eSafe Exposure
Aladdin Knowledge Systems © 2003, version 2.0, slide 1 of 23

Slide 1: eSafe Implementation Topologies

Slide 2: CVP Implementations

Slide 3: Using ESG CVP + ESM SMTP
[Diagram labels: Mail Relay; Mail Server/Exchange Server; DMZ; Internal Network; ESG CVP; ESM SMTP; HTTP/FTP; SMTP]

Slide 4: Load balancing with ESG CVP
[Diagram labels: Mail Relay; Mail Server/Exchange Server; DMZ; Internal Network; ESG CVP; ESG CVP]
Options:
1. Using an extra CR for HTTP, FTP and SMTP
2. Using an extra CR for SMTP only
3. Using FW-1 CVP load-sharing

Slide 5: NitroInspection™

Slide 6: Standard ESG NitroInspection implementation
[Diagram labels: Mail Relay; Mail Server/Exchange Server; DMZ; Internal Network; HTTP/SMTP/FTP; ESG]

Slide 7: ESG NI (NitroInspection) + ESM SMTP
[Diagram labels: Mail Relay; Mail Server/Exchange Server; DMZ; Internal Network; ESM SMTP; HTTP/FTP; SMTP; ESG]

Slide 8: ESM for Exchange + ESM SMTP
[Diagram labels: Mail Relay; Mail Server; DMZ; Internal Network; ESM for Exchange; Mail Traffic; ESM SMTP; SMTP]

Slide 9: Load Balancing / High Availability

Slide 10: Multi-LAN ESG NI
[Diagram labels: Mail Relay; Mail Server/Exchange Server; DMZ; Internal Network; ESG NI; Second Network]

Slide 11: Load balancing with ESG NitroInspection
[Diagram labels: Mail Relay; Mail Server; DMZ; Internal Network; ESG CR+CI; ESG CI; ESG CI]

Slide 12: ESG NI with hardware load-balancers (Alteon, F5, CSS…)
[Diagram labels: Mail Relay; Mail Server; DMZ; Internal Network; ESG; ESG; Load balancers + HA]

Slide 13: ESG NI smart L4/L7 switches (no single point of failure)
[Diagram labels: Web server; Mail Server; DMZ; Internal Network; ESG; L4/L7 switch]
Only HTTP traffic is redirected.

Slide 14: ESG NI load-balancing with StoneSoft SecurityCluster

Slide 15: High Capacity Content Security (with Radware CID)
[Diagram labels: Internal Network; Aladdin/Radware Content Manager; HTTP: HTML only; HTTP/FTP: ZIP only; HTTP/FTP: all other; SMTP only; ESG HTML-only inspector; ESG HTML/FTP archive inspector; ESG HTML all other content inspector; ESM SMTP content inspector]
Other protocols and trusted HTTP traffic bypass the content inspectors (according to MIME type).
MIME type based content routing.
Built-in high availability and load balancing.

Slide 16: High Capacity Content Security (with Radware CID)
[Diagram labels: LAN; eSafe Content Security Farm; Radware CSD-AV; FW; Potentially Malicious Content: EXE, ZIP, HTML; ESG1; ESG2; ESG3; ESM1]
ESG1 – HTTP traffic, only HTMLs
ESG2 – HTTP/FTP traffic, only archive (zip) files
ESG3 – HTTP/FTP all other traffic
ESM1 – SMTP traffic
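As an added example (not Aladdin's or Radware's code) of the MIME-type based routing that the content security farm on slides 15 and 16 describes, this Python dispatcher assigns HTTP/FTP/SMTP content to the ESG1/ESG2/ESG3/ESM1 pools by declared Content-Type and adds a magic-byte check so that a ZIP labelled as HTML still reaches the archive inspector instead of the HTML-only one. The Message class, the `trusted` flag and the ZIP-only archive rule are this example's assumptions.

```python
from dataclasses import dataclass

# Inspector pools named on the slide: ESG1 = HTML only, ESG2 = archive (zip)
# files, ESG3 = all other HTTP/FTP content, ESM1 = SMTP. "bypass" stands for
# the trusted HTTP traffic and the non-HTTP/FTP/SMTP protocols that the slide
# routes around the content inspectors.

@dataclass
class Message:
    protocol: str         # "http", "ftp" or "smtp"
    content_type: str     # Content-Type declared by the server (may be wrong)
    body: bytes
    trusted: bool = False  # assumption: set by the content manager for trusted sources

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

def sniff(body: bytes) -> str:
    """Classify by leading bytes; assumption: only ZIP counts as an archive, as on the slide."""
    if body.startswith(ZIP_MAGIC):
        return "archive"
    if body.lstrip()[:16].lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    return "other"

def route(msg: Message) -> str:
    """Return the inspector pool that should receive one message."""
    if msg.protocol == "smtp":
        return "ESM1"
    if msg.protocol not in ("http", "ftp"):
        return "bypass"   # other protocols are not inspected
    declared = msg.content_type.split(";")[0].strip().lower()
    actual = sniff(msg.body)
    if actual == "archive":
        return "ESG2"     # ZIP bytes go to the archive inspector whatever the header says
    if declared == "text/html" and actual == "html":
        # trusted HTML bypasses only when the declared and sniffed types agree
        return "bypass" if msg.trusted and msg.protocol == "http" else "ESG1"
    return "ESG3"         # everything else, including header/body mismatches

if __name__ == "__main__":
    # constructed sample traffic, not captured data
    samples = [
        Message("http", "text/html", b"<html><body>hello</body></html>"),
        Message("http", "application/zip", b"PK\x03\x04" + b"\0" * 26),
        Message("http", "text/html", b"PK\x03\x04" + b"\0" * 26),  # mislabelled archive
        Message("ftp", "application/octet-stream", b"MZ\x90\x00"),
        Message("smtp", "message/rfc822", b"From: a@example.test\r\n"),
    ]
    for m in samples:
        print(m.protocol, m.content_type, "->", route(m))
```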

Slide 17: HTTP Proxy environments

Slide 18: ESG NI in a DMZ with a Firewall and a Proxy
[Diagram labels: Mail Server/Exchange Server; DMZ; Internal Network; HTTP; ESG; Mail Relay; ESM SMTP; Proxy]
All internal IPs are defined as Trusted Destinations.
Only HTTP/FTP requests from the proxy are inspected.

Slide 19: ESG NitroInspection™ with a switch and a Proxy
[Diagram labels: Mail Server/Exchange Server; DMZ; Internal Network; ESG NI; Proxy; ESM SMTP; SMTP; Proxy's Default Gateway]

Slide 20: Throughput

Slide 21: Internet Connection Naming Convention
• ISDN = 64Kbit/sec
• USA:
  – DS1/T1 – 24 * ISDN = 1.544Mbit
  – DS2/T2 – 4 * T1 = 6.176Mbit
  – DS3/T3 – 28 * T1 = 44.736Mbit
• Europe:
  – E1 = 2Mbit
  – E2 = 8Mbit
  – E3 = 34Mbit
• OC1 = 55Mbit
• OC3 = 155Mbit

Slide 22: eSafe Gateway (NitroInspection)
Bandwidth / Number of Users; each bandwidth column gives the CR + CI units:
Columns: T1/E1 (1.5-2Mbit) | T2 (6Mbit) | E2/2*T2 (8-12Mbit) | T3/OC1 (45-55Mbit) | OC3 (155Mbit)
10-200: 1 | 1 | 1 | 2 | N/A | N/A
200-1000: 1 * HTTP, 1 * SMTP | 1 * HTTP, 1 * SMTP | 2 | 2 * HTTP, 1 * SMTP | 2 | N/A | N/A
1000+: N/A | 1 * HTTP, 1 * SMTP | 3 | 3 * HTTP, 2 * SMTP | 3 | 10 * HTTP, 2 * SMTP | 10 | N/A
1000+ High Capacity: N/A | N/A | N/A | 4 * HTTP, 2 * SMTP | 8 * HTTP, 2 * SMTP
• Load balancing is done using a 3rd party device
• High capacity is done using Radware CSD

Slide 23: eSafe Gateway CVP
Bandwidth / Number of Users; each bandwidth column gives the CR units:
Columns: T1/E1 (1.5/2Mbit) | T2 (6Mbit) | E2/2*T2 (8/12Mbit) | T3/OC1 (45/55Mbit) | OC3 (155Mbit)
10-200: 1 | 2 | 3 | N/A | N/A
200-1000: 1 * HTTP, 1 * SMTP | 2 * HTTP, 1 * SMTP | 3 * HTTP, 1 * SMTP | N/A | N/A
1000+: N/A | 3 * HTTP, 1 * SMTP | 4 * HTTP, 2 * SMTP | N/A | N/A
* Load balancing for CRs is done using CVP

Slide 24: eSafe Mail / SMTP
• One eSafe Mail is capable of processing on average:
  – 40,000 to 60,000 emails in one hour
  – 10,000 employees sending/receiving 50 emails in one working day
• Load balancing can be done with:
  – Check Point CVP
  – DNS MX records
  – 3rd party load balancer (Radware, F5, CSS, Alteon etc.)