Company and Product Line Overview - PowerPoint PPT Presentation

Slides: 66
Provided by: dfl74
Transcript and Presenter's Notes

1
HIPAA and how it affects Information Technology
in a clinical environment
Keith Layne - Infuturo
2
HIPAA - Security Requirements
  • Protect health records from unauthorized use or
    disclosure.
  • Implement security solutions for data exchange.
  • Ensure compliance with HIPAA regulations for
    network devices.

5
Recent Surveys & Studies
  • 75 percent of responding companies said they have
    been victimized by computer-related crime.
  • 59 percent of these companies placed a dollar
    figure on their losses - which averaged more
    than $400,000.
  • Damage from electronic attacks will exceed $10
    billion in 2001
  • 61 percent of the companies said that they had
    experienced an internal attack.

6
Challenges for the CEO
7
Strategic risk: A Boardroom topic
LOSS OF CLIENT CONFIDENCE
INDIRECT COSTS
Security Breach!
OFFICER LIABILITY
REGULATORY ACTION
8
Why you can't ever be 100% secure
9
Managing clinical security risks
Residual Risk after Countermeasures Applied
Baseline Risk
10
Challenges for clinical managers
  • To what degree is the security policy of the
    network putting my business operations at risk?
  • Which of my operations are at high risk for
    attack and which are at a lower risk?
  • What are the potential costs associated with a
    network attack or failure?
  • What is the likelihood that such an attack or
    failure will actually occur?
  • How much should I spend to lower risk levels?
  • Which group of safeguards or countermeasures are
    most cost-effective?

11
Challenges for network managers
  • What is the right trade off between security and
    network performance?
  • What is the right trade off between security and
    cost?
  • For each network segment, what are the right
    security practices?
  • How do I embed these practices into day-to-day
    operations?
  • And how do I manage this in a dynamic environment
    -- what if I need to change the posture?

12
Risk management is the goal
Where's the sweet spot?
13
The foundation for risk management
THE SECURITY LIFECYCLE
14
Security - Threats
  • Types of threats
  • Competitors
  • Foreign governments
  • Hackers
  • Current employees
  • Former employees
  • Threat agents
  • Anyone who seeks to seize, manipulate, or exploit
    assets
  • Motivation
  • Business and technical skills
  • Opportunity

15
Assessments - Threats
  • Categories of Threats
  • Denial of services
  • Buffer overflow
  • Trojan horses
  • Intruders and physical security
  • Intercepted transmission
  • Social engineering
  • Lack of user support
  • Findings
  • Assigns priorities to threats that your company
    faces
  • Identifies specific threat agents
  • Determines motives, goals and skill sets of
    threat agents

16
Assessments - Vulnerability
  • Findings
  • Weak passwords
  • Missing or weak security
  • Specific buffer overflows
  • Accessible UDP or TCP ports
  • Products
  • Firewalls
  • Virus Scanners
  • Intrusion Detection Systems
  • Vulnerability Scanners
  • Network Traffic Analyzers
  • Application Firewalls

17
Planning
  • Must consider the nature, value and location of
    assets
  • Develop security policies and practices that are
    current with changing business and technical
    scene
  • Post your security plan where all users can see
  • Technical security designs
  • Incident response plans

18
Monitoring
  • Must monitor against a defined security policy
  • Must monitor against the implementation plan
  • Must monitor changes to network configuration
  • Must monitor insider/outsider misuse

19
Where do you start
  • Disable all unnecessary network access and
    services
  • First step is to disable features you don't
    absolutely need
  • Scan your network for known security holes
  • Operating systems holes, open ports
  • Implement baseline best practices everywhere
  • Protects from intruders and establishes basis for
    duty of care
  • Formulate robust incident response plans
  • Back ups, redundancy, forensics, press relations
  • Fix the education deficit
  • Increase user awareness of security policies
  • Keep current with software updates and patches
  • Prepare for accreditation and audits
  • Industry best practices, government regulations,
    insurance companies

20
Vital tools to Securing a Network
Intrusion Detection System
Network Vulnerability Scanner
FIREWALL
Your Network
Network Traffic Analyzer
Virus Scanner
Application Firewall
21
Best of Breed Products
Never ending technology products and services
22
Using NetScreen Firewalls, VPN & IDP To Meet
HIPAA Requirements
  • Nashville, TN
  • September 25, 2002
  • Paul L. Thomas
  • pthomas_at_netscreen.com
  • 404-812-0404

