
SafeZone --Classic Encryption--

SafeZone --Classic Encryption--. Issued by_ MixofTix Developers Network Director Network & Security Overview. Information: URL: http://www.MixofTix.net E-Mail: info {AT} mixoftix {DOT} net Document # 7856-SECU-EHR-01. © MixofTix Developers Network July, 2006.



Presentation Transcript


  1. SafeZone --Classic Encryption-- Issued by_ MixofTix Developers Network Director Network & Security Overview Information: URL: http://www.MixofTix.net E-Mail: info {AT} mixoftix {DOT} net Document # 7856-SECU-EHR-01 © MixofTix Developers Network July, 2006

  2. • Networking Solutions
     • Security Between Particles
     • Total Security Architecture
     • Anti-Virus
     • Compare Databases
     • Compare Development Platforms
     • Analysis of QoS

  3. Networking Solutions

  4. Network Parts
     • A core zone linked to the distributed servers
     • Connections between particles go over the Internet
     • Connections inside the core are Ethernet

  5. Solutions for Internet connection
     • Leased line
     • Point to Point
     • Satellite

  6. Network Protocol
     • TCP/IP

  7. Security Between Particles

  8. What is a firewall?
     • Different firewall technologies
     • Firewall functionalities
     • Firewall as a part of a total security solution

  9. What is a Firewall?
     • A device (usually hardware and software) that enables safe data communications between networks with different security policies (e.g. Intranet/Extranet, Intranet/Internet)
     • Used to carry out network security policy and control communication between networks
     [Diagram: the Internet (untrusted networks and servers, untrusted users) connected through a gateway to the internal network (trusted networks, trusted users) and to a DMZ, the network segment for public servers (e.g. HTTP, SMTP)]

  10. Firewall Technologies
     • Packet filters (e.g. routers)
     • Application proxies (e.g. Raptor, Gauntlet)
     • Stateful inspection (e.g. Netscreen, Cisco PIX)
     • Multi-Layer inspection (e.g. StoneGate)

  11. Layering Models vs. Real Life
     [Diagram: the OSI Model, the TCP/IP Model and the "Real Life" stack shown side by side]

  12. Packet Filter
     • Network layer functionality
     • Filters according to ACLs (Access Control Lists)
     • Source and Destination IP, Ports
     [Diagram: the OSI stacks of two hosts with the packet filter between them, operating at the Network layer only]

  13. Packet Filter
     • Advantages
       • High performance
       • Application independence
       • Transparency
     • Disadvantages
       • Low security (no inspection above the network layer)
       • Large rule bases slow down traffic and are difficult to manage/configure

  14. Application Proxies
     • Application layer functionality
       • Every service needs its own proxy
     • No direct connections are allowed between networks
       • Each new connection is established by a proxy
     [Diagram: the OSI stacks of two hosts with separate Telnet, HTTP and FTP proxies at the Application layer between them]

  15. Application Proxies
     • Advantages
       • Very high security
       • Application layer screening
     • Disadvantages
       • Poor performance
       • Limited application support
       • No connection failover

  16. Stateful Inspection
     • Packet filter with enhanced features
     • Historical connection data (dynamic state tables)
     • Examines packets up to the application layer (vendor dependent)
     [Diagram: an inspection engine with dynamic state tables placed between two OSI stacks, inspecting from the Network layer up to the Application layer]

  17. Stateful Inspection
     • Advantages
       • Transparency
       • Security
       • Performance
       • Scalability (add-on products)
     • Disadvantages
       • Limited application layer screening

  18. Multi-Layer Inspection
     • "A proxy-like stateful inspection"
     • Connection tracking (dynamic state tables)
     • Examines data up to the application layer with protocol agents
     • Every packet must either be accepted directly by the rule base, be part of a previously accepted connection, or be part of a related connection
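The difference between slides 12-13 (a packet filter deciding on ACLs alone) and slides 16-18 (a dynamic state table in front of the rule base) is easiest to see by running the same three packets through both designs. The following Python is an added example written for this transcript, not code from MixofTix or from any firewall product named on the slides; the rule base, the addresses and the packets are constructed, and the simplified model tracks connections by 4-tuple only and treats a TCP SYN as the connection-opening packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for the TCP packet that opens a new connection


@dataclass(frozen=True)
class Rule:
    """One ACL entry: source/destination network and port (None = any)."""
    src_net: str
    src_port: Optional[int]
    dst_net: str
    dst_port: Optional[int]
    action: str  # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


def packet_filter(rules, p: Packet) -> str:
    """Stateless packet filter: the first matching ACL entry decides, default drop."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


class StatefulFirewall:
    """Rule base plus a dynamic state table of accepted connections."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # accepted 4-tuples (src_ip, src_port, dst_ip, dst_port)

    def handle(self, p: Packet) -> str:
        flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if flow in self.state or reverse in self.state:
            return "accept"  # part of a previously accepted connection (either direction)
        if p.syn and packet_filter(self.rules, p) == "accept":
            self.state.add(flow)  # new connection accepted directly by the rule base
            return "accept"
        return "drop"  # neither known nor permitted to start a connection


INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"

# Constructed rule bases (illustrative values, not taken from the slides).
OUTBOUND_HTTP = Rule(INTERNAL, None, ANY, 80, "accept")
# A stateless filter has no memory of the outbound request, so it needs a second
# entry that lets replies from port 80 back in. That entry matches any inbound
# packet with source port 80, not only genuine replies: the "low security" point.
REPLY_RULE = Rule(ANY, 80, INTERNAL, None, "accept")

PACKET_FILTER_RULES = [OUTBOUND_HTTP, REPLY_RULE]
STATEFUL_RULES = [OUTBOUND_HTTP]  # no reply rule needed; the state table covers replies

# Constructed traffic: a request, its reply, and an unrelated inbound packet.
TRAFFIC = {
    "outbound":    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    "reply":       Packet("203.0.113.10", 80, "10.0.0.5", 40000),
    "unsolicited": Packet("203.0.113.99", 80, "10.0.0.7", 22),
}


def compare():
    """Run the traffic through both designs; returns {name: (stateless, stateful)}."""
    fw = StatefulFirewall(STATEFUL_RULES)
    return {name: (packet_filter(PACKET_FILTER_RULES, p), fw.handle(p))
            for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12s} packet filter: {stateless:7s} stateful: {stateful}")
```

The stateful design reaches the same answer for the request and its reply with a shorter rule base, and drops the unsolicited packet that the stateless ACL has to accept because it cannot tell a reply from a new inbound connection.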

  19. Multi-Layer Inspection

  20. Firewall Functions
     • Access Control
       • Authorized connections are allowed
       • Unauthorized access to network resources is blocked
       • Part of the Corporate Network Security Policy
     • Network Address Translation (NAT)
       • Enables administrators to use private IP addresses
       • Hides hosts and network architecture behind public IP addresses
     • Monitoring and logging
       • Network traffic load
       • Logging for troubleshooting, for evidence, and to track traffic volumes
     • Authentication
       • Authenticates users
       • Third party authentication software
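The NAT and logging functions on slide 20 can be shown together with a small many-to-one NAT (port address translation) table: two internal hosts share one public address, replies are mapped back to the right host, and an inbound packet with no mapping is dropped, which is what "hides hosts behind public IP addresses" means in practice. This Python is an added example for this transcript, not code from MixofTix or from any product on the slides; the public address, the internal network and the packets are constructed.

```python
import ipaddress
import itertools
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortNat:
    """Many-to-one NAT: internal (ip, port) pairs are mapped to ports on one public IP."""

    def __init__(self, public_ip: str, internal_net: str, first_port: int = 50000):
        self.public_ip = public_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self._ports = itertools.count(first_port)  # constructed allocation policy: sequential
        self.out_table = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.in_table = {}   # (public port, remote_ip, remote_port) -> (src_ip, src_port)
        self.log = []        # one line per decision: troubleshooting, evidence, volumes

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite an internal packet's source to the public IP; None if not from inside."""
        if ipaddress.ip_address(p.src_ip) not in self.internal_net:
            self.log.append(f"drop outbound {p.src_ip}:{p.src_port} not in internal net")
            return None
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.out_table:
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
            self.log.append(f"map {p.src_ip}:{p.src_port} -> {self.public_ip}:{port}")
        return replace(p, src_ip=self.public_ip, src_port=self.out_table[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a reply to the internal host that opened the mapping; None if unknown."""
        inner = self.in_table.get((p.dst_port, p.src_ip, p.src_port))
        if inner is None:
            # Nothing inside asked for this, so no internal host is ever exposed.
            self.log.append(f"drop inbound {p.src_ip}:{p.src_port} -> :{p.dst_port} no mapping")
            return None
        return replace(p, dst_ip=inner[0], dst_port=inner[1])


def demo():
    """Two internal hosts behind one public IP; returns the translated packets and the log."""
    nat = PortNat("198.51.100.1", "10.0.0.0/8")  # constructed addresses
    a = nat.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 80))
    b = nat.outbound(Packet("10.0.0.6", 40000, "203.0.113.10", 80))
    reply_b = nat.inbound(Packet("203.0.113.10", 80, "198.51.100.1", b.src_port))
    unsolicited = nat.inbound(Packet("203.0.113.99", 12345, "198.51.100.1", 22))
    return a, b, reply_b, unsolicited, nat.log


if __name__ == "__main__":
    a, b, reply_b, unsolicited, log = demo()
    print("host A seen as", f"{a.src_ip}:{a.src_port}")
    print("host B seen as", f"{b.src_ip}:{b.src_port}")
    print("reply for B delivered to", f"{reply_b.dst_ip}:{reply_b.dst_port}")
    print("unsolicited inbound:", unsolicited)
    print("\n".join(log))
```

Both hosts used the same source port 40000, so the NAT must key its table on the full 4-tuple rather than on the internal address alone; the log lines are what an administrator would keep for the troubleshooting and evidence uses the slide lists.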

  21. Another Difference in Firewall Technologies
     • Hardware-based
       • Proprietary hardware and proprietary software
       • Expensive to buy; no other uses for the hardware
       • Usually fast (built on ASICs); also smaller low-cost, low-performance HW solutions, depending on the solution
       • No scalability
       • Limited support for different services
     • Software-based
       • Standard hardware
       • Lower investment cost; re-usability option
       • Standard operating system or dedicated hardened OS
       • Licensing enables scalability
       • Compatibility with other security solutions
       • Scalability can be achieved by external load balancing hardware or software
       • More flexible to build support for different services

  22. Total Security Architecture

  23. [Diagram: total security architecture. From the Internet, a Web Transaction DMZ and a Web Information DMZ with Content Scanning and Network-based Intrusion Detection; behind them the Back-End/Internal Network with Back-End Application & Database Servers, Network Servers, Authentication Server, CA Server and Host-based Intrusion Detection, plus separate R & D and Human Resources segments]

  24. [Diagram: the same architecture with a Traditional VPN Connection from the Internet via Connection Providers; Web Transaction, Web Information, Content Scanning, Intrusion Detection, Network Servers and Back-End Application & Database Servers shown as scalable HA/LB pairs, Authentication Server and CA Server as HA pairs]

  25. [Diagram: the same architecture with a Multi-Link VPN across several Connection Providers, marking the Single Points of Failure in the VPN Connections]

  26. [Diagram: the same architecture with a Remote Client with Firewall reaching the site over VPN Connections through the Connection Providers]

  27. Functions of a VPN
     • VPNs facilitate the connection of LANs and clients (e.g. notebooks) via the Internet, which is very low-priced and available worldwide.
     • By means of VPNs, corporate access via the Internet can be effected confidentially, independent of the selected media.

  28. Tunnelling
     [Diagram: a tunnel carrying traffic between Network A and Network B]

  29. Layer 2 VPNs
     • Work on OSI layer 2, the data-link layer (security layer)
     • Entire IP packets are "packed" in the tunnel protocol
     • Tunnel the Point-to-Point Protocol (PPP)
     • Use the functions of the PPP infrastructure
       • DHCP
       • User-oriented authentication
       • Compression
     • A layer-2 tunnel is a "virtual cable"
       • Can be set up across any IP structure
       • Supports multiple protocols

  30. StoneGate VPN
     • VPN gateway with StoneGate technology
     • DES, 3DES, AES (256), Blowfish, CAST
     • Managed through a centralized management system
     • Includes firewall
     • IPSec compatible
     • Comes with the SG VPN client (includes personal firewall)
     • Supported user authentication methods:
       • RADIUS, TACACS+ or LDAP(S) back-end protocols
       • Client certificates
       • Smart Cards (PKCS#11, PKCS#15, Microsoft CAPI)
       • USB tokens

  31. What is a CA
     • A Certification Authority is responsible for providing and assigning the keys for encryption, decryption and authentication.
     • A CA can issue certificates to a computer, a user account or a service.

  32. Certificate Hierarchies
     [Diagram: a Root CA at the top, with trust flowing down to three Subordinate CAs]

  33. Using Public Keys and Private Keys
     • A private key, which is kept confidential
     • A public key, which is freely given out to all potential correspondents

  34. Anti-Virus

  35. Anti-Virus Features
     • Centralized Management
     • Automatic Daily Updates
     • Minimum Reaction Time

  36. [image-only slide]

  37. F-Secure
     • Easy-to-use solution for keeping customers rapidly and automatically protected against fast-spreading Internet-borne viruses and other malicious code
     • F-Secure Anti-Virus protects both site-based and mobile workers, ensuring system availability and data integrity every minute of every day, everywhere in the world.

  38. Compare Databases

  39. Technical Comparison of: Oracle vs. SQL Server vs. MySQL

  40. Platform Availability: Oracle9i
     Oracle9i Database is available on a large selection of hardware and operating systems, scaling from low-end uni-processor servers to large symmetrical multiprocessor machines to multi-node clusters. Oracle9i Database supports all major Unix platforms, including Linux, Microsoft operating systems, and a variety of other systems, including OS/390 mainframes. With Oracle9i, users are able to upgrade hardware and operating systems without changing or rewriting their applications.

  41. Platform Availability: SQL Server 2000
     SQL Server 2000 only runs on Microsoft's operating systems. Customers wishing to upgrade hardware are limited to platforms running these systems and must face the cost of converting their systems completely if they ever outgrow the capacity of their platform.

  42. Platform Availability: MySQL
     MySQL Database is available on Linux and Microsoft operating systems, Solaris and Mac OS X. With MySQL, users are able to upgrade hardware and operating systems without changing or rewriting their applications.

  43. Concurrency Model

  44. Comparison Chart

  45. SQL Server and MySQL limitations

  46. SQL Server and MySQL limitations

  47. Compare Development Platforms

  48. Comparison Charts

  49. Comparison Charts

  50. The same application was rebuilt by both Microsoft and Sun for an independent competition sponsored by a Company. Below is a comparison of the results:
