Sunil Misra Chief Security Advisor

1
Sunil MisraChief Security Advisor
Enterprise Reference Architecture Overview
2
Reference Architecture Objectives

• Accelerate solution development implementation
  projects by providing reference architectures as
  a project starting point.
• Provide a communications tool describing the
  business problem the infrastructure addresses,
  how the problem is solved, the scope and cost of
  the solution, and the tools and technologies used
  to build the solution.

• Reduce risk through common tools and a Point of
  View

3
Reference Architecture Solutions
captures solution value and drives deployment.
Its the mechanism that
The Reference Architecture Solution
Technology Points of View

• Field tested solutions
• Draws upon managed services and outsourcing
  experiences
• Understanding of What Works With What

• Pre-populated with industry- relevant
  infrastructure models
• Customized for clients
• Digital Record of solution

Industry Expertise

• Visioning future state infrastructure models for
  industries
• ROI modeling

4
Reference Architecture Defined Comprehensive

• RA Introduction
• What is a Reference Architecture?
• Why use a Reference Architecture?
• How to use the baseline Reference Architectures
• Application Infrastructure Services
• Utility Services
• Definitions
• Service Models
• Application Technology Services
• Definitions
• Service Models
• Data Services
• Definitions
• Service Models
• Physical Infrastructure Services
• Platforms Services
• Definitions
• Service Models
• Network Services

• Security Infrastructure Services
• Definitions
• Service Models
• Operations Infrastructure Services
• Definitions
• Service Models

5
What is Reference Architecture?

• Reference architectures represent a baseline set
  of recommended models that meet the needs of a
  high percentage of our client situations.
• A reference architecture does not specify
  implementation details, but instead provides a
  framework that can be customized and implemented
  at any organization or for most consultative or
  sales situations
• The Reference Architecture is based on services
  combining technologies, not just the technologies
  alone

6
How to use Reference Architecture

• Reference Architectures align to all phases of
  the Unisys ITS Balanced Portfolio (Advisory,
  Transform, Manage)
• Infrastructure Architects will use the Reference
  Architecture to develop customer-specific
  Enterprise Infrastructure Architectures as well
  as Solution-specific architectures

Data Gathering / Analysis
Architecture Definition
Architecture Plan

• Identify Enterprise Architecture Drivers
• Conduct Interviews with key stakeholders
• Document current state enterprise architecture

• Analyze current state architecture
• Formulate and confirm the future state
  architecture vision
• Incorporate customer unique requirements

• Document architecture decisions
• Review and approve architecture
• Create a communication strategy, governance
  structure and rollout plan

7
Reference Architecture LandscapeThe following
services are modeled within the Unisys Reference
Architecture
8
Key Architecture Representation Concepts

• Key concepts presented in each description
  include the following
• Services Services define the capabilities and
  value the infrastructure must provide for its
  user groups, applications and data stores. Each
  represents and is formed through a unique view of
  technology standards, components and vendors.
• Service Delivery / Control Domains - This is the
  background layout for each of the models. It
  consists of the following areas and is based on
  the level of control the enterprise has over the
  end user devices, network or services within the
  environment
• External Services Services or end user devices
  that are physically external to the enterprise
• Site Services End User devices and local shared
  services
• Enterprise Shared Services Services available
  in a centralized manner to the entire enterprise,
  generally provided within Enterprise Data Centers
• Service Delivery or Access Point / Situation
  (some exceptions to definitions)
• Large Office User individual employed by the
  enterprise utilizing a network-connected device
  inside the boundaries of a corporate-designated
  Large Site
• Small Office User individual employed by the
  enterprise utilizing a network-connected device
  inside the boundaries of a corporate-designated
  Small Site
• Mobile User individual employed by the
  enterprise utilizing a network-connected device
  while outside the boundaries of a corporate site
• Home User individual employed by the enterprise
  utilizing a network-connected device while at
  their home
• Business Partner User individual NOT employed
  by the enterprise accessing corporate services
  over their own external (or public) network

