© 2016 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential.
Enterprise Security Gateway ESG
Level 3 Solution
PREMISES-BASED SECURITY CHALLENGES
• Single points of vulnerability, resource contention, performance impacts
• Operational burden of deploying and managing security technologies at each location
• Maintaining IT Security staff
• Escalating capital expenditures for equipment and maintenance
NETWORK-BASED SECURITY SOLUTION
• Secure: Simplifies centralized management of firewalls and advanced security technologies
• Provides around-the-clock network protection
• Efficient: Decreases operational complexity of in-house systems, compounded by lack of security staff
• Helps reduce capex investment
Connected Enterprise
Evolving Network Architecture Connectivity and Protection
[Diagram: "Today's Customer Environment" and "Future Customer Environment". Elements shown: HQ, data center, remote offices, retail and mobile employees; router, unified threat management / firewall and advanced security services; public Internet, Internet access, VPN, Level 3® MPLS/IP VPN, secure tunnel (IPsec, GRE) and secure cellular Internet access; Level 3 Enterprise Security Gateway.]
Level 3 Enterprise Security Gateway:
• Carrier agnostic
• Service chaining
• Next-gen firewall
• IDS
• AV/AS
• Web content filtering
• Application awareness and control
• Malware sandboxing
• Data loss protection
Our Solution:
The new Level 3SM Enterprise Security Gateway (ESG) is a network-based layer of protection against an increasingly complicated threat landscape, delivered in the cloud. ESG combines a wide range of next-generation security technologies that help organizations stay ahead of threats.
Level 3 Value:
Built on the proven foundation of network-based security, Level 3’s Enterprise Security Gateway delivers cost-effective, flexible and reliable protection wherever business happens — without sacrificing performance.
Because the Level 3 network acts as a sensor, you have the visibility and control you need to monitor, block and report attempts to break into your network.
Take control of your network security. Own your defense.
Level 3 Enterprise Security Gateway (ESG)
Level 3’s Solution
Application Awareness and Control identifies, reports, and enforces applications used on the network. Provides usage and risk ratings.
Anti-malware scans, blocks, and reports on malicious code found in network traffic.
Sandboxing places unknown anomalous payloads in a protected environment for observation. If the payload acts malicious, a signature is created and pushed out to devices to detect and mitigate future threats.
Data Loss Protection monitors, prevents, and reports on attempts to send sensitive data.
Web Content Filtering service controls how Internet resources are used based on URL, content, or IP address.
• Inspect and block downloaded website content for malicious code before it reaches users.
• Integrate with Active Directory server for granular policy definition and reporting.
Threat Intelligence correlates traffic against known malicious communication utilizing FortiGuard and supported by Level 3 proprietary analysis and threat data.
Deploying A Multi-Layered Security Approach
[Diagram: Preventive multi-layered security: Managed Firewall, Application Awareness and Control, Web Content / URL Filtering, Anti-malware (Sandboxing), Data Loss Protection, Intrusion Detection, Two-Factor Authentication. Logging, analytics and intelligence: Security Analytics / Threat Intelligence, SIEM Integration, Security Alerts With Controls. Supported by Level 3 Global Security Operations Centers, Level 3SM Professional Security Services and Level 3SM Threat Research Labs.]
Application Awareness And Control
Allows or denies network application usage based on policies established by network administrators
• Granular controls, limiting usage of popular apps, including databases, web mail, social networking, IM, file transfer apps, etc.
• User notifications
• Customer initiates configuration changes by raising a ticket through MyLevel3 Portal
Anti-malware Sandboxing
Scans, Blocks and Reports on Malicious Code Found in Network Traffic
Pre-Filter
• Traditional filtering to weed out known threats
Observes Behavior: Code Emulation
• Scans files on the network, in emails, in URLs, in network file share locations, and on-demand
• Inspects code to simulate/assess intended activity of code
• Sandboxing detects and blocks threats by observing actual behavior, rather than relying on pre-existing (known) signatures
Analyzes Impact(s): Full Virtual Sandbox
• Executes code within a virtual environment “sandbox”
• Analyzes impact including system changes, exploit efforts, site visits, downloads, botnet communication etc.
• All activities are logged, analyzed and a risk rating is returned – generates real-time, custom threat intelligence updates
Changes:
• Customer initiates configuration changes by raising a ticket through MyLevel3 Portal
Data Loss Protection (DLP)
Examines network traffic and blocks sensitive content from being distributed outside of a customer’s organization
• Watermarking: digital pattern added to files
• Pattern Matching: examines files/messages for specific patterns (SSNs, Credit Card #s etc.)
• Document Fingerprinting: tracking movement of documents based on each document’s unique “fingerprint”
• File Filtering: Files can be filtered based on size, name and type (for example, .exe, .pdf, .doc)
• Changes: Customer initiates configuration changes by raising a ticket through MyLevel3 Portal
[Diagram: DLP sensor between the customer network and the Internet, blocking based on customized or pre-determined regex patterns; detects potential data breaches / data exfiltration transmissions in use.]
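As an added illustration of the Pattern Matching and File Filtering categories above (example code, not Level 3's; the regexes, the attachment policy and the sample messages are constructed for this example), a minimal DLP sensor that flags SSNs and Luhn-valid card numbers in a message body and filters attachments by type and size:

```python
import re
from dataclasses import dataclass, field

# "Pattern Matching" on the slide: SSN and credit card number patterns (constructed).
# The SSN pattern rejects area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# "File Filtering" on the slide: a constructed policy by type and size (assumed values).
BLOCKED_EXTENSIONS = {".exe"}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # 10 MiB


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs that merely look like card numbers are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                              # "allow" or "block"
    reasons: list = field(default_factory=list)


def inspect_message(body: str, attachments) -> Verdict:
    """Return the sensor decision for one outbound message.

    attachments: iterable of (filename, size_in_bytes) tuples.
    """
    reasons = []
    if SSN_RE.search(body):
        reasons.append("pattern:ssn")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            reasons.append("pattern:card")
            break
    for name, size in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"file:type:{ext}")
        if size > MAX_ATTACHMENT_BYTES:
            reasons.append(f"file:size:{name}")
    return Verdict("block" if reasons else "allow", reasons)
```

A production sensor would add the slide's other categories (watermark and fingerprint lookups) as further checks feeding the same verdict.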
Level 3 Enterprise Security Gateway Access Methods
Delivering Improved Security Postures For Organizations
• Set up multiple, dedicated VLANs that allow segmentation of assets, such as databases from web servers (802.1Q)
• Deploy VLANs among datacenters or cloud environments
• Engage in Level 3SM Professional Security Services transformation and migration workshops to plan secure transitions
• Optimize infrastructure with flexible, bandwidth-agnostic access methods: IPsec, GRE (SSL, proxy is available 12/2016).
[Diagram, Phase 2: VPN traffic and Internet traffic from the head office, branch offices, retail, remote offices and mobile employees reach the Level 3 Enterprise Security Gateway over an IPsec-GRE tunnel, IPsec tunnel, LTE IPsec tunnel, proxy* or SSL* tunnel, Level 3 VPN (IP VPN access) or third-party VPN* (IP VPN access).]
• Next-gen firewall / Intrusion detection
• Web content filtering
• Anti-malware sandboxing
• Data loss protection
• Remote access
• Carrier agnostic Internet access
* Note that compatibility with third-party VPN, client proxy, and SSL will be available in Dec, 2016.
Deploying ESG Technologies
[Diagram: a remote office sends bi-directional traffic through an IPsec tunnel, with authentication at each end, to the Enterprise Security Gateway; global policy management applies before traffic reaches the Internet or VPN. Gateway capabilities listed: carrier agnostic, service chaining, next-gen firewall, IDS, AV/AS, web content filtering, application awareness and control, malware sandboxing, data loss protection.]
Secure Access Services – Rolled Up Into ESG
Cost effective connectivity for MPLS/IP VPN Services helps ensure up-time and access
‣ Secure Access Site
• Secure Access Site service allows customers to connect their remote sites’ Local Area Networks to their Level 3 MPLS/IP VPN networks securely over the Internet utilizing secure site-to-site IPsec tunnels.
• Customer can have or procure Internet services from a third-party provider (DSL, cable, wireless, etc.)
• This allows a virtual expansion of the MPLS/IP VPN network to unsupported or small office locations.
• It can also be used to back up an MPLS/IP VPN connected site.
[Diagram labels: Primary IP VPN, ILEC, Internet, IPsec, GRE, Level 3 MPLS/IP VPN.]
Secure Access Services – Rolled Up Into ESG
Secure Access Cellular: Keep businesses going and avoid costly downtime
• Immediate cellular backup in the event a customer’s Level 3® MPLS/IP VPN primary connection fails
• Provider carrier agnostic: 4G/LTE U.S. nationwide coverage to provide the best possible cell coverage available (Verizon and AT&T)
• Available with Level 3 MPLS/IP VPN service with Level 3 provided Managed Router (Cisco or Adtran) fully managed by Level 3
• Packaged with Level 3SM Secure Access Site for secure backup data transmission via IPsec
• Level 3 provided integrated modem/bridge with backup solution
• Simple flat rate MRC with no usage or overage charges
[Diagram: branch offices, point of sale locations, ATMs and kiosks, corporate headquarters and data center reach the Level 3 MPLS/IP VPN network via cellular providers and Level 3 Internet over IPsec.]
Comprehensive Portal Experience
[Diagram: MyLevel3SM portal views for Remote Access, Network, Anti-malware Sandboxing, Next-Gen Firewall, Application Awareness and Control, Web Content Filtering, Data Loss Protection and IDS.]
• Comprehensive and real-time visibility in the MyLevel3SM customer portal.
• Gateway availability, event statistics, and security advisories available.
*Optional log retention and streaming service provides near-real-time export of logs from the cloud to on-premises SIEM for analysis.
Enterprise Security Gateway Portal
[Portal screenshot: Remote access, Firewall Instances, Threat Intelligence, Application Awareness and Control, ESG Availability.]
ESG is Backed By Threat Intelligence
Level 3 Threat Research Labs + FortiGuard Labs
Level 3 Threat Research Labs and Fortinet’s FortiGuard Labs provide proactive protection against the latest security threats with active updating of threat profiles and signatures.
Our Global SIEM ingests logs and threat data to help identify anomalies and potential vulnerabilities.
Security engineers will notify affected customers when threats are identified and update enterprise and Managed Security Services defenses based on these threats.
Level 3 monitors command and control server (C2) activity and malicious IPs, and creates rules to block them on our network and for customers with configuration updates on the ESG platform.
Backed By Threat Intelligence
Level 3 Threat Research Labs + FortiGuard Labs
FortiGuard Labs works 24 x 7 to uncover vulnerabilities and distribute updates to the ESG platform – IDS/IPS, Web and AV/AS controls are updated by Fortinet daily.
Tens of millions of updates are made per week – in Q4 of 2014 they averaged over 50 million new and updated spam and intrusion prevention rules, URL ratings and AV definitions.
ESG Packages
Basic package:
• Firewall (NAT) (100 rule set)
• Secure Internet Access (SIA)
• 5 Basic Changes
• Internet Access or VPN IPsec, GRE over IPsec
• Alerting/Detection (IDS)
• Software Updates
• Logging & Reporting
• Management Services
• 24x7 SOC Support Services
• SIEM forensics & analytics
• Log retention (12 months)
Premium package:
• Basic package, plus
• DLP
• Application Awareness
• Unlimited Changes
A-la-carte optional security services:
• Advanced Services, i.e. >100 rules
• Anti-Malware (sandboxing)
• Content/URL Filtering (requires firewall)
Securing all employees in any location on any device
Customer Benefits
• Improve your customers’ security posture as their business evolves
• Deploy segmentation best practices with VLANs
• Easily layer next-generation security technologies
• Operationalize a uniform global security policy
• Increase efficiencies by adopting carrier agnostic, network based protection with flexible commercial models and access options
• Reduce costs by moving to an OPEX model and control IT/Security headcount
• Simplify management with around-the-clock protection from the service provider’s Security Operation Center
• Increase control with real-time reporting and self-service capabilities
Why Choose Level 3?
• Broad Global Coverage
– Proximity to customer improves latency
– Localized gateways allow regional support
• Ease Of Deployment
– No client software is required
– Efficiently layer new technologies in a network-based environment (cloud)
• Flexible Connectivity Options
– Supports GRE, IPsec, IP VPN
– Hybrid on-premises and cloud-based deployments
• Breadth of Next-Generation Technology Options
– Comprehensive suite of optional services
– Based on next generation firewall technology
• Increased Efficiencies
– Cloud-based protection with flexible commercial models
• Comprehensive Visibility and Control
– Centralized policy management with visibility through a consolidated portal
– Supported by Level 3 Threat Research Labs and SOC
Thank You
ESG Use Cases
Secure The Remote Workforce And Reduce Internet Latency
Customer Challenge:
• Internet-connected remote workers have introduced security risk vectors into the organization.
• Organizations are unable to react proactively to Internet-based attacks.
• Security controls often provide a manual response to threats.
• Internet-based network deployments are broadening, introducing increased risk.
Level 3 Solution: Enterprise Security Gateway
[Diagram: a remote employee and remote offices connect over IPsec through the public Internet to the Level 3 ESG; a router at each site terminates the secure tunnel (IPsec, GRE).]
Level 3® Enterprise Security Gateway:
• Secure Access Site connections
• Intrusion Detection Service (IDS)
• Anti-virus / Anti-spam
• Web content and URL filtering
• Application awareness and control
• Data Loss Protection (DLP)
• Moves inspection of all processes/files from the premises to the network edge.
• Provides prevention of inbound and outbound exploits.
• Inspects all traffic for zero-day exploits.
• Blocks threats leveraging threat intelligence.
• Scans and filters Internet traffic (browser and application) for APTs and malware.
• Provides centralized policy control.
• Analyzes and correlates threat intelligence into a single SIEM.
• Disseminates updated signatures to network and endpoints.
• Optional data loss prevention (DLP) for all devices available.
Secure Hybrid Networks: Maintain Cost Efficiencies and Performance
Customer Challenge:
• Due to gains in Internet speeds, organizations are moving to hybrid networking environments to improve costs.
• Introducing more Internet connections in the network can increase the attack surface and risk.
• Reducing connectivity cost to connect remote users to the corporate network can sacrifice security and performance.
Level 3 Solution: Enterprise Security Gateway
• Remote office locations connect to Level 3 Enterprise Security Gateway (ESG) over the Internet using IPsec.
• Inbound and outbound communications are protected by the ESG firewall and web filtering.
• Cost to interconnect offices is reduced due to use of Internet instead of IP VPN.
• Increase in performance due to elimination of backhaul.
[Diagram: a remote employee and remote offices connect over IPsec to the Level 3 ESG; a router at each site terminates the secure tunnel (IPsec, GRE).]
Level 3® Enterprise Security Gateway:
• Secure Access Site connections
• Intrusion Detection Service (IDS)
• Anti-virus / Anti-spam
• Web content / URL filtering
• Application awareness and control
• Anti-malware sandboxing
• Data Loss Protection (DLP)
A Hybrid Approach to Security Management Can Reduce Risk and Augment Support
Customer Challenge:
• As security deployments grow, organizations face an operational burden of deploying and managing security technologies at each location.
• Attracting and maintaining IT Security staff is difficult in an under-resourced job market.
• Capital expenditures for equipment and maintenance are escalating.
Level 3 Solution: Enterprise Security Gateway
• Remote office location and data center connect to Level 3 Enterprise Security Gateway (ESG) over the Internet using IPsec.
• Anti-malware with sandboxing protects all connections.
• Customer can maintain management of premise firewalls by opening the ESG firewall to pass (any-any) traffic unimpeded, and enable anti-malware to inspect traffic.
• 24 x 7 Global Security Operations Center support.
[Diagram: a remote office and a datacenter connect over IPsec through the public Internet to the Level 3 ESG; a router at each site terminates the secure tunnel (IPsec, GRE).]
Level 3® Enterprise Security Gateway:
• Secure Access connectivity
• Intrusion Detection Service (IDS)
• Anti-virus / Anti-spam
• Web content / URL filtering
• Data Loss Protection (DLP)
• Application awareness and control
• Anti-malware sandboxing