Securing an IP SAN. Application Brief

Size: px
Start display at page:

Download "Securing an IP SAN. Application Brief"

Transcription

1 Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time. This publication is copyright by StoneFly, Inc. and is intended for use only by recipients authorized by StoneFly, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of StoneFly, Inc., is in violation of U.S. copyright law.

2 Introduction Storage Area Networks (SANs) provide a high-speed network for storing and retrieving data. With storage networking, a dedicated high-speed network allows files and data to transfer between storage devices and client machines directly, bypassing the traditional server bottlenecks and network control. In this way, increased flexibility and performance are achieved by separating control from data. SANs deliver the capability for any server to access any storage device. Though this is extremely powerful and cost effective, it is obvious that security measures must be in place to prevent illegal access to data and to prevent accidental corruption or loss of data. Networked storage can introduce security vulnerabilities. To counter these weaknesses, it is important to adopt storage-specific security policies and practices. Network infrastructures and storage networks must be evaluated from end to end and secured at every point of vulnerability. Security and Compliance To add to the security complexity issue, compliance with regulatory requirements has proven difficult for many organizations. Regulations dramatically impact data security, retention and storage requirements. These regulations include, but are not limited to: HIPPA for insurance, healthcare and medical providers SEC 17a-3 and 17a-4 for brokers and dealers in the financial services industry The Sarbanes-Oxley Act for public companies and institutions to regulate corporate and public accounting practices to ensure that financial statements are accurate Significant penalties and fines can result from regulatory violations, such as the unauthorized viewing of private medical records (HIPAA). IT departments now must report to upper management the risk that their networks face as well as give assurances that their storage and security practices comply with appropriate laws. IP SAN Security While the iscsi protocol itself provides quality of service and security features, the advanced services offered by TCP/IP internetworking can be immediately applied to iscsi traffic. For security, IP offers easily deployed mechanisms such as Access Control Lists (ACLs) and Virtual Private Networks (VPNs) and is compatible with more sophisticated capabilities such as IP Security (IPSec) and advanced data encryption algorithms or public key infrastructure (PKI). Because iscsi must accommodate inflows, such as , from untrusted IP environments, the iscsi specification allows for implementing multiple security methods. Given the vulnerability of corporate networks and the current regulatory climate, the good news is that you can reduce the risk to your storage network, protect your company's data assets, and better align security practices with the requirements of your environment. Considering Security Options There are two important considerations when evaluating IP storage security. First, the nature of Ethernet-based IP storage networks mean they are exposed to the same security vulnerabilities as those by traditional IP networks with connection to Internet traffic. As such, the same technologies and solutions may be used. The second consideration is performance degradation due to security measures. While performance for encrypted data may be acceptable for traditional LAN data traffic over IP networks, the level of degradation may be unacceptable for storage networks due to their high data rates and short time-out conditions. For example, data encryption of storage StoneFly, Inc. Page 2 of 7

