3. WatchGuard - Take Back Your Application in

Get In Control:
Introducing XTM 11.4
Terry Leung
Regional Director
Southern China
Agenda
• What’s wrong with today’s network security
• Users and applications are out of control
• WatchGuard’s solution
• XTM 11.4 feature overview
• Competitive positioning
Networks Lack Adequate Controls
IT is facing…
• Bandwidth use that is growing unexpectedly
• Advanced malware outbreaks
• Web applications tunneling through network controls
• Increased occurrence of rogue networks/endpoints
• Lack of effective security policies across the organization
How Do You Add Controls Without Constraining Business Productivity?
• Block Skype, Facebook, and other insecure social networking apps
• Authenticate users to all networks including Terminal Services & WLAN
• Deploy consistent security policy with centralized management templates
• Preempt network attacks with URL filters, web reputation services, anti-spam, AV, rogue wireless AP scans, and strong IPS
• See the network and react quickly with config history/rollback, auto-email reports, efficient logging, and more
Extend the Power of Your Firewall!
Fireware XTM 11.4 Delivers More Control
New Feature | Why YOU Benefit!
Application Control | Limits network resources consumed by insecure and/or non-business related applications
New IPS Technology (scanning all ports, global IPS configuration) | Stops MORE threats with LESS administrative effort
Rogue Wireless Access Point Detection for XTM 2 Series-W | Reduce risk from wireless network threats and comply with PCI security standards.
More Authentication Options | Better able to adjust network access as appropriate for specific users or groups
Config History/Rollback | Know your history…control your future…enjoy peace of mind.
Added Template Options with Centralized Management | Drive security policy conformance and efficient management for MSSP and large installations
Logging and reporting enhancements | Auto-email reports and more scalable logging support more informed network administration
Users and Applications are Out of Control!
Unfettered App Use Should Worry You
• You lose countless hours of productivity to non-business apps
• Many apps tunnel right past your firewall
• You lack visibility in what apps do on your network
• Most malware propagates via 3rd party and web apps
927,000,000
105,822 man yrs
1575 life spans (per month)
Businesses have GOOD reason to be concerned about use of applications!
• In 2009, malicious web sites increased by 200% or more
• 55% of disclosed vulnerabilities affect web apps
• 77% of web sites with malcode are hijacked legitimate sites.
• 57% of data-stealing happens over the web
• 76% of breaches target web apps
Sources: X-Force, Websense, Whitehat Security, Imperva, & 7Scan
What’s Your Web 2.0 Policy?
• A quarter of companies have no policy
• IT decides policy 40% of the time
• When you have a policy, can you enforce it?
Source: Forrester Research, Forrsights Security Survey, Q3 2010
Current Controls Too Coarse
[Chart. Legend: Already implemented; Planning to implement in the next 12 months; No plans. Capabilities charted:]
• Ability to block or allow use of a particular application for the whole company
• Ability to block or allow use of a particular application based on user's identity
• Ability to allow specific functions of the application
• Ability to block or allow specific content within the application
• Ability to control extent of use (e.g., time or bandwidth utilized)
Source: Forrester Research, Forrsights Security Survey, Q3 2010
Introducing Application Control
• Identify, control, and report on 1500+ applications
• Allow or block aren’t your only options – apply policy-based scheduling or QoS.
• Granular control of application behaviors.
• Not just signature based. Behavioral detection spots sneaky apps
Application Control Use Cases
WG Application Control lets you:
• Block usage of all peer to peer applications
• Allow Marketing department access to Facebook
• Limit streaming media application usage to restricted hours
• Report on the top 10 applications used in the company
• Allow MSN Instant Messaging, but disallow file transfer over MSN Instant Messaging
Granular Control
Application Control Feature | Customer Benefit
Block specific applications at global, department, group, and individual levels | Keep productivity high; prevent security threats
Control sub-functions, e.g. allow access to MSN, but block MSN File Transfer | Balance of permissiveness and threat mitigation
Control access to applications or sub-functions by department | Create, enforce, and monitor fine-grained acceptable use policies.
Control access to applications by time of day. | Productivity during key business hours, employee perks during off-hours.
Control applications by category | Ease of use
Centralized management of Application Control | Enforce a consistent application control policy across multiple locations.
Automatic updates of application signatures | Maintain a consistent security posture in a world of dynamic applications
Detailed application usage reporting | Monitor adherence to acceptable use policies—by user, group, department, etc
Key Applications
2,300 signatures covering 1,500 unique applications
Category | Example Applications
Instant Messaging | QQ; MSN; Yahoo; GoogleTalk
Mail/Collaboration | Hotmail; Gmail; Yahoo; MS Exchange
Web 2.0 | Facebook; LinkedIn; Twitter
P2P | Gnutella, Foxy, Thunders, Series, Winny; Bittorrent
Remote Access Terminals | TeamViewer; GoToMyPC
Database | MS SQL; Oracle
File Transfer | Peercast; Megaupload
Voice Over IP | Skype
Streaming Media | QuickTime; YouTube; Hulu
Games | Xbox Live; Second Life
Network Mgt | MS Update; Adobe; Norton; McAfee
Web bypass | Ultrasurf; Avoidr; Circumventor, Tor
Legend: Approved applications; Unapproved or harmful applications
Reputation Enabled Defense for HTTP
• Cloud-based analysis of web sites using WatchGuard’s ReputationAuthority servers
• Improves HTTP performance
• Configured in the Subscription Services menu of Policy Manager and in your HTTP proxy configuration
• Supported only for XTM devices
WatchGuard Training
Reputation Enabled Defense for HTTP
• URLs are assigned a reputation score with a value between 1 and 100 by the ReputationAuthority
• RED configuration must specify threshold values for “bad reputation” and “good reputation”
• URLs with a reputation score that exceeds your “bad reputation” threshold are blocked before any virus scanning occurs, reducing resource load on device
• URLs with a reputation score that is lower than your “good reputation” threshold bypass virus scanning, improving speed of loading web pages
Send Feedback to ReputationAuthority Servers
• When you enable Reputation Enabled Defense, the default configuration enables the XTM device to send the results of your local Gateway AntiVirus scans to WatchGuard servers
• If you have Gateway AntiVirus, but do not have Reputation Enabled Defense, you can still send Gateway AntiVirus scan results to WatchGuard
• Scan results are sent to WatchGuard as encrypted data
That’s not all folks….
