Copyright © 2017 Forcepoint. All rights reserved.
Forcepoint NGFW
Securing people and assets in an unsecure world
Veli-Pekka Kusmin, Senior Sales Engineer
April 2017
Commercial Leader with
Content Security & DLP
Cloud / On-Premise / Hybrid
Pioneer on Cyber Frontlines with
Financial Resources
Deep Understanding of Threat Detection
Networking Innovator with
Advanced Evasion Prevention
Security at Scale
NEW COMPANY, UNIQUELY FORMED TO
OFFER A NEW APPROACH TO SECURITY
▶ 2,500 Employees
▶ 155 Countries
▶ 50 Offices
▶ 2,500 Partners
▶ Average Support CSAT 8.7-8.9
▶ 380 Patents & Patent Applications
▶ 27 Data Centers
Headquarters, Austin, TX
Engineering & Operations
Cloud Data Center
Sales & Support
AMERICAS EMEA APAC
FORCEPOINT 2017
Where critical data and IP are most valuable – and most vulnerable
PROTECTING THE HUMAN POINT
Forcepoint NGFWs connect and protect people and data at the point they come together – the Human Point
Forcepoint Core Products
2017 Network Security:
Forcepoint
Next Generation Firewall
WHAT FORCEPOINT NEXT GENERATION FIREWALL IS ALL ABOUT
Unique innovation with direct impact in each area
Unified capabilities & management everywhere – physical, virtual, cloud
Managed Service Provider (MSP) support
High-availability clustering for firewalls and WANs
IPS built in with pioneering anti-evasion defenses
Encrypted traffic inspection that’s transparent and maintains user privacy
Business value that can be measured every day
Highest Efficiency, Availability, Security
Security ecosystem powered from the Cloud
Slash theft, not performance.
Eliminate downtime.
Cut TCO burden up to 50%.
At the center of Networking and Security
Connect and Protect seamlessly across Data Centers – Edge – Branches – Cloud
NETWORKING SECURITY
IP & File Reputation
Installation Cloud
Physical, Virtual, Cloud
NGFW Security Management Center (SMC)
FORCEPOINT PRODUCTS WORK TOGETHER
Cloud-Assisted Security
(industry-leading advanced protection)
NGFW Appliances (unified operation & performance across all deployments)
Centralized NGFW Management
(self-administered or via MSP)
Email Security
Web Security
CASB
DLP for Cloud Apps
Cloud: AWS, Azure (coming)
Virtual: KVM, VMware ESXi, VMware NSX
Customizable Interfaces
Advanced Malware Detection
URL Filtering
FORCEPOINT APPLIANCES
6200 Series: Max 66 interfaces
FW 240 Gbps, IPS & NGFW 21 Gbps
1000 Series: Max 12 interfaces
FW 10-20 Gbps, IPS & NGFW 400 Mbps-1.2 Gbps
300 Series (desktop)
5 interfaces + opt. 2 modules and WLAN on 325
FW 4 Gbps, IPS & NGFW 200 Mbps
1400 Series: Max 20 interfaces
FW 30-40 Gbps, IPS & NGFW 3-4.5 Gbps
Branch
Office
Data Center
Campus
Edge
320X (ruggedized)
4 interfaces + WLAN
FW 2 Gbps, IPS & NGFW 200 Mbps
SOHO
3300 Series: Max 35 interfaces
FW 80-160 Gbps, IPS & NGFW 9-11 Gbps
100 Series (desktop)
10 interfaces (8 switch ports) + WLAN on 325
FW 1.5 Gbps, IPS & NGFW 50 Mbps
CLOUD: AWS, Azure (coming)
VIRTUAL: KVM, VMware ESXi & ESX
FORCEPOINT NGFW POSITIONS IN THE NETWORK
[Diagram labels: SMC; NGFW (FW/VPN); NGFW (IPS); VPN; Internet; DMZ; Headquarters; Remote office; Data; CRM Web interface; ERP Web interface; Web interface; Subcontractor; Partner; Mobile user; Remote user. Scale: Low level of trust to High level of trust.]
