
Page 1: Alex_Deac_Writing_Sample

Analytical Report

Atlantys Networks, Inc.

Office of Chief Information Officer

ALEX DEAC

9/10/2014


Table of Contents

Abstract
Enhancing corporate security posture
  Risk management, governance and regulatory compliance
  Zero-trust network security concept
Analysis of current security solutions
  Traditional firewalls
  Next-generation firewalls
  Mitigating current threats
Vendor solutions analysis
  NGFW vendors
  Performance versus costs
Conclusions
References

Table of Figures

Figure 1. Traditional firewall setup for network security
Figure 2. NGFW covers all 7 OSI layers
Figure 3. A basic DDoS attack
Figure 4. Next Generation Firewall Security Value Map
Table 1. NSS Labs NGFW Comparative Analysis


Abstract

This report discusses specific measures for addressing the security weaknesses identified at Atlantys Networks, Inc. (ANI). The technical measure proposed to strengthen ANI's security follows directly from the findings of the security assessment performed by Trusted Security Solutions (TSS).

The next-generation firewall (NGFW) introduced in this report is intended to do more than fix a technical deficiency. It can also help ANI gain market confidence and expand its customer base, comply with local, state, and federal regulations, and meet strict industry standards while strengthening its overall security posture.

The report also compares the cost of implementing the solution with the cost of not taking action. Costs are considered across all phases of the NGFW deployment: design, implementation, and maintenance of the technology, as well as training of personnel.


Enhancing Corporate Security Posture

Security Technology Recommendation

Atlantys Networks, Inc. (ANI), a recognized leader in virtual storage solutions including cloud computing and web hosting, is working to strengthen its security posture in order to reinforce its market position. The Trusted Security Solutions (TSS) report, however, revealed weaknesses in the corporate information systems network. After a comprehensive security assessment that included penetration testing and a cloud application vulnerability assessment, TSS identified the existing perimeter firewalls as the most critical issue. These hardware-based firewalls were procured, installed, and updated by ANI's IT department, with support provided by Cisco.

While this solution was state of the art in 2000, the hardware is now obsolete. According to the TSS findings, the firewalls failed to stop more than 70% of the modern threats used during penetration testing. The tools used in the simulation included various families of viruses, worms, and Trojans. The test also included a simulated distributed denial-of-service (DDoS) attack, which completely overwhelmed the security appliance and left the network unavailable to customers for approximately two hours. The overall conclusion of the test was that ANI could at any point be exposed to a large-scale cyber-attack resulting in loss of data confidentiality, integrity, and availability (Gibson, 2012).

Risk management, governance and regulatory compliance

Since ANI's customers include several mid-sized federal agencies, the company must comply with federal legislation on data security. The most prominent law is the Federal Information Security Management Act (FISMA) of 2002, which applies to the information and information security of federal agencies and their contractors. ANI must also comply with the Federal Risk and Authorization Management Program (FedRAMP), which provides uniform standards for federal cloud computing solutions.


Moreover, ANI must meet industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) 3.0 and, where applicable, international standards such as ISO/IEC 27001 Information Security Management (Disterer, 2013).

Besides external regulatory compliance, ANI must also ensure sound governance of its own information security (InfoSec) program. Senior executive management should ensure that security policies and standard operating procedures are implemented and enforced across the entire organization.

In addition, ANI must continuously demonstrate to existing and potential customers that executive management has a strong risk management framework (RMF) in place (SP 800-39, 2011). The RMF shows that Atlantys Networks considers all adverse factors when conducting business. Implementing technical security measures (e.g. firewalls, endpoint security, intrusion prevention systems) is how that framework translates into a measurably improved security posture.

Zero-trust network security

The traditional approach to securing corporate networks relies on perimeter firewalls that filter most or all incoming traffic based on the Internet Protocol (IP) address and the logical port associated with each type of service. For instance, file transfers would use the File Transfer Protocol (FTP) on ports 20 and 21, while web browsing (HTTP) would use port 80 (Dulaney & Harwood, 2012). Network administrators open or block these ports according to the company's needs and its security policies (Stallings, 2011).


Figure 1. Traditional firewall setup for network security (Chomsiri et al., 2014)

Although in 2000 the configuration in Figure 1 would have provided strong security, this is no longer the case. As Gupta, Laxmi and Sharma showed in their report A Survey on Cloud Security Issues and Techniques (2014), cloud providers face numerous threats including DDoS (loss of data availability) and SQL injection (loss of data integrity and confidentiality).

Besides external threats, organizations face internal threats as well. Over the last few years there has been a rise in insider threats, both intentional and unintentional. The CERT program at Carnegie Mellon University, together with the US Secret Service and Deloitte, began publishing reports on insider threats a few years ago. The most recent survey shows that approximately 29% of security breaches are caused by insiders, while more than 50% of companies have experienced an insider incident (CERT, 2013). Every organization therefore faces a considerable chance of losing data confidentiality to insiders.

None of these threats can be stopped by traditional firewalls. More recently, analysts at Forrester Research presented a new concept called the zero-trust network architecture. The research team led by John Kindervag explains that this


concept is in direct opposition to traditional network security (Ashford, 2013). Classic models, including the one employed by ANI, assume that data originating from outside (e.g. the Internet, business partners) is potentially malicious, while all internal traffic and data stored or accessed from inside the network is trusted. The zero-trust model instead treats all internal and external data and network traffic as potentially malicious (Ashford, 2013), which in practice means every flow is authenticated and inspected regardless of where it originates. By adopting this concept, companies can better safeguard data confidentiality, integrity, and availability while mitigating today's most feared cyber threats.

Analysis of current security solutions

As noted in previous IT department memos and recently confirmed by the TSS report, ANI's network security relies mainly on three hardware-based firewalls. The enterprise also recently installed endpoint security software on all workstations, including desktops, laptops, smartphones, and tablets. Furthermore, Atlantys Networks has deployed Secure Sockets Layer (SSL) encryption for its internal traffic.

Traditional Firewalls

As mentioned above, traditional firewalls allow or block network access for external traffic according to security policies and business needs. It is worth noting that this type of device does not inspect the payload of the packets it forwards: it matches only on header fields (addresses, protocol, and ports) and allows traffic based on the ports associated with various applications such as file transfer, web browsing, remote access, etc.

While simple to operate and maintain, the biggest shortcoming of traditional layer 3/4 packet-filtering firewalls (those that match on IP addresses and TCP/UDP ports) is that they cannot identify modern threats (EC-Council, 2010). For instance, the company allows web traffic by opening port 80 on the firewall. When employees visit a popular application such as Facebook and follow malicious links on it, the existing firewalls are blind to the content (CISCO, 2013), so malware such as viruses or Trojans can successfully penetrate the network defenses. Another drawback is that ANI makes wide use of encrypted traffic on port 443, which the existing firewalls cannot inspect for potentially malicious data.
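To make the difference concrete, here is an added example; the report contains no code of its own, and the rule table, flow records, blocked-host list and application heuristics below are assumptions made for the illustration. It runs a port-based filter and an application-aware filter over the same constructed flows: an HTTP request to a blocked host and an SSH session tunnelled over port 80 both pass the port-based filter and are both stopped by the application-aware one, which also applies the same policy to LAN and Internet sources in the zero-trust spirit described above.

```python
"""Added example, not part of the report: a port-based packet filter next to an
application-aware filter, evaluated over constructed flow records.  The rule
table, the flow records, the blocked-host list and the application heuristics
are all assumptions made for this illustration."""

from dataclasses import dataclass


@dataclass
class Flow:
    src_zone: str    # "internet" or "lan" (constructed label)
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes sent by the client (constructed)


# Traditional rule table: (protocol, destination port) -> action.
PORT_RULES = {("tcp", 80): "allow", ("tcp", 443): "allow"}


def port_filter(flow: Flow) -> str:
    """Layer 3/4 decision: looks only at protocol and port, never at payload."""
    return PORT_RULES.get((flow.proto, flow.dst_port), "deny")


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> str:
    """Classify the application from the first client bytes (simplified)."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload:
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"          # TLS handshake record (ClientHello)
    return "unknown"


def http_host(payload: bytes) -> str:
    """Return the Host header of an HTTP request (lower-cased), or '' if absent."""
    for line in payload.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return ""


# Application expected on each open port, and a constructed reputation list.
EXPECTED_APP = {80: "http", 443: "tls"}
BLOCKED_HOSTS = {"malware.example"}


def app_filter(flow: Flow) -> str:
    """NGFW-style decision: the same policy for every zone (zero-trust), and
    the payload must match the application the port was opened for."""
    if port_filter(flow) == "deny":
        return "deny"
    app = identify_app(flow.payload)
    if app != EXPECTED_APP[flow.dst_port]:
        return "deny"         # e.g. SSH tunnelled over port 80
    if app == "http" and http_host(flow.payload) in BLOCKED_HOSTS:
        return "deny"         # reputation / URL filtering
    # A TLS flow is identified, but its contents stay opaque unless the device
    # terminates TLS itself (SSL interception), which this example does not do.
    return "allow"


# Constructed flows: none of these were captured from a real network.
FLOWS = [
    Flow("internet", "tcp", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("lan", "tcp", 80, b"GET /update.exe HTTP/1.1\r\nHost: malware.example\r\n\r\n"),
    Flow("lan", "tcp", 80, b"SSH-2.0-OpenSSH_6.6\r\n"),
    Flow("internet", "tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("internet", "tcp", 22, b"SSH-2.0-OpenSSH_6.6\r\n"),
]


def compare(flows=FLOWS):
    """Return [(port_filter decision, app_filter decision), ...] per flow."""
    return [(port_filter(f), app_filter(f)) for f in flows]


if __name__ == "__main__":
    for f, (p, a) in zip(FLOWS, compare()):
        print(f"{f.src_zone:>8} -> tcp/{f.dst_port:<4} port-filter={p:<5} app-filter={a}")
```

The second and third flows are the cases the paragraph above describes: both are "web traffic" as far as the port-based filter can tell. Note that the 443 flow is allowed by both filters because, without SSL interception, neither can see past the TLS record header; that limitation is what the deep-inspection feature of an NGFW addresses.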


Next-generation firewalls

Since the introduction of the first firewall in the late 1980s, these devices have come a long way. The most recent iteration, the next-generation firewall (NGFW), integrates several previously stand-alone modules that fulfil complementary tasks. Besides the traditional role of port-based traffic filtering, NGFWs include the capabilities of a modern intrusion prevention system, which detects malicious or anomalous traffic and actively blocks it. Detection relies both on signatures of known attacks and on deviation from a pre-established baseline, as shown in the report Are Tomorrow's Firewalls Finally Here Today? by George Lawton (2012).

Figure 2. NGFW covers all 7 OSI layers (The Fortinet Advantage, 2014)

Another NGFW feature is deep packet inspection, which extends inspection to encrypted web traffic, email, and even messaging between mobile devices. Encrypted traffic can only be inspected if the NGFW terminates the SSL/TLS session itself (SSL interception); this requires an enterprise CA certificate to be trusted on the endpoints and adds processing load, so it is normally applied selectively by policy. Many modern threats use SSL encryption to disguise a malicious payload within legitimate traffic, which makes this feature all the more important (Holquist, 2011). In addition, some NGFWs include a reputation service that drops or allows access based on the reputation of the destination website (Lawton, 2012).

Additional NGFW features include scanning files and email attachments in Microsoft Word, Excel, and PowerPoint formats as well as PDF and JPEG images. An NGFW inspects all incoming and outgoing traffic across external, internal, and restricted zones. Moreover, most NGFWs offer extensive policy enforcement in support of corporate governance and compliance.


Mitigating current threats

A recent report shows that last year in the US alone over 1.5 million cyber-attacks were recorded, with a seven-fold increase in DDoS attacks (Watson, 2014). It is therefore important to note that NGFWs can mitigate DDoS attacks at various scales, for example by limiting connection rates per source and protecting their own session tables; volumetric floods that saturate the Internet link itself still need to be absorbed upstream.

Figure 3. A basic DDoS attack (IXIA, 2014)
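As an added example, not from the report or from any vendor, the following per-source connection-rate limiter shows the kind of control an NGFW applies to connection floods of the sort shown in Figure 3; the thresholds, addresses and SYN arrival times are constructed for the illustration.

```python
"""Added example, not part of the report: per-source connection-rate limiting
of the kind an NGFW applies against connection floods, run over a constructed
list of SYN arrivals.  The thresholds, addresses and timestamps are assumptions
made for this illustration."""

from collections import defaultdict, deque


def syn_rate_limit(events, per_source_limit=5, window=1.0):
    """Sliding-window limiter: each source may open at most `per_source_limit`
    new connections in any `window` seconds; excess SYNs are dropped before
    they occupy a slot in the firewall's session table.

    `events` is an iterable of (timestamp_seconds, source_ip) in arrival order.
    Returns a list of (timestamp, source_ip, "accept" | "drop")."""
    recent = defaultdict(deque)        # source -> timestamps of accepted SYNs
    decisions = []
    for ts, src in events:
        q = recent[src]
        while q and ts - q[0] >= window:   # expire entries outside the window
            q.popleft()
        if len(q) >= per_source_limit:
            decisions.append((ts, src, "drop"))
        else:
            q.append(ts)
            decisions.append((ts, src, "accept"))
    return decisions


def summarize(decisions):
    """Count accepted and dropped SYNs per source."""
    counts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for _, src, verdict in decisions:
        counts[src][verdict] += 1
    return dict(counts)


def constructed_events():
    """One ordinary client plus three flooding sources (constructed data)."""
    events = [(10.0, "203.0.113.10"), (10.9, "203.0.113.10"), (11.5, "203.0.113.10")]
    for bot in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        # 20 SYNs from each bot inside half a second
        events += [(10.0 + i * 0.025, bot) for i in range(20)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for src, c in sorted(summarize(syn_rate_limit(constructed_events())).items()):
        print(f"{src:<14} accepted={c['accept']:>3} dropped={c['drop']:>3}")
```

The ordinary client is never throttled, while each flooding source gets five connections per second and loses the rest. Per-source limiting is only one layer: it does nothing against spoofed source addresses or a large botnet whose individual members stay under the limit, which is why SYN cookies on the device and upstream scrubbing are used alongside it.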

In addition, advanced persistent threats (APTs), targeted intrusions that rely on custom-built, weaponized malware, can go undetected for months or even years (Ponemon, 2013). This type of threat is mainly used for cyber-espionage and cybercrime against federal agencies, defense contractors, and data centers because of the highly valuable information they hold (Jasek & Smiraus, 2011). APTs also use zero-day exploits as attack vectors, taking advantage of previously unknown flaws in widely deployed software such as Java, Adobe Reader, Flash, Windows, Android, and many more (Ponemon, 2013).

Another notable advantage of an NGFW is its ability to detect threats that originate inside the network, thanks to deep packet inspection. For example, if an employee opens a malicious email attachment from a workstation, the device will detect and block the download and report the event to security administrators. The same mechanism allows enforcing enterprise security policies such as Acceptable Use of Information Systems, Bring Your Own Device, and others.
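The attachment scanning listed under Next-generation firewalls and the blocked malicious attachment in the paragraph above can be illustrated with an added example (not code from the report or from any vendor): it decides the real type of a file from its content rather than its extension, blocks executables however they are named, and quarantines Office documents that carry a VBA project. The file names, file contents and the allow policy are constructed assumptions.

```python
"""Added example, not part of the report: content-based file type checks of
the kind an NGFW applies to downloads and email attachments.  The allowed-type
policy, the file names and the file contents are constructed for this
illustration; the macro check looks for a vbaProject.bin part in an OOXML package."""

import io
import zipfile

# Magic-byte signatures: the true type is decided by content, not extension.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),                              # OOXML (.docx etc.) is a zip
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),       # legacy .doc/.xls/.ppt
    (b"MZ", "exe"),                                      # Windows PE image
]

# Content type each allowed extension is expected to carry (constructed policy).
EXTENSION_TYPE = {
    "pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def ooxml_macro_status(data: bytes) -> str:
    """'macros', 'clean' or 'unreadable' for an Office Open XML package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "unreadable"
    return "macros" if any(n.endswith("vbaProject.bin") for n in names) else "clean"


def scan_attachment(filename: str, data: bytes):
    """Return (verdict, reason) for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    expected = EXTENSION_TYPE.get(ext)
    if actual == "exe":
        return "block", "executable content"
    if expected is None:
        return "block", f"extension .{ext} not allowed by policy"
    if actual != expected:
        return "block", f"content is {actual}, not {expected}"
    if actual == "zip":
        status = ooxml_macro_status(data)
        if status == "macros":
            return "quarantine", "Office document contains VBA macros"
        if status == "unreadable":
            return "quarantine", "Office document could not be parsed"
    return "allow", "type matches policy"


def make_ooxml(with_macros: bool) -> bytes:
    """Build a minimal constructed .docx-like package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
    return buf.getvalue()


# Constructed attachments; none of these are real files.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%constructed\n"),
    ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),      # PE renamed to .pdf
    ("notes.docx", make_ooxml(with_macros=False)),
    ("quote.docx", make_ooxml(with_macros=True)),
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("archive.7z", b"7z\xbc\xaf\x27\x1c"),
]


def scan_all(samples=SAMPLES):
    """Map each sample file name to its verdict."""
    return {name: scan_attachment(name, data)[0] for name, data in samples}


if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict, reason = scan_attachment(name, data)
        print(f"{name:<12} {verdict:<10} {reason}")
```

The renamed executable (invoice.pdf) is the case that defeats an extension-based rule and is caught here by content. A production scanner goes further (archive recursion, signature and sandbox analysis), but the principle that the declared name is never trusted is the same.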


As a special note, many security practitioners use the term Unified Threat Management (UTM) interchangeably with NGFW. While both appliance types have similar components and even look the same, there are three main differences between the two (Gartner, 2014).

1. UTMs are designed to process data on a smaller scale, primarily for small and mid-sized businesses (SMBs). NGFWs, in contrast, are designed for large organizations, data centers, and cloud-based solutions and can handle far larger volumes of traffic.

2. Many UTMs include an anti-virus component, which is important for SMBs. Enterprises with thousands of devices on their networks generally prefer a separate, dedicated anti-virus product on the workstations.

3. Although many vendors offer both categories, very few excel at providing high-performance devices and technical support for both NGFW and UTM.

Vendor solutions analysis

Today there are many major vendors competing in the NGFW market. Some of the most prominent are listed below.

Barracuda Network

Palo Alto

Dell

Huawei

Juniper Networks

Fortinet

Sophos

Stonesoft

Check Point

WatchGuard

McAfee

Cisco

Most of these vendors offer both UTMs and NGFWs, with differing degrees of support, performance, and market availability. This paper will further discuss the main attributes of the vendors and products in the next-generation firewall market.

NGFW vendors

While most vendors make sufficiently capable devices, three stand out: Dell, Cisco, and Fortinet. All three were chosen for their continuous presence in the annual NSS Labs tests, the main independent authority on the subject. In addition, all three have been placed in Gartner's Magic Quadrant for Enterprise Network Firewalls for the last several years. It is important to note that NSS Labs tests the performance of the devices, while Gartner surveys customer satisfaction in the post-sale phase.

The first vendor is Dell, which offers several solutions in its SonicWALL series. Known mainly for desktops, laptops, and servers, Dell has emerged over the last few years as a serious competitor in the security appliance market. SonicWALL provides relatively affordable integrated solutions for medium to large enterprises, with solid technical support thanks to Dell's global presence. To differentiate its NGFW line from its UTM line, Dell added the SuperMassive brand to its large-enterprise products (Dell, 2014). Gartner Research recommends this product line (2014).

The second vendor is Cisco, the largest global provider of networking devices such as routers and switches. Security solutions are a natural extension of Cisco's business, and Cisco integrates various security modules into its devices based on client needs. Its NGFW line is branded FirePOWER and comes from Sourcefire, which Cisco acquired in 2013 (CISCO, 2013). Gartner's Magic Quadrant for Enterprise Network Firewalls recommends this NGFW (2014).

Fortinet is a relative newcomer, founded in 2000. Unlike the other two vendors, Fortinet has specialized from the beginning in emerging security technologies, and in a short time it built a strong reputation among NGFW vendors by integrating sophisticated technologies into its products. Its flagship FortiGate line is also supported globally by third-party partners. NSS Labs, the main authority on testing all types of security devices, rates FortiGate as a recommended product. In addition, Fortinet offers its Advanced Malware Protection module at no extra cost, which adds another layer of protection against APTs (The Fortinet Advantage, 2014).

Performance versus costs

The products selected were the Dell SonicWALL SuperMassive E10800, the Cisco Sourcefire 8250, and the Fortinet FortiGate-3600C. All three scored close to 100% in blocking the threats used in NSS Labs testing (2014). According to the same source, the Fortinet NGFW achieved the highest throughput: NSS Labs rated the FortiGate-3600C at up to 17,050 Mbps with 96.3% of threats blocked, compared with the Sourcefire 8250, which capped at 10,000 Mbps with 98.9% blocked, and the SuperMassive E10800 at 16,395 Mbps with 97.9% blocked (NSS Labs, 2013).

Because costs vary from vendor to vendor, it is important to compare similar configurations, since each NGFW considered offers multiple optional modules. The configuration chosen includes, besides the firewall (perimeter and network) capability, the following modules: VPN tunneling (IPsec and SSL), Network Access Control (NAC), Intrusion Prevention System (signature and anomaly based), application control, reputation management, URL filtering, IPv6 support, and IT policy compliance (The Fortinet Advantage, 2014).

Figure 4. Next Generation Firewall Security Value Map (NSS Labs, 2013)

The best way to assign a specific cost is to follow the NSS Labs methodology. NSS Labs defines Total Cost of Ownership (TCO) as all costs associated with purchasing, implementing, maintaining, and updating the devices, and expresses value as TCO per protected Mbps. Supplementary costs such as personnel training and system certifications also need to be considered.

NGFW Product                         Security Effectiveness   Value (TCO per Protected-Mbps)   Rating
Dell SonicWALL SuperMassive E10800   97.90% (Good)            $15.46 (Fair)                    Recommended
Cisco Sourcefire 8250                99.20% (Excellent)       $20.03 (Good)                    Recommended
Fortinet FortiGate-3600C             96.30% (Good)            $8.30 (Excellent)                Recommended

Table 1. NSS Labs NGFW Comparative Analysis

It is also important to explain why three firewalls are needed. Two of them handle the main corporate traffic in parallel, which load-balances the traffic and provides failover if one device fails. The third NGFW is dedicated to wireless traffic and mobile applications.

Finally, it is crucial to note that although the total cost of implementing this solution may seem high, it is small compared with the cost of a security breach. According to the Ponemon Institute, such losses average $9.4 million, resulting from damage to brand reputation, cleanup and recovery, business disruption, and legal consequences (2013).

Conclusions

Adopting an emerging technology is no longer a matter of keeping up with industry trends. Enterprises of all sizes, commercial and governmental, must invest in proper security technology to protect the confidentiality, integrity, and availability of data. Organizations that handle and store sensitive data on behalf of their customers must also comply with many regulations and standards, and that compliance does not stop at reporting; it requires preventive measures against security breaches.

Finally, the cost of adopting new defensive technology is minor compared with the overall cost of a security breach, and a more expensive solution buys peace of mind for the company's employees, investors, and clients. As a final recommendation, the Fortinet FortiGate-3600C would be the best choice for Atlantys Networks, Inc. Among the three products compared, it delivered the highest throughput and the lowest TCO per protected Mbps in the NSS Labs tests (Table 1), with security effectiveness close to that of its competitors, and it was the only one to offer the Advanced Malware Protection module at no extra cost (The Fortinet Advantage, 2014); it has also been tested by ICSA Labs.


References

Ashford, W. (2013, June 10). Zero trust model key to security success, says Forrester. Computer Weekly. Retrieved from http://www.computerweekly.com/news/2240185636/Zero-trust-model-key-to-security-success-says-Forrester

CERT. (2013, August). 2013 US State of Cybercrime Survey: How Bad is the Insider Threat? Software Engineering Institute, Carnegie Mellon University. Retrieved from http://resources.sei.cmu.edu/asset_files/Presentation/2013_017_101_58739.pdf

Chomsiri, T., He, X., Nanda, P. & Tan, Z. (2014, January). Improving cloud network security using the Tree-Rule firewall. Future Generation Computer Systems, 30, 116-126. doi:10.1016/j.future.2013.06.024

CISCO. (2013). Getting the Most Out of Your Next-Generation Firewall. San Jose, CA: Cisco and Affiliates.

Dell. (2014). Next-Generation Firewalls: Critical to your organization's network security. Round Rock, TX: Dell White Papers.

D'Hoinne, J., Hils, A. & Young, G. (2014, April 15). Magic Quadrant for Enterprise Network Firewalls. Gartner Research. Retrieved from www.gartner.com

Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security, 92-100. Retrieved from http://www.scirp.org/journal/jis/

Dulaney, E. & Harwood, M. (2012). CompTIA Network+ N10-005 (4th ed.). Indianapolis: Pearson.

EC-Council. (2010). Ethical Hacking and Countermeasures: Secure Network Infrastructures (Vol. 5). Clifton Park, NY: Cengage Learning.

Gibson, D. (2012). All-In-One Systems Security Certified Practitioner. New York: McGraw-Hill.

Gupta, G., Laxmi, P. & Sharma, S. (2014, March 22). A Survey on Cloud Security Issues and Techniques. International Journal on Computational Sciences & Applications, 4(1), 1-8. Retrieved from Cornell University Library: http://arxiv.org/abs/1403.5627?

Holquist, R. (2011, August). Growing Network-Encryption Use Puts Systems at Risk. IEEE Computer Society. Retrieved from http://www.computer.org/portal/web/computingnow/news/growing-network-encryption-use-puts-systems-at-risk

IXIA. (2014). Is Your Data Center Ready for Today's DDoS Threats? Retrieved from Fortinet: http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf

Jasek, R. & Smiraus, M. (2011). Risks of Advanced Persistent Threats and Defense Against Them. In B. Katalinic (Ed.), Annals of DAAAM & Proceedings (pp. 1589-1590). Vienna: DAAAM International.

Lawton, G. (2012, October 16). Are Tomorrow's Firewalls Finally Here Today? IEEE Computer Society. Retrieved from http://www.computer.org.ezproxy.umuc.edu/portal/web/computingnow/news/are-tomorrows-firewalls-finally-here-today

NSS Labs. (2014). Next Generation Firewalls Comparative Analysis. Retrieved from http://www.nsslabs.com

Ponemon Institute. (2013). The State of Advanced Persistent Threats. Traverse City: Trusteer.

SP 800-39: Managing Information Security Risk. (2011, March). National Institute of Standards and Technology (NIST). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

Stallings, W. (2011). Network Security Essentials: Applications and Standards (4th ed.). Upper Saddle River, NJ: Prentice Hall.

The Fortinet Advantage. (2014). Retrieved from Fortinet: http://www.fortinet.com/aboutus/aboutus.html

Watson, M. (2014, August 21). Fighting cyber crime in the US – Infographic. IT Governance. Retrieved from http://www.itgovernanceusa.com/blog/fighting-cyber-crime-in-the-us-infographic/?utm_source=Email&utm_medium=TechTarget&utm_campaign=Email3&utm_content=2014-09-01