Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.
Foundstone Labs
October, 2003
Table of Contents

Introduction
Scope and Approach
Assumptions
Findings and Recommendations
Conclusion
About Foundstone
Resources

Foundstone, Inc. All Rights Reserved
Introduction

This paper presents an overview of the security assessment of Microsoft's System Architecture (MSA) 2.0 performed by Foundstone. The assessment entailed a detailed review of the appropriate documentation, interviews with key personnel, and a penetration test of a pilot deployment to ensure that the architecture enforced a strong security posture. The goal of the exercise was to identify significant strengths and issues of concern from both an architectural and a deployment perspective.

Foundstone conducted the assessment in October 2003 in accordance with its comprehensive architecture-review methodology, which employs an array of security penetration techniques and commercial-grade stress testing and monitoring. Foundstone's analysis showed that the MSA 2.0 architecture is consistent with the defense-in-depth principle of security, and is an in-depth reference for secure enterprise-network deployment using Microsoft technologies.

Scope and Approach

Foundstone analyzed the security framework of the MSA 2.0 architecture through design review and technical analysis of the framework as it was implemented in Microsoft's pilot laboratory environment. The following areas were examined:

- Documentation of Microsoft Systems Architecture 2.0
- MSA Build Guide 2.0
- MSA Planning Guide 2.0
- MSA Operations Guide 2.0
- MSA Deployment Kit 2.0
- Reference Architecture Kit version 2.0
- Implementation Kit versions 2.0
- Pilot Deployment
- Security posture of Internet-facing MSA environment
- Logical controls to segment network zones
- Configurations of component servers and network devices
- Potential threat vectors to environment

Foundstone's testing approach consisted of interviews with MSA development staff, design reviews, and technical analysis. Key design features and assumptions were documented, tested, and analyzed.
The pilot deployment consisted of a full array of servers including DHCP, Database, Active Directory, Management, Web, WINS, DNS, Proxy, VPN, Backup, Print, DFS, Deployment, Storage Management, and Firewall servers. These servers were configured in a multi-tier environment, including Border, Perimeter, and Internal network zones. The few protocols that were available from the Internet consisted primarily of HTTP and HTTPS Web services. From the Perimeter network, only services that were required to operate the business were explicitly allowed, including Web (HTTP and HTTPS) and DNS (53). This deployment simulated a real-world enterprise environment which included servers, various protocols, and the diversity of platforms found in large modern companies. The guidelines in the MSA 2.0 documentation allow for scaling to smaller environments while still following the underlying principles of defense-in-depth.

Foundstone approached the review with standardized test methodologies to review the pilot deployment. This approach focused on real-world vulnerabilities and exploits applied against varying attack vectors. Multiprotocol discovery and vulnerability scans were run from various zones within the MSA to test the adequacy of ingress and egress network controls. Foundstone utilized Foundstone Enterprise, a vulnerability analysis and remediation software package, during this testing phase. Foundstone also reviewed the configuration of servers and network devices to determine the appropriateness of host-based controls and security features such as auditing, logging, and host-based access.

Assumptions

Foundstone identified areas that require additional attention to ensure against negligence during the deployment process. Due to the existence of other Microsoft guidance, the following topics are outside of the scope of the MSA guidance. Although the architecture is believed to impart a sound security posture to an implementation in accordance with it, Foundstone and Microsoft believe that consideration and deployment of the following technologies is important.

Anti-Virus Software Deployment

Anti-virus software deployment serves not only to protect the subject machines against virus and worm outbreaks, but also makes an attacker's task of uploading malicious executables extremely arduous. This further reinforces compliance with a defense-in-depth approach to security.

Patch Management Solutions and their Significance

Effective patch management solutions such as Microsoft's Software Update Service (SUS) are addressed in the Microsoft Solution for Management (MSM). Hence, patch management is not addressed in the MSA guidance. Patch management is fundamental for an organization to keep up-to-date on security patches and hot fixes. Patch management also helps ensure that critical servers are not compromised by exploitation of well-known vulnerabilities.
Use of IPsec Encryption between Critical Servers

As discussed earlier, confidentiality is one of the three primary tenets of security. Foundstone recommended that due importance be given to maintaining the confidentiality of data passing between critical servers (e.g., between a Web server and database) and to appropriate solutions to achieve it (viz. IPsec encryption). IPsec encryption is discussed in the Security Architecture documentation as a mechanism to mitigate the impact of packet sniffing on the network.

Un-Patched Internal Servers

The Microsoft lab being assessed was updated with patches up to a specific date for testing purposes. Patches released after that date were not applied. This allowed Foundstone to attempt several exploits against vulnerabilities that were not patched, providing an accurate simulation of an un-patched or inadequately patched environment, a common scenario. Attempts to exploit these vulnerabilities, however, were in vain due to appropriate application-level access controls in the form of an ISA server between the attacker's machine and the victim. This reinforced the defense-in-depth strategy recommended by the MSA 2.0 architecture documentation.

Secure Configuration of Wireless Deployments

Wireless technologies are being deployed as a last-hop solution in corporate environments at an ever-increasing rate. Wireless networking implementation was not covered in the current MSA release. However, this topic was covered to some extent in the Microsoft Solutions for Security Securing Wireless Networking guide.
Findings and Recommendations

Following interviews, the documentation review, and laboratory testing, Foundstone presented the results and recommendations to Microsoft's System Architecture team.

Documentation and Architecture

Foundstone believes that the extensive coverage of the following subjects in the documentation and design will contribute to a strong security posture when appropriately applied. The following areas are highlighted requirements within the Microsoft Systems Architecture 2.0 documentation:

Findings

Segregation of the Network into Pertinent Zones

Segregation of the network into security zones not only facilitates the implementation of mitigation strategies through aggregation but also limits the influence of an attacker in case of a compromise.

Hardening of Servers at the Host Level

Hardening at the host level ensures against extensive compromise of the entire environment, even in the event of circumvention of the firewall rule sets. This step entails running minimal services on the host, implementing appropriate password complexity requirements, and setting appropriate registry settings to prevent unauthorized access to the machine over the network.

Encryption Mechanisms

Implementation of strong encryption mechanisms protects the confidentiality of critical data traversing the network by making it undecipherable to packet sniffers. This is of paramount importance in maintaining confidentiality, one of the three tenets of security, along with integrity and availability.

Application Level Security Enhancements

Application level attacks are transparent to conventional firewalls. Thus, additional inspection of layer-7 data is necessary to prevent the acceptance of malicious URLs which may result in system or data compromise. The documentation stresses this fact through the discussion of HTML filters.

Physical Security Mechanisms for Critical Servers

Physical security is an often-neglected aspect of IT security. However, it is a vital component of a secure implementation. The overall security posture of the network can be severely undermined by an attacker gaining unauthorized physical access to critical servers.

Emphasis on Defense-in-depth

The documentation appropriately emphasizes conformance to the defense-in-depth principle, to ensure that a single compromise due to potential zero-day vulnerabilities does not allow the attacker to expand his or her influence throughout the environment. This is achieved by implementing multiple layers of security mechanisms at the host, network, data, and application layers to ensure a safe fail throughout the network.
Establishment of a Risk Assessment Process

The risk assessment process has been given due significance in the documentation. A well-defined risk assessment process ensures that all threats to the environment have been identified and that the consequential risks have been accepted, rejected, or mitigated. The continuity of the process also ensures that the security posture of the environment is maintained at a high level, despite the advent of new threats.

Recommendations

Although an implementation in accordance with the described architecture may impart a sound security posture, Foundstone identified areas that could be further emphasized in the documentation to ensure against negligence through the deployment process. Additional attention to these topics will aid in creating a more secure infrastructure. The following list describes these topics:

Use of IPsec Host-Based Filtering on Key Infrastructure Components

Although the DMZ domain controllers were on a physically separate network segment from the front side of the multi-homed, Internet-connected servers, Foundstone still recommended utilizing the additional protection that IPsec host-based port filters provide. This helps protect the components against unauthorized access in case other elements in the DMZ are compromised.

Centralized Logging Mechanisms to Effectively Support Intrusion Detection

Intrusion detection can be facilitated through the implementation of centralized logging mechanisms. Centralized logs not only sufficiently mitigate the deletion of security logs by a potential attacker but also greatly simplify the correlation process to effectively detect an intrusion at the earliest possible moment.

Ethernet Port Security

The MSA 2.0 architecture addresses packet sniffers as a potential intrusion threat, and it references various techniques to limit the effects of sniffing with malicious intent. These techniques include the use of strong authentication, a switched infrastructure, anti-sniffing technology, and cryptography to good effect. However, the architecture does not cover the subject of binding Ethernet ports to specific MAC addresses to limit sniffing that relies on ARP spoofing in a switched environment. Foundstone believes that this topic requires more coverage as an anti-sniffing measure that can be easily deployed by most organizations.

Penetration Test

Foundstone performed the penetration test both from the perspective of an anonymous Internet surfer with malicious intent, and from that of an attacker who had gained access to the DMZ and was attempting to expand his influence and penetrate into the internal corporate network.
Findings

The pilot deployment implemented in accordance with the underlying principles of the MSA 2.0 reference architecture was found to be sound from a security standpoint. Foundstone identified the following significant strengths in the deployment:

Minimal Exposure of Services to the Internet

Port scanning the infrastructure deployed in accordance with the MSA 2.0 reference architecture revealed that only necessary services, defined in this case as HTTP (port 80), HTTPS (port 443), and DNS (port 53) on select servers, were accessible from the Internet. Foundstone considered this to be a positive result from following the MSA 2.0 design, as exposure of additional (potentially unnecessary) services to the Internet may have provided an attacker with additional entry points into the DMZ.

Out-of-Band Management Channel

The deployment used a physically separate network to transmit management traffic. This is a recommended practice to prevent the sniffing and/or alteration of critical management data including administrative credentials. Foundstone considered this to be a positive result from following the MSA 2.0 design.

Secure Configuration of Web Servers and their Underlying Operating Systems

In general, the Web servers and their underlying operating systems were found to be deployed following Microsoft's recommended build documents. They were also identified as up-to-date on security patches and hot fixes at the time the documentation was created. This mitigates the risk of a script kiddie or worm gaining access to the server through the exploitation of an existing well-known vulnerability. Foundstone also considered this a positive result from following the MSA 2.0 design.

Sound Configuration of Application-Layer Firewalls

The external firewall protecting the DMZ from the Internet and the internal firewall protecting back-end databases from the DMZ servers were found to be properly configured and deployed. This prevented any attempts of unauthorized access against these critical infrastructure components. Foundstone also considered this to be a positive result from following the MSA 2.0 design. In addition, application firewall features were enabled at the perimeter, adding an even deeper level of security at the critical border between the public Internet and the enterprise DMZ.

Recommendations

Foundstone did identify some minor issues of concern. These issues were not considered a serious risk to the environment as they could not be successfully exploited to gain unauthorized access to any component of the infrastructure. These issues include the following:

Web Servers Support Export Grade (weak) SSL Ciphers

Web servers in the DMZ were found to be compatible with export grade (40 bit) SSL ciphers.
Foundstone recommended the use of 128-bit ciphers only, as they alone are considered adequate to protect against the exposure of encrypted data. To overcome limitations imposed on the export of cryptography, Foundstone recommended referring to Microsoft's Server Gated Cryptography (SGC) technology. Foundstone also recommended that this issue be given due importance in the MSA 2.0 architecture documentation.

Inconsistent Permission of ICMP from the Internet into the DMZ

Permitting the use of the Internet Control Message Protocol (ICMP) on the network can provide an attacker with the means of launching a denial-of-service attack against critical day-to-day business operations. It can also be leveraged as an effective covert channel. Foundstone recommended that ICMP packets be disallowed by periphery firewalls. Though the deployment under review did abide by this policy, the denial of ICMP packets was not consistent and comprehensive.
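The two perimeter results above (only HTTP 80, HTTPS 443 and DNS 53 reachable from the Internet on select servers, and ICMP denial that was not consistent) can be re-checked after every firewall change by comparing scan observations with the intended policy. The following is an added example, not part of the Foundstone paper or the MSA guidance; the host addresses, server roles, the TCP/UDP split for DNS and the four-field input format are assumptions, and the sample data is constructed.

```python
from collections import namedtuple

Observation = namedtuple("Observation", "host proto port state")

# Per-host allowlist. Roles and addresses are assumed for illustration;
# the review only says "HTTP (80), HTTPS (443) and DNS (53) on select servers".
EXPECTED = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},   # web server
    "192.0.2.11": {("tcp", 80), ("tcp", 443)},   # web server
    "192.0.2.53": {("udp", 53), ("tcp", 53)},    # DNS server
}

# Constructed sample of observations taken from the Internet side.
# Format (assumed): host proto port-or-icmp-type state
# For ICMP, "open" means the probe was answered, "filtered" means it was not.
SAMPLE_SCAN = """\
# host proto port state
192.0.2.10 tcp 80 open
192.0.2.10 tcp 443 open
192.0.2.10 icmp echo filtered
192.0.2.11 tcp 80 open
192.0.2.11 tcp 443 open
192.0.2.11 tcp 3389 open
192.0.2.11 icmp echo open
192.0.2.53 udp 53 open
192.0.2.53 tcp 53 open
192.0.2.53 icmp echo filtered
192.0.2.99 tcp 80 open
"""


def parse_observations(text):
    """Parse the four-field lines into Observation tuples, rejecting bad input."""
    observations = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        host, proto, port, state = fields
        proto, state = proto.lower(), state.lower()
        if proto not in ("tcp", "udp", "icmp"):
            raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
        if state not in ("open", "closed", "filtered"):
            raise ValueError(f"line {lineno}: unknown state {state!r}")
        if proto == "icmp":
            port = port.lower()               # ICMP has no ports; keep the type name
        else:
            port = int(port)
            if not 0 < port < 65536:
                raise ValueError(f"line {lineno}: port out of range")
        observations.append(Observation(host, proto, port, state))
    return observations


def audit_exposure(observations, expected):
    """Report services outside the allowlist and uneven ICMP handling."""
    unexpected = []   # reachable services that the policy does not allow
    icmp = {}         # host -> True if any ICMP probe was answered
    for obs in observations:
        if obs.proto == "icmp":
            icmp[obs.host] = icmp.get(obs.host, False) or obs.state == "open"
        elif obs.state == "open":
            # A host missing from the inventory has an empty allowlist,
            # so anything it exposes is reported.
            if (obs.proto, obs.port) not in expected.get(obs.host, set()):
                unexpected.append((obs.host, obs.proto, obs.port))
    answering = sorted(h for h, answered in icmp.items() if answered)
    silent = sorted(h for h, answered in icmp.items() if not answered)
    return {
        "unexpected": sorted(unexpected),
        "icmp_answering": answering,
        # Some hosts answer while others are filtered: the rule is not uniform.
        "icmp_inconsistent": bool(answering) and bool(silent),
    }


if __name__ == "__main__":
    report = audit_exposure(parse_observations(SAMPLE_SCAN), EXPECTED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any entry under `unexpected` or `icmp_answering` is a deviation from the policy the paper describes and is a prompt to review the perimeter rule set.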
Conclusion

Foundstone concluded that the MSA 2.0 architecture emphasized the defense-in-depth principle of security through every step of the implementation and documentation. This can be attributed to the appropriate emphasis on segmentation of infrastructure components coupled with the extensive incorporation of access-control mechanisms at appropriate places in the environment. The significance of this conformance was highlighted by the minimal impact of the high-risk buffer overflow vulnerability discovered on several servers within the internal network. Without these controls in place, the test may have resulted in the complete compromise of several critical servers.

Foundstone also identified several areas requiring further emphasis to enhance the security posture imparted by the architecture. These include: patch management, IPsec filtering and encryption, anti-virus software deployment, and intrusion detection. Most of these issues can be addressed by reading the documentation referenced on several of these topics earlier in this paper.

On the whole, Foundstone believes that the MSA 2.0 architecture is an excellent reference for secure enterprise network deployment, providing sufficient flexibility to adapt to varying business needs and sizes.
About Foundstone

Foundstone Inc., experts in strategic security, offers a unique combination of software, services, and education to help organizations continuously and measurably protect the most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company has one of the most dominant security talent pools ever assembled, and has authored ten books, including the best seller Hacking Exposed. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, D.C., and Seattle. For more information about Foundstone and Foundstone Enterprise Risk Solutions, visit or call FOUND within the U.S, and outside the U.S
Resources

Foundstone MSA Microsoft Patch Management IPsec Encryption Services
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationSTRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction
Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationPayment Card Industry Self-Assessment Questionnaire
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationJK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
More informationCertified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison
CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation
More informationDMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch
DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)
More informationF5 and Microsoft Exchange Security Solutions
F5 PARTNERSHIP SOLUTION GUIDE F5 and Microsoft Exchange Security Solutions Deploying a service-oriented perimeter for Microsoft Exchange WHAT'S INSIDE Pre-Authentication Mobile Device Security Web Application
More informationdefending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationTopics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationFirewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
More informationARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance
More informationDon t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure
Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20
More informationWeb Security School Final Exam
Web Security School Final Exam By Michael Cobb 1.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site on the Internet? a. IIS Admin
More informationChapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security
Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security
More informationThe Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:
Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction
More informationMedical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.
Medical Device Security Health Imaging Digital Capture Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0 Page 1 of 9 Table of Contents Table of Contents... 2 Executive Summary...
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationSonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity
SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria
More informationState of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
More informationInspection of Encrypted HTTPS Traffic
Technical Note Inspection of Encrypted HTTPS Traffic StoneGate version 5.0 SSL/TLS Inspection T e c h n i c a l N o t e I n s p e c t i o n o f E n c r y p t e d H T T P S T r a f f i c 1 Table of Contents
More informationSecuring Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.
Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources
More informationBuilding A Secure Microsoft Exchange Continuity Appliance
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationBendigo and Adelaide Bank Ltd Security Incident Response Procedure
Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4
More informationFirewalls and VPNs. Principles of Information Security, 5th Edition 1
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
More informationSELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM:
SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM: 12 Key Questions to Ask Executive Summary Host Intrusion Prevention Systems (HIPS) complement perimeter defenses, and play a vital role in protecting
More informationUsing Skybox Solutions to Achieve PCI Compliance
Using Skybox Solutions to Achieve PCI Compliance Achieve Efficient and Effective PCI Compliance by Automating Many Required Controls and Processes Skybox Security whitepaper August 2011 1 Executive Summary
More informationImportance of Web Application Firewall Technology for Protecting Web-based Resources
Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,
More informationToday's security needs in networking
Today's security needs in networking Besoins actuels de la sécurité réseau European partner summit Thursday, October 13, 2005 Hervé Schauer Hervé Schauer Agenda Firewalls Liability
More informationNETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
More informationCompany Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.
Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim
More informationSonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
More informationHow To Protect Your Network From Attack
Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de
More informationHow To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationTECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS
TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS 19 NOVEMBER 2003 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor
More informationGiftWrap 4.0 Security FAQ
GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationImplementing Cisco IOS Network Security
Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles
More information