1 WHITE PAPER NUCLEAR PLANT CONTROL SYSTEM CYBER VULNERABILITIES AND RECOMMENDATIONS TOWARD SECURING THEM Enabling Comprehensive Network- Based Security for Control Systems Copyright 2009, Juniper Networks, Inc. 1
2 Table of Contents Executive Summary Introduction Threats to the Control System Network NRC March 2009 Security Enhancements Seven-Step Plan for Plant Control System Cyber Security Step 1 Identifying Critical Assets Step 2 Profiling the Network Step 3 Creating and Managing Policies Across the Network Step 4 Creating a Strong Defense Perimeter Step 5 Ensuring Identity Management and Rogue Device Mitigation Step 6 Setting Up Secure Remote Access Step 7 Monitoring and Reporting Conclusion About the Contributing Author About Juniper Networks Table of Figures Figure 1: Seven-step plan for plant control system cyber security Figure 2: Nuclear power plant network security architecture Copyright 2009, Juniper Networks, Inc.
3 Executive Summary The nuclear energy industry is one of the few industries whose security program is regulated by the federal government. The U.S. Nuclear Regulatory Commission (NRC) holds nuclear power plants to the highest security standards of any American industry. Each of the nuclear power plants within the U.S. has extensive security measures in place to protect the facility from intruders. The increasing reliance on computer systems and networks within control systems at nuclear power plants has presented new potential security threats referred to as cyber security that include such threats as viruses, worms, and unauthorized access. The potential effects such cyber security threats might pose to the real-time visibility and control, along with real-time response and deployment of needed resources in a plant on a daily basis, are not acceptable. This paper helps control network and security managers better understand the cyber security challenges within today s nuclear power plants and what the actual threats are. The document then briefly reviews the key enhancements to cyber security required by the recent NRC Security Rule 7354, and presents a seven-step plan that can help address meeting these requirements by enabling a comprehensive network-based security solution. Introduction For nuclear power plants, the digital computers and communication systems and networks are a strategic asset. Some key cyber security challenges in maintaining the safety and availability of nuclear plants are in the areas of interoperability, scalability, performance, usability, and manageability. From a security perspective, many current security solutions lack the ability to adapt and respond proactively in real time to constantly evolving unintentional incidents and intentional threats such as hacking, scanning, denial-of-service (DoS) attacks, new exploits in applications, worms, and viruses, to name a few. Further, the lack of tight integration between security products such as firewalls and intrusion prevention systems (IPS), in combination with disparate features, creates a challenge to the job of adequately addressing security incidents. Security and IT administrators are also faced with the challenge of making sure that the products they deploy scale to support ever-increasing network traffic and a diverse user population, while at the same time maintaining fast, reliable, and secure access to applications and network resources. Often this results in a compromise, where adding extra security degrades performance of the service or vice versa. Performance, interoperability, and scalability are also an issue, especially when service is required under heavy traffic load such as during an off-normal event or plant scram. Finally, because existing solutions consist of a mix of different products and technologies that are not tightly integrated, administrators are faced with the challenge of understanding and managing multiple security products and management systems. This challenge grows exponentially when one tries to identify the root cause of an incident, where reports and logs need to be viewed from multiple systems and several hundred devices that are spread over many locations. This makes forensic analysis difficult at best, and leaves the network extremely vulnerable. Threats to the Control System Network A primary source of cyber attacks against control systems originates via the WAN, the Internet, and trusted thirdparty or remote connections. While internal threats are still significant and one of the top areas of concern for plant managers, increasing numbers of targeted threats are originating from external sources. This mirrors the current threat trend in traditional IT systems. Internal threats can come from a number of different sources, including attacks by disgruntled employees and contractors or accidental infection from a device accessing the network without the latest protection and unknowingly spreading a virus, worm, or other attack. However, user error and unintended consequences of routine actions actually represent the greatest risks, causing many cyber-related incidents in industrial environments. A local or remote user might access the wrong systems and make changes to them; IT personnel can perform a network penetration test that degrades performance or renders a system inoperable; or a user might download or send large files over the network and impact control traffic performance. There is also a wide range of external threats to control systems. These range from accidental infection by a guest laptop to deliberate attacks. Today s hackers are now more often motivated by profit, with groups looking for opportunities for extortion or theft that provide a quick payoff. Such targeted intrusions are increasingly difficult to detect, which is a key reason for achieving complete visibility across the corporate network. These types of threats can include: Copyright 2009, Juniper Networks, Inc. 3
