Barracuda Security for Cloud The solutions for the Cloud-Era Pietro Felisi - Senior SE for Italy

The solutions for the Cloud-Era - Cybersecurity meeting · The solutions for the Cloud-Era. Pietro Felisi - Senior SE for Italy ... But this presentation is to show the differences

Page 1

Barracuda Security for Cloud

The solutions for the Cloud-Era

Pietro Felisi - Senior SE for Italy

Page 2

In The Beginning

Headquarters

Internet

“Central Policy Management” @ Headquarters

Centralized Internet Break Out

MPLS with VPN backup

Servers & Apps @ HQ or DC

Presenter
Speaker notes

When NextGen Firewalls were introduced about 10 years ago, WAN network use cases looked a lot different than today. Companies' applications were typically hosted at the headquarters or in an on-premises datacenter. All remote locations were connected via rather expensive MPLS lines to the headquarters, where security and policy were enforced before breaking out to the internet. In the unlikely event that MPLS went down, important remote locations also connected to the headquarters via VPN over a much cheaper broadband internet uplink. However, only one link was utilized at a time. Security scanning was always done at the headquarters.

This results in a lot of tangible drawbacks:

Cost: MPLS is somewhere between 50 and 100 times more expensive than broadband.

Flexibility: Establishing a new MPLS link may take weeks, and MPLS might not be available at the next planned small office location at all (think of pop-up shops at an airport or event locations).

So instead of optimizing access to the headquarters, today all company locations need reliable access to cloud-hosted applications like Salesforce or Office 365, cloud-hosted datacenters in Azure, Amazon AWS or Google Compute Cloud, AND reliable access to the headquarters. This means security functionality needs to be provided at many more locations, while of course the overall solution needs to be cheaper. Everything gets cheaper over time, right?

Page 3

WAN Networking in the Cloud Era: Zero Trust

Headquarters

Most companies still have WAN by MPLS with VPN backup

SaaS, Internet, IaaS

Servers & Apps moved to Cloud

Locally installed Apps moved to Cloud

Presenter
Speaker notes

In the Cloud Era we have to distinguish between three different types of cloud that need to be treated differently.

1.) First of all, general internet access. When accessing sites like Twitter or news sites that are not business critical, it generally makes no difference whether they are accessed directly or via multiple hops that add some round-trip time. However, what has changed in recent years:

a.) SSL is ubiquitous. When accessing the internet it is mandatory to provide SSL Interception, either locally at the remote location or at the headquarters/datacenter.

b.) Ransomware like WannaCry and other variants has become the number one outside threat to WAN networks. To ensure reliable protection against these, the solution must provide a layer of Advanced Threat Prevention including sandboxing to reliably detect every latest form of ransomware.

Page 4

Internet Access - Zero Trust Security Model

DoS / DDoS & Geo IP blocking

Intrusion Prevention (IPS)

Application & User Control

Web Filter & Dual Anti-Virus

File Content & Browser Filtering

SSL Interception

Botnet & Spyware Protection

Advanced Threat Prot. (Sandboxing)

Cloud offloading Barracuda Threat Intelligence Network

IPS, AV signatures, domain reputation

Corporate

Users

Remote/mobile users

Internet

Presenter
Speaker notes

[Note: This is a security overview slide in case the customer shows more interest in the core NGFW security functionality. In most cases you will not need to read out the slide completely but just mention that the NGFW is a fully featured NextGen security device with a feature set and security effectiveness on par with or even better than the major players like Palo Alto, Check Point and Cisco. But this presentation is to show the differences to existing incumbent players when it comes to the cloud era. The slide title, Zero Trust Security Model, refers to "don't even trust a file there is no signature for; in today's world you need to sandbox everything".]

<<Click>>

A couple of years ago simple URL filtering and anti-virus were considered sufficient to keep the WAN safe. Today, with more and more ransomware and zero-day exploits distributed via social engineering techniques and via SSL-encrypted channels, firewalls need to provide a much better set of technology to keep up. The Barracuda NextGen Firewall comes loaded with technology to keep your WAN safe, available on every form factor and every deployment possibility. Of course it contains a powerful stateful firewall engine. On top of this it delivers:

DoS / DDoS: Built-in Denial of Service protection by remembering an abnormally large number of packets coming from single sources and either blocking or ignoring packets coming from these sources at the TCP layer 2, effectively protecting endpoints and even servers from Denial of Service attacks. This works both ways, outside in and inside out, so in case you get a laptop inside the company that behaves suspiciously, it gets blocked and reported.

Geo IP blocking: Barracuda NextGen Firewalls allow blocking of IP addresses and ranges based on country and continent information already at the network level without any overhead. So if you have no business in China at all, you can simply block all incoming traffic from China. Our customers tell us that this effectively already eliminates somewhere between one third and half of all intrusion attempts.