9
Key Architecture Representation Concepts (2)

• Key concepts presented in each description
  include the following (2)
• Technology Maturity Classification -
• Core technologies that are to be the first
  choice in new implementations, and toward which
  existing infrastructure will be migrated.
• HORIZON emerging technologies that are expected
  to play a significant role in the architecture in
  the near future but cannot be labeled Core due to
  immaturity, lack of availability, or poor fit to
  transitional environment
• HERITAGE existing technologies that are not
  Core but will continue to play a substantial role
  in the architecture within the timeframe under
  consideration.
• SUNSET technologies that should be replaced and
  removed from the environment in the most rapid
  and efficient manner possible.
• TRANSITION technologies that must be in place
  for a short time until either a chosen CORE
  market technology becomes a reality or until the
  client is prepared to deploy that CORE technology
  choice.
• Service Cross-Dependency Delivery of enterprise
  technology services requires that many of the
  services have dependencies upon others. In order
  to simplify the depiction of service definitions
  and models, service abstraction is used to focus
  only on the technology concepts inherent to the
  service currently being discussed

10
Security Infrastructure Guidelines

• Use the concept of Defense in depth to guide
  security architecture
• Use multiple layers of controls between Untrusted
  devices/environments and applications and data
• Use non-technology controls (physical,
  management, etc) in conjunction with technology
  controls where appropriate and use a combination
  of network- and application-layer technology
  controls
• When architecting security, account for both
  external and internal threats
• Define a limited number of discrete network trust
  zones
• Apply controls in a common way within zones
• Allow network traffic to flow freely within the
  Trusted Zone
• Rather than attempt to characterize every
  permitted data flow between trusted devices, rely
  on physical, management, and application-level
  technology controls within the trusted zone
• while providing a means to segment or quarantine
  portions of the trusted network as needed in an
  emergency
• Explicitly deny network traffic known to be
  malicious or against corporate policy
• Provide strong authentication mechanisms as
  appropriate
• Two-factor or certificate-based authentication
  for systems administration access and for remote
  VPN access
• Support strong authentication within applications
  as needed
• Use technology to enable coordination between
  multiple security information sources, including
  thorough event correlation across all platforms

11
Security Services Definitions
12
Network Communication Security ServicesNetwork
and Platform Trust Zones
Untrusted
Transitional
Trusted
Any Clients, Servers, Services
ltClientgt Governed VPN Clients on Untrusted
Networks
External

• External Systems
• External Services

Restricted
Controlled Connections Connections Authenticated
Connections Logged IDS Monitoring
Controlled Connections Default DENY Connections
Logged IDS Monitoring
Controlled Connections Default DENY Connections
Logged IDS Monitoring
DMZ 1
DMZ 2 n
Guest

• Public Facing Servers
• External Gateways
• DMZ Networks
• Guest High Risk Devices

No Horizontal Traffic
Controlled Connections Default DENY Connections
Logged IDS Monitoring
Controlled Connections Default ALLOW Connections
Logged
Server LAN 1
Server LAN 2 n
VPN VLANs
User LAN 1
User LAN 2 n
Mgmt. LAN
RD

• User Devices
• Business Systems and Data (Servers)
• Internal Networks (LAN/MAN/WAN)

Internal
Unique Trusted Segments Default Deny Horizontal
Traffic Connections Authenticated, Logged
Monitored
Default Allow Horizontal Traffic Ability to
filter traffic at network choke points Ability to
monitor traffic at network choke points
Controlled Connections Default DENY Connections
Logged IDS Monitoring
Controlled Connections Default ALLOW Connections
Logged
Server LAN 1
Server LAN 2
Server LAN n

