Gateway Security at Stateful Inspection/Application Proxy

Size: px
Start display at page:

Download "Gateway Security at Stateful Inspection/Application Proxy"

Transcription

1 Gateway Security at Stateful Inspection/Application Proxy Michael Lai Sales Engineer - Secure Computing Corporation MBA, MSc, BEng(Hons), CISSP, CISA, BS7799 Lead Auditor (BSI)

2 Agenda Who is Secure Computing Corporation Stateful Inspection vs Application Proxy IPS on Application Proxy Firewall Web Page Displacement P2P/IM Control Cross Site Script Q&A

3 Who is Secure Computing Corporation

4 Secure Computing Highlights Who We Are Public company (NASDAQ: SCUR); HQ is San Jose (USA), Worldwide presence; 900+ employees Largest independent enterprise gateway security company Annual billings run rate ~$300M, profitable, strong cash generation Singular focus on enterprise gateway to enable safe, secure and productive use of open networks, including the Internet What We Do Technology Perimeter protection most secure firewalls, Identity & Access Comprehensive messaging & web gateway security Inbound & Outbound protection: Block the bad and guard the good 145 Patents pending/granted Unmatched protection with TrustedSource using global intelligence Purpose-built gateway security appliances Recognized leadership positions by Gartner and IDC Customers 20,000+ Blue-chip customers in 106 countries. 60% of Fortune 500; 56% of DJ Global 50; 8 out of 10 top world banks

5 Enterprise Gateway Security Integrated, Best-of-Breed Appliances Secure your Network Edge Firewall Sidewinder AV IPS Connex Control Secure your Messaging Anti- Communication Virus Anti- IronMail Compliance Spam Intrusions Encryption Data & Users Internet Ensure proper Identity & Access SafeWord Authentication Connex Control Authorization Secure your Web Encryption Communication Anti- Webwasher Compliance Virus Anti- Malware URL Filtering Network Gateway Application Gateway

6 Stateful Inspection vs App Proxy

7 Two Kinds of Firewall - Network layer and packet filters (L4) : - Control based on IP and port - Stateful and stateless - Application-layer (L7): - Intercept all packets traveling to/from an application - Inspecting all packets for improper content

8 Proxy Technology Vs. Packet Filtering Only Trusted Proxies Talk to Your Servers! PROXIES > External clients NEVER DIRECTLY CONNECT with the internal application servers TWO SEPARATE CONNECTIONS are maintained per client-server session ONLY TRUSTED PROXY is allowed to talk directly to the internal application servers Securely processing packets Versus. Just passing packets Stateful Inspection Compromises Security STATEFUL INSPECTION > Stateful Inspection (SI) allows external clients a DIRECT PACKET FLOW WITH SERVERS SI is more like a router than a true firewall COMPROMISING SECURITY to gain performance Helping unknown sources get direct connections with internal servers is a POOR SECURITY DESIGN

9 Application Proxy Technology Client ONLY Sidewinder s trusted proxy is allowed to talk directly to internal application servers Two separate connections are maintained per client-server session Proxy securely processes client requests to the server Proxy automatically strips out attacks trying to introduce malicious commands that violate RFCs Proxy may be further configured to tightly enforce a limited-use policy for the application Client-server communications are configured to only allow needed operations and denies all else! Untrusted TCP/IP Stack HTTP Proxy Layer 7 defenses Full packet assembly RFC compliance Configured to allowed use All else denied Scanning Engines Trusted TCP/IP Stack Server Web Server App Server Oracle SQL Citrix VoIP Etc.

10 Proxy-Based Application Defenses The power of the Positive Model of security POSITIVE MODEL OF SECURITY Deny all methods of communicating with the application unless the methods are explicitly allowed. Proxy configuration selections define the only allowed communications with the protected applications! RFC compliance is automatically enforced. Not just simple signature-based checks that is the negative model of security (allow all traffic while looking for the bad known in the traffic) Positive Model proxies have deep understanding of the applications they protect Proxy GUI treatment allows very granular control over how clients communicate with protected applications Protecting applications this way stops zero-hour unknown attacks

11 Attack Containment & Control Analogy Type Enforcement Master Control SecureOS FTP NTP Sendmail Web SQL Open SSL SNMP Telnet DNS Server VPN Master Control (Type Enforcement in the OS kernel) Nothing happens on any file, directory or executable without real-time permission being granted (Non by-passable) Compartmentalization of functions Software applications running in secure compartments Eliminates attack creep from one application to another Containment of attacks If one software piece fails or is attacked, others keep running unaffected Authorization to board No foreign software can launch on the system because it would lack Type Enforcement (trojans, viruses, attack scripts, etc.)

