Royal Mitra Teknologi

Information Security Implementation

Firewall
    A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and an outside network, such as the Internet, that is assumed not to be secure or trusted. Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls are software appliances running on general-purpose hardware, or dedicated hardware firewall appliances, that filter traffic between two or more networks. Host-based firewalls provide a layer of software on one host that controls network traffic in and out of that single machine. Routers that pass data between networks contain firewall components and can often perform basic routing functions as well. Firewall appliances may also offer other functionality to the internal network they protect, such as acting as a DHCP or VPN server for that network.


Intrusion Prevention Systems
    Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

    Intrusion prevention systems are considered extensions of intrusion detection systems because both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block the intrusions they detect. More specifically, an IPS can take actions such as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, reassemble fragmented packet streams, prevent TCP sequencing issues, and clean up unwanted transport- and network-layer options.


Next Generation Firewall
    NGFWs include the typical functions of traditional firewalls such as packet filtering, network and port address translation (NAT), stateful inspection, and virtual private network (VPN) support. The goal of next generation firewalls is to cover more layers of the OSI model so that traffic can be filtered according to packet contents. NGFWs perform deeper inspection than the stateful inspection performed by first- and second-generation firewalls: they inspect the payload of packets and match signatures for harmful activity such as known vulnerabilities, exploit attacks, viruses and malware. Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks." At minimum, Gartner states an NGFW should provide:
  • Non-disruptive in-line bump-in-the-wire configuration
  • Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.
  • Integrated signature-based IPS engine
  • Application awareness, full stack visibility and granular control
  • Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, whitelists, etc.
  • Upgrade path to include future information feeds and security threats
  • SSL decryption to enable identifying undesirable encrypted applications
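To make the three inspection depths contrasted above concrete, here is an added illustration (not code from the page or from any vendor): a static packet filter, a stateful connection table, and a payload signature match, applied in that order to constructed packets. The allow rules, the signature and the addresses are all made-up sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False      # True for the first packet of a TCP connection
    payload: bytes = b""

# First-generation filtering: static rules on destination network and port
# (constructed sample policy; protocol field omitted for brevity).
ALLOW_RULES = [("10.0.0.0/8", 443), ("10.0.0.0/8", 80)]

# NGFW-style deep inspection: byte patterns matched against the payload
# (constructed example signature, not a real one).
SIGNATURES = {"constructed-scanner-ua": b"User-Agent: EvilScanner"}

def in_prefix(ip: str, prefix: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

class Inspector:
    def __init__(self):
        self.flows = set()   # stateful table: (src, dst, dport) flows opened with SYN

    def check(self, pkt: Packet) -> str:
        # Layer 1: packet filter on destination network and port.
        if not any(in_prefix(pkt.dst, net) and pkt.dport == port
                   for net, port in ALLOW_RULES):
            return "drop:policy"
        key = (pkt.src, pkt.dst, pkt.dport)
        # Layer 2: stateful inspection; a non-SYN packet must belong to a known flow.
        if pkt.syn:
            self.flows.add(key)
        elif key not in self.flows:
            return "drop:no-state"
        # Layer 3: deep inspection of the payload against signatures.
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                return f"block:{name}"
        return "allow"
```

Each verdict names the layer that produced it, which is the information a practitioner wants when tuning which generation of control is doing the work.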



Security information and event management
    Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances or managed services, and is also used to log security data and generate reports for compliance purposes. Every system in an IT enterprise generates security events of some type. These are valuable because they form a historical, time-sequenced record of what happened, of system status, and of activity on the network.

Security events can assist in:
  • Determining what happened
  • Intrusion detection
  • Incident containment
  • Forensic analysis
  • Real-time alerts of malicious activity
  • Understanding attacker intent
  • And more


    However, the amount of data generated can be overwhelming, and without an effective security event management system critical events can be missed. Knowing which activities and systems to monitor, and when, is key to filtering the event data and locating the needle in the haystack that could be the cause of a security breach.
Centralized Security Alerts:
  • Automatic event correlation
  • Easily configure monitoring for all critical assets
  • Monitored security events arranged by kill chain methodology to give you context into actions
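The "automatic event correlation" listed above is the step that turns raw event data into an alert with context. The following is an added illustration (not the page's or any product's code) of one minimal correlation rule: heterogeneous log lines from a firewall and a host auth log are normalized into a common schema, and an alert is raised when a single source address produces a run of failed logins followed by a success inside a time window. All log lines, addresses and user names are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources (firewall "fw" and host "auth").
SAMPLE_LOGS = """\
2024-05-01T10:00:01 fw  DENY src=198.51.100.7 dst=10.1.2.3 dport=22
2024-05-01T10:00:05 auth Failed password for admin from 198.51.100.7
2024-05-01T10:00:09 auth Failed password for admin from 198.51.100.7
2024-05-01T10:00:14 auth Failed password for admin from 198.51.100.7
2024-05-01T10:00:20 auth Accepted password for admin from 198.51.100.7
2024-05-01T10:05:00 auth Failed password for bob from 203.0.113.4
2024-05-01T11:30:00 auth Accepted password for bob from 203.0.113.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+)\s+(.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")

def normalize(raw: str) -> list:
    """Parse lines from different sources into one schema: time, source, outcome, src_ip."""
    events = []
    for line in raw.splitlines():
        ts, source, msg = LINE_RE.match(line).groups()
        ev = {"time": datetime.fromisoformat(ts), "source": source,
              "src_ip": None, "outcome": None, "user": None}
        if m := AUTH_RE.search(msg):
            ev.update(outcome=m.group(1).lower(), user=m.group(2), src_ip=m.group(3))
        elif m := re.search(r"src=(\S+)", msg):
            ev.update(outcome="deny", src_ip=m.group(1))
        events.append(ev)
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)) -> list:
    """Rule: at least `threshold` failures from one IP, then a success within `window`."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["outcome"] == "failed":
            failures[ev["src_ip"]].append(ev["time"])
        elif ev["outcome"] == "accepted":
            recent = [t for t in failures[ev["src_ip"]] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                               "failures": len(recent), "time": ev["time"]})
    return alerts
```

Here only the admin login from 198.51.100.7 fires; bob's single failure stays below the threshold, which is the kind of filtering the preceding paragraph calls finding the needle in the haystack.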

Compliance:
  • Report templates for PCI-DSS, ISO 27002, HIPAA and more
  • Role-based access control for customized views
  • Visibility into which users are violating policy



UTM
    Unified threat management (UTM), or unified security management (USM), is a solution in the network security industry that since 2004 has become established as a primary network gateway defense for organizations. In theory, UTM is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one system: network firewalling, network intrusion prevention, gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data loss prevention and on-appliance reporting. The worldwide UTM market was worth approximately $1.2 billion in 2007, with a forecast of 35-40% compound annual growth rate through 2011. The primary market of UTM providers is the SMB and enterprise segments, although a few providers now offer UTM solutions for small offices and remote offices. The term UTM was originally coined by the market research firm IDC. The advantage of unified security is that, rather than administering multiple systems that individually handle antivirus, content filtering, intrusion prevention and spam filtering, organizations can deploy a single UTM appliance that consolidates all of that functionality into one rack-mountable network appliance.

    A single UTM appliance simplifies management of a company's security strategy, with one device taking the place of multiple layers of hardware and software. From a single centralized console, all the security functions can be monitored and configured. In this context, UTMs represent all-in-one security appliances whose basic features include firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management, application control and centralized reporting. A UTM runs a customized OS that holds all the security features in one place, which can lead to better integration and throughput than a collection of disparate devices. For enterprises with remote networks or distant offices, UTMs are a means to provide centralized security with control over their globally distributed networks.

Key Advantages
  1. Reduced complexity: single solution, single vendor, single AMC
  2. Simplicity: avoids installing and maintaining multiple software products
  3. Easy management: plug-and-play architecture and a web-based GUI
  4. Reduced technical training requirements: one product to learn
  5. Regulatory compliance


Key Disadvantages
  1. Single point of failure for network traffic, unless HA is used
  2. Single point of compromise if the UTM has vulnerabilities
  3. Potential impact on latency and bandwidth when the UTM cannot keep up with the traffic