McAfee NGFW Reference Guide for Firewall/VPN Role 5.7. NGFW Engine in the Firewall/VPN Role

Size: px
Start display at page:

Download "McAfee NGFW Reference Guide for Firewall/VPN Role 5.7. NGFW Engine in the Firewall/VPN Role"

Transcription

1 McAfee NGFW Reference Guide for Firewall/VPN Role 5.7 NGFW Engine in the Firewall/VPN Role

2 Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the McAfee website: Revision: SGFRG_

3 TABLE OF CONTENTS INTRODUCTION CHAPTER 1 Using SMC Documentation How to Use This Guide Documentation Available Product Documentation Support Documentation System Requirements Supported Features Contact Information CHAPTER 2 Introduction to Firewalls The Role of the Firewall Firewall Technologies Packet Filtering Proxy Firewalls Stateful Inspection Multi-Layer Inspection Additional Firewall Features Authentication Deep Packet Inspection and Unified Threat Management Integration With External Content Inspection.. 22 Load Balancing and Traffic Management Logging and Reporting Network Address Translation (NAT) VPNs Firewall Weaknesses Complexity of Administration Single Point of Failure Worms, Viruses, and Targeted Attacks CHAPTER 3 Introduction to McAfee NGFW in the Firewall/VPN Role The McAfee NGFW Solution SMC Components Firewall/VPN Engines Main Benefits of McAfee Firewall/VPN Advanced Traffic Inspection Built-in Clustering for Load Balancing and High Availability Multi-Link Technology Built-in Inbound Traffic Management QoS and Bandwidth Management Integration with IPS and Layer 2 Firewalls Clustered Multi-Link VPNs CHAPTER 4 NGFW Deployment in the Firewall/VPN Role Deployment Overview Supported Platforms General Deployment Guidelines Positioning Firewalls External to Internal Network Boundary Internal Network Boundaries DMZ Network Boundaries INTERFACES AND ROUTING CHAPTER 5 Single Firewall Configuration Overview to Single Firewall Configuration Configuration of Single Firewalls Dynamic Firewall Interface Addresses Internal DHCP Server Security Strength of Management Connections 45 Configuration Workflow Task 1: Create Single Firewall Elements Task 2: Define Physical Interfaces Task 3: Define VLAN Interfaces Task 4: Define Tunnel Interfaces Task 5: Define an ADSL Interface Task 6: Define a Wireless Interface Task 7: Define IP Addresses Task 8: Define Loopback IP Addresses Task 9: Define Modem Interfaces Task 10: Install the Firewall Engine Task 11: Install a Firewall Policy Example of a Single Firewall Deployment Setting up a Single Firewall Adding a New Interface to an Existing Configuration Table of Contents 3

4 CHAPTER 6 Firewall Cluster Configuration Overview to Firewall Cluster Configuration Benefits of Clustering Communication Between the Nodes Hardware Security Strength of Management Connections 53 Configuration of Firewall Clusters Load Balancing Standby Operation Network Interfaces and IP Addresses Clustering Modes How Packet Dispatch Works Configuration Workflow Task 1: Create a Firewall Cluster Element Task 2: Create Physical Interfaces Task 3: Define VLAN Interfaces Task 4: Define Tunnel Interfaces Task 5: Configure Physical or VLAN Interfaces Task 6: Define Loopback IP Addresses Task 7: Install the Firewall Engines Task 8: Install a Firewall Policy Using a Firewall Cluster Internal DHCP Server Node State Synchronization Security Level for State Synchronization Manual Load Balancing Examples of Firewall Cluster Deployment Setting up a Firewall Cluster Adding a Node to a Firewall Cluster CHAPTER 7 Master Engine and Virtual Firewall Configuration Overview to Master Engine and Virtual Firewall Configuration Configuration of Master Engines and Virtual Firewalls Configuration Workflow Task 1: Create a Master Engine Element Task 2: Create Virtual Resource Element(s) Task 3: Configure Master Engine Interfaces Task 4: Create a Virtual Firewall Element Task 5: Configure Virtual Firewall Interfaces Task 6: Install a Firewall Policy Using Master Engines and Virtual Firewalls Moving a Virtual Firewall to a Different Master Engine Using Master Engines and Virtual Firewalls With Domains Example of Master Engine and Virtual Firewall Deployment Deploying Virtual Firewalls for MSSP Customers CHAPTER 8 Routing and Antispoofing Overview to Routing and Antispoofing Configuration of Routing and Antispoofing Reading the Routing and Antispoofing Trees.. 74 Multi-Link Routing Default Elements Configuration Workflow Task 1: Add Router or NetLink Task 2: Add Network(s) Task 3: Refresh Firewall Policy Using Routing and Antispoofing Policy Routing Multicast Routing Modifying Antispoofing Monitoring Routing Examples of Routing Routing Traffic with Two Interfaces Routing Internet Traffic with Multi-Link Routing Traffic to Networks That Use Same Address Space ACCESS CONTROL POLICIES CHAPTER 9 Firewall Policies Overview to Firewall Policies Policy Hierarchy How the Engine Examines Traffic Configuration of Policy Elements Default Elements Configuration Workflow Task 1: Create a Template Policy Task 2: Create a Policy Task 3: Create a Firewall Sub-Policy Task 4: Install the Policy Table of Contents