12 IPS on Application Firewall

13 IPS at Stateful Inspection Firewall Usually, great performance drop if the IPS is turned on. For example, from 2Gbps to 300Mbps It is because the firewall cannot apply protocol enforcement The firewall has no ability to recognize the protocol or ability to scan traffic selectively Hence, all traffic will be scanned with the whole IPS database

14 Customized IPS for Different Attack Sidewinder allows customized signature for each connection Performance enhanced Different response can be set for different attack Default rule sets are built-in for popular protocol

15 Select how you want SIP.SOFTSTONE.REXPLOIT"; content: the firewall to respond " if the signature is hit Look for relevant signature groups for the service VoIP/SIP and add to the rule

16 Signature groups are provided so the firewall is at maximum efficiency in employing signatures only for services and connections you wish to inspect with signatures.

17 Web Page Displacement

18 Secure The Passing Traffic Web Sites Internet The firewall should have ability to handle the traffic passing through it - Mac address (L2) - IP address (L3) and Port (L4) - VPN (L2 L4) - IPS (L3 L7) - Anti-Virus and Anti-Spam (L7) - Protocol anomaly detection and content control (L7) - Proxy function

19 Attack Demo - Identify the Victim The demo will show a hacker change the price of a web site selling book and CD so that he can buy at a very low price

20 Attack Demo Launch an Attack The hacker runs a script to replace the file on the web site

21 Where can the Attacking Traffic be Stopped - By connection (L2 to L4) - Yes if you know where is source IP of the hacker - By connection behavior (L3 to L5) - No because it is not DOS or network probe and the connection is same as from a normal user - By IPS (L3 L7) - Yes provided that the IPS signature includes the particular code such as cgi-bin/foo.bat? dir+c:+>..\htdocs\dir.txt or cgibin/foo.bat? echo+hacked+owned+by+dr0zz+>>+..\htdocs\index2.html - By AV (L7) - No because the file passing through the firewall has text and image only. - By Protocol (L7) - Yes, because most web site attack violate the HTTP protocol RFC standard. See below demo.

22 A Common Solution in HK Secure your Network Edge 1st Tier FW IPS 2nd Tier FW Internet Data & Users 1st Tier FW IPS 2nd Tier FW Central Management - L3/L4 FW cannot scan content - IPS is the only chance to block the attack - Fail to have multiple layer protection

23 Solution From Secure Computing 1st Tier FW IPS 2nd Tier FW Internet Data & Users 1st Tier FW IPS 2nd Tier FW - TrustedSource stops connection from suspicious IP - Two different IPS (Snort + SCC) - Content filtering by protocol control

24 Blocked by Protocol Anomaly Detection This is a sample of injection attack. The injected command violate the HTTP Protocol and it can be stopped by application layer firewall

25 Sample HTTP Attack Stopped by Sidewinder

26 P2P/IM Control

27 Block by Protocol Enforcement - P2P/IM connection uses non-common port will be blocked by default - Only P2P/IM uses port 80/443 can make connection - In Application Awareness firewall, port 80 and 443 can be bound with HTTP and HTTPS respectively. No tunneling - Only P2P/IM uses port 80/443 with standard HTTP/HTTPS can pass through - E.g. Skype will be blocked because it uses non-standard SSL

28 Block by Content Control - Application firewall allows you to control the content within the protocol - Only P2P/IM cannot have identified type within the protocol can pass through. - E.g MSN can be blocked by denying x-msn-message MIME type.

29 Block by URL Filtering - As the P2P/IM uses standard HTTP/HTTPS, a valid URL should be found - All P2P/IM can be blocked provided that the URL control database includes the URL/IP - E.g. FOXY file sharing can be blocked

30 Cross Site Script

31 The Leader in Proactive Protection Largest Reputation Network Feeds from thousands of load balancers, FWs, Msg & Web gateways Highest quality data Over 100 Billion Messages/month Millions of URLs Most Reliable Reputation Score 25 research scientists Sophisticated behavior analysis 450,000+ zombies detected each day Best image spam detection Portland Atlanta Brazil -180 Data Store Bad London Hong Kong Reputation Query Internet Traffic Reputation Score Calculated Suspicious Internal Network +180 Good Be Proactive in Protecting From Next Generation Threats Work with the clear leader in this business!

