Technical Note. ForeScout CounterACT: Virtual Firewall

Size: px
Start display at page:

Download "Technical Note. ForeScout CounterACT: Virtual Firewall"

Transcription

1 ForeScout CounterACT:

2 Contents Introduction... 3 What is the vfw? Technically, How Does vfw Work? How Does vfw Compare to a Real Firewall? How Does vfw Compare to other Blocking Methods?... 4 When is vfw the Best Network Control Method? What Are the Limitations of the vfw Method? Configuring the vfw... 6 Example 1: Create a rule to block traffic to a specific host: Example 2: Create a rule to block traffic from a specific host: Example 3: Define exceptions to a blocking rule About ForeScout

3 Introduction ForeScout CounterACT includes several different mechanisms with which you can control network access. Within the CounterACT policy system, these mechanisms are known as enforcement options. Of all the enforcement options, the (vfw) option stands out as being particularly interesting because it does not require writing to your network architecture. In some environments, this can make deployment and ongoing maintenance easier than any other network control technology, from any vendor. In this tech note, we will describe the capabilities, use cases, and limitations of vfw technology. This will bring help you understand how to best utilize the vfw feature. vfw technology is proprietary to ForeScout, unlike mechanisms such as VLAN assignment, ACL management, and port blocking which are included within ForeScout CounterACT as well as many other commercially available NAC products What is the vfw? ForeScout s vfw lets you block, limit or quarantine hosts on the network by detecting their network traffic and then disrupting their communication with a target host/server. The blocking can target all or some of the traffic from one or more sources to one or more hosts. For example, you can block all traffic to a specific destination, or you can block all traffic except HTTP to that destination. The vfw gives you all the benefits of an inline firewall without actually being inline. This means there are no issues of latency or dependency on 3rd party hardware. There are multiple applications for the vfw: 1. Create security zones: ForeScout vfw technology lets you create network security zones, giving you more control over network traffic. Specifically, by defining a vfw policy you can: Create network zones or segments that you want to close off entirely as a result of new threats or newly detected vulnerabilities Create network zones or segments that you want to close off to specific sources Prevent unwanted protocols from being transmitted within your network or between specific network segments, for example, if you know that RPC traffic should not be transmitted between various departments in your organization Designate business critical services that should always remain open 2. Quarantine non-compliant and/or non-corporate hosts: The vfw can be incorporated within NAC policies to detect non-compliant and/ or non-corporate hosts and limit their access to the network. In the case of a non-compliant host, the vfw will be applied as soon as the host is detected to be non-compliant. If CounterACT policies are setup to automatically remediate the non-compliant host, the vfw will be removed automatically as soon as the remediation is successful. For non-corporate hosts (BYOD), the vfw can be used to control and limit access to the corporate network. ForeScout CounterACT can apply different vfw rules on non-corporate hosts depending on whether the user of the device has registered as a guest using the guest management system that comes included with ForeScout CounterACT. 3. Quarantine infected or malicious hosts: ForeScout CounterACT can continuously monitor traffic from all endpoints and can detect if the traffic is malicious, e.g. if the endpoint has been infected with a worm or a virus, or if the user is intentionally trying to attack the network. If CounterACT dectects such a condition, it can dynamically apply a vfw against the host to limit the spread of the infection or to disrupt the user s attempt to hack into network resources. 3

