DMZ Gateways: Secret Weapons for Data Security



Similar documents
How Managed File Transfer Addresses HIPAA Requirements for ephi

User's Guide. Product Version: Publication Date: 7/25/2011

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

STERLING SECURE PROXY. Raj Kumar Integration Management, Inc.

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

Version Listed below are the detailed features in GoAnywhere Services shown with all the licensed options.

SonicWALL PCI 1.1 Implementation Guide

Achieving PCI-Compliance through Cyberoam

March

Best Practices for PCI DSS V3.0 Network Security Compliance

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

A Decision Maker s Guide to Securing an IT Infrastructure

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Installation and Administration Guide

Global Partner Management Notice

74% 96 Action Items. Compliance

How Reflection Software Facilitates PCI DSS Compliance

Axway SecureTransport Ad-hoc File Transfer Service

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

N02-IBM Managed File Transfer Technical Mastery Test v1

The Comprehensive Guide to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Did you know your security solution can help with PCI compliance too?

FTP-Stream Data Sheet

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

Using Skybox Solutions to Achieve PCI Compliance

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

IBX Business Network Platform Information Security Controls Document Classification [Public]

White Paper. Securing and Integrating File Transfers Over the Internet

MOVEIT: SECURE, GUARANTEED FILE DELIVERY BY JONATHAN LAMPE, GCIA, GSNA

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

PCI Compliance Updates

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

TIBCO Managed File Transfer Suite

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

U06 IT Infrastructure Policy

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Secure and control how your business shares files using Hightail

IT Security & Compliance. On Time. On Budget. On Demand.

WhiteWave's Integrated Managed File Transfer (MFT)

Consensus Policy Resource Community. Lab Security Policy

Firewall and Router Policy

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Payment Card Industry (PCI) Data Security Standard

FormFire Application and IT Security. White Paper

Borderware MXtreme. Secure Gateway QuickStart Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Installation and configuration guide

SECURING YOUR REMOTE DESKTOP CONNECTION

vrealize Air Compliance OVA Installation and Deployment Guide

GoAnywhere Director to GoAnywhere MFT Upgrade Guide. Version: Publication Date: 07/09/2015

Building A Secure Microsoft Exchange Continuity Appliance

Elluminate Live! Access Guide. Page 1 of 7

Barracuda Web Site Firewall Ensures PCI DSS Compliance

nubridges Protect TM

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Interwise Connect. Working with Reverse Proxy Version 7.x

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Avaya TM G700 Media Gateway Security. White Paper

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Avaya G700 Media Gateway Security - Issue 1.0

Host/Platform Security. Module 11

A Rackspace White Paper Spring 2010

AlienVault for Regulatory Compliance

Potential Targets - Field Devices

Axway SecureTransport

BANKING SECURITY and COMPLIANCE

White Paper. Managing Risk to Sensitive Data with SecureSphere

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

GlobalSCAPE DMZ Gateway, v1. User Guide

Elluminate Live! Access Guide. Page 1 of 7

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

This presentation describes the IBM Tivoli Monitoring 6.1 Firewall Implementation: KDE Gateway Component.

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Automate PCI Compliance Monitoring, Investigation & Reporting

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

How To Protect A Web Application From Attack From A Trusted Environment

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Transcription:

A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security

A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security EXECUTIVE SUMMARY Exchanging files with customers and trading partners is commonplace in today s global economy, but keeping that data secure remains a difficult challenge. Add to that the various compliance regulations governing data security, including PCI DSS, HIPAA, SOX, GBLA and more. A common approach for protecting internal/private networks is for companies to install file sharing services (e.g. FTP/S, SFTP, HTTP/S servers) in a public zone for trading partners to access. When those servers and files leave the safety of the private network, however, companies then risk the exposure of those services and data to outside attacks. This white paper will address the following questions: 1. Why is it dangerous for companies to store FTP servers and other file services in the DMZ? 2. How does incorporating a gateway into the file transfer process provide better protection for sensitive data? 3. How do gateways keep an organization s private network insulated from external breach? Publication date: October 1, 2011 Copyright 2011, LINOMA SOFTWARE

