© 2016 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Enterprise Security Gateway ESG

Enterprise Security Gateway ESG

Level 3 Solution

PREMISES-BASED SECURITY CHALLENGES

• Single points of vulnerability, resource contention, performance impacts

• Operational burden of deploying and managing security technologies at each location

• Maintaining IT Security staff

• Escalating capital expenditures for equipment and maintenance

NETWORK-BASED SECURITY SOLUTION

• Secure: Simplifies centralized management of firewalls and advanced security technologies

• Provides around-the-clock network protection

• Efficient: Decreases operational complexity of in-house systems, compounded by lack of security staff

• Helps reduce capex investment

Connected Enterprise

Evolving Network Architecture: Connectivity and Protection

[Diagram with two panels, "Today’s Customer Environment" and "Future Customer Environment". Labels: HQ; Data Center; Remote Office; Retail; Mobile Employee; Router; Unified Threat Management / Firewall; Advanced Security Services; Secure tunnel (IPsec, GRE); Secure cellular Internet access; Internet Access; VPN; Public Internet; Level 3® MPLS/IP VPN.]

Level 3 Enterprise Security Gateway

• Carrier agnostic

• Service chaining

• Next-gen firewall

• IDS

• AV/AS

• Web content filtering

• Application awareness and control

• Malware sandboxing

• Data loss protection

Level 3 Enterprise Security Gateway (ESG)

Level 3’s Solution

Our Solution:

The new Level 3SM Enterprise Security Gateway (ESG) is a network-based layer of protection, delivered in the cloud, against an increasingly complicated threat landscape. ESG combines a wide range of next-generation security technologies that help organizations stay ahead of threats.

Level 3 Value:

Built on the proven foundation of network-based security, Level 3’s Enterprise Security Gateway delivers cost-effective, flexible and reliable protection wherever business happens, without sacrificing performance.

The Level 3 network acts as a sensor; you have the visibility and control you need to monitor, block and report attempts to break into your network.

Take control of your network security. Own your defense.

Deploying A Multi-Layered Security Approach

Application Awareness and Control identifies, reports, and enforces applications used on the network. Provides usage and risk ratings.

Anti-malware scans, blocks, and reports on malicious code found in network traffic. Sandboxing places unknown anomalous payloads in a protected environment for observation. If the payload acts maliciously, a signature is created and pushed out to devices to detect and mitigate future threats.

Data Loss Protection monitors, prevents, and reports on attempts to send sensitive data.

Web Content Filtering service controls how Internet resources are used based on URL, content, or IP address.

• Inspect and block downloaded website content for malicious code before it reaches users.

• Integrate with Active Directory server for granular policy definition and reporting.

Threat Intelligence correlates traffic against known malicious communication utilizing FortiGUARD and supported by Level 3 proprietary analysis and threat data.

[Diagram with two groups, "PREVENTIVE MULTI-LAYERED SECURITY" and "LOGGING, ANALYTICS AND INTELLIGENCE". Labels: Managed Firewall; Application Awareness and Control; Web Content / URL Filtering; Anti-malware (Sandboxing); Data Loss Protection; Intrusion Detection; Two-Factor Authentication; Security Analytics / Threat Intelligence; SIEM Integration; Security Alerts With Controls; Level 3 Global Security Operations Centers; Level 3SM Professional Security Services; Level 3SM Threat Research Labs.]

Application Awareness And Control

Allows or denies network application usage based on policies established by network administrators

• Granular controls limit usage of popular apps, including databases, web mail, social networking, IM, file transfer apps, etc.