4 Technically, How Does vfw Work? The vfw works by detecting a connection request from a source host that has a vfw action applied against it, then emulating that source host and sending TCP reset packets to the target, telling it to terminate and ignore the TCP/IP connection request from the source host. The diagram below shows the step by step process that takes place when a vfw is applied against a host. In this example, the source is a PC, and the target is a server. Figure 1: vfw applied against a PC to a server. How Does vfw Compare to a Real Firewall? The vfw gives you all the benefits of an inline firewall without actually being inline. The vfw sits logically inline but physically out-of-band. Meaning, the traffic flows to one of our ports from a span or tap. Then we introduce TCP reset packets into the network from a separate management port. This means that network traffic doesn t physically flow through the CounterACT appliance. As a result, the CounterACT appliance doesn t introduce latency in the network, doesn t affect throughput of the network, and doesn t represent a failure point if the CounterACT appliance should go down. Since the CounterACT appliance sees all network traffic and has the ability to immediately respond, you have all the benefits of an inline security device without any drawbacks. A second difference is that unlike a real firewall, vfw is policy-based, therefore is more dynamic. ForeScout CounterACT can dynamically adapt to the changing network environment. For example, a physical firewall will open a port for egress traffic and typically leave the port open. But vfw can dynamically respond to the egress traffic request, closing it off on the basis of many different conditions, for example the type of device, the ownership of the device, whether the employee is an employee or a guest, whether the device is running certain apps, etc. The vfw lets you create network segmentation without the need to modify your existing infrastructure. For example, if your data repositories are all at the core of your network or in a virtual DMZ, ForeScout s vfw can ensure that all data paths into your data stores are monitored and that only authorized users/devices can access those data stores. How Does vfw Compare to other Blocking Methods? As mentioned earlier, ForeScout CounterACT provides other mechanisms for controlling network access: VLAN assignment, ACL management, and switch port block. All of these mechanisms can block or limit traffic from a host, except for the switch port block which can only provide complete host block. What differentiates the vfw from other blocking methods is the following: ForeScout s vfw can be deployed immediately and is totally independent of whatever switching hardware you have in place. vfw does not require any interoperation with switching hardware and does not require switch privileges. All that is needed for the vfw to work is visibility into the blocked host traffic through a span port on the switch, which most enterprise switch vendors support. In contrast, VLAN assignment, ACL management, and switch port block actions require SNMP and/or SSH access to the switches and routers the hosts are connected to. 4

5 ForeScout s vfw reacts to (blocks) traffic faster. There is no wait time for an action to be written to a switch, such as the case with VLAN assignment and ACL management ForeScout s vfw is non-disruptive to the end user. The endpoint doesn t have to renegotiate an IP address as it does with a VLAN change. With the popular VLAN change method of other NAC vendors, as an endpoint changes VLANs, the following has to happen: VLAN change is written to switch port (takes a few seconds) Switch port is disabled and enabled quickly to force the endpoint to renegotiate and receive a new IP address Endpoint goes through the DHCP process to receive a mew IP address (can take 5+ seconds depending on the device) As appropriate, the endpoint gets remediated and becomes compliant with corporate policy, or the user registers as a guest VLAN change is written again to move the endpoint back (a few seconds) Switch port is disabled and enabled quickly to force the endpoint to renegotiate and receive a new IP address Endpoint goes through the DHCP process to receive a new IP address (can take 5+ seconds depending on the device) User continues working In contrast, the same process with ForeScout vfw looks like this: CounterACT introduces TCP resets to prevent access to certain resources (almost instantaneous) As appropriate, the endpoint gets remediated and becomes compliant with corporate policy, or the user registers as a guest CounterACT releases TCP reset action (almost instantaneous) User continues working When is vfw the Best Network Control Method? Since ForeScout CounterACT has so many network control mechanisms, customers sometimes ask Which network control method should I use? While each situation is different, here are two obvious situations where vfw technology is probably the right choice: 1. If the switch and/or router does not support SNMP or CLI access for applying other blocking methods. 2. If your network environment is centralized with a natural choke point between the endpoints and the computing resources or sensitive data, then a single centralized CounterACT appliance can use vfw to control access to these resources. The CounterACT appliance would need to be able to see all of the traffic at that choke point via a mirror port or span port. What Are the Limitations of the vfw Method? Just like any technology, the vfw has some limitations. For example: TCP vs. UDP blocking. The vfw was designed to block traffic that uses the TCP protocol, which represents over 95% of all traffic. With TCP traffic, three packets are sent even before the first data packet. Each packet gives the vfw an opportunity to terminate the session, making it very effective against this kind of traffic. But UDP traffic is different. While vfw can block traffic using the UDP protocol, the effectiveness depends on the nature of the service. With UDP traffic, the number of wait periods for response packets ranges between zero and higher. If there is no response packet, there is no opportunity for ForeScout vfw to intervene and terminate the UDP traffic flow. The greater the number of packets sent, the more opportunities to terminate the UPD traffic flow. Consider these examples: With syslog, there is no opportunity to terminate the session. The sender transmits the data message to the syslog server but does not wait for a reply. With DNS, there is a single opportunity to terminate the session. After the sender transmits a query, he/she waits for a reply. If the vfw responds with a port unreachable ICMP message before the server responds, the session will be terminated. With TFTP, the vfw has multiple opportunities to terminate the session. Chunks of the files are transferred within individual packets, and each packet provides a termination opportunity. In conclusion, if you want to be sure to terminate UDP sessions, we recommend that you utilize ForeScout CounterACT s ACL management technologies, or integrate CounterACT with a 3rd party firewall such as Cisco ASA. The vfw relies on the ability of the CounterACT appliance to see all traffic from the source host. In some cases, this might be hard to achieve. The main concern will always be the ability (or inability) to see inter-switch traffic, i.e traffic that does not traverse the network, does not flow to an upper layer switch where CounterACT is listening to traffic via the span port. 5

