Transcript 3DBenefit Project Overview

SafeZone --Classic Encryption--
Issued by_
MixofTix Developers Network Director
Network & Security Overview
Information:
URL: http://www.MixofTix.net
E-Mail: info {AT} mixoftix {DOT} net
Document # 7856-SECU-EHR-01
© MixofTix Developers Network July, 2006







Networking Solutions
Security Between Particles
Total Security Architecture
Anti-Virus
Compare Databases
Compare Develoment Paltforms
Analysis of QoS
© MixofTix Developers Network July, 2006
Networking
Solutions
© MixofTix Developers Network July, 2006
Network Parts
A core zone link to the distributed servers
 Connection between particles is internet
 Connections in core is Ethernet

© MixofTix Developers Network July, 2006
Solutions for internet connection
Leased line
 Point 2 Point
 Satellite

© MixofTix Developers Network July, 2006
Network Protocol

TCP/IP
© MixofTix Developers Network July, 2006
Security
Between
Particles
© MixofTix Developers Network July, 2006
What is a firewall?
 Different firewall technologies
 Firewall functionalities
 Firewall as a part of total security solution

© MixofTix Developers Network July, 2006
What is a Firewall?


A device (usually hardware and software) that enables safe
data communications between networks with different
security policies (e.g. Intranet/Extranet, Intranet/Internet)
Used to carry out network security policy and control
communication between networks
Untrusted
networks
and servers
Trusted networks
Gateway
Internal
network
Internet
Untrusted
users
DMZ
Network segment
for public servers
(e.g. HTTP, SMTP)
Trusted
users
© MixofTix Developers Network July, 2006
Firewall Technologies

Packet filters
 Routers

Application proxies
 Raptor,

Gauntlet
Stateful inspection
 Netscreen,

Cisco PIX
Multi-Layer inspection
 StoneGate
© MixofTix Developers Network July, 2006
Layering Models vs. Real Life
OSI Model
TCP/IP Model
Real Life
© MixofTix Developers Network July, 2006
Packet Filter


Network layer functionality
Filters according to ACLs (Access Control Lists)

Source and Destination IP, Ports
Application
Application
Presentation
Presentation
Session
Session
Transport
Transport
Network
Network
Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
PACKET FILTER
© MixofTix Developers Network July, 2006
Packet Filter

Advantages
 High
performance
 Application independence
 Transparency

Disadvantages
 Low
security (no inspection above network layer)
 Large rule bases slow down traffic – difficult to
manage/configure
© MixofTix Developers Network July, 2006
Application Proxies
Application
Telnet
HTTP
FTP
Application
Application
Presentation
Presentation
Presentation
Session
Session
Session
Transport
Transport
Transport
Network
Network
Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
PROXY

Application layer
functionality


every service needs its
own proxy
No direct connections are
allowed between
networks

each new connection
established by a proxy
© MixofTix Developers Network July, 2006
Application Proxies

Advantages
 Very
high security
 Application layer screening

Disadvantages
 Poor
Performance
 Limited application support
 No connection failover
© MixofTix Developers Network July, 2006
Stateful Inspection
Application
Application
Presentation
Application
Presentation
Session
Presentation
Session
Transport
Session
Transport
Network
Transport
Network

Packet filter with
enhanced
features

Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
INSPECTION
ENGINE

Historical connection data
(dynamic state tables)
Examines packets up to
the
application layer (vendor
dependent)
Dynamic
state tables
© MixofTix Developers Network July, 2006
Stateful Inspection

Advantages
 Transparency
 Security
 Performance
 Scalability

(add-on products)
Disadvantages
 Limited
application layer screening
© MixofTix Developers Network July, 2006
Multi-Layer Inspection

“A proxy-like stateful inspection”
 Connection
tracking (dynamic state tables)
 Examines data up to the application layer with
protocol agents
 Every packet must either accepted directly by the rule
base, be a part of a previously accepted connection,
or be a part of the related connection
© MixofTix Developers Network July, 2006
Multi-Layer Inspection
Protocol
agents can
inspect upper
layers,
including
application
data, when
needed.
Application
Application
Presentation
Presentation
Session
Session
Transport
Transport
Transport
Network
Network
Network
Data Link
Data Link
Physical
Physical
State Tables
Packets are tracked
through state tables by
default, yet individual
rules can allow simple
protocols or
connectionless traffic
through as a basic
packet filter.
Application
Presentation
Session
Data Link
Physical
© MixofTix Developers Network July, 2006
Firewall Functions

Access Control

Authorized connections are allowed
 Unauthorized access to network resources are blocked
 Part of Corporate Network Security Policy

