NSE 1 - Module 1 - Data Center Firewall


Upload: gabriel-jurado-leon

Post on 11-Jul-2016


Description: Module 1 for the FORTINET certification.

NSE 1 - Module 1 - Data Center Firewall

Study Guide for NSE 1: Datacenter Firewall 2016

Study Guide for NSE 1: Datacenter Firewall

February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions


Contents

Figures (p. iii)
Data Center Firewall (p. 1)
  Data Center Evolution (p. 1)
  Market Trends Affecting Data Centers (p. 1)
    Infrastructure Integration (p. 2)
    Edge vs. Core Data Center Firewalls (p. 2)
  Data Center Firewall Characteristics (p. 4)
    Virtual Firewalls (p. 8)
  Data Center Network Services (p. 10)
    Application Systems (p. 11)
    Application Services (p. 12)
  Summary (p. 14)
Key Acronyms (p. 15)
Glossary (p. 17)
References (p. 20)


Figures

Figure 1. Notional edge firewall configuration. (p. 3)
Figure 2. Notional data center firewall deployment. (p. 4)
Figure 3. Data center firewall adaptability to evolving capabilities. (p. 5)
Figure 4. Data center in a distributed enterprise network. (p. 6)
Figure 5. Data center firewall requirements. (p. 8)
Figure 6. North-South (Physical) vs. East-West (Virtual) traffic. (p. 9)
Figure 7. Notional network. (p. 11)
Figure 8. Differences between IaaS, PaaS, and SaaS. (p. 12)
Figure 9. Examples of businesses using IaaS, PaaS, and SaaS cloud models. (p. 13)


Data Center Firewall

Data centers have become abundant in the increasingly technology-based business environment of the 21st Century. Because of this growth, data centers provide a new field for trends in computing and networking, driving revisions to IT infrastructure strategies and, along with new strategies, new methods to bolster network security. Presented in this module are characteristics and functions of data center firewalls as they apply to networks and applications.

Data Center Evolution

A common notion in today’s business environment is that “No matter what business you are in, you are a technology business.” In the 21st Century, this is not only true of large businesses, but also applies to successful small and medium businesses (SMB). Modern data centers typically contain servers with a variety of purposes, including web, application, and database servers.

Along with the growing use of technology came a need not only to develop more specialized applications but also to develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations—the Data Center. As new technologies for end users of computing platforms evolve, so must security measures for the data centers they will access for operations such as email, social media, banking, shopping, education, and myriad other purposes. Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.

Market Trends Affecting Data Centers

As mentioned previously, consumer trends influenced data center development; however, the business sector was also instrumental in spurring on this development. As technology evolved, businesses learned to step to the leading edge of innovation in order to get ahead—or stay ahead—of competing enterprises. To this end, changes in business practices that influenced data center development included:

Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private or hybrid.

Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.

BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.

Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.

The Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are known as having “ambient intelligence.”

Infrastructure Integration

Meeting the challenge of data center growth while maintaining throughput capability requires the use of technology integration to reduce the potential for signal loss and speed reduction caused by bridging and security barriers between ad hoc arrangements of independent appliances. There are definitely two camps on what should be at the heart of a modern firewall, with two types of hybrid design being prevalent:

CPU + OTS ASIC. A design whereby a general-purpose central processing unit (CPU) is augmented by an off-the-shelf (OTS) processor.

CPU + Custom ASIC. The most difficult but best design, bringing together a general CPU linked closely to a number of custom-built application-specific integrated circuits (ASICs). By matching ASICs that are designed to handle the specific tasks for which the processor and device are intended, the ability to process data is enhanced and system performance is optimized.

On one side, there are vendors who want to use an off-the-shelf (OTS) central processing unit (CPU) design. This is the simplest design but suffers from performance degradation. On the other side are those advocating the use of hybrid designs, merging CPUs with application-specific integrated circuits (ASIC), which are more efficient and may provide the necessary infrastructure to meet the demand for throughput, growth, and security.

Edge vs. Core Data Center Firewalls

Edge Firewall. Implemented at the edge of a network in order to protect the network against potential attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—the gatekeeper. In addition to gatekeeper duties, the edge firewall may have capabilities added as other security appliances are linked to the firewall. This method, however, leads to a complex architecture that results in complex network—and security—controls. A typical edge firewall is depicted in Figure 1.


Figure 1. Notional edge firewall configuration.

Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions, such as segregating internal resources from access by malicious insiders, and ensuring compliance with regulations protecting consumer, patient, and other sensitive user data. These functions are referred to as Multi-Layered Security, and may include:

IP Security (IPSec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [1]

These functions work together, providing integrated security for the data center, concurrently providing consolidated, clear control for administrators while presenting complex barriers to potential threats. Figure 2 shows a notional data center firewall deployment, providing gatekeeper duty and integrated security solutions (as depicted in Figure 1, above), with simplified control and complex protection.


Figure 2. Notional data center firewall deployment.

Data Center Firewall Characteristics

As end user devices and activities evolve, data centers must evolve to ensure both service and security keep pace. Some market trends affecting data centers include increasing use of mobile devices, employee device portability—or BYOD, data center consolidation through server virtualization, cloud computing, and software-defined networking.

The key benefit of a data center network core firewall configuration with high speed, high throughput, and low latency is the ability to evolve as technology develops:

Throughput speeds have the potential to double every 18 months
High-speed 40/100 GbE ports are already going into existing systems
External users are moving from Internet Protocol version 4 (IPv4) to IPv6

Figure 3 (next page) illustrates how the data center firewall is adaptable to evolving technology and user trends.


Figure 3. Data center firewall adaptability to evolving capabilities.

Size Matters. Historically, a determining factor in network firewall selection included consideration based on the number of users—both internal and external—accessing the network or its components. Using data center firewalls in small and medium businesses (SMB) makes sense, because modern data center firewall systems provide higher throughput speeds, higher connectivity (port capacity), and a higher capacity for concurrent sessions.

As a business or organization grows and network access begins to grow into multiple locations and thousands of users, the option to consider using an enterprise campus firewall may become a necessary investment. While the capacity to handle thousands of users and multiple locations may be accomplished with enterprise firewalls, the trade-off is in the need for redundancy to ensure reliability—resulting in significantly higher costs and equipment complexity—and the need for extensive training if an organization intends to self-manage the enterprise firewall. Because of these complexities, enterprise data centers may reside on-premises at a company site, in a dedicated co-location space in a provider’s data center facility, or as an outsourced service in a multi-tenant provider cloud environment.


Figure 4. Data center in a distributed enterprise network.

Because of the increasing size and complexity of data center operations and the needs of external users—as well as the increased costs associated with enterprise firewall equipment and training needs—companies may decide to outsource data center security operations to a third party, or Managed Security Service Provider (MSSP). A growing market along with evolving technologies, MSSPs provide a wide range of network security services, from one-time services—such as configuring routers—to ongoing services such as network monitoring, upgrade, and configuration. This provides small and medium businesses (SMB) enhanced capabilities without having to increase technical staff, while providing large and high-visibility businesses with supplemental protection beyond their technical staff.

When deciding on whether to engage an MSSP for network security operations, a number of considerations must be taken into account. From the most basic perspective, the MSSP should align with your business and security philosophy. Will they sign a non-disclosure agreement, so details about your company’s security will be secure? The MSSP needs to be highly available to you, especially if you run 24/7 operations and reach a global audience (and who on the Internet doesn’t these days?). It is worth a visit to their facility to check out their operations and talk with staff. The MSSP’s service must be sustainable—what are their redundancy capabilities in case of primary system failures or disaster; what is the likelihood they may go out of business (the market is still maturing and the current failure rate is high)? Identify clearly the level of serviceability you can expect from the MSSP—demand a strong service level agreement (SLA) spelling out all roles and responsibilities for both parties. These requirements are foundational to success with using an MSSP to manage data center security.


As cloud services and software-defined networks (SDNs) became prevalent, network functions virtualization (NFV) such as VMware NSX and Cisco ACI also began to take the place of physical devices, encapsulating appliances such as firewalls, load balancers, and switches as scalable virtual appliances within the same physical devices. The emergence of OpenFlow from behind the research lab walls and into mainstream management in cellular, TELCO, and data center operations has brought major network operators and manufacturers onboard in making OpenFlow the standard protocol for communications between controllers and network switches in the SDN—or virtual—environment. The OpenFlow protocol abstracts the network control plane from the data plane in order to program network traffic flows to be more dynamic and automated.

As virtualization and SDN deployment expanded, the practice became available for implementation by private individuals and organizations outside the traditional boundaries of those with large amounts of available capital and resources. With broad availability of open-source software enabling low-cost network development, cloud computing has reached into the realm of private and personal clouds. One popular open-source platform for cloud computing is OpenStack, which provides the capability to develop and manage private and public clouds, even providing compatibility with popular enterprise and open-source technologies for controlling large pools of data center computing, storage, and networking resources.

By designing and implementing network infrastructures combining high throughput with a dynamic software-defined network (SDN), the data center firewall provides the capability to evolve with consumer and industry trends. To accomplish this, data center firewalls must focus on three primary areas as foundations for security: performance, segmentation, and simplification.

Performance. As the need for network speeds to accelerate continues, the data center will be at the forefront of network design enabling higher performance through high-speed, high-capacity, and low-latency firewalls. Currently, the minimum required throughput of a data center firewall is 10 Gbps, with an expectation by large company data center users that throughput may be increased up to an aggregate 100+ Gbps. Similarly, enabling high throughput requires a minimum port connectivity of 10 Gigabits for Ethernet ports on the data center firewall, with some capabilities already expanding into the 40-100 Gigabit range.

Segmentation. With the evolution of IT devices and evolving network threats, organizations using data centers have adopted network segmentation as a best practice to isolate critical data against potential threats. Common data isolation criteria include applications, user groups, regulatory requirements, business functions, trust levels, and locations. To support the use of network segmentation in the network security schema, data center firewalls must provide high density and logical abstraction supporting both physical and virtual segmentation clouds. Benefits include keeping sensitive data partitioned from unauthorized access for security and compliance purposes, limiting lateral movement of advanced threats that gain initial footholds in the network, and ensuring employees and users have access to only the services and applications for which they are authorized.


Simplification. Because data centers extend to external users of varying trust levels, there is a need to extend a “Zero-Trust” model for data access beyond the traditional data center edge and into the segmentation throughout the network’s core. This requires a consolidated—simplified—security platform that can manage multiple functions while supporting high-speed network operations. In order to further simplify data center firewall operations, integration of network routing and switching functions into firewall controls provides added centralized visibility and control of network functions and security monitoring. Consolidation may also be accomplished by putting multiple physical server workloads onto a shared physical host by using virtual machines on a hypervisor.

A good example of a data center core firewall that incorporates all the requirements of low latency, high throughput, and high performance is the FortiGate platform line. These firewalls include models that deliver over 100 Gbps performance with less than 5 µs latency (Figure 5).

Figure 5. Data center firewall requirements.

One of the benefits of a data center network core firewall configuration as illustrated in Figure 10 is the ability to evolve as trends in technology develop. With an estimated potential for throughput speeds to double every 18 months, and adoption of high-speed network interfaces such as 40/100Gb Ethernet ports into existing architectures, data center firewalls will need to be ready for the challenge. With these developments, and as external users move from transmitting traffic using Internet Protocol version 4 (IPv4)—which currently carries over 95% of the world’s Internet traffic—to IPv6, firewalls such as the FortiGate line provide the ability to keep pace and maintain data center service and security.

Virtual Firewalls

Traditional firewalls protect physical computer networks—those running on physical hardware and cabling. As such, the most effective means of security was and still is a physical, locked, fire door. This is also referred to as “North-South” traffic. Unlike physical machines and networks, virtual machines operate in a virtual environment, isolated on a host but acting as though they were an independent system or network. Even as a virtual reality, however, the network may be subject to threats and intrusion from external sources. Virtual traffic—that traffic moving laterally between servers without leaving the data center—is referred to as “East-West” traffic (Figure 6).

Today, 60-70% of traffic is E-W because of the trend in virtualization and consolidation – which is why virtual networks are of vital importance in the emergence of data centers and the need for reliable and adaptable data center security in modern networks.

Virtual networks (VLANs) may be used to segment multiple subnets logically on the same physical switch. To secure data being transmitted between virtual machines in a virtual network, the virtual firewall was developed. A virtual firewall is simply a firewall service running entirely within the virtual environment, providing the typical packet filtering and monitoring that would be expected when using a physical device in a physical network. The virtual firewall may take a number of forms: it may be loaded as a traditional software firewall on the virtual host machine, it can be built into the virtual environment, it can be a virtual switch with additional capabilities, or it can be a managed kernel process within the host hypervisor for all virtual machine activity.

Figure 6. North-South (Physical) vs. East-West (Virtual) traffic.

Virtual firewalls may operate in one of two modes, depending on how they are deployed: either bridge mode or hypervisor mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at an inter-network switch or bridge to intercept network traffic needing to travel over the bridge. In this way, the virtual firewall may decide to allow passage, drop, reject, forward, or mirror the packet. This was the standard for early virtual networks and some current networks still retain this model.

In hypervisor mode the virtual firewall is not actually part of the virtual network at all; rather, it resides in the host virtual machine—or hypervisor—in order to capture and analyze packets destined for the virtual network. Since virtual firewalls operating in hypervisor mode are not part of the virtual network in a virtual machine, they are able to run faster within the kernel at native hardware speeds. Examples of popular hypervisors on the market include VMware vSphere, Citrix Xen, and Microsoft HyperV.

As these developments in virtual capabilities occurred, they necessarily gave way to a new paradigm by which to consider the definition of the data center itself. Instead of the need for a traditional physical infrastructure that defines the data center—such as a building or a server room within a structure—what if the paradigm shifted to a data center that resided within a software-defined space? Because of continued evolution of virtual technology, this capability is a reality. The software-defined data center (SDDC) presents a paradigm in which infrastructure such as servers, network, and storage can be logically and dynamically orchestrated without the need for adding or configuring new physical appliances or expanding into new facilities. Because of the virtual nature of these SDDCs, the emergence of on-demand data centers was enabled that provided benefits to small consumers and SMBs, such as pay-as-you-use infrastructure, delivery on demand without extended provisioning times, and no requirement for long-term obligations or contracts. In other words, the emergence of SDDCs provided new paths for economical flexibility in data center definition and operation.

In summary, the flexible deployment capability for data center firewalls provides for targeting of the threats identified as most important to the network or system. Deploying the firewall at the network edge is effective to block external intrusions from accessing the network. Deploying the firewall at the network core provides segmentation in the event that an external threat gains access to the network. At the virtual layer, the firewall is able to monitor traffic between virtual machines (VM).
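The edge-versus-core distinction in the summary above, and the segmentation criteria described earlier (business function, trust level), can be made concrete with a small zone-based policy evaluator. This is an added example, not code from the study guide or from Fortinet; the zones, addresses, ports and rules are constructed for illustration, and the evaluator models an edge-only deployment that never sees east-west traffic next to a core deployment that polices it.

```python
"""Zone-based segmentation policy: edge-only vs. core firewall deployment.

Added example; not part of the study guide. All zones, addresses, ports
and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    trust: int                 # higher = more trusted ("trust levels" criterion)
    networks: Tuple            # ip_network objects belonging to this segment


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]    # None = any port
    action: str                # "accept" or "deny"


# Constructed segments: the untrusted Internet, a DMZ of web servers, an
# application tier and a database tier (segmented by business function).
ZONES = [
    Zone("internet", 0, (ip_network("0.0.0.0/0"),)),
    Zone("dmz-web",  1, (ip_network("10.10.0.0/24"),)),
    Zone("app",      2, (ip_network("10.20.0.0/24"),)),
    Zone("db",       3, (ip_network("10.30.0.0/24"),)),
]

# Core firewall policy: first match wins; anything unmatched is implicitly denied.
# Each tier may only talk to the next tier on its service port.
CORE_POLICY = [
    Rule("internet", "dmz-web", 443, "accept"),
    Rule("dmz-web", "app", 8080, "accept"),
    Rule("app", "db", 5432, "accept"),
]


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ip_address(ip)
    best, best_len = "unknown", -1
    for z in ZONES:
        for net in z.networks:
            if addr in net and net.prefixlen > best_len:
                best, best_len = z.name, net.prefixlen
    return best


def core_decision(src: str, dst: str, port: int) -> str:
    """Core deployment: every inter-zone flow, north-south or east-west, is policed."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "accept"            # intra-zone traffic is out of scope for this policy
    for r in CORE_POLICY:
        if r.src_zone == sz and r.dst_zone == dz and r.dst_port in (None, port):
            return r.action
    return "deny"                  # implicit deny


def edge_decision(src: str, dst: str, port: int) -> str:
    """Edge-only deployment: flows that never cross the edge are simply not seen."""
    sz, dz = zone_of(src), zone_of(dst)
    if "internet" not in (sz, dz):
        return "not-inspected"
    return core_decision(src, dst, port)


def lateral_movement_report(foothold: str, targets: Iterable[str],
                            port: int) -> Dict[str, Dict[str, str]]:
    """For a compromised host, what each deployment does with its east-west traffic."""
    return {t: {"edge": edge_decision(foothold, t, port),
                "core": core_decision(foothold, t, port)} for t in targets}


if __name__ == "__main__":
    # Constructed scenario: a DMZ web server is assumed compromised and tries
    # to reach the database tier directly, bypassing the application tier.
    for target, verdicts in lateral_movement_report(
            "10.10.0.10", ["10.20.0.10", "10.30.0.5"], 5432).items():
        print(target, verdicts)
```

The report shows the page's point directly: the edge firewall returns "not-inspected" for web-to-database traffic, while the core policy denies it because only the application tier is permitted to reach the database port.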

Data Center Network Services

As technology evolved, more and more services moved from running as physically resident to virtual or cloud-based applications to reduce bottlenecks, increase throughput, and optimize data sharing, among other benefits. Data center traffic has increased because of factors such as the increased number of users depending on mobile applications to access data anytime and anyplace, businesses aggregating and storing increasing amounts of data to enable analytics, and increased use of SaaS cloud storage over local physical drive storage appliances. Because of these shifts, networks from distributed enterprises down to SMB and home businesses began to depend on virtual and cloud applications for remote and mobile capability. This led to a parallel focus on development of threats to the application layers of the Open Systems Interconnection (OSI) model, which will be discussed later in this book. The remainder of this module will focus on how the data center serves to facilitate the use of applications in the modern mobile, virtual and cloud-based technology environment.


Application Systems

Application systems typically consist of user interfaces, programming (logic), and databases. A user interface is the control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices. Some application systems have non-visual interfaces that exchange data electronically with other systems in a network. Figure 7 illustrates a notional network.

Programming consists of the scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Many large computers use more than one computer language to drive the system and connect with networks. This allows linking of systems performing specialized functions into a centrally-manageable network.

Databases are simply electronic repositories of data used to store information for the organization in a structured, searchable, and retrievable format. Most databases are configured to facilitate access for downloading, updating, and—when applicable—sharing with other authorized network users.

Figure 7. Notional network.


Computer systems are simply sets of components that are assembled into an integrated package. The heart of a computer system is the central processing unit (CPU), around which various other components such as data storage, drives, displays, memory, input devices, and other peripherals are built. Computer system components may vary in size and complexity and can be designed for single or multiple purposes.

Control is accomplished through user interfaces. The level of application control found in Next Generation Firewalls (NGFWs) is not generally necessary in a data center core firewall, primarily because of the lack of end-users running in the data center itself. Typically, data center applications are accessed and used as cloud services or database information, rather than as platforms for writing and execution of programming by external users.

Application Services

With increasing use of “the cloud” to enable mobile—even global—use of applications and access to organization databases, technology services designed to fulfill the needs of various industries from SMB to large international corporations developed. In today’s market—and the foreseeable future—cloud services continue to grow quickly. Integral to this broad range of services are three primary components: infrastructure (IaaS), platforms (PaaS), and software (SaaS) as services. The primary difference between models rests in responsibility tradeoffs between developer (user) and vendor (provider), as illustrated in Figure 8 [2].

Figure 8. Differences between IaaS, PaaS, and SaaS.


Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service

provider creates the infrastructure, which becomes a self-service platform for the user for accessing,

monitoring, and managing remote data center services. The benefit to IaaS is that the user does not

have to invest large amounts into infrastructure and ongoing upgrades and service, while retaining

operational flexibility. The down side is that this model requires the user to have a higher degree of

technical knowledge—or at least know or employ someone who does. Examples of businesses using the

IaaS model appear in Figure 9.

Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides monitoring and maintenance services for the user. Users of PaaS cloud services have access to “middleware” to assist with application development, as well as inherent characteristics including scalability, high availability, multi-tenancy, SaaS enabling, and other features. This allows the user to focus on what is most important to their business—their application(s). In particular, businesses large or complex enough to employ an enterprise data center model benefit greatly from PaaS because it reduces the amount of coding necessary and automates business policy. Examples of businesses using the PaaS model appear in Figure 14.

Software as a Service (SaaS). The SaaS model represents the largest cloud market and continues to grow. This model takes the final step of bringing the actual software application into the set of functions managed by the provider, with the user having a client interface. Because the application resides in the cloud itself, most SaaS applications may be operated through a web browser without the need to download or install resident software on individual physical systems. This allows businesses to develop software and operational requirements, but to have those requirements written and fulfilled by a third party vendor—although such designs typically involve customization of pre-existing software applications, because SaaS does not provide the broad flexibility of software development options available in the PaaS model. Examples of businesses using the SaaS model appear in Figure 14 [3].

Figure 9. Examples of businesses using IaaS, PaaS, and SaaS cloud models.


The Shared Security Responsibility (SSR) Model. When using application services—“the cloud”—for applications and access to databases, these services come with a shared responsibility for security and operations split between the cloud provider and the cloud tenant. Depending upon which model is chosen for operations—IaaS, PaaS, or SaaS—your level of security responsibility changes in magnitude. Referring back to Figure 8, as you relinquish more control of operations and decision-making/configuration to the vendor/provider, such as with the SaaS model, your degree of security responsibility also declines. Conversely, if you decide to retain more management, such as in the IaaS model, your security responsibility increases in magnitude.

Summary

From an introduction to the current status of computer network options and configurations, to the challenges posed by evolving technologies and advanced threats, this module has prepared a foundation for more focused discussion on emerging threats and the development of network security technologies and processes designed to provide organizations with the tools necessary to defend best against those threats and continue uninterrupted, secure operations. An additional module in this program will focus on the Next Generation Firewall (NGFW), an evolving technology in network security.


Key Acronyms

AAA Authentication, Authorization, and Accounting
AD Active Directory
ADC Application Delivery Controller
ADN Application Delivery Network
ADOM Administrative Domain
AM Antimalware
API Application Programming Interface
APT Advanced Persistent Threat
ASIC Application-Specific Integrated Circuit
ASP Analog Signal Processing
ATP Advanced Threat Protection
AV Antivirus
AV/AM Antivirus/Antimalware
BYOD Bring Your Own Device
CPU Central Processing Unit
DDoS Distributed Denial of Service
DLP Data Leak Prevention
DNS Domain Name System
DoS Denial of Service
DPI Deep Packet Inspection
DSL Digital Subscriber Line
FTP File Transfer Protocol
FW Firewall
Gb Gigabyte
GbE Gigabit Ethernet
Gbps Gigabits per second
GSLB Global Server Load Balancing
GUI Graphical User Interface
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ICSA International Computer Security Association
ID Identification
IDC International Data Corporation
IDS Intrusion Detection System
IM Instant Messaging
IMAP Internet Message Access Protocol
IMAPS Internet Message Access Protocol Secure
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IPTV Internet Protocol Television
IT Information Technology
J2EE Java Platform Enterprise Edition
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLB Link Load Balancing
LOIC Low Orbit Ion Cannon
MSP Managed Service Provider
MSSP Managed Security Service Provider
NGFW Next Generation Firewall
NSS NSS Labs
OSI Open Systems Infrastructure


OTS Off the Shelf
PaaS Platform as a Service
PC Personal Computer
PCI DSS Payment Card Industry Data Security Standard
PHP PHP Hypertext Protocol
POE Power over Ethernet
POP3 Post Office Protocol (v3)
POP3S Post Office Protocol (v3) Secure
QoS Quality of Service
Radius Protocol server for UNIX systems
RDP Remote Desktop Protocol
SaaS Software as a Service
SDN Software-Defined Network
SEG Secure Email Gateway
SFP Small Form-Factor Pluggable
SFTP Secure File Transfer Protocol
SIEM Security Information and Event Management
SLA Service Level Agreement
SM Security Management
SMB Small & Medium Business
SMS Simple Messaging System
SMTP Simple Mail Transfer Protocol
SMTPS Simple Mail Transfer Protocol Secure
SNMP Simple Network Management Protocol
SPoF Single Point of Failure
SQL Structured Query Language
SSL Secure Socket Layer
SWG Secure Web Gateway
SYN Synchronization packet in TCP
Syslog Standard acronym for Computer Message Logging
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS Transport Layer Security
TLS/SSL Transport Layer Security/Secure Socket Layer Authentication
UDP User Datagram Protocol
URL Uniform Resource Locator
USB Universal Serial Bus
UTM Unified Threat Management
VDOM Virtual Domain
VM Virtual Machine
VoIP Voice over Internet Protocol
VPN Virtual Private Network
WAF Web Application Firewall
WANOpt Wide Area Network Optimization
WLAN Wireless Local Area Network
WAN Wide Area Network
XSS Cross-site Scripting


Glossary

ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular use, as opposed to a general-purpose device.

Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.

Bridge Mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at an inter-network switch or bridge to intercept network traffic needing to travel over the bridge.

BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work, whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.

Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private or hybrid.

Computer systems are simply sets of components that are assembled into an integrated package.

CPU. The heart of a computer system is the central processing unit (CPU), around which various other components are built. A CPU is the electronic circuitry within a computer that carries out the instructions of a computer program by performing the basic arithmetic, logical, control, and input/output (I/O) operations specified by the instructions.

Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of functions, including:

IP Security (IPSec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [1]

Databases are simply electronic repositories of data used to store information for the organization in a structured, searchable, and retrievable format.

Edge Firewall. Implemented at the edge of a network in order to protect the network against potential attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall—the gatekeeper.

Hypervisor Mode. In hypervisor mode the virtual firewall is not actually part of the virtual network at all; rather, it resides in the host virtual machine—or hypervisor—in order to capture and analyze packets destined for the virtual network.


Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service provider creates the infrastructure, which becomes a self-service platform for the user for accessing, monitoring, and managing remote data center services.

Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself.

OpenFlow. OpenFlow enables network controllers to determine the path of network packets across a network of switches. The controllers are distinct from the switches. This separation of the control from the forwarding allows for more sophisticated traffic management than is feasible using access control lists (ACLs) and routing protocols. OpenFlow allows switches from different vendors — often each with their own proprietary interfaces and scripting languages — to be managed remotely using a single, open protocol.

NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall appliance instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional firewall with advanced features including:

Intrusion Prevention (IPS)
Deep Packet Inspection (DPI)
Network App ID & Control
Access Enforcement
Distributed Enterprise Capability
“Extra Firewall” Intelligence
Third Party Management Compatibility
VPN
Application Awareness

Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides monitoring and maintenance services for the user.

Programming consists of the scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems.

SDDC. The software-defined data center (SDDC) presents a paradigm in which infrastructure such as servers, network, and storage can be logically and dynamically orchestrated without the need for adding or configuring new physical appliances or expanding into new facilities.

Shared Security Responsibility (SSR) Model. When using application services—“the cloud”—for applications and access to databases, these services come with a shared responsibility for security and operations split between the cloud provider and the cloud tenant.

Software as a Service (SaaS). The SaaS model takes the final step of bringing the actual software application into the set of functions managed by the provider, with the user having a client interface.


Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.

Virtual Firewall. A virtual firewall is simply a firewall service running entirely within the virtual environment, providing the typical packet filtering and monitoring that would be expected when using a physical device in a physical network.

Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

VLAN. Virtual networks (VLANs) may be used to segment multiple subnets logically on the same physical switch.


References

1. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.
2. Frampton, K., The Differences Between IaaS, SaaS, and PaaS. 2013, SmartFile.
3. Bray, G., SaaS vs PaaS vs IaaS. 2010, Stack Exchange.