Security Landscape Presentation


Presentation of an example security landscape

Published in: Technology
  • Security is everyone’s job. For IT, its features are ingrained in the technology and procedures they use. I may touch on items managed by other people around this table and point those out.
  • PAN 5020 internet browsing as part of the internet consolidation project
    • It’s the new firewall: full application firewall.
    • Firewalls used to be port management. Now, most ports are blocked except 80 and 443. To the hacker, these are always available.
    • Goal: better understand and control what goes through those ports.
  • Juniper VPN Infrastructure
    • SSG520 Appliance Cluster – Concentrator for 90+ remote Site-to-Site offices connecting with Juniper Firewalls.
    • Avaya VPN Phone connectivity for remote users.
    • ISA 2006 – primary ISA firewall for Perimeter applications and reverse proxy of OWA, OCS, ActiveSync, Outlook Anywhere
    • ISA 2006 Firewall for publishing current and external websites to Internet, used for website
  • ActiveSync and BES: device encryption, remote wipe, encryption (yes for iPhone, no for Android?)
  • SendIT Appliance and application support
    • External FTP server and project folder management
    • Secure FTP infrastructure for Oracle Alert Driving data transfer
    • Zscaler web filtering application management and configuration on 90+ Juniper firewalls
      • URL filtering
      • Botnet, browser exploits protection
      • Works through a redirect of all HTTP traffic
      • Soon to be replaced by PAN
    • Microsoft Exchange Hosted Solution (EHS), Vircom server and application for SMTP mail flow
    • Quarantine and Spam management
  • Complete management of External DNS and domains in Network Solutions for all and PBSJ subdomains
    • GlobalSign external Public SSL certificate management for all perimeter and some internal SSL websites
    • 2 Microsoft DNS caching servers on DMZ for DNS caching of DNS requests
    • ODCEDGE DMZ server for OCS
    • MEWEB01 – for McLaren Enterprise
  • WSUS – Patch management application for enterprise-wide patching of servers & workstations
    • McAfee Infrastructure
      • ePO server configuration and management of software, policies and reporting
      • 5000+ nodes consisting of workstations and servers for Antivirus and Spyware
    • Antigen/Forefront for Antivirus on current Exchange Infrastructure
    • AD Rights Management (ADRMS) Infrastructure – configuration of policies, client deployment, setup, training guides etc.
    • Internal PKI Infrastructure – Root CA server and Issuing CA server, architecture configuration, maintenance, security of infrastructure. Issuance of machine certificates to all enterprise workstations and servers. Issuance of internal code signing certificates and SSL certificates for internal applications.
    • Wireless Aerohive Infrastructure
      • Hive Manager and Guest Manager Appliance: configuration, software updates, maintenance, security policy configuration.
      • 200 wireless access points: security policy configurations, RADIUS configuration and software updates
  • Password Auditing
    • L0phtcrack
    • E-mail reminders upon 90 day expiration
    • Password Reset/enable. Unlocks userIDs.
    • 2 Microsoft IAS RADIUS servers for Wireless, Switch and Router Authentication for users.
    • Password Auditing Server: Running L0phtcrack
    • LogRhythm SIEM Appliance – Collection of Security logs and domain controller logs, future collection of networking equipment (i.e. switches and routers).
    • IAS: Internet Authentication Server
    • SIEM: Security Information and Event Management
    • ADRMS: Active Directory Rights Management Service
    • Internal PKI: Allows us to issue our own internal certificates, plays role in federating domains
  • Complex password- At least 8 characters, 1 letter, 1 number, 1 special character
  • Software inventory is obtained through Altiris, compared against licenses on-file by the respective area
    • Concept of Least privilege: Grant only the privileges required to fulfill job responsibilities.
    • 4 AD Domain administrators
  • McAfee and ePO agent
    • Ugh – IE 7
    • To protect from retired workstations, there is an automated process to remove them from the domain
  • IE Settings: Zones, etc.
    • Altiris workstation images: Used on new and rebuilt computers to provide a consistent, supportable, secure system
  • Desktop Security
    • Browser upgrades to IE8 for XP and IE9 for Windows 7 (IE9 is fully W3C compliant finally from Microsoft)
    • Compatibility testing of all internal applications
    • Implementation of Pop-up Blocker on Enterprise desktops
    • Possible implementation of Windows Firewall on workstations (currently a requirement at DOT)
  • Security Landscape Presentation

    1. AGENDA
        1) The Perimeter
        2) The Interior
        3) The Security Policy
        4) Workstation & Server Standards
        5) Questions
    2. PERIMETER FIREWALLS
        • Checkpoint UTM for site-to-site VPN with UK
        • Checkpoint UTM for ATG / IS data center
        • Palo Alto for Atlanta Data Center (DMZ), internet browsing, and disaster recovery
    3. PERIMETER FIREWALLS
        • Juniper for VPN infrastructure
        • ISA for perimeter applications and reverse proxy
    4. PERIMETER REMOTE ACCESS
        • Nortel Extranet: Client based
        • Juniper: Clientless
        • ActiveSync
        • BES
    5. PERIMETER APPLICATIONS
        • SendIt file transfer
        • FTP / Box.Net
        • Web Security
        • E-mail Anti-virus / anti-malware / antispam
    6. PERIMETER APPLICATIONS
        • DNS and domain registration
        • Public security (SSL) certificates
        • DNS Caching
        • Various server support
    7. INTERNAL APPLICATIONS
        • Patch management: WSUS and Altiris
        • Computer anti-virus and anti-malware
        • ADRMS
        • Internal PKI
        • Wireless
    8. INTERNAL APPLICATIONS
        • IAS: Radius authentication
        • Password auditing
        • SIEM
        • ADFS
    9. POLICY AND PROCEDURE
        • Password change every 90 days
        • Complex password
        • IT installs all software
        • All software stored in secure location
    10. POLICY AND PROCEDURE
        • Periodic software audits
        • Data backups
        • Incident Management
        • Security Awareness
        • Least privilege
    11. WORKSTATION STANDARDS
        • Anti-virus / management agent
        • IE7
        • Windows XP SP3
        • Automated process to remove unused workstations from the domain
    12. WORKSTATION STANDARDS
        • Local administrative privilege allowed by exception
        • Guest and administrator account disabled
        • Administrator account renamed
        • No Windows firewall
        • No pop-up blocker
    13. WORKSTATION STANDARDS
        • Unused computers are removed from the domain
        • Other policies as recommended in Microsoft Baseline Security Configuration Manager
        • Variety of IE settings
        • Altiris workstation images
    14. SERVER STANDARDS
        • Anti-virus / management agent
        • Windows 2003 R2 or higher
        • Redundant hardware / UPS to protect against data loss
    15. SERVER STANDARDS
        • Regular backup with offsite storage to ensure data availability
        • Encryption and secure protocols
        • Other policies as recommended in Microsoft Baseline Security Configuration Manager
        • Altiris server images
    16. VISION
        • Vulnerability management
        • Full Disk Encryption
        • Intrusion prevention
        • Desktop Security
        • Mobile Device Management
        • Segregate confidential systems: HR, Financial, and application development
    17. Questions? Thank you for your attention.