720 likes | 732 Views
Get full control over your network with the new ZyXEL USG series. This series offers a range of advanced features including anti-virus, anti-spam, content filtering, intrusion detection & prevention, application intelligence, VPN, SSL inspection, and more.
E N D
Next Generation USG SeriesUnified UTM PowerGet full control over your network with the new ZyXEL USG series GSBU/ ZyXEL Communications Corp. April, 2014
Table of Contents • Introducing Next-Gen USG Series • Technology Details • Anti-Virus • Anti-Spam • Content Filtering • Intrusion Detection & Prevention • Application Intelligence • VPN • SSL Inspection • Profile Overview • Competition Analysis • Why ZyXEL • Ordering Information • Ultra-high Performance • Unified Security Policy • Single-sign-on • WLAN Controller • High Availability • Bundled License & myZyXEL.com 2.0
A Most Danger Just Happened The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet…..
Threats actually happens every day… 2013 security timeline
And it will never ends… More and more new applications, plus more creative threats!
What’s NG Firewall? • UTM needs to be renewed! • To stay ahead of more and new threats • Next generation firewall • Gartner “Magic Quadrant” defines the capabilities of a next-gen firewall • Deep packet inspection • Intrusion detection • Application identification • Granular control • Reduced complexity
Next Generation USG • Anti-malware protection • Deeper inspection • Ultra-high performance • Broad coverage of VPN applications • To policy with ease • Enhanced user experience • Non-stop availability
Gateway Level Protection Reasons your network still needs strong protection at Gateway point: • Endpoint software, ex. AV, can be disabled by end-users • Not all devices on the network have endpoint protection software; ex. printer and other peripherals • Mobile devices are a risk • Endpoints are often out of date • Guest systems need protection too!
Anti-Malware Protection • Best-of-breed technologies Anti-Virus Content Filtering IDP App Mgmt Anti-Spam
Next-Gen USG Series TECHNOLOGY DETAILS
Anti-Virus World Best Anti-Virus • GOLD zero-day protection awards from AV-Comparatives • First-class detection rates • AV-Comparatives consistently awards Kaspersky the highest possible rating (Advanced+)
Anti-Virus World Best Anti-Virus • Integrate Kaspersky’s newest SafeStream II gateway anti-virus • Blocks unknown threats and over 650,000 viruses at the gateway • Fast stream-based scanning provides real-time protection with no file size limitation • Optimum frequency of updates • 10 to 25 per day and each are less than 50 KB • best frequency-to-content ratio • Fast response time and the best defense from new & unknown threats.
Anti-Virus Spam Is Still There… • Around 3 out of every 4 emails are Spam • Most of these deliver threats, but ‘traditional’ Spam content is still there • Impacts to users • Cluttered inboxes • Unnecessary exposure to threats, e.g. Phishing • Lost communications & productivity • Impact to business (IT) • Increased support burden • Increased infrastructure load • User complains
Anti-Spam Cloud-based Anti-Spam Proven, high-performance protection with strict content privacy • Identify new spam, malware and phishing attacks - the moment they emerge • Recurrent Pattern Detection™ (RPD) technology blocks spam based on its most fundamental characteristics - mass distribution and repeating patterns • Global detection from a patented content and language agnostic solution • Powered by the GlobalView™ Cloud • Deployed across 12 carrier-grade data centers • Gathering billions of Internet transaction daily
Anti-Spam How It Works RPD looks at the ‘macro picture’ across the global Internet and output to GlobalView Cloud Next-Gen USG Series
Web: The Primary Attack Factor Content Filtering Malware attacks come from the Web 92%(1) Attacks die in less than 24 hours 54%(1) Companies are hit by targeted attacks 50%(1) ATTACKS Malware comes from legitimate sites 85%(3) Companies are hit by Web attacks 72%(2) ¹ M86 Security, 2011 ² Verizon Data Breach Report, 2012 ³ Websense, 2012
Core Of Content Filtering Content Filtering • RELEVANT COVERAGE • Full detail on the URLs you need – not the ones you don’t Global URLs Locall URLs • FRESH DATA • Base decisions on the state of the web right now • MASSIVE SCALABILITY • Global coverage with low latency
Cloud-based Content Filtering Sets the performance standard for URL filtering applications: • Broad, high-accuracy coverage • Near zero latency • Real-time threat identification • Customize cache by location • Custom categorization Content Filtering Next-Gen USG Series