5 Using Policy Elements and Rules Validating Policies User Responses Connection Tracking vs. Connectionless Packet Inspection Policy Snapshots Continue Rules Adding Comments to Rules Naming Rules Examples of Policy Element Use Protecting Essential Communications Improving Readability and Performance Restricting Administrator Editing Rights CHAPTER 10 Access Rules Overview to Access Rules Configuration of Access Rules Considerations for Designing Access Rules Default Elements Configuration Workflow Task 1: Define the Source and Destination Task 2: Define the Service Task 3: Select the Action and Action Options Task 4: Select Logging Options Task 5: Add User Authentication Requirements Task 6: Restrict the Time When the Rule Is Enforced Task 7: Restrict the Rule Match Based on Source VPN Using Access Rules Allowing System Communications Configuring Default Settings for Several Rules 111 Using Continue Rules to Set Logging Options Using Continue Rules to Set the Protocol Using Aliases in Access Rules Creating User-Specific Access Rules Using Domain Names in Access Rules Interface Matching in Access Rules Examples of Access Rules Example of Rule Order Example of Continue Rules Example of User-Specific Rules CHAPTER 11 Inspection Policies Overview to Inspection Policies Configuration of Inspection Policies Verifying and Tuning Inspection Considerations for Designing Inspection Policies Exception Rule Cells Default Elements Configuration Workflow Task 1: Create an Inspection Policy Task 2: Activate Deep Inspection in Firewall Policies Task 3: Activate the Relevant Inspection Checks Task 4: Define the Exceptions Task 5: Eliminate False Positives Task 6: Add Custom Inspection Checks Using Inspection Policies Setting Default Options for Several Inspection Exceptions Importing Snort Rules Libraries Example of Inspection Rules Eliminating a False Positive CHAPTER 12 Network Address Translation (NAT) Overview of NAT Element-Based NAT Static Source Translation Dynamic Source Translation Static Destination Translation Destination Port Translation Configuration of NAT Considerations for Designing NAT Rules Default Elements Configuration Workflow Task 1: Define Source, Destination, and Service Task 2: Define Address Translation Task 3: Define the Firewall(s) that Apply the Rule Task 4: Check Other Configurations Using NAT and NAT Rules NAT and System Communications Example of a Situation Where a Contact Address is Needed Contact Addresses and Locations Outbound Load-Balancing NAT Table of Contents 5

6 Proxy ARP and NAT Protocols and NAT Examples of NAT Dynamic Source Address Translation Static Address Translation NAT with Hosts in the Same Network CHAPTER 13 Protocol Agents Overview to Protocol Agents Connection Handling Protocol Validation NAT in Application Data Configuration of Protocol Agents Configuration Workflow Task 1: Create a Custom Service with a Protocol Agent Task 2: Set Parameters for the Protocol Agent Task 3: Insert the Service in Access Rules Using Protocol Agents FTP Agent GRE Agent GTP Agent H323 Agent HTTP Agent HTTPS Agent MGCP Agent MSRPC Agent NetBIOS Agent Oracle Agent RTSP Agent SCCP Agent Services in Firewall Agent Shell Agent SIP Agent SMTP Agent SSH Agent SunRPC Agent TCP Proxy Agent TFTP Agent Examples of Protocol Agent Use Preventing Active Mode FTP Logging URLs Accessed by Internal Users CHAPTER 14 TLS Inspection Overview to TLS Inspection Configuration of TLS Inspection Default Elements Configuration Workflow Task 1: Create Server Credentials Elements Task 2: Create Client Protection Certificate Authority Elements Task 3: Exclude Traffic from Decryption and Inspection Task 4: Activate TLS Inspection Using TLS Inspection Security Considerations Virus Scanning of Decrypted TLS Traffic URL Filtering Decrypted TLS Traffic Examples of TLS Inspection Server Protection Client Protection CHAPTER 15 URL Filtering Overview to URL Filtering Configuration of URL Filtering Default Elements Configuration Workflow Task 1: Prepare the Firewall Task 2: Create User Response Messages Task 3: Blacklist/Whitelist Individual URLs. 165 Task 4: Configure URL Filtering Rules Examples of URL Filtering Allowing a Blocked URL CHAPTER 16 Spam Filtering Overview to Spam Filtering Configuring Spam Filtering Configuration Workflow Task 1: Define Spam Filtering for a Firewall Task 2: Select Traffic for Inspection with Access Rules Task 3: Select Traffic Not to Be Filtered Using Spam Filtering Anti-Spoofing and Anti-Relay Protection Handling Address Forgery Spam Filter Sensitivity Settings Spam Filtering Rules Table of Contents