• User notifications

• Customer initiates configuration changes by raising a ticket through MyLevel3 Portal

Anti-malware Sandboxing

Scans, Blocks and Reports on Malicious Code Found in Network Traffic

Pre-Filter

• Traditional filtering to weed out known threats

Observes Behavior: Code Emulation

• Scans files on the network, in emails, in URLs, in network file share locations, and on-demand

• Inspects code to simulate/assess intended activity of code

• Sandboxing detects and blocks threats by observing actual behavior, rather than relying on pre-existing (known) signatures

Analyzes Impact(s): Full Virtual Sandbox

• Executes code within a virtual environment “sandbox”

• Analyzes impact including system changes, exploit efforts, site visits, downloads, botnet communication, etc.

• All activities are logged and analyzed, and a risk rating is returned; this generates real-time, custom threat intelligence updates

Changes:

• Customer initiates configuration changes by raising a ticket through MyLevel3 Portal

Data Loss Protection (DLP)

Examines network traffic and blocks sensitive content from being distributed outside of a customer's organization

• Watermarking: digital pattern added to files

• Pattern Matching: examines files/messages for specific patterns (SSNs, credit card numbers, etc.)

• Document Fingerprinting: tracking movement of documents based on each document's unique “fingerprint”

• File Filtering: files can be filtered based on size, name and type (for example, .exe, .pdf, .doc)

• Changes: Customer initiates configuration changes by raising a ticket through MyLevel3 Portal

[Diagram labels: Internet; DLP Sensor (blocks based on customized or pre-determined regex, etc.); Detects potential data breaches / data exfiltration transmissions in use.]

Level 3 Enterprise Security Gateway Access Methods

Delivering Improved Security Postures For Organizations

• Set up multiple, dedicated VLANs that allow segmentation of assets, such as databases from web servers (802.1Q)

• Deploy VLANs among datacenters or cloud environments

• Engage in Level 3SM Professional Security Services transformation and migration workshops to plan secure transitions

• Optimize infrastructure with flexible, bandwidth-agnostic access methods: IPsec, GRE (SSL and proxy are available 12/2016).

Level 3 Enterprise Security Gateway

• Next-gen firewall / Intrusion detection

• Web content filtering

• Anti-malware sandboxing

• Data loss protection

• Remote access

• Carrier agnostic Internet access

[Diagram labels: VPN Traffic; Internet Traffic; Mobile Employee; Remote Offices; Retail; Branch Offices; Head Office; Internet; Level 3 VPN; IP VPN access; Third-party VPN*; IPsec-GRE tunnel; IPsec tunnel; LTE IPsec tunnel; Proxy,* SSL* or IPsec tunnel; Phase 2.]

* Note that compatibility with third-party VPN, client proxy, and SSL will be available in Dec, 2016.

Deploying ESG Technologies

[Diagram labels: Remote Office; VPN; IPSec Tunnel; Authentication; Internet; Bi-Directional Traffic; Enterprise Security Gateway; Global Policy Management; Global Policy.]

Level 3 Enterprise Security Gateway

• Carrier agnostic

• Service chaining

• Next-gen firewall

• IDS

• AV/AS

• Web content filtering

• Application awareness and control

• Malware sandboxing

• Data loss protection

Secure Access Services – Rolled Up Into ESG

Cost effective connectivity for MPLS/IP VPN Services helps ensure up-time and access

‣ Secure Access Site

• Secure Access Site service allows customers to connect their remote sites’ Local Area Networks to their Level 3 MPLS/IPVPN networks securely over the Internet utilizing secure site-to-site IPsec tunnels.

• Customer can have or procure Internet services from a third party provider (DSL, cable, wireless, etc.)

• This allows a virtual expansion of the MPLS/IPVPN network to unsupported or small office locations.

• It can also be used to back up an MPLS/IPVPN connected site.

[Diagram labels: Primary IP VPN; IPsec; GRE; Internet; Level 3 MPLS/IP VPN; ILEC.]

