SERVICE DESCRIPTION Firewall

Date: 14.12.2015
Document: Service description: Firewall

TABLE OF CONTENTS

1 INTRODUCTION  page 3
2 SERVICE DESCRIPTION  page 4
2.1 Basic service  page 4
2.2 Options  page 6
2.2.1 DHCP service  page 6
2.2.2 Link Balancing  page 7
2.2.3 Network Segmentation  page 8
3 ADDITIONAL DOCUMENTS  page 9
4 DISCLAIMER  page 9

Copyright United Security Providers AG

1 INTRODUCTION

This document describes the USP Firewall managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service.

Field of application

A modern network is subdivided into various zones. The individual zones contain data of different sensitivity levels which can be accessed by different user groups. The zones are separated by firewalls. The firewalls examine the flow of data against predefined rules and thereby enforce the authorizations for the individual zones. Monitoring the data traffic between the zones and effectively blocking inadmissible traffic markedly increases the security of your network.

Every data packet is unambiguously assigned to an active session. Any data packet that cannot be assigned to a valid session is discarded. This is an effective method for preventing attacks from the Internet.

All zone transitions are logged. The firewall logs are not only used for later analysis of any attacks; more often they also constitute a valuable tool in the analysis of network problems.

2 SERVICE DESCRIPTION

2.1 Basic service

The USP Firewall service offers an effective separation between two different network zones, for example an internal company network and the Internet.

Name of service: Firewall
Service abbreviation: MSS-FW
Service version: 2.0
Status: Operational
Operating hours:
- OH1: Monday to Friday, 08:00 to 18:00 CET
- OH2: Monday to Saturday, 07:00 to 21:00 CET
- OH3: Monday to Sunday, 00:00 to 23:59 CET
- OH4: Monday to Friday, 08:00 to 18:00 local time
Availability guarantee:
- ACA: best effort
- ACB: 99.5% availability during operating hours
- ACC: 99.7% availability during operating hours
- ACD: 99.9% availability during operating hours
Usage parameter: The service is assessed on the basis of the number of IP addresses protected.

Description

The Firewall service uses a predefined set of firewall rules to control the transition between the different network zones. The basic service covers one zone transition, for example between the internal network and the Internet.

In conventional firewalls, two rules have to be defined so that communication can flow in both directions between an internal partner A and an external partner B. USP's Firewall service deploys stateful filters: if A initiates the communication, the response from B is automatically permitted. B is not permitted to send anything into the internal network if the communication was not started by A.

A further essential component of the basic service is the translation of addresses and ports (NAT and PAT). Predefined rules are applied to redirect data packets to different addresses or ports.

The entire data flow between the different zones is monitored and controlled by the Firewall service. This blocks access to sensitive data right at the perimeter of the zones. In this way potential attackers are locked out not only of the data, but also of the environment in which the data resides. The data is protected extremely efficiently.

The data traffic between the zones is logged in full. Attacks or data theft are often only noticed significantly after the event. The firewall logs are a vital forensic resource in such cases. Analysis of the Firewall service log data contributes to an efficient defence against future attacks.

Key Performance Indicators (KPIs): Compliance with the SLA parameters is measured against the availability of the service infrastructure.

Reporting: The following service-specific values are collated in the monthly reports:
- infrastructure workload
- total data volume
- incoming and outgoing data volume per zone
- number of sessions
- number of requests allowed, number of requests blocked

Measuring points: The following measuring points are watched to monitor the service:
- CPU/RAM utilisation
- log status
- number of IP addresses in internal networks
- number of sessions
- incoming and outgoing data volume per zone

Conditions of use: The firewall infrastructure must be implemented redundantly for availability guarantees that are better than ACA. The Firewall service requires a valid FortiGuard or FortiCare subscription for the infrastructure.
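The stateful behaviour described for the basic service (A opens a session, B's reply is matched to it, anything B sends unsolicited is discarded), the address and port translation, and the logging of every zone transition can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not USP's product, configuration or code; all addresses are constructed (10.0.0.0/24 stands in for the internal zone, the public addresses come from the RFC 5737 documentation ranges), and the port numbers, the published-service rule and the `StatefulFirewall` class are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses: 10.0.0.0/24 is the internal zone; the firewall's public
# address and the Internet hosts use the RFC 5737 documentation ranges.
INTERNAL_PREFIX = "10.0.0."
EXTERNAL_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the TCP packet that opens a connection


Tuple5 = Tuple[str, str, int, str, int]


def zone(ip: str) -> str:
    return "internal" if ip.startswith(INTERNAL_PREFIX) else "internet"


def key(p: Packet) -> Tuple5:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


class StatefulFirewall:
    """Session-tracking filter with source NAT (PAT) for outbound sessions and
    destination NAT for published services. Every decision is logged."""

    def __init__(self, outbound_ports=(80, 443), published=None):
        self.outbound_ports = set(outbound_ports)
        # DNAT rules: (proto, public port) -> (internal address, internal port)
        self.published: Dict[Tuple[str, int], Tuple[str, int]] = published or {}
        self.forward: Dict[Tuple5, Tuple5] = {}  # pre-NAT tuple -> post-NAT tuple
        self.reverse: Dict[Tuple5, Tuple5] = {}  # expected reply -> translated reply
        self.next_pat_port = 40000
        self.log: List[str] = []

    def _open(self, pre: Tuple5, post: Tuple5) -> None:
        """Record a session so that later packets in either direction match it."""
        self.forward[pre] = post
        proto, s, sp, d, dp = post
        _, os_, osp, od, odp = pre
        # A reply arrives with the post-NAT addresses swapped and must leave
        # with the pre-NAT addresses swapped.
        self.reverse[(proto, d, dp, s, sp)] = (proto, od, odp, os_, osp)

    def process(self, p: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the firewall, or None if it is dropped."""
        k = key(p)
        direction = f"{zone(p.src)}->{zone(p.dst)}"
        # Packets of an established session pass in either direction.
        if k in self.forward:
            self.log.append(f"ALLOW established {direction} {k}")
            return Packet(*self.forward[k], syn=p.syn)
        if k in self.reverse:
            self.log.append(f"ALLOW reply {direction} {k}")
            return Packet(*self.reverse[k], syn=p.syn)
        # A initiates from the internal zone: permitted ports only, source-NATed.
        if zone(p.src) == "internal" and zone(p.dst) == "internet":
            if p.dport in self.outbound_ports and (p.proto != "tcp" or p.syn):
                post = (p.proto, EXTERNAL_IP, self.next_pat_port, p.dst, p.dport)
                self.next_pat_port += 1
                self._open(k, post)
                self.log.append(f"ALLOW new {direction} {k} -> {post}")
                return Packet(*post, syn=p.syn)
        # B initiates from the Internet: only a published service is reachable (DNAT).
        if zone(p.src) == "internet" and p.dst == EXTERNAL_IP:
            target = self.published.get((p.proto, p.dport))
            if target and (p.proto != "tcp" or p.syn):
                post = (p.proto, p.src, p.sport, target[0], target[1])
                self._open(k, post)
                self.log.append(f"ALLOW published {direction} {k} -> {post}")
                return Packet(*post, syn=p.syn)
        # Anything that belongs to no valid session is discarded.
        self.log.append(f"DROP {direction} {k}")
        return None


def run_sample() -> List[Optional[Packet]]:
    """Constructed packet sequence: outbound HTTPS from A, B's reply, an unsolicited
    packet from B, a connection to a published service, and a blocked SMTP attempt."""
    fw = StatefulFirewall(published={("tcp", 443): ("10.0.0.5", 8443)})
    packets = [
        Packet("tcp", "10.0.0.23", 51000, "198.51.100.7", 443, syn=True),
        Packet("tcp", "198.51.100.7", 443, EXTERNAL_IP, 40000),
        Packet("tcp", "198.51.100.7", 443, EXTERNAL_IP, 40001),
        Packet("tcp", "198.51.100.9", 5555, EXTERNAL_IP, 443, syn=True),
        Packet("tcp", "10.0.0.23", 51001, "198.51.100.7", 25, syn=True),
    ]
    results = [fw.process(p) for p in packets]
    for line in fw.log:
        print(line)
    return results


if __name__ == "__main__":
    run_sample()
```

The session table is what makes the single outbound rule sufficient: the reply from B is accepted because its reversed 5-tuple was recorded when A opened the session, while the packet to the never-allocated PAT port 40001 matches nothing and is dropped. The log list is the equivalent of the zone-transition log the service keeps, and includes the drops, which is what makes it useful both for attack analysis and for troubleshooting connectivity problems.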

2.2 Options

2.2.1 DHCP service

The firewall infrastructure acts as a DHCP server or forwards DHCP messages to a target segment.

Name of the service option: DHCP service
Abbreviation: MSS-FW-DHCP
Usage parameter: The service option is assessed on the basis of the size of the address range. DHCP relaying is assessed at a fixed amount.

Description

Clients need to have a valid address before they are able to use network resources. These addresses are either set statically or assigned dynamically by a DHCP server. If this option is enabled, the firewall infrastructure takes on this task. Two versions are supported: either the firewall itself acts as a DHCP server for one or more internal segments, or the firewall relays DHCP messages to a remote server and forwards the addresses it assigns into the internal segment.

Often there is no DHCP server available at smaller sites. No additional infrastructure is required if the firewall infrastructure takes on the role of the DHCP server. Static addressing is not possible if the clients in a segment are not known and change frequently, for example in guest networks. Instead of using a dedicated server and hence additional infrastructure, this job can be taken on by the existing firewall infrastructure.

Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.

Reporting: The following data is added to the reported data:
- number of addresses assigned per day
- addresses assigned concurrently

Measuring points: The number of addresses assigned concurrently is monitored.

Conditions of use: The option is offered for segments with no more than 50 protected IP addresses or for guest segments.

2.2.2 Link Balancing

Where a site has a number of Internet links, they can be used together with this option.

Name of the service option: Link Balancing
Abbreviation: MSS-FW-LB
Usage parameter: The service option is assessed on the basis of the size of the basic service.

Description

This option distributes the data traffic over the available links. Various strategies can be used for this:
- source IP-based (standard): links are selected in sequence by the round-robin method, depending on the source IP.
- weighted load balance: based on the configured weighting of the links.
- spillover: the second link is only selected once a specified bandwidth is exceeded on the first link.

Equal Cost Multipath Routing (ECMP) is generally used in these set-ups. As an alternative to using both links, one line can also be used as a pure backup line. As an alternative to the strategies listed above, it is also possible to define the load distribution on the basis of predefined rules.

Connection to the Internet is of enormous importance for many companies. Pure availability is just as important in this context as the performance of the link. This option improves performance by distributing the load over a number of links. Very high availability can be achieved by using multiple links: should one link fail, the entire data flow is taken on by the remaining links, so that connectivity is assured and you benefit from a constant connection to the Internet.

Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.

Reporting: The following data is added to the reported data:
- availability of Internet links
- utilisation of Internet links

Measuring points: The availability of the links is checked by sending pings. The relevant interfaces on the firewall are additionally monitored.

Conditions of use: The Internet links are provided by the customer and are not a part of this service option. USP recommends that the USP Security Operations Center is made change-authorised with the ISP so that changes and incidents can be handled as quickly as possible.
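The three distribution strategies listed for this option, together with the failover behaviour when a link fails its availability check, can be shown side by side on a constructed two-link site. The Python below is an added example written for this page, not USP's implementation (the real set-up uses ECMP on the firewall); the `Link` and `LinkBalancer` names, the weights, the 50 Mbit/s spillover threshold and the load values are all hypothetical, and the `up` flag stands in for the result of the ping-based check.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    weight: int = 1              # share of new sessions under weighted load balance
    threshold_mbps: float = 0.0  # spillover: bandwidth above which traffic moves on
    load_mbps: float = 0.0       # current measured utilisation (constructed values)
    up: bool = True              # result of the ping-based availability check


class LinkBalancer:
    """Selects an Internet link for a new session. Links marked down are skipped,
    which gives the failover behaviour described for the option."""

    def __init__(self, links: List[Link]):
        self.links = links
        self._sticky: Dict[str, Link] = {}  # source IP -> link it was assigned
        self._rr = 0   # round-robin position for source-IP assignment
        self._wrr = 0  # position in the weighted cycle

    def available(self) -> List[Link]:
        return [link for link in self.links if link.up]

    def by_source_ip(self, src_ip: str) -> Optional[Link]:
        """Each new source IP takes the next link in round-robin order and then
        keeps it, unless that link has gone down."""
        up = self.available()
        if not up:
            return None
        link = self._sticky.get(src_ip)
        if link is None or not link.up:
            link = up[self._rr % len(up)]
            self._rr += 1
            self._sticky[src_ip] = link
        return link

    def weighted(self) -> Optional[Link]:
        """Weighted round robin: a link with weight 3 gets three sessions per cycle."""
        up = self.available()
        if not up:
            return None
        cycle = [link for link in up for _ in range(link.weight)]
        link = cycle[self._wrr % len(cycle)]
        self._wrr += 1
        return link

    def spillover(self) -> Optional[Link]:
        """Use the first link until its configured bandwidth is exceeded, then the
        next. When every link is above its threshold, the least loaded one is used."""
        up = self.available()
        if not up:
            return None
        for link in up:
            if link.load_mbps < link.threshold_mbps:
                return link
        return min(up, key=lambda link: link.load_mbps)


def run_sample() -> Dict[str, List[str]]:
    """Constructed two-link site: link A is the primary (weight 3), B the secondary."""
    a = Link("A", weight=3, threshold_mbps=50.0)
    b = Link("B", weight=1, threshold_mbps=50.0)
    bal = LinkBalancer([a, b])
    out: Dict[str, List[str]] = {}
    # Source-IP based: 10.0.0.1 -> A, 10.0.0.2 -> B, 10.0.0.1 again stays on A.
    out["source_ip"] = [bal.by_source_ip(ip).name
                        for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.1")]
    # Weighted 3:1 over four new sessions.
    out["weighted"] = [bal.weighted().name for _ in range(4)]
    # Spillover: A is used while under 50 Mbit/s, B once A exceeds it.
    a.load_mbps = 30.0
    first = bal.spillover().name
    a.load_mbps = 60.0
    out["spillover"] = [first, bal.spillover().name]
    # Failover: the ping check marks A down; every strategy now returns B.
    a.up = False
    out["failover"] = [bal.by_source_ip("10.0.0.1").name,
                       bal.weighted().name, bal.spillover().name]
    return out


if __name__ == "__main__":
    for strategy, picks in run_sample().items():
        print(f"{strategy}: {picks}")
```

The source-IP strategy keeps a session-to-link affinity so that a host's traffic does not wander between public addresses mid-session, which matters when the remote side tracks the client by source address; the failover case shows why the availability check reported for this option needs to feed back into link selection, since a sticky assignment to a dead link would otherwise black-hole that host.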

2.2.3 Network Segmentation

This option operates a further zone and manages the relevant rule sets.

Name of the service option: Network Segmentation
Abbreviation: MSS-FW-NS
Usage parameter: The service option is assessed on the basis of the size of the basic service.

Description

This option operates an additional network segment. The segment is terminated at the firewall infrastructure. The data traffic between the zones is defined using predefined firewall rules. The zones can be terminated at a physical interface or be implemented as VLANs.

Data of differing security sensitivity is stored in different zones. Security is significantly enhanced by the fact that all zone transitions are monitored and logged by the firewall infrastructure.

Reporting: Incoming and outgoing data traffic for the additional segment is added to the existing report.

Measuring points: The incoming and outgoing data volume is measured.

Conditions of use: The conditions of use for the basic service apply.

3 ADDITIONAL DOCUMENTS

The present document describes the functional scope of USP's Firewall service. General information on the Service Level Agreement and on operation may be found in the additional documents.

Service management and SL catalogue: This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees.

Services catalogue: The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion.

Price list: The prices of all services and options are laid down in the price list.

4 DISCLAIMER

This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law.

This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved.

The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail.

The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement. USP's General Terms and Conditions shall apply unless higher-ranking provisions apply.

Copyright United Security Providers AG. All rights reserved.