Secure and Hardened DNS Appliances for the Internet

Transcription

1 Page 1 Datasheet Secure and Hardened Appliances for the Internet SECURE APPLIANCE IN THE INTERNET ENVIRONMENT External servers deliver critical services to your company, such as Internet visibility for your customers, partners and employees, as well as external access to network applications and other critical services such as . Because of the fundamental role they play in Information Technology infrastructure, external servers are exposed to Internet-based attacks and therefore must be secured. Losing service or Internet connectivity due to external attacks could significantly impact a business profitability. EfficientIP delivers reliable and scalable solutions for hardening your Internet architecture. High Availability of Architecture and Services SOLIDserver appliances have built-in mechanisms that support unmatched high availability, to ensure continuity of services. Ethernet Port Failover: The Ethernet port failover mechanism allows you to connect SOLIDserver appliances to two switch ports, an active link and a passive link. In case the active link fails, the passive link will ensure connection continuity in less than 1 second. This feature ensures the physical connection of the device. CARP: CARP is the next generation of VRRP which enables the hiding of several SOLIDservers behind a Virtual IP address. One of them is elected as Leader and will receive all requests from the VIP. In case of unavailability of the leader SOLIDserver, the connection will be switched to an available SOLIDserver in less than 1 second. active link automatic link switching backup link switch VIP switch

2 SECURE AND HARDENED APPLIANCES FOR THE INTERNET Page 2 Datasheet Key benefits of CARP: VIP per network service: Several VIPs can be associated with the same SOLIDserver appliances. A VIP can be associated with services and another to TFTP and another to NTP. CARP exists at the application level. CARP does not only check that the link is up, but also checks the availability of the service. The VIP can be allocated to an unlimited number of SOLIDservers : A VIP can be associated not only to 2 SOLIDservers but to 3, 10 or more SOLIDservers High Availability of the Service SOLIDserver enables you to define a group of servers, with a single Virtual IP address as the master server, for clients. In the case of a server crash the process will automatically and transparently switch all client requests to an available server, ensuring service continuity of your service in less than one second. SOLIDserver VIP Switch Network Clients VIP Smart Architecture : Managing Network Services Architecture The SmartArchitecture is a new approach to IPAM and -DHCP services management to drastically simplify deployment and administration of network services. Thanks to SmartArchitecture, EfficientIP offers the capability to deploy and manage -DHCP services at the architecture level. SmartArchitecture is a library of State of the Art templates of -DHCP architectures, applied on a group of Multi-Vendor servers (Microsoft, Open source, SOLIDserver ) to automatically deploy and manage the architectures as a single entity. Based on the selected SmartArchitecture, the SOLIDserver centralized management platform will automatically configure all -DHCP servers belonging to the SmartArchitecture according to their individual role within the selected template. It is no longer necessary to manually configure each server in order to build the architecture; the entire process is now carried out automatically.

3 SECURE AND HARDENED APPLIANCES FOR THE INTERNET Page 3 Datasheet Step1 Select your Architecture Step2 Import your Data 1 2 DHCP DHCP 20 % 80 % data 3 Pseudo 4 Step3 Insert your Servers Pseudo Hidden Done! Your Architecture is Deployed and Operating SmartArchitecture Key Benefits: Increased reliability and security of your network services by automating the enforcement of & DHCP Best Practices Eliminate deployment complexity: Automate the deployment of -DHCP architectures Ease of management: Simplify the management of network services by directly managing the architecture and automating all server configurations SmartArchitecture Motion: Easy architecture migration and reorganization with Drag and Drop functionality SmartArchitecture is a breakthrough in network services management efficiency, bringing unmatched levels of reliability, scalability and flexibility. SmartArchitecture enables you to perform complex administration tasks very easily and in just a few minutes. Migration of / to Stealth or Multi- is automatically done by selecting the ad hoc SmartArchitecture to apply on the servers. It becomes easy to add or remove servers from the architecture; the centralized management appliance will automatically manage all configuration file modifications. Stealth Smart Architecture SmartArchitecture automates the deployment of robust architectures based on stealth master servers. A stealth server is one which does not appear on any publicly visible NS Records for the domain. This architecture provides a very good level of security, especially within the internet server (reachable from outside the company s network). The goal is to ensure that you do not have your internal hosts exposed to external by interrogation (query or zone transfer). Thanks to SmartArchitecture, deployment of a stealth architecture is simple and fast. All servers belonging to the stealth SmartArchitecture will automatically be configured by the SOLIDserver management appliance, securing communication flows, synchronizing data and ensuring best practices enforcement.

