SECURITY ACCESS AND DATA FLOW CONTROL IN NETWORKS

Transcription

1 SECURITY ACCESS AND DATA FLOW CONTROL IN NETWORKS

2 Since it significantly increases the usability and value of business information systems, networking within the information systems and between them proves indispensable these days. Modern methods of working and doing business, as well as high market competitiveness all require a fast and reliable flow of large amounts of data to which users can access via different devices such as PC, tablet PC, or smartphone. Such interconnection of devices and systems may only be provided through high-performance, reliable and secure networks. Security risks (intrusion, interference with the functioning, etc.) inevitably brought with the interconnectedness of modern information and communication systems, can only be tackled by using appropriate mechanisms. NIL has more than 15 years of experience in designing and implementing security solutions and systems in the most complex and demanding environments, such as financial and government institutions, the army and the police, public administration and public institutions, international corporations and other institutions. Within the IT-organizations' infrastructure we plan, conduct and manage the access control systems, such as edge authentication and compliance (802.1x, NAC, NAP), firewalls, IPS and content control systems (e.g. content and Web access). Therefore, our recommendation to businesses and organizations is to introduce state of the art security mechanisms into their networks. Using network security solutions provided by NIL brings the following benefits: ability to operate in high risk environments; by introducing appropriate security mechanisms you can also use high risk environments in your business (e.g. internet or other public network infrastructures); affordable investment in network technology to reduce risks; since they include no unnecessary security countermeasures, NIL's environment-customised solutions prove cost-optimal; greater risk reduction compared to generic solutions; addressing specific environments, NIL's solutions bring significant improvement in risk management compared to generic solutions; In implementing the security solutions NIL is taking network security planning approaches that have already been proven, and technological blocks provided by Systems, IBM, F5, RSA. Acronis and Palo Alto, all confirmed by following certifications: Advanced Borderless Network Architecture Specialization ATP Identity Services Engine Advanced Security Specialization RSA SecurWorld Solution Partner our solutions apply to a wide range of environments; our network security solutions can be implemented in a variety of environments ranging from conventional to modern virtualised network infrastructures (e.g. private or hybrid cloud). F5 UNITY Partner Program IBM Advanced Business Partner Acronis Autorized Partner Palo Alto Networks Gold Partner

3 RISK REDUCTION SCOPE SOLUTION / TECHNOLOGY PARTNERS RISK REDUCTION SCOPE SOLUTION / TECHNOLOGY PARTNERS Focused protection of systems and applications against network intrusions Designing and construction of network firewalls including intrusion prevention systems, and content and transaction monitoring systems. These include firewalls (provided by ASA, ASAv, Palo Alto), attack detection and prevention systems ( Firepower), network content viewing systems ( and Web Security, AMP, Palo Alto), web application protecting systems (F5), identity management systems ( ACS, ISE, CDA), and centralised tools for data collection, analysis, communication, and reporting (IBM QRadar). IBM Palo Alto F5 Detection of intrusion and suspicious activities within the entire communication and information system infrastructure Consolidation of underlying network infrastructure Environment-adjusted safety information management systems based on IBM Qradar technology. Solutions for implementation and verification of security controls within the core network infrastructure. IBM Service provided by NIL Protection of sensitive, confidential and personal information during transfer through untrustworthy networks Detailed planning of powerful and reliable solutions for cryptographic transfer security, based on IOS, ASA, and AnyConnect technologies Secure network multi-tenancy Tailored solutions for coexistence of several organizations on the same network infrastructure. Service provided by NIL Secure solutions for remote mobile users Mobile device management solutions User-friendly solutions for remote access and work from remote locations based on the integrated SSL VPN solutions provided by Systems, and strong authentication systems by RSA Security. We enable centralised management for user mobile devices based on MobileIron system. RSA MobileIron Monitoring of access to networks and ensuring of network members' compliance Manageable and scalable access control solutions based on 802.1x, NAC, NAP and ISE technologies for wired, wireless and VPN network access.

4 FOCUSED PROTECTION OF SYSTEMS AND APPLICATIONS AGAINST NETWORK INTRUSIONS The solutions to prevent systems and applications from intrusions from network form one of the basic groups of network security solutions. Traditionally, these solutions are implemented together with firewall systems to execute the following mechanisms: network access minimisation according to security policy, for which the conventional traffic analysis technologies on OSI levels 2-7 are used. These firewall blocks are designed and implemented by NIL, mostly by using ASA, F5 Big-IP, and IOS technologies; detection and prevention of the known intrusions through the mechanisms of detection for signatures of attacks and traffic anomalies on IPS blocks (Intrusion Prevention System). Firewall blocks are planned and implemented by NIL, largely by using FirePower; data flow control by analysing the data and minimising the flow, or by searching for known sensitive or harmful data. Through these, for example, systems may be prevented from unwanted (e.g. ), dangerous, or business or ethically inappropriate content. Furthermore, any intentional or unintentional leakage of data from the organization can also be prevented (DLP - Data Leakage Prevention). These firewall blocks are designed and implemented by NIL, mostly by using and Web Security technologies; application-tailored web security services by using methods for verifying the accuracy and minimising the application data based on F5 burden distribution technologies and data firewalls; protection against various attacks on service barring (DoS Denial of Service) These firewall blocks are designed and implemented by NIL, mostly by using ASA, F5 Big-IP, and IOS technologies. Such protection is often performed at transition points between private and public networks, often because security layers allow building a more reliable security system, even within the stratified private networks of organizations.

