© 2000-2001, Secure Computing Corp. All rights reserved.
SECURE COMPUTING
Countering the Insider Threat with Autonomic Distributed Firewall (ADF) Technology
Black Hat Briefings
Las Vegas, NV, 11 July 2001
George Jelatis & David Papas
David_Papas@[email protected]
Jelatis@[email protected]
www.securecomputing.com

Outline
• Firewall trends and issues
• Approach & Architecture
• Security policy management
• Implementation
• Applications
• Demonstration Scenarios

Perimeter Firewall Issues
• Perimeter firewalls have limited visibility
  – They cannot see activity behind the firewall, thus they do little to counter insider threats
  – Blurring of the line between insiders and outsiders
  – IPv6/IPSEC significantly limits perimeter based filtering and intrusion detection
  – Wireless/mobile computing frustrates policy
• Perimeter firewalls are expensive (but necessary)

Host Based Firewalls
• Operating systems are vulnerable
  – Back Orifice, Melissa, <attack of the week>.
  – Windows 2000 has 25M+ LOC and maybe one or two security bugs
• Firewalls implemented on vulnerable operating systems may suffer from circular logic
• Many host based firewalls assume the user is trusted. Even good users do bad things when they unwittingly run hostile code.

ADF Approach
• Push the firewall closer to, but not on to, the host.
  – The host cannot be trusted because the operating system may be subverted.
• Create a “firewall-on-a-Network Interface Card (NIC)” that is independent from the host
• Use a master-slave architecture to provide scalability & centralized security policy management

Insider Threat?

ADF Concept
Distribute network layer security onto smart hardware directly in front of critical hosts
• Complements existing perimeter firewalls
  – Protects against insider threat
• Stronger than existing host/application security
  – Mechanisms cannot be subverted by malicious users or code running on a weak operating system
• An affordable security solution
  – Low cost of hardware and software
  – Incremental deployment to address specific threats
• A survivable security solution
  – Transparent to hosts and applications
  – Redundant management system
  – Fail-safe hardware components

Technical Objective
• Provide robust, intrusion tolerant networks via a firewall per host
  – Provide defense in depth
  – Provide protection from insiders
  – Tie distributed firewall to autonomic response mechanisms

ADF Background
• New approach to network security
• Addresses needs of complex, partner networks
ADF technology development
COTS NIC
• IPSec 3DES encryption
• ARM 9 processor
SCC software
• Modified NIC firmware
• Centralized policy management
EMBEDDED FIREWALL
DARPA

Major Components
[Figure: component diagram with the labels NIC; Driver - Runtime image; ADF Agent; Host OS; Protected host; Controller daemon; Audit daemon; Audit database; Controller front end; GUI; ADF Controller; Policy database; MIB]

NIC Implementation
• Isolation from the host operating system
  – Separate processor
  – Isolated memory
• IPSEC crypto hardware on the NIC provides high performance VPNs
  – Windows 2000 based Dec 2000
  – ADFC managed late 2001
NIC based policy supports servers, desktops, telecommuters, and laptops

NIC Packet Filtering
• No sniffing
  – Prevents sniffing passwords and other information
• No spoofing
  – Eliminates distributed denial of service attacks using spoofed addresses.
• Additional rules based on
  – IP addresses
  – Direction
  – Port ranges
  – Initiate vs. accept connections
• Possible NIC actions
  – Allow/deny. Passes or drops the packet
  – Audit/no audit. Sends audit to the ADF Controller

NIC Filter Engine
• 64 packet filtering rules supported
• TCP SYN detection
  – Allows the NIC to distinguish between accepting or initiating connections, e.g., allow outbound Telnet but block inbound
• Actions in response to matching a packet filter engine rule:
  – Allow/deny. Passes or drops the packet
  – Audit/no audit. Sends audit to the ADFC
  – Test. Flag packets that matched the packet filter rule but do not enforce the policy; test new policies first
• No support for filtering inside tunnels (e.g., IPSEC)
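
The filter behaviour listed on this slide, modelled as an added example (not Secure Computing's firmware or code from the talk). The rule fields, first-match ordering, default deny and the `Packet`/`Rule`/`FilterEngine` names are assumptions; the 64-rule limit, SYN detection, allow/deny, audit and test mode come from the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_RULES = 64  # rule capacity stated on the slide

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    remote_ip: str
    remote_port: int
    local_port: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    name: str
    remote_net: str       # CIDR block the peer must fall in
    ports: tuple          # (low, high) range for the service port
    role: str             # "initiate": host is the client; "accept": host is the server
    allow: bool
    audit: bool = False

def opens_connection(p):
    # TCP SYN detection: SYN set with ACK clear is the first segment of a connection.
    return p.syn and not p.ack

def matches(rule, p):
    if ip_address(p.remote_ip) not in ip_network(rule.remote_net):
        return False
    # The service port sits on the peer when the host initiates, on the host when it accepts.
    port, opener = ((p.remote_port, "out") if rule.role == "initiate"
                    else (p.local_port, "in"))
    low, high = rule.ports
    if not low <= port <= high:
        return False
    # An opening segment travelling against the rule's role is not this rule's traffic.
    return not (opens_connection(p) and p.direction != opener)

class FilterEngine:
    def __init__(self, rules, mode="filter"):
        if len(rules) > MAX_RULES:
            raise ValueError(f"rule table holds at most {MAX_RULES} rules")
        self.rules, self.mode = list(rules), mode
        self.audits, self.flags = [], []   # stand-ins for records sent to the controller

    def check(self, p):
        """Return (passed, rule_name). First match wins; no match means deny (assumed)."""
        rule = next((r for r in self.rules if matches(r, p)), None)
        name = rule.name if rule else "default-deny"
        if rule and rule.audit:
            self.audits.append((name, p))
        if self.mode == "test":
            if rule:
                self.flags.append((name, p))   # flag the match, enforce nothing
            return True, name
        return (rule.allow if rule else False), name

# Constructed policy for the slide's case: outbound Telnet allowed, inbound blocked.
TELNET_POLICY = [
    Rule("telnet-out", "0.0.0.0/0", (23, 23), "initiate", allow=True),
    Rule("telnet-in", "0.0.0.0/0", (23, 23), "accept", allow=False, audit=True),
]
```

An inbound SYN that merely uses source port 23 matches neither rule and falls to the default deny, which is what SYN detection buys over plain port matching.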

Embedded Firewall Controller
• Provides the policy and audit GUI
  – Filter mode. Enforces the packet filter rules
  – Test mode. Does not enforce the policy but flags packets that matched the packet filter rule
• Uses a SQL database for storing policy and audit data
• Runs on Windows 2000 and NT
• Linux port underway
• Up to 3-way replication for fault tolerance

Security Policy
Desired policy
Clients
• Human resources
  – Laura
  – Mary
• Engineering
  – Chris
  – Nancy
• Sales
  – Paul
  – Sam
Servers
• HR web server
  – FTP
  – HTTP
• Engineering file server
  – NFS
  – FTP
• Sales database
  – SQL

Topologies are Complicated
[Figure: network topology diagram showing the Internet, routers (BBN Planet Cisco 7505, wormhole and vortex Cisco 3640, ialab1 Cisco 2514), Sidewinder firewalls, LAN and DMZ segments, NT, RH and Solaris hosts, an AFRL/LL traffic generator, laptops and a remote site]

Potential Targets without ADF
[Figure: plot of remote ports against host addresses]
Remote Ports: Message Send Protocol, Chargen, FTP, SSH remote login, Telnet, SMTP (mail), Host name server, Who is, Login host protocol, Domain name server, SQL, Bootstrap, TFTP, Finger, HTTP, Sun RPC, NetBIOS, SNMP, Internet relay chat, HTTP management, …
Host Addresses: 0 32 64 96 128 160 192 224 255

Potential Targets with ADF
[Figure: plot of remote ports against host addresses]
Remote Ports: Message Send Protocol, Chargen, FTP, SSH remote login, Telnet, SMTP (mail), Host name server, Who is, Login host protocol, Domain name server, SQL, Bootstrap, TFTP, Finger, HTTP, Sun RPC, NetBIOS, SNMP, Internet relay chat, HTTP management, …
Host Addresses: 0 32 64 96 128 160 192 224 255

Network Edge Security
Core Network
– Routing
– Bandwidth
[Figure: hosts attached around the core network]
Intranet Web server 5.19.42.93
Analyst Workstation 5.12.161.192
Data Source 5.12.161.197
Web Server 5.12.161.171
Remote Site 5.12.163.142
Intel Resources, Web server 5.12.111.23
SQL server 5.19.42.93

Implementation
ADF Policy Controller
• Built by SCC under DARPA effort
• Converts high level policy into low level packet filtering rules for the NICs
• Encrypted communication with NICs
• Host cannot disable policy on its NIC
• Controller has audit database and browser
[Figure: diagram with the labels LAN; Firewall; Workstation; Remote user; Server; INTERNET]

Protects Against Insider Threats
Web Server NIC
• only accepts http from user systems
• only initiates SQL to DB server
• accepts SSH/telnet only from admin
Mail Server NIC
• only accepts POP from user systems
• only accepts/initiates SMTP with other mail servers
• accepts SSH/telnet only from admin
Admin NIC
• initiates SSH/telnet to all servers
• initiates POP, SQL, and http only to servers
• accepts nothing from anywhere else
[Figure: diagram with the labels User Workstation; Web Server; Mail Server; Database Server; Admin Workstation]
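
How a controller might turn the role-level policy on this slide into per-NIC rule tables, as an added example (not the ADF Policy Controller's code). Host addresses, port numbers, the rule tuple layout and all function names are assumptions; the SMTP bullet is left out because the slide does not name the peer mail servers.

```python
from collections import defaultdict

MAX_RULES = 64  # per-NIC rule capacity from the NIC Filter Engine slide

# Constructed addresses (documentation ranges); the slide names roles, not hosts.
HOSTS = {
    "user":  ["192.0.2.10", "192.0.2.11"],
    "admin": ["192.0.2.50"],
    "web":   ["198.51.100.80"],
    "mail":  ["198.51.100.25"],
    "db":    ["198.51.100.43"],
}
# Assumed port numbers; the slide gives service names only.
PORTS = {"http": 80, "pop": 110, "sql": 1433, "ssh": 22, "telnet": 23}

# High-level policy: (client role, server role, service), taken from the slide's bullets.
FLOWS = [("user", "web", "http"), ("user", "mail", "pop"), ("web", "db", "sql"),
         ("admin", "web", "http"), ("admin", "mail", "pop"), ("admin", "db", "sql")]
FLOWS += [("admin", srv, svc) for srv in ("web", "mail", "db") for svc in ("ssh", "telnet")]

def compile_policy(flows, hosts=HOSTS, ports=PORTS):
    """Expand role-level flows into one rule table per NIC.

    Each rule is (role, peer_ip, port): "initiate" on the client's NIC and
    "accept" on the server's NIC, so both ends enforce the same flow.
    Anything not listed is denied (hypothetical default deny).
    """
    tables = defaultdict(list)
    for client, server, service in flows:
        for c_ip in hosts[client]:
            for s_ip in hosts[server]:
                tables[c_ip].append(("initiate", s_ip, ports[service]))
                tables[s_ip].append(("accept", c_ip, ports[service]))
    for ip, rules in tables.items():
        if len(rules) > MAX_RULES:
            raise ValueError(f"{ip}: {len(rules)} rules exceed the NIC's {MAX_RULES}")
    return dict(tables)

def can_connect(tables, src_ip, dst_ip, port):
    """A connection needs an initiate rule on the source NIC and an accept rule on the target NIC."""
    return (("initiate", dst_ip, port) in tables.get(src_ip, [])
            and ("accept", src_ip, port) in tables.get(dst_ip, []))

def reachable_services(tables, src_ip):
    """Everything a host could open if it were subverted: the insider's reach."""
    return sorted((peer, port) for role, peer, port in tables.get(src_ip, [])
                  if role == "initiate")
```

`reachable_services` gives a quick review of what a compromised workstation or web server could still reach, for example that a user workstation has no path to the database server.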

ADF Connects the Warfighter
[Figure: diagram with the labels NIC; Attacker; Mail server; Database server; Enterprise Network; Attacker’s PC; Triple DES VPN Tunnel; WarFighter; Applications without security patches; Firewall/VPN Gateway; IPSec VPN; OS without security patches; Cable/DSL Modem; IP]

Protects Data Sharing among Partners
Only allow servers to initiate IPSec connections between each other.
Do not allow shared servers to initiate inbound connections
[Figure: diagram with the labels Virtual Shared Server; US LAN; Partner LAN; NIC; US App Server; Partner App Server; IPSec VPN; Controller; Firewall; Internet; Locally initiated connections]

Simple Shared Server
[Figure: diagram with the labels Windows NT 4/2000 box; FTP server; IIS; IPSEC software; Internet; Firewall NIC; Cable modem / DSL modem or Router; Partner; Distributed Firewall Controller; US User workstations; US LAN]

Demo Scenarios
1. Management of INFOCON shift
2. Controlled sharing using protected servers

INFOCON Alpha
• Protocols and/or addresses can be restricted on a per host basis as INFOCON changes
  – Block all port x traffic to a user’s machine
  – Block a service from a specific subnet
[Figure: Experimental LAN 4.22.160.64/26 connected to the Internet, with hosts york (NT4.0, .121), almondjoy (Win2K, .122), pringle (NT4.0, .76) and snicker (Win2K, .100), labelled Alpha]

INFOCON Bravo
[Figure: Experimental LAN 4.22.160.64/26 connected to the Internet, with hosts york (NT4.0, .121), almondjoy (Win2K, .122), pringle (NT4.0, .76) and snicker (Win2K, .100), labelled Bravo and Alpha]
• Each host can be at a different INFOCON level
• Changing INFOCON is easy
• No rebooting required
• No user action required

Controlled Sharing
• Controlled sharing provides a shared application server while protecting each LAN from the other coalition partner
[Figure: diagram with the labels Virtual Shared Server; Coalition LAN; US LAN; ADFC; NIC; Coalition App Server; US App Server; Router; Internet; Locally initiated connection; IPSEC VPN]

Distributed Defense in Depth
• Uses the master/slave architecture
• Provides centrally managed
  – VPN management and PKI
  – Packet filtering policies
  – Audit
• Provides protection for
  – Always online connections
  – Field offices
  – Remote locations
[Figure: diagram with the labels Node Manager; Internet; Mobile Field Agent; Local Server; Gateway Firewall; Foreign Field office; NIC]

Conclusion
• ADF provides affordable, survivable Defense in Depth
• Complements existing paradigms
  – Firewall keeps unauthorized outsiders out
  – Embedded Firewall controls where insiders go
  – Host and apps provide fine grained access control
• OS and application transparent
• Redundant, distributed management with fail-safe enforcement components
• Product availability
  – NICs are currently available COTS product
  – Centralized controller and modified firmware complete
  – Betas in March 2001, product release in 3Q01

Demo Screen Shots
[Screenshot slides, titles only:]
• Controller GUI
• Policy View
• Expanded Policy View
• Rule Set Manager
• Server View
• Node Manager NIC Screen

Q & A
George Jelatis & David Papas
David_Papas@[email protected]
Jelatis@[email protected]
www.securecomputing.com