6 ForeScout CounterACT: Configuring the vfw The vfw can be manually invoked at any time from the CounterACT console, or it can be included within an automated policy. Manual invocation is as simple as selecting right-clicking on a host, then select from the list of Restrict actions that are available. Figure 2: Policy editor window Almost any ForeScout CounterACT policy can include an automated network control using vfw. Figure 3: Sub-rules can be set up for specified conditions. 6

7 The vfw is customizable on what it should and should not block, which makes it a great tool for creating security zones as mentioned earlier. The vfw can be configured to: Block traffic to specific hosts Block traffic from specific hosts Block traffic to all hosts except a range of hosts Block all traffic from/to a host. Block certain type of traffic from/to a host(e.g. add an exception to allow http traffic only) Example 1: Create a rule to block traffic to a specific host: 1. From the Rule dialog box, select the Add button from the Blocking Rules section. 2. Select The FW will block traffic to the detected host radio button. This allows you to block inbound traffic to detected hosts. 3. In the Source IP section, define the hosts that are prevented from communicating with the detected host. 4. In the Target Port section, define the services on the detected host that is blocked. 5. Select OK. Figure 4: Virtual firewall rules are added to block traffic to specific hosts. 7

8 Example 2: Create a rule to block traffic from a specific host: 1. From the Blocking Rules dialog box, select the Add button from the Blocking Rules section. 2. Select The FW will block traffic from the detected host radio button. This allows you to block outbound traffic from detected hosts to other network hosts. 3. In the Target Port section, define the services the detected hosts are prevented from accessing on other network hosts. 4. Select OK. The rules you defined appear in the Action dialog box. 5. Use the Edit and Remove buttons as required. Example 3: Define exceptions to a blocking rule. Exceptions are when you define a range of addresses to block, but you want to allow traffic to and from IT administrator hosts or VIP hosts. To create exceptions to specified hosts: 1. From the Rule dialog box, select the Add button from the Blocking Exceptions section. 2. Select The FW will allow traffic to the detected host radio button. This allows you to allow inbound traffic to detected hosts. 3. In the Source IP section, define the hosts that are allowed to communicate with the detected host. 4. In the Target Port section, define the services on the detected host that are allowed. 5. Select OK. To create exceptions from specified hosts: 1. From the Rule dialog box, select the Add button from the Blocking Exceptions section. 2. Select The FW will allow traffic from the detected host radio button. This allows you to allow outbound traffic from detected hosts. 3. In the Source IP section, define the hosts the detected hosts are allowed to communicate with. 4. In the Target Port section, define the services the detected hosts are allowed to access on other network hosts. 5. Select OK. Figure 5: Set up blocking exceptions for added flexibility and control About ForeScout ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company s CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout s open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at ForeScout Technologies, Inc. 900 E. Hamilton Ave., Suite 300 Campbell, CA U.S.A. T (US) T (Intl.) F ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc:

Network Access Control in Virtual Environments. Technical Note

Network Access Control in Virtual Environments. Technical Note Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

Technical Note. CounterACT: Powerful, Automated Network Protection Inside and Out