IPS: Every Barracuda NextGen Firewall comes with full intrusion prevention capabilities, detecting and blocking hacking and infiltration attacks at the network level. The integrated IPS system alone blocks close to 100% of possible attacks and is continuously rated in the NSS Labs Cyber Advanced Warning System, which can be accessed at any time by customers looking for confirmation (paid service). In the 90 days preceding the creation of this presentation we scored a phenomenal block rate of 99.86%, one of the highest achievable in multifunctional NextGen security devices. To get a better block rate you need specialized intrusion detection systems that forgo all the other benefits. (https://www.nsslabs.com/caws-threat-protection-platform/overview/)

Application & User Control: Every Barracuda NextGen Firewall is provided with full control for thousands of web and network level applications. This includes control over sub-applications and can be combined with time/day and user ID information. So e.g. Barracuda NextGen Firewalls can allow browsing Facebook only during lunch time and prevent postings, while enabling full access to Facebook for the marketing department all the time. Unlike most other security devices available on the market, Application & User Control is fully integrated into the traffic shaping and uplink selection process. As an example, Facebook can be prioritized down and only go out via a cheap broadband internet line, while Salesforce.com is given higher priority and its traffic is routed via a more stable MPLS connection.

Web Filter and Dual Anti-Virus: Barracuda NextGen Firewalls include web filtering and anti-virus functionality not requiring a slow proxy but performed directly in single-pass mode in the firewall engine. The web filter database contains multiple hundred of categorized URLs and is constantly updated by more than 150.000 collection points (Web Filters, Web Filter Service, other Firewalls). The malware engines are constantly updated and based on Avira Professional and Barracuda's enhanced ClamAV.

File Content & Browser Filtering: All Barracuda NextGen Firewalls include the ability to block/allow and even prioritize/deprioritize traffic based on detected file content and the browser version in use. This allows, for example, dynamically reducing the priority of the download of a large DVD .iso file while PDF files retain the same high priority as normally assigned to web browsing. Access to the internet can be allowed/blocked by browser type and even browser version. So e.g. old and potentially vulnerable browsers can be cut off from the internet for security reasons. Applications downloading updates (e.g. Adobe Acrobat or Apple iTunes updates) are also classified as a browser agent and can be dynamically throttled in bandwidth, so a software update that is simultaneously downloaded by multiple employees does not choke the network.

SSL Interception: All security and filtering mechanisms are applied to HTTPS traffic. This is crucial for today's networks, as about half of all web traffic is encrypted. Barracuda NextGen Firewalls F18 and higher, as well as all virtual and cloud versions, support SSL Inspection. So every small remote location can be fully secured.

Botnet & Spyware Protection: As part of the ATP protection bundle, all Barracuda NextGen Firewalls provide special functionality to detect and block traffic from botnet- and spyware-infected machines in the WAN. The underlying technology, DNS sinkholing, is transparent to the operating system, so regardless of whether they are Windows PCs, Android tablets or maybe even Unix servers, infected machines are detected, traffic to spyware and botnet servers is blocked and the administrator is alerted.

<<Click>>

All of the security functions are powered by the Barracuda Threat Intelligence Network, where feedback from more than 150,000 Spam Filters, Web Filters and NextGen Firewalls is analyzed in real time.

Advanced Threat Protection (Sandboxing): Even in case a malicious piece of data evades IPS, Dual Anti-Virus and Content Filtering, the optional ATP subscription will find it. Questionable documents and executables are uploaded on the fly, totally transparently to the admin, to the Barracuda ATP cloud and analyzed in real time. As part of the analysis the file is executed on Windows, MacOS and Android and the file's behaviour is tracked.

<<Click>>

Page 5

WAN Networking in the Cloud Era: SaaS

Headquarters

Most companies still have WAN by MPLS with VPN backup

SaaS, Internet

Servers & Apps moved to Cloud

Locally installed Apps moved to Cloud

IaaS

Presenter
Speaker notes

Second: Let us have a look at the specific traffic requirements that a gateway security solution must fulfill to optimize access for Software as a Service applications, the most prominent example being Office 365.

<<Click>>

When shifting from locally installed applications that save to some hard drive or server in the headquarters to Office 365, the traffic that goes out to the SaaS solution on the internet multiplies. Microsoft even provides its own traffic increase calculators for migrations to O365 in the cloud (https://support.office.com/en-us/article/Network-and-migration-planning-for-Office-365-f5ee6c33-bcd7-4b0b-b0f8-dc1d9fb8d132?ui=en-US&rs=en-US&ad=US#calculators). So if you keep the current networking layout and firewalls, you need more internet-facing bandwidth at the central exit point.

<<Click>>

Now, in order to backhaul all remote office traffic for central policy enforcement you would also have to purchase more MPLS bandwidth.

<<Click>>

After all, the customer already has MPLS, and adding more will potentially get a better discount level. After all, there are quite a bit of savings in moving to O365, so customers might as well re-invest a bit into more high-quality bandwidth.

