Secure Managed Firewall

Transcription

1 Secure Managed Firewall Product Specification Spark New Zealand Trading Limited 2018 Spark owns copyright and all other intellectual property rights in this document. You may not copy or redistribute any portion of this document without Spark s permission.

2 Product overview Secure Managed Firewall service (the Service ) provides access control, inspection and filtering services between the customer and the internet, branch networks, partner networks and hosted applications. The Service is a managed service. Based on industry-leading security technologies, it protects the customer s organisation from the threat landscape. The Service is available in two modes. It can be a virtual firewall delivered from a Spark Service Node or a physical device at the customer s premises. Spark can also provide the Service as a management-only option, operating on customer-supplied firewall equipment. The Service includes service management and 24x7 firewall infrastructure management, with qualified security professionals performing scheduled checks and maintenance activities. Spark provides an online portal that gives customers visibility of their service. The diagram below provides an overview of the key Secure Managed Firewall features: This product is designed to work with other Spark products to deliver end-toend protection. These products include Secure Internet connectivity, Secure Application Publishing, WAN connectivity and Revera IaaS services. Commercial in Confidence Secure Managed Firewall product specification page 2 of 10

3 Functional Specification Secure Managed Firewall is available in three deployment models (Virtual Service, Onsite Physical service, Managed Customer Firewall), and three service variants (Standard, Plus, Premium). These options are outlined in the tables below. Deployment models Deployment Model Virtual Service Onsite Physical Service Managed Customer Firewall Attribute Equipment location Spark security nodes Customer premises Customer premises Technology selection Spark-defined Spark-defined Customerdefined (from Spark Approved Technology List) Equipment supply Included Included Customerprovided Capacity Predefined Small Predefined Small Equipmentdependent Medium Large Medium Large High Availability Capability Optional Uplifts Included Optional Equipmentdependent Equipment & licensing, procurement maintenance procurement Service Variants Firewall Service Variant Features Standard Plus Premium Layer 3 and 4 Firewall protection Site to site VPN support Protocol inspection Next Generation Firewall Application visibility Intrusion Detection Service (IDS) Commercial in Confidence Secure Managed Firewall product specification page 3 of 10

4 Intrusion Prevention Service (IPS) Identity integration Web filtering Advanced threat defence Physical high availability (Onsite deployments only) The sections below define each of these components: Layer 3 and 4 Firewall protection Layer 3 and 4 Firewalls allow filtering of traffic based on source/destination IP, port and protocol. They also provide the ability to track active network connections and sessions. It is then possible to allow or deny traffic based on the state of those sessions. Site to Site VPN A site-to-site VPN allows sites in multiple fixed locations to establish secure connections with each other. Protocol Inspection Protocol Inspection provides the capability to check traffic traversing the firewall for conformance with standard published protocols. This is required for services that embed IP addressing information in the user data packet. Services that open secondary channels on dynamically assigned ports also require it. Next Generation Firewall Next Generation Firewall provides IPS/IDS and application visibility (see below) over and above Layer 3 and 4 Firewall protection. Application Visibility Application-level visibility allows the setting of policies based on specific application profiles. Intrusion Detection Service An intrusion detection service (IDS) policy is a means for identifying malicious activity or policy violations. The firewall matches traffic against a signature database. This service alerts only and does not prevent malicious traffic that it detects. Signature update downloads are automatic. IDS events are viewable via a portal or via a monthly report. To effect policy changes, service requests are required. Intrusion Prevention Service An Intrusion Prevention service (IPS) policy is a means of identifying malicious activity or policy violations. The firewall matches traffic against a signature database. This service sits in-line with a traffic flow and will drop malicious traffic for those signatures set to prevent mode. Signature update downloads are automatic. IPS events are viewable via a portal or via a monthly report. To effect policy changes, service requests are required. Commercial in Confidence Secure Managed Firewall product specification page 4 of 10

5 Identity Integration Identity Integration enables the firewall to integrate with a corporate directory service (Active Directory, LDAP). Thus, it identifies the user on a given connection rather than identifying an IP address. This approach gives organisations easier, more precise visibility over who can access the network and what they can access. URL Filtering Web Filtering provides the ability to restrict access to Web content according to specific categories. The firewall vendor dynamically updates categorisation, with some scope for the customer to request specific categorisation. Advanced Threat Defence Advanced threat defence provides global threat intelligence and sandboxing capabilities to discover malware. This works over supported network protocols and for supported file types. Physical High Availability A High Availability configuration allows for two physical firewalls to operate in failover mode. This preserves connectivity if a single hardware device fails. High Availability is a service uplift available for the Onsite Physical deployment model, and the Standard and Plus service variants. Sparks Virtual Service deployment model provides virtual infrastructure level redundancy by default. The Premium service variant includes High Availability by default. Commercial in Confidence Secure Managed Firewall product specification page 5 of 10

6 Service On- Demand Features The following on-demand features are non-recurring features that customers can request for the appropriate firewall subscription plan via Service Requests. The Service Request Category shown reflects the typical categorisation of the request. Spark will advise you prior to commencement if your request falls outside the expected categorisation. Features Log File Integration initial setup Log File Integration subsequent change Firewall audit Configure user VPN initial setup Configure user VPN subsequent change Policy development Policy migration Identity Aware Firewalling initial setup Configure user VPN subsequent change Customer-initiated platform upgrades Firewall policy changes Emergency change Site to site VPN Usual Service Request Category Simple Standard Simple Simple Simple/Standard Incident Non-Standard Log File Integration Makes log files available for forwarding to a customer syslog server. This may be a requirement for compliance and data retention. Firewall Rule Audit Provides a full review and audit of current policy. Spark recommends that every customer review their policies periodically to ensure that they are achieving the required level of security. Configure User VPN Allows users to connect with clients across different platforms to the customer s network and to access the customer s network securely Policy Development Ensures that organisations have a comprehensive security policy to manage their risks. This includes the development of specific product policy changes. These changes may be for a new build firewall or where the policy is significantly out of date or insufficient. Commercial in Confidence Secure Managed Firewall product specification page 6 of 10

