
Study Guide for NSE 1: Datacenter Firewall 2016

February 1, 2016

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.

Fortinet Network Security Solutions



Contents
Figures  iii
Data Center Firewall  1
  Data Center Evolution  1
  Market Trends Affecting Data Centers  1
    Infrastructure Integration  2
    Edge vs. Core Data Center Firewalls  2
  Data Center Firewall Characteristics  4
    Virtual Firewalls  8
  Data Center Network Services  10
    Application Systems  11
    Application Services  12
  Summary  14
Key Acronyms  15
Glossary  17
References  20



Figures
Figure 1. Notional edge firewall configuration.  3
Figure 2. Notional data center firewall deployment.  4
Figure 3. Data center firewall adaptability to evolving capabilities.  5
Figure 4. Data center in a distributed enterprise network.  6
Figure 5. Data center firewall requirements.  8
Figure 6. North-South (Physical) vs. East-West (Virtual) traffic.  9
Figure 7. Notional network.  11
Figure 8. Differences between IaaS, PaaS, and SaaS.  12
Figure 9. Examples of businesses using IaaS, PaaS, and SaaS cloud models.  13



Data Center Firewall
Data centers have become abundant in the increasingly technology-based business environment of the 21st Century. Because of this growth, data centers have become a new field in which trends in computing and networking drive revisions to IT infrastructure strategies and, along with new strategies, new methods to bolster network security. Presented in this module are characteristics and functions of data center firewalls as they apply to networks and applications.

Data Center Evolution


A common notion in today's business environment is that "no matter what business you are in, you are a technology business." In the 21st Century, this is not only true of large businesses, but also applies to successful small and medium businesses (SMB). Modern data centers typically contain servers with a variety of purposes, including web, application, and database servers.
Along with growing use of technology came a need not only to develop more specialized applications but also to develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations: the Data Center. As new technologies for end users of computing platforms evolve, so must security measures for the data centers they access for operations such as email, social media, banking, shopping, education, and myriad other purposes. Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.

Market Trends Affecting Data Centers


As mentioned previously, consumer trends influenced data center development; however, the business sector was also instrumental in spurring on this development. As technology evolved, businesses learned to step to the leading edge of innovation in order to get ahead, or stay ahead, of competing enterprises. To this end, changes in business practices that influenced data center development included:
Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.
Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private or hybrid.
Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.



BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.
Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.
The Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are known as having ambient intelligence.

Infrastructure Integration
Meeting the challenge of data center growth while maintaining throughput capability requires the use of technology integration to reduce the potential for signal loss and speed reduction caused by bridging and security barriers between ad hoc arrangements of independent appliances. There are definitely two camps on what should be at the heart of a modern firewall. On one side are vendors who want to use an off-the-shelf (OTS) central processing unit (CPU) design. This is the simplest design but suffers from performance degradation. On the other side are those advocating the use of hybrid designs, merging CPUs with application-specific integrated circuits (ASIC), which are more efficient and may provide the necessary infrastructure to meet the demand for throughput, growth, and security. Two types of hybrid design are prevalent:
CPU + OTS ASIC. A design whereby a general purpose CPU is augmented by an off-the-shelf (OTS) processor.
CPU + Custom ASIC. The most difficult but best design, bringing together a general CPU linked closely to a number of custom-built ASICs. By matching ASICs designed to handle the specific tasks for which the processor and device are intended, the ability to process data is enhanced and system performance is optimized.

Edge vs. Core Data Center Firewalls


Edge Firewall. Implemented at the edge of a network in order to protect the network against potential attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall: the gatekeeper. In addition to gatekeeper duties, the edge firewall may have capabilities added as other security appliances are linked to the firewall. This method, however, leads to a complex architecture that results in complex network, and security, controls. A typical edge firewall is depicted in Figure 1.


Figure 1. Notional edge firewall configuration.

Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions. Depending on network size and configuration, the data center firewall may also provide
additional security functions, such as segregating internal resources from access by malicious insiders,
and ensuring compliance with regulations protecting consumer, patient, and other sensitive user data.
These functions are referred to as Multi-Layered Security, and may include:

IP Security (IPSec)
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Antivirus/Antispyware
Web Filtering
Antispam
Traffic Shaping [1]

These functions work together, providing integrated security for the data center, concurrently providing
consolidated, clear control for administrators while presenting complex barriers to potential threats.
Figure 2 shows a notional data center firewall deployment, providing gatekeeper duty, integrated
security solutions (as depicted in Figure 1, above), with simplified control and complex protection.


Figure 2. Notional data center firewall deployment.

Data Center Firewall Characteristics


As end user devices and activities evolve, data centers must evolve to ensure both service and security keep pace. Some market trends affecting data centers include increasing use of mobile devices, employee device portability (or BYOD), data center consolidation through server virtualization, cloud computing, and software-defined networking.
The key benefit of a data center network core firewall configuration with high-speed, high-throughput, low-latency capability is the ability to evolve as technology develops:
Throughput speeds have the potential to double every 18 months
High-speed 40/100 GbE ports are already going into existing systems
External users are moving from Internet Protocol version 4 (IPv4) to IPv6
Figure 3 illustrates how the data center firewall is adaptable to evolving technology and user trends.


Figure 3. Data center firewall adaptability to evolving capabilities.


Size Matters. Historically, a determining factor in network firewall selection was the number of users, both internal and external, accessing the network or its components. Using data center firewalls in small and medium businesses (SMB) makes sense, because modern data center firewall systems provide higher throughput speeds, higher connectivity (port capacity), and a higher capacity for concurrent sessions.
As a business or organization grows and network access begins to extend to multiple locations and thousands of users, the option of using an enterprise campus firewall may become a necessary investment. While the capacity to handle thousands of users and multiple locations may be accomplished with enterprise firewalls, the trade-off is the need for redundancy to ensure reliability, resulting in significantly higher costs and equipment complexity, and the need for extensive training if an organization intends to self-manage the enterprise firewall. Because of these complexities, enterprise data centers may reside on-premises at a company site, in a dedicated co-location space in a provider's data center facility, or as an outsourced service in a multi-tenant provider cloud environment.


Figure 4. Data center in a distributed enterprise network.

Because of the increasing size and complexity of data center operations and the needs of external users, as well as the increased costs associated with enterprise firewall equipment and training needs, companies may decide to outsource data center security operations to a third party, or Managed Security Service Provider (MSSP). A growing market along with evolving technologies, MSSPs provide a wide range of network security services, from one-time services, such as configuring routers, to ongoing services such as network monitoring, upgrade, and configuration. This provides small and medium businesses (SMB) enhanced capabilities without having to increase technical staff, while providing large and high-visibility businesses with supplemental protection beyond their technical staff.
When deciding whether to engage an MSSP for network security operations, a number of considerations must be taken into account. From the most basic perspective, the MSSP should align with your business and security philosophy. Will they sign a non-disclosure agreement, so that details about your company's security will be secure? The MSSP needs to be highly available to you, especially if you run 24/7 operations and reach a global audience (and who on the Internet doesn't these days?). It is worth a visit to their facility to check out their operations and talk with staff. The MSSP's service must be sustainable: what are their redundancy capabilities in case of primary system failures or disaster, and what is the likelihood they may go out of business (the market is still maturing and the current failure rate is high)? Identify clearly the level of serviceability you can expect from the MSSP, and demand a strong service level agreement (SLA) spelling out all roles and responsibilities for both parties. These requirements are foundational to success in using an MSSP to manage data center security.



As cloud services and software-defined networks (SDNs) became prevalent, network functions virtualization (NFV) platforms such as VMware NSX and Cisco ACI also began to take the place of physical devices, encapsulating appliances such as firewalls, load balancers, and switches as scalable virtual appliances within the same physical devices. The emergence of OpenFlow from behind the research lab walls and into mainstream management in cellular, telco, and data center operations has brought major network operators and manufacturers onboard in making OpenFlow the standard protocol for communications between controllers and network switches in the SDN, or virtual, environment. The OpenFlow protocol abstracts the network control plane from the data (forwarding) plane in order to program network traffic flows to be more dynamic and automated.
As virtualization and SDN deployment expanded, the practice became available for implementation by private individuals and organizations outside the traditional boundaries of those with large amounts of available capital and resources. With broad availability of open-source software enabling low-cost network development, cloud computing has reached into the realm of private and personal clouds. One popular open-source platform for cloud computing is OpenStack, which provides the capability to develop and manage private and public clouds, even providing compatibility with popular enterprise and open-source technologies for controlling large pools of data center computing, storage, and networking resources.
By designing and implementing network infrastructures combining high throughput with a dynamic software-defined network (SDN), the data center firewall provides the capability to evolve with consumer and industry trends. To accomplish this, data center firewalls must focus on three primary areas as foundations for security: performance, segmentation, and simplification.
Performance. As the need for network speeds to accelerate continues, the data center will be at the forefront of network design, enabling higher performance through high-speed, high-capacity, and low-latency firewalls. Currently, the minimum required throughput of a data center firewall is 10 Gbps, with an expectation by large company data center users that throughput may be increased up to an aggregate 100+ Gbps. Similarly, enabling high throughput requires a minimum port connectivity of 10 Gigabit Ethernet ports on the data center firewall, with some capabilities already expanding into the 40-100 Gigabit range.
Segmentation. With the evolution of IT devices and evolving network threats, organizations using data centers have adopted network segmentation as a best practice to isolate critical data against potential threats. Common data isolation criteria include applications, user groups, regulatory requirements, business functions, trust levels, and locations. To support the use of network segmentation in the network security schema, data center firewalls must provide high density and logical abstraction supporting both physical and virtual segmentation clouds. Benefits include keeping sensitive data partitioned from unauthorized access for security and compliance purposes, limiting lateral movement of advanced threats that gain initial footholds in the network, and ensuring employees and users have access to only the services and applications for which they are authorized.
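Added example, not from the study guide: a small Python model of the zone-based segmentation described above, with zones split by business function and trust level and an explicit-allow, default-deny policy. The zone names, address ranges, ports and sample flows are constructed assumptions; the point it shows is that the core firewall classifies each flow as North-South or East-West and blocks a web-tier host that tries to reach the database tier directly, which is the lateral-movement case the paragraph refers to.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone model for a data center core firewall (assumed names/ranges).
# Internal zones are segmented by business function and trust level; any
# address outside them is treated as the untrusted Internet beyond the edge.
INTERNAL_ZONES = {
    "web": ipaddress.ip_network("10.10.0.0/24"),  # public-facing web tier
    "app": ipaddress.ip_network("10.20.0.0/24"),  # application tier
    "db":  ipaddress.ip_network("10.30.0.0/24"),  # database tier (most sensitive)
}

# Explicit allow rules as (src_zone, dst_zone, dst_port). Anything not listed
# is denied: a Zero-Trust default applied inside the core, not only at the edge.
POLICY = [
    ("internet", "web", 443),  # north-south: the edge admits HTTPS to the web tier only
    ("web", "app", 8080),      # east-west: the web tier may call the app tier
    ("app", "db", 5432),       # east-west: only the app tier may reach the database
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its segment; unknown addresses are the untrusted Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERNAL_ZONES.items():
        if addr in net:
            return name
    return "internet"


def direction(flow: Flow) -> str:
    """North-South crosses the data center edge; East-West stays inside it."""
    if "internet" in (zone_of(flow.src), zone_of(flow.dst)):
        return "north-south"
    return "east-west"


def evaluate(flow: Flow) -> str:
    """Return 'allow' if an explicit rule matches the flow, otherwise 'deny'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule_src, rule_dst, rule_port in POLICY:
        if (src_zone, dst_zone, flow.dport) == (rule_src, rule_dst, rule_port):
            return "allow"
    return "deny"


def evaluate_all(flows):
    """Evaluate every flow and return (flow, direction, verdict) tuples."""
    return [(f, direction(f), evaluate(f)) for f in flows]


def lateral_movement_blocked(flows) -> int:
    """Count East-West flows the core firewall denied (blocked lateral movement)."""
    return sum(1 for _, d, v in evaluate_all(flows) if d == "east-west" and v == "deny")


# Constructed sample flows. The last two model a web server that has been
# compromised and now tries to move laterally instead of using its allowed path.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.10.0.5", 443),   # client -> web: allowed at the edge
    Flow("203.0.113.10", "10.30.0.7", 5432),  # client -> db: denied at the edge
    Flow("10.10.0.5", "10.20.0.8", 8080),     # web -> app: allowed east-west path
    Flow("10.20.0.8", "10.30.0.7", 5432),     # app -> db: allowed east-west path
    Flow("10.10.0.5", "10.30.0.7", 5432),     # web -> db: skips the app tier, denied
    Flow("10.10.0.5", "10.10.0.6", 22),       # web -> web SSH: no rule, denied
]

if __name__ == "__main__":
    for flow, d, verdict in evaluate_all(SAMPLE_FLOWS):
        print(f"{flow.src:>14} -> {flow.dst:<10}:{flow.dport:<5} {d:<11} {verdict}")
    print("lateral-movement attempts blocked:", lateral_movement_blocked(SAMPLE_FLOWS))
```

A hypervisor-mode virtual firewall sees the same intra-host flows (such as the web-to-web SSH attempt) that a purely physical edge firewall never would, which is why the guide pairs segmentation with virtual firewalls.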



Simplification. Because data centers extend to external users of varying trust levels, there is a need to extend a Zero-Trust model for data access beyond the traditional data center edge and into the segmentation throughout the network's core. This requires a consolidated, simplified, security platform that can manage multiple functions while supporting high speed network operations. In order to further simplify data center firewall operations, integration of network routing and switching functions into firewall controls provides added centralized visibility and control of network functions and security monitoring. Consolidation may also be accomplished by putting multiple physical server workloads onto a shared physical host by using virtual machines on a hypervisor.
A good example of a data center core firewall that incorporates all the requirements of low latency, high throughput, and high performance is the FortiGate platform line. These firewalls include models that deliver over 100 Gbps performance with less than 5 µs latency (Figure 5).

Figure 5. Data center firewall requirements.

One of the benefits of a data center network core firewall configuration as illustrated in Figure 10 is the ability to evolve as trends in technology develop. With an estimated potential for throughput speeds to double every 18 months, and adoption of high-speed network interfaces such as 40/100Gb Ethernet ports into existing architectures, data center firewalls will need to be ready for the challenge. With these developments, and as external users move from transmitting traffic using Internet Protocol version 4 (IPv4), which currently carries over 95% of the world's Internet traffic, to IPv6, firewalls such as the FortiGate line provide the ability to keep pace and maintain data center service and security.
Virtual Firewalls
Traditional firewalls protect physical computer networks, those running on physical hardware and cabling. As such, the most effective means of security was and still is a physical, locked, fire door. Such physical network traffic is also referred to as North-South traffic. Unlike physical machines and networks, virtual machines operate in a virtual environment, isolated on a host but acting as though they were an independent system or network. Even as a virtual reality, however, the network may be subject to threats and intrusion from external sources. Virtual traffic, that is, traffic moving laterally between servers without leaving the data center, is referred to as East-West traffic (Figure 6).
Today, 60-70% of traffic is E-W because of the trend in virtualization and consolidation, which is why virtual networks are of vital importance in the emergence of data centers and the need for reliable and adaptable data center security in modern networks.
Virtual networks (VLANs) may be used to segment multiple subnets logically on the same physical switch. To secure data being transmitted between virtual machines in a virtual network, the virtual firewall was developed. A virtual firewall is simply a firewall service running entirely within the virtual environment, providing the typical packet filtering and monitoring that would be expected when using a physical device in a physical network. The virtual firewall may take a number of forms: it may be loaded as a traditional software firewall on the virtual host machine, it can be built into the virtual environment, it can be a virtual switch with additional capabilities, or it can be a managed kernel process within the host hypervisor for all virtual machine activity.

Figure 6. North-South (Physical) vs. East-West (Virtual) traffic.


Virtual firewalls may operate in one of two modes, depending on how they are deployed: bridge mode or hypervisor mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at an inter-network switch or bridge to intercept network traffic needing to travel over the bridge. In this way, the virtual firewall may decide to allow passage, drop, reject, forward, or mirror the packet. This was the standard for early virtual networks and some current networks still retain this model.
In hypervisor mode the virtual firewall is not actually part of the virtual network at all; rather, it resides in the host virtual machine, or hypervisor, in order to capture and analyze packets destined for the virtual network. Since virtual firewalls operating in hypervisor mode are not part of the virtual network in a virtual machine, they are able to run faster within the kernel at native hardware speeds. Examples of popular hypervisors on the market include VMware vSphere, Citrix Xen, and Microsoft Hyper-V.
As these developments in virtual capabilities occurred, they necessarily gave way to a new paradigm by which to consider the definition of the data center itself. Instead of needing a traditional physical infrastructure that defines the data center, such as a building or a server room within a structure, what if the paradigm shifted to a data center that resided within a software-defined space? Because of the continued evolution of virtual technology, this capability is a reality. The software-defined data center (SDDC) presents a paradigm in which infrastructure such as servers, network, and storage can be logically and dynamically orchestrated without the need for adding or configuring new physical appliances or expanding into new facilities. Because of the virtual nature of these SDDCs, the emergence of on-demand data centers was enabled, providing benefits to small consumers and SMBs such as pay-as-you-use infrastructure, delivery on demand without extended provisioning times, and no requirement for long-term obligations or contracts. In other words, the emergence of SDDCs provided new paths for economical flexibility in data center definition and operation.
In summary, the flexible deployment capability for data center firewalls provides for targeting of the threats identified as most important to the network or system. Deploying the firewall at the network edge is effective to block external intrusions from accessing the network. Deploying the firewall at the network core provides segmentation in the event that an external threat gains access to the network. At the virtual layer, the firewall is able to monitor traffic between virtual machines (VM).

Data Center Network Services


As technology evolved, more and more services moved from running as physically resident applications to virtual or cloud-based applications to reduce bottlenecks, increase throughput, and optimize data sharing, among other benefits. Data center traffic has increased because of factors such as the increased number of users depending on mobile applications to access data anytime and anyplace, businesses aggregating and storing increasing amounts of data to enable analytics, and increased use of SaaS cloud storage over local physical drive storage appliances. Because of these shifts, networks from distributed enterprises down to SMB and home businesses began to depend on virtual and cloud applications for remote and mobile capability. This led to a parallel focus on development of threats to the application layers of the Open Systems Interconnection (OSI) model, which will be discussed later in this book. The remainder of this module will focus on how the data center serves to facilitate the use of applications in the modern mobile, virtual and cloud-based technology environment.



Application Systems
Application systems typically consist of user interfaces, programming (logic), and databases. A user interface is the control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices. Some application systems have non-visual interfaces that exchange data electronically with other systems in a network. Figure 7 illustrates a notional network.
Programming consists of the scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Many large computers use more than one computer language to drive the system and connect with networks. This allows linking of systems performing specialized functions into a centrally manageable network.
Databases are simply electronic repositories of data used to store information for the organization in a structured, searchable, and retrievable format. Most databases are configured to facilitate access for downloading, updating, and, when applicable, sharing with other authorized network users.

Figure 7. Notional network.



Computer systems are simply sets of components that are assembled into an integrated package. The
heart of a computer system is the central processing unit (CPU), around which various other
components such as data storage, drives, displays, memory, input devices, and other peripherals are
built. Computer system components may vary in size and complexity and can be designed for single or
multiple purposes.
Control is accomplished through user interfaces. The level of application control found in Next Generation Firewalls (NGFWs) is not generally necessary in a data center core firewall, primarily because of the lack of end users running in the data center itself. Typically, data center applications are accessed and used as cloud services or database information, rather than as platforms for writing and executing programs by external users.

Application Services
With increasing use of the cloud to enable mobile, even global, use of applications and access to organization databases, technology services designed to fulfill the needs of various industries from SMB to large international corporations developed. In today's market, and the foreseeable future, cloud services continue to grow quickly. Integral to this broad range of services are three primary components: infrastructure (IaaS), platforms (PaaS), and software (SaaS) as services. The primary difference between models rests in responsibility tradeoffs between developer (user) and vendor (provider), as illustrated in Figure 8 [2].

Figure 8. Differences between IaaS, PaaS, and SaaS.



Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service provider creates the infrastructure, which becomes a self-service platform for the user for accessing, monitoring, and managing remote data center services. The benefit of IaaS is that the user does not have to invest large amounts into infrastructure and ongoing upgrades and service, while retaining operational flexibility. The downside is that this model requires the user to have a higher degree of technical knowledge, or at least know or employ someone who does. Examples of businesses using the IaaS model appear in Figure 9.
Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides monitoring and maintenance services for the user. Users of PaaS cloud services have access to middleware to assist with application development, as well as inherent characteristics including scalability, high availability, multi-tenancy, SaaS enabling, and other features. This allows the user to focus on what is most important to their business: their application(s). In particular, businesses large or complex enough to employ an enterprise data center model benefit greatly from PaaS because it reduces the amount of coding necessary and automates business policy. Examples of businesses using the PaaS model appear in Figure 9.
Software as a Service (SaaS). The SaaS model represents the largest cloud market and continues to grow. This model takes the final step of bringing the actual software application into the set of functions managed by the provider, with the user having a client interface. Because the application resides in the cloud itself, most SaaS applications may be operated through a web browser without the need to download or install resident software on individual physical systems. This allows businesses to develop software and operational requirements, but to have those requirements written and fulfilled by a third party vendor, although such designs typically involve customization of pre-existing software applications, because SaaS does not provide the broad flexibility of software development options available in the PaaS model. Examples of businesses using the SaaS model appear in Figure 9 [3].

Figure 9. Examples of businesses using IaaS, PaaS, and SaaS cloud models.



The Shared Security Responsibility (SSR) Model. When using application services, the cloud, for applications and access to databases, these services come with a shared responsibility for security and operations split between the cloud provider and the cloud tenant. Depending upon which model is chosen for operations (IaaS, PaaS, or SaaS), your level of security responsibility changes in magnitude. Referring back to Figure 8, as you relinquish more control of operations and decision-making/configuration to the vendor/provider, such as with the SaaS model, your degree of security responsibility also declines. Conversely, if you decide to retain more management, such as in the IaaS model, your security responsibility increases in magnitude.

Summary
This module has moved from an introduction to current computer network options and configurations,
through the challenges posed by evolving technologies and advanced threats, to lay a foundation for more
focused discussion of emerging threats and of the network security technologies and processes that give
organizations the tools to defend against those threats while continuing uninterrupted, secure operations.
A further module in this program covers the Next Generation Firewall (NGFW), an evolving network
security technology.



Key Acronyms
AAA       Authentication, Authorization, and Accounting
AD        Active Directory
ADC       Application Delivery Controller
ADN       Application Delivery Network
ADOM      Administrative Domain
AM        Antimalware
API       Application Programming Interface
APT       Advanced Persistent Threat
ASIC      Application-Specific Integrated Circuit
ASP       Analog Signal Processing
ATP       Advanced Threat Protection
AV        Antivirus
AV/AM     Antivirus/Antimalware
BYOD      Bring Your Own Device
CPU       Central Processing Unit
DDoS      Distributed Denial of Service
DLP       Data Leak Prevention
DNS       Domain Name System
DoS       Denial of Service
DPI       Deep Packet Inspection
DSL       Digital Subscriber Line
FTP       File Transfer Protocol
FW        Firewall
Gb        Gigabit (GB, with a capital B, is gigabyte)
GbE       Gigabit Ethernet
Gbps      Gigabits per second
GSLB      Global Server Load Balancing
GUI       Graphical User Interface
HTML      Hypertext Markup Language
HTTP      Hypertext Transfer Protocol
HTTPS     Hypertext Transfer Protocol Secure
IaaS      Infrastructure as a Service
ICMP      Internet Control Message Protocol
ICSA      International Computer Security Association
ID        Identification
IDC       International Data Corporation
IDS       Intrusion Detection System
IM        Instant Messaging
IMAP      Internet Message Access Protocol
IMAPS     Internet Message Access Protocol Secure
IoT       Internet of Things
IP        Internet Protocol
IPS       Intrusion Prevention System
IPSec     Internet Protocol Security
IPTV      Internet Protocol Television
IT        Information Technology
J2EE      Java 2 Platform, Enterprise Edition
LAN       Local Area Network
LDAP      Lightweight Directory Access Protocol
LLB       Link Load Balancing
LOIC      Low Orbit Ion Cannon
MSP       Managed Service Provider
MSSP      Managed Security Service Provider
NGFW      Next Generation Firewall
NSS       NSS Labs
OSI       Open Systems Interconnection
OTS       Off the Shelf
PaaS      Platform as a Service
PC        Personal Computer
PCI DSS   Payment Card Industry Data Security Standard
PHP       PHP: Hypertext Preprocessor
POE       Power over Ethernet
POP3      Post Office Protocol (v3)
POP3S     Post Office Protocol (v3) Secure
QoS       Quality of Service
RADIUS    Remote Authentication Dial-In User Service
RDP       Remote Desktop Protocol
SaaS      Software as a Service
SDN       Software-Defined Network
SEG       Secure Email Gateway
SFP       Small Form-Factor Pluggable
SFTP      SSH File Transfer Protocol
SIEM      Security Information and Event Management
SLA       Service Level Agreement
SM        Security Management
SMB       Small & Medium Business
SMS       Short Message Service
SMTP      Simple Mail Transfer Protocol
SMTPS     Simple Mail Transfer Protocol Secure
SNMP      Simple Network Management Protocol
SPoF      Single Point of Failure
SQL       Structured Query Language
SSL       Secure Sockets Layer
SWG       Secure Web Gateway
SYN       Synchronize (TCP connection-setup flag)
Syslog    System logging protocol for computer message logging (RFC 5424)
TCP       Transmission Control Protocol
TCP/IP    Transmission Control Protocol/Internet Protocol (the Internet protocol suite)
TLS       Transport Layer Security
TLS/SSL   Transport Layer Security/Secure Sockets Layer
UDP       User Datagram Protocol
URL       Uniform Resource Locator
USB       Universal Serial Bus
UTM       Unified Threat Management
VDOM      Virtual Domain
VM        Virtual Machine
VoIP      Voice over Internet Protocol
VPN       Virtual Private Network
WAF       Web Application Firewall
WAN       Wide Area Network
WANOpt    Wide Area Network Optimization
WLAN      Wireless Local Area Network
XSS       Cross-site Scripting



Glossary
ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.
Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to
process using traditional databases and software techniques. In many enterprise scenarios, the data is
too big, moves too fast, or exceeds current processing capacity.
Bridge Mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally placed
inline at a switch or bridge between network segments so that it intercepts traffic crossing that bridge.
BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,
whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a
Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were
owned by the employee.
Cloud Computing. Computing in which large groups of remote servers are networked to allow
centralized data storage and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.
Computer systems are simply sets of components that are assembled into an integrated package.
CPU. The heart of a computer system is the central processing unit (CPU), around which various other
components are built. A CPU is the electronic circuitry within a computer that carries out the
instructions of a computer program by performing the basic arithmetic, logical, control, and
input/output (I/O) operations specified by the instructions.
Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
- IP Security (IPSec)
- Firewall
- Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
- Antivirus/Antispyware
- Web Filtering
- Antispam
- Traffic Shaping [1]

Databases are simply electronic repositories of data used to store information for the organization in a
structured, searchable, and retrievable format.
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall
the gatekeeper.
Hypervisor Mode. In hypervisor mode the virtual firewall is not part of the virtual network at
all; rather, it resides in the hypervisor (the host layer beneath the guest virtual machines) in order to
capture and analyze packets destined for the virtual network.



Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service
provider creates the infrastructure, which becomes a self-service platform for the user for accessing,
monitoring, and managing remote data center services.
Internet of Things (IoT). The (once futuristic) concept that everyday objects can connect to
the Internet and identify themselves to other devices. IoT is significant because an object that can
represent itself digitally becomes something greater than the object by itself.
OpenFlow. OpenFlow enables network controllers to determine the path of network packets across a
network of switches. The controllers are distinct from the switches. This separation of the control plane
from the forwarding plane allows for more sophisticated traffic management than is feasible using access
control lists (ACLs) and routing protocols. OpenFlow allows switches from different vendors, often each
with their own proprietary interfaces and scripting languages, to be managed remotely using a single,
open protocol.
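The control/forwarding split described above, as an added illustration that is not code from the study guide or from any OpenFlow implementation: the switch only consults its flow table, and on a table miss sends the packet to the controller (the "packet-in" path), which decides per policy and installs either a forwarding entry or an explicit drop. The match fields, port numbers, addresses and the tenant policy are assumptions for the example, and real OpenFlow carries these as binary messages rather than Python objects.

```python
# Added illustration of OpenFlow-style control/forwarding separation; not code
# from the study guide or from any OpenFlow implementation. Field names, port
# numbers, addresses and the tenant policy below are assumptions for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Flow:
    priority: int                 # higher wins when several entries match
    match: Dict[str, object]      # field -> required value; absent field = wildcard
    action: str                   # "output:<port>" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class Controller:
    """Control plane: knows topology and policy, installs flows on demand."""

    def __init__(self, routes: Dict[str, int], allowed: Set[Tuple[str, str, int]]):
        self.routes = routes      # dst_ip -> switch output port
        self.allowed = allowed    # (src_ip, dst_ip, dst_port) tuples permitted by policy

    def packet_in(self, pkt: Packet) -> Flow:
        """Called on a table miss. Returns the flow the switch should install."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if key in self.allowed and pkt.dst_ip in self.routes:
            match = {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "dst_port": pkt.dst_port}
            return Flow(100, match, f"output:{self.routes[pkt.dst_ip]}")
        # Install an explicit drop for the pair so rejected traffic does not keep
        # generating packet-ins (a controller-exhaustion concern in real deployments).
        return Flow(50, {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip}, "drop")


class Switch:
    """Forwarding plane: only matches packets against its installed flow table."""

    def __init__(self, controller: Controller):
        self.controller = controller
        self.flows: List[Flow] = []
        self.packet_ins = 0       # how many times the controller was consulted

    def lookup(self, pkt: Packet) -> Optional[Flow]:
        for flow in sorted(self.flows, key=lambda f: f.priority, reverse=True):
            if flow.matches(pkt):
                return flow
        return None

    def forward(self, pkt: Packet) -> str:
        flow = self.lookup(pkt)
        if flow is None:                      # table miss -> ask the controller
            self.packet_ins += 1
            flow = self.controller.packet_in(pkt)
            self.flows.append(flow)
        return flow.action


def run_demo() -> List[Tuple[str, int]]:
    """Constructed traffic: returns (action, packet_ins_so_far) for each packet."""
    ctrl = Controller(routes={"10.0.2.10": 2},
                      allowed={("10.0.1.5", "10.0.2.10", 443)})
    sw = Switch(ctrl)
    traffic = [
        Packet(1, "10.0.1.5", "10.0.2.10", 443),  # permitted: miss, then installed
        Packet(1, "10.0.1.5", "10.0.2.10", 443),  # same flow: no controller round-trip
        Packet(1, "10.0.1.5", "10.0.2.10", 22),   # policy denies: drop flow installed
        Packet(1, "10.0.1.5", "10.0.2.10", 22),   # drop now handled in the switch
        Packet(1, "10.0.1.5", "10.0.2.10", 443),  # allow still wins (higher priority)
    ]
    return [(sw.forward(p), sw.packet_ins) for p in traffic]


if __name__ == "__main__":
    for action, consults in run_demo():
        print(action, consults)
```

The counter shows the property that matters operationally: only the first packet of each new flow costs a controller round-trip, and the explicit drop entry keeps denied traffic from doing so repeatedly.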
NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall
appliance instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities
of a traditional firewall with advanced features including:
- Intrusion Prevention (IPS)
- Access Enforcement
- Third Party Management Compatibility
- Deep Packet Inspection (DPI)
- Distributed Enterprise Capability
- VPN
- Network App ID & Control
- Extra Firewall Intelligence
- Application Awareness

Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user beyond
the IaaS model. In this model, the provider not only builds the infrastructure, but also provides
monitoring and maintenance services for the user.
Programming consists of the scripts or computer instructions used to validate data, perform
calculations, or navigate users through application systems.
SDDC. The software-defined data center (SDDC) presents a paradigm that infrastructure such as servers,
network, and storage can be logically and dynamically orchestrated without the need for adding or
configuring new physical appliances or expanding into new facilities.
Shared Security Responsibility (SSR) Model. When using application services (the cloud) for
applications and access to databases, these services come with a shared responsibility for security and
operations split between the cloud provider and the cloud tenant.
Software as a Service (SaaS). The SaaS model takes the final step of bringing the actual software
application into the set of functions managed by the provider, with the user having a client interface.



Software-Defined Networks (SDN). An approach to networking in which control is decoupled from
hardware and given to a software application called a controller. The result is dynamic, manageable,
cost-effective, and adaptable, making it well suited to the high-bandwidth, dynamic nature of today's
applications.
Virtual Firewall. A virtual firewall is simply a firewall service running entirely within the virtual
environment, providing the typical packet filtering and monitoring that would be expected when using a
physical device in a physical network.
Virtualization. Creating a virtual version of a device or resource, such as a server, storage device,
network or even an operating system where the framework divides the resource into one or more
execution environments.
VLAN. Virtual LANs (VLANs) may be used to segment multiple subnets logically on the same physical
switch; each VLAN is its own broadcast domain, identified by a 12-bit VLAN ID carried in an IEEE 802.1Q
tag.
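To make the segmentation concrete, here is an added example (not code from the study guide) that parses the 802.1Q tag out of raw Ethernet frames and groups the frames by VLAN ID, which is exactly the decision a switch makes when it keeps two subnets apart on the same hardware. It also handles the cases a practitioner trips over: untagged frames, priority-only tags with VID 0, and 802.1ad (QinQ) double tags. The frames and MAC addresses are constructed for the example, and "forward on the outermost tag" is the assumed switch behaviour.

```python
# Added example: parse 802.1Q / 802.1ad tags from raw Ethernet frames and group
# frames by VLAN ID. Not code from the study guide; the frames below are
# constructed for the example and the MAC addresses are made up.
import struct
from collections import defaultdict
from typing import Dict, List, Optional

TPID_8021Q = 0x8100    # customer (C-) tag
TPID_8021AD = 0x88A8   # service-provider (S-) tag used as the QinQ outer tag
TPIDS = (TPID_8021Q, TPID_8021AD)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs, VLAN tags (outermost first), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated before EtherType")
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
        if ethertype not in TPIDS:
            break                               # reached the real EtherType
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,          # 3-bit priority code point
                     "dei": (tci >> 12) & 1,    # drop eligible indicator
                     "vid": tci & 0x0FFF})      # 12-bit VLAN ID
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def segment_of(parsed: dict) -> Optional[int]:
    """VLAN the switch forwards this frame in: the outermost tag's VID (assumed
    switch behaviour). VID 0 is a priority-only tag and counts as untagged;
    VID 4095 is reserved."""
    for tag in parsed["tags"]:
        vid = tag["vid"]
        if vid == 4095:
            raise ValueError("reserved VID 4095")
        if vid != 0:
            return vid
    return None   # untagged: lands in the port's native/untagged VLAN


def group_by_vlan(frames: List[bytes]) -> Dict[Optional[int], List[str]]:
    """Map VLAN ID -> source MACs seen, i.e. the separate broadcast domains."""
    groups: Dict[Optional[int], List[str]] = defaultdict(list)
    for f in frames:
        p = parse_frame(f)
        groups[segment_of(p)].append(p["src"])
    return dict(groups)


def build_frame(dst: str, src: str, tags: List[tuple], ethertype: int, payload: bytes) -> bytes:
    """Build a constructed test frame. tags: list of (tpid, vid), outermost first."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, vid in tags:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP 0, DEI 0
    return out + struct.pack("!H", ethertype) + payload


BCAST = "ff:ff:ff:ff:ff:ff"
IPV4 = b"\x45" + b"\x00" * 19     # placeholder IPv4 header bytes (constructed)
# Constructed sample traffic all arriving at one physical switch
SAMPLE = [
    build_frame(BCAST, "02:00:00:00:00:0a", [(TPID_8021Q, 10)], 0x0806, b"\x00" * 28),
    build_frame(BCAST, "02:00:00:00:00:14", [(TPID_8021Q, 20)], 0x0806, b"\x00" * 28),
    build_frame(BCAST, "02:00:00:00:00:0b", [(TPID_8021Q, 10)], 0x0800, IPV4),
    build_frame(BCAST, "02:00:00:00:00:ee", [], 0x0800, IPV4),                 # untagged
    build_frame(BCAST, "02:00:00:00:00:0f", [(TPID_8021Q, 0)], 0x0800, IPV4),  # priority tag
    build_frame(BCAST, "02:00:00:00:00:64",
                [(TPID_8021AD, 100), (TPID_8021Q, 10)], 0x0800, IPV4),         # QinQ
]

if __name__ == "__main__":
    for vid, macs in group_by_vlan(SAMPLE).items():
        print(f"VLAN {vid}: {macs}")
```

The two broadcast frames from VLAN 10 and VLAN 20 never share a group even though they hit the same switch, which is the segmentation the glossary entry describes; the QinQ frame shows why a parser must walk nested tags rather than assume a single 0x8100 at offset 12.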



References
1. UAB, M. Fortinet Secure Gateways, Firewalls. 2013.
2. Frampton, K. The Differences Between IaaS, SaaS, and PaaS. SmartFile, 2013.
3. Bray, G. SaaS vs PaaS vs IaaS. Stack Exchange, 2010.
