HughesNet Broadband VPN End-to-End Security Using the Cisco 87x



White Paper, April 2009

HughesNet Managed Broadband Services includes a high level of end-to-end security features based on a robust architecture designed to meet the needs of the enterprise customer.

Introduction

Hughes is one of the world's largest providers of managed broadband services to a wide range of enterprise and government customers for whom a high level of end-to-end security is an absolute requirement. This white paper describes the comprehensive security functions, features, and safeguards that Hughes has designed into its HughesNet managed service capabilities. As illustrated in Figure 1, a typical enterprise end-to-end network architecture covers all information paths from the customer premises equipment (CPE) to the Network Operations Center (NOC), and through to the backhaul terminating at the customer datacenter.

Figure 1. Enterprise Network

Customer Premises Equipment (CPE)

As illustrated in Figure 2, HughesNet Managed Services employs the Cisco 87x family of routers at customer sites to enable virtual private networks (VPNs). In particular, the Cisco 877 is used for DSL circuits; it incorporates an integrated modem and connects directly to the twisted-pair copper wire jack. The Cisco 871 is used for any non-DSL site and connects to a cable or wireless modem via Ethernet (not shown in the diagram) in order to transmit and receive traffic over the non-DSL broadband access network. In both cases, the modem serves as a Layer 2 bridge and has no routing functionality. Both models, the 871 and the 877, provide all the Layer 3 routing, security, and management functions. The following discussion applies to both the 871 and the 877, as the same implementation, configuration, and management rules apply.

The HughesNet standard configuration of the Cisco 87x router is a PCI-compliant architecture that does not allow open Internet connectivity. The configuration management system ensures that the router configuration allows only one route, which is to the 3DES IPSec tunnel terminating at the Hughes NOC. The router's ACL has rules to ensure that all traffic is sent over the tunnel. Within the 3DES IPSec tunnel, HughesNet establishes, maintains, and monitors an L2TP tunnel. All management traffic is transmitted within the 3DES IPSec tunnel, including the ICMP pings that are used to determine the up/down status of the remote site.

In addition, HughesNet can support a PCI-compliant split-tunneling architecture, which provides simultaneous open Internet access and secure tunneling. This requires an Intrusion Detection System (IDS) and/or Intrusion Prevention System (IPS) to keep the secured tunnel traffic properly separated from the open Internet traffic. This document does not focus on the split-tunneling configuration and only discusses the standard secured-tunneling approach.

The 3DES IPSec tunnel provides security and encryption, protecting all data traffic from the remote site to the Hughes NOC and back. HughesNet supports both Layer 2 and Layer 3 broadband access architectures. For either option, the network only provides connectivity between the remote site and the Hughes NOC; no other connectivity is allowed, since these are private connections. With Layer 3, the Internet is used as the transport network, and the 3DES IPSec VPN tunnel is administered to maintain security. The same 3DES IPSec VPN tunnel used in the Layer 3 case is also used in the Layer 2 case.

Figure 2. Hughes Enterprise Access Network

There is no local (LAN) access to the Cisco 87x to view or modify the configuration. Hence, there is no unauthorized way to alter the configuration to gain access to the network. Hughes implements two-factor authentication, and each user has his/her own username/password combination. All configurations are managed at the NOC and are pushed out to the remote sites.

Hughes goes to great lengths to ensure proper configuration management. When a specific configuration is sent to the customer site, there are various quality assurance steps. Any potential misconfiguration that could impact security at the remote site is automatically cross-checked against the router's configuration capabilities. For example, if the configuration mistakenly allows open Internet connectivity and there is no IDS or IPS on the CPE, then the configuration management system will not allow the configuration to be sent; it will be reviewed and changed to the correct configuration. Very careful attention is paid to the remote site configuration to ensure that proper safety guidelines are met.

Network Operations Center (NOC)

In the Hughes NOC, many devices are deployed to provide a high level of service functionality, as well as to maintain and enforce robust security. The Hughes NOC has several functions. First, it aggregates traffic from the remote sites regardless of the access transport used. Second, it provides connectivity to third-party entities such as credit processors. Third, it hosts the functionality to perform the Hughes Proactive Monitoring Service. Fourth, it provides connectivity to the datacenter(s) via a backhaul. All these functions are supported and maintained in a highly secure environment. Figure 3 shows the Hughes NOC architecture.

Figure 3. Hughes NOC
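Before turning to the NOC devices, the following is an added worked example of the CPE configuration crosscheck described in the CPE section above (one route only, into the tunnel; the ACL sends everything over the tunnel; open Internet connectivity is rejected unless the CPE has an IDS/IPS). It is not Hughes' configuration-management tooling or a Cisco-supplied check: the config syntax is a constructed subset of Cisco IOS, and the peer address, interface name, enterprise prefix, and the rule that any "ip ips" line counts as IPS being enabled are assumptions made for the example.

```python
"""Policy crosscheck for a CPE router configuration before it is pushed.
Added example modelled on the crosscheck the white paper describes; not
Hughes' tooling. Config syntax is a constructed IOS-like subset and all
addresses, names and thresholds are assumptions."""
import ipaddress

# Constructed values (assumptions, not taken from the white paper)
NOC_PEER = "198.51.100.10"                              # NOC IPsec firewall address
TUNNEL_IF = "Tunnel0"                                   # interface carrying the L2TP-in-IPsec tunnel
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # reachable only through the tunnel
REQUIRED_ESP = "esp-3des"                               # the paper specifies 3DES IPsec


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (10.0.0.0 0.255.255.255) to a network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def _acl_address(tok, i):
    """Parse one ACL address field starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_config(text):
    """Pull the policy-relevant statements out of an IOS-style config (extended ACLs only)."""
    cfg = {"routes": [], "acl": [], "transforms": [], "peers": [], "ips": False}
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["ip", "route"] and len(tok) >= 5:
            cfg["routes"].append((tok[2], tok[3], tok[4]))      # prefix, mask, next hop
        elif tok[0] == "access-list" and len(tok) >= 7:
            src, i = _acl_address(tok, 4)
            dst, _ = _acl_address(tok, i)
            cfg["acl"].append((tok[2], tok[3], src, dst))        # action, proto, src, dst
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"].append(tok[4:])                    # e.g. ['esp-3des', 'esp-sha-hmac']
        elif tok[:2] == ["set", "peer"]:
            cfg["peers"].append(tok[2])
        elif tok[:2] == ["ip", "ips"]:
            cfg["ips"] = True   # assumption: any 'ip ips' line means IOS IPS is enabled on the CPE
    return cfg


def check_cpe_config(text):
    """Return the list of policy violations; an empty list means the config may be pushed."""
    cfg = parse_config(text)
    problems = []
    # 1. Exactly one route, and it is the default route into the tunnel.
    if cfg["routes"] != [("0.0.0.0", "0.0.0.0", TUNNEL_IF)]:
        problems.append(f"routing: expected only a default route via {TUNNEL_IF}, found {cfg['routes']}")
    # 2. Every permitted destination must be enterprise space reached through the tunnel;
    #    anything wider is open Internet, acceptable only when the CPE runs an IDS/IPS.
    open_permits = [
        f"{proto} {src} -> {dst}"
        for action, proto, src, dst in cfg["acl"]
        if action == "permit" and not any(dst.subnet_of(net) for net in ENTERPRISE_NETS)
    ]
    if open_permits and not cfg["ips"]:
        problems.append("acl: open Internet connectivity without IDS/IPS: " + "; ".join(open_permits))
    # 3. The IPsec transform must use the required cipher and the only peer must be the NOC.
    if not any(REQUIRED_ESP in ts for ts in cfg["transforms"]):
        problems.append(f"ipsec: no transform-set using {REQUIRED_ESP}")
    if cfg["peers"] != [NOC_PEER]:
        problems.append(f"peer: expected only {NOC_PEER}, found {cfg['peers']}")
    return problems


STANDARD_CONFIG = """\
! constructed sample: the standard secured-tunnel configuration
ip route 0.0.0.0 0.0.0.0 Tunnel0
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip any any
crypto ipsec transform-set HN-SET esp-3des esp-sha-hmac
crypto map HN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
"""

LEAKY_CONFIG = """\
! constructed sample: default route straight to the WAN and an any-destination permit
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
crypto ipsec transform-set HN-SET esp-3des esp-sha-hmac
crypto map HN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
"""

if __name__ == "__main__":
    for name, cfg in (("standard", STANDARD_CONFIG), ("leaky", LEAKY_CONFIG)):
        issues = check_cpe_config(cfg)
        print(name, "-> OK to push" if not issues else "-> BLOCKED")
        for issue in issues:
            print("   ", issue)
```

The leaky sample is blocked on two counts, the default route that bypasses the tunnel and the permit to any destination; appending an IPS statement clears only the ACL finding, which mirrors the paper's split-tunnel exception, while the routing finding still blocks the push.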

All NOC equipment requires SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server. It is a standard Hughes security practice to ensure that only authorized personnel have access to the network.

Remote Site Aggregation

There are four NOC devices that assist in aggregating remote site traffic: the DSL Provider Edge (PE) router, the Hughes Internet (Inet) router, the L2TP router, and the IPSec firewall. The DSL PE router and the Hughes Inet router have similar functions. Both directly aggregate traffic, but the DSL PE router supports the Layer 2 network and the Hughes Inet router supports the Layer 3 network. Both routers forward data to the IPSec firewall, then to the L2TP router, and then to the enterprise LAN for transmission to the datacenter(s) or the credit card processor network.

The DSL PE router has no connection to the Internet. This router only aggregates sites served via a private Layer 2 connection; therefore, there are no inherent threats from third-party attacks on the Internet. The only type of attack could come from within the network via the remote site, but since there is no ability to access the Cisco 87x configuration from the remote site, there is no way to alter the configuration to allow a rogue user to enter the network.

The Inet router has access to the Internet to aggregate traffic from sites using the Layer 3 architecture. The router's ACL is set up to accept traffic only from a remote site, sent over the proper port with the proper protocol. Any third-party entity attempting to gain access to the network would have to emulate a remote site's IP address, emulate the Inet router's IP address, emulate the transport protocol, and send over the correct port. Also, penetration tests and port scans are conducted every three months (per the PCI standard) on the Inet router.

After the traffic flows through either the DSL PE router (for Layer 2 traffic) or the Inet router (for Layer 3 traffic), it flows to the IPSec firewall. The IPSec firewall terminates the IPSec tunnel from the 87x located at the remote site. After the IPSec tunnel is terminated, the traffic is sent to the L2TP router, which terminates the L2TP tunnel. After this tunnel is terminated, the traffic is forwarded to the enterprise LAN for delivery to the corporate headquarters (via the backhaul) or to the credit processor network.

Third-Party Network Connectivity

The credit processor routers have direct communication with the credit processor network. This architecture is supported either with private line access or with public secure VPN access. Regardless of the architecture, Hughes, along with the credit card processor, ensures security. Hughes' demarcation is the WAN side of the NAT router. The credit processor routers, collocated at the Hughes NOC, are managed by the third party, not by Hughes.

Hughes Proactive Monitoring Service

The Hughes proactive monitoring router serves to ping the remote sites and does not carry any live enterprise-specific traffic. The proactive monitoring traffic is in the form of Hughes-initiated pings. This management traffic is transmitted over the same 3DES IPSec tunnel as the enterprise data traffic.

Optional Firewalls

Hughes provides optional firewalls in the NOC. One firewall is used to protect the enterprise LAN from viruses or anomalous traffic. This way, if a remote site is affected, the impact can be quarantined to that site and not affect the corporate network. The second optional firewall provides secure Internet access via the NOC. Either open or fenced (white list) Internet access can be provided. The firewall protects the enterprise LAN and remote sites against security threats from the Internet.

Backhaul Connectivity

The Hughes NOC also supports backhaul connectivity to the datacenter(s), as described in the next section.

Backhaul

The backhaul network connects the Hughes NOC to the customer datacenter(s). The NOC backhaul routers connect to the enterprise network routers at the datacenter(s). There are two different architectures to support the backhauls. First, there is the private line backhaul, which is supported by the enterprise backhaul router from the NOC. This router is connected to an enterprise router on the enterprise network at the datacenter. As with all the equipment in the NOC, both routers require SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server.

There is also an option for an IPSec VPN tunnel from the NOC to the datacenter(s). This is supported by the enterprise backhaul VPN router connected to the enterprise router at the datacenter. Both routers have restricted ACLs that permit only IPSec on the Internet interface for a VPN peer. The IPSec VPN is 3DES strength, using a pre-shared secret key with a 15-minute lifetime. There is no NAT supported for end-user client Internet access. Also, as explained above, SSL security is required for management access with two-factor authentication. The authentication request is logged through an RSA server.

Figure 4. Backhaul Architecture
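The Inet router's Internet-facing ACL (Remote Site Aggregation, above) and the backhaul VPN routers' ACLs in this section enforce the same rule: on the Internet interface, accept only IPSec from a known VPN peer, addressed to the router, on the right protocol and port. The following added example models that rule as a packet filter run over constructed flow records and tallies the denies per source, the kind of evidence a quarterly port scan or log review would surface. It is not Hughes' or Cisco's code; the router and peer addresses are constructed, and the protocol set (ESP, and UDP 500/4500 for IKE and NAT-T) is the assumed "proper protocol and port".

```python
"""Internet-interface ACL model for an IPsec aggregation router.
Added example, not Hughes' configuration; all addresses are constructed
and the permitted protocol/port set is an assumption."""
import ipaddress
from collections import Counter

# Constructed values (assumptions, not taken from the white paper)
INET_ROUTER = ipaddress.ip_address("203.0.113.1")      # NOC router that terminates the VPN peers
REMOTE_SITE_PEERS = {ipaddress.ip_address(a) for a in ("198.51.100.20", "198.51.100.21")}
BACKHAUL_PEER = ipaddress.ip_address("192.0.2.50")     # datacenter VPN router (backhaul case)
ALLOWED_PEERS = REMOTE_SITE_PEERS | {BACKHAUL_PEER}

ESP = 50                 # IP protocol number for IPsec ESP
UDP = 17
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T; all other ports/protocols are dropped


def acl_decision(src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for one packet: only IPsec (ESP or IKE over UDP)
    from a known peer, addressed to the router itself, gets through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst != INET_ROUTER or src not in ALLOWED_PEERS:
        return "deny"
    if proto == ESP:
        return "permit"
    if proto == UDP and dport in IKE_PORTS:
        return "permit"
    return "deny"


def filter_flows(flows):
    """Apply the ACL to a list of flow records; return the per-flow decisions
    and a per-source count of denies for the operator's review."""
    decisions = []
    denied_by_src = Counter()
    for flow in flows:
        verdict = acl_decision(flow["src"], flow["dst"], flow["proto"], flow.get("dport"))
        decisions.append(verdict)
        if verdict == "deny":
            denied_by_src[flow["src"]] += 1
    return decisions, denied_by_src


# Constructed sample flows, as a log exporter on the router might record them
SAMPLE_FLOWS = [
    {"src": "198.51.100.20", "dst": "203.0.113.1", "proto": UDP, "dport": 500},   # site IKE
    {"src": "198.51.100.20", "dst": "203.0.113.1", "proto": ESP},                 # site ESP
    {"src": "192.0.2.50", "dst": "203.0.113.1", "proto": UDP, "dport": 4500},     # backhaul NAT-T
    {"src": "203.0.113.77", "dst": "203.0.113.1", "proto": 6, "dport": 22},       # unknown host, SSH
    {"src": "203.0.113.77", "dst": "203.0.113.1", "proto": UDP, "dport": 500},    # unknown host, IKE
    {"src": "198.51.100.20", "dst": "203.0.113.1", "proto": 6, "dport": 23},      # known peer, wrong protocol
    {"src": "198.51.100.20", "dst": "203.0.113.2", "proto": ESP},                 # known peer, wrong destination
]

if __name__ == "__main__":
    verdicts, tally = filter_flows(SAMPLE_FLOWS)
    for flow, verdict in zip(SAMPLE_FLOWS, verdicts):
        print(f"{verdict:6} {flow}")
    print("denies per source:", dict(tally))
```

Note what the filter does and does not give: a source address is the one element of the four that an outsider can forge, so the ACL narrows exposure to the IKE/ESP listener, and it is the IKE authentication of the peer (the pre-shared key in the backhaul case) that actually admits a tunnel. Unexpected denies from a known peer's address, as in the last two sample flows, are worth investigating as either a site misconfiguration or someone borrowing that address.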

Security Management

Hughes has been evaluated on various business practices based on Payment Card Industry (PCI) standards. In addition to the configuration of the network, Hughes takes pride in the processes and procedures that are in place in order to maintain its high level of security. This includes a structured and consistent installation procedure ensuring that only the correct configurations are deployed in the network by authorized personnel. Any changes in the network configuration are first reviewed and verified in a test environment before being launched in the production environment by authorized personnel. All critical NOC component configurations are reviewed and anti-virus programs are run on a consistent basis. Additionally, Hughes has a process in place to identify new security risks and test the network for vulnerabilities. Logging occurs in case of unauthorized access to a critical NOC component. Lastly, Hughes strictly adheres to both physical and logical security. Only authorized personnel are allowed in controlled areas. Two-factor authentication is consistently used for logical access to sensitive equipment.

Summary

From the CPE to the NOC to the backhaul, all components in the HughesNet managed broadband service architecture have robust security. This has been validated by the successful PCI review of the HughesNet Managed Services conducted by the Cardholder Information Security Program (CISP) in 2006. By adhering to PCI standards, not only does Hughes provide strong protection and security for customer traffic, but the processes and procedures used for implementation, monitoring, and change management call for continuous improvement. The end result is a highly secure and reliable HughesNet managed broadband VPN service for even the most demanding enterprise customer.

Proprietary Statement

All rights reserved. This publication and its contents are proprietary to Hughes Network Systems, LLC. No part of this publication may be reproduced in any form or by any means without the written permission of Hughes Network Systems, LLC, 11717 Exploration Lane, Germantown, Maryland 20876. HUGHES, HughesNet, IPoS, TurboPage, SPACEWAY, AIReach, Broadband Unbound, and Connect to the future are trademarks of Hughes Network Systems, LLC. All other trademarks are the property of their respective owners. © 2009 Hughes Network Systems, LLC. All information is subject to change. All rights reserved.

HUGHES PROPRIETARY H39083 ID APR 09
11717 Exploration Lane, Germantown, MD 20876 USA