Secured Connectivity Release 6.1.0 Barracuda NG Firewall Secured Connectivity Release 6.1.0 Corporate Firewall Criteria v4.2 The first Microsoft Azure Certified security solution provider Reader‘s Choice Awards Best Security Hardware Vendor 2014 Silver Winner

Transportation Financial Retail Manufacturing Industry Broadcasting Government NGO Healthcare Legal Security Food Reference Customers We are not focusing on a single business – everywhere when it comes to multiple remote sites

Operations Deployment Security Connectivity Central Management & Lifecycle Granular Admin Concept Revision Control Troubleshooting GTI & Live Status Cost Control Reporting Scalable Deployment Disaster Recovery Multi-Tentancy Hardware Virtual Cloud Operations Deployment Security Connectivity VPN IPS/IDS Stateful Firewall SSL Interception User Awareness AV / ATD / Web Filter Application Detection VPN Multiple ISP Traffic Intelligence Wan Optimization Traffic Shaping / QoS Virtual WAN Balancing Application-Based Link Selection

Full NG featureset Full NG featureset: - Traditional Stateful Firewall (DoS, DDoS, Anti-Spoofing, Port Scan etc) - Geo IP (Source & Destination) - Inline Malware scanning (for HTTP/HTTPS) - Inline URL filtering - SSL Interception (Full & Light) - QoS - Customizable Block Page & Continue - Inline SaveSearch & YouTube for Schools

App Detection - Protect the Business Control and throttle acceptable traffic Preserve bandwidth and speed-up business critical applications Example of an Application ruleset: 1) Block unwanted traffic like „P2P“ 2) Allow „Facebook“ and „Twitter“ on Lunch Breack but block all other „Social“ content based on URL category. 3) Everything goes for „MGMT“ users 4) Lower priority for „Updates“ for everyone 5) Give business critical application highes priority but the application must use HTTP/HTTPS

User Awareness Transparent Authentication via DS Agent TS Agent for MS and Citrix Terminal Server Non transparent authentication provides via Portal login like - MSAD, LDAP, TACACS, LOCAL DB etc…

Advanced Threat Detection Prevent malicious files – even unknown ones – from entering the organization and avoid network breaches. Identify zero-day malware exploits, targeted attacks, advanced persistent threats and other advanced malware which routinely bypass traditional signature based IPS and anti-virus engines. Granular Control over PDFs, EXEs/MSIs/DLLs, Android APKs, Microsoft Office files, and compressed files and archives Full interoperability with the integrated SSL Inspection files can be extracted and checked in order to detect advanced malware in the encrypted stream Cloud-based emulation allows resource intensive file emulation to be offloaded to the Barracuda Cloud Learning local cryptographic hash database for emulation optimization Multiple and simultaneous OS environments for emulated files Automatic email notifications in case malware activity is identified can help minimize the time for reaction of the administrator in order to mitigate the network breach Available for hardware and virtual appliances as well as for Microsoft Azure and the Amazon AWS Cloud to fit your IT strategy as you standardize across hypervisors for network security and securely leverage public cloud infrastructures.

Advanced Threat Detection Sharing ATD signatures and hashes with the Barracuda Cloud

Application-Based Provider Selection IPS selection based on applications, application category and/or URLfilter category

Adaptive WAN Virtualization xDSL xDSL MPLS MPLS

Adaptive WAN Virtualization xDSL xDSL Surfing: 50% Class2 Email: 50% Class1 MPLS MPLS VoIP 50%: NoDelay Business 50%: Class1

Adaptive WAN Virtualization xDSL xDSL MPLS VoIP: 70% NoDelay Business: 70% Class1 Email: 20% Class2 Surfing: 10% Class3 MPLS

Adaptive WAN Virtualization No surfing xDSL xDSL MPLS MPLS 3G VoIP: 90% NoDelay Business: 90% Class1 Email: 10% Class2 No surfing 3G Only important applications

Adaptive WAN Virtualization xDSL xDSL MPLS VoIP: 70% NoDelay Business: 70% Class1 Email: 20% Class2 Surfing: 10% Class3 MPLS 3G 3G

Adaptive WAN Virtualization xDSL xDSL Surfing: 50% Class2 Email: 50% Class1 MPLS MPLS VoIP 50%: NoDelay Business 50%: Class1 3G 3G

Up to 24 Transports for one Tunnel Virtual WAN Balancing Up to 24 Transports for one Tunnel Session Balancing Packet Balancing Paket balancing has only really a benefit if you have same up/down stream for ISPs and the same latency.

