Security

Our partners: Fortinet, PaloAlto

When it comes to firewalls, we at Sidation not only think of stateful inspection, but also of next-generation firewalls with application control, web filters, intrusion detection & prevention, anti-virus, user & device identity and so on.

Modern firewalls allow services to be consolidated. Products that were once separate, such as web proxies, VPN concentrators and IPS systems, are now managed and monitored centrally. Depending on the size of the company and the desired architecture, this can be combined in a cluster or distributed over several devices. In any case, there is a cost saving, because you do not have to be familiar with numerous different systems, the number of support channels is reduced and you gain more in-depth know-how by only needing to focus on one product.

Thanks to integrated, powerful hardware acceleration, we have a suitable solution for every company size.

Our Partner: Fortinet

Due to today’s conditions, employees are very mobile and working from home has become standard. The demand for speed, connectivity and availability remains. Since often sensitive documents are processed, security must also be guaranteed. A VPN infrastructure can meet all of these requirements. As an authenticated part of the company network, users can move around the intranet via the Internet as if they were in the office.

The two most common ways to set up a VPN network are SSL-VPN and IPsec . While SSL-VPN is mostly used to connect individual users to the company network for a limited time, IPsec tunnels are used to permanently connect two networks. This makes it possible to share internal resources in the head office with the subsidiaries. Different locations can work together as if they were connected in a single network.

Our Partners: Fortinet, OneSpan

A key factor in the success of the Internet and other networks is that people and devices around the world can participate in it in real time. Identity and access management products provide the services necessary to securely confirm the identity of users and devices when they enter the network.

Two-factor authentication is therefore widespread today. Together with our partners, we use various methods and, among other things, use centralised authentication services (including single sign-on services, certificate management and guest management) in combination with soft and hard tokens or a SMS service .

For user-friendly use of two-factor authentication, Single sign-on can be implemented in parallel. The user only logs on to a central instance once and is automatically given the rights that correspond to his approval on all connected systems. The flexibility in the integration of the solutions we offer is so great that not only existing infrastructures can be equipped with them, but also individual areas or very specific systems if required.

Our partners: Fortinet, Infoblox, PaloAlto, Cumulus Networks

The high degree of networking has resulted in systems whose failure can bring entire branches of the company, or even the whole operation to a standstill. The priorities have therefore shifted from resilience to high availability. For this reason, additional systems running in parallel are installed, which can take over the functionality in a fraction of a second if the primary device fails.

There are few spatial limits to such a cluster: Firewall clusters can be distributed over several data centers, so that availability is guaranteed even in the event of major problems such as power failures. The cluster can even span countries or continents and as the number of devices in the network increases, a system can be armed against even the most severe failures. Anyone who has already experienced major failures knows the resulting damage and supports the investment in redundant systems.

Our partners: Fortinet, MenloSecurity

There are still many dangers when surfing the Internet. Unfortunately, Web 2.0 and HTML 5 have not changed that. On the contrary, browsers are becoming more and more powerful and now offer many functions.

This is where the Unified Threat Management (UTM) of next-generation firewalls comes into play. In addition to undesirable content, the URL filter can also be used to block many malware and phishing sites. The anti-malware protection helps with known malware threats, while pattern-based attack detection can combat the weak points in the browser. The Application Control Profiles help to filter the content of a provider in the widely networked Web 2.0.

Of course the most elegant solution would be if the user never came into contact with the Internet. And as absurd as the thought is nowadays, this is exactly possible with modern proxy products . Instead of the user accessing the website directly, these solutions only show the rendered image of the website. Nothing changes for the user, but a compromise via an infected website is made impossible. Don’t you believe us? Ask for a PoC, we will be happy to convince you.

Our partners: Fortinet, SEPPMail

In addition to the well-known anti-malware and anti-spam functions, secure e-mail solutions also offer the possibility of encrypted and signed communication with the whole world in a simple manner, without each user needing their own S/MIME certificate.

Checking for viruses and malware as well as the suppression of spam mails are still very much required. We offer you high-performance solutions that can process up to 2 million e-mails per hour on one appliance.

With SPF, DKIM and DMARC entries you can take effective action against forged senders. However, these additional security measures often fail due to implementation. Due to Sidarion’s expertise in the area of DNS, we can also support you in creating and editing these entries.

You can obtain all of our solutions as hardware appliances, virtual appliances or as a managed security service.

Our partners: Tufin, Redhat

Managing large firewall environments with over 100 firewalls is a challenge. With a suitable management system, however, this works well today and boundaries are managed. Independent of the manufacturer, you can manage entire firewall landscapes, generate reports, check compliance and consistently roll out changes to multiple systems at the same time.

An automated workflow is essential for managing the complete ruleset. The user should be able to submit their applications in a self-service portal. The automation can then make risk-based decisions and, if necessary, implement them automatically (zero-touch). Thanks to the high flexibility, the workflow that the customer wants can be implemented.

Sidarion projects: insurance, automobile manufacturer

Our partner: Tufin

The rules on the firewalls are adjusted every day, new access lists are recorded on routers or temporary exceptions are configured for a test. Because new projects are coming in every day, there is often not enough time to clean up old and expired configurations.

Automation of the ruleset enables optimisation and auditing in real time. In this way, even complex rulesets can be managed and documented on a project basis.

