Barracuda CloudGen Firewall - arxes-tolina.de · Troubleshooting GTI & Live Status OPEX expenses...

Post on 08-May-2020



Barracuda CloudGen Firewall: Protection and Performance for the Cloud Era

Florian Vojtech, Sales Engineer

Industries: Transportation, Financial, Retail, Manufacturing, Industry, Broadcasting, Government, NGO, Healthcare, Legal, Food

CloudGen? Facebook is no longer the challenge

Technological and Digital Transformation

Cloud Service Utilization, Connected Things, Public Cloud Computing

There are new requirements, environments and operators.

Additional attack surface, new vulnerabilities and threats

NextGen + SD-WAN + Cloud Ready

Cloud Generation Firewall

• Speed of deployment?
• Initial Configuration?
• Cost of Deployment?
• Cost of small units?
• Virtual?
• Cloud?
• Mgmt. of hundreds of boxes?
• Multiple Admins?
• Audit & traceability?
• Ongoing OPEX?
• Compliance?
• Reporting?
• Cost?
• Control?
• Security?
• Availability?
• Multi-Provider Mgmt.?
• Performance / Bandwidth?

Data Theft

Spyware/Botnets

APT / Ransomware

Employee Productivity

Network Security / Hacking

Internet Access compliance

Operations

Security

Deployment

Connectivity & Secure SD-WAN

Challenges Barracuda CloudGen Firewalls Solve

Zero Touch Deployment

Pool Licensing

Disaster Recovery

Multi-Tenancy

Native Cloud

Hardware

Virtual

Central Management & Lifecycle

Granular Admin Concept

Revision Control

Troubleshooting

GTI & Live Status

OPEX expenses

Reporting

Multi-ISP

WAN compr.

VPN + SSL-VPN

Traffic Intelligence

Traffic Shaping / QoS

Virtual WAN Balancing

Application-Based Link Selection

IPS/IDS

SSL Interception

User Awareness

Antivirus / Web Filter

Stateful FW + AppDetect

Advanced Threat Protection (ATP) + Botnet & Spyware Detection


Security

Full Next-Generation Security (single pass inspection):

1.) Geo IP Control
2.) DoS / DDoS
3.) User Identity Awareness
4.) SSL Inspection
5.) Botnet & Spyware Protection
6.) Intrusion Prevention System (IPS)
7.) Application Control
8.) Web Filtering + Mail Security
9.) File Content Filter
10.) Malware Protection & Anti-Virus

Advanced Threat Protection: On-box + Cloud Service (Barracuda Global Threat Intelligence Network). The box uploads files for inspection, receives continuous updates and a Threat Intelligence Push from the cloud service.

1.) Advanced Signatures Analysis
2.) Behavioral & Heuristics Analysis
3.) Static Code Analysis
4.) Sandboxing (Detonation)

Advanced Threat Protection (ATP)

Supported Protocols
• HTTP/S
• SMTP/S
• POP3/S
• FTP

Decision flow (diagram): on-box malware protection, on-box IPS, on-box hash database and Filetype Policies decide to Block file or Allow file. Delivery modes:
• First Scan, Then Deliver
• First Deliver, Then Scan

Layered Defense-in-Depth
• CPU Emulation based Sandbox
• Analysis and detonation of advanced threats
• Scans 900+ attributes in seconds
• Examination of commands in code / scripts for common viral activities such as: file over-writes, replication, registry access, obfuscation techniques etc.
• Analysis of suspicious coding such as: excessively long timers and loops that run for days etc.
• Signatures collection from and shared with over 250,000 endpoints
• Multi-opined A/V engines
• Blocks spam, viruses, phishing, and other traditional malware

Analysis layers (diagram): Signatures Analysis, Static Analysis, Sandboxing (CPU emulation), Behavioral Analysis, Machine Learning

Static Analysis:
• Examines executable file without actually executing it
• De-obfuscates code constructs
• Rapid pre-filtering of malware prior to sandboxing
• >95% Efficiency

ATP: Botnet & Spyware Protection

DNS Sinkhole using hostname reputation DB (needs ATP)

(Diagram: Malware Host, Command & Control Server, Bots, DNS Sinkhole, ATP - Threat Intelligence. The bots ask "bad.com?"; the real C&C server bad.com is at 1.2.3.4, but ATP threat intelligence flags the hostname and the DNS Sinkhole answers bad.com with 1.1.1.1 instead.)
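The decision step behind that diagram, as an added example (not Barracuda's code): a resolver that answers flagged hostnames with the sinkhole address and records which clients asked, so the bots can be identified. The reputation DB, the upstream answers and the client addresses are constructed stand-ins; the sinkhole address 1.1.1.1 and the real C&C address 1.2.3.4 are the slide's values.

```python
# Added example, not Barracuda's code: the decision step of a DNS sinkhole
# as sketched in the slide. A query for a hostname that the reputation DB
# flags is answered with the sinkhole address instead of the real one, and
# the querying client is recorded so infected hosts can be found later.
from dataclasses import dataclass, field

SINKHOLE_IP = "1.1.1.1"  # the sinkhole answer shown on the slide

# Constructed stand-in for the ATP hostname reputation DB (hostname -> category).
REPUTATION_DB = {"bad.com": "c2"}

# Constructed stand-in for the upstream resolver's real answers.
UPSTREAM = {"bad.com": "1.2.3.4", "example.org": "203.0.113.10"}


@dataclass
class DnsSinkhole:
    reputation: dict
    upstream: dict
    sinkhole_ip: str = SINKHOLE_IP
    hits: list = field(default_factory=list)  # (client_ip, qname, category)

    @staticmethod
    def _normalize(qname: str) -> str:
        # DNS names are case-insensitive and may carry a trailing dot.
        return qname.rstrip(".").lower()

    def lookup_reputation(self, name: str):
        # A flagged domain covers its subdomains too: walk from the full
        # name up to the registrable parent and stop at the first hit.
        labels = name.split(".")
        for i in range(len(labels) - 1):
            category = self.reputation.get(".".join(labels[i:]))
            if category:
                return category
        return None

    def resolve(self, client_ip: str, qname: str):
        name = self._normalize(qname)
        category = self.lookup_reputation(name)
        if category:
            self.hits.append((client_ip, name, category))
            return self.sinkhole_ip
        return self.upstream.get(name)  # None stands for NXDOMAIN here

    def infected_clients(self) -> list:
        # Clients that asked for a flagged hostname: the bots in the diagram.
        return sorted({client for client, _, _ in self.hits})


if __name__ == "__main__":
    sinkhole = DnsSinkhole(REPUTATION_DB, UPSTREAM)
    print(sinkhole.resolve("10.0.0.5", "bad.com."))     # 1.1.1.1, not 1.2.3.4
    print(sinkhole.resolve("10.0.0.7", "Cdn.BAD.com"))  # 1.1.1.1 (subdomain)
    print(sinkhole.resolve("10.0.0.5", "example.org"))  # 203.0.113.10
    print(sinkhole.infected_clients())                  # ['10.0.0.5', '10.0.0.7']
```

The hits list is the detection value of a sinkhole: every client that resolves a flagged name is a host to investigate, whether or not the real C&C server is still reachable.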

App Detection - Protect the Business

• Control and throttle acceptable traffic

• Preserve bandwidth and speed-up business critical applications

User Awareness

Authentication sources (diagram): NTLM, LDAP/S, RSA SecurID, x.509, TACACS+, SMS Passcode (VPN), Local authentication database, Microsoft TS, Citrix TS, Active Directory DC Agent, TS Agent, Wi-Fi Controllers, RADIUS

URL Filtering

• URL filter service with 96 categories

• Customizable response pages

• Allow / Block / Alert / Warn & Continue / Override

• White & Blacklists

File Content & User Agent Control

Connectivity & Secure SD-WAN

Application-Based Provider Selection

(Diagram: Application Control classifies traffic as Custom App, General or Games and maps each class to a provider: use X, use Y, use Z, or use Y or Z, with the providers labelled ISP X, ISP Y and ISP Z. Also shown: Application Usage & Risk Report.pdf)

Traffic Intelligence / WAN Virtualization

(Six slides show two sites linked by xDSL and MPLS, with LTE added on the later slides, and the QoS band allocations for each step:)

• Links: xDSL, MPLS (topology only)
• Links: xDSL, MPLS. Surfing: 50% Class2; Email: 50% Class1; VoIP: 50% NoDelay; Business: 50% Class1
• Links: xDSL, MPLS. VoIP: 70% NoDelay; Business: 70% Class1; Email: 20% Class2; Surfing: 10% Class3
• Links: xDSL, MPLS, LTE. VoIP: 90% NoDelay; Business: 90% Class1; Email: 10% Class2; No surfing, only important applications
• Links: xDSL, MPLS, LTE. VoIP: 70% NoDelay; Business: 70% Class1; Email: 20% Class2; Surfing: 10% Class3
• Links: xDSL, MPLS, LTE. Surfing: 50% Class2; Email: 50% Class1; VoIP: 50% NoDelay; Business: 50% Class1

Virtual WAN Balancing

Up to 24 Transports for one Tunnel

Session Balancing / Packet Balancing

WAN Optimization

• De-Duplication & Data Caching

• Multiple Transport modes (Encapsulation)

• Compression (Stream/Packet)

• Application Acceleration

(Diagram: De-Duplication, Compression, Application Accel., Caching on both ends; transport modes: TCP encapsulation, UDP encapsulation, HYBRID encapsulation)

Dynamic Bandwidth/Latency Detection

• Initial Active Probing and Monitoring

• Passive Probing every 15mins

• Active Re-Probing every 60mins

Performance-based Traffic Selection

• Selection based on "Connection Object"

• Configuration per access/application rule

Adaptive Bandwidth Protection

• NoDelay (VoIP) QoS band is always prioritized over standard traffic

• Reserves 30% for NoDelay traffic

• Reserves 70% for standard traffic

• Traffic Duplication for VoIP

Dynamic Meshed VPN

(Diagram: HQ with Branch 1 to Branch 6, shown over four steps:)

• Classic Hub&Spoke setup
• Hub detects traffic between branches
• Hub triggers automatic configuration update
• Branches create temporary tunnels

Effective Operations

VPN is hard to setup, to maintain, to troubleshoot?

User VPN access (diagram)

• Users: Road Warrior, Ad Hoc, Home Office
• Access methods: CudaLaunch app, Browser-based SSL VPN, VPN & NAC Client
• Targets: Public Cloud, Private Cloud, Internal Apps (Hosted in Public Cloud, Hosted on-premises)

Barracuda’s Industry and IoT Solutions

Security Connectivity

Security: From Individualism to Patterns

Connectivity

The Barracuda Approach

Interaction between IT and OT

Rollout with ZTD

(Diagram: SC, SC, SC, SC, SC; MASB)

Design of a smart Factory 4.0

Blueprint for Industry 4.0 (IoT/ICS)

Supporting Industrial Protocols

S7 Sub-Protocols:

• S7 UserData - Mode Transition, S7 Stop, S7 Warm Restart, S7 Run, S7 UserData - Cyclic Data, S7 Cyclic Data Unsubscribe, S7 Cyclic Data Memory, S7 Cyclic Data DB, S7 UserData - Block Functions, S7 List Blocks, S7 List Blocks of Given Type, S7 Get Block Info, S7 UserData - CPU Functions, S7 Read SZL, S7 Notify Indication, S7 Alarm-8 Indication, S7 Alarm-8 Unlock, S7 Alarm Ack, S7 Alarm Ack Indication
• S7 Alarm Lock Indication, S7 Alarm Query, S7 Message Service, S7 Notify-8 Indication, S7 Diagnostic Message, S7 Alarm-8 Lock, S7 Scan Indication, S7 Alarm Unlock Indication, S7 Alarm-SQ Indication, S7 Alarm-S Indication, S7 UserData - Time Functions, S7 Read Clock, S7 Set Clock, S7 UserData - Programmer Commands, S7 Remove Diagnostic Data, S7 Erase, S7 Request Diagnostic Data, S7 Variable Table, S7 Read Diagnostic Data
• S7 Forces, S7 UserData - Other Functions, S7 PLC Password, S7 PBC BSend/BRecv, S7 Request/Response, S7 PLC Stop, S7 Write, S7 Download, S7 CPU Services, S7 Upload, S7 PLC Control, S7 Setup Communication, S7 Read, S7 Other, S7 Ack, S7 Server Control, S7 User Data, S7Comm (legacy)

IEC 60870-5-104 Sub-Protocols (each entry is prefixed "IEC 60870-5-104" on the slide):

• Process Information in Monitoring Direction, Integrated Totals with Time Tag, Single Command, Measured Value - Short Floating Point Number, Packed Start Events of Protection Equipment with Time Tag, Set Point Command - Normalized Value, Packed Single-Point Information with Status Change Detection, System Information in Monitoring Direction, Set Point Command - Scaled Value, Measured Value - Normalized Value without Quality Descriptor, End of Initialization, Set Point Command - Normalized Value with Time Tag, Single-Point Information with Time Tag, System Information in Control Direction, Regulating Step Command, Measured Value - Short Floating Point Number with Time Tag, Counter Interrogation Command, Bitstring of 32 Bits, Packed Output Circuit Information of Protection Equipment with Time Tag, Read Command, Single Command with Time Tag, Double-Point Information, Interrogation Command, Set Point Command - Short Floating Point Number with Time Tag
• Step Position Information, Reset Process Command, Bitstring of 32 Bits with Time Tag, Measured Value - Scaled, Delay Acquisition Command, Double Command, Integrated Totals, Test Command with Time Tag, Set Point Command - Short Floating Point Number, Double-Point Information with Time Tag, File Transfer, Double Command with Time Tag, Step Position Information with Time Tag, File Ready, Regulating Step Command with Time Tag, Section Ready, Set Point Command - Scaled Value with Time Tag, Event of Protection Equipment with Time Tag, Directory, Parameter in Control Direction, Single-Point Information, Call Directory, Select File, Call File, Call Section, Parameter of Measured Value - Normalized Value, Bitstring of 32 Bit, ACK File - ACK Section, Parameter of Measured Value - Scaled Value

IEC 61850 Sub-Protocols: IEC 61850 Goose, IEC 61850 SMV, IEC 61850 MMS, IEC 61850 General

MODBUS Sub-Protocols:

• MODBUS Data Access, MODBUS Read Coils, MODBUS Read Discrete Inputs, MODBUS Read Holding Registers, MODBUS Write Single Register, MODBUS Read/Write Multiple Registers, MODBUS Write Single Coil, MODBUS Write Multiple Coils, MODBUS Write Multiple Registers
• MODBUS Mask Write Register, MODBUS Read FIFO Queue, MODBUS Read Input Register, MODBUS File Access, MODBUS Read File Record, MODBUS Write File Record, MODBUS Diagnostics, MODBUS Read Exception Status, MODBUS Get Communication Event Log
• MODBUS Report Server ID, MODBUS Diagnostic Check, MODBUS Get Communication Event Counter, MODBUS Encapsulated Interface Transport, MODBUS Read Device Identification, MODBUS CAN-Open General Reference, Modbus (legacy)

DNP3 Sub-Protocols:

• DNP3 Control Functions, DNP3 Operate, DNP3 Select, DNP3 Direct Operate, DNP3 Direct Operate no ACK, DNP3 Time Synchronization, DNP3 Delay Measurement, DNP3 Record Current Time, DNP3 Transfer Functions, DNP3 Read, DNP3 Write, DNP3 Confirm, DNP3 Application Control, DNP3 Cold Restart, DNP3 Initialize Application, DNP3 Authentication Request
• DNP3 Start Application, DNP3 Stop Application, DNP3 Warm Restart, DNP3 Initialize Data, DNP3 Configuration, DNP3 Save Configuration, DNP3 Enable Spontaneous Messages, DNP3 Assign Class, DNP3 Disable Spontaneous Messages, DNP3 Activate Configuration, DNP3 Response Messages, DNP3 Unsolicited Response, DNP3 Authentication Response, DNP3 Response, DNP3 Other
• DNP3 Authentication Error, DNP3 Freeze Functions, DNP3 Freeze and Clear, DNP3 Freeze with Time, DNP3 Immediate Freeze, DNP3 Freeze and Clear no ACK, DNP3 Immediate Freeze no ACK, DNP3 Freeze with Time no ACK, DNP3 File Access, DNP3 Open File, DNP3 Delete File, DNP3 Abort File, DNP3 Authenticate File, DNP3 Close File, DNP3 Get File Info

FSC2 Family

FSC2.0

Deployment

Hardware – Entry Level / Branch Offices

| | F12 | F18 | F80 | F82.DSLA | F82.DSLB | F180 | F183 | F183R | F280 |
|---|---|---|---|---|---|---|---|---|---|
| Firewall Throughput | 1.2 Gbps | 1.0 Gbps | 1.5 Gbps | 1.5 Gbps | 1.5 Gbps | 1.7 Gbps | 2.0 Gbps | 2.1 Gbps | 3.7 Gbps |
| VPN Throughput | 220 Mbps | 190 Mbps | 240 Mbps | 240 Mbps | 240 Mbps | 300 Mbps | 300 Mbps | 320 Mbps | 1.1 Gbps |
| IPS Throughput | 400 Mbps | 400 Mbps | 400 Mbps | 400 Mbps | 400 Mbps | 500 Mbps | 580 Mbps | 790 Mbps | 1.2 Gbps |
| NGFW Throughput | 250 Mbps | 340 Mbps | 400 Mbps | 400 Mbps | 400 Mbps | 550 Mbps | 700 Mbps | 800 Mbps | 1.0 Gbps |
| Threat Prot. Throughput | 230 Mbps | 320 Mbps | 380 Mbps | 380 Mbps | 380 Mbps | 480 Mbps | 600 Mbps | 700 Mbps | 900 Mbps |
| Concurrent Sessions | 80,000 | 80,000 | 80,000 | 80,000 | 80,000 | 100,000 | 100,000 | 100,000 | 250,000 |
| New Sessions per Sec. | 8,000 | 8,000 | 8,000 | 8,000 | 8,000 | 9,000 | 9,000 | 9,000 | 10,000 |
| Form Factor | Desktop | Desktop | Desktop | Desktop | Desktop | Desktop | Desktop | Compact | Desktop |
| 1 GbE Copper | 5x | 4x | 4x | 4x | 4x | 6x | 6x | 5x | 6x |
| 1 GbE Fibre SFP | - | - | - | 1x | 1x | - | 2x | 2x | - |
| 10 GbE Fibre SFP+ | - | - | - | - | - | - | - | - | - |
| Integrated Switch | - | - | - | - | - | 8-port | - | - | 8-port |
| Integrated Modem | - | - | - | A, RJ11 | B, RJ45 | - | - | - | - |

Hardware – Mid Level

| | F380 | F400.STD | F400.F20 | F600.C10 | F600.C20 | F600.F10 | F600.F20 | F600.E20 |
|---|---|---|---|---|---|---|---|---|
| Firewall Throughput | 5.2 Gbps | 7.1 Gbps | 9.0 Gbps | 11 Gbps | 11 Gbps | 11 Gbps | 11 Gbps | 20 Gbps |
| VPN Throughput | 1.4 Gbps | 2.3 Gbps | 2.3 Gbps | 3.1 Gbps | 3.1 Gbps | 3.1 Gbps | 3.1 Gbps | 5.6 Gbps |
| IPS Throughput | 2.0 Gbps | 2.8 Gbps | 3.0 Gbps | 4.6 Gbps | 4.6 Gbps | 4.6 Gbps | 4.6 Gbps | 8.0 Gbps |
| NGFW Throughput | 1.4 Gbps | 2.2 Gbps | 3.0 Gbps | 4.2 Gbps | 4.2 Gbps | 4.2 Gbps | 4.2 Gbps | 6.4 Gbps |
| Threat Protection Throughput | 1.2 Gbps | 2.0 Gbps | 2.7 Gbps | 4.0 Gbps | 4.0 Gbps | 4.0 Gbps | 4.0 Gbps | 5.8 Gbps |
| Concurrent Sessions | 400,000 | 500,000 | 500,000 | 2,100,000 | 2,100,000 | 2,100,000 | 2,100,000 | 2,100,000 |
| New Sessions per Sec. | 15,000 | 20,000 | 20,000 | 115,000 | 115,000 | 115,000 | 115,000 | 115,000 |
| Form Factor | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 1U Rack |
| 1 GbE Copper | 8x | 8x | 8x | 12x | 12x | 8x | 8x | 8x |
| 1 GbE Fibre SFP | - | - | 4x | - | - | 4x | 4x | - |
| 10 GbE Fibre SFP+ | - | - | - | - | - | - | - | 2x |
| Power Supply | Single | Single | Dual | Single | Dual | Single | Dual | Dual |

Hardware – High Level

| | F800.CCC | F800.CCF | F800.CCE | F900.CCC | F900.CCE | F900.CFE | F900.CFEQ | F1000.CE0 | F1000.CE2 | F1000.CFE | F1000.CFEQ |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Firewall Throughput | 30 Gbps | 30 Gbps | 30 Gbps | 35 Gbps | 35 Gbps | 35 Gbps | 45 Gbps | 40 Gbps | 40 Gbps | 40 Gbps | 46 Gbps |
| VPN Throughput | 7.5 Gbps | 7.5 Gbps | 7.5 Gbps | 9.3 Gbps | 9.3 Gbps | 9.3 Gbps | 13.5 Gbps | 10 Gbps | 10 Gbps | 10 Gbps | 10.3 Gbps |
| IPS Throughput | 8.3 Gbps | 8.3 Gbps | 8.3 Gbps | 11.3 Gbps | 11.3 Gbps | 11.3 Gbps | 13 Gbps | 13 Gbps | 13 Gbps | 13 Gbps | 14 Gbps |
| NGFW Throughput | 7.7 Gbps | 7.0 Gbps | 7.0 Gbps | 8.0 Gbps | 8.0 Gbps | 8.0 Gbps | 12 Gbps | 10.2 Gbps | 10.2 Gbps | 10.2 Gbps | 13 Gbps |
| Threat Prot. Throughput | 7.6 Gbps | 7.6 Gbps | 7.6 Gbps | 11.5 Gbps | 11.5 Gbps | 11.5 Gbps | 11.5 Gbps | 4.0 Gbps | 4.0 Gbps | 4.0 Gbps | 12 Gbps |
| Concurrent Sessions | 2,500,000 | 2,500,000 | 2,500,000 | 4,000,000 | 4,000,000 | 4,000,000 | 4,000,000 | 10,000,000 | 10,000,000 | 10,000,000 | 10,000,000 |
| New Sessions per Sec. | 180,000 | 180,000 | 180,000 | 190,000 | 190,000 | 190,000 | 190,000 | 250,000 | 250,000 | 250,000 | 250,000 |
| Form Factor | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 1U Rack | 2U Rack | 2U Rack | 2U Rack | 2U Rack |
| 1 GbE Copper | 24x | 16x | 16x | 32x | 16x | 8x | 8x | 16x | 32x | 16x | 16x |
| 1 GbE Fibre SFP | - | 8x | - | - | - | 8x | 8x | - | - | 16x | 16x |
| 10 GbE Fibre SFP+ | - | - | 4x | - | 8x | 8x | 4x | 4x | 8x | 8x | 6x |

Virtual Deployment

| | VF10 | VF25 | VF50 | VF100 | VF250 | VF500 | VF1000 | VF2000 | VF4000 | VF8000 |
|---|---|---|---|---|---|---|---|---|---|---|
| # of protected IPs | 10 | 25 | 50 | 100 | 250 | 500 | unlimited | unlimited | unlimited | unlimited |
| Allowed Cores | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 4 | 8 | 16 |
| Available Subs: Malware Protection | - | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Available Subs: Adv. Threat Protection | - | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Available Subs: Adv. Remote Access | - | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Public Cloud Deployment

| | Level 1 | Level 2 | Level 4 | Level 6 | Level 8 |
|---|---|---|---|---|---|
| Virtual Cores | 1 | 1 | 2 | 4 | 8 |
| Protected IP Addresses | 10 | Unlimited | Unlimited | Unlimited | Unlimited |
| Available Subs: Malware Protection | Optional | Optional | Optional | Optional | Optional |
| Available Subs: Adv. Threat Protection | Optional | Optional | Optional | Optional | Optional |
| Available Subs: Adv. Remote Access | Optional | Optional | Optional | Optional | Optional |
| Available Subs: Premium Support | Optional | Optional | Optional | Optional | Optional |

Rollout Process = Disaster Recovery

Zero Touch Deployment

Deliver – Plug in – Play (manage)

Zero Touch Deployment

Lean IT
• Zero-touch self-provisioning hardware for rapid deployment
• No on-site IT needed

Rollout steps:
• Order the NGF appliance
• Configure NGF remotely
• Appliance arrives at location
• Plug in the NGF appliance
• Appliance self-provisioning

ZTD Portal (diagram):
1 NGF contacts ZTD Service
3 ZTD sends basic config to NGF

Thank You