4 SECURE AND HARDENED APPLIANCES FOR THE INTERNET Page 4 Datasheet CP ster DHCP Pseudo Hidden 0 % 80 % SPLIT DHCP STEALTH Hybrid Engine aster MULTIMASTER Whereas most servers run a single engine, EfficientIP s SOLIDserver Hybrid En- gine (HDE) combines three engines, the BIND name server sofware, Unbound and NSD from NLnet Labs, all managed in a single appliance. One is active, the other two on stand by mode. If the server is attacked, it is possible to switch to one of the other two engines, while the security patch is installed and tested on the primary engine. This innovative (and unique) approach provides greater protection to large enterprises, operators and ISPs as it eliminates single point of failure following security alerts and creates a highly complex security footprint. V odèle d administration Furthermore, EfficientIP s SmartArchitecture enables effortless deployment of hybrid architectures. Designing, deploying and managing a / architecture with servers running on Classique BIND and servers running on NSD is easy with SmartArchitecture templates. Vue du Mana Hybrid Engine blocks Zero-Day vulnerabilities, strengthens architecture security foundation, ( Classiq enhances agility & risk management to security threats and improve performances to mitigate DoS attacks. Hybrid Engine Key Benefits: Block Zero-Day Vulnerabilities Strengthen Architecture Security Foundation Enhance Agility & Risk Management to Security Threats Improve Performances to Mitigate DoS Attacks

5 SECURE AND HARDENED APPLIANCES FOR THE INTERNET Page 5 Datasheet Disaster Recovery Plan SOLIDserver has a local embedded database with integrity control mechanisms which requiring no ongoing maintenance. The local database of all SOLIDserver appliances can be replicated in real time on an appliance called SOLID. The database replication includes the entire service, network and system configurations of the appliances. This means that the architecture is its own backup architecture. Backups can also be done on an FTP server. Primary SOLID Recovery SOLID SOLID Replication Flow Network Services Replication Flow Firewall External servers represent one of the most vulnerable entry point to enterprises network and are therefore regularly targeted by hackers. -based malwares are particularly dangerous as they re used to steal critical data, from you and from your customers. EfficientIP s Firewall proactively protects SOLIDserver appliances and Linux- based infrastructure by detecting and blocking malware activity, identifying infected devices and preventing new attacks. Cache Poisoning Attack Protection cache poisoning attacks occurs when a server caches false information, such as a wrong A record mapping with a «wrong» IP address. Once a server has received such non-authentic data and caches it for future performance enhancement, it is considered poisoned, supplying the non-authentic data to clients of the server. EfficientIP s SOLIDserver appliances include protection mechanisms that will preserve your architecture. cache poisoning attacks are mitigated by randomizing the source port and the transaction IDs of queries in order to eliminate the risk of ID spoofing. Additional protections include the dropping of inbound queries related to zones that are not associated with the organization s domain. SOLIDserver Stateful Firewall SOLIDserver embeds a stateful firewall to secure flows. The SOLIDserver firewall uses the legacy stateless rules and a legacy rule coding technique to achieve what is referred to as Simple Stateful logic.