4 1. Malicious Code (Malware): Malware includes the broad range of software designed to infiltrate or damage computing systems without user knowledge or consent. The most well-known forms of malware include the following: a. Viruses manipulate legitimate users into bypassing authentication and access control mechanisms in order to execute malicious code. Virus attacks are often untargeted and can spread rapidly between vulnerable systems and users. They damage systems and data, or decrease availability of infected systems by consuming excessive processing power or network bandwidth. b. A worm or self-replicating program uses the network to send copies of itself to other nodes without any involvement from a user. Worm infections are untargeted and often create availability problems for affected systems. They might also carry a malicious code to launch a distributed attack from the infected hosts. There has been at least one case of a worm affecting a nuclear plant. c. The trojan is a type of virus in which the malicious code is hidden behind a functionality desired by the end user. Trojan programs circumvent confidentiality or control objectives and can be used to gain remote access to systems, gather sensitive information, or damage systems and data. 2. Denial-of-Service Attack: DoS attacks have become notorious over the past few years when used by attackers to flood network resources, such as critical servers or routers, in several major organizations with the goal of obstructing communication and decreasing the availability of critical systems. A similar attack can be easily mounted on a targeted control system, making it unusable for a critical period of time. An unintentional denial-of-service incident has occurred to at least one nuclear plant. 3. Rogue Devices: In wireless networks, an unauthorized access point might be inserted into the control system. This can be done in a non-malicious manner, which inadvertently provides an unknown access point. It can also be done maliciously to provide false or misleading data to the controller, which can cause it to issue errant commands such as triggering a fail-safe device or changing operator screens to provide erroneous information. 4. Reconnaissance Attacks: Reconnaissance attacks enable the first stage of the attack life cycle by probing. This serves to provide a more focused life cycle and improve the odds of success in the attacker s favor. 5. Eavesdropping Attacks: The goal of an eavesdropper is to violate the confidentiality of communications by sniffing packets of data on the control network or by intercepting wireless transmissions. Advanced eavesdropping attacks, also known as man-in-the-middle (MITM) or path insertion attacks, are typically leveraged by a hacker as a followup to a network probe or protocol violation attack. 6. Collateral Damage: This type of impact is typically unplanned or materializes as an unforeseen or unplanned side effect of techniques being used for the primary attack. An example is the impact that bulk scanning or probing traffic can have on link and bandwidth availability. Or, if a network is not properly configured, unintended traffic such as large downloads, streaming video, or penetration tests can consume excessive bandwidth and result in unacceptable levels of network noise and slowed performance. Jitter is a significant, and usually undesired, factor in the design of almost all communications links. Since field controllers are sensitive to jitter, network noise can be detrimental to performance. 7. Unauthorized Access Attacks: These are attempts to access assets that the attacker is not privileged or authorized to use. This implies that the attacker has some form of limited or unlimited control over the system. 8. Unauthorized Use of Assets, Resources, or Information: In this type of incident, an asset, service, or data is used by someone authorized to use that particular asset, but not in the manner being attempted. The faster a threat can be recognized, the more quickly with which it can be dealt. Preventing the behavior of the attacks and intrusions once the hacker is inside is the key to network security. There are many back doors and potential weak links in industrial control system networks. Typically, these include misconfigured devices, undocumented connections, wireless networks without proper security configurations, and open unguarded ports. A primary vector of concern is the compromise of data that can alter the operation of field devices or mislead an operator into taking inappropriate action. Perhaps the greatest threat of all is the lack of understanding within the industrial organizations in both operations and IT departments as to the seriousness of the problem. Even control system vendors still are not designing technologies for security. In fact, many are instead including vulnerable applications and technologies such as Microsoft IIS, Bluetooth wireless communications, and wireless modems in their latest offerings. 4 Copyright 2009, Juniper Networks, Inc.