Technical Note. CounterACT: Powerful, Automated Network Protection Inside and Out CounterACT: Powerful, Contents Introduction...3 Automated Threat Protection against Conficker... 3 How the Conficker Worm Works.... 3 How to Use CounterACT to Protect vs. the Conficker Worm...4 1. Use

More information

ForeScout CounterACT Edge

ForeScout CounterACT Edge ForeScout is a high performance security appliance that protects your network perimeter against intrusion. Unlike traditional IPS products, ForeScout is extremely easy to install and manage. It does not

More information

Whitepaper. Securing Visitor Access through Network Access Control Technology

Whitepaper. Securing Visitor Access through Network Access Control Technology Securing Visitor Access through Contents Introduction 3 The ForeScout Solution for Securing Visitor Access 4 Implementing Security Policies for Visitor Access 4 Providing Secure Visitor Access How it works.

More information

Addressing BYOD Challenges with ForeScout and Motorola Solutions

Addressing BYOD Challenges with ForeScout and Motorola Solutions Solution Brief Addressing BYOD Challenges with ForeScout and Motorola Solutions Highlights Automated onboarding Full automation for discovering, profiling, and onboarding devices onto both wired and wireless

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation

ForeScout CounterACT. Continuous Monitoring and Mitigation Brochure ForeScout CounterACT Real-time Visibility Network Access Control Endpoint Compliance Mobile Security Rapid Threat Response Continuous Monitoring and Mitigation Benefits Security Gain real-time

More information

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software

More information

Technical Note. ForeScout MDM Data Security

Technical Note. ForeScout MDM Data Security Contents Introduction........................................................................................................................................... 3 Data Security Requirements for BYOD..................................................................................................................

More information

Intro to Firewalls. Summary

Intro to Firewalls. Summary Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer

More information

The ForeScout Difference

The ForeScout Difference The ForeScout Difference Mobile Device Management (MDM) can help IT security managers secure mobile and the sensitive corporate data that is frequently stored on such. However, ForeScout delivers a complete

More information

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module Version 1.0.1 ForeScout Mobile Table of Contents About the Integration... 3 ForeScout MDM... 3 Additional Documentation...

More information

ForeScout CounterACT Endpoint Compliance

ForeScout CounterACT Endpoint Compliance Highlights Benefits Continuous Monitoring: Identify security posture of devices on your network in real-time. Remediation: Ensure ends are properly configured, security agents are updated and running properly,

More information

CounterACT 7.0 Single CounterACT Appliance

CounterACT 7.0 Single CounterACT Appliance CounterACT 7.0 Single CounterACT Appliance Quick Installation Guide Table of Contents Welcome to CounterACT Version 7.0....3 Included in your CounterACT Package....3 Overview...4 1. Create a Deployment

More information

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations Identifying Network Security and Compliance Challenges in Healthcare Organizations Contents Introduction....................................................................... 3 Increased Demand For Access............................................................

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Paul Cochran - Account Manager. Chris Czerwinski System Engineer

Paul Cochran - Account Manager. Chris Czerwinski System Engineer Paul Cochran - Account Manager Chris Czerwinski System Engineer Next-Generation NAC Fast and easy deployment No infrastructure changes or network upgrades No need for endpoint agents 802.1X is optional

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series MDM Integration with Cisco Identity Service Engine Secure Access How -To Guides Series Author: Aaron Woland Date: December 2012 Table of Contents Introduction.... 3 What Is the Cisco TrustSec System?...

More information

ForeScout MDM Enterprise

ForeScout MDM Enterprise Highlights Features Automated real-time detection of mobile Seamless enrollment & installation of MDM agents on unmanaged Policy-based blocking of unauthorized Identify corporate vs. personal Identify

More information

ControlFabric Interop Demo Guide

ControlFabric Interop Demo Guide ControlFabric Interop Demo Guide Featuring The ForeScout ControlFabric Interop Demo at It-Sa 2014 showcases integrations with our partners and other leading vendors that can help you achieve continuous

More information

Technical Note. ForeScout CounterACT Endpoint Detection & Inspection Methods

Technical Note. ForeScout CounterACT Endpoint Detection & Inspection Methods ForeScout CounterACT Endpoint Contents Introduction.... 3 Overview of ForeScout CounterACT... 3 Overview of Discovery and Inspection... 4 Host & Network Device Discovery... 4 Endpoint Detection & Inspection

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series XenMobile Integration with Cisco Identity Service Engine Secure Access How -To Guides Series Author: Aaron Woland Date: December 2012 Table of Contents Introduction... 3 What Is the Cisco TrustSec System?...

