Simplifying and Enhancing IT Security at xxxxxxx Council

This document is designed to highlight the existing infrastructure and security solutions and to recommend alternative technology that could be used to simplify management and enhance security at the council.

Current Infrastructure
Windows Active Directory at 2003 functional level, with 2012 servers in operation.
2 domains, 1 primary and 1 GCSX, with a one-way trust between them.
Approximately 600 users, with 350 regular PC clients.
Windows 7 Enterprise is running on most desktop machines.
IPv4.
Citrix thin clients.
Most clients run Internet Explorer or Chrome.

Sites include:
Primary council office in xxxxxxx
2 leisure centres
Waste depot
Business centre
Parks
[Network diagram illustrating current infrastructure. Components shown: Internet and PSTN connections; UTM A/P firewall/IPS with web security, reverse proxy (ActiveSync and others) and Wi-Fi control; DMZ (x82 VMs); remote Ethernet connectivity to the parks, leisure centre and other required small sites; Aruba AP105 access points (x4); PSN and non-PSN segments; StoneGate FW-310 firewalls, StoneGate 1030 firewall, TMG firewall and Juniper SSG5 firewall, with a firewall management console and firewall logs; core network with Domain Controller, Exchange, SharePoint, Data Management System, MS SQL, Active Directory, Citrix farm (Citrix App, Citrix WI), Swivel 2FA, application servers, print servers, FTP, Kirona connector, Plans, Minutes, MRM, RADIUS server, Fiery printer controller and Mirra recording device; telephony application and telephony gateways; physical servers (x30); production NetApp FAS2240-2 (30 TB, iSCSI and NFS); support staff (x5); remote users (x100). All data is snap-mirrored from the production NetApp 2240 filer and backed up by the SyncSort backup software.]
Antivirus/Endpoint Security and Mobile Device Management (MDM)

Infrastructure | Current Solution | Proposed Alternative Technology
Desktops/Laptops | Kaspersky V6 or V10 roll out 1 | Cloud based end user protection
Regular Servers | Kaspersky V6 or V10 roll out 1 | Cloud based end user protection
Critical Servers | Kaspersky V6 or V10 roll out 1 | Cloud based server protection with advanced black/whitelisting
VDI/vShield | Kaspersky Security for Virtualization | VDI protection
Mobile Device Management (MDM) | Sophos Hosted SMC | Cloud based end user protection
Consolidating on-premise desktop/laptop anti-virus, server protection, VDI security and mobile device management into a fully cloud-hosted service, with the only on-premise management component being the VDI agent. This will simplify the management and updating process associated with traditional malware defence.

Primary benefits of adopting proposed alternative strategy:
Simpler management, including managing all devices (desktop, laptop, server and mobile) together,
Console and versions automatically upgraded,
Built in web filtering for remote and mobile* users,
Device control (USB control),
Client firewall,
Application control,
Malicious traffic detection,
AD Sync,
Critical Servers can be protected with Lockdown (whitelisting),
Increased server protection,
VDI agentless scanning for VMware vShield,
Ongoing security integration with UTM technology.
Cloud based anti-virus/endpoint controls allow simpler management of all devices together, including desktops/laptops, mobile devices (iOS/Android etc.) and servers. The cloud solution is automatically maintained, and new features/controls are automatically made available when released.
Firewalls

Infrastructure | Current Solution | Proposed Alternative Technology
Main firewall(s) | 2 x StoneGate FW-1030 active/passive, 6 x copper NICs | UTM technology, active/passive

Proposed main UTM performance:
Function | Performance
Firewall throughput | 25 Gbps
IPS throughput | 7 Gbps
AV throughput | 2 Gbps
Concurrent connections | 8,000,000

UTM technology includes:
Module | Core Features
Network Protection | Next generation firewall, IPS, country blocking, QoS, VPN, RED device, routing, load balancing
Web Protection | Web category filtering, application control, dual AV filtering, HTTPS analysis
Web Server Protection | Reverse proxy (WAF), dual AV, security profiles/controls
Wireless Protection | Wi-Fi filtering, multiple networks, password of the day, guest Wi-Fi
Email Filtering | AV/AS/encryption (included in the bundle, but as it is an on-premise component it is not recommended for this proposal)

Infrastructure | Current Solution | Proposed Alternative Technology
StoneGate 310 | Associated with xxxxx council | Consolidate onto the UTM solution above, i.e. no further hardware required
GCSX | TMG firewall and StoneGate 310 | UTM technology

Proposed alternative performance:
Function | Performance
Firewall throughput | 13 Gbps
IPS throughput | 3 Gbps
AV throughput | 800 Mbps
Concurrent connections | 4,000,000

Juniper firewall | Legacy equipment | Consolidate onto the UTM solution above, i.e. no further hardware required
Primary benefits of adopting proposed alternative strategy:
Stronger performance,
Enhanced scalability,
Integrated network functionality and security:
  o Enhanced security over point solutions,
Consolidation of multiple firewall/technology providers,
Simpler management,
Increased functionality:
  o Quick, secure and easy expansion of the network to remote sites via Remote Ethernet Devices (RED),
  o Integrated failover: link aggregation and failover detection,
  o Load balancing,
  o Intrusion prevention,
  o Application control,
  o Enhanced web filtering/HTTPS inspection,
  o Dual AV (Avira/Sophos), etc.,
  o Direct cost savings, as security providers offer greater discounts the more solutions you take from one vendor,
  o Indirect cost savings in terms of simpler management,
Replacement of legacy equipment (that is due to become unsupported).
Encryption
Infrastructure | Current Solution | Proposed Alternative Technology
HDD Encryption | Microsoft BitLocker | Microsoft BitLocker, with third-party management
File Shares | None | File encryption solution
Primary benefits of adopting proposed alternative strategy:
Simple centralised management,
Key backup/recovery,
Auditing and reporting of encrypted machines for data compliance purposes (i.e. proof that they were encrypted),
Network file share encryption, protecting sensitive documents with file based encryption.
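The "proof they were encrypted" and key backup/recovery points above are the ones an auditor will actually ask for, and they can be measured on the existing estate before any third-party management layer is bought. The PowerShell script below is an added example, not part of this proposal and not any vendor's product: it walks the computer accounts in an OU, asks each machine's BitLocker WMI provider whether the OS volume is fully encrypted with protection switched on, and checks whether a recovery password has been escrowed into Active Directory. The OU name, the drive letter and the output file name are assumptions. It runs from an admin workstation with the ActiveDirectory RSAT module and needs WMI/RPC access to the clients; it uses the WMI provider rather than the BitLocker cmdlets because the Windows 7 clients in this estate do not have the cmdlets.

```powershell
# Added example (not part of the Foursys proposal or any vendor product):
# audit domain computers for (a) a fully encrypted, protected OS volume and
# (b) a BitLocker recovery password escrowed in Active Directory.
# Assumptions: ActiveDirectory RSAT module on this workstation, WMI/RPC
# reachable on the targets, OU name below is hypothetical.
Import-Module ActiveDirectory

$SearchBase = 'OU=Laptops,DC=council,DC=local'   # hypothetical OU; change to match your AD
$Namespace  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$OsDrive    = 'C:'                               # assumed OS volume

function Get-BitLockerCompliance {
    param([string]$ComputerName, [string]$DistinguishedName)

    $result = New-Object PSObject -Property @{
        Computer   = $ComputerName
        Reachable  = $false
        Protection = 'Unknown'
        Encrypted  = $false
        KeyInAD    = $false
        Compliant  = $false
    }

    # (b) Recovery passwords live as msFVE-RecoveryInformation child objects
    #     of the computer account; reading them requires delegated rights.
    $escrow = Get-ADObject -SearchBase $DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -ErrorAction SilentlyContinue
    $result.KeyInAD = (($escrow | Measure-Object).Count -gt 0)

    # (a) Ask the BitLocker WMI provider on the client about the OS volume.
    try {
        $vol = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume `
            -ComputerName $ComputerName -Filter "DriveLetter='$OsDrive'" -ErrorAction Stop
    } catch {
        return $result    # unreachable host: reported as non-compliant, never assumed fine
    }
    if ($vol -eq $null) { return $result }
    $result.Reachable = $true

    # GetProtectionStatus: 0 = off (or suspended), 1 = on, 2 = unknown
    # GetConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    #                      2 = encryption in progress, 3 = decryption in progress
    $prot = $vol.GetProtectionStatus().ProtectionStatus
    $conv = $vol.GetConversionStatus().ConversionStatus
    $result.Protection = @('Off', 'On', 'Unknown')[$prot]
    $result.Encrypted  = ($conv -eq 1)

    # "Proof it was encrypted" needs all three: fully encrypted, protectors
    # enabled (not suspended), and a recovery key you can actually retrieve.
    $result.Compliant = $result.Encrypted -and ($prot -eq 1) -and $result.KeyInAD
    return $result
}

$report = Get-ADComputer -SearchBase $SearchBase -Filter * |
    ForEach-Object { Get-BitLockerCompliance -ComputerName $_.Name -DistinguishedName $_.DistinguishedName }

$report | Select-Object Computer, Reachable, Protection, Encrypted, KeyInAD, Compliant | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\bitlocker-compliance.csv   # assumed output path
```

A machine that is encrypted but has no recovery password in AD is reported as non-compliant on purpose: if its TPM fails or a user forgets a PIN, the data is unrecoverable, which is exactly the gap the proposed key backup/recovery feature is meant to close. A machine that cannot be reached is also reported as non-compliant rather than assumed to be fine.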
Email Security

Infrastructure | Current Solution | Proposed Alternative Technology
AV/AS | ICritical | Cloud email alternative
Encryption | None | Cloud email alternative
Archiving | None | Cloud email alternative

Primary benefits of adopting proposed alternative strategy:
Simple management,
Business continuity,
AV/AS/encryption/email hygiene.
Web Security/Filtering
Infrastructure | Current Solution | Proposed Alternative Technology
Web Filtering | Bluecoat (cloud) | Proposed UTM technology for the firewall
Web Security | Bluecoat (cloud) | Proposed UTM technology for the firewall
Primary Benefits of adopting proposed alternative strategy
Integrated Web Filtering/Security with Firewall/UTM,
Simple management and reporting,
User authentication with agentless filtering for machines,
Faster performance for internet access,
110 Categories and application control,
HTTPS Analysis,
Dual AV,
Bandwidth controls and application throttling,
Reputation analysis,
File type and mime type blocking.
Vulnerabilities
Infrastructure | Current Solution | Proposed Alternative Technology
Vulnerability Identification | GFI LanGuard, but for servers only | Complete patch remediation solution
Vulnerability Remediation/Patching | WSUS for Windows patches; GFI LanGuard for servers only | Complete patch remediation solution (integrating with WSUS)
Primary Benefits of adopting proposed alternative strategy
Protect against malware or hacker exploitation of poorly patched machines,
Identify missing patches for third party apps (Adobe, Java) and Microsoft systems (50,000 systems covered),
Remediate patches via WSUS/SCOM integration, with advanced technology that strips out unwanted items (such as a bundled Chrome update),
Deploy patches at a schedule that fits with business requirements,
Wi-Fi
Infrastructure | Current Solution | Proposed Alternative Technology
Corporate network | Aruba | Proposed UTM technology with access points
Guest network(s) | Z-wifi | Proposed UTM technology with access points
Primary benefits of adopting proposed alternative strategy
Integrated Wi-Fi with UTM technology (Firewall, Web Filtering, Routing etc.)
Simple Management
Define new networks:
  o What they have access to,
  o How they are web filtered (via UTM technology),
  o Whether they have a guest password of the day,
  o Whether they use Active Directory integrated authentication,
  o Remote Wi-Fi networks, off other UTMs or RED devices.
Reverse Proxy (WAF)
Infrastructure | Current Solution | Proposed Alternative Technology
ActiveSync | Microsoft TMG | Proposed UTM technology
OWA | None, not currently used | Proposed UTM technology
SharePoint | None, not currently used | Proposed UTM technology
Websites | None, not currently used | Proposed UTM technology
Primary benefits of adopting proposed alternative strategy
Enhanced protection for web servers with security technology including URL hardening, SQL injection prevention, cookie signing, dual AV protection etc.,
Publish web servers, SharePoint and OWA through the same reverse proxy,
Load balance servers behind the reverse proxy.
Intrusion Prevention & Detection
Infrastructure | Current Solution | Proposed Alternative Technology
Main Firewall | StoneGate | Proposed UTM technology
Core Servers | None | Proposed UTM technology
Network IDS | None | Agentless Network Access Control
Primary benefits of adopting proposed alternative strategy
Enhanced protection for services that are allowed to pass the firewall,
Protect core servers from the desktop estate by passing through the UTM with IPS protection.
Network Client Security and Guest Controls
Infrastructure | Current Solution | Proposed Alternative Technology
Network Access Control | None | Agentless Network Access Control
Network Visibility | None | Agentless Network Access Control
Guest Controls | Limited to manually controlling live ports | Agentless Network Access Control
Primary benefits of adopting proposed alternative strategy
Stop unauthorised devices connecting to the network and potentially gaining access to secure information,
Identify what is on the network:
  o Different devices,
  o Operating systems,
  o Mobiles,
  o Printers,
  o Appliances.
Analyse the security posture of machines/devices:
  o Is the device a domain member?
  o Is it running up-to-date AV?
  o Are its Windows patches up to date?
  o Is it running a P2P application right now?
  o Does it have an xyz registry key?
Remediate devices based on policy,
Quarantine insecure machines,
Stop P2P apps running,
Group machines without an xyz registry key,
Change the Vlan of a device, limiting its web or network access,
Authenticate non AD domain devices and request sponsorship to access the network,
Dynamic Intrusion Detection (with honeypots) system built in.
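As an added example (not the NAC vendor's code, and not how an agentless NAC gathers this data, which it does from the network without touching the client), the PowerShell below runs the same posture questions locally on a Windows client and turns the answers into the action a NAC policy would take: allow, remediate, or quarantine to a restricted VLAN. It is written for PowerShell 2.0 so it runs unmodified on the Windows 7 estate. The registry key path, the P2P process names, the patch threshold and the VLAN name are illustrative assumptions, not values from the proposal. Running it on a sample of machines before a NAC rollout tells you how much of the estate a strict policy would quarantine on day one.

```powershell
# Added example, not the NAC product's code: evaluate this client's posture
# against a policy modelled on the checks listed above and return the action
# a NAC would take. PowerShell 2.0 compatible (Windows 7).
$Policy = @{
    RequiredRegistryKey = 'HKLM:\SOFTWARE\Council\StandardBuild'                # hypothetical "xyz" key
    P2PProcesses        = @('utorrent', 'bittorrent', 'emule', 'vuze', 'limewire')  # illustrative list
    MaxMissingUpdates   = 0                                                       # assumed threshold
    QuarantineVlan      = 'VLAN 999 (remediation)'                                # hypothetical VLAN
}

function Get-ClientPosture {
    param([hashtable]$Policy)

    # 1. Domain membership
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $domainMember = [bool]$cs.PartOfDomain

    # 2. Anti-virus as reported to Windows Security Center (workstations only;
    #    servers have no SecurityCenter2 namespace, so the list stays empty and
    #    the check fails closed). productState is a bit field: 0x1000 set means
    #    real-time protection is enabled, 0x10 set means definitions are out of
    #    date (the usual decoding of this field).
    $avUpToDate = $false
    $avProducts = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    foreach ($av in $avProducts) {
        $state   = [int]$av.productState
        $enabled = (($state -band 0x1000) -ne 0)
        $stale   = (($state -band 0x10) -ne 0)
        if ($enabled -and -not $stale) { $avUpToDate = $true }
    }

    # 3. Missing Windows updates, asked of the Windows Update Agent, which in
    #    turn asks whichever WSUS server the client is pointed at.
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $missingUpdates = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates.Count

    # 4. Running P2P applications, matched on process image name
    $p2pRunning = @(Get-Process | Where-Object { $Policy.P2PProcesses -contains $_.Name.ToLower() } |
                    ForEach-Object { $_.Name })

    # 5. Presence of the build marker registry key
    $hasRegKey = Test-Path -Path $Policy.RequiredRegistryKey

    # Decision: anything that would let an unmanaged or exposed machine onto
    # the LAN unchecked is quarantined; configuration drift is remediated;
    # otherwise the device is allowed.
    if (-not $domainMember -or -not $avUpToDate -or $p2pRunning.Count -gt 0) {
        $action = 'Quarantine: move to ' + $Policy.QuarantineVlan
    } elseif ($missingUpdates -gt $Policy.MaxMissingUpdates -or -not $hasRegKey) {
        $action = 'Remediate: push updates/registry key, then re-check'
    } else {
        $action = 'Allow'
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        DomainMember   = $domainMember
        AVUpToDate     = $avUpToDate
        MissingUpdates = $missingUpdates
        P2PRunning     = ($p2pRunning -join ',')
        HasRegistryKey = $hasRegKey
        Action         = $action
    }
}

Get-ClientPosture -Policy $Policy | Format-List
```

The ordering of the decision matters: a non-domain or AV-less device is quarantined even if it is fully patched, because those are the conditions under which an unknown device reaches "secure information" on the LAN; missing patches on an otherwise managed machine are a remediation case, since the proposed patch solution can fix them without taking the user offline.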
Technology Consolidation (Simplification) Overview

Shown below, in Foursys' recommended priority order (in terms of simplification/security benefit), are the changes proposed to the network solutions that are currently implemented.

Technology Area | Current Solution | Alternative Technology/Simplification
Firewall | StoneGate, TMG, Juniper (3) | UTM technology
Web Security/Filtering | Bluecoat cloud and agent | UTM technology
Wi-Fi | Aruba and Z-wifi (2) | UTM technology
Reverse Proxy (WAF) | TMG | UTM technology
Intrusion Prevention System | StoneGate; no protection for servers from the internal network | UTM technology
AV/Endpoint | Kaspersky on premise | Cloud AV/MDM
Mobile Devices | Sophos Cloud | Cloud AV/MDM
Encryption | Microsoft BitLocker (little/no management) | BitLocker with integrated management
Anti-virus and endpoint protection can be simplified by adopting the latest cloud-managed solution(s), ensuring console upgrades are a thing of the past. This technology can also integrate mobile device management, so that one console manages all clients. Firewall, web security, Wi-Fi and reverse proxy can all be integrated into the latest UTM technology. This will simplify management and also allow the technologies to work together, extending the capabilities over the existing solutions. Commercially, taking this technology from a single vendor will also offer cost savings, while the UTM's dual AV filtering ensures that security is not compromised.

Network/Firewall Security

Network security and efficiency as a whole can be increased by consolidating around UTM technology. The parks can be connected to the core network via a low-cost layer 2 tunnelling device (RED), so they can be brought onto the network quickly and easily while the core UTM firewall applies firewall/IPS controls to their traffic and security is maintained. The same technology could replace the legacy point-to-point connections, enhancing security via intrusion prevention (IPS) and simplifying the design, whilst allowing lower-cost broadband connections to be used rather than expensive leased lines.

UTM network technology includes IPS, country blocking and quality of service (bandwidth controls), allowing the existing in-place security to be replaced with next generation firewall capabilities that also deliver stronger performance via upgraded hardware.

Consolidation of the firewalls for the GCSX network, while retaining the ability to report centrally across all UTMs/firewalls in a single management or reporting interface.
Wi-Fi Security
Wi-Fi can be integrated with the UTM configuration, ensuring full firewall, web filtering and appropriate security controls for guests, BYOD and corporate Wi-Fi networks.
The ability to extend Wi-Fi to remote sites via RED technology results in fast deployment times, highly secure networks, multiple networks from a single access point, etc.
Web Security
Direct Web Filtering and security for all devices whether LAN or Wi-Fi based.
Different policies for different users, networks or groups.
Dual AV controls
Category and Application Filtering
User authentication, with agentless (transparent) authentication possible.

Possible network diagram (for illustration purposes only):
[Network diagram illustrating the proposed infrastructure. The core components are as in the current diagram (DMZ with x82 VMs, PSN and non-PSN segments, Domain Controller, Exchange, SharePoint, Data Management System, MS SQL, Active Directory, Citrix farm, Swivel 2FA, application servers, print servers, FTP, Kirona connector, Plans, Minutes, MRM, Fiery printer controller, Mirra recording device, telephony application and gateways, physical servers (x30), production NetApp FAS2240-2 (30 TB, iSCSI and NFS), support staff (x5), remote users (x100), with all data snap-mirrored from the production NetApp 2240 filer and backed up by the SyncSort backup software). The StoneGate, TMG and Juniper firewalls are replaced by UTM technology at the Internet edge, the PSN boundary and in front of the DMZ; the Aruba access points are replaced by UTM access points (x4); a published website sits behind the UTM reverse proxy; and the parks are connected by remote Ethernet (RED) connectivity.]
Areas to enhance security further, whilst ensuring simple management/maintenance

Technology Area | Current Solution | Alternative Technology/Simplification
Vulnerabilities | WSUS for Microsoft patching only | Patch remediation for all applications (50,000 supported)
Network Client Security and Guest Controls | None | Agentless NAC
Encryption | Microsoft BitLocker | Microsoft BitLocker with full encryption management solution