7/30/2019 RSA 2012 SPO2-301_0306

1/13

Session ID:

Session Classification:

Mike Hamilton

BreakingPoint Systems

Firewall Fail: Live Next-Gen FirewallTesting to Expose Breaking Points

SPO2-301

Advanced

7/30/2019 RSA 2012 SPO2-301_0306

2/13

Agenda & Introduction

Todays Speaker:

Mike Hamilton Director of Global Sales Engineering

mhamilton@breakingpoint.com

Todays Topics:

Why next-generation firewalls?

The truth about testing next-generation firewalls Three Truths to get you started

Live test of a next-generation firewall

7/30/2019 RSA 2012 SPO2-301_0306

3/13

Youruniquenetworktraffic,

application,anduserneeds

The Truth Hurts: Find It Before They Do

Testnextgenfirewallswithyour

actualnetwork

behavior

and

applications

Thetruthaboutperformance

andsecurityofanynextgen

firewall

7/30/2019 RSA 2012 SPO2-301_0306

4/13

Today You Will Learn:

Three mistakes in testing next-gen firewalls that will lead tofailures

How to stay ahead of testingstandards in order to measurethe true performance of a next-generation firewall

The best way to choose a next-gen firewall for your uniqueapplication, security, and

capacity needs

7/30/2019 RSA 2012 SPO2-301_0306

5/13

CriticalApps:PrioritizedBandwidth

AcceptableApps:ManagedBandwidth

UnacceptableApps:

Blocked

Users/Groups PolicyApplicationChaosManyonPort80/443

Visualize &

Manage Policy

ControlIdentify Categorize

Malware Blocked

DeepPacket

Inspection

Why Deploy Next-Generation Devices?

7/30/2019 RSA 2012 SPO2-301_0306

6/13

Next-Gen Firewall Demands Next-Gen Testing

6

Applicationidentification

Applicationaccesscontrol

ApplicationQoS

Applicationlayerattack

SSL/TLSinspection

Malwarefiltering

7/30/2019 RSA 2012 SPO2-301_0306

7/13

7

Three Initial Truths

7/30/2019 RSA 2012 SPO2-301_0306

8/13

Truth 1: HTTP Is NOT an Application

7/30/2019 RSA 2012 SPO2-301_0306

9/13

Truth 2: Todays Applications/Threats Will Change

New applications introduced eachday

Constant changes to popular

applications such as email, IM, etc. New threats introduced each day

Vulnerabilities

DDoS evolution

Malware

New devices introduced each day

Mobile malware

Wireless to wired traffic

7/30/2019 RSA 2012 SPO2-301_0306

10/13

7/30/2019 RSA 2012 SPO2-301_0306

11/13

11

LIVE TESTING:

Finding the truth

7/30/2019 RSA 2012 SPO2-301_0306

12/13

Wrap It Up: Six Questions To Find The Truth

Ask your vendor*:

1. Are you keeping up with emerging testing standards?

2. What application mixes and weights do you use during testing?

3. Do you combine applications and high-stress user load duringtesting?

4. What have the results been when you have tested using

malformed traffic?

5. How does the firewall perform against application-layer attacks?

6. Can I test your product with my unique network, application, anduser conditions?

*Vendors, ask yourself the same questions.

12

7/30/2019 RSA 2012 SPO2-301_0306

13/13

Q & A