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Tech Brief Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Introduction In today s era of increasing mobile computing, one of the greatest challenges

More information

WhatWorks in Blocking Network-based Attacks with ForeScout s CounterACT. Automating Network Access, Endpoint Compliance and Threat Management Controls

WhatWorks in Blocking Network-based Attacks with ForeScout s CounterACT. Automating Network Access, Endpoint Compliance and Threat Management Controls WhatWorks in Blocking Network-based Attacks with Automating Network Access, Endpoint Compliance and Threat Management Controls WhatWorks is a user-to-user program in which security managers who have implemented

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

INSERT COMPANY LOGO HERE

INSERT COMPANY LOGO HERE INSERT COMPANY LOGO HERE 2014 Frost & Sullivan 1 We Accelerate Growth Technology Innovation Leadership Award Network Security Global, 2014 Frost & Sullivan s Global Research Platform Frost & Sullivan is

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement Comprehensive Endpoint Enforcement Overview is a complete, end-to-end network access control solution that enables organizations to efficiently and securely control access to corporate networks through

More information

Polycom. RealPresence Ready Firewall Traversal Tips

Polycom. RealPresence Ready Firewall Traversal Tips Polycom RealPresence Ready Firewall Traversal Tips Firewall Traversal Summary In order for your system to communicate with end points in other sites or with your customers the network firewall in all you

More information

Deploying ACLs to Manage Network Security

Deploying ACLs to Manage Network Security PowerConnect Application Note #3 November 2003 Deploying ACLs to Manage Network Security This Application Note relates to the following Dell PowerConnect products: PowerConnect 33xx Abstract With new system

More information

Technical Note. CounterACT: 802.1X and Network Access Control

Technical Note. CounterACT: 802.1X and Network Access Control CounterACT: 802.1X and Contents Introduction...3 What is 802.1X?...3 Key Concepts.... 3 Protocol Operation...4 What is NAC?...4 Key Objectives.... 5 NAC Capabilities.... 5 The Role of 802.1X in NAC...6

More information

Technical Note. ForeScout CounterACT Rogue Device Detection

Technical Note. ForeScout CounterACT Rogue Device Detection ForeScout CounterACT Contents Introduction.... 3 The Importance of... 3 Types of Rogue Devices................................................................................................................................3

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

Using Ranch Networks for Internal LAN Security

Using Ranch Networks for Internal LAN Security Using Ranch Networks for Internal LAN Security The Need for Internal LAN Security Many companies have secured the perimeter of their network with Firewall and VPN devices. However many studies have shown

More information

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port 1. VLAN Overview 2. VLAN Trunk 3. Why use VLANs? 4. LAN to LAN communication 5. Management port 6. Applications 6.1. Application 1 6.2. Application 2 6.3. Application 3 6.4. Application 4 6.5. Application

More information

Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats

Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats Dragan Novaković Consulting Systems Engineer Security November 2015. New Networks Mean New Security Challenges

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Classic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1

Classic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1 Classic IOS Firewall using CBACs 2012 Cisco and/or its affiliates. All rights reserved. 1 Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone based firewalls,

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Bypassing Network Access Control Systems

Bypassing Network Access Control Systems Bypassing Network Access Control Systems Ofir Arkin Chief Technology Officer Insightix Ltd. September 2006 United States International 945 Concord Street 13 Hasadna Street Framingham, MA 01701 Ra'anana,

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

Lucent VPN Firewall Security in 802.11x Wireless Networks

Lucent VPN Firewall Security in 802.11x Wireless Networks Lucent VPN Firewall Security in 802.11x Wireless Networks Corporate Wireless Deployment is Increasing, But Security is a Major Concern The Lucent Security Products can Secure Your Networks This white paper

More information

Cisco PIX vs. Checkpoint Firewall

Cisco PIX vs. Checkpoint Firewall Cisco PIX vs. Checkpoint Firewall Introduction Firewall technology ranges from packet filtering to application-layer proxies, to Stateful inspection; each technique gleaning the benefits from its predecessor.