A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security DMZ for Staging Files DMZ stands for demilitarized zone, and it s the neutral network that resides between the Internet and your company s private network. The DMZ is provisioned with a front-end firewall that limits inbound Internet traffic to certain systems within its zone. On the back end, another firewall is placed to prevent unauthorized access from the DMZ into the private network. An organization s DMZ typically contains web servers, FTP/S, SFTP, and HTTP/S servers, as well as other services it wants to make available to its customers and trading partners. To serve their purpose, these services need access to the data files that will be shared with partners. The DMZ often serves as a staging area between an organization s private network and Internet. Above: File servers for trading partners are traditionally placed in the DMZ which requires their files to be staged there as well. The DMZ serves as a staging area between an organization s private network and Internet. In order to share a document with a trading partner, an internal program or employee would first copy the file from the private network onto a server in the DMZ. The partner could then download the file from that server using an approved protocol like FTP/S, SFTP or HTTP/S. When trading partners need to share documents with the organization, they would upload the files to a server in the DMZ. Later, an internal program or employee would scan for the files on that server and pull them into the private network. 2

Dangers in the DMZ While many organizations exchange files using this process, staging files in the publicly accessible DMZ makes them vulnerable to a variety of dangerous exploits. If attackers gain entry to a file server in the DMZ, they may be able to access sensitive trading partner files that were placed there. These files could be downloaded and their contents could be exposed by the attacker. Even encrypted files may be at risk to sophisticated attackers if the keys or passwords can be compromised. This concern is causing an increasing number of compliance auditors to prohibit data storage in the DMZ, encrypted or not. When the file sharing services are in the DMZ, then any user credentials, certificates, etc. needed for authentication are likely maintained there too, which makes them more vulnerable to attacks. Also at risk is the file sharing software itself, especially if it can be administered from within the DMZ. For example, an attacker could create a back door user account into an SFTP server through its admin console. This seemingly legitimate user account could then be used by the attacker to gather sensitive data files over an extended period of time. Audit logs for the software could also be manipulated if they are stored in the DMZ, erasing the attacker s trail. An increasing number of compliance auditors prohibit data storage in the DMZ, encrypted or not. An organization may react to these threats by moving its file sharing services (e.g. FTP/S servers or SFTP servers) and sensitive data files from the DMZ into its private network. However, the private network s inbound ports would traditionally need to be opened, which in turn creates an entirely new set of potential exposures and compliance issues. Consider any organization that processes or stores credit card information, for example. Those companies must meet PCI DSS compliance standards that specifically prohibit direct public access between the internet and any system component in the cardholder data environment. So, if keeping file sharing services and shared files in the DMZ is dangerous, and allowing access to the private network through inbound ports is strongly discouraged, what other options are available? A Better Solution: DMZ Gateways DMZ gateways solve these security concerns by allowing an organization to move file sharing and other public services from the DMZ into the private network without having to open inbound ports. With this approach, data files also remain safe in the private network since they no longer need to be staged in the DMZ. The gateway software, which should be installed on a hardened server in the DMZ, typically includes two proxy services. Its reverse proxy service will handle inbound requests from trading partners. The second service will be a forward proxy for handling outbound file transfer requests from internal employees and systems. 3

Above: Trading partners connect to the gateway, which then communicates with the file servers in the private network. Reverse Proxy As a reverse proxy, the gateway masquerades as the file sharing services. When trading partners need to exchange data with your company, they would connect to the gateway instead. The gateway would then bind those requests to the appropriate back-end services in the private network. It s important to note that adding a gateway will not affect your trading partners since they will be able to connect using the same protocols (e.g. FTP/S, SFTP, HTTP/S, etc.) and ports they ve always used. This partner transparency will greatly minimize the gateway s implementation time and costs. Forward Proxy A gateway may also serve as a forward proxy, fielding file transfer requests from within the private network and making any connections needed to external servers. This will allow an organization to more easily control these requests through its firewall. DMZ Gateways allow file sharing and other public services to be moved into the private network without opening ports into that network. For example, a company may require that any FTP/S or SFTP file transfer requests from within the private network must pass through the gateway s forward proxy. The firewall rules could be configured to allow only the gateway s address (IP and port) for FTP/S or SFTP traffic, blocking all other addresses from performing those requests. The internal users would specify the gateway s proxy address within their file transfer client software. When a user initiates a file transfer, the gateway would be passed the request and would then serve as the middle man between the user and the external server. 4

