Secure your Informations efficiently. SECURITY: FIREWALL & VPN CLIENTS Trends Features Products and Solutions [email protected]

Transcription

1 Secure your Informations efficiently SECURITY: FIREWALL & VPN CLIENTS Trends Features Products and Solutions

2 The driving force for information security Highly computerization. Heterogeneous computing environment: more exploits exposed.(about 20 to 40 new vulnerabilities per month). Internet connectivity. Easy using and automated tools to launch attack and probing. The intruders become more skilled.

3 The importance and risk of information security Different kinds of Attacks leads you to lose: Money Time Productivity Reputation Sensitive Information And more

4 The growth and trend in Network security market Appliances in the middle price-bands ($1,500 to $10,000) and application security gateways drive growth in 2004 and beyond because of large siteto-site and broadband VPN deployments, upgrades of firewalls to the latest technology, and SSL VPN deployments for the next generation of enterprise remote access,. Revenue from VPN and firewall appliances makes up the majority of worldwide VPN and firewall hardware and software revenue, while total software revenue and application security gateway revenue make up a smaller portion. Source: Infonetics Research, VPN & Firewall Products Quarterly Market

5 The purposes for information security Three Main Purposes : C.I.A. Prevent intentional or unintentional unauthorized access of information Integrity Confidentiality I C Information Security A Remain the availability of information for access at the right time for the right person Availability Prevent modification of unauthorized access Prevent illegally modification from authorized users Keep consistency and integrity of internal and external data

6 Business Spending Priority 76% Rate security as a moderate to high spending priority 67% Rate application/database development as a moderate to high spending priority 55% Rate storage as a moderate to high spending priority Bandwidth is not the issue Distance is not the problem More and more applications are running through the Internet, which consists of a wide variety of networks devices and security always being the concern Network security is the key issue Source: CRN Business Spending Survey

7 What firewall is and types of firewall Firewall : A fireproof wall used as a barrier to prevent the spread of a fire. American Heritage Dictionary Located at the point between protected networks and the Internet, functioning as a device for access control. Gateway Filter Filter

8 Network Protection Addresses a Range of Pressing Problems Hacker Malicious Viruses, worms Internet Intrusions Inappropriate Use Anything that threatens network security or productivity

9 Packet Filtering Firewall Access Control List (ACL) Source/Destination IP Protocol Number (TCP, UDP) Source/Destination Port Use ACL in sequential order Provided by most Routers Do not log/monitor the network traffic through firewall

10 Application Proxy Firewall Use proxy program to act on behalf of applications Network traffic will be directed to proxy program which acts as the agent for communication between internal application services and external services The proxy program will perform the action (permit or deny) based on the policies set by users Each application has its distinctive proxy programs It operates at Layer 7 in OSI Model and thus the process speed is much slower

11 Stateful Inspection Firewall Inspect the contents of packets based on the rules set by users and perform the action(forward or drop)at the packet Keep the session information of IP communication within the packet After inspecting the new connection session,the session information will be stored into the session state table The incoming packet will be inspected against the session information stored in state table. If it is not the corresponding response to previous IP connection, the session will not be established. Process faster than Packet Filter firewall does Process speed is faster than Application proxy but cannot provide the security level that Application proxy can do D-Link firewall is a stateful firewall

12 What Firewalls Don t Prevent Physical Problems loss of power theft or malicious physical damage Social Engineering the ability to trick inside people to get user names and passwords or something of the like Viruses Are imbedded in valid datagrams, so firewalls will let them pass A DMZ servers with virus checking could be used here to help solve this problem Disgruntle employees who have access through the firewall Improper configuration of the firewall

13 Many Conventional Products are Needed for a Complete Solution Hacker Attachment Filtering Software Malicious Firewall VPN Viruses, worms Anti-Virus ((( Internet IDS Intrusions Software Anti-Virus Update Content Filtering Server & Software Inappropriate Use High Equipment & Software Cost: $20K-$100K+ Difficult to coordinate and integrate Significant IT staff requirements New attacks are constant threat

14 D-Link offers a New Approach to Network Protection Hacker Malicious D-Link DFL Series Viruses, worms Internet Intrusions Inappropriate Use Complete Network Protection

