NGFW NGTP Test Plan
[Restricted] ONLY for designated groups and individuals
Customer Requirements for Next Generation Firewalls
Customer Rating for each requirement: Must Have, Nice to Have, or N/A
Deployment Topologies
Gateway deployments should support L2 (transparent) and L3 with High Availability topologies. HA
transitions should occur seamlessly with or without STP and should either react to or ignore physical link state changes.
VLAN translation should be supported.
The gateway should support virtualization while maintaining all security features
Able to be deployed in virtual, cloud-based environments (VMware). Provide hypervisor-level security
for inter-VM traffic between guests. Preserve security with zero downtime during virtual machine live migration.
Gateways should support VoIP interoperability of leading vendors including NAT support. Logs should
be tailored to VoIP traffic and easily viewed by administrators for troubleshooting.
Gateways should support IPv6 including monitoring, dynamic routing, virtualized environments and
dual-stack definitions
IPv6 support should include Next Generation technologies such as IPS, Application Control, URL
Filtering and Anti-Malware
The solution should allow for BYOD security including sandboxing and document encryption
The solution should support Single Sign-On to SaaS (Software as a Service) applications using the SAML
protocol
The solution should support easily deployed dynamic routing and large scale VPN deployment
Stateful Firewall Requirements
The solution should account for all seven layers of the OSI model dividing networking and security into
discrete components (SANS Institute)
Solution should comply with the PCI DSS requirement for organizations to deploy a 'stateful inspection'
firewall
The solution should not be susceptible to application and network traffic cache poisoning
URLF and application NGFW products should not allow HTML evasion techniques
The solution should be able to leverage an architecture with scalable computing resources for all
security inspections
The solution should support IPv6 for remote users connecting with IPv6 addresses
The solution should support full IPv6 stateful inspection including NAT66 and NAT64
The solution should support Multicast Acceleration
The solution should offer acceleration technologies and low-latency architectures (sub 5 microseconds)
URL Filtering
URLF solution allows for "real time updates" via cloud or other mechanism
The URLF engine allows URLs to be part of multiple categories.
Solution has the ability to be deployed as a URLF proxy
The URLF solution enables users to submit re-categorization requests interactively
Does the direct vendor (not a third party) have the ability to change or re-classify URLs and associated
categories
The URLF solution should enforce 'safe search'
The URLF solution should be able to filter and allow HTTPS traffic without SSL Inspection
Ability to enforce bandwidth and/or time limits on selected websites or Web 2.0 applications
Solution allows administrators to let groups or users "bypass" (Self Remediation) rules at a
granular level without IT administrative action
User Identification and Control
The identity solution should not require an installation and should support multi-forest and sub-domains
The solution should integrate seamlessly with directory services, IF-MAP and RADIUS
The identity solution should enforce policy on machine, user, and IP information
The identity solution should support terminal and Citrix servers
The identity solution should support transparent proxy authentication and captive portal
The identity solution should support Mac and PC agents and allow for Single Sign-On
Solution allows identification through a proxy (example: X-Forwarded-For headers)
SSL Inspection (inbound / outbound)
Solution offers support for SSL Inspection/Decryption with leading performance across all threat
mitigation technologies
The solution should support Perfect Forward Secrecy (PFS, ECDHE cipher suites)
The solution should support AES-NI and AES-GCM for improved throughput
Threat emulation/sandboxing should be integrated with SSL Inspection
Solution can leverage the URL filtering database to allow the administrator to create a granular HTTPS
inspection policy
Solution can perform HTTPS-based URL Filtering without requiring SSL decryption
DLP & Content Visibility
Ability to inspect hundreds of file types (e.g. Word, Excel, PDF, etc.)
Solution can identify non-English characters in Microsoft Office documents
The inspection technology should be able to inspect custom lists or dictionaries of over 350 items
The DLP solution should be able to identify hundreds of data content types with pattern matching, keyword matching
and dictionaries
The solution should support advanced inspection based on structured content (examples: database
files, xls, csv, etc.)
The solution should support file fingerprinting to protect files residing in network repositories
The DLP solution should be aware of all protocols
Does the solution have the ability to watermark sensitive data as it leaves the organization?
Does the solution have the ability to interact with the user to send, quarantine or discard potentially
sensitive data leaks?
The solution should support an open scripting language to tailor and create specific data classifications
Solution has pre-built DLP compliance classifications (HIPAA, GLBA, IBAN and SEC out of the box)
Threat Mitigation
How often does the vendor update IPS, application and URLF categorization?
Does the vendor allow for custom categories and/or application definitions?
The IPS should detect and block DNS tunneling attempts
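The DNS tunneling requirement above is the kind of item a tester will want to exercise with concrete traffic. The heuristics that an IPS or resolver-log analytic typically uses are the length and entropy of the subdomain labels and the number of distinct subdomains a single registered domain receives, because tunnels encode data into query names. The following is an added example written for this page, not vendor code; it runs those heuristics over constructed resolver log lines. The log format, the thresholds and the treatment of the last two labels as the registered domain are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "time client qtype qname".
# The long hex labels under example.org imitate a data-carrying tunnel.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 A www.example.com
10:00:02 10.1.1.5 A mail.example.com
10:00:03 10.1.1.9 TXT 7a6b3c9e2f1d4e8a0b5c.9f8e7d6c5b4a3f2e1d0c.tun.example.org
10:00:04 10.1.1.9 TXT 1c2d3e4f5a6b7c8d9e0f.a1b2c3d4e5f6a7b8c9d0.tun.example.org
10:00:05 10.1.1.9 TXT 5e6f7a8b9c0d1e2f3a4b.b2c3d4e5f6a7b8c9d0e1.tun.example.org
10:00:06 10.1.1.9 TXT 9d0e1f2a3b4c5d6e7f8a.c3d4e5f6a7b8c9d0e1f2.tun.example.org
10:00:07 10.1.1.5 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain). Assumption: registered domain = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text: str, min_unique=3, min_avg_len=30, min_entropy=3.0):
    """Flag registered domains whose subdomains look like encoded tunnel payloads."""
    per_domain = defaultdict(list)  # registered domain -> [(qtype, subdomain), ...]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines (assumed log format)
        _, _, qtype, qname = parts
        domain, sub = split_name(qname)
        per_domain[domain].append((qtype, sub))

    findings = {}
    for domain, entries in per_domain.items():
        subs = {s for _, s in entries if s}
        if len(subs) < min_unique:
            continue  # too few distinct names to call it a tunnel
        compact = [s.replace(".", "") for s in subs]
        avg_len = sum(len(c) for c in compact) / len(compact)
        avg_ent = sum(shannon_entropy(c) for c in compact) / len(compact)
        txt_ratio = sum(1 for t, _ in entries if t == "TXT") / len(entries)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings[domain] = {
                "unique_subdomains": len(subs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_ratio": round(txt_ratio, 2),
            }
    return findings


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        print(f"suspected DNS tunnel: {domain} {stats}")
```

The ordinary names under example.com are short and low-entropy, so they never trip the threshold, while the example.org queries are flagged on all three signals. A real deployment would also want a whitelist for legitimate services that use long generated labels (CDNs, some anti-spam and telemetry services), otherwise the same heuristics produce false positives.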
The solution should allow for third party signature import such as Snort
Anti-Malware solution should include pre- and post-inspection capabilities
The IPS should scan all parts of the session in both directions (in PAN disable DSRI; in Fortinet (up to
FortiOS 5.0.x) set ignore_session_bytes to 0)
The AV and Anti-Bot solution should be a multi-tier inspection and not be limited to file types
The AV should support more than 50 cloud-based engines
The AV should support scanning for links inside emails
The AV should scan files that are passing over the CIFS protocol
The vendor malware update mechanism should include reputation, network signatures and suspicious
email activity detection
The threat technologies should be updatable instantly without user intervention and offer a cloud-based
mechanism
How large is the database of identified malware?
How large is the install base that could leverage/interact with this malware DB?
Does the vendor collaborate with security organizations adding to their threat indicator database?
Threat mitigation should include unified management of DDoS
DDoS gateway inspection should drop packets from suspected sources and allow for rate limiting from
these specific sources and services
The security vendor should have global security and trending initiatives and an incident response team
Solution has a constant line of defense (Example: multi-inspection DLP)
The solution should include threat emulation, either cloud or locally based, with central emulation
capabilities
Threat Emulation & Extraction
The solution should be able to emulate exe, pdf, archive files (zip, rar, etc.), Office files (doc, ppt,
xls, etc.), Java and Flash
The emulation engine should be able to inspect, emulate, prevent and share the results of the
sandboxing event into the anti-malware infrastructure
The solution should enable emulation of files larger than 10 MB
The solution should offer a deployment option that does not require any additional infrastructure
The emulation engine should support multiple OSs such as XP and Windows 7, including customized
images
The engine should detect API calls, file system changes, system registry changes, network connections and system
processes
Threat emulation should be part of a complete multi-layered threat prevention architecture
The solution should provide both onsite and cloud based implementations
The solution should support static analysis for Mac OS X, Linux and any x86 platform
The solution should be able to detect and block threats at the exploit phase (CPU level)
The solution should not require separate infrastructure for SMTP, HTTP, etc.
The solution should have anti-evasion capabilities detecting sandbox execution
The emulation engine should have anti-vm detection capabilities
The solution should be able to perform pre-emulation static filtering
SMTP emulation should allow for MTA deployment
The emulation device should have deployment options such as emulation offload, dedicated on-site,
cloud and MTA
The threat emulation device should be able to collaborate with on-box technologies such as IPS, AV
and Anti-Bot
The threat emulation solution should allow for 'Geo Restriction' which enables emulations to be
restricted to a specific country
The solution should eliminate threats and remove exploitable content, including active content and
embedded objects
The solution should be able to reconstruct files with known safe elements
The solution should provide the ability to convert reconstructed files to PDF format
The solution should maintain flexibility with options to keep the original file format and specify the
type of content to be removed
The emulation engine should exceed a 90% catch rate on VirusTotal tests where known malicious PDFs
and EXEs are modified with 'unused' headers in order to demonstrate the solution's capability to detect
new, unknown malware
Management and Reporting
The solution should be centrally managed and account for expanding and discrete environments
Scalable management infrastructure that allows for thousands of rules and objects
The solution should be able to report on specific user traffic
Solution has built in central monitoring tool for VPN status
The Event analysis solution should have a direct connection to the security policy editor UI (i.e.
SmartDashboard) to enable editing the policy as a result of an event (e.g. adding an IPS exception for an
event deemed a false positive)
The management reporting solution should offer detailed user activity reports including web browsing
duration
Does the solution have the ability to determine adherence to compliance or best practice guidelines
and report on them in real-time?
The Event analysis solution should have "out of the box" support for events from the following security
services: FW, IPS, APCL, URLF, AB, Threat Emulation
VPN tunnel configuration should not require that each tunnel be created separately
Logging infrastructure should be quickly searchable, able to search millions of records in an efficient
manner
End User Interaction System
Security elements should have user integration that educates and alerts users without involving
IT/security personnel
The solution should enable a practical process to move from detection to prevention for
security/mitigation technologies
The education system should empower users to self-administer incidents, with options to
send, discard or review
End User Interaction should support IPv6 networks
Notifications should occur in real-time, via email or pop-up or with/without an agent