3 traffic, performed by IPSec protocols, may induce significant delays for traffic between two high-speed SANs. Using IPSec, therefore, may require specialized hardware for the encryption/decryption process just to ensure acceptable performance. A sound security policy is an important tool for creating a secure LAN/SAN and may employ several different security mechanisms. Below is an overview of several security methods. Separate the LAN from the SAN At the very least, keep IP SAN storage on a physically separate network. Duplicate the key advantage of the Fibre Channel network: its physical separation from the IP network. Keep management of the IP SAN on a different subnet. StoneFly recommends both of these actions with its IP SAN. Firewalls Just as you place a firewall between your corporate LAN and the outside world, you can place a packet-filtering firewall between the IP SAN and the hosts. By restricting access to the IP SAN storage devices you can make it more difficult for an internal attacker to access the devices. Configure the filtering rules to only allow traffic to and from specific IP SAN ports and addresses. Use firewalls that support Network Address Translation to hide the real addresses and port numbers of the IP SAN devices from the outside world. One issue with firewalls is that they do not currently support the iscsi protocol so they can only be used for protection in the LAN. It will be highly desirable to have a firewall system built with the iscsi protocol because firewalls filter out multiple connections, which iscsi relies on for performance. Firewalls that support iscsi may become more common in the future. Virtual Private Networks (VPNs) For iscsi SANs behind a gateway, a VPN (virtual private network) could securely connect initiators and targets and differentiate between traffic that requires security and traffic that doesn't. The difference comes down to the risk of security threats and whether the network topology stresses security at the network edge or at each individual node. Security at the edge raises infrastructure costs but allows multiple nodes to share security resources. Security at each node means data is secure, but every device that handles secure data must have its own security-processing resources, potentially at a greater overall cost. Devices in which you can optionally implement security will cover the needs of the security market without raising costs for users that don't need or won't pay for security. This may mean building a virtual private network that makes a tunnel around the information and lets it be seen only by authorized users. Alternatively, some of the highspeed VPN appliances in the market may be deployed. VPNs are often combined with other cryptographic authentication methods. For example, IPSec support may be integrated in the initiator and the target, or be provided by a standalone device such as a VPN appliance. One solution for Organizations that want to prevent unauthorized internal LAN access to block level data is to install VPNs to prevent LAN access to the SAN. Some VPNs support additional security measures such as IPSec or another type of encryption. StoneFly, Inc. Page 3 of 7

4 For more IP SAN protection, especially to prevent insiders from gaining unauthorized access, VPNs can be located in the Storage Network as well. RADIUS The RADIUS protocol is a widely used protocol for performing network authentication, authorization, and accounting (AAA) functions. It is used to control remote and local user access - via dial-in, VPN, firewall, wireless, LAN, or any combination. RADIUS is primarily implemented by using a dedicated RADIUS server. RADIUS servers are designed to provide the foundation for network identity services in a secure and easy-to-manage implementation. Access Control The measures discussed so far, provide security within the physical storage network and storage subsystems. Another critical security aspect is the access to the logical volumes and its administration on the servers. This allows a hacker using a spoofed address to gain access to the IP storage device, without the additional challenge of obtaining root (or similar) access. At that point the intruder could read and write data with the same privileges as the spoofed host. With IP SANs this type of attack can be launched from anywhere inside or outside of the corporate network. Software that controls access to data volumes is an effective tool that manages potential data corrupting issues. Each user, application, or group can be assigned different access privileges for every storage volume. This is usually accomplished through the volume manager as part of the OS and file system environment on the server. A storage management solution should provide direction on storage provisioning to maintain these storage access rights of the volume manager on the host. Access Control for iscsi is volume or host-based rather than user-based. StoneFly supports Access Control Lists (ACLs) for both hosts and volumes. Access Control is strengthened by using CHAP. CHAP The iscsi protocol specifies a variety of security capabilities, including the use of Challenge Handshake Authentication Protocol (CHAP) during initial iscsi login to restrict access to targets. CHAP allows you to set a Password or Secret as a gatekeeper for communication between a host initiator and a volume. Combined, access control lists and CHAP provide a high degree of security to ensure that only specified hosts have access to Storage Concentrator volumes. StoneFly, Inc. Page 4 of 7

5 CHAP is supported at the Volume Level and at the Host level in the StoneFly Storage Concentrator. Depending on the host initiator, you may want to specify host CHAP, volume CHAP, both host and volume with the same or different secrets, or use neither. Encryption Once you have access controls in place, encryption is the next logical step in securing data stored in an IP SAN. Encryption provides restriction if access controls are circumvented. In other words, encryption should stop someone who has already broken through the first line of defense. Encryption forms the next barrier of entry for data at rest. Encryption is the conversion of data into a form that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood. The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a "code," was employed to keep the enemy from obtaining the contents of transmissions. Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals. In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that "undoes" the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to "break" the cipher. The more complex the encryption algorithm, the more difficult it becomes to decrypt the information without access to the key. The major downside to encryption is the substantial performance hit to servers and applications. Several storage security vendors, such as Decru, Kasten Chase, and Neoscale offer high-speed encryption solutions for storage traffic. Encryption solutions that reside below iscsi such as IPSec require no special negotiation between iscsi end devices and are transparent to the upper layers. For other authentication implementations such as Kerberos or Public/Private Key exchanges, the iscsi Login Phase provides text fields for negotiating the type of security supported by both end devices. If the negotiation is successful, the data exchanged between iscsi devices will be formatted for appropriate security validation required by the agreed upon security routine. An Internet Storage Name Server (isns) may also be used to assist this process by, for example, serving as a repository for public keys. IPSec The iscsi standard requires that IPSec be supported, but allows its use to be optional. Not all hardware vendors currently include support for IPSec. iscsi HBAs and storage systems are available both with and without IPSec security. Some solutions, such as the StoneFly Storage Concentrator can support the storage of encrypted data, but not the actual encryption/decryption process. IPSec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet. StoneFly, Inc. Page 5 of 7

