forcepoint ngfw - blue bridge grupė ngfw security management center perimeter firewall creating an...

Copyright © 2017 Forcepoint. All rights reserved. Forcepoint NGFW Securing people and assets in an unsecure world Veli-Pekka Kusmin, Senior Sales Engineer April 2017


Page 1: Forcepoint NGFW - Blue Bridge grupė NGFW Security Management Center Perimeter firewall Creating an advanced distributed firewall security inside distributed virtual appliances

Copyright © 2017 Forcepoint. All rights reserved.

Forcepoint NGFW

Securing people and assets in an unsecure world

Veli-Pekka Kusmin, Senior Sales Engineer

April 2017

Page 2

NEW COMPANY, UNIQUELY FORMED TO OFFER A NEW APPROACH TO SECURITY

Commercial Leader with

Content Security & DLP

Cloud / On-Premise / Hybrid

Pioneer on Cyber Frontlines with

Financial Resources

Deep Understanding of Threat Detection

Networking Innovator with

Advanced Evasion Prevention

Security at Scale

Page 3

▶ 2,500 Employees

▶ 155 Countries

▶ 50 Offices

▶ 2,500 Partners

▶ Average Support CSAT 8.7-8.9

▶ 380 Patents & Patent Applications

▶ 27 Data Centers

Headquarters, Austin, TX

Engineering & Operations

Cloud Data Center

Sales & Support

AMERICAS EMEA APAC

FORCEPOINT 2017

Page 4

PROTECTING THE HUMAN POINT

Where critical data and IP are most valuable – and most vulnerable

Forcepoint NGFWs connect and protect people and data at the point they come together – the Human Point

Page 5

Forcepoint Core Products

2017 Network Security:

Forcepoint Next Generation Firewall

Page 6

WHAT FORCEPOINT NEXT GENERATION FIREWALL IS ALL ABOUT

Unique innovation with direct impact in each area

Unified capabilities & management everywhere – physical, virtual, cloud

Managed Service Provider (MSP) support

High-availability clustering for firewalls and WANs

IPS built in with pioneering anti-evasion defenses

Encrypted traffic inspection that’s transparent and maintains user privacy

Business value that can be measured every day

Highest Efficiency, Availability, Security

Security ecosystem powered from the Cloud

Slash theft, not performance.

Eliminate downtime.

Cut TCO burden up to 50%.

At the center of Networking and Security

Connect and Protect seamlessly across Data Centers – Edge – Branches – Cloud

NETWORKING SECURITY

Page 7

FORCEPOINT PRODUCTS WORK TOGETHER

Cloud-Assisted Security (industry-leading advanced protection)

IP & File Reputation

Installation Cloud

Email Security

Web Security

CASB

DLP for Cloud Apps

Advanced Malware Detection

URL Filtering

Centralized NGFW Management (self-administered or via MSP)

NGFW Security Management Center (SMC)

NGFW Appliances (unified operation & performance across all deployments)

Physical, Virtual, Cloud

Cloud: AWS, Azure (coming)

Virtual: KVM, VMware ESXi, VMware NSX

Customizable Interfaces

Page 8

FORCEPOINT APPLIANCES

6200 Series: Max 66 interfaces; FW 240 Gbps, IPS & NGFW 21 Gbps

3300 Series: Max 35 interfaces; FW 80-160 Gbps, IPS & NGFW 9-11 Gbps

1400 Series: Max 20 interfaces; FW 30-40 Gbps, IPS & NGFW 3-4.5 Gbps

1000 Series: Max 12 interfaces; FW 10-20 Gbps, IPS & NGFW 400 Mbps-1.2 Gbps

300 Series (desktop): 5 interfaces + opt. 2 modules and WLAN on 325; FW 4 Gbps, IPS & NGFW 200 Mbps

320X (ruggedized): 4 interfaces + WLAN; FW 2 Gbps, IPS & NGFW 200 Mbps

100 Series (desktop): 10 interfaces (8 switch ports) + WLAN on 325; FW 1.5 Gbps, IPS & NGFW 50 Mbps

Diagram labels: Branch; Office; Data Center; Campus; Edge; SOHO

CLOUD: AWS, Azure (coming)

VIRTUAL: KVM, VMware ESXi & ESX

Page 9

FORCEPOINT NGFW POSITIONS IN THE NETWORK

Diagram labels: SMC; NGFW (IPS); NGFW (FW/VPN); NGFW IPS; VPN; CRM Web interface; ERP Web interface; Web interface; Subcontractor; Data; Remote office; Headquarters; Mobile user; Partner; Remote user; DMZ; Internet; Low level of trust; High level of trust