More information

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

CISCO IOS NETWORK SECURITY (IINS)

CISCO IOS NETWORK SECURITY (IINS) CISCO IOS NETWORK SECURITY (IINS) SEVENMENTOR TRAINING PVT.LTD [Type text] Exam Description The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification.

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Stateful Inspection Technology

Stateful Inspection Technology Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

More information

Cisco IOS Inline Intrusion Prevention System (IPS)

Cisco IOS Inline Intrusion Prevention System (IPS) Cisco IOS Inline Intrusion Prevention System (IPS) This data sheet provides an overview of the Cisco IOS Intrusion Prevention System (IPS) solution. Product Overview In today s business environment, network

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and

More information

VMware vcloud Air Networking Guide

VMware vcloud Air Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing DG_PAFWLB_120718.1 TABLE OF CONTENTS 1 Overview... 4 2 Deployment Prerequisites... 4 3 Architecture Overview... 5 4 Access Credentials...

More information

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software LiveAction Application Note Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software January 2013 http://www.actionpacked.com Table of Contents 1. Introduction... 1 2. ASA NetFlow Security

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

NAC at the endpoint: control your network through device compliance

NAC at the endpoint: control your network through device compliance NAC at the endpoint: control your network through device compliance Protecting IT networks used to be a straightforward case of encircling computers and servers with a firewall and ensuring that all traffic

More information

Multi-Homing Dual WAN Firewall Router

Multi-Homing Dual WAN Firewall Router Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet

More information

McAfee Network Security Platform

McAfee Network Security Platform Quick Tour Revision A McAfee Network Security Platform version 8.3 McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and software that accurately detects

More information

Norton Personal Firewall for Macintosh

Norton Personal Firewall for Macintosh Norton Personal Firewall for Macintosh Evaluation Guide Firewall Protection for Client Computers Corporate firewalls, while providing an excellent level of security, are not always enough protection for

More information

Virtual Private Cloud-as-a-Service: Extend Enterprise Security Policies to Public Clouds

Virtual Private Cloud-as-a-Service: Extend Enterprise Security Policies to Public Clouds What You Will Learn Public sector organizations without the budget to build a private cloud can consider public cloud services. The drawback until now has been tenants limited ability to implement their

More information

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco Secure Access into Industrial Automation and Systems Industry Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Vendor offers a remote firmware update and PLC programming. Contractor asks

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

Database Security, Virtualization and Cloud Computing

Database Security, Virtualization and Cloud Computing Whitepaper Database Security, Virtualization and Cloud Computing The three key technology challenges in protecting sensitive data in modern IT architectures Including: Limitations of existing database

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA

More information

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE Virtual Server and DDNS For BIPAC 741/743GE August, 2003 1 Port Number In TCP/IP and UDP networks, a port is a 16-bit number, used by the host-to-host protocol to identify to which application program

More information

Bypassing Network Access Control Systems

Bypassing Network Access Control Systems 1 Bypassing Network Access Control Systems Ofir Arkin, CTO Blackhat USA 2006 ofir.arkin@insightix.com http://www.insightix.com 2 What this talk is about? Introduction to NAC The components of a NAC solution

More information

Matthias Meier. VP Engineering, bw digitronik. 2013 ForeScout Technologies, Page 1 2014 ForeScout Technologies, Page 1

Matthias Meier. VP Engineering, bw digitronik. 2013 ForeScout Technologies, Page 1 2014 ForeScout Technologies, Page 1 Matthias Meier VP Engineering, bw digitronik 2013 ForeScout Technologies, Page 1 2014 ForeScout Technologies, Page 1 Inadequate Visibility Inadequate Collaboration Inadequate Automation 2013 ForeScout

More information

Configuring the Juniper NetScreen Firewall Security Policies to support Avaya IP Telephony Issue 1.0

Configuring the Juniper NetScreen Firewall Security Policies to support Avaya IP Telephony Issue 1.0 Avaya Solution & Interoperability Test Lab Configuring the Juniper NetScreen Firewall Security Policies to support Avaya IP Telephony Issue 1.0 Abstract These Application Notes describes a procedure for

More information

NetFlow Analytics for Splunk

NetFlow Analytics for Splunk NetFlow Analytics for Splunk User Manual Version 3.5.1 September, 2015 Copyright 2012-2015 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 3 Overview... 3 Installation...

