WatchGuard Technologies, Inc. Fireware XTM
Updated for Fireware XTM 11.6

XTM Portfolio
Fireware XTM runs on all XTM devices.
- XTM 2050: CPU: dual 2.4 GHz 6-core Xeons; memory (SDRAM/Flash): 12 GB / 2 GB
- XTM 1050: CPU: dual 2.33 GHz quad-core Xeons; memory (SDRAM/Flash): 4 GB / 1 GB
- 8 Series: CPU: 2.66 GHz quad core; memory (SDRAM/Flash): 2 GB / 1 GB
- 5 Series: CPU: 2 GHz single core; memory (SDRAM/Flash): 1 GB / 1 GB
- 3 Series, XTM 330: CPU: 1 GHz single core; memory (SDRAM/Flash): 1 GB / 512 MB
- 3 Series, XTM 33: CPU: Power Architecture dual core; memory (SDRAM/Flash): 1 GB / 512 MB
- 2 Series, XTM 25/26: CPU: Power Architecture single core; memory (SDRAM/Flash): 512 MB / 256 MB
- 2 Series, XTM 21/22/23: CPU: 667 MHz single core; memory (SDRAM/Flash): 256 MB / 256 MB
- XTMv: Small, Medium, Large and Datacenter editions (virtual appliance)

WatchGuard System Manager
WatchGuard System Manager (WSM) is a suite of management tools for XTM appliances. WSM provides client software for monitoring and configuration:
- Policy Manager (configuration)
- Firebox System Manager (monitoring)
- HostWatch (advanced monitoring)
- Log and Report Manager (advanced monitoring)

WSM — WatchGuard Server Center
You can also install WatchGuard servers and configure them from the WatchGuard Server Center:
- Management Server
- Log Server
- Report Server
- Quarantine Server
- WebBlocker Server

Web Management
Any XTM device can also be managed through the Fireware XTM Web UI.

Command Line Interface (CLI)
- Most configuration and monitoring options are also available from the command line, using an SSH client (TCP port 4118).
- Direct access to the device without additional software
- Scriptable
- TCPDUMP

Localization
Management user interfaces and Help systems are regularly translated into:
- French (France)
- Japanese
- Latin American Spanish (es-419)
- Simplified Chinese (PRC)
- Traditional Chinese (Web UI only)
- Korean (Web UI only)
Data input fields accept ASCII characters only. Log messages remain in English.

Security Policies
Policy Manager
- Policy Manager is an offline .xml editing tool.
- You can work on a configuration without being connected to a device.
- Easy configuration archiving

Policy Auto-Ordering
- In Auto-Ordering mode, Fireware XTM applies an algorithm to determine where in the policy list a new policy is inserted.
- Speeds up configuration
- Policy Manager is responsible for maintaining the consistency of the security policy, without human errors.
- Easier to maintain when there are several administrators (no need to check what has been done previously before adding a new policy)
- Easier to support

Manual Policy Ordering
- When you disable Auto-Ordering mode, you can move a policy wherever you want.
- Adds flexibility for tricky configurations

"From–To"
- Policy matching is simply the result of comparing the source and destination of the IP packet against the policy's "From" and "To" fields.
- A single tab per policy specifies its source and destination.
- Source and destination can be associated with multiple physical interfaces, so the total number of policies remains as low as possible. Any-Trusted, for example, means any physical interface configured as "trusted"; there can be multiple trusted interfaces.

Allow or Deny Policies
- In the Policy tab, the policy can be Allowed, Denied, or Denied (send reset).
- A Denied policy drops the traffic.
- A Denied (send reset) policy drops the traffic and sends a TCP reset (RST) to the source, so the client's connection is closed instead of waiting for a timeout.

Denied Policy
- Denied policies are fully configurable by defining the From and To addresses.
- You can allow some traffic for the majority and deny it for specific users much more easily.
- In this example, all users can access the web except 10.0.0.100.
- Policies are matched in list order, so a specific Denied policy only takes effect if it sits above the general Allowed policy it carves an exception from; check its position when Auto-Ordering is disabled.

Policy Logging
- A policy either denies or allows traffic, so packets appear as either denied or allowed packets in the log file.
- Log messages can also be activated in a proxy action applied to a policy to create log messages for reports.
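The Denied Policy and Policy Logging slides above describe a specific deny carved out of a general allow, with each packet logged as allowed or denied. The following is an added example, not WatchGuard code, that evaluates such a From/To policy list in Python. The networks behind the aliases, the specificity heuristic used to auto-order the list and the log line format are assumptions made for the example; the slides do not describe the Fireware ordering algorithm.

```python
"""Added example (not WatchGuard code): first-match evaluation of From/To
firewall policies, with a specific Deny placed above a general Allow."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Stand-ins for the interface aliases on the slides; the networks are assumptions.
ALIASES = {
    "Any-Trusted": ["10.0.0.0/8", "192.168.0.0/16"],
    "Any-External": ["0.0.0.0/0"],
}


@dataclass
class Policy:
    name: str
    action: str           # "Allowed", "Denied" or "Denied (send reset)"
    protocol: str         # "tcp", "udp" or "any"
    ports: Set[int]       # destination ports; empty set means any port
    src: List[str]        # the policy's From list (aliases or CIDRs)
    dst: List[str]        # the policy's To list
    enabled: bool = True  # a disabled policy stays in the config but never matches


def expand(names: List[str]):
    """Resolve aliases and CIDR strings to ip_network objects."""
    return [ipaddress.ip_network(c) for n in names for c in ALIASES.get(n, [n])]


def coverage(policy: Policy) -> Tuple[int, int]:
    """Auto-ordering key used here (an assumed heuristic, not the Fireware
    algorithm): fewer covered addresses and fewer ports sort first."""
    addrs = sum(n.num_addresses for n in expand(policy.src) + expand(policy.dst))
    return (addrs, len(policy.ports) or 65536)


def auto_order(policies: List[Policy]) -> List[Policy]:
    return sorted(policies, key=coverage)


def matches(p: Policy, src: str, dst: str, proto: str, dport: int) -> bool:
    if not p.enabled or p.protocol not in ("any", proto):
        return False
    if p.ports and dport not in p.ports:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in expand(p.src)) and any(d in n for n in expand(p.dst))


def evaluate(policies: List[Policy], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (policy name, action) of the first matching policy in list order.
    Nothing matched means the implicit deny applies."""
    for p in policies:
        if matches(p, src, dst, proto, dport):
            return p.name, p.action
    return "Unhandled", "Denied"


def log_line(src: str, dst: str, proto: str, dport: int, decision: Tuple[str, str]) -> str:
    """One allowed/denied record per packet, as the Policy Logging slide describes.
    The format is an assumption for this example."""
    name, action = decision
    verb = "Allow" if action == "Allowed" else "Deny"
    return f"{verb} {src} {dst} {dport}/{proto} policy={name}"


# Constructed example: everyone on the trusted networks may browse, except 10.0.0.100.
POLICIES = [
    Policy("HTTP-out", "Allowed", "tcp", {80, 443}, ["Any-Trusted"], ["Any-External"]),
    Policy("Block-10.0.0.100", "Denied", "tcp", {80, 443}, ["10.0.0.100/32"], ["Any-External"]),
]
ORDERED = auto_order(POLICIES)

if __name__ == "__main__":
    for client in ("10.0.0.50", "10.0.0.100"):
        decision = evaluate(ORDERED, client, "203.0.113.10", "tcp", 80)
        print(log_line(client, "203.0.113.10", "tcp", 80, decision))
```

Evaluating the list as entered (Allowed first) lets 10.0.0.100 browse; after auto-ordering the narrower Denied policy is matched first and the exception holds. That is the check to make whenever Auto-Ordering is off.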
Such detailed transaction log messages are available in proxy policies and ALGs.

Policy Scheduling
You can apply a schedule to any policy. For example, you can configure a security policy that allows incoming FTP connections only on Monday from 8 AM to 10 AM.

Policy Debugging
You can disable a policy for troubleshooting purposes but keep the policy in your configuration in case you want to activate it again later.

Transparent Proxies

Intelligent Layered Security Architecture
- Traditional security: high cost and complexity, limited protection and performance. Each threat class is handled by a separate product in the traffic path: firewall/VPN, intrusion detection/intrusion prevention, authentication, spam solution, antivirus.
- Intelligent Layered Security (ILS): lower cost, higher performance, better protection. A single ILS engine handles normal traffic and security threats with these layers: external security services, data integrity, VPN, stateful firewall, application security, content security.

ILS — Behavioral Analysis and Shunning
- Detects IP and port scanning
- Remembers attackers
- Shuns known scanners and attackers (low processing cost)

Exploit Lifecycle
1. Vulnerability found and exposed
2. Hacker builds an attack to leverage the vulnerability
3. Attack is launched
4. Vendor builds a patch
5. Attack signature developed and distributed
6. Vendor distributes the patch
7. IT admin queues the patch update based on severity
8. IT admin installs the patch
ILS proactively blocks many threats, such as spyware and viruses, and provides zero-day protection in the window before an attack signature or vendor patch exists; Gateway AV and IPS protect affected systems once signatures are distributed.

WatchGuard Application Proxy
Unlike simple and stateful packet filters, which inspect but do not alter packets, a proxying firewall acts as an intermediary in all transactions that traverse it.
There is a different proxy for each application: SMTP, POP3, HTTP, FTP, DNS...
"The original value proposition of a proxy firewall is that the proxy is essentially a security-oriented reference implementation of the application protocol." (Marcus Ranum)

Protocol Anomaly Detection
The WatchGuard application proxies closely examine data streams, including packet headers and the data payload, for anomalies and errors. Any suspicious information is discarded. This prevents many forms of attack (for example, buffer overflows). In addition, the firewall performs:
- Packet Handling: prevents packets from entering the network until they are reassembled and examined.
- Packet Reassembly: reassembles packet fragments to prevent fragment-overlap attacks such as Teardrop and other Layer 3 protocol-anomaly attacks.

Example of Fragmentation Attack — Teardrop
1. The source sends a fragmented packet, e.g. a packet split into two fragments.
2. The offset of the second fragment is falsified so that the fragments overlap.
3. The destination server reassembles the datagram from the two fragments, but the result is not correct. Many TCP/IP stacks then crash or freeze.
[Diagram: a source on the Internet sends "IP Header + Data 1" and "IP Header + Data 2" with overlapping offsets; the destination server on the private network reassembles them into a corrupt "IP Header + Data 1 + Data 2".]

Packet Reassembly by an XTM Device
There are two ways a firewall can reassemble a packet:
- In a virtual pipe, without really modifying the packets. Easier because the packet is not modified; it is just a memory calculation.
- Reassemble the packet and then re-fragment it (what WatchGuard does!).
- Re-fragmenting can prevent sequence attacks in fragmentation, because the fragment sizes and header fields are normalized before the packet reaches the destination.
[Diagram: the source sends two overlapping fragments (Data 1, Data 2); the XTM device reassembles them and forwards three normalized fragments (Data 1, Data 2, Data 3) to the destination server on the private network.]

Enhanced Transparent Proxies
- All transparent proxies can be used and fully configured for both the client side/direction and the server side/direction.
- The HTTP Server proxy can be used to protect web servers from attacks.
- The SMTP Client proxy can be used to filter content and scan user email for viruses.
- A full POP3 proxy for customers without a local email server
- The FTP and DNS proxies give full granular control over the protocols (content, commands, queries, etc.).
- The TCP-UDP proxy offers generic protection for all ports.
- Signature-based IPS for all policies adds dynamic protection from attacks that comply with protocol standards.

Enhanced Transparent Proxies — Default Settings
- All transparent proxies can be fully configured for incoming and outgoing traffic, but the default settings differ.
- HTTP Client, SMTP Incoming and FTP Client are secured, with default content types already defined.
- HTTP Server, SMTP Outgoing and FTP Server are more permissive.

Enhanced Transparent Proxies — Full Flexibility
- All transparent proxies are completely flexible.
- The default action can be modified to deny, allow, or strip for any configurable component in a proxy policy (content types, commands, request, response, headers, etc.).
- For example, you can allow all MIME types for HTTP except some specific ones.

HTTP Transparent Proxy
- Fully configurable HTTP request and response
- URL paths can be used to block complete URLs.
- Configurable header fields, protocol settings, and methods (request and response)
- Content types with enhanced default settings
- Specific cookies can be allowed or denied.
- Proxy exceptions (used for Microsoft updates, for example)
- WebDAV support

HTTP Transparent Proxy — Body Content Types
- Real content type blocking, based not on the file extension but on the file's binary content.
- The XTM device checks whether the file is an EXE, DLL, ZIP, CAB or Java file from its byte code, and is not fooled by a file with a renamed extension.
- For example, if an executable file is renamed *.pdf, the proxy still knows that the file is an .exe file and prevents the download.
- New binary types can be added for more protection; only the types in the list are recognized, so keep it current.

HTTP Transparent Proxy — Deny Message
Configurable HTML deny message for users who are blocked by the proxy.

Redirect HTTP to Caching Proxy Server
No configuration is necessary in the user's browser.
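As an added example of the byte-code check described on the Body Content Types slide above (not WatchGuard code): the type is taken from the body's leading bytes, so a PE executable renamed report.pdf is still denied. The extension map, the set of denied types and the sample bodies are constructed for the example.

```python
"""Added example (not WatchGuard code): recognize a download's real file type
from its leading bytes, so a renamed executable is still treated as one."""
import os
from typing import Tuple

# Magic numbers for the binary types the slide names (plus PDF for contrast).
SIGNATURES = [
    (b"PK\x03\x04", "zip"),               # ZIP (also JAR, DOCX, ...)
    (b"PK\x05\x06", "zip"),               # empty ZIP archive
    (b"MSCF", "cab"),                     # Microsoft Cabinet
    (b"\xca\xfe\xba\xbe", "java-class"),  # Java class file
    (b"%PDF-", "pdf"),
]

# What a file claims to be from its extension (assumption for this example).
EXTENSION_TYPES = {".exe": "pe", ".dll": "pe", ".zip": "zip", ".cab": "cab",
                   ".class": "java-class", ".pdf": "pdf"}

# Types the proxy action denies in this example, regardless of file name.
DENIED_BODY_TYPES = {"pe", "mz-executable", "cab", "java-class"}


def identify(data: bytes) -> str:
    """Return the detected type from the first bytes of the body."""
    if data[:2] == b"MZ":
        # Windows EXE/DLL: the DOS header field e_lfanew (offset 0x3C)
        # points at the "PE\0\0" signature of the PE header.
        if len(data) >= 0x40:
            pe_off = int.from_bytes(data[0x3C:0x40], "little")
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-executable"  # MZ header without PE signature: still executable
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def decide(filename: str, body: bytes) -> Tuple[str, str, bool]:
    """Proxy decision for one download: (action, detected type, extension lies).
    Only the detected type drives the decision; the mismatch flag is for logging."""
    detected = identify(body)
    claimed = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())
    mismatch = claimed is not None and claimed != detected
    action = "deny" if detected in DENIED_BODY_TYPES else "allow"
    return action, detected, mismatch


def fake_pe() -> bytes:
    """Constructed minimal PE image: DOS header with e_lfanew = 0x40, then "PE\0\0"."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = [("setup.exe", fake_pe()),
               ("report.pdf", fake_pe()),                  # renamed executable
               ("report.pdf", b"%PDF-1.7\n%constructed\n")]
    for name, body in samples:
        print(name, decide(name, body))
```

The mismatch flag is worth logging even when the action is allow: a body whose type contradicts its extension or declared Content-Type is a cheap indicator for reports.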
[Diagram: a client PC with no proxy configuration sends an HTTP request; the XTM device redirects it automatically to the caching proxy server; the caching proxy sends the HTTP request to the Internet and the HTTP response returns to the client through the proxy.]

SMTP Transparent Proxy
- Fully configurable ESMTP settings and authentication
- Attachment filtering by content types or file name patterns
- Access list for email addresses (From and To)
- Header filtering

SMTP Transparent Proxy — Address Filtering
- Access list for domains or email address patterns
- Can be used to prevent the email server from being used as an open relay
- Email and domain addresses can be rewritten.

SMTP Transparent Proxy — Deny Message
Configurable SMTP deny message when an action is denied (attachment denied because a virus was detected, content type not allowed, email address blocked, etc.).

HTTPS Transparent Proxy
- Blocks access to objectionable HTTPS sites using WebBlocker
- Allow or deny access to sites based on domain names. Fireware XTM matches domain name patterns against the Subject field of the web site's SSL certificate.

HTTPS Content Inspection
- Inspects SSL-encrypted HTTP content
- Bypass list
- For each inspected site, a new SSL certificate with the web site's details, signed with the XTM device's HTTPS inspection certificate, is created.
- Import the XTM device's HTTPS inspection certificate into the client browsers before enabling inspection; a browser that does not trust it shows a certificate error for every inspected site.
[Diagram: the client connects to an HTTPS web site; the XTM device opens its own SSL connection to the secured web site on the Internet, retrieves the details of the site's certificate, and establishes the SSL connection to the client with the re-signed web certificate.]

FTP Transparent Proxy
- Fully configurable
- All FTP commands can be blocked.
- Control file download and upload

FTP Transparent Proxy — Download and Upload Control
Use file name patterns to control the files that can be uploaded or downloaded through FTP.

DNS Transparent Proxy
- Fully configurable
- Control OPCodes
- Block query types and query names
- You can block query names
to easily block a user from connecting to Internet mail, IM or P2P applications, or any other Internet software that forces users to connect to a server by its DNS name.

Import and Export Proxy Actions and Rulesets
- Useful when you manage many boxes
- Copy back and forth between XML device configurations
- Must be from the same version of WSM/Policy Manager. For example, you cannot import a v11.5.2 proxy action into v11.6 Policy Manager; convert the older configuration before you export proxy actions for use in a newer version.
- You can import/export any of these objects: proxy actions, individual rulesets within proxy actions, custom policies, WebBlocker exceptions, spamBlocker exceptions, schedules.

VoIP and Video Conferencing

Application Layer Gateways — SIP & H.323
- The Fireware XTM SIP and H.323 application layer gateways (ALGs) are similar to proxies.
- These ALGs dynamically open only the correct ports for the SIP and H.323 protocols (solves the firewall issue).
- ALGs address the NAT issue by processing and modifying the signaling with the public IP addresses and ports.

VoIP Security
- Call setup security
- Limit to only certain codecs
- Limit calls to/from only certain addresses
- Directory harvesting protection
- Maximum number of sessions
- User-Agent masking
- Idle media session timeout
- Header normalization (SIP only)
- Topology hiding (SIP only)

WebBlocker

WebBlocker — Web Content Filtering
- Keeps malicious web content out of your network through 15+ million blocked URLs and 54 categories
- Works with HTTP and HTTPS proxy policies
- Reduces unproductive web surfing and potential liability
- Blocks access to IM/P2P download sites
- Blocks access to 9000+ spyware sites
- Easily configurable and integrated with WSM
- Helps schools attain CIPA compliance
- Stays current through daily incremental database updates
- Global URL database: English, German, Spanish, French, Italian, Dutch, Japanese, Traditional Chinese and Simplified Chinese sites

WebBlocker
- WebBlocker blocks URLs based on a Websense URL database with a selection of categories and white/black lists.
- WebBlocker requires the WebBlocker Server, installed on your management computer, to host the database (hosted mode is available for 2 Series and 3 Series).
- The WebBlocker Server database is updated automatically every day.
[Diagram: the WebBlocker Server receives WebBlocker updates from the Internet; the XTM device checks URLs against it, and user surfing is restricted by WebBlocker URL filtering.]

WebBlocker Override
You can bypass WebBlocker with authentication.

RED (Reputation Enabled Defense)

Reputation Enabled Defense for HTTP
- Cloud-based analysis of web sites using the WatchGuard ReputationAuthority servers
- Improves HTTP performance
- Improves security

WatchGuard ReputationAuthority
[Three ReputationAuthority slides; only their titles survived transcription.]

Reputation Enabled Defense for HTTP
- URLs are assigned a reputation score between 1 and 100 by the ReputationAuthority.
- The RED configuration must specify threshold values for "bad reputation" and "good reputation".
- URLs with a reputation score above your "bad reputation" threshold are blocked before any virus scanning occurs, reducing
the resource load on the device.
- URLs with a reputation score below your "good reputation" threshold bypass virus scanning, improving the load speed of web pages. This trades scanning for speed: a newly compromised site keeps its good reputation until the ReputationAuthority learns of it, so set the "good reputation" threshold conservatively.

Send Feedback to ReputationAuthority Servers
- When you enable Reputation Enabled Defense, the default configuration enables the XTM device to send the results of your local Gateway AntiVirus scans to WatchGuard servers.
- If you have Gateway AntiVirus but do not have Reputation Enabled Defense, you can still send Gateway AntiVirus scan results to WatchGuard.
- Scan results are sent to WatchGuard as encrypted data.

Application Control

Application Control
- Monitor and block application usage on your network.
- A signature-based service identifies over 1500 applications, including IM, P2P, Facebook, Skype and many more.
- Configure Application Control to drop traffic for applications you do not want to allow.
- For some applications you can block specific application behaviors (for example, you can allow the use of MSN for chat but block file transfers).
- Monitor the use of allowed applications.

Application Control
- Create multiple Application Control actions to control different applications or application categories.
- Apply Application Control actions to specific policies.
- Log files and reports show which applications were detected and what action was taken.
Application Control
- Control applications by users or groups within your policies.
- Control applications by time of day using the policy scheduling features.

Application Control Reporting
Reports are available to help you identify how applications are being used on your network:
- Application Use Summary
- Blocked Application Summary
- Top Clients by Application Usage
- Top Clients by Blocked Applications
- Top Clients by Blocked Categories

Intrusion Prevention Service

Intrusion Prevention Service
- In-line protection from attacks that comply with protocol standards but carry malicious content
- Blocks attack sources automatically

False Positives
- False positives are the biggest danger in using IPS, because a false positive blocks legitimate traffic.
- Try to normalize the traffic to reduce false positives. For example:
  - If a header is not correct, remove it but don't discard the entire frame.
  - If fragmentation has a bad sequence, re-fragment it in a "normal" way.
  - If a content type is dangerous, remove it but don't discard the entire frame.
  - If some protocol parameters or requests are not correct, override them but don't discard the entire frame.
- Most firewalls just check the traffic and application layers but cannot clean the traffic. This generates too many false positives.
- Fireware XTM modifies the traffic at all layers to reduce false positives and optimize the signature database.
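As an added example (not WatchGuard code) of the normalization described on the Packet Reassembly slides and in the "bad sequence" bullet above: fragments are sorted, reassembled and re-fragmented into a uniform layout. An overlap (Teardrop) or a gap makes the set unsafe and it is dropped rather than guessed at, because hosts resolve overlaps differently and forwarding one interpretation would let an attacker show the firewall one payload and the host another. The Fragment model carries only the offset, the More Fragments flag and the data; full IPv4 headers are omitted, and the sample datagrams are constructed.

```python
"""Added example (not WatchGuard code): reassemble IPv4 fragments, reject
Teardrop-style overlaps and gaps, and re-fragment the result into uniform pieces."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original payload (multiple of 8)
    more: bool    # the IP "More Fragments" flag
    data: bytes


class FragmentError(ValueError):
    pass


def reassemble(frags: List[Fragment]) -> bytes:
    """Sort fragments by offset (repairs out-of-order delivery) and stitch them.
    Overlaps and gaps raise FragmentError instead of producing a guessed payload."""
    if not frags:
        raise FragmentError("no fragments")
    ordered = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    for i, f in enumerate(ordered):
        if f.offset % 8:
            raise FragmentError(f"offset {f.offset} is not a multiple of 8")
        if f.offset < len(out):
            raise FragmentError(f"overlap at offset {f.offset} (already have {len(out)} bytes)")
        if f.offset > len(out):
            raise FragmentError(f"gap before offset {f.offset}")
        last = i == len(ordered) - 1
        if f.more == last:  # MF must be set on every piece except the final one
            raise FragmentError("More Fragments flag inconsistent with position")
        out += f.data
    return bytes(out)


def refragment(payload: bytes, piece: int = 64) -> List[Fragment]:
    """Re-split a reassembled payload into equal pieces (a multiple of 8 bytes):
    whatever layout the sender chose, the host sees one canonical fragment layout."""
    if piece <= 0 or piece % 8:
        raise ValueError("piece size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(payload), piece):
        chunk = payload[off:off + piece]
        frags.append(Fragment(off, off + piece < len(payload), chunk))
    return frags


def normalize(frags: List[Fragment], piece: int = 64) -> Optional[List[Fragment]]:
    """Return the normalized fragments, or None when the set is unsafe and must be dropped."""
    try:
        return refragment(reassemble(frags), piece)
    except FragmentError:
        return None


# Constructed 100-byte datagram payload.
PAYLOAD = bytes(range(100))

# Legitimate but out of order: 40 bytes @0 (MF), 40 bytes @40 (MF), 20 bytes @80 (last).
GOOD = [
    Fragment(80, False, PAYLOAD[80:]),
    Fragment(0, True, PAYLOAD[:40]),
    Fragment(40, True, PAYLOAD[40:80]),
]

# Teardrop: the second fragment's offset points inside the first one.
TEARDROP = [
    Fragment(0, True, PAYLOAD[:40]),
    Fragment(24, False, PAYLOAD[24:44]),
]

if __name__ == "__main__":
    print("good set ->", [(f.offset, f.more, len(f.data)) for f in normalize(GOOD)])
    print("teardrop ->", normalize(TEARDROP))
```

Sorting covers the "bad sequence" case on the False Positives slide without dropping anything; the drop is reserved for fragment sets that cannot be reassembled unambiguously.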
Gateway AntiVirus

Gateway AntiVirus
- Signature-based service to identify and block worms, spyware and trojans in email attachments or content
- Protection at the gateway: blocks threats from entering your network, executing dangerous payloads, or disabling desktop AV
- Inbound and outbound HTTP / SMTP / FTP / POP3 scanning
- Flexible user-defined actions: Allow, Deny, Quarantine and Lock

Gateway AntiVirus
- Locks or quarantines infected attachments
- Prevents self-executing or accidental execution of malicious payloads at the desktop

spamBlocker

spamBlocker
- Spam-blocking service for XTM devices
- Partnered with Commtouch, an industry leader in spam prevention and mitigation
- Value: the best service in the industry at distinguishing legitimate communication from spam attacks, blocking 97% of unwanted emails
- Processing is done off the appliance, so there is minimal impact on other network traffic processing.

spamBlocker Architecture
Securely and simply detects mass outbreaks in real time. How it works:
- Detects the repetitive component of each outbreak
- Uniquely identifies the "DNA" of each outbreak
- Compares incoming messages with spam DNA in real time
[Diagram: the Real-Time Detection Center analyzes and classifies Internet traffic into outbreak DNA; the XTM device queries it using RPD (Recurrent Pattern Detection), patent-pending technology.]

spamBlocker Configuration
- Simple to set up: WSM makes it easy; it takes only a few minutes and just a few screens to configure.
- Flexible enough to handle spam in several different ways
- Easily route tagged mail to dedicated spam/bulk folders
- Quarantine Server available (user and admin access)

spamBlocker Quarantine
- Quarantine for SMTP spam
- Install the server software with WSM
- User notification and localized access
- Set the spamBlocker action to quarantine.
- Quarantine based on spam category or exception.

Real-Time Virus Outbreak Detection
- spamBlocker's Real-Time Virus Outbreak Detection feature offers protection from unknown (zero-day) threats.
- Real-time security technology that identifies and blocks nearly 100% of all email-based malware attacks, including spam, viruses and phishing
- Provides an additional layer of security and shields your network in the earliest moments of new malware outbreaks; complements existing systems
- Signature-based solutions can take days to catch up.

Advanced Networking

Fireware XTM Interface Modes
Three different modes to integrate an XTM device into a network infrastructure:
- Mixed Routing mode (a different subnet on each interface)
- Drop-In mode (proxy ARP mode)
- Bridge mode (transparent mode)

LAN Interface Independence
Any interface can be External, Trusted, Optional, VLAN or Bridge.

Network Address Translation
- Fireware XTM supports Dynamic NAT, 1-to-1 NAT, and port forwarding (incoming Static NAT).
[Diagram: the XTM device, with NAT enabled, sits between the ISP POP on the Internet and a private IP address range; the public IP address is on the external interface.]
- Dynamic NAT can be disabled per policy.

User-Defined Dynamic Network Address Translation
- By default, the IP address used for Dynamic NAT is the interface IP address.
- User-defined Dynamic NAT can be configured with a different source IP address.

Server Load Balancing
- XTM devices support server load balancing.
- A public IP address is used as a virtual IP address in front of several servers for the same service.
- Supports up to 10 servers
- Algorithms: Weighted Round Robin, Weighted Least Connections

Routing
- XTM devices support static routing and dynamic routing: RIP v1, RIP v2, OSPF and BGP4.
- Dynamic routing increases network reliability by dynamically updating routing tables.
[Diagram: the XTM device exchanges dynamic routes with a router on the public network and automatically learns 10.0.0.0/24, 192.168.0.0/24 and 172.16.0.0/24.]

Virtual LAN Support (802.1Q)
- VLANs are security zones defined on the LAN backbone switch.
- VLANs can be defined directly on the appliance (trusted, optional or external type).
[Diagram: a single 802.1Q trunk (only one cable) connects the XTM device to a Layer 2 or routing switch carrying VLANs 1 to 5 for Sales, Admin, Finance, DMZ 1 and DMZ 2.]

VLAN Support — Virtual Interfaces
- VLAN support increases the number of potential security zones on your XTM device; the number of physical interfaces on the appliance is not a limit.
- When you define a VLAN, you define a new virtual interface.
- In the example, only two physical ports are used on the appliance for the Finance, Admin, Sales, DMZ 1 and DMZ 2 zones.

Network Time Protocol
- Fireware XTM supports NTP, with up to three configurable NTP servers.
- XTM device networks can be time-synchronized to have a consistent logging architecture.
- An XTM device can also get its time from WSM.

IPv6 Support
Fireware XTM v11.6 has achieved IPv6 Ready Phase 2 Gold Logo certification for IPv6 Core Protocols.
The Phase 2 Logo is a requirement for extended test categories, including IPSec, IKEv2, MIPv6, NEMO, DHCPv6, SIP, SNMP MIBs and MLDv2.
IPv6 support in Fireware XTM v11.6:
- Static configuration of IPv6 addresses and DNS
- Router Advertisement for stateless address autoconfiguration
- Static routes

FireCluster

FireCluster
- Clustering solution: Active/Passive or Active/Active
- Active/Active provides load sharing.
- Active/Passive uses unicast MAC addresses; Active/Active uses multicast MAC addresses.
[Diagram: two XTM devices between the public and private networks, joined by dedicated HA ports.]

FireCluster (cont.)
- You can define one or two dedicated ports for the cluster link (used to send heartbeats and for data synchronization).
- The configuration file is synchronized between the two peers.
- Each XTM device has its own management IP address.

FireCluster — Interface Monitoring
The XTM device monitors network interfaces to force a failover when a link is down.

FireCluster — FW Sessions and Tunnel Synchronization
Firewall packet-filter sessions and Branch Office VPNs are synchronized to the peer, so a failover preserves established packet-filter sessions and tunnels to the remote sites. Proxy sessions are not synchronized and must be re-established after a failover.

Multi-WAN

Multi-WAN
- Multi-WAN is activated automatically when you configure multiple external interfaces, with multiple algorithms available.
- Increases reliability by allowing up to four ISP connections

Multi-WAN Port Configuration
- When you configure a second external interface, you have to select the default gateway of this ISP connection.
- WAN connections can also use dynamic DHCP or PPPoE.

Multi-WAN Link Monitor
Link health can be evaluated by:
- External interface link status
- Response to an ICMP request
- TCP session handshake
- Both ICMP and TCP methods
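An added example, not WatchGuard code, that models the link-health methods on this slide together with the Failover and Weighted Round Robin modes described on the following slides. Probe results are passed in as constructed values rather than sending ICMP or TCP probes, and the smooth weighted round-robin scheduler is one way to realize the weight distribution; the slides do not specify the algorithm.

```python
"""Added example (not WatchGuard code): decide which external interfaces are
healthy from link-monitor results, then pick one by failover order or by
weighted round robin."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Wan:
    name: str
    weight: int = 1                  # relative share for weighted round robin
    link_up: bool = True             # external interface link status
    icmp_ok: Optional[bool] = None   # result of the ICMP probe; None = not configured
    tcp_ok: Optional[bool] = None    # result of the TCP handshake probe


def is_healthy(w: Wan, method: str) -> bool:
    """method: 'link' (link status only), 'icmp', 'tcp' or 'both' (ICMP and TCP
    must both succeed). A configured probe that fails marks the link down even
    though the physical link is up, which is the point of probing past the modem."""
    if not w.link_up:
        return False
    if method == "link":
        return True
    if method == "icmp":
        return w.icmp_ok is True
    if method == "tcp":
        return w.tcp_ok is True
    if method == "both":
        return w.icmp_ok is True and w.tcp_ok is True
    raise ValueError(f"unknown link monitor method {method!r}")


def failover_pick(wans: List[Wan], method: str) -> Optional[str]:
    """Failover mode: the first healthy interface in configured order carries all
    traffic; the backup is used only while the interfaces before it are down."""
    for w in wans:
        if is_healthy(w, method):
            return w.name
    return None


class WeightedRoundRobin:
    """Smooth weighted round robin over the currently healthy interfaces.
    With weights ISP1=3 and ISP2=1, three of every four picks go to ISP1."""

    def __init__(self) -> None:
        self.current: Dict[str, int] = {}

    def pick(self, wans: List[Wan], method: str) -> Optional[str]:
        live = [w for w in wans if is_healthy(w, method)]
        if not live:
            return None
        total = sum(w.weight for w in live)
        for w in live:
            self.current[w.name] = self.current.get(w.name, 0) + w.weight
        best = max(live, key=lambda w: self.current[w.name])
        self.current[best.name] -= total
        return best.name


if __name__ == "__main__":
    # Constructed probe results: ISP2's TCP probe fails while its ICMP probe answers.
    wans = [Wan("ISP1", weight=3, icmp_ok=True, tcp_ok=True),
            Wan("ISP2", weight=1, icmp_ok=True, tcp_ok=False)]
    print("failover (both):", failover_pick(wans, "both"))
    wrr = WeightedRoundRobin()
    print("wrr (icmp):", [wrr.pick(wans, "icmp") for _ in range(4)])
```

The same interface set can be healthy under one method and down under another (ISP2 above passes the ICMP check but fails "both"), which is why the monitor method belongs in any change review of the Multi-WAN configuration.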
Failover / Failback
- Use Failover mode when you want to have a backup external interface.
- Configure the Failback behavior to make sure the backup WAN link is used only while the primary link is not available:
  - Immediate Failback: immediately resets all open TCP connections on the backup link and moves traffic back to the primary.
  - Gradual Failback: active connections keep using the same WAN interface until they time out or are closed by the application; new connections use the primary.
[Diagram: ISP 1 is the main link and ISP 2 the backup link for the private network; failover moves traffic to ISP 2, failback returns it to ISP 1.]

Weighted Round Robin
- The round-robin algorithm is weighted, which gives better results for Internet lines with different bandwidths.
- The weight is used to determine the bandwidth distribution across up to four ISP links.

Interface Overflow
- Restricts bandwidth use for one or more interfaces
- Provides one or more alternate routes for excess bandwidth
- Limits link saturation (less congestion, lower latency for sensitive applications)

Policy-Based Routing
- Routes outgoing traffic based on the policy instead of the destination
- Force specific applications to use a specific Internet link
- Better-quality WANs can be used for critical applications

Policy-Based Routing (Example)
You can force SMTP traffic to the ISP link that hosts the provider's SMTP relay: HTTP traffic leaves through ISP 1, SMTP traffic through ISP 2.

Combine PBR and Dynamic Multi-WAN
Policy matching for the incoming packet: if the matching policy uses Policy-Based Routing, the packet is sent to the specified interface;
if it does not, the Multi-WAN dynamic algorithm (Weighted Round Robin, Failover or Interface Overflow) and the routing table choose the outgoing interface.

Traffic Management

Traffic Management
- Traffic Management is applied directly to a policy.
- Traffic Management actions can be named, cloned and edited.

Quality of Service Mechanisms
QoS mechanisms:
- Marking
- Prioritization
- Rate limiting / traffic shaping
- Connection rate limiting
- Guaranteed minimum bandwidth

QoS Marking
- Fireware XTM supports DiffServ / TOS marking.
- Ability to mark or clear the traffic according to the policy, or simply read the priority field and prioritize accordingly
- Other devices on the network can use this marking to prioritize or allocate bandwidth for specific applications, such as VoIP.
- QoS marking can also be done for IPSec packets.

QoS Prioritization
- Fireware XTM has eight priority queues.
- Granularity for traffic management

QoS Minimum Bandwidth
- Ability to apply a minimum bandwidth to a policy or interface
- Guaranteed minimum bandwidth for key applications (VoIP, etc.)

Virtual Private Networking

Branch Office VPN
- Fireware XTM supports IKE and IPSec (DES / 3DES / AES). DES is listed for interoperability only; it is not considered secure, so prefer AES.
- Use Policy Manager to configure Branch Office tunnels manually, or use the Management Server to create drag-and-drop VPNs.
- WSM requires licenses for Managed Branch Office VPN; no license is required for Manual Branch Office VPN.

VPN Branch Office (cont.)
[Diagram: the main site XTM device terminates tunnels over the Internet from several remote-site XTM devices; the main site hosts the DHCP server, employee email server, application servers and a Citrix server.]

VPN and External Interfaces
- VPN tunnels can be terminated on any external interface.
- VPN tunnels can be used with Multi-WAN (Ext1, Ext2 and Ext3 at the main site).

VPN Branch Office — Manual Configuration
- RFC-compliant IKE and IPSec configuration
- IKE Phase 1 and Phase 2 define the gateway and the tunnel.
- Multiple routing policies can be applied to a tunnel.

Branch Office VPN Wizard
A new BOVPN wizard helps you create policies for tunnels.

Branch Office VPN Failover
- Redundant VPN gateways provide fully secured VPN architectures: a primary tunnel over ISP 1 and a secondary tunnel over ISP 2.
- Fireware XTM can use either IKE keep-alive or Dead Peer Detection (DPD) to detect the failure.

Branch Office VPN Failover (cont.)
- Failover is triggered if one of these events occurs:
  - A WAN interface link state is down.
  - The Multi-WAN health monitor detects that the network is down.
  - Fireware XTM does not receive an IKE keep-alive response or a DPD response.
- An IKE keep-alive response from the primary gateway causes failback to it.

X.509 External Certificate Support
Fireware XTM supports external X.509 certificates from:
- VeriSign
- Entrust
- RSA Keon
- Microsoft Windows Server

Mobile VPN with IPSec
- Remote users use a Mobile VPN with IPSec client to connect remotely to a corporate network.
- Compatible with Windows 7

Mobile VPN — Wizard & Configuration Profile
- The Mobile VPN with IPSec wizard generates .wgx and .vpn files.
- Import the .vpn configuration file into the Shrew Soft VPN client.
- Import the .wgx file into the WatchGuard Mobile VPN with IPSec client.

Mobile VPN with IPSec Failover
The WatchGuard Mobile VPN with IPSec client can reconnect to a backup IP address (not available with
the Shrew Soft VPN client).
[Diagram: primary tunnel over ISP 1, secondary tunnel over ISP 2.]

Mobile VPN with SSL
Remote users can use Mobile VPN with SSL to connect remotely to a corporate network.
[Diagram: the main site XTM device, with the DHCP server, employee email server, application servers and a Citrix server behind it, accepts SSL VPN connections from the Internet.]

SSL VPN — Why Use SSL Technology?
- Replacement for and evolution of IPSec technology
- Light client, easy maintenance and autoconfiguration
- Access from everywhere (HTTPS instead of IKE/IPSec, so it passes through intermediate firewalls)
- IPSec used to be the reference Mobile VPN technology but has many constraints; SSL VPN technology brings the same level of security without those constraints.

Mobile VPN with SSL Portal
- Client available for both PC and Mac
- Deployment portal

Mobile VPN with SSL Failover
The Mobile VPN with SSL client can reconnect to a backup IP address (primary tunnel over ISP 1, secondary tunnel over ISP 2).

User Authentication

User Authentication
Fireware XTM supports user authentication against these authentication servers:
- Firebox (internal database)
- RADIUS
- Vasco (use the RADIUS tab)
- SecurID
- LDAP
- Active Directory (native)

User Policies
- Security policies apply to users and not only to IP addresses.
- You can build different sets of policies for different people in the company, even in networks that use DHCP.

Authentication Portal
- Users can authenticate to the XTM device through an authentication web portal.
- Use the auto-redirect feature to send users to the authentication web portal.
- Configure the XTM device to redirect traffic sent to the XTM device IP address to a host name.
- Redirect authenticated users to a specifiable URL.
- A user is authenticated with a two-hour timeout (configurable).

Fireware XTM Web Server Certificate
Customizable certificate for the authentication portal

Single Sign-On
- Automatic authentication of Active Directory users; no manual authentication on the
firewall required anymore Install WatchGuard Authentication Gateway software on a domain server (SSO A Agent) t) Install SSO Client on user’s computers or the Event Log Monitor on the domain controller The SSO Agent queries the computers on the domain receives user credentials from the SSO Client or Event Log Monitor, and sends the user credentials the XTM device Single Sign-On Alice Ali logged in Alice authorized without having to log on manually SSO Client Event Log Monitor SSO Query SSO Info User Alice = IP 10.0.1.100 SSO Agent 136 Single Sign-On Settings P Policy li M Manager > Setup S t > Authentication > Authentication Settings IP address of the PC running WatchGuard Authentication Gateway software (the SSO Agent) How long the SSO Agent should cache responses p it gets from PCs it queries IP addresses that the XTM device will not ask about 137 Benefits of User Authentication 138 User names can be resolved in HostWatch and Log and Report Manager Network admin can monitor users and modify policies to increase security it and d productivity d ti it Authentication Portal 139 Can specify which authentication server appears first in the list of servers in the Authentication Portal User’s browser is redirected to a URL you specify five seconds after successful authentication Can specify a host name to redirect traffic to Can be used to automatically redirect traffic to intranet web servers,, business sites,, etc. 
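Looking back at the Branch Office VPN failover slides (120 and 121): the rules there are asymmetric. Any of three events (WAN link down, Multi-WAN health monitor reporting the network down, or IKE keep-alive/DPD responses no longer arriving) moves traffic to the secondary tunnel, but only an IKE keep-alive response from the primary gateway moves it back. The Python below is an added example written for this page, not WatchGuard code, that models those rules as a small state machine. Its assumptions: a peer is declared dead after `missed_threshold` consecutive unanswered probes (the slides do not give a number), and failback additionally requires the primary's link and health state to be good, since a keep-alive response could not arrive otherwise. The event sequence in `run_scenario` is constructed.

```python
"""Failover / failback model for a Branch Office VPN with a primary and a
secondary gateway (slides 120 and 121).

Added example written for this page, not WatchGuard code.  Assumptions of the
model: a peer is declared dead after `missed_threshold` consecutive IKE
keep-alive / DPD probes without a reply, and failback additionally requires
the primary's WAN link and Multi-WAN health to be good.
"""
from dataclasses import dataclass, field

PRIMARY = "primary"
SECONDARY = "secondary"


@dataclass
class GatewayState:
    link_up: bool = True       # WAN interface link state
    wan_healthy: bool = True   # Multi-WAN health monitor verdict
    missed_probes: int = 0     # consecutive IKE keep-alive / DPD probes unanswered


@dataclass
class BovpnFailover:
    missed_threshold: int = 3  # assumption: probes lost before the peer is declared dead
    active: str = PRIMARY
    gateways: dict = field(
        default_factory=lambda: {PRIMARY: GatewayState(), SECONDARY: GatewayState()}
    )
    history: list = field(default_factory=list)

    # -- transitions -------------------------------------------------------
    def _failover(self, reason):
        """Move traffic to the secondary tunnel (any slide 121 trigger)."""
        if self.active == PRIMARY:
            self.active = SECONDARY
            self.history.append(f"failover -> secondary ({reason})")

    def _failback(self):
        """Return to the primary tunnel; only a keep-alive response does this."""
        if self.active == SECONDARY:
            self.active = PRIMARY
            self.history.append("failback -> primary (keep-alive response)")

    # -- events ------------------------------------------------------------
    def on_link(self, gw, up):
        """WAN interface link state change on gateway `gw`."""
        self.gateways[gw].link_up = up
        if gw == PRIMARY and not up:
            self._failover("WAN link down")

    def on_health(self, gw, healthy):
        """Multi-WAN health monitor verdict for gateway `gw`."""
        self.gateways[gw].wan_healthy = healthy
        if gw == PRIMARY and not healthy:
            self._failover("Multi-WAN health monitor: network down")

    def on_probe_timeout(self, gw):
        """An IKE keep-alive / DPD probe to `gw` went unanswered."""
        g = self.gateways[gw]
        g.missed_probes += 1
        if gw == PRIMARY and g.missed_probes >= self.missed_threshold:
            self._failover("no IKE keep-alive / DPD response")

    def on_keepalive_response(self, gw):
        """A keep-alive response arrived from `gw`: the peer is alive again."""
        g = self.gateways[gw]
        g.missed_probes = 0
        if gw == PRIMARY and g.link_up and g.wan_healthy:
            self._failback()


def run_scenario():
    """Drive the model with a constructed event sequence; returns (history, active)."""
    fo = BovpnFailover()
    fo.on_probe_timeout(PRIMARY)
    fo.on_probe_timeout(PRIMARY)          # two misses: still on the primary tunnel
    fo.on_probe_timeout(PRIMARY)          # third miss: peer declared dead -> failover
    fo.on_keepalive_response(PRIMARY)     # primary answers again -> failback
    fo.on_link(PRIMARY, False)            # link down -> immediate failover
    fo.on_keepalive_response(PRIMARY)     # ignored: link still down (model assumption)
    fo.on_link(PRIMARY, True)             # link restored, but no failback until...
    fo.on_keepalive_response(PRIMARY)     # ...a keep-alive response confirms the peer
    return fo.history, fo.active


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

The point the model makes visible is that link recovery alone never triggers failback; the tunnel stays on the secondary gateway until the primary has actually answered an IKE keep-alive, which is what keeps a flapping WAN link from bouncing the tunnel back and forth.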
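Slides 132 and 135 to 137 together describe a mechanism worth seeing end to end: the SSO Agent learns "user = IP" bindings from the SSO Client or Event Log Monitor, caches them for a configurable time, skips the addresses on an exception list, and the firewall then evaluates policies against the user (and their groups) instead of the source address, which is why policies keep working in DHCP networks. The Python below is an added example written for this page, not WatchGuard code. The workstation directory, group and service names, policy names and the 300-second cache lifetime are all constructed; the `evaluate` function is a stand-in for the firewall's policy match.

```python
"""User-based policy over an SSO identity map (slides 132 and 135-137).

Added example written for this page, not WatchGuard code.  The SSO Agent is
modelled as a cache of "IP -> logged-on user" answers with a configurable
lifetime and a list of addresses it never asks about; the firewall then
matches policies on the user's groups rather than on the source IP.  The
directory, group names, services, TTL and policy names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SsoAgentCache:
    directory: dict            # constructed stand-in for SSO Client / Event Log Monitor answers
    ttl: float                 # "how long the SSO Agent should cache responses" (seconds)
    exceptions: set            # "IP addresses that the XTM device will not ask about"
    _cache: dict = field(default_factory=dict)
    queries: int = 0           # how often a workstation was actually asked

    def lookup(self, ip, now):
        """Return (user, groups) for `ip`, or None when no user is known."""
        if ip in self.exceptions:
            return None        # servers, printers: never queried, never carry a user
        entry = self._cache.get(ip)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]    # fresh cached answer, no query sent
        self.queries += 1
        identity = self.directory.get(ip)   # the "SSO Query" to the workstation
        self._cache[ip] = (now, identity)
        return identity


@dataclass(frozen=True)
class UserPolicy:
    name: str
    groups: frozenset          # policy applies to members of any of these groups
    service: str


POLICIES = (
    UserPolicy("Finance-to-ERP", frozenset({"Finance"}), "erp-https"),
    UserPolicy("Everyone-HTTP", frozenset({"Domain Users"}), "http"),
)


def evaluate(cache, src_ip, service, now):
    """Return (decision, matched policy, user): the user, not the IP, decides."""
    identity = cache.lookup(src_ip, now)
    if identity is None:
        return ("deny", None, None)          # unknown user: no user policy applies
    user, groups = identity
    for policy in POLICIES:
        if policy.service == service and policy.groups & groups:
            return ("allow", policy.name, user)
    return ("deny", None, user)


def run_scenario():
    """Constructed walk-through, including a DHCP address change."""
    directory = {
        "10.0.1.100": ("alice", frozenset({"Domain Users", "Finance"})),
        "10.0.1.101": ("bob", frozenset({"Domain Users"})),
    }
    cache = SsoAgentCache(directory=directory, ttl=300, exceptions={"10.0.1.5"})
    r = {}
    r["alice_erp"] = evaluate(cache, "10.0.1.100", "erp-https", now=0)
    r["bob_erp"] = evaluate(cache, "10.0.1.101", "erp-https", now=0)
    r["server_http"] = evaluate(cache, "10.0.1.5", "http", now=0)

    # DHCP reassigns addresses: Alice comes back on .150, Bob inherits .100.
    directory["10.0.1.150"] = directory.pop("10.0.1.100")
    directory["10.0.1.100"] = directory.pop("10.0.1.101")

    r["alice_erp_new_ip"] = evaluate(cache, "10.0.1.150", "erp-https", now=10)
    r["stale_100"] = evaluate(cache, "10.0.1.100", "erp-https", now=10)    # cache still says alice
    r["fresh_100"] = evaluate(cache, "10.0.1.100", "erp-https", now=400)   # TTL expired: re-queried
    r["queries"] = cache.queries
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two results deserve attention. Alice keeps her Finance access after her address changes, because the policy follows the user. But `stale_100` shows the cost of the cache lifetime on slide 137: until the cached answer expires, the address Alice vacated still resolves to her, so whoever the DHCP server hands it to next inherits her access. Shorter cache lifetimes mean more SSO queries but a smaller window of that kind.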
Slide 140: Authentication Support
[Table: authentication servers supported by key features of Fireware XTM. Legend: fully supported by WatchGuard; not yet supported, but successfully tested by WatchGuard customers]

Slide 141: Monitoring Tools (section title)

Slide 142: Firebox System Manager
- Traffic Monitor: real-time log monitoring
- Bandwidth Meter: real-time bandwidth use display
- Service Watch: connection/bandwidth monitoring of your security policies
- Subscription Services: Gateway AV, IPS, Application Control, Reputation Enabled Defense, and spamBlocker status
- Performance Console: graphical tracing of system parameters

Slide 143: Traffic Monitor
- Displays XTM device log messages in a scrolling, interactive interface
- Eliminates the need to iteratively pull and view log files
- Allows you to ping, traceroute, or block a site
- Allows you to download a PCAP file for use in third-party tools
- Allows you to run the VPN Diagnostic Report

Slide 144: Bandwidth Meter
- Shows real-time sent and received traffic for all interfaces

Slide 145: Service Watch
- Shows the number of connections or the bandwidth used for each security policy
- Automatically uses the policies configured in Policy Manager
- Configure Service Watch Settings to specify the policies to monitor

Slide 146: Performance Console
- Monitors performance across system parameters
- Gives you a real-time view of XTM device resources and their use

Slide 147: Subscription Services
- See the status of:
  - Gateway Antivirus
  - Application Control and Intrusion Prevention Service
  - spamBlocker
  - Reputation Enabled Defense
- Status details include:
  - Activity
  - Virus, intrusion, or spam detected
  - Signature details

Slide 148: Logging and Reporting (section title)

Slide 149: Logging Servers
- WatchGuard Log Server
  - Proprietary protocol based on TCP (connection status shown on the server)
  - Encrypted with 3DES (no need for dedicated IPSec tunnels)
  - Backup mechanism; multiple backup servers possible
  - WatchGuard Log Server is included with WSM
- Syslog Server
  - Recommended on the LAN side only
  - Not secure for sending log messages over the Internet

Slide 150: Log / Report Architecture
- Logs are stored in a SQL database
- The XTM device connects to the Log Server to store the logs
- Automatic refresh of reports
[Diagram: XTM device to Log Server to Report Server, viewed in Log and Report Manager]

Slide 151: Scalable Report Distributed Architecture for MSSP
[Diagram: Log Server 1, Log Server 2 and Log Server 3 feeding a Report Server, viewed in Log and Report Manager]

Slide 152: Reading Log Messages — Traffic Monitor & Log and Report Manager
- Log messages are stored in a SQL database
- Human readable
- Traffic Monitor displays the log messages in real time
- Review log messages with Log and Report Manager

Slide 153: Playing Log Messages — HostWatch
- Graphical display of live connections
- Watch network traffic in real time
- One-click access to more details on any connection
- Prevent unauthorized access by blocking sites instantly

Slide 154: Report Server & Log and Report Manager
- Automatic daily reporting, weekly summary, per-client or on-demand reports
- Multi-device
- Fast and reliable (SQL DB benefits)
- Reports on the full set of UTM capabilities (Firewall / AV / Antispam / Web Filtering / etc.)

Slide 155: Alarms and Notifications
- Notifications by SNMP traps, email, or a popup window on the management computer
- Log Server configuration includes email notification settings

Slide 156: SNMP
- Fireware XTM supports SNMP
- SNMP MIBs can be polled by an SNMP management computer
- SNMP v3 supported (encryption)

Slide 157: Management Server (section title)

Slide 158: Management Server
- Management Server is the WSM multi-box management tool
- Management Server requires a license, depending on the number of devices you want to manage
- The Management Server provides:
  - X.509 PKI infrastructure
  - Drag-and-drop managed branch office VPN
  - Configuration templates
  - Scheduled tasks
  - Role-based access control

Slide 159: Management Server and WSM
- Connect to the Management Server instead of connecting to a single device in WSM.
- When connected to the server, all the devices managed by the Management Server appear.
- No need to use status and configuration passphrases; they are centrally stored by the Management Server. Only the Management Server credentials are needed.

Slide 160: Certificate Authority
- The Management Server is a Certificate Authority
  - For Branch Office VPN
  - For Mobile VPN
- The Management Server can automatically generate certificates for drag-and-drop branch office VPN tunnels

Slide 161: Drag-and-Drop Branch Office VPN
- Drag one device to another to create a secure branch office VPN tunnel
- Support for multiple WatchGuard platforms
- Simplicity lowers administrative costs
- VPN configurations are distributed automatically by the Management Server

Slide 162: Configuration Templates
- Device Configuration Templates are applied to XTM devices
- Template policies supplement the policies already on the XTM device; they do not replace them
- Drag-and-drop to apply a template to an XTM device of the same version
[Diagram: Management Server applying a template over the Internet to client XTM devices]

Slide 163: Configuration Templates (cont.)
- Template properties include:
  - Policies (including proxies)
  - Logging settings
  - Application Blocking
  - Schedules
  - spamBlocker
  - Gateway AV/IPS
  - WebBlocker
  - Quarantine settings
  - Inheritance Settings
  - Object Deletion Settings

Slide 164: Scheduled Tasks
- OS updates
- Template application for policy updates
- Feature key synchronization
- Scheduled reboot
- Lease expiration

Slide 165: Role-Based Administration
- Allows different XTM administrators to have different levels of access to different firewalls
- Integration with AD or local users
- Requires Management Server
[Diagram: XTM devices in Paris (two), Seattle and London; administrator roles Paris Admin, Super Admin and WebBlocker Admin]

Slide 166: Role-Based Administration (cont.)
- Custom and predefined roles

Slide 167: Thanks!
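The role-based administration slides (165 and 166) describe a role as two things at once: a set of actions and a set of firewalls on which those actions are allowed, with the diagram showing a Paris Admin confined to the Paris devices while the Super Admin and WebBlocker Admin span every site. The Python below is an added example written for this page, not WatchGuard code, that models such a check as deny by default with roles resolved through directory group membership ("integration with AD or local users"). The three predefined role names are taken from the slide 165 diagram; the device names, permission names, the "Read Only" custom role, the group-to-role mapping and the sample administrators are constructed.

```python
"""Role-based administration over managed XTM devices (slides 165 and 166).

Added example written for this page, not WatchGuard code.  Each administrator
holds roles via group membership, each role carries a set of permissions and
the set of devices it applies to, and the check is deny by default.  Device
names, permission names, the "Read Only" role, the group mapping and the
sample administrators are constructed; the other role names are from the
slide 165 diagram.
"""
from dataclasses import dataclass

# Constructed inventory of managed devices and administrative permissions.
DEVICES = frozenset({"paris-1", "paris-2", "seattle", "london"})
PERMISSIONS = frozenset({"view", "edit-policy", "edit-webblocker", "reboot"})


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset   # what the role may do ...
    devices: frozenset       # ... and on which managed devices


# Predefined roles (names from slide 165) plus one constructed custom role (slide 166).
ROLES = {
    "Super Admin": Role("Super Admin", PERMISSIONS, DEVICES),
    "Paris Admin": Role("Paris Admin", PERMISSIONS, frozenset({"paris-1", "paris-2"})),
    "WebBlocker Admin": Role("WebBlocker Admin", frozenset({"view", "edit-webblocker"}), DEVICES),
    "Read Only": Role("Read Only", frozenset({"view"}), DEVICES),
}

# Constructed directory group -> role mapping and group membership per administrator.
GROUP_ROLES = {
    "FW-Paris-Admins": "Paris Admin",
    "FW-WebBlocker": "WebBlocker Admin",
    "FW-SuperAdmins": "Super Admin",
    "FW-Auditors": "Read Only",
}
USER_GROUPS = {
    "alice": {"FW-Paris-Admins"},
    "bob": {"FW-WebBlocker", "FW-Auditors"},
    "carol": {"FW-SuperAdmins"},
    "dave": {"Domain Users"},          # member of no firewall admin group at all
}


def roles_for(user):
    """Resolve a user's roles through group membership; unmapped groups grant nothing."""
    return [ROLES[GROUP_ROLES[g]] for g in USER_GROUPS.get(user, set()) if g in GROUP_ROLES]


def is_permitted(user, permission, device):
    """Deny by default: some role must cover both the device and the permission."""
    if device not in DEVICES or permission not in PERMISSIONS:
        return False
    return any(device in r.devices and permission in r.permissions for r in roles_for(user))


def effective_access(user):
    """Per-device permission summary for a least-privilege review of one administrator."""
    return {
        d: sorted(p for p in PERMISSIONS if is_permitted(user, p, d))
        for d in sorted(DEVICES)
        if any(is_permitted(user, p, d) for p in PERMISSIONS)
    }


if __name__ == "__main__":
    for who in sorted(USER_GROUPS):
        print(who, effective_access(who))
```

`effective_access` is the part a reviewer actually uses: it turns the role definitions into the concrete "who can do what, where" list that a periodic access review compares against what each administrator needs.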