Page 10

CONSISTENT CAPABILITIES, POWERED BY A UNIFIED CORE

Managed Service Provider Ready

Centrally Managed at Scale

Up to 2000 systems from one console

Branch

Edge

Cloud

Data Center

Page 11

Multi-Link Networking

Connectivity, Availability, Efficacy, Scalability, Manageability, Visibility

Interior Connectivity

Cloud Connectivity

Multi-Site VPNs

Edge Connectivity

Multi-Link Networking

Branch Connectivity

Plug & Play Deployment

Zero-Downtime Upgrade

Advanced Evasion Techniques

Resilient Architecture

Page 12

HIGH AVAILABILITY – THE LEADING CLUSTERING TECHNOLOGY

Different Hardware Models

Different Firmware Versions

Up to 16 Active/Active Nodes

Transparent Failover

Hot-swap

Seamless Upgrades

No Traffic Interruptions

True

ADVANCED CLUSTERING

Page 13

HIGH AVAILABILITY, EFFICIENCY & PERFORMANCE FOR NETWORKS

ERP BACK UP

VOIP

BROADBAND

MPLS

3/4G

XDSL

SATELLITE

FIBER

CABLE

FTP

WEB

FORCEPOINT MULTI-LINK VPN

Centrally Managed

Inspected & Encrypted

Always-on

Always Optimized

Controlled Bandwidth

Controlled Costs

Page 14

MULTI-LINK TECHNOLOGY

Enterprise-class performance

Scalable and resilient site-to-site connectivity over multiple links and ISPs

Support for ISP load balancing

Supports multiple access technologies including DSL, MPLS, 3G

Bandwidth management with QoS

Diagram labels: HQ; Remote Site; Remote Site; 2Mbps + 2Mbps + 2Mbps = up to 6Mbps

Up to 90% Savings on MPLS costs

Page 15

MULTI-LINK TECHNOLOGY

Diagram labels: Internet; Location A; Location B; Business Critical Application Server; Non-Critical Application Server; 512Kbps; 512Kbps; NGFW Cluster

Demo

Traffic Classification Prioritizing Network

High Availability Combined with Load-Balancing & QoS means Network Resiliency

Page 16

Multilayer Inspection

Connectivity, Availability, Efficacy, Scalability, Manageability, Visibility

L2 Firewalls

VPN

NGFW

IPS

Resilient Architecture

Proxies

AP-WEB Security

Multi-Link Networking

Sandboxing

URL Filtering

Zero-Downtime Upgrade

Advanced Evasion Techniques

Page 17

MULTI-LAYER INSPECTION ARCHITECTURE

TRAFFIC CONTROL
• USER CONTROL
• APPLICATION CONTROL
• URL CATEGORIZATION

ACCESS CONTROL
• ANTI-SPOOFING
• IP REPUTATION
• GEO-PROTECTION
• INVALID CONNECTIONS

NORMALIZATION
• FULL PROTOCOL NORMALIZATION
• TRAFFIC DECRYPTION

DEEP INSPECTION
• VULNERABILITY-CENTRIC
• ANOMALY DETECTION

APPLICATION PROXY
• WHITELIST APPLICATION VERSIONS
• WHITELIST APPLICATION COMMANDS

MALWARE CONTROL
• FILE FILTERING
• FILE REPUTATION
• ANTIMALWARE SCAN
• SANDBOXING

Diagram labels: Incoming Traffic; Outgoing Traffic; numbers 1 to 6; THREAT VOLUME; Resource Consumption; ADVANCED THREAT

Page 18

NETWORK EVASIONS

Page 19

NETWORK EVASIONS

Network Evasions are used here

Page 20

CERTIFICATIONS

Common Criteria with Network Device and Firewall Protection Profile for NGFW functions in March 2016

FIPS 140-2 crypto certification in January 2016

ANSSI French national security certification for NGFW

IPv6 certified against the USGv6 Firewall Conformance v1.3 test suite

Section 508 Accessibility

Page 21

3RD PARTY VALIDATION

Promote 3rd Party segment Analyst papers

IDC Business value paper (Feb 2017)

ESG: The Case for Modern Network Security Operations

ESG: Digital Transformation, Network Security, and Forcepoint

Promote 3rd Party Testing

NSS Labs NGFW report

NSS Labs IPS Report

NSS Labs Virtual Firewall Report

Page 22

99.9% SECURITY EFFECTIVENESS

100.0% BLOCKED APPLICATION-LAYER ATTACKS.

NSS LABS NGIPS TEST REPORT

Page 23

NSS LABS CAWS REPORT

NSS Labs' Cyber Advanced Warning System (CAWS) platform enables continuous validation of layered network security defenses

Demo

Page 24

Smart Policy

Connectivity, Availability, Efficacy, Scalability, Manageability, Visibility

Automated Workflow

Delegated roles

Centralized Configuration & Monitoring

Optimized Virtual/SaaS Performance

16-Node Mixed Clusters

Page 25

WHAT DO YOU THINK?

Question: Number of required edits to add 4 policy rules in a 500-firewall network?

NO CENTRALIZED MGMT: firewall:policy ratio 1:1, number of edits 2000

CHECKPOINT: firewall:policy ratio 50:1, number of edits 40

FORCEPOINT: firewall:policy ratio 2000:1, number of edits 4

Page 26

SIMPLIFIED POLICY WITH HIERARCHICAL STRUCTURE

The Stonesoft policy structure is a hierarchy based on templates, which allows you to reduce the need for creating the same or similar rule in several policies.