Virtual WAN Acceleration De-Duplication & Data Caching Multiple Transport modes (Encapsulation) Compression (Stream/Packet) Application Acceleration De-Duplication Compression Application Accel. Caching TCP encapsulation De-Duplication Compression UDP encapsulation Transport mode, compression, application acceleration, de-duplication can be set independently for each transport. Various setup are possible to fulfill the needs. HYBRID encapsulation

Dynamic Meshed VPN Classic Hub & Spoke setup

Dynamic Meshed VPN Hub detects traffic between branches Hub (HQ) detects traffic between branches e.g. VoIP

Dynamic Meshed VPN Hub triggers automatic configuration update Hub (HQ) will update automatically Branches which communicate to each other directly

Dynamic Meshed VPN Branches create temporary tunnel Branches create a temporary tunnel - Tunnel is displayed on hub - Hub-branch tunnels stay active (for other connections and for failover)

Effective Operations VPN is hard to setup, to maintain, to troubleshoot? Easiest and fastest way to create VPN tunnels in the market. Even more faster with Fully-meshed VPN.

Hardware Deployment

Virtual Deployment

Cloud Deployment

Rollout Process = Disaster Recovery Ist „CEO“ proof… Take a USB jumpdrive, put the configuration file (box.par) and the ISO image on. Plug it into the NG, reboot and wait until a „beep“ occurs, plug off the jumpdrive and reboot – DONE.

Management & Control

Barracuda NG Control Center For efficient and flexible management, Barracuda offers five different control centers. C400 (hardware appliance) and VC400 (virtual appliance fof VMware, KVM, XenCitrix) Unlimited firewalls (recommended 20) 1 tenant (one range, one cluster) Multiadmin support Role-based administration Revision control system Central statistics Central syslog (host/relay) Firewall audit collector/viewer NG access monitor C610 (hardware appliance) and VC610 (virtual appliance fof VMware, KVM, XenCitrix) The above plus: Unlimited firewall (recommend 200 hardware-based; unlimited, but depending on hardware for virtual appliance) Multitenancy on cluster-base Barracuda NG Earth PKI Service VC820 Unlimited firewall (depending on hardware for virtual appliance) Multitenancy on range-base (5 tenants included; more available for purchase) High Availability license included

Live Status Polling Live Status polling Multi-tenancy configuration and managed topology Easy roll-out, maintenance and disaster recovery Repository links & object database Granular administration concept Centralized lifecyle management Graphical VPN tunnel editor (drag‘n‘drop)

Hirarchical Multi-Tenancy Concept “The control of a large force is the same principle as the control of a few men: It is merely a question of dividing up their numbers.” *Sun Tzu – The Art of War The CC configuration is a hierarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level

Hirarchical Multi-Tenancy Concept Global Range Europe The CC configuration is a hirarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level

Hirarchical Multi-Tenancy Concept Global Range Europe Cluster Austria The CC configuration is a hirarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level

Hirarchical Multi-Tenancy Concept Global Range Europe Cluster Austria Box Vienna The CC configuration is a hirarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level

Hirarchical Multi-Tenancy Concept Global Range Europe Cluster Austria Box Vienna The CC configuration is a hirarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level Admin access to single gateway

Hirarchical Multi-Tenancy Concept Global Range Europe Cluster Austria Admin access to country Box Vienna The CC configuration is a hirarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level

Hirarchical Multi-Tenancy Concept Global Range Europe Admin access to continent Cluster Austria Box Vienna The CC configuration is a hirarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level

