Sunil Misra Chief Security Advisor - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Sunil Misra, Chief Security Advisor
Enterprise Reference Architecture Overview
2
Reference Architecture Objectives
  • Accelerate solution development and implementation
    projects by providing reference architectures as
    a project starting point.
  • Provide a communications tool describing the
    business problem the infrastructure addresses,
    how the problem is solved, the scope and cost of
    the solution, and the tools and technologies used
    to build the solution.
  • Reduce risk through common tools and a Point of
    View.

3
Reference Architecture Solutions
The Reference Architecture Solution: it's the mechanism that
captures solution value and drives deployment.
Technology Points of View
  • Field tested solutions
  • Draws upon managed services and outsourcing
    experiences
  • Understanding of What Works With What
  • Pre-populated with industry- relevant
    infrastructure models
  • Customized for clients
  • Digital Record of solution

Industry Expertise
  • Visioning future state infrastructure models for
    industries
  • ROI modeling

4
Reference Architecture Defined: Comprehensive
  • RA Introduction
    • What is a Reference Architecture?
    • Why use a Reference Architecture?
    • How to use the baseline Reference Architectures
  • Application Infrastructure Services
    • Utility Services
      • Definitions
      • Service Models
    • Application Technology Services
      • Definitions
      • Service Models
    • Data Services
      • Definitions
      • Service Models
  • Physical Infrastructure Services
    • Platforms Services
      • Definitions
      • Service Models
    • Network Services
  • Security Infrastructure Services
    • Definitions
    • Service Models
  • Operations Infrastructure Services
    • Definitions
    • Service Models

5
What is a Reference Architecture?
  • Reference architectures represent a baseline set
    of recommended models that meet the needs of a
    high percentage of our client situations.
  • A reference architecture does not specify
    implementation details, but instead provides a
    framework that can be customized and implemented
    at any organization or for most consultative or
    sales situations.
  • The Reference Architecture is based on services
    combining technologies, not just the technologies
    alone.

6
How to use the Reference Architecture
  • Reference Architectures align to all phases of
    the Unisys ITS Balanced Portfolio (Advisory,
    Transform, Manage)
  • Infrastructure Architects will use the Reference
    Architecture to develop customer-specific
    Enterprise Infrastructure Architectures as well
    as Solution-specific architectures

Phases: Data Gathering / Analysis -> Architecture Definition -> Architecture Plan
  • Identify Enterprise Architecture Drivers
  • Conduct Interviews with key stakeholders
  • Document current state enterprise architecture
  • Analyze current state architecture
  • Formulate and confirm the future state
    architecture vision
  • Incorporate customer unique requirements
  • Document architecture decisions
  • Review and approve architecture
  • Create a communication strategy, governance
    structure and rollout plan

7
Reference Architecture Landscape
The following services are modeled within the Unisys Reference
Architecture.
8
Key Architecture Representation Concepts
  • Key concepts presented in each description
    include the following:
  • Services - Services define the capabilities and
    value the infrastructure must provide for its
    user groups, applications and data stores. Each
    represents and is formed through a unique view of
    technology standards, components and vendors.
  • Service Delivery / Control Domains - This is the
    background layout for each of the models. It
    consists of the following areas and is based on
    the level of control the enterprise has over the
    end user devices, network or services within the
    environment:
    • External Services - Services or end user devices
      that are physically external to the enterprise
    • Site Services - End user devices and local shared
      services
    • Enterprise Shared Services - Services available
      in a centralized manner to the entire enterprise,
      generally provided within Enterprise Data Centers
  • Service Delivery or Access Point / Situation
    (some exceptions to definitions):
    • Large Office User - individual employed by the
      enterprise utilizing a network-connected device
      inside the boundaries of a corporate-designated
      Large Site
    • Small Office User - individual employed by the
      enterprise utilizing a network-connected device
      inside the boundaries of a corporate-designated
      Small Site
    • Mobile User - individual employed by the
      enterprise utilizing a network-connected device
      while outside the boundaries of a corporate site
    • Home User - individual employed by the enterprise
      utilizing a network-connected device while at
      their home
    • Business Partner User - individual NOT employed
      by the enterprise accessing corporate services
      over their own external (or public) network

9
Key Architecture Representation Concepts (2)
  • Key concepts presented in each description
    include the following (2):
  • Technology Maturity Classification -
    • CORE - technologies that are to be the first
      choice in new implementations, and toward which
      existing infrastructure will be migrated.
    • HORIZON - emerging technologies that are expected
      to play a significant role in the architecture in
      the near future but cannot be labeled Core due to
      immaturity, lack of availability, or poor fit to
      the transitional environment.
    • HERITAGE - existing technologies that are not
      Core but will continue to play a substantial role
      in the architecture within the timeframe under
      consideration.
    • SUNSET - technologies that should be replaced and
      removed from the environment in the most rapid
      and efficient manner possible.
    • TRANSITION - technologies that must be in place
      for a short time until either a chosen CORE
      market technology becomes a reality or until the
      client is prepared to deploy that CORE technology
      choice.
  • Service Cross-Dependency - Delivery of enterprise
    technology services requires that many of the
    services have dependencies upon others. In order
    to simplify the depiction of service definitions
    and models, service abstraction is used to focus
    only on the technology concepts inherent to the
    service currently being discussed.

10
Security Infrastructure Guidelines
  • Use the concept of Defense in Depth to guide
    security architecture
    • Use multiple layers of controls between untrusted
      devices/environments and applications and data
    • Use non-technology controls (physical,
      management, etc.) in conjunction with technology
      controls where appropriate, and use a combination
      of network- and application-layer technology
      controls
  • When architecting security, account for both
    external and internal threats
  • Define a limited number of discrete network trust
    zones
    • Apply controls in a common way within zones
  • Allow network traffic to flow freely within the
    Trusted Zone
    • Rather than attempt to characterize every
      permitted data flow between trusted devices, rely
      on physical, management, and application-level
      technology controls within the trusted zone,
      while providing a means to segment or quarantine
      portions of the trusted network as needed in an
      emergency
  • Explicitly deny network traffic known to be
    malicious or against corporate policy
  • Provide strong authentication mechanisms as
    appropriate
    • Two-factor or certificate-based authentication
      for systems administration access and for remote
      VPN access
    • Support strong authentication within applications
      as needed
  • Use technology to enable coordination between
    multiple security information sources, including
    thorough event correlation across all platforms

11
Security Services Definitions
12
Network Communication Security Services: Network and Platform Trust Zones
[Diagram: trust-zone chart laid out in four columns (Untrusted,
Transitional, Trusted, Restricted) with the control applied at each
boundary. The recoverable content is summarized below.]
  • Untrusted (External): any clients, servers and services; <Client>
    governed VPN clients on untrusted networks; external systems and
    external services.
  • Transitional (DMZ 1, DMZ 2..n, Guest): public facing servers, external
    gateways, DMZ networks, guest and high-risk devices. No horizontal
    traffic between segments.
  • Trusted (Internal: Server LAN 1..n, User LAN 1..n, VPN VLANs, Mgmt.
    LAN, R&D): user devices, business systems and data (servers), internal
    networks (LAN/MAN/WAN). Default allow horizontal traffic, with the
    ability to filter and monitor traffic at network choke points.
  • Restricted (unique trusted segments, Server LAN 1..n): sensitive data
    applications. Default deny horizontal traffic; connections
    authenticated, logged and monitored.
  • Boundary controls: Untrusted to Transitional and Transitional to
    Trusted are controlled connections, default DENY, connections logged,
    IDS monitoring. Outbound from Trusted toward Transitional is default
    ALLOW with connections logged. Connections into Restricted are
    controlled, authenticated, logged and IDS monitored, default DENY.
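The zone chart above and the slide 10 guidelines (default deny between zones, free flow inside the Trusted Zone, explicit denies, emergency quarantine, authenticated access to Restricted), as an added example that is not part of the presentation: a small Python policy model that decides, logs and flags a flow the way the chart prescribes. The Flow/Decision/ZonePolicy names, the segment labels, and the reading that Restricted-to-Trusted outbound is the same "default ALLOW, logged" rule as Trusted-to-Transitional are assumptions.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple

ZONES = ("untrusted", "transitional", "trusted", "restricted")

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_segment: str              # e.g. "user-lan-1", "dmz-1", "server-lan-3"
    dst_segment: str
    authenticated: bool = False   # strong authentication done for this connection

@dataclass
class Decision:
    allow: bool
    reason: str
    log: bool = True              # the chart logs every controlled connection
    ids_monitor: bool = False     # IDS monitoring applies at zone boundaries

@dataclass
class ZonePolicy:
    # Flows known to be malicious or against policy are explicitly denied (slide 10).
    explicit_deny: Set[Tuple[str, str]] = field(default_factory=set)
    # Trusted segments quarantined in an emergency (slide 10); assumed data shape.
    quarantined: Set[str] = field(default_factory=set)

    def evaluate(self, f: Flow) -> Decision:
        if f.src_zone not in ZONES or f.dst_zone not in ZONES:
            raise ValueError("unknown zone")
        if (f.src_segment, f.dst_segment) in self.explicit_deny:
            return Decision(False, "explicit deny", ids_monitor=True)
        if self.quarantined & {f.src_segment, f.dst_segment}:
            return Decision(False, "segment quarantined", ids_monitor=True)
        return self._horizontal(f) if f.src_zone == f.dst_zone else self._cross_zone(f)

    def _horizontal(self, f: Flow) -> Decision:
        if f.src_zone == "trusted":
            # Traffic flows freely inside the Trusted Zone; filter/monitor at choke points.
            return Decision(True, "trusted: default allow horizontal", log=False)
        if f.src_zone == "untrusted":
            return Decision(True, "untrusted: outside enterprise control", log=False)
        # DMZ, guest and restricted segments: no horizontal traffic.
        return Decision(False, f"{f.src_zone}: no horizontal traffic", ids_monitor=True)

    def _cross_zone(self, f: Flow) -> Decision:
        if f.dst_zone == "restricted":
            if f.src_zone == "trusted" and f.authenticated:
                return Decision(True, "restricted: authenticated, logged, monitored", ids_monitor=True)
            return Decision(False, "restricted: default deny", ids_monitor=True)
        if (f.src_zone, f.dst_zone) in {("trusted", "transitional"), ("restricted", "trusted")}:
            return Decision(True, "outbound toward lower trust: default allow, logged")
        # Every other boundary crossing is marked Default DENY on the chart.
        return Decision(False, f"{f.src_zone} -> {f.dst_zone}: default deny", ids_monitor=True)
```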
13
Network Communication Security Services: Network Communication Controls
[Diagram: control placement chart across the Untrusted, Transitional and
Trusted zones; the recoverable labels are listed below.]
  • Untrusted side: Business Partner / Managed Service Provider, Employee,
    Any (user device, governed user device, user device or application),
    with controls Partner VPN Endpoint, S/W Firewall, VPN Client, Packet
    Filter.
  • Transitional segments: Partner Apps, Protected Partner VPN, Employee
    Outbound, Employee, Guest, Public, Utility; components Guest Devices,
    App GWs (SMTP, DNS, NTP, etc.), Partner VPN Endpoint, Front End for
    Public Apps, VPN, Proxy.
  • Trusted / Restricted side: Utility Apps, Non-Proxyable Applications /
    Data, Restricted Apps / Data, Governed User Devices (S/W Firewall).
  • Legend: FWDP = Hybrid Firewall with Deep Packet Inspection focus;
    FWPR = Hybrid Firewall with App Proxy focus; DA = Default Allow;
    DD = Default Deny; A = Authentication. One element is marked HORIZON.
14
Network Communication Security Services: Wireless Security
[Diagram: wireless access paths across the Untrusted, Transitional and
Trusted zones; recoverable labels below.]
  • Untrusted: Proprietary Svc, Carrier Svc, Wide Area; VPN-Secured Public
    Wireless (802.11 b/g); Guest Wireless (802.11 b/g) on a Shared 802.11
    Access Point; Unsecured Wireless with VPN-Secured Session.
  • Transitional: Firewall, Proxy, Wireless eMail Gateway, A/A Service.
  • Trusted: Employee Services, Restricted.
  • Governed Device: 802.11i Client, S/W FW, 802.11 b/g and 802.11i
    (802.11i marked HORIZON).
  • Legend: A = Authentication.
15
Anti-Virus and Content Control: Anti-Virus and Content Control Capabilities
[Diagram: scan and filter points across External Services, Site Services
(Site Shared, Device) and Enterprise Services; recoverable labels below.]
  • External Services: External Servers (Public, BP, etc.) for IM, SMTP,
    HTTP; External Client Application.
  • Control points: Proxy Server, IM Gateway, Internal IM Service (marked
    HORIZON).
  • AV Scan Targets: File Transfer, Proxy Data, O/S, F/S, RAM, Removable
    Media.
  • Content Filters: URL or IP, Text Pattern, Active Content.
  • A Remote Employee System tunneled into the network via a VPN
    connection is equivalent to an Internal Client System. Refer to Client
    System for data flows.
16
Enterprise Authentication/Authorization Service: Supplicants and Credentials
[Diagram: credential types (A to D) drawn from each supplicant to each
target across the Untrusted, Transitional and Trusted zones; recoverable
labels below.]
  • Supplicants: Business Partner/Customer, Employee, Service Provider,
    Public, Satellite Office (Site to Site VPN), each on a User Device; a
    Smart Card Reader is shown on the employee device.
  • Targets: Public DMZ Application, Partner DMZ Application, Emp. DMZ
    Application, Proxy (Outbound), VPN, IP Filter, Management Console,
    Standard App or Utility Service, Server or Network Device, Sensitive
    App, Facilities Access System (Proximity or Mag. Stripe Card Reader),
    Local logon on the User Device.
  • Annotations on the paths: No Credentials; Depending on application;
    Depending on implementation; And possibly; Or pass-thru from Local
    logon; Proximity chip or mag. stripe on same physical card as ...;
    TRANSITION; HORIZON.
  • Legend: A = UserID/Password; B = User Certs (UserID/Password);
    C = One-time Password token (transitional) (UserID/Pwd);
    D = Device Certs.
17
Enterprise Authentication/Authorization Service: Authentication Systems Model
[Diagram: authentication systems and their stores across External,
Enterprise and Site Services; recoverable labels below.]
  • Consumers: Web Applications (via a Web SSO layer), Legacy System, Some
    Packaged Applications, Most Applications, Network Device (RADIUS),
    Proprietary interfaces.
  • Services: RADIUS/TACACS Service, App-proprietary A/A, Active Directory
    Authentication Service, Legacy A/A System (e.g., RACF), Physical A/A
    Service, One-Time Password Service (e.g., ACE) via an OTP I/F, PKI I/F,
    Utility Directory Services, PKI CRL Publishing. Maturity markers on the
    diagram: HORIZON, TRANSITION, SUNSET.
  • Stores (reached over a Native Data Interface): OTP accounts,
    App-specific A/A Data, AD A/A Store (employees), Second AD forest
    (non-employees), RADIUS or TACACS accounts, Legacy A/A Data, Physical
    A/A Accounts, CRLs.
  • Legend: OTP = One Time Password; line types: Authentication Protocol
    Comm., Authorization Query, Data Movement / Integration.
18
Identity Management Service: Public Key Infrastructure (PKI)
[Diagram: CA hierarchy and certificate/CRL distribution across External,
Enterprise and Site Services; recoverable labels below.]
  • User Certs live on
    • Machines (DS)
    • Cards
    • Tokens
  • Distribution: HTTP CRL distribution, Online Status Checking, CRLs.
  • CAs (each with an HSM): Root CA (offline); External User Issuing CA
    (certs / CRLs for the Second AD forest, non-employees); Internal User
    Issuing CA (certs / CRLs for the AD A/A Store, employees); Device
    Issuing CA (certs / CRLs). Key Recovery is shown with the user issuing
    CAs; Utility Directory Services hold published certs / CRLs.
  • Policy & Procedures
    • Enterprise Certificate Policy
    • Certification Practice Statements
    • Best Practices
19
Identity Management Service: Provisioning and Account Management Model
[Diagram: IDM system with its feeds, administrative interfaces and
connectors; recoverable labels below.]
  • IDM System inputs: HR feed, Business Rules, Bulk Updates, User Self
    Svc (User), Admin Services (Administrator), Delegated Admin
    (Administrator), Workflow, Email Notification.
  • Connectors (API or scripted) to: App-proprietary Account Mgmt,
    One-Time Password Account Tools (e.g., ACE), Legacy System Account
    Mgmt (e.g., RACF), Physical A/A Account Tools.
  • Stores and interfaces: App-specific A/A Data, OTP accounts, Legacy A/A
    Data and Physical A/A Accounts over a Native Data Interface; AD A/A
    Store (employees) and LDAP A/A Store (other users) over LDAP; RADIUS
    or TACACS accounts over RADIUS.
  • Legend: OTP = One Time Password; line types: User - System
    Interactions, System - System Interactions, System Data Interactions.
20
Security Management Services: Intrusion Detection / Prevention
[Diagram: sensor placement across the Untrusted, Transitional, Trusted and
Restricted zones; recoverable labels below.]
  • Sensors: NIDS and IPS at the Exposed Router (R), behind each Firewall,
    at the VPN, Proxy and IP Filter, and in front of the Restricted zone;
    Servers with HIDS (some servers are shown w/o HIDS).
  • Collection: IDS Data flows over out-of-band IDS communication to the
    IDS Monitoring System and IDS Alert Logging; a Managed IDS Service is
    marked HORIZON.
  • Legend: NIDS = Network IDS Data Collection; IPS = Intrusion Prevention
    System; HIDS = Host IDS Agent; line types: Out of Band IDS
    communication, IDS Traffic.
21
Security Management Services: Alert Processing
[Diagram: alert sources feeding an Alert Correlation System; recoverable
labels below.]
  • Sources: Advisory Alerts (External Services); Messaging Services;
    Vulnerability Assessment; User Device (A/V Alerts, manual processes);
    Networking Devices / Firewalls (SNMP Traps, Security logs); Servers
    (A/V Alerts, SNMP Traps, HIDS Alerts); IDS System (SNMP Traps, IDS
    Alerts); Mgmt./Monitoring Console.
  • Alert Correlation System pipeline: Raw Data -> Data Normalization ->
    Data Processing -> Refined Data -> Alert Generation; Forensic Tools,
    Log Mining / Trend Reporting and DSS draw on the refined data.
  • Notification: Email, Pager, SMB, MOM, etc.
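One way to implement the Raw Data -> Data Normalization -> Data Processing -> Alert Generation pipeline on this slide, together with the slide 10 guideline on event correlation across platforms (added example, not the presentation's own): each platform's raw line is parsed onto one common record, and an alert is raised when the same source address is reported by two or more independent platforms. The log formats, host names, addresses and the sid value are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample feed (platform, raw line). Three platforms see 10.1.2.3; the
# A/V alert names a different source and the last line is an unparseable heartbeat.
RAW_EVENTS = [
    ("firewall",  "2006-03-01T10:00:01 fw1 DENY TCP 10.1.2.3:51234 -> 192.0.2.10:445"),
    ("nids",      "2006-03-01T10:00:05 sensor2 ALERT sid=1000001 src=10.1.2.3 dst=192.0.2.10 msg=SMB probe"),
    ("hids",      "2006-03-01T10:00:09 srv-fin1 HIDS file=/etc/passwd changed by remote=10.1.2.3"),
    ("antivirus", "2006-03-01T10:00:20 pc-42 AV detected Generic.Worm source=10.9.9.9"),
    ("firewall",  "2006-03-01T10:00:30 fw1 heartbeat ok"),
]

# One parser per platform: the "Data Normalization" step maps each format onto
# the same named groups (ts, host, ip, and a summary msg).
PARSERS = {
    "firewall":  re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>DENY|ALLOW) \S+ (?P<ip>[\d.]+):\d+ ->"),
    "nids":      re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ALERT .*src=(?P<ip>[\d.]+) .*msg=(?P<msg>.*)$"),
    "hids":      re.compile(r"^(?P<ts>\S+) (?P<host>\S+) HIDS (?P<msg>.*remote=(?P<ip>[\d.]+))"),
    "antivirus": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) AV detected (?P<msg>\S+) source=(?P<ip>[\d.]+)"),
}

@dataclass(frozen=True)
class Event:                  # the "Refined Data" record every platform is mapped onto
    platform: str
    ts: str
    host: str
    src_ip: str
    summary: str

def normalize(platform: str, line: str) -> Optional[Event]:
    """Map one raw line onto an Event; return None when the format is not recognized."""
    m = PARSERS[platform].match(line)
    if not m:
        return None           # keep the raw line for forensics; never guess fields
    d = m.groupdict()
    return Event(platform, d["ts"], d["host"], d["ip"], d["msg"])

def correlate(events: List[Event], min_platforms: int = 2) -> List[dict]:
    """Alert Generation: one alert per source IP reported by >= min_platforms platforms."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        platforms = sorted({e.platform for e in evs})
        if len(platforms) >= min_platforms:
            alerts.append({"src_ip": ip, "platforms": platforms,
                           "hosts": sorted({e.host for e in evs}), "count": len(evs)})
    return alerts

def run(raw=RAW_EVENTS):
    events = [ev for ev in (normalize(p, line) for p, line in raw) if ev]
    return events, correlate(events)
```

A single-platform hit (the A/V alert for 10.9.9.9) stays in the refined data for log mining but does not by itself generate an alert.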
22
Security Management Services: Update Management
[Diagram: update flows from external services through enterprise staging
to platforms; recoverable labels below.]
  • External Services: Signature Update Service (Virus Signatures), O/S or
    App Patch Services (Patches), Filter Update Service (Filter Triggers).
    Signature updates are pulled from the external service.
  • Enterprise Services: Enterprise Anti-Virus Management System (pushes
    virus signatures to AV clients), Enterprise Content Filter System
    (customized filters, filter triggers), Patch Staging Server (patches)
    feeding the Update Service under Operations Release Management;
    updates are pushed to all appropriate platforms.
  • Policy Management Consoles distribute Security Policies to Site
    Services (Site Shared, Device).
23
Encryption Services: Secure Messaging
[Diagram: three secure e-mail patterns across the Untrusted, Transitional
(firewalls, SMTP gateways) and Trusted zones; recoverable labels below.]
  • Business Partners (Planned): email encrypted between domains using
    MTA-to-MTA S/MIME, with a BP Certificate directory and a Published
    Certificate directory; normal email transport on either side of the
    gateways (A = authentication at the gateway).
  • Business Partners (Ad Hoc): e-mail encrypted with client-to-client
    S/MIME, using the user's certificate in the Email Client.
  • Business Partners or Public (Ad Hoc): normal email with a
    self-decrypting file attachment produced by an Encryption Utility
    (password transmitted out of band).
  • Trusted side: Employee Devices with Email Client, File Services,
    Messaging Services (Utility, Restricted).
  • Legend: A = Authentication; Encrypted Data; Unencrypted Data.
24
Encryption Services: Network Encryption
[Diagram: encryption protocols on each path across the Untrusted,
Transitional and Trusted zones; recoverable labels below.]
  • External System / BP User Device or Application to the enterprise:
    IPSEC, AES, 3DES (VPN Tunnel); SSL, TLS, SFTP; SSL, TLS to the
    Application Front End.
  • SMTP Gateway, DNS, NTP, etc.: S/MIME; SSL, TLS; Proxy.
  • Management Workstation to Management Applications: SSL, SSH, SFTP.
  • User Devices to Restricted Applications and Restricted Data: SSL.
  • 802.11 Client: EAP (marked HORIZON).
  • Legend: SSL; VPN Tunnel.