CONSISTENT CAPABILITIES, POWERED BY A UNIFIED CORE
Managed Service Provider Ready
Centrally Managed at Scale
Up to 2000 systems from one console
Branch
Edge
Cloud
Data Center
Multi-Link Networking
Connectivity
Availability
Efficacy
Scalability
Manageability
Visibility
Interior Connectivity
Cloud Connectivity
Multi-Site VPNs
Edge Connectivity
Multi-Link Networking
Branch Connectivity
Plug & Play Deployment
Zero-Downtime Upgrade
Advanced Evasion Techniques
Resilient Architecture
HIGH AVAILABILITY – THE LEADING CLUSTERING TECHNOLOGY
Different Hardware Models
Different Firmware Versions
Up to 16 Active/Active Nodes
Transparent Failover
Hot-swap
Seamless Upgrades
No Traffic Interruptions
True ADVANCED CLUSTERING
HIGH AVAILABILITY, EFFICIENCY & PERFORMANCE FOR NETWORKS
ERP BACK UP
VOIP
BROADBAND
MPLS
3/4G
XDSL
SATELLITE
FIBER
CABLE
FTP
WEB
FORCEPOINT
MULTI-LINK VPN
Centrally Managed
Inspected & Encrypted
Always-on
Always Optimized
Controlled Bandwidth
Controlled Costs
MULTI-LINK TECHNOLOGY
Enterprise-class performance
Scalable and resilient site-to-site connectivity over multiple links and ISPs
Support for ISP load balancing
Supports multiple access technologies including DSL, MPLS, 3G
Bandwidth management with QoS
[Diagram: links between HQ and Remote Sites: 2Mbps + 2Mbps + 2Mbps = up to 6Mbps]
Up to 90% Savings on MPLS costs
MULTI-LINK TECHNOLOGY
Internet
Location B
Business
Critical Application
Server
Non-Critical
Application
Server
Location A
512Kbps
512Kbps
Demo
Traffic Classification
Prioritizing Network
High Availability Combined with Load-Balancing & QoS means Network Resiliency
NGFW
Cluster
Multilayer Inspection
L2 Firewalls
VPN
NGFW
IPS
Resilient Architecture
Proxies
AP-WEB Security
Multi-Link Networking
Sandboxing
URL Filtering
Zero-Downtime Upgrade
Advanced Evasion Techniques
Connectivity
Availability
Efficacy
Scalability
Manageability
Visibility
MULTI-LAYER INSPECTION ARCHITECTURE
TRAFFIC CONTROL
• USER CONTROL
• APPLICATION CONTROL
• URL CATEGORIZATION
ACCESS CONTROL
• ANTI-SPOOFING
• IP REPUTATION
• GEO-PROTECTION
• INVALID CONNECTIONS
NORMALIZATION
• FULL PROTOCOL NORMALIZATION
• TRAFFIC DECRYPTION
DEEP INSPECTION
• VULNERABILITY-CENTRIC
• ANOMALY DETECTION
APPLICATION PROXY
• WHITELIST APPLICATION VERSIONS
• WHITELIST APPLICATION COMMANDS
MALWARE CONTROL
• FILE FILTERING
• FILE REPUTATION
• ANTIMALWARE SCAN
• SANDBOXING
[Diagram: the six layers, numbered 1-6, between Incoming Traffic and Outgoing Traffic; labels: THREAT VOLUME, Resource Consumption, ADVANCED THREAT]
NETWORK EVASIONS
Network Evasions are used here
CERTIFICATIONS
Common Criteria with Network Device and Firewall Protection Profile for NGFW functions in March 2016
FIPS 140-2 crypto certification in January 2016
ANSSI French national security certification for NGFW
IPv6 certified against the USGv6 Firewall Conformance v1.3 test suite
Section 508 Accessibility
3RD PARTY VALIDATION
Promote 3rd Party segment Analyst papers
IDC Business value paper (Feb 2017)
ESG: The Case for Modern Network Security Operations
ESG: Digital Transformation, Network Security, and Forcepoint
Promote 3rd Party Testing
NSS Labs NGFW report
NSS Labs IPS Report
NSS Labs Virtual Firewall Report
99.9% SECURITY EFFECTIVENESS
100.0% BLOCKED APPLICATION-LAYER ATTACKS.
NSS LABS NGIPS TEST REPORT
NSS LABS CAWS REPORT
NSS Labs' Cyber Advanced Warning System (CAWS) platform enables continuous validation of layered network security defenses
Demo
Smart Policy
Connectivity
Availability
Efficacy
Scalability
Manageability
Visibility
Automated Workflow
Delegated roles
Centralized Configuration & Monitoring
Optimized Virtual/SaaS Performance
16-Node Mixed Clusters
WHAT DO YOU THINK?
Question: Number of required edits to add 4 policy rules in a 500-firewall network?

                        NO CENTRALIZED MGMT   CHECKPOINT   FORCEPOINT
firewall:policy ratio   1:1                   50:1         2000:1
number of edits         2000                  40           4
SIMPLIFIED POLICY WITH HIERARCHICAL STRUCTURE
The Stonesoft policy structure is a hierarchy based on templates, which allows you to reduce the need for creating the same or similar rule in several policies.
► Policies follow the template changes automatically
► Main policy can contain jumps to Sub-Policies
► By using aliases you can use the same policy for several engines
POLICY TEMPLATE
MAIN POLICY
SUB POLICY 1
SUB POLICY 2
EXAMPLE: Template B contains rules defined in Template A + rules in Sub-Policies + rules defined directly in Template B.
