ProCurve Security Solution Brief
ProCurve and SonicWALL
Introduction
High-speed efficient network communications are at
the heart of business productivity and competitiveness.
Yet the tools that offer to heighten profitability are the
very same tools being used as conduits to steal and
destroy valued information. What has changed?
Trends such as Web 2.0, which utilize Web-based
applications, increase total network traffic throughout
the Internet. New communications paradigms such as
YouTube have added 25 petabytes (and growing) of
traffic per month to the Internet. Roughly 70 million
zombie computers have been compromised and are
being utilized to attack computers and dump
unprecedented volumes of e-mail traffic. Today’s more
sophisticated blended threats bypass the simple-to-
prevent front-door attacks and instead take advantage
of this onslaught of traffic to disguise their intentions,
often hiding deep inside the payload of what seems to
be the desired information. Networking defense
systems are overwhelmed and fail to find the hidden
threats.
The new real-time communications paradigm
Today’s business is increasingly dependent upon
network communications to provide internal and
external access to mission-critical applications. As
technical advances in remote access, mobility, and real-
time applications extend network functionality, they
also make it more complex. Network communications
no longer rely simply on store-and-forward and
session-based applications such as e-mail, Web pages,
and traditional client/server applications. Rather, they
have expanded to include real-time collaboration tools,
Web 2.0 applications, instant messaging (IM), peer-to-
peer applications, Voice over Internet Protocol (VoIP),
streaming media and online conferencing. This new
paradigm of network communications threatens to
undermine control and policy across network
boundaries and become the new conduit for evolving
threats.
With new methods of gaining entry, increasingly savvy
and financially motivated attackers operate
unchallenged and unrecognized. The recent upsurge in
ultrasophisticated threats to network communications
has increased the risk of data theft and deletion,
systems downtime, loss of productivity, bandwidth
consumption, and, most importantly, the theft of hard
data and hard dollars.
The severe limitations of existing solutions
In this new world, many of the leading firewall
solutions are rendered ineffective and incapable of
evolving fast enough to meet the security
requirements for today’s ever-expanding networks.
Solutions have routinely focused on blocking ports,
restricting protocols and preventing denial-of-service
attacks at the perimeter, rather than focusing on
deeper inspection applications and content-based
threats proliferating throughout the network. Once
users have been authorized to have network access,
their behavior on the network needs to be monitored
for potential threats.
Defining the ideal solution
In order to overcome these failings, the ideal network
security solution must take a different approach to
securing enterprise networks. This approach must
focus on the broader context of security, the content of
data, the movement of information, and the policy
control of managed and non-managed endpoints over
a wide range of connection and traffic types.
Integrating and correlating this approach across
external, perimeter, and internal networks presents
exceptional challenges, as does the massive inspection
and performance requirements needed to accomplish
such intricate control.
A solution that works
Organizations of all sizes are increasingly using a
network security technology called Unified Threat
Management (UTM). This is a technology that looks
deep into packet-level traffic and determines if the
traffic is secure, appropriate, and productive based on
network policy. A combination of security technologies
work in concert to provide complete UTM protection.
These include inbound and outbound traffic:
application firewalling, anti-virus, anti-spyware, URL
content filtering, and intrusion prevention.
Unfortunately, not all UTM solutions are effective. The
computational load required to scan every packet
within a network stream can be overwhelming.
Because of this, most UTM solutions limit UTM
throughput and limit the size of files that can be
scanned. SonicWALL has developed an industry-leading
UTM technology called assembly-free deep packet
inspection, which can run at true network speeds
while not limiting file sizes. This technology allows
large businesses to utilize the power of UTM in high-
performance networks. Add to this, the automated
and constant update of UTM signatures pushed to
millions of SonicWALLs worldwide, and CIOs can rest
assured that a SonicWALL solution within a ProCurve
network will dynamically maintain security as new
threats appear.
ProCurve ProActive Defense Strategy
ProCurve Network Immunity Manager (NIM) delivers
pervasive intelligent network threat management,
detection, and response to help protect against threats
such as virus attacks. ProCurve NIM leverages internal
attack detection in conjunction with external network
and security information to monitor the network for
internal threats. It can pinpoint the source of security
events and then leverage the network to mitigate those
threats.
ProCurve switches include advanced security
technology such as virus throttling, which can detect a
virus spreading through a network, and sFlow, which
can monitor traffic at each switch port.
The ProCurve Network Immunity Manager performs
network behavior anomaly detection (NBAD) on the
sFlow (sampled port traffic) data to look for abnormal
activity that can indicate an attack. The suspect traffic
identified by the Network Immunity Manager NBAD
engines can then be remotely mirrored to a SonicWALL
UTM for further analysis. The Network Immunity
Manager provides broad coverage and advanced
mitigation options such as MAC lockout, port blocking,
bandwidth limiting, and putting the offender on a
quarantined VLAN.
The ProCurve Network Immunity Manager can also
receive security event alerts from the switches or from
a SonicWALL UTM.
Benefits:
• Leading network and security companies coming
together to address customer needs
• Multi-layer security protection to mitigate network
threats
• Simple, affordable, and flexible solution that
provides broad coverage with enterprise-level
security technologies
• Visibility to network threats
• Increase network availability
• Enforcement at the edge of the network where users
connect
• Offender tracking for forensics
Driving technological solutions
ProCurve and SonicWALL are committed to developing
true open standards solutions.
ProCurve and SonicWALL are committed to improving
the security and productivity of our customers.
Together, ProCurve and SonicWALL have driven
powerful solution topologies, including the following
three examples.
Securing an entire network—unveiled
ProCurve Networking and SonicWALL have formed a
strategic partnership aimed at delivering world-class,
standards-based, secure network solutions. The
teaming of ProCurve—market leader in standards-
based networking—and SonicWALL—market leader in
UTM Security, offers a unique network security
infrastructure. SonicWALL has more than 16 years of
experience delivering innovative and robust security
solutions, while ProCurve has been driving open
standards and leading the market in data networking
for over 25 years. The companies’ combined offering
incorporates the ProCurve Adaptive EDGE
Architecture™ and SonicWALL’s advanced product line
of UTM application firewalls and security services.
The resulting solutions deliver an integrated and easy-
to-use network security solution. It provides superb
functionality in network security, management,
enterprise mobility, and design enhancement.
ProCurve and SonicWALL: “A partnership of protection”
ProCurve Networking and SonicWALL have a strong,
long-standing partnership that touches all aspects of
their respective organizations. It is an innovative
technological partnership that provides customers and
partners with greater vendor flexibility.
Integrating SonicWALL UTM Appliances with PCM+/NIM
Deployment Four—PortShield Multizone
[Figure: Deployment Four—PortShield Multizone topology. Elements shown: ProCurve switch; laptop and desktop clients; file server(s); e-mail server(s); router; DMZ; PortShield interface; LAN segments for Sales, Marketing, Server 1 and Server 2; WAN; ISP; PCM+/NIM server; SonicWALL E-Class or PRO Series UTM Appliance.]
VLAN UTM Scanning—application firewalling between VLANs
Problem:
• Peer-to-peer (P2P) applications are using up available
bandwidth between network segments.
• Instant messaging (IM) applications are notoriously
insecure.
• Company confidential documents must be contained
within the network.
• Unproductive audio and video streaming has become
rampant.
Solution—The SonicWALL UTM device offers
configuration options that inspect traffic between
VLANs. This configuration, often referred to in
SonicWALL documentation as PortShield, leverages a
SonicWALL UTM device as an inter-VLAN application
firewalling/UTM device. Configuring VLANs into
segmented user groups and passing these VLAN tags
through ProCurve switches allows full application
firewalling and UTM services not only for
inbound/outbound Internet traffic but also for all data
flowing between network segments. Activating
predefined or even user-defined signatures on
SonicWALL’s Application Firewall within this topology
enables an administrator to block Yahoo IM between
segments, stop “confidential” documents from leaving
the network, or create any number of custom security
signatures as business requirements change. This is all
possible by leveraging standards-based VLAN
technology.
Benefits of solution:
• Helps prevent security breaches by detecting and
responding to internal and external network threats.
• Provides quality of service so that mission-critical
traffic has priority over unproductive audio and
video streaming traffic between network segments,
VPN tunnels, or at the port level of the ProCurve
switch.
• Threat-mitigating UTM service stops IM applications
designed to bypass firewalls.
• Application firewalling offers the option to contain
company confidential documents within a network
as defined by keyword, file type or user, or a
combination of all three.
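As an added example (not code from this brief, and not SonicWALL’s Application Firewall), the following Python models the inter-VLAN policy described above: a packet travelling between two VLAN segments is classified against a small signature table and then checked against rules scoped by VLAN pair, application, content keyword and file type, so that Yahoo IM can be blocked between user segments while “confidential” documents are blocked only when they are leaving the network. The VLAN ids, rule names, signature patterns and sample packets are constructed; the classifier only looks at the first bytes of a payload and stands in for the UTM’s far richer signature engine.

```python
"""Inter-VLAN application firewall policy check (added example).

Not SonicWALL code: signature patterns, VLAN ids, rule names and
sample packets below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

WAN = 0                                   # constructed id for "outside the network"
SALES, MARKETING, SERVERS = 10, 20, 30    # constructed VLAN ids


@dataclass(frozen=True)
class Packet:
    src_vlan: int
    dst_vlan: int
    filename: Optional[str]   # name of a transferred file, if the flow carries one
    payload: bytes


# Constructed application signatures keyed on the start of the payload.
SIGNATURES = {
    "yahoo-im": re.compile(rb"^YMSG"),
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "rtsp-stream": re.compile(rb"^(SETUP|PLAY) rtsp://"),
}


def classify(payload):
    """Tag a payload with the first signature it matches, else 'unknown'."""
    for name, pattern in SIGNATURES.items():
        if pattern.match(payload):
            return name
    return "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "block", "rate-limit" or "allow"
    src_vlans: Optional[FrozenSet[int]] = None    # None means any VLAN
    dst_vlans: Optional[FrozenSet[int]] = None
    app: Optional[str] = None
    keyword: Optional[bytes] = None
    file_ext: Optional[str] = None

    def matches(self, pkt, app):
        """Every condition that is set must hold; unset conditions match anything."""
        if self.src_vlans is not None and pkt.src_vlan not in self.src_vlans:
            return False
        if self.dst_vlans is not None and pkt.dst_vlan not in self.dst_vlans:
            return False
        if self.app is not None and app != self.app:
            return False
        if self.keyword is not None and self.keyword not in pkt.payload:
            return False
        if self.file_ext is not None and not (pkt.filename or "").lower().endswith(self.file_ext):
            return False
        return True


USER_VLANS = frozenset({SALES, MARKETING})

# Constructed policy mirroring the brief's use cases: IM between user
# segments, confidential content leaving the network, P2P and streaming.
POLICY = [
    Rule("no-yahoo-im-between-user-segments", "block",
         src_vlans=USER_VLANS, dst_vlans=USER_VLANS, app="yahoo-im"),
    Rule("keep-confidential-docs-inside", "block",
         dst_vlans=frozenset({WAN}), keyword=b"CONFIDENTIAL"),
    Rule("keep-spreadsheets-inside", "block",
         dst_vlans=frozenset({WAN}), file_ext=".xlsx"),
    Rule("no-p2p-anywhere", "block", app="bittorrent"),
    Rule("deprioritise-streaming", "rate-limit", app="rtsp-stream"),
]


def evaluate(pkt, policy=POLICY):
    """First matching rule wins; traffic matching no rule is allowed."""
    app = classify(pkt.payload)
    for rule in policy:
        if rule.matches(pkt, app):
            return rule.action, rule.name, app
    return "allow", "default", app


if __name__ == "__main__":
    print(evaluate(Packet(SALES, MARKETING, None, b"YMSG\x00\x10")))
    print(evaluate(Packet(SALES, WAN, "q3.docx", b"... CONFIDENTIAL ...")))
    print(evaluate(Packet(SALES, MARKETING, "q3.docx", b"CONFIDENTIAL")))
```

Note that the confidential-document rules are scoped to the WAN destination only, so the same document moving between Sales and Marketing is allowed; the IM rule is scoped to the two user VLANs, so the same YMSG payload bound for the server VLAN falls through to the default. Ordering matters: the first rule that matches decides.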
Clean VPN
Problem:
• Remote offices connecting to headquarters via VPN
typically bypass security policies and enter “trusted”
network segments unchecked.
• Exploits introduced on the LAN of a remote office
could make their way into the network at corporate
headquarters.
Solution—This configuration leverages a SonicWALL
UTM device at the gateway of two physically separated
networks. The networks are securely linked by an AES
encrypted VPN tunnel and the SonicWALL solutions on
both ends perform full UTM scanning before passing
traffic to downstream ProCurve switches. This
SonicWALL/ProCurve configuration provides
bidirectional protection. The ProCurve Manager and
Network Immunity Manager can also safely and
securely manage ProCurve switches at the remote sites
across the tunnel.
Benefits of solution:
• UTM inspection checks data entering the network
from remote offices for security compliance.
• A heightened level of security is provided for remote
office management from a central location with deep
packet inspection through the SonicWALL VPN
tunnel and ProCurve Manager Plus (PCM+) and
Network Immunity Manager (NIM).
[Figure: Clean VPN topology. Elements shown: main office with ProCurve switch, laptop and desktop clients, file server(s), e-mail server(s), router, DMZ, LAN, WAN, ISP, ProCurve PCM+/NIM server and a SonicWALL E-Class or PRO Series UTM Appliance; two remote offices, each with a ProCurve switch, laptop client, file server(s) and router, protected by a SonicWALL TZ 180W and a SonicWALL TZ 190W respectively; VPN to/from each remote office.]
Integrating SonicWALL UTM Appliances with PCM+/NIM
Deployment Three—One-port IDS mode
[Figure: Deployment Three—One-port IDS mode topology. Elements shown: ProCurve switch; laptop and desktop clients; file server(s); e-mail server(s); router; third-party firewall; LAN segments; WAN/L2B mode; WAN; ISP; PCM+/NIM server; SonicWALL E-Class or PRO Series UTM Appliance.]
UTM IDS mode
Problem:
• Port-level security is required for many networks.
• Available solutions are very expensive and tend to
force users into other product requirements due to
proprietary system interoperability (vendor locking).
• Many solutions today only detect attacks, but the
ideal solution must be able to mitigate threats by
port as they happen.
Solution—This configuration leverages a SonicWALL
UTM device as a sensor within a network. If the
ProCurve Network Immunity Manager’s NBAD
engines identify suspect traffic, they can configure a
port on a ProCurve switch to mirror the suspect
traffic to the SonicWALL UTM. This will allow the
SonicWALL to determine if any internal threats exist
in the data stream. If there are any threats, the
SonicWALL can route alerts to the ProCurve Network
Immunity Manager (NIM) to reconfigure ports on the
switch to counter the attack, thereby mitigating the
threat.
Benefits of solution:
• Employing SonicWALL’s UTM, along with ProCurve’s
NIM, provides a way to apply security policy at the
switch, protecting users from internal threats and
resulting in total network security.
• Using industry standards, SonicWALL and ProCurve
can offer a dynamic solution that mitigates threats
without introducing proprietary technology that
will affect other IT systems.
• It quarantines offenders by shutting down the
physical switch port to which the offending computer,
or the networked device it is connected to, is attached.
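The mirror-then-mitigate loop described here, and in the Network Immunity Manager section earlier, as an added Python example (this is not ProCurve NIM or SonicWALL code): it runs a simple fan-out check over constructed sFlow-style samples, proposes mirroring the suspect switch port to the UTM sensor, and escalates to a quarantine VLAN and MAC lockout only once the UTM has confirmed a threat. The threshold, switch port numbers, VLAN id and addresses are all assumptions.

```python
"""Network behaviour anomaly detection (NBAD) over sFlow-style samples.

Added illustration of the NIM workflow in the brief, not ProCurve or
SonicWALL code. Records, thresholds, ports and VLAN ids are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    """One sampled packet as an sFlow agent on an access switch reports it."""
    switch_port: int   # ingress port the sample was taken on
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    src_ip: str
    src_mac: str
    switch_port: int
    distinct_dsts: int
    top_dst_port: int


def build_samples():
    """Constructed sample set: one normal client on port 3 and one host on
    port 7 sweeping a /24 on TCP 445, the pattern a spreading worm shows."""
    samples = [
        FlowSample(3, "00:11:22:33:44:01", "10.1.2.10", "10.1.0.5", 443),  # web proxy
        FlowSample(3, "00:11:22:33:44:01", "10.1.2.10", "10.1.0.7", 445),  # file server
        FlowSample(3, "00:11:22:33:44:01", "10.1.2.10", "10.1.0.9", 25),   # mail server
        FlowSample(3, "00:11:22:33:44:01", "10.1.2.10", "10.1.0.5", 443),
    ]
    for i in range(25):
        samples.append(FlowSample(
            7, "00:11:22:33:44:50", "10.1.2.50", f"10.1.3.{i + 1}", 445))
    return samples


def detect_fanout(samples, max_distinct_dsts=10):
    """Return a Finding for every source whose sampled traffic touches more
    distinct destinations than max_distinct_dsts. Scan-like fan-out on one
    service port is what virus throttling and the NBAD engines look for."""
    dsts = defaultdict(set)
    ports = defaultdict(Counter)
    origin = {}
    for s in samples:
        dsts[s.src_ip].add(s.dst_ip)
        ports[s.src_ip][s.dst_port] += 1
        origin[s.src_ip] = (s.src_mac, s.switch_port)  # assumes one port per host
    findings = []
    for ip, seen in dsts.items():
        if len(seen) > max_distinct_dsts:
            mac, port = origin[ip]
            top_port, _ = ports[ip].most_common(1)[0]
            findings.append(Finding(ip, mac, port, len(seen), top_port))
    return findings


UTM_SENSOR_PORT = 24    # switch port the UTM's IDS interface is on (assumed)
QUARANTINE_VLAN = 999   # VLAN with no route to production (assumed)


def plan_response(finding, confirmed_by_utm):
    """Escalation ladder: mirror the suspect port to the UTM for analysis
    first; only after the UTM confirms a threat move the port to the
    quarantine VLAN and lock out the offending MAC address."""
    if not confirmed_by_utm:
        return [("mirror", finding.switch_port, UTM_SENSOR_PORT)]
    return [
        ("quarantine_vlan", finding.switch_port, QUARANTINE_VLAN),
        ("mac_lockout", finding.src_mac, None),
    ]


if __name__ == "__main__":
    for f in detect_fanout(build_samples()):
        print(f)
        print("  before UTM verdict:", plan_response(f, confirmed_by_utm=False))
        print("  after UTM confirms:", plan_response(f, confirmed_by_utm=True))
```

The two-stage response is the point: an NBAD verdict on sampled data is a hint, not proof, so the first action only copies the suspect port's traffic to the sensor; the disruptive actions (quarantine VLAN, MAC lockout) wait for the UTM's deep inspection of the mirrored stream.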
Prerequisites for this Implementation
• SonicWALL PRO-series UTM appliances must have
SonicOS Enhanced 4.0.0.4 or later installed in order
to interoperate with PCM+ and NIM.
SonicWALL UTM appliances that interoperate with PCM+ and NIM
• SonicWALL PRO 2040
• SonicWALL PRO 3060
• SonicWALL PRO 4060
• SonicWALL PRO 4100
• SonicWALL NSA E5500
• SonicWALL NSA E6500
• SonicWALL NSA E7500
• SonicWALL E-Class series UTM appliances must have
SonicOS Enhanced 5.0.0.7 or later installed in order
to interoperate with PCM+ and NIM.
• You must have a current service contract for the
Gateway AntiVirus, Gateway AntiSpyware, and
Gateway Intrusion Protection features on the
SonicWALL UTM appliance in order to use the
stream-based scanning and protection features.
Failure to keep the services renewed may seriously
impact the security level and protection capabilities
of your network architecture.
• HP ProCurve Manager Plus must be updated to
Version 2.2 or later, with all current patches.
• HP Network Immunity Manager must be updated to
Version 1.0 or later, with all current patches.
Other sample topologies
• ProCurve Manager Plus (PCM+)
• Network Immunity Manager (NIM)
• SonicWALL UTM devices
Integrating SonicWALL UTM Appliances with PCM+/NIM
Deployment One—Gateway mode
[Figure: Deployment One—Gateway mode topology. Elements shown: ProCurve switch; laptop and desktop clients; file server(s); e-mail server(s); router; DMZ; LAN segments; WAN; ISP; PCM+/NIM server; SonicWALL E-Class or PRO Series UTM Appliance at the gateway.]
Supporting customers
ProCurve and SonicWALL are firmly committed to the
success of their customers. ProCurve and SonicWALL
products have gone through formalized
interoperability testing and certification that provides
comprehensive, pre-qualified solutions. This solid,
established partnership enables customers to deploy
secure network infrastructure with confidence. In
addition, most ProCurve products have an industry-
leading, lifetime warranty that includes next-business-
day advanced replacement and free software updates
for as long as the customer owns the product.
Customers also benefit from free network design and
configuration services from ProCurve Design Center.
Joint success story
Following is an example of how ProCurve and other
ProCurve Alliance members, including SonicWALL,
have provided a total solution that enables real
businesses to solve business needs.
SonicWALL and ProCurve Networking by HP deliver secure VoIP for Glentel through Gold Partner Netcetera
Glentel is the largest cellular product retailer in Canada
and a leading provider of wireless communications
solutions in North America. Glentel currently operates
close to 250 locations throughout Canada, with
roughly 80 percent of its business in retail cellular
products, and 20 percent in integrated end-to-end
wireless communications solutions for business,
industry, and government. When the communications
giant decided to update its own 20-year-old internal
PBX system to VoIP, it brought in experts from
Vancouver-based Netcetera, a SonicWALL Gold Partner.
The challenge: deliver secure VoIP to a fast-growing distributed network
“Over the last five years, our business has grown at an
annual compounded rate of 25 percent, adding 50 new
business locations last year alone,” said Frank Chay,
director of Information Technology and Services.
“Much of this growth has been through acquisition,
with corresponding legacy phone and data systems
inherited at distributed sites. We needed a secure
platform to consolidate these islands of technology.”
Integrating SonicWALL UTM Appliances with PCM+/NIM
Deployment Two—In-line L2B mode
This configuration is identical to the one depicted
above, with the exception being that the SonicWALL
UTM device is installed inline behind a third-party
firewall in “transparent” or bridge mode. This allows
legacy firewall infrastructure to remain in place
without compromising security.
[Figure: Deployment Two—In-line L2B mode topology. Elements shown: ProCurve switch; laptop and desktop clients; file server(s); e-mail server(s); router; third-party firewall; DMZ; LAN segments in L2B mode; WAN; ISP; PCM+/NIM server; SonicWALL E-Class or PRO Series UTM Appliance inline behind the firewall.]
While Glentel has quadrupled in size, its IT staff has
grown at only half that rate. At the same time,
Glentel has expanded its services. Given these resource
constraints, Glentel required a solution that would ease
centralized control of all voice and data traffic and
security, as well as reduce deployment costs and
complexity. The conversion to VoIP also presented
Glentel with a new IT priority: voice security. Because
VoIP uses IP as its conduit, it is vulnerable to the same
sorts of attacks as other Internet traffic, including
viruses, trojans, eavesdropping, and denial-of-service
attacks. Glentel needed a way to protect its VoIP traffic
as thoroughly and rigorously as it protected the rest of
its network data.
The solution: a secure VoIP platform integrating SonicWALL with HP ProCurve
To reduce costs and enhance return on its investment
in technology, Glentel chose to build its VoIP solution
upon its existing infrastructure. Glentel already
applied SonicWALL Unified Threat Management (UTM)
over SonicWALL PRO and TZ network security
appliances at all of its corporate locations. This
provided Glentel with real-time deep packet inspection
combined with dynamically updated gateway anti-
virus, anti-spyware, intrusion prevention, enforced
desktop anti-virus, and Web content filtering.
Significantly, SonicWALL also provided extensive built-
in VoIP capabilities. “When we started looking at
different VoIP solutions such as Cisco and 3Com, they
wanted us to forego our existing infrastructure with
their proprietary platforms,” said Chay. “That was not
in the cards.”
To leverage SonicWALL VoIP functionality, Chay
implemented 2626 switches across his network,
replacing outdated D-Link switches. The HP ProCurve
offering had the advantage of open non-proprietary
industry standards such as Link Layer Discovery
Protocol-Media Endpoint Discovery (LLDP-MED)
extensions to enable plug-and-play deployment. The
ProCurve solution also offered IEEE 802.3af Power over
Ethernet (PoE) capabilities, which enables deployment
of digital phone sets without adding corresponding AC
power outlets. For phone equipment, Chay chose Mitel,
a leading Microsoft® Office Communications Server
(OCS) partner and a ProCurve Alliance Member whose
phones also support LLDP-MED and PoE.
Netcetera was critical to the successful rollout
“First, we configured the SonicWALL PRO 5060 to
segment off separate VLANs for voice and data,” said
Steve Weeks, president and CEO, Netcetera. “Then we
enabled the ProCurve’s IP Helper feature to pass
through DHCP requests. This is where the LLDP comes
in. As soon as a Mitel phone powers up, it signals
ProCurve to have its data placed upon the VLAN with
voice priority, instead of bogging down network
throughput with broadcasts.”
The results: secure hand-off between offices, experts, and skill sets
Now all of Glentel’s voice and data between the
locations is fully protected by SonicWALL UTM, along
with automatic intrusion prevention, anti-virus, and
content filtering. Glentel also uses the SonicWALL
Global Management System (GMS) to centrally control
and manage the solution, which adds VoIP monitoring,
troubleshooting, and compliance controls through
dynamic live reporting of active calls, audit logs, and
custom reports of all VoIP signals and media streams.
“Previously, Web conferencing was rarely used because
it was cost prohibitive,” said Chay. “Now it’s an
affordable and effective business tool.” Another benefit
has been in ease of deployment. “Today I can have two
staff move a department of 15 people to another
location and have them all fully operational in two
hours,” said Chay. “It’s literally plug and play. The
biggest time factor is unraveling cables.”
The future: more responsive and flexible business communications
Open standards give Glentel greater freedom to extend
its VoIP solution. SonicWALL is interoperable with all
leading VoIP vendors, and plug-and-protect support
will automatically accommodate any VoIP device that
is added or removed.
“Over this next year, we plan to consolidate what were
19 independent legacy phone systems into one using
VoIP,” said Chay. “Instead of maintaining 18 service
dispatch coordinators at each office, we can centralize
two or three, increasing issue visibility and improving
responsiveness. The SonicWALL VoIP solution has
enabled better hand-off between offices, experts, and
skill sets. For example, a smaller branch will be able to
more easily access a product expert at a larger office,
cutting redundant training costs and driving better
customer support.”
“We also expect to take advantage of extended
integration between Mitel and OCS for dual forking,
allowing a call to simultaneously ring at the user’s desk
phone, at the user’s PC using OCS and at the user’s cell
phone. This will provide seamless, more responsive
communications to our branch offices with traveling
mobile staff,” said Chay.
SonicWALL is engineered to appropriately manage
available bandwidth to accommodate time-sensitive
VoIP traffic. Still, Chay is looking at ever-increasing
bandwidth demands. “We process over a million e-
mails a month internally, with attachments over 100
MB,” said Chay. “Now we plan to add streaming media
to interactive marketing displays at retail locations,
where a customer picking up a headset would
automatically activate corresponding digital signage.”
Chay already knows where to find a solution to meet
Glentel’s expanding enterprise performance needs.
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft is a U.S. registered trademark of Microsoft Corporation.
4AA1-9147ENW, April 2008
To find out more about ProCurve Networking products and solutions, please visit www.procurve.com
Summary
As real-time networking moves to the forefront in
today’s business and as data assets become
exponentially more valuable than physical assets, it is
critical that IT professionals build security, flexibility,
and long-term value into their networking strategy
and design. An adaptive network is essential. Building
an adaptive network today will become a competitive
differentiator as market, threat, or expense pressures
affect markets and squeeze competition. Protecting
data assets today with dynamic UTM technology, while
not locking into an end-to-end monolithic platform,
will provide the choices needed to stay competitive
while avoiding network downtime because of security
breach, loss or leakage of data, or unexpected budget
overruns. Don’t buy ProCurve because of the brand,
buy ProCurve and ProCurve Alliance Solutions because
of the value.
For more information
ProCurve Networking product overviews:
http://www.hp.com/rnd/products/switches/ProCurve_Switch_3500yl-5400zl_Series/overview.htm (ProCurve Switch 3500yl/5400zl Series)
www.hp.com/rnd/products/switches/switch2600series/overview.htm (ProCurve Switch 2600 series)
www.hp.com/rnd/products/switches/switch5300xlseries/overview.htm (ProCurve Switch 5300xl Series)
ProCurve Networking convergence solutions: www.hp.com/rnd/solutions/convergence.htm
ProCurve Networking Design Center: www.hp.com/rnd/design_center/index.htm
White papers: www.hp.com/rnd/library/whitepapers.htm (ProCurve Networking)
ProCurve/SonicWALL announcements: www.procurve.com/alliance/members/sonicwall.htm
SonicWALL corporate site: www.sonicwall.com
SonicWALL demo site: http://livedemo.sonicwall.com/