23
Key Corporate Facts
Millions
  • Strong revenue
  • More than $200 million in available cash
  • Cash-flow positive
  • Market cap > $1B
  • NASDAQ: NSCN
  • > 400 employees
  • Many key awards and certifications

As of April 2002
24
About NetScreen
  • Leading supplier of network security solutions
    for large scale and high capacity enterprise and
    carrier networks
  • Integrated firewall, VPN and traffic management
  • Leading market share
  • #1, #2 or #3 in key VPN and firewall categories

Based on data from Dataquest/Gartner Group,
Infonetics Research, International Data Corp.
25
HIPAA: A Three Part Set of Rules
  • Regulates E-commerce and mandates certain
    technologies such as Electronic Data Interchange
  • Privacy portion of the rule... which has critics
    saying that it's too costly
  • A third portion is about security... and the last
    is still being defined

26
Management Responsibility
  • CEO gets shot first.
  • Organizations and their Business partners take as
    much care of the information as they would
  • ALL medical partners need to be secure

27
IT Responsibility
  • The requirements are vague
  • HIPAA does provide some check lists.
  • Must be scalable from the largest to the
    smallest
  • HIPAA is technology neutral

28
Using the Net
  • Protect the network from Internet Based Attacks
  • Encrypt the data within
  • Protect against Data Theft from the inside
  • 65-75% of data thefts will occur from within the
    organization

29
HIPAA SECURITY BASICS
  • Firewalls
  • VPN
  • Authentication
  • Intrusion Detection
  • NetScreen supplies all of these pieces of the
    puzzle

30
Who We Are
  • Developer of next generation Internet security
    appliances and systems, delivering
  • Performance: driving security into silicon (just
    like layer 3 switches did to routing)
  • Integration: firewall, VPN and traffic shaping,
    IDP
  • Ease of use: installs easily
  • Value: industry leading price/performance
  • Availability: HA redundancy cluster, no moving
    parts
  • Most complete product line: data center to
    telecommuter
  • Optimized for Internet data centers, Service
    Providers, and Enterprises from SME to SOHO

31
Encryption Performance
  • ASIC accelerates key functions 5 to 10 times
  • Firewall rule parsing
  • VPN encryption
  • NAT
  • DoS protection
  • Authentication
  • Typical General Purpose Computer
  • Single access RAM
  • Limited by bus speed contention
  • Encryption interferes with other Firewall
    functions
  • NetScreen Purpose-built ASIC
  • ASIC + CPU + I/O on same board
  • Using dual ported RAM, data accessed concurrently
    by I/O & ASIC
  • Data blasts through at CPU speed

32
Broad Market and Solution Coverage
Enterprise Telecommuter
Carrier Cloud
Central Site
Medium Site
Small Office
NetScreen-500
NetScreen-5XT
NetScreen-50
NetScreen-1000
NetScreen-5XP
NetScreen-25
NetScreen-200 Series
NetScreen-Remote
NetScreen-5000 Series
NetScreen-Global PRO
NetScreen-Global PRO Express
33
NetScreen's Security Product Line
34
Universal Security Gateway Architecture
  • Security zones introduced as customizable objects
  • Create multiple security domains for policy
    enforcement
  • Can have multiple interfaces in a security zone
  • Interfaces supported generically
  • All physical interfaces can independently have
    firewall and DoS protections activated using the
    Network Attack Blocking Engine
  • Each interface (physical and logical using 802.1q
    VLANs) can be assigned to separate security zone
  • IPSec VPN tunnels to/from any interface
  • Use any interface for VPN tunnels
  • Enables encryption and firewall policy access to
    be used on wireless LANs
  • Virtual Systems with enhanced functionality
  • Physical, in addition to logical, interfaces can
    be used in VSYS
  • Architectural base to support future
    functionality

35
Central Site Enterprise Deployments
  • Integrated VPN, FW and Traffic Mgmt
  • VPN
  • No Special Licenses or Additional Hardware
  • >100 Remote Sites or RA Users
  • 1000 tunnels, 200M 3DES
  • Firewall
  • Stateful Inspection FW, NAT, DHCP server & relay
  • Class Leading FW for Central Site
  • 100K sessions, 13K ramp rate
  • Traffic Management
  • Reduce BW for non-critical traffic
  • Better utilize expensive WAN BW
  • High Availability
  • Stateful fail over FW & VPN