15 Firewall deployment topology SMB & Enterprise Switch (HA, High Availability) The deployment of two firewall devices is for the purpose of redundant mechanism Switch Internet Router LAN PC Switch DMZ Server DMZ used by severs that provide services to internal users. For example, Web server, mail server and authentication servers

16 Executive Summary Product Advantage Provides complete SOHO/SMB/Enterprise network security firewall solutions, D-Link has competitive advantage in the market. Supports NAT, firewall, content filtering, IDS protection & VPN, D-Link is high compatibility security solution provider. D-Link intends to provide the most complete solutions and satisfy users alternative requirements. Competitive Status. D-Link meets major competitors in this field, such as Cisco, NetScreen and Sonicwall.

17 Selling Points DFL-200 DFL-700 DFL-1100 Providing Desktop and Rack mount form factor. Multi-function security application meets enterprise requirement Full firewall functions for easily network admin. High performance VPN IPSec support Web-based configuration interface for ease to use. Support SNMP management / monitoring High Performance with fault tolerance support. (DFL-1100 Only) High Availability solution support. (DFL-1100 Only)

18 Why choose DFL-200/700? The DFL-200/700 are new security gateway appliances in desktop form factor DFL-200 Versatile security solution, including: "Stateful inspection" for packet filtering Office-to-Office and mobile user VPNs User Authentication Intrusion Detection / Prevention Content Filtering Web-based management Bandwidth management (DFL-700 only) D-Link Firewalls are 100% ICSA compliant!! (International Computer Security Association) DFL-700

19 Why choose DFL-1100? The DFL-1100 is a new security gateway appliance in rack mount form factor. Versatile Security Solution, including: Stateful inspection for packet filtering Office-to-Office and Mobile User VPNs Bandwidth Management User Authentication Intrusion Detection / Prevention Content Filtering Web-based management HA (High Availability) DFL-1100

20 Where to use DFL-200/700/1100? The DFL-200/700/1100 are highly suitable: ¾ as Security Gateway for medium enterprises, where resilience and security in combination with a low total cost of ownership are key factors. ¾ as VPN Gateway at small to medium sized remote sites. ¾ as Customer Premise Equipment (CPE) in managed security solution (DFL-700 Only)

21 PRODUCTS: D-Link Firewalls Price DFL-200 Desktop Firewall Throughput: TBD Interfaces: WAN, 4 x LAN Target Market: Cosumer/SoHo Launch date: prel. June 2004 DFL-700 Desktop Firewall 50 Mbps throughput 20 Mbps AES/3DES WAN, LAN, DMZ Target Market: SoHO/SMB Launch date: available DFL High Availability Firewall 250 Mbps throughput ~60 Mbps AES/3DES WAN, LAN, DMZ, AUX/Sync Target Market: Upper SMB/SME Launch date: June/July 2004 Features/Performance

22 D-Link Firewall Web GUI for Easy Management Log

23 Firewall Policy Traffic Shaping Limit Limit works by limiting the inbound and outbound traffic to the specified speed. This is the maximum bandwidth that can be used by traffic using this policy. Guarantee By using Guarantee, you can traffic using a policy a minimum bandwidth, this will only work if the traffic limits for the WAN interface are configured correctly. Priority Defines if the traffic should be considered Normal, High or Critical.

24 Firewall Redundancy Solution DFL-1100 Switch Primary Alive Monitoring High Availability Secondary Switch Intranet

25 Key Features & Benefits DFL Security 2. Performance 3. Versatile Security Product 4. Low total cost of ownership Proprietary OS - no inherited vulnerabilities Proven, industry-standard algorithms Deep Inspection (IDS/IDP, Content Filtering) for advanced application layer security High throughput 3,000 concurrent connections 80 VPN tunnels Integrated VPN (IPSec, L2TP, PPTP) and Content Filtering High-end features, including policy-based User Authentication and Intrusion Prevention No time-consuming maintenance tasks All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore etc.