Network Address Translation (NAT)

Enables administrators to use private IP addresses
 Hides hosts and network architecture behind public IP
addresses

Monitoring and logging

Network traffic load
 Logging


for troubleshooting, for evidence, to track traffic volumes
Authentication

Authenticates users
 Third party authentication software
© MixofTix Developers Network July, 2006
Another Difference in Firewall Technologies

Hardware-based







Software-based
proprietary hardware
proprietary software
expensive to buy; no
other uses for hardware
usually fast – built on
ASICs
also smaller low cost,
low performance HWsolutions
depending on the
solution

no scalability
limited support for
different services



standard hardware






lower investment cost
re-usability option
standard operating system or
dedicated hardened OS
licensing enables scalability
compatibility with other
security solutions
scalability can be achieved
by external load balancing
hardware or software
more flexible to build support
for different services
© MixofTix Developers Network July, 2006
Total Security
Architecture
© MixofTix Developers Network July, 2006
Network
Servers
Back-End
Application & Database
Servers
R&D
Back-End/Internal
Network
Human
Resources
Web
Information
Authentication
Server
CA
Server
Network-based
Intrusion
Detection
DMZ
Content
Scanning
Web
Transaction
Internet
Host-based Intrusion Detection
© MixofTix Developers Network July, 2006
Scalable
Network
HA/LB
Servers
Network
Servers
ScalableBack-End
HA - Back-End
Application
Application&&Database
Database
Servers
Servers
HAAuthentication
Authentication
Server
Server
HA - CA
CA
Server
Server
R&D
Back-End/Internal
Network
Human
Resources
ScalableWeb
HA/LB
Web
Information
Information
Scalable
Intrusion
HA/LB
Detection
Intrusion
Detection
DMZ
Scalable
HA/LB
Content
Content
Scanning
Scanning
Web
Scalable
Transaction
HA/LB
Web
Transaction
Internet
Connection
Providers
Traditional
VPN Connection
© MixofTix Developers Network July, 2006
Scalable
Network
HA/LB
Servers
Network
Servers
Multi-Link VPN
ScalableBack-End
HA - Back-End
Application
Application&&Database
Database
Servers
Servers
HAAuthentication
Authentication
Server
Server
HA - CA
CA
Server
Server
R&D
Back-End/Internal
Network
Human
Resources
ScalableWeb
HA/LB
Web
Information
Information
Scalable
Intrusion
HA/LB
Detection
Intrusion
Detection
DMZ
Scalable
HA/LB
Content
Content
Scanning
Scanning
VPN Connections
Web
Scalable
Transaction
HA/LB
Web
Transaction
Internet
Connection
Providers
Single Points of Failure
© MixofTix Developers Network July, 2006
Network
Scalable
Servers
HA/LB
Network
Servers
ScalableBack-End
HA - Back-End
Application
Application&&Database
Database
Servers
Servers
HAAuthentication
Authentication
Server
Server
HA - CA
CA
Server
Server
R&D
Back-End/Internal
Network
ScalableWeb
HA/LB
Web
Information
Information
Scalable
Intrusion
HA/LB
Detection
Intrusion
Detection
DMZ
Web
Scalable
Transaction
HA/LB
Web
Transaction
Scalable
HA/LB
Content
Content
Scanning
Scanning
VPN Connections
Internet
Connection
Providers
Human
Resources
Remote
Client
with
Firewall
© MixofTix Developers Network July, 2006
Functions of a VPN
VPNs facilitate the connection of LANs
and clients (e.g. notebooks) via the
Internet which is very low-priced and
available worldwide.
 By means of VPNs the corporate access
via the Internet can be effected
confidentially, independent of the selected
media.

© MixofTix Developers Network July, 2006
Tunnelling
Network A
VPNGateway
Network B
Internet
VPN
© MixofTix Developers Network July, 2006
Layer2 VPNs





Work on the OSI-layer 2
 Security layer (data-link layer)
Entire IP packets are „packed “ in the tunnel protocol
Tunnel the point-to-point protocol (PPP)
Use the functions of the PPP infrastructure
 DHCP
 User-oriented authentication
 Compression
A layer-2 tunnel is a “virtual cable”
 Can be set up across any IP structure
 Supports multiple protocols
© MixofTix Developers Network July, 2006
StoneGate VPN







VPN gateway with StoneGate technology
DES, 3DES, AES (256), Blowfish, CAST
Managed through centralized management system
Includes firewall
IPSec compatible
Comes with SG VPN client (includes personal firewall)
Supported user authentication methods:
 RADIUS, TACACS+ or LDAP(S) back-end protocols
 Client certificates
 Smart Cards (PKCS#11, PKCS#15, Microsoft CAPI)
 USB tokens
© MixofTix Developers Network July, 2006
What is a CA
A Certification authority is responsible for
providing and assigning the keys for
encryption, decryption and authentication.
 A CA can issue certificates to a computer,
a user account or a service.