Internet
Multiple interfaces needed in many central site
deployments
HA
Web Servers
Internal Network
Application Servers
36
Deploying ScreenOS against Enterprise
Vulnerabilities
Common External Threats
Internet
Compromised Server
Unauthorized Wireless User
Web Server
DMZ
App Server
VPN Clients
Wireless Zone
Threat
Unsuspecting Employee with Trojan
Finance Servers
Attack Blocking Policy Engines
Dishonest Employee
Attack Prevention
37
NetScreen-5XT Rear Panel
Console (CLI) Interface DB-9 RS232
Modem Interface DB-9 (High Speed) RS232 Speeds up
to 115KB
Untrust Interface 10/100 Base-T Auto-sensing and
Auto-correcting
Power Inlet 12 Volts 1 Amp
Trust Interface Four Switching 10/100
Base-T Auto-sensing and Auto-correcting
38
NetScreen-5XT Key ScreenOS Features
  • Dedicated Purpose Built OS
  • Enterprise Class Firewall and VPN Standard
  • NAT, Transparent & Route Modes
  • ICSA Certified Stateful Packet Inspection
    Firewall
  • ICSA VPN and VPNC Certified for IPSec
    interoperability
  • IPSec 3DES VPN Site to Site & Remote Access
  • 3DES, DES, and AES Encryption using digital
    certificates, IKE auto-key, or manual key
  • PKI, Policy Based NAT, Hub & Spoke, L2TP, Policy
    Management
  • IPSec NAT Traversal
  • IPSec tunnel over NAT, PAT, or NAPT devices
  • Redundant VPN gateways for redundancy of VPN
    connections
  • Robust Attack Prevention
  • DoS blocking with ASIC acceleration
  • SYN, ICMP Flood, and Port Scan attacks
  • Traffic Management
  • Maximizes and tailors bandwidth utilization
  • Easy setup for plug and play IP addressing in
    most networks

39
Dial Back-up Functionality
Remote Office
  • With external modem, can provide Dial Back-up
    should DSL modem or DSLAM fail
  • External modems supported
  • US Robotics 56K V.92/V.90 Model 5686
  • ZyXel ISDN Modem - Model OMNI.net.LCD
  • Network monitoring for detection of failure with
    automatic fail-over and fail-back
  • Key for mission-critical enterprise remote
    locations
  • Additional value-added service with managed
    firewall/DSL service

Analog/ISDN Modem
DSL Modem
Admin
DMZ
Web
E-mail
Central Site
Available in Q3 2002
40
NetScreen-5XP
  • Tailored for remote offices and telecommuters
  • DHCP client and server with PPPoE
  • 10 Mbps wire speed ASIC-based capacity
  • 10 VPN tunnels
  • QuickStart for easy deployment
  • Included on the NS-5xp are
  • IPSec, DES/3DES, MD5, SHA-1, IKE key management
  • Stateful inspection firewall (strongest DoS
    protection around!)
  • NAT (mapped IP, Virtual IP)
  • Traffic Shaping
  • URL filtering (with WebSense)
  • Works with any proxy based Anti-virus services
  • WebUI, CLI, Global Pro central mgmt

41
Improved Security for Mobile Workers
Smart cards
NetScreen-Global PRO
RADIUS/LDAP
Mobile workers/client-initiated VPNs
  • User-based (rather than machine-based) policy
    management to reduce administration and improve
    security
  • NetScreen-Global PRO
  • Centrally control VPN groups rather than on a
    per-user basis
  • Custom extensions for RADIUS, other directories
  • Smart card support for NetScreen-Remote clients

42
Manage Personal VPN Policies via
NetScreen-Global PRO
  • Remote user launches NetScreen-Remote VPN Client
    to connect
  • Secure authentication to NetScreen-Global PRO or
    NetScreen-Global PRO Express
  • External authentication servers may be queried
  • (e.g. NT Domain via RADIUS)
  • User authenticated
  • User's VPN policy securely downloaded to
    NetScreen-Remote VPN Client user
  • VPN tunnels established to NetScreen devices