26 Key Features & Benefits DFL Security 2. Performance 3. Versatile Security Product 4. Low total cost of ownership Proprietary firmware - no inherited vulnerabilities Proven, industry-standard algorithms Deep Inspection (IDS/IDP, Content Filtering) for advanced application layer security High throughput 10,000 concurrent connections 200 VPN tunnels Integrated VPN (IPSec, L2TP, PPTP), Bandwidth Management and Content Filtering High-end features, including policy-based User Authentication and Intrusion Prevention No time-consuming maintenance tasks All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore etc.

27 1. Security Key Features & Benefits DFL-1100 Proprietary OS - no inherited vulnerabilities Proven, industry-standard algorithms Deep Inspection (IDS/IDP, Content Filtering) for advanced application layer security 2. Performance 3. Versatile Security Product 4. Low total cost of ownership High throughput 200,000 concurrent connections 1,000 VPN tunnels Integrated VPN (IPSec, L2TP, PPTP), Bandwidth Management and Content Filtering High-end features, including policy-based User Authentication and Intrusion Prevention No time-consuming maintenance tasks All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore etc. 5. High Availability Prevent single point of failure

28 D-Link Firewall Applications HEADQUARTERS/ DATA CENTER Branch OFFICE DFL-1100 DFL-700 Internet Remote VPN Client DFL-200 Remote Office VPN Client

29 DS-601/605 Gateway Failover ensure reliable connection Extensible Authentication Protocols (EAP) for secure user authentication IPSec authentication via DES, 3DES & AES encryption to ensure data security. Dead Peer Detection (DPD) for easy configuration of tunnel failover at user side. Support Dynamic Domain Name Service (DDNS) for one-click to connection Support NAT & Transparent mode.

30 Why choose DS-601/605? Base on IETF specified IPSec-conformant design compliance with industrial standard. Fully support gateway failover, EAP, DES/3DES & AES encryption, DPD, DDNS functions for easy VPN remote access. Support NAT & Transparent mode for easy communication between client and gateway. DS-601/605 Being approved & tested with whole series of D- Link NETDEFEND firewall and DI-804HV, DI- 808HV, DI-824VUP ensure users seamless connection environment.

31 DS-601/605 GUI

32 VPN stands for Virtual Private Network Virtual What is VPN? No physical circuit. It s a logical existence in the public network Private The communication between two or more network devices is confidential. Either can information be gleaned by third parties outside the communication group, nor the identities/relationships within the group can be known by any outsiders. Network A system made by numbers of devices that can communicate via some form of ways,thus sharing the information.

33 What is VPN? A private network that is configured within a public network. Common carriers have built VPNs that appear as private national or international networks to the customer, but physically share backbone trunks with other customers. VPNs enjoy the security of a private network via access control and encryption, while taking advantage of the economies of scale and built-in management facilities of large public networks. VPNs have been built over public networks such as X.25 Frame Relay(FR) Asynchronous Transfer Mode(ATM) Internet

34 types of VPN Site to site VPN Build up VPN tunnel between two VPN gateways Suitable for servicing users beyond network gateways Integrate into firewalls - D-Link firewall Client to site VPN Build up VPN tunnel between VPN gateway and remote users For commuters to access the Internet Client software is needed for encryption/decryption

35 VPN Feature Comparison Features Protocol PPTP L2TP IPSec Mode Client-server Client-server Host-to-host Purpose Remote Access via tunneling Remote Access via tunneling Intranets, extranets,remote access via tunneling OSI Layer Layer 2 Layer2 Layer3 Protocols Encapsulated IP,IPX,AppleTalk,etc IP,IPX,AppleTalk,etc IP Security User Authentication None (User PAP,CHAP,etc) None (User PAP,CHAP,etc) None (User PAP,CHAP,etc) Packet Authentication None1 None3 AH Header Packet Encryption None2 None3 ESP Header Key Management None1 None3 ISAKMP/Oakley,SKIP Tunnel Service Single point-to-point tunnel, no simultaneous Internet access Single point-to-point tunnel, no simultaneous Internet access Multi-point tunnels; simultaneous VPN and public access Note: 1.Not in standard, not offered 2. Vendor-specific implementation only 3. Refers to IPSec for implementation Source: Infonetics Research, Inc. 1997