© MixofTix Developers Network July, 2006
Certificate Hierarchies
Trust
Trust
Root CA
Trust
Subordinate CA
Subordinate CA
Subordinate CA
© MixofTix Developers Network July, 2006
Using Public Keys and Private Keys
A private key which is kept confidential
 A public key which is freely given out to all
potential correspondents

© MixofTix Developers Network July, 2006
Anti-Virus
© MixofTix Developers Network July, 2006
Anti Virus Features
Centralized Management
 Automatic Daily Updates
 Minimum Reaction time

© MixofTix Developers Network July, 2006
© MixofTix Developers Network July, 2006
F-Secure


Easy-to-use solution for keeping customers
rapidly and automatically protected against fastspreading Internet-borne viruses and other
malicious code
F-Secure Anti-Virus protects both site-based and
mobile workers, ensuring system availability and
data integrity every minute of every day,
everywhere in the world.
© MixofTix Developers Network July, 2006
Comapre
Databases
© MixofTix Developers Network July, 2006
Technical Comparison of:
Oracle vs. SQL Server vs. MySQL
© MixofTix Developers Network July, 2006
PLATFORM AVAILABILITY
Oracle9i
Oracle9i Database is available on a large selection of hardware
and operating systems, scaling from low-end uni-processor
servers to large symmetrical multiprocessor machines to multinode clusters. Oracle9i Database supports all major Unix
platforms, including Linux, Microsoft operating systems, and a
variety of other systems, including OS/390 mainframes. With
Oracle9i, users are able to upgrade hardware and operating
systems without changing or rewriting their applications.
© MixofTix Developers Network July, 2006
PLATFORM AVAILABILITY
SQL Server 2000
SQL Server 2000 only runs on Microsoft’s operating systems.
Customers wishing to upgrade hardware are limited to
platforms running these systems and must face the cost of
converting their systems completely if they ever outgrow the
capacity of their platform.
© MixofTix Developers Network July, 2006
PLATFORM AVAILABILITY
MySQL
MySQL Database is available on Linux & Microsoft operating
systems, Solaris, Mac OS X
. With MySQL, users are able to upgrade hardware and
operating systems without changing or rewriting their
applications.
© MixofTix Developers Network July, 2006
CONCURRENCY MODEL
Oracle9i
SQL Server 2000
Multi-version read
consistency
Not available
No read locks
Requires shared read locks
to
avoid dirty reads
Non-escalating row-level
locking
Locks escalate
Readers don’t block writers
Readers block writers
Writers don’t block readers
Writers block readers
Minimal deadlocks under
load
Deadlocks can be a serious
problem under load
© MixofTix Developers Network July, 2006
Comparison Chart
Feature
SQL Server
Oracle
MySQL
Independent
Performance
Benchmarks
2nd Place
1st Place
Does not participate –
intended for small to
medium sized systems
Independent
Analysis of
Price/Performanc
e Ratio
1st Place –
licensing is 25%
the cost of
Oracle
Unknown
Does not participate –
commercial licenses are
cheaper than SQL Server
Cross Platform
Compatible
No
Yes
Yes
Fully Relational –
affects data
storage, retrieval
and integrity
Yes
Yes
Somewhat – does not
support foreign key
constraints
Language
Transact-SQL –
considered easy
to use and more
powerful than
MySQL Dialect
PL/SQL –
considered more
powerful than
Transact-SQL but
more difficult to
use
MySQL Dialect – difficult
to use with limited power
Maintainability
Easy
Difficult
Difficult
Open Source
No
No
Yes
© MixofTix Developers Network July, 2006
SQL Server and MySQL limitations
Feature
SQL Server 2000
MySQL v4.1
column name length
128
64
index name length
128
64
table name length
128
64
max indexes per
table
250
32
index length
900
1024
max index column
length
900
255
columns per index
16
16
max char() size
8000
1048543
max varchar() size
8000
1048543
© MixofTix Developers Network July, 2006
SQL Server and MySQL limitations
Feature
SQL Server 2000
MySQL v4.1
max blob size
2147483647
1048543
max number of
columns in GROUP
BY
Limited only by
number of bytes
(8060)
64
max number of
columns in ORDER
BY
Limited only by
number of bytes
(8060)
64
tables per SELECT
statement
256
31
max columns per
table
1024
2599
max table row length
8036
65534
longest SQL
statement
16777216
1048574
constant string size
in SELECT
16777207
1048565
© MixofTix Developers Network July, 2006
Compare
Development
Platforms
© MixofTix Developers Network July, 2006
Comparison Charts
Feature
.Net
Java
Cold Fusion MX
PHP
Compiled Code – Increases
website speed (precompiled
is the fastest)
Yes – both
precompiled and
dynamically
compiled when a
page is
requested
Yes – both
precompiled
and
dynamically
compiled
when a page
is requested
Yes – dynamically
compiled when a
page is requested
No – a 3rd party
accelerator can be
used to increase
performance but it
is not installed on
most shared
hosting servers.
Scripted Language – results
in poor website performance
No
No
Somewhat
Yes – a 3rd party
accelerator can be
used to increase
performance but it
is not installed on
most shared
hosting servers.
Object Oriented – Increases
the ability for code reuse
and provides enhanced
features as well as reduced
development time; since
code is more reusable,
results in fewer bugs that
can be discovered by any
client and fixed for
everyone; encourages
developers to write more
maintainable code
Yes
Yes
Somewhat
No
© MixofTix Developers Network July, 2006
Comparison Charts
Feature
.Net
Java
Cold Fusion MX
PHP
Supported Development
Languages – easier to
find developers
C++, C#,
Visual
Basic.NET,
Jscript.NET,
Python, Perl,
Java (J#),
COBOL, Eiffel,
Delphi – 25
languages
supported
currently
Java
CFML and
CFScript
PHP
Browser Specific HTML
Rendering – different
HTML is automatically
sent to IE than to
Netscape, reducing
incompatibility issues
Yes
No
No
No
Open Source
No
Yes
Somewhat
Yes
© MixofTix Developers Network July, 2006
The same application was rebuilt by both Microsoft and Sun for an
independent competition sponsored by a Company. Below is a comparison of
the results:
.Net 1.1/Windows 2003
J2EE/Wind
ows 2000
Lines of Code
2,094
14,004
Time required for
tuning and optimization
prior to performance
test
2 man-weeks
10 manweeks
Price/Performance Ratio
– the cost per server
divided by the
maximum transactions
per second the server
could handle
$316 – in other words, for a Java
application to handle the same
amount of website traffic as a .Net
application, and additional $989
would need to be spent on server
hardware.
$1,305
Maximum Pages served
per Second
1,400
600
Maximum Number of
Concurrent Users
6,000
4,000
Maximum Number of
Transactions per
Second
117
59
© MixofTix Developers Network July, 2006
Analysis of QoS
© MixofTix Developers Network July, 2006
Applications Requirements






