SERVICE DESCRIPTION Firewall

Transcription

1 SERVICE DESCRIPTION Firewall Date: Document: Service description: Firewall

2 TABLE OF CONTENTS Page 1 INTRODUCTION 3 2 SERVICE DESCRIPTION Basic service Options DHCP service Link Balancing Network Segmentation 8 3 ADDITIONAL DOCUMENTS 9 4 DISCLAIMER 9 Copyright United Security Providers AG page 2/9

3 1 INTRODUCTION This document describes the USP Firewall managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service. Field of application A modern network is subdivided into various zones. The individual zones contain data of different sensitivity levels which can be accessed by different user groups. The different zones are separated by firewalls. The firewalls examine the flow of data against predefined rules and thereby establish the authorizations for the individual zones. Surveillance of the data traffic flow between the zones and the effective blocking of inadmissible data traffic offers a striking increase in security on your network. Every data packet is unambiguously assigned to an active session. Any data packet that cannot be assigned to a valid session is discarded. This is an effective method for preventing attacks from the Internet. All zone transitions are logged. The firewall logs are not only used for later analysis of any attacks, but more often also constitute a valuable tool in the analysis of network problems. Copyright United Security Providers AG page 3/9

4 2 SERVICE DESCRIPTION 2.1 Basic service The USP Firewall service offers an effective separation between two different network zones, for example an internal company network and the Internet. Name of service Service abbreviation Firewall MSS-FW Service version 2.0 Status Operating hours Operational OH1: Monday Friday, 08:00 18:00 CET OH2: Monday Saturday, 07:00 21:00 CET OH3: Monday Sunday, 0:00 23:59 CET OH4: Monday Friday, 08:00 18:00 local time Availability guarantee ACA: Best effort ACB: 99.5% availability during operating hours ACC: 99.7% availability during operating hours ACD: 99.9% availability during operating hours Usage parameter Description The service is assessed on the basis of the number of IP addresses protected. The Firewall service uses a predefined set of firewall rules to control the transition between the different network zones. The basic service covers one zone transition, between the internal network and the Internet, for example. In conventional firewalls, two rules have to be detected so that communication can flow in both directions between an internal partner A and an external partner B. USP's Firewall service deploys state-controlled filters: if A initiates the communication, the response from B is automatically permitted. B is not permitted to send anything into the internal network if the communication was not started by A. A further essential component of the basic services is the translation of addresses and (NAT and PAT). Predefined rules are applied to redirect data packets to different addresses or ports. The entire data flow between the different zones is monitored and controlled by the Firewall service. This blocks access to sensitive data right at the perimeter of the zones. In this way potential attackers are not only locked out of the data, but also out of the data environment. The data are extremely efficiently protected. Copyright United Security Providers AG page 4/9

5 The data traffic between the zones is logged in full. Attacks or data theft is often only noticed significantly after the event. The firewall logs are a vital forensic resource in such cases. Analysis of the Firewall service log data contributes to an efficient defence against future attacks. Key Performance Indicators (KPIs) Reporting Measuring points Conditions of use Compliance with the SLA parameters is measured against the availability of the service infrastructure. The following service-specific values are collated in the monthly reports: - infrastructure workload - total data volume - incoming and outgoing data volume per zone - number of sessions - number of requests allowed, number of requests blocked The following measuring points are watched to monitor the service: - CPU/RAM utilisation - log status - number of IP addresses in internal networks - number of sessions - incoming and outgoing data volume per zone The firewall infrastructure must be implemented redundantly for availability guarantees that are better than ACA. The Firewall service requires a valid Fortiguard or Forticare subscription for the infrastructure. Copyright United Security Providers AG page 5/9