Threat Prevention IDP Threat prevention and blocking malicious traffic is the 1st step to keep your biz safe. Application Control Traffic Shaping Step 1: Block malicious traffic Step 2: Allocate network bandwidth properly Step 3: Granular control to applications Threat Prevention
Leading IDP Engine IDP Powered by Next-Gen USG Series • Single-Pass Scanning Engine: • 3-in-1 DPI engine • Multi-Functional, • Low Latency, • High Performance. Intrusion Detection & Prevention Packet Classification Anti-Virus Application Intelligence & Optimization Traditional solutions: High Latency, Low Performance, Difficult to Integrate with Multi-Vendors Packet Intrusion Prevention Anti-Virus Application Recognition Vendor A Vendor B Vendor C
Full coverage of IDP IDP DoS/DDoS Buffer Overflow Access Control Scan Virus/Worm Trojan/Backdoor Web Attack Other
Advanced IDP Technology IDP Intrusion detection and prevention (IDP) • Layer 7 context-aware threat analyzing • Behavior analysis for encrypted threats and applications • Protection for both client-side and server-side vulnerabilities • Provide anomaly-based and vulnerability-based threats protection • Awards-winning engine (certified by NSS and ICSA) • Support both Exploit-based and Vulnerability-based protection • Support Web Attacks like XSS and SQL Injection • Management/Reporting system
App Intelligence (1) App Intelligence The dilemma of control v.s. vulnerability: • Internet and social media applications are main source of attacks and vulnerabilities • They are also modern tools to improve productivity • Challenges to IT now is to manage a bunch of applications without hindering productivity
App Intelligence (2) App Intelligence • Granular, precise and flexible control • Identify, categorize and control over 3,000 Web apps and behaviors • Various control mode: Prioritize, BWM (bandwidth mgmt) , Block • Effective policy enforcement over social media, gaming, P2P and other Web apps • Industry-leading signature development per week update
Protected Cloud Access VPN Challenges in adopting cloud service and applications • Retrieving data in cloud from multiple sites or during travel shall be protected from data breach Server/ applications in cloud Mobile User Internet Headquarters Branch
Hybrid VPN! VPN USG series supports various VPN algorithm and adaptive to different VPN connectivity • IPSec VPN • SSL VPN • L2TP over IPSec • GRE over IPSec Commuter L2TP VPN Mobile User Internet Headquarters IPSec VPN GRE over IPSec VPN Branch Branch
EASY VPN VPN Zero-touch client configuration required • Pre configured profile assigned to user according to their privilege
VPN Enhancement VPN Next-gen USG series comes with more enhancements Future Proof IPv6 IPSec VPN • Able to establish IPSec VPN tunnels between IPv6 network environments Fast Hand-shaking IKEv2 IPSec VPN • More efficient: faster negotiation, faster rekey time, less IOP issues (build-in DPD, NAT-T protocol) • More secure: DoS (IP spoofing) protection, EAP user authentication support Easier Deployment IPSec VPN user-based PSK • Assign a unique ID and PSK (pre-shared key) for every client site • More secure for different sites High Compatibility SSL VPN client for Mac OS X • Mac computers running on OS X are now supported
SSL Hides Threats… SSL Inspection Challenges from SSL encryption: • SSL encrypted connections are potential security blind spots • Sophisticated threats, bots and other malware hide in SSL encrypted connections to avoid inspection • Without SSL inspection, Web applications that use HTTPS (e.g. Facebook, Dropbox, Gmail, etc.) cannot be blocked, throttled or prioritized
SSL Inspection SSL Inspection Benefits of enforcing SSL inspection • Deeper policy enforcement • Apply application control policies even for SSL encrypted traffic • Block invisible threats • Stop threats, bots and other malware that usually go unseen inside SSL encrypted traffic • Comply with user privacy regulations • Create an exclude list to bypass traffic that is related to user privacy • Visible certificate cache list enables users to add items in the exclude list quick and easily
How It Works SSL Inspection Scan Content filtering IDP Anti-virus Application Intelligence Client USG Server SSL connection SSL connection Decrypt Encrypt
Don’t Be the Bottleneck Performance Gateway performance is challenged due to • Multi-media is taking majority of Internet traffics • Global IP traffic to grow by triple from 2012 to 2017 • Broadband infrastructure keeps upgrading
Ultra-high Performance Performance Faster, better, stronger New multi-core hardware platform • Multi-core and higher frequency CPUs • Higher system throughput level
