Using Ranch Networks for Internal LAN Security


The Need for Internal LAN Security

Many companies have secured the perimeter of their network with Firewall and VPN devices. However, many studies have shown that despite this protection, the frequency of security breaches of various types is on the rise. The number of reported security incidents has been doubling year-over-year, to 82,000 in The number of actual security incidents is estimated to be approximately five times the number of reported incidents. A large subset of the total number of security breaches actually comes from within the LAN. The sources of these internal breaches include:

- Disgruntled employees
- Contract employees
- Laptops and other portable devices that have been connected elsewhere and brought back into the corporate LAN
- Other companies that are connected in various ways to the corporate LAN: customer access, outsourcing, partnerships, or shared LAN environments
- Improperly secured Wireless LANs
- Peer-to-peer applications such as those for Instant Messaging or File Sharing
- Malicious code that passes through the perimeter protection, infects an internal system by exploiting an unpatched vulnerability, then launches an internal attack

These security breaches can cause many serious issues, such as:

- Damage from Worms and Viruses
- Theft of Intellectual Property or other sensitive company data
- Financial fraud
- Internally launched Denial of Service attacks
- Violation of laws such as HIPAA, Sarbanes-Oxley, the Patriot Act, or Gramm-Leach-Bliley
- Sabotage

There are many statistics that justify these concerns:

- The FBI/CSI Computer Crime and Security Survey of US corporations, government agencies, and universities found:
  i. The theft of proprietary information cost US$70 Million in 2002, with an average of US$2.7 Million per reported loss
  ii. In 2001 the financial loss from financial fraud totaled US$116 Million, with an average loss of US$4.4 Million
  iii. For those respondents who knew where security breaches came from, about half came from inside their network
  iv. 77% of respondents listed disgruntled employees as a likely source of attack

- A survey of US corporations entitled "Managing Security Information" from The McKinsey Corporation found:
  i. 49% of respondents experienced unauthorized network access by insiders
  ii. 26% experienced a theft of proprietary information, with an average loss of US$4.5 Million
  iii. 12% experienced financial fraud, with an average loss of US$4.4 Million
- A survey conducted at the InfoSecurity 2003 Conference found:
  i. 49% of respondents listed potential security breaches from current employees as the most common cause of concern
  ii. Over one-third of respondents named current employees as a source of the majority of corporate security breaches in the past year

However, some companies think "it won't happen to me" and sweep the issue under the rug.

How Ranch Networks Helps to Solve These Problems

Providing Internal LAN Security as an Overlay to an Existing Network

[Figure: the RN20 sits between the Internet and the existing Layer 2 backbone switch. Ports trunked together carry the VLANs of the First, Second and Third Floor L2 switches (Conf Rms A, B and C, Desktops, WLANs 1 to 4, Lobby, Guest Office) and of the Data Center L2 switch back to the RN20.]

Selective Access Control Policy: Guests entering through Wireless LANs or other Zone 1 points are allowed to access the Internet but no other segment of the network. Employees entering through these same points can access the areas of the network they are permitted to enter by authenticating with the RN20, which contains Authorization Profiles for each type of user.

Zone Plan:
  Zone 1: VLANs for all WLANs, all Conf Rms, Guest Office, Lobby
  Zone 2: VLANs for all Accounting Desktops
  Zone 3: VLANs for all Sales Desktops
  Zone 4: VLANs for all HR Desktops
  Zone 5: VLANs for Financial Servers
  Zone 6: VLANs for Sales Servers
  Zone 7: VLANs for HR Servers
  Zone 8: VLAN for Internet
  S1: Servers with Financial Apps
  S2: Servers with Sales Apps
  S3: Servers with HR Apps

If you believe that increasing internal LAN security is important, Ranch Networks has an inexpensive, easy-to-implement way to address this need. The above diagram helps illustrate the various ways that a Ranch device can be used to increase the security of an existing LAN and complement the functions already provided by a perimeter Firewall/VPN device. Adding the Ranch product is an easy migration due to our Split Subnet feature, which means that many layers of security can be added without rewiring the existing network or reconfiguring IP addresses. In this example, VLANs are used to subdivide the existing network. These VLANs are then brought back to the Ranch device, where they are grouped into areas of trust, or Secure Zones.

The resulting increase in network security includes:

- The LAN is subdivided into multiple Secure Zones, with each Secure Zone having its own independent security policies. The RN20 provides up to 12 Secure Zones, with separate Virtual Firewalls between each pair of Zones in both directions, totaling 132 Virtual Firewalls. The RN5A/B/C provide up to 5 Secure Zones and a total of 20 Virtual Firewalls. Firewall rules can be set at Layers 2, 3, or 4. A full range of NAT options is available. Unauthorized access to Zones or IP addresses can be denied, as can unauthorized access from Zones or IP addresses.
- Denial of Service protection is provided between each pair of Secure Zones.
- Authentication can be enabled so that it is required to enter or exit a Secure Zone. This means that no packets from a user will be allowed through the Ranch device until the user first enters their Username and Password. Once the user is authenticated, they are then permitted to enter only those areas of the network to which they have been authorized. This enables a Single-Sign-On approach: once the user is authenticated by the Ranch device, they can be allowed access to those applications to which they are permitted without further sign-on, if desired.
- Security breaches can be automatically or manually isolated and quarantined within a Zone.
  i. Leveraging your investment in an Intrusion Detection System (IDS). Ranch products can be used to increase the performance, coverage, and effectiveness of an IDS in two ways:
    1. Ranch products can be configured to mirror traffic to the IDS. Traffic can be selected by Source or Destination Zone, IP address (or range), MAC address, or Port number (or range). Given the centralized location of a typical Ranch installation (see the above figure), it is in a perfect position to selectively filter and mirror traffic from almost any area of the network. By performing this function, traffic to the IDS can be regulated to match the IDS throughput capacity and prioritized to mirror the traffic the network admin most wants to monitor. This approach effectively increases the performance and coverage of the IDS and can significantly decrease the cost of an IDS deployment.
    2. If the IDS detects an attack or the presence of some malicious code, it can send a message to the Ranch device instructing it to isolate the infected Zone and/or IP address. In this way the Ranch product becomes an enforcement point for the IDS.
  ii. Leveraging your investment in a Security Policy Management or Event Correlation system. Just as with an IDS, these security management systems can be configured to automatically send a message to an RN device to isolate a Zone and/or IP address.
  iii. Manual Isolation. Just as an IDS can be programmed to perform an automatic isolation of a Zone or IP address, a network admin can implement this isolation manually through SNMP.
  iv. Alarms can be initiated when port scanning occurs, so that malicious code can be identified and removed before it can do damage beyond the Zone. This function can be quite valuable in containing worm attacks, because port scanning is the most common method for the propagation of worms.

  v. Alarms can be initiated when an unauthorized connection is attempted. With many Client/Server applications, the Server should never initiate a new connection; it only responds to queries from the Client. If, however, the Server becomes infected and attempts to launch a new connection out of the Zone, the Ranch device can not only deny the attempted connection but also initiate an alarm so that the Server can be cleaned.
- Wireless LANs can be separated into their own Zone, with stricter security policies applied to this Zone. The diagram above illustrates this scenario. Even if Wireless LAN Access Points are scattered randomly throughout the LAN, VLANs can be used to segment them from the rest of the LAN. These VLANs are then brought back to the Ranch device and grouped together into a Secure Zone. Other LAN connections where Guests, Contractors, or other third parties are likely to connect can also be grouped into this same Zone. Then special security policies can be applied to this Zone:
  i. If the company wishes, it can allow Guests to have access from this Zone to the Internet, but not to the rest of the network.
  ii. If the company wants to restrict the total bandwidth from this Zone to the Internet, a maximum bandwidth rule can be configured.
  iii. If the company wants to require a Username and Password before Guests can access the Internet, this can be configured.
  iv. If an Employee enters the network through this same Zone (for instance, by using the Wireless LAN), they can enter the internal network by using the Authentication feature, so that they can access those portions of the network to which they have been authorized.
- Network hiding is provided between each pair of Secure Zones. Since the Ranch device sits in-line in front of the Servers, Desktops, and other devices in the Zone, it hides these devices from many types of hacking attempts:
  i. Port scanning is blocked and does not get to the Servers and other devices
  ii. Operating System vulnerabilities become less accessible
  iii. Patch management can be performed in reasonable time periods
  iv. Devices that may not themselves have adequate internal security are hidden and protected (such as many Printers, IP Phones, Routers, Switches, PBXs, Network Attached Storage (NAS), PDAs and other devices with exotic Operating Systems)
- Rate limiting and port mirroring can be configured for any Zone.
- VPN will be available in 2Q04.
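The following Python model is an added example, not Ranch Networks code or configuration: it simulates the Secure Zone behaviour described above (one Virtual Firewall per ordered pair of Zones, the Zone 1 guest and employee policy, the "a Server never initiates a connection" alarm, and port-scan detection with automatic isolation of the offending IP address). The zone numbers follow the page's Zone Plan; the user names, IP addresses and the port-scan threshold are constructed assumptions.

```python
"""Simulation of per-direction Virtual Firewalls between Secure Zones.

Each Flow is the first packet of a new connection attempt. Replies to
connections that were already admitted are handled by firewall state in
a real device and are not modelled here.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Zone Plan from the diagram (zone number -> description)
ZONES = {1: "Guest/WLAN", 2: "Accounting Desktops", 3: "Sales Desktops",
         4: "HR Desktops", 5: "Financial Servers", 6: "Sales Servers",
         7: "HR Servers", 8: "Internet"}
SERVER_ZONES = {5, 6, 7}
SCAN_THRESHOLD = 10   # distinct destination ports from one source (assumed value)


def virtual_firewall_count(n_zones: int) -> int:
    """One Virtual Firewall per ordered pair of Zones: 12 -> 132, 5 -> 20."""
    return n_zones * (n_zones - 1)


@dataclass
class Flow:
    src_zone: int
    dst_zone: int
    src_ip: str
    dst_port: int
    user: Optional[str] = None    # set once the user has authenticated


@dataclass
class ZoneEngine:
    # Authorization Profiles: authenticated user -> zones they may enter
    profiles: dict[str, set[int]]
    # Per-direction zone rules: (src_zone, dst_zone) -> "allow"; default deny
    rules: dict[tuple[int, int], str] = field(default_factory=dict)
    alarms: list[str] = field(default_factory=list)
    isolated_ips: set[str] = field(default_factory=set)
    _ports_seen: dict[str, set[int]] = field(default_factory=lambda: defaultdict(set))

    def decide(self, f: Flow) -> str:
        """Return 'allow' or 'deny'; alarms and isolation are side effects."""
        if f.src_ip in self.isolated_ips:
            return "deny"                      # quarantined within its Zone
        if f.src_zone == f.dst_zone:
            return "allow"                     # intra-Zone traffic is not firewalled
        # Port-scan detection: many distinct destination ports from one source
        seen = self._ports_seen[f.src_ip]
        seen.add(f.dst_port)
        if len(seen) >= SCAN_THRESHOLD:
            self.alarms.append(f"port scan from {f.src_ip} (Zone {f.src_zone}); isolating host")
            self.isolated_ips.add(f.src_ip)
            return "deny"
        # A Server only answers Client queries; a new outbound connection is suspicious
        if f.src_zone in SERVER_ZONES:
            self.alarms.append(f"server {f.src_ip} (Zone {f.src_zone}) initiated a "
                               f"connection to Zone {f.dst_zone}")
            return "deny"
        # Authenticated employees may enter the Zones their profile permits
        if f.user is not None and f.dst_zone in self.profiles.get(f.user, set()):
            return "allow"
        # Otherwise the Virtual Firewall for this direction decides (default deny)
        return self.rules.get((f.src_zone, f.dst_zone), "deny")


def build_example_engine() -> ZoneEngine:
    """Policy from the diagram: Zone 1 reaches only the Internet (Zone 8)."""
    eng = ZoneEngine(profiles={"alice": {3, 6}})   # constructed Sales employee
    eng.rules[(1, 8)] = "allow"
    for z in (2, 3, 4):                             # desktops may reach the Internet
        eng.rules[(z, 8)] = "allow"
    return eng


if __name__ == "__main__":
    eng = build_example_engine()
    print("guest -> Internet:", eng.decide(Flow(1, 8, "10.0.1.50", 443)))
    print("guest -> Financial Servers:", eng.decide(Flow(1, 5, "10.0.1.50", 1433)))
    print("alice -> Sales Servers:", eng.decide(Flow(1, 6, "10.0.1.51", 8080, user="alice")))
    print("server -> Internet:", eng.decide(Flow(5, 8, "10.0.5.10", 80)))
    for a in eng.alarms:
        print("ALARM:", a)
```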

In addition to these security functions, Ranch products also provide many useful non-security functions:

- Overlay without reconfiguration
  i. Ranch products can be added as an overlay to upgrade an existing LAN without needing to (1) rewire the LAN to achieve Secure Zones, or (2) reconfigure IP addresses. This is possible due to the Virtual Zones and Split Subnetting features included in all Ranch devices.
- Quality of Service
  i. Bandwidth Management / Traffic Shaping
    1. Guaranteed, minimum, maximum, and burst bandwidth can be allocated based upon Source or Destination Zone, IP address (or range), MAC address, or Port number (or range). Thus it is possible to prioritize traffic on a per-user or per-application basis.
    2. Bandwidth allocations can be either permanent or dynamic (only used when needed; if not needed, the bandwidth is shared).
  ii. Full support for end-to-end QoS can be provided by (1) setting TOS or DiffServ priority for outgoing traffic and (2) classification and prioritization of incoming traffic based on TOS or DiffServ.
- Support for Voice-over-IP includes low latency, high throughput, Bandwidth Management, TOS / DiffServ, dynamic firewall control, Per-User Authentication, and the ability to segment voice devices into their own Secure Zone.
- Load Balancing
  i. Load Balancing can be provided for multiple server groups (up to a total of 1024 server groups per Ranch device).
  ii. Common Load Balancing algorithms such as Round Robin, Weighted Round Robin, and Least Connections are provided.
  iii. Persistency can be provided via Cookie, SSL, or Client IP for HTTP, HTTPS, and FTP (active and passive).
- Health Monitoring
  i. Any device with a reachable IP address, within the LAN or elsewhere, can be monitored via ICMP ping verification (Layer 3). If the device does not respond, an SNMP alarm/trap and/or Syslog message is sent.
  ii. TCP connection verification can be used to monitor devices with a reachable IP address and TCP enabled (Layer 4).
  iii. Link monitoring (Layer 2) is performed for links physically connected to the Ranch device.
  iv. Web (HTTP) and FTP servers can also be monitored at Layer 7.
  v. An HTTP server can be requested to perform a database query into another server. If this database query is not successful, an alarm will be sent.
- Multicasting and Switching
  i. Layer 2-4 Switching is provided with VLAN support.

  ii. Multicasting is based on RFC 1112/2236/2933 and is hardware assisted to provide up to 1 Gbps of Multicast traffic.
- Accounting
  i. All Ranch devices have the ability to count packets and bytes so that network usage can be monitored or charged back to users. Traffic can be classified for Accounting purposes based on Source or Destination Zone, Source or Destination IP Address, Source or Destination Protocol Port, or other Protocol information. The number of packets (or bytes) corresponding to the classification specification is then counted. An external Accounting, Billing, or Network Management System can query the Ranch device periodically in order to read the counters and bill (or measure) users accordingly. Over a thousand Classification Categories can be defined. Monitoring of network usage can thus be performed by customer, application, user (or group of users), server (or group of servers), or network segment.
- Remote Management
  i. Currently two types of Remote Management are provided: a Web-based GUI (Graphical User Interface) and SNMP.
  ii. In January 2004 Ranch will be adding a third method of Remote Management, which will be a PC-based tool. This tool will allow RN devices to be easily configured using a Drag and Drop user interface. The tool will also store Configuration Files for multiple RN devices, thus serving as a central repository for all Config Files.

The Advantages of This Approach

This Ranch solution is advantageous over other alternatives in the following ways:

- Unprecedented Value: Ranch Networks devices contain greater functionality for the price than any competitive product.
- More robust internal network security: Ranch devices are specifically optimized for internal network security and provide more security between Zones than any competitive product. Some competitors say that they provide zones, but typically there are not even separate firewalls between these zones, nor Denial of Service protection, nor most of the other security functions Ranch provides.
- Lower Capital Expense: Purchasing the separate products required to perform a similar set of functions is much more expensive (up to 5-7 times more expensive, depending on the vendors and products used).
- Lower Operating Expense: Maintaining the separate products required to perform these functions is similarly much more expensive. These costs include vendor maintenance, software support, and technical support, internal staff time, training time, installation and configuration time, per-user licensing fees as users on the system increase, and network monitoring costs.
- Ease of Upgrade: Ranch devices can be easily added as an overlay to upgrade an existing Data Center without needing to (1) rewire the Data Center to achieve Secure Zones, or (2) reconfigure IP addresses. This is possible due to the Virtual Zones and Split Subnetting features included in all Ranch devices.

- Higher Reliability: The presence of multiple devices instead of one decreases the reliability of the system, since more boxes means more cables, more connectors, more power supplies, more fans, and more electronic components. The greater the number of these components, the more likely there will be a system failure.

[Figure: Increased Reliability and Performance. Traditional Approach: the Enterprise LAN passes through a separate Firewall, Bandwidth Manager, Load Balancer and Switch before reaching the Servers. Ranch Approach: the Enterprise LAN passes through a single RN20.]

- Higher Performance: When a packet needs to traverse multiple devices, each device must process the packet up and down its own TCP/IP stack. With Ranch Networks' patent-pending Single Pass Packet Scanning technology, each packet is only processed once, regardless of how many services (security, bandwidth, etc.) are applied to it.
- Lower Complexity: Fewer boxes means less network complexity and fewer opportunities to make mistakes. Training can be standardized on a single user interface, rather than multiple. Providing redundant configurations is far easier.
- A higher level of security than VLANs: VLANs do a great job of segmenting a network, but what happens when traffic needs to pass between VLANs? VLAN switches alone provide no security policies between VLANs, whereas Ranch provides all the security functionality described above.
- A higher level of security than ACLs: Access Control Lists provide filtering of traffic to specific IP addresses. However, ACLs alone provide a very low level of security: they are not Stateful, they provide no Denial of Service protection, they do not include Per-User Authentication, nor do they provide many other functions that Ranch security provides.
- Greater leverage of an IDS investment: Ranch selective mirroring allows customers to save money on their IDS deployments by reducing the per-port, per-leg, or per-user licensing they may otherwise be required to pay. An RN device also provides a powerful enforcement point so that an IDS can automatically stop an attack and isolate it.
- Assist rather than impede application performance: Usually when security is increased on a network, the availability and performance of applications is decreased, so business productivity suffers. Because of Ranch's QoS support, Single Sign On support, high throughput, low latency, and application prioritization through bandwidth management, application performance is improved rather than impeded while network security is simultaneously increased.
- Security can be matched to the areas of trust associated with a specific organization.
- Complement and enhancement to host-based security: RN devices provide many security functions that host-based security does not:
  i. Denial of Service protection
  ii. Security for systems that may not contain adequate host-based security, such as many Printers, IP Phones, Routers, Switches, PBXs, Network Attached Storage (NAS), PDAs and other devices with exotic Operating Systems
  iii. Blockage of port scanning
  iv. Prevention of unauthorized access into a network segment
  v. Hiding of Operating System vulnerabilities
  vi. Protection of devices during patch management
  vii. Traffic mirroring to an IDS and enforcement for the IDS
  viii. Detection of malicious communication from an infected host
  ix. Easier management, because there are many fewer enforcement points to configure (or misconfigure!), monitor, modify, and maintain


More information

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

Load Balance Router R258V

Load Balance Router R258V Load Balance Router R258V Specification Hardware Interface WAN - 5 * 10/100M bps Ethernet LAN - 8 * 10/100M bps Switch Reset Switch LED Indicator Power - Push to load factory default value or back to latest

More information

CompTIA Network+ N Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs

CompTIA Network+ N Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs CompTIA Network+ N10 005 Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs Domain 1.0: Network Concepts 1.1 Compare the layers of the OSI and TCP/IP Models TCP/IP Model Layer Matching

More information

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20

More information

THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER

THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER How to ensure a cloud-based phone system is secure. BEFORE SELECTING A CLOUD PHONE SYSTEM, YOU SHOULD CONSIDER: DATA PROTECTION.

More information

Designing a security policy to protect your automation solution

Designing a security policy to protect your automation solution Designing a security policy to protect your automation solution September 2009 / White paper by Dan DesRuisseaux 1 Contents Executive Summary... p 3 Introduction... p 4 Security Guidelines... p 7 Conclusion...

More information

Cisco WRVS4400N Wireless-N Gigabit Security Router Cisco Small Business Routers

Cisco WRVS4400N Wireless-N Gigabit Security Router Cisco Small Business Routers Cisco WRVS4400N Wireless-N Gigabit Security Router Cisco Small Business Routers Highlights Secure, high-speed wireless network access for small business Gigabit Ethernet connections enable rapid transfer

More information

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.

More information

GregSowell.com. Mikrotik Basics

GregSowell.com. Mikrotik Basics Mikrotik Basics Terms Used Layer X When I refer to something being at layer X I m referring to the OSI model. VLAN 802.1Q Layer 2 marking on traffic used to segment sets of traffic. VLAN tags are applied

More information

Network Access Control ProCurve and Microsoft NAP Integration

Network Access Control ProCurve and Microsoft NAP Integration HP ProCurve Networking Network Access Control ProCurve and Microsoft NAP Integration Abstract...2 Foundation...3 Network Access Control basics...4 ProCurve Identity Driven Manager overview...5 Microsoft

More information

SLA para aplicaciones en redes WAN. Alvaro Cayo Urrutia

SLA para aplicaciones en redes WAN. Alvaro Cayo Urrutia SLA para aplicaciones en redes WAN Alvaro Cayo Urrutia Quién es FLUKE NETWORKS? Enterprise SuperVision (ESV) Soluciones portátiles de prueba y análisis LAN y WAN distribuidas Infrastructure SuperVision

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by

More information

Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost.

Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost. Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost. Peplink. All Rights Reserved. Unauthorized Reproduction Prohibited Presentation Agenda Peplink Balance Pepwave MAX Features

More information

Network Design Best Practices for Deploying WLAN Switches

Network Design Best Practices for Deploying WLAN Switches Network Design Best Practices for Deploying WLAN Switches A New Debate As wireless LAN products designed for the enterprise came to market, a debate rapidly developed pitting the advantages of standalone

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Hirschmann. Simply a good Connection. White paper: Security concepts. based on EAGLE system. Security-concepts Frank Seufert White Paper Rev. 1.

Hirschmann. Simply a good Connection. White paper: Security concepts. based on EAGLE system. Security-concepts Frank Seufert White Paper Rev. 1. Hirschmann. Simply a good Connection. White paper: Security concepts based on EAGLE system Security-concepts Frank Seufert White Paper Rev. 1.1 Contents Security concepts based on EAGLE system 1 Introduction

More information

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway TESTING & INTEGRATION GROUP SOLUTION GUIDE Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway INTRODUCTION...2 RADWARE SECUREFLOW... 3

More information

Steelcape Product Overview and Functional Description

Steelcape Product Overview and Functional Description Steelcape Product Overview and Functional Description TABLE OF CONTENTS 1. General Overview 2. Applications/Uses 3. Key Features 4. Steelcape Components 5. Operations Overview: Typical Communications Session

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Intelligent Infrastructure & Security

Intelligent Infrastructure & Security SYSTIMAX Solutions Intelligent Infrastructure & Security Using an Internet Protocol Architecture for Security Applications White Paper July 2009 www.commscope.com Contents I. Intelligent Building Infrastructure

More information

Top-Down Network Design

Top-Down Network Design Top-Down Network Design Chapter Five Designing a Network Topology Copyright 2010 Cisco Press & Priscilla Oppenheimer Topology A map of an internetwork that indicates network segments, interconnection points,

More information

Firewall Defaults and Some Basic Rules

Firewall Defaults and Some Basic Rules Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified

More information

OLD DOMINION UNIVERSITY 4.3.4.2 - Router-Switch Best Practices. (last updated : 20080305 )

OLD DOMINION UNIVERSITY 4.3.4.2 - Router-Switch Best Practices. (last updated : 20080305 ) OLD DOMINION UNIVERSITY 4.3.4.2 - Router-Switch Best Practices (last updated: 20080303) Introduction One of the information techlogy priorities for Old Dominion University (ODU) is to provide and maintain

More information

Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3

Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3 Firewall FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook Firewall v3 24 January 2012 01-432-148222-20120124 Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to

More information

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

1. Thwart attacks on your network.

1. Thwart attacks on your network. An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money. 10 Reasons to Deploy an Intrusion Detection and Prevention System Intrusion Detection Systems

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Best Practices for Outdoor Wireless Security

Best Practices for Outdoor Wireless Security Best Practices for Outdoor Wireless Security This paper describes security best practices for deploying an outdoor wireless LAN. This is standard body copy, style used is Body. Customers are encouraged

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

IPS Anti-Virus Configuration Example

IPS Anti-Virus Configuration Example IPS Anti-Virus Configuration Example Keywords: IPS, AV Abstract: This document presents a configuration example for the AV feature of the IPS devices. Acronyms: Acronym Full spelling IPS AV Intrusion Prevention

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA

More information

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 This example explains how to configure pre-shared key based simple IPSec tunnel between NetScreen Remote Client and RN300 VPN Gateway.

More information

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com SMALL BUSINESS NETWORK SECURITY GUIDE WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION AUGUST 2004 SMALL BUSINESS NETWORK SECURITY GUIDE: WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Today's security needs in networking

Today's security needs in networking Today's security needs in networking Besoins actuels de la sécurité réseau European partner summit Thursday, October 13, 2005 Hervé Schauer Hervé Schauer Agenda Firewalls Liability

More information

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x HughesNet Broadband VPN End-to-End Security Using the Cisco 87x HughesNet Managed Broadband Services includes a high level of end-to-end security features based on a robust architecture designed to meet

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

Building Secure Networks for the Industrial World

Building Secure Networks for the Industrial World Building Secure Networks for the Industrial World Anders Felling Vice President, International Sales Westermo Group Managing Director Westermo Data Communication AB 1 Westermo What do we do? Robust data

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Cisco Wireless Control System (WCS)

Cisco Wireless Control System (WCS) Data Sheet Cisco Wireless Control System (WCS) PRODUCT OVERVIEW Cisco Wireless Control System (WCS) Cisco Wireless Control System (WCS) is the industry s leading platform for wireless LAN planning, configuration,

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013 Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013 Outline Genesis - why we built it, where and when did the idea begin Issues

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

LAN Switching and VLANs

LAN Switching and VLANs 26 CHAPTER Chapter Goals Understand the relationship of LAN switching to legacy internetworking devices such as bridges and routers. Understand the advantages of VLANs. Know the difference between access

More information

Introduction to Endpoint Security

Introduction to Endpoint Security Chapter Introduction to Endpoint Security 1 This chapter provides an overview of Endpoint Security features and concepts. Planning security policies is covered based on enterprise requirements and user

More information

Security Solution Architecture for VDI

Security Solution Architecture for VDI Solution Architecture for VDI A reference implementation of VMware BENEFITS Validated solution architecture provides unprecedented end-to-end security dashboard for virtual desktop infrastructure (VDI)

More information

Firewalls and Intrusion Detection Systems. Advanced Computer Networks

Firewalls and Intrusion Detection Systems. Advanced Computer Networks Firewalls and Intrusion Detection Systems Advanced Computer Networks Firewalls & IDS Outline Firewalls Stateless packet filtering Stateful packet filtering Access Control Lists Application Gateways Intrusion

More information

Training Course on Network Administration

Training Course on Network Administration Training Course on Network Administration 03-07, March 2014 National Centre for Physics 1 Network Security and Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Crafting a Secure

More information

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations

More information