AT&T Network-Based Firewall Service
Client Business Drivers

Compliance Drivers
• Federal Reserve / SEC / Comptroller Sound Principles
• Sarbanes-Oxley Act of 2002
• Gramm-Leach-Bliley / HIPAA
• Check 21, USA PATRIOT, Basel II

Market Drivers
• On-Line Business
• 24 x 7, Always on
• Globalization
• Virtual Enterprise
• Business Process / IT Alignment

Financial Drivers
• CapEx / OpEx Reduction
• Off Shoring
• TCO/ROI Focus
• Focus on Growth

Risk Drivers
• Broader Threats
• Increased Vulnerability
• Greater Risk and Exposure
• Focus on Business Continuity/Security

Organizational Drivers
• Productivity Focus
• Scarce Qualified Resources
• Rightsizing
• Consolidation
• Managed Services / Outsourcing

Technology Drivers
• Intelligent / Application Networking
• Exponential Storage Growth/ILM
• Mobility / PDAs / Wi-Fi / Wider-Fi
• Application Mgmt & Performance Visibility
• Utility / Grid Computing, Netsourcing
• Natural / Intelligent User Interfaces

(Diagram: the drivers surround the enterprise's Customers, Partners, Suppliers and Employees.)

AT&T Network Security Services
Threats are a #1 Priority for Businesses

• Remote access to the corporate network
• Internet access from the corporate network
• Enterprise-to-enterprise networks
• E-commerce

• Cost of computer crime totaled $141,496,560 (Source: 2004 CSI/FBI Computer Crime and Security Survey, CERT)
• In May 2004, a total of 959 new viruses were released on the Internet, the highest number since December 2001 (Source: Information Week, 06/04)
• Security is the #1 priority for over 50% of CIOs (Source: CSFB CIO Survey, 08/04)

Security threats have become more frequent and more complex
Embed Security Intelligence into Network

Current State of Industry: "Distributed Enterprise Edge Security"
Premises-Based Solutions
• Major customer security investment at edge
• IDS, Firewalls, Anti-Virus, Anti-SPAM deployed by customer
• Broad-based network attacks difficult to defend against at individual locations
• Disparate security policies for Internet connected endpoints
• Difficult to scale
• Inefficient, expensive, non-holistic
(Diagram: each client enterprise edge runs its own VPN, firewall, IDS, anti-virus, etc. between a 3rd-party network and the primary provider IP network.)

... and a more Efficient, Economical Alternative: AT&T Network "Intelligence and Security"
Network-Based Solutions
• Service provider security investment in the network
• Security elements deployed by provider across the network
• Broad-based network attacks are defended in the network
• Centralized security policy, administration, alerting and reporting
• Easy to scale
• Efficient, cost-effective, holistic
(Diagram: security is built into the AT&T IP network, protecting the customer network & applications, with the client enterprise edges and a 3rd-party network on either side.)
Applying AT&T Network-Based Security

AT&T Network-Based Firewall Service
• Secure access for your AT&T Frame Relay, ATM and/or VPN Wide Area Networks
• Transparent, stateful firewall
• Reports via customer accessible website
• Static and many-to-one Network Address Translation (NAT)
• VPN tunneling through static NAT
• Hardened external DNS
• Service from 1.55 Mbps to 45 Mbps (higher bandwidth available)
• Easily upgrade speeds & add sites as usage grows
• Dynamic user authentication and URL filtering
• Virus screening and spam filtering
• Helps you enforce consistent security policies across many locations, tailored to your user communities

(Diagram: branch, partner and DSL/dial remote-employee sites reach the Internet through the IP-enabled Frame & ATM Wide Area Network and the network-based firewall; the customer network's main location/HQ hosts a DMZ with Web, RADIUS and SMTP servers.)
Network Based Firewall Benefits
• Central application of outbound or inbound/outbound security policies across many locations
• Easily upgrade speeds & sites as traffic grows
• Fully managed solution for simplified design, deployment & management
• Leverage WAN investments
Network-Based Security Cost Benefits

• Redundant security infrastructure in the IDC
• Redundant WAN and IP connectivity
• Consolidated management tools for more control over individual sites
• Basic intrusion detection functionality included in Network Firewall Service
• Increased DDoS protection for sites shielded behind large IP connections in the AT&T Data Center

Premises-Based Managed Security Solution
• 20 physical sites, T-1 at each location for Internet access:
  • MIS+ connectivity $750 MRC
  • Cisco PIX small office firewall (PIX 501) $500 MRC
  • Net cost per site = $1,250
  • Total for 20 sites = $25,000 MRC

Network-Based Managed Security Solution
• 20 physical sites sharing a 15 Mb Network Firewall connection (2:1 over-subscription assumed for shared connection)
• Total cost = $16,850 – bundled price includes WAN connectivity, Security Service, and IP connection delivered in AT&T data center
• Net cost reduction = $8,150/month
• Greater than 30% cost savings*

* The example assumes existing site-to-site connectivity provided by an IP VPN solution
Standard Features
• Transparent, stateful firewall
• Static and many-to-one NAT
• VPN tunneling through static NAT (protocols 47 and 50, and UDP 500)
• Customer reporting access via secure GUI
• Customer monitoring and security policy viewing via secure GUI
• Hardened external DNS
• Intrusion Detection System
• Separate unique DMZ policy (Secure Net) available
• Secure Nets maintain Layer 2 and above separation until the traffic passes through their security policies into the common IP layer for routing to/from the Internet or to other Secure Nets.
• Standard reporting and session logging
• Service from 1.55Mbps to 45Mbps (higher bandwidth available)
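The feature list pairs "VPN tunneling through static NAT" with IP protocols 47 (GRE) and 50 (IPsec ESP) and UDP port 500 (IKE). The reason the two are paired is worth seeing in code: GRE and ESP carry no transport-layer ports, so a many-to-one translator has nothing to key returning packets on, while a one-to-one static mapping never rewrites ports and carries any IP protocol. The model below is an added illustration, not AT&T's implementation; the `Packet` type, the two translator classes, the `vpn_passthrough_allowed` rule and all addresses are constructed for this example.

```python
"""Static NAT vs. many-to-one NAT for the VPN passthrough protocols on this page.

Added illustration, not AT&T's implementation. IP protocol 47 is GRE,
IP protocol 50 is IPsec ESP and UDP port 500 is IKE; the addresses and
flows below are constructed test data.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

GRE, ESP = 47, 50
TCP, UDP = 6, 17
IKE_PORT = 500

# The page's VPN passthrough set: (IP protocol, UDP destination port or None)
VPN_PASSTHROUGH = {(GRE, None), (ESP, None), (UDP, IKE_PORT)}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None: no transport header (GRE, ESP)
    dport: Optional[int] = None


class StaticNat:
    """One-to-one address mapping. Never touches ports, so any IP protocol survives."""

    def __init__(self, private_to_public: Dict[str, str]):
        self.outbound_map = dict(private_to_public)
        self.inbound_map = {pub: priv for priv, pub in private_to_public.items()}

    def outbound(self, p: Packet) -> Optional[Packet]:
        pub = self.outbound_map.get(p.src)
        return None if pub is None else replace(p, src=pub)

    def inbound(self, p: Packet) -> Optional[Packet]:
        priv = self.inbound_map.get(p.dst)
        return None if priv is None else replace(p, dst=priv)


class ManyToOneNat:
    """Port address translation: every inside host shares one public address and
    returning packets are matched to a host by (protocol, translated port)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow: Dict[Tuple[int, str, int], int] = {}         # (proto, src, sport) -> public port
        self.by_port: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, public port) -> (src, sport)

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.sport is None:
            # GRE and ESP carry no port: there is nothing to key the return flow on,
            # so a many-to-one translator cannot forward them on its own.
            return None
        key = (p.proto, p.src, p.sport)
        if key not in self.by_flow:
            self.by_flow[key] = self.next_port
            self.by_port[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.by_flow[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        entry = self.by_port.get((p.proto, p.dport))
        return None if entry is None else replace(p, dst=entry[0], dport=entry[1])


def vpn_passthrough_allowed(p: Packet) -> bool:
    """True when the packet is one of the VPN protocols the service passes through."""
    port = p.dport if p.proto == UDP else None
    return (p.proto, port) in VPN_PASSTHROUGH
```

The practical consequence for a site design: a VPN endpoint behind the network-based firewall needs a static one-to-one mapping, and the passthrough rule only forwards the tunnel protocols; what travels inside ESP is opaque to the firewall, so the policy on the tunnel's terminating host still has to be reviewed on its own.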
Optional Features
• Dynamic User Authentication
  • Customer hosted RADIUS on their DMZ
• Dynamic URL Filtering
  • SurfControl Database (41 categories)
  • IP based filtering as an option
  • Black lists and white lists
  • Search engine keyword block list
• Virus Screening & Spam Filtering
  • Built on top of AT&T Secure E-Mail Gateway
  • Inbound & outbound
Service Description
• Base Service:
  • Service Levels 1, 2, 3, 4 & 5
  • Bandwidth (1.55Mbps – 45Mbps)
• Optional Features Selectable – All Feature Levels:
  • URL filtering
• Optional Features Selectable – Feature Levels 2-5:
  • Anti-virus/Anti-spam – use SMTP MR on separate order for feature
  • Additional SecNets
  • Public IP Addresses (block of 8 or a /29)
  • Public IP Addresses (block of 256 or a /24)
  • Additional Firewall rules (block of 5)
  • Consulting/Design (block of 8 hours)
  • Multiple Site Egress/Ingress
  • Site Failover
Service Levels 1-5 Feature Availability (the feature-availability table on this slide was not captured)
What is a Secure Network?
• Any routable IP network or group of networks between which you want secure communications, or for which you want secure Internet access.
• Each SecNet maintains L2 separation into its own Security Policy in the SDC.

Typical Configurations of Secure Networks
• A HQ LAN for the corporate offices which will have secure HTTP and mail access to and from the Internet.
• A HQ DMZ LAN into which dealers and other potentially untrusted traffic access special applications and mail.
• Regional LANs with full IP connectivity via PVCs to the HQ LAN and to each other, and with secure HTTP access to the Internet.
• (4-7) Four (4) unaffiliated distributor networks for which you wish to provide limited access to a HQ LAN Distributor Web Site and POP server, and with secure HTTP access to the Internet. There is no access from any individual distributor network to another.
Secure Network Examples
(Diagram: Secure Network #1 is the HQ direct LAN and Secure Network #2 the HQ DMZ LAN, both reached over IPFR E-PVCs, with 512kbps and 128kbps CIR PVCs shown; Secure Network #3 carries Region 1 and Region 2 regional traffic over a 384kbps CIR IPFR PVC, split into Internet-bound and HQ-bound flows; Secure Networks #4-7 are four dealers on MFS-NB2, each with a 128kbps CIR PVC. Customer edge routers connect through provider edge routers to the MFS-NB2 edge router/firewall (MER/FW), which fronts the Internet.)
CER = Customer Edge Router; PER = Provider Edge Router; MER = MFS-NB2 Edge Router
A Typical Architecture for Retail Web Site(s)
• Secure Internet access – outbound and inbound
• Customer web access
• Partner shipping or logistics using a separate point-to-point PVC (secured from corporate traffic)

Multiple SecNets
• 1 – Partner to Company HQ
• 2 – Internal traffic, inbound and outbound SMTP and outbound Internet via IPFR
• 3 – Inbound to Company DMZ allows inbound web traffic and other DMZ-based services
• 4 – VPN passthrough support

(Diagram: stores on HSPS, the shipping/logistics partner company and the Company HQ network with its DMZ (Web, RADIUS, SMTP) connect over IPFR and MPLS to the Internet through the network-based firewall.)
AT&T Network Security GNOC – AT&T World Class Security Operations
• World Class Security NOC
  • Physical redundancy
  • Documented operational security procedures
  • 24x7 monitoring and management
  • State of the art systems that monitor and manage thousands of machines
  • Systems that collect terabytes of data
  • Correlate thousands of security events
• Top Notch Security Expertise
  • CCNP, CCIE, GCIA, CISSP, MCSE, and Unix certified professionals
  • Strong security skills – incident handling and intrusion detection
  • In depth understanding of TCP/IP
  • Many years of experience
Why AT&T Security Services?
• Proven Security Solution Execution
  • Supported by best-in-class vendor & AT&T Labs developed security solutions
  • Rapid deployment of updates based upon security & industry events
  • Proof of service through Service Level Agreements
  • Performance made visible by AT&T's client portal
  • Supported by AT&T's "TRUSTED" secured infrastructure
• Global, Robust Managed Security Services Choices
  • Interoperable solutions – Network, Customer Premise, AT&T Data Center, & Off-Net
  • Advanced integrated correlation & analysis capabilities with detailed reporting
  • Ability to serve the customer's entire business requirements
  • Comprehensive security life cycle management
  • Customer specific event response based on business rules
• Financial Effectiveness with Continued Innovation
  • Minimized capital & asset expenditures
  • Operational efficiencies through infrastructure investment
  • On-going technology & capability updates
AT&T Network-Based Security Portfolio
Network-Based Security Services
• AT&T Internet Protect (SM)
• AT&T DDoS Defense
• AT&T Network-Based Firewall
• AT&T Personal Firewall
• AT&T Token Authentication
• AT&T IDS, Anti-Virus Services
• AT&T Secure E-Mail Gateway
(Diagram: a network under fire from zombies on the Internet; AT&T IP MPLS with DDoS Defense shields the remote offices, web/app server and storage so that legitimate users keep their Internet browsing and application access.)
Intrusion Detection (IDS) Feature
• Comprehensive attack detection & prevention
  • Dynamic signature based attack detection
  • Snort and iPolicy based signatures
  • Simple, session (stateful) based, multi-event based, pattern based attacks
• Attack parameter controls
  • Comprehensive attack categories
  • Customizable rule language signatures, applications and parameters
• Protocol anomaly detection
  • TCP/IP, UDP/IP, application protocols (HTTP, FTP, SMTP, H323, …)
• In-line Intrusion Protection or Passive Intrusion Detection mode
• SQoS for DDoS and DoS
• Over 2000 signatures available for tuning active IDS/IPS actions
• IDS Starter Kit: customers are given an "IDS Starter Kit" of 50 effective signatures, with close to 2000 more available for activation if their security profile warrants activation of certain types or categories
Pricing
• Pricing based on Feature Level and Throughput

Additional Cost Options
• URL Filtering (all Feature Levels): user based pricing in tiers of users – 100, 500, 1000, 3000, 5000, unlimited
• Anti-Virus Scanning (Feature Levels 3, 4, 5): pricing based on number of messages per month – 25K, 100K, 250K, 500K, 1M, unlimited
• Additional Firewall Rules (Feature Levels 2, 3, 4, 5): purchased in blocks of 5 rules
• Additional Secure Networks (Feature Levels 2, 3, 4, 5): priced per additional network
• Additional Public IP Addresses (Feature Levels 2, 3, 4, 5): priced per block of /30 or /24
• Additional Site Egress (Feature Level 2)
• Additional Site Ingress or Egress (Feature Levels 3, 4, 5)
• Site Failover (Feature Levels 3, 4, 5)
Detailed Architecture
(Diagram: Customer Headquarters, the Customer Data Center, company locations and DSL/dial remote employees (IPSEC pass-through) attach via customer routers and Contivity gateways to the AT&T FR/ATM network and the MPLS network; ePVCs carry traffic into the MPLS VPN and, as an ATM ePVC, to the Network Based Firewall solution in the MFS-NB SDC, which fronts the Internet. Filtered traffic flows from the Customer Data Center to Headquarters; VLANs (802.1q) keep traffic logically separate; the "Internet" traffic flow and the RAS/Contivity traffic flow (IPSEC pass-through) are drawn as separate paths.)
Traffic Flow Overview
(Diagram: Internet traffic from the Customer Data Center, Customer Headquarters and company locations crosses the AT&T FR/ATM network and MPLS network to the MFS-NB SDC over ATM and from there to the Internet.)
Logical Overview and Components

Internet Access
• BGP used for load balancing over multiple trunks and dynamic failover
• Multiple OC48s
• Route traffic to the DMZ for DNS support, VIM or Internet access
• Aggregation of /30 addresses

"Internet" Inbound
• Separation based on VLAN
• Termination of VLAN trunking on the inbound port
• Inbound and outbound VLAN trunking for VLAN aggregation and forwarding
• Gig-Ethernet trunking

Firewall / VLAN Separation
• Additional services: authentication/IDS, URL screening
• IP packets are NAT'd to public (outbound) or private (inbound) IP addresses
• Policies based on VLAN ID and source IP
• VLAN tags kept intact
• Complete logical separation of private traffic utilizing VLAN and VRF technology
• Multiple points for monitoring of the NB-FW to ensure that proper resources are available to all customers and that there is no congestion

Layer 2 Switching – logical separation based on VLAN
• Customer VLAN traffic is aggregated and forwarded on based on VLAN tag

Logical Separation based on VRF
• ATM ePVCs are terminated along with the /30 defined by the customer
• Each NB-FW customer is defined by a logically separate VRF
• Traffic is tagged with a VLAN tag (802.1q) and forwarded over the VLAN trunk

"Inbound" from Customer Sites (Customer "A")
• Direct PVC to the Security Data Center configured with one /30 defined by the customer, or L3 from MPLS
• Logical separation via Layer 2 ATM
• IP based traffic, inbound and outbound; routing – static/RIP
• Subnet termination; customer assigned IPs
• FR-ATM or ATM PVC or VCC only; DLCI or VCI/VPI
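Two slides describe the same mechanism from different angles: "What is a Secure Network?" says each SecNet keeps L2 separation into its own security policy and that distributor networks may reach the HQ distributor host but never each other, and this slide says policies are selected by VLAN ID and source IP with the 802.1q tag kept intact. The example below, added here and not AT&T's firewall code, shows what that selection looks like on a tagged frame: it parses the 802.1q header, picks the SecNet by VLAN ID, rejects a source address that does not belong to that SecNet, and then applies the SecNet's own policy. The `SecNet` table, VLAN numbers, addresses and the `build_frame` helper are all constructed assumptions.

```python
"""Policy selection by 802.1q VLAN ID and source IP, as the slide describes.

Added illustration, not AT&T's firewall. Assumptions (constructed): each
Secure Network arrives on the firewall trunk as its own VLAN, the VLAN ID
selects the SecNet's policy, and the source address must belong to that
SecNet. The SecNet table mirrors the "What is a Secure Network?" example:
an HQ LAN, an HQ DMZ, and unaffiliated dealer networks that may reach an
HQ distributor web/POP host but never each other.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17
Service = Tuple[int, Optional[int]]   # (IP protocol, destination port)


@dataclass
class SecNet:
    name: str
    prefix: ipaddress.IPv4Network                               # valid source addresses on this VLAN
    internet: FrozenSet[Service]                                # services allowed toward the Internet
    reachable: Dict[ipaddress.IPv4Network, FrozenSet[Service]]  # private destinations and their services


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)

# Constructed: the HQ distributor web site and POP server live on one DMZ host.
DISTRIBUTOR_HOST = net("10.2.0.10/32")
DEALER_REACH = {DISTRIBUTOR_HOST: frozenset({(TCP, 80), (TCP, 110)})}

SECNETS: Dict[int, SecNet] = {
    100: SecNet("HQ LAN", net("10.1.0.0/16"), frozenset({(TCP, 80), (TCP, 443), (TCP, 25)}),
                {net("10.2.0.0/24"): frozenset({(TCP, 80), (TCP, 25)})}),
    101: SecNet("HQ DMZ", net("10.2.0.0/24"), frozenset({(TCP, 25)}), {}),
    104: SecNet("Dealer 1", net("172.16.1.0/24"), frozenset({(TCP, 443)}), DEALER_REACH),
    105: SecNet("Dealer 2", net("172.16.2.0/24"), frozenset({(TCP, 443)}), DEALER_REACH),
}


def parse_tagged_frame(frame: bytes):
    """Decode an 802.1q-tagged IPv4 frame into (vlan_id, src, dst, proto, dport)."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_8021Q:
        raise ValueError("untagged or truncated frame: no VLAN ID to select a policy by")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 payloads are modelled here")
    vlan_id = tci & 0x0FFF                   # low 12 bits of the TCI; PCP/DEI bits are ignored
    ip = frame[18:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    dport = None
    if proto in (TCP, UDP) and len(ip) >= ihl + 4:
        dport = struct.unpack_from("!H", ip, ihl + 2)[0]
    return vlan_id, src, dst, proto, dport


def decide(frame: bytes) -> str:
    """Pick the SecNet policy by VLAN ID, verify the source, then apply that policy."""
    vlan_id, src, dst, proto, dport = parse_tagged_frame(frame)
    secnet = SECNETS.get(vlan_id)
    if secnet is None:
        return "deny: VLAN %d has no SecNet policy" % vlan_id
    if src not in secnet.prefix:
        return "deny: %s is not a %s address (mis-tagged or spoofed)" % (src, secnet.name)
    for dst_prefix, services in secnet.reachable.items():
        if dst in dst_prefix:
            if (proto, dport) in services:
                return "allow"
            return "deny: %s -> %s service not in policy" % (secnet.name, dst)
    if any(dst in other.prefix for other in SECNETS.values()):
        return "deny: %s -> %s crosses SecNets" % (secnet.name, dst)   # e.g. dealer to dealer
    if (proto, dport) in secnet.internet:
        return "allow"
    return "deny: %s may not use %s/%s on the Internet" % (secnet.name, proto, dport)


def build_frame(vlan_id: int, src: str, dst: str, proto: int, dport: int) -> bytes:
    """Construct a minimal tagged IPv4 frame with a TCP/UDP port stub (test input only)."""
    eth = b"\x00" * 12 + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    ip = bytes([0x45, 0x00]) + struct.pack("!HHHBBH", 40, 0, 0, 64, proto, 0)
    ip += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return eth + ip + struct.pack("!HH", 40000, dport)
```

The ordering inside `decide` is the point: the source check runs before any rule lookup, so a frame that arrives on the Dealer 1 VLAN with a Dealer 2 source address is dropped as mis-tagged or spoofed rather than evaluated against Dealer 1's policy, and a dealer-to-dealer destination is refused because the destination belongs to another SecNet, not because a rule happened to be missing.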
Security Data Centers
• MFS-NB Security Data Centers (SDCs)
  • Located in hardened Hosting Centers (IDCs) with access to high-capacity AT&T packet and IP networks.
  • Currently deployed in New Jersey, Arizona, and the U.K.
• Global Customer Support Center
  • Raleigh/Durham, NC
  • Health, turn-up, configuration, monitoring, recovery
• SDCs exist at "edge" ATM OC48 SONET rings at IDCs
  • ATM or FR-ATM through Service Interworking (SIW)
  • No direct Frame Relay PVC access
  • Primed for IP-enabled services (EVPN or IPeFR/IPeATM)
• Selectable bandwidth for customers up to 45Mbps (155Mbps possible)
  • The larger the customer the better
• Backup (standby) ePVCs are provisioned in case of primary circuit failure
• Failover between SDCs possible if provisioned
  • 3rd ePVC to alternate site required
  • Sync'd customer at alternate site required
• Multiple regional egress points possible
  • Global MPLS network chooses the closest SDC based on AS (autonomous system) routing
Failover/Redundancy Concepts
• Current intra-SDC infrastructure redundancy:
  • All SDC networks and components provisioned in load-balancing/redundant mode
  • Intra-SDC failover in 1-15 seconds
  • Customer traffic completely segregated from management traffic
• Customer SecNet failover (single SDC)
  • Standby SecNet offered standard for all MPLS VPNs (EVPN, IPeFR and IPeATM SecNets)
  • Failover from active SecNet to backup in less than 2 minutes (90-120 seconds)
• Inter-SDC geographic failover
  • Additional customer feature
  • Maintain redundant standby Security Policies in designated backup center
  • Designated backup center standby only – not load sharing
  • Failover will be automatic; failback will be manual
  • Minimum of two minutes before failover to avoid "flapping"
  • State not maintained
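The inter-SDC rules above (automatic failover only after a two-minute minimum, manual failback, no state carried across) make a small state machine. The controller below is an added example, not AT&T's failover logic; the `Site` and `FailoverController` classes, the health-sample interface and the site names are constructed. It shows why the hold-down matters: a primary that flaps back to healthy inside the two minutes never causes a switch, and once the backup is active a recovered primary is not switched back to until an operator calls `failback`.

```python
"""Inter-SDC geographic failover with a hold-down timer and manual failback.

Added illustration, not AT&T's controller. It models the rules stated on
the slide: failover is automatic only once the primary has been failed for
at least two minutes (to avoid flapping), failback is an operator action,
and no session state is carried to the backup. Health samples and site
names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOLD_DOWN_SECONDS = 120   # "minimum of two minutes before failover"


@dataclass
class Site:
    name: str
    healthy: bool = True


@dataclass
class FailoverController:
    primary: Site
    backup: Site
    hold_down: int = HOLD_DOWN_SECONDS
    active: Optional[Site] = None
    failed_since: Optional[int] = None          # time the primary was first seen failed
    log: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self):
        self.active = self.primary

    def observe(self, now: int, primary_healthy: bool, backup_healthy: bool = True) -> str:
        """Feed one health-check sample taken at time `now` (seconds); returns the active site name."""
        self.primary.healthy = primary_healthy
        self.backup.healthy = backup_healthy
        if self.active is self.primary:
            if primary_healthy:
                if self.failed_since is not None:
                    self.log.append((now, "primary recovered inside hold-down; no failover"))
                self.failed_since = None        # a recovery resets the clock: this is the anti-flap rule
            elif self.failed_since is None:
                self.failed_since = now         # start the hold-down clock, do not switch yet
            elif now - self.failed_since >= self.hold_down:
                if backup_healthy:
                    self.active = self.backup
                    self.log.append((now, "automatic failover to %s; sessions not preserved" % self.backup.name))
                else:
                    self.log.append((now, "hold-down expired but backup unhealthy; staying on primary"))
        # While the backup is active a healthy primary never triggers a switch: failback is manual.
        return self.active.name

    def failback(self, now: int) -> bool:
        """Operator-initiated return to the primary; refused unless the primary is healthy."""
        if self.active is self.backup and self.primary.healthy:
            self.active = self.primary
            self.failed_since = None
            self.log.append((now, "manual failback to %s" % self.primary.name))
            return True
        return False
```

Because state is not maintained across the switch, every entry in `log` that records a failover is also the moment existing sessions through the old SDC are lost; an operator scheduling the manual failback should treat it as a second such cut, not as a transparent return.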