6 2.2 Options DHCP service The firewall infrastructure acts as a DHCP server or forwards DHCP messages to a target segment. Name of the service option Abbreviation Usage parameter Description DHCP service MSS-FW-DHCP The service option is assessed on the basis of the size of the address range. DHCP relaying is assessed at a fixed amount. Clients need to have a valid address before they are able to use network resources. These addresses are either set statically or assigned dynamically by a DHCP server. If this option is enabled, the firewall infrastructure acts as a DHCP server. Two different versions of this are supported. Either the firewall acts as a DHCP server for one or more internal segments. Or alternatively, the addresses are accepted by the firewall from a remote server and forwarded into the internal segment. Often there is no DHCP server available at smaller sites. No additional infrastructure is required if the firewall infrastructure takes on the role of the DHCP server. Static addressing is not possible if the clients in a segment are not known and change frequently, for example in guest networks. Instead of using a dedicated server and hence additional infrastructure, this job can be taken on by the existing firewall infrastructure. Key Performance Indicators (KPIs) Reporting Measuring points Conditions of use Compliance with the SLA is determined using the KPIs for the basic service. The following data is added to the reported data: - number of addresses assigned per day - addresses assigned concurrently The number of addresses assigned concurrently is monitored. The option is offered for segments with no more than 50 protected IP addresses or for guest segments. Copyright United Security Providers AG page 6/9

7 2.2.2 Link Balancing Where a site has a number of Internet links, they can be used in common with this option. Name of the service option Abbreviation Usage parameter Description Link Balancing MSS-FW-LB The service option is assessed on the basis of the size of the basic service. This option distributes the data traffic over the available links. Various strategies can be used for this: - source IP-based: standard, links selected in sequence by the roundrobin method, depending on the source IP. - weighted load balance: based on the configured weighting of the links. - spillover: the second link is only selected once a specified bandwidth is exceeded on the first link. Equal Cost Multipath Routing (ECMP) is generally used on these set-ups. As an alternative to using both links, one line can also be used as a pure backup line. As an alternative to the strategies listed above, it is also possible to define the load distribution on the basis of predefined rules. Connection to the Internet is of enormous importance for many companies. Pure availability is just as important in this context as the performance of the link. This option allows the achievement of an improvement in performance by distributing the load over a number of links. Very high availability can be achieved by using multiple links. Should one link fail, the entire data flow will be taken on by the remaining links so that connectivity is assured and you benefit from a constant connection to the Internet. Key Performance Indicators (KPIs) Reporting Measuring points Conditions of use Compliance with the SLA is determined using the KPIs for the basic service. The following data is added to the reported data: - availability of Internet links - utilisation of Internet links The availability of the links is checked by sending pings. The relevant interfaces on the firewall are additionally monitored. The Internet links are provided by the customer and are not a part of this service option. USP recommends that the USP Security Operations Center is made changeauthorised with the ISP so that changes and incidents can be handled as quickly as possible. Copyright United Security Providers AG page 7/9

8 2.2.3 Network Segmentation This option operates a further zone and manages the relevant rule sets. Name of the service option Abbreviation Usage parameter Description Reporting Measuring points Conditions of use Network Segmentation MSS-FW-NS The service option is assessed on the basis of the size of the basic service. This option operates an additional network segment. The segment is terminated at the firewall infrastructure. The data traffic between the zones is defined using predefined firewall rules. The zones can be terminated at a physical interface or be implemented as VLANs. Data of differing security sensitivity is stored in different zones. Security is significantly enhanced by the fact that all zone transitions are monitored and logged by the firewall infrastructure. Incoming and outgoing data traffic for the additional segment is added to the existing report. The incoming and outgoing data volume is measured. The conditions of use for the basic service apply. Copyright United Security Providers AG page 8/9

9 3 ADDITIONAL DOCUMENTS The present document describes the functional scope of USP's Firewall service. General information on the Service Level Agreement and on operation may be found in the additional documents. Service management and SL catalogue Services catalogue Price list This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees. The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion. The prices of all services and options are laid down in the price list. 4 DISCLAIMER This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement. USP's General Terms and Conditions shall apply unless higher-ranking provisions apply. Copyright United Security Providers AG. All rights reserved. Copyright United Security Providers AG page 9/9