Managed Firewall

Overview

Managed Firewall provides Customers with firewall functions that they can use within their Tenant(s) on Enterprise Cloud 2.0.
Managed Firewall can be connected to Logical Networks within the Tenant(s), and Customers apply their own control parameters to traffic between logical networks, so that they alone control their own network.
(NOTE: Hereinafter, Managed Firewall is referred to as “this Menu” and the equipment that provides the features is referred to as “Device”.)
(Figure: Overview of Managed Firewall)

Features

Following are the features of this Menu:

1. Safety and Security as the two main concerns in the operation of Security-Managed Services:
Service Provider provides Customers with a highly qualified global security operation, the Global Risk Operation Center (GROC hereinafter), which monitors the security of Customers’ networks.

2. Upgradable Security Features:
This Menu lets Customers upgrade to the Managed UTM menus, which add substantially more security functions.
Managed UTM provides all the necessary security features in one package to protect the Customers’ environment from a variety of security threats such as unauthorized access, virus infection, unwanted web access, spam e-mail, etc. The functions include:
  • Firewall Functions (access control)

  • IDS / IPS Functions (detection of and defence against unauthorized access) [1]

  • Anti-Virus Functions (protection against virus infection)

  • Web-Filtering Functions (filtering URLs of web traffic)

  • Anti-Spam Functions (judging and / or removing spam)

(Figure: Change Menu)

[1] IDS: Intrusion Detection System; IPS: Intrusion Prevention System

3. Immediate Provisioning / Immediate Settings Change Through Self-Operation
Customers can use this Menu immediately by operating the Security Control Panel of the Enterprise Cloud 2.0 Portal. Settings changes also take effect immediately through the same panel.
Customers are therefore able to use the functions without initial investment or the risk of a minimum use period, paying only for the time they use the service and designing their security network according to their business needs.

Available Functions

List of Available Functions

Customers are provided with the following functions with this Menu:

1. Firewall
   Customers control traffic based on the firewall parameters of their own policies.

2. Network
   The “Device” is connected to the Logical Network and / or routes the traffic.

3. Other Functions
   Logs obtained by the “Device” are transmitted to the Customers’ own syslog server, and the time zone used for log entries recorded within the “Device” is assigned.

4. Security Incident Report
   The “Device” analyzes its own logs and reports any security incident(s) once information indicates that it received hostile incoming traffic.

5. Control Panel
   The “Device” is set up and recognizes subscriptions created or added through the Security Control Panel in the Enterprise Cloud 2.0 Portal.


Descriptions of Each Function

1. Firewall
Following Firewall Functions are provisioned:

Firewall
   Based on the values and rules of the Firewall policies, this function performs “stateful packet inspection” [2] on traffic that passes through the “Device”.

NAT/NAPT [3]
   The NAT / NAPT function translates the IP address or port number(s) of traffic that passes through the “Device”.

[2] Stateful inspection decides whether to allow or disallow a packet passing through the “Device” by tracking the state of the packets passing through it. Typically, if a packet is allowed on the way out, the corresponding return packets are allowed back in.

[3] NAT stands for Network Address Translation. NAPT stands for Network Address Port Translation.

Firewall Policy
The firewall policy is defined by the following items:

Input Interface
   Specify the interface on which the controlled communication enters the device.

Source Address
   Specify the source address (address objects, or selected from an address group).

Output Interface
   Specify the interface from which the controlled communication leaves the device.

Destination address type
   Specify the type of destination address:
   • Address Object: if you do not want to use Destination NAT
   • NAT object: if you want to use Destination NAT

Destination address
   Specify the destination address (selected from the objects of the type you specified in the destination address type).

Service
   Specify the communication services to control (service objects, or selected from a service group).

Action
   Specifies the action for communication that matches the policy:
   • ACCEPT: allow the communication
   • DENY: reject the communication

NAT
   Mode specified when using Source NAT:
   • Use Outgoing Interface Address: use the IP address set on the port specified as the output interface
   • Use NAPT Object: use the address of the pre-defined NAT object (Source NAT object)

Log
   Specifies whether to record a log when communication matches the policy.

Note

  • In an HA configuration, the following IP addresses configured on interfaces cannot be used for Source NAT:

    • Real IP address of each device

    • Virtual IP address (VRRP IP address)

Objects
Objects are defined in advance and then used in firewall policy settings.

Address Object
   Defines an address used in Firewall Policy functions.

Address Group
   Groups multiple address objects so that one (1) group is handled by one (1) Firewall Policy.

NAT Object
   Defines NAT: the Source NAT object used for NAPT configuration, and the Destination NAT object.

Service Object
   Defines a service used in a Firewall Policy.

Service Group
   Groups multiple service objects so that they are handled as one (1) by one (1) Firewall Policy.
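As an added example, not part of this Menu’s documentation or of the Portal’s own tooling, the following Python sketch models the policy fields and object types described above and validates a policy definition before it is entered in the Security Control Panel; it also applies the reserved-range rule from the Restrictions section. The object names, CIDRs and the dict layout are constructed assumptions.

```python
import ipaddress

# Ranges listed under Restrictions as unusable for interfaces, routing,
# address objects, Source NAT and Destination NAT.
RESERVED = [ipaddress.ip_network("169.254.0.0/16"),
            ipaddress.ip_network("100.64.0.0/10")]

# Constructed sample object definitions (names and CIDRs are made up).
OBJECTS = {
    "address": {"web-servers": "10.1.10.0/24", "bad-obj": "169.254.1.0/24"},
    "address_group": {"all-servers": ["web-servers"]},
    "snat": {"snat-out"},          # Source NAT objects (used for NAPT)
    "dnat": {"dnat-web"},          # Destination NAT objects
    "service": {"https"},
    "service_group": {"web-ports"},
}

def check_address_objects(objects):
    """Flag address objects that overlap a reserved range."""
    problems = []
    for name, cidr in objects["address"].items():
        net = ipaddress.ip_network(cidr, strict=False)
        problems += [f"{name}: {cidr} overlaps reserved {r}"
                     for r in RESERVED if net.overlaps(r)]
    return problems

def validate_policy(policy, objects):
    """Check one policy, given as a dict keyed by the policy table's fields."""
    errors = []
    if policy["source"] not in set(objects["address"]) | set(objects["address_group"]):
        errors.append(f"unknown source object {policy['source']!r}")
    dest_type = policy["destination_type"]
    if dest_type == "Address Object":        # no Destination NAT
        valid_dest = set(objects["address"])
    elif dest_type == "NAT object":          # Destination NAT
        valid_dest = objects["dnat"]
    else:
        errors.append(f"bad destination_type {dest_type!r}")
        valid_dest = set()
    if policy["destination"] not in valid_dest:
        errors.append(f"destination {policy['destination']!r} is not a {dest_type}")
    if policy["service"] not in objects["service"] | objects["service_group"]:
        errors.append(f"unknown service {policy['service']!r}")
    if policy["action"] not in ("ACCEPT", "DENY"):
        errors.append(f"action must be ACCEPT or DENY, got {policy['action']!r}")
    nat = policy.get("nat")                  # None: no Source NAT
    if nat == "Use NAPT Object" and policy.get("nat_object") not in objects["snat"]:
        errors.append("Use NAPT Object requires a defined Source NAT object")
    elif nat not in (None, "Use Outgoing Interface Address", "Use NAPT Object"):
        errors.append(f"unsupported NAT mode {nat!r}")
    return errors
```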


2. Network
Following functions are available with the Network-based Functions:

Interface
   Sets the interfaces of the “Device” and connects them to the logical network.

Routing
   Sets static routes and the default gateway, by which traffic is routed.

Note

  • Customers are required to create the logical network before this Menu is provisioned.

  • The “Device” is connected to the Data Plane of the logical network; it is not connected to the Storage Plane of the logical network.

  • To create, change or delete an interface of the “Device”, the “Device” must be rebooted, and the interface MAC address will change automatically.

  • The MTU size of the interface can be changed in the range of 100 to 1500 bytes. The default value is 1500 bytes.


3. Other Functions
Following are the other functions:

Syslog transmission
   Logs obtained at the “Device” are sent to a syslog server that the Customers manage.

Time Zone Assignment
   Assigns the time zone used for the time stamps recorded in the “Device” logs.

Note

  • Only one (1) destination can be set for syslog transmission.

  • If you change the time zone, the time stamps of logs recorded before the change are not rewritten.


4. Security Incident Reporting Functions
“Security Incident Report” functions provide the following:

Create Report
   Device logs are analyzed automatically, and a “Security Incident Report” is generated when a threat is detected.

Publish Report
   The “Security Incident Report” is delivered to the report recipient at the notification e-mail destination registered via the Enterprise Cloud 2.0 Portal.

Notify Report
   When a “Security Incident Report” is generated, a notification is shown in the Enterprise Cloud 2.0 Portal.


Security Incident Report
Following items are included in the “Security Incident Report”:

Device
   The Device name, if any

Reference
   Automatically assigned ID

Severity
   Severity of the recognized threat

Date and Time
   The date and time of first detection, and of last detection, of the reported threat

Description
   Description of the details of the recognized threat

Recommendation/Action
   Recommended measures and further action(s) against the threat

Signature, DNS
   Name of the signature and DNS information, etc., identified from the detection of the threat

Note

  • All “Security Incident Reports” are written in English.


5. Control Panel Functions
Following functions are provisioned in the Control Panel:
Please refer to the Enterprise Cloud 2.0 tutorial for details.

Order
   Customers can subscribe to the Security Menu.

Operation
   Customers can manage and / or set the created “Device”.


Orders
Following actions are available from the Order Panel:

Add Device
   Customers can create a new “Device” or add one.

Change
   Changes the Menu and / or Plan of a created “Device” and updates its settings.

Delete Device
   Deletes a created “Device”, removing it from operation.


Operations
Following actions are available from the Operations Panel:

Device KPI
   Shows resource status (such as CPU and memory) and traffic.

Network Management
   Sets the interfaces of the “Device” (which are then connected to the logical network).

Device Management
   Sets firewall functions, network-based functions (such as routing), and other functions.

Log Analysis
   Customers can specify search conditions and download the results as a CSV file.

Incident Reports
   Security Incident Reports are published here.

Customer Profile
   Customers can register the e-mail destinations for Security Incident Reports.

Information
   Any notable information is relayed here.

Note

  • In Log Analysis, the period over which logs can be searched and inspected is as follows:

    • Detailed logs of the Firewall Function obtained from the portal: 1 week (7 days).

    If Customers need log results for a longer period, they are advised to transmit the logs to a syslog server that they manage.


Menu

Plan

This Menu provides the following Plans:

Plan           vCPU (Number)  Memory (GB)  Disk (GB)  Interface (Maximum)  Configuration
2CPU-4GB       2              4            2          7                    Singular
8CPU-12GB      8              12           2          7                    Singular
2CPU-4GB(HA)   2              4            2          7                    HA
8CPU-12GB(HA)  8              12           2          7                    HA


Subscription Methods

Any Customer who has contracted Enterprise Cloud 2.0 can place an order to subscribe to this Menu.
Following are the Subscription Types:

Subscription Type  Details                                                  Subscription Method                                      Delivery Timing
Add Device         Create the Device                                        Customers subscribe via the Enterprise Cloud 2.0 Portal  Immediately
Change             Change the Device Plan; modify Menus to change settings  Same as the above                                        Immediately
Delete Device      Delete the Device                                        Same as the above                                        Immediately

Note

  • Only one (1) “Device” can be created per “order”. Therefore, if Customers wish to order multiple “Devices”, the order process must be carried out once for each “Device” they wish to subscribe to.

  • The Plan can be changed within the same Menu:

    • 2CPU-4GB → 8CPU-12GB
    • 8CPU-12GB → 2CPU-4GB

  • Plan changes that change the configuration, such as from a Single Configuration Plan to an HA Configuration Plan, are not possible:

    • 2CPU-4GB or 8CPU-12GB → 2CPU-4GB(HA) or 8CPU-12GB(HA)
    • 2CPU-4GB(HA) or 8CPU-12GB(HA) → 2CPU-4GB or 8CPU-12GB

  • When the Plan is changed, the “Device” must be rebooted.

  • This Menu can be changed from Managed Firewall to Managed UTM.

  • When Customers change their menu from Managed Firewall to Managed UTM, the change proceeds without a reboot.

  • When many subscription orders are being processed at the same time, creating a “Device”, changing Plans and so forth may take longer than usual.


Restrictions In Subscriptions

Following are the sales unit and the maximum and minimum number of units.

Sales Unit  Maximum   Minimum
1           No Limit  0

Conditions With Usage

Logical Network Connectivity
Following is the number of Logical Networks that Customers need in order to set up this Menu.

<Singular Configuration>
For singular deployment, two (2) or more logical networks are required.
Customers are required to configure separate logical networks for the receiving side and the transmitting side.
(In essence, Customers are advised that a so-called “one-arm” setup cannot be deployed.)
(Figure: Minimum Configuration)

<HA Configuration>
In the case of an HA configuration, four (4) or more logical networks are required.
Logical networks for customer communication, under the same conditions as the singular configuration, require two (2) or more. In the HA configuration, two additional logical networks are needed to connect the two devices to each other. (In essence, Customers are advised that a so-called “one-arm” setup cannot be deployed.)

Conditions of Usage in Combination with Other Services

This Menu does not specifically limit combined usage with any other services.

Minimum Use Period

This Menu does not require a minimum usage period.

Pricing

Initial Fee

This Menu has no initial fee, regardless of the Plan or subscription.

Monthly Fees

This Menu has a fixed monthly fee regardless of usage time.
If the Plan or Menu of the same device is changed in the middle of a month, the monthly fees of the Plans or Menus that were in use during that month are compared, and the highest rate applies as that month’s fee.

Qualities of Service

Support Coverage

This Menu and the functions provided by the Devices are all within the coverage of support.
However, Customers are advised that architectures built using this Menu (or the “Device”) are outside the coverage.

Operations

This Menu is provided at the standard quality that Enterprise Cloud 2.0 is regulated with.
Furthermore, the following operations are performed as part of this Menu’s managed service:

Applies security patches
   Applied depending on how much the patch affects operation (including version updates in maintenance work, etc.)

Life Cycle Management of the Products
   Updated versions are rolled out in operations

Monitoring / Maintenance
   This function’s operation is monitored, and support channels are provided to implement repairs

SLA

The SLA of this Menu follows the standard SLA of Enterprise Cloud 2.0 services.

Restrictions

Following are the Restrictions of this Menu:
  • The following IP addresses cannot be used for interfaces, routing, address objects, Destination NAT, Source NAT, etc. If these IP addresses are used, the Menu may not operate normally.

    • Link local address: 169.254.0.0/16
    • ISP shared address: 100.64.0.0/10
  • The Dynamic Routing Function is not provided in this Menu.

  • The Bandwidth Control Function is not provided in this Menu.

  • No API is provided. All operations take place in the Security Control Panel of the Enterprise Cloud 2.0 Portal.

  • When the infrastructure is deployed singularly (not in an HA configuration), Customers are advised that traffic interruptions will occur during software updates or maintenance, that is, planned work required for repairs. Such planned work will be scheduled and Customers (and end users) informed in advance, although the schedule is not negotiable.

  • Abnormal packets and / or packets that violate the protocol specifications of TCP / UDP / IP are treated as invalid by the system. Customers are strongly advised that packets of such irregular form or with unauthorized protocols will be discarded by the regular functions of Enterprise Cloud 2.0. Examples of the above are:

    • IP header is truncated in the middle;

    • Port number is zero (0);

    • TCP flag combination is abnormal;

    • Unauthorized encapsulation of unauthorized packet(s).

  • Integrity, consistency and / or compatibility of this Menu’s functions with the uses Customers expect to make of them are not guaranteed by Service Provider or by the program itself, which Service Provider’s sales associate in charge offered to Customers.

  • Service Provider needs to provide the following information to the developer(s) and / or front-end seller of the “Device” in order to determine whether a failure may occur due to incompatible settings or irregular operation which may cause trouble. However, repair of a failure is not guaranteed if the difficulty in operation or the failure occurs in operations that Service Provider did not intend. The following information is relayed to the system developer and front-end seller:

    • Setting details and data obtained at the time the Menu is provisioned.

    • Managed details within such information that relate to this provisioned Menu.