NetScreen Technologies: Innovative Technologies Applied for Network Security

  • Slides: 21
Slide 1: NetScreen Technologies, Innovative Technologies Applied for Network Security

Slide 2: Agenda
• Application scenarios
  – High speed Internet Firewall and VPN
  – Central Site
  – Medium Enterprise
  – Large Enterprise
  – Data Centre
  – Internet Data Centre
  – Multi Department Security
• Security Innovation
  – Unique Architectures
  – Threats and Responses
• VPN leadership
• Total cost of ownership
• VPN and Security Management

Slide 3: Agenda
• Application scenarios
  – High speed Internet Firewall and VPN
  – Central Site
  – Medium Enterprise
  – Large Enterprise
  – Data Centre
  – Internet Data Centre
  – Multi Department Security
  – Campus Security
• VPN and Security Management

Slide 4: Complete VPN Functionality
• Cost effective remote site VPN
  – Complete range of HW
  – Hub & Spoke or Full Mesh VPN
  – NAT Traversal
  – VPN Dial backup
• Complete RA VPN Support
  – Remote VPN client
  – Security Client: Personal FW + VPN
  – ANG for centralized & user auth
  – Certificate & smart card support
  – Compatibility w/ Certicom PDA client
• Easy deployment & NW integration
  – NAT, NAT-T, Transparent Mode
  – Device or policy based management
  – NAT, DHCP, PPPoE
  – Integrated Firewall
• Global PRO Comprehensive Mgmt
  – Policy Based Mgmt
  – VPN Monitoring
  – Detailed reporting & trending
• Comprehensive Authentication Support
  – PKI (VeriSign, …)
  – Radius
  – LDAP
  – XAUTH
  – SecureID
• Robust connectivity for major Sites
  – Active-Active HA
  – Redundant Gateway VPN tunnels
  – VPN Monitoring
  – Full Mesh
  – OSPF & BGP Routing
  – Virtual Systems
  – 3DES & AES encryption w/ ASIC acceleration
  – Traffic management
  – FIPS & ICSA Certified

Slide 5: Firewall with High Speed Internet
(Diagram: Firewall, Private Network, Internet, PSTN (1-800), Corp HQ, RAS, DMZ, Promotional Web site)
• Private Network perceived as “secure”
• RAS for mobile / home office
• WAN access: multiple T1s (>1.5 Mbps)
• Promotional Web site
• All employees “trusted”; can access all parts of the network
• NetScreen delivers
  – Increased Security / Easier Support / Higher Performance & Scalability / Cost effective solution

Slide 6: VPN Intranet & Central Site Firewall
(Diagram: Internet, Corp HQ, NetScreen-Global PRO)
• Remote Access VPN
  – Private & dial network replaced by VPN intranet
  – Remote VPN devices provide additional security because they are also Firewalls
  – Central Firewall turns on VPN
• Central Site VPN Acceleration
  – Central Firewall unable to handle VPN traffic; needs acceleration
  – NetScreen device used for VPN termination
  – Leverage advanced features, e.g. Hub & Spoke
• Firewall/VPN consolidation
  – NetScreen replaces existing firewall due to unnecessary duplication of costs (maintenance, admin, and support)

Slide 7: Medium Enterprise: Serious Traffic (web) and VPN Requirements
(Diagram: Internet; T1, SDSL, etc; DMZ with Web & Email Servers; NetScreen-Global PRO)
• Integrated VPN, FW and Traffic Mgmt
  – VPN
    • No Special Licenses or Additional Hardware
    • >100 Remote Sites or RA Users
    • Class leading VPN for Central Site: 1000 tunnels & 185M 3DES
  – Firewall
    • Stateful Inspection FW, NAT, PPPoE and DHCP client, server & relay
    • Class Leading FW for Central Site: 100K+ sessions & 19K ramp rate
  – Traffic Management
    • Reduce BW for non-business critical traffic
    • Better utilize / reduce expensive WAN BW
  – High Availability
    • Stateful fail over FW & VPN