Secure Access Services – Rolled Up Into ESG

Secure Access Cellular: Keep businesses going and avoid costly downtime

• Immediate cellular backup in the event a customer's Level 3® MPLS/IP VPN primary connection fails

• Provider carrier agnostic: 4G/LTE U.S. nationwide coverage to provide the best possible cell coverage available (Verizon and AT&T)

• Available with Level 3 MPLS/IP VPN service with Level 3 provided Managed Router (Cisco or Adtran) fully managed by Level 3

• Packaged with Level 3SM Secure Access Site for secure backup data transmission via IPsec

• Level 3 provided integrated modem/bridge with backup solution

• Simple flat rate MRC with no usage or overage charges

[Diagram labels: Level 3 Internet; Cellular Providers; Level 3 MPLS/IP VPN Network; IPsec; Branch Offices, Point of Sale locations, ATMs and Kiosks; Corporate Headquarters; Data Center.]

Comprehensive Portal Experience

• Comprehensive and real-time visibility in the MyLevel3SM customer portal.

• Gateway availability, event statistics, and security advisories available.

[Diagram labels: Remote Access; Network; Anti-malware Sandboxing; Next-Gen Firewall; Application Awareness and Control; Web Content Filtering; Data Loss Protection; IDS.]

Enterprise Security Gateway Portal

[Portal screenshot panels: Remote access; Firewall Instances; Threat Intelligence; Application Awareness and Control; ESG Availability.]

*Optional log retention and streaming service provides near-real-time export of logs from the cloud to on-premises SIEM for analysis.

ESG is Backed By Threat Intelligence

Level 3 Threat Research Labs + FortiGuard Labs

• Level 3 Threat Research Labs and Fortinet’s FortiGuard Labs provide proactive protection against the latest security threats with active updating of threat profiles and signatures

• Our Global SIEM ingests logs and threat data to help identify anomalies and potential vulnerabilities

• Security engineers will notify affected customers when threats are identified and update enterprise and Managed Security Services defenses based on these threats

• Level 3 monitors command and control server (C2) activity and malicious IPs, and creates rules to block them on our network and for customers with configuration updates on the ESG platform

Backed By Threat Intelligence

Level 3 Threat Research Labs + FortiGuard Labs

• FortiGuard Labs works 24 x 7 to uncover vulnerabilities and distribute updates to the ESG platform. IDS/IPS, Web and AV/AS controls are updated by Fortinet daily.

• Tens of millions of updates are made per week. In Q4 of 2014 they averaged over 50 million new and updated spam and intrusion prevention rules, URL ratings and AV definitions.

ESG Packages

Basic

• Firewall (NAT) (100 rule set)

• Secure Internet Access (SIA)

• 5 Basic Changes

• Internet Access or VPN IPsec

• GREoIPsec

• Alerting/Detection (IDS)

• Software Updates

• Logging & Reporting

• Management Services

• 24x7 SOC Support Services

• SIEM forensics & analytics

• Log retention (12 mths)

Premium

• Basic package +

• DLP

• Application Awareness

• Unlimited Changes

A-la-Carte: Optional Security Services

• Advanced Services, i.e. >100 Rule

• Anti-Malware (sandboxing)

• Content/URL Filtering (requires F/W)

Customer Benefits

Securing all employees in any location on any device

• Improve your customers' security posture as their business evolves

• Deploy segmentation best practices with VLANs

• Easily layer next-generation security technologies

• Operationalize a uniform global security policy

• Increase efficiencies by adopting carrier agnostic, network based protection with flexible commercial models and access options

• Reduce costs by moving to an OPEX model and control IT/Security headcount

• Simplify management with around-the-clock protection from service provider's Security Operation Center

• Increase control with real-time reporting and self-service capabilities

Why Choose Level 3?

