XO _Hosted Security Product Overview__v.21 (1)

Hosted Security – Product Overview

Transcript of XO _Hosted Security Product Overview__v.21 (1)

Page 1: XO _Hosted Security Product Overview__v.21 (1)

Hosted Security – Product Overview

Page 2: XO _Hosted Security Product Overview__v.21 (1)

Copyright 2012. XO Communications, LLC. All rights reserved. XO, the XO design logo, and all related marks are registered trademarks of XO Communications. 2

Hosted Security
• A network-based security solution.
• Fully managed, cloud Security-as-a-Service offering.
• Integrates a complete suite of security solutions.
  – Helps shield your network and data applications from being compromised or disrupted by security threats.
• Allows you to gain security protection without making capital expenses or having to increase staff.

Page 3: XO _Hosted Security Product Overview__v.21 (1)

WHAT DO WE MEAN BY “IN THE CLOUD”
• Security can be classified in one of two ways:
  – Cloud Based.
  – Premises Based.

• The cloud refers to the Internet and the millions of servers that connect to it.

• A cloud-based solution means that you are getting an application or a service through a server you are accessing through the Internet.

• Hosted Security is a public cloud solution, meaning that it is an open, multi-tenant solution where customers can have service capabilities that are not located on their premises.

• XO is able to support hundreds of customers on a common Unified Threat Management (UTM) platform.

Page 4: XO _Hosted Security Product Overview__v.21 (1)

Elements
Hosted Security encompasses:
• Next-generation Network Firewall security - helps you protect your XO MPLS VPN data network.
• Intrusion Detection and Prevention System service - safeguards your network from targeted attacks and other known threats.
• Web and Content Filtering - prevents users from going to prohibited web sites and sites with known malware threats.
• Secure Remote Access - for mobile workforces to connect back to your private XO MPLS WAN.
• Secure VPN - allows connections from off-net locations.
• An online customer portal – allows your organization’s security professionals to:
  – Custom design firewall and security policies.
  – Implement rule changes and configuration requests quickly.
  – Get online reporting.
  – Open trouble tickets and view ticket status.

Page 5: XO _Hosted Security Product Overview__v.21 (1)

Architecture
• Provides high-availability and failover among geographically diverse physical gateways with network redundancy to ensure business continuity.
  – Single firewall solution available for customers who don’t require geo-redundancy.
• Provides aggregated Internet bandwidth, which can be shared by all MPLS VPN locations and allows you to save on Internet access costs.
• Gives you the flexibility to add the security options you need, as you need them, to meet ever-changing requirements of end users.
• Allows you to modify the Internet bandwidth to the MPLS network without requiring physical changes to any location.
• Integrates XO’s MPLS VPN with Hosted Security into an end-to-end networking and security management solution—from one service provider on one invoice.

Page 6: XO _Hosted Security Product Overview__v.21 (1)

Key Benefits
• No need to add staff, deploy new hardware, or undergo extensive development.
• Supports you 24 x 7 x 365 through a certified security partner.
• Can be implemented with minimal lead time.
• Delivers a high level of network security.
• Does not degrade network availability or uptime.
• Scalable—easily add locations or users, including off-net locations with Internet Protocol Security (IPsec) integration to Internet-based locations.

• Allows you to implement security policies consistently across your network.

• Services are sold individually, so that you can select the services that best meet your needs.

Page 7: XO _Hosted Security Product Overview__v.21 (1)

Features
Feature | Benefit
Network Firewall | Stateful packet inspection at the edge of the MPLS cloud. Allows/denies traffic based on IP headers and port addresses. Policy rules can be modified on a per customer basis.
De-Militarized Zone (DMZ) | Allows for firewall segmentation for customers who want to partition Internet from private WAN traffic.
Intrusion Detection & Prevention | Identifies and stops pre-determined attacks and malicious activity before they can enter your VPN.
Web and Content Filtering | Allows you to set up filtering rules to prevent users from downloading content that may be harmful to their computers or to the corporate network, or may be inappropriate based on company policies.
Secure Remote Access (Option 1 – XO authenticates users; Option 2 – Customer self-authenticates users) | Allows your mobile workforce to connect to your corporate VPN through secure, encrypted, on-demand sessions.
Secure Remote Access (Off-Net Connectivity) | Allows off-net locations (fixed addresses) to connect to your corporate IP-VPN through an IPsec Tunnel.