7 DNS-Based Blackhole Lists CHAPTER 17 Virus Scanning Overview to Virus Scanning Configuration of Virus Scanning Configuration Workflow Task 1: Activate the Anti-Virus Feature for a Firewall Task 2: Select Traffic for Inspection with Access Rules Task 3: Define the Content Not to Be Scanned Using Virus Scanning Integrated Scanning vs. Content Inspection Server Limitations of Virus Scanning on Clusters CHAPTER 18 External Content Inspection Overview to Content Inspection Configuration of Content Inspection Default Elements Configuration Workflow Task 1: Create a CIS Server Element Task 2: Create a Custom Service for Content Inspection Server Redirection Task 3: Define Access Rules for Redirection Task 4: Configure NAT Rules for Content Inspection Server Redirection Using Content Inspection Example of Content Inspection Inspecting Internal User s Web Browsing and File Transfers CHAPTER 19 Situations Overview to Situations Configuration of Situations Situation Contexts Correlation Contexts Anti-Virus Contexts DoS Detection Contexts Scan Detection Contexts Protocol-Specific Contexts File Contexts System Contexts Default Elements Configuration Workflow Task 1: Create a Situation Element Task 2: Add a Context for the Situation Task 3: Associate Tags and/or Situation Types with the Situation Task 4: Associate the Situation with a Vulnerability Using Situations Example of Custom Situations Detecting the Use of Forbidden Software CHAPTER 20 Applications Overview to Applications Configuration of Applications Default Elements Configuration Workflow Task 1: Define TLS Matches Task 2: Create Access Rules Examples of Applications Blocking Application Use CHAPTER 21 Blacklisting Overview to Blacklisting Risks of Blacklisting Configuration of Blacklisting Configuration Workflow Task 1: Define Blacklisting in Access Rules Task 2: Define Exceptions in the Inspection Policy Using Blacklisting Manual Blacklisting Monitoring Blacklisting Whitelisting USERS AND AUTHENTICATION CHAPTER 22 Directory Servers Overview to Directory Servers Configuration of Directory Servers Internal User Database Authentication Server User Linking External Directory Server Integration User Agents for Active Directory Configuration Workflow Task 1: Create an LDAP Server or an Table of Contents 7

8 Active Directory Server Element Task 2: Add an LDAP Domain Task 3: Add Users and User Groups or Link Users Task 4: Install and Configure the User Agent Examples of Directory Servers Using the Internal User Database Integrating a Microsoft Active Directory Server 206 CHAPTER 23 User Authentication on the Firewall Overview to User Authentication on the Firewall 208 Configuration of User Authentication on the Firewall Default Elements Configuration Workflow Task 1: Define User Authentication in IPv4 Access Rules Task 2: Configure User Authentication Interfaces Example of User Authentication on the Firewall. 211 Authenticating VPN Client Users CHAPTER 24 External User Authentication Overview to External User Authentication Configuration of External User Authentication Directory Servers for External User Authentication RADIUS Authentication TACACS+ Authentication Authentication Methods Federated Authentication Default Elements Configuration Workflow Task 1: Define Servers Task 2: Associate Authentication Methods with Servers Task 3: Define User Authentication in IPv4 Access Rules Task 4: Configure User Authentication Interfaces Examples of External User Authentication Integrating a Microsoft Active Directory Server 220 Using SecurID Authentication with Stonesoft IPsec VPN Clients TRAFFIC MANAGEMENT CHAPTER 25 Outbound Traffic Management Overview of Outbound Traffic Management Configuration of Multi-Link Load-Balancing Methods Standby NetLinks for High Availability Link Status Probing Configuration Workflow Task 1: Create NetLink Elements Task 2: Configure Routing for NetLinks Task 3: Combine NetLinks into Outbound Multi-Link Elements Task 4: Create NAT Rules for Outbound Traffic Using Multi-Link Multi-Link with a Single Firewall Multi-Link with a Firewall Cluster Using Multiple Outbound Multi-Link Elements. 231 Examples of Multi-Link Preparing for ISP Breakdown Excluding a NetLink from Handling a QoS Class of Traffic Balancing Traffic According to Link Capacity Balancing Traffic between Internet Connections 233 CHAPTER 26 Inbound Traffic Management Overview to Server Pool Configuration Configuration of Server Pools Multi-Link for Server Pools Default Elements Configuration Workflow Task 1: Define Hosts Task 2: Combine Hosts into a Server Pool Element Task 3: Configure the External DNS Server Task 4: Create an Inbound Load- Balancing Rule Task 5: Set up Server Pool Monitoring Agents Using Server Pools Dynamic DNS (DDNS) Updates Using Server Pool Monitoring Agents Examples of Server Pools Load Balancing for Web Servers Table of Contents