► Policies follow the template changes automatically

► Main policy can contain jumps to Sub-Policies

► By using aliases you can use the same policy for several engines

Diagram labels: POLICY TEMPLATE; MAIN POLICY; SUB POLICY 1; SUB POLICY 2

EXAMPLE

Template B contains rules defined in Template A + rules in Sub-Policies + rules defined directly in Template B.

Diagram labels: Template A; Template B; Sub-Policies; Policy

Page 27

REDUCING POLICY RULES

CUSTOMER CASE

French customer

Reduced firewall rules from 10k to 2k within a couple of days

Demo

FIND DUPLICATE AND UNUSED POLICY RULES

Stonesoft Firewall rules contain a “Hits Cell” that can show how many times each rule in your Firewall Policy has matched actual network traffic. You can scan for, identify, and merge similar rules (a common set of parameters) and delete duplicate or unused rules to keep rule sets manageable.

Page 28

Audit & GDPR Friendly

Connectivity, Availability, Efficacy, Scalability, Manageability, Visibility

Automated Workflow

Delegated Roles

Centralized Configuration & Monitoring

Interactive Investigation & Visualization

360° Reporting

Page 29

GENERAL DATA PROTECTION REGULATION

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Page 30

SMC – HOME VIEW

Page 31

SMC – LOGS VIEW

Page 32

FORCEPOINT NGFW V6.2 (RELEASED ON THE 3RD OF APRIL)

Industry’s best sandboxing – Forcepoint Advanced Malware Detection

More differentiation for MSPs – mission-critical app protection (Sidewinder Proxies)

Automated scalability for Virtualized Data Centers – OSC on VMware NSX

Automating admin & compliance – Policy Change Management Approvals

Even more IT efficiency – a Spotlight Search in SMC

Advanced control over network

SMC configuration of Protocol Independent Multicast (PIM) standard for multicast routing

DNS relay in NGFW – control DNS information given to internal networks

Customizable HTTP pages displayed when NGFW blocks pages

Page 33

ADVANCED MALWARE DETECTION SANDBOXING

Sandboxing and more to uncover malware techniques

Advanced Persistent Threats, Zero-Day Threats, and Advanced Malware

Provides deep content inspection analysis for unknown objects

Complements NGFW-based file reputation & malware scans

Based on proven sandboxing and dynamic detection technology

Diagram labels: INTERNET; Server or Workstation; Forcepoint Advanced Malware Detection; Files; Verdict

Verdict

• Trustworthy | Malicious

• Low | Medium | High Risk

• Unknown

Settings applied to Verdict to decide Allow or Block

Page 34

MANAGEABILITY – SECURITY PROXIES FOR MSPS

Network Security as a Service

Internal or external

Rich capabilities, including mission-critical proxies

Domains isolated per customer

Web portal access per domain (customer)

Role-based access at root and within domains

Domains inherit elements from shared domain

Diagram labels: Shared Domain; Customer 1 Domain; Customer 2 Domain; Customer 3 Domain

Page 35

SCALABILITY – AUTOMATION VIA OPEN SECURITY CONTROLLER

Deep packet inspection between layers & workloads

Granular controls, centrally implemented

Diagram labels: Distributed Virtual hosts; Web Security Group; App Security Group; DB Security Group; Distributed Firewall Security; east/west; north/south; VMware NSX Agent; Network; Open Security Controller; Forcepoint NGFW; Security Management Center; Perimeter firewall

Creating an advanced distributed firewall security inside distributed virtual appliances

Page 36

MANAGEABILITY – POLICY MANAGEMENT & APPROVALS

Policy snapshots always tracked

Review

Compare

Two-person approval can be enabled

For compliance practices

1 REQUEST Policy Change

2 PENDING Changes Visible on SMC

3 COMMIT Changes

4 APPROVE One-by-One or All Together

Need Approval? (N / Y)

4a VIEW Detailed Changes

Page 37

WHAT ANALYSTS SAY ABOUT FORCEPOINT

Gartner Magic Quadrant:

• “[Forcepoint] firewall has long been a leader in high-availability”

• “[Forcepoint] focused early on anti-evasion technology, and as attacks evolved, it protected customers well”

NSS Labs NGFW & NGIPS tests

• RECOMMENDED – NGFW (4 times in a row) and NGIPS

• Continuously leading the pack in CAWS testing

Page 38

WHY CUSTOMERS SELECT FORCEPOINT NGFW

Efficiency: Cutting TCO Burden

Best centralized management, payback in 7 mon with 510% ROI (5Y)

Availability: Eliminating downtime

Best clustering/HA for firewalls and networks prevents 70% maintenance, 38% outages

Security: Stopping theft, not performance

High-performance IPS, decryption, VPN stops 69% more breaches

Enterprise-Grade

Payback, ROI, downtime and breach data from IDC Research

Page 39

BENCHMARKS AFTER DEPLOYING FORCEPOINT NGFW

86% Fewer Cyberattacks

69% Fewer Breaches

73% Faster Incident Response

53% Less IT Staff Time

70% Less Time to Deploy FW

70% Less Planned Maintenance

2017 IDC Business Value study

Page 40

Thank you!

Email: [email protected]

Phone: +358 40 4803199