Template A
Template B
Sub-Policies
Policy
REDUCING POLICY RULES
CUSTOMER CASE: French customer
Reduced firewall rules from 10k to 2k within a couple of days
Demo
FIND DUPLICATE AND UNUSED POLICY RULES
Stonesoft Firewall rules contain a “Hits Cell” that can show how many times each rule in your Firewall Policy has matched actual network traffic. You can scan for, identify, and merge similar rules (a common set of parameters) and delete duplicate or unused rules to keep rule sets manageable.
Audit & GDPR Friendly
Connectivity
Availability
Efficacy
Scalability
Manageability
Visibility
Automated Workflow
Delegated Roles
Centralized Configuration & Monitoring
Interactive Investigation & Visualization
360° Reporting
GENERAL DATA PROTECTION REGULATION
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
SMC – HOME VIEW
SMC – LOGS VIEW
FORCEPOINT NGFW V6.2 (RELEASED ON THE 3RD OF APRIL)
Industry’s best sandboxing – Forcepoint Advanced Malware Detection
More differentiation for MSPs – mission-critical app protection (Sidewinder Proxies)
Automated scalability for Virtualized Data Centers – OSC on VMware NSX
Automating admin & compliance – Policy Change Management Approvals
Even more IT efficiency – a Spotlight Search in SMC
Advanced control over network
SMC configuration of Protocol Independent Multicast (PIM) standard for multicast routing
DNS relay in NGFW – control DNS information given to internal networks
Customizable HTTP pages displayed when NGFW blocks pages
ADVANCED MALWARE DETECTION SANDBOXING
Sandboxing and more to uncover malware techniques
Advanced Persistent Threats, Zero-Day Threats, and Advanced Malware
Provides deep content inspection analysis for unknown objects
Complements NGFW-based file reputation & malware scans
[Diagram labels: INTERNET; Server or Workstation; Forcepoint Advanced Malware Detection; Files; Verdict]
Verdict
• Trustworthy | Malicious
• Low | Medium | High Risk
• Unknown
Settings applied to Verdict to decide Allow or Block
Based on proven sandboxing and dynamic detection technology
MANAGEABILITY – SECURITY PROXIES FOR MSPS
Network Security as a Service
Internal or external
Rich capabilities, including mission-critical proxies
Domains isolated per customer
Web portal access per domain (customer)
Role-based access at root and within domains
Domains inherit elements from shared domain
Shared Domain
Customer 1 Domain
Customer 2 Domain
Customer 3 Domain
SCALABILITY – AUTOMATION VIA OPEN SECURITY CONTROLLER
Deep packet inspection between layers & workloads
Granular controls, centrally implemented
Distributed Virtual hosts
Web Security Group
App Security Group
DB Security Group
Distributed Firewall Security
east/west
north/south
VMware NSX Agent
Network
Open Security Controller
Forcepoint NGFW
Security Management Center
Perimeter firewall
Creating an advanced distributed firewall security inside distributed virtual appliances
MANAGEABILITY – POLICY MANAGEMENT & APPROVALS
Policy snapshots always tracked
Review
Compare
Two-person approval can be enabled
For compliance practices
1. REQUEST Policy Change
2. PENDING Changes Visible on SMC
3. COMMIT Changes
4. APPROVE One-by-One or All Together
Need Approval? N / Y
4a. VIEW Detailed Changes
WHAT ANALYSTS SAY ABOUT FORCEPOINT
Gartner Magic Quadrant:
• “[Forcepoint] firewall has long been a leader in high-availability”
• “[Forcepoint] focused early on anti-evasion technology, and as attacks evolved, it protected customers well”
NSS Labs NGFW & NGIPS tests
• RECOMMENDED – NGFW (4 times in a row) and NGIPS
• Continuously leading the pack in CAWS testing
WHY CUSTOMERS SELECT FORCEPOINT NGFW
Efficiency: Cutting TCO Burden
Best centralized management, payback in 7 months with 510% ROI (5Y)
Availability: Eliminating downtime
Best clustering/HA for firewalls and networks prevents 70% maintenance, 38% outages
Security: Stopping theft, not performance
High-performance IPS, decryption, VPN stops 69% more breaches
Enterprise-Grade
Payback, ROI, downtime and breach data from IDC Research
BENCHMARKS AFTER DEPLOYING FORCEPOINT NGFW
86% Fewer Cyberattacks
69% Fewer Breaches
73% Faster Incident Response
53% Less IT Staff Time
70% Less Time to Deploy FW
70% Less Planned Maintenance
2017 IDC Business Value study
Thank you!
Email: [email protected]
Phone: +358 40 4803199