Purchasing more bandwidth alone will not suffice. Office 365 traffic also has latency requirements that make it impossible to use a centralized internet breakout. Typically Microsoft recommends the less latency the better, with 50 ms as the maximum recommended. Backhauling traffic via an MPLS connection to another city, state or even country to get out to the internet is simply no longer an option when working with cloud applications. https://support.office.com/en-us/article/Media-Quality-and-Network-Connectivity-Performance-in-Skype-for-Business-Online-5fe3e01b-34cf-44e0-b897-b0b2a83f0917

So let's look at another approach.

<<Click: Next Slide>>

Page 6

Barracuda SaaS Cloud Protection

Barracuda Essentials

Barracuda Sentinel

Barracuda PhishLine

Gateway Defense

Resiliency

Fraud Protection

Human Firewall

Confidential

O365 | Gsuite | Exchange

Presenter
Speaker notes

In fact, we've built our product portfolio to support that layered approach to security.

Barracuda Essentials provides gateway defenses and resiliency.

Barracuda Sentinel stops brand hijacking and catches social engineering attacks using artificial intelligence.

And Barracuda PhishLine provides the last line of defense: training your employees to spot and thwart phishing attacks on unsecured personal accounts.

The approach is totally modular, letting you layer in defense where you need a boost, or use all three components for the ultimate in protection.

Page 7

WAN Networking in the Cloud Era: SD-WAN

Headquarters

Reduced cost for MPLS !

SaaS, Internet, IaaS

Central Mgmt.

Presenter
Speaker notes

Let's dive into some benefits Cloud Gen Firewalls provide by integrating full SD-WAN connection technology right into the firewall. For this we've picked out a remote branch that connects to the IaaS cloud.

<<Click>>

Page 8

Public Cloud Service Responsibility

Customer

Public Cloud Platform

Physical Infrastructure

Network Infrastructure

Virtualization Layer

Customer Applications & Content

Network Security

Identity & Access Control

Operating Systems / Platform

Data Encryption

You define controls and security IN the Cloud

Provider takes care of the Security OF the Cloud

Cloud Access

You take care of link availability TO and security IN the Cloud

Presenter
Speaker notes

So in summary: With moving workloads to the cloud, you're responsible for security in the cloud and data protection in the cloud.

Now let's get to the one thing that customers always take for granted. You have to get to the cloud first: always, anywhere, securely, with enough bandwidth and as cost-effectively as possible.

<<Click>>

Of course there is Microsoft ExpressRoute for Azure and similar technologies for other cloud vendors. But these might not be available in every region where your offices are. ExpressRoute requires more planning and setup, and it is more expensive than a bunch of broadband lines.

Barracuda can help you with all of these responsibilities, with the NextGen Firewall focusing on Cloud Access, Network Security, and Identity and Access Control.

<<Click>>

Page 9

Internet Access - Zero Trust Security Model

Page 10

Barracuda SD-WAN

Easy deployment and configuration

Secure and reliable connectivity

Link management and bandwidth optimization

WAN optimization

Protect users, data, and applications

Intelligent traffic shaping

Page 11

Web Applications can be anywhere

Confidential

Mobile, Public Cloud, Enterprise Data Center

Presenter
Speaker notes

Pretty much every application can now be accessed via a web browser or a mobile application. All of this is over HTTP/HTTPS, compared to earlier, when you would have applications requiring a custom installation that used some very obscure protocol to talk to the backend. They are easier to use, faster to deploy and much easier to troubleshoot. But then, they are also quite insecure for many reasons.

Page 12

Barracuda WAF

• Comprehensive protection from layer 7 attacks

• Traffic optimization and SSL acceleration built-in

• Strong authentication and access control for all apps

• Secure web, mobile and API applications

• Integrated volumetric DDoS protection

• On-premises physical or virtual deployment

Secure your apps, defend against bots and DDoS attacks, and accelerate app delivery

Presenter
Speaker notes

Highlight key differentiated features of the Barracuda WAF.

Page 13

Public Cloud Replication and Restore

Barracuda Backup securely and efficiently replicates backed-up data to Amazon Web Services, giving your customers the flexibility to choose between private or public cloud storage.

Page 14

Designed for the Cloud

Presenter
Speaker notes

So as a complete solution, customers can protect physical servers, virtual machines, and SaaS applications with Barracuda Backup. The solution can be deployed as an all-in-one physical appliance or as software that leverages existing storage and compute infrastructures. Data can then be replicated to Barracuda Cloud, Amazon Web Services, remote physical appliances, or remote virtual appliances for ultimate flexibility. And for customers who have extended retention policies, we offer long-term retention through offsite vaulting to Barracuda Cloud, or the ability to export to external media, tapes, or AWS VTLs.

Page 15

Thank You