Page 8: XO _Hosted Security Product Overview__v.21 (1)

Secure, Online Customer Portal

Incidence Response Tracking
• Event and incident details
• Action taken
• Date and time data
• Attack header and payload

Transaction Audit Details
Captures all security-related activities including:
• Device log-ins
• Rules updates
• Configuration changes
• Actions taken
• Alerts issued

On-Demand Reporting
Presents data on the health and security configuration of your network that faces the Internet:
• Attack attempts, including attack source and destination
• Attack severity
• Targeted systems
• Actions taken to address threats

On-Demand Support
• Submit support requests online
• View status/history of submitted requests

Page 9: XO _Hosted Security Product Overview__v.21 (1)

Network Firewall
• Unified Threat Management platform is deployed in XO network points of presence (POPs) between the MPLS VPN cloud and the Internet.
• XO provisions a dedicated unique virtual firewall (Virtual DOMain or VDOM) on a per customer basis:
  – Default policy rules allow/deny traffic based on stateful packet inspection.
    • You can modify policy rules through a secure online web portal.
  – DeMilitarized Zone (DMZ) allows you to have an isolated segment within the VDOM for any servers or services that are facing the Internet.
    • You can have unique security policies and specific rules defined independently from the IP-VPN for the DMZ network.
• You have the optional choice of a VDOM presence on two or three geographically diverse physical platforms for geographic, as well as local blade-level redundancy.

Page 10: XO _Hosted Security Product Overview__v.21 (1)

Intrusion Detection and Prevention
• Captures and inspects traffic (even traffic allowed by the firewall).
• Identifies signatures (known attack patterns).
• Looks for anomalous data.
• Blocks known threat sites and traffic from invalid source IP addresses.
• Generates an alert when it finds unauthorized traffic, and takes action to:
  – Block/substitute.
  – Warn/permit.
  – Allow/track.
• Updates signature database dynamically as threats are identified.
• Subscribes to Fortinet’s proprietary signature database.
• Supports multiple threat levels from low to high, and takes action appropriately.
• In-house Security Analysts provide internal rules development and customization.
  – Service is proactively managed.

Page 11: XO _Hosted Security Product Overview__v.21 (1)

Web and Content Filtering
• Allows you to set up filtering rules and content policies to prevent users from downloading content that may be harmful to their computers or to the corporate network, or inappropriate based on company policies and best use practices.
  – Permits you to translate corporate web usage policies to default rule set on the firewall.
• Filters at multiple levels:
  – By content rating (can filter known URLs, or allow corporate policies to be enforced on content that has not been seen before).
  – To block a category (for example: pornography or gambling).
  – By white-lists (allow) and black-lists (deny) for specific URLs.
  – User security rating: automatically blocks sites known for malware with warnings before proceeding.
  – By blocking anonymizers, which enable proxies to hide a user’s real IP address.

Page 12: XO _Hosted Security Product Overview__v.21 (1)

Secure Remote Access
• Gives roaming users the ability to connect to your corporate MPLS VPN using IPsec tunnels.
  – You use a pre-installed VPN client for authorization and access.
• Gives roaming users the ability to connect to the corporate MPLS VPN using Secure Sockets Layer (SSL) sessions.
  – Users log in through a secure on-line portal, or
  – Can use a proprietary Fortinet SSL VPN client, which would need to be installed on each user’s PC.
• Users are authenticated and authorized before they can access the corporate network.
• You have the choice of having BAE authenticate users, or self-authenticating users.
• SRA uses Security Policy Server (SPS) to authenticate identification and grant access for an incoming connection.

Page 13: XO _Hosted Security Product Overview__v.21 (1)

Off-Net Connectivity / VPN
• Allows off-net sites to connect to the MPLS VPN using IPsec tunnels.
  – The IPsec protocol allows authentication between a host and the security gateway at the beginning of a session.
  – Maintains an encrypted IPsec connection between your location and the network firewall for as long as traffic exists.
  – Each IP packet in the data stream is encrypted to ensure security.

Page 14: XO _Hosted Security Product Overview__v.21 (1)

Conceptual Illustration

Page 15: XO _Hosted Security Product Overview__v.21 (1)

Summary

Hosted Security services use high-speed, multi-threat security gateways, 24 x 7 monitoring and management, and advanced technology to help you better protect the data traffic that runs over your XO MPLS VPN service.