Secure SD-WAN · Secure SD-WAN service description 2.4 by Open Systems, proprietary...


1 Secure SD-WAN service description 2.4 by Open Systems, proprietary open-systems.com

Secure SD-WAN by Open Systems provides all the benefits of SD-WAN while reducing cyber risk, simplifying regulatory compliance, and eliminating the headaches associated with managing an «ecosystem».

Secure SD-WAN packages

Feature                     Business   Enterprise   Enterprise Plus
SD-WAN Base                 X          X            X
Bandwidth Control           X (1)      X            X
Path Selection              X (1)      X            X
Application Optimization               X            X
DNS Filter                  X (2)      X            X
Firewall                               X            X
Secure Web Gateway                     X            X
Unmanaged NDR                          X            X
Managed NDR                                         X
Unified Threat Protection   X          X            X

How Open Systems works and supports your SD-WAN operations

With Open Systems Mission Control, you are never alone – a well-trained team of experienced professionals is always behind you. Highly skilled, certified Open Systems engineers monitor your systems proactively 24x7, handle alerts and ensure compliance with your security policy. Additionally, they work with your IT staff according to clearly defined processes in order to inform you of anomalies as well as perform global changes that are driven by the dynamic needs of your organization. Contacts are notified instantly by SMS, email or phone.

Figure: Open Systems Mission Control 24x7 operations (security analysis, monitoring, coordination, implementation; change summary, documentation, topology update, tickets; proactive intervention, open a ticket, execution and report) together with the customer-side roles MC Company Administrator, MC Company-Unit Administrator and MC Service Administrator, which manage the requirements of clients, users, partners and others.

Highly skilled engineers monitor your systems proactively 24x7 and ensure compliance with your security policy.

1 Limited scope

2 Standard policy

SERVICE DESCRIPTION

Developed in response to customer needs, Secure SD-WAN is enabling digital transformation at some of the world’s leading enterprises. The solution significantly reduces operating costs, enables cloud adoption, decreases downtime, increases application performance and provides protection against today’s most advanced cyberthreats.

Secure SD-WAN

Approved for public use.


People

Calls to Open Systems Mission Control go directly through to people who have the knowledge and infrastructure to tackle and resolve highly complex technical issues. The engineers at Open Systems answer technical questions, analyze the situation with the necessary skill and experience, and offer solutions. All the security engineers have attained a high level of technical education and passed a background check as well as the Open Systems Mission Control certification.

Organization

Open Systems is a high availability organization and a reliable partner that understands security and SD-WAN. Open Systems Mission Control is capable of reacting quickly to urgent large-scale incidents no matter which global location is affected, and has access to a global network of incident response and security teams (FIRST). Open Systems Mission Control engineers also participate in various IT-security consortiums to keep abreast of the latest developments, while the Open Systems global customer base reflects the current operational and security hotspots.

Core processes

Open Systems Mission Control operates according to ISO 27001 standards. The core processes in the area of Open Systems services are assessed annually by an independent auditor and results are presented in a SOC 1 report.

Open Systems Customer Portal

The starting page in the Customer Portal shows an overview of services in real time for all the sites of an organization. A global map summarizes the same data at a glance, which helps users perceive their networks more naturally.

Starting page of the portal shows an overview of services in real time for all the sites of an organization.


Graphs of the network utilization, CPU usage and system load are provided for the machines that the service is running on. A click on a summarizing graph expands the detailed view, with statistics of the last day, week, month, and year.

Statistics generated in real time. A click on a summarizing graph expands the detailed view.

The Customer Portal offers graphical availability statistics of the various services, showing uptime, ISP outage, maintenance, connection down and inactive states over time. Every ISP outage or lost connection is listed, as is the corresponding ticket if a threshold was reached and the issue was escalated to Open Systems Mission Control.

Service availability statistics in the Customer Portal.

Delegated administration

The Customer Portal distinguishes between permissions for managing services and permissions for managing users. To work with services, the following Administrator and Monitor (view only) roles exist for three levels – the whole company, a particular business unit, or a particular service. Additionally, the service Auditor role permits a service Administrator or Monitor to view sensitive data such as logs. For example, you can grant a branch-office employee both the Administrator and Auditor roles for just the Open Systems service being used at that branch. The employee can then monitor the local service, look at its audit trail, view the network topology files associated with the service, create Open Systems tickets and edit notifications. The employee can also look at the service logs, which is helpful for troubleshooting.

To manage the users who work with the Customer Portal, the following Administrator and Monitor roles exist for two levels – the whole company, or a particular business unit. Additionally, the Auditor role permits a user Administrator or Monitor to view the user log files. For example, you can grant a branch-office employee the Administrator role for managing the user data of the local business unit.
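The role model above (two permission domains, Administrator or Monitor at company, business-unit or service scope, and an Auditor add-on that only unlocks logs for someone who already holds a base role) is the kind of check an identity engineer wants to see written down as code. The example below is added here and is not the Customer Portal's own implementation; the company name, the service inventory, the action names and the grant structure are all constructed assumptions made to illustrate the scoping rules described in the text.

```python
from dataclasses import dataclass

COMPANY = "acme"
# Constructed inventory: each Open Systems service belongs to one business unit.
SERVICES = {"fw-zurich": "emea", "fw-boston": "amer", "sdwan-boston": "amer"}


@dataclass(frozen=True)
class Grant:
    domain: str      # "services" (managing services) or "users" (managing portal users)
    role: str        # "Administrator", "Monitor" (view only) or the "Auditor" add-on
    scope_type: str  # "company", "business_unit" or "service" (service scope: services domain only)
    scope_id: str


# action -> (permission domain, weakest role that may perform it, Auditor add-on required)
ACTIONS = {
    "view_service":      ("services", "Monitor", False),
    "edit_service":      ("services", "Administrator", False),  # tickets, notifications
    "view_service_logs": ("services", "Monitor", True),         # sensitive data
    "view_users":        ("users", "Monitor", False),
    "edit_users":        ("users", "Administrator", False),
    "view_user_logs":    ("users", "Monitor", True),
}


def grant_covers(grant, domain, service=None, business_unit=None):
    """Does this grant's scope contain the object being acted on?"""
    if grant.domain != domain:
        return False
    if grant.scope_type == "company":
        return grant.scope_id == COMPANY
    if grant.scope_type == "business_unit":
        target_bu = SERVICES[service] if service is not None else business_unit
        return grant.scope_id == target_bu
    if grant.scope_type == "service":
        return domain == "services" and grant.scope_id == service
    return False


def is_allowed(grants, action, service=None, business_unit=None):
    """Administrator implies Monitor; Auditor alone grants nothing and only
    unlocks log access for a user who already holds a base role in that scope."""
    domain, needed, needs_auditor = ACTIONS[action]
    roles = {g.role for g in grants if grant_covers(g, domain, service, business_unit)}
    has_base = "Administrator" in roles or (needed == "Monitor" and "Monitor" in roles)
    return has_base and (not needs_auditor or "Auditor" in roles)


# The branch-office employee from the text: Administrator + Auditor on one service.
BRANCH_EMPLOYEE = [
    Grant("services", "Administrator", "service", "fw-zurich"),
    Grant("services", "Auditor", "service", "fw-zurich"),
]
# A business-unit user administrator without the Auditor add-on.
BU_USER_ADMIN = [Grant("users", "Administrator", "business_unit", "emea")]
# Company-wide view-only access to services.
COMPANY_MONITOR = [Grant("services", "Monitor", "company", COMPANY)]
```

The point worth checking in any real deployment is the last rule in `is_allowed`: an Auditor grant on its own must not reveal logs, and a grant in one domain (services) must never satisfy an action in the other (users).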


Sign-off

Sign-off contacts can be defined at the business-unit or company level. Only a sign-off contact has the authority to approve changes to a service.

Open Systems services are ISO 27001 certified.

©2020 MS, April 16, 2020

Secure SD-WAN Core Functions (service description 2.4 by Open Systems, proprietary, open-systems.com)

Enable secure site-to-site connections.

SD-WAN Base

WAN Encryption and Routing

The WAN Encryption and Routing feature enables secure site-to-site connections through the internet, MPLS, VSAT or other WAN transport layers, ensuring that all traffic between the sites is automatically encrypted and authenticated. Business-critical data remains secure and the risks of miscellaneous internet eavesdropping are reduced.

Figure (diagrams of a security hub and branch offices): Star topology, partial mesh topology and full mesh topology.

The topology of site interconnections is configurable as star, full mesh or partial mesh. The star topology, also known as «hub and spoke», uses one central switching point that acts as a security hub. In the full mesh topology, each site is capable of directly reaching any other site through the logical circuit. The partial mesh topology, also known as «explicit mesh», does not connect each site to every other site for practical reasons, but implements a few alternative routes to still ensure sufficient network redundancy.

Partitioning is used to divide huge virtual networks into parts, and explicit meshing provides the freedom of selectively connecting any sites according to demand.

Partitioned topology that divides huge virtual networks into parts.
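The trade-off between the three topologies (tunnel count against redundancy) is easy to make concrete. The following example is added here and is not Open Systems code; it models a constructed WAN of one security hub and four branch offices as sets of tunnels, builds the star, full mesh and an explicit partial mesh, and reports which single tunnel failures would partition the network. The site names and the two extra links chosen for the partial mesh are assumptions of the example.

```python
from itertools import combinations

# Constructed example WAN: one security hub and four branch offices.
SITES = ["hub", "branch-a", "branch-b", "branch-c", "branch-d"]


def star_topology(hub, sites):
    """Hub and spoke: each branch has exactly one tunnel, to the security hub."""
    return {frozenset((hub, site)) for site in sites if site != hub}


def full_mesh_topology(sites):
    """Every site has a direct tunnel to every other site."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def partial_mesh_topology(hub, sites, extra_links):
    """Explicit mesh: the star plus a few selectively chosen alternative routes."""
    return star_topology(hub, sites) | {frozenset(link) for link in extra_links}


def reachable(tunnels, start):
    """Set of sites reachable from `start` over the tunnels that are still up."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for tunnel in tunnels:
            if node in tunnel:
                (other,) = tunnel - {node}
                if other not in seen:
                    seen.add(other)
                    stack.append(other)
    return seen


def is_connected(tunnels, sites):
    return reachable(tunnels, sites[0]) == set(sites)


def single_points_of_failure(tunnels, sites):
    """Tunnels whose loss alone partitions the WAN, i.e. links without an alternative route."""
    return sorted(tuple(sorted(t)) for t in tunnels if not is_connected(tunnels - {t}, sites))


def summarize(name, tunnels, sites=SITES):
    """Tunnel count versus redundancy: the trade-off the three topologies make."""
    return {
        "topology": name,
        "tunnels": len(tunnels),
        "single_points_of_failure": len(single_points_of_failure(tunnels, sites)),
    }


if __name__ == "__main__":
    star = star_topology("hub", SITES)
    mesh = full_mesh_topology(SITES)
    partial = partial_mesh_topology("hub", SITES, [("branch-a", "branch-b"), ("branch-c", "branch-d")])
    for name, tunnels in (("star", star), ("full mesh", mesh), ("partial mesh", partial)):
        print(summarize(name, tunnels))
```

With four branches the star needs 4 tunnels and every one of them is a single point of failure, the full mesh needs 10 tunnels and has none, and the partial mesh reaches zero single points of failure with 6 tunnels by pairing branches as each other's alternative route to the hub. The same function, run over a planned partition, tells you which links in an explicit mesh still deserve a second path.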

SERVICE DESCRIPTION

Secure SD-WAN Core Functions

• SD-WAN Base
• Application Visibility
• Bandwidth Control
• Path Selection
• Application Optimization
• DNS Filter


The Customer Portal provides the status and usage information about all VPN connections. Where available, VPN connections are compared with similar links, and their rating is based on Open Systems customer benchmark data.

The Customer Portal provides the status and usage information about all VPN connections.

The VPN tunnel monitoring statistics show latency, packet loss and traffic volume.

Round-trip time in a VPN tunnel for the last 24 hours.


The graphs are available for the last 24 hours, last week, last month and last year.

Packet loss in a VPN tunnel for the last 24 hours.

Routing is either set up as static or dynamic. Routing information can also be propagated to the local LAN to enhance the network performance within and between site-to-site services. The routing table in the Customer Portal shows what networks are reachable over the WAN, which helps analyze routing issues or acts as a pre-check for the reachability of a location.

Routing table in the Customer Portal.


On request, Open Systems Mission Control can measure the de-facto upload and download bandwidth (on VPN-connected internet links). This allows a site to verify the throughput capacity of the ISP line.

Results of real-time bandwidth monitoring from the network toolbox.

DHCP Server

The Dynamic Host Configuration Protocol (DHCP) enables a server to automatically assign an IP address to a machine. The IP addresses are taken from a defined range of numbers that are configured for a specific network.

DHCP Server does standalone, local network configuration allocation. It is locally configured per site and is, therefore, independent of a central security hub or WAN connection.

Figure: Service Delivery Platform with DHCP Server. A client in the branch office sends a DHCP request to the local Service Delivery Platform, which returns the DHCP response. DHCP Server does standalone, local network configuration allocation.

Proxy auto-configuration, dynamic DNS updates and multiple networks and network pools are supported.

DHCP Relay

DHCP Relay performs centrally defined and locally deployed network configuration allocation. Local DHCP requests are relayed to the customer’s central DHCP server, and the answer is sent back to the Service Delivery Platform, which relays it to the original sender. The delivery of the network configuration is conditional on a running network connection between the central DHCP server and the Open Systems Service Delivery Platform. The central DHCP server is usually set up and maintained by the customer.

Figure: Service Delivery Platform with DHCP Relay. A DHCP request from the branch office reaches the Service Delivery Platform, is relayed via the security hub to the central DHCP server, and the DHCP response travels the same way back. DHCP Relay performs centrally defined and locally deployed network configuration allocation.


Application Visibility

Applications that perform well are essential to global business. All sorts of applications constantly compete with each other for network resources, but it is no longer sufficient to just make the network fast with plenty of bandwidth. Now it is necessary to find a way of controlling, monitoring, optimizing and governing how these applications use the network. Additionally, being able to distinguish between the different types of applications makes it possible to focus on those that are critical and necessary for business.

Identify, prioritize and monitor the business-critical applications in your network.


Application Visibility provides an accurate and complete picture of the application landscape on your WAN. You can identify mission-critical business applications such as SAP, prioritize them and get a direct indicator of how healthy your network environment is and how it reflects the user experience.

Application Visibility Dashboard in the Customer Portal.


Bandwidth Control

Bandwidth Control is all about traffic – it ensures that your business-critical applications still perform well 24x7 worldwide, even if your WAN links are congested. As not all network traffic situations are the same, your ISPs are grouped into profiles according to bandwidth, type of link, or link behavior. That way, you can make profile adjustments so the network reacts faster to your business needs and so «greedy» applications don’t monopolize the bandwidth.

Figure: Examples of profiles into which ISPs can be grouped and their priority classes. The profiles shown are 1-5 Mbps ISP (examples: 1 Mbps ISP, 3 Mbps ISP, 4 Mbps ISP), 100 Mbps ISP (examples: 70 Mbps ISP, 100 Mbps ISP, 200 Mbps ISP), High Latency (examples: 512 Kbps ISP, 1 Mbps Regional ISP, 1 Mbps VSAT, 2 Mbps VSAT) and MPLS (examples: 1 Mbps MPLS, 3 Mbps MPLS, 8 Mbps MPLS). Each profile assigns a rate to its top, high, medium and low classes; the four rate sets in the figure are 13%/13%/50%/24%, 20%/30%/30%/20%, 12%/38%/25%/25% and 40%/45%/10%/5%, with subclass splits of 25%/75%, 20%/80%, 50%/50% and 60%/40%.

To make room for top and high-priority traffic, each profile is split into the following priority classes: top, high, medium, and low. The minimum guaranteed bandwidth (rate) and maximum allowed bandwidth (limit) can be configured for all priority classes and subclasses to ensure best reaction times. The Customer Portal shows the bandwidth settings as percentages as well as actual values.

Configuration of Bandwidth Control in the Customer Portal.
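What "rate" and "limit" do to a congested line is clearer as a worked allocation. The example below is an added illustration, not the scheduler Open Systems runs on its platform; it assumes a constructed profile for a 10 Mbps line, a simple two-pass scheme (guarantee each class its rate, then hand spare capacity out in priority order up to each class's limit), and two constructed demand patterns. It also derives the two key statistics the portal tracks per class: whether traffic was queued and whether throughput exceeded the set rate.

```python
# Constructed profile for a 10 Mbps ISP line. Per class: guaranteed rate and
# maximum limit, both as percentages of the line, the way the portal shows them.
LINE_MBPS = 10.0
PROFILE = {"top": (20, 100), "high": (30, 100), "medium": (30, 80), "low": (20, 50)}
PRIORITY = ["top", "high", "medium", "low"]   # order in which spare capacity is handed out


def mbps(percent):
    """Translate a percentage setting into the actual value for this line."""
    return LINE_MBPS * percent / 100


def settings_table():
    """Both views the Customer Portal shows: percentages and actual Mbps."""
    return {cls: {"rate_pct": r, "rate_mbps": mbps(r), "limit_pct": l, "limit_mbps": mbps(l)}
            for cls, (r, l) in PROFILE.items()}


def allocate(demand):
    """Share the line among classes for one scheduling interval (assumed scheme).
    Pass 1 guarantees every class min(demand, rate); pass 2 hands the unused
    capacity to classes in priority order, never beyond a class's limit."""
    alloc = {cls: min(demand.get(cls, 0.0), mbps(PROFILE[cls][0])) for cls in PRIORITY}
    spare = LINE_MBPS - sum(alloc.values())
    for cls in PRIORITY:
        limit = mbps(PROFILE[cls][1])
        wanted = demand.get(cls, 0.0) - alloc[cls]
        extra = max(0.0, min(wanted, limit - alloc[cls], spare))
        alloc[cls] += extra
        spare -= extra
    return alloc


def key_statistics(demand, alloc):
    """The two figures the portal's key statistics track per class: whether traffic
    had to be queued and whether throughput exceeded the class's set rate."""
    return {cls: {"queued": demand.get(cls, 0.0) > alloc[cls],
                  "over_rate": alloc[cls] > mbps(PROFILE[cls][0])} for cls in PRIORITY}


# Constructed offered load in Mbps: 16 Mbps offered on a 10 Mbps line, and 8 Mbps.
CONGESTED = {"top": 1.0, "high": 5.0, "medium": 6.0, "low": 4.0}
QUIET = {"top": 0.5, "high": 1.0, "medium": 2.0, "low": 4.5}

if __name__ == "__main__":
    for name, demand in (("congested", CONGESTED), ("quiet", QUIET)):
        alloc = allocate(demand)
        print(name, alloc, key_statistics(demand, alloc))
```

Under the quiet load the low class is allowed to borrow far above its 20% rate (it runs "over rate" without anyone being queued); under the congested load the same class is cut back to its guarantee and queues, while top traffic is untouched. That asymmetry is exactly how a "greedy" application is kept from monopolizing the line without starving it when capacity is free.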


Bandwidth Control statistics show the throughput in total and by application.

Bandwidth Control statistics in the Customer Portal.

The key statistics show the amount of time that traffic was queued per class for a given time period, and the amount of time that the throughput per class exceeded its set rate.

Key statistics for Bandwidth Control.


A click on a class opens the details that show the subclasses, throughput by subclass, packet drops and packet queue.

Bandwidth Control details showing throughput of the medium class, followed by dropped packets and packet queue, and more information about the subclasses.


ISP Lines dashboard

If Bandwidth Control is part of your portfolio, the ISP Lines dashboard is included to support your capacity planning, so you can check which locations need ISP line upgrades. All registered ISP lines are shown with key figures such as line availability and a usage indicator.

ISP Lines dashboard in the Customer Portal.

The Customer Portal shows the statistics for each connected ISP line, no matter which technology it is based on, for example MPLS and internet. The graph reports the availability of the ISP line, colored in uptime, downtime, maintenance, and inactivity. The corresponding ticket is listed if the escalation threshold was reached and the outage was escalated to Open Systems Mission Control. Customers can configure escalation notifications to be sent by email or text messages.

Yearly availability statistics for an ISP line.


Path Selection

Path Selection is about how traffic gets from one point to another when multiple paths are involved. Policies define which traffic takes which path and what happens when a path is no longer usable or has a significant reduction in performance.

Figure: the three aspects a policy covers. Specifying which traffic uses which path. What happens when a path is no longer available. What happens when there is a significant reduction in performance.


As with Bandwidth Control, profiles are used for the configuration. The profiles allow the same policies to be easily applied to multiple locations.

Figure: locations with MPLS and ISP links (one location with ISP 1 and ISP 2) grouped into profiles. Profiles make it easy to group locations according to policy.

Policies are set on a specific profile to determine what happens with the traffic, but it is still possible to use overrides at a specific location to supersede policies in the profile applied to that location.

Figure (MPLS and ISP links): A profile that sets a policy at large sites for Skype-for-Business traffic to use MPLS, while Office 365 and Salesforce use the internet.
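The three policy questions from the Path Selection section (which traffic uses which path, what happens when a path is down, what happens when it degrades) plus profile overrides per location can be written as a small decision function. The example below is added here and is not the Open Systems policy engine; the profile from the figure (Skype-for-Business on MPLS, Office 365 and Salesforce on the internet), the location names, the Boston override and the latency and loss thresholds are constructed assumptions.

```python
# Constructed profiles: per application a preferred path and a fallback. The
# "default" entry covers applications the profile does not name.
PROFILES = {
    "large-site": {
        "skype-for-business": {"prefer": "mpls", "fallback": "internet"},
        "office-365":         {"prefer": "internet", "fallback": "mpls"},
        "salesforce":         {"prefer": "internet", "fallback": "mpls"},
        "default":            {"prefer": "mpls", "fallback": "internet"},
    },
}

# Locations carry a profile plus optional per-location overrides.
LOCATIONS = {
    "zurich": {"profile": "large-site", "overrides": {}},
    "boston": {"profile": "large-site",
               "overrides": {"office-365": {"prefer": "mpls", "fallback": "internet"}}},
}

# Thresholds (constructed) beyond which a path counts as significantly degraded.
MAX_LATENCY_MS, MAX_LOSS_PCT = 150, 2.0


def policy_for(location, app):
    """Profile policy for the application, superseded by a location override if present."""
    loc = LOCATIONS[location]
    profile = PROFILES[loc["profile"]]
    return loc["overrides"].get(app, profile.get(app, profile["default"]))


def path_healthy(state):
    return state["up"] and state["latency_ms"] <= MAX_LATENCY_MS and state["loss_pct"] <= MAX_LOSS_PCT


def choose_path(location, app, links):
    """Returns (path, reason). Prefers the policy's path while it is healthy, fails over
    when it is down or degraded, and only settles for a degraded-but-up path when no
    healthy path remains, so traffic is not blackholed while some link is still up."""
    policy = policy_for(location, app)
    order = (policy["prefer"], policy["fallback"])
    for path in order:
        if path_healthy(links[path]):
            return path, "preferred" if path == policy["prefer"] else "failover"
    for path in order:
        if links[path]["up"]:
            return path, "degraded"
    return None, "no path"


# Constructed link measurements for three situations.
HEALTHY = {"mpls": {"up": True, "latency_ms": 40, "loss_pct": 0.0},
           "internet": {"up": True, "latency_ms": 60, "loss_pct": 0.1}}
MPLS_DOWN = {"mpls": {"up": False, "latency_ms": 0, "loss_pct": 100.0},
             "internet": HEALTHY["internet"]}
INTERNET_LOSSY = {"mpls": HEALTHY["mpls"],
                  "internet": {"up": True, "latency_ms": 60, "loss_pct": 5.0}}

if __name__ == "__main__":
    for app in ("skype-for-business", "office-365"):
        for name, links in (("healthy", HEALTHY), ("mpls down", MPLS_DOWN), ("internet lossy", INTERNET_LOSSY)):
            print("zurich", app, name, choose_path("zurich", app, links))
```

The override lookup in `policy_for` is where a location-specific decision supersedes the profile, and the two-stage loop in `choose_path` is what separates "no longer usable" from "significant reduction in performance": a degraded path is skipped while a healthy alternative exists, but still used in preference to dropping traffic.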


The statistics for Path Selection are integrated into the application visibility statistics.

Application visibility information that shows the Path Selection statistics.


Make applications even faster by helping to reduce their footprint in the network.


Application Optimization

With everyone connecting on the move, more applications and instant file sharing, bandwidth can be a problem during peak hours at important locations. Due to congested lines, packet loss or long latencies, application performance might be reduced to such a low level that the end-user experience is seriously impacted.

The Application Optimization feature makes applications faster by helping reduce their footprint in the network, because more data can be sent and, in some cases, accessed quicker. A combination of redundancy elimination and optimization techniques is used.

Caching, compression, and protocol optimization.

• Caching stores certain data locally and is effective for repetitive user behavior. Content suitable for caching is identified, and bandwidth is reduced through block-level deduplication. The cache works for uploads and downloads, and across protocols. The caching engine uses advanced rolling hash and indexing techniques to quickly and accurately locate blocks. It transports small block references in place of the original data. This means a file shared via file transfer will also be offloaded if the same file is uploaded or downloaded via HTTP, e.g. if a user requests data already accessed by another user in the WAN, a cached local copy of the data is sent.

• Compression reduces redundancy in real time. Compressed data is transferred by using a lossless compression protocol. Up to 50% reduction in data volumes is achieved for many common uncompressed data types such as XML, Office documents, database queries, file transfers and many web applications.

• Protocol optimization:
  • Reduces HTTP message costs by losslessly encoding lengthy header information.
  • Applies TCP optimization, which switches the WAN link's congestion control algorithm to an adaptive one that is more suitable for links with high latency or high levels of packet loss. This allows the throughput to be maintained at a higher level than with standard congestion control algorithms, which do not cope well with these types of links.
  • Improves the efficiency of the chatty CIFS file sharing protocol by using read-ahead and write-behind optimizations.

Note: Application Optimization is available for the Enterprise and Enterprise+ packages only.
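Block-level deduplication with a rolling hash is the part of the caching bullet that is hard to picture from prose alone: why a file sent once by file transfer is later offloaded when fetched over HTTP, and why an edited copy still mostly turns into references. The example below is added here and is not the Open Systems caching engine; it uses content-defined chunking driven by a Rabin-Karp style polynomial rolling hash, indexes blocks by SHA-256, and sends 32-byte references for blocks both ends already hold. The window size, chunk bounds, the boundary mask and the sample payload are all constructed assumptions; a single cache object stands in for both ends of the link.

```python
import hashlib
import random

WINDOW = 16                 # bytes covered by the rolling hash
MIN_CHUNK, MAX_CHUNK = 64, 512
BOUNDARY_MASK = 0x7F        # cut when the low 7 bits are zero: ~128-byte average chunks
BASE, MOD = 257, 1 << 32


def content_defined_chunks(data):
    """Split bytes into blocks at positions chosen by a Rabin-Karp style rolling hash.
    Because cut points depend on the content in the window rather than on offsets,
    inserting bytes shifts the data without changing most of the blocks around it."""
    chunks, start, h = [], 0, 0
    drop_factor = pow(BASE, WINDOW - 1, MOD)  # weight of the byte leaving the window
    for i, byte in enumerate(data):
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * drop_factor) % MOD
        h = (h * BASE + byte) % MOD
        size = i + 1 - start
        if size >= MAX_CHUNK or (size >= MIN_CHUNK and (h & BOUNDARY_MASK) == 0):
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


class BlockCache:
    """Index of blocks already held on both ends of the WAN link, keyed by SHA-256.
    One object stands in for the sending and the receiving side, which stay in sync."""

    REF_SIZE = 32  # bytes on the wire for a block reference (the SHA-256 digest)

    def __init__(self):
        self.blocks = {}

    def transfer(self, data):
        """Encode `data` for the wire: known blocks as references, new blocks as data.
        Returns the stream and the number of bytes that crossed the link."""
        stream, on_wire = [], 0
        for block in content_defined_chunks(data):
            digest = hashlib.sha256(block).digest()
            if digest in self.blocks:
                stream.append(("ref", digest))
                on_wire += self.REF_SIZE
            else:
                self.blocks[digest] = block          # both ends learn the new block
                stream.append(("data", block))
                on_wire += len(block)
        return stream, on_wire

    def reassemble(self, stream):
        """Receiver side: expand references back into the original bytes."""
        return b"".join(self.blocks[x] if kind == "ref" else x for kind, x in stream)


# Constructed sample payload: 4000 deterministic pseudo-random bytes, then the
# same file with a short insertion in the middle (as after a user edits it).
rng = random.Random(7)
ORIGINAL = bytes(rng.getrandbits(8) for _ in range(4000))
EDITED = ORIGINAL[:2000] + b"--inserted paragraph--" + ORIGINAL[2000:]


def demo():
    """Same cache across protocols: a file fetched once (say by file transfer) is
    offloaded when fetched again over HTTP, and an edited copy sends only new blocks."""
    cache = BlockCache()
    _, first = cache.transfer(ORIGINAL)            # every block is new: full size on the wire
    stream, second = cache.transfer(ORIGINAL)      # references only
    edited_stream, third = cache.transfer(EDITED)  # unchanged blocks still go as references
    return {
        "first_bytes": first,
        "second_bytes": second,
        "third_bytes": third,
        "roundtrip_ok": cache.reassemble(stream) == ORIGINAL
        and cache.reassemble(edited_stream) == EDITED,
    }


if __name__ == "__main__":
    print(demo())
```

The property to notice is in the third transfer: with fixed-size blocks, an insertion would shift every later block and defeat the cache, whereas content-defined boundaries resynchronize a short distance after the edit, so most of the file is still sent as references.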


DNS Filter

The DNS Filter feature stops malware before it can become active. It inspects every DNS query passing through the SD-WAN platform. Responses to DNS queries which resolve disallowed domains are blocked, preventing the response from being delivered to the client. Similar to URL filtering on the Secure Web Gateway, the DNS Filter blocks queries according to domain name categories. A policy defines which categories are allowed, and which categories are blocked. Blacklists and whitelists allow fine-tuning of the policy, and configurable error pages raise user awareness.

DNS Filtering Log Viewer showing which queries were blocked.

Stop malware before it can become active.
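The DNS Filter paragraph describes a policy of allowed and blocked categories, fine-tuned by whitelists and blacklists, applied to each resolved query before the answer reaches the client. The example below is an added illustration of that evaluation order and of the log records a viewer would show; it is not Open Systems code. The category feed, the list precedence (whitelist before blacklist before category), the error-page address and the sample queries are constructed assumptions.

```python
# Constructed category feed; a real deployment uses a categorization database.
CATEGORIES = {
    "example-news.test": "news",
    "malware-dropper.test": "malware",
    "bad-phish.test": "phishing",
    "files.sharing.test": "file-sharing",
}

POLICY = {
    "allowed": {"news", "business"},
    "blocked": {"malware", "phishing", "file-sharing"},
    "default": "allow",          # action for uncategorized domains (assumption)
}
WHITELIST = {"files.sharing.test"}       # fine-tuning: permitted despite its category
BLACKLIST = {"cdn.example-news.test"}    # fine-tuning: blocked despite its category
ERROR_PAGE_IP = "192.0.2.10"   # constructed (TEST-NET) address of the configurable error page


def suffixes(qname):
    """'a.b.example.test' -> ['a.b.example.test', 'b.example.test', 'example.test', 'test']"""
    parts = qname.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def category_of(qname):
    """Longest-suffix match so subdomains inherit the parent domain's category."""
    for name in suffixes(qname):
        if name in CATEGORIES:
            return CATEGORIES[name]
    return "uncategorized"


def on_list(qname, names):
    return any(name in names for name in suffixes(qname))


def evaluate(qname, upstream_answer):
    """Decide on one resolved query. Precedence (an assumption of this example):
    whitelist, then blacklist, then category policy. A blocked query is answered
    with the error page address, so the client never receives the real one."""
    if on_list(qname, WHITELIST):
        return "allow", upstream_answer, "whitelist"
    if on_list(qname, BLACKLIST):
        return "block", ERROR_PAGE_IP, "blacklist"
    category = category_of(qname)
    if category in POLICY["blocked"]:
        return "block", ERROR_PAGE_IP, f"category:{category}"
    if category in POLICY["allowed"]:
        return "allow", upstream_answer, f"category:{category}"
    action = POLICY["default"]
    return action, upstream_answer if action == "allow" else ERROR_PAGE_IP, "default"


def filter_log(queries):
    """Log Viewer style records for a batch of (client, qname, upstream_answer)."""
    rows = []
    for client, qname, answer in queries:
        action, delivered, reason = evaluate(qname, answer)
        rows.append({"client": client, "query": qname, "action": action,
                     "delivered": delivered, "reason": reason})
    return rows


# Constructed traffic sample (addresses from documentation ranges).
SAMPLE = [
    ("10.1.5.20", "www.example-news.test", "203.0.113.10"),
    ("10.1.5.20", "cdn.example-news.test", "203.0.113.11"),
    ("10.1.5.31", "update.malware-dropper.test", "203.0.113.66"),
    ("10.1.5.31", "files.sharing.test", "203.0.113.90"),
    ("10.1.5.44", "intranet.corp.test", "10.200.0.8"),
]

if __name__ == "__main__":
    for row in filter_log(SAMPLE):
        print(row)
```

Two details matter operationally: the suffix walk means a blacklisted or categorized parent domain covers every host beneath it, and the `reason` field is what makes the log viewer useful, since "blocked by blacklist" and "blocked by category" call for different follow-up when a user reports a false positive.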


Integrated Service Management

As an intrinsic part of every Open Systems service, Integrated Service Management delivers flexible technology, maximum transparency, and around-the-clock network security and monitoring by a high-reliability organization. Integrated Service Management closes the gap between security policy and operations, and reduces complexity. The service fee includes the following:

• Service Delivery Platform: All services run on extendable, industrial strength hardware for reliable 24x7 operation. The location of the hardware is flexible, be it on your premises, at a data center or in the cloud. The high availability option provides continuous connectivity if the hardware fails. Open Systems best practices ensure that a hardened operating system is deployed, where only essential tools and utilities are activated and, therefore, cannot lead to unexpected instability and compromised systems. Open Systems Mission Control makes sure that a technical configuration, contacts and escalation procedures are defined, and that all appropriate security-related settings are up to date and configured correctly.

• 24x7 Operations: Highly skilled certified engineers in Open Systems Mission Control monitor your systems proactively and react to breaches within the periods defined in the SLA. The engineers ensure compliance with your security policy and work according to clearly defined processes in order to review and perform global changes that are driven by the dynamic needs of your organization.

After extensive testing procedures, all required security updates and patches are installed on a regular basis, always keeping the systems up to date. The device is capable of booting different releases, which facilitates an effective fallback and rapid recovery if required. All environment-specific configurations are automatically generated, based on the configuration database operated by Open Systems Mission Control. This is an essential part of an efficient disaster recovery process because it makes it possible to generate and reinstall an identical configuration in a very short time.

• Open Systems Customer Portal: The state-of-the-art web portal makes it easy to communicate with Open Systems Mission Control. The portal provides transparency over your network and applications in real time, including reports and tools that support the implementation and management of global IT security and availability.

For more information, see the «Integrated Service Management» service description.


Firewall (service description 2.3 by Open Systems, proprietary, open-systems.com)

A distributed firewall policy is defined centrally and is automatically installed and updated on multiple sites. The policy enforces granular, customer-specific filter rules. Uniform firewall rules can thus be set up at every site of an organization and can include flexible site-specific rules where needed. It includes a stateful packet filter that protects the site from the internet and filters the traffic according to the active modules. For example, a service can include all filter rules that protect the site from the internet and also the rules that allow users to surf through the proxy.

Figure: a global policy managed by global IT is deployed to local firewalls maintained by local IT. Ideal balance between security and operability. Global IT defines a global corporate security policy. Local IT maintains and updates local firewall objects.

The network resources of the distributed firewall policy consist of internal and external components. All internal components are modeled with distributed firewalls, and are the network resources that are under your control. For example, they can be the IP address of an internal web server, the external address for a web server, an internal LAN network or a dynamic IP group that represents all local networks of all sites in the WAN. External resources can be, for example, the IP addresses of the Bloomberg servers.

The process of setting up a global firewall policy is as follows: first, the global network is segmented into different security zones.

1. Zoning: The global network is segmented into different security zones (LAN, WAN, Production, Internet).

SERVICE DESCRIPTION (Firewall)

The Firewall protects an organization’s network servers and end-user machines by filtering traffic from both the internal network and the internet. The firewall offers several major advantages for corporate security, such as central management, logging and access-control granularity, which make it easy to deploy a corporate security policy.


For each zone transition, the policy is defined: drop, reject, or accept. For example, general communication from the LAN to the internet is rejected.

2. Zone transition policy: For each zone transition (between LAN, WAN, Production and Internet), the policy is defined: drop, reject, or accept.

Firewall rules are implemented whenever an exception from the general zone transition policy is needed. For example, using Skype from the LAN to the internet is allowed. Firewall rules can be defined for IPs, DNS names, protocols, ports and applications.

3. Firewall rules: Firewall rules are implemented whenever an exception from the general zone transition policy is needed.

Firewall objects or groups for global rules can be defined per location. Hence, each local administrator can specify which IPs or network segments belong to a certain group (for example the local print servers). All standard services then work automatically through the implemented global firewall rules.

4. Object/Group definition: Firewall objects or groups for global rules can be defined per location.

The core processes in the area of Open Systems services are assessed annually by an independent auditor and results are presented in a SOC 1 report.


The use of dynamic IP group objects and dynamic install targets reveals the full power of distributed firewalls. They allow you to define network resources at an abstract level and avoid manual, error-prone listing of network elements. Every new site that is joined to the WAN automatically becomes part of the distributed firewall policy and is immediately compliant with the security policy.

Dynamic IP group name         | Description
LAN / DMZ network             | The LAN or DMZ network of the site (network at a specific interface)
Site networks                 | All networks of the site (everything behind all internal interfaces)
Customer WAN                  | The set of networks that build the customer WAN
External interface IP address | IP address of the external interfaces of the site

Install targets of distributed firewall rules can be defined based on the location in the WAN or the presence of modules. The following table lists the installation conditions that can be defined. A rule is only applied at a specific site if the installation criteria are fulfilled.

Context                  | Description
Running module x         | Installation if a certain module is subscribed
In country x             | Installation if the service is in a certain country
Being in VPN partition x | Installation if the service is in a certain VPN partition

Log Viewer

The Firewall Log Viewer shows the firewall logs in real time, and it is possible to filter by a specific port, IP address, rule ID or interface, as well as by protocol or action.

Firewall Log Viewer with filter criteria for searches.


Rules, configuration, distributed policy and tickets

The configuration for the Distributed Firewall is available in the Open Systems Customer Portal. It shows the current firewall policy, routing table and interface configuration. It is also possible to view previous versions of the distributed firewall policy.

The current firewall policy shows the rulebase and is fully auditable

Each distributed firewall rule is linked to the corresponding tickets, showing timestamps, detailed descriptions and the complete course of events. If you double-click on a rule, additional context information is shown.

Each rule is linked to the corresponding tickets.


DNS objects

The network and application landscape changes rapidly. The introduction of cloud applications in particular results in high dynamics, making it cumbersome to use filters based on IP addresses. In such cases, it is preferable to create filter rules based on an application's domain name. The firewall makes it possible to create filter rules based on DNS objects, allowing access to applications even if the application server changes or adds IP addresses. To provide reliable resolution and cope with DNS load balancing and GeoIP, it is crucial that the preceding DNS traffic passes through the firewall: the service dynamically learns the IP addresses returned for the name and remembers them until the TTL of the DNS record expires. A connection to an address that the firewall never saw in a DNS answer (for example because the client resolved the name through another path) therefore does not match the DNS-object rule.

The following figure shows a rule with DNS objects in the destination section. Wildcards are possible, e.g. *.office.com applies to all subdomains of office.com.

A rule with DNS objects in the destination section.
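The mechanism described above, as an added example that is not part of the service description or Open Systems' code: the firewall observes DNS answers passing through it, learns name-to-address mappings with their TTL, and matches a DNS-object rule (here the wildcard *.office.com) only against addresses it has learned. The rule, the networks, the DNS answers and the function names are constructed for illustration; the expired and unlearned cases show why the DNS traffic must traverse the firewall.

```python
"""Added example (not Open Systems code): enforcing a firewall rule whose
destination is a DNS object. The firewall learns addresses from DNS answers
that pass through it, remembers each one until the record's TTL expires, and
matches packets against the learned name. Rule, networks, names and DNS answers
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsObject:
    """Destination given as a domain name; '*.office.com' covers every subdomain
    of office.com (not office.com itself), matching the description above."""
    pattern: str

    def matches(self, name: str) -> bool:
        name, pat = name.rstrip(".").lower(), self.pattern.lower()
        if pat.startswith("*."):
            return name.endswith(pat[1:])       # '.office.com' suffix
        return name == pat


@dataclass
class DnsObjectCache:
    """Addresses learned from DNS answers seen by the firewall, keyed by IP.
    Only answers that actually traverse the firewall are learned."""
    learned: dict = field(default_factory=dict)     # ip -> (name, expires_at)

    def observe_answer(self, name: str, ip: str, ttl: int, now: float) -> None:
        self.learned[ip] = (name.rstrip(".").lower(), now + ttl)

    def name_for(self, ip: str, now: float):
        entry = self.learned.get(ip)
        if entry is None:
            return None
        name, expires_at = entry
        if now >= expires_at:                       # TTL ran out: forget the address
            del self.learned[ip]
            return None
        return name


@dataclass
class Rule:
    rule_id: int
    src: str            # source network (CIDR)
    dst: DnsObject      # destination DNS object
    dport: int
    action: str         # "accept" or "drop"


def evaluate(rules, cache, src_ip, dst_ip, dport, now, default="drop"):
    """(action, rule_id) for one packet. A DNS-object rule matches only if dst_ip
    was learned from a DNS answer for a covered name and its TTL is still valid."""
    learned_name = cache.name_for(dst_ip, now)
    for r in rules:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.src):
            continue
        if r.dport != dport or learned_name is None or not r.dst.matches(learned_name):
            continue
        return r.action, r.rule_id
    return default, None


# Constructed policy: the LAN may reach any office.com subdomain over HTTPS.
RULES = [Rule(10, "10.1.0.0/16", DnsObject("*.office.com"), 443, "accept")]


def demo():
    cache = DnsObjectCache()
    # Constructed DNS answers observed on the wire: (name, A record, TTL in seconds).
    cache.observe_answer("outlook.office.com", "203.0.113.10", 300, now=0)
    cache.observe_answer("office.com.evil.example", "203.0.113.99", 300, now=0)
    return {
        "learned":   evaluate(RULES, cache, "10.1.2.3", "203.0.113.10", 443, now=10),
        "lookalike": evaluate(RULES, cache, "10.1.2.3", "203.0.113.99", 443, now=10),
        "unlearned": evaluate(RULES, cache, "10.1.2.3", "203.0.113.20", 443, now=10),
        "expired":   evaluate(RULES, cache, "10.1.2.3", "203.0.113.10", 443, now=301),
    }


if __name__ == "__main__":
    for case, (action, rule_id) in demo().items():
        print(f"{case:10s} -> {action} (rule {rule_id})")
```

Only the "learned" case is accepted: the look-alike name does not end in .office.com, the unlearned address was never seen in a DNS answer, and the expired entry has been forgotten after its 300-second TTL.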


Virtual Packet Tracker

The Virtual Packet Tracker tool makes it possible to track a virtual packet through the firewall. The tool shows how the packet is routed and how it is handled by the firewall policy.

The Virtual Packet Tracker shows how the packet is routed and handled by the firewall policy.
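The four setup steps (zoning, zone transition policy, exception rules, per-location objects), the dynamic IP groups and install-target conditions, and the Virtual Packet Tracker, as one added example that is not part of the service description or Open Systems' code. A policy is written once, compiled per site according to the install criteria, and a virtual packet is traced through the result. Site names, networks, module, country and VPN partition names, and rule IDs are constructed for illustration.

```python
"""Added example (not Open Systems code): a minimal model of a distributed
firewall policy that is defined once and compiled per site, plus a trace of a
virtual packet through the compiled rulebase. Sites, networks, modules, rule
IDs and the module/country/partition names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    country: str
    modules: set                    # subscribed modules, e.g. {"firewall", "proxy"}
    vpn_partition: str
    lan: str                        # dynamic group "LAN network" of the site
    production: str = None          # optional Production network
    objects: dict = field(default_factory=dict)   # local objects, e.g. print servers


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    dst: str                        # network, dynamic group name or local object name
    proto: str
    dport: int
    action: str                     # accept / reject / drop
    module: str = None              # install target: only where this module runs
    country: str = None             # install target: only in this country
    partition: str = None           # install target: only in this VPN partition


# Step 2: default policy per zone transition; transitions not listed are dropped.
TRANSITIONS = {("LAN", "WAN"): "accept", ("LAN", "Production"): "accept",
               ("LAN", "Internet"): "reject", ("WAN", "Production"): "accept"}

# Step 3: exceptions from the zone transition policy, defined once for all sites.
RULES = [
    Rule(100, "LAN", "Internet", "any", "tcp", 443, "accept"),                  # HTTPS out
    Rule(110, "LAN", "Internet", "any", "tcp", 3128, "accept", module="proxy"),
    Rule(200, "WAN", "LAN", "print servers", "tcp", 9100, "accept"),            # step 4 object
    Rule(300, "LAN", "WAN", "customer wan", "tcp", 23, "drop", country="CH"),   # no telnet from CH
    Rule(310, "LAN", "Production", "any", "tcp", 22, "drop", partition="corp"),
]


def installs_on(rule, site):
    """Install-target conditions: running module, country, VPN partition."""
    return ((rule.module is None or rule.module in site.modules) and
            (rule.country is None or rule.country == site.country) and
            (rule.partition is None or rule.partition == site.vpn_partition))


def site_networks(site):
    """Dynamic group "Site networks": everything behind the site's internal interfaces."""
    nets = [site.lan] + ([site.production] if site.production else [])
    return [ipaddress.ip_network(n) for n in nets]


def resolve(dst, site, all_sites):
    """Resolve a dynamic group or local object into concrete networks for one site."""
    if dst == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if dst == "customer wan":                       # dynamic group spanning every site
        return [n for s in all_sites for n in site_networks(s)]
    try:
        return [ipaddress.ip_network(dst)]
    except ValueError:                              # a local object; empty where undefined
        return [ipaddress.ip_network(n) for n in site.objects.get(dst, [])]


def compile_site(site, all_sites):
    """The site's rulebase: rules whose install criteria hold, with resolved targets."""
    return [(r, resolve(r.dst, site, all_sites)) for r in RULES if installs_on(r, site)]


def zone_of(ip, site, all_sites):
    """Step 1: classify an address into a zone, seen from this site."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(site.lan):
        return "LAN"
    if site.production and addr in ipaddress.ip_network(site.production):
        return "Production"
    if any(addr in n for s in all_sites for n in site_networks(s)):
        return "WAN"
    return "Internet"


def trace(site, all_sites, src, dst, proto, dport):
    """Virtual packet tracker: the steps taken and the final action for one packet."""
    sz, dz = zone_of(src, site, all_sites), zone_of(dst, site, all_sites)
    steps = [f"{src} is in zone {sz}", f"{dst} is in zone {dz}"]
    for rule, nets in compile_site(site, all_sites):
        if ((rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (sz, dz, proto, dport)
                and any(ipaddress.ip_address(dst) in n for n in nets)):
            steps.append(f"matched rule {rule.rule_id}: {rule.action}")
            return rule.action, steps
    action = TRANSITIONS.get((sz, dz), "drop")
    steps.append(f"no rule matched, zone transition {sz}->{dz}: {action}")
    return action, steps


# Constructed sites: Zurich runs the proxy module and has a Production network; Boston does not.
ZURICH = Site("zurich", "CH", {"firewall", "proxy"}, "corp", "10.1.0.0/16",
              production="10.200.0.0/16", objects={"print servers": ["10.1.9.0/24"]})
BOSTON = Site("boston", "US", {"firewall"}, "corp", "10.2.0.0/16")
SITES = [ZURICH, BOSTON]

if __name__ == "__main__":
    for pkt in [("10.1.5.5", "203.0.113.7", "tcp", 443), ("10.1.5.5", "203.0.113.7", "tcp", 25),
                ("10.2.7.7", "10.1.9.3", "tcp", 9100), ("10.1.5.5", "10.2.0.9", "tcp", 23)]:
        action, steps = trace(ZURICH, SITES, *pkt)
        print(pkt, "->", action, *("   " + s for s in steps), sep="\n")
```

Compiling the same policy for Boston leaves out rule 110 (no proxy module) and rule 300 (not in CH), and rule 200 resolves to nothing there because Boston has not defined the "print servers" object; the trace makes visible which rule, or which zone transition default, decided a packet's fate.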

Integrated Service Management

As an intrinsic part of every Open Systems service, Integrated Service Management delivers flexible technology, maximum transparency, and around-the-clock network security and monitoring by a high-reliability organization. Integrated Service Management closes the gap between security policy and operations, and reduces complexity. The service fee includes the following:

• Service Delivery Platform: The service runs on extendable, industrial-strength hardware for reliable 24x7 operation. The location of the hardware is flexible, be it on your premises, at a data center or in the cloud. The high availability option provides continuous connectivity if the hardware fails. Open Systems best practices ensure that a hardened operating system is deployed, where only essential tools and utilities are activated and, therefore, cannot lead to unexpected instability and compromised systems. Open Systems Mission Control makes sure that all appropriate security-related settings are up to date and configured correctly.

• 24x7 Operations: Highly skilled certified engineers in Open Systems Mission Control monitor your systems proactively, ensure compliance with your security policy and work according to clearly defined processes in order to review and perform global changes that are driven by the dynamic needs of your organization.


After extensive testing procedures, all required security updates and patches are installed on a regular basis, always keeping the systems up to date. The device is capable of booting different releases, which facilitates an effective fallback and rapid recovery if required. All environment-specific configurations are automatically generated, based on the configuration database operated by Open Systems Mission Control. This is an essential part of an efficient disaster recovery process because it makes it possible to generate and reinstall an identical configuration in a very short time.

• Open Systems Customer Portal: The state-of-the-art web portal makes it easy to communicate with Open Systems Mission Control 24x7. The portal provides transparency over your network and applications in real time, including reports and tools that support the implementation and management of global IT security and availability.

For more information, see the «Integrated Service Management» service description.

Delegated administration

The Open Systems Customer Portal distinguishes between permissions for managing services and permissions for managing users.

To work with services, the following Administrator and Monitor (view only) roles exist for three levels: the whole company, a particular business unit, or a particular service. Additionally, the service Auditor role permits a service Administrator or Monitor to view sensitive data such as logs. For example, you can grant a branch-office employee both the Administrator and Auditor roles for just the Open Systems service being used at that branch. The employee can then monitor the local service, look at the audit trail, view the network topology files associated with the service, create Open Systems tickets and edit notifications. The employee can also look at the service logs, which is helpful for troubleshooting.

To manage the users who work with the Customer Portal, the following Administrator and Monitor roles exist for two levels: the whole company, or a particular business unit. Additionally, the Auditor role permits a user Administrator or Monitor to view the user log files. For example, you can grant a branch-office employee the Administrator role for managing the user data of the local business unit.

Sign-off

Sign-off contacts can be defined at the business-unit or company level. Only a sign-off contact has the authority to approve changes to a service.


©2020 MS, January 27, 2020

Secure Web Gateway service description 2.3 by Open Systems, proprietary open-systems.com

Secure Web Gateway enforces internet access security policy for all requests in the public internet.

This service provides a proxy server for HTTP and FTP. SSL connections are checked against the security policy and tunneled through if granted. The company-wide distribution of the proxy configuration is supported with proxy auto-configuration (PAC): a configuration file is stored on the proxy server and fetched by clients for dynamic configuration.

Web Gateway Dashboard in the Customer Portal.

Blacklisted entries based on IP addresses, domains or hostnames can be customized in the proxy. Additional flexibility and broader configuration options can be achieved with the URL Filter, which introduces category-based access rules and customizable blacklists and whitelists. Group and port access policies are granularly definable and assign access rules to groups of network resources such as IP addresses and ports.

SERVICE DESCRIPTION (Secure Web Gateway)

The Secure Web Gateway acts as an intermediary enforcing an organization’s internet access security policy for clients that request access to resources located in the public internet. Depending on the modules that are activated, it increases the level of protection of client machines against malicious content and restricts access to URL categories.


All statistics and operational figures are pulled from the systems and processed at the time of display. They provide information about performance and utilization, blocked requests, connectivity errors, top second-level domains or proxy clients, connectivity error details, and policy violation attempts. Detailed malware statistics are also displayed if activated.

All statistics and operational figures are pulled from the systems and processed at the time of display.

The built-in load balancing capability of the proxy offers great flexibility to extend the throughput of web traffic from 10 Mbit/s up to Gigabit speed. The Secure Web Gateway also offers dual-stack capability, which enables users to reach IPv6 sites in the internet from an IPv4 network.

The internet browsing policy, defined at a central point and visualized in the Open Systems Customer Portal, is distributed to all Secure Web Gateway services. This provides a single global policy and, therefore, an efficient approach to global internet access policy enforcement.


If users go against policy or are faced with errors, the proxy displays error pages that inform users in a clear way about what happened, why, and what to do next. The error pages are configurable and, together with the report link, make it possible to set up an efficient support process that lowers operations effort.

Example of an error page that informs users about what happened, why and what to do next.

Monthly browser compliance and traffic volume reports provide an overview of the company’s browser distribution and web traffic, and are tailored to an executive management audience. The figures are benchmarked against the overall performance of all Open Systems Web Gateway services worldwide. The reports are downloadable in PDF and Excel format, giving full portability and reusability to the statistical data.

Consolidated report for executive management, showing traffic volumes and browser distribution.


The Customer Portal offers graphical availability statistics of the various services, showing uptime, ISP outage, maintenance, connection down and inactive states over time. Every ISP outage or lost connection is listed, as well as the corresponding ticket if a threshold was reached and the issue escalated to Open Systems Mission Control.

Service availability statistics in the Customer Portal.

The Customer Portal features a log viewer that allows authorized personnel to display and access log information either in real time or based on historical data. It offers detailed data about every web request, including scanned HTTPS connections, which gives insight into each step that a request takes when passing through the proxy. The filterable output displays information relevant to a particular browsing session and, therefore, supports an organization’s staff in locating internet access issues reported by their users.


The log viewer also consolidates the logs of the load-balanced proxy clusters. For URL filtering, the log viewer shows the category of each URL. Additionally, the logged names and group memberships of authenticated users give a brief overview of which group policy was applied.

The Log Viewer allows authorized personnel to display and access log information either in real time or based on historical data.

The log files can be delivered using secure copy (SCP) or file transfer protocol (FTP) at customizable, periodic intervals; SCP should be preferred, since FTP transmits credentials and log content in clear text. Syslog forwarding continuously forwards the syslog entries as soon as they are available on the proxy.


A powerful utility for network traffic capture is available to employees with audit privileges. They can follow the high-level packet information directly in the live view or download the PCAP file to inspect it on their computers in more detail and get a better idea of the traffic that passes through the Secure Web Gateway.

Network traffic capture utility that is available to selected employees with audit privileges.


Ever wondered how a proxy handles a specific request to a website? The URL Tracker shows you every step of a request through the proxy. This lets you easily verify which group policy gets applied and which decisions and actions the proxy takes.

The URL Tracker shows every step of a request through the proxy.


User Authentication

Secure Web Gateway is available with the following protocols to authenticate users, and grant or disallow internet access:

• Kerberos is a security protocol that provides mutual authentication by establishing session keys between two entities with the help of a trusted third party and symmetric cryptography. It is based on the Needham-Schroeder protocol and is widely used in Microsoft Windows domain environments without being limited to specific architectures. Kerberos is the most secure and reliable of the generally available authentication protocols for integrated proxy authentication.

The Kerberos authentication method uses Kerberos v5, supported by Microsoft Windows 2000 and newer. Kerberos can seamlessly authenticate a supported client (integrated authentication) against the Secure Web Gateway by making use of an organization’s Active Directory infrastructure. The authentication takes place within the HTTP conversation with the help of the SPNEGO mechanism (HTTP Negotiate).

• The LDAP authentication method uses the LDAP protocol. LDAP can authenticate a user against the Secure Web Gateway by making use of an organization’s LDAP infrastructure. The user is presented with a pop-up window that requests the user credentials. Authentication is done by a bind operation to the LDAP directory. Internet policy memberships can be assigned to a user based on LDAP group attributes.

Additional Internet Policy

An additional internet policy creates a new set of Secure Web Gateway configuration parameters (group policy) that can be used on every Open Systems Web Gateway. This is used to distinguish malware protection, URL filtering and SSL scanning for different departments or groups of people.

Policy mapping for different departments or groups of people.

The assignment is based either on the client IP address or on the Active Directory/LDAP group if used in conjunction with the Distributed Proxy Policy module.


Malware Protection

This feature performs malware protection with protocol scanning technologies for HTTP and FTP. It uses a combination of several filters to detect both known and unknown malware.

Configuration options for specific characteristics of internet browsing traffic, such as archive handling policies and media type filters, can be defined and are visualized in the Customer Portal.

Configuration options for specific characteristics of internet browsing traffic.

The following figure shows the configuration for media type filters, including skipped and blocked media types as well as blocked extensions.

Configuration of media type filters defining skipped and blocked media types, and blocked extensions as part of Malware Protection.


Malware Protection provides additional proxy functionality with an FTP proxy. This enables FTP access for native FTP clients. SSL connections are checked against the security policy and are tunneled through if granted.

Real-time malware protection reports are available online in the Open Systems Customer Portal.

Blocked malware types and their frequency in one month.

Executive management reports are automatically generated on a monthly basis and summarize the logs of all Malware Protection modules operated by Open Systems Mission Control. They give an overview of the top and latest viruses, including the change from the previous month.

Executive management report showing the monthly statistics for Malware Protection.


Advanced Malware Protection

Advanced Malware Protection in the Web Gateway detects malware by using artificial intelligence concepts. The basis for the feature is a global, cloud-based system that provides state-of-the-art, dynamic file classification.

Real-time lookup in the cloud with artificial intelligence: files downloaded by the user pass through the Secure Web Gateway, which queries the cloud service. Figures shown: 10'000 virus strains added every day; 6'000 file properties for statistical analysis; 100'000'000 participants updating regularly; 200'000 suspicious files scanned daily.

State-of-the-art classification of binary and executable files in real time.

A real-time lookup is performed in the cloud to check whether the downloaded files contain known malware. Unknown executables or binary files are uploaded to the cloud and then analyzed for similarity to other malware variants. Consequently, rapidly evolving malware can be tracked and blocked in real time. As Advanced Malware Protection is done in the cloud, it becomes much harder for malware authors to test their new malware against the existing detection logic before releasing it.

Advanced Malware Protection makes use of a self-teaching platform that implements machine learning to quickly analyze and classify unseen software. The extraction of several thousand file properties is used for the dynamic classification, which greatly benefits from the collective intelligence gained from more than 100,000,000 participants who regularly upload malicious and benign files to the cloud-based system. This approach makes it possible to detect and block advanced threats such as CryptoLocker ransomware. Due to prior fingerprint checks, there is no significant use of extra bandwidth.

While behavioral analysis by a standard sandboxing solution adds considerable delay, Advanced Malware Protection classifies a file within seconds. With real-time analysis there is no gap in protection until pending signature updates are applied.

URL Filter

The URL Filter enforces an organization’s internet access policy and protects against risks associated with the employees’ internet use. It reduces legal liability, enhances web security, increases productivity and preserves bandwidth for business-related activities.

The URL Filter does category-based content filtering with both predefined and customizable categories. The predefined categories are managed and monitored, which provides a comprehensive and proven source of millions of global URLs that are organized into categories.


The Secure Web Gateway uses innovative cloud technology for a live update of its category database. Categories of previously unknown URLs are updated in near real time. New websites are automatically detected and forwarded to the vendor for categorization. The newly developed live technology offers zero-hour security against phishing and malware content. A tool in the Customer Portal makes it possible to look up URL categories so that recategorizations can be requested.

All web access over the web proxy is checked against Google’s Safe Browsing database to prevent access to harmful, malicious or phishing websites.

Configuration options for category-based content filtering with predefined and customizable categories and time-based conditions.
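The decision path a request takes through the proxy, covering the URL Tracker, the Additional Internet Policy mapping (by client IP or directory group), the media type and extension filters of Malware Protection, and the category filter with time-based conditions and the malicious-site check described above, as one added example that is not part of the service description or Open Systems' code. The category database, blocklist, policies, group names and addresses are constructed for illustration; the real ones are the vendor's category feed and Google's Safe Browsing data.

```python
"""Added example (not Open Systems code): a model of the steps one request takes
through the proxy, in the order the URL Tracker shows them: group policy
selection by client network or directory group, blocklist check, URL category
lookup with a time-based condition, and the media type / extension filter of
Malware Protection. Categories, policies, groups and addresses are constructed;
the real category database and blocklist are the vendor's and Google's.
"""
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed category data: vendor-style predefined categories and one custom category.
CATEGORIES = {"www.example.com": "business", "social.example": "social networking",
              "video.example": "streaming", "phish.example": "phishing"}
CUSTOM_CATEGORIES = {"intranet.example": "corporate tools"}
MALICIOUS_HOSTS = {"phish.example"}          # stand-in for the safe-browsing blocklist

# Additional internet policies (group policies). A blocked category may carry an
# hour window (start, end) during which it is allowed: the time-based condition.
COMMON = {"blocked_ext": {".exe", ".scr"}, "blocked_types": {"application/x-msdownload"}}
POLICIES = {
    "default":   {"blocked": {"social networking": None, "streaming": None, "phishing": None}, **COMMON},
    "marketing": {"blocked": {"streaming": (12, 14), "phishing": None}, **COMMON},  # lunch break
    "it":        {"blocked": {"phishing": None}, "blocked_ext": set(), "blocked_types": set()},
}
GROUP_TO_POLICY = {"CN=Marketing": "marketing", "CN=IT-Ops": "it"}   # via directory groups
NETWORK_TO_POLICY = [("10.9.0.0/16", "it")]                          # via client IP


def select_policy(client_ip, groups=()):
    """Directory group wins if the user is authenticated, else the client network."""
    for g in groups:
        if g in GROUP_TO_POLICY:
            return GROUP_TO_POLICY[g], f"group {g}"
    for net, name in NETWORK_TO_POLICY:
        if ipaddress.ip_address(client_ip) in ipaddress.ip_network(net):
            return name, f"client network {net}"
    return "default", "no group or network mapping"


def categorize(host):
    """Customer-defined categories override the predefined ones."""
    return CUSTOM_CATEGORIES.get(host) or CATEGORIES.get(host, "uncategorized")


def track(url, client_ip, groups=(), hour=None, content_type=None):
    """Return (decision, steps) for one request; `hour` defaults to the current hour."""
    hour = datetime.now().hour if hour is None else hour
    parts = urlsplit(url)
    host, name = parts.hostname, parts.path.rsplit("/", 1)[-1]
    policy_name, why = select_policy(client_ip, groups)
    policy = POLICIES[policy_name]
    steps = [f"policy {policy_name} selected ({why})"]
    if host in MALICIOUS_HOSTS:                     # the blocklist applies to every policy
        steps.append(f"{host} is on the malicious-site blocklist")
        return "block", steps
    category = categorize(host)
    steps.append(f"{host} categorized as {category}")
    if category in policy["blocked"]:
        window = policy["blocked"][category]
        if window and window[0] <= hour < window[1]:
            steps.append(f"category blocked, but allowed between {window[0]}h and {window[1]}h")
        else:
            steps.append("category blocked by policy")
            return "block", steps
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in policy["blocked_ext"]:
        steps.append(f"extension {ext} blocked by the media type filter")
        return "block", steps
    if content_type in policy["blocked_types"]:
        steps.append(f"media type {content_type} blocked by the media type filter")
        return "block", steps
    steps.append("request allowed")
    return "allow", steps


if __name__ == "__main__":
    for req in [("https://social.example/feed", "10.1.1.1", (), 10),
                ("https://video.example/live", "10.1.1.1", ("CN=Marketing",), 13),
                ("https://www.example.com/tools/setup.exe", "10.1.1.1", (), 10),
                ("https://phish.example/login", "10.9.5.5", (), 10)]:
        decision, steps = track(req[0], req[1], groups=req[2], hour=req[3])
        print(req[0], "->", decision, *("   " + s for s in steps), sep="\n")
```

The blocklist check runs before any policy is consulted so that a permissive group policy (here "it") still cannot reach a phishing host; the time window shows how the same category can be blocked or allowed depending on when the request arrives.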


Real-time reports display the number of requests that were rejected by the URL Filter or Google Safe Browsing, or caught by the malware scanner, in one day, one week, one month or one year, on one host or across the whole service. Additional real-time reports display information about the top blocked categories.

Real-time report about blocked requests in one week on a specific host.


The monthly executive management report summarizes the total number of violation attempts and their top five categories. The number of connection requests and blocked attempts is shown for each category, giving a clear overview of the category statistics. URL category log consolidation with the proxy server’s access log can be done on a daily basis before the log files are deposited on an organization’s log server.

Executive management report for the proxy, which gives a monthly overview of URL filtering.


SSL Scanning

SSL Scanning is an addition to the Malware Protection and URL Filter modules. SSL Scanning applies the existing security and internet usage policy to the HTTPS protocol and, therefore, enforces an organization’s policy even for encrypted traffic. It prevents viruses, spyware and Trojans from bypassing the malware protection by using the HTTPS tunnel, a common and often unprotected hole in the perimeter.

SSL Scanning makes it possible to validate server certificates and define customized actions to be taken for not fully trusted certificates. Depending on the policy, such certificates can be allowed, blocked, or the decision can be passed on to the user.

SSL certificate mimicking uses the extensive built-in certificate handling in modern browsers. Instead of completely hiding a web server’s SSL certificate from the user, certificate mimicking shows the user some critical information about the original server certificate, which helps him or her decide whether to accept the server certificate.

The Secure Web Gateway signs server certificates with its own certificate authority, which is set up during installation. The client machines must trust this certificate authority; customer representatives manage the certificate authority acceptance processes. Because every client trusts certificates issued by this authority, its private key must be protected accordingly.

Example of an SSL scanning policy, which enforces the security policy of the organization even for encrypted traffic.


All connections with client certificates need to be tunneled through without scanning, since the proxy cannot authenticate to the server with the client’s private key.

Example of a configuration for trusted certificate authorities.

Web Traffic Tap

As the majority of web traffic is encrypted, network security monitoring solutions have limited visibility. In combination with SSL Scanning, the Web Traffic Tap closes the blind spot and provides full visibility of all proxy traffic, including web traffic that is normally encrypted.

The Web Traffic Tap is a designated network interface on which simulated connections between the client and server can be passively monitored. The behavior is similar to what could be observed on the network if a client connected to a web server, with the difference that decrypted HTTPS traffic can be observed in plain text. Threat detection solutions are configured to monitor the proxy traffic on the Web Traffic Tap interface just as they would be configured to monitor any other network traffic.


Integrated Service Management

As an intrinsic part of every Open Systems service, Integrated Service Management delivers flexible technology, maximum transparency, and around-the-clock network security and monitoring by a high-reliability organization. Integrated Service Management closes the gap between security policy and operations, and reduces complexity. The service fee includes the following:

• Service Delivery Platform: The service runs on extendable, industrial-strength hardware for reliable 24x7 operation. The location of the hardware is flexible – it can be on your premises, at a data center, or set up as a virtual platform in the cloud. Open Systems best practices ensure that a hardened operating system is deployed, where only essential tools and utilities are activated and, therefore, cannot lead to unexpected instability and compromised systems. Open Systems Mission Control makes sure that all appropriate security-related settings are up to date and configured correctly.

• 24x7 Operations: Highly skilled certified engineers in Open Systems Mission Control monitor your systems proactively, ensure compliance with your security policy and work according to clearly defined processes in order to review and perform global changes that are driven by the dynamic needs of your organization.

After extensive testing procedures, all required security updates and patches are installed on a regular basis, always keeping the systems up to date. The device is capable of booting different releases, which facilitates an effective fallback and rapid recovery if required. All environment-specific configurations are automatically generated, based on the configuration database operated by Open Systems Mission Control. This is an essential part of an efficient disaster recovery process because it makes it possible to generate and reinstall an identical configuration in a very short time.

• Open Systems Customer Portal: The state-of-the-art web portal makes it easy to communicate with Open Systems Mission Control 24x7. The portal provides transparency over your network and applications in real time, including reports and tools that support the implementation and management of global IT security and availability.

For more information, see the «Integrated Service Management» service description.

Service Delivery Platform Options

10-Gigabit Interfaces

This option provides two concurrent 10-Gigabit connections. The following enhanced small form-factor pluggable (SFP+) fiber optical transceivers are included in the price:

• 10GBase-SR (850 nm wavelength) LC connectors

• 10GBase-LR (1310 nm wavelength) LC connectors

Note: This option is available for Platform Node L. The minimum throughput of the service applies. Higher throughput cannot be guaranteed and is provided based on best effort.

Open Systems services are ISO 27001 certified.

©2020 MS, January 27, 2020


In today’s world, a breach is inevitable and will eventually happen to every company or organization. Network Detection and Response closes the gap between traditional detection combined with security monitoring and costly SIEM/SOC solutions by aggregating enterprise-wide security sensor capabilities and providing a unified presentation layer that shows the full scope from management-friendly global risk scores to packet-level details.

Focus on detection

The NDR finds compromised systems quickly and enables efficient analysis and response. The service provides a holistic view of which hosts behave suspiciously in a monitored network by assigning a threat score to each of them. Contrary to conventional detection systems, Network Detection and Response is built around and focuses on the security of end users rather than on individual events.

A combination of protocol and signature inspection methods is used to analyze network traffic and detect network threats, making it possible to respond to suspected intrusions quickly. Due to multilayer event processing by a central correlation unit, the generated alerts have maximum relevance in the security context.

No more blind spots

It is crucial to gain visibility into all network segments that pose a risk to your company if compromised. The implementation of Network Detection and Response on all your network nodes gives you a fine-meshed sensor network and eliminates your blind spots.

If Secure Web Gateway is part of your portfolio, the Web Traffic Tap allows you to monitor even encrypted web traffic.

Workflow

Managed NDR

For Managed NDR, engineers at Open Systems Mission Control perform a triaging process on high threat-score hosts to provide an initial classification of the alerts based on contextual information and event analysis. Host alerts classified as «suspicious» are escalated to you for verification and further action, while «uninteresting» or «imprecise» alerts are kept away from your analysts and resolved by Open Systems Mission Control.

[Figure: Threat Detection with Managed Threat Detection – host alert, triage (classification: uninteresting or suspicious), start investigation, process feedback, learning, end investigation.] Managed NDR: Open Systems engineers perform the triaging process.

Managed NDR is available for the Enterprise Plus package of Secure SD-WAN, or as part of Managed Detection and Response (MDR).


Unmanaged NDR

In this scenario, you manage the triaging process internally. Your analysts can access detailed contextual and event information for their analyses.

[Figure: Threat Detection without Managed Threat Detection – host alert, start investigation, learning, end investigation.] Unmanaged NDR: You are in charge of your triaging process.

Components

NDR consists of three main components: sensors, threat scores, and the dashboard and Security Center in the Open Systems Customer Portal.

[Figure: sensors observe monitored hosts, each host receives a threat score, and the scores feed the Dashboard and Security Center.] Main components of NDR.

• Sensors monitor the network, match traffic against their signature base, and generate events upon a match.

• Threat scores indicate whether an infection and/or malicious or unwarranted behavior is likely. A threat score is assigned to each monitored host.

• Dashboard and Security Center provide a real-time overview of the global threat scores, allowing you to drill down to the host details and further down to the single event details.

The core processes in the area of Open Systems services are assessed annually by an independent auditor and results are presented in a SOC 1 report.


Threat score

The threat score is the fundamental concept and metric behind Detection and Response. It consists of a single metric between 0 and 10, and provides an indicator of the likelihood of an infection and/or malicious or unwarranted behavior. A threat score is assigned to each monitored host.

The host threat score is determined by the most critically scored event for that host. Focusing on hosts rather than single events makes it possible to get better leverage of contextual information about the host, including historical behavior or related events. The inherent prioritization of hosts based on threat scores allows every company – no matter how much security personnel is available – to focus on analyzing the hosts with the highest threat scores first.


Factors that increase or decrease the threat score:

• Categorizing a host or its events directly updates the threat score of the host. The system assumes that after a categorization the host is tracked internally, so past events no longer contribute to the current threat score. Categorizing events or hosts also increases or decreases the impact on future threat scores depending on the selected category.

• Creating whitelist entries and filter rules directly influences the threat score of future events and their originating hosts. For example, if an event filter with action «log» is created, corresponding events will no longer trigger a high threat score.


Dashboard

The world map in the dashboard shows the location of monitored hosts and their sensors with threat scores in the high, moderate and low threat levels. A sensor is listed as high if it monitors a host that currently has a high threat score. The metrics can be used as an indicator of the threat observed for a specific location or the company as a whole.

World map in the dashboard shows the location of the hosts and sensors as well as their threat levels.


Security Center

A click on a sensor in the Threat Protection widget on the starting page of the portal opens the Security Center with key statistics for the sensor, and an overview of all suspicious hosts monitored by the sensor.

Security Center in the Customer Portal.

A monitored host can have four different threat levels:

• High: The host triggered events which are highly indicative of an infection and/or malicious behavior. It should be closely monitored and the root cause for triggering these events analyzed.

• Moderate: The host triggered events which lead to a moderate threat score and thus should be prioritized over hosts with a low threat score. You may choose to investigate such hosts internally depending on your security policy.

• Low: The events that were triggered by this host lead to a low threat score and thus have low security relevance. These events are usually not related to infections but may still indicate noteworthy behavior of hosts. A typical example is a policy violation.

• None: No events were triggered for the monitored host. The threat score is zero.
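The following is an added example, not Open Systems' own code, that works through the scoring rules from the «Threat score» section together with the four threat levels listed above: the host score is the highest score among its contributing events, events before the host's last categorization no longer contribute, and an event filter with action «log» keeps matching events from triggering a high score. The numeric level thresholds, the cap a «log» filter applies, the whitelist semantics and all sample hosts, signatures and scores are assumptions constructed for this illustration and are not stated in the document.

```python
"""Host threat scores aggregated the way the NDR text describes them.

Added example, not Open Systems code. ASSUMED: level thresholds, the cap
applied by a «log» filter, whitelist semantics, and all sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed thresholds mapping a 0-10 score to the four threat levels.
HIGH_THRESHOLD = 7.0
MODERATE_THRESHOLD = 4.0
# Assumed: a «log» filter keeps the event in the log but caps its score.
LOG_FILTER_CAP = 2.0


@dataclass(frozen=True)
class Event:
    host: str          # monitored host that triggered the signature
    time: datetime     # when the sensor generated the event
    signature: str     # matched signature name
    score: float       # severity of that signature on the 0-10 scale


@dataclass
class Policy:
    whitelist: Set[str] = field(default_factory=set)       # signatures that never count (assumed)
    filters: Dict[str, str] = field(default_factory=dict)  # signature -> filter action
    categorized_at: Dict[str, datetime] = field(default_factory=dict)  # host -> last categorization


def effective_score(event: Event, policy: Policy) -> Optional[float]:
    """Score an event contributes to its host, or None if it contributes nothing."""
    if event.signature in policy.whitelist:
        return None
    cutoff = policy.categorized_at.get(event.host)
    if cutoff is not None and event.time <= cutoff:
        return None  # host is tracked internally since its categorization
    if policy.filters.get(event.signature) == "log":
        return min(event.score, LOG_FILTER_CAP)
    return event.score


def host_threat_score(host: str, events: List[Event], policy: Policy) -> float:
    """The most critically scored contributing event decides the host score; 0 if none."""
    contributing = []
    for event in events:
        if event.host != host:
            continue
        score = effective_score(event, policy)
        if score is not None:
            contributing.append(score)
    return max(contributing, default=0.0)


def threat_level(score: float) -> str:
    """Map a score to the High / Moderate / Low / None bands (thresholds assumed)."""
    if score <= 0:
        return "None"
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MODERATE_THRESHOLD:
        return "Moderate"
    return "Low"


def rank_hosts(events: List[Event], policy: Policy) -> List[Tuple[str, float, str]]:
    """Hosts ordered highest score first, so analysts start at the top of the list."""
    hosts = sorted({e.host for e in events})
    ranked = [(h, host_threat_score(h, events, policy)) for h in hosts]
    ranked.sort(key=lambda hs: -hs[1])  # stable: ties stay in address order
    return [(h, s, threat_level(s)) for h, s in ranked]


# Constructed sample data (not from the document).
SAMPLE_EVENTS = [
    Event("10.1.1.10", datetime(2020, 4, 1, 9, 0), "ET TROJAN Beacon", 9.0),
    Event("10.1.1.10", datetime(2020, 4, 3, 9, 0), "POLICY P2P Client", 3.0),
    Event("10.1.1.11", datetime(2020, 4, 2, 8, 0), "ET SCAN Port Sweep", 8.0),
    Event("10.1.1.12", datetime(2020, 4, 2, 8, 0), "POLICY P2P Client", 3.0),
    Event("10.1.1.13", datetime(2020, 4, 2, 8, 0), "Authorized Vuln Scanner", 8.0),
    Event("10.1.1.14", datetime(2020, 4, 3, 8, 0), "ET TROJAN Beacon", 9.0),
    Event("10.1.1.15", datetime(2020, 4, 3, 8, 0), "ET POLICY Suspicious TLS", 5.0),
]
SAMPLE_POLICY = Policy(
    whitelist={"Authorized Vuln Scanner"},
    filters={"ET SCAN Port Sweep": "log"},
    categorized_at={"10.1.1.10": datetime(2020, 4, 2, 0, 0)},  # beacon already categorized
)

if __name__ == "__main__":
    for host, score, level in rank_hosts(SAMPLE_EVENTS, SAMPLE_POLICY):
        print(f"{host:12} {score:4.1f} {level}")
```

With the sample policy, host 10.1.1.10 drops to Low because its beacon event predates the categorization and only the later policy event still counts, 10.1.1.11 stays Low because the «log» filter caps the port-sweep event, and 10.1.1.13 scores None because its only event is whitelisted; the uncategorized beacon on 10.1.1.14 is the one host ranked High.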


Host details

A click on any of the monitored host links listed under the three threat levels opens the host details, which include events triggered since the last categorization, traffic patterns for the host and its history regarding previous threat scores and investigations. The information serves as the basis for analysis by your operations team or by Open Systems Mission Control whenever there is a host alert.

SECURITY EVENTS tab of the Host Details page.

The HOST INFORMATION tab of the Host Details page shows more statistics about the host.

HOST INFORMATION tab of the Host Details page.


The HISTORY tab of the Host Details page shows what happened to the host in the past.

HISTORY tab of the Host Details page.

Investigation Center

The Investigation Center can be thought of as a company-internal «to do» list for hosts that are marked for investigation. It allows you to track the most pressing threat indicators and helps specify tasks outside of Open Systems ticket handling.

Investigation Center for internal tracking at your site.


Log viewer

The log viewer in the Open Systems Customer Portal provides an overview of all logged threat detection events. It offers powerful functionality to categorize groups of events in just a few mouse clicks.

The log viewer provides an overview of all logged threat detection events.

To focus on the events that are currently important to you, it is possible to filter the event log by various criteria, such as signature, IP address or status. Additionally, it is possible to choose between four types of events: All, New, Pending and Categorized. By default, the new events of the past week are shown. The list of events can be grouped by signature, conversation, source or destination, or it can be ungrouped. A double-click on an event or event group shows more information about it by drilling down to a deeper level.

Reporting

Open Systems Mission Control issues a monthly NDR report that focuses on an executive management audience. On the introduction and summary page, the event occurrences and event categories are compared with previous months, so that trends are visible.



©2020 MS, April 7, 2020


Most of the successful cyberattacks start with browsing a compromised website, or receiving a malicious email. By protecting against the two dominant attack vectors, the risk of becoming infected and of financial and reputational damage caused by a successful cyberattack is dramatically reduced.

Attacks coming in via web browsing or email most often include communication between an end user and a malicious entity in the internet. This entity is usually a URL (evil.com/downloadvirus.js), a domain (badguy.org), or an IP address (66.66.66.66). Blocking access to such entities stops malware from being installed, or fraud from happening.

Threat Protection Dashboard in the Customer Portal.

Unified Threat Protection aggregates different third-party databases and threat intelligence feeds which deliver known malicious URLs, domains, and IP addresses in real time. These feeds combine information from millions of end users and devices to classify the URLs and domains.

The service consists of selections of threat intelligence feeds of different focus that are consumed by the subscribed Open Systems services. The selections consist of commercial as well as open source feeds and are consumed on all Open Systems services where meaningful. The current coverage is for Secure Web Gateway, DNS Filter and Secure Email Gateway.

Unified Threat Protection is available for the following services in Secure SD-WAN:

• Secure Web Gateway

• DNS Filter

• Secure Email Gateway


Extensive reporting capabilities contain geographical overviews, reporting by category, and reporting by Open Systems service that blocked the access, including drill-down capabilities.

The used threat intelligence feeds are curated by Open Systems engineers and security specialists to always have a powerful and first-class quality set of feeds covering different attack vectors from various threat intelligence vendors.

Integrated Service Management

As an intrinsic part of every Open Systems service, Integrated Service Management delivers flexible technology, maximum transparency, and around-the-clock network security and monitoring by a high-reliability organization. Integrated Service Management closes the gap between security policy and operations, and reduces complexity. The service fee includes the following:

• 24x7 Operations: Highly skilled certified engineers in Open Systems Mission Control monitor your systems proactively and react to breaches within the periods defined in the SLA. The engineers ensure compliance with your security policy and work according to clearly defined processes in order to review and perform global changes that are driven by the dynamic needs of your organization.

After extensive testing procedures, all required security updates and patches are installed on a regular basis, always keeping the systems up to date. The device is capable of booting different releases, which facilitates an effective fallback and rapid recovery if required. All environment-specific configurations are automatically generated, based on the configuration database operated by Open Systems Mission Control. This is an essential part of an efficient disaster recovery process because it makes it possible to generate and reinstall an identical configuration in a very short time.

• Open Systems Customer Portal: The state-of-the-art web portal makes it easy to communicate with Open Systems Mission Control 24x7. The portal provides transparency over your network and applications in real time, including reports and tools that support the implementation and management of global IT security and availability.

For more information, see the «Integrated Service Management» service description.