36 PRODUCTS: DFL-Family D-Link DFL-200 D-Link DFL-700 D-Link DFL-1100 Throughput 20 Mbps 50 Mbps 250 Mbps VPN Throughput 10 Mbps 20 Mbps ~70 Mbps IDS/IDP Yes/No Yes Yes Content Filtering Partial Yes Yes Connections VPN Tunnels Policies Number of users Unlimited Unlimited Unlimited User Authentication, Max Users Ethernet Interfaces 4 x 10/ port switch (WAN, DMZ, LAN) 3 x 10/100 (WAN, LAN, DMZ) 4 x 10/100 (WAN, LAN, DMZ, AUX/Sync) Virtual LANs N/A N/A 16 Traffic Shaping No Yes Yes High Availability No No Yes Policy-based Routing No No Yes

37 Comparison Chart DFL-200 Brand D-Link Cisco NetScreen SonicWall Zyxel Model Name DFL-200 PIX-501 5GT SOHO3 ZyWALL 30W Photograph MSRP US$ 300 ~ 400 US$ 446* US$ * US$ 445* US$ 365 Main Specification Interface 1 x WAN 10/100, 1 1 x WAN, 1 x LAN 1 x WAN, 1 x LAN x DMZ, 4 x LAN 4 x 10/100 BaseTX 5 x 10 Ethernet 10BaseT, 1 x 10/100 10/100 WLAN (Upgrade) User License Unlimited 10 / 50 / Unlimited 10 / Unlimited 10 / 50 N/A Firewall Performance 75Mbps 10Mbps 75Mbps 75Mbps 25Mbps Concurrent session 3,000 3,500 2,000 3,000 N/A New sessions/second 3,000 N/A 2,000 N/A N/A Build-in DES/3DES Yes License Require Yes License Require Yes 3DES 15Mbps 3Mbps 20Mbps 20Mbps 15Mbps Dedicated VPN Tunnels NAT Traversal Yes No Yes Yes Yes Policy 500 N/A N/A Schedule Yes (256) N/A Yes (256) Yes Yes Remark: *: 10 users license only. * Price source: & ). The final selling price should be decided by yourself for each territory.

38 Comparison Chart DFL-700 Brand D-Link Cisco NetScreen SonicWall Zyxel Model Name DFL-700 PIX-506E 25 PRO 100 ZyWALL 100 Photograph MSRP US$ 548~708* US$ 890 US$ 3242 US$ 1400 US$ 950 Main Specification Interface 1x WAN, 1 x DMZ, 1 1 x WAN, 1 x DMZ, 1 x WAN, 1 x LAN 2 x 10/100BaseTX 4 x 10 Ethernet x LAN 10/100 1 x LAN 10/100 10/100 User License Unlimited Unlimited Unlimited Unlimited N/A Throughput 50Mbps 100Mbps 100Mbps 75Mbps 32Mbps VPN Throughput 20Mbps 17Mbps 20Mbps 20Mbps 16Mbps Concurrent session N/A IDP Yes Yes No No No Content Filtering Yes Yes No Yes Yes VPN Tunnels / Traffic Shaping Yes No Yes No Yes Remark: *: The price interval is from UK website, ZD.Net & Kelkoo.co.uk. * Price source: & ). The final selling price should be decided by yourself for each territory.

39 Comparison Chart DFL-1100 Brand D-Link Cisco NetScreen SonicWall Model Name DFL-1100 PIX-515E 50 PRO 300 Photograph MSRP US$ 2268~2546* US$ 2068 US$ 6500 US$ 2092 Main Specification 1 x WAN 10/100, 1 Interface x DMZ, 1 x LAN, 1 x Sync port, 2 x 10/100 BaseTX 4 x 10/100BaseTX 3 x 10/100BaseTx 10/100 Firewall Performance 250Mbps 188Mbps 170Mbps 190Mbps Concurrent session 200, ,000 32, ,000 New sessions/second 8,000 N/A 7,000 N/A Build-in DES/3DES Yes License Require Yes Yes 3DES 34Mbps 63Mbps 50Mbps 45Mbps AES 84Mbps No Yes No Dedicated VPN Tunnels 1,000 2, ,000 NAT Traversal Yes No Yes Yes Policy 2,000 N/A 1, Remark: *: The price interval retrive from UK website, * Price source: & ). The final selling price should be decided by yourself for each territory.

40 THANK YOU