Reignite your firewall

You don’t have to think back too far to remember a time when firewalls were all about speeds and feeds, and not much else. Over the past few years, however, we’ve seen a shift from the firewall leading a lonely, isolated existence, to a new conversation about the firewall as an integrated component of your greater IT security strategy. A firewall that’s able to communicate as part of a larger IT security ecosystem is much more effective, providing a whole new level of security, responsiveness and insight.

That doesn’t mean the race for the fastest firewall has gone away, but measures like “gigabits per second” now need to work as part of the protection, performance and price mix.

How to compare firewalls

No two network environments are the same and testing methodologies among vendors can vary wildly, making it fruitless to compare firewalls based on published datasheet numbers alone. In any case, just comparing datasheets completely ignores security effectiveness – which these days is a critically important metric.

That’s why third-party testing labs are so valuable. When done correctly and fairly, independent tests bring all vendors to a common denominator and highlight what really matters: the price-performance ratio.

Check out the recent NSS Labs Next-Gen Firewall tests to see how firewalls from the top vendors stack up when put to the test:

NSS Labs Group Firewall Security Value Map

Modernizing the Beast

IT departments often struggle to find time to upgrade their outdated firewalls due to budget and resource constraints. From our conversations with customers and partners, it appears that more organizations than you’d think have a beast – an older firewall – in the datacenter, which nobody dares to touch as it cost a small fortune to buy and get set up. It may be doing its job – but that’s the job a firewall was expected to do ten years ago. As a result, these firewalls typically lack the extras that their modern counterparts can offer.

For example, a lot of old firewalls can’t block unknown threats, automatically respond to incidents or reveal hidden risks on the network.

The old beast of a firewall in that rack of yours probably doesn’t offer contemporary security features such as sandboxing or other forms of more advanced threat detection, response and mitigation. In contrast, an intelligently-deployed modern firewall can protect proactively against modern ransomware attacks like the recent WannaCry and Petya outbreaks.


Firewalls today provide more effective mechanisms to respond to and isolate threats by working with the rest of your IT ecosystem. By communicating and sharing information, they provide better protection and insight through added intelligence – something you could call Synchronized Security. (In fact, that’s exactly what we do call it!).

What you can do

Ideally, you’d replace your old firewall with the latest and greatest sort of firewall that can adapt, grow and respond not only to your changing needs but also the shifting IT security landscape.

But if you’re one of those organizations with an old beast of a firewall, you could consider adding a more adaptable firewall in-line instead. In one simple and risk-free move, you could greatly enhance your network security without disturbing the beast.

Deploying XG Firewall in-line with your existing firewall is easy and risk free.

Our new XG and SG Series 1U and 2U rackmount appliances are the perfect fit whether you’re replacing or augmenting your existing firewall. They strengthen our price-performance ratio even further by providing the latest high-performance technology at the same attractive price point. They also offer:

  • A modular system for connectivity with a wide variety of flexi port modules
  • Easy deployment in-line with two fail-safe bypass ports on-board every 1U appliance and an optional bypass flexi port module for all 1U and 2U XG models
  • Optional Power-over-Ethernet (PoE) equipped flexi port modules to power your wireless access points
  • Enhanced redundancy features, even on entry-level 1U appliances

Both the XG Series and the SG Series have the same hardware specifications; it’s what’s pre-installed on the inside that makes them different – you can choose either our XG Firewall (SFOS) or Sophos UTM as your software platform. Both can be enhanced with Sandstorm sandboxing technology without the need for additional hardware.

Download the full details on our hardware appliances for XG Firewall or for SG UTM.

For automated incident response and real-time insight and control, you can also add Sophos Synchronized Security to your XG Firewall, giving you the Sophos Central Endpoint or Intercept X solutions, too.

To find out more about this and other innovative ways to get the full potential out of your Sophos XG or SG Series firewall appliance, speak to your local Sophos Partner or Sales Team today.


Bitcoin may help hackers monetize their business: McAfee CEO …

The anonymous nature of cryptocurrencies like Bitcoin may be helping online hackers to monetize their approach, making it imperative for companies to evolve their cybersecurity policies, said McAfee CEO Chris Young.

“It’s an evolving, emerging technology, and it’s an emerging approach to currency,” Young said to FOX Business Network’s Maria Bartiromo of Mornings with Maria. “It’s not the currency’s fault, necessarily that it’s being used for these purposes.”

Instead of stealing information and selling it on the black market, hackers are now taking the information back to the companies and threatening to expose or release it unless they pay a ransom fee. That type of attack is playing out right now with HBO and Game of Thrones, he said.

In order to protect themselves, Young suggested that all companies need to make cybersecurity an employee-wide issue, and added that some companies have gone as far as to send out fake phishing emails to see whether any employee falls for the trick.

“A lot of companies are doing that these days,” he said. “It’s a teachable moment.”

Young also addressed what type of response technology companies should have to terrorist attacks, including the one in Barcelona on Thursday that left at least 14 people dead and 130 injured.

“I think the industry should be sharing information, that’s one of the most important things we can do, whether we’re security companies or larger content companies like Google,” he said. “Sharing information, working together so that we can more quickly respond to these attacks is really important.”


Trend Micro discovers ‘indefensible’ car security/CAN standard flaw

Trend Micro claims to have discovered a hack that is not only able to drastically affect the performance and function of the car, but is also stealthy and vendor neutral.

Discovered by researchers at Politecnico di Milano, Linklayer Labs and Trend Micro’s Forward-looking Threat Research (FTR) team, the hack is said to be currently indefensible by modern car security technology, and completely resolving it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made. Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (over-the-air) upgrade.

The researchers say it abuses the Controller Area Network (CAN) protocol, the standard for the network that connects all in-vehicle equipment, including parking sensors, airbags, active safety systems and infotainment systems, and allows them to communicate.

Trend Micro’s online blog says, “It’s not the car manufacturers’ fault, and it’s not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works. Car manufacturers can only mitigate the attack we demonstrated by adopting specific network countermeasures, but cannot eliminate it entirely. To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles.”

David Barzilai, co-founder and chairman of automotive cyber-security firm Karamba Security, agrees with Trend Micro that the CAN protocol can be abused, causing it to disable devices on a CAN network, and that IDS systems will not be able to help against such an attack.

However, he says, “In order to remotely launch Denial of Service (DoS) CAN attacks, a hacker must compromise an externally-connected electronic control unit (ECU) and interfere with its factory settings. Such interference enables the hackers to start sending CAN messages that generate errors leading to a device DoS.

“Instead of changing the legacy CAN protocol in all cars that use it (practically all vehicles), the industry should harden the externally-connected ECUs according to their factory settings, to prevent any unauthorised change to the ECU. Blocking such changes enables the industry to prevent cyber-attacks, including the DoS attack that Trend Micro reported on.”