5 NRC March 2009 Security Enhancements The NRC endorsed cyber security guidelines in 2005 and by May 2008 all 104 operations nuclear power plants in the U.S. had implemented them voluntarily. In March 2009, the NRC issued enhancements to cyber security Nuclear Regulations 10 CFR Protection of digital computer and communication systems and networks. This rule stated the following: By November 23, 2009 every one of the 104 U.S. plants and companies seeking to license new plants must submit a comprehensive cyber security plan including a proposed implementation schedule. These cyber security plans must include measures to: -- Ensure the capability for timely detection and response to cyber attacks -- Mitigate the consequences of such attacks -- Correct exploited vulnerabilities -- Restore the affected systems, networks, and equipment The rule also imposes new requirements pertaining to individuals who have electronic means to interfere with plant safety, security, or emergency preparedness such as enhanced psychological assessments. The actions laid out in this security rule state that to accomplish its objectives, the licensee will: Analyze digital computer and communication systems and networks and identify those assets that must be protected against cyber attacks Establish, implement, and maintain a cyber security program for the protection of these assets Incorporate the cyber security program as a component of the physical protection program to emerging threats that take advantage of gaps between disparate devices to cause disruption and downtime The draft NRC Regulatory Guide 5-71 identifies the NIST standards as an acceptable program to meet the NRC Security Rule. Seven-Step Plan for Plant Control System Cyber Security To address the security needs of nuclear power plant control networks, it is essential to begin with a layered defensein-depth approach that enables administrators to monitor the network at every level. Primary concerns for a control system network manager include: Assuring the integrity of the data Securing remote access Validating and authenticating every device and user on the control system network A systematic approach to security begins with reducing the vulnerable surface of the industrial control system network. The first stage is the creation of control system-specific policies that detail which devices, what protocols, and which applications can run on the network; who and what have access to these devices and from where; and what are the types of operations a user (or a role) is allowed to perform. The next stage is to identify the appropriate locations to implement the policy. This can be through the appropriate configuration of controls on devices already present on the network, and by adding various network elements. Such network elements are required to create a security perimeter, provide additional enforcement points, and segment the network for fault containment. The third stage is to monitor the implementation of the policy to ensure these controls are effective, locate any violations, and then feed back into the policy any corrections based on observed network behavior. Security is a continuous process and requires diligent monitoring, reviewing, and adjusting to be effective. The following sections explain each of these stages and discuss existing technologies that can be used for securing typical control networks. Copyright 2009, Juniper Networks, Inc. 5
6 STEP 1 Indentifying Critical Assets STEP 2 Profiling the network STEP 3 Creating and Managing Policies Across the Network STEP 4 Creating a Strong Defense Perimeter STEP 5 Ensuring Identity Management and Rogue Device Mitigation STEP 6 Setting up Secure Remote Access STEP 7 Monitoring and Reporting Figure 1: Seven-step plan for plant control system cyber security Step 1 Identifying Critical Assets Policy creation begins with identifying assets that need protection and the requisite level of protection. On a control system network these are real-time servers, field devices, and peripherals such as printers and network routers and switches. The primary vector of most concern is the compromise of communication that can alter the operation of field devices. In order to gain a foothold behind a firewall, attackers typically target non-essential appliances that are most vulnerable. Hence, any network-enabled device on the control network must be considered critical for security. Since most servers on the control network run standard operating systems and applications, they must be guarded against common cyber threats. Such threats include intentional as well as unintentional DoS attacks through packet floods, irregular packets, protocol anomalies, buffer overflows, worms, trojans, and spyware. Step 2 Profiling the Network In order to create a comprehensive policy, the network administrator (typically a role performed by a control systems engineer) needs a tool that can collate information