Slide 8: Large Enterprise: High Traffic and VPN Requirements
(Diagram: Branch Office, Regional Office, Small Office, Internet, DMZ with Web & Email Servers, NetScreen-Global PRO)
• Very Integrated VPN, FW and Traffic Mgmt
  – VPN
    • No Special Licenses or Hardware
    • Thousands of Remote Sites or RA Users
    • Class leading VPN for Central Site: 10K tunnels & 250M 3DES
  – Firewall
    • Stateful Inspection FW, NAT, PPPoE and DHCP client, server & relay
    • Class Leading FW for Central Site: 250K sessions & 22K ramp rate
  – Traffic Management
    • Reduce BW for non-business critical traffic
    • Better utilize / reduce expensive WAN BW
  – High Availability: Active-Active
    • Stateful fail over FW & VPN

Slide 9: Multi-Department Security
(Diagram: Internet, Corp HQ, DMZs, Finance Dept, M & A Group, Engineering Dept)
• Traditional Solution
  – Multiple Firewalls required to provide internal security
• NetScreen-500 Solution
  – Virtual Systems employed to provide departmental security
  – Can also be used for additional DMZs, security domains and for extranets
  – Trust limited to “Need to know” employees

Slide 10: Multi-Department with remote users
(Diagram: Finance Dept remote worker, Finance Dept mobile worker, Corp HQ, Finance Vsys, DMZs, Finance Dept)
• Firewall
  – Traffic sent to the Finance dept is firewalled by the Finance Vsys
  – Finance SOHO worker firewalled from the Internet
• VPN
  – Remote finance workers’ VPN connections terminate in the Finance Virtual System
  – Essentially extending the finance intranet to include those workers

Slide 11: Enterprise or Campus Backbone
(Diagram: Building A, Building B, Finance, Engineering, DMZs, Web, Email, Dept Servers, Bonded GE Links)
• Campus Gateway
  – Performance = LAN Speeds
  – Segmentation
    • Buildings, Departments, Servers & WLAN A/P’s
  – Multi-port
    • Up to 24 GE
    • Trunked links
  – Vsys & VLANs
    • Mapped to switch infrastructure
  – GigE DMZs
    • Web & Email
    • Dept Servers
  – High Availability

Slide 12: High Speed WAN access
• High Speed WAN access: OC12/GE
• Massive # VPN Connections
  – 10,000s of Connections
  – 1000s of Remote/Branch office VPN or Gigabits of VPN
• Large BW single tunnel VPN connections
  – Fiber based metro services
• Large consolidated Internet access
  – High Profile Public Presence: Millions of Hits
• Sophisticated HA
  – Stateful FW & VPN

Slide 13: Enterprise Data Center
• High Density & Performance
  – Up to 72 FE & 6 GigE or 24 x GigE
  – Superior small packet performance
• Internal attack prevention on every interface
• Every interface a security zone / unique policy
• Stateful High Availability
• Bonded Links to Disaster Site, which can be Encrypted

Slide 14: Internet Data Center
(Diagram: NS-Remote, NS-5200 (Firewall & VPN), Customers, www Access, Internet, Customer Access (VPN), Mirrored Data Center, Internet Data Center, Untrust, Trust, VLAN 1 to VLAN 5, Front End NetScreen 500 / NetScreen 200, Back End NetScreen 25, Vsys #1, Vsys #2, Vsys #3)
• High performance multi-customer solution
• Differentiated services
• Customer site VPN
• Additional Backend or Database security
• Dedicated VPN and / or FW solution
• High Bandwidth FW and VPN without having load balanced security devices
• Shared Hosting / Core Systems or Low end dedicated
• Reduced Capital Cost
• Rapid Deployment
• Low support burden
• High speed VPN between Data Centers

Slide 15: Anti-Virus: NetScreen-Trend CSP Solution
(Diagram: Internet, NetScreen-Trend CSP, CSP, InterScan; legitimate traffic still allowed)
1: Email packet arrives at the NetScreen device; NetScreen begins hijacking the TCP connection
2: NetScreen buffers beginning of email session and creates CSP session with the InterScan server
3: Email data continues to flow in and is passed to InterScan via CSP
4: InterScan receives entire Email session including file, scans file and replies with scan result
5: NetScreen creates Email session with destination email gateway

