Approvals
APPROVAL PRIOR TO INITIAL PMOC MEETING
The undersigned agree that this document represents the high-level specifications for infrastructure and operations requirements, including resources. Recommendation is granted for the project to move forward, given these specifications delivered to IT from the project team.

Approver: IT Infrastructure Team, Project Manager (Name / Signature / Date Signed)

SIGNOFF PRIOR TO PROJECT BUILD PHASE
The undersigned agree that this document represents the definition of the project and accept the responsibility for the delivery of the defined outcomes. Approval is granted for the project to move forward.

Approver: Business Sponsor, Technical Architect, Project Manager, IT Director (Name: James Cabe / Signature / Date Signed)

Last Revision: [Month, Day, Year]
Document History
The following table shows a history of document changes. Refer to the Approvals section at the front of the document to see the approving bodies for those changes.

Revision #   Revision Date   Author       Description of Changes
1            11-31-2010      James Cabe   Initial Start of Document
2            4-13-2011       James Cabe   Final Rough
[CUSTOMER]- Confidential
Page 2 of 25
Table of Contents
1     INTRODUCTION ........................................................ 4
1.1   PROJECT OVERVIEW ................................................... 4
1.2   HIGH-LEVEL BUSINESS & TECHNICAL REQUIREMENTS ....................... 5
1.3   BUSINESS & TECHNICAL CONSTRAINTS / ASSUMPTIONS ..................... 5
1.4   RELATED DOCUMENTS .................................................. 6
2     RECOMMENDED SOLUTION ARCHITECTURE .................................. 7
2.1   SOLUTION OVERVIEW .................................................. 7
2.2   LOGICAL SOLUTION PROFILE ........................................... 15
2.3   SEQUENCE OF IMPLEMENTATION ......................................... 16
2.4   INFORMATION USAGE PROFILE .......................................... 20
2.5   SOLUTION RETIREMENT ................................................ 20
3     TO-BE SOLUTION ARCHITECTURE DETAIL ................................. 20
3.1   INFRASTRUCTURE ..................................................... 20
3.2   TECHNICAL OPERATIONS COMPONENTS .................................... 22
3.3   TECHNICAL RESOURCES ................................................ 22
4     RISKS AND LIMITATIONS .............................................. 23
5     FUTURE CONSIDERATIONS .............................................. 23
6     APPENDIX ........................................................... 23
6.1   PRINCIPLE OF LEAST PRIVILEGE ....................................... 23
6.2   MCAFEE AGENT ARCHITECTURE .......................................... 24
6.3   NEW EDGE ARCHITECTURE .............................................. 25
1 Introduction
In computer security, the term threat modeling has two distinct but related meanings. The first is a description of the security issues the designer cares about. This is the sense of the question, "What is the threat model for web browsing for [CUSTOMER]?" In the second sense, a threat model is a description of a set of security aspects; that is, when looking at a piece of software (or any computer system), one can define a threat model by defining a set of possible attacks to consider. It is often useful to define many separate threat models for one computer system. Each model defines a narrow set of possible attacks to focus on. A threat model can help to assess the probability, the potential harm, the priority, etc., of attacks, and thus help to minimize or eradicate the threats. More recently, threat modeling has become an integral part of Microsoft's SDL (Security Development Lifecycle) process. The two senses derive from common military uses in the United States and the United Kingdom.

Threat modeling is based on the notion that any system or organization has assets of value worth protecting, that these assets have certain vulnerabilities, that internal or external threats exploit these vulnerabilities in order to cause damage to the assets, and that appropriate security countermeasures exist that mitigate the threats. Threat modeling looks at a system from an adversary's perspective to anticipate security attacks and is based on the premise that an adversary cannot attack a system without a means of supplying it with data or otherwise interacting with it. Documenting the system's entry points, i.e., the interfaces it has with the rest of the world, is crucial for identifying possible vulnerabilities. Threat modeling uses traditional Data Flow Diagrams (DFDs) with security-specific annotations to describe how data enters, leaves and traverses the system.
One large project at Microsoft has over 1,400 completed and reviewed threat modeling DFDs, which is why Microsoft needed a semi-automated approach to support and enhance a threat modeling process that is still mostly manual.

The business problem: sophisticated attacks continue to tax security and compliance operations teams. The proliferation of multiple point products complicates the ability to detect incidents and to find the root cause of breaches, because the disparate tools don't share threat information. Moreover, audit preparation requires significant manual work to collect and report on compliance documentation from multiple data silos.

[CUSTOMER] has chosen two strategic directions to secure their infrastructure: first and foremost, network infrastructure best practices, including an audit of the current network infrastructure; and second, the implementation of new systems that control the network. Network Admission Control, new antivirus technologies, Internet content filtering (for browsing), and an Intrusion Prevention System are systems that will be controlled by ePolicy Orchestrator (ePO), a centralized management and logging console from McAfee. McAfee ePO extends traditional log management by collecting additional types of critical security information, including configuration, asset, performance, vulnerability, and network flow data, on a centralized platform. This ensures that all teams work off the same data set without duplication of effort and gain a new degree of agility from understanding the relationships among these disparate sets of data. McAfee ePO will help [CUSTOMER] manage the strategic infrastructure layers it has chosen to bring under central management: endpoint (workstation\server), messaging, network port access, internet connection, and content filtering.
The server will also make available reporting and data collection from those strategic layers:
- Log and event data
- Configuration data
- Asset data
- Network flow data
- Vulnerability data
- Performance metrics
infrastructure during implementation. After the implementation of each phase, training will be scheduled with stakeholders for the hand-off of the monitoring, feeding, and care of the infrastructure.

Typical network security methodology divides the infrastructure into two separate focus groups. The first is the edge, which comprises the devices that provide entry points into enterprise or service provider core networks. Edge devices also provide connections into carrier and service provider networks such as internet carriers. The second focus group is the core network. Typically this refers to the high-capacity communication facilities that connect primary nodes; the definition can be expanded to include devices directly connected to those facilities. [CUSTOMER] Wind Energy infrastructure network security currently covers the core with best practices such as the Principle of Least Privilege, antivirus, and network segmentation. The edge is covered with firewalls and antivirus technology.

The topic of network security is dominated by consolidation: consolidation of divergent network infrastructure vendors, consolidation of edge security functionality into unified threat management (UTM), and consolidation of application patch data into regular updates. The threats are network-wide viruses, denial of service attacks (internal and external), spam, and white-collar data theft and resource misuse. There are regulatory pressures that could mean the end of the business and even prison time for company executives.
If that were not enough, businesses also face increased security threats from new technologies and business culture changes, such as demands from the workforce or company strategy to enable remote working, managing the use of instant messaging, deploying technical resources in a secure manner, and internal attacks, which make up the majority of successful attacks on any enterprise. The proposal is that the HWE IT staff will consolidate logging, monitoring, policy management, and enforcement into one console. New technologies that cover the edge of the network and enable threat management, such as content filtering and intrusion prevention (host and edge based), will be introduced, and the systems that currently plague the infrastructure staff (hosted antivirus and network admission control) will be addressed. The new Edge Architecture will be deployed on mobile infrastructure as well, to extend threat management beyond the HWE infrastructure.
In all phases of the project there will be communication with the business to ensure there is widespread knowledge of everything that is being implemented for the protection of the business, the end users, and business proprietary information.
ePolicy Orchestrator requires MS SQL 2008 for the database. According to current policy, this will require an IT infrastructure instance and a Service Account that holds the System Administrator (sysadmin) role during installation and is reduced to Database Owner (db_owner) on the ePO database after installation. These are SQL Server roles rather than NTFS permissions; the sysadmin role should be removed once the installation has completed so that the service account retains only what it needs to operate. The database will exist on a new instance of the Infrastructure Database cluster.

Disaster Recovery Planning: the ePO server and the client access server in Houston are installed on SCVMM clusters. In the event of a network outage, the disk files are moved between sites. If there is an outage of the server, snapshot backups are taken via the NetApp SnapManager software on the VM hosts. If there is a MAN outage to the data center from Houston, there is a fail-over link over the F5 Link Controllers. If both of those circuits are cut, the VPN-based internet connection will provide backup connectivity to the data center.
2.1.2 Content Filter: McAfee Web Gateway, McAfee SiteAdvisor Enterprise
Content filtering is commonly used by organizations such as offices and schools to prevent computer users from viewing inappropriate web sites or content, or as a pre-emptive security measure to prevent access to known malware hosts. Filtering rules will be set on the ePolicy Orchestrator server, and SiteAdvisor Enterprise will be pushed to the endpoints via the McAfee Agent on individual computers; filtering is also applied at a central point, the content filtering appliance, McAfee Web Gateway. Depending on the sophistication of the system used, different computer users can have different levels of internet access.

The Web Gateway appliance protects the network against threats arising from the web, such as viruses and other malware, inappropriate content, data leaks, and related issues. It also supports regulatory compliance and a productive work environment. The appliance is installed as a gateway that connects the network to the web. Following the implemented web security rules, it filters the requests that users send to the web from within the network. Responses sent back from the web, and embedded objects sent with requests or responses, are also filtered. Malicious and inappropriate content is blocked, while useful content is allowed to pass through.

2.1.2.1 McAfee Web Gateway Appliance
Filtering web traffic is a complex process. The main functions of the appliance contribute to it in different ways:

Filtering web objects: special anti-virus and anti-malware functions on the appliance scan and filter web traffic and block objects when they are infected. Other functions filter requested URLs, using information from the global TrustedSource intelligence system, or do media type and HTML filtering. They are supported by functions that do not filter themselves, but do such jobs as counting user requests or indicating the progress made in downloading web objects.
Filtering users: this is done by the authentication functions of the appliance, using information from internal and external databases and methods such as NTLM, LDAP, RADIUS, Kerberos, and others. In addition to filtering normal users, the appliance also gives control over administrator rights and responsibilities.

Intercepting web traffic: this is a prerequisite for any filtering of web objects or users. It is achieved by the gateway functions of the appliance, using different network protocols, such as HTTP, HTTPS, FTP, Yahoo, ICQ, Windows Live Messenger, and others. As a gateway, the appliance can run in explicit proxy mode or in transparent bridge or router mode. In explicit proxy mode the clients must be pointed at the appliance, so direct outbound HTTP/HTTPS from the client networks has to be blocked at the firewall or the filter can simply be bypassed; the transparent modes avoid that dependency but place the appliance in the traffic path.

Monitoring the filtering process: the monitoring functions of the appliance allow a continuous overview of the filtering process. They include a dashboard providing information on web usage, filtering activities, and system behavior, as well as logging and tracing functions and options to forward data to an ePolicy Orchestrator or do event monitoring with an SNMP agent.

The following are the main activities needed to administer the appliance:

Perform the initial setup: the appliance can be set up on a physical hardware platform or on a virtual machine. The setup procedure includes the initial configuration of system parameters, such as host name and IP address, implementing an initial system of filtering rules, and licensing. Two wizards are available in this phase, one for the initial configuration, another for the filtering rules.

Configure the gateway functions: after the initial setup, explicit proxy mode and the HTTP protocol are preconfigured on the appliance. This can be modified, and the other network components that the appliance communicates with can be configured.
Modify filtering rules: the filtering rules are the building blocks of the web security policy. The system of filtering rules implemented during the initial setup can be reviewed and modified. Authentication is not implemented initially. Working on the filtering rules also includes maintaining the lists that these rules use and configuring the settings for rule actions and for the modules involved in the filtering process.

Monitor the appliance: once the appliance is configured according to requirements, it can be monitored to see how it performs the filtering process. System functions, such as CPU and memory usage, can also be monitored.

2.1.2.2 McAfee SiteAdvisor Enterprise
SiteAdvisor Enterprise Plus requires the following components to be installed and running to provide managed web browsing protection:
- ePolicy Orchestrator server and repository: the management tool that installs software, deploys policies, monitors activity, creates reports, and stores and distributes content and software updates.
- Agent (ePO agent or McAfee Agent): the agent installed on a managed computer that acts as the intermediary between the client system and the ePO server and database. It sends data between the client and the ePO server.
- SiteAdvisor Enterprise Plus management component (SiteAdvisor Enterprise Plus extension for ePolicy Orchestrator): provides the interface to policy management in the ePO console.
- SiteAdvisor Enterprise browser plug-in on the client: provides browsing protection for the client system on which it is installed.

If Web Filtering for Endpoint was purchased, these additional components are included:
- Web Filtering for Endpoint management component (Web Filtering for Endpoint extension for ePolicy Orchestrator): provides web content filtering management on the SiteAdvisor Enterprise Plus policy pages in the ePO console.
- Web Reporter application: provides more detailed reports based on site content category and rating.
2.1.3 Intrusion Prevention System: IntruShield Appliance, McAfee Host Intrusion Prevention System (HIPS)
Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of an IPS are to identify malicious activity, log information about it, attempt to block or stop it, and report it. An IPS does more than an intrusion detection system: because it is placed in-line, it can actively prevent or block the intrusions it detects rather than only report them (a sensor fed from a SPAN or tap port sees only a copy of the traffic and can alert but not block). Actions available to an IPS include raising an alarm, dropping the malicious packets, resetting the connection, and blocking further traffic from the offending IP address. These systems can also correct CRC errors, reassemble fragmented packet streams, mitigate TCP sequencing problems, and clean up unwanted transport- and network-layer options.

McAfee IntruShield IPS is a combination of network appliances and software that detects and prevents intrusions, denial of service (DoS) and distributed denial of service (DDoS) attacks, and network misuse, combining real-time intrusion detection and prevention. IntruShield is a multi-tiered solution with a web management console and sensors attached to the portions of the network that are to be protected. The management component, the IntruShield Security Manager (ISM), will be located on the ePO management server on a different IP address than the ePO itself. It will be installed at both the data center and Houston sites. Policies, signatures, and management of the IPS sensors will be done from either of these consoles.
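As an added illustration (not code from this document or from McAfee), the following Python model shows what the verdicts above mean in practice and why sensor placement matters: the same signature policy is run once as an inline sensor and once as a passive SPAN/tap sensor. The signature names, patterns, addresses and payloads are constructed for the example and are not IntruShield signatures.

```python
"""Inline IPS versus passive IDS: what each verdict means in practice.

Added example, not code from the planning document or from McAfee.
Signatures, addresses and payloads are constructed for illustration;
real IntruShield signature sets are far richer than substring matches.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    dport: int
    pattern: bytes   # naive substring match, stands in for real content/regex matching
    action: str      # one of: alert, drop, reset, block_src


class Sensor:
    """One sensor port. inline=True models an in-path (inline/transparent) port,
    inline=False a SPAN/tap port that only receives a copy of the traffic."""

    def __init__(self, signatures: List[Signature], inline: bool) -> None:
        self.signatures = signatures
        self.inline = inline
        self.blocked_sources: Set[str] = set()
        self.events: List[Dict[str, object]] = []

    def _match(self, pkt: Packet) -> Optional[Signature]:
        for sig in self.signatures:
            if sig.dport == pkt.dport and sig.pattern in pkt.payload:
                return sig
        return None

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet: forward, drop or reset."""
        if self.inline and pkt.src in self.blocked_sources:
            # Once a source is blocked, everything it sends is dropped, benign or not.
            self.events.append({"sid": None, "src": pkt.src, "action": "drop",
                                "note": "source previously blocked"})
            return "drop"

        sig = self._match(pkt)
        if sig is None:
            return "forward"

        action, note = sig.action, ""
        if not self.inline and action != "alert":
            # A passive sensor sees the copy after the packet has already reached
            # its destination; it can report, never prevent.
            note = f"policy says {action}, degraded to alert: sensor not inline"
            action = "alert"
        self.events.append({"sid": sig.sid, "src": pkt.src, "action": action, "note": note})

        if action == "alert":
            return "forward"                      # log only, traffic passes
        if action == "drop":
            return "drop"                         # this packet is discarded
        if action == "reset":
            return "reset"                        # discarded and TCP RST sent to both ends
        if action == "block_src":
            self.blocked_sources.add(pkt.src)     # offending host quarantined at the sensor
            return "drop"
        raise ValueError(f"unknown action {action!r}")


# Constructed signature set (not real IntruShield signatures).
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", 80, b"../../", "drop"),
    Signature(1002, "worm propagation marker over SMB", 445, b"WORM_MARKER", "block_src"),
    Signature(1003, "cleartext telnet login to infrastructure", 23, b"login:", "alert"),
    Signature(1004, "xp_cmdshell over SQL Server port", 1433, b"xp_cmdshell", "reset"),
]

# Constructed traffic sample.
TRAFFIC = [
    Packet("10.1.1.5", "10.9.0.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.1.1.5", "10.9.0.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.2.2.7", "10.9.0.20", 445, b"\x00WORM_MARKER\x00"),
    Packet("10.2.2.7", "10.9.0.30", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.3.3.9", "10.9.0.40", 23, b"login: "),
    Packet("10.4.4.4", "10.9.0.50", 1433, b"EXEC xp_cmdshell 'whoami'"),
]


def run(inline: bool, traffic: List[Packet] = TRAFFIC) -> Dict[str, object]:
    """Run the constructed traffic through one sensor and report what happened."""
    sensor = Sensor(SIGNATURES, inline=inline)
    verdicts = [sensor.process(p) for p in traffic]
    return {"verdicts": verdicts,
            "blocked_sources": sensor.blocked_sources,
            "events": sensor.events}


if __name__ == "__main__":
    for mode in (True, False):
        result = run(inline=mode)
        print("inline" if mode else "passive", result["verdicts"])
        for ev in result["events"]:
            print("   ", ev)
```

Run inline, the block_src verdict quarantines 10.2.2.7 at the sensor, so its later, benign HTTP request is dropped as well; run passive, every preventive action degrades to an alert and all six packets reach their destinations. That is the practical difference between an IDS and an IPS, and it is why the sensors in this design go inline at the choke points rather than on a monitoring port.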
The major components of IntruShield IPS are:
- IntruShield Security Manager (ISM) server
- IntruShield Sensors
- McAfee Update Server (the ISM server communicates with it for signature set updates and software downloads)

Intrusion sensors will be located at the internet choke points for Houston and the Dallas Data Center. There will also be monitoring of the network segments outside and inside the firewalls. There are several considerations for the placement of the sensors. Deployment of an IntruShield IPS requires specific knowledge of the network's security needs. Answering the following questions determines which sensor model best suits the environment and in what operating mode each sensor port will be deployed:
- What is the size of the network?
- How many access points are there between the HWE network and the extranets or Internet?
- Where is the critical infrastructure that requires protection within the network?
- Where are the security operations located?

2.1.3.1 Network Size
The HWE network is fairly large for the head count of the company. The wind farms are geographically diverse. If there is more than one wind farm within a short geographic area (typically 3-4 hours of driving), they usually share an Operations and Maintenance (O&M) facility. There are 13 O&M facilities on the network. The O&M facilities roll up to Regional Offices (RO), which house the middle management and executives making strategic logistics decisions. There are 7 ROs in the infrastructure. The last type of office on the network is the temporary Construction Office (CO). In total there are 33 edge-type sites in the network. The company is growing and will add 4 new sites in the New Year. The sites connect to two hubs that are well connected and act as DR sites for each other.

2.1.3.2 Access Points (choke points)
Each of these office types has its own internet connection.
Traffic to the internet is currently allowed out through the firewall local to each site. During the Network Security project, this traffic will be re-routed through the IPS located centrally at the hub sites.

2.1.3.3 Critical Infrastructure (applications)
The majority of the critical infrastructure is located in the hub sites, referred to as the core. The core currently has no Demilitarized Zone (DMZ). One of the main features of this project is the creation of a DMZ between the server infrastructure and the rest of the hub and edge networks. The DMZ will not be a Network Address Translated (NATed) DMZ; instead the separation will be enforced by the inline IPS sensors, which keeps the work needed to move infrastructure resources to a minimum. Because this boundary is enforced by sensor policy rather than by addressing or a separate firewall, its strength depends on the policies applied to those sensor ports and on how the ports behave on failure: a fail-open bypass would remove the boundary along with the inspection.

2.1.3.4 Proposed Two-Layer HIPS\IPS Flow
2.1.3.5 Operations Considerations
Ingress and egress on the network will be through the Internet connections located in Houston and in Dallas. These hub sites are the most connected and house the majority of the applications and critical infrastructure. The management and policy servers will be housed at these sites in the data center. The console will be located on virtual servers that create a clustered effect, so that a hardware outage does not affect management of the security infrastructure. More detail about the deployment of sensors (in multiport, inline, transparent mode) can be found in the IPS Deployment Guide.
2.1.4 Network Admission Control: McAfee NAC Appliance, McAfee Network Access Control
McAfee Network Access Control is security software that protects corporate networks by controlling access for systems that do not comply with IT security policies. The software integrates with McAfee ePolicy Orchestrator and provides policy creation, device detection and mapping, compliance assessment, network access control, and remediation capabilities for the systems on the network. The components of McAfee NAC are:
- McAfee NAC server (ePO)
- McAfee NAC sensor (appliance)
- McAfee NAC scanner (client\ePO\appliance)
- McAfee NAC remediation portal (phase II of project implementation)

McAfee NAC detects and assesses systems attempting to enter the network and can enforce policy compliance before allowing them on to the network. Pre-admission control alone is not complete network security, however: a system can pass its posture check and then behave maliciously, so comprehensive and continuous network security requires effective post-admission control. IntruShield will provide the post-admission control. IntruShield can alert in real time about post-admission threats and exploit attempts, such as a system generating malicious traffic. McAfee NAC and IntruShield collaboratively handle the offending system: IntruShield can quarantine a rogue system and redirect all of its HTTP traffic to the remediation portal until remediation is complete.
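The following Python sketch is an added example, not code from this document or from McAfee NAC: it models the pre-admission posture check, the post-admission quarantine triggered by an IPS event, and the HTTP redirect to the remediation portal described above. The policy thresholds, host postures, IPS event record and the nac.example.internal hostname are constructed; the portal path and port are the ones this document lists for the remediation portal.

```python
"""Pre-admission posture check and post-admission quarantine (added example).

Not code from the planning document or from McAfee NAC/ePO. Posture fields,
policy thresholds and the IPS event record are constructed; the portal path
and port are those listed in this document for the remediation portal.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hostname is assumed; path and port match the document's remediation portal URL.
PORTAL_URL = "https://nac.example.internal:8443/nac/portal/default.htm"


@dataclass
class Posture:
    host: str
    ip: str
    agent_installed: bool        # McAfee Agent present, i.e. the host is managed
    av_dat_age_days: int         # age of the antivirus signature (DAT) set
    hips_running: bool
    missing_critical_patches: int


@dataclass
class Policy:
    max_dat_age_days: int = 3
    require_hips: bool = True
    max_missing_critical: int = 0


@dataclass
class Decision:
    ip: str
    state: str                           # "admitted" or "quarantined"
    reasons: List[str] = field(default_factory=list)
    redirect_http_to: Optional[str] = None


def assess(p: Posture, policy: Policy) -> Decision:
    """Pre-admission check: every failed control is recorded as a reason."""
    reasons: List[str] = []
    if not p.agent_installed:
        reasons.append("unmanaged host: McAfee Agent not installed")
    else:
        if p.av_dat_age_days > policy.max_dat_age_days:
            reasons.append(f"DAT {p.av_dat_age_days} days old, limit {policy.max_dat_age_days}")
        if policy.require_hips and not p.hips_running:
            reasons.append("HIPS not running")
        if p.missing_critical_patches > policy.max_missing_critical:
            reasons.append(f"{p.missing_critical_patches} critical patches missing")
    if reasons:
        return Decision(p.ip, "quarantined", reasons, PORTAL_URL)
    return Decision(p.ip, "admitted")


class AdmissionController:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.state: Dict[str, Decision] = {}

    def preadmission(self, p: Posture) -> Decision:
        decision = assess(p, self.policy)
        self.state[p.ip] = decision
        return decision

    def postadmission_event(self, event: Dict[str, str]) -> Decision:
        """An IPS alert about an admitted host pulls it back into quarantine."""
        ip = event["src"]
        reason = f"IPS event {event['sid']} ({event['name']})"
        current = self.state.get(ip)
        if current is not None and current.state == "quarantined":
            current.reasons.append(reason)        # already quarantined, record the new reason
            return current
        decision = Decision(ip, "quarantined", [reason], PORTAL_URL)
        self.state[ip] = decision
        return decision

    def http_redirect(self, ip: str, requested_url: str) -> str:
        """Quarantined and never-assessed hosts only reach the remediation portal."""
        decision = self.state.get(ip)
        if decision is None or decision.state == "quarantined":
            return PORTAL_URL
        return requested_url


# Constructed hosts and IPS event.
HOSTS = [
    Posture("ws-fin-01", "10.20.1.15", True, 1, True, 0),     # compliant, later misbehaves
    Posture("ws-fin-02", "10.20.1.16", True, 0, True, 0),     # compliant
    Posture("ws-ro-07", "10.20.2.40", True, 9, True, 0),      # stale DAT
    Posture("contractor", "10.20.3.77", False, 0, False, 0),  # unmanaged laptop
    Posture("ws-om-03", "10.20.4.12", True, 0, False, 2),     # no HIPS, missing patches
]
IPS_EVENT = {"src": "10.20.1.15", "sid": "1002", "name": "worm propagation marker over SMB"}


def run_demo() -> Dict[str, object]:
    nac = AdmissionController(Policy())
    for host in HOSTS:
        nac.preadmission(host)
    nac.postadmission_event(IPS_EVENT)            # post-admission control from the IPS
    intranet = "http://intranet.example.internal/"
    return {
        "states": {ip: d.state for ip, d in nac.state.items()},
        "reasons": {ip: d.reasons for ip, d in nac.state.items()},
        "redirects": {ip: nac.http_redirect(ip, intranet)
                      for ip in ("10.20.1.15", "10.20.1.16", "10.20.9.9")},
    }


if __name__ == "__main__":
    for section, rows in run_demo().items():
        print(section)
        for ip, value in rows.items():
            print(f"  {ip}: {value}")
```

Note the two ways a host ends up at the portal: failing the pre-admission check, or being admitted and then flagged by the IPS. A host that never went through assessment at all (10.20.9.9) is also redirected, which is the fail-closed default a NAC deployment should keep.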
2.1.4.1 HWE Layout
The HWE network consists of two hub\aggregation points. The Core1 switches connect the two sites with a 500 Mbps Metropolitan Area Network, connect the remote sites via the MPLS cloud, and terminate the Internet connections for both hub sites. The two Core2 switches aggregate client connections on the LAN, remote access VPN, and the L2L VPN tunnels that serve as backup circuits for the remote sites. The logical choke point in the network for the IPS sensor is the Core1 switch connection at the Houston site, which protects the largest number of end users and the vital internal networks. The ePO server will reside in the Data Center on virtual infrastructure, with matching infrastructure in Houston for backup (snapshots replicated to Houston daily).
2.1.4.2 Components and Concerns McAfee NAC Server IP Address: You need to specify the IP address of your McAfee NAC server for an IntruShield sensor to communicate with it. Important: You can integrate IntruShield with the McAfee NAC-ePO integrated server or with a standalone McAfee NAC server. However, if you are to use your Windows logon credentials for logging on to the ePO server, then you can only integrate IntruShield with the McAfee NAC-ePO integrated server.
McAfee NAC Server Anonymous Port: the console-to-server communication port. The IntruShield sensor uses this port for its initial communication with the McAfee NAC server. Valid values are 1 to 65535; the default is 8443.

McAfee NAC Server SSL Port: the port an IntruShield sensor uses for its trusted communication with the McAfee NAC server. The default is 8444. This is the same port that McAfee NAC sensors and scanners use to communicate with the McAfee NAC server. Contact the McAfee NAC server administrator for more information.

McAfee NAC Server Root Certificate: the self-signed certificate that comes as part of the McAfee NAC installation. Store this certificate file where you can access it so that you can import it into the ISM and subsequently push it to the IntruShield sensor when you establish communication between the sensor and the ISM. This certificate is what lets the IntruShield sensor authenticate the McAfee NAC server, so it should be copied from the NAC server itself over a trusted channel rather than accepted from any other source. Note: the certificate is in the ePO install directory, by default under \db\certificates.

ePO User Credentials: the administrator user name and password of the ePO server that is communicating with McAfee NAC. These are passed to the IntruShield sensor through the ISM, and the sensor then uses them to establish trust with McAfee NAC. Because these are ePO administrator credentials, the ISM and sensor configuration that holds them must be treated as sensitive.
The ePolicy Orchestrator rollout follows these steps:
1. Plan the ePolicy Orchestrator System Tree and updating scheme.
2. Create the ePolicy Orchestrator System Tree.
3. Distribute the McAfee Agent to the systems to be managed with ePolicy Orchestrator.
4. Create the updating repositories.
5. Check in to the repositories the products ePolicy Orchestrator is to manage, then configure their policy settings.
6. Deploy products to the managed computers.
7. Configure the advanced features of ePolicy Orchestrator.

These are the files that must be checked in to the master repository after the software is installed or upgraded. For more information, see the ePolicy Orchestrator 4.5 Product Guide.
- Custom packages: only managed product packages created with McAfee Installation Designer 8.7 or later can be checked in to the master repository.
- Product extensions: if the extension for a managed product was not added to the repository during the installation, it must be added manually as a zip file.
- Product plug-in files: any product plug-in (.dll) files that were not checked in as part of the installation must be checked in to the master repository manually as zip files.
- Products: check in the software you intend to deploy. On a first-time installation of ePolicy Orchestrator, all products to be deployed via ePolicy Orchestrator must be checked in. On an upgrade, any supported products not already present must be checked in to the master repository manually as zip files.
- Product updates: all product updates to be deployed via ePolicy Orchestrator must be checked in.

Scan exception lists will be created for directories. The product installation guide for the antivirus client lists often-used application and infrastructure files and directories. Exclusions should be limited to the paths the vendor documents, since an excluded directory is never scanned. The client package created with McAfee Installation Designer will be pushed out to clients in a phased approach after the offices have been warned; the installation requires a reboot.
2.3.3 Phase 3 - Intrusion Prevention System: McAfee IntruShield, Host Intrusion Prevention System (HIPS)
2.3.3.1 Setting up the sensors for the desired deployment mode(s)
- Installing the ISM software and establishing sensor-to-ISM communication
- Configuring the deployment using the ISM
- Updating signatures and software
- Viewing and working with data generated by IntruShield

2.3.3.2 Tuning the deployment
- Invoking the Sensor Installation Wizard
- Selecting the signature set update method: import the signature set from a local directory, download it from the McAfee Update Server, or skip both options and continue with the default signature set received with the ISM installation
- Adding a sensor to the ISM
- Configuring the sensor using the CLI
- Assigning and editing the port configuration on the sensor
- Applying policies to the interfaces on the sensor
- Pushing configuration information from the ISM to the sensor
- Viewing the Sensor Installation Summary page

More detailed information on specific tasks for each step is in the IntruShield Deployment Guide.

2.3.3.3 Client-based HIPS
2.3.4.1 McAfee NAC server
The hardware requirements for the McAfee NAC server are the same as for the ePolicy Orchestrator server. When adding McAfee NAC, the recommended hardware configuration should be used rather than the minimum configuration. For details, see the ePolicy Orchestrator documentation.

The software requirements are:
- ePolicy Orchestrator 4.0 with patch 2 installed.
- Rogue System Detection 2.0 or later.

McAfee NAC client
Systems on which the NAC client is installed must meet these requirements:
Option             Definition
Memory             512MB or higher RAM
Operating System   Windows Server 2003 Enterprise, Service Pack 1 or later
ePO products       McAfee Agent 3.6 patch 2 or later
2.3.4.2 Tasks
1. Download the product zip file from the McAfee product download site and store it on the ePolicy Orchestrator server.
2. Unzip the archive, then double-click the Setup program.
3. In the Setup Requirements window, check that each section displays the message "All required applications were found". If the required applications were not found, they are listed, and you must exit and install them.
4. Accept the license agreement.
5. Type the ePolicy Orchestrator global administrator username and password.
6. Accept the default port (8444) for Network Security Sensor communications with the NAC client unless this port was changed when configuring McAfee Network Security Platform. This port cannot be changed afterwards without re-installing the software.
7. Accept the default location to install the software, or select a different location on the ePolicy Orchestrator server.
8. Verify that all information is correct, then start the installation.

Use the following task to install the McAfee Network Access Control remediation portal on the ePolicy Orchestrator server. The portal must be installed to the default installation path specified in the installer: C:\Program Files\McAfee\ePolicy Orchestrator\Server\extensions\installed\NAC\3.0.<build_number>\webapp\portal. When installed on the ePO server, the URL to the guest client portal is https://localhost:8443/nac/portal/default.htm.
y y y
y y y
Before you begin The requirements for this task are: You must be running ePolicy Orchestrator 4.0. You must install McAfee Network Access Control 3.0 first. Task If necessary, unzip the archive, then double-click the Setup program. Accept the default installation path.
[CUSTOMER]- Confidential Page 19 of 25 Network Security Architecture V1.0
Technical Architecture Planning Document Template Click Install when you reach the final installer screen.
More information for each of the individual tasks can be found on the NAC Configuration Guide.
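The Setup Requirements check in step 3 of the server installation can be rehearsed before the installer is run. The Python script below is an added example, not part of this document or of any McAfee product: it encodes the minimum versions listed in 2.3.4.1 (ePolicy Orchestrator 4.0 patch 2, Rogue System Detection 2.0, McAfee Agent 3.6 patch 2, 512 MB RAM) and compares them against a constructed inventory. The inventory dictionaries, the product names used as keys and the treatment of "patch N" as a trailing version component are assumptions; in practice the installed versions would be gathered from the actual servers.

```python
"""Pre-installation requirement check for the McAfee NAC server and NAC client.

Added example, not from the planning document or McAfee tooling. The
requirement tables mirror section 2.3.4.1; the inventories are constructed.
"""
import re

# Requirements as stated on the page: product -> minimum version.
# Assumption: "patch N" is read as a trailing version component, so
# "4.0 patch 2" becomes (4, 0, 0, 2).
NAC_SERVER_REQUIREMENTS = {
    "ePolicy Orchestrator": "4.0 patch 2",
    "Rogue System Detection": "2.0",
}
NAC_CLIENT_REQUIREMENTS = {
    "McAfee Agent": "3.6 patch 2",
}
NAC_CLIENT_MIN_MEMORY_MB = 512

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*patch\s*(\d+))?", re.IGNORECASE
)


def parse_version(text):
    """Turn '4.0 patch 2', '4.5 Patch 3', '3.6.1' or '5.1.x' into a
    comparable tuple (major, minor, build, patch). Missing components are 0,
    so '2.0' compares equal to '2.0.0 patch 0'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, build, patch)


def check_requirements(inventory, requirements):
    """Compare installed versions against the minimums.

    inventory: {product: installed version string}; absent products are
    treated as missing, as the installer's Setup Requirements window does.
    Returns a list of (product, status, detail) with status in
    {'ok', 'too old', 'missing'}.
    """
    results = []
    for product, minimum in requirements.items():
        installed = inventory.get(product)
        if installed is None:
            results.append((product, "missing", f"requires {minimum} or later"))
        elif parse_version(installed) < parse_version(minimum):
            results.append((product, "too old",
                            f"found {installed}, requires {minimum} or later"))
        else:
            results.append((product, "ok", f"found {installed}"))
    return results


def all_required_found(results):
    """True when every requirement reported 'ok'."""
    return all(status == "ok" for _, status, _ in results)


def check_client_memory(memory_mb, minimum_mb=NAC_CLIENT_MIN_MEMORY_MB):
    """NAC client memory requirement from the client table."""
    return memory_mb >= minimum_mb


# Constructed inventories (not real hosts). The client is one patch short.
SERVER_INVENTORY = {"ePolicy Orchestrator": "4.0 patch 2",
                    "Rogue System Detection": "2.0.1"}
CLIENT_INVENTORY = {"McAfee Agent": "3.6 patch 1"}

if __name__ == "__main__":
    for name, inv, req in [("NAC server", SERVER_INVENTORY, NAC_SERVER_REQUIREMENTS),
                           ("NAC client", CLIENT_INVENTORY, NAC_CLIENT_REQUIREMENTS)]:
        results = check_requirements(inv, req)
        verdict = ("All required applications were found"
                   if all_required_found(results) else "missing prerequisites")
        print(f"{name}: {verdict}")
        for product, status, detail in results:
            print(f"  {product}: {status} ({detail})")
```

Running it prints a pass for the constructed server inventory and flags the client agent as too old, which is the situation in which the installer lists the missing application and requires you to exit.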
• Network Security Platform (appliance formerly Intrushield and NAC)
3.1.2.3 Production
• ePO 4.5 Patch 3
• Network Security Manager 5.1.x (6.0.x if it makes it into general distribution)
• End Point Security: Antispyware 8.7, NAC 3.2.x, Site Advisor Enterprise 3.0.x, VirusScan 8.8, HIPS 8.0
• Messaging: Groupshield 7.0.1 for Exchange 2007, Quarantine Manager 7.0
• Web Reporter Premium 5.11
• Web Gateway (appliance)
• Network Security Platform (appliance formerly Intrushield and NAC)
3.1.3.2 Test

Software installations on the proposed production servers and network equipment, with resources that have been allocated for the servers and workstations. The testing will cover four security areas that have been deemed high-risk:
• Endpoint protection - Host-based Intrusion Prevention, Antivirus, Antispyware, Web Filtering
• Internal Network Security - Intrusion Prevention, Network Admission Control
• Web-filtering - control of corporate policy and policing for HTTP access
• Messaging - email antivirus and site admission control (HTTP control in email)
• Management - logging, policy control, remediation

The test phase will include all new network equipment, such as the Web Gateways, Intrusion Prevention system, CIFS Filer Scanners, and Network Access Appliance. These will be racked and plugged into the network in the appropriate locations but will not be put into production until they have been tested with some initial focus groups (ROCC, SCADA, Finance).

3.1.3.3 Production

The test systems will be put into production in a phased rollout:
1 Management - logging, policy control, remediation
2 Endpoint protection - Host-based Intrusion Prevention, Antivirus, Antispyware, Web Filtering
3 Messaging - email antivirus and site admission control (HTTP control in email)
4 Web-filtering - control of corporate policy and policing for HTTP access
5 Internal Network Security - Intrusion Prevention, Network Admission Control
• How can vendor information contribute to the development of the work instructions? They will be consulted at all phases of the project and deployment.
• Is existing operations documentation available? No, it is being done at every phase of the deployment.
5 Future Considerations
Development resources will need to be put on different signature update schedules. This provides a testing ground for signature updates and helps prevent outages. The same considerations that apply to the patching process also apply to the signature update process.
6 Appendix
6.1 Principle of Least Privilege
In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary for its legitimate purpose. In other words, this means giving a user only those powers which are absolutely essential to do his/her work. For example, a backup user need not install software. Hence the backup user has rights only to run backup and backup related applications. Any other powers (privileges) like installing software etc. are blocked. When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.
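As an added example (not part of the appendix or of the deployment), the Python below models the backup-user case described above: each role has an allow-list of privileges, requests are denied by default, and an audit reports any privilege an account holds beyond what its role needs. Role names, privilege names and the accounts are constructed labels, not Windows privilege constants or real accounts.

```python
"""Least-privilege audit for user and service accounts.

Added example, not from the planning document. Each role carries the set of
privileges it legitimately needs; anything granted beyond that set is excess.
"""
from dataclasses import dataclass

# Allow-list of privileges per role. Names are illustrative, chosen to match
# the appendix (a backup user runs backups and must not install software).
ROLE_REQUIRED_PRIVILEGES = {
    "backup": {"read_all_files", "write_backup_store"},
    "standard_user": {"run_applications", "read_own_files"},
    "administrator": {"install_software", "change_system_config", "manage_accounts"},
}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    granted: frozenset  # privileges actually assigned on the system


def authorize(account, privilege):
    """Default-deny check: the request succeeds only if the privilege is
    both needed by the account's role and actually granted to it. A
    privilege granted by mistake but outside the role is still blocked."""
    needed = ROLE_REQUIRED_PRIVILEGES.get(account.role, set())
    return privilege in needed and privilege in account.granted


def excess_privileges(account):
    """Privileges the account holds that its role does not need."""
    needed = ROLE_REQUIRED_PRIVILEGES.get(account.role, set())
    return sorted(account.granted - needed)


def least_privilege_report(accounts):
    """{account name: [excess privileges]} for every account that exceeds
    its role; compliant accounts are omitted."""
    findings = {}
    for acct in accounts:
        excess = excess_privileges(acct)
        if excess:
            findings[acct.name] = excess
    return findings


def minimal_grant(role):
    """The grant set to apply when provisioning an account for a role."""
    return frozenset(ROLE_REQUIRED_PRIVILEGES[role])


# Constructed accounts. svc_backup holds install_software, which the backup
# role does not need: the exact case the appendix gives.
ACCOUNTS = [
    Account("svc_backup", "backup",
            frozenset({"read_all_files", "write_backup_store", "install_software"})),
    Account("jdoe", "standard_user", minimal_grant("standard_user")),
    Account("admin01", "administrator",
            minimal_grant("administrator") | {"read_all_files"}),
]

if __name__ == "__main__":
    for name, excess in least_privilege_report(ACCOUNTS).items():
        print(f"{name}: remove {', '.join(excess)}")
    print("svc_backup may install software:",
          authorize(ACCOUNTS[0], "install_software"))
    print("svc_backup may write backups:",
          authorize(ACCOUNTS[0], "write_backup_store"))
```

The audit is the part worth running regularly: provisioning with minimal_grant gives an account exactly its role's set, and least_privilege_report catches the drift when extra rights are added later.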