, and the specific functions within them, that can be distinguished, and is typically based on the presence of an extensive application signature library and the resources to maintain it.

SonicWALL capabilities and strengths. The SonicWALL Next-Generation Firewall leverages SonicWALL's Reassembly-Free Deep Packet Inspection (RFDPI) and a continuously expanding signature database to scan every packet across every protocol and interface to identify and control over 3,500 applications and individual application functions. This approach has no reliance, dependence, or limitation relative to the ports and protocols being used, and can optionally be extended to SSL-encrypted traffic as well. In addition, the SonicWALL Research Team constantly generates new signatures, which are automatically delivered and implemented without administrators having to update rules and/or underlying application objects. Organizations can also create their own custom signatures, as needed or desired.

In comparison. Check Point, Cisco, and Juniper initially classify all traffic using port- and protocol-dependent methods prior to passing it to an IPS-oriented module for application detection and enforcement. Characteristic of a solution where application awareness has been bolted on (rather than designed in from the outset), this approach is inherently flawed because it allows traffic that is initially misclassified by an unreliable inspection technique to bypass further inspection and control. Cisco, Fortinet, and Juniper also have considerably fewer signatures than the SonicWALL solution, and lack custom signature creation capabilities. Check Point's recently released Application Control Software Blade, on the other hand, requires navigation and management of over 50,000 signatures and depends on configuration of non-standard ports for each signature.
It also lacks both SSL inspection and custom signature capabilities.

Questions purchasers should ask candidates to pursue this topic further include:

- What are the specific mechanisms used to identify apps, and how do they work?
- What must be done to identify apps regardless of port, protocol, and SSL encryption?
- Is application identification the primary means for classifying traffic, or has application intelligence and control been retrofitted to a traditional firewall?
- Who is responsible for signature creation, what is the frequency of updates, how are they delivered and implemented, and do they extend to individual app functions?

Application Visualization (On-Box)

Application visualization refers to the ability for administrators to see what is actually happening on the network: which specific applications are being used, by which users, when, to what extent, and so forth. Such information is essential for policy and rule development, troubleshooting and analysis, illustrating the impact of rule enforcement, and illuminating the need for changes over time.

SonicWALL capabilities and strengths. SonicWALL provides extensive, on-box visualization and analysis tools. Specifically, the SonicWALL Visualization Dashboard includes the Real-Time Monitor (for viewing summary and system-level information) and the AppFlow Monitor (for viewing granular, real-time data pertaining to applications, users, URLs, initiators, responders, threats, VoIP, VPN, devices, and content). Available data can be viewed in multiple formats (e.g., list, pie chart, graph), subjected to virtually any series of filters, and manipulated in multiple ways to maximize its usefulness.

In comparison. The Check Point, Cisco, Fortinet, and Juniper solutions all lack an on-box capability for visualizing application data in real time. Neither do they provide forensic analysis tools that deliver an in-depth, real-time understanding of network utilization.
Questions purchasers should ask candidates to pursue this topic further include:

- Does the solution include on-box visualization for real-time investigation of network activity by application, user, bandwidth consumption, URL, and so forth?
- In what specific ways can the available data be manipulated and analyzed?

Application Visualization (Off-Box)

SonicWALL capabilities and strengths. Beyond its unique on-box visualization capabilities, the SonicWALL Next-Generation Firewall also supports an open (i.e., industry standard) mechanism, IPFIX/NetFlow with Extensions, for exporting all of the same in-depth, application-oriented data to external collectors and tools (e.g., Scrutinizer from Plixer International). This allows organizations to leverage a wide range of third-party management applications for longer-term trending and in-depth forensic analysis of network usage and potential threat-related activities.

In comparison. None of SonicWALL's competitors share the ability to export application intelligence information to external IPFIX/NetFlow collectors at the same level of granularity as the SonicWALL Next-Generation Firewall.

Questions purchasers should ask candidates to pursue this topic further include:

- Does the solution enable export of granular application intelligence information via an open (i.e., industry standard) mechanism?
- Which third-party collectors and management tools provide reporting and analysis capabilities for the NGFW?

Application Control

The ultimate goal of application intelligence and visibility, application control entails the execution of a response (e.g., block or allow) to network traffic based on the applications it is conveying, as well as attributes such as user and device identity.

SonicWALL capabilities and strengths.
With the SonicWALL Next-Generation Firewall, administrators can configure highly flexible policies based on application type, specific application, or specific application functionality (e.g., file transfer within IM), while also accounting for a wide range of contextual variables, including user and device identity, the type of content involved, and time of day, week, or month. Moreover, the SonicWALL solution supports numerous actions: not just allow, block, and log, but also (and potentially most valuably) bandwidth prioritization and limits. In addition, SonicWALL uniquely enables administrators to create objects from groups of applications, as well as URLs and URL categories, and then apply bandwidth management rules to those objects. For example, an IT manager can select a group of social media applications as well as shopping URL categories and restrict the aggregated bandwidth consumed to 500 kbps.

In comparison. Check Point, Cisco, Fortinet, and Juniper lack the granularity of control required in businesses today. For example, a Web application such as Facebook can be seen as both bad and good to a company: as a productivity threat, a security threat, and a valuable marketing tool. SonicWALL has the granularity of control to enable a marketing department to have prioritized bandwidth to use Facebook, but at the same time to prevent other departments from using it during working hours, and ALL users from accessing Farmville and Mafia Wars. In addition, although these competitors have content filtering capabilities, administrators are forced to manage applications and URLs as separate entities with separate GUIs. In the case of Palo Alto Networks, management of URLs with applications is supported, but the solution fails to enable bandwidth management for the combined objects, thereby negating a central benefit of having a unified architecture.
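As an added illustration of the classification argument made under Application Intelligence and the allow/block actions described under Application Control (example code written for this page, not SonicWALL's or any competitor's implementation), the following Python models a port-first inspection pipeline beside a content-first one and runs both over constructed sample flows. The port table, the signature set, the sample flows, and the blocked-application policy are all assumptions constructed for the demonstration.

```python
"""Port-first vs. content-first application identification.

Constructed example (not SonicWALL's or any vendor's code) for the
Application Intelligence and Application Control sections: when the
destination port pre-selects the inspection, traffic on a non-standard
port can slip through; matching payload signatures on every flow
identifies the application regardless of port. All data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # opening bytes of the client-to-server stream


# Constructed port table: what a port-based firewall assumes from the port.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "https"}

# Constructed payload signatures, most specific first; regexes over the
# opening bytes of a stream. A real signature library is far larger.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),
    ("http/file-upload", re.compile(rb"^(POST|PUT) /upload\S* HTTP/1\.[01]\r\n")),
    ("http", re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")),
]


def classify_port_first(flow: Flow) -> str:
    """Port-first model: the port label decides whether, and which, DPI runs.

    Only flows whose port says "http" reach the web signatures; every other
    flow keeps its port label uninspected, and a non-web payload on port 80
    keeps the "http" label because no web signature matches it.
    """
    label = PORT_TABLE.get(flow.dst_port, "unknown")
    if label == "http":
        for app, sig in SIGNATURES:
            if app.startswith("http") and sig.search(flow.payload):
                return app
    return label


def classify_content_first(flow: Flow) -> str:
    """Content-first model: every flow is matched against every signature."""
    for app, sig in SIGNATURES:
        if sig.search(flow.payload):
            return app
    return "unknown"


def decision(app: str, blocked: set) -> str:
    """Apply an application-control policy to a classification result."""
    return "block" if app in blocked else "allow"


# Constructed sample flows covering the evasions the paper names:
# non-standard ports and a non-web protocol carried over a web port.
SAMPLE_FLOWS = {
    "torrent_on_80": Flow(80, b"\x13BitTorrent protocol" + bytes(8)),
    "ssh_on_8022": Flow(8022, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "upload_on_80": Flow(80, b"POST /upload/report.zip HTTP/1.1\r\nHost: x\r\n"),
    "plain_web": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
}
BLOCKED = {"bittorrent", "ssh", "http/file-upload"}


def compare(flows=SAMPLE_FLOWS, blocked=BLOCKED) -> dict:
    """Return {flow name: (port-first decision, content-first decision)}."""
    return {name: (decision(classify_port_first(f), blocked),
                   decision(classify_content_first(f), blocked))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (pf, cf) in compare().items():
        print(f"{name:14} port-first={pf:5} content-first={cf}")
```

The two rows where the decisions differ (BitTorrent over port 80, SSH on port 8022) are exactly the misclassification-then-bypass case the paper describes; the file-upload row shows that the port-first model is only as good as the signatures it chooses to run.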
Questions purchasers should ask candidates to pursue this topic further include:

- What are all of the attributes that can be used to formulate app control policies?
- What are all of the possible responses/actions that can be configured?
- Can bandwidth management rules be set on a per-user, group, and functionality basis to control how applications consume the network?
- Can application and content filtering categories be combined into a single object that is then subjected to a single, unified bandwidth management rule?

Architecture and Performance

The NGFW feature set, including application intelligence, content inspection, IPS, and malware prevention, is relatively compute-intensive. In this regard, a product's architecture will play a significant role in terms of achievable throughput and introduced latency.

SonicWALL capabilities and strengths. SonicWALL Reassembly-Free Deep Packet Inspection is a highly efficient, single-pass engine. This means of inspection is designed specifically for real-time applications and latency-sensitive traffic, delivering control and protection without the need to proxy connections, execute handoffs to separate modules, or repeat costly packet processing and stream-reassembly routines.

In comparison. The Juniper, Fortinet, and Check Point architectures attempt to provide an NGFW feature set and anti-malware capabilities by adding proxy/assembly-based scanning engines to their solutions, an approach which introduces latency to the network. SonicWALL's architecture was designed from the start around Reassembly-Free Deep Packet Inspection to maximize network throughput and to minimize latency.

Questions purchasers should ask candidates to pursue this topic further include:

- Does the solution feature a single, unified software engine, or does it require system-level handoffs to distinctly separate inspection modules?
- How many times must low-level packet handling and/or stream reassembly routines be repeated to support the entire set of security services?

Malware Prevention

Next-Generation Firewalls, by definition, include integrated threat prevention capabilities, typically anchored by a robust intrusion prevention feature set. Malware prevention builds on this core strength by adding one or more components focused specifically on the eradication of viruses, spyware, and other forms of malware.

SonicWALL capabilities and strengths. The SonicWALL RFDPI engine allows both arbitrarily large files (i.e., there is no size limitation) and large numbers of small files to be scanned for all types of malware while still maintaining high performance. Malware scans are bi-directional (enabling threat detection upon phoning home), and are applicable to all protocols and applications regardless of port. In addition, SonicWALL supplements its onboard signature language with additional malware detection capabilities using its Intelligent Cloud Malware Detection Engine. Flows susceptible to malware infections are tokenized by the RFDPI engine, and these tokens are then compared in real time, much like a high-speed DNS query, against a cloud database containing millions of malware signatures.

In comparison. Cisco, Fortinet, Palo Alto Networks, and Juniper all have file count and/or size limitations for malware scanning that result either in significant performance penalties or in traffic being allowed to pass without inspection. Malware scanning technologies for Check Point, Cisco, Fortinet, and Palo Alto Networks are limited to a relatively small subset of protocols. In addition, none of the competing solutions include cloud-based augmentation for malware scanning.

Questions purchasers should ask candidates to pursue this topic further include:

- To what extent does the solution rely on proxy-oriented inspection techniques?
- What are the performance implications of scanning large files or numerous files?
- Is malware scanning supported for all protocols and applications? Is it bi-directional?
- What detection mechanisms are employed, and how many signatures are supported?

Technology Ownership

This area concerns ownership of the individual security components that comprise an NGFW. The need to license one or more modules carries an array of potential implications and dependencies, from incomplete integration and sub-optimal performance to delayed updates and a lack of in-house research and knowledge for a specific area, which could lead to lower effectiveness, such as the inability to thoroughly address blended threats.

SonicWALL capabilities and strengths. The SonicWALL Next-Generation Firewall has no dependencies on outside security components. The result is a completely unified and highly optimized solution architecture that maximizes performance and enables the highest level of security effectiveness. Furthermore, SonicWALL maintains its own extensive threat and application intelligence network (the SonicWALL Global Response Intelligent Defense (GRID) Network), as well as its own research lab staffed by a world-renowned security research team. The result is the ability to provide thorough and timely intelligence and content updates (i.e., policies, guidance, URL classifications, and app, threat, and malware signatures), thereby enabling organizations to efficiently and effectively handle the rapidly changing conditions characteristic of today's computing environments.

In comparison. With the exception of Fortinet, all other competitors license/obtain one or more security components of their solution from a third party. As discussed above, this arrangement carries with it the significant potential for negative side effects, from poor performance to stale content and feature sets.
Questions purchasers should ask candidates to pursue this topic further include:

- Which components of the NGFW are licensed from third-party providers?
- Specifically, how have third-party components been integrated, both with the inspection engine/other security modules and with the NGFW management solution?
- Who is responsible for maintaining each component, and with what frequency are feature and content updates issued?

Value-Add Security Features

The basic definition of an NGFW requires stateful inspection, application awareness and control, integrated threat prevention, and the ability to account for additional contextual information, such as user and device identity. Value-add features refer to any significant security functionality offered beyond these foundational capabilities.

SonicWALL capabilities and strengths. The SonicWALL NGFW incorporates numerous value-add security features. Three areas, in particular, where the SonicWALL solution stands out are client AV enforcement, Clean Wireless, and the strength of features for its integrated SSL VPN.

For an additional layer of protection beyond that provided by gateway-based anti-virus, the SonicWALL Enforced Client Anti-Virus and Anti-Spyware option ensures that all endpoints configured with SonicWALL-labeled anti-virus/anti-spyware have that software fully updated and active when accessing services beyond a firewall boundary.

The SonicWALL Next-Generation Firewall includes an integral wireless access controller/switch (WAC). Operating in conjunction with SonicWALL's own WLAN access points (SonicPoints), the result is a unified solution that allows network administrators to enforce one consistent and comprehensive set of NGFW-related policies over both wired and wireless networks.
The SonicWALL Next-Generation Firewall not only incorporates an SSL VPN solution component, but also includes a number of advanced features typically associated with standalone SSL VPN products, such as multi-platform support for layer-3 tunneling, one-time passwords, and a virtual assistance feature that enables remote observation and control of a user's computing device.

In comparison. None of the competing products offer capabilities comparable to SonicWALL Clean Wireless and SonicWALL Enforced Client Anti-Virus and Anti-Spyware. Integrated SSL VPN capabilities for Cisco, Fortinet, Juniper, and Palo Alto Networks are limited compared to standalone SSL VPN solutions, and lack one or more of the advanced features offered by SonicWALL.

Questions purchasers should ask candidates to pursue this topic further include:

- What value-add security functionality does the solution include?
- What capabilities are available to help secure WLAN traffic?
- What differences/limitations does the integral SSL VPN have relative to market-leading, standalone SSL VPN solutions?

Breadth of Coverage

Most organizations today are distributed, having more than one site, with different network size requirements at different sites. Ideally, they require a solution that supports implementing the same, consistent capabilities and policies across all sites, regardless of size or location. Accordingly, this area refers to the availability of different NGFW models suitable, from a price, performance, and capabilities perspective, for deployment in any scenario ranging from small branch offices to large headquarters facilities.

SonicWALL capabilities and strengths. The SonicWALL Next-Generation Firewall product line extends from the TZ 210 (supporting up to 200 Mbps of firewall performance) to the 5-model NSA Series (supporting 600 Mbps to 2.75 Gbps), the 4-model E-Class NSA Series (3.9 to 8.0 Gbps), and the 4-model SuperMassive E10000 Series (10 to 40 Gbps).
Moreover, the core NGFW feature set remains consistent across models, including full application intelligence, control, and visualization, and the full RFDPI engine for IPS and malware prevention.

In comparison. SonicWALL is unique in the range of its product line. The NGFW line for Palo Alto Networks starts at the $5,000 price point. Although this supports mid-sized sites, it forces organizations with smaller offices to deploy a completely separate vendor's product line. Check Point, Cisco, and Juniper lack suitable NGFW models for branch office implementations. With Juniper, there are also inconsistencies with regard to the availability of deep packet inspection, anti-virus, and onboard URL filtering capabilities across different SRX models. For Cisco, some ASA models lack the ability to run both IPS and gateway anti-virus at the same time.

Questions purchasers should ask candidates to pursue this topic further include:

- What are the prices and performance ratings for the low and high end of the NGFW product line?
- In what ways do the NGFW features differ across models? Are core NGFW capabilities consistently available?
- Can all NGFW features be operated simultaneously on all models?

Distributed Management

A scalable, proven system for managing distributed NGFW units is vital to ensuring consistent, effective enforcement of network security policies and maintaining a reasonable total cost of ownership (TCO).

SonicWALL capabilities and strengths. The SonicWALL Global Management System (GMS) provides flexible, powerful, and intuitive tools to centrally manage NGFW configurations across distributed enterprises, view real-time monitoring metrics, and integrate policy and compliance reporting. With more than 90,000 devices under management worldwide, including deployments of over 5,000 units, GMS is a proven, scalable management system.
An easy-to-use Web-based tool, SonicWALL ViewPoint complements GMS, providing customizable reports and dashboards that illustrate network activity for troubleshooting, forensic, accounting, and compliance purposes.

In comparison. Unlike other solution providers in the market, SonicWALL has multiple customers who have deployed, and are each managing, more than 1,000 units via single GMS installations. The ability to manage multiple firewalls reduces the cost and complexity of securing a distributed network.

Questions purchasers should ask candidates to pursue this topic further include:

- What is the size of the largest NGFW implementations under management?
- Does the management system support role-based administration? Does it also support partitioning for multi-tenant configurations?
- What is the cost structure, and what are representative price points, for the management system and any other relevant management applications?

Conclusion

The Next-Generation Firewall (NGFW) is rapidly becoming an essential element of the modern organization's information security strategy. Not only does it restore control over network activity and provide protection against dynamic threats, it does so while reducing the cost and complexity of network security infrastructure. However, no two solutions are created equal, and organizations, therefore, must take care when selecting an NGFW product to meet their needs.

As discussed herein, the SonicWALL Next-Generation Firewall has compelling advantages compared to its primary competitors in a number of crucial areas, including application intelligence, control, and visualization, as well as performance and threat prevention. A 20-year record in the security industry, a presence in 23 countries, and a global network of over 15,000 partners, resellers, and distributors are just a handful of additional reasons why your next firewall purchase should be a Next-Generation Firewall from SonicWALL.

© 2011 SonicWALL, Inc.
SonicWALL is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Information contained in this document is accurate to the best of our knowledge based upon publicly available information as of Feb 14, 2011. SonicWALL will review and update this document should any information be found to be out of date. Specifications and descriptions subject to change without notice.