Overwhelming Policies Unified Policy In the past… Users had to configure policies for each UTM feature separately in multiple pages
Repetitive Policies Unified Policy Also… • Users also had to configure the same policies for different Web applications one at a time • This meant a lot of repetitive work and redundant effort
One-glance Policing Unified Policy Unified Security Policy Integrates firewall and all UTM features into a single configuration flow • Zone • Source IP • Destination IP • Destination port • User • Time • App. intelligence • Content filtering • IDP • Anti-virus • Anti-spam • SSL inspection
Unified Security Policy Unified Policy One-Glance configuring Users can apply a policy across firewall and every UTM feature from a single interface Firewall Rules UTM Profiles
Unified Security Policy Unified Policy Consolidated policing • Users can also create policies and easily add all the Web applications that need to be regulated • Redundant effort is eliminated, configuration time is reduced
Enhanced User Experience SSO Single sign-on • Sign in once for domain and Internet authentication • Supports Microsoft Active Directory • SSO agent supports Windows 7 Pro (and above), Server 2008, Server 2008 R2, Server 2012 Benefits to ITs • Reduces IT help desk calls about passwords • Compatible with native Microsoft Windows features • No need to inject or replace any Microsoft AD components Benefits to end-users • Sign in once to access multiple services • Reduces password fatigue and time spent re-entering passwords for the same identity
Single-sign-on SSO Users need to install the ZyXEL SSO agent on a Windows platform server and configure corresponding settings on the USG Internet USG allows Internet access based on user-aware policy match USG sends acknowledgement to SSO agent SSO agent queries group info from DC 7 Microsoft AD domain controllers SSO agent USG 5 3 4 2 User attempts to send traffic through USG SSO agent forwards user login info to USG DC forwards user login info to SSO agent 6 User User logs in domain 1
Integrated WLAN Controller Controller Investment protection plus easy to deploy Wi-Fi • Centralized AP provisioning, authentication, firmware upgrade • Supported amount of managed APs:
Integrated WLAN Controller Controller • No extra device integration and configuration needed • No worries about interoperability Other solutions ZyXEL’s solution Next-gen USG Series Gateway WLAN controller
Non-stop Availability High Availability 3-tier high availability Driving highest business robustness
Mobile Broadband Back-up High Availability USG series supports various mobile broadband clients to provide WAN connectivity back-up • WAN resiliency with active-active Ethernet WAN load balancing or active-passive failover • Supports more 3G/4G USB modems for WAN backup (drivers downloadable from cloud) WAH1000
VPN High Availability (1) High Availability • Utilizes GRE over IPSec and GRE trunk technology • Provides resilient IPSec VPNs with active-active load balancing or active-passive failover HQ Network Remote Office B Network Remote Office A Network WAN1 WAN2 Internet WAN1 WAN2 WAN1
VPN High Availability (2) High Availability • Provides resilient IPSec VPNs with active-active load balancing or active-passive failover GRE Trunk GRE Tunnel 2 GRE Tunnel 1 GRE Trunk IP network Site B Site A
Device High Availability High Availability • Active-passive device backup and failover • Available on Advanced and Extreme Series (USG110 to USG1900) LAN WAN ISP1 Switch USG (Master, Active) DSL CPE/Router Failover Switch ISP2 USG (Backup, Standby) DSL CPE/Router Switch
Bundled Security Services Security Licenses • Default bundles with 13-month service license, including 30-day trial • One-click to quickly activate the services; no additional purchasing required • Service license types • Karspersky anti-virus • Anti-spam • Content filtering • IDP & Application Intelligence • Managed AP scale-up
License Mgmt – MyZyXEL.com 2.0 Security Licenses • ZyXEL cloud-based license management platform End Customers’ Networks Status synchronized service Internet service service Data Center service Registration & activation Management Service service service service Channel Partner
MyZyXEL.com 2.0 Allows You… Security Licenses Saving the OPEX of Managing Your Businesses • Tiered registration and management portals • When providing services to multiple networks, ZyXEL channel partners can manage network via signal platform • Preventing multiple log-in’s to view customers’ status • Batch information upload • Device registration, license key and service activation • Via uploading .csv file • Reporting • Expired services, activated services, registered devices • By user-defined