from all subnets. Since a majority of devices are vulnerable to disruption from active scans using tools such as Nessus, passive scanning and identification is currently the only viable option to discover and identify all devices detected on the network. This profiler tool needs to log all network activity into tables that provide information about device types, operating systems, protocols, applications, and network peers. The profiler can be used to establish a baseline that can track the servers and control devices on the network, as well as the protocols and services those components use to communicate. By immediately locating new components on the network, an administrator can ensure that those components are protected and can track their status. The profiler should use passive fingerprinting to provide an inventory of operating systems and software applications, their versions, and what components use them. As new versions or security updates are announced, an administrator is able to determine if the network is affected, locate the affected components, and identify remediation as appropriate. Step 3 Creating and Managing Policies Across the Network Once devices, networks, applications, and users have been identified, a network management system is required, which preferably can be used as a centralized management system to create and manage policies across all security devices. Through rule-based policies, an administrator can create policies tailored to the type of devices being protected on a particular subnet or VLAN. Such tailored policies improve efficiency while reducing the number of events an administrator has to address. For example, a Windows-targeted worm attacking a Linux host might not be a critical event. The network management system should also support dynamic groups of attack objects. An administrator can define a dynamic group based on OS or protocol set, such as DCS, and stay up-to-date on protection without having to manually address each vulnerability. 6 Copyright 2009, Juniper Networks, Inc.
7 Step 4 Creating a Strong Defense Perimeter Given the need to access control networks from the corporate network or, in some cases, from the Internet, it is essential to create a strong defense perimeter. A perimeter firewall must create at least three security zones a secure zone for the control system network elements, a demilitarized zone (DMZ), and an insecure zone. Even if all access to the control network is through the corporate network, the perimeter firewall must treat the corporate network as insecure and have a mutually non-trusting policy. The DMZ contains secure access authentication devices, workstations, and servers that are accessible from the insecure network. Any device in the secure zone should be accessible only through one of the DMZ devices. By ensuring that the devices in the DMZ are properly protected and continuously monitored, a control network administrator can significantly reduce the probability of a network-based attack. As previously mentioned, it is key that the perimeter device not only provide security zones and flow-based firewalls, it must also detect protocols and applications it is protecting. An integrated, purpose-built firewall/ipsec VPN security solution is recommended that can be used to secure control system networks. This device should offer robust firewall capabilities for control system-specific protocols (for example, Modbus, DNP3, etc), providing the first line of defense from network attacks. Additionally, it should have upgraded capabilities for full IPS support to secure the control system network from the latest application-level exploits and attacks. Step 5 Ensuring Identity Management and Rogue Device Mitigation The most likely vector for an intrusion in a control system network is unintentional inappropriate use. An employee or contractor might plug in a laptop to perform routine tasks without realizing that it has picked up a worm or spyware. (This has already occurred in nuclear plants). The worm can then start scanning the control system network, and cause outages on devices such as PLCs due to unexpected traffic. This scenario is even more likely with the proliferation of wireless access points. Control over access points through authentication of every user and health-checking of every device is essential to ensure security within the perimeter. A network access control (NAC) solution should combine user identity, device security, state, and location information for session-specific access control by user, enforced throughout the network. This NAC system should be an open-standards-based solution built on field-tested, best-in-class security and networking products. With strong authentication enforced, access to the network and resources within the network can be closely controlled. Control over the resources accessible by particular users can minimize the proliferation of worms and other