With an integrated change management process, other teams also have insight into which communication relationships their systems have and how these are configured on the firewalls. The whole change process becomes transparent and many tasks only take minutes instead of hours or days. This makes it very easy to introduce new systems and dismantle old ones.

Our partners: Fortinet, Macmon

One reason the internet has risen so rapidly is that it is accessible to everyone. This cornerstone of the network permeates every protocol and architecture. As enormous as this benefit is, it represents a challenge to be solved for internal networks. How do we prevent users from connecting their devices to open network ports in an uncontrolled manner? How can we grant visitors access to projectors and televisions, but keep them away from internal company resources? And what do we do with employees’ personal devices?

The answer is 802.1x. With RADIUS-based logon mechanisms, the network can recognise company-internal devices and move them to the correct segment. Whether wired or wireless, Sidarion supports you in the selection and integration of this basic protection for your infrastructure.

Is your infrastructure not 802.1x compatible or is the project over budget? Based on the information from a CMDB or IPAM, you can achieve quick results with minimal risk. Our consultants will help you to find the right architecture for your environment.

Our partners: Nutanix, Rubrik

Sidarion offers a comprehensive range of solutions to protect your data and ensure the availability of your cloud applications. We offer suitable solutions for all cloud offerings from SaaS to PaaS to IaaS installations.
Our experienced IT architects support you on your way to the cloud; in planning the migration, securing the services and in the central administration of a hybrid enterprise cloud infrastructure.

To do this, we use technologies such as:

• Cloud Firewalls
• Cloud Access Security Broker (CASB)
• Cloud Loadbalancer
• Cloud IPS Systems
• VPN connections from your network to your cloud provider
• Cloud appliances for secure email and web-server installations

Our partners: Fortinet, LogRhythm

Who isn’t familiar with vague error descriptions from end users: “The network is slow”, “The VoIP phone is not working properly”.

In such cases, it is important that the network team can find the cause quickly and efficiently, if only to determine that it cannot be the network infrastructure. Modern monitoring solutions cover many aspects of a network such as round trip time, jitter, packet loss and dropped packets. Response times of applications such as DNS can also be included in monitoring. This allows you to keep an eye on the state of the network at all times and often you have the solution to a problem before the first call from a user.

Our monitoring solutions cover many aspects of a network, including:

• Link quality: round trip time, jitter, packet loss, discards

.

• Network utilisation

.

• Response times of network applications such as DNS

.

• Log distribution

As the speed of the network increases, so does the urgency of resolving issues.

Our goal is to optimise alerting so that only relevant events are reported. Thus, you save time and money.

Our partners: Illumio, Fortinet

Microsegmentation eliminates unnecessary network connections within your data centre and cloud. It is different from network segmentation, which has been around for years and was originally developed to improve efficiency and reduce broadcast domains.

Your segmentation strategy should apply the right type of segmentation to provide the security you need:

• Environment-specific segmentation: separates environments within the data centre and is the coarsest form of segmentation. It prevents intruders from entering multiple environments.
• Location-based segmentation: Cross-country or cross-data centre segmentation. Manage or control access of devices from different data centres (e.g., due to data sensitivity or regulatory requirements).
• Application-aware segmentation: separates individual applications, preventing cross-application communication, even within the same environment. Critical applications are thus given an additional layer of security.
• Tier segmentation: is even more granular than application-based segmentation. It divides the tiers within an application (e.g., web, application, and DB tiers).
• Process and service related segmentation: also called nanosegmentation and is the most granular form of segmentation. It ensures that only enabled connections are allowed. Highly critical processes and services can be protected in this way.
• User-based segmentation: prevents “credential hopping” – a common tactic in which an intruder attempts to use acquired access rights to gain access to critical applications.

We have extensive experience in implementing data centre firewall and IPS systems, and can help you make sense of segmentation based on security classes and protection needs.

Our partner: Fortinet

Many modern devices such as smartphones and tablets require a wireless connection. WLAN is also becoming increasingly important for mobile PCs, so almost all companies have a WLAN solution in place.

However, there are some important aspects to consider for a secure WLAN that are not supported by every product. We recommend that you take these points into account when using WLAN:

• Automatic management of BYOD (Bring Your Own Device) and guest access

.

• Distinguishing between managed and unmanaged (BYOD) devices

.

• Separate guest access (multi SSID)
• Integration into the company directory (e.g. AD)
• Device-based or user-based access rights

.

• Filtering of Internet access, especially for malware or abusive behavior

.

• Automatic WLAN roaming between different sites

.

• Adequate encryption

We are happy to support you in the design and implementation of your secure WLAN infrastructure and take care of the appropriate coverage of buildings or open spaces.

Our partner: Fortinet

Classic firewalls offer little protection for increasingly important web applications. Next-generation firewalls with IPS and AntiVirus can offer a certain basic protection for vulnerabilities in the server software. But this usually does not help against a vulnerability in the programming of the page logic, because the content is created individually per customer and installation.

With Web Application Firewalls (WAF) we can protect your servers and improve data integrity as well as server availability. We also use them to minimise the risk of your website being used to spread malware. A WAF takes care of many web security issues such as:

• Code injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Unwanted data leakage
• URL whitelisting and blacklisting

You can learn about the top 10 risks in web programming at OWASP Top Ten Project.