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

RECORDING VoIP TRAFFIC via PORT MIRRORING

RECORDING VoIP TRAFFIC via PORT MIRRORING Recording. Solutions. Redefined. OrecX will easily record your VoIP traffic once your VoIP traffic is seen on the server interface. Use (SPAN, port spanning or port monitoring) to get the right traffic

More information

Policy Management: The Avenda Approach To An Essential Network Service

Policy Management: The Avenda Approach To An Essential Network Service End-to-End Trust and Identity Platform White Paper Policy Management: The Avenda Approach To An Essential Network Service http://www.avendasys.com email: info@avendasys.com email: sales@avendasys.com Avenda

More information

Automating Server Firewalls

Automating Server Firewalls Automating Server Firewalls With CloudPassage Halo Contents: About Halo Server Firewalls Implementing Firewall Policies Create and Assign a Firewall Policy Specify Firewall-Related Components Managing

More information

Networking and High Availability

Networking and High Availability TECHNICAL BRIEF Networking and High Availability Deployment Note Imperva appliances support a broad array of deployment options, enabling seamless integration into any data center environment. can be configured

More information

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org

More information

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide

More information

Application Note - Using Tenor behind a Firewall/NAT

Application Note - Using Tenor behind a Firewall/NAT Application Note - Using Tenor behind a Firewall/NAT Introduction This document has been created to assist Quintum Technology customers who wish to install equipment behind a firewall and NAT (Network

More information

Workload Firewall Management

Workload Firewall Management Workload Firewall Management Setup Guide Contents: About Halo Workload Firewalls Implementing Halo Workload Firewalls Creating Firewall Policies Define Firewall-Related Components Create Inbound Rules

More information

Sygate Secure Enterprise and Alcatel

Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and

More information

Good MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Good MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series Good MDM Integration with Cisco Identity Service Engine Secure Access How -To Guides Series Author: Imran Bashir Date: December 2012 Table of Contents Mobile Device Management (MDM)... 3 Overview... 3

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

VLANs. Application Note

VLANs. Application Note VLANs Application Note Table of Contents Background... 3 Benefits... 3 Theory of Operation... 4 IEEE 802.1Q Packet... 4 Frame Size... 5 Supported VLAN Modes... 5 Bridged Mode... 5 Static SSID to Static

More information

Detecting rogue systems

Detecting rogue systems Product Guide Revision A McAfee Rogue System Detection 4.7.1 For use with epolicy Orchestrator 4.6.3-5.0.0 Software Detecting rogue systems Unprotected systems, referred to as rogue systems, are often

More information

Enterprise Buyer Guide

Enterprise Buyer Guide Enterprise Buyer Guide Umbrella s Secure Cloud Gateway vs. Web Proxies or Firewall Filters Evaluating usability, performance and efficacy to ensure that IT teams and end users will be happy. Lightweight

More information

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks IPsonar provides visibility into every IP asset, host, node, and connection on the network, performing an active probe and mapping everything that's on the network, resulting in a comprehensive view of

More information

CCNA Security 1.1 Instructional Resource

CCNA Security 1.1 Instructional Resource CCNA Security 1.1 Instructional Resource Chapter 4 Implementing Firewall Technologies 2012 Cisco and/or its affiliates. All rights reserved. 1 Describe numbered, named, standard and extended IP ACLs. Configure

More information

Ranch Networks for Hosted Data Centers

Ranch Networks for Hosted Data Centers Ranch Networks for Hosted Data Centers Internet Zone RN20 Server Farm DNS Zone DNS Server Farm FTP Zone FTP Server Farm Customer 1 Customer 2 L2 Switch Customer 3 Customer 4 Customer 5 Customer 6 Ranch

More information