6 For IPSec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as IP Encapsulating Security Payload (ESP) and Internet Key Exchange (IKEv2) Protocol, which allows the receiver to obtain a public key and authenticate the sender using digital certificates. Public Key Infrastructure (PKI) PKI is based on a pair of mathematically related public and private keys. While the private key is carefully safeguarded, the public key is linked to subject identifier information (e.g., name and other information) in a digitally signed public key certificate, where the subject is the owner of the public/private key pair. This linkage or binding is made possible by including specified data in the certificate, which is essentially a specially formatted file generated in accordance with industry standards. The certificate itself and the public and private keys are then used by systems to represent the individual or entity that is the subject identified by the certificate. In some cases, they will be used in the process of creating and verifying digital signatures. Therefore, it is critical for a relying party application (i.e., an application that relies on the use of a certificate) to have confidence that the certificate correctly and accurately identifies the subject and subject s public key, as well as the issuer of the certificate. The distinguishing feature of PKI is the use of the certificate published by a Certification Authority to confirm the identity, and other relevant information about the entity that holds the certificate. Secure Socket Layer Secure Sockets Layer (SSL) is a specially designed PKI protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http. SSL support is built into the StoneFly Storage Concentrator, which uses https and password protection. Application Software Security Many software applications support security, such as encryption. For example, StoneFly Backup Advantage allows encrypting data both for transmission over un-secure networks and for storage on third-party vaults. The data is always encrypted in the same manner (blowfish algorithm), but key management policies differ depending on the customer needs. For customers that need only network security the keys are randomly chosen for every session. Data is encrypted on Client and the keys are discarded at the end. The entire process is completely transparent to the user; all the user has to do is to enable encryption. Summary Since iscsi security is based on the same technology used for TCP/IP security today, a single SAN with secure iscsi initiators can easily span over a WAN with storage devices and servers in multiple locations. By providing security in iscsi end-nodes, the storage network and data network can eventually converge to maximize network bandwidth usage, lower network management costs, and share the same fabric switch equipment, without the concern of security breaches and illegal access to information. Protecting data in an IP SAN is relatively straightforward due to the iscsi specification, which allows for implementing multiple security methods. While the iscsi protocol itself provides quality of service and security features, the advanced services offered by TCP/IP internetworking can be immediately applied to iscsi traffic. Vendors such as StoneFly StoneFly, Inc. Page 6 of 7

7 support a variety of security methods both explicitly and implicitly, giving IP SAN users the means to form a sound security strategy. StoneFly, Inc. Page 7 of 7

Virtual Private Networks

Virtual Private Networks Virtual Private Networks ECE 4886 Internetwork Security Dr. Henry Owen Definition Virtual Private Network VPN! Virtual separation in protocol provides a virtual network using no new hardware! Private communication

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols 2011-11-22. ETSF10 Internet Protocols 2011

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols 2011-11-22. ETSF10 Internet Protocols 2011 Internet Security Voice over IP ETSF10 Internet Protocols 2011 Kaan Bür & Jens Andersson Department of Electrical and Information Technology Internet Security IPSec 32.1 SSL/TLS 32.2 Firewalls 32.4 + Voice

More information

Computer Networks. Secure Systems

Computer Networks. Secure Systems Computer Networks Secure Systems Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion Secure Shell (SSH) A protocol to allow secure login to