More New Visibility and Network Control Features
Enhanced Authentication Features
Businesses are organized in human terms, not computer terms, but
too many security devices ignore this. Fireware XTM 11.4 has a
variety of new authentication features to allow administrators to
construct, enforce, monitor, and report on security policies that are
organized by users and groups rather than by IP subnets, hosts, host
ranges, or network zones.
Terminal Services Authentication
SSO with Manual Authentication
802.1x Authentication
Multiple AD Domain Support
LDAP over SSL Support
Distinguishing Users on Terminal Services or Citrix
Users may try to hide behind Terminal Services or Citrix. Can the right security policy be applied to them?
Hi! My Name Is 192.168.51.127
• When used in a Terminal Services or Citrix environment, user identity is associated with traffic at the XTM appliance and policy is applied correctly
• Allows consistent deployment of security policy across all network segments, including where thin clients are used.
Reducing the Insider Risk: Secure LDAP Traffic
• Secures the LDAP operation between client and server with an SSL tunnel.
• Encrypts information (e.g. domain name and password) that is passed in clear text during traditional LDAP authentication, preventing this key information from being sniffed and providing better protection against internal security breaches.
Supporting Users on Multiple Platforms
“My company supports both Windows and Mac users. Can I build user-based firewall policies for all of them?”
• Allows users to authenticate manually (port 4100 over HTTPS) even when SSO is configured.
• Delivers more comprehensive support of customer environments, including access from “off-network” domains and non-Microsoft clients.
Multiple AD Domain Support
Some companies have multiple Active Directory domains. Can one firewall enforce security policies across all of them?
• Multiple AD domains can be configured so as to allow customers to physically segment user information between groups (administrators/pupils in a school) or companies while deploying common policy at the firewall.
802.1X Authentication: Tighter Wireless Security
• Requires authentication prior to putting users on the WLAN network – 802.1X enables port-based network access control.
• 802.1X authenticator support for AP 1, AP 2, and wireless guest (select from WPA Enterprise, WPA2 Enterprise or WPA/WPA2 Enterprise).
• Authenticate to RADIUS (with EAP support) or local database.
• Supports EAP-TLS, EAP-PEAP and EAP-TTLS.
New IPS: More Coverage, Easy to Use
Businesses need rock-solid protection against network attacks!
• New IPS engine and signature provider
• Global configuration covers all ports and protocols
• Much easier to configure
• Greater efficacy and faster response to new threats
Configuration History and Rollback
Sometimes, the admin needs to turn back the clock!
• Management Server stores previous versions of device configurations
• Indexed list of configs is timestamped and shows which configs were sent to devices (vs. configs created but not pushed to devices)
• Promotes peace of mind; allows easy reversion in the event of a misconfiguration or change in business needs
Reporting for Better Visibility, Easier Compliance
Are the key people in the business getting the information they need, in a timely manner?
• New report scheduling
• New reports for App Control, IPS, DHCP lease activity
• Email notification of ready reports
• Enhancements to systematically remove diagnostic logs from log server
How Does It Stack Up to Competitors?
Application Control
Company | By the Numbers | Comments
WatchGuard | 1500 + Applications; 2300 + Signatures | Granular control; Attached to Firewall Policies
Palo Alto Networks | 1000 + Applications | Very Expensive; Lacks networking features
Fortinet | 1200 + Applications | Closest to WG UI; IPS service required
Sonicwall | 2700 Signatures | Multiple signatures per application; Intermixed with IPS; Difficult to use
• Battlecards available at the partner portal, including Palo Alto Networks
• Will be updated for 11.4 launch
Today’s WatchGuard for Today’s Businesses
Fireware XTM 11.4 advances WatchGuard’s vision of extensible threat management, helping businesses combat threats, enhance productivity, and focus on business goals.
• Superior Security
• Superior Manageability and Visibility
• Enhanced Authentication
• State of the Art Policy Enforcement
What does it all mean?
• The Internet is a thorny thicket!
• Businesses face lots of competing pressures and forces
• WatchGuard products help companies define their relationship with the Internet
• It all comes down to policy
3 Phases of Policy
• Definition
• Enforcement
• Auditing
WatchGuard has great tools and products for all three phases of policy!
Conclusion
• Threat Landscape + Design Principles = WatchGuard Products
• We defeat the threats—and the competition
• WatchGuard is watching out for you!
• …and we greatly value your partnership!