Review: McAfee Enhances Next Generation Firewall - Page 2

What features make McAfee's Next Generation Firewalls (NGFWs) stand out from the competition? Find out in our review.

By Frank Ohlhorst

How the McAfee NGFW blocks AETs

Arguably the most critical capability of an NGFW is its ability to prevent malicious code from traversing the network. Advanced evasion techniques (AETs) have made that task especially challenging in recent years. AETs slip past traditional AV and anti-malware solutions by slicing and dicing malicious code so that perimeter defenses do not recognize it; the code is then reassembled at the endpoint. McAfee claims its Advanced Evasion Protection (AEP) feature prevents that from happening. My tests support that claim.

AEP works by combining raw processing power with analysis across multiple OSI layers to fully reassemble payloads before allowing them to move on to an endpoint. McAfee accomplishes this with horizontal packet assembly techniques that examine larger pieces of code at once. The vendor's competitive advantage here comes down to that code examination: competitors rely on ASIC-based processors, which use vertical segment analysis and therefore might miss the obfuscation techniques used for AETs.
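The review describes AEP as reassembling payloads before inspecting them. The following Python model, added here and not McAfee's code, shows why that matters: a marker string sliced across segments is invisible to per-segment matching but is found once the stream is reassembled. The signature, the sample request and the segment order are constructed.

```python
"""Per-segment vs. reassembled inspection of a sliced payload.

Illustrative model written for this review, not McAfee's AEP code.
The signature and the segments are constructed sample data."""
from dataclasses import dataclass

SIGNATURE = b"MARKER-PAYLOAD-42"  # constructed stand-in for a malicious pattern


@dataclass(frozen=True)
class Segment:
    seq: int      # stream offset of the first payload byte
    data: bytes


def scan_per_segment(segments, signature=SIGNATURE):
    """Inspect each segment on its own. A pattern sliced across segment
    boundaries is never seen whole, so this misses the sliced payload."""
    return any(signature in s.data for s in segments)


def reassemble(segments):
    """Rebuild the stream from out-of-order or duplicated segments.
    Overlapping bytes keep the copy from the lower-offset segment; a gap
    raises, because an inspector must never guess the missing bytes."""
    stream = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > len(stream):
            raise ValueError(f"gap before stream offset {s.seq}")
        stream.extend(s.data[len(stream) - s.seq:])
    return bytes(stream)


def scan_reassembled(segments, signature=SIGNATURE):
    """Inspect the whole payload after reassembly, as AEP is described."""
    return signature in reassemble(segments)


def slice_stream(stream, chunk):
    """Cut a byte stream into fixed-size segments tagged with their offsets."""
    return [Segment(i, stream[i:i + chunk]) for i in range(0, len(stream), chunk)]


# Constructed sample request carrying the marker, cut into 4-byte slices,
# delivered in reverse order with one slice retransmitted.
SAMPLE_STREAM = b"GET /index.html " + SIGNATURE + b" HTTP/1.0\r\n"
SAMPLE_SEGMENTS = slice_stream(SAMPLE_STREAM, 4)[::-1] + [slice_stream(SAMPLE_STREAM, 4)[3]]

if __name__ == "__main__":
    print("per-segment match:", scan_per_segment(SAMPLE_SEGMENTS))  # False
    print("reassembled match:", scan_reassembled(SAMPLE_SEGMENTS))  # True
```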

To test the product's AEP capabilities, I used an obfuscation tool known as Evader to build an APT attack and attempt to pass it on to an endpoint using AETs. The McAfee NGFW effectively blocked every scenario I concocted.

McAfee NGFW Multi-Link technology

Some of the product's other advanced capabilities leverage Multi-Link technology, which prevents single points of failure, handles load balancing, incorporates augmented VPN technologies and supports slipstream product updates. Simply put, Multi-Link is McAfee's key High Availability (HA) solution. Larger, multi-site networks will benefit from the stronger links Multi-Link provides.

McAfee NGFW Multi-Link start

Deployed using the SMC (Security Management Center), Multi-Link ties together multiple ISP connections so that they appear as a single IP path to available resources. All I needed to know was some basic IP and ISP (Net Link) information to quickly bring a Multi-Link connection live. Each Net Link supports QoS/prioritization, so a link can be assigned high or low priority, which drives the HA algorithms. The operating mode is either active/active or active/standby, which controls how traffic is routed. Load balancing can use round-trip time to determine the route, or a ratio calculation that assigns traffic based on each link's share of available bandwidth. Optionally, load balancing can be disabled, making HA the priority.
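As an added illustration (not McAfee's implementation), this Python model captures the selection choices described above: active/active versus active/standby, and load balancing by round-trip time, by bandwidth ratio, or disabled so that HA alone decides. The Net Link names, priorities, bandwidths and RTTs are constructed sample values.

```python
"""Model of Multi-Link Net Link selection as the review describes it:
active/active or active/standby, with load balancing by round-trip
time, by bandwidth ratio, or disabled (HA only). Illustrative code
written for this article, not McAfee's algorithm; link data is constructed."""
from dataclasses import dataclass


@dataclass
class NetLink:
    name: str
    priority: int          # constructed scale: lower number = higher priority
    bandwidth_mbps: float
    rtt_ms: float
    up: bool = True


def eligible(links, mode):
    """active/active: every live link; active/standby: only the live
    links sharing the best priority (standby links wait for a failure)."""
    live = [l for l in links if l.up]
    if not live:
        raise RuntimeError("all Net Links are down")
    if mode == "active/standby":
        best = min(l.priority for l in live)
        return [l for l in live if l.priority == best]
    return live


def select_link(links, mode="active/active", balancing="ratio", flow_id=0):
    """Choose the Net Link for one flow. flow_id pins a flow to a link so
    it only moves when that link fails."""
    cands = eligible(links, mode)
    if balancing == "rtt":                      # lowest round-trip time wins
        return min(cands, key=lambda l: l.rtt_ms)
    if balancing == "ratio":                    # share proportional to bandwidth
        total = sum(l.bandwidth_mbps for l in cands)
        point, cum = (flow_id % 1000) / 1000 * total, 0.0
        for l in cands:
            cum += l.bandwidth_mbps
            if point < cum:
                return l
        return cands[-1]
    return min(cands, key=lambda l: l.priority)  # balancing off: HA only


def distribution(links, mode, balancing, flows=1000):
    """Flows per link, to make the ratio and RTT policies visible."""
    counts = {}
    for f in range(flows):
        name = select_link(links, mode, balancing, f).name
        counts[name] = counts.get(name, 0) + 1
    return counts


def sample_links():
    """Constructed pair of ISP links: isp-a is faster, isp-b has lower latency."""
    return [NetLink("isp-a", 1, 100.0, 30.0), NetLink("isp-b", 2, 25.0, 10.0)]
```

Marking a link down and calling `select_link` again shows the failover the review observed: traffic moves to the remaining Net Link without any other change.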

McAfee NGFW Multi-Link Priority Active Active

Augmented VPNs on McAfee NGFWs

McAfee's Multi-Link technology also extends the capabilities of VPN connections, creating what McAfee calls an Augmented VPN (aVPN), which load balances VPN traffic across multiple connections. Thanks to the drag-and-drop capabilities of the SMC, creating an augmented VPN can take under a minute. aVPN is built into the solution and offers additional security in the form of integrated IPsec support, which fortifies encryption.

McAfee NGFW Multi-Link Augmented VPN

The nifty thing about an augmented VPN is that VPN traffic can be aggregated across multiple Net Links (using Multi-Link), creating a high-speed, low-cost VPN tunnel for either endpoint or site-to-site communications that incorporates HA without any extra effort. Testing the augmented VPN showed that interrupting any Net Link did not disrupt the VPN traffic. The NGFW simply continued to aggregate the traffic over the remaining Net Links without any noticeable impact on the endpoint transmitting information.

McAfee NGFW Aggregate VPN Link Removal

McAfee provides its own IPsec VPN client software, which fully integrates with the VPN server capabilities and keeps logs filled with pertinent information for auditing, troubleshooting and general reporting. The logging also provides ample evidence of how well the augmentation and policy enforcement work.

McAfee NGFW Multi-Link IpSec VPN Client Connection

McAfee NGFW scalability

As enterprises grow, scale becomes an important consideration. Enterprises that grow faster than expected often find themselves in a conundrum when scale comes at a very high price. McAfee addresses scalability issues by incorporating a clustering capability that is both inexpensive and easy to deploy. What’s more, the clustering also offers significant throughput and speed advantages without introducing unnecessary complications.

One of the key elements of clustering is that adding, removing, reconfiguring and updating NGFWs can take place in real time and without interrupting operations. McAfee’s ability to cluster NGFWs that are running different versions of the core software (or even different models) is a key advantage, allowing updates to take place incrementally without service interruption. Failed updates are automatically rolled back and will never take other NGFWs down, making updates, patches and other changes a safe proposition.

Setting up a cluster required little manual configuration. Most of the process takes place using the SMC management console, which offers directed advice. Since I was not using USB or Cloud Configuration options, I did have to manually enter a configuration password using the CLI located on the NGFW that was being added to the cluster. NGFWs that are members of a cluster are usually referred to as "nodes."

McAfee NGFW Cluster Node Definition

McAfee NGFW Cluster Easy to Add Node

Operationally, I was able to shut down nodes, disrupting the cluster without apparent impact on the end client. To test that, I set up a client system to watch some YouTube videos and then manually disrupted nodes on the cluster. The HA/load balancing capabilities kicked in without a hitch. Traffic on the endpoint was not interrupted in any noticeable fashion.

McAfee NGFW Cluster Disable Node Selection

What's important to recognize about the clustering capabilities of McAfee's NGFW—and the NGFW overall—is that it is very simple to deploy, easy to manage, and offers seamless operation, all key considerations for environments where availability is extremely important and endpoints should never experience disruption, such as retail, sales, financial and analytical environments.


This article was originally published on Aug 13, 2014