32 - In the future, all incoming connection will have the TrustedSource screened. - Only trusted IP can make connection to Sidewinder or Snapgear. - The risk of making connection from a hacker or a zombie will be reduced significantly. In the Future

33 A Sample Hacked Site Searched on 30 Apr 2008

34 The Sample Cross-Site Script

35 Client Protected by TrustedSource It may be the hacked site and the final script hosting site AV/IPS can stop the known attack Content control can deny script

36 Server Protected by Sidewinder Trusted Source protected the server from dangerous client such as zombie App proxy can apply URL control to stop injection attack and deny SOAP AV and IPS can kick out known attack

37 Q&A

Secure Computing s TrustedSource

Secure Computing s TrustedSource The industry s most acclaimed reputation system Proactive security based on global intelligence. Secure Computing s TrustedSource One of the most important characteristics of enterprise security is proactive

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott Symantec Enterprise Firewalls From the Internet Thomas Symantec Firewalls Symantec offers a whole line of firewalls The Symantec Enterprise Firewall, which emerged from the older RAPTOR product We are

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category

More information

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Importance of Web Application Firewall Technology for Protecting Web-based Resources Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Stateful Inspection Technology

Stateful Inspection Technology Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

New possibilities in latest OfficeScan and OfficeScan plug-in architecture

New possibilities in latest OfficeScan and OfficeScan plug-in architecture New possibilities in latest OfficeScan and OfficeScan plug-in architecture Märt Erik AS Stallion Agenda New in OfficeScan 10.5 OfficeScan plug-ins» More Active Directory support» New automated client grouping

More information

Zscaler Internet Security Frequently Asked Questions

Zscaler Internet Security Frequently Asked Questions Zscaler Internet Security Frequently Asked Questions 1 Technical FAQ PRODUCT LICENSING & PRICING How is Zscaler Internet Security Zscaler Internet Security is licensed on number of Cradlepoint devices

More information

Who Moved My Firewall. Clinton Thomson Derivco (PTY) Ltd

Who Moved My Firewall. Clinton Thomson Derivco (PTY) Ltd Who Moved My Firewall Clinton Thomson Derivco (PTY) Ltd 1 Agenda Introduction to Derivco (Pty) Ltd Efficacy of Firewalls Firewall Roles Threat Landscape De-perimeterisation Q & A 2 Derivco as a company

More information

Application Firewalls

Application Firewalls Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed

More information

Pełne bezpieczeństwo sieci i uŝytkowników końcowych.

Pełne bezpieczeństwo sieci i uŝytkowników końcowych. Pełne bezpieczeństwo sieci i uŝytkowników końcowych. Rozwiązania Check Point klasy UTM i endpoint security Piotr Stępniak Channel Manager The customer environment Impossible to manage Complicated Complex

More information

E-Guide. Sponsored By:

E-Guide. Sponsored By: E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000 Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business

More information

Lesson 5: Network perimeter security

Lesson 5: Network perimeter security Lesson 5: Network perimeter security Alejandro Ramos Fraile aramosf@sia.es Tiger Team Manager (SIA company) Security Consulting (CISSP, CISA) Perimeter Security The architecture and elements that provide

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Firewall and UTM Solutions Guide

Firewall and UTM Solutions Guide Firewall and UTM Solutions Guide Telephone: 0845 230 2940 e-mail: info@lsasystems.com Web: www.lsasystems.com Why do I need a Firewall? You re not the Government, Microsoft or the BBC, so why would hackers

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Application Security WHY NETWORK FIREWALLS AND INTRUSION PREVENTION SYSTEMS AREN T ENOUGH

Application Security WHY NETWORK FIREWALLS AND INTRUSION PREVENTION SYSTEMS AREN T ENOUGH W H I T E P A P E R Application Security WHY NETWORK FIREWALLS AND INTRUSION PREVENTION SYSTEMS AREN T ENOUGH Table of Contents 2 Network Firewalls: Notable Facts Why that s good Why that s not good enough

More information

Web Application Security

Web Application Security Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?

More information

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE Game changing Technology für Ihre Kunden Thomas Bürgis System Engineering Manager CEE Threats have evolved traditional firewalls & IPS have not Protection centered around ports & protocols Expensive to

More information

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,

More information

McAfee Firewall Enterprise: The only Firewall with the Intelligence to Continuously, Automatically Reduce the Risk and Threat Exposure of Your Network

McAfee Firewall Enterprise: The only Firewall with the Intelligence to Continuously, Automatically Reduce the Risk and Threat Exposure of Your Network : The only Firewall with the Intelligence to Continuously, Automatically Reduce the Risk and Threat Exposure of Your Network Reputation filtering with TrustedSource and Geo-Location cost-effectively minimizes

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

Fortigate Features & Demo

Fortigate Features & Demo & Demo Prepared and Presented by: Georges Nassif Technical Manager Triple C Firewall Antivirus IPS Web Filtering AntiSpam Application Control DLP Client Reputation (cont d) Traffic Shaping IPSEC VPN SSL

More information

NGFWs will be most effective when working in conjunction with other layers of security controls.