• Sensitive Data Applications

No Horizontal Traffic
13
Network Communication Security ServicesNetwork
Communication Controls
Untrusted
Transitional
Trusted
Business Partner / Managed Service Provider
Employee
Any
Governed User Device
User Device
User Device
User Device or Application
Partner VPN Endpoint
S/W Firewall
FWDP
VPN Client
Packet Filter
FWDP
FWDP
FWPR
FWDP
FWDP
DD
DD
DD
DD
DD
DD
DD
DD
DD
DD
DD
DD
DD
DD
Partner Apps
Protected Partner VPN
Employee Outbound
Employee
Guest
Public
Utility
Restricted
Guest Devices
App GWs (SMTP, DNS, NTP, etc.)
Partner VPN Endpoint
Front End for Public Apps
FWPR
FWPR
VPN
Proxy
Proxy
FWPR
FWPR
A
DA
DD
DD
DA
DD
DA
DD
DA
DD
DA
DA
DD
A
A
S/W Firewall
A
Utility Apps
Non-Proxyable
Applications / Data
Governed User Devices
DA
DD
Default Allow
Hybrid Firewall with Deep Packet Inspection focus
Legend
FWDP
DA
Default Deny
DD
Authentication
Restricted Apps / Data
Hybrid Firewall with App Proxy focus
FWPR
A
A
HORIZON
14
Network Communication Security ServicesWireless
Security
Untrusted
Transitional
Trusted
Proprietary Svc
Carrier Svc
Wide Area
Firewall
VPN-Secured Public Wireless
802.11 b/g
Employee Services
Proxy
Restricted
Wireless eMail Gateway
Guest Wireless
802.11 b/g
Shared 802.11 Access Point
Unsecured Wireless with VPN-Secured Session
A/A Service
HORIZON
Governed Device
802.11i Client
S/W FW
802.11 b/g 802.11 i
Legend
Authentication
A
15
Anti-Virus and Content ControlAnti-Virus and
Content Control Capabilities
External Services
External Servers (Public, BP, Etc.) IM, SMTP, HTTP
External Client Application
Site Services
Enterprise Services
Site Shared
Device
Proxy Server
IM Gateway
AV Scan Targets
AV Scan Targets
Content Filters
Content Filters
URL or IP
File Transfer
File Transfer
Proxy Data
Text Pattern
Text Pattern
O/S, F/S, RAM
Active Content
O/S, F/S, RAM
Internal IM Service
AV Scan Targets
File Transfer
O/S, F/S, RAM
Removable Media
A Remote Employee System Tunneled into the
Network via a VPN connection is equivalent to an
Internal Client System. Refer to Client System
for Data Flows.
Legend
HORIZON
16
Enterprise Authentication/Authorization
ServiceSupplicants and Credentials
Untrusted
Transitional
Trusted
Business Partner/ Customer
Employee
Service Provider
Public
Satellite Office
Smart Card Reader
User Device
User Device
User Device
User Device
User Device
User Device
Site to Site VPN
A
A
or
or
or
A
B
B
C
TRANSITION
Depending on application
No Credentials
Restricted
B
Depending on application
B
And possibly
Public DMZ Application
Partner DMZ Application
D
Emp. DMZ Application
D
Depending on implementation
Proxy (Outbound)
Site to Site VPN
VPN
IP Filter
B
Management Console
Standard App or Utility Service
Server or Network Device
Or pass-thru from Local logon
A
A
User Device
Local logon
HORIZON
B
B
Sensitive App
B
Facilities Access System
Proximity or Mag. Stripe Card Reader
Network Device
Passthru from Local logon
D
HORIZON
B
Proximity chip or mag. stripe on same physical
card as
or
Legend
C
B
UserID/Password
A
Restricted Applications
User Certs (UserID/Password)
B
One-time Password token (transitional)
(UserID/Pwd)
C
Device Certs
D
17
Enterprise Authentication/Authorization
ServiceAuthentication Systems Model
External Services
Enterprise Services
Site Services
Web Applications
Site Shared
Device
Legacy System
Some Packaged Applications
Most Applications
Network Device
Web SSO layer
RADIUS
Proprietary
Proprietary
RADIUS/ TACACS Service
HORIZON
App-proprietary A/A
Active Directory Authentication Service
Legacy A/A System (e.g., RACF)
HORIZON
Physical A/A Service
OTP I/F
TRANSITION
One-Time Password Service (e.g., ACE)
PKI I/F
Native Data Interface
Native Data Interface
Native Data Interface
SUNSET
SUNSET
OTP accounts
App-specific A/A Data
AD A/A Store (employees)
RADIUS or TACACS accounts
Legacy A/A Data
Physical A/A Accounts
Second AD forest (non-employees)
PKI CRL Publishing
CRLs
TRANSITION
Legend
Utility Directory Services
One Time Password
OTP
Authentication Protocol Comm. Authorization Query
Data Movement / Integration
18
Identity Management ServicePublic Key
Infrastructure (PKI)
External Services

• User Certs live on
• Machines (DS)
• Cards
• Tokens

HTTP CRL distribution
Online Status Checking
HSM
CRLs
Enterprise Services
Site Services
External User Issuing CA
Second AD forest (non-employees)
Certs / CRLs
Device
Site Shared
HSM
Key Recovery
AD A/A Store (employees)
Internal User Issuing CA
Utility Directory Services
Certs / CRLs
HSM
Key Recovery
Device Issuing CA
Certs / CRLs
HSM

• Policy Procedures
• Enterprise Certificate Policy
• Certification Practice Statements
• Best Practices

