Academic year: 2021

(1)

Secure your Information efficiently

SECURITY: FIREWALL & VPN CLIENTS

Trends – Features – Products and Solutions

(2)

The driving forces for information security

High degree of computerization.

Heterogeneous computing environment: more exploits exposed (about 20 to 40 new vulnerabilities per month).

Internet connectivity.

Easy-to-use and automated tools to launch attacks and probing.

(3)

The importance and risk of information security

Different kinds of attacks lead you to lose:

Money

Time

Productivity

Reputation

Sensitive Information

And more…

(4)

The growth and trend in the network security market

“Appliances in the middle price-bands ($1,500 to $10,000) and application security gateways drive growth in 2004 and beyond because of large site-to-site and broadband VPN deployments, upgrades of firewalls to the latest technology, and SSL VPN deployments for the next generation of enterprise remote access.”

Revenue from VPN and firewall appliances makes up the majority of worldwide VPN and firewall hardware and software revenue, while total software revenue and application security gateway revenue make up a smaller portion.

Source: Infonetics Research

(5)

The purposes of information security

Three Main Purposes: C.I.A.

Confidentiality

• Prevent intentional or unintentional unauthorized access to information

Integrity

• Prevent modification through unauthorized access

• Prevent illegal modification by authorized users

Availability

• Maintain the availability of information for access at the right time for the right person

(6)

Business Spending Priority

76% rate security as a moderate to high spending priority

67% rate application/database development as a moderate to high spending priority

55% rate storage as a moderate to high spending priority

Bandwidth is not the issue

Distance is not the problem

More and more applications are running through the Internet, which consists of a wide variety of network devices, and security is always the concern

Network security is the key issue

(7)

What a firewall is and types of firewall

Firewall:

A fireproof wall used as a barrier to prevent the spread of a fire. (American Heritage Dictionary)

Gateway: located at the point between protected networks and the Internet, functioning as a device for access control.

(8)

Network Protection Addresses a Range of Pressing Problems

[Diagram: threats arriving from the Internet, including intrusions, viruses and worms, inappropriate use (access to unwanted web sites), malicious email and hackers]

Anything that threatens network security or productivity

(9)

Packet Filtering Firewall

Access Control List (ACL):

Source/Destination IP

Protocol Number (TCP, UDP)

Source/Destination Port

ACL entries are evaluated in sequential order

Provided by most routers

Does not log/monitor the network traffic passing through the firewall

(10)

Application Proxy Firewall

Uses a proxy program to act on behalf of applications

Network traffic is directed to the proxy program, which acts as the agent for communication between internal application services and external services

The proxy program performs the action (permit or deny) based on the policies set by users

Each application has its own distinctive proxy program

It operates at Layer 7 of the OSI model, and thus the processing speed is much slower

(11)

Stateful Inspection Firewall

Inspects the contents of packets based on the rules set by users and performs the action (forward or drop) on the packet

Keeps the session information of the IP communication carried in the packet

After a new connection session is inspected, its session information is stored in the session state table

Each incoming packet is inspected against the session information stored in the state table. If it is not the corresponding response to a previous IP connection, the session is not established.

Processes faster than a packet-filter firewall does

Processing speed is faster than an application proxy, but it cannot provide the security level that an application proxy can
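As an added example that is not part of the original deck, the following Python sketch shows the difference between a packet filter's sequentially evaluated ACL and a stateful inspection session table: an inbound packet is forwarded only when it is the corresponding response to a connection already recorded in the state table. The Packet class, ACL rules and addresses are constructed for illustration and are not taken from any D-Link product.

```python
# Added example (not from the D-Link deck): a packet-filter ACL evaluated in sequential
# order, plus a stateful inspection layer with a session state table. Data is constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# ACL entries: (action, source network, destination network, destination port).
# None is a wildcard. Rules are tried top to bottom and the first match decides;
# the last entry is the catch-all deny.
ACL = [
    ("permit", "10.0.0.0/8", None, 80),  # internal hosts may reach HTTP servers
    ("deny", None, None, None),          # everything else is denied
]

def acl_decision(pkt: Packet) -> str:
    """Evaluate the ACL in sequential order; return 'permit' or 'deny'."""
    for action, src_net, dst_net, dport in ACL:
        if src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src_net):
            continue
        if dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst_net):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"

# A pure packet filter would need a broad "permit inbound from port 80 to any high
# port" rule to let replies back in, which also admits unsolicited packets; the state
# table replaces it: inbound traffic is forwarded only if it mirrors a permitted session.
class StatefulFirewall:
    def __init__(self) -> None:
        # session state table keyed by the outbound (src, sport, dst, dport)
        self.sessions: set[tuple[str, int, str, int]] = set()

    def inspect(self, pkt: Packet, direction: str) -> str:
        if direction == "out":
            if acl_decision(pkt) != "permit":
                return "drop"
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        # Inbound: the reply to (src, sport, dst, dport) arrives as (dst, dport, src, sport).
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "forward"
        return "drop"  # no corresponding session: unsolicited inbound traffic

def demo() -> list[str]:
    fw = StatefulFirewall()  # constructed traffic: a request, its reply, and two rejects
    return [
        fw.inspect(Packet("10.1.2.3", 40000, "203.0.113.5", 80), "out"),  # forward
        fw.inspect(Packet("203.0.113.5", 80, "10.1.2.3", 40000), "in"),   # forward: reply
        fw.inspect(Packet("203.0.113.5", 80, "10.1.2.3", 40001), "in"),   # drop: no session
        fw.inspect(Packet("10.1.2.3", 40002, "203.0.113.5", 23), "out"),  # drop: ACL denies
    ]
```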

(12)

What Firewalls Don’t Prevent

Physical problems

loss of power

theft or malicious physical damage

Social engineering

the ability to trick inside people into giving up user names and passwords or something of the like

Viruses

are embedded in valid datagrams, so firewalls will let them pass

a DMZ server with virus checking could be used here to help solve this problem

Disgruntled employees who have access through the firewall

(13)

Many Conventional Products are Needed for a “Complete” Solution

• High Equipment & Software Cost: $20K-$100K+

• Difficult to coordinate and integrate

• Significant IT staff requirements

• New attacks are a constant threat

[Diagram: the threats from the earlier slide (intrusions, viruses and worms, inappropriate use, malicious email, hackers), each countered by a separate product: Firewall, VPN, IDS, Content Filtering Server & Software, Email Attachment Filtering Software, Anti-Virus Software, Anti-Virus Update]


(14)

D-Link offers a New Approach to Network Protection

[Diagram: the same threats (intrusions, viruses and worms, inappropriate use, malicious email, hackers) handled by a single device]

Complete Network Protection

D-Link DFL Series

(15)

Firewall deployment topology

[Diagram: SMB & Enterprise topology with Internet, router, two firewalls in HA (High Availability), switches, LAN PCs and a DMZ]

The deployment of two firewall devices provides a redundancy mechanism (HA, High Availability).

The DMZ is used by servers that provide services to internal users, for example a web server, mail server and authentication servers.

(16)

Executive Summary

Product Advantage

• Providing complete SOHO/SMB/Enterprise network security firewall solutions, D-Link has a competitive advantage in the market.

• Supporting NAT, firewall, content filtering, IDS protection & VPN, D-Link is a highly compatible security solution provider.

• D-Link intends to provide the most complete solutions and satisfy users' alternative requirements.

Competitive Status

• D-Link meets major competitors in this field, such as Cisco,

(17)

Selling Points

DFL-200 / DFL-700 / DFL-1100

Providing desktop and rack-mount form factors.

Multi-function security application that meets enterprise requirements.

Full firewall functions for easy network administration.

High-performance VPN with IPSec support.

Web-based configuration interface for ease of use. Supports SNMP management / monitoring.

High performance with fault tolerance support (DFL-1100 only).

(18)

Why choose DFL-200/700?

The DFL-200/700 are new security gateway appliances in desktop form factor.

Versatile security solution, including:

• "Stateful inspection" for packet filtering

• Office-to-Office and mobile user VPNs

• User Authentication

• Intrusion Detection / Prevention

• Content Filtering

• Web-based management

• Bandwidth management (DFL-700 only)

D-Link Firewalls are 100% ICSA compliant!! (International Computer Security Association)

(19)

Why choose DFL-1100?

The DFL-1100 is a new security gateway appliance in rack-mount form factor.

Versatile security solution, including:

• “Stateful inspection” for packet filtering

• Office-to-Office and Mobile User VPNs

• Bandwidth Management

• User Authentication

• Intrusion Detection / Prevention

• Content Filtering

• Web-based management

• HA (High Availability)

(20)

Where to use DFL-200/700/1100?

The DFL-200/700/1100 are highly suitable:

• as Security Gateway for medium enterprises, where resilience and security in combination with a low total cost of ownership are key factors.

• as VPN Gateway at small to medium sized remote sites.

• as Customer Premise Equipment (CPE) in managed

(21)

PRODUCTS: D-Link Firewalls

DFL-200

• Desktop Firewall

• Throughput: TBD

• Interfaces: WAN, 4 x LAN

• Target Market: Consumer/SoHo

• Launch date: prel. June 2004

DFL-700

• Desktop Firewall

• 50 Mbps throughput

• 20 Mbps AES/3DES

• WAN, LAN, DMZ

• Target Market: SoHO/SMB

• Launch date: available

DFL-1100

• 19” High Availability Firewall

• 250 Mbps throughput

• ~60 Mbps AES/3DES

• WAN, LAN, DMZ, AUX/Sync

• Target Market: Upper SMB/SME

• Launch date: June/July 2004

(22)

D-Link Firewall Web GUI for Easy Management

(23)

Firewall – Policy Traffic Shaping

Limit – Limit works by limiting the inbound and outbound traffic to the specified speed. This is the maximum bandwidth that can be used by traffic using this policy.

Guarantee – By using Guarantee, you can give traffic using a policy a minimum bandwidth; this will only work if the traffic limits for the WAN interface are configured correctly.

Priority – Defines if the traffic should be considered

(24)

Firewall Redundancy Solution – DFL-1100

[Diagram: primary and secondary DFL-1100 with alive monitoring between them (High Availability), connected through switches to the Intranet]

(25)

Key Features & Benefits – DFL-200

1. Security

2. Performance

3. Versatile Security Product

4. Low total cost of ownership

• Proprietary OS - no inherited vulnerabilities

• Proven, industry-standard algorithms

• Deep Inspection (IDS/IDP, Content Filtering) for advanced application layer security

• High throughput

• 3,000 concurrent connections

• 80 VPN tunnels

• Integrated VPN (IPSec, L2TP, PPTP) and Content Filtering

• High-end features, including policy-based User Authentication and Intrusion Prevention

• No time-consuming maintenance tasks

• All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore etc.

(26)

Key Features & Benefits – DFL-700

1. Security

2. Performance

3. Versatile Security Product

4. Low total cost of ownership

• Proprietary firmware - no inherited vulnerabilities

• Proven, industry-standard algorithms

• Deep Inspection (IDS/IDP, Content Filtering) for advanced application layer security

• High throughput

• 10,000 concurrent connections

• 200 VPN tunnels

• Integrated VPN (IPSec, L2TP, PPTP), Bandwidth Management and Content Filtering

• High-end features, including policy-based User Authentication and Intrusion Prevention

• No time-consuming maintenance tasks

• All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore etc.

(27)

Key Features & Benefits – DFL-1100

1. Security

2. Performance

3. Versatile Security Product

4. Low total cost of ownership

5. High Availability

• Proprietary OS - no inherited vulnerabilities

• Proven, industry-standard algorithms

• Deep Inspection (IDS/IDP, Content Filtering) for advanced application layer security

• High throughput

• 200,000 concurrent connections

• 1,000 VPN tunnels

• Integrated VPN (IPSec, L2TP, PPTP), Bandwidth Management and Content Filtering

• High-end features, including policy-based User Authentication and Intrusion Prevention

• No time-consuming maintenance tasks

• All operations conducted from an easy-to-use web user interface, including firmware upgrades, backup and restore etc.

(28)

D-Link Firewall Applications

[Diagram: DFL-1100 at headquarters/data center, DFL-700 at a branch office, DFL-200 at a remote office, and remote VPN clients, all connected over the Internet]

(29)

DS-601/605

Gateway failover ensures a reliable connection.

Extensible Authentication Protocol (EAP) for secure user authentication. IPSec authentication via DES, 3DES & AES encryption to ensure data security.

Dead Peer Detection (DPD) for easy configuration of tunnel failover at the user side.

Supports Dynamic Domain Name Service (DDNS) for one-click connection.

(30)

Why choose DS-601/605?

Based on an IETF-specified, IPSec-conformant design, compliant with industry standards.

Fully supports gateway failover, EAP, DES/3DES & AES encryption, DPD and DDNS functions for easy VPN remote access.

Supports NAT & Transparent mode for easy communication between client and gateway.

Approved & tested with the whole series of D-Link NETDEFEND firewalls and the 804HV, DI-808HV and DI-824VUP to ensure users a seamless connection environment.


(32)

What is VPN ?

VPN stands for Virtual Private Network

Virtual

– No physical circuit. It’s a logical existence in the public network

Private

– The communication between two or more network devices is confidential. Neither can information be gleaned by third parties outside the communication group, nor can the identities/relationships within the group be known by any outsiders.

Network

– A system made up of a number of devices that can communicate via some means, thus sharing information.

(33)

What is VPN ?

• A private network that is configured within a public network.

Common carriers have built VPNs that appear as private national or international networks to the customer, but physically share backbone trunks with other customers.

• VPNs enjoy the security of a private network via access control and encryption, while taking advantage of the economies of scale and built-in management facilities of large public networks.

• VPNs have been built over public networks such as

– X.25

– Frame Relay (FR)

– Asynchronous Transfer Mode (ATM)

(34)

Types of VPN

Site-to-site VPN

– Builds a VPN tunnel between two VPN gateways

– Suitable for servicing users beyond network gateways

– Integrated into firewalls - D-Link firewall

Client-to-site VPN

– Builds a VPN tunnel between a VPN gateway and remote users

– For commuters to access the Internet

(35)

VPN Feature Comparison

Protocol Features | IPSec | PPTP | L2TP
Protocols Encapsulated | IP | IP, IPX, AppleTalk, etc. | IP, IPX, AppleTalk, etc.
Mode | Host-to-host | Client-server | Client-server
Purpose | Intranets, extranets, remote access via tunneling | Remote access via tunneling | Remote access via tunneling
OSI Layer | Layer 3 | Layer 2 | Layer 2
Tunnel Service Security | Multi-point tunnels; simultaneous VPN and public access | Single point-to-point tunnel, no simultaneous Internet access | Single point-to-point tunnel, no simultaneous Internet access
Key Management | ISAKMP/Oakley, SKIP | None (1) | None (3)
Packet Encryption | ESP Header | None (2) | None (3)
Packet Authentication | AH Header | None (1) | None (3)
User Authentication | None (User PAP, CHAP…, etc.) | None (User PAP, CHAP…, etc.) | None (User PAP, CHAP…, etc.)

Note: 1. Not in standard, not offered. 2. Vendor-specific implementation only. 3. Refers to IPSec for implementation.

(36)

PRODUCTS: DFL-Family

Feature | D-Link DFL-200 | D-Link DFL-700 | D-Link DFL-1100
Throughput | 20 Mbps | 50 Mbps | 250 Mbps
VPN Throughput | 10 Mbps | 20 Mbps | ~70 Mbps
Connections | 3.000 | 10.000 | 200.000
VPN Tunnels | 50 | 200 | 1.000
Ethernet Interfaces | 4 x 10/100 + 4 port switch (WAN, DMZ, LAN) | 3 x 10/100 (WAN, LAN, DMZ) | 4 x 10/100 (WAN, LAN, DMZ, AUX/Sync)
Traffic Shaping | No | Yes | Yes
IDS/IDP, Content Filtering | Partial, Yes/No | Yes, Yes | Yes, Yes
Number of users | Unlimited | Unlimited | Unlimited
Policies | 200 | 1.000 | 2.000
High Availability | No | No | Yes
User Authentication, Max Users | 100 | 500 | 1.500
Policy-based Routing | No | No | Yes
Virtual LANs | N/A | N/A | 16

(37)

Comparison Chart – DFL-200

Main Specification

Brand | D-Link | Cisco | NetScreen | SonicWall | Zyxel
Model Name | DFL-200 | PIX-501 | 5GT | SOHO3 | ZyWALL 30W
MSRP | US$ 300 ~ 400 | US$ 446* | US$ 415.99* | US$ 445* | US$ 365
Interface | 1 x WAN 10/100, 1 x DMZ, 4 x LAN 10/100 | 4 x 10/100 BaseTX | 5 x 10 Ethernet | 1 x WAN, 1 x LAN 10/100 | 1 x WAN, 1 x LAN 10BaseT, 1 x WLAN (Upgrade)
User License | Unlimited | 10 / 50 / Unlimited | 10 / Unlimited | 10 / 50 | N/A
Firewall Performance | 75Mbps | 10Mbps | 75Mbps | 75Mbps | 25Mbps
Concurrent session | 3,000 | 3,500 | 2,000 | 3,000 | N/A
New sessions/second | 3,000 | N/A | 2,000 | N/A | N/A
Built-in DES/3DES | Yes | License Required | Yes | License Required | Yes
3DES | 15Mbps | 3Mbps | 20Mbps | 20Mbps | 15Mbps
Dedicated VPN Tunnels | 80 | 5 | 10 | 10 | 30
NAT Traversal | Yes | No | Yes | Yes | Yes
Policy | 500 | N/A | 100 | 100 | N/A
Schedule | Yes (256) | N/A | Yes (256) | Yes | Yes

Remark: *: 10 users license only.

* Price source: www.pricewatch.com & www.cnet.com (July 2004). The final selling price should be decided by yourself for each territory.

(38)

Comparison Chart – DFL-700

Main Specification

Brand | D-Link | Cisco | NetScreen | SonicWall | Zyxel
Model Name | DFL-700 | PIX-506E | 25 | PRO 100 | ZyWALL 100
MSRP | US$ 548~708* | US$ 890 | US$ 3242 | US$ 1400 | US$ 950
Interface | 1 x WAN, 1 x DMZ, 1 x LAN 10/100 | 2 x 10/100BaseTX | 4 x 10 Ethernet | 1 x WAN, 1 x DMZ, 1 x LAN 10/100 | 1 x WAN, 1 x LAN 10/100
User License | Unlimited | Unlimited | Unlimited | Unlimited | N/A
Throughput | 50Mbps | 100Mbps | 100Mbps | 75Mbps | 32Mbps
VPN Throughput | 20Mbps | 17Mbps | 20Mbps | 20Mbps | 16Mbps
Concurrent session | 10.000 | 25.000 | 2.000 | 3.000 | N/A
IDP | Yes | Yes | No | No | No
Content Filtering | Yes | Yes | No | Yes | Yes
VPN Tunnels | 200 | 25 | 25 / 100 | 50 | 100
Traffic Shaping | Yes | No | Yes | No | Yes

Remark: *: The price interval is from UK websites, ZD.Net & Kelkoo.co.uk.

* Price source: www.pricewatch.com & www.cnet.com (July 2004). The final selling price should be decided by yourself for each territory.

(39)

Comparison Chart – DFL-1100

Main Specification

Brand | D-Link | Cisco | NetScreen | SonicWall
Model Name | DFL-1100 | PIX-515E | 50 | PRO 300
MSRP | US$ 2268~2546* | US$ 2068 | US$ 6500 | US$ 2092
Interface | 1 x WAN 10/100, 1 x DMZ, 1 x LAN, 1 x Sync port, 10/100 | 2 x 10/100 BaseTX | 4 x 10/100BaseTX | 3 x 10/100BaseTx
Firewall Performance | 250Mbps | 188Mbps | 170Mbps | 190Mbps
Concurrent session | 200,000 | 125,000 | 32,000 | 128,000
New sessions/second | 8,000 | N/A | 7,000 | N/A
Built-in DES/3DES | Yes | License Required | Yes | Yes
3DES | 34Mbps | 63Mbps | 50Mbps | 45Mbps
AES | 84Mbps | No | Yes | No
Dedicated VPN Tunnels | 1,000 | 2,000 | 100 | 1,000
NAT Traversal | Yes | No | Yes | Yes
Policy | 2,000 | N/A | 1,000 | 200

Remark: *: The price interval was retrieved from the UK website www.dealtime.co.uk

(40)
