StoneGate Firewall 5.0 Javier Larrea Jaspe Madrid 13/07/2009


1 StoneGate Firewall 5.0 Javier Larrea Jaspe Madrid 13/07/2009
Javier Larrea Jaspe, Madrid, 13/07/2009
Estimated Time: Less than 3 minutes
Direction: Introduce yourself and background. Opening remarks thanking prospect for time spent with team in discovery, etc. Room introductions.
Suggested Script: Thank you for inviting Stonesoft to discuss your current challenges and to provide an overview of Stonesoft and how we can help solve these challenges. Since we were founded, our main goal has been to help our customers significantly simplify the complexity of managing network security. As a result, organizations just like (name of Prospect) are realizing huge benefits, as we will share with you.

2 StoneGate Platform

3 StoneGate Architecture
- Usually only one management system in the whole enterprise
- The management system controls all firewall clusters (which can be single firewalls or clusters of multiple nodes) in the enterprise
- There can be multiple log servers, max. one log server for each firewall cluster
- GUI client: the user interface used to configure and manage all StoneGate components
- Monitoring Client: read-only user interface for log viewing
- Management server: server that stores all configuration information and passes it to firewall clusters
- Log server: server that stores all log information
- Monitoring server: communication server between the Mgmt/Log servers and Monitoring Client(s)
- GUI clients do not communicate directly with the firewall clusters

4 Supported platforms
Firewall/VPN gateway
- StoneGate appliance
- Intel® x86 servers
- VMware virtual appliance
- Hardened operating system built to run as a firewall/VPN
- Based on Debian Linux (kernel )
- Includes only the modules strictly required for StoneGate FW to operate
VPN Client for Microsoft® Windows®
Java-based management system (SMC)

5 Multi-Layer Inspection
Combines three technologies:
- Packet filtering
- Stateful inspection
- Application layer inspection (Protocol Agents)
Protocol Agents:
- Validate protocol behaviour (e.g. SIP connections must comply with RFC 3261)
- Modify the packet payload if necessary (e.g. NAT in the H.323 protocol)
- Related connections (e.g. FTP data connection)
- Redirection to CIS (e.g. FTP, HTTP, SMTP)

6 Deep Packet Inspection
IPS functionality in the firewall for HTTP, SIP, IMAP, POP and SMTP
- Protocol validation
- Misuse detection (signature-based)
- HTTPS server/client inspection
- Configured in a separate rule set: Inspection Rules
- Dynamic updates
- Customizable signatures (e.g. URL filtering)
- Application usage detection

7 Blacklisting
- Real-time rules
- Triggered by the IPS
- Activated by the administrator
- Whitelisting prevents unwanted blocking
Traffic can be blacklisted manually through the Management client. Manual blacklisting from the Management client requires that the firewall’s policy has an Apply Blacklist rule with the Local Management Server granted for blacklisting. If a connection is allowed by a rule placed above the blacklist rule in the firewall rule base, the connection is allowed regardless of the blacklist entries (=> whitelisted traffic).
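
The rule-order effect described in the note above, as an added example that is not part of the original presentation or of StoneGate itself. It is a simplified first-match model: the Rule class, the action names, the implicit default discard and all addresses are assumptions made for illustration. It evaluates connections and lists the allow rules above the blacklist rule that overlap a blacklist entry.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    action: str   # "allow", "discard" or "apply_blacklist" (model names, not product syntax)

def _covers(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _overlap(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def evaluate(rules, blacklist, src, dst):
    """Top-down evaluation, first decisive match wins. Returns (action, rule name)."""
    for rule in rules:
        if not (_covers(rule.src, src) and _covers(rule.dst, dst)):
            continue
        if rule.action == "apply_blacklist":
            # The blacklist rule only decides when an entry covers the connection;
            # otherwise evaluation continues with the rules below it.
            if any(_covers(s, src) and _covers(d, dst) for s, d in blacklist):
                return ("discard", rule.name)
            continue
        return (rule.action, rule.name)
    return ("discard", "implicit-default")   # assumed default, not taken from the slides

def shadowed_blacklist_entries(rules, blacklist):
    """Allow rules placed above the blacklist rule that overlap a blacklist entry."""
    findings = []
    for rule in rules:
        if rule.action == "apply_blacklist":
            break
        if rule.action == "allow":
            findings += [(rule.name, s, d) for s, d in blacklist
                         if _overlap(rule.src, s) and _overlap(rule.dst, d)]
    return findings

# Constructed sample policy and blacklist (documentation address ranges).
RULES = [
    Rule("allow-partner", "198.51.100.0/24", "192.0.2.10/32", "allow"),
    Rule("apply-blacklist", "0.0.0.0/0", "0.0.0.0/0", "apply_blacklist"),
    Rule("allow-web", "0.0.0.0/0", "192.0.2.10/32", "allow"),
]
BLACKLIST = [("198.51.100.7/32", "0.0.0.0/0"), ("203.0.113.5/32", "0.0.0.0/0")]

if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.5", "203.0.113.9"):
        print(src, evaluate(RULES, BLACKLIST, src, "192.0.2.10"))
    print(shadowed_blacklist_entries(RULES, BLACKLIST))
```

Running the audit function before relying on a blacklist entry shows whether an earlier allow rule will let that source through anyway.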

8 Active-active FW cluster
- Cluster of up to 16 nodes
- Provides scalability and HA
- Managed as a single firewall/VPN
- Heterogeneous platform support
- No maintenance windows required for upgrades
[Diagram: Firewall/VPN Cluster with Node 1 33%, Node 2 33%, Node 3 33%]
Estimated Time: 2-3 minutes
Direction: Detailed slide on Always-on Connectivity – Drop-in Active Clustering
Suggested Script: Drop-in active clustering enables the unique clustering of up to 16 devices so that organizations can achieve the highest levels of Five Nines availability. We call it “drop-in” because the surrounding routers and switches don’t need special static configurations or services added in order to support the devices in active-active mode. Built-in load sharing capabilities allow security engines to dynamically balance connections and provide seamless failover in the case of a node overload or failure, or if it is taken offline. Synchronization across the cluster allows for continuation of connections including network address translations (NAT) and VPN tunnels. Stonesoft’s clustering technology allows for disparate software and hardware versions to continue active-active in a cluster. So production hour upgrades are possible and frequently executed by our customers. Wish to test the new code release on one of your production engines before committing to the entire cluster? Want to add processing capacity with an extra node or replace a node without working the late shift? (Insert a customer upgrade story here, such as Endurance Insurance making a major upgrade in the middle of the day.) Stonesoft’s patented clustering technology is built in with all of our solutions – firewall/VPN, IPS/IDS and SSL VPN – both physical and virtual.

9 Outbound ISP load balancing (1/3)
- The client initiates the connection and sends a SYN packet
- StoneGate replicates the SYN packet through all ISPs with different source NAT addresses
- The server responds to the SYN packets with a SYN-ACK
- The ISP that delivers the SYN-ACK packet fastest is selected
- The FW sends a RST through the rest of the ISPs
[Diagram: Client, LAN, Internet, Server; SYN, SYN-ACK and RST packets]

10 Outbound ISP load balancing (2/3)
- The fastest ISP is cached per destination
- The cached ISP is always used for the same destination
- If the connection cannot progress through the cached ISP, the RTT algorithm is run again
Other outbound balancing methods:
- Ratio
- Based on QoS class
- Active/standby
[Diagram: Client, LAN, Internet, Server]
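
The RTT selection and per-destination caching described on the two slides above, as an added example that is not part of the original presentation or of the product. It is a simulation only: the RttLinkSelector class, the probe callback, the ISP names, the NAT addresses and the delay values are all assumptions constructed for illustration.

```python
class RttLinkSelector:
    """Per-destination ISP selection by SYN/SYN-ACK race, with caching."""

    def __init__(self, links):
        self.links = dict(links)   # ISP name -> NAT source address used on that link
        self.cache = {}            # destination -> ISP that won the last race

    def connect(self, dst, probe):
        """probe(isp, nat_src, dst) returns the SYN-ACK delay in ms, or None if no reply."""
        cached = self.cache.get(dst)
        if cached is not None:
            if probe(cached, self.links[cached], dst) is not None:
                return {"isp": cached, "raced": False, "rst": []}
            del self.cache[dst]    # cached ISP cannot carry the connection: race again
        # Replicate the SYN over every ISP, each copy with that link's NAT source address.
        replies = {isp: probe(isp, nat_src, dst) for isp, nat_src in self.links.items()}
        answered = {isp: rtt for isp, rtt in replies.items() if rtt is not None}
        if not answered:
            return {"isp": None, "raced": True, "rst": []}
        winner = min(answered, key=answered.get)   # fastest SYN-ACK wins
        self.cache[dst] = winner
        # The attempts on the remaining ISPs are torn down with RST.
        return {"isp": winner, "raced": True,
                "rst": [isp for isp in self.links if isp != winner]}

def run_scenario():
    """Constructed delay table; returns three successive decisions for one destination."""
    dst = "203.0.113.80"
    rtt = {"ISP-A": 42.0, "ISP-B": 17.5, "ISP-C": 90.0}   # ms, constructed values
    probe = lambda isp, nat_src, d: rtt[isp]
    selector = RttLinkSelector({"ISP-A": "192.0.2.1", "ISP-B": "198.51.100.1",
                                "ISP-C": "198.51.100.129"})
    first = selector.connect(dst, probe)    # no cache entry yet: race over all ISPs
    rtt["ISP-A"] = 5.0                      # ISP-A is now faster, but ISP-B is cached
    second = selector.connect(dst, probe)
    rtt["ISP-B"] = None                     # ISP-B stops answering
    third = selector.connect(dst, probe)    # cached ISP fails: race again
    return first, second, third

if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The second decision shows the consequence of caching: a destination stays on the cached ISP even after another link becomes faster, until the cached link stops carrying the connection.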

11 Inbound ISP load balancing (1/3)
- The client queries the DNS
- The DNS server responds with several IP addresses
- The client sends a request to the server using the IP address of one of the ISPs
- StoneGate performs destination NAT
- Return packets are sent back through the same ISP
[Diagram: Client, Internet, DNS Server, LAN, Server]

12 Inbound ISP load balancing (2/3)
- If one of the ISPs fails, the client normally retries using another available IP address
[Diagram: Client, Internet, DNS Server, LAN, Server]

13 Inbound ISP load balancing (3/3)
- The StoneGate firewall checks availability with ICMP tests
- If the ping fails, the ISP is considered down and the firewall sends a DDNS update to remove the IP address from the DNS record
[Diagram: Client, Internet, DNS Server, LAN, Server; ping, DDNS]

14 Multi-Link VPN
- Multi-Link VPN creates as many subtunnels as there are possible ISP combinations
- VPN client
- VPN topologies: full mesh, star and VPN hub
- Multi-Link monitors the status and performance of each subtunnel and assigns traffic accordingly
- If a subtunnel fails, active sessions are kept by reassigning them to the remaining subtunnels
- Supports active/standby mode
[Diagram: LAN, Internet, ISP A, ISP B, ISP C, ISP X, ISP Y]

15 Server load balancing
- Connections are balanced based on server availability
- The firewall monitors the servers using ping or the Monitoring Agent software (*)
- Can be used in combination with Multi-Link
*) Monitoring Agent is available for Windows®, Linux® and Solaris™

16 QoS
Traffic classification based on:
- DSCP matching
- Firewall policy
QoS policy per (VLAN) interface
- Priorities, guarantees and limits [% or kbps]
- DSCP marking

17 UTM
FW-310, FW-1030 & FW-1060
Models with network antivirus capabilities

18 SMC – Centralized management
- Reuse of objects and policies across different engines
- Single database
- Central repository for all configurations: policies, network configuration, …
- Reuse = fewer errors
- Disaster recovery
- Automated SMC backups
- Profile-based administration
- Simultaneous administration
- Customer domains
Estimated Time: 2-3 minutes
Direction: Detailed slide on Proactive Control – Central Repository
Suggested Script: The StoneGate Management Center also has a built-in central repository. Using a common interface and central repository for configuring all StoneGate appliances reduces complexity and error for security system administrators. Common elements such as server, application and network groups created for use in firewall policy can be re-used in all other configurations, such as IPS, alert policies, filters and reports. In addition, updating an element in the repository automatically updates all configurations that reference the element. Remember that Gartner said “99% of security breaches are caused by misconfigured devices.” Configuring and storing all aspects of the security appliances, from OS settings and routing to security policies, through the StoneGate Management Center results in less manual administrative work, and thus in no misconfiguration errors. If you want to pre-configure devices, all the information can be pre-configured and the initial configuration saved to a memory stick. If you want to replace a device…no problem, since the central repository stores and pushes all previous configurations from basic to advanced settings. The Always-on Connectivity technologies built in to the StoneGate solution extend to the central repository, too. Our StoneGate Platform supports up to five management servers running concurrently for implementation across multiple disaster recovery sites. In addition to server synchronization, administration tasks such as backup and log archives can be scheduled.
Access management can be set up to best match the business processes of an enterprise IT organization or MSSP environment. In addition, with the introduction of StoneGate 5.0, organizations can manage different customer environments with a single management server – a major development for large organizations and MSSPs challenged by the administration and cost of managing multiple servers for each domain. Since configurations can be shared across domains, administrators can quickly make configuration changes or reuse configurations.

19 Hierarchical Policies
Policy manager
- Template-based policies
- A change in the template affects all dependent policies
- Rules in the main policy can “execute” sub-policies
- Improves performance and manageability
- Administration profiles can be assigned to allow rule modification at different levels
Other tools
- Hit counter
- Object search
- Policy validation
- Comments
- Rule creation from the logs

20 Alias objects
- Take a value depending on the firewall where the policy is installed
- Allow the same policy to be reused on different firewalls
- Share part of the policy in a template

21 Early detection
- Real-time status monitoring through the GUI
- Status of engines, VPNs, servers (detailed information)
- Active alerts
- Real-time statistics
- Monitoring via SNMP
- Alert escalation system (smtp, sms, snmp, script)

22 Log manager
- View of the logs of all managed engines
- Filtering
- Log export
- High performance
- StoneGate Log Views: Log Records, Log Statistics, Log Details
- Recursive log analysis

23 Reporting and regulatory compliance
- Predefined and customizable graphical reports
- Can be automated
- Audit records
- Reports
- Comparative policy analysis
Estimated Time: 2 minutes
Direction: Detailed slide on Proactive Control – Interactive Reporting & Compliance
Suggested Script: Keeping up with the stringent regulatory requirements – whether it’s PCI, Sarbanes-Oxley, HIPAA, FISMA or other standards – can be a challenge. It means you’re under constant pressure to maintain the auditing and reporting necessary to avoid non-compliance fees and damaging your corporate credibility. Without the right tools in place, achieving regulatory compliance can become extremely costly and time-consuming. (click) With the release of StoneGate 5.0, the StoneGate solutions come with enhanced customizable graphical reports, in addition to the reports that are already available. These reports can be set up to be automatically generated and distributed. The StoneGate Management Center gathers the data on all network events and presents them in clear and easy-to-understand auditing reports. You can get detailed inventories about engines and administrators, security settings and system changes, as well as comparative analysis of the security policies that you have in place – all at the press of a button.

24 Real-time monitoring
- Customizable monitoring
- Geolocations
- Web portal
Estimated Time: 2 minutes
Direction: Detailed slide on Proactive Control – Real-time Monitoring & Alerts
Suggested Script: Efficiencies govern the entire design of the StoneGate Management Center – from the easy-to-interpret, customizable dashboard views of events occurring in real time, to the drill-down accuracy of selecting a single log entry for scrutiny. The central command center uses the latest technology to provide real-time views of what’s happening in your network compared to other systems that offer a crude snapshot of events at best. In addition, you have the flexibility to set up alert escalation to match your organization’s processes – whether based on time of day or incident severity, someone needs to be notified through visual alerts, /SMS messaging or SNMP trapping. (click) With the release of StoneGate 5.0, organizations can also see real-time visual geographical representations of network traffic to quickly spot anomalies and attacks. Coupled with StoneGate’s drill-down and filtering capabilities, administrators can troubleshoot more efficiently. In addition, we’re introducing a Web portal for administrators and MSSPs’ end customers to easily monitor security anytime, anywhere and from any device. In addition, MSSPs can create customized user interfaces for their end-customers.

25 Certifications
- Common Criteria Certification EAL 4+
- ICSA Labs Certified IPS: StoneGate IPS – Only production-ready IPS that has met the latest ICSA certification requirements
- ICSA Labs Certified Firewall
- VMware: VMware Technology Alliance Partner; VMware certified – StoneGate Virtual IPS & StoneGate Virtual Firewall/VPN; VMsafe technology partner; Top 5 VMware virtual appliance – StoneGate Virtual IPS
- RSA Secured
- VPN Consortium Certifications: IPsec VPN and SSL VPN
Estimated Time: 1 minute
Direction: Quick slide – don’t need to go into all the detail below, it is here for your reference
Suggested Script: Another testament to our reliability and performance is that Stonesoft’s solutions have met the most demanding industry certifications, including:
- Common Criteria certification: The StoneGate Firewall/VPN appliances have received the Common Criteria Evaluation Assurance Level EAL 4+ certification. The EAL 4+ is the highest commercially feasible certification level.
- FIPS certification: The StoneGate Firewall/VPN appliances have received the Federal Information Processing Standard certification for standard 140-2, which ensures cryptographic security of connections.
- ICSA Labs Network Intrusion Prevention certification: Stonesoft is the only vendor that has received and retained the Network Intrusion Prevention certification from ICSA Labs for a production-ready IPS. This is proof of our commitment to continually improving our solutions, as well as to the demanding requirements mandated by ICSA Labs. Only two other vendors have this certification.
- ICSA Labs Firewall certification: The StoneGate Firewall/VPN appliances have received Firewall certification from ICSA Labs.
- ICSA Labs IPsec certification: The StoneGate Firewall/VPN appliances have also received IPsec certification from ICSA Labs.
- VPN Consortium certifications: The StoneGate Firewall/VPN and StoneGate SSL VPN have been tested and certified for interoperability.
- RSA Secured: StoneGate solutions have been awarded RSA SecurID Ready certification showing compatibility with RSA’s authentication technology.
- VMware certification: The StoneGate Virtual Firewall/VPN and StoneGate Virtual IPS are both certified for the VMware Platform. In fact, the Virtual IPS was recently ranked as one of the top five VMware virtual appliances. Our Virtual IPS will support VMware’s VMsafe technology.
- Industry recognition: In addition to recognition in Gartner’s Magic Quadrants, we’ve received several publication awards from Information Security magazine and SC Magazine. Most recently, the StoneGate SSL VPN solution is a finalist for this year’s SC Magazine Readers Trust awards in the Best IPsec/SSL VPN category. In addition, the StoneGate FW-310 recently received 5-star ratings for value for money and for support in an SC Magazine firewall review.

26 International references
Sectors: Financial, Government, Technology, Legal, Communications/Utilities, Manufacturing/Logistics, Services/Healthcare, Education
Customer names legible on the slide: United Nations, U.S. State Department, GENOPTIX, LVMH
Estimated Time: 30 seconds
Direction: Quick slide. Highlight the customers in the same industry as the organization you are meeting with.
Suggested Script: Stonesoft’s StoneGate solutions are installed at more than 10,000 sites and with ca. 4,000 organizations around the globe, including our rapidly expanding presence in the Americas. In fact, we currently have more than 400 customers across multiple industries in the Americas and Europe. Our customers range from Fortune 500 enterprises and large government agencies to mid-size businesses. Some of our customers include…(highlight organizations in the same industry/geographic area as the prospect).
Note: Hyperlinks to Xerox, AIT, Wise, MedicAlert, Plaza or Conyer Dill & Pearman case studies. We will continue to add success stories.

27 Real-Time Monitoring & Alerts

28 Network Security Simplified