Slide 16: Global PRO Deployments: NetScreen-Global PRO Express & NetScreen-Global PRO Architecture
(Diagram: Global PRO UI, Reporting, Configuration, Policy Manager server, Monitoring, Oracle DB, Historical Report Server, Data Collector(s))
• Global PRO & Global PRO Express
  – Complete turnkey management solution
  – Configuration/policy management, real time monitoring
  – Integrated NetScreen-Remote VPN client management
  – Multi-admin/role-based admin
  – Pre-installed and configured on a Sun Netra Server
• Global PRO
  – Sophisticated historical reporting
  – Log data correlation/reduction
  – Designed to scale to 10,000 devices
  – Extensible Web-based report templates; 3rd party report integration, i.e. HP/OV

Slide 17: Global PRO Deployments: Point & Click Policy Management
(Diagram: Small Offices / Branch Offices, Regional Offices, Teleworkers, Remote Users, Internet, DMZ with Web & Email Servers, NetScreen-Global PRO. Annotations: all boxes in VPN updated with new configurations; new device added to policy group; Firewall & VPN policies automatically applied to the new device)
• Ability to add devices or users to network quickly & easily
• All required VPN and firewall rules are created automatically
• Allows for rapid response to attacks
• Quickly create full mesh, hub & spoke, and site-to-site VPNs

Slide 18: Global PRO Deployments: Managing Remote Client VPN Policies
(Diagram: Internet, NetScreen-Remote Users, DMZ, Private LAN, SSL, Web & Email, RADIUS Server, NT Domain, NetScreen-Global PRO. Annotations: users authenticate to NetScreen-Global PRO; external authentication server queried; user’s policy retrieved; VPN tunnels established)
• Improved in Global PRO 3.1
• Remote user launches NetScreen-Remote login to connect
  – User authenticates to NetScreen-Global PRO or NetScreen-Global PRO Express
  – External authentication servers may be queried
• User’s VPN policy securely downloaded to NetScreen-Remote client via SSL
• VPN tunnels established to NetScreen devices
• Upon logout, VPN policy and keys are purged from user’s PC
• Add new users through RADIUS

Slide 19: Global PRO Deployments: Threat Mitigation, Analysis & Response
(Diagram: Branch Offices, Regional Offices, Remote Users, Internet, Hacker, DMZ with Web & Email Servers, NetScreen-Global PRO)
• Suspicious activity detected via NetScreen-Global PRO Realtime Monitor
• Push appropriate “Deny” policy to all devices
• Assess and analyze threat
• Push out new or revised security policies

Slide 20: NetScreen’s Security Product Line

| Product                               | Max Throughput            | Max Sessions     | Max # VPN tunnels | Max # Policies | Max # Vsys | HA       |
|---------------------------------------|---------------------------|------------------|-------------------|----------------|------------|----------|
| NetScreen-5400                        | 12G FW & 6G VPN           | 1,000            | 25,000            | 40,000         | 500        | Yes A/P* |
| NetScreen-5200                        | 4G FW & 2G VPN            | 1,000            | 25,000            | 40,000         | 500        | Yes A/A  |
| NetScreen-500                         | 700M FW & 250M VPN        | 250,000          | 10,000            |                | 25         | Yes A/A  |
| NetScreen-204/208                     | 550M/400M FW & 200M VPN   | 128,000          | 1,000             | 4,000          | NA         | Yes A/A  |
| NetScreen-100                         | 200M FW & 185M VPN        | 128,000 / 64,000 | 1,000             | 4,000          | NA         | Yes A/A  |
| NetScreen-50                          | 170M FW & 50M VPN         | 8,000            |                   | 1,000          | NA         | Yes A/P  |
| NetScreen-25                          | 100M FW & 20M VPN         | 4,000            | 25                | 500            | NA         | No       |
| NetScreen-5XT                         | 70M FW & 20M VPN          | 2,000            | 10                | 100            | NA         | No       |
| NetScreen-5XP                         | 20M FW & 13M VPN          | 2,000            | 10                | 100            | NA         | No       |
| NetScreen-Remote VPN & Security Clients | Varies by PC            | NA               | 1                 | NA             | NA         | No       |

A/A = Active-Active High Availability; A/P = Active-Passive High Availability
* To be updated to Active-Active, 1H CY03
(Cells left empty above are missing from the source slide.)

Slide 21: NetScreen Scalable Security Solutions