Testing Firewalls

  • 8/3/2019 Testing Firewalls

    Evaluating Firewalls in the 21st Century

    Joel Snyder

    Opus One

    [email protected]

    TechTarget

    Feeling that rip-and-replace urge on your old firewall?

    While You Were Out

    Firewalls Have Been Rocking and Rolling

    Enterprise Firewall

    Application Firewall

    Tip #1

    Pay No Attention To The Buzzword

    Remember:

    No One Wants A Quarter-Inch Drill Bit!

    You don't want a UTM or an NGFW or a WSG or an MFA or

    You're not buying a buzzword, you're solving a problem

    Tip #2

    Whatever It Is, It Has To Be A Firewall, First.

    Every Enterprise Firewall Should Have

    - Firewall policies (SIP/DIP/DP/Proto + Allow/Block)

    - NAT (Network Address Translation)

    - Site-to-site VPN using IPSec

    - Basic CoS/QoS bandwidth management features

    - Enterprise Network Integration: VLANs, link aggregation

    - High Availability

    - Speed

    You Should Also Look For

    - Dynamic routing with OSPF and/or BGP

    - IPv6 Support

    - Global management

    Evaluation Hint

    Old Firewalls Probably Do This Pretty Well

    The Old Guard

    - Astaro (Sophos)

    - Check Point

    - Cisco

    - Fortinet

    - Juniper

    - Secure Computing (McAfee)

    - SonicWALL

    - Stonesoft

    - WatchGuard

    The New Guys

    - 3COM/H3C (HP)

    - Palo Alto

    - Phion (Barracuda)

    - Sourcefire

    Tip #3

    Short-list Your Threat Mitigation Features

    Things That Turned Out To Be A Good Idea (Winning Features)

    - Anti-Malware

    - Intrusion Prevention

    - URL Filtering

    Things Someone Thought Would Be A Good Idea (Not-so-Winning Features)

    - Anti-Spam

    - DLP/Content Filtering

    - DDoS Blocking

    Evaluation Hint

    It's not Efficacy; it's Problem Solving

    Intrusion Prevention, URL Filtering, Anti-Malware

    Efficacy Hint: firewall IPS is not as good as dedicated IPS

    Efficacy Hint: We all know that this only works most of the time

    Efficacy Hint: Firewalls can help, but end-point protection is the most important defense

    IPS: Differentiate between clients and servers? Manage dynamic profiles (e.g., high priority)

    A/M: Does it cover the protocols you care about? HTTP? What else?

    Filtering: Differentiate users by group? By interface? Different policies?

    Tip #4

    Next Generation is about Widening the Tuple

    Before:

    After:

    Application and Authentication are two possibilities.

    NGFW vendors are still trying to figure out what we want!

    Evaluation Hint

    Divide VISIBILITY from CONTROL

    Visibility

    - Crack the traffic open (SSL Decryption)

    - Identify the Traffic

    Control

    - Control the Traffic

    Visibility is so much more important in NGFW/Application Control because you must match vocabularies!

    Tip #5

    SSL Decryption is a Must

    Before

    After

    Evaluation Hint

    Speeds and Feeds! Speeds and Feeds!

    Does it work?

    Can the firewall actually decrypt SSL traffic

    - on all ports?

    - normal SSL?

    - Connect (Proxy)?

    - STARTTLS (SMTP)?

    Is it fast?

    When the firewall is decrypting SSL traffic, how fast does it go?

    Remember:

    Application Control (NGFW) is a User Protective feature, and only user traffic will be affected!

    Tip #6

    Application Identification Is Hard

    That's Facebook, right?

    Wait, is there chatting? Or not?

    Is the status being updated?

    Or is that Facebook Mail?

    Evaluation Hint

    Build Your Policy and Test Your Policy

    Efficacy Testing Considered Harmful

    Your Word of the Day

    Sisyphean

    Actual Testing Actually Useful

    I don't care about 1314 applications. I just want to block Peer-to-Peer

    Firewall Testing: Same as it Ever Was, Only Different

    Six Tips to Success

    1: You're not buying a buzzword, you're solving a problem.

    2: Firewalls still need to be firewalls, only faster

    3: Threat mitigation isn't a question of efficacy, but of meeting your needs (and check performance!)

    4: Visibility into applications is important for next generation features

    5: Bite the bullet on SSL Decryption (and check performance!)

    6: Application Identification is not a race to get the biggest numbers