• Broad Global Coverage

– Proximity to customer improves latency

– Localized gateways allow regional support

• Ease Of Deployment

– No client software is required

– Efficiently layer new technologies in a network-based environment (cloud)

• Flexible Connectivity Options

– Supports GRE, IPsec, IP VPN

– Hybrid on-premises and cloud-based deployments

• Breadth of Next-Generation Technology Options

– Comprehensive suite of optional services

– Based on next generation firewall technology

• Increased Efficiencies

– Cloud-based protection with flexible commercial models

• Comprehensive Visibility and Control

– Centralized policy management with visibility through a consolidated portal

– Supported by Level 3 Threat Research Labs and SOC

Thank You

ESG Use Cases

Secure The Remote Workforce And Reduce Internet Latency

Customer Challenge:

• Internet-connected remote workers have introduced security risk vectors into the organization.

• Organizations are unable to react proactively to Internet-based attacks.

• Security controls often provide a manual response to threats.

• Internet-based network deployments are broadening, introducing increased risk.

Level 3 Solution: Enterprise Security Gateway

• Moves inspection of all processes/files from the premises to network edge.

• Provides prevention of inbound and outbound exploits.

• Inspects all traffic for zero day exploits.

• Blocks threats leveraging threat intelligence.

• Scans and filters Internet traffic (browser and application) for APTs and malware.

• Provides centralized policy control.

• Analyzes and correlates threat intelligence into a single SIEM.

• Disseminates updated signatures to network and endpoints.

• Optional data loss prevention (DLP) for all devices available.

Level 3® Enterprise Security Gateway

• Secure Access Site connections

• Intrusion Detection Service (IDS)

• Anti-virus / Anti-spam

• Web content and URL filtering

• Application awareness and control

• Data Loss Protection (DLP)

[Diagram labels: Remote Employee; Remote Office; Router; Secure tunnel (IPsec, GRE); IPsec; Level 3 ESG; www; Public Internet.]

Secure Hybrid Networks: Maintain Cost Efficiencies and Performance

Customer Challenge:

• Due to gains in Internet speeds, organizations are moving to hybrid networking environments to improve costs.

• Introducing more Internet connections in the network can increase the attack surface and risk.

• Reducing connectivity cost to connect remote users to the corporate network can sacrifice security and performance.

Level 3 Solution: Enterprise Security Gateway

• Remote office locations connect to Level 3 Enterprise Security Gateway (ESG) over the Internet using IPsec.

• Inbound and outbound communications are protected by the ESG firewall and web filtering.

• Cost to interconnect offices is reduced due to use of Internet instead of IP VPN.

• Increase in performance due to elimination of backhaul.

Level 3® Enterprise Security Gateway

• Secure Access Site connections

• Intrusion Detection Service (IDS)

• Anti-virus / Anti-spam

• Web content / URL filtering

• Application awareness and control

• Anti-malware sandboxing

• Data Loss Protection (DLP)

[Diagram labels: Remote Employee; Remote Office; Router; Secure tunnel (IPsec, GRE); IPsec; Level 3 ESG; www.]

A Hybrid Approach to Security Management Can Reduce Risk and Augment Support

Customer Challenge:

• As security deployments grow, organizations face an operational burden of deploying and managing security technologies at each location.

• Attracting and maintaining IT Security staff is difficult in an under-resourced job market.

• Capital expenditures for equipment and maintenance are escalating.

Level 3 Solution: Enterprise Security Gateway

• Remote office location and data center connect to Level 3 Enterprise Security Gateway (ESG) over the Internet using IPsec.

• Anti-malware with sandboxing protects all connections.

• Customer can maintain management of premise firewalls by opening the ESG firewall to pass (any-any) traffic unimpeded, and enable anti-malware to inspect traffic.

• 24 x 7 Global Security Operations Center support.

Level 3® Enterprise Security Gateway

• Secure Access connectivity

• Intrusion Detection Service (IDS)

• Anti-virus / Anti-spam

• Web content / URL filtering

• Data Loss Protection (DLP)

• Application awareness and control

• Anti-malware sandboxing

[Diagram labels: Remote Office; Datacenter; Router; Secure tunnel (IPsec, GRE); IPsec; Level 3 ESG; www; Public Internet.]