A Private Option for WildFire

Jun 03, 2013

Today we released the WF-500, the latest addition to our WildFire solution dedicated to detecting and blocking unknown malware and targeted cyber attacks. As many of you know, one of the core design principles of WildFire is the marriage of any and all of your next-generation firewalls with a cloud-based malware analysis environment, where new or unknown files can be executed and observed in order to determine whether they harbor malicious behaviors. The WF-500 gives customers the option to deploy a private version of the WildFire analysis environment on their own network. For reference, you can read all about WildFire and the WF-500 here.

It’s important to note that when we say “cloud” we aren't just euphemistically referring to the Internet, or to the marketing use of “The Cloud” that will swoop in to magically solve all IT problems. We are talking about actual cloud computing, and there are important reasons why this architecture is required for addressing the challenges of modern malware and threats. First and foremost, the active analysis of unknown files demands massive amounts of compute. Each file needs its own fully virtualized environment, including OS, browsers and Internet connectivity. And to protect against real attacks, we must perform this type of analysis on all unknown files from all of our network ingress points. So in short, we have a technical requirement to support many distributed points of presence, each requiring massive computing resources. This is a job that screams cloud computing, and this is what we have built with WildFire.

In a WildFire deployment, all firewalls can be linked with a WildFire cloud (either the public WildFire cloud available to all customers, or a private WildFire cloud using one or more WF-500s deployed on your network). The analysis is identical whether performed in the public or a private cloud, and in both cases all firewalls leverage a shared set of computing resources. In both cases, the single cloud provides support for the many firewalls.

This is far more efficient than the other commonly seen strategy, where malware analysis devices are deployed as yet another security helper device, with a sandbox tied to each firewall. This is not only inefficient, it also creates choke-points where the ability to protect against threats is limited by the number of files the sandbox can handle. Unlike everything else in the network stack, where solutions are sized in terms of throughput, a helper sandbox must be sized in terms of how many files could hit that ingress point.

Of course, once malware is detected we will want to do something about it, and this is where WildFire can close the loop. WildFire is linked to the next-generation firewall, which not only has true, in-line enforcement capabilities, but also has native stream-based antimalware, native IPS for controlling malware command-and-control, native URL filtering to block sites associated with the newly found malware, and native DNS-based signatures to identify the unique DNS patterns of malware. This provides enforcement points across the malware lifecycle in a device that is built for high-speed enforcement.

So just as a reminder, if you are not using WildFire today, you can always use the basic features of the WildFire public cloud for free – just enable it on your firewall. If you are interested in taking a look at the WF-500 option in your network, just let us know and we will get you set up.
