Secure your information efficiently
SECURITY: FIREWALL & VPN CLIENTS
Trends – Features – Products and Solutions
The driving force for information security
• High degree of computerization.
• Heterogeneous computing environments: more exploits exposed (about 20 to 40 new vulnerabilities per month).
• Internet connectivity.
• Easy-to-use, automated tools for launching attacks and probing.
The importance and risk of
information security
• Different kinds of attacks lead to the loss of:
– Money
– Time
– Productivity
– Reputation
– Sensitive information
– And more…
The growth and trend in
Network security market
“Appliances in the middle price-bands ($1,500 to $10,000) and application security gateways drive growth in 2004 and beyond because of large site-to-site and broadband VPN deployments, upgrades of firewalls to the latest technology, and SSL VPN deployments for the next generation of enterprise remote access.”
Revenue from VPN and firewall appliances makes up the majority of worldwide VPN and firewall hardware and software revenue, while total software revenue and application security gateway revenue make up a smaller portion.
Source: Infonetics Research
The purposes for information security
Three Main Purposes: C.I.A.
• Confidentiality: prevent intentional or unintentional unauthorized access to information.
• Integrity: prevent modification of information by unauthorized parties, and prevent illegitimate modification by authorized users.
• Availability: keep information available for access at the right time by the right person.
Business Spending Priority
• 76% rate security as a moderate to high spending priority
• 67% rate application/database development as a moderate to high spending priority
• 55% rate storage as a moderate to high spending priority
• Bandwidth is not the issue
• Distance is not the problem
• More and more applications are running over the Internet, which consists of a wide variety of network devices, and security is always the concern
• Network security is the key issue
What firewall is and types of
firewall
• Firewall: “A fireproof wall used as a barrier to prevent the spread of a fire.” – American Heritage Dictionary
• A network firewall is located at the point between protected networks and the Internet, functioning as a device for access control.
[Figure: a gateway sits between the Internet and the protected network. Network Protection Addresses a Range of Pressing Problems: intrusions; viruses and worms; inappropriate use (sites such as www.sex.com, www.free.com, www.game.com); malicious email; Internet hackers; anything that threatens network security or productivity.]
Packet Filtering Firewall
• Access Control List (ACL)
– Source/destination IP address
– Protocol number (TCP, UDP)
– Source/destination port
– ACL entries are evaluated in sequential order: the first matching entry decides, so a broad permit placed before a specific deny silently shadows it
• Provided by most routers
• Usually does not log or monitor the traffic passing through the firewall
Application Proxy Firewall
• Uses a proxy program to act on behalf of applications
• Network traffic is directed to the proxy program, which acts as the agent for communication between internal application services and external services
• The proxy program performs the action (permit or deny) based on the policies set by users
• Each application needs its own distinct proxy program
• It operates at Layer 7 of the OSI model, so processing is much slower
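As an added illustration of the Layer 7 decision described above (example code written for this page, not D-Link firmware): the proxy parses the client's HTTP request with Go's standard net/http parser and applies a policy on the method and destination host. A packet filter would only see "TCP to port 80"; the proxy sees the method, the host and the path. The policy entries and request bytes are constructed for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Policy is what the proxy enforces at Layer 7: which request methods and
// which destination hosts are acceptable. Entries are constructed examples.
type Policy struct {
	AllowedMethods map[string]bool
	BlockedHosts   map[string]bool
}

// Decision carries the verdict and a reason suitable for the proxy's log.
type Decision struct {
	Permit bool
	Reason string
}

// Inspect parses the raw bytes a client sent to the proxy and applies the
// policy. Anything the parser rejects is denied rather than forwarded blind.
func Inspect(pol Policy, raw []byte) Decision {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return Decision{false, "malformed request: " + err.Error()}
	}
	if !pol.AllowedMethods[req.Method] {
		return Decision{false, "method not allowed: " + req.Method}
	}
	// req.Host comes from the absolute URI (proxy style) or the Host header.
	host := strings.ToLower(req.Host)
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i] // drop an explicit port such as :443 on CONNECT
	}
	if host == "" {
		return Decision{false, "missing Host"}
	}
	if pol.BlockedHosts[host] {
		return Decision{false, "host blocked by content policy: " + host}
	}
	return Decision{true, "allowed " + req.Method + " " + host + req.URL.Path}
}

func main() {
	pol := Policy{
		AllowedMethods: map[string]bool{"GET": true, "POST": true, "CONNECT": true},
		BlockedHosts:   map[string]bool{"www.game.com": true, "www.sex.com": true},
	}
	// Constructed requests: one acceptable, one to a blocked site, one with a
	// disallowed method. All three would look identical to a port-80 ACL.
	for _, raw := range []string{
		"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
		"GET http://www.game.com/ HTTP/1.1\r\nHost: www.game.com\r\n\r\n",
		"DELETE /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
	} {
		d := Inspect(pol, []byte(raw))
		fmt.Printf("permit=%v %s\n", d.Permit, d.Reason)
	}
}
```

The policy here is deliberately an allow-list for methods and a block-list for hosts; a real content filter would also look at the path, response MIME type and so on, which is exactly the work that makes a proxy slower than a packet filter.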
Stateful Inspection Firewall
• Inspects the contents of packets based on the rules set by users and performs the action (forward or drop) on the packet
• Keeps the session information of each IP communication
– After inspecting a new connection, the session information is stored in the session state table
– Each incoming packet is inspected against the session information stored in the state table. If it is not the corresponding response to a previous IP connection, the session is not established
– Processes faster than a packet filter firewall does
– Processes faster than an application proxy, but cannot provide the security level that an application proxy can
What Firewalls Don’t Prevent
• Physical problems
– Loss of power
– Theft or malicious physical damage
• Social engineering
– The ability to trick inside people into giving up user names and passwords or the like
• Viruses
– Are embedded in valid datagrams, so firewalls will let them pass
– DMZ servers with virus checking could be used here to help solve this problem
• Disgruntled employees who have access through the firewall
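The following added example (illustrative code written for this page, not the DFL firmware) covers both the Packet Filtering Firewall and the Stateful Inspection Firewall sections above. FilterACL is the router-style packet filter: rules in sequential order, first match wins, implicit deny. Stateful wraps the same ACL with a session state table: a packet belonging to a recorded session is forwarded in either direction without consulting the ACL, and for TCP only a bare SYN may open a new session. Addresses, ports and rules are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is a simplified 5-tuple plus the two TCP flags the firewall cares about.
type Packet struct {
	Src, Dst         net.IP
	Proto            string // "tcp" or "udp"
	SrcPort, DstPort int
	SYN, ACK         bool
}

// Rule is one ACL entry. A nil network, empty Proto or zero DstPort means "any".
type Rule struct {
	Src, Dst *net.IPNet
	Proto    string
	DstPort  int
	Permit   bool
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func (r Rule) matches(p Packet) bool {
	if r.Src != nil && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst != nil && !r.Dst.Contains(p.Dst) {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	return true
}

// FilterACL is the packet-filter decision: rules are consulted in order, the
// first match wins, and a packet matching no rule is implicitly denied.
func FilterACL(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return r.Permit
		}
	}
	return false
}

// flow identifies a session from the initiator's point of view.
type flow struct {
	proto        string
	src, dst     string
	sport, dport int
}

// reverse is the key a reply packet of the same session carries.
func (f flow) reverse() flow { return flow{f.proto, f.dst, f.src, f.dport, f.sport} }

func flowOf(p Packet) flow {
	return flow{p.Proto, p.Src.String(), p.Dst.String(), p.SrcPort, p.DstPort}
}

// Stateful is the ACL plus a session state table.
type Stateful struct {
	Rules []Rule
	state map[flow]bool
}

func NewStateful(rules []Rule) *Stateful { return &Stateful{Rules: rules, state: map[flow]bool{}} }

// Process reports whether the packet is forwarded. Packets of a recorded
// session pass in both directions; only a packet that may legitimately open
// a session (for TCP, a bare SYN) is checked against the ACL and recorded.
func (fw *Stateful) Process(p Packet) bool {
	f := flowOf(p)
	if fw.state[f] || fw.state[f.reverse()] {
		return true
	}
	if p.Proto == "tcp" && (!p.SYN || p.ACK) {
		return false // mid-stream TCP with no session, e.g. an ACK scan probe
	}
	if !FilterACL(fw.Rules, p) {
		return false
	}
	fw.state[f] = true
	return true
}

func (fw *Stateful) Sessions() int { return len(fw.state) }

func main() {
	fw := NewStateful([]Rule{{Src: cidr("192.168.1.0/24"), Proto: "tcp", DstPort: 80, Permit: true}})
	client, server := net.ParseIP("192.168.1.10"), net.ParseIP("203.0.113.5")
	syn := Packet{client, server, "tcp", 40000, 80, true, false}
	synack := Packet{server, client, "tcp", 80, 40000, true, true}
	stray := Packet{server, client, "tcp", 80, 40001, false, true}
	// The reply would be dropped by the plain ACL (no inbound permit) but
	// passes the stateful check; the stray ACK matches nothing and is dropped.
	fmt.Println(fw.Process(syn), fw.Process(synack), fw.Process(stray), FilterACL(fw.Rules, synack))
}
```

Two things the run shows: the SYN-ACK reply is forwarded only because of the state table, so a stateless filter would have to open inbound "port 80 to any LAN host" to get the same result; and an ACL with a broad permit ahead of a specific deny permits the traffic the deny was meant to stop.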
Many Conventional Products are Needed for a “Complete” Solution
• High equipment & software cost: $20K-$100K+
• Difficult to coordinate and integrate
• Significant IT staff requirements
• New attacks are a constant threat
[Figure: the threats (intrusions; viruses and worms; inappropriate use of sites such as www.sex.com, www.free.com, www.game.com; malicious email; Internet hackers) countered by a stack of separate products: firewall, VPN, IDS, content filtering server & software, email attachment filtering software, anti-virus software, anti-virus updates.]
D-Link offers a New Approach to Network Protection
[Figure: the same threats countered by one device: Complete Network Protection with the D-Link DFL Series.]
Firewall deployment topology
[Figure: Internet – router – two firewalls (HA, High Availability) – switch – LAN PCs, with the DMZ on its own switch; labelled SMB & Enterprise.]
• The deployment of two firewall devices provides a redundancy mechanism.
• The DMZ is used by servers that provide services to internal users and must also be reachable from the Internet, for example web servers, mail servers and authentication servers.
Executive Summary
Product Advantage
• Providing complete SOHO/SMB/Enterprise network security firewall solutions, D-Link has a competitive advantage in the market.
• Supporting NAT, firewall, content filtering, IDS protection & VPN, D-Link is a highly compatible security solution provider.
• D-Link intends to provide the most complete solutions and satisfy users’ alternative requirements.
Competitive Status
• D-Link meets major competitors in this field, such as Cisco,
Selling Points
DFL-200 / DFL-700 / DFL-1100
• Desktop and rack-mount form factors.
• Multi-function security appliance that meets enterprise requirements.
• Full firewall functions for easy network administration.
• High-performance IPSec VPN support.
• Web-based configuration interface for ease of use; supports SNMP management / monitoring.
• High performance with fault-tolerance support (DFL-1100 only).
Why choose DFL-200/700?
The DFL-200/700 are new security gateway appliances in desktop form factor.
Versatile security solution, including:
• “Stateful inspection” for packet filtering
• Office-to-office and mobile user VPNs
• User authentication
• Intrusion detection / prevention
• Content filtering
• Web-based management
• Bandwidth management (DFL-700 only)
D-Link firewalls are 100% ICSA (International Computer Security Association) compliant!
Why choose DFL-1100?
The DFL-1100 is a new security gateway appliance in rack-mount form factor.
Versatile security solution, including:
• “Stateful inspection” for packet filtering
• Office-to-office and mobile user VPNs
• Bandwidth management
• User authentication
• Intrusion detection / prevention
• Content filtering
• Web-based management
• HA (High Availability)
Where to use DFL-200/700/1100?
The DFL-200/700/1100 are highly suitable:
• as a security gateway for medium enterprises, where resilience and security in combination with a low total cost of ownership are key factors.
• as a VPN gateway at small to medium sized remote sites.
• as Customer Premise Equipment (CPE) in managed
PRODUCTS: D-Link Firewalls
DFL-200
• Desktop firewall
• Throughput: TBD
• Interfaces: WAN, 4 x LAN
• Target market: Consumer/SOHO
• Launch date: preliminary June 2004
DFL-700
• Desktop firewall
• 50 Mbps throughput
• 20 Mbps AES/3DES
• WAN, LAN, DMZ
• Target market: SOHO/SMB
• Launch date: available
DFL-1100
• 19” High Availability firewall
• 250 Mbps throughput
• ~60 Mbps AES/3DES
• WAN, LAN, DMZ, AUX/Sync
• Target market: Upper SMB/SME
• Launch date: June/July 2004
D-Link Firewall Web GUI for Easy Management
Firewall – Policy Traffic Shaping
• Limit – Limit works by limiting the inbound and outbound traffic to the specified speed. This is the maximum bandwidth that can be used by traffic matching this policy.
• Guarantee – By using Guarantee, you can give traffic matching a policy a minimum bandwidth. This only works if the traffic limits for the WAN interface are configured correctly: the shaper can only reserve bandwidth out of the capacity it believes the link has, so a WAN limit set above the real link speed makes every guarantee meaningless.
• Priority – Defines if the traffic should be considered
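As an added example of how the three shaping knobs interact (illustrative code written for this page, not the DFL implementation, whose scheduler is not described on the page): Allocate divides a configured WAN limit among policies by honouring guarantees first and handing the remainder to the highest-priority policies up to their limits, and TokenBucket is the usual way a per-policy Limit is enforced packet by packet. The policy names, rates and the misconfigured WAN limit are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Policy mirrors the shaping knobs of the web GUI: Limit is a ceiling,
// Guarantee a floor, Priority decides who gets leftover bandwidth. Rates are
// kbit/s; Demand is the load the policy's traffic currently offers.
type Policy struct {
	Name      string
	Limit     int // 0 means no ceiling
	Guarantee int
	Priority  int // higher is served first
	Demand    int
}

// wants is the most a policy can usefully receive: its demand capped by Limit.
func (p Policy) wants() int {
	if p.Limit > 0 && p.Demand > p.Limit {
		return p.Limit
	}
	return p.Demand
}

// Allocate shares wanLimit kbit/s among the policies: guarantees first, then
// the remainder to the highest-priority policies, each up to its ceiling.
func Allocate(wanLimit int, policies []Policy) map[string]int {
	alloc := make(map[string]int, len(policies))
	remaining := wanLimit
	for _, p := range policies {
		g := p.Guarantee
		if w := p.wants(); g > w {
			g = w // no point reserving more than the policy can use
		}
		if g > remaining {
			g = remaining
		}
		alloc[p.Name] = g
		remaining -= g
	}
	byPrio := append([]Policy(nil), policies...)
	sort.SliceStable(byPrio, func(i, j int) bool { return byPrio[i].Priority > byPrio[j].Priority })
	for _, p := range byPrio {
		extra := p.wants() - alloc[p.Name]
		if extra > remaining {
			extra = remaining
		}
		if extra > 0 {
			alloc[p.Name] += extra
			remaining -= extra
		}
	}
	return alloc
}

// Total sums an allocation so it can be compared with the real link speed.
func Total(alloc map[string]int) int {
	t := 0
	for _, v := range alloc {
		t += v
	}
	return t
}

// TokenBucket enforces a Limit per packet: tokens (bytes) accrue at rate up
// to burst, and a packet passes only if the bucket can pay for it. The clock
// is simulated so the example runs deterministically.
type TokenBucket struct {
	rate, burst, tokens float64
	last                time.Duration
}

func NewTokenBucket(rateBytesPerSec, burst float64) *TokenBucket {
	return &TokenBucket{rate: rateBytesPerSec, burst: burst, tokens: burst}
}

func (b *TokenBucket) Allow(size float64, now time.Duration) bool {
	b.tokens += b.rate * (now - b.last).Seconds()
	if b.tokens > b.burst {
		b.tokens = b.burst
	}
	b.last = now
	if b.tokens < size {
		return false
	}
	b.tokens -= size
	return true
}

func main() {
	policies := []Policy{
		{Name: "voip", Guarantee: 500, Priority: 3, Demand: 400},
		{Name: "web", Limit: 1000, Priority: 2, Demand: 1500},
		{Name: "p2p", Priority: 1, Demand: 5000},
	}
	fmt.Println(Allocate(2000, policies)) // map[p2p:600 voip:400 web:1000]
	// WAN limit set above the real 2000 kbit/s link: the shaper hands out
	// 6400 kbit/s, so the VoIP guarantee cannot actually be honoured.
	fmt.Println(Total(Allocate(10000, policies))) // 6400
}
```

The second call is the caveat from the Guarantee bullet in numbers: with the WAN limit misconfigured the allocation sums to more than the link carries, and the "guaranteed" VoIP traffic ends up competing with P2P on the real bottleneck.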
Firewall Redundancy Solution – DFL-1100
[Figure: primary and secondary DFL-1100 with alive monitoring between them, each connected through a switch to the Internet and to the intranet (High Availability).]
Key Features & Benefits – DFL-200
1. Security
• Proprietary OS: does not inherit the vulnerabilities of a general-purpose operating system
• Proven, industry-standard algorithms
• Deep inspection (IDS/IDP, content filtering) for advanced application-layer security
2. Performance
• High throughput
• 3,000 concurrent connections; 80 VPN tunnels
3. Versatile Security Product
• Integrated VPN (IPSec, L2TP, PPTP) and content filtering
• High-end features, including policy-based user authentication and intrusion prevention
4. Low total cost of ownership
• No time-consuming maintenance tasks
• All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore, etc.
Key Features & Benefits – DFL-700
1. Security
• Proprietary firmware: does not inherit the vulnerabilities of a general-purpose operating system
• Proven, industry-standard algorithms
• Deep inspection (IDS/IDP, content filtering) for advanced application-layer security
2. Performance
• High throughput
• 10,000 concurrent connections; 200 VPN tunnels
3. Versatile Security Product
• Integrated VPN (IPSec, L2TP, PPTP), bandwidth management and content filtering
• High-end features, including policy-based user authentication and intrusion prevention
4. Low total cost of ownership
• No time-consuming maintenance tasks
• All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore, etc.
Key Features & Benefits – DFL-1100
1. Security
• Proprietary OS: does not inherit the vulnerabilities of a general-purpose operating system
• Proven, industry-standard algorithms
• Deep inspection (IDS/IDP, content filtering) for advanced application-layer security
2. Performance
• High throughput
• 200,000 concurrent connections; 1,000 VPN tunnels
3. Versatile Security Product
• Integrated VPN (IPSec, L2TP, PPTP), bandwidth management and content filtering
• High-end features, including policy-based user authentication and intrusion prevention
4. Low total cost of ownership
• No time-consuming maintenance tasks
• All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore, etc.
5. High Availability
D-Link Firewall Applications
[Figure: headquarters/data center with a DFL-1100, a branch office with a DFL-700 and a remote office with a DFL-200 linked over the Internet, plus remote VPN clients running DS-601/605.]
VPN Client DS-601/605
• Gateway failover ensures a reliable connection.
• Extensible Authentication Protocol (EAP) for secure user authentication.
• IPSec with DES, 3DES & AES encryption to ensure data confidentiality. (DES, 3DES and AES are ciphers; packet authentication in IPSec comes from the separate integrity check of AH or ESP, not from the cipher.)
• Dead Peer Detection (DPD) for easy configuration of tunnel failover on the user side.
• Dynamic Domain Name Service (DDNS) support for one-click connection.
Why choose DS-601/605?
• Based on the IETF-specified IPSec standards, conforming to industry standards.
• Full support for gateway failover, EAP, DES/3DES & AES encryption, DPD and DDNS functions for easy VPN remote access.
• Supports NAT and transparent mode for easy communication between client and gateway.
• Approved and tested with the whole series of D-Link NetDefend firewalls and the 804HV, DI-808HV and DI-824VUP, ensuring users a seamless connection environment.
What is VPN?
• VPN stands for Virtual Private Network
• Virtual
– No physical circuit; it is a logical existence within the public network
• Private
– The communication between two or more network devices is confidential. Neither can information be gleaned by third parties outside the communication group, nor can the identities/relationships within the group be known by outsiders.
• Network
– A system made up of a number of devices that can communicate with each other in some way, thus sharing information.
What is VPN?
• A private network that is configured within a public network. Common carriers have built VPNs that appear as private national or international networks to the customer, but physically share backbone trunks with other customers.
• VPNs enjoy the security of a private network via access control and encryption, while taking advantage of the economies of scale and built-in management facilities of large public networks.
• VPNs have been built over public networks such as
– X.25
– Frame Relay (FR)
– Asynchronous Transfer Mode (ATM)
Types of VPN
• Site-to-site VPN
– Builds a VPN tunnel between two VPN gateways
– Suitable for serving the users on the networks behind each gateway
– Integrated into firewalls, such as the D-Link firewall
• Client-to-site VPN
– Builds a VPN tunnel between a VPN gateway and a remote user
– For telecommuters and mobile users to reach the corporate network across the Internet
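As an added example of the "virtual" and "private" properties of a site-to-site tunnel (illustrative code written for this page, not the DFL or DS-601/605 implementation): two gateways share an SPI and a key, the sending gateway wraps an inner packet in an ESP-like record (SPI, sequence number, nonce, AES-GCM ciphertext with the header as associated data), and the receiving gateway checks the SPI, rejects replays and refuses anything whose authentication tag does not verify. Real IPSec negotiates the SPI and key through IKE and uses a sliding replay window; here the key is pre-shared and the replay check is strictly monotonic, both assumptions of the example, as are the SPI value, the key bytes and the inner packet.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	hdrLen   = 8  // SPI (4 bytes) + sequence number (4 bytes), as in an ESP header
	nonceLen = 12 // AES-GCM nonce
)

// Gateway is one end of a site-to-site tunnel.
type Gateway struct {
	spi   uint32
	aead  cipher.AEAD
	txSeq uint32 // last sequence number sent
	rxSeq uint32 // highest sequence number accepted so far
}

func NewGateway(spi uint32, key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{spi: spi, aead: aead}, nil
}

// Encapsulate turns an inner packet (on a real gateway, a private-address IP
// datagram) into a tunnel packet: SPI || seq || nonce || AES-GCM(inner).
// The header is authenticated as associated data, so neither the SPI nor the
// sequence number can be altered in transit without detection.
func (g *Gateway) Encapsulate(inner []byte) ([]byte, error) {
	g.txSeq++
	out := make([]byte, hdrLen+nonceLen, hdrLen+nonceLen+len(inner)+g.aead.Overhead())
	binary.BigEndian.PutUint32(out[0:4], g.spi)
	binary.BigEndian.PutUint32(out[4:8], g.txSeq)
	if _, err := rand.Read(out[hdrLen:]); err != nil {
		return nil, err
	}
	hdr, nonce := out[:hdrLen], out[hdrLen:hdrLen+nonceLen]
	return g.aead.Seal(out, nonce, inner, hdr), nil
}

// Decapsulate checks the SPI, rejects a sequence number not above the last
// accepted one (replay), then authenticates and decrypts. Replay state is
// updated only after the tag verifies, so a forged high sequence number
// cannot be used to lock out genuine packets.
func (g *Gateway) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+nonceLen+g.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr, nonce, ct := pkt[:hdrLen], pkt[hdrLen:hdrLen+nonceLen], pkt[hdrLen+nonceLen:]
	if binary.BigEndian.Uint32(hdr[0:4]) != g.spi {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(hdr[4:8])
	if seq <= g.rxSeq {
		return nil, errors.New("replayed packet")
	}
	inner, err := g.aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	g.rxSeq = seq
	return inner, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed pre-shared key
	hq, _ := NewGateway(0x1001, key)
	branch, _ := NewGateway(0x1001, key)
	inner := []byte("constructed inner packet: 10.0.1.5 -> 10.0.2.9 GET /intranet")

	pkt, _ := hq.Encapsulate(inner)
	got, err := branch.Decapsulate(pkt)
	fmt.Printf("%q %v\n", got, err) // the inner packet, <nil>
	_, err = branch.Decapsulate(pkt) // the same packet captured and resent
	fmt.Println(err)                 // replayed packet
	pkt2, _ := hq.Encapsulate(inner)
	pkt2[len(pkt2)-1] ^= 1 // one bit flipped on the wire
	_, err = branch.Decapsulate(pkt2)
	fmt.Println(err) // authentication failed
}
```

An observer on the public network sees only the SPI, a counter and random-looking bytes, which is the "private" property from the definition above; the tunnel itself is the "virtual" circuit, carried over whatever path the Internet provides.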
VPN Feature Comparison
Feature                          | IPSec                                                    | L2TP                                                           | PPTP
Encapsulated protocols           | IP                                                       | IP, IPX, AppleTalk, etc.                                       | IP, IPX, AppleTalk, etc.
OSI layer                        | Layer 3                                                  | Layer 2                                                        | Layer 2
Purpose                          | Intranets, extranets, remote access via tunneling        | Remote access via tunneling                                    | Remote access via tunneling
Mode                             | Host-to-host                                             | Client-server                                                  | Client-server
Tunnel service                   | Multi-point tunnels; simultaneous VPN and public access  | Single point-to-point tunnel, no simultaneous Internet access  | Single point-to-point tunnel, no simultaneous Internet access
Security: key management         | ISAKMP/Oakley, SKIP                                      | None (3)                                                       | None (1)
Security: packet encryption      | ESP header                                               | None (3)                                                       | None (2)
Security: packet authentication  | AH header                                                | None (3)                                                       | None (1)
Security: user authentication    | None (user PAP, CHAP, etc.)                              | None (user PAP, CHAP, etc.)                                    | None (user PAP, CHAP, etc.)
Notes: (1) Not in the standard, not offered. (2) Vendor-specific implementation only. (3) Refers to IPSec for the implementation.
PRODUCTS: DFL-Family
                               | D-Link DFL-200                              | D-Link DFL-700              | D-Link DFL-1100
Throughput                     | 20 Mbps                                     | 50 Mbps                     | 250 Mbps
VPN throughput                 | 10 Mbps                                     | 20 Mbps                     | ~70 Mbps
Connections                    | 3,000                                       | 10,000                      | 200,000
VPN tunnels                    | 50                                          | 200                         | 1,000
Number of users                | Unlimited                                   | Unlimited                   | Unlimited
Ethernet interfaces            | 4 x 10/100 + 4-port switch (WAN, DMZ, LAN)  | 3 x 10/100 (WAN, LAN, DMZ)  | 4 x 10/100 (WAN, LAN, DMZ, AUX/Sync)
IDS/IDP                        | Partial                                     | Yes                         | Yes
Content filtering              | Yes/No                                      | Yes                         | Yes
Traffic shaping                | No                                          | Yes                         | Yes
Policies                       | 200                                         | 1,000                       | 2,000
High Availability              | No                                          | No                          | Yes
User authentication, max users | 100                                         | 500                         | 1,500
Policy-based routing           | No                                          | No                          | Yes
Virtual LANs                   | N/A                                         | N/A                         | 16
Comparison Chart – DFL-200
                      | D-Link DFL-200                            | Cisco PIX-501         | NetScreen 5GT    | SonicWall SOHO3          | Zyxel ZyWALL 30W
MSRP                  | US$ 300~400                               | US$ 446*              | US$ 415.99*      | US$ 445*                 | US$ 365
Interface             | 1 x WAN 10/100, 1 x DMZ, 4 x LAN 10/100   | 4 x 10/100BaseTX      | 5 x 10 Ethernet  | 1 x WAN, 1 x LAN 10/100  | 1 x WAN, 1 x LAN 10BaseT, 1 x WLAN (upgrade)
User license          | Unlimited                                 | 10 / 50 / Unlimited   | 10 / Unlimited   | 10 / 50                  | N/A
Main Specification
Firewall performance  | 75 Mbps                                   | 10 Mbps               | 75 Mbps          | 75 Mbps                  | 25 Mbps
Concurrent sessions   | 3,000                                     | 3,500                 | 2,000            | 3,000                    | N/A
New sessions/second   | 3,000                                     | N/A                   | 2,000            | N/A                      | N/A
Built-in DES/3DES     | Yes                                       | License required      | Yes              | License required         | Yes
3DES throughput       | 15 Mbps                                   | 3 Mbps                | 20 Mbps          | 20 Mbps                  | 15 Mbps
Dedicated VPN tunnels | 80                                        | 5                     | 10               | 10                       | 30
NAT traversal         | Yes                                       | No                    | Yes              | Yes                      | Yes
Policies              | 500                                       | N/A                   | 100              | 100                      | N/A
Schedule              | Yes (256)                                 | N/A                   | Yes (256)        | Yes                      | Yes
Remark: * 10-user license only.
* Price source: www.pricewatch.com & www.cnet.com (July 2004). The final selling price should be decided by yourself for each territory.
Comparison Chart – DFL-700
                     | D-Link DFL-700                    | Cisco PIX-506E     | NetScreen 25     | SonicWall PRO 100                 | Zyxel ZyWALL 100
MSRP                 | US$ 548~708*                      | US$ 890            | US$ 3242         | US$ 1400                          | US$ 950
Interface            | 1 x WAN, 1 x DMZ, 1 x LAN 10/100  | 2 x 10/100BaseTX   | 4 x 10 Ethernet  | 1 x WAN, 1 x DMZ, 1 x LAN 10/100  | 1 x WAN, 1 x LAN 10/100
User license         | Unlimited                         | Unlimited          | Unlimited        | Unlimited                         | N/A
Main Specification
Throughput           | 50 Mbps                           | 100 Mbps           | 100 Mbps         | 75 Mbps                           | 32 Mbps
VPN throughput       | 20 Mbps                           | 17 Mbps            | 20 Mbps          | 20 Mbps                           | 16 Mbps
Concurrent sessions  | 10,000                            | 25,000             | 2,000            | 3,000                             | N/A
IDP                  | Yes                               | Yes                | No               | No                                | No
Content filtering    | Yes                               | Yes                | No               | Yes                               | Yes
VPN tunnels          | 200                               | 25                 | 25 / 100         | 50                                | 100
Traffic shaping      | Yes                               | No                 | Yes              | No                                | Yes
Remark: * The price interval is from UK websites, ZDNet & Kelkoo.co.uk.
Comparison Chart – DFL-1100
                      | D-Link DFL-1100                                         | Cisco PIX-515E     | NetScreen 50       | SonicWall PRO 300
MSRP                  | US$ 2268~2546*                                          | US$ 2068           | US$ 6500           | US$ 2092
Interface             | 1 x WAN 10/100, 1 x DMZ, 1 x LAN, 1 x Sync port, 10/100 | 2 x 10/100BaseTX   | 4 x 10/100BaseTX   | 3 x 10/100BaseTX
Main Specification
Firewall performance  | 250 Mbps                                                | 188 Mbps           | 170 Mbps           | 190 Mbps
Concurrent sessions   | 200,000                                                 | 125,000            | 32,000             | 128,000
New sessions/second   | 8,000                                                   | N/A                | 7,000              | N/A
Built-in DES/3DES     | Yes                                                     | License required   | Yes                | Yes
3DES throughput       | 34 Mbps                                                 | 63 Mbps            | 50 Mbps            | 45 Mbps
AES                   | 84 Mbps                                                 | No                 | Yes                | No
Dedicated VPN tunnels | 1,000                                                   | 2,000              | 100                | 1,000
NAT traversal         | Yes                                                     | No                 | Yes                | Yes
Policies              | 2,000                                                   | N/A                | 1,000              | 200
Remark: * The price interval was retrieved from the UK website www.dealtime.co.uk.