malware, which might have been inadvertently introduced to the network. One of the primary concerns in augmenting control system networks is to ensure that inline security devices do not impact the network s performance or availability. Therefore, we suggest to use a device that provides a passive intrusion detection service (IDS) with a sniffer mode combined with a NAC policy server that enables the creation of policies to restrict access at the application level. For example, if a contractor sends a Modbus write command to change PLC setpoints, the Juniper Networks IDP Profiler notifies the NAC appliance about the unauthorized activity. The NAC appliance can then signal to any 802.1X-compliant switch or firewall that the contractor s access must be terminated or quarantined. Meanwhile, an event is logged for administrators to follow up. The NAC solution should minimize the need for an administrator to create numerous access control lists (ACLs) across the control system network to provision the appropriate level of access for each user. The IDP Profiler can also provide usage information for every session on the control system network for compliance monitoring and forensics. In addition, Juniper Networks IC Series Unified Access Control Appliances can be deployed locally to the control center with federation of identities enabled from the corporate network to the control network. This allows control system network administrators to have complete control over permitted users and their access privileges regardless of their privilege levels on the corporate network without a dual sign-on. Copyright 2009, Juniper Networks, Inc. 7
8 Centralized Security Manager Secure VPN Remote Access Device Trusted 3 rd Party Secure VPN LAN Access Policy Mgr Finance App Servers CORPORATE ENTERPRISE LAN CORPORATE IT NETWORK Firewall/IDP Firewall/IDP INTERNET Remote IT Management Secure VPN Engineering Workstations Safety Parameter Display System (SPDS) PLANT-WIDE LAN Security Monitoring & Reporting System Real-time Servers Plant Process Computer (PPC) LAN Access Policy Mgr Secure VPN Remote Access Device Figure 2: Nuclear power plant network security architecture Step 6 Setting Up Secure Remote Access Remote access is enabled for several reasons. A plant operator/engineer might remotely monitor equipment status; corporate engineering might need to collect plant data; or a vendor might have to diagnose and fix operational problems. In order to minimize the probability of unintentional misuse or tampering, users should be limited only to functions for which they are authorized. For example, a vendor logging in to update a patch must not be able to run any control system commands. If a contractor s laptop contains spyware, or his antivirus is not up to date, that contractor should not be allowed access to the control system network. A VPN appliance based on SSL, the security protocol found in all standard Web browsers, is what we recommend. The use of SSL VPNs eliminates the need for client-software deployment, changes to internal servers, and costly ongoing maintenance and desktop support. Enhanced remote access methods enable the enterprise to provision access by purpose for virtually any resource. The level of access can also be dynamically adjusted based on the condition of the remote access device, such as the timestamp of the most recent antivirus definition files. Step 7 Monitoring and Reporting Once access policies are defined, firewalls, switches, and intrusion prevention devices can act as enforcement points as well as monitoring stations for flagging any policy violation. The IDP Profiler information, combined with user information from the NAC and SSL/VPN devices, provides insight into who is using the network, what applications they are running, and from where they came. The IDP Profiler provides session context at the granularity of individual control system protocol commands and the values being set. This information can be used to create a baseline of expected communications. The administrator can establish a policy of acceptable communication and have the management system send an alert on any violations of policy. For example, a point-to-point connection initiated to/from the control system network, or an IRC command being sent to a machine designated as a real-time data collection server, could automatically trigger an alert and notify the control system network administrator of these policy violations. The network administrator should also have a monitoring and reporting tool to help keep track of the services running in the DCS network and alert to any new services being deployed or changes in the behavior of the existing services. Changes to the network or behavior of existing services might indicate an attack has gained access to the equipment or that an employee might be using the systems inappropriately, causing risk to the organization. 8 Copyright 2009, Juniper Networks, Inc.
