Securing Business-Critical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks
1 Securing Business-Critical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks
2 Agenda
- Security Market and Solutions Overview
- New Network-Based Security Architecture
- Key Features for Network-Wide Security
- Summary
3 Security Solutions in the Market: Traditional Firewalls
- Stateful Inspection Firewalls (Layer 2 through 4)
  - Maintain State of Every Flow (L4)
  - Traffic Only on Pre-Established Flows
  - Some DoS, NAT, IPSEC VPN
- Proxy Firewalls (Layer 2 through 7)
  - Full Termination with Proxy: Terminate TCP and Re-Establish
  - Protocol Aware Proxy Layer (HTTP, FTP, etc.)
  - Slower because of Full Termination
- Firewall Inadequacies: Need to Augment and Offload
  - Very Poor DoS, Application Rate Limiting, Layer 7 Intelligence
  - Performance Challenged, Especially for NAT and DoS
  - FWLB for Scalability and HA Still a Key Need
4 Security Solutions in the Market: Intrusion Prevention and Detection
- IDS (Intrusion Detection Systems)
  - Passive Devices in the Network Observing Traffic
  - Observe Behavior and Alert or Act on Anomalies
  - Downsides: False Positives, Slow Responsiveness, Reliance on Magic
- IPS (Intrusion Prevention Systems)
  - Inline Devices Blocking Threats, Vulnerabilities and Exploits
  - Signature Based Deep Packet Scan Engines
  - Deterministic Enforcement against Known Signatures
- Weaknesses and Inadequacies: Need for Integration
  - Overpriced Point Products Solving ONE Security Problem
  - Not Ideal for Inline Deployment: PC, No Networking, No Robust L2-4 Defenses, L7 Limited to Signatures
  - IPS Needs to be a Feature on a *Total Solution* Inline Security Device
  - IDS Must Work Together with Switches and Traffic Monitoring (sFlow)
5 Security Solutions in the Market and Message SPAM
- Full Content SPAM Mitigation and Prevention
  - Inspect for Keywords, Signatures, Attachments Using Complex Rules
  - Block Bad and Mark Suspected Mail
  - Score System (1 to 100), Administrator Set Threshold for Blocking
- IP Reputation List Based SPAM Mitigation Solutions
  - Lists of *Known BAD* IP Addresses and Prefixes (Assigned a Score)
  - Many Sources for Lists Gathering Reputation Data Worldwide
  - Lists Customizable on Score (Ex: IPs Ranked 70 or Above)
- SPAM Defense in Depth: Need for Network Solutions
  - Exclusive Content Solutions are Inefficient, Costly, and Inadequate
  - Exclusive IP Reputation is Ineffective and Inadequate
  - Using Defense in Depth for Best of Both Approaches
    - Apply IP Reputation in Network (Real Time Updated)
    - Apply Content-Based Solutions in Server Farm
6 Security Solutions in the Market: Web and Application Firewalls
- Outbound URL Filtering and Web Security
  - Prevent Enterprise Users from Accessing BAD Websites
  - Compliance, Etiquette, Corporate Policy, Productivity
  - Database of Known Bad URLs (Scored) and Applied
  - Periodically Updated with New URLs
- Application Firewall for Web Applications (Data Center)
  - Goal is to Prevent Hacking and Abuse of Website (Scripting, Malicious Code, SQL Injection, Forceful Browsing, Cookie Tampering, Cloaking)
  - Emerging Area Consolidating into Application Switch/Delivery Platform
- Web Filtering: Need to Integrate with Inline Security
  - Inline Security Device Leverages Offline Database to Enforce Policies
  - Better Performance, Scalability and Security Beyond URL Enforcement
  - Opportunity to Offload Firewalls from this Function
  - Application Firewall on Application Switching and Delivery Class Products (Data Center)
7 Security Solutions in the Market: Edge and Desktop Security
- Network Admission Control
  - Enforce Policies on Who can Gain Access to the Network
  - Enforce Policies Regarding Endpoint Security Updates and OS
  - Authenticate Users Before They Get into the Network
- Anti-Virus Solutions and Appliances
  - Primarily *On-Desktop* Solutions that Prevent Viruses
  - New-Generation Appliances Emerging from Leading Vendors to Offload Some Anti-Virus Function into the Network
- Network Access Control
  - More Fine-Grained Control of Network and Service Access
  - Who, When, How, From Where and Why?
  - Web Authentication and Access
8 Security Market Needs and Trends: Key Trends to Capitalize for Network-Wide Security
- Network Perimeter as we knew it is Disappearing
  - Mobility, Convergence, Remote Access, Growing Internal Threats
  - Need for Security Everywhere in the Network
- Well Established and Agreed Role of Network to Deliver Security
  - Organizations are Gravitating Towards Network-Based Security Solutions
  - Protection for Infrastructure, Services, Critical Resources
- Moving Beyond the Firewall Without Giving Up on Firewalls
  - Enterprises Endorse the Need for Solutions that Augment Firewalls
  - Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly
- Emerging Vision/Trend of Network-Wide Security is Catching On
  - Network Integration is Seen as Inevitable and Required
  - Solutions that Promote Incremental Steps are Needed
- Growing Attacks and Threats in Content and Service Provider Infrastructure
  - These Customers Can't Rely on Firewalls
9 Agenda
- Security Market and Solutions Overview
- New Network-Based Security Architecture
- Key Features for Network-Wide Security
- Summary
10 Security Traffic Managers and Secure LAN Switches are Key Building Blocks
[Diagram labels: Secure LAN Switches, Security Traffic Managers, Direct Desktop Protection, Desktops, Server Farm Protection, Web & Application Servers, WAN, Traditional Firewalls]
- Host Protection (Desktop and Servers)
  - L2 Devices with Premium Security Features in Centralized Mgmt. Module
  - Protection for Desktops and Servers from Network Attacks, and Vice Versa
  - Initial Applications for High-Value User Desktops and Assets
- Network Protection (Internal and Perimeter)
  - High Performance Security Between Network Segments
  - Protection Against Internal and External Threats, Including Web and SPAM
  - Firewall Clustering, High Availability, Augmentation and Offload
11 Secure Network Architecture with Two New Product Categories
- Wire Speed LAN Switching Security: L2/L4 DoS Attack Prevention; Port, CPU, VLAN, & Rogue Protection
- Anomaly Based IPS: External Collector, Analyzer; External Closed-Loop Interface; sFlow based Anomaly IPS Solution; Zero-Day Solution; Interface to Network Mgmt. for Remediation
- Security Traffic Mgr. and LAN Switch: Signature based IPS and More; Edge, Aggregation, and Perimeter
- Network Admission Control: Agents on the Desktops
- Application Security and Protection: Web and URL Security; Network-based SPAM, DNS and VoIP Security
[Diagram labels: Network Manager, Web & Application Servers, Internet, sFlow From Switches, Edge Port Remediation, Security Traffic Manager (Perimeter Security), Secure LAN Switch (Server Farm Protection), Security Traffic Manager (In-Line Inside LAN Protection), Radius NAC Server, Secure LAN Switch (Direct Desktop Protection)]
Jan 2006 Foundry Networks, Inc.
12 Augment with sFlow (RFC 3176): Network-Wide Wire-Speed Visibility
- Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network
  - Layer 2 through 7 visibility and analysis
- Scales with Network Size and Speeds with Zero Performance Impact
  - No other Technology can Scale to GbE and 10 GbE rates
- Embedded implementations available today. Free!
- Layer 2-7 Information
  - Packet Header Analysis
  - Src/Dst MAC addresses
  - Src/Dst VLAN (802.1q) and 802.1p
  - Src/Dst IPv4 addresses, including TOS/DSCP, TCP, TCP flags, UDP, and ICMP information
  - Src/Dst IPv6 addresses and other information
  - Src/Dst IPX addresses and other information
  - Src/Dst AppleTalk addresses and other information
  - MPLS information
  - Sampling process parameters (rate, pool)
  - Physical input/output ports
  - Src/Dst prefix bits and next hop subnet, Source AS and source peer AS
  - Destination AS path
  - Communities and local preference
  - 802.1X user name or RADIUS/TACACS user ID
  - Interface Statistics (SNMP)
  - The captured packet itself
[Diagram labels: Sampled Packet, sFlow Datagram, Collection, Analysis and Archival, sFlow Collector]
13 Security OS: Total Solution Must Combine Key Features and Applications
Security OS Features:
- Wire-Speed Network Protection
- DNS Proxy and Security
- Application Rate Limiting
- DoS and DDoS Protection
- Intrusion Protection, Deep/Bulk Packet Inspection
- SPAM Mitigation
- VoIP Security
- High Performance IP NAT
- Firewall Clustering and HA
- URL Filtering, Web Security
- High Availability with Hitless Failover
14 Security Traffic Manager Applications
- Perimeter Security: Front End and Traffic Manager
  - Firewall Scalability and Performance Bottlenecks
  - Firewalls Not for L7 and Application Security
  - Security Traffic Manager Augments and Offloads Firewall
  - Protects Firewall Investment and Extends Firewall Life
- Internal LAN Security: Traffic Management at Distribution Layers
  - Network Vulnerable to Threats from Within
  - Internal Abuse a Key Challenge
  - Security Traffic Manager Provides Perimeter-Like Protection inside LAN
15 Secure LAN Switches Application
- Secure LAN Switches are Layer 2/3 LAN Switches with Premium Value-Added Security Features
  - High Density Desktop and Server Connectivity
  - Small Price Premium over Traditional LAN Switch Port Cost
  - Security Against DoS, Anomaly, Intrusion and Others
- High Value Desktop Protection
  - Secures Desktops of High Value Users from Network Originated Attacks
  - 10/100 and Gigabit Copper Connectivity for Desktop Machines
- Securing Critical Servers and Associated Applications
  - Server Aggregation LAN Switch with Premium Security
  - Protects Servers and Applications from Network Originated Attacks
  - Prevents Abuse of Resources by Controlling Access
- Position of Traditional and Secure LAN Switches
  - Traditional Layer 2/3 LAN Switching for Connectivity and Wire-Speed
  - Secure LAN Switching for Value-Added Security to Desktop
16 Vision for Secure LAN Switches: Wire Speed Security Everywhere
- Layer 3 was CPU Based Until Foundry Networks Revolutionized Wire-Speed Layer 3 Technologies in 1997
  - All Layer 3 Traffic Processed by Centralized CPU: Slow Performance
  - Foundry Revolutionized the Industry by Delivering L3 in Wire-Speed
- Today, Secure LAN Switches (Industry's New Category) are CPU Based
  - Central Security Management Module (With Performance Scalability)
  - Non-Trusted Flows CPU Processed: Not Wire-Speed on All Ports
  - Next Generation will Incorporate Wire-Speed on Uplink Ports
- In the Future, Advanced (and Economical) Technologies will Help Deliver Security on Every
- Wire-Speed Security Must be Everywhere, and it Must Be Available for a Small Premium over Traditional Layer 2/3 LAN Switches and without Significant Performance Sacrifice
17 Security Feature and Capability Differentiation across Solutions
Solutions compared: Security Traffic Managers, Secure LAN Switches, Traditional LAN Switches
Features compared:
- Network Security
- DoS and Layer 4
- Layer 4 Rate Limiting
- Intrusion and Layer 4-7 Signature Blocking
- VoIP Security
- URL and Web Filtering
- SPAM Defense
- High Performance NAT
- High Availability
- Firewall Clustering and High Availability
- Full Featured Layer 3
- DNS Proxy and Security
18 Agenda
- Security Market and Solutions Overview
- New Network-Based Security Architecture
- Key Features for Network-Wide Security
- Summary
19 SYN and Other High-Performance DoS Protection Features
[Diagram labels: Good Client: TCP SYN, TCP SYN ACK (Special SEQ), TCP ACK (Special SEQ), Complete TCP Connection. Bad Client: TCP SYN, TCP SYN ACK (Special SEQ), BAD TCP ACK (Special SEQ), NO TCP Connection. Secure Traffic Mgr., Host A, Host B, Any Internal Hosts]
- Protect Against TCP SYN/ACK Flood Attacks
- Multi-Gigabit Wire-Speed Rate Protection
- Firewall Protection when Deployed in Front of Firewalls
- Protection Against 30+ Other DoS Signatures, Including Spoof, Land, SYN, ACK, Smurf, Ping of Death, Connection Open/Close, ICMP Unreachable, ICMP Redirect, SYN Fragment, Malformed TCP Packets and SYN Messages, Illegal TCP Options, Illegal IP Options, IP Options Filtering, Protocol Enforcement, UDP Flood, TCP Flood, Port Scanning, IP Scanning, Information Tunneling, Signature Scanning and Filtering
- Protects Internal Hosts from Attack
20 Transaction, Connection and Bandwidth Rate Limiting
- Pro-Active Policies to Thwart Attacks from Malicious Hosts
  - Limits Number of Connections from a Given Host
  - User-Configurable Limits Based on Application Behavior
  - Ensures Hosts Cannot Hog Network and Application Resources
- Limits Placed based on Source IP or Other Unique Host Identifiers
  - Granular Control of Limits per Source Host or Subnetwork
  - Sufficient Resources Reserved per Client to Allow Valid Client Transactions
- Limits on Connection Rate (per Defined Interval)
- Limits on Simultaneous Connections from a Given Host
- Rate Limiting of Bandwidth Used by TCP Connections to Prevent Network Abuse
- When a Client Exceeds Limits, Further Connections from Same Client are Dropped for a Pre-Configured Duration
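The per-source limits on slide 20 can be sketched as follows. This is an added example, not code from the presentation or from any Foundry product; the class and field names, the IPv4-only keying, and the sample addresses and thresholds are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Limits:
    max_new_per_interval: int = 3   # connection-rate limit
    interval: float = 1.0           # the "defined interval", in seconds
    max_concurrent: int = 4         # simultaneous connections per source
    hold_down: float = 10.0         # how long a violator is dropped, in seconds
    prefix_len: int = 32            # 32 = per host, 24 = per /24 subnetwork (IPv4)


@dataclass
class _SourceState:
    recent: deque = field(default_factory=deque)  # times of accepted SYNs
    open_conns: int = 0
    blocked_until: float = 0.0


class ConnectionLimiter:
    """Tracks new-connection rate and open connections per source key."""

    def __init__(self, limits):
        self.limits = limits
        self.sources = defaultdict(_SourceState)

    def _key(self, src_ip):
        # Collapse the address to the configured prefix so that a whole
        # subnetwork can share one budget.
        net = ipaddress.ip_network(f"{src_ip}/{self.limits.prefix_len}", strict=False)
        return str(net)

    def on_syn(self, src_ip, now):
        """Decide on a new connection attempt; returns 'accept' or a drop reason."""
        lim = self.limits
        st = self.sources[self._key(src_ip)]
        if now < st.blocked_until:
            return "drop:hold-down"
        # Forget accepted attempts that have left the sliding window.
        while st.recent and now - st.recent[0] >= lim.interval:
            st.recent.popleft()
        if len(st.recent) >= lim.max_new_per_interval:
            st.blocked_until = now + lim.hold_down
            return "drop:rate"
        if st.open_conns >= lim.max_concurrent:
            st.blocked_until = now + lim.hold_down
            return "drop:concurrent"
        st.recent.append(now)
        st.open_conns += 1
        return "accept"

    def on_close(self, src_ip):
        st = self.sources[self._key(src_ip)]
        st.open_conns = max(0, st.open_conns - 1)


# Constructed sample traffic: (time in seconds, event, source address).
SAMPLE_LIMITS = Limits()
SAMPLE_EVENTS = [
    (0.0, "syn", "192.0.2.10"),
    (0.1, "syn", "198.51.100.7"),
    (0.2, "syn", "198.51.100.7"),
    (0.3, "syn", "198.51.100.7"),
    (0.4, "syn", "198.51.100.7"),   # fourth attempt inside one second
    (0.5, "syn", "192.0.2.10"),     # well-behaved client is unaffected
    (5.0, "syn", "198.51.100.7"),   # still inside the hold-down period
    (10.5, "syn", "198.51.100.7"),  # hold-down has expired
]


def replay(events, limits):
    """Run events through a fresh limiter; returns the decision for each SYN."""
    limiter = ConnectionLimiter(limits)
    decisions = []
    for now, kind, src in events:
        if kind == "syn":
            decisions.append((now, src, limiter.on_syn(src, now)))
        else:
            limiter.on_close(src)
    return decisions


if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS, SAMPLE_LIMITS):
        print(row)
```
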
21 Application Access Policy Enforcement (Including SPAM)
- Solution to Enforce Access Control on Large Pool of IP Addresses and Prefixes
  - Apply Explicit Permit and/or Deny Policies to Specific Applications
  - Many Unique Lists of IP Addresses Defined per Application Port
  - Ensures Enforcement of Access Policies to Specific Applications based on Host Credentials
  - Ideal to be Used with IP Reputation Lists for Preventing Mass Abuse (SPAM)
- Provides Massive Scalability Compared to Standard ACLs
  - Support for Many Million IP Addresses and Prefixes
  - Many Separate Lists of Addresses to be Applied on a Per Application Basis
- Network Based Approach Protects Services from Illegal Access Right in the Network at the Edge
  - Network Based Protection Increases Resource Efficiency and Security
  - Proactive, Rapid and High-Performance Protection Early (Mail Processing)
22 SPAM Mitigation Solution: IP Reputation List Support
- Security Traffic Manager Prevents SPAM from Known Spammers
  - Relies on IP Reputation Lists from Many 3rd Parties
  - Many Millions of IP Address/Prefixes in a Policy List
  - Dynamic Download of New Lists in Real Time
  - Permit and Deny of Flows Based on Policy
- Augments Content Based SPAM Solutions on the Server Back-End
  - Co-Exists with Other SPAM Mitigation/Prevention Solutions
- Complement PBSLB with Content Based SPAM Solutions
  - Deep and Bulk Content Scan of Traffic to Filter on Easily Identifiable Signatures, Keywords or Large ASCII Text
  - Configure Signatures or Download them in ASCII/Binary Files
  - Ability to Scan Attachments (Non Compressed)
23 Layer 7 Intrusion Prevention with Signature Based Deep Packet Scan
- Enforce Layer 7 Security Policies Based on Signatures
  - Perform Deep Packet Scan on All Traffic in a Flow
  - Supports this Capability for TCP, UDP and ICMP Flows
  - Scan May be Performed in Both Directions of the Flow, or Limited to Direction of the Threat (Example: Only Inbound)
- Support for User-Configurable Signatures
  - Signatures when Defined May be Applied to Flows of Specific Application
- Very Long Bulk Signatures May be Downloaded to the Device for Security Enforcement
  - Example: Prevent Threats in File Attachments
- Provide a Range of Actions upon Signature Match
  - Log, Count, Reset, Drop, Mirror, Re-Direct
24 DNS Protection and Proxy
- DNS is the Most Critical and Foundation Application for All IP Services
- Security Traffic Manager Must Protect DNS using Layer 4 through 7 Mechanisms
  - Layer 4 DNS Service Protection using Rate Limiting and DoS Features
  - Layer 7 DNS Protection Using Filtering on Specific Header Fields
    - Example #1: Disallow Queries to Specific Domains
    - Example #2: Disallow Queries Other than Type xxxx
    - Example #3: Disallow Recursive Queries
  - General-Purpose Layer 7 Signature Scanning and Filtering
- DNS Proxy Feature would be a Good Value Add
  - Security Traffic Manager Replies to DNS Queries with Healthy IP Addresses
  - Unique Feature that Combines DNS Intelligence and Health Monitoring
  - Users Connect to Available Service/Servers
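The three Layer 7 DNS filtering examples on slide 24 can be illustrated with a small wire-format query filter. This is an added example, not code from the presentation or from any product; the function and policy names, the sample domains and the allowed-type set are assumptions, and the packets are constructed inline.

```python
import struct
from dataclasses import dataclass

QR_RESPONSE = 0x8000   # header flag: message is a response
RD_RECURSION = 0x0100  # header flag: recursion desired


class MalformedQuery(ValueError):
    pass


def parse_query(pkt):
    """Parse the header and single question of a DNS query (wire format)."""
    if len(pkt) < 12:
        raise MalformedQuery("short header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & QR_RESPONSE:
        raise MalformedQuery("QR bit set, not a query")
    if qdcount != 1:
        raise MalformedQuery("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise MalformedQuery("truncated name")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            # Covers compression pointers (0xC0..), which have no place in
            # the first question of a query, and oversized labels.
            raise MalformedQuery("pointer or oversized label in question")
        if pos + length > len(pkt):
            raise MalformedQuery("truncated label")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(pkt):
        raise MalformedQuery("missing qtype/qclass")
    qtype, qclass = struct.unpack("!2H", pkt[pos:pos + 4])
    name = ".".join(labels)
    if len(name) > 253:
        raise MalformedQuery("name too long")
    return {"id": ident, "rd": bool(flags & RD_RECURSION),
            "name": name, "qtype": qtype, "qclass": qclass}


@dataclass(frozen=True)
class DnsPolicy:
    blocked_suffixes: tuple    # example #1: domains that may not be queried
    allowed_qtypes: frozenset  # example #2: only these query types pass
    allow_recursion: bool      # example #3: whether RD=1 queries pass


def filter_query(pkt, policy):
    """Return ('permit', name) or ('drop', reason) for one query packet."""
    try:
        q = parse_query(pkt)
    except MalformedQuery as exc:
        return ("drop", f"malformed: {exc}")
    for suffix in policy.blocked_suffixes:
        # Match on label boundaries so 'notblocked.example' is not caught
        # by a rule for 'blocked.example'.
        if q["name"] == suffix or q["name"].endswith("." + suffix):
            return ("drop", "blocked-domain")
    if q["qtype"] not in policy.allowed_qtypes:
        return ("drop", "qtype-not-allowed")
    if q["rd"] and not policy.allow_recursion:
        return ("drop", "recursion-desired")
    return ("permit", q["name"])


def build_query(name, qtype, rd=False, ident=0x1234):
    """Construct a sample query packet (test input only)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", ident, RD_RECURSION if rd else 0, 1, 0, 0, 0)
    return header + qname + struct.pack("!2H", qtype, 1)


# Constructed policy: block one domain, allow only A (1) and AAAA (28),
# refuse recursion-desired queries.
SAMPLE_POLICY = DnsPolicy(("blocked.example",), frozenset({1, 28}), False)

if __name__ == "__main__":
    for pkt in (build_query("www.example.com", 1),
                build_query("cdn.blocked.example", 1),
                build_query("example.com", 255),
                build_query("example.com", 1, rd=True)):
        print(filter_query(pkt, SAMPLE_POLICY))
```
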
25 SIP and VoIP Security Features
- Communication Services are Rapidly Migrating to IP with the Use of SIP and VoIP Protocols and Applications
  - Opening Up these Services to Vulnerabilities of an Open Network
  - Threat of Attacks to Critical Servers is Real
- Protect SIP and VoIP Services by Offering a Range of Layer 4 and Layer 7 Security Features
  - SIP and VoIP Flows May Use Generic UDP Ports for Communication
  - Need to Validate SIP Packets, Messages and Flows over UDP
- Layer 4 Protection using Rate Limiting and DoS Features
- Layer 7 Security Features Include
  - Validate SIP Headers to Ensure UDP Traffic Belongs to SIP
  - Only Permits SIP Packets to Flow over Pre-Defined UDP Ports
  - Validates SIP Headers, Version and Methods
  - Ability to Define Valid SIP Methods
26 Agenda
- Security Market and Solutions Overview
- New Network-Based Security Architecture
- Key Features for Network-Wide Security
- Summary
27 Future: Security Integrated High Performance Network Architectures
- Security Traffic Managers and Secure LAN Switches are the Building Blocks of Network-Wide Seven Layer Security
  - Perimeter, Internal LAN, Data Center, Server Farm, and Enterprise Edge
- Cost Effective and Scalable Solutions are Required
- Firewalls are Here to Stay (At Least For a While)
  - New Solutions Must Augment and Offload Firewalls
  - Cap and Protect Firewall Investment
28 Thank You
Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and
More informationApplication Security Backgrounder
Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International
More informationVoice Over IP and Firewalls
Introduction Voice Over IP and Firewalls By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com Use of Voice Over IP (VoIP) in enterprises is becoming more and more
More informationIPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region
IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express
More informationWEB APPLICATION FIREWALLS: DO WE NEED THEM?
DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?
More informationIPS AIM for Cisco Integrated Services Routers
IPS AIM for Cisco Integrated Services Routers Technical Overview James Weathersby, TME, ARTG Tina Lam, Product Manager, ARTG 1 Cisco Integrated Threat Control Industry-Certified Security Embedded Within
More informationPolicy Management: The Avenda Approach To An Essential Network Service
End-to-End Trust and Identity Platform White Paper Policy Management: The Avenda Approach To An Essential Network Service http://www.avendasys.com email: info@avendasys.com email: sales@avendasys.com Avenda
More informationFirewall Introduction Several Types of Firewall. Cisco PIX Firewall
Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls
More informationChapter 8 Network Security
[Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network
More informationStateful Firewalls. Hank and Foo
Stateful Firewalls Hank and Foo 1 Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation
More informationLumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks
IPsonar provides visibility into every IP asset, host, node, and connection on the network, performing an active probe and mapping everything that's on the network, resulting in a comprehensive view of
More informationFirewall. User Manual
Firewall User Manual 1 IX. Firewall This chapter introduces firewall general policy, access rule, and content filter settings to ensure network security. 9.1 General Policy The firewall is enabled by default.
More informationTDC s perspective on DDoS threats
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationIP Telephony Management
IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient
More informationA1.1.1.11.1.1.2 1.1.1.3S B
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
More informationContent Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway
TESTING & INTEGRATION GROUP SOLUTION GUIDE Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway INTRODUCTION...2 RADWARE SECUREFLOW... 3
More informationANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239
ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239 Check Point Firewall Software and Management Software I. Description of the Item Up gradation, installation and commissioning of Checkpoint security gateway
More informationSecuring the Enterprise
Securing the Enterprise Using the BIG-IP with the Application Security Module for Comprehensive Application and Network Security Overview The Internet has become increasingly complex, leaving many enterprises
More informationCampus LAN at NKN Member Institutions
Campus LAN at NKN Member Institutions RS MANI rsm@nkn.in 1/7/2015 3 rd Annual workshop 1 Efficient utilization Come from: Good Campus LAN Speed Segregation of LANs QoS Resilient Access Controls ( L2 and
More informationBorderWare Firewall Server 7.1. Release Notes
BorderWare Firewall Server 7.1 Release Notes BorderWare Technologies is pleased to announce the release of version 7.1 of the BorderWare Firewall Server. This release includes following new features and
More informationREAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL
REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL AWF Series Web application firewalls provide industry-leading Web application attack protection, ensuring continuity
More informationWeb Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com
Web Application Security Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Security s Gaping Hole 64% of the 10 million security incidents tracked targeted port 80. Information Week
More informationSecure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions
Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Gigi Joseph, Computer Division,BARC. Gigi@barc.gov.in Intranet Security Components Network Admission Control (NAC)
More informationGigabit SSL VPN Security Router
As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the
More informationHow To Block A Ddos Attack On A Network With A Firewall
A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial
More informationFirewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles
Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations
More informationChapter 4 Firewall Protection and Content Filtering
Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators
More informationDescription: Objective: Attending students will learn:
Course: Introduction to Cyber Security Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: In 2014 the world has continued to watch as breach after breach results in millions of
More informationThis chapter covers the following topics:
This chapter covers the following topics: Components of SAFE Small Network Design Corporate Internet Module Campus Module Branch Versus Headend/Standalone Considerations for Small Networks C H A P T E
More information1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
More informationVLAN und MPLS, Firewall und NAT,
Internet-Technologien (CS262) VLAN und MPLS, Firewall und NAT, 15.4.2015 Christian Tschudin Departement Mathematik und Informatik, Universität Basel 6-1 Wiederholung Unterschied CSMA/CD und CSMA/CA? Was
More informationFIREWALLS & CBAC. philip.heimer@hh.se
FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationFlow Analysis Versus Packet Analysis. What Should You Choose?
Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation
More informationSOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.
SOLUTION GUIDE Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management. North America Radware Inc. 575 Corporate Dr Suite 205 Mahwah, NJ 07430
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More informationJK0 015 CompTIA E2C Security+ (2008 Edition) Exam
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
More informationContent Distribution Networks (CDN)
229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the
More information