1 FHDA Network/Security Architecture Ken Agress Senior Consultant, NTS Fred Cohen Senior Consultant, SRMS Management Overview All Contents 2008 Burton Group. All rights reserved.
2 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
3 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
4 Introduction & Background Introductions Project Background Why did we do this project? Who was involved? What were the deliverables? How will this be used? Why Burton Group?
5 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
6 What is a Network/Security Architecture? An architecture is a forward-looking document that: Defines how an organization will approach technology decisions Describes specific requirements and goals that technology must address to meet the organization s needs Establishes standards that can be leveraged in a useful fashion over a long period of time Allows IT to evaluate solutions in a neutral and unbiased fashion An architecture is not: A design that describes the environment with specificity A detailed description of configurations or devices A list of products, vendors, solutions, or systems that will be implemented
7 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
8 Why Have an Architecture? An architecture allows an organization to: Reduces the complexity of managing and operating the environment. Reduction in cost, operational issues Improved consistency and greater effectiveness Define a set of technology standards that: Can be applied to a wide range of technical solutions Provide for interoperability of hardware/software Ensure required needs are addressed Support bid specifications that are targeted and meet the needs Describe approaches to technology that the district can review and revisit as requirements or technologies change Develop processes and procedures based on a common understanding of technical and business requirements. An architecture is intended to be a living document that is revisited regularly and modified over time.
9 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
10 The Burton Group Architecture Process Burton Group leverages a structured methodology to assist clients. Business needs determine the specific goals, this process defines the standards.
11 What we did: The Burton Group Architecture Process Gathered background data through interviews and document review Discussed technical and business needs with FHDA personnel Conducted a one week workshop to create the architecture with FHDA management and staff Described FHDA Principles Defined FHDA Technical Positions Created FHDA Templates Prepared and presented the resulting architecture What FHDA needs to do: Socialize the architecture within the district Perform annual reviews of the architecture Understand the gaps, prioritize them, and act on them Develop standard processes that leverage the architecture
12 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
13 FHDA Key Business Drivers Support the district s education objectives Distance learning Anywhere/anytime access Improve support for key applications: EIS System Multicast for audio/video services Prepare for PBX replacement Support a range of users effectively providing: Improved bandwidth, reliability, protection Support for many different types of traffic Build network in a cost effective, sustainable, adaptable fashion
14 The FHDA Architecture What does FHDA get out of this Architecture? Properly secured, reliable communications for students, faculty, and staff that adapts as requirements change.
15 The FHDA Architecture: Wireless Enhanced wireless access is called for: Wireless standards with greater range, bandwidth Ability to provide support for different user groups on a single infrastructure Security appropriate to the type of user and group Guest access where allowed
16 The FHDA Architecture :Multimedia The standards adopted provide support for: Streaming video and audio Multicast applications such as video conferencing, video distribution, and broadcasting Increased bandwidth to support new and interesting types of media Proper classification and handling of different types of traffic Support for IP Telephony as a potential PBX replacement
17 The FHDA Architecture: Proactive Management The architecture will help ETS achieve: Enhanced management capabilities and visibility into network performance and conditions Greater understanding of applications and services the network should support Improved historical tracking for trend analysis and capacity planning Process and procedure improvements to standardize responses, reduce heroic efforts Uniform approaches to technical issues, problem identification, prioritization, and resolution
18 The FHDA Architecture: Improved Access The architecture adds: Support for properly secured, authorized anytime/anywhere access Student access to resources and materials Faculty access to systems and services Staff access for administrative purposes 3 rd parties supporting FHDA Green initiatives for facilities management Higher performance core network Faster, more capable connections between buildings & locations
19 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
20 Security Architecture Key Issues The situation today: No IT risk management function Content, applications, and systems are not adequately inventoried Processes are not well defined or automated Lack of structure for controls Detection of security related events is inadequate to the need