9 The tool should also monitor for other known attack vectors that might go undetected. These might include a system attempting to connect to known hostile hosts or networks, such as those known to run BOTNET command and control channels. The tool should also prioritize and correlate attacks on the DCS network back to the location of origin. This tool should also provide correlation features, where all the devices monitoring the control system network such as IPS, firewalls, and antivirus platforms can be correlated together for a single operational view of the security state of the control system network. The tool should also go beyond the network and also monitor the application logs from the control system, which might indicate certain attack vectors or even system failures. The monitoring and reporting tool, as well as third-party analyzers such as SecureView, can also provide additional features that offer significant value to a complete security solution, including: Historical Data: Providing precise point-in-time data supports forensic investigation when researching past events. Many solutions support detailed correlation between multiple events, allowing network managers and security professionals to establish the root cause of an incident. Comprehensive Reporting: Textual and graphical reports are a vital tool for communicating the status of securityrelated events to a broad range of personnel including network managers, facility managers, as well as third parties such as regulatory officials. Reporting solutions provide a framework for establishing consistent, measurable reporting metrics to key constituents. Compliance Management: With a myriad of ever-changing regulatory requirements from FERC and NRC as well as pending legislation the ability to correlate implemented policies and controls to specific statements in regulations, best practices, and SLAs is critical. Juniper security solutions can integrate with third-party tools to map these policies and controls to specific compliance criteria, and provide evidence for auditing events. Asset-Based Risk Management: Knowing the importance as well as the potential attack vectors of devices and systems on control networks is an important first step in the process of securing these components. By establishing key criteria related to these assets such as value, likelihood of specific threats being realized, and the potential consequence of those threats network managers can establish security controls that are both effective and efficient. Conclusion The security of nuclear power plants control system networks is critical to achieving mission objectives. To effectively protect the security of their plants, control system network administrators and network security specialists must have insight into the multiple types and levels of evolving threats to secure their network perimeter, critical resources, and remote access. Adopting the recent NRC security rule helps organizations establish a prioritized baseline for their information security measures and controls. Taking a systematic, step-by-step approach to network security helps reduce the vulnerabilities of the control system network for nuclear power plants. By first creating system-specific polices, then identifying the appropriate locations to implement the policy, and finally monitoring the implementation of policy, administrators are able to protect against today s highly volatile and damaging cyber security threats. About the Contributing Author Joe Weiss, Managing Partner of Applied Control Solutions (ACS), is an industry expert on control systems and security, with more than 30 years in the energy industry. Before launching ACS, he spent time at the Electric Power Research Institute (EPRI), heading programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program, and initiatives on cyber security for digital control systems. He has provided testimony to five congressional committees, and has served as a regular speaker for numerous industry events and at the NIST/NSA Security Summit. Mr. Weiss holds two patents and has published more than 60 papers on instrumentation, controls, and diagnostics. He has also written a chapter for Electric Power Substations Engineering on Cyber Security of Substation Control and Diagnostic Systems. He also established and chairs the annual Control System Cyber Security Workshop, and established the International Standards Coordination Meeting on Control System Cyber Security. He has received numerous industry awards, including the EPRI President s Award (2002) and is an ISA Fellow and member of the ISA Engineering, Science, and Technology Policy Committee. He is also the Managing Director of ISA Nuclear Plant Standards. Mr. Weiss is a registered professional engineer in California and a Certified Information Security Manager. Copyright 2009, Juniper Networks, Inc. 9
10 About Juniper Networks Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at Corporate and Sales Headquarters APAC Headquarters EMEA Headquarters To purchase Juniper Networks solutions, Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King s Road Taikoo Shing, Hong Kong Phone: Fax: Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: EMEA Sales: Fax: please contact your Juniper Networks representative at or authorized reseller. Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Dec 2009 Printed on recycled paper 10 Copyright 2009, Juniper Networks, Inc.
APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,
SOLUTION BROCHURE Juniper Networks Solution Portfolio for Public Sector Network Security Protect against Network Downtime, Control Access to Critical Resources, and Provide Information Assurance Juniper
WHITE PAPER Mobile Device Security in the Enterprise Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite Copyright 2010, Juniper Networks, Inc. Table of Contents
WHITE PAPER ARCHITECTURE FOR SECURE SCADA AND DISTRIBUTED CONTROL SYSTEM NETWORKS Comprehensive Network-Based Security for Control Systems Copyright 2010, Juniper Networks, Inc. Table of Contents Executive
IDP Series Intrusion Detection and Prevention Appliances PRODUCT CATEGORY BROCHURE Staying One Step Ahead With the accelerating number of applications allowed in from the Internet and the higher frequency
Solution Brochure Juniper Networks Solution Portfolio for Public Sector Network Security Protect against Network Downtime, Control Access to Critical Resources, and Provide Information Assurance STRM NS-Security
PRODUCT CATEGORY BROCHURE Juniper Networks SA Series SSL VPN Appliances Juniper Networks SA Series SSL VPN Appliances Lead the Market with Secure Remote Access Solutions That Meet the Needs of Organizations
Reasons Enterprises Prefer Juniper Wireless Juniper s WLAN solution meets the mobility needs of today s enterprises by delivering the highest levels of reliability, scalability, management, and security.
IMPLEMENTATION GUIDE Remote Access Protection Best Practices for Implementing Remote Access Protection Using Juniper Networks SA Series SSL VPN Appliances, IDP Series Intrusion Detection and Prevention
IF-MAP FEDERATION WITH JUNIPER NETWORKS UNIFIED ACCESS CONTROL An illustrated Guide to Configuring a Simple IF-MAP Federated Network Juniper Networks, Inc. 1 Table of Contents Introduction...3 Scope...3
White Paper Five Best Practices to Protect Your Virtual Environment Realizing the Benefits of Virtualization Without Sacrificing Security Copyright 2012, Juniper Networks, Inc. 1 Table of Contents Executive
SOLUTION BRIEF SECURE ACCESS TO THE VIRTUAL DATA CENTER Ensure that Remote Users Can Securely Access the Virtual Data Center s Virtual Desktops and Other Resources Challenge VDI is driving a unique need
WHITE PAPER SECURING TODAY S MOBILE WORKFORCE Connect, Secure, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite Copyright 2011, Juniper Networks, Inc. Table
PRODUCT CATEGORY BROCHURE SA Series SSL VPN Appliances Juniper Networks SA Series SSL VPN Appliances Lead the Market with Secure Remote Access Solutions That Meet the Needs of Organizations of Every Size
Five Steps to Firewall Planning and Design 1 Table of Contents Executive Summary... 3 Introduction... 3 Firewall Planning and Design Processes... 3 Step 1. Identify Security Requirements for Your Organization...
Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
WHITE PAPER Control System Cyber Vulnerabilities and Potential Mitigation of Risk for Utilities Copyright 2010, Juniper Networks, Inc. Table of Contents Table of Figures Executive Summary..................................................................................
INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer
SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation
March 2015 - Page 1 Best Practices for This whitepaper describes best practices that will help you maintain a cyber-secure DanPac Express system. www.daniel.com March 2015 - Page 2 Table of Content 1 Introduction
SoLuTIoN guide CLoud CoMPuTINg ANd ThE CLoud-rEAdy data CENTEr NETWork Contents BENEfITS of ThE CLoud-rEAdy data CENTEr NETWork............................3 getting ready......................................................................3
1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: email@example.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet
DATASHEET vgw Gateway Product Overview The vgw Gateway provides a best-in-class virtual firewall to meet the unique security challenges of virtual data centers and clouds. IT teams can now secure their
WHITE PAPER Meeting PCI Data Security Standards with Juniper Networks STRM Series Security Threat Response Managers When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright
Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
SOLUTION BRIEF END-TO-END SECURITY WITH SA SERIES SSL VPN APPLIANCES Ensure Remote Users and Devices Meet Security Requirements Before Granting Access to Network Resources Challenge As the global workforce
Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,
White Paper Securing Multi-Tenancy and Cloud Computing Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation Copyright 2012, Juniper Networks,
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
White Paper Securing Today s Mobile Workforce Connect, Protect, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite Copyright 2012, Juniper Networks, Inc. 1 Table
SOLUTION BROCHURE Wireless LAN Management Solution Overview Lifecycle Wireless Infrastructure, Security and Services Management Wireless LAN Management Solution Overview A successful wireless LAN (WLAN)
DATASHEET JUNOS SPACE VIRTUAL CONTROL Product Overview The proliferation of virtual switches in the data center has presented data center operators with a significant challenge namely, how to manage these
A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,
White Paper SRX Series as Gi/ Firewall for Mobile Network Infrastructure Protection Copyright 2012, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3 Overview of LTE (4G)
Towards End-to-End Security Thomas M. Chen Dept. of Electrical Engineering Southern Methodist University PO Box 750338 Dallas, TX 75275-0338 USA Tel: 214-768-8541 Fax: 214-768-3573 Email: firstname.lastname@example.org
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
APPLICATION NOTE Juniper NETWORKS SSL VPN and Windows Mobile Secure, Mobile Access to Corporate Email, Applications, and Intranet Resources Table of Contents Introduction.........................................................................................