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

SSL Overview for Resellers

SSL Overview for Resellers Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an

More information

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Remote Access Security

Remote Access Security Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 356 Lecture 27 Internet Security Protocols. Spring 2013 CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012 Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret

More information

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP) Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic

More information

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999 Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer February 3, 1999 Frame Relay Frame Relay is an international standard for high-speed access to public wide area data networks

More information

Deploying Firewalls Throughout Your Organization

Deploying Firewalls Throughout Your Organization Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

More information

Best practices for protecting network data

Best practices for protecting network data Best practices for protecting network data A company s value at risk The biggest risk to network security is underestimating the threat to network security. Recent security breaches have proven that much

More information

Protecting a Corporate Network with ViPNet. Best Practices in Configuring the Appropriate Security Level in Your ViPNet Network

Protecting a Corporate Network with ViPNet. Best Practices in Configuring the Appropriate Security Level in Your ViPNet Network Protecting a Corporate Network with ViPNet Best Practices in Configuring the Appropriate Security Level in Your ViPNet Network Introduction Scope ViPNet technology protects information systems by means

More information

Regulatory Compliance Solutions for Security and Privacy

Regulatory Compliance Solutions for Security and Privacy Regulatory Compliance Solutions for Security and Privacy Nobuyuki Osaki SAN Solutions Lab Hitachi America Ltd Hitachi and Hitachi Data Systems Hitachi Ltd Founded 1910 One of the World s Largest Integrated

More information

Technical papers Virtual private networks

Technical papers Virtual private networks Technical papers Virtual private networks This document has now been archived Virtual private networks Contents Introduction What is a VPN? What does the term virtual private network really mean? What

More information

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,

More information

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc. Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Virtual Private Networks: IPSec vs. SSL

Virtual Private Networks: IPSec vs. SSL Virtual Private Networks: IPSec vs. SSL IPSec SSL Michael Daye Jr. Instructor: Dr. Lunsford ICTN 4040-001 April 16 th 2007 Virtual Private Networks: IPSec vs. SSL In today s society organizations and companies

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

Site to Site Virtual Private Networks (VPNs):

Site to Site Virtual Private Networks (VPNs): Site to Site Virtual Private Networks Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0002.01 Prog. Director Mark Ferrar Owner Tim Davis Version 1.0

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Protocol Security Where?

Protocol Security Where? IPsec: AH and ESP 1 Protocol Security Where? Application layer: (+) easy access to user credentials, extend without waiting for OS vendor, understand data; (-) design again and again; e.g., PGP, ssh, Kerberos

More information

Executive Summary and Purpose

Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

The Benefits of SSL Content Inspection ABSTRACT

The Benefits of SSL Content Inspection ABSTRACT The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic

More information

High Performance VPN Solutions Over Satellite Networks

High Performance VPN Solutions Over Satellite Networks High Performance VPN Solutions Over Satellite Networks Enhanced Packet Handling Both Accelerates And Encrypts High-Delay Satellite Circuits Characteristics of Satellite Networks? Satellite Networks have

More information

ICAB4236B Build security into a virtual private network

ICAB4236B Build security into a virtual private network ICAB4236B Build security into a virtual private network Release: 1 ICAB4236B Build security into a virtual private network Modification History Not Applicable Unit Descriptor Unit descriptor This unit

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Chapter 32 Internet Security

Chapter 32 Internet Security Chapter 32 Internet Security Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 32: Outline 32.1 NETWORK-LAYER SECURITY 32.2 TRANSPORT-LAYER SECURITY 32.3

More information

White Paper. BD Assurity Linc Software Security. Overview

White Paper. BD Assurity Linc Software Security. Overview Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity Secure Remote Monitoring of the Critical System Infrastructure An Application Note from the Experts in Business-Critical Continuity TABLE OF CONTENTS Introduction................................................2

More information

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline Course Number: SEC 150 Course Title: Security Concepts Hours: 2 Lab Hours: 2 Credit Hours: 3 Course Description: This course provides an overview of current technologies used to provide secure transport

