Taipei City Department of Education Firewall Training Course, Year 93 (ROC calendar, 2004): DFL-1500 VPN Firewall


Presentation Transcript


  1. Taipei City Department of Education Firewall Training Course, Year 93 (ROC calendar, 2004): DFL-1500 VPN Firewall

  2. Agenda • Security Overview • Internet Threats • D-Link VPN Firewall Strategy & Solution • Product Specifications & Applications • Why Buy D-Link VPN Firewalls?

  3. Agenda • Security Overview • Internet Threats • D-Link VPN Firewall Strategy & Solution • Product Specifications & Applications • Why Buy D-Link VPN Firewalls?

  4. Comprehensive information security products (diagram): threats (denial of service, backdoor programs, remote scanning, local scanning, virus intrusion, password cracking, eavesdropping) mapped to products (Intrusion Detection, Firewall, VPN, Anti-Virus, Authorization, Encryption) for individuals and for schools/enterprises.

  5. Agenda Security Overview Internet Threats D-Link VPN Firewall Strategy & Solution Product Specifications & Applications Why Buy D-Link VPN Firewalls?

  6. Network threats schools may face today (diagram): unauthorized users as the threat, namely unauthorized wireless users, compromised PCs, compromised hosts and malicious internal students. Senior high / vocational schools and junior high / elementary schools connect by VPN over the Internet, as do mobile workers, to the Department of Education behind a firewall with DMZ servers and internal servers.

  7. Design principles of the new security architecture
  • Preventing internal threats is as important as preventing external ones
  • The same attack can occur on the internal or the external network
  • Internal attacks may originate from an external attack, e.g. a service host that has already been compromised
  • Access to internal network resources should be limited on a need-to-know basis; treat every internal resource as you would a server
  • Confidentiality is equally important for external and internal networks, e.g. wireless LANs

  8. Agenda Security Overview Internet Threats D-Link VPN Firewall Strategy & Solution Product Specifications & Applications Why Buy D-Link VPN Firewalls?

  9. Product positioning chart: performance / features plotted against capacity (10, 100, 500, 1,000 users) for the D-Link products DFL-100, DFL-600, DFL-900 and DFL-1500.

  10. Specification Summary

  11. Agenda Security Overview Internet Threats D-Link VPN Firewall Strategy & Solution Product Specifications & Applications Why Buy D-Link VPN Firewalls?

  12. Firewall function
  • Sits between the protected network and the Internet, or between other networks; one device or a group of devices used to restrict access
  • Provides Network Address Translation (NAT)
  • Defends against attacks from outside networks: identifies malicious and abnormal attack packets and blocks external hackers' attacks outside the firewall, protecting the security of internal hosts
  • Controls activity entering and leaving the network: which people may use which protocols, from where, to where. By source, destination, protocol, service (ftp, smtp, http, telnet, pop3 ...)
  • Reduces the exposure of network resources: shields the computers on the network so that services or resources that need not be visible stay hidden, reducing the information exposed on the Internet and improving the protection of the network
  • Logs and monitors network activity: activity passing through the firewall is monitored and logged or audited
  • Provides a demilitarized zone (DMZ): an area between the internal and external networks for servers that offer services to the outside, so outside users can reach the services on DMZ hosts without affecting the internal network
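The access-control behaviour the slide describes (match by source, destination, protocol and service, keep a DMZ between the inside and the outside, log every decision) can be shown as a small zone-based policy evaluator. This is an added illustration, not D-Link code or the DFL-1500's configuration format; the zone addresses, the rule list and the implicit final deny are constructed assumptions.

```python
"""Zone-based access control in the style slide 12 describes: rules are matched
by source zone, destination zone, protocol and service, the first match wins,
unmatched traffic is denied, and every decision is logged.
Added example; zone layout and rules are constructed, not a real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known services named on the slide, plus DNS for the LAN clients (assumed).
SERVICES = {"ftp": ("tcp", 21), "smtp": ("tcp", 25), "http": ("tcp", 80),
            "telnet": ("tcp", 23), "pop3": ("tcp", 110), "dns": ("udp", 53)}

# Constructed zone layout: trusted LAN, DMZ for public servers, untrusted WAN catch-all.
ZONES = {"lan": ip_network("192.168.1.0/24"),
         "dmz": ip_network("172.16.0.0/24"),
         "wan": ip_network("0.0.0.0/0")}


def zone_of(addr):
    """Return the most specific zone containing addr (wan is the catch-all)."""
    best = None
    for name, net in ZONES.items():
        if ip_address(addr) in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # key in SERVICES, or "any"
    action: str    # "allow" or "deny"


# Ordered policy: first match wins; anything that falls through is denied.
POLICY = [
    Rule("wan", "dmz", "http", "allow"),   # public web server lives in the DMZ
    Rule("wan", "dmz", "smtp", "allow"),   # mail relay lives in the DMZ
    Rule("wan", "lan", "any", "deny"),     # nothing inbound to the LAN
    Rule("lan", "wan", "http", "allow"),
    Rule("lan", "wan", "dns", "allow"),
    Rule("lan", "dmz", "http", "allow"),
    Rule("dmz", "lan", "any", "deny"),     # a compromised DMZ host cannot reach the LAN
]


def evaluate(src_ip, dst_ip, proto, dport, log):
    """Decide allow/deny for one new connection and append the decision to log."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.service != "any" and SERVICES.get(rule.service) != (proto, dport):
            continue
        log.append(f"{rule.action.upper()} {src_ip}->{dst_ip} {proto}/{dport} "
                   f"({src_zone}->{dst_zone}) rule={rule}")
        return rule.action
    # Implicit deny: the rule base is a whitelist, so an unmatched flow is dropped.
    log.append(f"DENY {src_ip}->{dst_ip} {proto}/{dport} ({src_zone}->{dst_zone}) implicit")
    return "deny"


if __name__ == "__main__":
    decisions = []
    evaluate("203.0.113.5", "172.16.0.10", "tcp", 80, decisions)    # allow: WAN -> DMZ web
    evaluate("203.0.113.5", "192.168.1.20", "tcp", 23, decisions)   # deny: WAN -> LAN telnet
    evaluate("172.16.0.10", "192.168.1.20", "tcp", 445, decisions)  # deny: DMZ -> LAN
    evaluate("192.168.1.20", "203.0.113.5", "tcp", 23, decisions)   # deny: LAN -> WAN telnet (implicit)
    print("\n".join(decisions))
```

The point worth noticing is the last two decisions: the DMZ-to-LAN deny is what keeps a compromised public server from becoming an internal foothold, and the implicit deny means a service nobody listed (telnet outbound here) never leaves the network even though no rule mentions it.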

  13. Firewall application (diagram): a corporation network with the DFL-1500 at the main site and DFL-100 / DFL-600 units at remote offices; traffic classes shown as Deny Traffic, Deny Some Attacks and Allow Traffic. The DFL-1500 firewall provides access control.

  14. VPN technology & function
  • Tunneling: IPSec, PPTP, L2TP
  • Encryption & decryption: DES, 3DES, AES ...
  • Key management: ISAKMP/Oakley (IKE), SKIP
  • User and device authentication: X.509, MD5, SHA-1

  15. VPN application (diagram): a vendor and a branch office (DFL-100 and DFL-600 behind ADSL modems, with an access point) and a telecommuter running VPN client software all connect over the Internet to the DFL-1500 at headquarters, which fronts an access point, a DMZ with a web server and an e-mail server, and a finance server.

  16. Load-balance function
  • Risk of a single Internet connection failing
  • Multi-homing: use multiple ISPs to provide continuous, uninterrupted Internet access
  • Ensure incoming traffic is distributed effectively from the different ISPs into the enterprise network
  • Manage the IP addresses assigned by each ISP effectively
  • Distribute inbound and outbound traffic effectively
  • Dynamically select the best ISP link
  • Fault tolerance across multiple links

  17. Load balance application (diagram): ISP A over a T1 leased line (1.5 MB, WAN1, weight 3 = 75%) and ISP B over an xDSL / cable modem (512 KB, WAN2, weight 1 = 25%), both terminated on the DFL-1500.
  • Weighted load balance
  • For example: the bandwidth of the T1 leased line (WAN1) is three times that of the 512K ADSL line (WAN2), so we could assign a load weight of 3:1 for WAN1 vs. WAN2.
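To make the 3:1 weighting concrete, the following added example (not D-Link's implementation; link names, weights and the health probe are assumptions) assigns new sessions to whichever live link is furthest below its weighted share, and drops a link from the pool when a health check fails, which is the "WAN backup" behaviour listed in the specifications.

```python
"""Weighted WAN link selection with failover, in the spirit of the 3:1
T1 / ADSL example on slide 17. Added illustration, not D-Link code:
link names, weights and the health probe are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class WanLink:
    name: str
    weight: int        # relative share of new sessions (3:1 on the slide)
    up: bool = True    # result of the last health check
    sessions: int = 0  # sessions assigned so far


class WeightedBalancer:
    """Assigns each new session to the live link that is furthest below its
    weighted share (lowest sessions / weight). This is deterministic and
    settles on the exact 3:1 split rather than a random approximation."""

    def __init__(self, links):
        self.links = links

    def available(self):
        return [link for link in self.links if link.up]

    def shares(self):
        """Expected fraction of new sessions per live link (weights 3 and 1 -> 0.75 / 0.25)."""
        live = self.available()
        total = sum(link.weight for link in live)
        return {link.name: link.weight / total for link in live} if total else {}

    def pick(self):
        """Choose a link for a new session; raises if every WAN link is down."""
        live = self.available()
        if not live:
            raise RuntimeError("all WAN links are down")
        link = min(live, key=lambda l: l.sessions / l.weight)
        link.sessions += 1
        return link.name

    def health_check(self, probe):
        """probe(link) -> bool stands in for the appliance's periodic WAN status
        check (for example, reaching the ISP gateway). A failed link is skipped
        until a later check succeeds, so traffic fails over to the remaining link."""
        for link in self.links:
            link.up = probe(link)


if __name__ == "__main__":
    balancer = WeightedBalancer([WanLink("WAN1", 3), WanLink("WAN2", 1)])
    picks = [balancer.pick() for _ in range(100)]
    print({name: picks.count(name) for name in ("WAN1", "WAN2")})  # {'WAN1': 75, 'WAN2': 25}
    balancer.health_check(lambda link: link.name != "WAN1")         # simulate a WAN1 outage
    print(balancer.pick())                                           # WAN2
```

Weighting by link bandwidth only balances the number of sessions, not bytes; a single large download on WAN2 can still saturate the ADSL line, which is why the deck pairs load balancing with bandwidth management.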

  18. IDS function
  • An Intrusion Detection System (IDS) is a security system that monitors the traffic of computer systems and networks and analyzes the traffic inside and outside the enterprise for possible malicious attack packets. It also analyzes system misuse and attack behaviour that originates inside the enterprise. By searching for known attack patterns, or by inspecting any abnormal behaviour, it identifies specific attacks and can take appropriate action, such as logging, alerting, blocking, or reconfiguring other devices to achieve a defensive effect.
  • An IDS has more intelligent detection mechanisms than a firewall and understands more attack patterns. The IDS concentrates on intrusion behaviour, whereas the firewall is there to reduce the exposure of network resources; an IDS provides considerable help in closing vulnerabilities and notifying administrators or the police.

  19. IDS technology
  • Signature-based analysis: based on known attack patterns, extract specific fields as the attack signature
  • Protocol analysis: analyze whether a given protocol in the network traffic conforms to the standard it is supposed to follow
  • Anomaly detection: compare traffic analyses from different periods to see whether the later period shows anomalies
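The three techniques on this slide, applied to a handful of constructed packets, as an added example (not the DFL-1500's rule set): signature matching on known byte patterns, protocol analysis that checks whether tcp/80 traffic actually looks like an HTTP request, and anomaly detection that compares a source's packet count with its count from an earlier period. The signatures, packets, baseline and threshold are all constructed for illustration.

```python
"""Signature-based, protocol and anomaly detection over constructed packets,
illustrating the three IDS techniques on slide 19. Added example; signatures,
packets, baseline counts and the threshold factor are constructed."""
import re
from collections import Counter

# Known-pattern signatures (constructed): name, destination port, payload pattern.
SIGNATURES = [
    ("sample-ftp-nop-sled", 21, re.compile(rb"USER \x90{32,}")),
    ("sample-web-traversal", 80, re.compile(rb"\.\./\.\./")),
]

# What a well-formed HTTP/1.x request line looks like (used for protocol analysis).
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def signature_matches(pkt):
    """Signature-based analysis: compare known attack patterns against specific fields."""
    return [name for name, port, pattern in SIGNATURES
            if pkt["dport"] == port and pattern.search(pkt["payload"])]


def protocol_violations(pkt):
    """Protocol analysis: traffic to tcp/80 must follow the HTTP request format."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 80 and not HTTP_REQUEST.match(pkt["payload"]):
        return ["non-http-on-80"]
    return []


def anomaly_sources(packets, baseline, factor=3.0):
    """Anomaly detection: flag a source whose packet count in this period exceeds
    factor times its count in the baseline period (baseline: {src: count})."""
    counts = Counter(p["src"] for p in packets)
    return sorted(src for src, n in counts.items() if n > factor * baseline.get(src, 1))


def analyze(packets, baseline):
    """Run all three techniques and return (alert name, source) pairs."""
    alerts = []
    for pkt in packets:
        for name in signature_matches(pkt) + protocol_violations(pkt):
            alerts.append((name, pkt["src"]))
    for src in anomaly_sources(packets, baseline):
        alerts.append(("volume-anomaly", src))
    return alerts


# Constructed sample traffic for one observation period (documentation-range addresses).
SAMPLE = [
    {"src": "203.0.113.7", "dst": "172.16.0.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},          # benign
    {"src": "203.0.113.7", "dst": "172.16.0.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},                    # signature hit
    {"src": "198.51.100.9", "dst": "172.16.0.10", "proto": "tcp", "dport": 80,
     "payload": b"\x16\x03\x01\x00\xa5binary"},                             # not HTTP on 80
    {"src": "198.51.100.9", "dst": "172.16.0.11", "proto": "tcp", "dport": 21,
     "payload": b"USER " + b"\x90" * 64 + b"\r\n"},                        # signature hit
] + [{"src": "192.0.2.50", "dst": "172.16.0.10", "proto": "udp", "dport": 53,
      "payload": b"q"} for _ in range(40)]                                 # volume spike

# Constructed per-source packet counts from the previous period.
BASELINE = {"203.0.113.7": 5, "198.51.100.9": 2, "192.0.2.50": 10}

if __name__ == "__main__":
    for alert in analyze(SAMPLE, BASELINE):
        print(alert)
```

Each technique has a characteristic blind spot the slide's wording hints at: signatures miss anything not already known, protocol analysis only sees misuse of the protocols it models, and the anomaly threshold trades false alarms against undetected attacks, which is the trade-off drawn on the next slide.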

  20. IDS application (diagram): the same corporation network as in the firewall application, with outcomes labelled detected attacks, false alarms, undetected attacks, and attacks that reach the victim. The DFL-1500 firewall provides access control; the DFL-1500 IDS provides attack monitoring.

  21. Bandwidth management function
  • Allocate different bandwidth per application, person or service
  • Guarantee appropriate bandwidth for important people, application systems and communications
  • Understand, analyze and control bandwidth usage on the enterprise network
  • Adjust the bandwidth policy at any time according to the enterprise's business needs
  • Combine data and voice and provide QoS: carry VoIP, NetMeeting, video conferencing, Internet phone and so on over the WAN link
  • Monitoring: real-time display of traffic status on the network
  • Classifying and shaping: classify traffic and set control conditions and rules by time, traffic direction, application type, physical link, host name, network segment, specific IP address or IP subnet group
  • Reporting: powerful analysis and reporting tools

  22. DFL-1500 Outlook (physical appearance): console port; five 10/100Base-TX Fast Ethernet ports (Port 1: WAN1, Port 2: WAN2, Port 3: DMZ, Port 4: LAN1, Port 5: LAN2); power supply: 110-220 VAC switching power.

  23. DFL-1500 Features
  Product Features:
  • Five 10/100M Ethernet ports
  • Default two 10/100M Ethernet WAN ports, two 10/100M Fast Ethernet LAN ports and one 10/100M Fast Ethernet DMZ port
  • IEEE 802.3 / 802.3u compliance
  • Support auto-MDIX
  • Standard Protocol: TCP/IP, UDP, ARP, ICMP, TFTP, Telnet, SNMP, HTTP
  • Routing Protocol: Static Routing, RIP1/2, policy route, IGMP v1/v2, IP alias (multi-home)
  • Transparent, Route, NAT mode support
  • DHCP client/server support
  • PPPoE support for ADSL & cable modem connection
  • PPTP, L2TP and IPSec support for VPN
  • Built-in hardware accelerator for DES (56 bit) / 3DES (128 bit) / AES / PKI (X.509)
  • Stateful Packet Inspection (SPI) Firewall & protection for DoS (Denial of Service)
  • Web-based management

  24. DFL-1500 Specifications
  Firewall Security
  • Stateful Packet Inspection
  • Packet Filter
  • IP/TCP/UDP Protocol Filter
  • Access Control
  • Attack Alert and log
  • Real time log
  • Denial of Service
  • Filtering packets in VPN tunnel
  NAT
  • IP Network Address Translation (NAT)
  • Traditional IP Network Translation (Traditional NAT)
  • Protocol Complications with IP Network Address Translation
  • Support one-one, one-many, many-many

  25. DFL-1500 Specifications
  Virtual Private Network
  Tunnel Protocol
  • IPSec
  • L2TP
  • PPTP
  Connection Modes
  • Site to Site
  • Client to Site
  Encryption Algorithms
  • DES (56 bit), 3DES (128 bit)
  • AES
  • PKI (X.509) (with hardware accelerator aid)
  Authentication Algorithms
  • MD-5
  • SHA-1
  Advanced Key Management
  • Internet Security Association and Key Management Protocol (ISAKMP)
  • Internet Key Exchange (IKE)

  26. DFL-1500 Specifications
  Content Filter
  • HTTP content level
  • URL blocking
  • Key word blocking
  • Java/ActiveX/Cookie/Proxy blocking
  • Dynamic URL filtering (needs an integrated external database such as Websense)
  • Application proxy
  • POP3 / SMTP / FTP
  • Content Filter within VPN tunnels
  IDS (Intrusion Detection System)
  • On-line pattern update
  • Specific domain attack
  • Attack alarm (via E-mail)
  • Provides built-in complete analysis report and packet logging

  27. DFL-1500 Specifications
  Load Balance
  • Supports two Ethernet broadband connections
  • Provides multiple and redundant ISP links
  • Automatically checks the status of WAN connections
  • Weighted load balance mode
  • Built-in real-time monitoring mode and remote control via Web browser
  • WAN backup setup support
  • Remote control via Web browser
  Bandwidth Management
  • Guaranteed bandwidth
  • Maximum bandwidth
  • Priority-bandwidth utilization
  • DiffServ stamp
  • Class-based policies
  • Application-specific traffic class
  • Subnet-specific traffic class
  • Session bandwidth control within VPN tunnels

  28. DFL-1500 Specifications
  Authentication
  • Built-in (internal) database, up to 1500 user limit
  • Support RADIUS client
  • Support LDAP client
  • Support RADIUS authentication accounting
  • Web-based authentication
  Logging & Monitoring
  • Graphic statistics display
  • Firewall access violation log
  • Web access log
  • DHCP table (active hosts)
  • IDS intrusion alarm/alert log
  • System utilization statistics
  • B/W Monitoring
  • Mail log
  • VPN tunnel monitor
  • Event logs and alarm

  29. DFL-1500 Specifications
  System Management
  • WebUI (HTTP and HTTPS)
  • Command line interface (telnet)
  • Wizard/Quick install
  • Secure Command Shell (SSH v1 compatible)
  • Support RADIUS authentication accounting
  • All management via VPN tunnel on any interface

  30. DFL-1500 Advantages
  • Provides more security functions inside the VPN tunnel
  • Packet filtering enabled on encrypted packets
  • Content filtering enabled on encrypted packets
  • Provides session bandwidth control inside the VPN tunnel
  • Bandwidth control enabled on encrypted packets
  • Integrated load balancer
  • Automatically checks the status of WAN connections
  • WAN backup supported
  • Weighted load balance
  • Built-in real-time monitoring mode and remote control via Web browser
  • Superior firewall/VPN performance (400Mbps/100Mbps)

  31. DFL-1500 Advantages (diagram): a senior high / vocational school district and a junior high / elementary school district, each behind a DFL-100 over ADSL, reach the Department of Education through VPN tunnels across the Internet; a hacker on the Internet side, a router, and the DFL-1500 fronting the WWW server in the DMZ and the OS servers.

  32. Agenda Security Overview Internet Threats D-Link VPN Firewall Strategy & Solution Product Specifications & Applications Why Buy D-Link VPN Firewalls?

  33. DFL-1500 defense against internal and external attacks (diagram): Internet; an external host that has been taken over; DMZ servers; internal servers; a malicious internal student. Legend: threat source; attack defense & policy inspection.
  • Every interface has defensive functions to prevent internal as well as external attacks
  • Attacks by malicious internal students are contained in the network segment where they originate
  • External attack activity is likewise stopped outside the firewall at the untrust interface

  34. DFL-1500 defense against internal and external attacks (diagram): Internet; a host that has already been compromised; web server in the DMZ; app server; finance servers; a student with bad intentions. Legend: threat source; attack defense & policy inspection.
  • Access between any two security zones must pass a policy check
  • Activity entering or leaving each security interface must be inspected
  • A compromised host can no longer extend the threat to other network segments
  • Employees with bad intentions cannot enter networks they are not authorized for

  35. DFL-1500 defense against internal and external attacks (diagram): Internet; unauthorized wireless user; finance servers; VPN clients; wireless zone. Legend: threat source; attack defense & policy inspection.
  • A self-defined security zone for the wireless LAN
  • Wireless network activity entering or leaving the zone is inspected and controlled
  • Advantages of combining the WLAN with VPN
  • The WLAN gives users convenient network access
  • VPN clients prevent eavesdropping on users in the wireless network
  • Wireless traffic inside the enterprise is decrypted and then checked against the policies, which decide whether it is permitted or denied passage to the other security zones

  36. DFL-1500 defense against internal and external attacks (diagram): unauthorized personnel, a regional office, a small office, a teleworker, unauthorized wireless users, compromised PCs, compromised hosts, malicious internal students, DMZ servers and finance servers arranged around the Internet.
  • Integrated VPN & firewall
  • A more watertight distributed architecture
  • An ASIC chip meets the demands of a robust, high-performance environment
  • All interfaces can defend against attacks
  • Reduces internal as well as external threats
  • A VPN can be established on any interface
  • Improves the security of extranets or wireless networks

  37. Conclusions
  • Network security is a SERVICE business
  • Although challenging, D-Link is well positioned in the VPN Firewall market
  • We should provide a complete family of VPN Firewalls instead of various products
  • Key success factors:
    • Long-term, stable and reliable source
    • Pre-sale and after-sale service

  38. Q&A
