
Academic year: 2021


(1)

Raptor Firewall Products

Axent Technologies, Ltd

(2)

• >100M Users on WWW
• E-Commerce Shift
• 150,000 Crooks on Net
• Billions Lost to Cyberthieves
• National Security Threats
• Security Cannot Be Ignored

(3)

Products

• Virtual Private Networks
  - Encryption of Internet packets between two systems/sites
  - Huge cost savings and convenience
• Firewalls
  - Perimeter security of the internal network from the Internet

(4)

VPN: Why Do It?

• Economics
  - Dedicated T-1 between offices: $10k - $100k per month
  - Internet: $2-4k/month
• Convenience
  - Thousands of modems at $100s/month/person
  - VPN at $15/month/person

(5)

VPN Cost Justification

• Shave over 75% off your remote access costs
  - 100 users
  - Dial in for 30 minutes per day
  - VPN in for unlimited time per day
• Annual cost:
  - Dial in: $180,000 (does not include equipment cost)
  - VPN: $42,000 (includes server, license, client and token software cost)

[Bar chart: 1 year cost, Dial In vs VPN, axis $0 to $180,000]

(6)

Mobile User to Office VPN

[Diagram: users at a Hotel, at Home and in a Small Office connecting to the office over a VPN]

(7)

Office to Office VPN

[Diagram: Branch Office and Supplier/Partner sites connected to the office over a VPN]

(8)

How It Works: Packet Transforms (sending side)

[Diagram: hosts 10.1.1.1 and 172.168.1.1 behind VPN gateways 128.1.1.1 and 204.1.1.1, connected across the Internet]

1. Original Packet: “Hello, Bob”, To: 172.168.1.1 From: 10.1.11.1
2. Authentication: a 128-bit MD-5 checksum is appended to the packet
   To: 10.1.1.1 From: 172.168.1.1, “Hello, Bob”, Checksum: 54321
3. Encryption: DES or 3-DES, Key: 10101
   Encryption Header, To: 10.1.1.1 From: 172.168.1.1, MD-5 Checksum, “Hello, Bob” (now ciphertext)
4. New IP Header (Encapsulation): To: 204.1.1.1 From: 128.1.1.1, Encryption Header, @#$%)*@#$%)*%^%&^_(#@(

(9)

How It Works: Packet Transforms (receiving side)

[Diagram: the same hosts 10.1.1.1 and 172.168.1.1 and gateways 128.1.1.1 and 204.1.1.1 across the Internet]

1. Encapsulated packet arrives: Encryption Header, To: 204.1.1.1 From: 128.1.1.1, @#$%)*@#$%)*%^%&^_(#@(
2. Decapsulate: the outer IP header is removed, leaving the Encryption Header and ciphertext
3. Decrypt: Key: 1010101, revealing To: 10.1.1.1 From: 172.168.1.1, MD-5 Checksum, “Hello, Bob”
4. Re-Checksum: the checksum is recomputed and compared, Checksum: 54321
5. Original Packet: “Hello, Bob”, To: 10.1.1.1 From: 172.168.1.1
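The two packet-transform slides above (authenticate, encrypt, encapsulate on one side; decapsulate, decrypt, re-checksum on the other) modelled in Python. This is an added example, not code from the deck or from Axent; the text-form headers, the HMAC-SHA256 keystream standing in for DES/3-DES (the Python standard library has no DES), and the key and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for the slide's DES / 3-DES step: a CTR-style keystream
    # derived with HMAC-SHA256 over nonce || block counter.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    # Constructed text form of the inner "To: ... From: ..." header plus payload.
    return f"To: {dst} From: {src}\n".encode() + payload

def encapsulate(inner: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    # Authentication: 128-bit MD-5 checksum over the original packet, as on the slide.
    # An unkeyed digest is protected only by the encryption around it; IPsec uses keyed HMACs.
    authed = inner + hashlib.md5(inner).digest()
    # Encryption: inner header, payload and checksum all become ciphertext.
    # The "Encryption Header" here carries the per-packet nonce.
    nonce = os.urandom(8)
    ciphertext = xor_bytes(authed, keystream(key, nonce, len(authed)))
    # New IP Header (encapsulation): only the gateway addresses travel in the clear.
    outer = f"To: {gw_dst} From: {gw_src}\n".encode()
    return outer + nonce + ciphertext

def decapsulate(packet: bytes, key: bytes) -> Optional[bytes]:
    # Decapsulate: drop the outer header (ends at the first newline), then read the nonce.
    body = packet[packet.index(b"\n") + 1:]
    nonce, ciphertext = body[:8], body[8:]
    # Decrypt with the same keystream.
    authed = xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))
    inner, checksum = authed[:-16], authed[-16:]
    # Re-Checksum: recompute MD-5 and compare; a mismatch means the packet was altered in transit.
    if not hmac.compare_digest(hashlib.md5(inner).digest(), checksum):
        return None
    return inner

def tampered_in_transit(packet: bytes, offset: int) -> bytes:
    # Flip one byte of the packet to simulate modification on the Internet.
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)
```

Flipping any ciphertext byte, or decrypting with the wrong key, makes the re-checksum fail and the packet is dropped rather than delivered.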

(10)

Products

• Virtual Private Networks
  - Encryption of Internet packets between two systems/sites
  - Huge cost savings and convenience
• Firewalls
  - Perimeter security of the internal network from the Internet

(11)

Firewalls: Architecture: System

[Diagram: Internet, Router, Firewall Gateway, DMZ with Web Server, Subnet Firewall and internal Computer, all speaking TCP/IP]

(12)

Architecture: Firewall Types

Application Level Firewall
• Per session processing
• Protection against application level attacks
• EASY to manage
• Never routes packets - prone to “fail-safe”

Stateful Packet Filter
• Per packet processing - CPU intensive
• No protection against application level attacks
• VERY hard to manage - security holes appear due to mis-management

(13)

Raptor Architecture: Firewall Internals

[Diagram: Host IN (10.1.1.1) with Hardware / Network Interface / IP / TCP / Email, the Raptor firewall with Hardware / Network Interface / IP / TCP / SMTP proxy / gwcontrol, and Host OUT (204.3.2.1) with Hardware / Network Interface / IP / TCP / Mail Server]

Separation and Examination

(14)

What Can a Firewall NOT Do?

• Prevent session hijacking
  - Wait until a session is established through the firewall
• Prevent snooping of network data
  - Data is not encrypted
• Prevent modification of network data
  - Data is not checksummed
• Prevent re-routing of network data
  - Firewall cannot establish fixed routes
• Prevent spoofing of network messages

(15)

Firewalls: Raptor Firewall

• Strengths/Uniqueness
  - Part of larger family of AXENT Security products
  - 3rd generation application proxies
    · High degree of security intelligence
    · Enterprise features
    · High performance
  - Automatic System Hardening
    · At installation
    · Continuous thereafter
  - “Best Fit” Rule Ordering
  - 1st call customer support

(16)

Raptor Firewall

• Authorization (Access Control)
  - IP addresses, Services, Time, Users
  - URL Filtering
  - Application Level Controls and Attack Filtering
    · Telnet, FTP, HTTP, SMTP, SQL*NET, CIFS, NNTP, NTP, RealAudio
• Authentication
  - Strong - S/Key, ACE, CryptoCard, Defender
  - Weak - Gateway, NT Domain, Radius, TACACS+
• Logging
  - Passive security management
  - Non-repudiation
• Notification
  - Email, Beeper, SNMP, Audible, Custom Script
• Enterprise Features
  - High Availability (Qualix and Veritas support)
  - Transparency
  - Load Balancing of Servers

(17)

Raptor Firewall

[Diagram: platforms Windows NT - Intel, Sun Solaris - UltraSPARC, HP/UX - PA-RISC; layers TCP/IP / VPN / Packet Filtering and Access Control / Logging / Management; proxies for TELNET, FTP, HTTP, GOPHER, SMTP, RealAudio, a Generic Proxy and Future Proxies]

Vulture - Continuous System Hardening and

(18)

Raptor Remote Firewall

[Diagram: Raptor Enterprise firewall and Raptor Remote firewall connected by a Firewall to Firewall VPN]

The Raptor Enterprise GUI is used to configure the remote gateway. Firewall to Firewall VPN capability. Use the Internet as a “cheap” private leased line.

(19)

Raptor Mobile

[Diagram: mobile client on Dial up (PPP), ISDN, or LAN sending Encrypted IP Datagrams across the Internet, through a Router, to the Raptor Firewall]

• Network Level Encryption
• Smart Tunneling
• Various forms of authentication

(20)

Q & A
