As network traffic grows and networks get more complex, security becomes ever more problematic. To address this, the WatchGuard Dimension analytics platform from WatchGuard Technologies uses Big Data visualization to make sense of enterprise network traffic and the relationships between data elements. That information can be directly correlated to create actionable tasks that enhance security. WatchGuard Dimension follows October’s release of FireWare XTM 11.8, the latest revision to the WatchGuard XTM Series firewall OS, which can work in conjunction with Dimension to create a unified security management platform that offers predictive, reactive and actionable security intelligence.
The combination of UTM (Unified Threat Management) technology with an analytical platform creates a new ideology for building secure networks. They can now be proactive against complex security threats by analyzing multiple data sets, both structured and unstructured, to deliver a comprehensive view of network activity.
I performed hands-on testing of a pair of WatchGuard XTM Series firewalls at WatchGuard’s Seattle testing lab, where I also put WatchGuard Dimension through its paces using data generated by the firewalls under test and data sourced from other WatchGuard firewalls in use at the company. Extensive data sets and high-speed traffic mimicking real-world activity proved ideal for testing the platform. Under analysis, the results were eye-opening.
A closer look at WatchGuard Dimension
WatchGuard Dimension can be deployed as a cloud service to facilitate the need to gather and store large amounts of log data from multiple sources. The implementation I tested used Amazon’s AWS to host the combined services WatchGuard Dimension offers, providing me access to the full functionality of the product via nearly any web browser.
I found the product to be a fascinating security tool. As far as I am aware, it takes a completely new approach to analyzing network traffic. Simply put, WatchGuard Dimension does for network traffic log data what Tableau does for Big Data. It transforms large amounts of data into visual representations.
For example, with WatchGuard Dimension, I was able to correlate certain traffic events from multiple sources over a period of time to identify a trend, presented as a graphical representation that can be automatically placed into a PDF based report.
Using filters and queries, based upon Boolean logic, I was quickly able to isolate the traffic flow from a remote host to a range of internal IP addresses, which WatchGuard Dimension in turn presented as a graphic table. With this, I was able to detect an attack from the remote host. The browser-based management/query console offers several options, submenus, reports and analytical processes. The test environment I used fully leveraged all of the log data from the associated WatchGuard firewalls, enabling me to perform analytics chores on any of the features offered by those firewalls, including complex queries aimed at appropriate use policies (URL Filtering Services), application usage (based upon firewall application control policies), and Data Leakage Protection (DLP) policies, along with all of the normal features firewalls include in their logged information.
WatchGuard Dimension drilldown on CryptoLocker-infected host
The browser-based management console also supports features like drilldown, pivot tables, and the ability to schedule reports for email delivery.
WatchGuard Dimension drilldown on single user
One of the most impressive analytical representations is a world map, which offers color-coded depictions of where data originates or is destined. The map can be filtered by attacks, blocked traffic, allowed traffic, packet type and so on, creating a simplified view of what traffic impacts the network and/or triggers firewall policies.
WatchGuard Dimension threat map showing blocked sites
A closer look at WatchGuard Dimension and the XTM Series
The new XTM firewalls from WatchGuard incorporate a vast array of security technologies that work in a unified fashion to create Next Generation Firewall (NGFW) services. WatchGuard has upped the game on the hardware front by eschewing proprietary hardware in favor of Intel standards-based components, creating high-performance devices unbound by the limitations of typical ASIC-based firewalls.
What’s more, the adoption of Intel-based technologies allows WatchGuard to easily offer virtual appliance versions of the firewalls for both Hyper-V and VMware environments. Not only does that eliminate the need for proprietary hardware, it also introduces the capability to install WatchGuard XTM firewall services onto hosted infrastructures.
WatchGuard takes a modular approach to the XTM series, allowing users to pick and choose what features they consider most critical for their network edge. That said, the firewall can be configured for antivirus, intrusion protection services, application control, URL filtering, anti-spam, and DLP, all combinable with traditional stateful packet inspection and port protection technologies.
The modular approach offers some other benefits. Customers only pay for what they need and have the advantage of flexible licensing, where licenses are based upon the appliance rather than total user counts. For example, when a customer buys a license for DLP, the license authorizes unlimited users on the device.
Port counts and throughput capabilities differentiate the various appliances in the XTM family. The 5 Series offers seven ports and as much as 3.5 Gbps of throughput, while the XTM 8 Series offers 14 ports and as much as 14 Gbps of throughput. At the very top of the XTM product pyramid sits the XTM 2520, which offers 35 Gbps of throughput, a dozen 10/100/1000 Ethernet ports and four 10G SFP+ ports.
Of course, WatchGuard also offers various iterations of each model series, with four different configurations available on the 5 Series, three different units under the 8 Series, and so on. The XTM product family includes nine different series of devices. WatchGuard offers special upgrade deals that allow users to move from one series to another at discounted prices.
The devices all share a common management paradigm, with three different styles of interactive management: a command line interface (CLI), a browser based GUI and WatchGuard System Manager (WSM).
The CLI proves very effective for using scripting tools to automate routine tasks across multiple appliances. For example, an administrator can build a script to apply policy changes across multiple devices, to enforce commonality requirements for multi-site security purposes. In my experience, the CLI is the quickest and easiest way to push out multiple changes across multiple devices, because it avoids all of the navigation requirements, such as menu selection, option choices and screen navigation, that normally occur with a GUI.
On the other hand, many administrators, such as those dealing with just a few devices, will be well served by the web interface, which offers a full-featured, easy-to-navigate GUI that eliminates the need to build or execute scripts.
Meanwhile, for administrators looking for the ultimate in ease of use, especially with multiple devices, WSM is a great choice. WSM is a Windows application that rolls up all of the management and configuration chores into a streamlined management program. Administrators can quickly create VPN tunnels, change configurations, update software licenses and perform other functions. What’s more, WSM offers extensive integrated help and several monitoring screens in addition to logging and reporting. For most administrators, WSM will be the management console of choice, even if they are only managing a single XTM appliance.
Pricing for the 5 Series starts at $2,295.00 for the WatchGuard XTM 515 and 1-Year Security Bundle. The 8 Series starts at $12,975 for the WatchGuard XTM 850 and 1-Year Security Bundle. The Security Bundle includes AV, IPS, Spam Blocker, App Control, RED, Webblocker, LiveSecurity and WatchGuard Dimension, with DLP available as an add-on subscription.
Photo courtesy of Shutterstock.