Users authenticate to NetScreen-Global PRO
Internet
NetScreen-Remote VPN Client
VPN
VPN tunnels established
DMZ
Private LAN
SSL
Web & Email
User's policy retrieved
RADIUS Server NT Domain
NetScreen-Global PRO
External authentication server queried
43
Easy to Use VPN Login
  • User launches NetScreen-Remote VPN Client to
    login and establish VPN
  • User is securely authenticated to Global PRO or
    external database prior to VPN policy download
  • Profiles defined by admin and users allowed to
    select which Global PRO device or policy domain
    to connect to
  • Status window shows current user and connection
    statistics

44
NetScreen-Remote Security Client 8.0
  • NetScreen-Remote Security Client includes VPN
    client with integrated personal firewall software
    providing mobile users additional security
  • Firewall security features
  • Stateful inspection firewall monitors state of
    TCP/IP traffic to prevent hijacked or unwanted
    sessions
  • Application control functionality blocks network
    access to applications until they've been allowed
    by user or administrator
  • ICSA certified PC firewall
  • Host-based security features
  • NetBIOS protection allows users to share drives
    or printers without exposing PC to outside
    attacks
  • Posture assessment ensures host has not been
    compromised prior to establishing VPN sessions
  • Extensive attack, session and packet logging with
    AutoBlock capability
  • Platform support
  • Windows 95B, Windows 98, Windows NT 4.0 SP3,
    Windows ME, Windows 2000 Professional, Windows XP
    Professional & Home Edition

45
New Personal Firewall Client Software
  • New NetScreen-Remote Security Client offers VPN,
    firewall and other key security features to
    better protect mobile workers
  • Using Sygate Technologies' leading
    enterprise-class Personal Firewall SE 5.0
  • Will be manageable via NetScreen-Global PRO in a
    future release

46
Application Control for Personal Firewall
  • Restrict network access to trusted applications
  • Admin or user may define trusted applications
  • User is prompted if a new application attempts to
    gain network access, user may approve or deny
  • Network access is blocked for untrusted
    applications, preventing unwanted outbound
    connections
  • Prevents Trojans or rogue applications from
    accessing VPN network or Internet from mobile
    user's PC

47
Exploding number of VPN tunnels
B2B Partner
NetScreen-100 Central office
Multiple links per remote site
Multiple links for B2B Partner
NetScreen-10 Branch office
NetScreen-5 Small office
48
Hub & Spoke VPN
B2B Partner
HA NetScreen-100 Central office
Single tunnel to all destinations
10-user NetScreen device is enough
Single link to B2B Partner
Wire speed VPN transfer (full duplex)
NetScreen-5 Small Office
NetScreen-5 Small office
49
Traffic Shaping
  • Quality of Service when needed
  • Prioritize key applications: e-business vs File
    Transfers
  • Prioritize key users: customers vs employees
  • Powerful capabilities
  • Guaranteed bandwidth and maximum bandwidth
  • 8 prioritization levels
  • Defined by application/service, port, IP address,
    time of day

50
Interoperability
  • Fully IKE and IPSec compliant
  • Interfaces with all other ICSA certified VPN
    systems.
  • Ex: Tunnels with HQ Check Point or Pix firewall.
  • NetScreen security rule creation process is
    similar to Check Point
  • Easy to duplicate policies in NetScreen devices
    and keep in synch

51
NetScreen Virtual Systems
  • NetScreen-1000 and NetScreen-500 include
    NetScreen's unique Virtual Systems technology
  • Create up to 100 individual security domains on
    the NetScreen-1000 and 25 on the NetScreen-500,
    each with its own policies
  • Integrated firewall and VPN features
  • Reduce capital cost, ease management and
    administration, simplify network architecture
  • NetScreen Virtual Systems
  • Physical ports mapped into VLAN groups within the
    switch
  • VLAN traffic passed over 802.1Q tagged trunk
  • VLANs mapped to Virtual Systems within the
    NetScreen system

Traffic Mapped to VLANs via Virtual Systems
IEEE 802.1Q VLAN Trunk
Physical ports mapped to VLANs within switch
Standard Ethernet connections
52
Multi-Department Security
Internet
  • Traditional Solution
  • Multiple Firewalls required to provide internal
    security

Corp HQ
  • NetScreen-500 Solution
  • Virtual Systems employed to provide departmental
    security
  • Can also be used for additional DMZs, security
    domains and for extranets
  • Trust limited to Need to know employees