(offline)
Root CA
HSM
19
Identity Management ServiceProvisioning and
Account Management Model
External Services
Enterprise Services
Site Services
IDM System
HR
Site Shared
Device
Business Rules
Bulk Updates
User Self Svc
User
Admin Services
Administrator
Email Notification
Workflow
Delegated Admin
Administrator
Connectors
API or scripted
App-proprietary Account Mgmt
One-Time Password Account Tools (e.g., ACE)
Legacy System Account Mgmt (e.g., RACF)
Physical A/A Account Tools
Native Data Interface
Native Data Interface
Native Data Interface
Native Data Interface
LDAP
LDAP
RADIUS
App-specific A/A Data
AD A/A Store (employees)
LDAP A/A Store (other users)
RADIUS or TACACS accounts
Legacy A/A Data
OTP accounts
Physical A/A Accounts
Legend
One Time Password
OTP
User - System Interactions System - System
Interactions
System Data Interactions
20
Security Management ServicesIntrusion Detection
/ Prevention
Untrusted
Transitional
Firewall
Trusted
HORIZON
Managed IDS Service
IDS Data
IDS Monitoring System
IDS Alert Logging
R
Exposed Router
VPN
NIDS
VPN
NIDS
IPS
Restricted
VPN
Server with HIDS
Firewall
VPN
Proxy
IP Filter
NIDS
NIDS
NIDS
IPS
IPS
IPS
Server with HIDS
IDS Data
Firewall
Server w/o HIDS
IDS Monitoring System
Network IDS Data Collection
Intrusion Prevention System
Legend
NIDS
IPS
Out of Band IDS communication
NIDS
Host IDS Agent
Server with HIDS
IDS Traffic
IPS
HIDS
21
Security Management ServicesAlert Processing
External Services
Advisory Alerts
Enterprise Services
Site Services
Device
Site Shared
Messaging Services
Vulnerability Assessment
User Device
A/V Alerts
Manual processes
Networking Devices Firewalls
SNMP Traps, Security logs
Mgmt./ Monitoring Console
A/V Alerts, SNMP Traps, HIDS Alerts
Servers
Alert Correlation System
Raw Data
Data Normalization
SNMP Traps, IDS Alerts
IDS System
Data Processing
Refined Data
Alert Generation
Forensic Tools
SNMP Traps, Security logs
Email, Pager, SMB, MOM, etc.
Networking Devices Firewalls
Log Mining Trend Reporting
DSS
22
Security Management ServicesUpdate Management
External Services
Signature Update Service
O/S or App Patch Services
Filter Update Service
Virus Signatures
Filter Triggers
Patches
Signature Updates Pulled From External Service
Site Services
Enterprise Services
Site Shared
Device
Customized Filters
Enterprise Anti-Virus Management System
Enterprise Content Filter System
Patch Staging Server
Patches
Push to AV Clients
Virus Signatures
Filter Triggers
Update Service
Operations Release Management
Updates pushed to all appropriate platforms
Policy Management Consoles
Security Policies
23
Encryption ServicesSecure Messaging
Untrusted
Transitional
Firewall
Trusted
Firewall
Business Partners (Ad Hoc)
Business Partners or Public (Ad Hoc)
Business Partners (Planned)
User Device
Email Client
Firewall
Certificate
BP Certificate directory
SMTP Gateway
SMTP Gateway
SMTP Gateway
Utility
Restricted
Email encrypted between domains using MTA-to-MTA
S/MIME
A
Normal Email Transport
Published Certificate directory
Normal Email Transport
Firewall
SMTP Gateway
SMTP Gateway
SMTP Gateway
File Services
Messaging Services
Firewall
Employee Device
Employee Device
Employee Device
Email Client
Email Client
Email Client
Encryption Utility
Certificate
E-Mail encrypted with client-to-client S/MIME
Normal email with self-decrypting file attachment
(Password transmitted out of band)
Legend
Authentication
A
Encrypted Data
Unencrypted Data
24
Encryption ServicesNetwork Encryption
Untrusted
Firewall
Transitional
Trusted
External System
BP User Device or Application
Firewall
IPSEC, AES, 3DES
SSL, TLS, SFTP
SSL, TLS
SSL, SSH, SFTP
S/MIME
SSL, TLS
Restricted
Application Front End
Application Front End
SMTP Gateway, DNS, NTP, etc.
Proxy
Firewall
VPN
SSL, SSH, SFTP
Management Workstation
User Devices
SSL
802.11 Client
Management Applications
HORIZON
Data
SSL
EAP
Legend
SSL
SSL
Restricted Applications
VPN Tunnel
Restricted Data