Cipher Networks is an Authorized Value Added Reseller for Certes Network Products. You can contact CipherWire with the contact details below. CipherWire Networks - http://cipherwire.net/ Tel#: 866-421-9522 | Email: [email protected] Contact Person: Jim Meulemans Tel#: 434-534-6989 Email: [email protected]
Certes CryptoFlow Overview
CONFIDENTIAL
Certes Networks
Leader in IT security solutions protecting sensitive data traffic
§ More than 7,000 units deployed in 70 countries around the world
§ Perfect 15 year track record: not one hack of any customer on our watch
§ CryptoFlow VPNs: patented, trademarked data traffic security with multiple unique capabilities
§ Only vendor focused solely on securing your sensitive data in motion
No performance hit on firewalls, routers, switches, applications
Simple one-and-done security policies and key management
Blocks main attack vectors in data breaches over last two years
Certes Networks Confidential 2
Root of the IT Security Crisis
Borderless Enterprises
• Digitized sensitive data, apps, distributed DC, hosted, virtualized, Cloud
• Mobile employees, remote offices, shared BYOD devices, contractors, IoT
Firewalls Fall Short
• Access for working = access for hacking
• Once past firewall, all bets are off; insider risk too
Crypto Chaos
• Fragmentation: VPNs, IPsec, SSL, HTTPS; each app, each hop
• Key Management & Performance trade-offs: frequently no encryption used
[Diagram: a “trusted” network with a patchwork of IPsec, HTTPS, SSL#1–SSL#4 and unencrypted links, exposed to access attacks]
Risk & Breach Cost
Maximum Liability per Compliance Lapse
[Chart: bars from $793,000 to $1,556,000 ($793,000; $820,000; $837,000; $1,002,000; $1,018,000; $1,038,000; $1,234,000; $1,473,000; $1,556,000), one per regulation listed below]
• Payment Card Industry Data Security Standard (PCI DSS)
• Securities and Exchange Commission (SEC) regulations
• Global privacy regulations
• Health Insurance Portability and Accountability Act (HIPAA)
• COBIT Operational Standards
• Sarbanes-Oxley (SOX, JSOX)
• United States Federal Rules of Civil Procedure (Legal Discovery)
• 'Green' Compliance requirements
• United States Patriot Act
• Forced trade-off between security and app or network performance
• Is the cost of a lapse worth the performance gain?
• Is the risk really evaluated or is security sacrificed just to get stuff done?
Source: Aberdeen Group study
Crypto Chaos
• Encryption tools are fragmented: hop by hop, app by app, device by device, user by user
• Very hard to ensure end-to-end security of sensitive networked applications, especially when shared internally and externally
• Encryption tied to infrastructure, huge performance hits
When Firewalls Fail
[Diagram: “trusted” network carrying unencrypted traffic, exposed to attacks]
Perimeter Based Defenses Discrepancy
• Once an attacker is past the firewall, they are free to hack and steal
§ No internal cryptography of networked apps
• Most internal security products focus on detecting threats and responding
§ Aim to reduce discovery of intrusion from weeks to minutes
• Instead, CryptoFlows focus on containing and minimizing the damage
§ Cryptographic segmentation of traffic made easy
How We Solve It: CryptoFlows
Application-Aware and User-Aware virtual overlays, connecting users to applications over any network … “SDN meets Security”
§ One-and-Done
  § Single point of control for all app traffic, over any network, to any user on any device
  § End-to-end encryption along the entire data path; site to site, server to user, site to cloud, etc.
  § Includes internal network encryption: no one accesses the app except by CryptoFlow
§ Borderless
  § Encryption policy that “follows” users, secures both internal and external app flows
  § Proactive security, protection when the firewalls fail
§ Hitless
  § Secure traffic with no performance hit on network or apps, simple key management
§ Seamless
  § Separated and independent from the network and the apps
  § No changes to network, apps, or firewalls; use them as before
CryptoFlow: One and Done
[Diagram: CryptoFlow Enforcer appliances/COTS; CryptoFlow Virtual and Cloud (hypervisor vSS) on third-party devices; flow-through, automated encryption policies; CryptoFlow for mobile end-points]
Certes CryptoFlow Net
• Application-Aware & User-Aware virtual overlays … app-specific virtual networks
• One point of control: security manager controls data in motion protection, offloads from network infrastructure and staff
• Blocks top attack vector exploited in Target, Home Depot, Sony, Anthem
• Cuts Shadow IT Risk: roll out new apps very quickly with minimal security delay
[Diagram: corporate sites (mesh, hub …), secure backup / DR, control nodes, sensors, kiosks, IoT, distributed sites, virtualized data center traffic and cloud apps/infrastructure connected over LAN/WAN/Internet/Cloud]
• WAN, LAN, Internet, Wifi, Cloud; MPLS, Ethernet, IP
• Hitless security with keys you control
• 5 Mbps – 10 Gbps
• DC-to-DC, DR, Remote Office, IoT (Kiosks)
• Records, finance, comms, VoIP, video, backup
Certes CryptoFlow App
• Any app matched to user over any connectivity
• BYOD, employer provided, ruggedized, third party; employees, suppliers, partners, contractors
• Users never have to configure or trigger VPNs
• Makes it very easy to roll out new enterprise apps securely … no security delays … cuts Shadow IT temptation
Simple Mobile Security for iOS
• User enrolls only once
§ Simple download from Apple App Store
§ Uses same corporate credentials as regular directory services
§ CryptoFlow Creator syncs with directory
§ User’s directory profile determines which apps are permitted to access
• VPN triggers whenever designated app is used
• System denies connection for non-authorized apps
• Complements Mobile Device Management, Enterprise Mobility Management
§ We are one-stop-shop for protecting data in motion instead of data at rest
CryptoFlow LAN
• Strong crypto segmentation of internal enterprise application flows
• Isolates sensitive applications, controls access for only authorized users
• Based on user roles, blocking #1 attack vector when firewalls fail
CryptoFlow B2B
• Safely extends internal applications to external partners, including contractors, suppliers, trading partners and others
• Limits authorized business partners to only the applications they need
• Protecting sensitive applications when business partners have been compromised
How It Works
• CryptoFlow Creator management system syncs with directory
• Users have same security profile as for enterprise apps, sign-on policies
• Admin identifies user, app, encryption policy
• CryptoFlow engine pushes policies to encryptors
• Policies automatically enforced. One and done.
Solution examples
[Diagram: corporate sites, backup / DR, control nodes and sensors, data center interconnect, virtualized data centers and cloud apps/infrastructure connected over LAN/WAN/Internet/Cloud]
Secure application access for mobile users
§ Traditional corporate DC applications
§ Virtualized, cloud applications
Secure interconnect between data centers
§ Top performance across MPLS / WAN links; enterprise controls keys
§ Disaster Recovery, Data Center Backups
Secure connectivity for remote kiosks, smart grid, IoT
§ Encrypted Bank ATM machine – financial and PCI DSS privacy
Compliant real-time communications of sensitive data
§ Financial services, healthcare, education, government, including real-time data for voice, video, messaging
CryptoFlow Benefits
Security Challenge
• Fragmented: different VPNs, encryption, security controls for each segment, layer, app
• Performance: encryption cuts network capacity in half, degrades app performance
• Scaling: complex tunnels, fragmented control take hours & network rocket science to scale
• Rigid: firewall encryption based on static border; easily bypassed by mobile and cloud, can’t follow apps or devices
Certes Solution
✓ One and Done: Centrally managed, end-to-end, Layers 2, 3, 4, very simple key management
✓ Hitless: zero impact; line-rate encryption does not cut performance of networks or apps
✓ Seamless: Separates security from network, management, apps; automatic topology configuration
✓ Borderless: End-to-end protection of any app over any network: CryptoFlow VPNs
Simple security: faster, safer deployment of enterprise applications
Competitive Comparison
[Chart axes: Borderless Applications vs. Network Perimeter; Threat Protection vs. Threat Containment]
Network equipment vendors: fragmented by hop; point-to-point, manual; burden on performance; complex to scale
Security vendors (firewalls, IDS/IPS, RAS): fragmented by app, device, network; point protection (DMZ border); static, network-based; complex to scale
Application vendors, cloud providers: fragmented by app; not in enterprise control; burden on performance; scaling limited by apps
Certes:
✓ Flow-through security policies & key management
✓ Fluid security follows users
✓ End-to-end protection
✓ No burden on network or app
Why Certes?
§ Security of data in motion is all we do
§ Solutions are independent of network and applications
  ➢ No impact on network or apps
  ➢ Vendor neutral – bundles with any solution set
  ➢ Flexible deployment: variable speed appliance, virtual, Cloud
§ Certes’ products make IT projects more successful
  ➢ No security roadblocks: point-and-click encryption for new application roll-out
  ➢ No performance issues: hitless even for real-time apps
  ➢ Extend applications across untrusted networks
§ Single point of control: all apps, all data, all connectivity
§ Blocks the #1 attack vector
[Diagram repeats the CryptoFlow component overview: Enforcer appliances/COTS, Virtual/Cloud on third-party devices, flow-through automated encryption policies, CryptoFlow for Mobile endpoints]
Thank You
Channel Program
Go-to-Market
[Diagram: betas & POCs with security managers, network / apps managers and CIOs at enterprise end customers]
• Security VARs: Fishnet, Cipherdata, etc.
• Network / IT VARs: DiData, Presidio, NACR, etc.
• SIs: Accenture, CSC, IBM
• OEMs, NFV, SPs: TrendMicro, Ciena, Cyan, AT&T, Tata
• Enterprise end customers
Why Resell Certes?
Certes’ CryptoFlow VPNs simplify security of any network or networked application
  ➢ Security does not block projects: sell and deploy new applications and infrastructure faster
CryptoFlow VPNs secure all corporate traffic over any network
  ➢ Point-and-click to extend any enterprise application to any site: sell more application seats
  ➢ Deploy multi-site solutions: sell more application servers, more regional site devices (VoIP phones, gateways)
Certes’ solutions are resale friendly, plug-and-play
  ➢ No more complex firewall or VPN re-architecting: deploy quickly and painlessly for earlier project completion
Reseller overview
• General qualifications
§ Established business with focus on network solutions or vertical markets in Healthcare, Finance, Government, Utilities, etc.
§ Long term relationships with enterprises
§ Commercial relationship with distributors or willingness to follow qualification process
• Relationship
§ NDA
§ Sales & Marketing Agreement reflecting Gold, Silver or Bronze tier
Reseller Tier Summary
Benefit                                    Gold   Silver   Bronze
Lead referral                               Y       Y        Y
Co-op marketing funds                       Y       Y        N
Participation in Certes marketing events    Y       Y        Y
Training credits linked to volume           Y       N        N
Web site listing                            Y       Y        Y
Access to Certes Partner Portal             Y       Y        Y
Not-for-resale (NFR) demo or lab units      Y       Y        Y
Customized joint marketing plan             Y       Y        N
Joint customer support program              Y       N        N
Co-branded collateral                       Y       Y        Y
Rebate (up to 2%) linked to volume          Y       N        N
Lead registration                           Y       Y        Y
Use of logo                                 Y       Y        Y
Plug-and-Play Implementation
The hard way – IPsec Tunneling
[Diagram: sites joined by manually configured point-to-point IPsec tunnels over IP (public or private), MPLS, or Ethernet; expansion = headaches]
Manual configuration of point-to-point IPsec tunnels
• Scaling complexity: Hours to deploy per site
• Performance hits, limited throughput
• Multicast issues
• Maintenance headaches, lack of administrative visibility
• Complex network engineering to fulfill security manager’s mandate
• Practical trade-offs between security, scale or performance
Group Keying – Does Not Impact Networking
[Diagram: TrustNet Manager server & database provisioning Certes Enforcement Points in Group A and Group B over IP (public or private), MPLS, or Ethernet]
• Group keys are generated centrally
• Distributed securely over TLS
• Groups are created based on security policies
• TrustNet Manager used to provision CEPs
• Keys and policies are securely delivered to CEPs
2. Policies are defined in TrustNet Manager
3. Encryption is in effect
[Diagram: primary data center, secondary data center and branch offices over IP (public or private), MPLS, or Ethernet – encryption enforced!]
• Data is encrypted, sent in the clear, or discarded at wire-speed
• Traffic flows and application performance are preserved
• No tunnels are created
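The group-keying flow on this slide (keys generated centrally, policies and keys pushed to the enforcement points, then each packet encrypted, passed in the clear or discarded with no tunnel) and the hitless rekey listed under Product Details, as an added Python model that is not Certes code: a Manager class stands in for TrustNet Manager and a CEP class for an enforcement point. The HMAC-based keystream, the key-ID field and the packet layout are assumptions made for this illustration, not the product's wire format.

```python
import hmac, hashlib, os, struct

def keystream(key, nonce, n):
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a real AEAD cipher
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

class Manager:
    # Central policy and group-key authority (the TrustNet Manager role in the deck)
    def __init__(self, policies):
        self.policies = policies      # (dst_prefix, dport or None, action, group)
        self.keys = {}                # group -> {key_id: key}
        for _, _, action, group in policies:
            if action == "encrypt" and group not in self.keys:
                self.rekey(group)
    def rekey(self, group):           # new key added; old one stays valid until retire()
        kids = self.keys.setdefault(group, {})
        kid = max(kids, default=0) + 1
        kids[kid] = os.urandom(32)
        return kid
    def retire(self, group, kid):
        del self.keys[group][kid]
    def provision(self, cep):         # over TLS in the product; a direct copy here
        cep.policies = list(self.policies)
        cep.keys = {g: dict(k) for g, k in self.keys.items()}

class CEP:
    # Enforcement point: per packet, encrypt the payload, pass it clear, or discard it
    def __init__(self):
        self.policies, self.keys = [], {}
    def classify(self, dst, dport):
        for prefix, port, action, group in self.policies:
            if dst.startswith(prefix) and port in (None, dport):
                return action, group
        return "discard", None        # no matching policy: default deny
    def outbound(self, dst, dport, payload):
        action, group = self.classify(dst, dport)
        if action == "discard" or (action == "encrypt" and group not in self.keys):
            return None
        if action == "clear":
            return (dst, dport, b"\x00" + payload)
        kid = max(self.keys[group])   # newest key this CEP has received
        key, nonce = self.keys[group][kid], os.urandom(12)
        hdr = b"\x01" + struct.pack(">I", kid) + nonce
        ct = bytes(a ^ b for a, b in zip(payload, keystream(key, nonce, len(payload))))
        tag = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:16]
        return (dst, dport, hdr + ct + tag)   # addressing unchanged: no tunnel header
    def inbound(self, pkt):
        dst, dport, data = pkt
        if data[0] == 0:
            return data[1:]
        action, group = self.classify(dst, dport)
        kid = struct.unpack(">I", data[1:5])[0]
        key = self.keys.get(group, {}).get(kid)
        if action != "encrypt" or key is None:   # unknown or retired key id: drop
            return None
        hdr, ct, tag = data[:17], data[17:-16], data[-16:]
        if not hmac.compare_digest(tag, hmac.new(key, hdr + ct, hashlib.sha256).digest()[:16]):
            return None
        return bytes(a ^ b for a, b in zip(ct, keystream(key, hdr[5:], len(ct))))
```

A rollover is hitless because `rekey` adds a key without removing the old one: a CEP provisioned late still sends under the old key ID, peers that already hold both keys accept it, and only `retire` followed by a fresh `provision` makes packets under the old key drop.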
Product Details
Scalable Policy and Key Management
Significance/Differentiation
• Multi-layer encryption/authentication policy management (L2, L3, L4)
• Secure key generation, distribution and rotation for group keying with fail-safe rekey and policy updates
• Clustered architecture for high availability and scalability
• Simple yet powerful drag and drop security policy builder
• Role based access control - delegate or retain management responsibilities
• Fail-safe rekey and policy updates with hitless rekey
Certes Enforcement Point (CEP)
Hardware: HW accelerated variable speed network encryption appliances with aggregate throughputs from 3 Mbps - 10 Gbps (VSE – Variable Speed Encryption)
Software: Network transparent L2 Ethernet frame, L3 IPsec based encryption with IP header preservation, L4 UDP/TCP payload encryption and Virtual IP Tunnelling
VSE speed by platform (CEP 10 VSE, CEP 100 VSE, CEP 1000 VSE, CEP 10G VSE); each √ marks one platform offered at that speed (column positions were lost in extraction):
VSE Speed    Platforms
3 Mbps       √
6 Mbps       √
10 Mbps      √
25 Mbps      √ √
50 Mbps      √ √
75 Mbps      √
100 Mbps     √ √
155 Mbps     √ √
250 Mbps     √ √
500 Mbps     √ √
650 Mbps     √ √
1 Gbps       √ √
2.5 Gbps     √
5 Gbps       √
10 Gbps      √
Cloud & VM Encryption
Significance
• Security is viewed as a critical enabler of IaaS Cloud adoption
• Encrypts traffic from Cloud to Data Center (across WAN) or from Server to Server within the cloud
• TrustNet Manager allows clients to maintain control of policies and keys (this is an important consideration for regulatory compliance)
• This is the only scalable solution for cryptographic isolation of sensitive workloads
Customer/Market Reception
• Earned Gartner Cool Vendor award for Cloud Security
• High levels of interest generated at Cloud Security Alliance and other events
• Developed for integrated solutions
[Diagram: Virtual CEP (vCEP) on a hypervisor vSS behind the physical server NIC, with local and remote management, linking the cloud network and the local data center]
CryptoFlow for Mobile
[Diagram: user device enrollment against Active Directory / LDAP; CFE and vCFE nodes in the data center, sales site and cloud; CFD distributing CryptoFlows and keys across WAN / Internet]
• iOS available GA 2Q2015
• Integrates with Active Directory / LDAP
• Policies applied based on user profile
• Simple one-time device registration
• CryptoFlows automatically provisioned by system per user per device
• Users can be modified, revoked as required
Use Cases
[Diagram: corporate sites, backup / DR, control nodes and sensors, data center interconnect, virtualized data centers and cloud apps/infrastructure connected over LAN/WAN/Internet/Cloud]
§ Secure application traffic to remote sites
  ➢ Regional offices connect to HQ as hub and spoke – banking, financial services (privacy compliance)
  ➢ Distributed enterprises connect all sites in a secure mesh (manufacturing, distributed VoIP)
§ Secure applications across untrusted networks
  ➢ Government communications requiring privacy and high availability
§ Secure interconnect between data centers
  ➢ Top performance across MPLS / WAN links; enterprise controls keys
§ Secure connectivity for remote kiosks, smart grid
  ➢ Encrypted ATM machine network – financial and PCI DSS privacy
§ Secure connection between physical and virtual assets
  ➢ Connect data center to Cloud VMs, migrating between virtual data center and Cloud
§ Secure Disaster Recovery, Data Center Back-up
§ Compliant real-time communications of sensitive data
  ➢ Hospital network: healthcare data is HIPAA compliant with messaging, VoIP, video
Sample Use Cases
Government
[Diagram: L2 VPLS dual hub & spoke linking a data center to 7 DR sites]
Benefits
§ Unified, auditable control of data in motion across any network to protect classified or sensitive data
§ FIPS and Common Criteria compliant encryption architecture
Where we deploy
§ Between Data Centers and recovery sites
§ Between government offices over foreign telcos and Internet
§ 10G Availability has major impact in 2012
§ Recertification of FIPS opens US Fed Gov’t
Financial & Banking
[Diagram: merchant banks connected over WAN1 and WAN2]
Benefits
§ Protection of consumer data, payment cards, financial transactions over any network
§ Verified protection for compliance audits: PCI DSS, GLBA, consumer privacy regulations
Where we deploy
§ Between Data Centers
§ Connecting banks and financial hubs or processing centers
§ Hub-and-spoke transaction networks (such as Automated Teller Machines)
Healthcare
[Diagram: hospital or corporate HQ, data center, DR site and remote offices over a WAN]
Benefits
§ Single point of control for healthcare affiliates to protect data in motion
§ Verified protection for compliance audits: HIPAA, GLBA, PCI DSS, etc.
Where we deploy
§ Between Data Centers and recovery sites
§ Between hospitals/offices, physician networks, and Data Centers
Large enterprise
Drivers
§ Protect customer personal and financial information
§ Businesses are based on customer trust - security is seen as a competitive necessity
§ Secure Data Replication is critical to online gambling
§ Protection of secret algorithms
Where we deploy
§ Between Data Centers and Administrative offices
§ Casinos to Data Centers
[Diagram: Data Center1 and Data Center2 joined by L2 WAN Q-in-Q trunks]
Service Providers
Drivers
§ Carriers are getting requests for encryption - especially from customers converting from legacy connections (Frame/ATM)
§ Potential for security based differentiation
Where we deploy
§ Classic IPsec tunnel replacement
§ Managed Service option
§ Cable TV Service
§ TrustNet Manager is well suited as a managed service
[Diagram: IPTV feeds over cable from a super head end to multi-dwelling buildings in 10 cities in 7 states; Fed integrator data centers and DR sites over Qwest Metro-E optical feeds]
Application: protect credit cards
[Diagram: corp HQ and data center over WAN; an HTTPS leg followed by three Encrypt legs]
• PCI Requirement 4: Encrypt transmission of card holder data
• 4.1.1 Encrypt Network transmitting or connected to card holder data
• 4.2 Sending PAN (primary account number messaging later)
• Challenge
  • Encryption after web server (merchant)
  • Encrypt between banks & merchants
• Solution
  • Certes Group Encryption (H&S)
  • Centralized TNM
  • CEPs at every branch, DC, partner
• Why Certes?
  • Simplicity of deployment across varied networks
  • Zero Application/Network changes
Application: video conferencing
[Diagram: corp HQ, data center and branch offices over WAN]
• Business Requirements
  • Protect Communication Data
  • Classified information
• Challenge
  • Peer-to-peer, real-time traffic
  • Application encryption = double expensive servers
• Solution
  • Certes Group Encryption (Mesh)
  • Centralized TNM
  • CEPs at every Branch Video Terminal
• Why Certes?
  • Real Time Encryption
  • Simplicity of large deployment
  • Centralized management, policy changes, reporting
Application: Cloud adoption
[Diagram: enterprise data centers and cloud over WAN]
• Business Requirements
  • Meet FedRAMP for Cloud services
  • Encryption as compensating control
• Challenge
  • Security in uncontrolled environment
• Solution
  • Certes Group Encryption
  • Centralized TNM
  • Multiple CEPs at every DC
• Why Certes?
  • Simplicity of large deployment
  • Scale 10Gbps
  • No performance hit
  • Centralized management, policy changes, reporting
Thank You