SonicWall Network Security Virtual (NSv) Firewall Series


SonicWall Network Security virtual (NSv) firewall series
Next-gen security for public, private or hybrid cloud environments

The design, implementation and deployment of modern network architectures, such as virtualization and cloud, continue to be a game-changing strategy for many organizations. Virtualizing the data center, migrating to the cloud, or a combination of both, demonstrates significant operational and economic advantages. However, vulnerabilities within virtual environments are well-documented. New vulnerabilities are discovered regularly that yield serious security implications and challenges. Ensuring that applications and services are delivered safely, efficiently and in a scalable manner, while still combating threats to all parts of the virtual framework, including virtual machines (VMs), application workloads and data, must be among the top priorities.

The SonicWall Network Security virtual (NSv) firewall series helps security teams reduce these types of security risks and vulnerabilities, which can cause serious disruption to your business-critical services and operations. NSv next-generation virtual firewalls integrate two advanced security technologies to deliver cutting-edge threat prevention that keeps your network one step ahead. SonicWall's patent-pending Real-Time Deep Memory Inspection (RTDMI) technology enhances our award-winning multi-engine Capture Advanced Threat Protection (ATP) sandboxing service. The RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown malware by inspecting directly in memory. Because of the real-time architecture, SonicWall RTDMI technology is precise, minimizes false positives, and identifies and mitigates sophisticated attacks where the malware's weaponry is exposed for less than 100 nanoseconds.

In combination, SonicWall's patented* single-pass Reassembly-Free Deep Packet Inspection (RFDPI) engine examines every byte of every packet, inspecting both inbound and outbound traffic on the firewall.

Benefits

Public and private cloud security
- Next-gen firewall with automated real-time breach detection and prevention capabilities
- Patent-pending Real-Time Deep Memory Inspection (RTDMI) technology
- Patented Reassembly-Free Deep Packet Inspection (RFDPI) technology
- Complete end-to-end visibility and control
- Application intelligence and control
- Segmentation security and security zoning
- Support across private cloud (ESXi, Hyper-V) and public cloud (AWS, Azure) platforms
- BYOL and PAYG licensing

Virtual machine protection
- Zero-day threat protection with Capture ATP
- Data confidentiality
- Secure communication with data leakage prevention
- Traffic validation, inspection and monitoring
- System safety and integrity
- Virtual network resilience and availability

* U.S. Patents 7,310,815; 7,600,257; 7,738,380; 7,835,361; 7,991,723

[Figure: Flexible Deployment Use Cases]

[Figure: Capture Cloud sandbox flow. Labels: Classified Malware, Streaming Data, Ransomware (Locky, WannaCry), Trojan, Unknown, Machine Learning, Deep Learning Algorithms, Endpoint, Cloud Capture Sandbox; analysis engines A Hypervisor, B Emulation, C Virtualization, D RTDMI; verdict Good or Bad, with the file blocked until the verdict is sent.]

The NSv series delivers the automated real-time breach detection and prevention organizations need by utilizing innovative deep learning technologies in the SonicWall Capture Cloud Platform. This platform delivers cloud-based threat prevention and network management plus reporting and analytics for organizations of any size. It consolidates threat intelligence gathered from multiple sources including our Capture ATP, as well as more than 1 million SonicWall sensors located around the globe. By leveraging the SonicWall Capture Cloud Platform in addition to capabilities including intrusion prevention, anti-malware and web/URL filtering, the NSv series blocks even the stealthiest threats at the gateway.

NSv is easily deployed and provisioned in a virtual environment, typically between virtual networks (VNs) or virtual private clouds (VPCs). This allows it to capture communications and data exchanges between virtual machines for automated breach prevention, while establishing stringent access control measures for data confidentiality and VM safety and integrity. Security threats (such as cross-virtual-machine or side-channel attacks, common network-based intrusions, and application and protocol vulnerabilities) are neutralized successfully through SonicWall's comprehensive suite of security inspection services¹.
All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and Capture ATP multi-engine sandboxing with RTDMI technology.²

Segmentation Security

For optimal effectiveness against Advanced Persistent Threats (APTs), network security segmentation must apply an integrated set of dynamic, enforceable barriers to advanced threats. With segment-based security capabilities, NSv can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. By applying security policies to the inside of the VN, segmentation can be configured to organize network resources into different segments, and allow or restrict traffic between those segments. This way, access to critical internal resources can be strictly controlled.

NSv automatically enforces segmentation restrictions based upon dynamic criteria, such as user identity credentials, geo-IP location and the security posture of mobile endpoints. For extended security, NSv is also capable of integrating multi-gigabit network switching into its security segment policy and enforcement. It directs segment policy to traffic at switching points throughout the network, and globally manages segment security enforcement from a single pane of glass.

Since segments are only as effective as the security that can be enforced between them, NSv applies an intrusion prevention system (IPS) to scan incoming and outgoing traffic on the VLAN segment to enhance security for internal network traffic. For each segment, it enforces a full range of security services on multiple interfaces based on enforceable policy.

With infrastructure support for high availability implementation, NSv fulfills the scalability and availability requirements of Software Defined Data Centers.
It ensures system resiliency, service reliability, and regulatory conformance. Optimized for a broad range of public, private and hybrid deployment use cases, NSv can adapt to service-level changes and ensure VMs and their application workloads and data assets are available, as well as secure. It can do it all at multi-Gbps speed with low latency.

Organizations gain all the security advantages of a physical firewall, with the operational and economic benefits of virtualization. This includes system scalability, operation agility, provisioning speed, simple management and cost reduction.

The NSv series is available in multiple virtual flavors carefully packaged for a broad range of virtualized and cloud deployment use cases. Delivering multi-gigabit threat prevention and encrypted traffic inspection performance, the NSv series adapts to capacity-level increases and ensures VN and VPC safety. The series also ensures application workloads and data assets are available as well as secure.

Govern Centrally

NSv deployments can be centrally managed either on premises with SonicWall Global Management System (GMS²), or with Capture Security Center², SonicWall's open, scalable cloud security management, monitoring, reporting and analytics platform delivered as a cost-effective as-a-service offering. Capture Security Center gives the ultimate in visibility, agility and capacity to govern the entire SonicWall virtual and physical firewall ecosystem with greater clarity, precision, and speed – all from a single pane of glass.

Flexible Licensing

NSv supports Bring Your Own License (BYOL) and Pay As You Go (PAYG) licensing. The BYOL license for NSv can be purchased directly from SonicWall, a partner or reseller, whereas the PAYG license is purchased directly from the AWS Marketplace. PAYG is a usage-based license wherein payment is made per usage on an hourly or annual basis.

GMS provides a holistic approach to security governance, compliance and risk management (Govern Centrally, Compliance, Risk Management):
- Establish an easy path to comprehensive security management, analytic reporting and compliance to unify your network security defense program
- Make regulatory bodies and auditors happy with automatic PCI, HIPAA and SOX security reports
- Move fast and drive collaboration, communication and knowledge across the shared security framework
- Customize any combination of security auditable data to help you move towards specific compliance regulations
- Make informed security policy decisions based on time-critical and consolidated threat information for a higher level of security efficiency
- Automate and correlate workflows to form a fully coordinated security governance, compliance and risk management strategy

Features

SonicOS Platform
The SonicOS architecture is at the core of every SonicWall physical and virtual firewall including the NSv and NSa Series, SuperMassive Series and TZ Series. Refer to the SonicWall SonicOS Platform datasheet for the complete list of features and capabilities.

Automated breach prevention¹
NSv delivers complete advanced threat protection, including high-performance intrusion and malware prevention, and cloud-based sandboxing with SonicWall's RTDMI technology.

Around-the-clock security¹
NSv ensures lateral movement protection, plus inbound and outbound traffic protection.
New threat updates are automatically pushed to firewalls with active security services, and take effect immediately without reboots or interruptions.

Zero-day protection¹
NSv protects against zero-day attacks with constant updates against the latest exploit methods and techniques that cover thousands of individual exploits.

Threat API
NSv receives and leverages any and all proprietary, original equipment manufacturer and third-party intelligence feeds to combat advanced threats, such as zero-day, malicious insider, compromised credentials, ransomware and advanced persistent threats.

Zone protection
NSv strengthens internal security by enabling segmentation of the network into multiple security zones, with intrusion prevention service keeping threats from propagating across the zone boundaries. Creating and applying access rules and NAT policies to traffic passing through the various interfaces, it can allow or deny internal or external network access based on various criteria.

Application intelligence and control¹
NSv provides granular control over network traffic at the user, email address, schedule, and IP-subnet levels, with application-specific policies. It controls custom applications by creating signatures based on specific parameters or patterns unique to an application. Internal or external network access is allowed or denied based on various criteria.

Data leakage prevention
NSv provides the ability to scan streams of data for keywords. This restricts the transfer of certain file names, file types, email attachments, attachment types, email with certain subjects, and email or attachments with certain keywords or byte patterns.

Application layer bandwidth management
NSv can select among various bandwidth management settings to reduce network bandwidth usage by an application using packet monitor.
This provides further control over the network.

Secure communication
NSv ensures the data exchange between groups of virtual machines is done securely, including isolation, confidentiality, integrity, and information flow control within these networks via the use of segmentation.

Access control
NSv validates that only VMs that satisfy a given set of conditions are able to access data belonging to another through the use of VLANs.

User authentication
NSv creates policies to control or restrict VM and workload access by unauthorized users.

Data confidentiality
NSv blocks information theft and illegitimate access to protected data and services.

Virtual network resilience and availability
NSv prevents disruption or degradation of application services and communications.

System safety and integrity
NSv stops unauthorized takeover of VM systems and services.

Traffic validation, inspection and monitoring mechanisms
NSv detects irregularities and malicious behaviors to stop attacks targeting VM workloads.

Deployment options
NSv can be deployed on a wide variety of virtualized and cloud platforms for various private/public cloud security use cases.

¹ Requires SonicWall Advanced Gateway Security Services (AGSS) subscription.
² SonicWall Global Management System and Capture Security Center require separate licensing or subscription.

NSv Series system specifications

FIREWALL GENERAL | NSv 10 | NSv 25 | NSv 50 | NSv 100
Operating system | SonicOS¹ (all models)
Supported Hypervisors | VMware ESXi v5.5 / v6.0 / v6.5 / v6.7, Microsoft Hyper-V Win 2012 / 2016 (all models)
Licensing | BYOL (all models)
Max Supported vCPUs | 2 | 2 | 2 | 2
Interface Count (ESXi/Hyper-V) | 8/8 | 8/8 | 8/8 | 8/8
Max Mgmt/DataPlane Cores | 1/1 | 1/1 | 1/1 | 1/1
Min Memory³ | 4 GB | 4 GB | 4 GB | 4 GB
Max Memory⁴ | 6 GB | 6 GB | 6 GB | 6 GB
Supported IP/Nodes | 10 | 25 | 50 | 100
SSO users | 25 | 50 | 100 | 100
Minimum Storage | 60 GB (all models)
Logging | Analyzer, Local Log, Syslog
High availability | Active/Passive

FIREWALL/VPN PERFORMANCE⁶ | NSv 10 | NSv 25 | NSv 50 | NSv 100
Firewall Inspection Throughput | 2 Gbps | 2.5 Gbps | 3 Gbps | 3.5 Gbps
Full DPI Throughput (GAV/GAS/IPS) | 450 Mbps | 550 Mbps | 650 Mbps | 750 Mbps
Application Inspection Throughput | 1 Gbps | 1.25 Gbps | 1.5 Gbps | 1.75 Gbps
IPS Throughput | 1 Gbps | 1.25 Gbps | 1.5 Gbps | 1.75 Gbps
Anti-Malware Inspection Throughput | 450 Mbps | 550 Mbps | 650 Mbps | 750 Mbps
IMIX Throughput | 750 Mbps | 850 Mbps | 950 Mbps | 1100 Mbps
TLS/SSL DPI Throughput | 650 Mbps | 750 Mbps | 850 Mbps | 950 Mbps
VPN Throughput | 500 Mbps | 550 Mbps | 600 Mbps | 650 Mbps
Connections per second | 1,800 | 5,000 | 8,000 | 10,000
Maximum connections (SPI) | 2,500 | 6,250 | 12,500 | 25,000
Maximum connections (DPI) | [illegible]
TLS/SSL DPI Connections | [illegible]

VPN | NSv 10 | NSv 25 | NSv 50 | NSv 100
Site-to-Site VPN Tunnels | 10 | 10 | 25 | 50
IPSec VPN clients | 10 | 10 | 25 | 25
SSL VPN NetExtender Clients | [illegible]
Encryption/Authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B, Common Access Card (CAC)
Key exchange | Diffie Hellman Groups 1, 2, 5, 14v
Route-based VPN | RIP, OSPF, BGP

NETWORKING | NSv 10 | NSv 25 | NSv 50 | NSv 100
IP address assignment | Static, DHCP, internal DHCP server, DHCP relay
NAT modes | 1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT
Max VLAN | 25 | 25 | 50 | 50
Routing protocols | BGP, OSPF, RIPv1/v2, static routes, policy-based routing
QoS | Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1p
Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix
VoIP | SIP
Standards | TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, L2TP, PPTP, RADIUS
Max SD-WAN groups | 12 | 12 | 18 | 32
Max SD-WAN members per product | 24 | 24 | 36 | 64

NSv Series system specifications (continued)

FIREWALL GENERAL | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600
Operating system | SonicOS¹ (all models)
Supported Hypervisors | VMware ESXi v5.5 / v6.0 / v6.5 / v6.7, Microsoft Hyper-V (all models)
Supported Public Cloud Platforms (Instance Type) | AWS (c5.large), Azure (Std D2 v2) | N/A | AWS (c5.xlarge), Azure (Std D3 v2) | AWS (c5.2xlarge), Azure (Std D4 v2) | AWS (c5.4xlarge), Azure (Std D5 v2)
Licensing | BYOL, PAYG² (all models)
Max Supported vCPUs | [illegible]
Interface Count (ESXi/Hyper-V/AWS/Azure) | [illegible]
Max Mgmt/DataPlane Cores | [illegible] | 1/2 | 1/3 | 1/7 | 1/15
Min Memory³ | 6 GB | 6 GB | 8 GB | 10 GB | 12 GB
Max Memory⁴ | 6 GB | 8 GB | 10 GB | 14 GB | 18 GB
Supported IP/Nodes | [illegible]
SSO users | 5,000 / 10,000 / 15,000 / 20,000 (one value illegible; column alignment lost in source)
Minimum Storage | 60 GB (all models)
Logging | Analyzer, Local Log, Syslog
High availability | Active/Passive⁵

FIREWALL/VPN PERFORMANCE⁶ | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600
Firewall Inspection Throughput | 4.1 Gbps | 5.9 Gbps | 7.8 Gbps | 13.9 Gbps | 17.2 Gbps
Full DPI Throughput (GAV/GAS/IPS) | 900 Mbps | 1.6 Gbps | 2.2 Gbps | 4.0 Gbps | 6.4 Gbps
Application Inspection Throughput | 2.3 Gbps | 3.4 Gbps | 4.1 Gbps | 5.5 Gbps | 6.4 Gbps
IPS Throughput | 2.3 Gbps | 3.4 Gbps | 4.1 Gbps | 5.5 Gbps | 6.7 Gbps
Anti-Malware Inspection Throughput | 900 Mbps | 1.6 Gbps | 2.2 Gbps | 4.0 Gbps | 6.6 Gbps
IMIX Throughput | 1.5 Gbps | 2.3 Gbps | 2.8 Gbps | 4.2 Gbps | 5.3 Gbps
TLS/SSL DPI Throughput | 1.1 Gbps | 1.2 Gbps | 1.8 Gbps | 3.4 Gbps | 5.1 Gbps
VPN Throughput | 750 Mbps | 1.4 Gbps | 1.9 Gbps | 4.2 Gbps | 8.4 Gbps
Connections per second | 13,760 | 24,360 | 37,270 | 75,640 | 125,000
Maximum connections (SPI) | 225,000 | 1M | 1.5M | 3M | 4M
Maximum connections (DPI) | [illegible]
TLS/SSL DPI Connections | [illegible]

VPN | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600
Site-to-Site VPN Tunnels | [illegible]
IPSec VPN clients (Maximum) | [illegible]
SSL VPN NetExtender Clients | 2 (100) | 2 (100) | 2 (100) | 2 (100) | 2 (100)
Encryption/Authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B, Common Access Card (CAC)
Key exchange | Diffie Hellman Groups 1, 2, 5, 14v
Route-based VPN | RIP, OSPF, BGP

NETWORKING | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600
IP address assignment | Static, DHCP, internal DHCP server, DHCP relay
NAT modes | 1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT
Max VLAN⁷ | 128 | 128 | 128 | 128 | 128
Routing protocols | BGP, OSPF, RIPv1/v2, static routes, policy-based routing
QoS | Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1p
Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix
VoIP | SIP
Standards | TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, L2TP, PPTP, RADIUS
Max SD-WAN groups | 38 | 38 | 70 | 102 | 102
Max SD-WAN members per product | 76 | 76 | 140 | 204 | 204

¹ Currently supporting SonicOS 6.5.4 on ESXi. Support of SonicOS 6.5.4 on Hyper-V, Azure and AWS will be available August 2019.
² PAYG is currently available only on AWS.
³ Memory with Jumbo frame disabled.
⁴ Memory with Jumbo frame enabled. Additional memory is required for Jumbo frames. Jumbo frames are not supported on Azure and AWS.
⁵ High availability is available on the VMware ESXi and Microsoft Hyper-V platforms; HA is not supported on Azure and AWS.
⁶ Published performance numbers are up to the specification and the actual performance may vary depending on underlying hardware, network conditions, firewall configuration and activated services. Performance and capacities may also vary based on underlying virtualization infrastructure, and we recommend additional testing within your environment to ensure your performance and capacity requirements are met. Performance metrics were observed using an Intel Xeon W Processor (W-2195 2.3GHz, 4.3GHz Turbo, 24.75M Cache) running SonicOSv 6.5.0.2 with VMware vSphere 6.5.
⁷ VLAN interfaces are not supported on Azure and AWS.

Testing Methodologies: Maximum performance based on RFC 2544 (for firewall). Full DPI/Gateway AV/Anti-Spyware/IPS throughput measured using industry standard Spirent WebAvalanche HTTP performance test and Ixia test tools. Testing done with multiple flows through multiple port pairs. VPN throughput measured using UDP traffic at 1418 byte packet size adhering to RFC 2544. All specifications and features are subject to change.

Features

RFDPI ENGINE

Feature | Description
Reassembly-Free Deep Packet Inspection (RFDPI) | This high-performance, proprietary and patented inspection engine performs stream-based, bi-directional traffic analysis, without proxying or buffering, to uncover intrusion attempts and malware and to identify application traffic regardless of port.
Bi-directional inspection | Scans for threats in both inbound and outbound traffic simultaneously to ensure that the network is not used to distribute malware and does not become a launch platform for attacks in case an infected machine is brought inside.
Stream-based inspection | Proxy-less and non-buffering inspection technology provides ultra-low latency performance for DPI of millions of simultaneous network streams without introducing file and stream size limitations, and can be applied on common protocols as well as raw TCP streams.
Highly parallel and scalable | The unique design of the RFDPI engine works with the multi-core architecture to provide high DPI throughput and extremely high
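The stream-based, non-buffering inspection described above can be illustrated with a small streaming signature matcher. This is an added teaching example, not SonicWall's RFDPI code: a KMP automaton whose only per-flow state is one integer, so a signature split across TCP segments is still detected without reassembling or buffering the stream. The signature (the first 33 bytes of the benign EICAR test string) and the segment split are constructed sample data.

```python
# Added example (not SonicWall code): reassembly-free, stream-based signature
# matching with a KMP automaton; an integer state is carried across segments.
from typing import List


class StreamMatcher:
    """Matches one byte signature over a stream delivered chunk by chunk."""

    def __init__(self, signature: bytes) -> None:
        self.sig = signature
        self.fail = self._failure_table(signature)
        self.state = 0   # signature bytes matched so far: the whole per-flow state
        self.offset = 0  # absolute stream offset of the next byte to scan

    @staticmethod
    def _failure_table(sig: bytes) -> List[int]:
        # KMP failure function: fail[i] is the length of the longest proper
        # prefix of sig[:i+1] that is also a suffix of it.
        fail = [0] * len(sig)
        k = 0
        for i in range(1, len(sig)):
            while k and sig[i] != sig[k]:
                k = fail[k - 1]
            if sig[i] == sig[k]:
                k += 1
            fail[i] = k
        return fail

    def feed(self, chunk: bytes) -> List[int]:
        """Scan one segment; return absolute offsets of each match's last byte."""
        hits: List[int] = []
        for b in chunk:
            while self.state and b != self.sig[self.state]:
                self.state = self.fail[self.state - 1]
            if b == self.sig[self.state]:
                self.state += 1
            if self.state == len(self.sig):
                hits.append(self.offset)
                self.state = self.fail[self.state - 1]  # allow overlapping matches
            self.offset += 1
        return hits


def scan_stream(signature: bytes, segments: List[bytes]) -> List[int]:
    """Feed segments in order through one matcher and collect all hit offsets."""
    m = StreamMatcher(signature)
    return [hit for seg in segments for hit in m.feed(seg)]


def scan_per_segment(signature: bytes, segments: List[bytes]) -> bool:
    """Naive per-packet scan: misses any signature that straddles a boundary."""
    return any(signature in seg for seg in segments)


# Constructed sample flow: the first 33 bytes of the EICAR test string, split
# across three segments so that no single segment holds the whole signature.
SIGNATURE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"
SEGMENTS = [b"GET /dl HTTP/1.1\r\n\r\nX5O!P%@A", b"P[4\\PZX54(P^)",
            b"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"]
```

With the sample flow, scan_per_segment returns False while scan_stream reports the match ending at stream offset 52; the same matcher also catches overlapping matches such as b"aaa" across b"aa" + b"aa".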
