White Paper: Security and High Availability Concerns with Wide Area Networks
How Your Wide Area Network Is Putting Your Company at Risk
Overview
This white paper details some important issues that business decision-makers need to know concerning the way Internet Service Providers and Telco carriers are now engineering the configuration of Wide Area Networks. The issues at hand are not necessarily with any particular provider or service, but rather very real concerns regarding the security and high availability of a Wide Area Network.
Background
Over the course of 35 years of building and managing every type of network, Internet and Wide Area Network available, we have watched a noticeable shift in prioritization occur. While security has always been a concern, cost, performance and reliability—in that order—were more important.
(Cost -> Performance -> Reliability -> Security)
This dynamic has now changed. Due to vastly increased security concerns and dependency on access to digital information, security and reliability have jumped to the head of the line, followed by performance and then cost.
(Security -> High Availability -> Performance -> Cost)
CEOs, users and company presidents are not happy with this order of importance, but IT professionals are more comfortable than ever sacrificing performance for security in today’s digital IT world.
To understand why the networks currently engineered by the ISPs and Telcos fall short of today’s digital IT demands, we have to put ourselves in the minds of the Internet Service Providers and information carriers. It’s important to realize that most of these providers are, frankly, still stuck in the old Telco world, with a limited understanding of today’s connectivity requirements.
With that in mind, it’s easier to understand why your provider is trying to sell you a network design that will neither protect you nor provide adequate reliability.
Note: The use of the word “reliability” in this context is not meant to describe the actual “up time” of the provider, but rather the modern understanding of “reliability” as “high availability.” This is because today’s IT professionals (note the difference between IT professionals and Telco provider engineers) understand that no matter how reliable a provider is, “things will happen!” So we’ll leave “up time” reliability for the providers to define in their SLA. Our concern for reliability has to do with the high availability of the connections to our Wide Area Network.
Now, with an understanding of the difference in perspective between Internet providers and IT professionals, we can see why the provider’s recommendation for our Wide Area Network is not comprehensive enough for today’s digital IT security requirements. Due to their limited scope, focused solely on network connectivity in the Telco world, they simply don’t have the knowledge or experience to understand the depth of engineering required to change the Wide Area dynamic from the old prioritization model (Cost -> Performance -> Reliability -> Security) to the modern one (Security -> High Availability -> Performance -> Cost).
Creating High Availability
With this background information, let’s take a quick look at the type of network connectivity the ISPs and carriers want to implement (or may have already implemented) for your business. (Reference Diagram A-1 below to see the physical layout.)
ISPs try to sell prospects on the idea that if their network is an MPLS, MAN (Metro Area Network) or Metro Ethernet network, it’s a closed and private network, and therefore the customer doesn’t need to consider any security at each location. They believe VLANs or packet routing are enough.
The ISPs supply a connection with a router, typically a Cisco or Adtran. Your network is directly connected to this device, which also provides DHCP and DNS services to your network elements (PCs and, in many cases, phones). With this configuration, the devices are completely dependent on this router, and all data processing (digital IT) is captive on this network.
The problem here is that if they go down, you go down. This configuration does not allow for any secondary, failover or “high availability” connectivity to the Internet or to your core operations, which are typically at a data center. This is known as “zero tolerance” to IT professionals.
Even more alarming, this configuration provides no security protection to the local network. Don’t be fooled by your ISP trying to explain that they have IPS and IDS systems in place. These are useless in protecting network assets from encrypted traffic and in containing local infections (i.e., an infected notebook connected to the network). This will be explained in the next section.
Note: If you have a VoIP phone system, you’re even more exposed to an unreliable network as it pertains to high availability.
Diagram A-1
The diagram above shows the physical layout and limitations of a typical Wide Area Network provided by most ISPs and Telco carriers. Diagram A-2 will demonstrate a cost-effective, highly available network that also offers the highest level of security protection to local digital IT assets.
The focus here is not to displace the ISP or Telco. On the contrary, you need them to connect to the Internet, other locations and your central data core. The goal is to offer a cost-effective way to mitigate the limitations and security exposure of the ISP-proposed network.
Taking the modern prioritization model (Security -> High Availability -> Performance -> Cost) into consideration, the security solution that Data-Tech’s engineering team has selected is the Dell SonicWALL series of security appliances.
Essentially, our solution is to simply place a SonicWALL security appliance between your network and the router provided by your ISP. With this simple, cost-effective addition to your network, we modify the Telco dynamic (Cost -> Performance -> Reliability -> Security) into the interpretation accepted by today’s top IT professionals (Security -> High Availability -> Performance -> Cost).
With the SonicWALL security appliance in place, we can provide carrier-neutral DHCP and DNS services from the SonicWALL. Providing these core network services from the SonicWALL is critical for our high availability plan: in order to leverage both carriers automatically, we need a carrier-neutral device to provide them. This is the first step toward a highly available network.
At this point you already have your primary ISP established. Now, with the SonicWALL in place, you have complete flexibility to add a secondary provider for backup services. Depending on your budget and needs, you can use a cable modem, T1, Metro Ethernet or 4G wireless connectivity.
The SonicWALL appliance will automatically establish a VPN connection through the backup carrier if the primary carrier fails. This is instant: the connection exists all the time and can actually be made available for manual load balancing if desired.
Because the SonicWALL is providing the core network services of DHCP and DNS, the failover for the endpoints will be relatively seamless. (We use the term “relatively” because if the user is just accessing the Internet or email, he or she will never notice the failover. If, however, the user is working with a program that requires a “persistent” connection, like RDP, Citrix or 2X, he or she will notice a short blip in the connection. This is completely acceptable as opposed to the alternative, which is downtime.)
This diagram shows the physical layout of a highly available network with a SonicWALL security appliance.
Diagram A-2
Critical Network and Endpoint Security
OK, so we’ve now clearly defined the essential advantage of creating a cost-effective, highly available network by inserting a SonicWALL security appliance at your remote office locations. Now we’ll look at how this same appliance provides critical network and endpoint security to the endpoints at each location. Throughout this process, we’ll also get a clearer picture of why the Diagram A-1 network infrastructure does not provide this protection.
There are literally books written on the security protection provided by a SonicWALL security appliance. However, we’ll focus on the 3 top security initiatives of concern:
1. Application Controls
2. Wide Area Network Data Traffic Security Scanning
3. DPI-SSL (Deep Packet Inspection of Secure Sockets Layer Data Packets)
Application Controls allow you to block, limit or control access to Internet and web applications that run on your computers. These controls work with your current Active Directory (AD) security structure, so you simply integrate your existing layered security into the SonicWALL protection scheme.
Wide Area Network Data Traffic Security Scanning is a recommended feature of the SonicWALL security devices. By routing all data packets through the SonicWALL, you can be assured that if a PC were to become infected, the transmission of infected packets would be stopped at the local security appliance. This is essential on Wide Area Networks, where data packets can be destined for almost any other endpoint.
DPI-SSL, or Deep Packet Inspection of Secure Sockets Layer Data Packets: today, this is the most critical service a security appliance can provide. SonicWALL does it; most don’t. Simply ask your provider if their security includes DPI-SSL, and then verify it.
So what is DPI-SSL? Well, as we know, Google is trying to encrypt the universe. To that end, 80% of websites have been encrypted (HTTPS on port 443). While this initiative is successful in encrypting the connection—and thus the data packet transfer—between the endpoint (your PC) and the website, it has had unforeseen consequences.
Hackers, being some of the smartest IT engineers in the world, quickly figured out that if the website connection to the PC is encrypted, all they needed to do was infect the website with downloadable malware (including Trojan horses, viruses, spyware, as well as the dreaded ransomware, Crypto-Locker). Because the connection between the PC and the website is encrypted, all firewalls (and most security appliances) can’t see the encrypted traffic. Thus the infected files pass uninhibited from the website to the PC. BAM…you’re infected.
What’s worse, if you don’t have a device to scan your local network traffic (aka a SonicWALL appliance), then your entire network and servers will soon be infected. Game over; the Pink Slip Virus has just been delivered. At your next gig, you’d likely invest in a SonicWALL security appliance to scan all network traffic AND decrypt any encrypted traffic.
More Red Flags… How Was My Network Hacked?
Do you have any notebook computers that connect to your network? Of course you do. So let’s say a user checks in to a hotel and connects to a very open and very unsecured network. More than likely, they will get a virus that will easily bypass the mediocre anti-virus program. What’s next? You guessed it…infected.
No big deal; it’s only their notebook computer, right? BUT what happens when they get back to the office and connect instantly to your wireless network (as most notebooks do)? If you don’t have a SonicWALL security appliance scanning all of the data packets coming out of that notebook BEFORE they hit your corporate network (or worse yet, your unsecured Wide Area Network)…that’s right, the Pink Slip Virus. (That could be YOUR pink slip we’re talking about.) The rest of your network is encrypted with Crypto-Locker or the current variant.
Don’t Think It Can Happen to You? Keep Reading, It Gets Better…or Worse
So you think that because your applications are located in the cloud and not on your local network, your security exposure is reduced. You couldn’t be more wrong. In fact, hackers are counting on it.
As an illustration, let’s envision your remote office for an insurance agency or even a collision repair center. From your point of view, there are only 3 or 4 PC workstations and maybe a notebook computer. No server, no data. The users simply access a cloud application through the Internet browser. So you’re not really worried about a hacker targeting these assets and therefore don’t want to spend the money to secure this location (by money, we’re talking about $99 per month). Anyway, neither you nor your ISP sees a need for high-level network security at this location.
So here’s what happens: your user goes to a website that has been infected by a hacker. It may very well be the normal cloud services site that they go to every day, but today it’s infected by a Trojan horse virus. This particular virus is a “key logger.” As soon as the user opens this site in the browser, the key logger is automatically downloaded and installed; it happens in less than 30 seconds. A key logger virus or malware sits quietly on your computer without affecting its functionality; its sole purpose is to record all of the keystrokes and take snapshots of the computer screen every few seconds. This information is stored on your local computer, where a secondary function of the key logger transmits it over the Internet to the hacker’s servers.
Now you’re curious…why do this? Well, your employee has done a few things this morning on the computer.
1. First, she went to her online banking website, logged in and checked her checking account balance. BAM…the hacker now has her bank, username and password.
Note: the password is masked on the computer screen, but the key logger records the keystrokes; so they have the password!
2. Second, this is your receptionist, so her second move is to log in to the corporate online banking OR credit card website. Again, BAM…hackers have this information.
You still have no idea what’s going on. Now your receptionist starts taking payments from your customers and logs in to your online credit card processing portal. OK, things are now looking really bad. Your exposure has just transcended your organization to compromising your customers’ personal information. This goes on and on to include screenshots of your online application, which has your customers’ names, addresses, phone numbers and email addresses, along with any other information stored there.
Worried yet?
So now you might be thinking: “My users don’t go to any ‘bad’ websites.” How do you know? You have no security device monitoring your users’ activity. What’s worse, it doesn’t matter – they don’t have to!
True Story: As a test, a certain security engineer left a dozen USB keys scattered about a hotel. When one was inserted into a computer, the user found no data on the USB; it appeared to be blank. However, in the 30 seconds it was plugged into the computer, a key logger and remote control program were installed on that computer, and the user never knew it. How do we know this occurred? The remote control utility essentially “phoned home” when plugged into the computer.
Here’s the really interesting part: there were 12 USB drives scattered about. However, we were able to observe over 24 different devices that “phoned home.” That means that after seeing nothing on the thumb drive, the person just left it for the next innocent bystander to infect his computer. That’s human nature for you.
OK, so the picture should be clear by now. You’re exposed to some really nasty stuff if you don’t have a SonicWALL security appliance at every remote location, no matter how big or small.
The good news is Data-Tech has partnered with Dell SonicWALL to provide comprehensive, cost-effective service plans to protect your users, data and network from the bad guys. Most remote locations can be totally protected from everything in this document and more, starting as low as $99 per month.
Monitoring, Reporting & Regulatory Compliance
This document purposely excluded the requirements for regulatory compliance. Data-Tech and Dell SonicWALL are well versed in these requirements and can arrange a FREE security audit to determine your specific security compliance needs.
Although this may not seem incredibly important (depending on the nature of your business), ISPs do not have the ability to provide the necessary level of monitoring and reporting required to establish HIPAA and other regulatory compliance.
SonicWALL has put millions of dollars into their Global Management System, not only to manage large, distributed enterprise security but also to provide the necessary reporting for compliance.
Real World Example
Why is it important to secure Online Banking Portals?
A common hacker tool is phishing. Phishing is where you get an email that asks you to reset your online banking password (or the password for another secure site). However, this is a fake email made to look exactly like your bank’s email, with a link to a website that looks exactly like your banking or credit card website. You cannot tell the difference. However, the actual location of the site is NOT the official URL of your online banking or credit card portal. You will not know this, but your SonicWALL security device will. That's because your official online banking portal URL is approved in the SonicWALL security configuration, but the fake one is NOT!! So, if you change banks, add a new bank or portal, or for some reason your bank actually changes its secure URL, the SonicWALL security configuration has to be updated by a certified SonicWALL security engineer to allow access.
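The approved-portal rule described above, as an added example that is not part of the white paper and not SonicWALL’s own logic: a small Python allowlist check that accepts only an https URL whose hostname exactly matches an approved banking portal, and shows why a look-alike host that merely contains the real name is still rejected. The portal hostnames and phishing-style URLs are constructed placeholders.

```python
"""Exact-host allowlist for online banking portals (constructed example)."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed list of approved portal hostnames. As the paper notes, a new
# bank or a changed portal URL means this list must be updated.
APPROVED_PORTALS = frozenset({
    "online.examplebank.com",
    "cards.examplecard.com",
})


def normalize_host(url: str) -> Optional[str]:
    """Canonical hostname of *url*, or None if it has none.

    urlsplit().hostname drops any "user@" prefix and the port and
    lower-cases the name; IDNA encoding turns Unicode look-alike labels
    into distinct punycode so they cannot collide with an ASCII name.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def check_portal(url: str, approved=APPROVED_PORTALS) -> Tuple[bool, str]:
    """Return (allowed, reason) for a banking portal URL.

    Only an https URL whose hostname is exactly on the list is allowed.
    Substring or suffix matching is deliberately avoided: the phishing host
    "online.examplebank.com.account-verify.example" contains the real
    name but is a different domain.
    """
    if urlsplit(url).scheme.lower() != "https":
        return False, "scheme is not https"
    host = normalize_host(url)
    if host is None:
        return False, "no usable hostname"
    if host in approved:
        return True, f"approved portal {host}"
    return False, f"host {host} is not an approved portal"


if __name__ == "__main__":
    samples = (
        "https://online.examplebank.com/login",                    # real
        "https://ONLINE.ExampleBank.com:443/reset",                # real
        "http://online.examplebank.com/login",                     # no TLS
        "https://online.examplebank.com.account-verify.example/",  # suffix trick
        "https://online.examplebank.com@evil.example/reset",       # userinfo trick
        "https://onl\u0131ne.examplebank.com/reset",               # dotless-i look-alike
    )
    for sample in samples:
        print(check_portal(sample))
```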
This level of cyber-security protection can only be achieved with SonicWALL’s DPI-SSL secure packet inspection technology. Don’t be fooled by your ISP who offers Managed Security. Simply ask them for a DPI-SSL verification statement. If they can’t provide this…call Data-Tech for a SonicWALL security solution.
Conclusion
So the bottom line is this: with one cost-effective appliance, you can achieve the security, reliability, compliance and performance that are essential to today’s critical digital IT requirements.
Well, that about covers it. Sounds expensive? It’s not. With Data-Tech’s Firewall-as-a-Service, you can have this level of high availability and security protection for as low as $99 per month.
Thank you, and please contact us at Data-Tech for a free consultation with our certified security sales engineers.
Chris Lietz
President, Data-Tech
Member of the CyberCATS
www.DataTechITP.com
Important Links:
DPI-SSL Video by Data-Tech: https://www.youtube.com/watch?v=gG1qW3XlNbQ
Firewall-as-a-Service Video by Data-Tech: https://www.youtube.com/watch?v=hMbUZVPHDtM
Firewall-as-a-Service Information: https://www.datatechitp.com/2015/07/it-as-a-service-part-2-firewall-as-a-service/