Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity



TABLE OF CONTENTS

Introduction
Liebert Virtual Ntegrity Infrastructure Components
Secure Proactive Monitoring
Secure Remote Device Connectivity
Traceability and Audit Trail
Security Standards
  Encapsulating Security Payload (ESP)
  Internet Key Exchange (IKE)
  Two-Phase IKE Negotiations
Firewall Provisioning
Summary

Introduction

Enterprises seeking to improve the availability of business-critical systems can now use the Internet to dynamically control service access into their protected networks, while still shielding their assets from ongoing security threats. Liebert, through its partnership with ComBrio, has pioneered the use of this technology to deliver robust remote monitoring of the critical system infrastructure, providing early detection of, and faster response to, problems that could affect the availability of business-critical systems. This white paper describes how the service is delivered, with particular focus on network security.

Liebert Virtual Ntegrity Infrastructure Components

The Liebert Virtual Ntegrity Infrastructure (VNI) solution consists of three components that work together to create a unique, policy-based Secure Connection between the Liebert command center and the customer location.

1. Virtual Ntegrity Gateway - Compact hardware appliance placed within the enterprise private network or DMZ that collects information from the devices being monitored and provides remote access to the devices being managed.

2. Virtual Ntegrity Administrator - Server located at the Liebert High Availability Response Center that monitors the information reported by the Virtual Ntegrity Gateways at enterprise locations, and dynamically applies rules and policies to remote access requests.

3. Virtual Ntegrity Manager - Server located at the Liebert High Availability Response Center that accepts a mutually consented Secure Connection between a Liebert device on the enterprise network and a specially trained Liebert Customer Engineer. Once the remote access need is fulfilled, all policies and rules are removed, leaving no open path that could become a security vulnerability.
Secure Proactive Monitoring

The Virtual Ntegrity Infrastructure provides a unique method of assuring the security of the enterprise network for both proactive monitoring and on-demand network device access.

The Virtual Ntegrity Gateway continuously monitors the health of the target devices on the enterprise network it has been provisioned to manage, and sends its heartbeat back to the Liebert High Availability Response Center (HARC) over an encrypted SSL session that the Gateway itself initiates outbound. These heartbeats are sent once a minute to the Virtual Ntegrity Administrator. Once delivery of the heartbeat is confirmed, the SSL session is completely torn down until the next scheduled update; with every heartbeat, an SSL session is dynamically set up and taken down. Delivering the heartbeats over dynamic SSL sessions rather than a permanent (nailed-up) connection eliminates the risk of a man-in-the-middle attack, which in turn eliminates the ability for anyone to capture session information for reuse or mimicry.

VNI status heartbeats use a push model of information flow: all communications are securely initiated and driven from the Virtual Ntegrity Gateway at the enterprise location to the Virtual Ntegrity Administrator in the Liebert High Availability Response Center. This allows remote monitoring without the security exposure of inbound holes in the firewalls between the enterprise network and the Liebert High Availability Response Center.

Secure Remote Device Connectivity

When an authorized Liebert Customer Engineer needs to access a monitored network device at the enterprise location, the Secure Connection allows the Engineer to set up an on-demand IPsec-based session to the target device from the High Availability Response Center. As with VNI's status heartbeats, IPsec sessions on the Secure Connection are initiated by the Virtual Ntegrity Gateway upon request from a Virtual Ntegrity Administrator, again requiring no open inbound holes in the enterprise network's firewall.
When a Secure Connection request is initiated, the Virtual Ntegrity Administrator defines and distributes the unique dynamic routing policies and rules to the Virtual Ntegrity Manager and to the customer's Virtual Ntegrity Gateway. These rules define the IPsec session from the target device to the authenticated Engineer making the Secure Connection request. The visibility of a Secure Connection is limited to the target device alone, eliminating the risk of access to other, unauthorized network devices on the enterprise network. When the remote management session over a Secure Connection is complete, closing the Secure Connection automatically removes the unique session rules and policies that were assigned to it from both end points, leaving no risk of reuse by man-in-the-middle attacks. This closed architecture assures customers that visibility of and access to their critical network elements is restricted to authorized Liebert personnel only.
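The two behaviours described above, a heartbeat every minute and Secure Connection rules that must disappear at session close, are exactly what a receiving-side monitor should check. The following is an added Python example, not Liebert or ComBrio code: it runs over a constructed HARC-side event log (the line format and the event names heartbeat, sc_open and sc_close are assumptions for this example) and reports gateways whose heartbeats have stopped and Secure Connections that were opened but never closed.

```python
from datetime import datetime, timedelta

# Constructed sample of an HARC-side event log; the line format is an assumption:
#   <ISO timestamp> <gateway> <event> [key=value ...]
SAMPLE_LOG = """\
2006-01-09T10:00:00 gw-columbus heartbeat
2006-01-09T10:00:00 gw-dallas heartbeat
2006-01-09T10:01:00 gw-columbus heartbeat
2006-01-09T10:01:00 gw-dallas heartbeat
2006-01-09T10:01:30 gw-dallas sc_open session=4711 engineer=jdoe device=10.1.5.20
2006-01-09T10:02:00 gw-columbus heartbeat
2006-01-09T10:02:05 gw-dallas sc_open session=4712 engineer=asmith device=10.1.5.21
2006-01-09T10:03:00 gw-columbus heartbeat
2006-01-09T10:03:00 gw-dallas heartbeat
2006-01-09T10:03:40 gw-dallas sc_close session=4712
2006-01-09T10:04:00 gw-columbus heartbeat
2006-01-09T10:05:00 gw-columbus heartbeat
"""


def parse_events(text):
    """Parse log lines into dicts: timestamp, gateway, event kind and key=value fields."""
    events = []
    for line in text.splitlines():
        ts, gateway, kind, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "gw": gateway, "kind": kind, **fields})
    return events


def missed_heartbeats(events, now, limit=timedelta(seconds=90)):
    """Per gateway, report gaps longer than `limit` (one minute per the note plus 30 s
    slack), including the gap up to `now`. A silent Gateway is down or has lost its
    outbound TCP 443 path; either way the HARC has lost visibility and should alert."""
    last, alerts = {}, []
    for ev in events:
        if ev["kind"] != "heartbeat":
            continue
        prev = last.get(ev["gw"])
        if prev is not None and ev["ts"] - prev > limit:
            alerts.append((ev["gw"], prev, ev["ts"]))
        last[ev["gw"]] = ev["ts"]
    for gw, seen in last.items():
        if now - seen > limit:
            alerts.append((gw, seen, None))  # still silent at `now`
    return alerts


def open_secure_connections(events):
    """Secure Connections opened but not closed: their session rules are still in place."""
    live = {}
    for ev in events:
        if ev["kind"] == "sc_open":
            live[ev["session"]] = ev
        elif ev["kind"] == "sc_close":
            live.pop(ev["session"], None)
    return live
```

On the sample, gw-dallas skips the 10:02 heartbeat and then falls silent, and session 4711 is still open while 4712 was closed cleanly.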

Traceability and Audit Trail

The Liebert Virtual Ntegrity Infrastructure supports regulatory compliance. Every Secure Connection session is logged, providing an audit trail of who performed a remote session, from where, on what, and when. This assures that both the enterprise being monitored and Liebert have information transfer traceability to meet internal and external audit requirements.

Security Standards

The Liebert Virtual Ntegrity Infrastructure uses standard, proven protocols to ensure the highest level of end-to-end security and authenticity. Secure Sockets Layer (SSL) is used to transport the VNI heartbeats, and IPsec is used for the tunnel between the Virtual Ntegrity Manager and the Virtual Ntegrity Gateways. IPsec provides authentication and encryption at the IP (Internet Protocol) level; this requires a higher-level protocol, IKE, to set up the IP-level service, Encapsulating Security Payload (ESP). Whereas SSL secures a single application socket, IPsec encrypts everything between two hosts. With this approach, IPsec can be used behind any Network Address Translation (NAT) device by encapsulating ESP in UDP. Additionally, the dual-channel closed system (the SSL and IPsec combination) guarantees the authenticity of the connection.

The Virtual Ntegrity Infrastructure incorporates the following security standards and policies:

Encapsulating Security Payload (ESP)

Encryption in the ESP encapsulation protocol is done with a block cipher, DES. Two versions of DES are used in the industry for encryption: DES and Triple DES (3DES). The default block cipher used by the VNI is 3DES.

Internet Key Exchange (IKE)

The IKE protocol sets up IPsec connections after negotiating the appropriate parameters for them (the algorithms to be used, keys, and connection lifetimes). This is accomplished by exchanging packets on UDP port 500 between the devices in the VNI.

Whether systems are operating in the data center, a network closet or the warehouse floor, mission-critical power and cooling technologies should be employed to ensure resistance to failure and the ability to adapt to increases in criticality.

Two-Phase IKE Negotiations

Phase one: The two gateways negotiate and set up a two-way Internet Security Association and Key Management Protocol (ISAKMP) Security Association (SA), which they then use to handle the phase two negotiations. One such SA between a pair of gateways can handle negotiations for multiple tunnels.

Phase two: Using the ISAKMP SA, the gateways negotiate IPsec (ESP) SAs as required. IPsec SAs are unidirectional (a different key is used in each direction) and are always negotiated in pairs to handle two-way traffic. More than one pair may be defined between two gateways.

Both phases use the UDP protocol on port 500 for their negotiations. After both IKE phases are complete, the IPsec SAs carry the encrypted data, using the ESP protocol.

The RSA algorithm is a very widely used public key cryptographic technique. In IPsec it is one method of authenticating the gateways for the Diffie-Hellman key negotiation. The VNI uses a custom matched pair system with 2192 bits per key in the Virtual Ntegrity Gateway and the Virtual Ntegrity Manager.

Firewall Provisioning

All firewall changes required to implement the Virtual Ntegrity Infrastructure are outbound only; no inbound firewall ports are necessary for this solution. The following ports are required by Liebert:

- UDP port 4500: port floating for NAT traversal
- UDP port 500: IKE key exchange for IPsec
- TCP port 443: SSL communication and monitoring

Summary

Liebert Virtual Ntegrity Infrastructure provides a unique, secure remote access solution that uses the best of multiple encryption technologies to achieve a high level of security while taking the burden of deploying and managing the service off customers. In addition, this solution incorporates various deployment methods, ensuring compliance with our customers' security policies and requirements.
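The Two-Phase IKE Negotiations and Firewall Provisioning sections above describe what a network sensor on the enterprise side will actually see: IKEv1 phase one and phase two exchanges on UDP 500, and, behind NAT, IKE multiplexed with UDP-encapsulated ESP on UDP 4500. The following added Python example (not Liebert or ComBrio code) classifies such datagrams and checks a flow against the outbound-only allow-list from the ports table; the ISAKMP header layout and exchange-type numbers follow RFC 2408 and RFC 2409, the UDP 4500 framing follows RFC 3948, and make_isakmp is a hypothetical helper that builds constructed header-only messages for testing.

```python
import struct

# The three documented ports, all opened outbound only (Firewall Provisioning)
IKE_PORT, NATT_PORT, SSL_PORT = 500, 4500, 443
ALLOWED_EGRESS = {("udp", IKE_PORT), ("udp", NATT_PORT), ("tcp", SSL_PORT)}

# ISAKMP exchange types (RFC 2408; Quick Mode from RFC 2409): phase one vs phase two
EXCHANGE_TYPES = {2: "phase1-main-mode", 4: "phase1-aggressive", 5: "informational",
                  32: "phase2-quick-mode"}
# Fixed 28-byte ISAKMP header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header; the IKE phase is derived from the exchange type."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    i_spi, r_spi, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack(data[:28])
    return {"i_spi": i_spi.hex(), "r_spi": r_spi.hex(),
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"type-{exch}"),
            "encrypted": bool(flags & 0x01),  # E bit: payloads after the header are encrypted
            "msg_id": msg_id, "length": length}


def classify_udp_payload(dst_port, data):
    """UDP 500 carries IKE directly. UDP 4500 (NAT-T, RFC 3948) multiplexes three things:
    IKE prefixed by a four-byte zero non-ESP marker, UDP-encapsulated ESP (whose first
    four bytes are the SPI, which is never zero), and a one-byte 0xFF NAT keepalive."""
    if dst_port == IKE_PORT:
        return "ike", parse_isakmp_header(data)
    if dst_port == NATT_PORT:
        if data == b"\xff":
            return "nat-keepalive", None
        if data[:4] == b"\x00\x00\x00\x00":
            return "ike", parse_isakmp_header(data[4:])
        if len(data) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", data[:8])  # ESP header: SPI then sequence number
        return "esp-in-udp", {"spi": spi, "seq": seq}
    return "unknown", None


def egress_allowed(proto, dst_port):
    """Outbound-only policy: only the three documented ports leave the enterprise network."""
    return (proto, dst_port) in ALLOWED_EGRESS


def make_isakmp(i_spi, r_spi, exch, flags, msg_id):
    """Build a constructed, header-only IKEv1 message (next payload 1 = SA, version 1.0)."""
    return ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, exch, flags, msg_id, ISAKMP_HDR.size)
```

A phase one message carries an all-zero responder SPI and message ID 0 in the clear, while a Quick Mode message has both SPIs set, the E bit on and a non-zero message ID, which is how a sensor can count phase two SA negotiations per tunnel.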

Liebert Corporation, 1050 Dearborn Drive, P.O. Box 29186, Columbus, Ohio 43229
800.877.9222 (U.S. & Canada Only), 614.888.0246 (Outside U.S.), Fax: 614.841.6022, www.liebert.com

While every precaution has been taken to ensure accuracy and completeness in this literature, Liebert Corporation assumes no responsibility, and disclaims all liability for damages resulting from use of this information or for any errors or omissions. Specifications subject to change without notice.

2006 Liebert Corporation. All rights reserved throughout the world. Trademarks or registered trademarks are property of their respective owners. Liebert and the Liebert logo are registered trademarks of the Liebert Corporation. The Emerson logo is a trademark and service mark of the Emerson Electric Co. Printed in U.S.A. 0106 AN106

Emerson Network Power. The global leader in enabling business-critical continuity. EmersonNetworkPower.com