Secure to the Core: The Next Generation Secure Operating System from CyberGuard
Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP, CISM, CISA
Senior Vice President, CyberGuard Corp

A CyberGuard Corporation White Paper, September 2004

Copyright 2004 CyberGuard Corporation. All rights reserved.

What is a Secure Firewall Operating System?

While industry experts may debate which firewall architecture provides the optimum level of security, few would disagree about the critical importance of a secure firewall Operating System. Many vendors claim their network security products are built upon a hardened OS. What you will find in virtually all cases is that the vendor simply turned off -- or removed -- unnecessary services, and then patched the OS for known vulnerabilities. Clearly, this is not a hardened OS but really a patched OS.

A true hardened OS is one in which the vendor has modified the kernel source code to enforce a security perimeter between the operating system, firewall software and network stack. Correctly implemented, this eliminates the risk that a service running on the hardened OS could be exploited by a hacker to obtain root level privilege and then hijack the firewall.

CyberGuard's heritage in developing secure real-time operating systems for the US Department of Defense is evident today in our Mandatory Access Control (MAC) and Multi-Level Security (MLS) operating system technologies. Together, MAC/MLS completely insulate the operating system layers used to inspect and transport packets from those that allow the firewall to be configured and managed. A user who has been authenticated and authorized for administrative access can never leave the firewall and connect to the network. Likewise, a user seeking network connectivity can never gain access to the firewall's management functions. Even if the firewall were to be compromised, no further network incursions would be possible.

In this White Paper, we review the sophisticated techniques CyberGuard used to implement this same level of security in our next generation firewall product, and the resulting technical and operational benefits.

The Evolution of CyberGuard's Next Generation of Security Products

CyberGuard's experience building secure operating systems dates back to 1967, when the company -- then known as Datacraft -- began building mission-critical real-time simulation and control systems. In 1987, with 20 years of OS experience under its belt, CyberGuard -- now a part of the Harris Corporation -- and AT&T Federal Systems began joint development of an Orange Book B1 MLS/OS and LAN solution. It has been estimated that 75 man years of development time was invested in this critical government project. Development concluded in 1991 and the NCSC B1 Evaluation Cycle began. In 1992 the evaluation concluded with the award by the United States Department of Defense for the world's first TCSEC B1 OS and Network LAN certification. No other firewall vendor to date has ever been able to match this achievement.

Secure to the Core: CyberGuard's Next Generation Operating Environment

In response to customer demands, CyberGuard decided to migrate to a more mainstream Operating System that would preserve the same levels of security while supporting a broader set of hardware platforms. CyberGuard purchased the source code rights to SCO UnixWare and ported many of the security mechanisms that enabled us to achieve our previous B1 certification. This purpose built Operating System has served our clients well since In fact not a single CERT bulletin has ever been written against our SCO UnixWare based firewall solution.

The advent of 64 bit processing architectures and high performance platforms from Intel (among others) creates the foundation for CyberGuard to offer a new set of highly scalable purpose-built security solutions. This was our primary motivation in developing CG Linux, a next generation secure Operating System based on the Linux kernel.

CyberGuard's CG-Linux Operating System takes full advantage of the security controls that helped us earn our original TCSEC B1 certification, while incorporating the additional security features available when utilizing a Linux-based kernel. Collectively, these capabilities allow us to offer the highest level of Operating System security available in a commercial firewall product.

The table below summarizes the security features built into the respective UnixWare and CG-Linux OS.

Security Mechanisms

| Features | Linux | UnixWare | Description |
|---|---|---|---|
| Discretionary Access Control (DAC) | Yes | Yes | Limits a user's access to a file or directory. Based on owner/group IDs and permission bits. |
| Multilevel Security (MLS) | Yes | Yes | Creates a barrier between non-administrative users, processes, and data, and the corresponding set of users, processes, and data of the firewall security systems. Based on a modified Bell-LaPadula security model. |
| Mandatory Access Control (MAC) | Yes | Yes | Enforces mandatory system-wide policies that cannot be changed at the discretion of individual users. Based on a modified Bell-LaPadula security model. |
| Capability (Privileges) | Yes | Yes | Divides the super user privilege into a number of discrete privileges that can be assigned to multiple users or programs. |
| Roles | Yes | Yes | Organizes administrative duties into roles that can be assigned to multiple administrative users. Used to provide separation of duties. |
| Auth | Yes | No | RSBAC mechanism for restricting the ID to which a program may switch (setuid). |
| File Flags | Yes | No | RSBAC model for providing fine-grained access control over file system objects (files, directories, symbolic links etc.). |
| PAM User Level Authentication | Yes | No | Enables the use of longer passwords and more granular transaction logging. |
| Audit | Yes | Yes | Audits security relevant events at a very granular level, enabling forensic analysis and accountability. |

Discretionary Access Control

Discretionary Access Control (DAC) is an access control service that enforces a security policy based on the identity of system users (or groups of users) and their respective authorizations to access files and other system resources.

There are three categories of users:

1. Owner - The owner of the file
2. Group - Users in the same group as the owner
3. Other - Everyone else

There are three kinds of authorizations:

1. Read - Users may read the file or list the contents of a directory
2. Write - Users may write to the file or add a new file to the directory
3. Execute - Users may execute the file or look up a specific file

DAC is used primarily to limit a user's access to a file or directory. This access is considered to be discretionary because the owner determines at his or her discretion who receives these read, write and execute access rights.

Multi Level Security

CyberGuard's implementation of Multi Level Security (MLS) is based on a modified version of the Bell-LaPadula security model. MLS provides the security mechanisms and enforcement systems needed to allow data with different degrees of sensitivity to be securely maintained and accessed on the same system. Essentially, MLS provides a barrier between the non-administrative users, processes, and data, and the corresponding set of users, processes, and data of the firewall security systems.

A process inherits its sensitivity level from its respective user. Therefore the permissions for the process determine the level of sensitivity of the data that the process is permitted to act upon. MLS enforcement enables an administrative user to run a process that reads or modifies a firewall configuration file, while preventing a non-administrator -- running the exact same process -- from accessing or modifying the firewall configuration data.

Mandatory Access Controls

CyberGuard's implementation of Mandatory Access Controls (MAC) enhances and complements DAC by enforcing MLS rules within the CG-Linux kernel. MAC enforces mandatory system-wide policies that cannot be changed at the discretion of individual users. Most commercial Operating Systems provide support for DAC only.
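
The way the DAC bits and the MLS labels enforced as MAC combine can be modelled in a few lines. This is an added example, not CyberGuard code: it assumes two constructed sensitivity levels and the textbook Bell-LaPadula "no read up" rule with writes restricted to equal levels (the paper does not describe its modifications to the model), and every user name and path in it is made up.

```python
# Added illustration (not CyberGuard code): owner/group/other permission bits
# (DAC) combined with an MLS label check enforced as MAC.
# All names, paths and levels below are constructed for the example.
from dataclasses import dataclass
from enum import IntEnum

READ, WRITE, EXECUTE = 4, 2, 1


class Level(IntEnum):
    NETWORK = 0   # non-administrative users, processes and data
    FIREWALL = 1  # users, processes and data of the firewall security systems


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    level: Level  # a process inherits its sensitivity level from its user


@dataclass
class FileObject:
    path: str
    owner: str
    group: str
    mode: int     # permission bits, e.g. 0o640
    level: Level  # label set by system policy, never by the file owner


def dac_allows(subj, obj, want):
    """Owner/group/other check against the permission bits."""
    if subj.user == obj.owner:
        bits = (obj.mode >> 6) & 7
    elif obj.group in subj.groups:
        bits = (obj.mode >> 3) & 7
    else:
        bits = obj.mode & 7
    return (bits & want) == want


def mac_allows(subj, obj, want):
    """Label check: no read up; write only at the subject's own level
    (assumed variant of Bell-LaPadula, see lead-in)."""
    if want & (READ | EXECUTE) and subj.level < obj.level:
        return False
    if want & WRITE and subj.level != obj.level:
        return False
    return True


def access(subj, obj, want):
    """Grant only if MAC and DAC both agree; report which layer refused."""
    if not mac_allows(subj, obj, want):
        return (False, "MAC")
    if not dac_allows(subj, obj, want):
        return (False, "DAC")
    return (True, "ok")


def chmod(subj, obj, mode):
    """DAC is discretionary: the owner may change the bits, not the label."""
    if subj.user != obj.owner:
        raise PermissionError(f"{subj.user} does not own {obj.path}")
    obj.mode = mode


def demo():
    admin = Subject("fwadmin", frozenset({"fwadm"}), Level.FIREWALL)
    alice = Subject("alice", frozenset({"users"}), Level.NETWORK)
    cfg = FileObject("/etc/fw/rules.conf", "fwadmin", "fwadm", 0o640,
                     Level.FIREWALL)
    notes = FileObject("/home/alice/notes", "alice", "users", 0o666,
                       Level.NETWORK)
    out = {}
    # Same operation, different users: only the administrator's process passes.
    out["admin_rw_cfg"] = access(admin, cfg, READ | WRITE)
    out["alice_read_cfg"] = access(alice, cfg, READ)
    # The owner loosens the permission bits to world read/write.
    chmod(admin, cfg, 0o666)
    out["alice_dac_only_after_chmod"] = dac_allows(alice, cfg, READ | WRITE)
    out["alice_rw_cfg_after_chmod"] = access(alice, cfg, READ | WRITE)
    # The barrier also holds in the other direction for writes.
    out["admin_write_notes"] = access(admin, notes, WRITE)
    out["admin_read_notes"] = access(admin, notes, READ)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

After the mode change the DAC check alone would admit the non-administrative user, while the combined decision is still refused at the MAC layer because the label is outside the owner's control.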

Many in the security community believe that MAC is inherently more secure than DAC, because it eliminates some of the most prevalent incorrect permissions mistakes made by administrators trying to implement DAC in security systems. In addition, a DAC-based OS can be exploited by a Trojan Horse program to alter the DAC security settings, thereby allowing an escalation of privileges for a malicious user.

Limiting Super User Privileges

In a typical UNIX or Linux operating system, the Super User -- otherwise known as the Root User -- has total control over all aspects of the operating system and the tasks and programs it is running. CyberGuard's CG-Linux divides Super User privileges across multiple users and system processes, effectively reducing the Super User's authority. This increases security by reducing the dependence on a single entity that could otherwise assert total control over all security processes. Should a malicious hacker ever achieve Super User status, they would gain very limited control over the firewall and its security-related processing.

Role-Based Management

CyberGuard has always provided extremely granular control over the separation of administrative duties. This makes it possible to provide selective administrative access while ensuring that no one can gain complete control over the firewall and its security processing. CyberGuard has enhanced and extended this role functionality in its next generation firewall product by incorporating these features into the CG Linux OS. This provides additional security by reducing the possibility that a firewall administrative duty can be circumvented by an operating system administrative function.

Auth Module

In a typical UNIX environment, a Super User can change the authority level at which a process operates within the OS. This is explicitly prevented by CG-Linux, which offers extensive controls over which privilege changes are permitted and by whom they can be applied. This eliminates the common ploy of the Privilege Escalation Attack, in which a hacker alters the authority level of a process in order to increase their privileges within the OS and gain control over the firewall.

File Flags

To further enhance OS security, CG-Linux provides additional granularity in its standard file access controls. The file flags are complementary to the standard Linux file permissions and can only be altered or changed by an authenticated security officer.

| Flag | Checked for |
|---|---|
| execute_only | FILE, FIFO, SYMLINK |
| search_only | DIR |
| read_only | FILE, FIFO, SYMLINK, DIR |
| write_only | FILE, FIFO, SYMLINK |
| secure_delete | FILE |
| no_execute | FILE |
| no_delete_or_rename | FILE, FIFO, SYMLINK, DIR |
| append_only | FILE, FIFO, SYMLINK |
| add_inherited | FILE, FIFO, SYMLINK, DIR |

By extending the access control capabilities of Linux standard file permissions, CG-Linux provides a level of granular control far beyond what is available in a commercial OS.

Pluggable Authentication Module (PAM)

PAM is a UNIX programming interface that enables third-party security methods to be used. By using PAM, multiple authentication technologies, such as RSA, DCE, Kerberos, smart card and S/Key, can be added without changing any of the login services, thereby preserving existing system environments.

CyberGuard has incorporated PAM into CG-Linux, affording numerous security enhancements, including:

1. Support for longer passwords
2. Password and account expirations / verifications
3. Improved transaction logging (including information on the user and login address)
4. RSBAC restrictions to provide more granular access control

The incorporation of an enhanced version of PAM into CG-Linux affords a great deal of flexibility and expandability for authentication-related services in current and future CyberGuard products.

Audit and Alert Systems

CyberGuard has always offered superior logging capabilities, and stored log files in binary format to preserve data integrity. CG-Linux provides additional security benefits by dramatically improving the performance and flexibility of the firewall Alert and Audit Systems. Because these systems can reach deeper and wider into the CG Linux audit trail, the granularity and amount of data that can be logged are far greater than ever before. The binary format dramatically improves search and query performance, while the increased granularity and breadth of information allows you to drill down into the log file with increased precision during your queries.

The Alert system has also been dramatically enhanced and now includes fully user configurable alerts. This includes OS performance data that is typically absent with firewalls built upon a commercial OS.

Operating System Performance

The evolutionary move to Linux allows CyberGuard to leverage new OS efficiencies that significantly improve performance and throughput. CG-Linux offers full support for 64 bit processors, for the Intel Itanium processor family, as well as non-Intel-based platforms. This provides compelling opportunities to deploy CG-Linux based security solutions on embedded devices.

The firewall architecture has changed from a UnixWare Stream model to the faster and more efficient Socket model implemented in Linux.

Linux fully supports threads. This significantly improves performance, memory management and overall resource efficiency. Threads provide a useful programming technique for dividing work into separate pieces. Programs that correctly use threads can run on multiprocessor systems, with each thread running on a separate CPU. Any slow process running on a single-CPU system can theoretically execute on an N-way multiprocessor in 1/N of the time.

In Conclusion

CyberGuard historically has provided the most secure and best performing application proxy based firewalls in the industry. The legacy continues with the evolution of our next generation CG-Linux OS. Providing unparalleled performance and security, CyberGuard is well positioned to remain as the preferred solution for securing the world's most demanding networks.

CyberGuard Corporate Headquarters
Quadrant Business Center
350 SW 12th Avenue
Deerfield Beach, FL
Phone:
Fax:

CyberGuard Europe Limited
Asmec Centre, Eagle House
The Ring, Bracknell
Berkshire, RG12, 1HB
United Kingdom
Phone: +44 (0)
Fax: +44 (0)

Copyright 2004 by CyberGuard Corporation. All rights reserved. This publication is intended for use with CyberGuard Corporation products by CyberGuard's personnel, customers and end users of CyberGuard's products. It may not be reproduced in any form without the written permission of CyberGuard Corporation. CyberGuard is a registered trademark of CyberGuard Corporation. UnixWare is a registered trademark of Santa Cruz Operations, Inc. All other trademarks are the property of their respective owners.
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationHow To Secure Your System From Cyber Attacks
TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital
More informationHost-based Protection for ATM's
SOLUTION BRIEF:........................................ Host-based Protection for ATM's Who should read this paper ATM manufacturers, system integrators and operators. Content Introduction...........................................................................................................
More informationdefending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
More informationEndpoint protection for physical and virtual desktops
datasheet Trend Micro officescan Endpoint protection for physical and virtual desktops In the bring-your-own-device (BYOD) environment, protecting your endpoints against ever-evolving threats has become
More informationWhite Paper. PCI Guidance: Microsoft Windows Logging
PCI Guidance: Microsoft Windows Logging Table of Contents Introduction...3 This white paper was written by: Cayce Beames, CISSP, QSA, Technical Practice Director, Strategic Services, Intel Security Preparation
More informationData Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec
The next generation of antivirus technology from Symantec Overview Advanced threat protection combines Symantec AntiVirus with advanced threat prevention to deliver an unmatched defense against malware
More informationidentity management in Linux and UNIX environments
Whitepaper identity management in Linux and UNIX environments EXECUTIVE SUMMARY In today s IT environments everything is growing, especially the number of users, systems, services, applications, and virtual
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
More informationSecuring your Linux Server: Racing against the attacker. Nigel Edwards Hewlett-Packard <nigel_edwards@hp.com>
Securing your Linux Server: Racing against the attacker Nigel Edwards Hewlett-Packard Agenda The major source of security vulnerabilities Security strategies Patching Layered utilities
More informationSecuring the Database Stack
Technical Brief Securing the Database Stack How ScaleArc Benefits the Security Team Introduction Relational databases store some of the world s most valuable information, including financial transactions,
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationBSM for IT Governance, Risk and Compliance: NERC CIP
BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................
More informationMySQL Security: Best Practices
MySQL Security: Best Practices Sastry Vedantam sastry.vedantam@oracle.com Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes
More informationA Case for Managed Security
A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationThe Benefits of Verio Virtual Private Servers (VPS) Verio Virtual Private Server (VPS) CONTENTS
Performance, Verio FreeBSD Virtual Control, Private Server and (VPS) Security: v3 CONTENTS Why outsource hosting?... 1 Some alternative approaches... 2 Linux VPS and FreeBSD VPS overview... 3 Verio VPS
More informationSeven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
More informationHow To Manage Log Management
: Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll
More informationIBM QRadar Security Intelligence April 2013
IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence
More informationThe Evolution of the Enterprise And Enterprise Security
The Evolution of the Enterprise And Enterprise Security Introduction Today's enterprise is evolving rapidly, with new technologies such as consumer-grade mobile devices, internet-based applications and
More informationInformation Security Measures and Monitoring System at BARC. - R.S.Mundada Computer Division B.A.R.C., Mumbai-85
Information Security Measures and Monitoring System at BARC - R.S.Mundada Computer Division B.A.R.C., Mumbai-85 Information Security Approach Secure Network Design, Layered approach, with SPF and Application
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationSection 1 CREDIT UNION Member Information Security Due Diligence Questionnaire
SAMPLE CREDIT UNION INFORMATION SECURITY DUE DILIGENCE QUESTIONNAIRE FOR POTENTIAL VENDORS Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire 1. Physical security o Where is
More informationMandatory Access Control in Linux
Mandatory Access Control in Linux CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ In the early 2000s Root and administrator Many
More informationReal Time Performance of a Security Hardened RedHawk Linux System During Denial of Service Attacks
A Concurrent Real Time White Paper 2881 Gateway Drive Pompano Beach, FL 33069 (954) 974 1700 real time.ccur.com Real Time Performance of a Security Hardened RedHawk Linux System During Denial of Service
More informationSecurity Overview Introduction Application Firewall Compatibility
Security Overview Introduction ShowMyPC provides real-time communication services to organizations and a large number of corporations. These corporations use ShowMyPC services for diverse purposes ranging
More informationNetwork Security. 1 Pass the course => Pass Written exam week 11 Pass Labs
Network Security Ola Lundh ola.lundh@hh.se Schedule/ time-table: landris.hh.se/ (NetwoSec) Course home-page: hh.se/english/ide/education/student/coursewebp ages/networksecurity cisco.netacad.net Packet
More informationHow To Secure Your Data Center From Hackers
Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard
More informationHow to Achieve Operational Assurance in Your Private Cloud
How to Achieve Operational Assurance in Your Private Cloud As enterprises implement private cloud and next-generation data centers to achieve cost efficiencies and support business agility, operational
More informationEndpoint protection for physical and virtual desktops
datasheet Trend Micro officescan Endpoint protection for physical and virtual desktops In the bring-your-own-device (BYOD) environment, protecting your endpoints against ever-evolving threats has become
More information