Securing Visitor Access through Contents Introduction 3 The ForeScout Solution for Securing Visitor Access 4 Implementing Security Policies for Visitor Access 4 Providing Secure Visitor Access How it works.
White Paper Virus Protection Across The Enterprise How Firewall, VPN and /Content Security Work Together Juan Pablo Pereira Sr. Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda Avenue
Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
Endpoint Security More secure. Less complex. Less costs... More control. Symantec Endpoint Security Today s complex threat landscape constantly shifts and changes to accomplish its ultimate goal to reap
Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution
A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your
WHITE PAPER SECURITY CONSIDERATIONS FOR CLOUD-READY DATA CENTERS Copyright 2009, Juniper Networks, Inc. 1 Table of Contents Executive Summary..............................................................................................3
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
Course Title: Penetration Testing: Security Analysis Page 1 of 9 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics in advanced
Complete and high performance protection where you need it Overview delivers high-performance protection against physical and virtual server downtime with policy based prevention, using multiple protection
Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources
DATASHEET NETWORK AND SECURITY MANAGER Product Overview Juniper Networks Network and Security Manager (NSM) is a unified device management solution for Juniper s network infrastructure of routing, switching
WHITE PAPER Tackling the Top Five Network Access Control Challenges Juniper Networks Unified Access Control and EX Series Ethernet Switches Copyright 2010, Juniper Networks, Inc. Table of Contents Table
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
WHITE PAPER Midrange MX Series 3D Universal Edge Routers Evaluation Report Demonstrating the high performance and feature richness of the compact MX Series Copyright 2011, Juniper Networks, Inc. 1 Table
: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
Best Practices for Outdoor Wireless Security This paper describes security best practices for deploying an outdoor wireless LAN. This is standard body copy, style used is Body. Customers are encouraged
APPLICATION NOTE Deploying IP Telephony with JUNIPER NETWORKS ETHERNET Switches Optimizing Applications with Juniper Networks EX3200 and EX4200 Line of Ethernet Switches Copyright 2009, Juniper Networks,
Securing the Connected Enterprise Doug Bellin, Cisco Amadou Diaw, Rockwell Automation 2 The Internet of Things (IoT) Continuing Trend in Industrial Applications More Things are gaining the ability to communicate
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
Clean VPN Approach to Secure Remote Access for the SMB A clean VPN approach delivers layered defense-in-depth protection for the core elements of business communications. CONTENTS Extending Business Beyond
WHITE PAPER INTELLIGENT SECURITY: THE STRATEGIC APPROACH TO HIGH-PERFORMANCE NETWORKS FOR HIGHER EDUCATION Copyright 2010, Juniper Networks, Inc. 1 Table of Contents New Challenges Evolving...................................................................................................
Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com WHITE PAPER Malicious Code and Mobile Devices: Best Practices for Securing Mobile Environments Sponsored
White Paper Firewall Migration Migrating to Juniper Networks Firewall/VPN Solutions Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net