ngfw ngtp test plan


Upload: moti-sagey-

Post on 08-Jan-2017

TRANSCRIPT

[Restricted] ONLY for designated groups and individuals

Customer Requirements for Next Generation Firewalls

Customer Rating (Must Have, Nice to Have, N/A)

Deployment Topologies

Gateway deployments should support L2 (transparent) and L3 with High Availability topologies. HA transitions should occur seamlessly with or without STP and should be able to react to or ignore physical link state changes.

VLAN translation should be supported.

The gateway should support virtualization while maintaining all security features

The gateway should be deployable in virtual and cloud-based environments (VMware), provide hypervisor-level security for inter-VM traffic between guests, and preserve security with zero downtime during virtual machine live migration.

Gateways should support VoIP interoperability with leading vendors, including NAT support. Logs should be tailored to VoIP traffic and easily viewed by administrators for troubleshooting.

Gateways should support IPv6 including monitoring, dynamic routing, virtualized environments and dual-stack definitions

IPv6 support should include Next Generation technologies such as IPS, Application Control, URL Filtering and Anti-Malware

The solution should allow for BYOD security including sandboxing and document encryption

The solution should support Single Sign On to SaaS (Software as a Service) applications using the SAML protocol

The solution should support easily deployed dynamic routing and large scale VPN deployment

Stateful Firewall Requirements

The solution should account for all seven layers of the OSI model, dividing networking and security into discrete components (SANS Institute)

The solution should comply with the PCI DSS requirement that organizations deploy a 'stateful inspection' firewall

The solution should prevent cache poisoning of application and network traffic

URLF and application control NGFW products should not be bypassed by HTML evasion techniques

The solution should be able to leverage an architecture with scalable computing resources for all security inspections


The solution should support IPv6 for remote user connections from IPv6 addresses

The solution should support full IPv6 stateful inspection including NAT66 and NAT64

The solution should support Multicast Acceleration

The solution should offer acceleration technologies and low-latency architectures (sub-5-microsecond)

URL Filtering

URLF solution allows for "real time updates" via cloud or other mechanism

The URLF engine allows URLs to be part of multiple categories.

The solution can be deployed as a URLF proxy

The URLF solution enables users to submit re-categorization requests interactively

Does the direct vendor (not a third party) have the ability to change or re-classify URLs and their associated categories?

The URLF solution should enforce 'safe search'

The URLF solution should filter HTTPS traffic without requiring SSL inspection

Ability to enforce bandwidth and/or time limits on selected websites or Web 2.0 applications

The solution allows administrators to let groups or users "bypass" rules (self-remediation) at a granular level without IT administrative action

User Identification and Control

The identity solution should not require software installation on endpoints and should support multi-forest and sub-domain directory environments

The solution should integrate seamlessly with directory services, IF-MAP and RADIUS

The identity solution should enforce policy on machine, user, and IP information

The identity solution should support Terminal Services and Citrix servers

The identity solution should support transparent proxy authentication and captive portal

The identity solution should support Mac and PC agents and allow for Single Sign On

The solution allows identification through a proxy (example: X-Forwarded-For headers)
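Identifying users through a proxy via X-Forwarded-For is only safe if the gateway knows which proxies it trusts: the header is client-writable, so any untrusted hop can insert whatever address it likes. The Python below is an added example, not part of the checklist or any product's code. It shows the naive leftmost-value lookup beside a version that consults the header only when the TCP peer is a trusted proxy, walks it from the right, and stops at the first hop that is not one of the gateway's own proxies. The trusted-proxy networks and all sample addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed for this example: networks the gateway treats as its own proxies.
# A real deployment would load these from the gateway's trusted-proxy object list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.10/32")]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted_proxy(text: str) -> bool:
    ip = _parse_ip(text)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """The common mistake: believe the leftmost X-Forwarded-For value.

    Any client can send the header itself, so the identity engine would
    attribute the session to whatever address the attacker chose."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Attribute the flow to the nearest hop that is NOT one of our proxies.

    The TCP peer address cannot be spoofed across a completed handshake, so it
    is the anchor.  Only when the peer is a trusted proxy do we look at
    X-Forwarded-For, and then we walk it from the right (the value our proxy
    appended last) to the left, stopping at the first untrusted hop.  Values
    further left were supplied by the client and are ignored."""
    if not xff or not _is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    last_trusted = remote_addr
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            last_trusted = hop  # internal proxy-to-proxy hop, keep walking
            continue
        # First hop not under our control: the real client if it is a valid
        # address; otherwise the header is corrupt and we keep the last hop
        # we could vouch for.
        return hop if _parse_ip(hop) is not None else last_trusted
    return last_trusted


if __name__ == "__main__":
    # Constructed: a client behind trusted proxy 10.0.0.5 tries to impersonate 1.2.3.4
    print(client_ip_naive("10.0.0.5", "1.2.3.4, 203.0.113.7"))  # 1.2.3.4 (spoofed identity)
    print(client_ip("10.0.0.5", "1.2.3.4, 203.0.113.7"))        # 203.0.113.7
```

When testing this requirement against a gateway, send the header both directly and through the proxy and confirm the logs attribute the session to the proxy-observed address, never to the client-supplied one.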

SSL Inspection (inbound / outbound)

The solution offers support for SSL Inspection/Decryption with leading performance across all threat mitigation technologies

The solution should support Perfect Forward Secrecy (PFS, ECDHE cipher suites)

The solution should support AES-NI and AES-GCM for improved throughput

Threat emulation/sandboxing should be integrated with SSL Inspection

The solution can leverage the URL Filtering database to allow administrators to create a granular HTTPS inspection policy

The solution can perform URL Filtering on HTTPS traffic without requiring SSL decryption


DLP & Content Visibility

Ability to inspect hundreds of file types (e.g. Word, Excel, PDF, etc.)

Solution can identify non-English characters in Microsoft Office documents

The inspection technology should be able to inspect custom lists or dictionaries of over 350 items

The DLP solution should be able to identify hundreds of data content types with pattern matching, keyword matching and dictionaries

The solution should support advanced inspection based on structured content (e.g. database files, XLS, CSV)

The solution should support file fingerprinting to protect files residing in network repositories

The DLP solution should be aware of all protocols

Does the solution have the ability to watermark sensitive data as it leaves the organization?

Does the solution have the ability to interact with the user to send, quarantine or discard potentially sensitive data leaks?

The solution should support an open scripting language to tailor and create specific data classifications

The solution has pre-built DLP compliance classifications (HIPAA, GLBA, IBAN and SEC out of the box)
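The DLP items above ask for pattern, keyword and dictionary matching and for a pre-built IBAN classification. A pattern on its own produces noise; a checksum makes a hit trustworthy enough to block on, or to hand the user the send/quarantine/discard choice the checklist describes. The Python below is an added example, not from the checklist or any vendor: it finds IBAN-shaped strings, validates them with the ISO 13616 mod-97 check, and combines the result with a small context dictionary. The country length table, the dictionary and the decision rules are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed subset of the official IBAN length registry; a product ships the full table.
IBAN_LENGTHS = {"DE": 22, "FR": 27, "GB": 22, "NL": 18}

# Country code + 2 check digits, then groups of four (optionally space separated) and a short tail.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")

# Constructed context dictionary: a match near one of these terms is a stronger signal.
CONTEXT_TERMS = ("iban", "account number", "bank account", "swift", "bic")


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 check: country-specific length, then mod-97 over the rearranged string."""
    iban = candidate.replace(" ", "").upper()
    expected = IBAN_LENGTHS.get(iban[:2])
    if expected is not None and len(iban) != expected:
        return False
    rearranged = iban[4:] + iban[:4]                          # country code + check digits go last
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


def scan(text: str) -> Tuple[List[Dict], List[str]]:
    """Return (findings, context terms present).

    Each finding carries a validity flag so the policy can treat a pattern hit
    with a failing checksum as noise rather than as a leak."""
    findings = []
    for m in IBAN_RE.finditer(text):
        findings.append({"type": "IBAN", "value": m.group(0), "offset": m.start(),
                         "valid": iban_is_valid(m.group(0))})
    lower = text.lower()
    return findings, [t for t in CONTEXT_TERMS if t in lower]


def classify(text: str) -> str:
    """Map findings onto the user-interaction outcomes the checklist asks for."""
    findings, context = scan(text)
    if any(f["valid"] for f in findings):
        # ask-user: present send / quarantine / discard instead of a silent block
        return "block" if context else "ask-user"
    return "allow"


if __name__ == "__main__":
    # Constructed sample message; GB82 WEST 1234 5698 7654 32 is the standard example IBAN.
    print(classify("Please wire the fee to IBAN GB82 WEST 1234 5698 7654 32 by Friday."))
```

The same structure (regex candidate, checksum, context dictionary) carries over to the other out-of-the-box classifications, such as credit card numbers with the Luhn check; a test plan should include both a valid and a checksum-failing sample for each type to confirm the engine distinguishes them.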

Threat Mitigation

How often does the vendor update IPS, application and URLF categorization?

Does the vendor allow for custom categories and/or application definitions?

The IPS should detect and block DNS tunneling attempts
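Detecting DNS tunneling is largely statistical: a tunnel encodes upstream data into many unique, high-entropy subdomains of one zone and pulls responses back in TXT, NULL or CNAME records. The Python below is an added example, not part of the checklist or any vendor's engine: it scores a constructed query log per registered domain on exactly those signals. The thresholds, the two-label "registered domain" split, and the domain exfil-c2.test are assumptions made for the example.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution (max 4 for hex, 5 for base32)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Naive split into (registered domain, subdomain part).

    A product would use the public suffix list here; two labels is enough for
    the constructed sample."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse(queries: Iterable[Tuple[str, str, str]], min_unique: int = 20,
            entropy_threshold: float = 3.5, max_label: int = 40) -> Dict[str, List[str]]:
    """Per registered domain, return the list of tunneling indicators that fired.

    queries: (client, qname, qtype) tuples as a DNS log or an IPS would see them."""
    stats = defaultdict(lambda: {"subs": set(), "entropies": [], "longest": 0, "payload": 0, "total": 0})
    for _client, qname, qtype in queries:
        domain, sub = split_qname(qname)
        s = stats[domain]
        s["total"] += 1
        if sub:
            s["subs"].add(sub)
            s["entropies"].append(shannon_entropy(sub.replace(".", "")))
            s["longest"] = max(s["longest"], max(len(label) for label in sub.split(".")))
        if qtype in ("TXT", "NULL", "CNAME"):   # record types that carry the downstream payload
            s["payload"] += 1
    verdicts = {}
    for domain, s in stats.items():
        reasons = []
        many = len(s["subs"]) >= min_unique
        mean_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        if many and mean_entropy >= entropy_threshold:
            reasons.append("many-high-entropy-subdomains")   # encoded upstream data in labels
        if s["longest"] > max_label:
            reasons.append("oversized-label")
        if many and s["payload"] / s["total"] > 0.5:
            reasons.append("payload-record-types")
        verdicts[domain] = reasons
    return verdicts


def _encoded_chunk(i: int) -> str:
    """Constructed: what a tunnel client emits for chunk i (base32 of 32 payload bytes)."""
    digest = hashlib.sha256(b"chunk-%d" % i).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed sample log: ordinary lookups plus a tunnel to exfil-c2.test (reserved TLD).
SAMPLE_QUERIES = (
    [("10.1.1.5", name, "A") for name in ("www.example.com", "mail.example.com", "cdn.example.com",
                                          "api.example.com", "www.example.com", "mail.example.com")]
    + [("10.1.1.9", "%s.t.exfil-c2.test" % _encoded_chunk(i), "TXT") for i in range(40)]
)


def sample_verdicts() -> Dict[str, List[str]]:
    return analyse(SAMPLE_QUERIES)


if __name__ == "__main__":
    for domain, reasons in sample_verdicts().items():
        print(domain, reasons or "clean")
```

Thresholds need tuning per environment, and legitimate zones with machine-generated names (CDNs, DNSBL and anti-virus cloud lookups) will trip the entropy signal, so an allowlist is part of any real deployment; blocking should apply to the whole zone rather than to individual query names, since the tunnel client changes those on every packet.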

The solution should allow for third party signature import such as Snort

Anti-Malware solution should include pre & post inspection capabilities

The IPS should scan all parts of the session in both directions (in PAN, disable DSRI; in Fortinet, up to FortiOS 5.0.x, set ignore_session_bytes to 0)

The AV and Anti-Bot solution should be a multi-tier inspection and not be limited to file types

The AV should support more than 50 cloud based engines

The AV should support scanning for links inside emails

The AV should scan files transferred over the CIFS protocol

The vendor malware update mechanism should include reputation, network signatures and suspicious email activity detection

The threat technologies should be updatable instantly without user intervention and should offer a cloud-based update mechanism

How large is the database of identified malware?

How large is the install base that could leverage/interact with this malware DB?

Does the vendor collaborate with security organizations adding to their threat indicator database?


Threat mitigation should include unified management of DDoS

DDoS gateway inspection should drop packets from suspected sources and allow for rate limiting of these specific sources and services

The security vendor should have global security and trending initiatives and an incident response team

The solution has a constant line of defense (example: multi-inspection DLP)

The solution should include threat emulation, either cloud or locally based, with central emulation capabilities

Threat Emulation & Extraction

The solution should be able to emulate EXE, PDF, archive files (ZIP, RAR, etc.), Office files (DOC, PPT, XLS, etc.), Java and Flash

The emulation engine should be able to inspect, emulate, prevent and share the results of the sandboxing event with the anti-malware infrastructure

The solution should enable emulation of files larger than 10 MB

The solution should offer a deployment option that does not require any additional infrastructure

The emulation engine should support multiple OSes such as Windows XP and Windows 7, including customized images

The engine should detect API calls, file system changes, system registry changes, network connections and system processes

Threat emulation should be part of a complete multi-layered threat prevention architecture

The solution should provide both onsite and cloud based implementations

The solution should support static analysis for Mac OS X, Linux and any x86 platform

The solution should be able to detect and block threats at the exploit phase (CPU-level)

The solution should not require separate infrastructure for SMTP, HTTP, etc.

The solution should have anti-evasion capabilities detecting sandbox execution

The emulation engine should have anti-vm detection capabilities

The solution should be able to perform pre-emulation static filtering

SMTP emulation should allow for MTA deployment

The emulation device should have deployment options such as emulation offload, dedicated on-site, cloud and MTA

The threat emulation device should be able to collaborate with on-box technologies such as IPS, AV and Anti-Bot

The threat emulation solution should allow for 'Geo Restriction', which enables emulation to be restricted to a specific country

The solution should eliminate threats and remove exploitable content, including active content and embedded objects

The solution should be able to reconstruct files with known safe elements

The solution should provide the ability to convert reconstructed files to PDF format


The solution should maintain flexibility, with options to keep the original file format and to specify the type of content to be removed

The emulation engine should exceed a 90% catch rate on VirusTotal tests in which known malicious PDFs and EXEs are modified with 'unused' headers, in order to demonstrate the solution's capability to detect new, unknown malware
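The 'unused header' test rewrites bytes that no parser reads, so the file's hash changes while its behaviour does not; engines keyed on file hashes then miss a sample they already know. The Python below is an added example, not part of the checklist and not any vendor's code: it builds a constructed stand-in PDF and a constructed stand-in PE, generates variants by overwriting the PDF binary-marker comment line and the COFF TimeDateStamp in place (so no offsets shift), checks that the PDF xref entries still resolve, and shows a normalisation step that makes hash matching robust to exactly this trick. The sample files, the choice of fields and all helper names are this example's own.

```python
import hashlib
import struct
from typing import Optional, Tuple


def build_minimal_pdf() -> bytes:
    """Constructed stand-in for a known-bad sample: a one-page PDF with a correct xref table."""
    header = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"          # second line: binary-marker comment
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>\nendobj\n"]
    out, offsets = bytearray(header), []
    for o in objs:
        offsets.append(len(out))
        out += o
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


def build_minimal_pe() -> bytes:
    """Constructed stand-in: DOS header, PE signature and COFF file header (no sections)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0x5A0B0000, 0, 0, 0, 0x0102)  # i386, TimeDateStamp, EXE
    return dos + b"PE\0\0" + coff


def unused_field(data: bytes) -> Optional[Tuple[int, int]]:
    """(offset, length) of bytes no parser depends on: the PDF binary-marker comment,
    or the COFF TimeDateStamp of a PE.  Both are edited in place, so no offset shifts."""
    if data.startswith(b"%PDF-"):
        nl = data.find(b"\n")
        end = data.find(b"\n", nl + 1) if nl != -1 else -1
        if nl != -1 and end != -1 and data[nl + 1:nl + 2] == b"%" and end - (nl + 2) >= 4:
            return nl + 2, end - (nl + 2)
        return None
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= e_lfanew + 12 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return e_lfanew + 8, 4
    return None


def mutate(data: bytes, variant: int) -> bytes:
    """Variant with a different hash but byte-identical parsed content."""
    field = unused_field(data)
    if field is None:
        raise ValueError("no known unused field for this file type")
    off, length = field
    filler = hashlib.sha256(b"variant-%d" % variant).digest()
    length = min(length, len(filler))
    # High bit set on every byte: never a newline, so the PDF comment stays one line.
    out = bytearray(data)
    out[off:off + length] = bytes(0x80 | (b & 0x7F) for b in filler[:length])
    return bytes(out)


def normalize(data: bytes) -> bytes:
    """Zero the unused field: hashing this instead of the raw file survives the trick."""
    field = unused_field(data)
    if field is None:
        return data
    off, length = field
    return data[:off] + b"\x00" * length + data[off + length:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pdf_xref_consistent(data: bytes) -> bool:
    """Every in-use xref entry must still point at 'N 0 obj'."""
    x = data.find(b"\nxref\n")
    if x == -1:
        return False
    lines = data[x + 1:].split(b"\n")
    count = int(lines[1].split()[1])
    for num, line in enumerate(lines[2:2 + count]):
        off, _gen, kind = line.split()
        if kind == b"n" and not data[int(off):].startswith(b"%d 0 obj" % num):
            return False
    return True


def evasion_set(sample: bytes, n: int = 5):
    """n variants of a sample plus the set of their hashes."""
    variants = [mutate(sample, i) for i in range(n)]
    return variants, {sha256(v) for v in variants}
```

Against a real engine the procedure is the same: take a sample it already detects, produce the variants, and submit each; a product that only passes because of the hash of the original has not met the requirement, while normalisation of known-unused fields before hashing (or, better, detection on behaviour rather than on hashes) is what closes the gap.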

Management and Reporting

The solution should be centrally managed and account for expanding and discrete environments

Scalable management infrastructure that allows for thousands of rules and objects

The solution should be able to report on specific user traffic

Solution has built in central monitoring tool for VPN status

The event analysis solution should have a direct connection to the security policy editor UI (i.e. SmartDashboard) to enable editing the policy as a result of an event (e.g. adding an IPS exception for an event deemed a false positive)

The management reporting solution should offer detailed user activity reports, including web browsing duration

Does the solution have the ability to determine adherence to compliance or best practice guidelines and report on them in real time?

The event analysis solution should provide out-of-the-box event handling for the following security services: FW, IPS, APCL, URLF, AB, Threat Emulation

VPN tunnel configuration should not require that each tunnel be created separately

The logging infrastructure should be quickly searchable, able to search millions of records efficiently

End User Interaction System

Security elements should have user integration that educates and alerts users without involving IT/security personnel

The solution should enable a practical process to move from detection to prevention for security/mitigation technologies

The education system should empower users to self-administer incidents, with options to send, discard or review

End User Interaction should support IPv6 networks

Notifications should occur in real-time, via email or pop-up or with/without an agent