7 Policy Migration Manages the migration of customer policies between different technology solutions. Develops processes to migrate policies from one Firewall platform to another, or physical to virtual. Identity Aware Firewalling Integrates existing directories to improve visibility of user activity. This is available for individual user access verification. It allows customers to apply security policies that align to users and groups rather than to IP addresses. This provides more precise control over who can access applications and what they can access. Customer Initiated Platform Upgrades Includes minor and critical upgrades. A customer can request a major system upgrade in addition to Spark s schedule. Firewall Policy Change Amends the operative security policy or firewall rules as required by the customer. This includes changes to application visibility, control configuration, IDS, IPS, advanced threat defence rules or policies and malware detection policies. Emergency Change Allows immediate blocking of all traffic originating from a particular host, as part of incident resolution. Site to Site VPN Adds, removes or modifies the site-to-site VPN between two sites. Commercial in Confidence Secure Managed Firewall product specification page 7 of 10

8 Service Limitations & Dependencies Physical Firewall Upgrades Upgrading between the different service plans on physical firewalls may require hardware replacement. In addition, upgrades may require planned service outages. The service availability calculation will not include these outages. Onsite Firewall Connectivity Management This Service does not include management connectivity to onsite firewalls under the Onsite Physical and Managed Customer Firewall service models. It is the customer s responsibility to provide suitable management connectivity from the onsite location back to Spark for service management. Physical Firewall Interfaces and Other Customisations If requested during presales, Spark will advise how many physical interfaces firewalls under the Onsite Physical Service model can have. Spark may from time to time update the technologies selected to deliver the defined services. A customer requiring additional interfaces will need to purchase a custom firewall under the Managed Customer Firewall service model. Only the previously identified features and uplift options are available for the Virtual Service and the Onsite Physical Service models. The Managed Customer Firewall service model allows customisation of currently available hardware from vendors on the Supported Technology List. An example of customisation is adding power supply redundancy. Web Filtering Web filtering at user and group levels requires integration into customer Active Directory (AD) and the definition of user groups. Supported Technology List In addition to this Product Definition, Spark maintains an updated Supported Technology List for the Managed Customer Firewall service models. This provides customers with a choice of key firewall technologies, in line with their share of the firewall market. The Supported Technology List details which firewall technologies can come under the Managed Customer Firewall service model. It also documents any differences in feature support, limitations and customer responsibilities relating to the chosen technology. Note: Under the outcome-based service models (Virtual Service and Onsite Physical Firewall service models), Spark will select technology that meets the defined service features and service levels. Identity Aware Firewalling Identity Aware Firewalling is available through LDAP and Microsoft Active Directory user directories integration. The Supported Technology List defines specific limitations and dependencies. A directory proxy may require enablement of integration between the customer directory and the firewall. This service does not provide server infrastructure (virtual or physical), monitoring or management on the customer s site for this directory proxy. Spark will support only the directory proxy software. Syslog Forwarding Where customers choose to retain a copy for analysis or archive, Spark will provide syslog forwarding of customers firewall logs. This service excludes Commercial in Confidence Secure Managed Firewall product specification page 8 of 10

9 customers log storage or suitable network connectivity to customers log storage. Customer Change Management Secure Managed Firewall pricing (including installation and service requests) excludes customer change management review and approval. If required, this work will come under Non-Standard Service Requests. Onsite Field Support The Service includes onsite field support for hardware failures and replacement of vendor equipment. It does not include field support costs for customerinitiated changes requiring field support (e.g. Data Centre changes). Customer Responsibilities Onsite Firewall Hosting The customer is responsible for the physical hosting, cabling and LAN infrastructure. The customer is also responsible for insuring the equipment on their premises or within a third-party provider s facility. Onsite Access The customer is responsible for approving and providing onsite access, if required by Spark, to manage and support onsite firewalls. Management Connectivity to Onsite Firewalls The customer is responsible for providing suitable management connectivity from their onsite premises back to Spark for service management. Management of Customer Firewalls When Spark is to take over management of customer-owned firewalls, the customer retains certain responsibilities. These include ensuring that firewalls are correctly licensed, in good working order and have current and suitable vendor maintenance agreements. This customer must also agree to continue relevant vendor maintenance. Support, Monitoring and Management Spark will support, monitor and manage the Service on a 24x7 basis. The service includes 14 days of centralised log retention in our Service Nodes for Spark troubleshooting and support purposes. Spark will provide notification of events and incidents via ITSM to the customer via the Service Desk and/or . Commercial in Confidence Secure Managed Firewall product specification page 9 of 10

10 Service Levels, Service Hours, Support Hours, and Service Targets Service Availability Service Level The following availability levels in service hours, as defined below, apply to each instance of the Service: Type of service Availability Virtual service 99.5% Onsite physical service and managed customer firewall 99% Onsite physical service high availability uplift 99.5% Service hours exclude: The planned maintenance window and any planned outages For the onsite physical service and managed customer firewall, the time required by a vendor to replace a faulty device. This exclusion applies where Spark has identified a hardware fault and referred it to the device vendor. Spark deems the Service to be unavailable when the access provided by the Service is not available to all users. Note: 99.5% availability equates to a maximum permitted downtime of 18 hours annually. For the Service Level Calculation and Standard Service Hours/Support Hours/Service Targets please refer to the Managed Security Services Levels Targets Specification. Commercial in Confidence Secure Managed Firewall product specification page 10 of 10