Title: Sunil Misra Chief Security Advisor
Slide 1: Enterprise Reference Architecture Overview
Sunil Misra, Chief Security Advisor
Slide 2: Reference Architecture Objectives

- Accelerate solution development and implementation projects by providing reference architectures as a project starting point.
- Provide a communications tool describing the business problem the infrastructure addresses, how the problem is solved, the scope and cost of the solution, and the tools and technologies used to build the solution.
- Reduce risk through common tools and a Point of View.
Slide 3: Reference Architecture Solutions

The Reference Architecture Solution is the mechanism that captures solution value and drives deployment.

Technology Points of View
- Field-tested solutions
- Draws upon managed services and outsourcing experiences
- Understanding of what works with what
- Pre-populated with industry-relevant infrastructure models
- Customized for clients
- Digital record of solution

Industry Expertise
- Visioning future state infrastructure models for industries
- ROI modeling
Slide 4: Reference Architecture Defined (Comprehensive)

- RA Introduction
  - What is a Reference Architecture?
  - Why use a Reference Architecture?
  - How to use the baseline Reference Architectures
- Application Infrastructure Services
  - Utility Services: Definitions, Service Models
  - Application Technology Services: Definitions, Service Models
  - Data Services: Definitions, Service Models
- Physical Infrastructure Services
  - Platforms Services: Definitions, Service Models
  - Network Services
- Security Infrastructure Services: Definitions, Service Models
- Operations Infrastructure Services: Definitions, Service Models
Slide 5: What is a Reference Architecture?

- Reference architectures represent a baseline set of recommended models that meet the needs of a high percentage of our client situations.
- A reference architecture does not specify implementation details, but instead provides a framework that can be customized and implemented at any organization or for most consultative or sales situations.
- The Reference Architecture is based on services combining technologies, not just the technologies alone.
Slide 6: How to use a Reference Architecture

- Reference Architectures align to all phases of the Unisys ITS Balanced Portfolio (Advisory, Transform, Manage).
- Infrastructure Architects will use the Reference Architecture to develop customer-specific Enterprise Infrastructure Architectures as well as solution-specific architectures.

Phases: Data Gathering / Analysis -> Architecture Definition -> Architecture Plan
- Identify Enterprise Architecture drivers
- Conduct interviews with key stakeholders
- Document current state enterprise architecture
- Analyze current state architecture
- Formulate and confirm the future state architecture vision
- Incorporate customer unique requirements
- Document architecture decisions
- Review and approve architecture
- Create a communication strategy, governance structure and rollout plan
Slide 7: Reference Architecture Landscape

The following services are modeled within the Unisys Reference Architecture. [Diagram of the service landscape; labels not recovered.]
Slide 8: Key Architecture Representation Concepts

Key concepts presented in each description include the following:
- Services: services define the capabilities and value the infrastructure must provide for its user groups, applications and data stores. Each represents, and is formed through, a unique view of technology standards, components and vendors.
- Service Delivery / Control Domains: this is the background layout for each of the models. It consists of the following areas and is based on the level of control the enterprise has over the end user devices, network or services within the environment:
  - External Services: services or end user devices that are physically external to the enterprise
  - Site Services: end user devices and local shared services
  - Enterprise Shared Services: services available in a centralized manner to the entire enterprise, generally provided within enterprise data centers
- Service Delivery or Access Point / Situation (some exceptions to definitions):
  - Large Office User: individual employed by the enterprise utilizing a network-connected device inside the boundaries of a corporate-designated Large Site
  - Small Office User: individual employed by the enterprise utilizing a network-connected device inside the boundaries of a corporate-designated Small Site
  - Mobile User: individual employed by the enterprise utilizing a network-connected device while outside the boundaries of a corporate site
  - Home User: individual employed by the enterprise utilizing a network-connected device while at their home
  - Business Partner User: individual NOT employed by the enterprise accessing corporate services over their own external (or public) network
Slide 9: Key Architecture Representation Concepts (2)

Key concepts presented in each description include the following (continued):
- Technology Maturity Classification:
  - CORE: technologies that are to be the first choice in new implementations, and toward which existing infrastructure will be migrated.
  - HORIZON: emerging technologies that are expected to play a significant role in the architecture in the near future but cannot be labeled Core due to immaturity, lack of availability, or poor fit to the transitional environment.
  - HERITAGE: existing technologies that are not Core but will continue to play a substantial role in the architecture within the timeframe under consideration.
  - SUNSET: technologies that should be replaced and removed from the environment in the most rapid and efficient manner possible.
  - TRANSITION: technologies that must be in place for a short time until either a chosen CORE market technology becomes a reality or until the client is prepared to deploy that CORE technology choice.
- Service Cross-Dependency: delivery of enterprise technology services requires that many of the services have dependencies upon others. In order to simplify the depiction of service definitions and models, service abstraction is used to focus only on the technology concepts inherent to the service currently being discussed.
Slide 10: Security Infrastructure Guidelines

- Use the concept of defense in depth to guide security architecture:
  - Use multiple layers of controls between untrusted devices/environments and applications and data.
  - Use non-technology controls (physical, management, etc.) in conjunction with technology controls where appropriate, and use a combination of network- and application-layer technology controls.
- When architecting security, account for both external and internal threats.
- Define a limited number of discrete network trust zones:
  - Apply controls in a common way within zones.
  - Allow network traffic to flow freely within the Trusted Zone: rather than attempt to characterize every permitted data flow between trusted devices, rely on physical, management, and application-level technology controls within the trusted zone, while providing a means to segment or quarantine portions of the trusted network as needed in an emergency.
  - Explicitly deny network traffic known to be malicious or against corporate policy.
- Provide strong authentication mechanisms as appropriate:
  - Two-factor or certificate-based authentication for systems administration access and for remote VPN access.
  - Support strong authentication within applications as needed.
- Use technology to enable coordination between multiple security information sources, including thorough event correlation across all platforms.
Slide 11: Security Services Definitions
Slide 12: Network Communication Security Services - Network and Platform Trust Zones

[Diagram: zone model; only the recovered labels follow.]

Untrusted zone
- External: any clients, servers and services; external systems and external services
- Governed VPN clients on untrusted networks

Transitional zone
- Segments: DMZ 1, DMZ 2..n, Guest
- Contents: public-facing servers, external gateways, DMZ networks, guest and high-risk devices
- No horizontal traffic

Trusted zone
- Segments: Server LAN 1, Server LAN 2..n, VPN VLANs, User LAN 1, User LAN 2..n, Mgmt. LAN, RD
- Contents (Internal): user devices, business systems and data (servers), internal networks (LAN/MAN/WAN)
- Default allow horizontal traffic, with the ability to filter and monitor traffic at network choke points
- Unique trusted segments: default deny horizontal traffic; connections authenticated, logged and monitored

Restricted zone
- Segments: Server LAN 1, Server LAN 2, Server LAN n
- Contents: sensitive data applications
- No horizontal traffic

Boundary controls shown between zones (the slide does not make every boundary assignment recoverable)
- Controlled connections: connections authenticated, connections logged, IDS monitoring (shown alongside the governed VPN clients)
- Controlled connections: default DENY, connections logged, IDS monitoring (shown at several boundaries, including those into the restricted zone)
- Controlled connections: default ALLOW, connections logged (shown twice, adjacent to the trusted zone)
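The trust-zone rules on slides 10 and 12 (default deny across zone boundaries, default allow for horizontal traffic inside the trusted zone, no horizontal traffic in DMZ and restricted segments, explicit deny of known-bad traffic, emergency quarantine of a trusted segment, and two-factor authentication for administrative and remote VPN access) can be checked mechanically against a single connection request. The following is an added example and not code from the slides or from Unisys; the zone names, the allow-list entries, the service names and the segment names are all constructed for the example.

```python
"""Zone-based connection policy evaluator (added example, not from the slides)."""
from dataclasses import dataclass

UNTRUSTED, TRANSITIONAL, TRUSTED, RESTRICTED = (
    "untrusted", "transitional", "trusted", "restricted")

# Horizontal (intra-zone) traffic: only the trusted zone is default allow;
# DMZ/guest and restricted segments carry no horizontal traffic (slide 12).
HORIZONTAL_DEFAULT = {UNTRUSTED: False, TRANSITIONAL: False,
                      TRUSTED: True, RESTRICTED: False}

# Cross-zone flows are default DENY. Each permitted (src, dst, service) maps
# to whether the connection must be authenticated. Constructed allow-list.
CROSS_ZONE_ALLOW = {
    (UNTRUSTED, TRANSITIONAL, "https"): False,    # public to DMZ front end
    (UNTRUSTED, TRUSTED, "vpn"): True,            # governed VPN client into VPN VLAN
    (TRANSITIONAL, TRUSTED, "app"): True,         # front end to non-proxyable app tier
    (TRUSTED, TRANSITIONAL, "http-proxy"): True,  # employee outbound via proxy
    (TRUSTED, RESTRICTED, "app"): True,           # internal user to sensitive app
}

# Traffic "known to be malicious or against corporate policy" (constructed).
EXPLICIT_DENY = {"telnet", "irc"}
# Services that count as systems administration access (constructed).
ADMIN_SERVICES = {"ssh", "rdp", "mgmt"}
# Trusted segments currently cut off for an emergency (slide 10 quarantine).
QUARANTINED_SEGMENTS = set()


@dataclass(frozen=True)
class Connection:
    src_zone: str
    dst_zone: str
    service: str
    src_segment: str = ""        # hypothetical segment name, e.g. "user-lan-2"
    dst_segment: str = ""
    authenticated: bool = False
    two_factor: bool = False


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    logged: bool          # connection is logged
    ids_monitored: bool   # IDS monitoring applies to this flow


def quarantine(segment: str) -> None:
    """Emergency segmentation: isolate one trusted segment from everything."""
    QUARANTINED_SEGMENTS.add(segment)


def evaluate(c: Connection) -> Decision:
    cross_zone = c.src_zone != c.dst_zone
    # Slide 12: flows that cross a boundary or enter a restricted segment are
    # logged; cross-zone flows are also IDS-monitored. Every deny is logged.
    logged = cross_zone or c.dst_zone == RESTRICTED
    monitored = cross_zone
    authenticated = c.authenticated or c.two_factor

    # 1. Explicit denies win everywhere, even inside the trusted zone.
    if c.service in EXPLICIT_DENY:
        return Decision(False, f"explicit deny: {c.service}", True, monitored)
    # 2. A quarantined segment gets no traffic in either direction.
    if QUARANTINED_SEGMENTS & {c.src_segment, c.dst_segment}:
        return Decision(False, "segment quarantined", True, monitored)
    # 3. Admin access and remote VPN access need two-factor authentication.
    needs_2fa = c.service in ADMIN_SERVICES or (
        c.service == "vpn" and c.src_zone == UNTRUSTED)
    if needs_2fa and not c.two_factor:
        return Decision(False, "two-factor authentication required", True, monitored)
    # 4. Same zone: apply that zone's horizontal-traffic default.
    if not cross_zone:
        if HORIZONTAL_DEFAULT[c.src_zone]:
            return Decision(True, f"horizontal traffic allowed in {c.src_zone}",
                            logged, monitored)
        return Decision(False, f"no horizontal traffic in {c.src_zone}", True, monitored)
    # 5. Cross zone: default deny unless listed; listed entries may also
    #    require the connection to be authenticated at the boundary.
    key = (c.src_zone, c.dst_zone, c.service)
    if key not in CROSS_ZONE_ALLOW:
        return Decision(False, "cross-zone default deny", True, monitored)
    if CROSS_ZONE_ALLOW[key] and not authenticated:
        return Decision(False, "authentication required at zone boundary", True, monitored)
    return Decision(True, "cross-zone allow-list match", logged, monitored)


if __name__ == "__main__":
    for conn in (Connection(TRUSTED, TRUSTED, "smb"),
                 Connection(UNTRUSTED, TRUSTED, "app"),
                 Connection(UNTRUSTED, TRUSTED, "vpn", two_factor=True)):
        print(conn.src_zone, "->", conn.dst_zone, conn.service, evaluate(conn))
```

The ordering of the checks is the point: explicit denies and quarantine are evaluated before any allow rule, so an emergency segmentation of one user LAN takes effect without touching the allow-list, and the trusted zone's default allow never overrides a known-bad service or an unauthenticated administrative session.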
Slide 13: Network Communication Security Services - Network Communication Controls

[Diagram: firewall and proxy placement across the Untrusted, Transitional and Trusted zones; only the recovered labels follow.]

- Access situations (untrusted side): Business Partner / Managed Service Provider (partner VPN endpoint); Employee (governed user device with S/W firewall and VPN client); Any (user device, or user device or application)
- Transitional segments: Partner Apps, Protected Partner VPN, Employee Outbound, Employee, Guest, Public, Utility, Restricted; hosting guest devices, application gateways (SMTP, DNS, NTP, etc.), the partner VPN endpoint and front ends for public apps
- Trusted side: Utility Apps, Non-Proxyable Applications / Data, Governed User Devices (S/W firewall), Restricted Apps / Data
- Controls on the paths: packet filter, hybrid firewalls (FWDP and FWPR), VPN, proxies; each path is marked default allow or default deny, with authentication (A) on the proxy and restricted paths

Legend
- FWDP: Hybrid firewall with deep packet inspection focus
- FWPR: Hybrid firewall with app proxy focus
- DA: Default allow
- DD: Default deny
- A: Authentication
- HORIZON: emerging technology (see slide 9)
Slide 14: Network Communication Security Services - Wireless Security

[Diagram; only the recovered labels follow.]
- Untrusted: carrier service (proprietary service, wide area); VPN-secured public wireless (802.11 b/g); unsecured wireless with a VPN-secured session
- Transitional: firewall, proxy, wireless e-mail gateway, employee services, A/A service; guest wireless (802.11 b/g) on a shared 802.11 access point
- Trusted: governed device with 802.11i client and S/W firewall (802.11 b/g, 802.11i); restricted
- Legend: A = authentication; HORIZON marks emerging technology
Slide 15: Anti-Virus and Content Control - Anti-Virus and Content Control Capabilities

[Diagram; only the recovered labels follow.]
- External services: external servers (public, business partner, etc.) for IM, SMTP, HTTP; external client application
- Enterprise services: proxy server, IM gateway, internal IM service
- Site services: site shared systems and the device itself
- AV scan targets: file transfer, proxy data, O/S, file system, RAM, active content, removable media
- Content filters: URL or IP, file transfer, text pattern
- A remote employee system tunneled into the network via a VPN connection is equivalent to an internal client system; refer to Client System for data flows.
- Legend: HORIZON marks emerging technology
Slide 16: Enterprise Authentication/Authorization Service - Supplicants and Credentials

[Diagram; only the recovered labels follow.]
- Supplicants (untrusted and transitional side): business partner / customer, employee, service provider, public, satellite office over a site-to-site VPN; user devices, one with a smart card reader
- Relying services (transitional and trusted side): public DMZ application (no credentials, or B depending on application), partner DMZ application, employee DMZ application, outbound proxy, site-to-site VPN, VPN, IP filter, management console, standard app or utility service, server or network device (or pass-thru from local logon), local logon, sensitive app, facilities access system (proximity or mag. stripe card reader; proximity chip or mag. stripe on the same physical card as the smart card)
- Credential legend:
  - A: UserID/Password
  - B: User certs (UserID/Password)
  - C: One-time password token (transitional) (UserID/Pwd)
  - D: Device certs
- Qualifiers on the slide: "depending on application", "depending on implementation", "and possibly"; maturity tags TRANSITION and HORIZON
Slide 17: Enterprise Authentication/Authorization Service - Authentication Systems Model

[Diagram; only the recovered labels follow.]
- Consumers: web applications (through a web SSO layer), legacy system, some packaged applications, most applications, network device (RADIUS)
- Services and their stores: Active Directory Authentication Service with the AD A/A store (employees) and a second AD forest (non-employees); RADIUS/TACACS service with RADIUS or TACACS accounts; One-Time Password Service (e.g., ACE) with OTP accounts and an OTP interface; Legacy A/A system (e.g., RACF) with legacy A/A data; app-proprietary A/A with app-specific A/A data; physical A/A service with physical A/A accounts; PKI interface and PKI CRL publishing (CRLs); utility directory services
- Interfaces: native data interface, proprietary, RADIUS
- Maturity tags on the slide: HORIZON, TRANSITION, SUNSET
- Legend: OTP = one-time password; line types distinguish authentication protocol communication, authorization query, and data movement / integration
Slide 18: Identity Management Service - Public Key Infrastructure (PKI)

[Diagram; only the recovered labels follow.]
- Root CA (offline), with HSM
- Issuing CAs, each with an HSM: Internal User Issuing CA, External User Issuing CA, Device Issuing CA; key recovery is shown for two of the issuing CAs
- Certificate and CRL publishing: AD A/A store (employees), second AD forest (non-employees), utility directory services; HTTP CRL distribution and online status checking for external services
- User certificates live on machines (DS), cards and tokens
- Policy and procedures: enterprise certificate policy, certification practice statements, best practices
Slide 19: Identity Management Service - Provisioning and Account Management Model

[Diagram; only the recovered labels follow.]
- IDM system fed by HR (bulk updates) and business rules; user self-service for users; admin services and delegated admin for administrators; e-mail notification; workflow
- Connectors (API or scripted) to app-proprietary account management, One-Time Password account tools (e.g., ACE), legacy system account management (e.g., RACF) and physical A/A account tools, each over a native data interface; LDAP and RADIUS connectors to the directory and RADIUS stores
- Stores: app-specific A/A data, AD A/A store (employees), LDAP A/A store (other users), RADIUS or TACACS accounts, legacy A/A data, OTP accounts, physical A/A accounts
- Legend: OTP = one-time password; line types distinguish user-system interactions, system-system interactions, and system data interactions
Slide 20: Security Management Services - Intrusion Detection / Prevention

[Diagram; only the recovered labels follow.]
- Untrusted: exposed router (R); managed IDS service (HORIZON) producing IDS data
- Transitional: firewall, VPN, proxy, IP filter; NIDS and IPS on each segment; servers with HIDS
- Trusted and restricted: NIDS and IPS; servers with HIDS and servers without HIDS; IDS monitoring system; IDS alert logging; IDS data
- Legend: NIDS = network IDS data collection; IPS = intrusion prevention system; HIDS = host IDS agent (server with HIDS); out-of-band IDS communication; IDS traffic
Slide 21: Security Management Services - Alert Processing

[Diagram; only the recovered labels follow.]
- Inputs: advisory alerts (external services), vulnerability assessment, manual processes, A/V alerts from user devices and servers, SNMP traps and security logs from networking devices and firewalls, HIDS alerts from servers, SNMP traps and IDS alerts from the IDS system
- Alert correlation system: raw data -> data normalization -> data processing -> refined data -> alert generation
- Outputs: management/monitoring console; notification by e-mail, pager, SMB, MOM, etc.; forensic tools; log mining and trend reporting; DSS
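The pipeline on slide 21 (raw data from firewalls, IDS, HIDS and anti-virus, normalized into one record shape, then processed into correlated alerts) is easiest to understand with a minimal implementation. The following is an added example, not code from the slides or from any product named on them: the four line formats, the sample feed and the severity scale are constructed for the example, and a real deployment would need a parser per product format. The correlation rule used here, raising one alert when a single source IP produces events from at least two different security sources inside a sliding time window, is one simple instance of the cross-platform event correlation that slide 10 calls for.

```python
"""Alert normalization and cross-source correlation (added example, not from the slides)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample feed: one invented line format per source type.
RAW_FEED = [
    '2006-03-01T10:00:01 FW1 deny tcp 203.0.113.5:4431 -> 192.0.2.10:445',
    '2006-03-01T10:00:05 FW1 deny tcp 203.0.113.5:4432 -> 192.0.2.11:445',
    '2006-03-01T10:00:12 NIDS sid=2001 pri=2 msg="SMB probe" src=203.0.113.5 dst=192.0.2.10',
    '2006-03-01T10:00:40 HIDS host=srv10 event=failed_logon user=admin src=203.0.113.5',
    '2006-03-01T10:15:00 AV host=ws22 threat=Test.EICAR action=quarantined',
    '2006-03-01T11:30:00 FW1 deny udp 198.51.100.7:5000 -> 192.0.2.53:53',
]


@dataclass(frozen=True)
class Event:
    """Normalized record shared by every source (the 'refined data' shape)."""
    ts: datetime
    source: str            # FW, NIDS, HIDS or AV
    src_ip: Optional[str]  # None when the source reports no remote address
    host: Optional[str]
    severity: int          # constructed 1..5 scale, 5 = most severe
    summary: str


# One regex per constructed source format; named groups feed the Event fields.
PATTERNS = {
    "FW": re.compile(r'(?P<ts>\S+) FW\S* (?P<action>deny|allow) (?P<proto>tcp|udp) '
                     r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$'),
    "NIDS": re.compile(r'(?P<ts>\S+) NIDS sid=(?P<sid>\d+) pri=(?P<pri>\d) '
                       r'msg="(?P<msg>[^"]*)" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$'),
    "HIDS": re.compile(r'(?P<ts>\S+) HIDS host=(?P<host>\S+) event=(?P<event>\S+) '
                       r'user=(?P<user>\S+) src=(?P<src>[\d.]+)$'),
    "AV": re.compile(r'(?P<ts>\S+) AV host=(?P<host>\S+) threat=(?P<threat>\S+) '
                     r'action=(?P<action>\S+)$'),
}


def normalize(line: str) -> Optional[Event]:
    """Data normalization: map one raw line onto Event, or None if unrecognized."""
    for source, pattern in PATTERNS.items():
        m = pattern.match(line)
        if not m:
            continue
        g = m.groupdict()
        ts = datetime.fromisoformat(g["ts"])
        if source == "FW":
            return Event(ts, source, g["src"], None, 1,
                         f"{g['action']} {g['proto']} to {g['dst']}:{g['dport']}")
        if source == "NIDS":   # IDS priority 1 (highest) becomes severity 4
            return Event(ts, source, g["src"], None, 5 - int(g["pri"]),
                         f"sid {g['sid']}: {g['msg']}")
        if source == "HIDS":
            return Event(ts, source, g["src"], g["host"], 3,
                         f"{g['event']} for {g['user']}")
        return Event(ts, source, None, g["host"], 4, f"{g['threat']} {g['action']}")
    return None


@dataclass(frozen=True)
class Alert:
    src_ip: str
    sources: List[str]
    event_count: int
    first_ts: datetime
    last_ts: datetime
    severity: int


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Alert generation: one Alert per source IP whose events inside a sliding
    window come from at least `min_sources` distinct security sources."""
    by_src = defaultdict(list)
    for e in events:
        if e.src_ip:
            by_src[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            cluster = evs[i:j]
            sources = sorted({e.source for e in cluster})
            if len(sources) >= min_sources:
                alerts.append(Alert(ip, sources, len(cluster), cluster[0].ts,
                                    cluster[-1].ts, max(e.severity for e in cluster)))
                i = j          # consume the cluster; do not re-alert on it
            else:
                i += 1
    return alerts


def process(lines):
    """Run the whole pipeline; unrecognized lines are dropped, not fatal."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = process(RAW_FEED)
    print(f"{len(events)} normalized events, {len(alerts)} correlated alert(s)")
    for a in alerts:
        print(a)
```

On the constructed feed, the two firewall denies, the NIDS signature and the HIDS failed logon from the same address fall within 39 seconds and collapse into one alert, while the anti-virus event (no remote address) and the lone firewall deny from a second address produce none; that reduction from six raw records to one actionable alert is what the normalization and processing stages on the slide are for.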
Slide 22: Security Management Services - Update Management

[Diagram; only the recovered labels follow.]
- External services: signature update service (virus signatures), filter update service (filter triggers), O/S or app patch services (patches); signature updates are pulled from the external service
- Enterprise services: enterprise anti-virus management system (push to AV clients), enterprise content filter system (customized filters), patch staging server feeding operations release management and the update service; policy management consoles (security policies)
- Site services and devices: updates pushed to all appropriate platforms
Slide 23: Encryption Services - Secure Messaging

[Diagram; only the recovered labels follow.]
Three patterns are shown between the enterprise side (employee devices with e-mail clients, SMTP gateways behind firewalls, file services and messaging services) and outside parties:
- Business partners (planned): e-mail encrypted between domains using MTA-to-MTA S/MIME, with a published certificate directory on each side (BP certificate directory, published certificate directory) and normal e-mail transport in between; authenticated (A)
- Business partners (ad hoc): e-mail encrypted with client-to-client S/MIME, using certificates held by the e-mail clients
- Business partners or public (ad hoc): normal e-mail with a self-decrypting file attachment produced by an encryption utility, with the password transmitted out of band
- Legend: A = authentication; line types distinguish encrypted data and unencrypted data
Slide 24: Encryption Services - Network Encryption

[Diagram; only the recovered labels follow.]
- External system, or business partner user device or application, to application front ends and gateways (SMTP gateway, DNS, NTP, etc.) across the firewalls: SSL, TLS, SFTP; S/MIME for mail
- VPN between firewalls: IPSEC, AES, 3DES
- Management workstation to management applications (via proxy and VPN): SSL, SSH, SFTP
- User devices and 802.11 clients to restricted applications and restricted data: SSL; EAP for the 802.11 client (HORIZON)
- Legend: line types distinguish SSL, VPN tunnel, restricted applications and restricted data