Hirarchical Multi-Tenancy Concept Global Range Europe Admin access to global enviroment Cluster Austria Box Vienna The CC configuration is a hirarchical tree. - Splitted up into Ranges - Every Range as Clusters - Every Cluster has Boxes (the actual NG firewall gateway) - The admin scope can be set on „box“, „cluster“ or „range“ level

Granular Configuration Levels Global Asia Europe R2 / W2 Admin A: R/W=50, Austria only Admin B: R/W=20, Europe only R99 / W80 R99 / W10 Italy Austria R99 / W10 R99 / W60 Graz Vienna Read Level R W Write Level R80 / W50 The administration concept is evenmore powerful by using „Configuration Levels“. Every node has its own „read“ and „write“ level. As lower the number as higher the permissions. The „root“ user is „-1“. Per default all nodes have read=99 and write=2. Example: „Admin A“ has level „50“. That means he can read/write box „Vienna“ but only read cluster „Austria“. „Admin B“ has level „20“. That means he can read/write the whole cluster „Austria“ but only read the range „Europe“. R80 / W20

Revision Control System Integrated „Revision Control System“. Every change on every config node is logged in a own version. Who did changed what and when. Its possible to revert to any former version at any time.

Lifecycle Management NG Firewall HW VF SF CL Regardless which deployment 1 Installation Image… 1 Major Release Update… 1 Minor Release Update… 1 Hotfix… …. for everything! Centralized and Schedulable Distribution Installation Regardless if a NG hardware appliance, a NG virtual appliance, NG in the cloud or just the software on a 3rd party server is used. Its always the same software. So one installation image, one major update, one minor update, one hotfix for everything.

Consolidated Configuration Daily Task for 100 firewalls 10 minutes Daily Task for 100 firewalls 16 hours Daily Task for 1 firewall 10 minutes In our experience, it takes 10 minutes per day to manage a single firewall Example: Changing root password on one gateway takes 10sec. Do it on 100 gateways and will take a way longer. With NG CC and the global config node templates and global object database, you link all 100 boxes to one config file and just change the root password there and all gateways get this change.

Simple Licensing Base Hardware License [F] Virtual License [VF] Software License [SF] Maintenance Energize Update [EU] Instant Replacement [IR] Premium Support [PS] Additional Malware Protection [M] Advanced Thread Detection [A] SSLVPN/NAC [V] A very simple licensing for NG. There are only 9 licenses per gateway possible.

Troubleshooting

All you need to know with just 1-click Realtime information & manipulation „Live“ Tab(active connections) - Live session table of active connections. - Detailed information about application

All you need to know with just 1-click Historic information „History“ Tab (recent connections) Allowed traffic (allowed via rule) Blocked traffic (based on rule) Dropped traffic (based on AV, IPS or URL violation) Failed traffic (traffic which was allowed by rule but did not establish because Host or Port unreachable) Unique in the marked is also to show the SRC and DST NAT IPs in the live session table as well in the history.

All you need to know with just 1-click Application Context Application Context Trying to discover intention of an applicaton Showing Youtube video ID and jump on this video

Threat Monitor „Threat Monitor“ Tab Shows all detected threats for IPS, AV, Protocol Detection, ATD

Application Monitor and Drilldown „Monitor“ Tab (Applications only) First Image shows Monitor in general Second Image shows drilldown for „facebook“

Reporting, Alerting, Logging & Statistics

Customized Reports Create customizable Top-Reports for: Applications & Categories Sources & Destinations Geo Locations (SRC/DST) URLs & URL Categories Risk & Usage Protocols Users Schedulable and automated Reports are generated on-demand on the box directly or via „NG Report Creator“ tool for windows. Reporter create scheduled reports (once a day, week, month) and distribute it via email. Consolidated reports for more than one box are available Anonymized reports for management are available for privacy reasons.

Splunk Integration Splunk integration with own „Barracuda NG firewall app“.

Security Information & Event Management Logs (Support for Syslog, IPFIX, NetFLOW) Lancope Partnership Firewall Audit Log Eventing and Notifications SNMP (Service & Traps) Statictics