Overview

These are the 5 primary security groups that should be considered with any enterprise security model. These include security policy, perimeter, network, transaction and monitoring security. These are all part of any effective company security strategy. Any enterprise network has a perimeter that represents all equipment and circuits that connect to external networks, both public and private. The internal network is comprised of all the servers, applications, data, and devices used for company operations. The demilitarized zone (DMZ) represents a location between the internal network and the perimeter, comprised of firewalls and public servers. It allows some access for external users to those network servers and denies traffic that would otherwise reach internal servers. That doesn't mean that all external users will be denied access to internal networks. On the contrary, a proper security strategy specifies who can access what and from where. For instance, telecommuters will use VPN concentrators at the perimeter to access Windows and Unix servers. Business partners could likewise use an Extranet VPN connection for access to the company S/390 Mainframe. Define what security is required at all servers to protect company applications and files. Identify the transaction protocols required to secure data as it travels across secure and non-secure network segments. Monitoring activities should then be defined that examine packets in real time as a defensive and pro-active strategy for protecting against internal and external attacks. A recent survey revealed that internal attacks from disgruntled employees and consultants are more prevalent than hacker attacks. Virus detection should then be addressed, since allowed sessions could be carrying a virus at the application layer with an e-mail or a file transfer.

Security Policy Document

The security policy document describes various policies for all employees that use the enterprise network. It specifies what an employee is permitted to do and with what resources. The policy includes non-employees as well, such as consultants, business partners, clients and terminated employees. In addition, security policies are defined for Internet e-mail and virus detection. It defines what cyclical process, if any, is used for examining and improving security.

Perimeter Security

This describes a first line of defense that external users must deal with before authenticating to the network. It is security for traffic whose source and destination is an external network. Many components are used to secure the perimeter of a network. The assessment reviews all perimeter devices currently utilized. Typical perimeter devices are firewalls, external routers, TACACS servers, RADIUS servers, dial servers, VPN concentrators and modems.

Network Security

This is defined as all of the server and legacy host security that is implemented for authenticating and authorizing internal and external employees. When a user has been authenticated through perimeter security, it is the security that must be dealt with before starting any applications. The network exists to carry traffic between workstations and network applications. Network applications are implemented on a shared server that could be running an operating system such as Windows, Unix or Mainframe MVS. It is the responsibility of the operating system to store data, respond to requests for data and maintain security for that data. Once a user is authenticated to a Windows ADS domain with a specific user account, they have the privileges that have been granted to that account. Such privileges would be to access specific directories at one or many servers, start applications, and administer some or all of the Windows servers. When the user authenticates to Windows Active Directory Services, it is to the distributed directory rather than to any specific server. There are tremendous management and availability advantages to that, since all accounts are managed from a centralized perspective and copies of the security database are maintained at various servers across the network. Unix and Mainframe hosts will usually require logon to a specific system; however, the network rights could be distributed to many hosts.

· Network operating system domain authentication and authorization
· Windows Active Directory Services authentication and authorization
· Unix and Mainframe host authentication and authorization
· Application authorization per server
· File and data authorization

Transaction Security

Transaction security works from a dynamic perspective. It attempts to secure each session with five primary activities. They are non-repudiation, integrity, authentication, confidentiality and virus detection. Transaction security ensures that session data is secure before being transported across the enterprise or the Internet. This is important when dealing with the Internet, since data is vulnerable to those that would use the valuable information without permission. E-Commerce employs some industry standards such as SET and SSL, which describe a set of protocols that provide non-repudiation, integrity, authentication and confidentiality. Virus detection also provides transaction security by examining data files for signs of virus infection before they are transported to an internal user or before they are sent across the Internet. The following describes industry standard transaction security protocols.

Non-Repudiation - RSA Digital Signatures
Integrity - MD5 Route Authentication
Authentication - Digital Certificates
Confidentiality - IPSec/IKE/3DES
Virus Detection - McAfee/Norton Antivirus Software

Monitoring Security

Monitoring network traffic for security attacks, vulnerabilities and unusual events is essential for any security strategy. This assessment identifies what strategies and applications are being employed. The following is a list that describes some typical monitoring solutions. Intrusion detection sensors are available for monitoring real-time traffic as it arrives at your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment testing tool that should be considered for your organization. Syslog server messaging is a standard Unix program found at many companies that writes security events to a log file for examination. It is important to have audit trails to record network changes and assist with isolating security issues. Big companies that utilize a lot of analog dial lines for modems sometimes employ dial scanners to determine open lines that could be exploited by security hackers. Facilities security is typically badge access to equipment and servers that host mission critical data. Badge access systems record the date and time that each specific employee entered and left the telecom room. Cameras sometimes record what specific activities were conducted as well.

Intrusion Prevention Sensors (IPS)

Cisco markets intrusion prevention sensors (IPS) to enterprise clients for improving the security posture of the company network. The Cisco IPS 4200 series utilizes sensors at strategic locations on the inside and outside network, protecting switches, routers and servers from hackers. IPS sensors examine network traffic in real time, or inline, comparing packets with pre-defined signatures. If the sensor detects suspicious behavior it will send an alarm, drop the packet and take some evasive action to counter the attack. The IPS sensor can be deployed as an inline IPS, as an IDS (where traffic doesn't flow through the device) or as a hybrid device. Most sensors inside the data center network will be designated IPS mode, with its dynamic security features thwarting attacks as soon as they occur. Note that IOS intrusion prevention software is available today with routers as an option.

Vulnerability Assessment Testing (VAST)

IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner focused on enterprise customers for assessing network vulnerabilities from an external and internal perspective. The software runs on agents and scans various network devices and servers for known security holes and potential vulnerabilities. The process is comprised of network discovery, data collection, analysis and reports. Data is collected from routers, switches, servers, firewalls, workstations, operating systems and network services. Potential vulnerabilities are verified through non-destructive testing and recommendations are made for correcting any security problems. There is a reporting facility available with the scanner that presents the findings to company staff.
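As an added example (not part of the original document), this is the kind of syslog audit-trail review the Monitoring Security section calls for: it parses Unix sshd events written to the log and flags the internal-user patterns the Overview singles out. The sample log lines, the internal address range, the failure threshold and the business-hours window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (BSD syslog format); not taken from any real host.
SAMPLE_LOG = """\
Mar 12 02:13:07 unixhost sshd[1201]: Failed password for jsmith from 10.1.5.23 port 51022 ssh2
Mar 12 02:13:09 unixhost sshd[1201]: Failed password for jsmith from 10.1.5.23 port 51023 ssh2
Mar 12 02:13:12 unixhost sshd[1201]: Failed password for jsmith from 10.1.5.23 port 51024 ssh2
Mar 12 02:13:20 unixhost sshd[1201]: Accepted password for jsmith from 10.1.5.23 port 51025 ssh2
Mar 12 09:02:44 unixhost sshd[1340]: Accepted publickey for ops from 10.1.7.9 port 40100 ssh2
Mar 12 11:45:01 unixhost sshd[1402]: Accepted password for consultant1 from 203.0.113.7 port 33201 ssh2
"""

# Matches the sshd "Failed ... for USER from SRC" / "Accepted ... for USER from SRC" events.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the company's internal address range
FAIL_THRESHOLD = 3                            # assumption: failures per (user, source) worth an alert
BUSINESS_HOURS = range(7, 19)                 # assumption: 07:00-18:59 local time is normal

def parse(log_text):
    """Turn raw syslog text into a list of logon event dicts (non-sshd lines are skipped)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
            events.append({"ts": ts, "host": m["host"], "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events

def review(events):
    """Return (rule, user, src) findings: repeated failures, success after failures,
    logons from outside the internal range, and after-hours logons."""
    findings = []
    failures = defaultdict(int)
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:          # alert once, when the threshold is reached
                findings.append(("repeated-failures", *key))
            continue
        if failures[key] >= FAIL_THRESHOLD:               # a success following a burst of failures
            findings.append(("success-after-failures", *key))
        if not any(ip_address(ev["src"]) in net for net in INTERNAL_NETS):
            findings.append(("external-source-logon", *key))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours-logon", *key))
    return findings
```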