9 Setting up Multi-Link and Dynamic DNS Updates CHAPTER 27 Bandwidth Management and Traffic Prioritization Overview to Bandwidth Management and Traffic Prioritization Bandwidth Management Traffic Prioritization Effects of Bandwidth Management and Prioritization Configuration of Limits, Guarantees, and Priorities for Traffic Default Elements Configuration Workflow Task 1: Define QoS Classes Task 2: Define QoS Policies Task 3: Assign QoS Classes to Traffic Task 4: Define QoS for Interfaces and VPNs Using Bandwidth Management and Traffic Prioritization Designing QoS Policies Communicating DSCP Markers Managing Bandwidth of Incoming Traffic Collecting QoS Class-Based Statistics Examples of Bandwidth Management and Traffic Prioritization Ensuring Quality of Important Communications 256 Preparing for ISP Breakdown Limiting the Total Bandwidth Required VIRTUAL PRIVATE NETWORKS CHAPTER 28 Overview to VPNs Introduction to VPNs IPsec VPNs Tunnels Security Associations (SA) Internet Key Exchange (IKE) Perfect Forward Secrecy (PFS) Authentication Header (AH) and Encapsulating Security Payload (ESP) Authentication Tunnel and Transport Modes IPsec VPN Topologies for Policy-Based VPNs CHAPTER 29 Policy-Based VPN Configuration Overview to Policy-Based VPN Configuration Configuration of Policy-Based VPNs Default Elements Configuration Workflow Task 1: Define the Gateway Settings Task 2: Define the Gateway Profile Task 3: Define the Gateways Task 4: Define the Sites Task 5: Create Certificates Task 6: Define the VPN Profile Task 7: Define the VPN Element Task 8: Modify the Firewall Policy Task 9: Configure VPN Clients and External Gateway Devices Using VPNs VPN Logging Using a Dynamic IP Address for a VPN End-Point Using a NAT Address for a VPN End-Point Supported Authentication and Encryption Methods FIPS Mode GOST-Compliant Systems Message Digest Algorithms Authentication Methods Encryption Algorithms Using Pre-Shared Key Authentication Using Certificate Authentication Validity of Certificates Internal VPN Certificate Authorities External Certificate Authorities Configuring Policy-Based VPNs with External Gateway Devices Clustering and Policy-Based VPNs Multi-Link and Policy-Based VPNs Providing Encryption for the Route-Based VPN in Tunnel Mode Examples of Policy-Based VPN Configurations. 289 Creating a Policy-Based VPN Between Three Offices Creating a Policy-Based VPN for Mobile Users 291 Creating a Policy-Based VPN That Requires NAT Table of Contents 9

10 CHAPTER 30 Route-Based VPN Configuration Overview to Route-Based VPN Configuration Configuration of the Route-Based VPN Default Elements Configuration Workflow Task 1: Define Tunnel Interfaces Task 2: Configure Routing and Antispoofing for Tunnel Interfaces Task 3: Define the Gateways Task 4: Define the VPN Profile Task 5: Define Route-Based VPN Tunnels Task 6: Add Access Rules to Allow the Traffic Task 7: Refresh Firewall Policy Using the Route-Based VPN Configuring the Route-Based VPN with External Gateway Devices Using the Route-Based VPN in Tunnel Mode Using the Route-Based VPN with Dynamic Routing Examples of Route-Based VPN Configurations Protecting Dynamic Routing Communications. 302 Configuring a Route-Based VPN with an External Gateway APPENDICES APPENDIX A Command Line Tools Security Management Center Commands NGFW Engine Commands Server Pool Monitoring Agent Commands APPENDIX B Default Communication Ports Security Management Center Ports Security Engine Ports APPENDIX C Predefined Aliases Predefined User Aliases System Aliases APPENDIX D Situation Context Parameters Correlation Context Parameters Regular Expression Parameter Other Context Parameters APPENDIX E Regular Expression Syntax SMC Regular Expression Syntax Special Character Sequences Pattern-Matching Modifiers Variable Expression Evaluation Stream Operations System Variables Independent Subexpressions Parallel Matching Groups Tips for Working With Regular Expressions APPENDIX F Schema Updates for External LDAP Servers APPENDIX G SNMP Traps and MIBs APPENDIX H Multicasting The General Features of Multicasting Multicasting vs. Unicasting Multicasting vs. Broadcasting IP Multicasting Overview Multicasting Applications Internet Group Management Protocol Membership Messages Ethernet Multicasting Multicasting and McAfee Firewalls Unicast MAC Multicast MAC Multicast MAC with IGMP Glossary Index Table of Contents

11 INTRODUCTION In this section: Using SMC Documentation - 13 Introduction to Firewalls - 17 Introduction to McAfee NGFW in the Firewall/VPN Role - 25 NGFW Deployment in the Firewall/VPN Role

12 12

13 CHAPTER 1 USING SMC DOCUMENTATION This chapter describes how to use this guide and related documentation. It also provides directions for obtaining technical support and giving feedback about the documentation. The following sections are included: How to Use This Guide (page 14) Documentation Available (page 15) Contact Information (page 16) 13

14 How to Use This Guide The McAfee NGFW Reference Guide for Firewall/VPN Role provides information that helps administrators of McAfee NGFW in the Firewall/VPN role to understand the system and its features. It provides high-level descriptions and examples of the configuration workflows. This guide is divided into several sections. The chapters in the first section provide a general introduction to McAfee NGFW in the Firewall/VPN role. The sections that follow each include chapters related to one feature area. The last section provides detailed reference information in tabular form, and some guideline information. For other available documentation, see Documentation Available (page 15). Typographical Conventions The following conventions are used throughout the documentation: Table 1.1 Typographical Conventions Formatting User Interface text References, terms Command line User input Command parameters Informative Uses Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face. Cross-references and first use of acronyms and terms are in italics. File names, directories, and text displayed on the screen are monospaced. User input on screen is in monospaced bold-face. Command parameter names are in monospaced italics. We use the following ways to indicate important or additional information: Note Notes prevent commonly-made mistakes by pointing out important points. Caution Cautions prevent breaches of security, information loss, or system downtime. Cautions always contain critical information that you must observe. Tip Tips provide additional helpful information, such as alternative ways to complete steps. Example Examples present a concrete scenario that clarifies the points made in the adjacent text. 14 Chapter 1 Using SMC Documentation