NGFWs will be most effective when working in conjunction with other layers of security controls. Research Publication Date: 12 October 2009 ID Number: G00171540 Defining the Next-Generation Firewall John Pescatore, Greg Young Firewalls need to evolve to be more proactive in blocking new threats, such

More information

Boston Area Windows Server User Group April 2010

Boston Area Windows Server User Group April 2010 Boston Area Windows Server User Group April 2010 Hey Jack, don t you have a new job? Yes, unbelievably, my job is better than ever. After working in our outstanding Support Engineering team for the past

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services Product Highlights Intrusion Prevention System Dectects and prevents known and unknown attacks/ exploits/vulnerabilities, preventing outbreaks and keeping your network safe. Gateway Anti Virus Protection

More information

Anti-SPAM Solutions as a Component of Digital Communications Management

Anti-SPAM Solutions as a Component of Digital Communications Management Anti-SPAM Solutions as a Component of Digital Communications Management Ron Shuck CISSP, GCIA, CCSE Agenda What is Spam & what can you do? What is the cost of Spam E-mail E to organizations? How do we

More information

Next Generation Firewall

Next Generation Firewall Next Generation Firewall Product Overview SANGFOR Next-Generation Firewall is designed with Application Control, Intrusion Prevention and Web Security in mind, providing deep and fine-grained visibility

More information

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Load Balancing Security Gateways WHITE PAPER

Load Balancing Security Gateways WHITE PAPER Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Secure Cloud-Ready Data Centers Juniper Networks

Secure Cloud-Ready Data Centers Juniper Networks Secure Cloud-Ready Data Centers Juniper Networks JUNIPER SECURITY LEADERSHIP A $1B BUSINESS Market Leadership Data Center with High- End Firewall #1 at 42% Secure Mobility with SSL VPN #1 at 25% Security

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

Astaro Gateway Software Applications

Astaro Gateway Software Applications Astaro Overview Astaro Products - Astaro Security Gateway - Astaro Web Gateway - Astaro Mail Gateway - Astaro Command Center - Astaro Report Manager Astaro Gateway Software Applications - Network Security

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering

More information

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 Part 1.5 Learning Objectives Terminology Discussion of IPS/IDS & firewall

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Securing Business-Critical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks www.foundrynet.

Securing Business-Critical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks www.foundrynet. Securing BusinessCritical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks www.foundrynet.com Agenda Security Market and Solutions Overview New NetworkBased Security

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure

More information

Cisco IronPort C370 for Medium-Sized Enterprises and Satellite Offices

Cisco IronPort C370 for Medium-Sized Enterprises and Satellite Offices Data Sheet Cisco IronPort C370 for Medium-Sized Enterprises and Satellite Offices Medium-sized enterprises face the same daunting challenges as the Fortune 500 and Global 2000 - higher mail volumes and

More information

Huawei Eudemon200E-N Next-Generation Firewall

Huawei Eudemon200E-N Next-Generation Firewall Huawei 200E-N Next-Generation Firewall With the popularity of mobile working using smartphones and tablets, mobile apps, Web2.0, and social networking become integral parts of works. This change in IT

More information

Security Administration R77

Security Administration R77 Security Administration R77 Validate your skills on the GAiA operating system Check Point Security Administration R77 provides an understanding of the basic concepts and skills necessary to configure Check

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Stateful Inspection Technology

Stateful Inspection Technology White Paper Stateful Inspection Technology The industry standard for enterprise-class network security solutions Check Point protects every part of your network perimeter, internal, Web to keep your information

More information

IronPort X1000 Email Security System

IronPort X1000 Email Security System I r o n P o r t A p p l i a n c e s T H E U LT I M AT E E M A I L S E C U R I T Y S Y S T E M F O R T H E W O R L D S M O S T D E M A N D I N G N E T W O R K S. IronPort X1000 Email Security System O v

More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls

More information

IT Sicherheit im Web 2.0 Zeitalter

IT Sicherheit im Web 2.0 Zeitalter IT Sicherheit im Web 2.0 Zeitalter Dirk Beste Consulting System Engineer 1 IT Sicherheit im Web 2.0 Zeitalter Cisco SIO und Global Threat Correlation Nach dem Webinar sollte der Zuhörer in der Lage sein:

More information

Cyberoam Next-Generation Security. 11 de Setembro de 2015

Cyberoam Next-Generation Security. 11 de Setembro de 2015 Cyberoam Next-Generation Security 11 de Setembro de 2015 Network Security Appliances UTM, NGFW (Hardware & Virtual) 2 Who is Cyberoam? Leading UTM company, headquartered in Ahmedabad, India founded in

More information

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway TESTING & INTEGRATION GROUP SOLUTION GUIDE Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway INTRODUCTION...2 RADWARE SECUREFLOW... 3

More information

ISA Server Plugins Setup Guide

ISA Server Plugins Setup Guide ISA Server Plugins Setup Guide Secure Web (Webwasher) Version 1.3 Copyright 2008 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

Evolutionism of Intrusion Detection

Evolutionism of Intrusion Detection Evolutionism of Intrusion Detection Jackie Lai The network technology changes with each passing day; and the attack technique of hacker also weeds through the old to bring forth the new. Worms such as

More information

Using Palo Alto Networks to Protect the Datacenter

Using Palo Alto Networks to Protect the Datacenter Using Palo Alto Networks to Protect the Datacenter July 2009 Palo Alto Networks 232 East Java Dr. Sunnyvale, CA 94089 Sales 866.207.0077 www.paloaltonetworks.com Table of Contents Introduction... 3 Granular

More information

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Protecting the Infrastructure: Symantec Web Gateway

Protecting the Infrastructure: Symantec Web Gateway Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering (WCF) for superior

More information

Basic computer security

Basic computer security Mag. iur. Dr. techn. Michael Sonntag Basic computer security E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information Processing and Microprocessor Technology

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

McAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version 8.1.0 and earlier

McAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version 8.1.0 and earlier Application Note TrustedSource in McAfee Firewall Enterprise McAfee version 8.1.0 and earlier Firewall Enterprise This document uses a question and answer format to explain the TrustedSource reputation

More information

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business IREBOX X IREBOX X Firebox X Family of Security Products Comprehensive Unified Threat Management Solutions That Scale With Your Business Family of Security Products Comprehensive unified threat management

More information

SafeNet Content Security. esafe SmartSuite - Security that Thinks. Real-time, Smart and Simple Web and Mail Security Solutions.

SafeNet Content Security. esafe SmartSuite - Security that Thinks. Real-time, Smart and Simple Web and Mail Security Solutions. SafeNet Content Security esafe SmartSuite - Security that Thinks Real-time, Smart and Simple Web and Mail Security Solutions Product Overview Malware CONTENT SECURITY Antivirus Malware A secure Web gateway

More information

Inspection of Encrypted HTTPS Traffic

Inspection of Encrypted HTTPS Traffic Technical Note Inspection of Encrypted HTTPS Traffic StoneGate version 5.0 SSL/TLS Inspection T e c h n i c a l N o t e I n s p e c t i o n o f E n c r y p t e d H T T P S T r a f f i c 1 Table of Contents

More information

Network protection and UTM Buyers Guide

Network protection and UTM Buyers Guide Network protection and UTM Buyers Guide Using a UTM solution for your network protection used to be a compromise while you gained in resource savings and ease of use, there was a payoff in terms of protection

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) : Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters)

More information

Application Security Best Practices. Wally LEE Principal Consultant

Application Security Best Practices. Wally LEE <wally.lee@scs.com.sg> Principal Consultant Application Security Best Practices Wally LEE Principal Consultant 17/18 March 2009 Speaker Profile Wally LEE CISSP BS7799 Lead Auditor Certified Ultimate Hacking Instructor Certified

More information

Websense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security

Websense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security Web Security Gateway Web Security Web Filter Hosted Web Security Web Security Solutions The Approach In the past, most Web content was static and predictable. But today s reality is that Web content even

More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats

Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats 1 of 2 November, 2004 Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats Choose Your Weapon: Fighting the Battle

More information

Your Security Partner of Choice

Your Security Partner of Choice Your Security Partner of Choice 6/16/14 2 About WatchGuard 100% CHANNEL 5,000 partners in 120 countries Ø Firewall appliance pioneer Ø Nearing 1,000,000 appliances shipped to business customers worldwide

More information

Today's security needs in networking

Today's security needs in networking Today's security needs in networking Besoins actuels de la sécurité réseau European partner summit Thursday, October 13, 2005 Hervé Schauer Hervé Schauer Agenda Firewalls Liability

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information