More information

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents WHITE PAPER TrustNet CryptoFlow Group Encryption Table of Contents Executive Summary...1 The Challenges of Securing Any-to- Any Networks with a Point-to-Point Solution...2 A Smarter Approach to Network

More information

Secure Use of the New NHS Network (N3): Good Practice Guidelines

Secure Use of the New NHS Network (N3): Good Practice Guidelines Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0003.01 Prog. Director Mark Ferrar Status Approved Owner Tim Davis Version 1.0 Author Phil Benn Version

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Circuit switching vs. packet switching OSI and TCP/IP layered models TCP/IP encapsulation

More information

Steelcape Product Overview and Functional Description

Steelcape Product Overview and Functional Description Steelcape Product Overview and Functional Description TABLE OF CONTENTS 1. General Overview 2. Applications/Uses 3. Key Features 4. Steelcape Components 5. Operations Overview: Typical Communications Session

More information

Data-at-Rest Encryption Addresses SAN Security Requirements

Data-at-Rest Encryption Addresses SAN Security Requirements Data-at-Rest Encryption Addresses SAN Security Requirements QLogic 2500 Series Fibre Channel Adapters Meet Enterprise Security Needs Key Findings SAN security via encryption is necessary for protecting

More information

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

More information

Understand Wide Area Networks (WANs)

Understand Wide Area Networks (WANs) Understand Wide Area Networks (WANs) Lesson Overview In this lesson, you will review: Dial-up Integrated services digital networks (ISDN) Leased lines Virtual private networks (VPN) Wide area networks

More information

Overview. Protocols. VPN and Firewalls

Overview. Protocols. VPN and Firewalls Computer Network Lab 2015 Fachgebiet Technische h Informatik, Joachim Zumbrägel Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls VPN-Definition VPNs (Virtual Private Networks)

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

Digital s Internet Tunnel Products

Digital s Internet Tunnel Products TM Digital s Internet Tunnel Products White paper: Virtual private networking over the internet today October 1995 Table of Contents 3 What is tunneling? 3 Benefits of using the Internet for private networking

More information

PRIVACY, SECURITY AND THE VOLLY SERVICE

PRIVACY, SECURITY AND THE VOLLY SERVICE PRIVACY, SECURITY AND THE VOLLY SERVICE Delight Delivered by EXECUTIVE SUMMARY The Volly secure digital delivery service from Pitney Bowes is a closed, secure, end-to-end system that consolidates and delivers

More information

Using Application Layer Technology to Overcome the Impact of Satellite Circuit Latency on VPN Performance

Using Application Layer Technology to Overcome the Impact of Satellite Circuit Latency on VPN Performance Using Application Layer Technology to Overcome the Impact of Satellite Circuit Latency on VPN Performance Ground Control February 2003 Abstract This paper explains the source of severe throughput degradation

More information

Tim Bovles WILEY. Wiley Publishing, Inc.

Tim Bovles WILEY. Wiley Publishing, Inc. Tim Bovles WILEY Wiley Publishing, Inc. Contents Introduction xvii Assessment Test xxiv Chapter 1 Introduction to Network Security 1 Threats to Network Security 2 External Threats 3 Internal Threats 5

More information

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

More information

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Ground Setting Three Basics Availability Authenticity Confidentiality Challenge

More information

How To Secure My Data

How To Secure My Data How To Secure My Data What to Protect??? DATA Data At Rest Data at Rest Examples Lost Infected Easily Used as Backup Lent to others Data Corruptions more common Stolen Left at airports, on trains etc Hard

More information

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key Friends and Enemies Security Outline Encryption lgorithms Protocols Message Integrity Protocols Key Distribution Firewalls Figure 7.1 goes here ob, lice want to communicate securely Trudy, the intruder

More information

Network Security. Chapter 9 Integrating Security Services into Communication Architectures

Network Security. Chapter 9 Integrating Security Services into Communication Architectures Network Security Chapter 9 Integrating Security Services into Communication Architectures Network Security (WS 00): 09 Integration of Security Services Motivation: What to do where?! Analogous to the methodology

