Study Guide for NSE 1: Datacenter Firewall
February 1, 2016
Fortinet Network Security Solutions
Infrastructure Integration
Meeting the challenge of data center growth while maintaining throughput requires integrating
technologies, so as to reduce the signal loss and slowdown introduced by bridging and security
barriers between ad hoc arrangements of independent appliances. There are two camps on what should
be at the heart of a modern firewall. On one side are vendors who use an off-the-shelf (OTS)
central processing unit (CPU) design; this is the simplest design but suffers from performance
degradation under load. On the other side are those advocating hybrid designs that pair CPUs with
application-specific integrated circuits (ASICs), which are more efficient and may provide the
infrastructure needed to meet demands for throughput, growth, and security. Two types of hybrid
design are prevalent:
CPU + OTS ASIC. A general-purpose CPU is augmented by an off-the-shelf (OTS) processor.
CPU + Custom ASIC. The most difficult to build but the best-performing design: a general-purpose CPU
is closely linked to a number of custom-built ASICs. Because each ASIC is designed for the specific
task the device must perform, data processing throughput is enhanced and system performance is
optimized.
Data Center Firewall. In addition to acting as a gatekeeper, the data center firewall serves a number
of other functions. Depending on network size and configuration, it may also provide additional
security functions, such as segregating internal resources from access by malicious insiders and
ensuring compliance with regulations protecting consumer, patient, and other sensitive user data.
These functions are referred to collectively as Multi-Layered Security, and may include:
IP Security (IPSec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [1]
These functions work together to provide integrated security for the data center, giving
administrators consolidated, clear control while presenting complex barriers to potential threats.
Figure 2 shows a notional data center firewall deployment performing gatekeeper duty with the
integrated security functions depicted in Figure 1 above, combining simplified control with layered
protection.
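The passage above describes two ideas that are easier to see in code than in prose: a data center firewall evaluates its rule base top-down with an implicit default deny (the gatekeeper role, including segmentation of internal resources from insiders), and the additional security layers (IPS, antivirus, web filtering) run only on traffic the firewall layer has already allowed. The following Python is an added example written for this guide, not code from Fortinet or from any product; the zones, rule base, inspection "signatures" and sample flows are all constructed for illustration.

```python
"""Toy data center firewall: first-match rule base with layered inspection.

Added example (constructed, not from the study guide or any vendor product).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed address zones. "db" is a subnet carved out of "internal" so that
# insider access to it can be denied explicitly while other internal traffic flows.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "db":       [ip_network("10.20.0.0/16")],
    "dmz":      [ip_network("192.168.100.0/24")],
    "any":      [ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    url: str = ""         # set for HTTP(S) flows; consumed by the web filter
    payload: bytes = b""  # first bytes of the stream; consumed by AV and IPS

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                        # "tcp", "udp" or "any"
    dports: Optional[FrozenSet[int]]  # None = any destination port
    action: str                       # "allow" or "deny"
    inspect: Tuple[str, ...] = ()     # inspection layers applied to allowed traffic

def in_zone(addr: str, zone: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in ZONES[zone])

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (in_zone(flow.src, rule.src_zone)
            and in_zone(flow.dst, rule.dst_zone)
            and rule.proto in ("any", flow.proto)
            and (rule.dports is None or flow.dport in rule.dports))

# --- Inspection layers. Each returns a block reason, or None to let the flow pass.
# Real engines reassemble streams and files; these are constructed one-pattern stand-ins.
AV_SIGNATURE = b"CONSTRUCTED-MALWARE-SAMPLE"       # constructed, not a real signature

def antivirus(flow: Flow) -> Optional[str]:
    return "known malware sample" if AV_SIGNATURE in flow.payload else None

def ips(flow: Flow) -> Optional[str]:
    return "path traversal in request" if b"../" in flow.payload else None

BLOCKED_PATH_CATEGORIES = ("/phish/", "/malware/")  # constructed stand-in for URL categories

def web_filter(flow: Flow) -> Optional[str]:
    for cat in BLOCKED_PATH_CATEGORIES:
        if cat in flow.url:
            return "blocked category " + cat
    return None

INSPECTORS: Dict[str, Callable[[Flow], Optional[str]]] = {
    "av": antivirus, "ips": ips, "webfilter": web_filter,
}

# Constructed rule base. Order matters: the insider deny must precede the broad
# "internal to anywhere" allow, or first-match evaluation would never reach it.
RULES: List[Rule] = [
    Rule("allow-inet-to-dmz-web", "any", "dmz", "tcp", frozenset({80, 443}), "allow", ("ips", "webfilter")),
    Rule("allow-dmz-app-to-db", "dmz", "db", "tcp", frozenset({5432}), "allow", ("ips",)),
    Rule("deny-internal-to-db", "internal", "db", "any", None, "deny"),
    Rule("allow-internal-outbound", "internal", "any", "any", None, "allow", ("av", "webfilter")),
]

def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str, Optional[str]]:
    """Return (action, matched_rule, block_reason) using first-match semantics.

    A flow matching no rule hits the implicit default deny, as on a real data
    center firewall. Inspection layers run only after the firewall layer has
    allowed the flow, and any layer can turn that allow into a deny.
    """
    for rule in rules:
        if not rule_matches(rule, flow):
            continue
        if rule.action == "deny":
            return ("deny", rule.name, None)
        for layer in rule.inspect:
            reason = INSPECTORS[layer](flow)
            if reason is not None:
                return ("deny", rule.name, f"{layer}: {reason}")
        return ("allow", rule.name, None)
    return ("deny", "implicit-default-deny", None)

# Constructed sample flows: Internet client, insider workstation, DMZ app server.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.168.100.10", "tcp", 443, url="https://192.168.100.10/"),
    Flow("203.0.113.5", "192.168.100.10", "tcp", 22),
    Flow("10.1.5.7", "10.20.0.5", "tcp", 5432),
    Flow("192.168.100.10", "10.20.0.5", "tcp", 5432),
    Flow("10.1.5.7", "198.51.100.9", "tcp", 80, url="http://198.51.100.9/phish/login"),
    Flow("10.1.5.7", "198.51.100.9", "tcp", 80, url="http://198.51.100.9/dl", payload=AV_SIGNATURE),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {evaluate(f)}")
```

Running the block shows the Internet client reaching the DMZ web tier but not SSH, the insider workstation being stopped at the database segment, the DMZ application server being allowed through to the database, and two outbound flows that pass the firewall layer only to be dropped by web filtering and antivirus respectively. Swapping the order of the last two rules lets the insider flow through, which is the classic rule-ordering mistake a reviewer of a real rule base looks for.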
Because of the increasing size and complexity of data center operations and the needs of external
users, as well as the increased costs associated with enterprise firewall equipment and training,
companies may decide to outsource data center security operations to a third party, or Managed
Security Service Provider (MSSP). A growing market alongside evolving technologies, MSSPs provide a
wide range of network security services, from one-time services, such as configuring routers, to
ongoing services such as network monitoring, upgrades, and configuration. This gives small and
medium businesses (SMB) enhanced capabilities without having to increase technical staff, while
providing large and high-visibility businesses with supplemental protection beyond their own staff.
When deciding whether to engage an MSSP for network security operations, a number of
considerations must be taken into account. At the most basic level, the MSSP should align with
your business and security philosophy. Will they sign a non-disclosure agreement, so that details about
your company's security stay confidential? The MSSP needs to be highly available to you, especially
if you run 24/7 operations and reach a global audience (and who on the Internet doesn't these days?).
It is worth a visit to their facility to check out their operations and talk with staff. The MSSP's
service must be sustainable: what are their redundancy capabilities in case of primary system failure
or disaster, and what is the likelihood they may go out of business (the market is still maturing and
the current failure rate is high)? Identify clearly the level of service you can expect from the
MSSP; demand a strong service level agreement (SLA) spelling out all roles and responsibilities for
both parties. These requirements are foundational to success in using an MSSP to manage data center
security.
Application Services
With increasing use of the cloud to enable mobile, even global, use of applications and access to
organization databases, technology services designed to fulfil the needs of industries from SMBs to
large international corporations have developed. In today's market, and for the foreseeable future,
cloud services continue to grow quickly. Integral to this broad range of services are three primary
components: infrastructure (IaaS), platforms (PaaS), and software (SaaS) as services. The primary
difference between the models rests in how responsibility is traded off between the developer (user)
and the vendor (provider), as illustrated in Figure 8 [2].
Figure 9. Examples of businesses using IaaS, PaaS, and SaaS cloud models.
Summary
From an introduction to the current status of computer network options and configurations, to the
challenges posed by evolving technologies and advanced threats, this module has laid a foundation
for more focused discussion of emerging threats and of the network security technologies and
processes designed to give organizations the tools they need to best defend against those threats
and continue uninterrupted, secure operations. An additional module in this program will focus on
the Next Generation Firewall (NGFW), an evolving technology in network security.
Acronyms
AD  Active Directory
ADC  Application Delivery Controller
ADN
AM  Antimalware
API  Application Programming Interface
APT  Advanced Persistent Threat
ASIC  Application-Specific Integrated Circuit
ASP
ATP
AV  Antivirus
AV/AM  Antivirus/Antimalware
BYOD  Bring Your Own Device
CPU  Central Processing Unit
DDoS  Distributed Denial of Service
DLP  Data Loss Prevention
DNS  Domain Name System
DoS  Denial of Service
DPI  Deep Packet Inspection
DSL  Digital Subscriber Line
FTP  File Transfer Protocol
FW  Firewall
Gb  Gigabit
GbE  Gigabit Ethernet
Gbps  Gigabits per second
GSLB  Global Server Load Balancing
GUI  Graphical User Interface
IaaS  Infrastructure as a Service
ICMP  Internet Control Message Protocol
ICSA
ID  Identification
IDC
IDS  Intrusion Detection System
IM  Instant Messaging
IMAP  Internet Message Access Protocol
IoT  Internet of Things
IP  Internet Protocol
IPS  Intrusion Prevention System
IPSec  IP Security
IPTV  Internet Protocol Television
IT  Information Technology
J2EE  Java 2 Platform, Enterprise Edition
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
LLB
LOIC  Low Orbit Ion Cannon
MSP  Managed Service Provider
NSS Labs
OSI  Open Systems Interconnection
PaaS  Platform as a Service
PC  Personal Computer
POE  Power over Ethernet
POP3  Post Office Protocol version 3
QoS  Quality of Service
RDP  Remote Desktop Protocol
SaaS  Software as a Service
SDN  Software-Defined Network
SEG
SFP  Small Form-factor Pluggable
SFTP
SIEM  Security Information and Event Management
SLA  Service Level Agreement
SM  Security Management
SMB  Small and Medium Business
SMS  Short Message Service
SPoF  Single Point of Failure
SQL  Structured Query Language
SSL  Secure Sockets Layer
SWG  Secure Web Gateway
SYN
TCP  Transmission Control Protocol
UDP  User Datagram Protocol
URL  Uniform Resource Locator
USB  Universal Serial Bus
UTM  Unified Threat Management
VM  Virtual Machine
VoIP  Voice over IP
VPN  Virtual Private Network
WAF  Web Application Firewall
XSS  Cross-site Scripting
Databases are simply electronic repositories of data used to store information for the organization in a
structured, searchable, and retrievable format.
Edge Firewall. Implemented at the edge of a network to protect it against potential attacks from
external traffic, the edge firewall is the best understood, or traditional, role of a firewall: the
gatekeeper.
Hypervisor Mode. In hypervisor mode the virtual firewall is not part of the virtual network at all;
rather, it resides in the hypervisor on the host, where it can capture and analyze packets destined
for the virtual network.
Application Awareness
Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond
the IaaS model. In this model, the provider not only builds the infrastructure, but also provides
monitoring and maintenance services for the user.
Programming consists of the scripts or computer instructions used to validate data, perform
calculations, or navigate users through application systems.
SDDC. The software-defined data center (SDDC) presents a paradigm that infrastructure such as servers,
network, and storage can be logically and dynamically orchestrated without the need for adding or
configuring new physical appliances or expanding into new facilities.
Shared Security Responsibility (SSR) Model. When using application services (the cloud) for
applications and access to databases, these services come with a shared responsibility for security
and operations that is split between the cloud provider and the cloud tenant.
Software as a Service (SaaS). The SaaS model takes the final step of bringing the actual software
application into the set of functions managed by the provider, with the user having a client interface.
2. Frampton, K. The Differences Between IaaS, SaaS, and PaaS. SmartFile, 2013.
3.