6 SECURE AND HARDENED APPLIANCES FOR THE INTERNET Page 6 Datasheet SOLIDserver stateful filtering treats traffic as a bi-directional exchange of packets comprised of a session conversation. It has matching capabilities to determine if the session conversation between the originating sender and the destination are following the valid procedure of bi-directional packet exchange. Any packets that do not properly fit the session conversation template are automatically rejected as impostors. SOLIDservers enable you to log firewall messages and review after-the-fact information such as which packets have been dropped, which addresses they came from and where they were going - empowering you to track down attackers. SEC SOLIDserver enables you to deploy Secure (SEC-RFC 2535: rfc2535.txt) cryptographic electronic signatures signed with a trusted public key certificate that will determine the authenticity of the data. SEC eliminates the risk of cache poisoning attacks. EfficientIP partners with Thales to provide a highly secure SEC solution. Thales nshield appliances work with SOLIDserver appliances to secure the private keys used for SEC signatures. When you modify your domain names, SOLIDserver transfers them to Thales nshield appliances that automatically sign them. nshield appliances can be integrated in EfficientIP hidden master SmartArchitectures. Secure Data Stream The security of exchanges is guaranteed by the implementation of the state of the art security protocols such as Transaction SIGnature (TSIG), Domain Name System Security Extensions (SEC), Secure Sockets Layer (SSL), and SNMP v3. Advanced Access Control List (ACL) enables control of server accesses: authorization of modifications, transfers and requests. SOLIDserver supports multiple network interfacing combinations such as exploitation interface, management interface and 802.1q Virtual LAN (VLAN) capabilities. Dedicated Network Interfaces for Administrative Tasks and Backups EfficientIP provides appliances with at least 2 Ethernet interfaces and up to 4 interfaces. This allows you to: Clearly separate productive flows (, DHCP) from management flows Use a dedicated interface for backup tasks to avoid overloading the productive network. State of the Art Respecting Internet naming conventions, SOLIDserver is based on the latest release of BIND engine and is fully compliant with its features and file configurations. Features for daily and advanced admin tasks include: Zone creation on-the-fly Ability to switch zone slave to master Reorganize views Automatic reverse zone delegation

7 SECURE AND HARDENED APPLIANCES FOR THE INTERNET Page 7 Datasheet Resource Record (RR) mass update (ex: name, TTL) Search RR across your whole data (servers, views, zones) Migrate, duplicate and rename zone Import/export data Hardened Integrated Operating System The SOLIDserver operating system is hardened, and includes only necessary services and the minimum number of open ports, thus minimizing security threats. An integrated firewall, dedicated to flows and service management, enhances the security level by checking and limiting exchanges to necessary traffic only. Simplify Management SOLIDserver is based on an intuitive web interface for a quick and efficient access to all information at a glance. This Web Graphical User Interface (GUI) enables you to manage, update, backup and restore your services very efficiently. Through the multi-criteria search engine you can filter targeted data for executing administration tasks, exporting or simply displaying it. SOLIDserver is error-free: all configurations are thoroughly checked prior to any deployment, ensuring service availability as well as overall consistency control within your architecture. SOLIDserver permits an unlimited level of administrative delegation, according to the requirements of your organization. Each user s access is strictly limited to his or her resource pool. Performance & Capacity When a restarts, it impacts service delivery and can lead to significant interruptions. EfficientIP s service is configurable on-the-fly without restarting the server. This feature allows you to create a new zone and resource records (RR) instantaneously on servers loaded with more than 100,000 zones and 1,000,000 RR. Automated updates and Upgrades SOLIDservers can be updated with "One Touch" from the web interface. All appropriate back-up will be carried out automatically to ensure a quick and easy roll back. There is no more compromise between optimizing security and minimizing operation costs. Monitoring and Statistics Internet services are critical services that require monitoring. SOLIDserver provides performance indicators enabling proactive and preventive management. Copyright 2013 EfficientIP, SAS. All rights reserved. EfficientIP and SOLIDserver logo are trademarks or registred trademarks of EfficientIP SAS. All registered trademarks are property of their respective owners. EfficientIP assumes no responsability for any inaccuracies in this document or for any obligation to update information in this document. EUROPE EfficientIP SAS 4 rue de l abreuvoir Courbevoie - France USA EfficientIP Inc. 14 West Chestnut, Street West Chester, PA USA