Network Security
 


 

Today, the internet comprises tens of thousands of networks, interconnected without boundary. In this environment, Network Security is essential because any private network is accessible from any computer in the world, and therefore, potentially vulnerable to threats from individuals who do not require physical access to it.

Network Security Products available from eVolution include [1] Stateful Firewall products including CheckPoint Firewall-1 NG, on a variety of operating platforms, and the Cisco PIX security platforms [2] Virtual Private Network [VPN] products including CheckPoint VPN-1 and Cisco IOS VPNs, Cisco PIX VPNs and Cisco Concentrator VPNs [3] Intrusion Detection Systems [IDS] including OPSEC-compliant products and [4] Integrated Intrusion Protection Systems [IPS] including ISS RealSecure and CiscoSecure products.

eVolution provides technically qualified Cisco [CCDP/CCNP], CheckPoint [CCSA/CCSE] and Nokia resources to design, install, configure and maintain Stateful Firewalls, Virtual Private Networks [VPNs], Intrusion Detection Systems [IDS] and Intrusion Protection Systems [IPS].

 

Firewalls

A firewall is a router or access server, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists or a security policy to ensure the security of the private network.

Different types of firewalls exist, in terms of both implementation and their specific purpose. Firewalls can be either software-based, hardware-based or a combination of both. Today's firewalls generally tend to be purpose-built hardware appliances, with security-hardened operating systems designed solely for the specific purpose of safeguarding your private network and corporate assets. Three specific types of firewalls exist namely, Packet Filtering Firewall, Application-Layer Gateway [Proxy Firewall] and Stateful Inspection Firewall.

A Packet Filtering Firewall is simple, inexpensive and fast, but it examines packets only one by one, at Layer 3/4 only, and then either permits or rejects each packet. Packet Filtering firewalls represent the most basic form of firewall, in that they do not understand connections, or that connections are bi-directional flows.

An Application-Layer Gateway is commonly referred to as a proxy-based firewall, because it proxies application-layer connections on behalf of other clients. All access is controlled at Layer 7 and no client system ever communicates directly with a server system. An Application-Layer Gateway provides daemons or services [server-side components] that emulate the services on the destination server that a client wishes to connect to.

A Stateful Inspection Firewall provides the intelligence of Application-Layer Gateways, yet combines these features with the speed of Packet Filtering Firewalls to provide a high performance, scalable and intelligent firewall solution. Stateful Inspection technology uses a connection table to store session state information for all connections currently established through the firewall, ensuring return traffic for each connection is permitted and also ensuring that complex protocols, such as H.323, can open dynamic connections securely.

The firewall generally separates a private network from a public network. However, it is not uncommon to use a firewall to separate network segments within a private network. Usually a firewall has at least three interfaces [also known as a three-part firewall], which creates three networks, an Inside Trusted Area, an Outside Untrusted Area and a Demilitarized Zone [DMZ or Isolation LAN]. The baseline perspective for a firewall is to perform the following functions [1] Permit no access from the Outside to the Inside [2] Permit limited access from the Outside to the DMZ [3] Permit all access from the Inside to the Outside and [4] Permit limited access from the Inside to the DMZ.
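The connection table and the four baseline zone rules described above, as an added example that is not eVolution's or any vendor's code. Zone names, port sets and addresses are constructed; a packet with syn=True stands for a connection-opening packet, and a plain packet filter would have no connection table to consult.

```python
from collections import namedtuple

# Constructed baseline policy for a three-part firewall: (src zone, dst zone) ->
# permitted destination ports, or "all". Mirrors the page's four rules.
BASELINE_POLICY = {
    ("outside", "inside"): set(),          # [1] no access Outside -> Inside
    ("outside", "dmz"): {25, 80, 443},     # [2] limited access Outside -> DMZ
    ("inside", "outside"): "all",          # [3] all access Inside -> Outside
    ("inside", "dmz"): {22, 25, 80, 443},  # [4] limited access Inside -> DMZ
}

# syn=True marks a TCP connection-opening packet; everything else is mid-flow.
Packet = namedtuple("Packet", "src_zone src_ip src_port dst_zone dst_ip dst_port syn",
                    defaults=(False,))

class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.connections = set()  # connection table of established 4-tuples

    def policy_permits(self, p):
        allowed = self.policy.get((p.src_zone, p.dst_zone), set())
        return allowed == "all" or p.dst_port in allowed

    def handle(self, p):
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.connections or rev in self.connections:
            return "permit"  # established flow, so return traffic is allowed
        if p.syn and self.policy_permits(p):
            self.connections.add(fwd)  # new connection matched the zone policy
            return "permit"
        return "deny"  # unsolicited, or not permitted by the zone policy

def demo():
    fw = StatefulFirewall(BASELINE_POLICY)
    return [
        # inside client opens HTTPS to an internet host: permitted, table entry created
        fw.handle(Packet("inside", "10.0.0.5", 40000, "outside", "203.0.113.9", 443, True)),
        # the server's reply: permitted only because the connection table knows the flow
        fw.handle(Packet("outside", "203.0.113.9", 443, "inside", "10.0.0.5", 40000)),
        # unsolicited packet Outside -> Inside to a host with no flow: denied by rule [1]
        fw.handle(Packet("outside", "203.0.113.9", 443, "inside", "10.0.0.7", 40000, True)),
        # Outside -> DMZ web server: permitted by rule [2]; Outside -> DMZ SSH: denied
        fw.handle(Packet("outside", "198.51.100.4", 50000, "dmz", "192.0.2.10", 80, True)),
        fw.handle(Packet("outside", "198.51.100.4", 50001, "dmz", "192.0.2.10", 22, True)),
    ]
```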

eVolution Information Systems

Cisco PIX Firewall Products

The Cisco Secure PIX Firewall products currently include five models [506, 515, 520, 525 and 535] dependent upon the throughput [10Mbps-1Gbps] and number of concurrent connections [400-50,000] required. All models include a Secure Real-Time Embedded System [PIX O/S], an Adaptive Security Algorithm [ASA-Stateful Inspection], Cut-Through Proxy and most include Stateful Failover/Hot Standby.

CheckPoint VPN-1/Firewall-1

CheckPoint produces a range of application-based/software-based firewall security products for installation onto security-hardened operating systems [Windows NT/2000, Solaris and Linux] or Nokia firewall appliances. CheckPoint's Firewall-1 product can be purchased separately or combined with VPN software - CheckPoint VPN-1/Firewall-1. All CheckPoint firewall products use Stateful Inspection. Security Policies are configured on a SmartCentre Server and downloaded to firewall enforcement modules via Secure Internal Communication [SIC].

 

Virtual Private Networks [VPNs]

A Virtual Private Network [VPN] is a service that offers secure, reliable private network connectivity over a shared public network infrastructure such as the internet. By using VPN technology, you not only secure information, but you also emulate a private network link for each VPN connection. Internet-based VPNs provide a very cost effective alternative to traditional telecommunication service provider WAN links, as private dedicated connectivity is no longer required. VPNs on the internet operate over an IP network, and are therefore referred to as Layer 3 VPNs. VPNs can also operate at other layers of the OSI model - for example, Frame Relay is a Layer 2 VPN technology, as it operates at the data-link layer.

IP-based VPNs can provide secure and private communications for a variety of network topologies. There are three basic deployment types for VPNs - Intranet, Remote Access and Extranet.

Intranet VPNs are designed to secure communications between different locations within an organisation - a corporate headquarters in one city and dispersed branch offices in other cities. When designing Intranet VPNs, strong data encryption [to secure the sensitive data transmitted over a public network], scalability [head office VPN gateway] and reliability/resilience of VPN devices are critical factors to consider.

Remote Access VPNs are used to provide remote access for employees located outside the organisation. The employee uses the internet to establish a VPN connection to the organisation's VPN Gateway, authenticates using their credentials and is then granted access to the internal network. The VPN essentially extends the internal network out to the user in a secure fashion - all information transmitted is encrypted. When designing Remote Access VPNs, strong data encryption [to secure the sensitive data transmitted over a public network], scalability [head office VPN gateway] and management [integrated centralised user database] are critical factors to consider.

Extranet VPNs are used to provide private communications links between an organisation and another external organisation, such as vendors, partners or customers. The VPN connection provides privacy and confidentiality by encrypting data between a VPN Gateway located at the organisation and a VPN Gateway located at the third-party. When designing an Extranet VPN, you must take into consideration the following requirements - use of standards-based encryption [IPSec], performance [satisfactory throughput of business critical traffic] and quality of service [QoS - prioritisation of business critical traffic].

The standards-based encryption for internet VPNs is IPSec, providing data confidentiality, data integrity and data authentication between participating peers at the IP layer. IPSec consists of two main protocols, Authentication Header [AH] and Encapsulating Security Payload [ESP]. IPSec also uses other existing cryptographic standards to make up a protocol suite. These standards include Data Encryption Standard [DES], Triple DES [3DES], Diffie-Hellman [D-H], Message Digest 5 [MD5], Secure Hash Algorithm-1 [SHA-1], Rivest, Shamir and Adleman [RSA] Signatures, Internet Key Exchange [IKE] and Certificate Authorities [CAs]. The Cisco and CheckPoint Network Security products supported by eVolution are all IPSec-based internet VPNs.

Cisco Router/PIX/Concentrator VPNs

The Cisco products supporting the latest VPN technology include Cisco VPN-optimised routers [software IPSec], Cisco Secure PIX Firewall [VPN Gateway], Cisco VPN Concentrator series [powerful remote access and site-to-site VPNs], Cisco Secure VPN Clients [Windows-based clients], Cisco CSIDS/Secure Scanner [monitoring and auditing security of VPN] and Cisco Secure Policy Manager/CiscoWorks 2000 [VPN-wide system management]. The Cisco VPN security products support IPSec Access, Intranet and Extranet VPNs.

CheckPoint VPN-1/Firewall-1

CheckPoint produces a range of application-based/software-based VPN security products for installation onto security-hardened operating systems [Windows NT/2000, Solaris and Linux] or Nokia firewall appliances. CheckPoint's VPN-1 Net product can be purchased separately or combined with firewall software - CheckPoint VPN-1/Firewall-1 or VPN-1 Pro. CheckPoint VPN security products include Intranet [Simplified VPNs], Extranet [EMI] and Remote Access [SecuRemote, SecureClient and Clientless VPNs] IPSec/SSL-based VPNs.

 

Intrusion Detection Systems [IDS] & Intrusion Protection Systems [IPS]

A firewall is only one, albeit important, component of a security policy. The role of a firewall or router is to either permit or deny access based upon pre-determined criteria. To do this, packet headers are inspected, but the data portion of the packets is not inspected. Consequently, a firewall by itself is inadequate to safeguard the security of your enterprise networks.

Intrusion Detection Systems [IDS] provide accurate threat detection by inspecting packets for known signatures and decodes of network security attacks and viruses. Intrusion Protection Systems [IPS] provide accurate threat prevention by proactively preventing further similar attacks, once detected, from occurring in the future. This is achieved by dropping the packets, terminating the session, reconfiguring access control lists on routers and switches, or dynamically modifying the firewall security policy to shun the intruder.

Network Security threats can be broadly categorised into four themes [1] Unstructured Threats - originate usually from inexperienced individuals using easily available hacking tools, a major source of computer viruses [2] Structured Threats - originate from highly motivated and more experienced individuals, a major source of fraud and theft [3] External Threats - individuals working outside your organisation, gaining unauthorised access via the internet or dial-up access servers and [4] Internal Threats - individuals within your organisation, causing malicious damage or acting for personal gain.

Security is breached by three types of network attacks [1] Reconnaissance Attacks - an intruder attempts to discover and map systems, services and vulnerabilities [2] Access Attacks - an intruder attacks networks or systems to retrieve data, gain access or escalate their personal access privileges [3] Denial Of Service [DOS] Attacks - an intruder attacks your network in such a way that damages or corrupts your system, or denies you and other authorised users access to your networks, systems or services.

Basic IDS/IPS functionality can be implemented via software in routers, firewall appliances or dedicated IDS/IPS appliances or modules. CheckPoint provides Content Security Servers within its firewall software for HTTP, SMTP, FTP and TCP - the ability to inspect and deny traffic based on the content of the data payload portion of packets. Third-Party OPSEC-compliant products, such as ClearSwift MailSweeper or WebSense, can also be deployed for CVS and URL filtering. CheckPoint also provides, at additional cost, SmartDefence, which uses stateful inspection technology to inspect traffic passing through the firewall, pinpoint attack signatures and block connections. Cisco implements IDS/IPS functionality via integrated software sensor solutions within the router, switch or firewall OS, dedicated IDS/IPS appliances [Cisco IDS 4200 Series Sensors] or via an IDSM module for the Cisco Catalyst chassis. Innovative and fully integrated Intrusion Detection and Intrusion Protection Systems currently available include CiscoSecure, based upon the platforms described above, and ISS RealSecure for Nokia platforms.
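The distinction drawn in this section, as an added example that is not eVolution's or any vendor's code: the firewall judged packets on header fields, whereas the sensor below also matches the payload against signatures and, in prevention mode, drops the packet and shuns the source so that subsequent traffic from it never passes. The signature IDs, patterns and traffic are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed packet record: a firewall sees the header fields only; the IDS/IPS
# additionally inspects the payload.
Packet = namedtuple("Packet", "src_ip dst_ip dst_port payload")

# Constructed signature set (hypothetical IDs, not any vendor's database). Each
# entry is a payload pattern plus the prevention action to take on a match.
SIGNATURES = [
    ("SIG-0001 directory traversal in HTTP request", re.compile(rb"\.\./\.\./"), "drop"),
    ("SIG-0002 oversized SMTP command", re.compile(rb"^[A-Z]{4} .{512,}", re.S), "shun"),
]

class InlineSensor:
    """IDS mode (prevent=False) only alerts; IPS mode also drops and shuns."""
    def __init__(self, prevent=True):
        self.prevent = prevent
        self.shunned = set()   # sources dynamically blocked after a detected attack
        self.alerts = []       # (src_ip, signature name) pairs for the operator

    def inspect(self, p):
        if p.src_ip in self.shunned:
            return "drop"      # IPS: later traffic from a shunned source never passes
        for name, pattern, action in SIGNATURES:
            if pattern.search(p.payload):
                self.alerts.append((p.src_ip, name))
                if not self.prevent:
                    return "alert"             # IDS: detect and report only
                if action == "shun":
                    self.shunned.add(p.src_ip)  # stands in for an ACL/policy update
                return "drop"
        return "pass"

def demo(prevent=True):
    sensor = InlineSensor(prevent)
    traffic = [  # constructed sample traffic
        Packet("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
        Packet("198.51.100.7", "192.0.2.10", 80, b"GET /../../private/config.txt HTTP/1.0\r\n"),
        Packet("203.0.113.5", "192.0.2.25", 25, b"HELO " + b"A" * 600 + b"\r\n"),
        Packet("203.0.113.5", "192.0.2.25", 25, b"QUIT\r\n"),  # benign, but source is shunned
    ]
    return [sensor.inspect(p) for p in traffic], sorted(sensor.shunned)
```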

 

Two-Factor Authentication Systems

A successful enterprise network security policy is constantly evolving to meet the challenges of today and to address new security vulnerabilities as they appear. The network security features described above provide the essential components required to secure today's increasingly complex networks. One component commonly overlooked is that of login procedures and user authentication. Do you really know who's accessing your most sensitive networked information assets? Unfortunately, security built on static, reusable passwords has proven easy for hackers to beat.

Increasingly popular is the deployment of Two-Factor Authentication systems to secure user access to your enterprise networks, ensuring that only trusted and authenticated users are permitted access. Two-factor authentication systems are based on something you know [a password or PIN] and something you have [an authenticator]. This provides a much more reliable level of user authentication than reusable passwords alone.

Used in conjunction with RSA ACE/Server® software, an RSA SecurID authenticator functions like an ATM card for your network, requiring users to identify themselves with two unique factors - something they know and something they have - before they are granted access. RSA SecurID authenticators are used to securely access VPN and Remote Access applications, Web servers and applications, network operating systems and more.

The market leader in the provision of innovative and comprehensive two-factor authentication systems is RSA Security. The RSA SecurID solution includes: [1] RSA SecurID Tokens/Authenticators - hardware and software tokens [2] RSA ACE/Server - security engine for RSA SecurID® authentication [3] RSA ACE/Agents - seamlessly integrate two-factor authentication [4] RSA SecurID Passage - smart cards, middleware & USB tokens [5] RSA SecurID Web Express - provisioning solution to rapidly deploy credentials [6] RSA SecurID Select - customised solution.
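The two-factor check described above, as an added example that is not RSA's or eVolution's code: the server verifies a PIN [something you know] concatenated with a time-synchronous token code [something you have]. The token code is generated with the HMAC truncation of RFC 4226 over a time-step counter [TOTP style], which is assumed here as a stand-in for the authenticator's own proprietary algorithm; the step length, window and seed are constructed values.

```python
import hashlib
import hmac
import struct

STEP = 60     # token code changes every 60 seconds (constructed parameter)
DIGITS = 6    # length of the token code
WINDOW = 1    # accept one step either side to tolerate token/server clock drift

def token_code(seed: bytes, counter: int) -> str:
    """HMAC-based code for one time step (RFC 4226 truncation, TOTP style).
    Stand-in for the authenticator's proprietary algorithm, not SecurID's."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

class AceServerLike:
    """Hypothetical authentication server: per-user PIN hash, token seed and
    the last accepted time step, so that a captured passcode cannot be replayed."""
    def __init__(self):
        self.users = {}   # user -> [pin_hash, seed, last_accepted_counter]

    def enrol(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = [hashlib.sha256(pin.encode()).digest(), seed, -1]

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN (something you know) + token code (something you have)."""
        rec = self.users.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False
        pin_hash, seed, last = rec
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).digest()):
            return False   # first factor failed; second factor is not even examined
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            # each time step is accepted once only, so a replayed passcode fails
            if c > last and hmac.compare_digest(code, token_code(seed, c)):
                rec[2] = c
                return True
        return False
```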


Following the design and implementation of your chosen network security model, eVolution can provide technically qualified engineers to maintain, manage, configure and troubleshoot your Stateful Firewalls, Virtual Private Networks [VPNs], Intrusion Detection Systems [IDS] and Intrusion Protection Systems [IPS] to maintain optimum network security protection.

eVolution has the commercial experience and technical competence invested within its System Engineers to successfully manage your strategic IT integration project or programme.

To assure you of our dedicated management and support of your project, unlike other IT computer consultancies, eVolution guarantees only to contract to a single client organisation at a time, so there is never a conflict of interest between competing clients for our valuable technical and managerial expertise. A true One2One business relationship.

 

Please visit www.cisco.com for details of available Cisco networking security products and services.

Please visit www.checkpoint.com for details of available CheckPoint security products and services.

Please visit www.nokia.com for details of available Nokia firewall appliances and security products.

Please visit www.opsec.com for details of certified Opsec compliant applications and services.

Please visit www.rsasecurity.com for details of RSA SecurID and other available authentication products and services.

Contact Details:

E-mail: info@evolution-is.com for further details of services, quotations and availability.
E-mail: webmaster@evolution-is.com for comments and questions about this Web Site.
Telephone: +44 (0)7810 078141
Facsimile: +44 (0)1902 843047
Mail: eVolution Information Systems, Central House, 582-586 Kingsbury Road, Birmingham B24 9ND England.