5 PROTECTION OF SENSITIVE, CONFIDENTIAL AND PERSONAL INFORMATION DURING TRANSFER THROUGH UNTRUSTWORTHY NETWORKS Today's communication is often running via networks uncontrolled by the informationexchanging organizations. Although it has in various forms been in use for thousands of years, cryptographic data transmitting protection is still vulnerable to human error, complicated to use, and sensitive to technological shortcomings. DETECTION OF INTRUSION AND SUSPICIOUS ACTIVITIES IN THE ENTIRE COMMUNICATION AND INFORMATION SYSTEM'S INFRASTRUCTURE For the most widespread and effective detection of security incidents we integrate our network security solutions into overarching security information managing systems (SIM/ SIEM). Also, we implement the SIEM solutions ourselves or assist with optimising the settings and management of security incidents. In the area of data protection while being transmitted over untrustworthy networks, NIL provides network infrastructure solutions that protect cryptographic data independently from the user, medium and communication mode. Using IP security protocols and IPsec, VPN, EasyVPN, DMVPN, and GET VPN technologies supported by Systems equipment we have set up a wide range of solutions for data transfer security on the international level. They are all designed according to clients' expectations on long-term reliability and security. CONSOLIDATION OF UNDERLYING NETWORK INFRASTRUCTURE Today, the basic network infrastructure (i.e. switches, routers, or wireless access points) is a block whose reliability and security tasks are crucial in supporting business processes. Failure in its functioning or an invasion into such a crucial device may allow attackers to access network applications or hinder their performance, often affecting a great proportion of the organization's network. SECURE REMOTE ACCESS FOR MOBILE USERS Since at the same time information systems are getting increasingly intertwined and the access to them is allowed to both controlled and uncontrolled devices and users, our goal is to maintain high user productivity while reducing security risks related to access. NIL's solutions for secured remote access to organizations' sensitive resources are intended for different users (employees, partners, customers,...) and different devices (laptop, Tablet PC, or phone). They are based on Systems' SSL VPN solutions and integrated into our own solutions, firewall systems, and strong authentication solutions provided by RSA SecurID. However, when tackling security risks, this infrastructure often remains forgotten. When connecting to external networks, organizations do invest in protection, but tend to forget the "soft" core of their own network infrastructure, which is available to any attacker able either to bypass the physical security controls within the organization or, as in the case of wireless networks, only to approach them physically. In addition to assessments of network infrastructure security, we also provide consolidation services for existing infrastructure and consolidated initial infrastructure installation where required.

6 In the context of consolidating the infrastructure we plan and perform the following categories of security controls: protection of network devices from intrusion; protection of network devices from denial of service attacks; protection of network connections from attacks on their service denial; protection of switching and routing protocols; protection of management protocols and processes. MONITORING OF ACCESS TO NETWORKS AND ENSURING NETWORK MEMBERS' COMPLIANCE To increase the productivity of partners and guests, and, indirectly for the benefit of their own business, organizations are more and more often opening their internal wired or wireless networks to these. At the same time the opening may turn out to be quite risky. The entry of a non-compliant and therefore often infected or even malicious user in the network may lead to serious security incidents ranging from partial overload of the network to intrusion into sensitive systems. SECURED MULTI-TENANCY WITHIN THE NETWORK INFRASTRUCTURE Multi-tenancy is an infrastructure property supporting the coexistence of multiple logically separated infrastructures on the same physical infrastructure. During the construction of modern elastic infrastructures (e.g. Private IaaS Cloud), the coexistence can even be carried over into the core network LAN and WAN infrastructure. For such a separation, organizations opt for several reasons: to separate their own different service networks; due to different levels of trust, these need to be easily separated from each other; to host other entities' resources (e.g. organizations or partners) within the organization's network. Separation of NIL's multi-tenancy solutions within the network infrastructure is usually based on VLAN, MPLS VPN and VRF technologies and supported by Systems equipment. On the other hand, organizations are finding that their own network (user) infrastructure is increasingly difficult to protect from unauthorized physical access. Therefore, they are looking for ways to introduce additional controls to provide a "multi-layer" kind of security in cases where the basic countermeasures fail. Solutions provided by NIL to control user access to wired and wireless networks enable organizations to reliably identify and authenticate the users at the edge of their network and categorise them according to level of confidence and level of access required. Though the IEEE 802.1x technology we enable the organizations to keep a centralised monitoring of identities within the wired and wireless network, strong two-way authentication for network access, and simple integration of authentication with the existing systems such as Active Directory. With the active references of IEEE 802.1x solutions within large environments and performance monitoring mechanisms integrated in the NIL Monitor solution we can implement the access control services into large and complex environments. Solutions for ensuring customer systems' compliance with local security policies prior to entering the wired, wireless or VPN network serve to upgrade network access control solutions. The network access solutions are upgraded by NAC, Microsoft NAP, and ISE technologies for which we also have active references in large networks on the international level.

7 NIL Ltd. nil.com