HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R
HughesNet Managed Broadband Network Services include a high level of end-to-end security, built on a robust architecture designed by Hughes to meet the needs of the enterprise customer.

FEB 2009
White Paper

Introduction

Hughes provides HughesNet managed broadband network services to enterprise customers. As part of the managed services umbrella, Hughes maintains a high level of end-to-end security. From a Hughes perspective, end-to-end is defined as the path from the remote CPE demarcation point, through the Hughes NOC, to the backhaul terminating at the customer data center. Hughes is aware of the importance of both data and network security and has designed a robust architecture that addresses the needs of its customers. This paper describes the security functions, features, and safeguards at each point in the customer's network, with detailed information on the CPE, the Network Operations Center (NOC), and the backhaul. Figure 1 illustrates the end-to-end architecture for an enterprise private network.

Figure 1. Enterprise Network
Customer Premise Equipment (CPE)

The HN7700S-R CPE is a custom-designed platform, using Hughes-developed proprietary hardware and software to deliver private WAN networking over a wide range of connectivity options. The router may be deployed behind any IP WAN access, including private or public (Internet) connections, to a Hughes Network Operations Center (NOC), where it communicates with an IP Gateway, another Hughes-developed proprietary platform, which connects to the customer's data center network. Hughes uses the HN7700S-R to manage the HughesNet broadband VPN service.

The HN7700S-R router connects to a modem (not shown in any diagram) in order to transmit and receive traffic over the broadband access network (for example, DSL, cable, or wireless). The modem serves as a Layer 2 bridge and has no routing functionality; the HN7700S-R provides all the Layer 3 routing, security, and management functions. Figure 2 shows the HN7700S-R in the access network.

Figure 2. Hughes Enterprise Access Network

It is important to understand that the HN7700S-R is not an Internet access router. Rather, it is a secure tunneling router that uses the Internet as a transport. The router's ACL enforces the rule that all traffic is sent over the AES IPSec tunnel. The HN7700S-R must always interoperate with and connect to a Hughes IP Gateway hosted at the Hughes NOC. Between the two devices, Hughes establishes, maintains, and monitors an AES IPSec tunnel. Within the AES IPSec tunnel, Hughes establishes, maintains, and monitors a Performance Enhancement Proxy (PEP) tunnel. The PEP tunnel accelerates traffic between the CPE and the Hughes NOC and is part of the Hughes WAN Optimization feature. All management traffic is also carried inside the AES IPSec tunnel, including the ICMP pings used to determine the up/down status of the remote site. This ensures that there is no out-of-band attack vector through which an attacker could compromise the network via the CPE's WAN connection: only packets that are successfully decrypted and authenticated may be consumed by the management software. In addition, a Hughes-proprietary SDL protocol is used to communicate configuration information.
The AES IPSec tunnel provides encryption and integrity protection for all data traffic from the remote site to the Hughes NOC and back. Hughes has both Layer 2 and Layer 3 broadband access architectures. With either option, the access network provides connectivity only between the remote site and the Hughes NOC; no other connectivity is allowed, since these are private connections. With Layer 3, the Internet is used as the transport network and the AES IPSec VPN tunnel is administered to maintain security. With the HN7700S-R, the same AES IPSec VPN tunnel used in the Layer 3 case is also used in the Layer 2 case.

The HN7700S-R has many built-in security safeguards.

First, the HN7700S-R is designed to transmit and receive traffic only with the AES IPSec tunnel established. If the tunnel is not functioning correctly, data is not sent; likewise, if there is a security misconfiguration, the router does not transmit. The router cannot send traffic to the open Internet and over the AES IPSec tunnel simultaneously, as it has no split-tunnel functionality. The IPSec tunnel uses the Internet Key Exchange (IKE) protocol between the HN7700S-R and the IP Gateway to dynamically negotiate random encryption keys, which are periodically refreshed. The initial pre-shared key is a strong key generated and stored in encrypted form in a central database and downloaded to the remote sites via a secure management communications channel. IPSec packets are encapsulated in UDP on a Hughes-assigned port for transport over the WAN. Only packets addressed to the HN7700S-R on that port from the configured IP Gateway's IP address are passed to the IPSec stack, and of those, only packets that decrypt and authenticate correctly are processed further by the software. In addition, the IPSec tunnel is only ever initiated by the HN7700S-R; the software has no provision for accepting an incoming IPSec request, which precludes an attack by an impostor IP Gateway.

Second, the HN7700S-R does not answer any third-party destination on the Internet from its public IP address, even if a third party attempts to attack the site. The public IP address is known only to the Hughes NOC. Even if a third party were to port-scan the HN7700S-R (not possible at all in the Layer 2 scenario, since that is a private connection), nothing would be sent back, as the router responds only to ICMP echo.

Third, the HN7700S-R can establish a connection only with the Hughes IP Gateway hosted in the Hughes NOC. Even if a third party were to reach the HN7700S-R (notwithstanding the previous paragraph), it would not be able to communicate unless there was a properly configured Hughes IP Gateway on the opposite side. This protection rests on the IKE authentication against the pre-shared key and on the CPE never accepting an inbound tunnel request; in addition, since the connection between the HN7700S-R and the Hughes IP Gateway is proprietary, it is not feasible to replicate this function with a phony Hughes IP Gateway. Although there is currently no logging functionality on the HN7700S-R, such logging is of limited value from a security standpoint, since the only destination to which data traffic can be sent is the Hughes IP Gateway at the NOC.

Fourth, there is no local (LAN) access to the HN7700S-R to view or modify its configuration. Hence, there is no unauthorized way to alter the configuration to gain access to the network.
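The forwarding policy just described (a positive allow-list on the WAN side, fail-closed LAN forwarding with no split tunnel, and IKE initiated only by the CPE toward its configured gateway), together with the matching WAN-side filter the NOC section below attributes to the Hughes Inet router and IP Gateway (only the tunnel's UDP port from the expected peer, plus ICMP echo), modelled as an added Python example. This is not Hughes code and does not describe the HN7700S-R's implementation; the gateway address 203.0.113.10, the UDP port 4500 standing in for the Hughes-assigned port, the packet representation and the sample traffic are all assumptions constructed for the example.

```python
"""Model of the HN7700S-R WAN/LAN forwarding policy described in the paper.

Added example, not Hughes code. Assumed values: the configured IP Gateway
address (203.0.113.10, a documentation address), the Hughes-assigned UDP
port (4500 stands in for it) and the Packet representation below.
"""
from dataclasses import dataclass
from typing import List, Optional

GATEWAY_IP = "203.0.113.10"   # assumption: the one IP Gateway this CPE is configured for
HNR_UDP_PORT = 4500           # assumption: stand-in for the Hughes-assigned UDP port
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "udp", "tcp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class TunnelRouter:
    wan_ip: str
    gateway_ip: str = GATEWAY_IP
    udp_port: int = HNR_UDP_PORT
    tunnel_up: bool = False         # no SA yet: the CPE has to bring it up first
    config_valid: bool = True

    def wan_ingress(self, pkt: Packet) -> str:
        """WAN side: 'ipsec' (handed to the IPsec stack), 'icmp-reply', or 'drop'.

        The source/port match is a positive allow-list; anything not on it
        falls through to the final drop, so no other service is reachable.
        """
        if pkt.dst != self.wan_ip:
            return "drop"
        if (pkt.proto == "udp" and pkt.src == self.gateway_ip
                and pkt.dport == self.udp_port):
            return "ipsec"          # still has to decrypt and authenticate
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
            return "icmp-reply"     # the one non-tunnel response the paper mentions
        return "drop"

    def lan_egress(self, pkt: Packet) -> str:
        """LAN side: 'tunnel' or 'drop'. There is no 'internet' outcome (no split tunnel)."""
        if not self.config_valid or not self.tunnel_up:
            return "drop"           # fail closed rather than leak plaintext to the WAN
        return "tunnel"

    def ike_allowed(self, peer_ip: str, inbound: bool) -> bool:
        """IKE is only ever initiated by the CPE, and only toward the configured gateway."""
        return (not inbound) and peer_ip == self.gateway_ip


def walk(router: TunnelRouter, wan_pkts: List[Packet]) -> List[str]:
    """Apply the WAN ingress policy to a batch of packets and return the verdicts."""
    return [router.wan_ingress(p) for p in wan_pkts]


# Constructed traffic sample (documentation addresses only).
CPE_WAN_IP = "198.51.100.7"
SAMPLE_WAN = [
    Packet(GATEWAY_IP, CPE_WAN_IP, "udp", 4500, HNR_UDP_PORT),     # tunnel traffic from the gateway
    Packet("192.0.2.99", CPE_WAN_IP, "udp", 4500, HNR_UDP_PORT),   # right port, wrong peer
    Packet("192.0.2.99", CPE_WAN_IP, "tcp", 40000, 80),            # a port-scan probe
    Packet("192.0.2.99", CPE_WAN_IP, "icmp", icmp_type=ICMP_ECHO_REQUEST),
    Packet(GATEWAY_IP, "198.51.100.8", "udp", 4500, HNR_UDP_PORT), # not addressed to us
]

if __name__ == "__main__":
    r = TunnelRouter(wan_ip=CPE_WAN_IP)
    for pkt, verdict in zip(SAMPLE_WAN, walk(r, SAMPLE_WAN)):
        print(f"{pkt.src:>14} -> {pkt.dst} {pkt.proto:<4} {verdict}")
    lan = Packet("10.0.0.5", "192.0.2.50", "tcp", 5000, 443)
    print("LAN before tunnel:", r.lan_egress(lan))
    r.tunnel_up = r.ike_allowed(GATEWAY_IP, inbound=False)
    print("LAN after tunnel: ", r.lan_egress(lan))
```

The point of the model is the shape of the rules, not the values: WAN ingress is an allow-list with a default drop, the LAN side has no path that bypasses the tunnel, and the only outcome when the tunnel or configuration is bad is to stop forwarding.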
Figure 3 shows, at a high level, the protocol stack and packet flow for user traffic entering the HN7700S-R from the WAN.

Figure 3. HN7700S-R Stack Architecture, Data Plane (WAN side: PHY 10/100BaseT/TX, Ethernet link layer, optional PPPoE, IP, then only UDP-encapsulated IPSec and ICMP, marked "No Other Services"; LAN side: PHY 10/100BaseT/TX, Ethernet, IP with optional NAT, TCP spoofer (PEP), HTTP acceleration (TurboPage), and local services such as the web server, DNS proxy and DHCP server)

The most important element of this diagram regarding security is the red box at the top, "No Other Services". As a purpose-built router, the HN7700S-R has no services accessible from the WAN interface other than the encapsulated IPSec tunnel, which is initiated by the router itself. This is different from an off-the-shelf router with an ACL. A commercial router runs a number of services that must be explicitly blocked via configuration to close off possible attack vectors, because such routers are designed to accept and transmit packets on all interfaces and their IP stack is common to both the WAN and LAN sides: all packets are received and routed according to a common set of instructions, so a WAN interface and a LAN interface operate in the same way, with the same functionality. While this provides flexibility, it also necessitates a complex set of ACLs that must be managed to allow only the desired access from the WAN interface. Figure 4 shows a simplified example of an off-the-shelf router.

Figure 4. Off-the-shelf Router Stack Architecture, Data Plane (a single IP stack with an ACL list shared by the WAN and LAN interfaces, above which TCP services such as a web server, Telnet, DNS proxy and DHCP server, and UDP services such as TFTP and SNTP, are reachable from either side)
With the HN7700S-R, the protocol stacks are separate all the way through, not just at the jacks themselves. This provides the unique advantage of seamlessly protecting all access to the device from the WAN interface. With the exception of encrypted IPSec packets, no traffic is accepted from the WAN interface. Hence, the HN7700S-R does not require specific configuration to block access to services that might have exploitable security vulnerabilities. For example, there is no risk of an attacker exploiting a buffer overrun in an on-board web server, since no software in the device has any innate capability of processing Internet-sourced packets.

The following output of an exhaustive nmap probe (every TCP port, then every UDP port) shows that there are no services listening on the WAN interface of the HN7700S-R; the device does not process or respond on any port or protocol.

    Starting Nmap 4.62 ( ) at :42 EST
    Initiating ARP Ping Scan at 09:42
    Scanning [1 port]
    Completed ARP Ping Scan at 09:42, 0.00s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 09:42
    Completed Parallel DNS resolution of 1 host. at 09:42, 0.70s elapsed
    Initiating SYN Stealth Scan at 09:42
    Scanning [65536 ports]
    SYN Stealth Scan Timing: About 2.14% done; ETC: 10:05 (0:22:53 remaining)
    Completed SYN Stealth Scan at 10:05, s elapsed (65536 total ports)
    Host appears to be up ... good.
    All scanned ports on are filtered
    MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)
    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in seconds
    Raw packets sent: (5.767MB) | Rcvd: 1 (42B)

    Starting Nmap 4.62 ( ) at :43 EST
    Initiating ARP Ping Scan at 09:43
    Scanning [1 port]
    Completed ARP Ping Scan at 09:43, 0.00s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 09:43
    Completed Parallel DNS resolution of 1 host. at 09:43, 0.78s elapsed
    Initiating UDP Scan at 09:43
    Scanning [65536 ports]
    UDP Scan Timing: About 2.14% done; ETC: 10:07 (0:22:53 remaining)
    Completed UDP Scan at 10:06, s elapsed (65536 total ports)
    Host appears to be up ... good.
    All scanned ports on are open|filtered
    MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)
    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in seconds
    Raw packets sent: (3.670MB) | Rcvd: 1 (42B)

The only response received in each run was to the initial ping: the single 42-byte packet in the Rcvd counter is the reply to nmap's ARP ping, which also shows that the scanner was on the same Ethernet segment as the WAN port. No TCP or UDP port answered at all. Nmap reports a TCP port as "filtered" when neither a SYN/ACK nor a RST comes back, and a UDP port as "open|filtered" when nothing comes back, which is exactly what a device that silently drops everything except its tunnel traffic looks like from the outside. Even the ability to respond to ICMP Echo Requests (pings) could be disabled, if it were not needed. To date, there has never been a successful penetration of a HughesNet customer network from the outside world.
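An added Python helper, not from the paper, that reads an nmap verbose text report and decides whether any port actually answered, so an "all filtered" result like the one above can be checked mechanically instead of by eye. A port that nmap calls open, closed or unfiltered has by definition sent something back; only the filtered and open|filtered states are consistent with a device that never replies. The sample reports embedded below are constructed to mirror the shape of the quoted output, with the documentation address 192.0.2.1 standing in for the elided target and made-up timings and packet counts; the report with open ports is a contrasting case the paper does not show.

```python
"""Decide from an nmap text report whether a host's WAN side answered anything.

Added example, not from the Hughes paper. The sample reports are constructed;
addresses are documentation ranges and the counts/timings are invented.
"""
import re
from typing import Dict, List, Optional, Tuple

ALL_PORTS_RE = re.compile(r"^All (?:\d+ )?scanned ports on \S+ are ([\w|]+)", re.M)
PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)", re.M)
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) ([\w|]+) ports", re.M)
RCVD_RE = re.compile(r"Rcvd: (\d+) \(", re.M)

# Port states that can only arise from a packet the target sent back.
ANSWERED = {"open", "closed", "unfiltered"}
# States nmap assigns when nothing came back at all.
SILENT = {"filtered", "open|filtered"}

PortEntry = Tuple[int, str, str, str]   # (port, proto, state, service)


def summarize(report: str) -> Dict[str, object]:
    """Pull the port table, the 'All ... are X' summary and the Rcvd counter out of a report."""
    m = ALL_PORTS_RE.search(report)
    all_state: Optional[str] = m.group(1) if m else None
    ports: List[PortEntry] = [(int(p), proto, state, svc)
                              for p, proto, state, svc in PORT_LINE_RE.findall(report)]
    answered = [entry for entry in ports if entry[2] in ANSWERED]
    ns = NOT_SHOWN_RE.search(report)
    not_shown = (int(ns.group(1)), ns.group(2)) if ns else None
    r = RCVD_RE.search(report)
    rcvd = int(r.group(1)) if r else None
    return {"all_ports_state": all_state, "ports": ports, "answered": answered,
            "not_shown": not_shown, "rcvd_packets": rcvd}


def wan_is_silent(report: str) -> bool:
    """True only if no TCP/UDP port produced any reply (the property claimed for the HN7700S-R)."""
    s = summarize(report)
    if s["answered"]:
        return False
    if s["all_ports_state"] in SILENT:
        return True
    # Per-port listing: every listed port and the 'Not shown' background must be a no-reply state.
    ports = s["ports"]
    background_ok = s["not_shown"] is None or s["not_shown"][1] in SILENT
    return bool(ports) and background_ok and all(p[2] in SILENT for p in ports)


# Constructed sample 1: shape of the SYN scan quoted in the paper, target elided there.
SAMPLE_SILENT_SYN = """\
Starting Nmap 4.62 ( ) at 09:42 EST
Initiating ARP Ping Scan at 09:42
Completed ARP Ping Scan at 09:42, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:42
Scanning 192.0.2.1 [65536 ports]
Completed SYN Stealth Scan at 10:05, 1373.40s elapsed (65536 total ports)
Host 192.0.2.1 appears to be up ... good.
All 65536 scanned ports on 192.0.2.1 are filtered
MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)
Nmap done: 1 IP address (1 host up) scanned in 1374.52 seconds
Raw packets sent: 131073 (5.767MB) | Rcvd: 1 (42B)
"""

# Constructed sample 2: the UDP run, where a silent host shows up as open|filtered.
SAMPLE_SILENT_UDP = """\
Starting Nmap 4.62 ( ) at 09:43 EST
Initiating UDP Scan at 09:43
Scanning 192.0.2.1 [65536 ports]
All 65536 scanned ports on 192.0.2.1 are open|filtered
MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)
Raw packets sent: 65536 (3.670MB) | Rcvd: 1 (42B)
"""

# Constructed sample 3: a host that does answer (an off-the-shelf router, say).
SAMPLE_OPEN = """\
Starting Nmap 4.62 ( ) at 09:50 EST
Interesting ports on 192.0.2.2:
Not shown: 65533 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
MAC Address: 00:11:22:33:44:55 (Unknown)
Raw packets sent: 131080 (5.768MB) | Rcvd: 17 (748B)
"""

if __name__ == "__main__":
    for name, rep in (("SYN", SAMPLE_SILENT_SYN), ("UDP", SAMPLE_SILENT_UDP), ("open", SAMPLE_OPEN)):
        s = summarize(rep)
        print(f"{name:>4}: silent={wan_is_silent(rep)} rcvd={s['rcvd_packets']} answered={s['answered']}")
```

The check deliberately treats "closed" as a response: a RST proves there is an IP stack willing to talk on that interface, which is exactly what the paper says the HN7700S-R's WAN side lacks.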
Network Operations Center (NOC)

In the Hughes NOC, many devices are deployed to provide a high level of service functionality, as well as to maintain and enforce robust security. The Hughes NOC has several functions. First, it aggregates traffic from the remote sites regardless of the access transport used. Second, it provides connectivity to third-party entities such as credit processors. Third, it hosts the HughesNet proactive monitoring service. Fourth, it provides connectivity to the data center(s) via a backhaul. All these functions are supported and maintained in a highly secure environment. Figure 5 shows the Hughes NOC architecture.

Figure 5. Hughes NOC

All NOC equipment requires SSL-protected management access with two-factor authentication, and each authentication request is logged through an RSA server. This is a standard Hughes security practice to ensure that only authorized personnel have access to the network.

Remote Site Aggregation

Three NOC devices assist in aggregating remote site traffic: the DSL Provider Edge (PE) router, the Hughes Internet (Inet) router, and the Hughes IP Gateway. The DSL PE router and the Hughes Inet router have similar functions. Both directly aggregate traffic, but the DSL PE router supports the Layer 2 network and the Hughes Inet router supports the Layer 3 network. Both routers forward data through the Hughes IP Gateway and the enterprise LAN for transmission to the data center(s) or the credit card processor network.

The DSL PE router has no connection to the Internet. It only aggregates sites served via a private Layer 2 connection, so there is inherently no threat from third-party attacks from the Internet. The only possible attack would come from within the network via a remote site, but since the HN7700S-R configuration cannot be accessed from the remote site, there is no way to alter it to admit a rogue user.

The Hughes Inet router has access to the Internet to aggregate traffic from sites using the Layer 3 architecture. Its ACL admits only HNR UDP traffic and ICMP echo, both of which come only from the HN7700S-R; any other traffic is dropped. So, any third party attempting to gain access to the network would have to emulate a remote site's IP address and the proprietary transport protocols used by the HN devices. Penetration tests and port scans are conducted on the Hughes Inet router every three months, per the PCI standard.

The Hughes IP Gateway is the ultimate traffic aggregation device. As mentioned earlier, it terminates the AES IPSec tunnel and the PEP tunnel from the remote HN7700S-R. To accommodate this tunnel, the Hughes IP Gateway accepts only traffic destined for the tunnel's UDP port, enforced by a software packet filter. So, even if a third party launched an attack from the Internet, the traffic would be dropped, because it would not be in the proper packet format, port, or protocol. Moreover, the Hughes IP Gateway admits only remote HN7700S-Rs holding the correct keys. Lastly, as an additional safeguard, the Hughes IP Gateway does not allow site-to-site connectivity: if there were ever an issue with a remote site in spite of the precautions above, that issue would be localized to the site and would not affect the rest of the network.

Third Party Network Connectivity

The credit processor routers communicate directly with the credit processor network, over either private line access or public secure VPN access. Regardless of the architecture, Hughes, together with the credit card processor, ensures security. The Hughes demarcation point is the WAN side of the NAT router. The credit processor routers, collocated at the Hughes NOC, are managed by the third party, not by Hughes.

Hughes Proactive Monitoring Service

The Hughes Proactive Monitoring router pings the remote sites and carries no live enterprise traffic. The proactive monitoring traffic consists of Hughes-initiated pings. This management traffic is transmitted over the same AES IPSec tunnel as the enterprise data traffic.

Optional Firewalls

Hughes provides optional firewalls in the NOC. One firewall protects the enterprise LAN from viruses or anomalous traffic, so that if a remote site is affected, the impact can be quarantined to that site and kept away from the corporate network. The second optional firewall provides secure Internet access via the NOC, either open or fenced (white list), and protects the enterprise LAN and remote sites against security threats from the Internet.

Backhaul Connectivity

The Hughes NOC also supports backhaul connectivity to the data center(s), as described in the next section.
Backhaul

The backhaul network connects the Hughes NOC to the customer data center(s). The NOC backhaul routers connect to the enterprise network routers at the data center(s). There are two architectures for the backhaul.

First, a private line backhaul, supported by the enterprise backhaul router at the NOC. This router connects to an enterprise router on the enterprise network at the data center. As with all equipment in the NOC, both routers require SSL-protected management access with two-factor authentication, and the authentication request is logged through an RSA server.

Second, an IPSec VPN tunnel from the NOC to the data center(s), supported by the enterprise backhaul VPN router connected to the enterprise router at the data center. Both routers have restricted ACLs that permit only IPSec from the VPN peer on the Internet interface. The IPSec VPN uses 3DES encryption, authenticated with a pre-shared secret key, with a 15-minute key lifetime. (3DES has since been deprecated by NIST; AES, as already used on the CPE tunnel, is the current recommendation for new deployments.) There is no NAT for end-user client Internet access. As explained above, SSL-protected management access with two-factor authentication is required, with the authentication request logged through an RSA server. Figure 6 shows the backhaul architecture.

Figure 6. Backhaul Architecture
Security Management

Hughes has been evaluated on various business practices against the Payment Card Industry (PCI) standards. In addition to the configuration of the network, Hughes takes pride in the processes and procedures that maintain this level of security. These include a structured and consistent installation procedure ensuring that only the correct configurations are deployed in the network, and only by authorized personnel. Any change to the network configuration is first reviewed and verified in a test environment before being launched in production by authorized personnel. All critical NOC component configurations are reviewed, and anti-virus programs are run, on a consistent basis. Additionally, Hughes has a process in place to identify new security risks and to test the network for vulnerabilities. Unauthorized access to a critical NOC component is logged. Lastly, Hughes strictly adheres to both physical and logical security: only authorized personnel are allowed in controlled areas, and two-factor authentication is consistently used for logical access to sensitive equipment.

Summary

Hughes has an extremely comprehensive network security system. From the CPE to the NOC to the backhaul, all components have robust security. This is supported by the successful PCI review of the HughesNet Managed Network Services solution. By adhering to PCI standards, Hughes not only provides strong protection and security for customer traffic, but its processes and procedures for implementation, monitoring, and change management also provide for continuous improvement. The end result is a highly secure and reliable managed broadband VPN service for the enterprise customer.

Proprietary Statement

All rights reserved. This publication and its contents are proprietary to Hughes Network Systems, LLC. No part of this publication may be reproduced in any form or by any means without the written permission of Hughes Network Systems, LLC, Exploration Lane, Germantown, Maryland.

HUGHES, HughesNet, IPoS, TurboPage, SPACEWAY, AIReach, Broadband Unbound, and Connect to the future are trademarks of Hughes Network Systems, LLC. All other trademarks are the property of their respective owners. Hughes Network Systems, LLC. All information is subject to change. All rights reserved.

HUGHES PROPRIETARY H39058 ID FEB
IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express
More informationInternet Security Specialist Compaq Computer
Internet Security Specialist Compaq Computer Proof of Concept Partners Projects Workshop Seminars Customer Briefings Compaq White Paper Performance White Papers ASE Symposium $40-80 billion potential
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationIPsec VPN Security between Aruba Remote Access Points and Mobility Controllers
IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Application Note Revision 1.0 10 February 2011 Copyright 2011. Aruba Networks, Inc. All rights reserved. IPsec VPN Security
More informationChapter 4 Firewall Protection and Content Filtering
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.
More informationUIP1868P User Interface Guide
UIP1868P User Interface Guide (Firmware version 0.13.4 and later) V1.1 Monday, July 8, 2005 Table of Contents Opening the UIP1868P's Configuration Utility... 3 Connecting to Your Broadband Modem... 4 Setting
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationThe next generation of knowledge and expertise Wireless Security Basics
The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com
More informationLab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM
Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Objective Scenario Topology In this lab, the students will complete the following tasks: Prepare to configure Virtual Private Network (VPN)
More informationTable of Contents. Introduction
viii Table of Contents Introduction xvii Chapter 1 All About the Cisco Certified Security Professional 3 How This Book Can Help You Pass the CCSP Cisco Secure VPN Exam 5 Overview of CCSP Certification
More informationCconducted at the Cisco facility and Miercom lab. Specific areas examined
Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security
More informationHow To - Setup Cyberoam VPN Client to connect to a Cyberoam for the remote access using preshared key
How To - Setup Cyberoam VPN Client to connect to a Cyberoam for the remote access using preshared key How To - Setup Cyberoam VPN Client to connect to a Cyberoam for the remote access using preshared key
More informationWICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise
WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents
More informationFirewall Defaults and Some Basic Rules
Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
More informationZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004
ZyWALL 5 Internet Security Appliance Quick Start Guide Version 3.62 (XD.0) May 2004 Introducing the ZyWALL The ZyWALL 5 is the ideal secure gateway for all data passing between the Internet and the LAN.
More informationSecure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity
Secure Remote Monitoring of the Critical System Infrastructure An Application Note from the Experts in Business-Critical Continuity TABLE OF CONTENTS Introduction................................................2
More informationReverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006
Reverse Shells Enable Attackers To Operate From Your Network Richard Hammer August 2006 Reverse Shells? Why should you care about reverse shells? How do reverse shells work? How do reverse shells get installed
More informationISG50 Application Note Version 1.0 June, 2011
ISG50 Application Note Version 1.0 June, 2011 Scenario 1 - ISG50 is placed behind an existing ZyWALL 1.1 Application Scenario For companies with existing network infrastructures and demanding VoIP requirements,
More informationCisco RV180 VPN Router
Data Sheet Cisco RV180 VPN Router Secure, high-performance connectivity at a price you can afford. Figure 1. Cisco RV180 VPN Router (Front Panel) Highlights Affordable, high-performance Gigabit Ethernet
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationMANAGED SECURITY SERVICES
MANAGED SECURITY SERVICES Security first Safety first! Security is becoming increasingly important for companies, especially for the extension of networking to mission-critical environments, with new intranet
More information- Introduction to PIX/ASA Firewalls -
1 Cisco Security Appliances - Introduction to PIX/ASA Firewalls - Both Cisco routers and multilayer switches support the IOS firewall set, which provides security functionality. Additionally, Cisco offers
More informationViewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355
VPN This chapter describes how to configure Virtual Private Networks (VPNs) that allow other sites and remote workers to access your network resources. It includes the following sections: About VPNs, page
More informationProtecting a Corporate Network with ViPNet. Best Practices in Configuring the Appropriate Security Level in Your ViPNet Network
Protecting a Corporate Network with ViPNet Best Practices in Configuring the Appropriate Security Level in Your ViPNet Network Introduction Scope ViPNet technology protects information systems by means
More informationInnominate mguard Version 6
Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489
More informationCONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK
1 Chapter 10 CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK Chapter 10: CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK 2 OVERVIEW Configure and troubleshoot the TCP/IP protocol Connect to a wireless
More informationInternet Security Firewalls
Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA
More informationNovell Access Manager SSL Virtual Private Network
White Paper www.novell.com Novell Access Manager SSL Virtual Private Network Access Control Policy Enforcement Compliance Assurance 2 Contents Novell SSL VPN... 4 Product Overview... 4 Identity Server...
More information1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network
WP 1004HE Part 5 1. Cyber Security White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network Table of Contents 1. Cyber Security... 1 1.1 What
More informationDigi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering
Introduction Digi Connect Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering The Digi Connect supports five features which provide security and IP traffic forwarding when using incoming
More informationConfiguring an IPsec VPN to provide ios devices with secure, remote access to the network
Configuring an IPsec VPN to provide ios devices with secure, remote access to the network This recipe uses the IPsec VPN Wizard to provide a group of remote ios users with secure, encrypted access to the
More informationSafeguards Against Denial of Service Attacks for IP Phones
W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)
More informationForeScout CounterACT. Device Host and Detection Methods. Technology Brief
ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...
More informationEndpoint Security VPN for Mac
Security VPN for Mac E75 Release Notes 8 April 2012 Classification: [Protected] 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by
More informationMicrosoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.
Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc. Foundstone Labs October, 2003 Table of Contents Table of Contents...2 Introduction...3 Scope and Approach...3
More informationGigabit Multi-Homing VPN Security Router
As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is a ideal to help the SMBs increase the broadband
More informationIP-VPN Architecture and Implementation O. Satty Joshua 13 December 2001. Abstract
Abstract Virtual Private Networks (VPNs) are today becoming the most universal method for remote access. They enable Service Provider to take advantage of the power of the Internet by providing a private
More informationAbout Firewall Protection
1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote
More informationTotal solution for your network security. Provide policy-based firewall on scheduled time. Prevent many known DoS and DDoS attack
Network Security Total solution for your network security With the growth of the Internet, malicious attacks are happening every minute, and intruders are trying to access your network, using expensive
More informationGigabit Multi-Homing VPN Security Router
Gigabit Multi-Homing VPN Security Router Physical Port 1~2 x 10/100/1000 Base-T RJ-45, configurable with LAN 1 (Mirror Port) 3~4 x 10/100/1000 Base-T RJ-45, configurable with WAN 4 (WAN 4 / LAN2 / DMZ)
More informationSonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging
SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION:
More informationVirtual Private Networks Secured Connectivity for the Distributed Organization
Virtual Private Networks Secured Connectivity for the Distributed Organization FORTINET VIRTUAL PRIVATE NETWORKS PAGE 2 Introduction A Virtual Private Network (VPN) allows organizations to securely connect
More informationLecture 17 - Network Security
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat
More informationRemote Connectivity for mysap.com Solutions over the Internet Technical Specification
Remote Connectivity for mysap.com Solutions over the Technical Specification June 2009 Remote Connectivity for mysap.com Solutions over the page 2 1 Introduction SAP has embarked on a project to enable
More informationCisco RV082 Dual WAN VPN Router Cisco Small Business Routers
Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers Secure Remote Access at the Heart of the Small Business Network Highlights Dual WAN connections for load balancing and connection redundancy
More informationBT Business Broadband
Small Office Network Guide BT Business Broadband with the BT Business Hub www.btbroadbandoffice.com Notice to users Updates and additions to software may require an additional charge. Subscriptions to
More informationNetwork Virtualization Network Admission Control Deployment Guide
Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus
More informationManaging Digital Signage Over 3G Using Intel Active Management Technology (Intel AMT)
WHITE PAPER Intel vpro Technology Embedded Computing Managing Digital Signage Over 3G Using Intel Active Management Technology (Intel AMT) Implementing out-of-band (OOB) secure advanced remote management
More informationWHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems
WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for
More informationChapter 4 Security and Firewall Protection
Chapter 4 Security and Firewall Protection This chapter describes how to use the Security features of the ProSafe Wireless ADSL Modem VPN Firewall Router to protect your network. These features can be
More information