More information

Security Considerations for DirectAccess Deployments. Whitepaper

Security Considerations for DirectAccess Deployments. Whitepaper Security Considerations for DirectAccess Deployments Whitepaper February 2015 This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Circuit switching vs. packet switching OSI and TCP/IP layered models TCP/IP encapsulation

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Fundamental Principles of a Secure Network

More information

Networking Security IP packet security

Networking Security IP packet security Networking Security IP packet security Networking Security IP packet security Copyright International Business Machines Corporation 1998,2000. All rights reserved. US Government Users Restricted Rights

More information

NETWORK SECURITY (W/LAB) Course Syllabus

NETWORK SECURITY (W/LAB) Course Syllabus 6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

ICTTEN8195B Evaluate and apply network security

ICTTEN8195B Evaluate and apply network security ICTTEN8195B Evaluate and apply network security Release 1 ICTTEN8195B Evaluate and apply network security Modification History Release Release 2 Comments This version first released with ICT10 Integrated

More information

Secure SCADA Network Technology and Methods

Secure SCADA Network Technology and Methods Secure SCADA Network Technology and Methods FARKHOD ALSIHEROV, TAIHOON KIM Dept. Multimedia Engineering Hannam University Daejeon, South Korea sntdvl@yahoo.com, taihoonn@paran.com Abstract: The overall

More information

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls Computer Net Lab/Praktikum Datenverarbeitung 2 1 VPN - Definition VPNs (Virtual Private Networks) allow secure data transmission

More information

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

Electronic Service Agent TM. Network and Transmission Security And Information Privacy Electronic Service Agent TM and Transmission Security And Information Privacy Electronic Services January 2006 Introduction IBM Electronic Service Agent TM is a software application responsible for collecting

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0 COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

More information

Achieving High Availability & Rapid Disaster Recovery in a Microsoft Exchange IP SAN April 2006

Achieving High Availability & Rapid Disaster Recovery in a Microsoft Exchange IP SAN April 2006 Achieving High Availability & Rapid Disaster Recovery in a Microsoft Exchange IP SAN April 2006 All trademark names are the property of their respective companies. This publication contains opinions of

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

Network Security. Lecture 3

Network Security. Lecture 3 Network Security Lecture 3 Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Security protocols application transport network datalink physical Contents IPSec overview

More information

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region VPN SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the

More information

Determining Windows 2000 Network Security Strategies

Determining Windows 2000 Network Security Strategies 625 CHAPTER 17 Determining Windows 2000 Network Security Strategies Today, most organizations want their computer infrastructure connected to the Internet because it provides valuable services to their

More information

Avaya G700 Media Gateway Security - Issue 1.0

Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise

More information

Chapter 5. Data Communication And Internet Technology

Chapter 5. Data Communication And Internet Technology Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN

More information

Internet Privacy Options

Internet Privacy Options 2 Privacy Internet Privacy Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 19 June 2014 Common/Reports/internet-privacy-options.tex, r892 1 Privacy Acronyms

More information

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration

More information

Industrial Communication. Securing Industrial Wireless

Industrial Communication. Securing Industrial Wireless Industrial Communication Whitepaper Securing Industrial Wireless Contents Introduction... 3 Wireless Applications... 4 Potential Threats... 5 Denial of Service... 5 Eavesdropping... 5 Rogue Access Point...

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Configuring Windows 2000/XP IPsec for Site-to-Site VPN

Configuring Windows 2000/XP IPsec for Site-to-Site VPN IPsec for Site-to-Site VPN November 2002 Copyright 2002 SofaWare Technologies Inc, All Rights Reserved. Reproduction, adaptation, or translation with prior written permission is prohibited except as allowed

More information

FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE

FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE Form 2A, Page 1 FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE COURSE NUMBER: CTS 2658 COURSE TITLE: PREREQUISITE(S): COREQUISITE(S): Managing Network Security CNT 2210 with grade

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

ETSF10 Part 3 Lect 2

ETSF10 Part 3 Lect 2 ETSF10 Part 3 Lect 2 DHCP, DNS, Security Jens A Andersson Electrical and Information Technology DHCP Dynamic Host Configuration Protocol bootp is predecessor Alternative: manual configuration IP address

More information