DMZs
Finance Dept
Engineering Dept
M&A Group
53
Network Security Redundancy
Good / Better / Best
System Redundancy Active / Passive
System Redundancy Active / Active
System Redundancy Active / Active / Full Mesh
54
NetScreen-Global PRO Meets the Needs
  • Focus on significant events
  • Identify source of attacks
  • Track overall performance
  • Rapidly deploy new users/sites
  • Define once, use often
  • Distribute management workload

Deploy
Monitor
  • Discover/analyze attack patterns
  • Track SLAs
  • Effectively bill customers for usage
  • Respond to attacks
  • Enforce adds/moves/changes
  • Maintain device firmware

Report
Maintain
55
Policy Manager: Point & Click VPN
  • Simply select locations to include in the VPN
  • Establish VPNs with easy point & click
    functionality

56
Point & Click Policies
Branch Offices
Regional Offices
  • Ability to add additional devices to network
    quickly & easily
  • All required VPN and firewall rules are created
    automatically
  • Allows for rapid response to attacks
  • Create full mesh, hub & spoke, and site-to-site
    VPNs

Remote Offices
Remote Users
All boxes in VPN are updated with the new configs
Internet
New device added to policy group
Web & Email Servers
DMZ
Firewall & VPN policies are automatically applied
to the new device
NetScreen-Global PRO
57
New Historical Report Server
  • New report server and console with over 200
    report templates and reports under 6 major
    categories
  • Administration
  • Alarms 
  • Logs
  • Network traffic
  • Resources 
  • Service Level Agreements
  • New Report Server Features
  • User defined sampling durations (daily, weekly,
    monthly, etc...)
  • Customized report titles and logo
  • Customizable tables
  • Reports saved as CSV and/or PDF
  • Single click report generation

58
New Real-time Monitor Reports and Features
  • New real-time statistics
  • NSRP/High availability monitoring
  • Resource statistics
  • Enhancements and extensions to existing reports
  • New real-time monitor features
  • Device troubleshooting
  • Auto save of filter window configuration
  • User definable severity levels for events.
  • Trending for utilization, errors and policy
  • Additional alarm types through Telalert
    integration (Pager, SNMP, TT System)

59
Priority One: Protect Everything
60
Increasing Number of Security Incidents
Security Incidents Reported
Vulnerabilities Reported
Source: CERT Coordination Center 2001
61
How do I stop all of these Attacks?
62
Security in Layers
  • Firewalls are the 1st layer of defense
  • Control access in and out of network
  • Designed for access control, authentication, and
    VPN functions
  • Distinction between good and bad traffic is
    predefined
  • E.g. Allow all HTTP traffic to Web server
  • IDS tries to be 2nd layer of defense
  • Monitor content of all network traffic to detect
    attacks
  • Distinction between good and bad traffic based on
    actual network traffic
  • E.g. Look for HTTP based attacks

External Traffic Allowed By Firewall
Internal Traffic
63
IDS Challenges and Opportunities
  • Opportunities
  • Complement FW - 2nd layer of defense to prevent
    attacks
  • Increase accuracy - detect more attacks, reduce
    false alarms
  • Simplify management - rule-based, centralized
    control
  • Challenges (with 2nd layer defense)
  • IDS is passive - attacks impact network
  • IDS has poor accuracy - doesn't detect all attacks,
    lots of false alarms
  • IDS has poor control - difficult to control/manage

64
Solution: NetScreen-IDP 100
  • Detects and Prevents intrusions
  • Passive and active modes (in-line) to prevent
    attacks before it is too late
  • Multiple response mechanisms
  • Allow the user to decide how to respond to
    individual attacks
  • Simplifies management, enterprise-wide
  • Rule-based for granular control
  • Centralized management of all operations,
    including signature updates
  • Integrated incident and policy management
  • A unified security appliance that
  • Improves intrusion detection accuracy to reduce
    false alarms and detect more attacks
  • Multi-Method Detection
  • In-line mode prevents attackers from bypassing
    the system

65
Summary
  • Next generation security solutions that are
    highly scalable
  • Integrated functionality
  • Highest performance ASIC Based
  • Complete line from the data center to the edge,
    use for all applications manageability
  • NetScreen leads the market with the first
    Internet data center security system, now
    expanded to Enterprise
  • Enabling enterprise clients, service providers,
    e-businesses and web and application hosting to
    provide the best SECURITY solutions available
    today.