
WatchGuard Application Control
vs. SonicWall, Fortinet, Juniper, Cisco and Palo Alto

At A Glance

SonicWall: Poor ease of use.
Fortinet: Fewer applications than WatchGuard. Reporting is an add-on extra.
Juniper: Not released yet. It will only be available for their most expensive enterprise-level appliances.
Cisco: No application management features on their firewall products.
Palo Alto: Application management is a specialty, but only competes in enterprise space.

APPLICATION CONTROL COMPETITIVE MESSAGING

SONICWALL

Feature Name: Application Intelligence
Overall: Difficult to configure; policy relationships are confusing

Negatives:
- No Search – SonicWall application intelligence service is missing this most basic user interface function. It is very difficult and time-consuming to find the application that you are looking for.
- No Multiple Select of Applications – While you can make a change to a high level application that will affect all the signatures for that application, you cannot make changes to multiple granular signatures at one time; you have to change each signature individually.
- Application Policies are not Clearly Tied to Normal Firewall Policies – It is not clear in the UI how the global application policy interacts with the normal firewall policies. There is not one common table of all firewall policies. In the WatchGuard UI, the application control policy is DIRECTLY attached to firewall policies, so it is easy to see how they interact.
- Many Menus and Clicks to Make a Per Policy App Control Rule – In order to create per policy application control rules, you need to go to multiple menus, and create multiple objects and policies. You have to go to the Match Object menu to create an application object to match, then go to the App Rules menu to create a policy for that match object, and potentially even the Action Objects menu to create an action for a match. Confused yet? You are still not finished. You still need to go to the Access Rules menu to create a port-based policy to allow traffic in the first place. All these are separate menus, with many separate settings you have to configure. WatchGuard includes the application control policy DIRECTLY within the Firewall port policy rule – so you actually add your application policy as you add a typical firewall policy.
- Wikipedia Entries for Application Control Descriptions – MANY applications do not have Wikipedia entries, thus MANY of SonicWall’s signatures have NO description.
- Many Duplicate Signatures – In the signature view, there is no explanation of the difference between closely related signatures. What is the difference between Facebook Browsing Activity -1, -2, and -3? (SonicWall Screen Shot 2)

SonicWall Screen Shot 1 – Application rules are not integrated into main Firewall policy table
SonicWall Screen Shot 2 – Duplicate signatures are confusing

Watch out for:
- Bandwidth control per application – Setting bandwidth controls at the application level is one area that has been implemented well in the SonicWall UI.
- Integrated real-time reporting – Slick integrated charts look good in a SonicWall demo, but WatchGuard provides most of this information in available reports.

WatchGuard will continue to develop Application Control capabilities in 2011, adding more features including bandwidth control at the application level, and more sophisticated real-time reporting capabilities.

WatchGuard Technologies. For Internal Use Only. 2011

FORTINET

Feature Name: Application Control
Overall: Cumbersome UI; fewer applications than WatchGuard

Negatives:
- Confusing “Filter” Paradigm Instead of Simple Search – Finding an application requires navigating a filter dialog box with multiple options. It’s more like writing a SQL query for programmers than an easy-to-follow UI with “equals”, “contains,” etc. (Fortinet Screen Shot 1)
- No Multiple Select and Configure for Signatures – You have to add rules either by category, or individually – one by one; you cannot shift-select a group of signatures and configure them all at once as you can with WatchGuard. (Fortinet Screen Shot 2)
- App Coverage – Fortinet has 1,450 signatures. WatchGuard has over 2,800 signatures for 1,800 applications and responds in days to new requests. WatchGuard provides extensive coverage of regional-specific applications. Check if Fortinet really covers the applications that your customers care about.

Fortinet Screen Shot 1: Could the search UI be more confusing?

Fortinet Screen Shot 2: Applications are poorly organized in long lists

Watch out for:
- Fortinet claims that WatchGuard Application Control has not been released yet – Not true!
- Fortinet claims that WatchGuard Application Control is not available on all models. Application Control is not available on Firebox e-Series appliances, which have already reached End of Sale status. Application Control is available for every WatchGuard XTM appliance.

JUNIPER

Overall: Not available yet (as of Feb 2011). Will only be available for their most expensive boxes.

Details:
- Juniper has pre-announced a new application service for high end models, which will be included in their IPS. Their datasheet says that it will not ship until 1H2011, and it is only available for SRX 3400, SRX 3600, SRX 5400, and SRX 5800. Most of these models are higher end, above the range that competes with WGRD models. SRX 3600, for example, is 28,000 for the base system.

CISCO

Overall: They don’t have anything like Application Control!

Details:
- No Application Identification or Control capabilities in UTM competitive devices (ASAs). Cisco has some application identification function in the IronPort Web Gateway product.

PALO ALTO

Overall: Palo Alto is an application specialist with very expensive hardware.

Details:
- WatchGuard provides support for more applications: 1,800 vs. Palo Alto’s 1,100
- Palo Alto does not have reputation services for security – WatchGuard has Reputation Enabled Defense
- Palo Alto does not have anti-spam capabilities – WatchGuard has spamBlocker
- Palo Alto does not support Active/Active High Availability configurations
- Palo Alto does not have any low end or table top appliances, and its appliances are 3 to 6 times more expensive than corresponding WatchGuard appliances

Refer to the Palo Alto-specific battlecard for a detailed comparison of models, features, and prices.

WATCHGUARD

Overall: Comprehensive application coverage in easy-to-use UI

Details:
- Over 1,800 applications, using 2,500 signatures
- Easy-to-control granular application behavior
- More than pattern matching, sophisticated behavioral techniques are used to identify apps
- All application policies are clearly applied in the same firewall policy table as all other firewall policies

WatchGuard Screen Shot 1: Intuitive, easy-to-use search and category drop-downs
WatchGuard Screen Shot 2: Many applications expose granular sub-functions

WatchGuard Screen Shot 3: Application Control actions are laid out in the firewall policy table