Internet Exit Security

Challenges for corporate internet exit 

A corporate Internet exit serves two purposes: external access to the corporate portal, and Internet access from the corporate internal network.

The corporate portal is used mainly to publish corporate information and to provide Internet-facing services, e.g. the Internet banking of the financial sector. The main security challenges at the portal exit are attacks on the web application layer, including malicious code, webpage tampering and denial of service. Traditional firewalls protect at the network and transport layers and cannot prevent attacks on the application layer, so application-layer security protection tools also need to be deployed.

Corporate Internet access services include staff Internet access, email sending and receiving, and mobile office. The main challenges are controlling the flows and contents of internal users' access to the Internet, preventing any disclosure of the Company's confidential information, and filtering junk mail and mail carrying malicious code.

Portal exit solution 

Zone-based security deployment 

A portal exit generally comprises three security zones: the Internet access zone, the portal service zone and the internal network access zone. The portal service zone is typically divided further into a web service zone, an application service zone and a database service zone.

In the Internet access zone, in addition to the firewall and IPS/IDS, traffic cleaning (scrubbing) equipment needs to be deployed to withstand Distributed Denial of Service (DDoS) attacks. Where the company connects to multiple operator networks, a link load balancer also needs to be deployed for portal domain name resolution and access path optimization.

In the portal service zone, a firewall securely isolates the web service zone, the application service zone and the database service zone from one another, so that each tier is reachable only from the tier in front of it. Application security and auditing equipment is deployed alongside it for application-layer protection. For enterprises with stringent requirements on server performance and availability, a server load balancer and SSL accelerator are also deployed to provide load balancing and SSL VPN services for the servers. Where access flows need to be monitored and controlled, traffic analysis equipment is deployed as well.

In the internal network access zone, a firewall is the primary means of secure isolation between the internal network and the portal service zone.
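The tiered isolation described above can be checked before a firewall rule set is deployed. The following is an added example, not code from the original page: it models the five zones (Internet access zone, the three portal sub-zones, and the internal network access zone), records which zone-to-zone flows the design permits, and audits a candidate rule set for allow rules that bypass a tier. The zone names, port numbers and the candidate rules are constructed for the example.

```python
"""Zone model checker for a portal exit (added example, not from the page)."""
from collections import deque
from dataclasses import dataclass

# The zones from the text, with the portal service zone split into its
# web, application and database sub-zones.
ZONES = ("internet", "web", "app", "db", "internal")

# Flows the zone design permits: (source, destination) -> destination ports.
# Port numbers are constructed for the example; a real design takes them from
# the application's own listeners.
ALLOWED_FLOWS = {
    ("internet", "web"): {80, 443},
    ("web", "app"): {8080},
    ("app", "db"): {3306},
    ("internal", "web"): {22, 443},
    ("internal", "app"): {22, 8080},
    ("internal", "db"): {22, 3306},
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"


def flow_permitted(src, dst, port):
    """True if the zone design allows src to open a connection to dst:port."""
    for zone in (src, dst):
        if zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r}")
    return port in ALLOWED_FLOWS.get((src, dst), set())


def hops_between(src, dst):
    """Minimum number of permitted flows chained to reach dst from src.

    Returns None when dst is not reachable at all. Under the design above the
    database is three hops from the Internet (internet -> web -> app -> db).
    """
    dist = {src: 0}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return dist[cur]
        for (a, b) in ALLOWED_FLOWS:
            if a == cur and b not in dist:
                dist[b] = dist[cur] + 1
                queue.append(b)
    return None


def audit_ruleset(rules):
    """Findings for allow rules that open flows the zone design forbids."""
    findings = []
    for r in rules:
        if r.action == "allow" and not flow_permitted(r.src, r.dst, r.port):
            findings.append(
                f"{r.src} -> {r.dst}:{r.port} is allowed but the zone design forbids it"
            )
    return findings


# Constructed candidate firewall rule set with one mistake in it.
CANDIDATE_RULES = [
    Rule("internet", "web", 443, "allow"),
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 3306, "allow"),
    Rule("internet", "db", 3306, "allow"),  # skips the web and app tiers
    Rule("internet", "internal", 445, "deny"),
]

if __name__ == "__main__":
    for finding in audit_ruleset(CANDIDATE_RULES):
        print("FINDING:", finding)
    print("hops from internet to db:", hops_between("internet", "db"))
    print("hops from internet to internal:", hops_between("internet", "internal"))
```

The hop count makes the design intent measurable: if any change to ALLOWED_FLOWS lets hops_between("internet", "db") drop below 3, or lets the internal zone become reachable from the Internet at all, the tiering the zone design relies on has been broken.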

Typical solution 

The subzones are isolated from one another either physically or logically. The following figures show the typical solution for complete physical isolation and for logical isolation:

Figure 1 Complete Physical Isolation

Figure 2 Logical Isolation

Corporate internal network access solution 

The corporate internal network access exit solution mainly covers three areas: 1. access control; 2. email protection; 3. secure access for mobile office.

The following figure shows the corporate internal network access solution.

Figure 3 Corporate Internal Network Access Solution
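The email protection area above, together with the requirement from the challenges section to filter junk mail and mail carrying malicious code, can be illustrated with a small inbound mail gateway policy. The following is an added example, not code from the original page. It builds a few constructed test messages with Python's standard email library, then applies three checks: whether the upstream SPF/DKIM/DMARC verification (assumed to be recorded in an Authentication-Results header) failed, whether an attachment has an executable extension, and whether an attachment's bytes contradict the file type its name claims. The sender addresses, extension list, file signatures and message contents are all constructed for the example.

```python
"""Inbound mail gateway checks for the corporate internet exit (added example)."""
import os
from email.message import EmailMessage

# Attachment extensions that carry executable code. Constructed list for the
# example; a real gateway takes this from its mail security policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".ps1", ".jar", ".msi", ".hta"}

# Leading bytes a file with the given extension is expected to start with.
FILE_MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}


def build_message(subject, body, attachments=(), auth_results=None):
    """Construct a test message. attachments: (filename, bytes, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = subject
    if auth_results:
        # Constructed header, as an upstream SPF/DKIM/DMARC verifier would add it.
        msg["Authentication-Results"] = auth_results
    msg.set_content(body)
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


def attachment_findings(part):
    """Policy findings for one attachment part; an empty list means it passed."""
    findings = []
    name = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]

    if ext in EXECUTABLE_EXTS:
        how = "double extension, " if inner_ext else ""
        findings.append(f"{name}: executable attachment ({how}type {ext})")
    # A PE header under a document extension is malicious code in disguise.
    if data.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        findings.append(f"{name}: content starts with MZ (PE executable) but claims {ext or 'no extension'}")
    # Declared document type whose bytes do not match its file signature.
    expected = FILE_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"{name}: content does not match the {ext} file signature")
    return findings


def check_message(msg):
    """All policy findings for a message: sender authentication plus attachments."""
    findings = []
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"sender authentication failed: {mech}")
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part))
    return findings


def gateway_decision(msg):
    """Quarantine anything with findings; deliver the rest."""
    return "quarantine" if check_message(msg) else "deliver"


# Constructed sample messages.
CLEAN = build_message("Weekly report", "See attached.",
                      [("report.txt", b"all figures on track", "text", "plain")],
                      auth_results="mx.example.com; spf=pass; dkim=pass")
DISGUISED = build_message("Invoice", "Please pay promptly.",
                          [("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 13,
                            "application", "octet-stream")])
MISMATCH = build_message("Statement", "Your statement.",
                         [("statement.pdf", b"MZ\x90\x00" + b"\x00" * 13,
                           "application", "pdf")])
SPOOFED = build_message("Password reset", "Click here.",
                        auth_results="mx.example.com; spf=fail smtp.mailfrom=example.net")

if __name__ == "__main__":
    for label, m in (("clean", CLEAN), ("disguised", DISGUISED),
                     ("mismatch", MISMATCH), ("spoofed", SPOOFED)):
        print(label, gateway_decision(m), check_message(m))
```

The extension check alone is easy to slip past by renaming a file, which is why the signature check is applied as well: a PDF that does not start with the PDF header, or any non-executable name whose content starts with a PE header, is quarantined regardless of what the name says.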

Conclusions

The Internet exit has gradually become a main channel for business services, bringing benefits and security risks together. A security incident at the Internet exit will normally cause considerable losses to a company. It is therefore necessary to deploy a well-established Internet security protection system there.