21 Security: No Risk Management Function What is the problem? For information and information technology no risk management function is in place for FHDA Why does it matter? Without this function, rational decision-making cannot be done regarding what to protect and how well. How can it be solved? Someone has to be put in charge of performing this function for the district. They need the skills, knowledge, and tools to do it. Until this is done, design decisions may be seen as without a rational basis and justification
22 Security: No Inventory of Content and Systems What is the problem? There is no comprehensive inventory of content, applications, and systems What do they do? How do they do it? What are they for? Why does it matter? If you don't know what you have: How do you know how to protect it? How do you know when you are done? How do you know how well you have done it? How can it be solved? Generate an inventory over time Start with what's obvious and critical keep going Over time, inventory all new things, systematically deprecate what's not inventoried till done
23 Security: Processes Not Well Defined What is the problem? The processes for getting things done with content and technology are not systematically defined and consistently applied Why does it matter? Processes are hard to repeat, depend on heroic effort of individuals, and are not well documented even after they have taken place. As complexity rises, so do costs, unless you systematize and automate functions How can it be solved? Move toward a higher level of maturity in processes Add automation to support the effort
24 Security: Lack of Structure for Controls What is the problem? Controls, where they exist, are ad-hoc and unstructured. Why does it matter? It takes a lot of individualized effort to examine each item one at a time, therefore: Many things are not examined Many things are poorly controlled or not controlled at all. The cost of controls is far higher Economies of scale are not readily attainable. How can it be solved? Structures should be put in place to allow content, applications, systems, and users to be controlled by common mechanisms based on defined characteristics. To wit:
25 Security: The Big Picture - Zones Without drilling into the details... Network Control The outside world Outer firewall DMZ Network Audit DMZ-Trusted Firewall Trusted zone Trusted Restricted Firewall Restricted zone
26 Security: Detection Inadequate to the Need What is the problem? You can't tell if you are being attacked or if you are misconfigured Why does it matter? No passive defense can hold out forever. To defend you must detect and react in time to prevent potentially serious negative consequences (PSNCs) in excess of management specified thresholds (MSTs). If you can't detect, you can't react in a timely fashion. How can it be solved? You need a systematic approach to detection of event sequences that can produce PSNCs and MSTs.
27 Network: VLANs and IP What s the problem? Existing IP addressing and VLAN schemes aren t capable of meeting business requirements Why does it matter? Can t create a scalable network Can t support zones adequately Can t provide improved access How can it be solved? Develop initial plans for new IP addressing Determine how and where VLANs will be leveraged Work with implementation team(s) to finalize and deploy
28 Network: Dynamic Computer Placement What s the problem? FHDA needs to place users in the proper area of the network Why does it matter? Users may receive too much/too little access Implementation could be overly complex and difficult to support How can it be solved? Carefully plan implementation to minimize support burden Protocols and systems used (802.1x and Identity Management) will require careful, strategic consideration Strategy must be developed to some extent for use in bid documents
29 Network: Routing Priorities What s the problem? Security standards require that traffic is inspected at appropriate points, which requires proper routing Why does it matter? FHDA can t comply with the standards adopted without proper inspection, detection, and action How can it be solved? Develop initial plans for routing through the network Work with implementation teams to finalize Test implementation prior to acceptance Regularly test routing to verify compliance
30 Network: Quality of Service What s the problem? Different services demand different performance from the network Telephony Video conferencing Video streaming , browsing, other standard applications. Why does it matter? Negative impact on quality for high-demand services Can I make a connection? Is the connection good enough? Can I maintain the connection? How can it be solved? Leverage application/content inventory to classify services Determine service requirements Define classification and enforcement mechanisms Create procedures that include characterization of new applications
31 Agenda Introduction & Background What is a Network/security Architecture? Why Have an Architecture? The Burton Group Architecture Process The FHDA Architecture Key FHDA Issues Security Network Conclusion Q&A and Discussion
32 So What s Next? Communicating the architecture throughout the district Translating the architecture into an effective design Regularly reviewing the architecture and updating as required Applying the architecture systematically and effectively
33 Conclusion FHDA s Network/Security architecture is an important first step towards achieving: Properly secured, reliable communications for students, faculty, and staff that adapts as requirements change. FHDA can leverage the architecture because: It defines standards in a useful, modular fashion It provides the basis for decisions and allows discussion of priorities It describes a future state with identified gaps and action items
