Professional Documents
Culture Documents
technical challenges with advanced storage solutions and global data management strategies.
Internet Access and Security Solution: Description of Security Features and Benefits
TECHNICAL REPORT
TECHNICAL REPORT
TECHNICAL REPORT
Table of Contents
1. Introduction 2. Internet Security Challenges 3. NetApp Solution Components 4. NetCache Appliance Security Features 4.1. Hardened TCP Stack 4.2. Authentication 4.3. Access Control Lists 4.4. Integrated SSL Termination 4.5. Secure Administration 4.6. Bandwidth Management 4.7. Secure Log File Pushing 5. Third-Party Software Security Features 5.1. Virus Scanning 5.2. URL and Content Filtering 5.3. IM and P2P Filtering 5.4. Spyware Protection 5.5. Phishing 5.6. Usage Reporting 6. Summary
1. Introduction
Most organizations today use the Internet as a valuable business tool and depend upon it for their livelihood. However, that same Internet access exposes corporate resources to an ever-increasing number of security vulnerabilities. Whenever data is transferred between a company's internal network and an outside source, there are multiple risksall of which can jeopardize data integrity. Many vendors offer disparate technologies to protect against these security risks. Only Network Appliance, however, has combined these technologies into a complete, integrated solution for securing Internet data access. This document summarizes these security features and describes their benefits as part of the overall solution.
TECHNICAL REPORT
Preventing the exploitation of Internet access privileges by employees The NetApp Internet access and security solution consolidates the deployment and administration of many security technologies into a complete security solution for Web access, alleviating the aforementioned vulnerabilities and lowering management costs.
TECHNICAL REPORT
Figure 1) Network Appliance Internet access and security solution functional diagram.
4.2. Authentication
NetCache offers extensive authentication support for easy integration into preexisting RADIUS, RSA SecureID, LDAP, NTLM, Kerberos, and SSO authentication environments. Users and groups can be authenticated using any of the above methods, as well as the built-in appliance user database. Once a user is authenticated for a configured protocol, a multistep process is performed before the request is fulfilled (refer to Table 3).
TECHNICAL REPORT
Description
Examples
Allow, auth, cache, deny, drop, icap, nolog, Actions Actions control client requests for access redirect, rewrite to Web content and supported protocols. Variables Variables, including those specific to streaming media, are used to create pattern-matching expressions. Table 1) ACL actions and variables. Accel, bitrate, cache-ip, client-domain, client-ip, client-port, contains, group, server-domain, server-ip, time, url, Smartfilter, wwfilter
<variable> <value> - server-port 1 - 1024 <value> <variable> matches <regex> URL matches "^http://[09.]+/redcodeworm.asp\?X+"
TECHNICAL REPORT
Order 1 2
Description Check global settings that control authentication for protocol requests. Check ACL permission settings for the applicable group in the appliance user database. User and group rules explicitly allow, deny, or redirect requests. User and group ACLs have precedence over request type, global, contentfiltering application, and group access permissions.
Request type rules control specific types of traffic. Access control rules are processed only for requests of a particular type or protocol, such as HTTP. Request type access controls have precedence over global and content-filtering (Smartfilter, Websense, and Webwasher) access controls. If a request type rule explicitly allows, denies, or redirects a request, the rule is implemented regardless of any rules configured in the global ACL option and any content category restrictions set in the content-filtering options.
4 5
Accelerator Global
If a request originates from a Web accelerator (reverse proxy), this ACL is checked. Global rules impose restrictions on traffic by allowing you to specify variables, such as a user name and a URL. Global access controls have precedence over content-filtering applications such as SmartFilter, Websense, and WebWasher. If a global rule explicitly allows, denies, or redirects a request, the rule is implemented regardless of any content category restrictions set in the content-filtering options.
Content-filtering applications
Control filters (Smartfilter, Websense, and Webwasher) restrict access to Web sites that contain objectionable content. These rules apply only to URLs that are not explicitly allowed, denied, or redirected by global or request type options. Group access permissions specify default access to services for groups and control rewrites or redirects for blocked requests. Default rules apply to requests that have no rule matches.
TECHNICAL REPORT
This set of ACL entries forms a policy that can be stated as follows: Authenticate all HTTP requests with one of the configured databases. If the authenticated user is a member of group "lazypeople" and that user requests one of the filter list's blocked URLs in the games category between 9:00 a.m. and 5:00 p.m., deny the request. Otherwise, allow HTTP access for non-game-related Web sites to the group "lazypeople" and allow unrestricted HTTP access to other authenticated users who are not members of "lazypeople." Allow clients to access only streaming media content encoded at a bit rate less than 220kb per second between the work hours of 9:00 a.m. and 5:00 p.m. Deny any FTP requests.
TECHNICAL REPORT
TECHNICAL REPORT
Security filters. To detect embedded objects and media types such as JavaScript, macros, and ActiveX content Advertising filters. To eliminate pop-up windows, banner ads, scripts, applets, and flash animations accompanying Web pages and URLs Privacy filters. For protection from cookies, Web bugs, and referrers Customer categories.7 Added for more granular control for URL filtering Coaching.8 Provides an information page and then allows or blocks access
5.5. Phishing
The NetCache URL-filtering feature enables you to block users from visiting phishing sites, which fool the user into thinking that they are legitimate sites and attempt to collect confidential information such as credit card details, bank account details, and so on from the user.
6. Summary
The NetApp Internet access and security solution plays a fundamental role in controlling access to information. The solution's ability to integrate into preexisting security architectures allows organizations to gain greater control over their network access and usage while minimizing implementation and management costs.
1 2
In a forward-proxy deployment, the NetCache appliance acts as a client accelerator, intercepting and making requests for content on behalf
TECHNICAL REPORT
of the client. Internet gateway deployments, for example, are typically in forward-proxy mode.
3
In a reverse-proxy deployment, the NetCache appliance acts as a server accelerator, servicing client requests on behalf of the server. Web
acceleration helps to offload busy Web servers and adds a layer of protection between the server and clients.
4 5
The Webwasher CSM suite incorporates virus-scanning engines from McAfee and Computer Associates. For more information on ICAP, visit www.i-cap.org. All the filters listed are supported through the Webwasher off-box solution. Supported also through the Secure Computing off-box solution. Supported also through Secure computing off-box solution. Security partners: Secure Computing, Websense, and Webwasher. www.netapp.com/tech_library/3333.html. www.netapp.com/ftp/spyware-security-threat.pdf.
10
11
2005 Network Appliance, Inc. All rights reserved. Specifications subject to change without notice. NetApp, NetCache, and the Network Network Appliance Inc. Appliance logo are registered trademarks and Network Appliance, DataFabric, and The evolution of storage are trademarks of Network Appliance, Inc., in the U.S. and other countries. Oracle is a registered trademark of Oracle Corporation. All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such.
10