15 Documentation Available Stonesoft technical documentation is divided into two main categories: Product Documentation and Support Documentation (page 16). Each SMC product has a separate set of manuals. Product Documentation The table below lists the available product documentation. Table 1.2 Product Documentation Guide Reference Guide Installation Guide Online Help Administrator s Guide User s Guide Appliance Installation Guide Description Explains the operation and features of the SMC comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available as separate guides for McAfee Security Management Center and McAfee Firewall/VPN, and as a combined guide for McAfee IPS and McAfee Layer 2 Firewall. Instructions for planning, installing, and upgrading the SMC. Available as separate guides for McAfee Security Management Center and McAfee Firewall/VPN, and as a combined guide for McAfee IPS and McAfee Layer 2 Firewall. Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the Management Client and the Web Portal. An HTML-based system is available in the SSL VPN Administrator through help links and icons. Describes how to configure and manage the system step-by-step. Available as a combined guide for McAfee Firewall/VPN, McAfee IPS, and McAfee Layer 2 Firewall, and as separate guides for the SSL VPN and the IPsec VPN Client. Instructions for end-users. Available for the IPsec VPN Client and the Web Portal. Instructions for physically installing and maintaining McAfee NGFW appliances (rack mounting, cabling, etc.). Available for all McAfee NGFW appliances. PDF guides are available at https://www.stonesoft.com/en/customer_care/documentation/ current/. The McAfee SMC Administrator s Guide, and the Reference Guides and Installation Guides for McAfee Security Management Center, McAfee Firewall/VPN, McAfee IPS, and McAfee Layer 2 Firewall are also available as PDFs on the Security Management Center DVD. Documentation Available 15

16 Support Documentation The McAfee support documentation provides additional and late-breaking technical information. These technical documents support the SMC guide books, for example, by giving further examples on specific configuration scenarios. The latest technical documentation is available at System Requirements The certified platforms for running the McAfee Next Generation Firewall from Intel Security (NGFW) can be found at the product pages at firewall_vpn/. The hardware and software requirements for the SMC and version-specific details for all software products can be found in the Release Notes available at Supported Features Not all features are supported on all platforms. See the Appliance Software Support Table for more information. Contact Information For general information about SMC products, visit our web site at 16 Chapter 1 Using SMC Documentation

17 CHAPTER 2 INTRODUCTION TO FIREWALLS This chapter introduces and discusses the underlying security principles of firewalls in general. In this chapter we will discuss what firewalls are, which different types of firewalls there are, how they are used, what they are capable of, as well as what their possible weaknesses are. The following sections are included: The Role of the Firewall (page 18) Firewall Technologies (page 19) Additional Firewall Features (page 21) Firewall Weaknesses (page 24) 17

18 The Role of the Firewall Firewalls are the primary tool for perimeter access control between networks with different security levels. Firewalls control the traffic between networks and deny access that does not look like acceptable business use as defined by the administrators. The generally accepted principle of access control is whatever is not expressly permitted is denied. The most secure network is achieved when nobody and nothing is permitted entry to the protected network. In most cases, such a network is naturally too limited, so a firewall must be introduced to allow specific limited services to pass in a safe way. That means that in order for any traffic to be allowed into the network, it must first match an explicit allow rule. There are three main types of platforms for running a firewall: Dedicated McAfee NGFW appliances. Firewall software installed on a server dedicated to be used as a firewall. Firewall software running as a virtual machine in a virtualized server environment. McAfee Firewalls are available on all of these platform types. Regardless of the type of platform, the network structure in which the firewalls are placed must be carefully designed so that there are no loopholes or back doors. Firewalls can only control traffic that actually passes through them; even the most carefully planned firewall system can be undermined by a single back door that allows traffic to circumvent the firewall. In addition to access control, modern firewall devices often include a variety of additional integrated features, such as intrusion prevention systems (IPS), content filtering, anti-virus, and anti-spam. In this chapter, the additional features are discussed separately, and the discussion focuses on the primary role of access control. Such additional features in McAfee Firewalls are covered in more detail in section Additional Firewall Features (page 21). 18 Chapter 2 Introduction to Firewalls

