Thursday, September 1, 2016

SSL Inspection competitive analysis



Players in the SSL Inspection market

  1. Checkpoint
  2. A10
  3. BlueCoat
  4. ZScaler
  5. Fortinet

This document is a competitive analysis of three SSL Inspection technologies: A10, Zscaler and Checkpoint.


A10 Solution

The A10 Thunder appliances provide the ability to off-load SSL inspection.
· This solution creates a decrypted zone in which any appliance can inspect the traffic in clear text.
· There is a security risk in creating a decrypted zone inside your network. Anyone with access to the A10 devices, SPAN ports, or taps can read the clear text traffic in the decrypted zone and could potentially collect user credentials, health information, credit card numbers, etc.
· Someone capturing data from the decrypted zone created by the A10 Thunder would potentially leave no trace.



Checkpoint:
· With HTTPS inspection on the Check Point appliances, the decrypted traffic is not visible to the administrator.
· Checkpoint does not provide any ability to capture the unencrypted data on the appliance.
· The only way to off-load HTTPS inspection on a Check Point appliance would be to enable ICAP on the gateway and point it to a specific ICAP receiver.
· All ICAP options on the Check Point appliance are off by default. If an administrator modifies an ICAP setting, an audit record is generated.





Zscaler Solution

Security
· Threat intelligence - Threat Library contains ~121,000 protections.
· Application database - Has 200 applications and 90 categories.
· Application visibility - Has no P2P apps and fewer than 70 file sharing apps.


Management
· No unified management - Can manage only the security policy of users outside the organization. A separate solution, at extra cost, is required for on-premise security policy to manage internal users and traffic security.
· Administration overhead - Increases security architecture complexity, labor time and security risk by forcing security admins to manage separate policies and configurations for mobile and on-premise users.
· Lack of out-of-the-box protection - Cumbersome policy configuration with more than 15 different security policies.

Traffic Redirection
· Proxy based - Redirects users to the Zscaler cloud through a manually configured, hosted PAC file, which is not secure and can be easily bypassed.
· Port evasive - Applications that do not use proxy ports are not forwarded to Zscaler and bypass inspection.
· VPN - Has no dedicated VPN client for laptop users, forcing them to manually configure VPN on each client.
· Limited SSL decryption - SSL decryption for laptops requires dedicated proxy ports at additional cost.

Deployment
· Manual endpoint configuration - Requires manual deployment of PAC files to redirect laptop traffic to the cloud, with limited methods to enforce traffic redirection.
· Limited redundancy to cloud - Redirection to the cloud is based on fixed IP addresses or static DNS names; the solution lacks dynamic redundancy and user connectivity to multiple cloud gateways.



Checkpoint Solution

This solution utilizes Application Control, which includes SandBlast Agent, URL and VPN.

Security
· Threat intelligence - Threat Library contains 46 million searchable protections through the Check Point threat library (ThreatWiki).
· Application database - 7,000 apps and 163 categories in the Check Point Application Library (AppWiki).
· Application visibility - 350 P2P and file sharing apps in Check Point.




Note: the Zscaler solution lacks the threat intelligence that increases the ability to protect against the most advanced cyber threats.


| Criteria | Zscaler | Checkpoint | A10 |
| --- | --- | --- | --- |
| Cloud | Yes | No | No |
| Cost (HW/Services) | $$$$$ | $ | $$$ ($250K List) |
| Coverage (On Network) | Yes | Yes | Yes |
| Coverage (Off Network) | TBD (ADFS Validation/Agent Needed) | Yes - Replacement Agent | No |
| VPN Coverage | Yes (routing or agent changes needed) | Yes (routing or agent changes needed) | Yes (routing changes needed) |
| Whitelisting (By LAN ID) | Yes | Yes | TBD |
| Whitelisting (By Domain) | Yes | Yes | TBD |
| Outbound Geo Protection Whitelisting (By Domain) | Yes | No | TBD |
| FireEye (Decrypted SSL Feed) | ICAP Feed (Ugly) | ICAP | Yes (via secure tap) |
| Sandbox Like | Yes (Sandbox solution) | Yes (Agent Based) | TBD |
| SIEM Feed | Yes | Yes | Yes |
| Desktop (App Install) | Yes (requirements for Symantec AV agents) | Replace VPN Agent | No |
| Desktop (Browser Cert) | Yes | Yes | Yes |
| Support (Scale from 1 to 10) | TBD | 7 | TBD |
| Additional features | Yes (Feature rich) | Yes (Feature rich) | Yes (limited) |