McAfee Next Generation Firewall – Introduction
McAfee Next Generation Firewall is in fact the product of Stonesoft, a company acquired by McAfee in 2013. At this moment the product is not yet integrated with the other McAfee products (version 5.7 is the latest one at the time of writing). This summer, version 5.8 will be released and a couple of steps will be taken on the road to the “Security Connected” concept McAfee promotes.
I had the opportunity this week to participate in a technical workshop where the main features and strengths of the McAfee Next Generation Firewall were presented to us. I want to thank Provision Software Division for the invitation to this workshop.
After installing an instance of the McAfee Next Generation Firewall in my lab environment, I could start testing and exploring the user interface.
Here is my review of this product, with some key points that I think deserve mentioning.
McAfee Next Generation Firewall – PROs
- the active-active clustering technique is patented (it’s called the “dispatch” technique) and Stonesoft was the clustering solution vendor for Check Point back in the 90’s (until 2001, when Stonesoft started building its own firewall solution); they say it’s the only true active-active firewall clustering solution on the market at this moment; the cluster limit is 16 members in active-active mode
- the cluster nodes can run different software versions, allowing a transition period in which the new version can be tested while the old version remains available if something goes wrong
- the Multilink Technology used for balancing Internet connections (for example, when you have 2 Internet Service Providers) can easily replace BGP, which would require you to have an AS number
- the standard deployment contains 2 NGFW machines (McAfee appliances or physical/virtual machines), 1 SMC (Security Management Console, installed on a Windows/Linux machine) and 1 Logger (installed on a Windows/Linux machine, which can be the same machine as the SMC)
- in a distributed deployment the SMC can be installed only at the main site and connected to all the gateways through an SSL channel over the Internet (there are special built-in NAT rules for this mode)
- it supports firewall virtualization, but the virtual instance lacks the antivirus and antispam capabilities
- the logs are sent to the main Logger, but secondary Loggers can be defined as fail-over or as backup for the main one; it also accepts syslog from other vendors’ devices
- in the Logger there is a very nice feature named “Analyze” that takes a snapshot of the logs based on a time frame and other filters (for example, all the logs for a specific destination IP) and creates a visual map of the traffic (requires Java on the management workstation); however, it is limited to 100,000 log entries, so the filters must be set very carefully
- the IPS module is integrated but can also be installed on a separate machine using the same installation DVD (or ISO file in the case of a VMware deployment); the IPS has very powerful (patented) protection against Advanced Evasion Techniques, which are used by most attacks
- a nice feature available for free in the McAfee Next Generation Firewall is a basic Load Balancer which, combined with 2 ISPs using the Multilink Technology, offers high availability for the company’s web services
- for identity awareness this product uses an agent that must be installed in the internal network with access to the Domain Controller’s security events; in the next version, integration with ePO will allow it to read extended workstation information using the McAfee Agent installed on the endpoint
McAfee Next Generation Firewall – CONs
- there is no SSL VPN module yet (it will be available for free in version 5.8, to be released this summer)
- there is no “standalone” appliance because the management is not yet integrated into the firewall itself (it will be in the 5.8 release)
A very nice tool for testing your IPS is the EVADER.
More information can be found on the McAfee website.