Telecom Review North America

Cloud Firewalls
Wednesday, 21 December 2011 03:56

Integra Telecom Offers Filtering at the Application Level for Enterprise Customers

Integra Telecom is introducing their “Cloud Firewall Service”, which will be the first in a comprehensive suite of Cloud Security Services from Integra that protects a business by guarding the perimeter of a network while providing inbound and outbound Internet access through a secure managed gateway. Integra’s Cloud Firewall Service prevents unauthorized access to network infrastructure, prohibits access to inappropriate web content, restricts downloads of infected files, and ensures secure use of your organization’s corporate IP-VPN network. This managed service provides a consistent enforcement of security policies to all enterprise facilities including staff working from home or on the road.

Telecom Review North America recently met with Integra Telecom to get a feel for some of the challenges of cloud firewalls and to give our readers some ideas about the importance of the firewalls. Integra Telecom Inc. provides business-grade networking, communications and cloud solutions to thousands of business and carrier customers in 11 Western states, including Arizona, California, Colorado, Idaho, Minnesota, Montana, Nevada, North Dakota, Oregon, Utah and Washington. The company owns and operates a nationally acclaimed fiber-optic network consisting of a 5,000-mile high-speed long-haul fiber network and a 3,000-mile metropolitan access network including more than 1,700 fiber-fed buildings.

Cloud Security is Vital

Application visibility and control of network security is vital. The reason is obvious: applications can easily slip by traditional port-based firewalls. Employees, contractors, and partners will leverage any available application they need to get their job done, often indifferent to or unaware of the risk that poses to the business. Nearly every network security provider has acknowledged that application control is an increasingly critical part of network security. While the “Next Generation Firewall” is well defined by Gartner as leading edge and enterprise-focused, many network security providers are claiming a Next Generation Firewall is a subset of other functions such as Unified Threat Management (UTM) or Intrusion Prevention System (IPS). Most traditional network security vendors are attempting to provide application visibility and control by using a limited number of application signatures supported in their IPS or other external database. But underneath, these capabilities can be poorly integrated and the products are still based on legacy port-blocking technology, not Next Generation Firewall technology. These vendors are missing the point since it’s not about blocking applications, but safely enabling them. Unfortunately, the solutions offered by legacy network security providers ignore much of what businesses do with applications today: they use them to enable their business and, as such, need to make sure that those applications run securely.

There are substantial differences between NGMCF and UTM-style devices in terms of architecture and security model. These differences have dramatic impacts on real-world functions and features, operations, and performance. There are three areas that differentiate NGMCF: security functions, operations, and performance. The security function elements correspond to the efficacy of the security controls, and the ability for businesses to manage risk associated with network traffic. From an operations perspective, the big question is, “Where does application policy live, and how hard or complex is it to manage?” The performance difference is simple: Can the firewall do what it’s supposed to do at the throughput it’s supposed to do it in?

In building the Next Generation Firewall, vendors have taken one of two architectural approaches:

1) Build application identification into the firewall as the primary classification engine.

2) Add application signatures to an Intrusion Prevention System or IPS-like pattern matching engine which is then added to a port-based firewall.

Both can recognize applications, but with varying degrees of success, usability, and relevance. Most importantly, these architectural approaches dictate a specific security model for application policies: either positive (default deny), or negative (default allow).

Firewalls use a positive security model, or “default deny”. Default deny means that administrators write policies to ALLOW traffic (e.g., allow WebEx, GoToMyPC), and then everything else is denied or blocked. Negative policies (e.g., block Limewire) can be used in this model, but the most important fact is that the policy in a positive security model says, “all else deny.” One of the key implications of this approach is that all traffic must be classified in order to allow the appropriate traffic. So visibility of traffic is easy and complete, and policies enable applications. Another key result of this approach is that any unknown traffic is, by default, denied. In other words, the best Next Generation Firewall is a firewall.

Intrusion prevention systems (IPS) typically employ a negative security model, or “default allow”. Default allow means that IPS identifies and blocks specific traffic (traditionally threats), and everything else is passed through. Traditional network security providers are adding application signatures to an IPS-style engine and bolting it onto a traditional port-based firewall. The result is an “application prevention system.” The application control is in a negative security model; in other words, it’s not in a firewall. The outcome is that one only sees what is expressly looked for, and unknown traffic is, by default, allowed.

While this paper is focused on the 10 specific things your NGMCF must do, knowledge of the architecture and models as outlined above are prerequisites to understanding the different capabilities of the many solutions on the market and their ability to deliver these critical functions.
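The difference between the two security models can be seen by running the same traffic through both. The following is an added illustration, not code from Integra or any vendor: the flows, port list and application labels are constructed, and `app` stands in for whatever an application classifier would report (`None` meaning the traffic matched no known application).

```python
from collections import namedtuple

# Constructed sample flows; "unlisted-app" is a hypothetical application
# that appears in neither the allow list nor the block signatures.
Flow = namedtuple("Flow", "dst_port app")
FLOWS = [
    Flow(443, "webex"),
    Flow(443, "gotomypc"),
    Flow(443, "limewire"),      # blocked app riding an open port
    Flow(443, None),            # unknown application on an open port
    Flow(80, "unlisted-app"),   # known app nobody wrote a rule for
    Flow(6346, "limewire"),     # blocked app on a closed port
]

ALLOWED_APPS = {"webex", "gotomypc"}   # positive model: explicit allows
BLOCKED_APPS = {"limewire"}            # negative model: block signatures
OPEN_PORTS = {80, 443}                 # legacy port-based rule base


def positive_model(flow):
    """Application identity is the primary classifier; all else deny."""
    return "allow" if flow.app in ALLOWED_APPS else "deny"


def negative_model(flow):
    """Port-based firewall first, then IPS-style block signatures."""
    if flow.dst_port not in OPEN_PORTS:
        return "deny"     # port rule, no application awareness
    if flow.app in BLOCKED_APPS:
        return "deny"     # signature hit
    return "allow"        # everything else passes, unknown included


def compare(flows):
    """Return (flow, positive verdict, negative verdict) per flow."""
    return [(f, positive_model(f), negative_model(f)) for f in flows]


def disagreements(flows):
    """Flows the two models treat differently."""
    return [f for f, pos, neg in compare(flows) if pos != neg]


if __name__ == "__main__":
    for f, pos, neg in compare(FLOWS):
        print(f"{f.dst_port:>5} {str(f.app):<13} positive={pos:<5} negative={neg}")
```

The two models agree on everything that has an explicit rule; they differ only on the unknown and unlisted traffic, which is exactly the traffic the negative model never reports on.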

The Integra entry level solution is a cost-effective, integrated perimeter security service that includes application-based protection and standard reports. Cloud Firewall Service Standard is intended for smaller organizations who want the peace of mind that a managed firewall service can provide.

The “Plus” level adds intrusion detection and intrusion prevention, URL filtering, customizable reports, and the ability to tailor rules and policies to meet individual requirements. They have also made an optional VPN client for remote users available. Cloud Firewall Service Plus is intended for businesses that need additional security protection, customized policies and reports, and the ability to view log files.

The Premium version adds anti-virus and anti-spyware protection along with file and data content filtering. Cloud Firewall Service Premium is intended for customers requiring the highest level of security and protection.

Integra Features to Meet Security Needs Today, Tomorrow, and in the Future

Integra’s Cloud Firewall Service offers next generation multi-layered security protection. Integra’s service meets all security requirements today and can grow as requirements change in the future. As new threats are detected and new protection techniques developed, Integra will evaluate, test, and deliver these new protection solutions seamlessly and efficiently. Integra’s next generation protection includes:

All security functions reside within Integra’s secure private network. Integra’s Cloud Firewall Service enforces traffic separation among customers by establishing a Private Virtual Circuit (PVC) from a business’ private network to filter traffic coming in or going to the Internet. Cloud Firewall Service is fully integrated with Integra’s network, delivering managed Internet security for all locations and users.

With Integra’s Cloud Firewall Service customers will benefit from increased protection, more flexibility, extended support, and a clear return on investment. The customer can eliminate the need to purchase, staff, and manage premise-based Internet security infrastructure.