19 Firewall Technologies This section presents an overview to the main firewall techniques, and explains how McAfee Firewalls use them. The discussion here is limited to the traditional firewall component of a firewall system; the various additional inspection features that modern firewalls often incorporate are discussed separately. Traditional firewall features are commonly achieved through three main techniques: packet filtering proxy firewalls stateful inspection. The next sections first discuss these techniques separately and then explains how they can be utilized together to achieve an optimal balance between performance and security. Packet Filtering Packet filtering examines the header information of packets and allows or stops each packet individually. In addition to firewalls, such simple access control lists (ACLs) are implemented on most common routing devices. Pure packet filters cannot protect against protocol misuse or other malicious contents in higher levels of the protocol stack. However, for some simple network protocols, packet filtering can be light on firewall resources and even provide an adequate level of protection. Proxy Firewalls Proxy firewalls are firewalls running application proxy services. Proxies are a man-in-the-middle, and they establish their own separate connections to both the client and the server. This type of firewall is fully application-aware, and therefore very secure, but at the same time there s a trade-off in performance due to the inevitable increase in overhead. Illustration 2.1 Proxy Firewall Model Firewall Technologies 19

20 Stateful Inspection Stateful inspection firewalls are aware of basic networking standards and use historical data about connections in determining whether to allow or stop a packet. They track the established connections and their states in dynamic state tables and ensure that the connections comply with the security policies and protocol standards. Since stateful inspection understands the context of connections (and therefore can relate the returning packets to appropriate connections), connections already determined to be secure can be allowed without full examination based on previous packets. This is especially important with services such as FTP, which can open several related connections that do not match a single basic profile. Even though Stateful inspection has some application awareness, it concentrates on protocols, not on inspecting data at the application layer. Multi-Layer Inspection Multi-Layer Inspection combines application layer inspection, stateful inspection, and packet filtering technologies flexibly for optimal security and system performance. Like stateful inspection, the McAfee Firewall uses state tables to track connections and judge whether a packet is a part of an established connection or not. The McAfee Firewall also features application-layer inspection through specific Protocol Agents, when necessary, for enhanced security to inspect data all the way up to the application layer. The McAfee Firewall can also act as a packet filter for types of connections that do not require the security considerations of stateful inspection. Illustration 2.2 Multi-layer Inspection Model By default, all McAfee Firewall Access rules implement stateful inspection, but the administrator can flexibly configure rules with simple packet filtering or an additional layer of application level security as needed. McAfee Firewalls apply application level inspection with or without proxying the connections, depending on what is required. Application level inspection can be selected to certain types of traffic by attaching a connection to a protocol-specific Protocol Agent. 20 Chapter 2 Introduction to Firewalls

Stonesoft 5.5. Firewall/VPN Reference Guide. Firewall Virtual Private Networks

Stonesoft 5.5. Firewall/VPN Reference Guide. Firewall Virtual Private Networks Stonesoft 5.5 Firewall/VPN Reference Guide Firewall Virtual Private Networks Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current

More information

F IREWALL/VPN REFERENCE GUIDE

F IREWALL/VPN REFERENCE GUIDE STONEGATE 5.3 F IREWALL/VPN REFERENCE GUIDE F IREWALL V IRTUAL PRIVATE NETWORKS Legal Information End-User License Agreement The use of the products described in these materials is subject to the then

More information

Stonesoft 5.4. Firewall Reference Guide. Firewall Virtual Private Networks

Stonesoft 5.4. Firewall Reference Guide. Firewall Virtual Private Networks Stonesoft 5.4 Firewall Reference Guide Firewall Virtual Private Networks Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current

More information

F IREWALL/VPN REFERENCE GUIDE

F IREWALL/VPN REFERENCE GUIDE STONEGATE 5.2 F IREWALL/VPN REFERENCE GUIDE F IREWALL V IRTUAL PRIVATE NETWORKS Legal Information End-User License Agreement The use of the products described in these materials is subject to the then

More information

McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles 5.7. NGFW Engine in the IPS and Layer 2 Firewall Roles

McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles 5.7. NGFW Engine in the IPS and Layer 2 Firewall Roles McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles 5.7 NGFW Engine in the IPS and Layer 2 Firewall Roles Legal Information The use of the products described in these materials is subject to

More information

StoneGate Reference Guide

StoneGate Reference Guide SMC FW IPS SSL VPN VPN StoneGate Reference Guide Firewall/VPN 5.0 Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current end-user

More information

McAfee SMC Reference Guide 5.7. Security Management Center

McAfee SMC Reference Guide 5.7. Security Management Center McAfee SMC Reference Guide 5.7 Security Management Center Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can be

More information

McAfee Next Generation Firewall (NGFW) Administration Course

McAfee Next Generation Firewall (NGFW) Administration Course McAfee Product Education McAfee Next Generation Firewall (NGFW) Administration Course The McAfee NGFW Administration course from Education Services provides attendees with hands-on training on the design,

More information

McAfee NGFW Installation Guide for Firewall/VPN Role 5.7. NGFW Engine in the Firewall/VPN Role

McAfee NGFW Installation Guide for Firewall/VPN Role 5.7. NGFW Engine in the Firewall/VPN Role McAfee NGFW Installation Guide for Firewall/VPN Role 5.7 NGFW Engine in the Firewall/VPN Role Legal Information The use of the products described in these materials is subject to the then current end-user

More information

F IREWALL/VPN INSTALLATION GUIDE

F IREWALL/VPN INSTALLATION GUIDE STONEGATE 5.1 F IREWALL/VPN INSTALLATION GUIDE F IREWALL V IRTUAL PRIVATE NETWORKS Legal Information End-User License Agreement The use of the products described in these materials is subject to the then