34 What questions do you have? All Contents 2008 Burton Group. All rights reserved.
NRECA / Cooperative Research Network Smart Grid Demonstration Project Guide to Developing a Cyber Security and Risk Mitigation Plan DOE Award No: DE-OE0000222 National Rural Electric Cooperative Association,
ITIL V3 Application Support Volume 1 Service Management For Application Support ITIL is a Registered Trade Mark and Community Trademark of the Office of Government and Commerce. This document may contain
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Problem Management Contents Introduction Overview Goal of Problem Management Components of Problem Management Challenges to Effective Problem Management Difference between Problem and Incident Management
. VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Review of Alleged Improper Program Management within the FLITE Strategic Asset Management Pilot Project September
Cyber-Security Essentials for State and Local Government Best Practices in Policy and Governance Operational Best Practices Planning for the Worst Case Produced by with content expertise provided by For
2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn Contents Contents 1 Introduction 1.1 Version History 1.2 Objective 1.3 Target group 1.4 Application
Firewall Strategies June 2003 (Updated May 2009) 1 Table of Content Executive Summary...4 Brief survey of firewall concepts...4 What is the problem?...4 What is a firewall?...4 What skills are necessary
Security Policy: Best Practices White Paper Document ID: 13601 Introduction Preparation Create Usage Policy Statements Conduct a Risk Analysis Establish a Security Team Structure Prevention Approving Security
GUIDE FOR DEVELOPING HIGH-QUALITY SCHOOL EMERGENCY OPERATIONS PLANS U.S. Department of Education U.S. Department of Health and Human Services U.S. Department of Homeland Security U.S. Department of Justice
HIPAA Security Procedures Resource Manual The following security policies and procedures have been developed by North Dakota State University (NDSU) for its internal use only in its role as a hybrid entity
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for
SECURITY FOR INDUSTRIAL CONTROL SYSTEMS IMPROVE AWARENESS AND SKILLS A GOOD PRACTICE GUIDE Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer,
` City of Beverly Hills Public Works Services Department 345Foothill Road Beverly Hills, CA. 90210 Infor (Hansen) Computerized Maintenance Management System Request for Proposal For Infor System Re-implementation
Continuous Cyber Situational Awareness Continuous monitoring of security controls and comprehensive cyber situational awareness represent the building blocks of proactive network security. A publication
Information Technology Outsourcing GTAG Partners AICPA American Institute of Certified Public Accountants www.aicpa.org CIS Center for Internet Security www.cisecurity.org CMU/SEI Carnegie-Mellon University
FIREWALL CLEANUP WHITE PAPER Firewall Cleanup Recommendations Considerations for Improved Firewall Efficiency, Better Security, and Reduced Policy Complexity Table of Contents Executive Summary... 3 The
Kent State University s Cloud Strategy Table of Contents Item Page 1. From the CIO 3 2. Strategic Direction for Cloud Computing at Kent State 4 3. Cloud Computing at Kent State University 5 4. Methodology
VoIP Lifecycle Management Best Practices and Business Value Viola Networks May 2006 VoIP Lifecycle Management VoIP Lifecycle Management Best Practices and Business Value When managing an enterprise VoIP
BEST PRACTICES WHITE PAPER Measuring Success Service Desk Evaluation Guide for the Midsized Business: How to Choose the Right Service Desk Solution and Improve Your ROI Table of Contents INTRODUCTION...1
Audit Manual PART TWO SYSTEM BASED AUDIT Table of content 1. Introduction...3 2. Systems based audit...4 2.1. Preparing for & planning the audit assignment...5 2.2. Ascertaining and recording the system...7
Vanderbilt University Medical Center Project Implementation Process (PIP).......... Project Implementation Process OVERVIEW...4 PROJECT PLANNING PHASE...5 PHASE PURPOSE... 5 TASK: TRANSITION FROM PEP TO
Gap Analysis for Information Technology At Sacramento State: A Self Study February, 2008 1 Larry Gilbert Vice President and CIO Information Resources & Technology 2 February 20, 2007 Introduction The California
ADVISORY SERVICES Transforming Internal Audit: A Model from Data Analytics to Assurance kpmg.com Contents Executive summary 1 Making the journey 2 The value of identifying maturity levels 4 Internal audit