SERVICE DESCRIPTION
Firewall
Date: 14.12.2015
TABLE OF CONTENTS
1 INTRODUCTION
2 SERVICE DESCRIPTION
2.1 Basic service
2.2 Options
2.2.1 DHCP service
2.2.2 Link Balancing
2.2.3 Network Segmentation
3 ADDITIONAL DOCUMENTS
4 DISCLAIMER
1 INTRODUCTION
This document describes the USP Firewall managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service.
Field of application
A modern network is subdivided into various zones. The individual zones contain data of different sensitivity levels which may be accessed by different user groups. The zones are separated by firewalls. The firewalls examine the flow of data against predefined rules and thereby enforce the access authorizations for the individual zones.
Benefits
Monitoring the data traffic between the zones and blocking inadmissible traffic brings a marked increase in security on your network. Every data packet is matched against the table of active sessions; a packet that belongs to no valid session and is not permitted by a rule to open a new one is discarded. This is an effective method for preventing attacks from the Internet.
All zone transitions are logged. The firewall logs serve not only for the later analysis of attacks but, more often, as a valuable tool for analysing network problems.
2 SERVICE DESCRIPTION
2.1 Basic service
The USP Firewall service offers an effective separation between two different network zones, for example an internal company network and the Internet.
Name of service: Firewall
Service abbreviation: MSS-FW
Service version: 2.0
Status: Operational
Operating hours:
- OH1: Monday – Friday, 08:00 – 18:00 CET
- OH2: Monday – Saturday, 07:00 – 21:00 CET
- OH3: Monday – Sunday, 0:00 – 23:59 CET
- OH4: Monday – Friday, 08:00 – 18:00 local time
Availability guarantee:
- ACA: best effort
- ACB: 99.5% availability during operating hours
- ACC: 99.7% availability during operating hours
- ACD: 99.9% availability during operating hours
Usage parameter: The service is assessed on the basis of the number of IP addresses protected.
Description: The Firewall service uses a predefined set of firewall rules to control the transition between the different network zones. The basic service covers one zone transition, for example between the internal network and the Internet. In conventional (stateless) packet filters, two rules have to be defined so that communication can flow in both directions between an internal partner A and an external partner B. USP's Firewall service deploys stateful filtering: if A initiates the communication, the response from B is automatically permitted because it belongs to the session A opened. B is not permitted to send anything into the internal network if the communication was not started by A.
A further essential component of the basic service is the translation of addresses and ports (NAT and PAT). Predefined rules rewrite the source or destination addresses and ports of data packets, for example to hide internal addresses behind the firewall's external address or to publish an internal server under a public address and port.
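The stateful behaviour and the PAT step described above, as an added example that is not part of USP's service description or of the Fortinet product it runs on: a small zone-based stateful filter in Python. The zone prefixes, the rule table, the public address 198.51.100.1 and the PAT port range are assumptions made for the example; the model with three zones also covers the additional segment of option 2.2.3, since a new segment is just another zone with its own rule entries.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 5-tuple used as the session key: (proto, src, sport, dst, dport)
Key = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for the TCP packet that opens a connection


# Constructed zone topology for this example (not USP's or any customer's).
# The most specific matching prefix decides the zone; 0.0.0.0/0 catches the rest.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}
PUBLIC_IP = "198.51.100.1"  # assumed outside address of the firewall, used for PAT

# Rule table for new sessions: (from_zone, to_zone) -> allowed (proto, dport).
# Only the initiating direction needs a rule; replies ride on the session entry.
# Any zone pair not listed here is denied.
RULES = {
    ("internal", "internet"): {("tcp", 80), ("tcp", 443), ("udp", 53)},
    ("internal", "dmz"): {("tcp", 22), ("tcp", 443)},
    ("internet", "dmz"): {("tcp", 443)},
}


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ipaddress.ip_address(ip)
    for zone, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return zone
    raise ValueError(f"no zone for {ip}")


class StatefulFirewall:
    def __init__(self) -> None:
        self.forward: Dict[Key, Key] = {}  # initiator 5-tuple -> translated 5-tuple
        self.reverse: Dict[Key, Key] = {}  # translated reply 5-tuple -> reply as the initiator sees it
        self.log: List[str] = []
        self._pat_ports = itertools.count(40000)  # PAT source ports handed out in sequence

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _from_key(k: Key, syn: bool) -> Packet:
        return Packet(k[1], k[2], k[3], k[4], k[0], syn)

    def process(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Return ("allow", packet as forwarded) or ("deny", None)."""
        key = self._key(p)
        # 1. Reply to a session somebody inside opened: translate back and allow.
        if key in self.reverse:
            self.log.append(f"ALLOW established reply {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "allow", self._from_key(self.reverse[key], p.syn)
        # 2. Further packets of a known session in the initiating direction.
        if key in self.forward:
            self.log.append(f"ALLOW established {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "allow", self._from_key(self.forward[key], p.syn)
        # 3. No session: the packet may only pass if it opens a session a rule permits.
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if p.proto == "tcp" and not p.syn:
            self.log.append(f"DROP no-session {src_zone}->{dst_zone} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "deny", None
        if (p.proto, p.dport) not in RULES.get((src_zone, dst_zone), set()):
            self.log.append(f"DROP policy {src_zone}->{dst_zone} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "deny", None
        # 4. Create the session. Traffic leaving towards the Internet is source-PATed
        #    behind PUBLIC_IP; between internal zones the addresses are left alone.
        if dst_zone == "internet":
            tsrc, tsport = PUBLIC_IP, next(self._pat_ports)
        else:
            tsrc, tsport = p.src, p.sport
        translated: Key = (p.proto, tsrc, tsport, p.dst, p.dport)
        self.forward[key] = translated
        # The reply arrives addressed to the translated tuple; map it back to the initiator.
        self.reverse[(p.proto, p.dst, p.dport, tsrc, tsport)] = (p.proto, p.dst, p.dport, p.src, p.sport)
        self.log.append(f"ALLOW new {src_zone}->{dst_zone} {p.src}:{p.sport} -> {p.dst}:{p.dport} as {tsrc}:{tsport}")
        return "allow", self._from_key(translated, p.syn)


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.process(Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True))  # A opens the session
    fw.process(Packet("203.0.113.10", 443, "198.51.100.1", 40000))       # B's reply rides on it
    fw.process(Packet("203.0.113.10", 4444, "10.0.0.5", 445, syn=True))  # B on its own: dropped
    print("\n".join(fw.log))
```

The point the example makes visible is the asymmetry of step 3: a TCP packet without SYN that matches no session is dropped before the rule table is even consulted, and a SYN is only admitted where a rule exists for the initiating direction. Real firewalls additionally age sessions out and track TCP state beyond the SYN, which the example omits.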
Benefits: The entire data flow between the different zones is monitored and controlled by the Firewall service. Access to sensitive data is blocked right at the perimeter of the zones, so potential attackers are locked out not only of the data but also of the environment in which it is processed.
The data traffic between the zones is logged in full. Attacks or data theft are often noticed only long after the event, and the firewall logs are a vital forensic resource in such cases. Analysis of the Firewall service log data also contributes to an efficient defence against future attacks.
Key Performance Indicators (KPIs)
Compliance with the SLA parameters is measured against the availability of the service infrastructure.
Reporting: The following service-specific values are collated in the monthly reports:
- infrastructure workload
- total data volume
- incoming and outgoing data volume per zone
- number of sessions
- number of requests allowed, number of requests blocked
Measuring points: The following measuring points are watched to monitor the service:
- CPU/RAM utilisation
- log status
- number of IP addresses in internal networks
- number of sessions
- incoming and outgoing data volume per zone
Conditions of use: The firewall infrastructure must be implemented redundantly for availability guarantees higher than ACA (ACB, ACC or ACD).
The Firewall service requires a valid FortiGuard or FortiCare subscription for the infrastructure.
2.2 Options
2.2.1 DHCP service
The firewall infrastructure acts as a DHCP server or relays DHCP messages between a target segment and a remote DHCP server.
Name of the service option: DHCP service
Abbreviation: MSS-FW-DHCP
Usage parameter: The service option is assessed on the basis of the size of the address range. DHCP relaying is assessed at a fixed amount.
Description: Clients need to have a valid address before they are able to use network resources. These addresses are either set statically or assigned dynamically by a DHCP server. If this option is enabled, the firewall infrastructure takes part in this in one of two ways. Either the firewall itself acts as the DHCP server for one or more internal segments, or it acts as a DHCP relay: client requests from the internal segment are forwarded to a remote DHCP server and the addresses that server assigns are relayed back into the segment.
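Both modes, as an added example that is not part of USP's documentation or of the firewall product's code: a minimal DHCP address pool for server mode, and the relay-agent handling of the raw BOOTP header (giaddr and hops fields, RFC 2131/1542) for relay mode, with a constructed DHCPDISCOVER and a stand-in server so the exchange runs offline. The address range, the relay interface address 10.1.1.1 and the client MAC are assumptions; the pool also exposes the "addresses assigned concurrently" figure the reporting section refers to.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# Fixed-size BOOTP/DHCP header (RFC 2131); the relay only needs a few fields:
#   offset 0  op (1 = BOOTREQUEST, 2 = BOOTREPLY)
#   offset 3  hops
#   offset 16 yiaddr (address assigned to the client)
#   offset 24 giaddr (address of the relay agent's interface on the client segment)
#   offset 28 chaddr (client hardware address)
HEADER_LEN = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MAX_HOPS = 16  # a relay discards requests that have already crossed 16 relays (RFC 1542)


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a client on the segment would broadcast it."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,                  # op, htype=Ethernet, hlen, hops, xid, secs, flags=broadcast
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr all zero
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, end option


class DhcpPool:
    """Server mode: the firewall hands out leases from one segment's address range."""

    def __init__(self, first: str, last: str, lease_seconds: int = 3600) -> None:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.range = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.lease_seconds = lease_seconds
        self.leases: Dict[str, Tuple[str, float]] = {}  # ip -> (client MAC, expiry time)

    def _expire(self, now: float) -> None:
        for ip in [ip for ip, (_, exp) in self.leases.items() if exp <= now]:
            del self.leases[ip]

    def offer(self, mac: str, now: float) -> Optional[str]:
        """Renew the client's existing lease or take the first free address; None when exhausted."""
        self._expire(now)
        for ip, (owner, _) in self.leases.items():
            if owner == mac:
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        for ip in self.range:
            if ip not in self.leases:
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        return None

    def concurrent(self, now: float) -> int:
        """The 'addresses assigned concurrently' figure used in the monthly report."""
        self._expire(now)
        return len(self.leases)


def relay_to_server(request: bytes, relay_ip: str) -> Optional[bytes]:
    """Relay mode, client side: stamp giaddr with our segment address, bump hops, forward."""
    if len(request) < HEADER_LEN or request[0] != 1 or request[3] >= MAX_HOPS:
        return None
    buf = bytearray(request)
    buf[3] += 1
    if buf[24:28] == b"\0" * 4:  # only the first relay on the path fills in giaddr
        buf[24:28] = ipaddress.ip_address(relay_ip).packed
    return bytes(buf)


def serve(request: bytes, pool: DhcpPool, now: float) -> Optional[bytes]:
    """Constructed stand-in for the remote DHCP server: answer with a BOOTREPLY carrying yiaddr."""
    mac = request[28:34].hex(":")
    ip = pool.offer(mac, now)
    if ip is None:
        return None
    buf = bytearray(request)
    buf[0] = 2
    buf[16:20] = ipaddress.ip_address(ip).packed
    return bytes(buf)


def relay_to_client(reply: bytes, relay_ip: str) -> Optional[Tuple[str, bytes]]:
    """Relay mode, server side: a BOOTREPLY addressed to our giaddr goes back into the segment."""
    if len(reply) < HEADER_LEN or reply[0] != 2:
        return None
    if reply[24:28] != ipaddress.ip_address(relay_ip).packed:
        return None  # not for a segment this relay serves
    return str(ipaddress.ip_address(reply[16:20])), reply
```

The giaddr check in relay_to_client is the security-relevant detail: the relay only injects replies into a segment when the server addressed them to the relay's own interface on that segment, so a stray or spoofed BOOTREPLY for another segment is dropped rather than forwarded. The hop limit keeps two misconfigured relays from forwarding a request between each other indefinitely.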
Benefits: Often there is no DHCP server available at smaller sites. No additional infrastructure is required if the firewall infrastructure takes on the role of the DHCP server.
Static addressing is not possible if the clients in a segment are not known and change frequently, for example in guest networks. Instead of using a dedicated server and hence additional infrastructure, this job can be taken on by the existing firewall infrastructure.
Key Performance Indicators (KPIs)
Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: The following data is added to the reported data:
- number of addresses assigned per day
- addresses assigned concurrently
Measuring points: The number of addresses assigned concurrently is monitored.
Conditions of use: The option is offered for segments with no more than 50 protected IP addresses or for guest segments.
2.2.2 Link Balancing
Where a site has several Internet links, this option allows them to be used jointly.
Name of the service option: Link Balancing
Abbreviation: MSS-FW-LB
Usage parameter: The service option is assessed on the basis of the size of the basic service.
Description: This option distributes the data traffic over the available links. Various strategies can be used for this:
- source IP-based (default): a link is assigned to each source IP address in round-robin sequence, so all traffic from one source consistently leaves via the same link.
- weighted load balance: traffic is distributed according to the configured weighting of the links.
- spillover: the second link is only selected once a specified bandwidth is exceeded on the first link.
Equal Cost Multipath Routing (ECMP) is generally used on these set-ups: the links are installed as equal-cost default routes and the chosen strategy decides which of them a session takes. As an alternative to using both links actively, one link can also be kept as a pure backup line that only carries traffic when the primary link fails.
As an alternative to the strategies listed above, the load distribution can also be defined on the basis of predefined (policy-based) routing rules.
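The three strategies and the backup-line behaviour described above, as an added example in Python that is not part of USP's documentation or of the firewall vendor's implementation: a link selector that is consulted once per new session and returns the egress link. Link names, weights, load figures and the spillover threshold are assumptions; the "up" flag stands in for the result of the ping monitor mentioned under measuring points, and the load figure for the interface utilisation fed in from monitoring.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    weight: int = 1          # share of new sessions under the weighted strategy
    up: bool = True          # False once the ping monitor declares the link dead
    load_mbps: float = 0.0   # current egress load, fed in from interface monitoring
    backup: bool = False     # pure backup line: carries traffic only when every primary link is down


class LinkBalancer:
    STRATEGIES = ("source-ip", "weighted", "spillover")

    def __init__(self, links: List[Link], strategy: str, spillover_mbps: float = 0.0) -> None:
        if strategy not in self.STRATEGIES:
            raise ValueError(f"unknown strategy {strategy!r}")
        self.links = links
        self.strategy = strategy
        self.spillover_mbps = spillover_mbps
        self._pinned: Dict[str, str] = {}                         # source IP -> link name
        self._credit: Dict[str, int] = {l.name: 0 for l in links}  # smooth weighted round-robin state
        self._cursor = 0                                          # round-robin position for new sources

    def candidates(self) -> List[Link]:
        """Links ECMP may use right now: live primaries, otherwise live backups (failover)."""
        primary = [l for l in self.links if l.up and not l.backup]
        return primary or [l for l in self.links if l.up and l.backup]

    def select(self, src_ip: str) -> Optional[Link]:
        """Pick the egress link for a new session from src_ip; None means no Internet path at all."""
        links = self.candidates()
        if not links:
            return None
        if self.strategy == "source-ip":
            return self._by_source(src_ip, links)
        if self.strategy == "weighted":
            return self._weighted(links)
        return self._spillover(links)

    def _by_source(self, src_ip: str, links: List[Link]) -> Link:
        # Each new source IP takes the next link in sequence and then sticks to it,
        # so one client's sessions always leave via the same public address.
        by_name = {l.name: l for l in links}
        pinned = self._pinned.get(src_ip)
        if pinned in by_name:
            return by_name[pinned]
        link = links[self._cursor % len(links)]  # unknown source, or its link is down: re-pin
        self._cursor += 1
        self._pinned[src_ip] = link.name
        return link

    def _weighted(self, links: List[Link]) -> Link:
        # Smooth weighted round-robin: weights 3:1 yield A A B A rather than A A A B,
        # so the heavier link is not hit with a burst at the start of every cycle.
        total = sum(l.weight for l in links)
        for l in links:
            self._credit[l.name] += l.weight
        chosen = max(links, key=lambda l: self._credit[l.name])
        self._credit[chosen.name] -= total
        return chosen

    def _spillover(self, links: List[Link]) -> Link:
        # Fill the links in order; move on to the next one only once the
        # configured bandwidth is exceeded on the current one.
        for l in links:
            if l.load_mbps < self.spillover_mbps:
                return l
        return links[-1]


if __name__ == "__main__":
    a, b = Link("isp-a", weight=3), Link("isp-b", weight=1)
    lb = LinkBalancer([a, b], "weighted")
    print([lb.select("10.0.0.1").name for _ in range(4)])
    a.up = False  # ping monitor reports isp-a dead: every new session moves to isp-b
    print(lb.select("10.0.0.1").name)
```

Two practical points the selector makes explicit: in source-IP mode a client whose link has failed is re-pinned to a surviving link on its next session, which is what "the entire data flow will be taken on by the remaining links" means in practice; and a link is only removed from the candidate set when the monitor marks it down, so the ping target should sit beyond the ISP's first router, otherwise an upstream outage leaves a dead link in rotation.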
Benefits: Connection to the Internet is of enormous importance for many companies, and pure availability is just as important in this context as the performance of the link. This option improves performance by distributing the load over a number of links.
Very high availability can be achieved by using multiple links. Should one link fail, the entire data flow is taken on by the remaining links, so that connectivity is assured and you benefit from an uninterrupted connection to the Internet.
Key Performance Indicators (KPIs)
Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: The following data is added to the reported data:
- availability of Internet links
- utilisation of Internet links
Measuring points: The availability of the links is checked by sending pings across each link. The relevant interfaces on the firewall are additionally monitored.
Conditions of use: The Internet links are provided by the customer and are not a part of this service option.
USP recommends that the USP Security Operations Center is registered with the ISP as a change-authorised contact so that changes and incidents can be handled as quickly as possible.
2.2.3 Network Segmentation
This option operates a further zone and manages the relevant rule sets.
Name of the service option: Network Segmentation
Abbreviation: MSS-FW-NS
Usage parameter: The service option is assessed on the basis of the size of the basic service.
Description: This option operates an additional network segment. The segment is terminated at the firewall infrastructure, either on a physical interface or as a VLAN, and the data traffic between the zones is controlled using predefined firewall rules.
Benefits: Data of differing security sensitivity is kept in different zones. Security is significantly enhanced by the fact that all zone transitions are monitored and logged by the firewall infrastructure.
Reporting: Incoming and outgoing data traffic for the additional segment is added to the existing report.
Measuring points: The incoming and outgoing data volume is measured.
Conditions of use: The conditions of use for the basic service apply.
3 ADDITIONAL DOCUMENTS
The present document describes the functional scope of USP's Firewall service. General information on the Service Level Agreement and on operation may be found in the additional documents.
Service management and SL catalogue: This document contains all the information relating to the Service Level Agreement parameters. It defines, for instance, the support processes and collaboration obligations along with operating hours and availability guarantees.
Services catalogue: The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion.
Price list: The prices of all services and options are laid down in the price list.
4 DISCLAIMER
This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement.
USP's General Terms and Conditions shall apply unless higher-ranking provisions apply.