More information

McAfee SMC Installation Guide 5.7. Security Management Center

McAfee SMC Installation Guide 5.7. Security Management Center McAfee SMC Installation Guide 5.7 Security Management Center Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can

More information

F IREWALL/VPN INSTALLATION GUIDE

F IREWALL/VPN INSTALLATION GUIDE STONEGATE 5.3 F IREWALL/VPN INSTALLATION GUIDE F IREWALL V IRTUAL PRIVATE NETWORKS Legal Information End-User License Agreement The use of the products described in these materials is subject to the then

More information

STONEGATE 5.3 SMC REFERENCE GUIDE S TONEGATE MANAGEMENT CENTER

STONEGATE 5.3 SMC REFERENCE GUIDE S TONEGATE MANAGEMENT CENTER STONEGATE 5.3 SMC REFERENCE GUIDE S TONEGATE MANAGEMENT CENTER Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current end-user

More information

StoneGate Installation Guide

StoneGate Installation Guide SMC FW IPS SSL VPN VPN StoneGate Installation Guide SOHO Firewalls Updated for StoneGate Management Center 5.0.0 Legal Information End-User License Agreement The use of the products described in these

More information

STONEGATE 5.2 I NSTALLATION GUIDE I NTRUSION PREVENTION SYSTEM

STONEGATE 5.2 I NSTALLATION GUIDE I NTRUSION PREVENTION SYSTEM STONEGATE 5.2 I NSTALLATION GUIDE I NTRUSION PREVENTION SYSTEM Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current end-user

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

NETASQ MIGRATING FROM V8 TO V9

NETASQ MIGRATING FROM V8 TO V9 UTM Firewall version 9 NETASQ MIGRATING FROM V8 TO V9 Document version: 1.1 Reference: naentno_migration-v8-to-v9 INTRODUCTION 3 Upgrading on a production site... 3 Compatibility... 3 Requirements... 4

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Forcepoint Stonesoft Management Center

Forcepoint Stonesoft Management Center Datasheet Forcepoint Stonesoft Management Center EFFICIENT, CENTRALIZED MANAGEMENT OF FORCEPOINT STONESOFT NEXT GENERATION FIREWALLS IN DISTRIBUTED ENTERPRISE ENVIRONMENTS FORCEPOINT STONESOFT MANAGEMENT

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course The McAfee Firewall Enterprise System Administration course from McAfee University is a fast-paced,

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

UAG715 Support Note. Revision 1.00. August, 2012. Written by CSO

UAG715 Support Note. Revision 1.00. August, 2012. Written by CSO UAG715 Support Note Revision 1.00 August, 2012 Written by CSO Scenario 1 - Trunk Interface (Dual WAN) Application Scenario The Internet has become an integral part of our lives; therefore, a smooth Internet

More information

SMC INSTALLATION GUIDE

SMC INSTALLATION GUIDE STONEGATE 5.3 SMC INSTALLATION GUIDE S TONEGATE MANAGEMENT CENTER Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current end-user

More information

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

More information

Cisco AnyConnect Secure Mobility Solution Guide

Cisco AnyConnect Secure Mobility Solution Guide Cisco AnyConnect Secure Mobility Solution Guide This document contains the following information: Cisco AnyConnect Secure Mobility Overview, page 1 Understanding How AnyConnect Secure Mobility Works, page

More information

Cisco ASA, PIX, and FWSM Firewall Handbook

Cisco ASA, PIX, and FWSM Firewall Handbook Cisco ASA, PIX, and FWSM Firewall Handbook David Hucaby, CCIE No. 4594 Cisco Press Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA Contents Foreword Introduction xxii xxiii Chapter 1 Firewall

More information

Lucent VPN Firewall Security in 802.11x Wireless Networks

Lucent VPN Firewall Security in 802.11x Wireless Networks Lucent VPN Firewall Security in 802.11x Wireless Networks Corporate Wireless Deployment is Increasing, But Security is a Major Concern The Lucent Security Products can Secure Your Networks This white paper

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Tagesordnung WIN/IP-Forum

Tagesordnung WIN/IP-Forum Tagesordnung WIN/IP-Forum Mittwoch 19.10.2005 9:00 11:00 Uhr 9:00-9:15 Uhr Bericht des WiN-Labors Verena Venus, WiN-Labor RRZE Erlangen 9:15-9:30 Uhr Customer Network Management für das G-WiN, X-WiN und

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

McAfee Security. Management Client

McAfee Security. Management Client Security Management Center Efficient, centralized management of Next Generation Firewalls in distributed enterprise environments Key Benefits Centralized, single-paneof-glass management of Next Generation

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Configuring the Transparent or Routed Firewall

Configuring the Transparent or Routed Firewall 5 CHAPTER This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. This chapter also includes information about customizing

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

What s New in ISA Server 2004 ISA Server 2004 contains a fullfeatured,

What s New in ISA Server 2004 ISA Server 2004 contains a fullfeatured, Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced application-layer inspection firewall, VPN, and Web cache solution that enables enterprise customers to maximize existing

More information

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance This article will easily explain how to configure your Apple ipad, iphone or ipod Touch

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall

Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall Government of Canada Managed Security Service (GCMSS) Date: July 12, 2012 TABLE OF CONTENTS 1 FIREWALL... 1 1.1 SECURITY...1 1.2 STANDARDS...1 1.3 FAILOVER...2 1.4 PERFORMANCE...3 1.5 REPORTING...3 1.6

More information

(d-5273) CCIE Security v3.0 Written Exam Topics

(d-5273) CCIE Security v3.0 Written Exam Topics (d-5273) CCIE Security v3.0 Written Exam Topics CCIE Security v3.0 Written Exam Topics The topic areas listed are general guidelines for the type of content that is likely to appear on the exam. Please

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Firewall Defaults and Some Basic Rules

Firewall Defaults and Some Basic Rules Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 12 Supporting Network Address Translation (NAT) [Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Chapter 4 Security and Firewall Protection

Chapter 4 Security and Firewall Protection Chapter 4 Security and Firewall Protection This chapter describes how to use the Security features of the ProSafe Wireless ADSL Modem VPN Firewall Router to protect your network. These features can be

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

Vantage Report. User s Guide. www.zyxel.com. Version 3.0 10/2006 Edition 1

Vantage Report. User s Guide. www.zyxel.com. Version 3.0 10/2006 Edition 1 Vantage Report User s Guide Version 3.0 10/2006 Edition 1 www.zyxel.com About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the Vantage

More information

SonicOS Enhanced 5.7.0.2 Release Notes

SonicOS Enhanced 5.7.0.2 Release Notes SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility

More information

VPN CLIENT ADMINISTRATOR S GUIDE

VPN CLIENT ADMINISTRATOR S GUIDE STONEGATE IPSEC VPN 5.1 VPN CLIENT ADMINISTRATOR S GUIDE V IRTUAL PRIVATE NETWORKS Legal Information End-User License Agreement The use of the products described in these materials is subject to the then

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services

More information

Web Request Routing. Technical Brief. What s the best option for your web security deployment?

Web Request Routing. Technical Brief. What s the best option for your web security deployment? Web Request Routing and Redirection What s the best option for your web security deployment? Choosing the right method for redirecting traffic to your secure web gateway is absolutely essential to maximize

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION:

More information

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations Cisco PIX Security Appliance provides stateful firewall protection at smaller Internet gateways. Cisco IT Case Study / Security and

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 Table of Contents 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 2 Features and Benefits 2-1 Key Features 2-1 Support for the Browser/Server Resource Access Model 2-1 Support for Client/Server

More information

Fireware Essentials Exam Study Guide

Fireware Essentials Exam Study Guide Fireware Essentials Exam Study Guide The Fireware Essentials exam tests your knowledge of how to configure, manage, and monitor a WatchGuard Firebox that runs Fireware OS. This exam is appropriate for

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

Assuring Your Business Continuity

Assuring Your Business Continuity Assuring Your Business Continuity Q-Balancer Range Offering Business Continuity, Productivity, and Security Q-Balancer is designed to offer assured network connectivity to small and medium business (SME)

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201

FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201 FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201 Course Overview Through this 2-day instructor-led classroom or online virtual training, participants

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3

Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3 Firewall FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook Firewall v3 24 January 2012 01-432-148222-20120124 Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0 COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

More information

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Chapter 4: Security of the architecture, and lower layer security (network security) 1 Chapter 4: Security of the architecture, and lower layer security (network security) 1 Outline Security of the architecture Access control Lower layer security Data link layer VPN access Wireless access

More information

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000 Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business

More information

eprism Email Security Appliance 6.0 Release Notes What's New in 6.0

eprism Email Security Appliance 6.0 Release Notes What's New in 6.0 eprism Email Security Appliance 6.0 Release Notes St. Bernard is pleased to announce the release of version 6.0 of the eprism Email Security Appliance. This release adds several new features while considerably

More information

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management. SOLUTION GUIDE Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management. North America Radware Inc. 575 Corporate Dr Suite 205 Mahwah, NJ 07430

More information

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure

More information

This chapter describes how to set up and manage VPN service in Mac OS X Server.

This chapter describes how to set up and manage VPN service in Mac OS X Server. 6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure

More information

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration

More information

Basic & Advanced Administration for Citrix NetScaler 9.2

Basic & Advanced Administration for Citrix NetScaler 9.2 Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

White Paper. McAfee Multi-Link. Always-on connectivity with significant savings

White Paper. McAfee Multi-Link. Always-on connectivity with significant savings McAfee Multi-Link Always-on connectivity with significant savings Table of Contents Executive Summary...3 How McAfee Multi-Link Works...4 Outbound traffic...4 Load balancing...4 Standby links for high

More information

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE V IRTUAL PRIVATE NETWORKS C ONTENTS Introduction to the Scenarios... 3 Scenario 1: Gateway-to-Gateway With Pre-Shared Secrets... 3 Configuring

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency. Optimize your defense, resilience, and efficiency. Table of Contents Need Stronger Network Defense? Network Concerns Security Concerns Cost of Ownership Manageability Application and User Awareness High

More information