Keeping Inbound Ports Closed The gateway should interact with the company s private network in the most secure way possible. A properly designed gateway will come with an additional component (i.e. service broker) that is installed in the private network. The service broker will communicate with the gateway in the DMZ over a proprietary control channel, keeping inbound ports closed into the private network. Above: Trading partners connect to the gateway, which then communicates with the service broker in the private network. The service broker binds the request to the appropriate file service for performing the data exchange. The gateway uses the control channel to alert the service broker when a trading partner wants to initiate a file exchange. The service broker then connects to the appropriate backend service and creates a new outbound data channel through which the data exchange will be conducted. Any data channels needed are opened from the back-end services and through the gateway, again requiring no inbound ports. Gateways Streamline File Transfers In addition to the security risks associated with storing files and credentials in the DMZ, file transfers can be a time-consuming process for an organization s programmers who are writing scripts to help manage those transfers. For example, consider a company that has a SFTP server installed in the DMZ. Trading partners upload files to this SFTP server throughout the day. One of the company s programmers has written a script that repeatedly scans a folder on the SFTP server every few minutes for new files. If files are found, the script then moves the files from the DMZ into the company s private network. Gateways both improve security and streamline file transfers since files do not need to be staged in the DMZ. This scenario is typical, but definitely not foolproof. Here are a few of its potential issues. If the script fails to run, the files will remain in the DMZ, leaving them vulnerable to attacks. If the script lacks good error reporting or alerts, the company does not immediately know when a problem occurred. 5

If the company adds additional trading partners, new scripts have to be written and maintained by a programmer, costing the company more time and money. To improve the process and minimize the risks, the same company could install a gateway in the DMZ and move the SFTP server into its private network. Now the trading partners would make their connections to the gateway and the files would stay in the private network. Scripts could be streamlined or even eliminated since the files are automatically put in the right place, thus improving the overall efficiencies and quality of the company s data transfers. Conclusion Even when files are encrypted and transferred through a secure protocol, data is still at risk if files, file servers and user credentials are stored within the DMZ. A gateway installed in the DMZ reduces the likelihood of a security breach. A gateway removes that risk because it facilitates file transfers directly between trading partners and organizations without allowing direct access to an organization s private network. As critical data breaches continue to make news, many organizations are searching for better ways to keep data secure and meet the compliance regulations of their industries. By incorporating a gateway into the managed file transfer process, not only can internal staff s time and effort be redirected, customers and trading partners can feel confident that the files they exchange with organizations equipped with a gateway will be safe. 6

Managed File Transfer Solutions Secure & Automate Data Transfers with Products from Linoma Software GoAnywhere is a managed file transfer (MFT) solution that allows organizations to secure and automate the exchange of data with their trading partners, customers, employees and internal systems. It is designed for virtually all platforms including Windows, Linux, IBM i (iseries), IBM p (AIX), IBM z (Mainframe), UNIX and HP-UX, Solaris and Mac OS. The GoAnywhere solution is comprised of the GoAnywhere Director, GoAnywhere Services and GoAnywhere Gateway products. Together they help companies comply with PCI DSS, HIPAA/HITECH, SOX, GLBA and other state privacy regulations.. GoAnywhere Director GoAnywhere Director streamlines and manages data movement through an innovative centralized approach. It allows your organization to connect to almost any system (internal or external) and securely exchange data using a wide variety of standard protocols. With support for FTP/S, SFTP, HTTP/S, AS2, SMTP, ZIP, multiple databases, error handling and so much more, GoAnywhere Director can manage the most complex business requirements to secure and manage your transfers. GoAnywhere Managed File Transfer Solutions features: Browser-based administration Support for popular encryption and file transfer standards Robust workflows DMZ gateway Detailed audit logs GoAnywhere Services GoAnywhere Services allows trading partners, customers and employees to securely connect to your organization and easily download or upload files. GoAnywhere Services includes the popular file transfer server protocols of FTP/S, SFTP, AS2 and HTTP/S with an intuitive browser-based interface, extensive security features, and audit trails. GoAnywhere Gateway GoAnywhere Gateway is both an enhanced reverse proxy and forward proxy, providing an an additional layer of network security when your organization needs to safely exchange data with your trading partners. With GoAnywhere Gateway, no incoming ports need to be opened into your private/internal network and no sensitive information needs to be stored in the DMZ. Learn More About GoAnywhere To get more information about GoAnywhere products or to download a free trial, visit our website: www.goanywheremft.com 8

Electronic Contact Information Sales: sales@linoma.com Support: support@linoma.com Website: Phone Numbers Toll-free: 800.949.4696 Outside USA: 402.944.4242 Fax: 402.944.4243 Address Linoma Software 1409 Silver Street Ashland, NE 68003 USA

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information