Advance Resource Reservation
Reservation Policy
Agreement Protocol
Security
Simplicity
Scalability
© MixofTix Developers Network July, 2006
Advance Resource Reservation
The system should support mechanisms for
advance, immediate, or ‘on-demand’ resource
reservation.
Advance reservation is particularly important when
dealing with scarce resources, as is often the
case with high-end resources made available.
© MixofTix Developers Network July, 2006
Reservation Policy
The system should support a mechanism that
allows resource owners to enforce their policies
governing when, how, and who can use their
resource. This should be undertaken while
decoupling reservation and policy entities, in
order to improve reservation flexibility
© MixofTix Developers Network July, 2006
Agreement Protocol
The system should assure the clients of their
advance reservation status, and the resource
quality they expect during the service session.
Such assurance can be contained in an
agreement protocol, such as Service Level
Agreements (SLAs).
© MixofTix Developers Network July, 2006
Security
The system should prevent malicious users penetrating,
or altering, data repositories that hold information
about reservations,policies and agreement protocols.
In addition to a secure
channel between an application and the resources it
uses, a security infrastructure that provides support for
authentication,authorization and access control should
be provided.
© MixofTix Developers Network July, 2006
Simplicity
The QoS enhancement should have a reasonably
simple design that requires minimal changes to
be made to existing computation,storage or
network infrastructure.
© MixofTix Developers Network July, 2006
Scalability
The approach should be scalable to a large
number of entities, since the System is a globalscale infrastructure. This is especially true as the
System are expected to be open and dynamic,
with resources and users joining and leaving the
System in a nondeterministic manner.
© MixofTix Developers Network July, 2006
Conception Model
Firewalls
Gateway
Backup Server
Web Server
Firewall
Authentication
Server & Monitoring
Internet
DB Server
Special Web Server Filter
Clients
CA Server
Application Server
© MixofTix Developers Network July, 2006
Discussion - Q&A
© MixofTix Developers Network July, 2006