Players in the SSL Inspection
- Checkpoint
- A10
- BlueCoat
- ZScaler
- Fortinet
This
document is a competitive analysis of 3 SSL Inspection technologies: A10,
Zscaler and Checkpoint.
A10 Solution
The A10
Thunder appliances provide the ability to off-load SSL inspection.
·
This
solution creates decrypted zone for any appliance to inspect traffic in the
clear text.
·
There is a
security risk when creating a decrypted zone inside your network. The clear
text traffic in the decrypted zone can be accessed by anyone with access to the
A10 devices, span ports, or taps could potentially collect user credentials,
health information, credit card numbers, etc.
·
If someone
captures data from the decrypted zone created by the A10 Thunder potentially
wouldn’t leave a trace.
Checkpoint:
·
HTTPS
inspection on the Check Point appliances, the decrypted traffic is not visible
to the administrator.
·
Checkpoint does
not provide any ability to capture the unencrypted data on the appliance.
·
The only way
to off-load the HTTPS inspection on Check Point appliance would be to enable
ICAP on the gateway and point to a specific ICAP receiver.
·
All ICAP
options on the Check Point appliance are off by default. If any administrator
modifies ICAP setting an audit record is generated.
Zscalers Solution
Security
·
Threat intelligence - Threat Library contains ~121,000 protections.
·
Application database - Has 200 applications and 90 categories
·
Application visibility – Has no P2P apps and less than 70
file sharing apps
Management
·
No unified management – Can manage only security policy of users outside of the
organization. A separate solution is required for on premise-security policy to
manage internal users and traffic security at an extra cost
·
Administration overhead – Increase security architecture complexity, labor time and
security risks by forcing security admins to manage separate policies and
configurations for mobile and on-premise users
·
Lack of out-of-the-box protection - Cumbersome policy configuration
with more than 15 different security policies
Traffic
Redirection
·
Proxy based – Redirect users to their cloud through a manually configured hosted
PAC file which is not secure and can be easily bypassed
·
Port evasive – Applications which do not use proxy ports will not be forwarded
to Zscaler and will be bypassed
·
VPN – Has no
dedicated VPN client for laptops users, forcing them to manually configure VPN
on each client
·
Limited SSL decryption - SSL decryption for laptops requires dedicated proxy ports at
additional costs
Deployment
·
Manual endpoint configuration – Requires
to manually deploy PAC files to redirect laptop traffic to the cloud with
limited methods to enforce traffic redirection
·
Limited redundancy to cloud – redirection to the cloud is based on fixed
IP addresses or static DNS names. Solution lacks dynamic redundancy and user
connectivity to multiple cloud gateways
Checkpoint Solution
This
solution utilizes Application control which includes SandBlast Agent, URL and
VPN.
Security
·
Threat intelligence Library contains 46 million searchable protections
through Check Point Threat library (ThreatWiki).
·
Application database 7,000 apps and 163 categories in
Check Point Application Library (AppWiki).
·
Application visibility - 350 P2P and file sharing apps in
Check Point
Note: Zscaler solution lacks threat intelligence which increase
the ability to protect against the most advanced cyber threats
Criteria |
Zscaler |
Checkpoint |
A10 |
Cloud |
Yes |
No |
No |
Cost -
(HW/Services) |
$$$$$ |
$ |
$$$ ($250K List) |
Coverage (On
Network) |
Yes |
Yes |
Yes |
Coverage (Off
Network) |
TBD
(ADFS Validation/Agent Needed) |
Yes
- Replacement Agent |
No |
VPN
Coverage |
Yes
(routing or agent changes needed |
Yes
(routing or agent changes needed |
Yes (routing changes needed) |
Whitelisting
(By LAN ID) |
Yes |
Yes |
TBD |
Whitelisting
(By Domain) |
Yes |
Yes |
TBD |
Outbound Geo Protection Whitelisting (By Domain) |
Yes |
No |
TBD |
FireEye
(Decrypted SSL Feed) |
ICAP Feed (Ugly) |
ICAP |
Yes (via secure tap) |
Sandbox Like |
Yes
(Sandbox solution) |
Yes (Agent Based) |
TBD |
SIEM Feed |
Yes |
Yes |
Yes |
Desktop (App
Install) |
Yes
(requirements for Symantec AV agents) |
Replace VPN Agent |
No |
Desktop
(Browser Cert) |
Yes |
Yes |
Yes |
Support (Scale
from 1 to 10) |
TBD |
7 |
TBD |
Additional
features |
Yes (Feature rich) |
Yes (Feature rich) |
Yes (limited) |