integradoraii -banco bradesco
Implementation of Communications Infrastructure at Banco Bradesco
UNIVERSIDAD TECNOLÓGICA DE QUERÉTARO
IMPLEMENTATION OF COMMUNICATIONS INFRASTRUCTURE AT BANCO BRADESCO
Ávila Jiménez José Alejandro, Gutiérrez Hernández Diana Gabriela
ITIC-2, October 2010
Contents
Introduction
Definition of the case study
Physical layout of the company
Physical layout of the Presidency department
Physical layout of the remote office
Logical topology
Cabling coverage areas according to the EIA/TIA standard
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
Presidency Department
Remote Office
Detailed logical topology of the LAN and WAN
Calculations based on the free-space propagation model
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
AP power calculations
Frequency channel design
Signal propagation simulation for each AP in the design
Specifications of the digital link for WAN communication
Budget and Gantt chart for the project implementation
Gantt chart
Budget
Integrating APs in PT in an ESS topology
Specifications of the equipment used for the network (wired and wireless)
Wired network
Wireless network
Company security policy
Introduction
One of the most important factors on the road to success lies in the handling of information; it has even been said that "whoever controls information controls power."
In the search for that path to success, the theory of computer networks has been developed, and it is not a recent one. The need to share resources and exchange information was a constant concern from the earliest days of computing. Data networks date back to the 1960s, when they served exclusively military or defense purposes. They were gradually adopted for commercial purposes.
From the early 1980s, local area networks (LANs) began to develop. This greatly influenced how small, medium and large companies handle their vital information systems, shaping the future of networking and of computing in general. Whereas networks were once used basically to share the resources of the connected computers, today they are means of international communication over which large volumes of data are exchanged at almost unimaginable traffic speeds.
With this approach, and thanks to current technological advances, "Bradesco" has directed all its efforts and resources toward systematizing its data so that the data becomes an indispensable and inseparable support for decision-making. To achieve this goal, nothing is better than implementing an excellent data network that lets information circulate easily and fluidly through each and every department of the company.
Definition of the case study
"Bradesco" is a banking institution whose main facilities are located in the city of Querétaro, with a remote office located 200 km away. It therefore needs to implement a network infrastructure that provides effective communication between its two sites.
The company has a total of 1000 users, 100 of whom are located in the remote office. The goal is to design a communications platform that supports real-time applications in the central offices and the remote office. The company has 10 departments distributed by area; the design specifically requires one VLAN per department, plus one voice VLAN and one video VLAN, taking into account that no telecommunications infrastructure currently exists.
Physical layout of the company
The following design shows the structure of the central building, located in the state of Querétaro, with its corresponding departments.
Drawing: General location and distribution of the MDF and IDFs
Drawing: Central air conditioning
Drawing: Main grounding system
Physical layout of the Presidency department
The following design shows the structure of the Presidency department.
Physical layout of the remote office
The following design shows the remote office department and how it will be structured.
Logical topology
[Diagram labels: CORE DISTRIBUTION, DISTRIBUTION, ACCESS]
Cabling coverage areas according to the EIA/TIA standard
Drawing: Electrical and telecommunications distribution, Presidency department
Drawing: Air conditioning distribution, Presidency department
Drawing: Electrical and telecommunications distribution, remote office
Drawing: Air conditioning distribution, remote office
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The drawing shows graphically where the MDF and the IDFs will be located and how they will be distributed. The vertical backbone is 62.5/125 µm multimode optical fiber. The media connecting each IDF to the MDF will also be optical fiber of the same type, while distribution to each node will use UTP-5E.
Central air conditioning
A central-distribution air conditioning system is installed in this main building. It is located on the building's rooftop terrace and has two complete units in perfect working order, one as the main system and the other as the emergency system.
The capacity of this system is sufficient to serve the whole building and each of its offices, keeping the air comfortable both for people and for the installed equipment and systems. The selected temperature is 24 °C (room temperature).
The drawing shows how the main duct runs from the roof to the last floor, with the respective branches on each floor. The secondary air ducts and the return ducts run through the building above the false ceiling, with ventilation grilles placed aesthetically at the points deemed necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the rooftop terrace to the last floor, made of an unsheathed 00 (double zero) gauge cable. On each floor, branches split off from it to feed each and every three-prong outlet, as well as the supply for each piece of equipment and its shielding.
The surge protection or suppression system is inherent to this grounding system, in order to achieve optimal electrical safety for electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, under the strictest technical standards, to the grounding mesh located beneath the floor.
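The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Presidency | Computer | 100
Presidency | Direct telephone | 100
Presidency | Printer | 1
Presidency | Fax | 1
Presidency | Projector | 1
Human Resources | Computer | 100
Human Resources | Direct telephone | 100
Human Resources | Printer | 1
Human Resources | Fax | 1
Administration (Branches) | Computer | 100
Administration (Branches) | Direct telephone | 100
Administration (Branches) | Printer | 1
Administration (Branches) | Fax | 1
Area Support | Computer | 100
Area Support | Direct telephone | 100
Area Support | Printer | 1
Area Support | Fax | 1
Telematics | Computer | 100
Telematics | Direct telephone | 100
Telematics | Printer | 1
Telematics | Fax | 1
Management Control and Budgets | Computer | 100
Management Control and Budgets | Direct telephone | 100
Management Control and Budgets | Printer | 1
Management Control and Budgets | Fax | 1
Legal | Computer | 100
Legal | Direct telephone | 100
Legal | Printer | 1
Legal | Fax | 1
Finance | Computer | 100
Finance | Direct telephone | 100
Finance | Printer | 1
Finance | Fax | 1
Audit | Computer | 100
Audit | Direct telephone | 100
Audit | Printer | 1
Audit | Fax | 1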
Presidency Department
Distribution and location of the electrical system
Main distribution starts at the circuit (breaker) box in the IDF and runs to the equipment that requires it. The red line in the drawing shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-cavity type, which isolates data cabling from AC power cabling or from any other system implemented in the future. These raceways measure 75 x 50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal cabling
Distribution starts at the wiring center in the IDF, where the voice and data patch panel is located, and runs to the equipment that requires it. The green line shows in detail how the UTP-5E cabling is distributed to the different nodes. The raceway used is the same dual-cavity raceway used for electrical distribution. Each node has 2 outlets that handle two circuits, one for data and one for telephony.
• UTP cable: horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, with a fire-retardant PVC outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run above the false ceiling as shown in the drawing. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers so that the user can open or close them and control the air flow as desired. There is no false ceiling over the IDF, so a side-mounted air dispersion grille is installed on the side of the IDF. The return diffusers are placed strategically so that the ventilation cycle works optimally.
IDF
The location of this room can be seen clearly in the drawing. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room, and the patch panels, switches and required servers will be installed in them.
Racks
The room has 2 racks in which the required equipment will be mounted. The racks support the entire cabling structure; they are open-type racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards.
• Electrostatic paint
• Ground busbar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The following table shows the distribution for each of the areas that will make up the Presidency floor.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Presidency | Computer | 1
Presidency | Direct telephone | 1
Presidency | Printer | 1
Presidency | Fax | 1
Presidency Secretary | Computer | 1
Presidency Secretary | Direct telephone | 1
Presidency Secretary | Printer | 1
Presidency Secretary | Fax | 1
Reception | Computer | 1
Reception | Direct telephone | 1
Reception | Fax | 1
Meeting room | Computer | 2
Meeting room | Direct telephone | 1
Meeting room | Printer | 1
Meeting room | Projector | 1
Administrative Management Area | Computer | 95
Administrative Management Area | Direct telephone | 95
Administrative Management Area | Printer | 1
Remote Office
Distribution and location of the electrical system
Main distribution starts at the circuit (breaker) box in the MDF and runs to the equipment that requires it. The red line in the drawing shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-cavity type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal cabling
Main distribution starts at the wiring center in the MDF, where the voice and data patch panel is located, and runs to the equipment that requires it. It is carried on an overhead ladder tray and then, where necessary, into the dual-cavity raceway. The green line shows how the UTP-5E cabling is distributed to the different nodes.
• UTP cable: horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, with a fire-retardant PVC outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines, with the same characteristics described above. There is no false ceiling over the MDF, so two side-mounted air dispersion grilles are installed on the side of the MDF.
MDF
The location of this room can be seen clearly in the drawing. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room, and the patch panels, switches and required servers will be installed in them.
Racks
The room has 2 racks in which the required equipment will be mounted. The racks support the entire cabling structure; they are open-type racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards.
• Electrostatic paint
• Ground busbar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be arranged, with its IDF and the 3 switches that correspond to it, covering voice and data. Recall that each building will have 100 users.
The following table shows the distribution for each of the areas that will make up the remote office floor.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Remote Office | Computer | 100
Remote Office | Direct telephone | 100
Remote Office | Printer | 1
Remote Office | Fax | 1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a bus-type logical topology (that is, the information flows over a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations belonging to it will use an IP address that lets them communicate when they need to transmit information to other VLANs.
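The VLAN-per-department design described above, worked through as an addressing plan. This is an added example, not part of the original report: the 10.20.0.0/16 block, the VLAN IDs, the video endpoint count and all function names are assumptions, while the department names and per-department equipment counts come from the report's tables (fax machines and the Presidency projector are left out as non-IP devices, also an assumption).

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional

# Assumed private block for the whole bank; the report gives no IP addressing.
SUPERNET = ipaddress.ip_network("10.20.0.0/16")

# Department names as translated from the report's equipment tables. Each
# department row there lists 100 computers, 100 direct telephones, 1 printer.
DEPARTMENTS = [
    "Presidency", "Human Resources", "Administration (Branches)",
    "Area Support", "Telematics", "Management Control and Budgets",
    "Legal", "Finance", "Audit", "Remote Office",
]
COMPUTERS_PER_DEPT = 100
PHONES_PER_DEPT = 100
PRINTERS_PER_DEPT = 1
VIDEO_ENDPOINTS = 60  # assumption: the report does not count video endpoints


@dataclass
class Vlan:
    vlan_id: int  # assumed numbering scheme, not from the report
    name: str
    hosts: int
    network: Optional[ipaddress.IPv4Network] = None

    @property
    def gateway(self) -> ipaddress.IPv4Address:
        # First usable address, reserved for the inter-VLAN routing interface.
        return self.network.network_address + 1

    @property
    def spare(self) -> int:
        # Addresses left after hosts, gateway, network and broadcast.
        return self.network.num_addresses - 3 - self.hosts


def required_prefix(hosts: int) -> int:
    """Longest prefix that still fits hosts + gateway + network + broadcast."""
    needed = hosts + 3
    return 32 - (needed - 1).bit_length()


def demand_from_report() -> List[Vlan]:
    """One data VLAN per department, plus one voice and one video VLAN."""
    vlans = [
        Vlan(10 * (i + 1), dept, COMPUTERS_PER_DEPT + PRINTERS_PER_DEPT)
        for i, dept in enumerate(DEPARTMENTS)
    ]
    vlans.append(Vlan(110, "Voice", PHONES_PER_DEPT * len(DEPARTMENTS)))
    vlans.append(Vlan(120, "Video", VIDEO_ENDPOINTS))
    return vlans


def allocate(vlans: List[Vlan], supernet=SUPERNET) -> List[Vlan]:
    """Assign aligned, non-overlapping subnets, largest first (VLSM)."""
    cursor = int(supernet.network_address)
    for vlan in sorted(vlans, key=lambda v: required_prefix(v.hosts)):
        prefix = required_prefix(vlan.hosts)
        size = 1 << (32 - prefix)
        cursor = -(-cursor // size) * size  # round up to the subnet boundary
        network = ipaddress.ip_network((cursor, prefix))
        if not network.subnet_of(supernet):
            raise ValueError(f"{supernet} is too small for VLAN {vlan.name}")
        vlan.network = network
        cursor += size
    return vlans


def overlapping_pairs(vlans: List[Vlan]) -> List[tuple]:
    """Audit helper: any pair returned here breaks the segmentation."""
    return [
        (a.name, b.name)
        for a, b in combinations(vlans, 2)
        if a.network.overlaps(b.network)
    ]


def build_plan() -> Dict[str, Vlan]:
    return {v.name: v for v in allocate(demand_from_report())}


if __name__ == "__main__":
    plan = build_plan()
    for v in sorted(plan.values(), key=lambda v: v.vlan_id):
        print(f"VLAN {v.vlan_id:<4}{v.name:<32}{str(v.network):<18}"
              f"gw {str(v.gateway):<13}spare {v.spare}")
    print("overlaps:", overlapping_pairs(list(plan.values())))
```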
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
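$G = 500$
$a = 9.7 \times 10^{-4}$
$f = 500, \quad e = 2.718$
$d(a, f) = \dfrac{f\, e^{-a f}}{G\,(1 + 2a) + e^{-a G}}$
$s(a, G)$: numerator $a\, G\, e^{-a G}$; denominator formed from $1$, $e^{-a G}$ and $a$
$s(a, G) = 0.185$
$d(a, G) = 0.614$
[Plot: s(a, G) and d(a, f) against G and f, each from 0 to 5000; vertical axis from 0.16 to 0.8]
$t = 0.266$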
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be installed only in the remote office. The following diagram shows the design of the channels to be used and of the BSAs.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel diagram labels: 11, 1, 6]
Drawing: Remote office simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, because of the reliability, security and quality of its services.
Drawing: Remote office simulation, AP distribution
Drawing: Remote office simulation, AP signal propagation
The link to be contracted is an E1 (2048 kbps) with the following characteristics:
• Ideal for various applications such as web, e-mail and FTP servers, e-commerce, etc.
• From 8 registered (fixed) IP addresses are provided
• Can integrate the Security Module and the Data Center Module
• Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes the Web Monitoring Tool, domain registration with the NIC, and consulting and design for your network
• Supports server applications
• On-site technical support
• Optional services: Traffic Shaper, Backup Service, Firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to satisfy the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet easily and cost-effectively powers wireless access points, video cameras and other network-attached endpoints
• Flexible clustering lets several switches be managed as one to support business growth
• Strong security protects network traffic to keep out unauthorized users
• Simplified web-based management for easy installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 through 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available to all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 hashing, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in up to 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit for power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based; 802.1p VLAN priority-based; IPv4/v6 IP precedence/ToS/DSCP-based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policing; egress rate control; per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240 V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48 V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the Cisco-branded WRT54GL model. This model meets the requirements requested of the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12 V DC, 1.0 A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there’s the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There’s also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54 Mbps auto-fallback (IEEE 802.11g), 11 Mbps auto-fallback (IEEE 802.11b), 1 Mbps (IEEE 802.11b), 6 Mbps (IEEE 802.11g)
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 channels (US, Canada); 13 channels (Europe, Japan)
Ports: Internet: one 10/100 RJ-45 port; LAN: four 10/100 RJ-45 switched ports; one power port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12 V DC, 0.5 A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104 ºF (0 to 40 ºC)
Storage Temp.: -4 to 158 ºF (-20 to 70 ºC)
Operating Humidity: 10 to 85%, noncondensing
Storage Humidity: 5 to 90%, noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization’s critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters” or “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to a virus, worm or Trojan horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company’s information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company’s security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm’s full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company’s interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated with the institution, and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
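Items 2 and 5 of this list (six-month inactivity removal and lockout after repeated failed log-ons) can be evaluated from authentication logs. The Python below is an added example, not part of the original policy; the log format, the account names, the threshold of five failures (the policy only says "multiple") and the reading of "six months" as 183 days are all assumptions.

```python
from datetime import datetime, timedelta

# Assumptions, not values from the policy text:
MAX_FAILURES = 5                      # the policy only says "multiple" attempts
INACTIVITY_LIMIT = timedelta(days=183)  # "six months" taken as 183 days

# Constructed sample: accounts authorized on an administrative system.
ACCOUNTS = ["admin01", "admin02", "admin03", "admin04"]

# Constructed sample log in a hypothetical "<timestamp> <event> user=<id>" format.
SAMPLE_LOG = """\
2010-03-02T08:15:00 LOGIN_OK user=admin01
2010-09-20T10:00:00 LOGIN_OK user=admin02
2010-10-04T09:00:01 LOGIN_FAIL user=admin02
2010-10-04T09:00:03 LOGIN_FAIL user=admin02
2010-10-04T09:00:05 LOGIN_FAIL user=admin02
2010-10-04T09:00:07 LOGIN_FAIL user=admin02
2010-10-04T09:00:09 LOGIN_FAIL user=admin02
2010-10-04T09:05:00 LOGIN_OK user=admin02
2010-10-05T08:00:00 LOGIN_FAIL user=admin03
2010-10-05T08:00:10 LOGIN_FAIL user=admin03
2010-10-05T08:00:20 LOGIN_FAIL user=admin03
2010-10-05T08:00:30 LOGIN_FAIL user=admin03
2010-10-05T08:01:00 LOGIN_OK user=admin03
2010-10-06T08:00:00 LOGIN_FAIL user=admin03
2010-10-06T08:00:10 LOGIN_FAIL user=admin03
"""


def parse_line(line):
    """Split one log line into (timestamp, event, user id)."""
    stamp, event, user_field = line.split()
    return datetime.fromisoformat(stamp), event, user_field.partition("=")[2]


def audit(log_text, accounts, now,
          max_failures=MAX_FAILURES, inactivity=INACTIVITY_LIMIT):
    """Return the IDs to lock (item 5) and the IDs whose access is removed (item 2)."""
    failures = {a: 0 for a in accounts}
    last_ok = {a: None for a in accounts}
    locked = set()

    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for stamp, event, user in events:
        # Unknown IDs are skipped; a locked ID stays locked until an
        # access manager re-enables it, so later events do not count.
        if user not in failures or user in locked:
            continue
        if event == "LOGIN_OK":
            failures[user] = 0          # consecutive-failure counter resets
            last_ok[user] = stamp
        elif event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)

    # Never used, or not used within the inactivity window.
    stale = {u for u, seen in last_ok.items()
             if seen is None or now - seen > inactivity}
    return {"locked": sorted(locked), "remove_access": sorted(stale)}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, ACCOUNTS, datetime(2010, 10, 15)))
```
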
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco’s entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of “public”, “private” and “system”, and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include: user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word, such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words “Bradesco” and geographical indicators such as “sanjose”, “sanfran” or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
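The weak and strong password characteristics listed above can be enforced as an automated check when a password is set. The Python below is an added example and is not part of the original policy; the function names and finding labels are hypothetical, the small dictionary is a constructed sample, and `string.punctuation` is used as a broader punctuation set than the one the policy lists.

```python
import string

# Constructed sample; a real check would load a full dictionary word list.
DICTIONARY = {"secret", "password", "welcome", "dragon", "monkey"}
# Terms and patterns quoted in the policy text.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
KEY_PATTERNS = ("aaabbb", "qwerty", "zyxwvuts", "123321")


def candidate_forms(password):
    """Forms to test: lower-cased, with leading/trailing digits removed
    ("preceded or followed by a digit"), and each of those reversed
    ("spelled backwards")."""
    lowered = password.lower()
    forms = {lowered, lowered.strip(string.digits)}
    forms |= {form[::-1] for form in forms}
    forms.discard("")
    return forms


def check_password(password, personal_info=()):
    """Return a list of policy findings; an empty list means the password
    meets the construction guidelines that can be checked automatically."""
    findings = []
    forms = candidate_forms(password)

    # Weak-password characteristics
    if len(password) < 8:
        findings.append("too_short")
    if any(form in DICTIONARY for form in forms):
        findings.append("dictionary_word")
    if any(term in form for form in forms for term in ORG_TERMS):
        findings.append("organisation_term")
    personal = [item.lower() for item in personal_info if item]
    if any(item in form for form in forms for item in personal):
        findings.append("personal_info")
    if any(pattern in form for form in forms for pattern in KEY_PATTERNS):
        findings.append("keyboard_or_number_pattern")

    # Strong-password requirements
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.append("missing_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.append("missing_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("missing_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("secret1", "1terces", "Bradesco2010!", "kR4~vou]T9"):
        print(sample, check_password(sample))
```
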
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R” or “Tmb1W>r~” or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of “don’ts”:
4. Don’t reveal a password to anyone over the phone.
5. Don’t reveal a password in an email message.
6. Don’t reveal a password to the boss.
7. Don’t talk about a password in front of others.
8. Don’t hint at the format of a password (e.g., “my family name”).
9. Don’t reveal a password on questionnaires or security forms.
10. Don’t share a password with family members.
11. Don’t reveal a password to a co-worker when you go on vacation.
12. Don’t write down a password and store it anywhere in your office.
13. Don’t store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don’t use the “Remember Password” feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against “dictionary attacks”. A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: “The>TrafficOnThe101Was&ThisMorning”. All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates’ Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco’s key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco’s network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won’t protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
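One way to check a connected client against items 3 and 4 of the VPN Policy (all traffic over the tunnel, no split tunneling or dual homing), as an added example that is not part of the original document. It audits Linux `ip -4 route show` output; the interface name `tun0`, the concentrator address 203.0.113.10 and both routing tables are constructed assumptions.

```python
import ipaddress

TUNNEL_DEV = "tun0"            # assumed name of the VPN tunnel interface
VPN_GATEWAY = "203.0.113.10"   # assumed concentrator address (documentation range)

# Constructed sample: full tunnel built from two /1 routes that override the
# original default route by longest-prefix match.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed sample: only 10.0.0.0/8 goes through the tunnel, and a second
# physical interface (wlan0) is attached to another network.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
172.16.5.0/24 dev wlan0 proto kernel scope link src 172.16.5.20
"""


def parse_routes(text):
    """Return (network, device, via) for every route line that names a device."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue  # blank line, or a blackhole/unreachable route with no egress
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = tok[tok.index("dev") + 1]
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append((net, dev, via))
    return routes


def shadowed(net, tunnel_nets):
    """True if longer tunnel prefixes cover every address in `net`, so
    longest-prefix matching never selects the off-tunnel route."""
    longer = [t for t in tunnel_nets
              if t.prefixlen > net.prefixlen and t.subnet_of(net)]
    return list(ipaddress.collapse_addresses(longer)) == [net]


def audit(route_text):
    """Return findings as (kind, prefix, device) tuples. IPv4 only: the IPv6
    table (`ip -6 route show`) is separate and needs the same check."""
    routes = parse_routes(route_text)
    tunnel_nets = [n for n, dev, _ in routes if dev == TUNNEL_DEV]
    if not tunnel_nets:
        return []  # VPN is down; the full-tunnel rule applies only while connected
    gateway = ipaddress.ip_network(VPN_GATEWAY)
    findings, other_devs = [], set()
    for net, dev, via in routes:
        if dev in (TUNNEL_DEV, "lo"):
            continue
        other_devs.add(dev)
        if net == gateway:
            continue  # host route that carries the encrypted tunnel itself
        if shadowed(net, tunnel_nets):
            continue  # route exists but the tunnel always wins
        # Routed via a gateway: traffic leaves for another network (split tunnel).
        # On-link: directly attached LAN, allowed by the Remote Access Policy only
        # if it is a personal network under the user's complete control.
        kind = "SPLIT_TUNNEL" if via else "LOCAL_LAN"
        findings.append((kind, str(net), dev))
    if len(other_devs) > 1:
        findings.append(("DUAL_HOMED", "-", ",".join(sorted(other_devs))))
    return findings


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, audit(table))
```

A `LOCAL_LAN` finding is a prompt for review rather than a violation in itself; `SPLIT_TUNNEL` and `DUAL_HOMED` correspond to what item 4 prohibits.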
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Introduction
One of the most important factors on the road to success is the handling of information; it has even been said that "whoever controls information controls power".
In the search for that path to success, the theory of computer networks has been developed, and it is not something recent. The need to share resources and exchange information has been a constant concern since the earliest days of computing. The beginnings of data networks date back to the 1960s, when they served exclusively military or defense purposes. Gradually they were adopted for commercial purposes.
From the early 1980s, local area networks (LANs) began to develop; this greatly influenced the way the vital information systems of small, medium-sized and large companies were managed, thereby outlining a future, particularly in the field of networks and of computing in general. Whereas networks were formerly used basically to share the resources of the connected computers, today they are a means of international communication through which large volumes of data are exchanged at almost unimaginable traffic speeds.
Under this approach, and thanks to current technological advances, "Bradesco" has directed all its efforts and resources toward the systematization of its data, so that they constitute the indispensable and inseparable support for decision-making. To achieve this objective, there is nothing better than implementing an excellent data network that allows the easy and fluid circulation of information through each and every one of the departments that make up the company.
Definition of the case study
"Bradesco" is a banking institution whose main facilities are located in the city of Querétaro and which has a remote office located 200 km away; it therefore needs to implement a network infrastructure that provides effective communication between its two sites.
The company has a total of 1000 users, 100 of whom are located in the remote office. The aim is therefore to design a communications platform that supports real-time applications in the central offices and the remote office. The company has 10 departments distributed by area; the design specifically requires one VLAN per department, plus one voice VLAN and one video VLAN, considering that no telecommunications infrastructure exists.
Physical layout of the company
The following design shows the structure of the central building located in the state of Querétaro, with its corresponding departments.
Plan: General location and distribution of the MDF and IDFs
Plan: Central air conditioning
Plan: Main grounding system
Physical layout of the Presidency department
The following design shows the structure of the Presidency department.
Physical layout of the remote office
The following design shows the remote office department and how it will be structured.
Logical topology
Diagram labels: Core, Distribution, Access
Cabling coverage areas according to the EIA/TIA standard
Plan: Electrical and telecommunications distribution, Presidency department
Plan: Air-conditioning distribution, Presidency department
Plan: Electrical and telecommunications distribution, remote office
Plan: Air-conditioning distribution, remote office
Specifications of each structured-cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The plan shows graphically the location and distribution of the MDF and the IDFs. The vertical backbone is 62.5/125 µm multimode optical fiber. The media connecting each IDF to the MDF will also be optical fiber of the same type, while distribution to each node will be in UTP-5E.
Central Air Conditioning
The main building has a central-distribution air-conditioning system installed on the roof terrace, with two complete units in perfect working order: one as the main system and the other as the emergency system.
The capacity of this system is sufficient to serve the building as a whole and each of its offices, maintaining comfortable air conditions both for people and for the equipment and systems installed. The selected temperature is 24 °C (room temperature).
The plan shows how the main duct runs from the roof to the last floor, with the respective branches on each floor. The secondary air ducts, as well as the return ducts, run through the building above the false ceiling, with ventilation grilles placed unobtrusively at the points deemed necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the terrace to the last floor and is made up of an uninsulated gauge 00 (double zero) cable. On each floor the respective branches come off it; these then feed each and every three-prong power outlet, as well as the supply of each piece of equipment and its shielding.
The surge protection or suppression system is inherent to this grounding system, in order to achieve optimal electrical safety for electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, and under the strictest technical standards, to the grounding grid located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Presidency | Computer, Direct telephone, Printer, Fax, Projector | 100, 100, 1, 1, 1
Human Resources | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Administration (Branches) | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Area Support | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Telematics | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Management Control and Budgets | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Legal | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Finance | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Audit | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Presidency Department
Distribution and location of the electrical system
The main distribution runs from the circuit-breaker box in the IDF and then to the equipment that requires it. The red line on the plan shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-channel type, which isolates data cabling from AC power cabling or from any other system implemented in the future. These raceways measure 75x50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
Distribution runs from the wiring center in the IDF, where the voice and data patch panel is located, and then to the equipment that requires it. The green line shows in detail the distribution of the UTP-5E cabling to the different nodes. The raceway used is the same dual-channel raceway used for electrical distribution. Each node has 2 outlets that handle two circuits, one for data and one for telephony.
UTP cable: the horizontal voice and data cabling will be Category 5e; it must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning ducts are shown by yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run above the false ceiling as shown on the plan. They are fitted with air-diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers so that the user can open or close them and thus control the airflow as desired. There is no false ceiling over the IDF, so a side-mounted air-dispersion grille is used on the side of the IDF. The return diffusers are strategically placed so that the ventilation cycle is completed optimally.
IDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room, and the patch panels, switches and necessary servers will be installed in them.
Racks
The room has 2 racks in which any required equipment will be mounted. These racks are the elements that support the entire cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
Electrostatic paint
Grounding busbar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that will make up the Presidency floor is shown below.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Presidency | Computer, Direct telephone, Printer, Fax | 1, 1, 1, 1
Presidency Secretary | Computer, Direct telephone, Printer, Fax | 1, 1, 1, 1
Reception | Computer, Direct telephone, Fax | 1, 1, 1
Meeting Room | Computer, Direct telephone, Printer, Projector | 2, 1, 1, 1
Administrative Management Area | Computer, Direct telephone, Printer | 95, 95, 1
Remote Office
Distribution and location of the electrical system
The main distribution runs from the circuit-breaker box in the MDF and then to the equipment that requires it. The red line on the plan shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-channel type and measures 75x50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
The main distribution runs from the wiring center in the MDF, where the voice and data patch panel is located, and then to the equipment that requires it; it is carried on an overhead ladder rack and then, where necessary, down to the dual-channel raceway. The green line shows the distribution of the UTP-5E cabling to the different nodes.
UTP cable: the horizontal voice and data cabling will be Category 5e; it must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning distribution ducts are shown by yellow lines, with the same characteristics described above. There is no false ceiling over the MDF, so two side-mounted air-dispersion grilles are used on the side of the MDF.
MDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room, and the patch panels, switches and necessary servers will be installed in them.
Racks
The room has 2 racks in which any required equipment will be mounted. These racks are the elements that support the entire cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
Electrostatic paint
Grounding busbar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be arranged, with its IDF and the 3 switches that correspond to each one, considering voice and data, and bearing in mind that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is shown below.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Remote Office | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a bus-type logical topology (that is, the flow of information travels on a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations belonging to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau (τ) is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
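$G = 500, \quad a = 9.7 \times 10^{-4}, \quad f = 500, \quad e = 2.718$
$d(a, f) = \dfrac{f\, e^{-a f}}{G(1 + 2a) + e^{-a G}}$
$s(a, G) = \dfrac{a\, G\, e^{-a G}}{1 + e^{-a G} + a}$
$s(a, G) = 0.185$
$d(a, G) = 0.614$
$f = 0 \ldots 5000, \quad G = 0 \ldots 5000$
Plot: $s(a, G)$ and $d(a, f)$ against $G$ and $f$ (horizontal axis 0 to 5000, vertical axis 0.16 to 0.8)
$t = 0.266$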
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be installed only in the remote office; the following diagram shows the design of the channels to be used and of the BSAs.
Diagram: channels 1, 6 and 11
Simulation of signal propagation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
Plan: Remote office simulation
Plan: Remote office simulation, AP distribution
Plan: Remote office simulation, AP signal propagation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, for the reliability, security and quality of its services.
The link to be contracted is an E1 (2048 kbps) with the following characteristics:
Ideal for different applications such as web servers, email, FTP, e-commerce, etc.
8 or more registered (fixed) IP addresses are provided.
Can integrate a Security Module and a Data Center Module.
Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network.
Supports server applications.
On-site technical support.
Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration demanded by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, the 1000 nodes that make up Banco Bradesco's network infrastructure could not all be included.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
• Flexible clustering lets several switches be managed as if they were one, to support company growth
• High security protects network traffic to prevent access by unauthorized users
• Simplified web-based management eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed Layer 3 traffic forwarding in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, Web, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for better traffic management, monitoring and analysis
Firmware upgrade: Upgrade through a web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (secure SSH support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets; DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: Prevention of DoS attacks
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based; 802.1p VLAN priority based; IPv4/v6 IP precedence/ToS/DSCP based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-port Gigabit Switch
• AC power adapter with power cord
• Two rack-mount kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are Cisco-brand, model WRT54GL. This model meets the requirements submitted to the IT department; in addition, Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Presentation: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54 Mbps auto-fallback IEEE 802.11g; 11 Mbps auto-fallback IEEE 802.11b; 1 Mbps IEEE 802.11b; 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use, and if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose The policy defines rules and practices for protecting Bradescorsquos network from unauthorized access These practices help reduce the potential for identity information getting into the wrong hands Damages may include the loss of sensitive or company confidential data or intellectual property damage to public image damage to critical Bradesco internal systems etc Train Your Employees One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information Formal information security awareness training should be provided that reinforces the need to keep all information on your companys information assets confidential -- even data that appears the most innocuous Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated An important follow-up measure is to have written information security policy that explains the companys security philosophy and the business rationale behind it This policy should be imparted to all new employees as a part of new-hire orientation
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
How can having security savvy employees help protect your organization Many hackers make ample use of social engineering skills in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company For example a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running He may follow up by asking for the names of key employees at your company Armed with that basic information this unwelcome visitor now knows how to identify your systems what operating system holes they may be able to exploit and what potential user IDs they can try to use to access those systems Watch Your Visitors Temporary workers contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firms full-time employees but may be granted the same high levels of system access In addition they will sometimes know the applications and operating systems running on your network better than your own employees will Watch these ad-hoc employees closely until you are familiar with their qualifications the caliber of their work and most importantly the degree of trust that it is safe to allow Though usually honest and competent these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your companys interest Vendors for example will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees whose employment with the institution has terminated, and will modify the access of those who transfer, to remove capabilities dependent on the previous position.
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.

Scope

This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.

Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines

General Password Construction Guidelines

Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

1. They contain fewer than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:

1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
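The two lists above translate directly into an automated check. The following is an added example, not part of the original policy: it applies the weak-password characteristics (length, dictionary word, organization term, pattern, reversed, digit before or after) and the strong-password requirements to a candidate. The word list, the four-character pattern window and all function names are assumptions made for illustration.

```python
import string

# Constructed sample word list (assumption). A real check would load a full
# dictionary plus names, computer terms and site names, as the policy lists.
SAMPLE_WORDS = frozenset({"secret", "password", "welcome", "dragon", "router"})
# Organization and location terms the policy names; matched as substrings so
# that "any derivation" is caught as well.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
KEY_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
            string.ascii_lowercase, string.digits)
RUN = 4  # window length treated as a pattern (assumption, not from the policy)


def has_pattern(text):
    """True for strings such as aaabbb, qwerty, zyxwvuts or 123321."""
    if len(text) >= RUN and (len(set(text)) <= 2 or text == text[::-1]):
        return True  # one or two repeated characters, or a palindrome
    for i in range(len(text) - RUN + 1):
        window = text[i:i + RUN]
        if any(window in run or window in run[::-1] for run in KEY_RUNS):
            return True  # keyboard row, alphabet or digit run, either direction
    return False


def weak_reasons(password, words=SAMPLE_WORDS):
    """Return the 'poor, weak password' characteristics that apply."""
    reasons = []
    lowered = password.lower()
    core = lowered.strip(string.digits)  # drop digits placed before or after
    # Check the password as typed, without wrapping digits, and backwards.
    forms = {lowered, core, lowered[::-1], core[::-1]} - {""}
    if len(password) < 8:
        reasons.append("fewer than eight characters")
    if not forms.isdisjoint(words):
        reasons.append("dictionary or common word")
    if any(term in form for term in ORG_TERMS for form in forms):
        reasons.append("organization or location term")
    if any(has_pattern(form) for form in forms):
        reasons.append("word or number pattern")
    return reasons


def missing_strengths(password):
    """Return the strong-password character classes that are absent."""
    required = {
        "upper and lower case letters":
            any(c.islower() for c in password)
            and any(c.isupper() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a punctuation character":
            any(c in string.punctuation for c in password),
    }
    return [name for name, present in required.items() if not present]


def evaluate(password, words=SAMPLE_WORDS):
    """Combine both lists; an empty result means no listed weakness applies."""
    return weak_reasons(password, words) + [
        "missing " + name for name in missing_strengths(password)]


if __name__ == "__main__":
    for candidate in ("secret1", "1secret", "terces", "Bradesco2010!",
                      "zyxwvuts", "123321", "Tmb1W>r~"):
        print(candidate, "->", evaluate(candidate) or "no listed weakness")
```

An empty result only means that none of the listed characteristics matched the sample word list; it does not prove a password is strong.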
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.

NOTE: Do not use either of the preceding examples as passwords.

Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.

Application Development Standards

Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users

Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.

Passphrases

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.

Enforcement

Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions

| Term | Definition |
|---|---|
| Application Administration Account | Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator). |
Encryption Policy
Purpose

This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.

Scope

This policy applies to all Bradesco employees and affiliates.

Policy

Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.

Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.

Enforcement

Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions

| Term | Definition |
|---|---|
| Proprietary Encryption | An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government. |
| Symmetric Cryptosystem | A method of encryption in which the same key is used for both encryption and decryption of the data. |
| Asymmetric Cryptosystem | A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption). |
Remote Access Policy
Purpose

The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.

Scope

This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points and cable modems, etc.

Rogue Modems and Wireless Access Points

The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.

Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradesco's corporate network is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement

Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.

Definitions

| Term | Definition |
|---|---|
| Cable Modem | Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps. |
| CHAP | Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function. |
| DLCI | Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network. |
| Dialup Modem | A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer. |
| Dual Homing | Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination. |
| Frame Relay | A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds. |
| ISDN | Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity. |
| Remote Access | Any access to a private network through a non-private network, device or medium. |
| Split-tunneling | Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel. |
| VPN | Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology. |
| DSL | Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines. |
Virtual Private Network (VPN) Policy
Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.

Scope

This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.

Policy

Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
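Items 7 and 8 above define two independent timers, and item 7 rules out keepalive traffic as activity. The sketch below is an added example, not part of the original policy or of any VPN product: it computes when a session must be dropped from a constructed event list. The event labels ("user", "icmp-echo", "keepalive") and the function names are assumptions about how a concentrator log might classify traffic.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)     # item 7: thirty minutes of inactivity
ABSOLUTE_LIMIT = timedelta(hours=24)   # item 8: absolute connection time
# Event kinds treated as artificial keepalives (assumed labels).
ARTIFICIAL = frozenset({"icmp-echo", "keepalive"})


def session_end(events, now):
    """Return (time, reason) at which the session must be dropped, else None.

    events: list of (datetime, kind) tuples sorted by time; events[0] is the
    connect event. now: the moment at which the session is being evaluated.
    """
    start = events[0][0]
    last_real = start                      # last genuine user activity
    hard_deadline = start + ABSOLUTE_LIMIT
    for when, kind in list(events[1:]) + [(now, None)]:
        idle_deadline = last_real + IDLE_LIMIT
        deadline = min(idle_deadline, hard_deadline)
        if when >= deadline:
            reason = "idle" if idle_deadline <= hard_deadline else "absolute"
            return deadline, reason
        if kind is not None and kind not in ARTIFICIAL:
            last_real = when               # pings never reset the idle timer
    return None


def constructed_ping_session():
    """Constructed sample: one real request, then a ping every five minutes."""
    start = datetime(2010, 10, 1, 9, 0)
    events = [(start, "connect"), (start + timedelta(minutes=10), "user")]
    events += [(start + timedelta(minutes=m), "icmp-echo")
               for m in range(15, 65, 5)]
    return start, events


if __name__ == "__main__":
    start, events = constructed_ping_session()
    # The last real activity was at 09:10, so the pings do not help.
    print(session_end(events, start + timedelta(minutes=61)))
```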
Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Definitions

| Term | Definition |
|---|---|
| IPSec Concentrator | A device in which VPN connections are terminated. |
Extranet Policy
Purpose

This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.

Scope

Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.

Policy

Prerequisites

Security Review

All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.

Third-Party Connection Agreement

All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].

Business Case

All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.

Point Of Contact

The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.

Establishing Connectivity

Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.

Modifying or Changing Connectivity and Access

All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.

Terminating Access

When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.

Enforcement

Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions

| Term | Definition |
|---|---|
| Circuit | For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies. |
| Sponsoring Organization | The Bradesco organization that requested third-party access to Bradesco networks. |
| Third Party | A business that is not a formal or subsidiary part of Bradesco. |
Introduction

One of the most important aspects on the road to success lies in the handling of information, to the point that it has even been said that "whoever controls information controls power".

In the search for that path to success, the theory of computer networks has been developing, and it is not something recent. The need to share resources and exchange information was a constant concern from the earliest days of computing. The beginnings of data networks go back to the 1960s, when they pursued exclusively military or defense purposes. Gradually they were adopted for commercial purposes.

From the early 1980s, local area networks (LANs) began to develop. This greatly influenced the way the vital information systems of small, medium and large companies are managed, thus outlining a future, particularly in the field of networks and of computing in general. Whereas previously they were used basically to share the resources of the connected computers, today networks are means of international communication through which large volumes of data are exchanged at traffic speeds of almost unimaginable levels.

Under the approach outlined, and thanks to current technological advances, "Bradesco" has today directed all its efforts and resources toward the systematization of its data, so that they constitute the indispensable and inseparable support for decision making. To achieve this objective, there is nothing better than implementing an excellent data network that allows the easy and fluid circulation of information through each and every one of the departments that make up the company.
Definition of the case study

The company "Bradesco" is a banking institution whose main facilities are located in the city of Querétaro and which has a remote office located 200 km away, so it needs to implement a network infrastructure that provides effective communication between its two facilities.

The company has a total of 1000 users, 100 of whom are located in the remote office. The aim is therefore to design a communications platform that supports real-time applications in the central offices and the remote office. The company has 10 departments distributed by area; the design specifically requires one VLAN per department, plus one voice VLAN and one video VLAN, considering that no telecommunications infrastructure exists.
Physical layout of the company

The following design shows the structure of the central building, located in the state of Querétaro, with its corresponding departments.

[Drawing: General location and distribution of the MDF and IDFs]
[Drawing: Central air conditioning]
[Drawing: Main grounding system]
Physical layout of the Presidency department

The following design shows the structure of the Presidency department.
Physical layout of the remote office

The following design shows the remote office department and the structure it will have.
Logical topology

[Figure: logical topology with core, distribution and access layers]
Cabling coverage areas according to the EIA/TIA standard

[Drawing: Electrical and telecommunications distribution, Presidency department]
[Drawing: Air conditioning distribution, Presidency department]
[Drawing: Electrical and telecommunications distribution, remote office]
[Drawing: Air conditioning distribution, remote office]
Specifications of each structured cabling component according to the EIA/TIA standard

Main Building

General location and distribution of the MDF and IDFs

The drawing shows graphically the location and distribution of the MDF and the IDFs. The vertical backbone is multimode optical fiber of 62.5/125 micron. The media connecting the IDF to the MDF will also be optical fiber of the same type, while the distribution to each node will be in UTP-5E.
Central Air Conditioning

A central-distribution air conditioning system is installed in this main building. It is located on the building's roof terrace and consists of two complete units in perfect working order, one as the main system and the other as the emergency system.

The capacity of this system is sufficient to support the building in general, with each of its units, maintaining comfortable air both for people and for the installed equipment and systems. The selected temperature is 24°C (room temperature).

The drawing shows how the main duct runs from the roof to the last floor, with the respective branches on each floor. The secondary air ducts, as well as the return ducts, run through the building via the false ceiling, with ventilation grilles placed aesthetically at the points deemed necessary.
Main grounding system

This system consists of a single primary bus that runs through the building from the roof terrace to the last floor, made of a gauge 00 (double zero) cable without sheathing. On each floor the respective branches come off it, which then feed each and every one of the three-pole outlets, as well as the supply of each piece of equipment and its respective shielding.

The surge protection or suppression system is inherent to this grounding system, in order to achieve optimal electrical safety for electronic and electrical equipment and, naturally, for human beings. When the primary bus reaches the last floor, it is connected directly, under the strictest technical standards, to the grounding mesh located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Presidency                          Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
                                    Projector           1
Human Resources                     Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Administration (Branches)           Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Area Support                        Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Telematics                          Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Management Control and Budgets      Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Legal                               Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Finance                             Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Audit                               Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Presidency Department
Distribution and location of the electrical system
The main distribution starts at the circuit box (breakers) in the IDF and then runs to
the equipment that requires it. The red line on the plan shows in detail how the main
and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-channel type, which isolates the data cabling from the AC
power cabling or from any other system implemented in the future. These raceways
measure 75x50 millimeters. Each node has 2 power outlets, all three-prong and properly
grounded.
Horizontal Cabling
Distribution starts at the wiring center in the IDF, where the voice and data patch
panel is located, and then runs to the equipment that requires it. The green line shows
in detail how the UTP-5E cabling is distributed to the different nodes. The raceway used
is the same dual-channel raceway used for electrical distribution. Each node has 2
outlets that handle two circuits, one for data and one for telephony.
• UTP cable: for the horizontal voice and data cabling it will be Category 5e, made up
of 4 pairs (8 wires) of solid copper conductors, 24 AWG, with a fire-retardant PVC
outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and
outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm,
are made entirely of aluminum and run above the false ceiling as shown on the plan.
They are fitted with air diffuser grilles installed horizontally on the duct and
ceiling, with fully movable louvers so that the user can open or close them and manage
the airflow as desired. There is no false ceiling over the IDF, so a side-mounted air
dispersion grille is installed on the side of the IDF. The return diffusers are placed
strategically so that the ventilation cycle is completed optimally.
IDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A
standard on specifications for an Ethernet LAN, the horizontal cabling run will be
connected to a central point. The racks are mounted in this room, and the patch panels,
switches and the necessary servers will be installed in them.
Racks
The room has 2 racks in which whatever equipment is needed will be mounted. These racks
are the elements that support the entire cabling structure. They are open-type racks
anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250.
• Electrostatic paint
• Ground busbar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy
equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that make up the Presidency floor is shown
below.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Presidency                          Computer            1
                                    Direct telephone    1
                                    Printer             1
                                    Fax                 1
Presidency Secretary                Computer            1
                                    Direct telephone    1
                                    Printer             1
                                    Fax                 1
Reception                           Computer            1
                                    Direct telephone    1
                                    Fax                 1
Meeting room                        Computer            2
                                    Direct telephone    1
                                    Printer             1
                                    Projector           1
Administrative Management Area      Computer            95
                                    Direct telephone    95
                                    Printer             1
Remote Office
Distribution and location of the electrical system
The main distribution starts at the circuit box (breakers) in the MDF and then runs to
the equipment that requires it. The red line on the plan shows how the main and
secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-channel type and measures 75x50 millimeters.
Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
The main distribution starts at the wiring center in the MDF, where the voice and data
patch panel is located, and then runs to the equipment that requires it. It is carried
on an overhead ladder-type cable tray and then, where necessary, down to the
dual-channel raceway. The green line shows how the UTP-5E cabling is distributed to the
different nodes.
• UTP cable: for the horizontal voice and data cabling it will be Category 5e, made up
of 4 pairs (8 wires) of solid copper conductors, 24 AWG, with a fire-retardant PVC
outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and
outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning distribution ducts are shown as yellow lines, with the same
characteristics described earlier. There is no false ceiling over the MDF, so two
side-mounted air dispersion grilles are installed on the side of the MDF.
MDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A
standard on specifications for an Ethernet LAN, the horizontal cabling run will be
connected to a central point. The racks are mounted in this room, and the patch panels,
switches and the necessary servers will be installed in them.
Racks
The room has 2 racks in which whatever equipment is needed will be mounted. These racks
are the elements that support the entire cabling structure. They are open-type racks
anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250.
• Electrostatic paint
• Ground busbar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy
equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out with its IDF and the 3 switches that correspond to each one, covering voice and data, bearing in mind that each building will have 100 users.
The distribution for each of the areas that make up the remote office floor is shown
below.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Remote Office                       Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a bus-type logical topology (that is, one where the information flows over a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that lets them communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
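A worked free-space calculation for the access point specified later in this document, added here as an example and not part of the original project. It uses the WRT54GL's 18 dBm output and channels 1, 6 and 11 from the page; the antenna gain, the -70 dBm and -90 dBm thresholds and the 25 m cell radius are assumptions. Free space ignores walls, so the distances are an upper bound on how far outside the office the signal can still be received.

```python
import math

# Centre frequencies (MHz) of 2.4 GHz channels 1, 6 and 11, the three
# channels that appear in this document's channel design.
CHANNEL_MHZ = {1: 2412.0, 6: 2437.0, 11: 2462.0}

TX_POWER_DBM = 18.0          # WRT54GL RF power output, from the spec sheet

# Assumptions, not taken from the document:
ANTENNA_GAIN_DBI = 2.0       # assumed gain of the AP antenna and of the client antenna
USABLE_RX_DBM = -70.0        # assumed level needed for a usable 802.11g link
DETECTABLE_RX_DBM = -90.0    # assumed level at which a receiver can still hear the AP


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB for a distance in metres and a frequency in MHz."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def rx_power_dbm(distance_m, channel, tx_dbm=TX_POWER_DBM):
    """Received power: transmit power plus both antenna gains minus path loss."""
    return tx_dbm + 2 * ANTENNA_GAIN_DBI - fspl_db(distance_m, CHANNEL_MHZ[channel])


def range_m(channel, threshold_dbm, tx_dbm=TX_POWER_DBM):
    """Distance at which received power falls to threshold_dbm (path loss inverted)."""
    allowed_loss = tx_dbm + 2 * ANTENNA_GAIN_DBI - threshold_dbm
    log_d_km = (allowed_loss - 32.44 - 20 * math.log10(CHANNEL_MHZ[channel])) / 20
    return 1000.0 * 10 ** log_d_km


def tx_power_for_cell(radius_m, channel, threshold_dbm=USABLE_RX_DBM):
    """Lowest transmit power that still delivers threshold_dbm at the cell edge."""
    return threshold_dbm - 2 * ANTENNA_GAIN_DBI + fspl_db(radius_m, CHANNEL_MHZ[channel])


def coverage_report(cell_radius_m):
    """Per channel: usable and detectable range at 18 dBm, the transmit power
    tuned to the cell radius, and the detectable range after tuning."""
    rows = []
    for ch in sorted(CHANNEL_MHZ):
        tuned = tx_power_for_cell(cell_radius_m, ch)
        rows.append({
            "channel": ch,
            "usable_m_at_18dbm": range_m(ch, USABLE_RX_DBM),
            "detectable_m_at_18dbm": range_m(ch, DETECTABLE_RX_DBM),
            "tuned_tx_dbm": tuned,
            "detectable_m_tuned": range_m(ch, DETECTABLE_RX_DBM, tuned),
        })
    return rows


if __name__ == "__main__":
    # 25 m cell radius is an assumed value for one BSA in the remote office.
    for row in coverage_report(cell_radius_m=25.0):
        print({k: round(v, 1) for k, v in row.items()})
```

Every 20 dB between the usable and detectable thresholds multiplies the distance by ten, which is why lowering transmit power to fit the cell shrinks the area in which the network can be heard from outside.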
Wireless coverage areas according to the calculations to satisfy
the 500 kbps per user
Slotted and unslotted model
[Calculation worksheet and plot: curves s(a, G) and d(a, f) plotted against G and f from 0 to 5000, vertical axis from 0 to 0.8; the worksheet sets G = 500, f = 500 and e = 2.718 and shows s(a, G) = 0.185, d(a, G) = 0.614 and t = 0.266]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. A design diagram of the channels to be used and of the BSAs is presented below.
Simulation of signal propagation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel design diagram: channels 1, 6 and 11]
Plan: remote office simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex,
because of the reliability, security and quality of its services.
Plan: remote office simulation, AP distribution
Plan: remote office simulation, AP signal propagation
The link to be contracted is an E1 (2048 kbps) with the following
characteristics:
• Ideal for different applications such as web, e-mail and FTP servers, e-commerce, etc.
• Delivered with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool, domain registration with the NIC, and network consulting and design
• Supports server applications
• On-site technical support
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of
our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the
remote office area because of the flexibility, mobility and integration with mobile
devices required by the processes and activities carried out in this area of the
company. The physical topology would look approximately like this. Because of space
constraints and limitations of the simulator software, it was not possible to include
the 1000 nodes that make up the network infrastructure of Banco Bradesco.
Specifications of the equipment used for the network (wired and
wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-Port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet easily and cost-effectively supplies power to wireless access points, video cameras and other network-attached endpoints
• Flexible clusters allow several switches to be managed as one to support the growth of the company
• Strong security protects network traffic to prevent access by unauthorized users
• Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-Port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 through 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-Port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device
with the combination of enhanced security, wireless services and increased throughput
speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds
and simplified management to small businesses, enterprise small branches and
teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic
multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units that the company has decided to use are the CISCO-brand WRT54GL
model. This model meets the requirements submitted to the IT department;
likewise, the reputation and quality associated with CISCO have left Banco Bradesco
very satisfied with its products.
Characteristics
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is
really three devices in one box. First, there's the Wireless Access Point,
which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps)
and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's
also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet
devices together. Connect four PCs directly, or attach more hubs and
switches to create as big a network as needed. Finally, the Router function
ties it all together and the whole network shares a high-speed cable or DSL
Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g,
11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE
802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi
Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE
802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u,
IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada),
13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port;
LAN: Four 10/100 RJ-45 Switched
Ports;
One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4),
Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI)
Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2),
WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06"
(186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b,
802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level
of privacy, you should be aware that the data you create on corporate systems
remains the property of Bradesco. Because of the need to protect Bradesco's
network, management does guarantee the confidentiality of information stored
on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the
reasonableness of personal use. Individual departments are responsible for
creating guidelines concerning personal use of Internet/intranet/extranet
systems. In the absence of such policies, you should follow departmental
policies on personal use and, if there is any uncertainty, consult your
supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive
or vulnerable. For guidelines on information classification, see the Information
Sensitivity Policy. For guidelines on encrypting email and documents, see the
Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within
Bradesco may monitor equipment, systems and network traffic at any time, per
the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis
to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm, or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word, such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
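The weak and strong password characteristics listed above can be checked mechanically. The following is an added example, not part of the original policy: the function names and the small word list are constructed for illustration, and rules that need personal data (family names, birthdays) are not covered.

```python
import re
import string

# Constructed stand-in for a real dictionary file (assumption for this example).
SAMPLE_WORDS = frozenset({"secret", "password", "welcome", "router", "oracle"})
# Terms the policy names explicitly, matched as substrings ("any derivation").
SITE_TERMS = ("bradesco", "sanjose", "sanfran")
# Alphabet, digit and keyboard rows used to spot runs such as qwerty or zyxwvuts.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_pattern(text):
    """True for word or number patterns like aaabbb, qwerty, zyxwvuts, 123321."""
    if len(text) < 4:
        return False
    if re.fullmatch(r"(?:(.)\1+)+", text):      # only runs of repeated characters
        return True
    if text == text[::-1]:                      # mirrored, e.g. 123321
        return True
    # A slice of an alphabet/digit/keyboard row, read forwards or backwards.
    return any(text in seq or text[::-1] in seq for seq in SEQUENCES)


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of guideline rules the password breaks (empty = acceptable)."""
    lowered = password.lower()
    # "Preceded or followed by a digit": compare the core without edge digits too.
    core = lowered.strip(string.digits)
    # "Spelled backwards": also test each form reversed.
    candidates = {c for c in (lowered, core, lowered[::-1], core[::-1]) if c}

    problems = []
    if len(password) < 8:
        problems.append("too-short")
    if any(c in words for c in candidates):
        problems.append("dictionary-word")
    if any(term in c for term in SITE_TERMS for c in candidates):
        problems.append("site-term")
    if any(_is_pattern(c) for c in candidates):
        problems.append("pattern")
    has_upper = any(ch.isupper() for ch in password)
    has_lower = any(ch.islower() for ch in password)
    if not (has_upper and has_lower):
        problems.append("no-mixed-case")
    if not any(ch.isdigit() for ch in password):
        problems.append("no-digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no-punctuation")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the last one is a random string, not a real credential.
    for sample in ("secret1", "terces", "Bradesco2010!", "zyxwvuts", "gR7!vopLq2#x"):
        print(f"{sample!r:18} -> {check_password(sample) or 'ok'}")
```

In practice the `words` argument would be a full dictionary or breached-password list; the built-in sample set only demonstrates the matching logic.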
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose: The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope: This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy: Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
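An added example, not part of the original policy document: a Python check of VPN session records against rules 2, 4, 7, 8 and 10 above, including the case where a session is held open only by ping-sized traffic. The record fields, the authentication labels, the approved-client name, the 128-byte keepalive threshold and the sample sessions are all constructed assumptions, not the log format of any real concentrator.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Limits taken from the policy text.
IDLE_LIMIT = timedelta(minutes=30)          # rule 7
ABSOLUTE_LIMIT = timedelta(hours=24)        # rule 8
ALLOWED_AUTH = {"otp-token", "public-key"}  # rule 2 (labels are assumptions)

# Assumptions made for this example only.
APPROVED_CLIENTS = {"approved-ipsec-client"}  # rule 10, hypothetical client name
KEEPALIVE_MAX_BYTES = 128                     # traffic this small is treated as a ping


@dataclass
class Session:
    user: str
    auth_method: str
    client: str
    split_tunnel: bool   # client reported a route outside the tunnel
    start: datetime
    end: datetime
    traffic: list = field(default_factory=list)  # (timestamp, bytes) pairs


def longest_gap(session, min_bytes=0):
    """Longest stretch of the session without traffic larger than min_bytes."""
    marks = [session.start]
    marks += sorted(t for t, size in session.traffic
                    if size > min_bytes and session.start <= t <= session.end)
    marks.append(session.end)
    return max(later - earlier for earlier, later in zip(marks, marks[1:]))


def audit(session):
    """Return one finding per policy rule the session violates."""
    findings = []
    if session.auth_method not in ALLOWED_AUTH:
        findings.append("rule 2: authentication is not OTP or public/private key")
    if session.split_tunnel:
        findings.append("rule 4: split tunneling detected")
    if longest_gap(session) > IDLE_LIMIT:
        findings.append("rule 7: idle for more than 30 minutes without disconnect")
    elif longest_gap(session, KEEPALIVE_MAX_BYTES) > IDLE_LIMIT:
        # Traffic never stopped, but nothing larger than a ping was sent.
        findings.append("rule 7: session kept open by keepalive-sized traffic only")
    if session.end - session.start > ABSOLUTE_LIMIT:
        findings.append("rule 8: session exceeds 24 hours")
    if session.client not in APPROVED_CLIENTS:
        findings.append("rule 10: VPN client is not on the approved list")
    return findings


# Constructed sample data.
T0 = datetime(2010, 10, 4, 8, 0)


def every(minutes, count, size):
    """count traffic events of the given size, one every `minutes` after T0."""
    return [(T0 + timedelta(minutes=minutes * i), size) for i in range(1, count + 1)]


SAMPLE_SESSIONS = [
    # Compliant: real traffic every 20 minutes over a 4-hour session.
    Session("alice", "otp-token", "approved-ipsec-client", False,
            T0, T0 + timedelta(hours=4), every(20, 11, 40_000)),
    # 64-byte packets every 10 minutes for 3 hours and nothing else.
    Session("bob", "public-key", "approved-ipsec-client", False,
            T0, T0 + timedelta(hours=3), every(10, 17, 64)),
    # Password only, split tunnel, 26 hours, unapproved client.
    Session("carol", "password", "personal-client", True,
            T0, T0 + timedelta(hours=26), every(25, 62, 9_000)),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.user, audit(s) or "compliant")
```
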
Enforcement: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose: This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope: Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review: All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement: All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case: All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact: The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity: Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access: All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access: When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Case study definition
Bradesco is a banking institution whose main facilities are located in the city of Querétaro and which has a remote office located 200 km away, so it needs to implement a network infrastructure that provides effective communication between its two sites.
The company has a total of 1000 users, 100 of whom are located at the remote office. The goal is therefore to design a communications platform that supports real-time applications at the central offices and at the remote office. The company has 10 departments distributed by area; the design specifically requires one VLAN per department, plus one voice VLAN and one video VLAN, considering that no telecommunications infrastructure exists.
Physical layout of the company
The following design shows the structure of the central building located in the state of Querétaro, with its corresponding departments.
[Drawing: General location and layout of the MDF and IDFs]
[Drawing: Central air conditioning]
[Drawing: Main grounding system]
Physical layout of the President's Office department
The following design shows the structure of the President's Office department.
Physical layout of the remote office
The following design shows the remote office department and how it will be structured.
Logical topology
[Figure: logical topology with core/distribution, distribution and access layers]
Cabling coverage areas according to the EIA/TIA standard
[Drawing: Electrical and telecommunications distribution, President's Office department]
[Drawing: Air conditioning distribution, President's Office department]
[Drawing: Electrical and telecommunications distribution, remote office]
[Drawing: Air conditioning distribution, remote office]
Specifications of each structured cabling component according to the EIA/TIA standard
Main building
General location and layout of the MDF and IDFs
The drawing shows graphically how the MDF and the IDFs will be located and distributed. The vertical backbone is 62.5/125 µm multimode optical fiber. The media connecting the IDF to the MDF will also be optical fiber of the same type, while the distribution to each node will be in UTP-5E.
Central air conditioning
The main building has a central-distribution air conditioning system installed on the building's roof terrace, with two complete units in perfect working order: one as the main system and the other as the emergency system.
The capacity of this system is sufficient to serve the building as a whole and each of its offices, keeping the air comfortable both for people and for the equipment and systems installed. The selected temperature is 24 °C (room temperature).
The drawing shows how the main duct runs from the roof to the last floor, with the respective branches on each floor. The secondary air ducts, as well as the return ducts, run through the building above the false ceiling, with ventilation grilles placed aesthetically at the points considered necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the roof terrace to the last floor, made of an uninsulated 00-gauge (double zero) cable. On each floor the respective branches come off it; these then feed each and every three-pole power outlet, as well as the power feed of each piece of equipment and its shielding.
The surge protection or suppression system is inherent to this grounding system, in order to achieve optimum electrical safety for electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, and under the strictest technical standards, to the grounding mesh located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT | Computers | Direct telephones | Printers | Fax machines | Projectors
President's Office | 100 | 100 | 1 | 1 | 1
Human Resources | 100 | 100 | 1 | 1 | -
Administration (Branches) | 100 | 100 | 1 | 1 | -
Area Support | 100 | 100 | 1 | 1 | -
Telematics | 100 | 100 | 1 | 1 | -
Management Control and Budgets | 100 | 100 | 1 | 1 | -
Legal | 100 | 100 | 1 | 1 | -
Finance | 100 | 100 | 1 | 1 | -
Audit | 100 | 100 | 1 | 1 | -
President's Office department
Distribution and location of the electrical system
The main distribution runs from the circuit box (breakers) in the IDF to the equipment that requires it. The red line on the drawing shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type, which isolates the data cabling from the AC power cabling or from any other system implemented in the future. These raceways measure 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal cabling
The distribution runs from the wiring center in the IDF, where the voice and data patch panel is located, to the equipment that requires it. The green line shows in detail how the UTP-5E cabling is distributed to the different nodes. The raceway used is the same double-cavity type used for the electrical distribution. Each node has 2 outlets that handle two circuits, one for data and one for telephony.
- UTP cable: the horizontal cabling for voice and data will be Category 5e; it must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
- Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run above the false ceiling as shown on the drawing. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers so that the user can open or close them and adjust the air flow as desired. There is no false ceiling over the IDF, so a side-mounted air dispersion grille is used on the side of the IDF. The return diffusers are placed strategically so that the ventilation cycle works optimally.
IDF
The location of this room can be seen clearly on the drawing. Following the TIA/EIA-568-A standard's specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. This room houses the racks in which the patch panels, switches and the necessary servers will be installed.
Racks
The room has 2 racks in which whatever equipment is needed will be mounted. These racks are the elements that support the entire cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
- Electrostatic paint
- Ground bar
- Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The following table shows the distribution for each of the areas that make up the President's Office floor.
AREA | Computers | Direct telephones | Printers | Fax machines | Projectors
President's Office | 1 | 1 | 1 | 1 | -
President's Office secretary | 1 | 1 | 1 | 1 | -
Reception | 1 | 1 | - | 1 | -
Meeting room | 2 | 1 | 1 | - | 1
Administrative Management area | 95 | 95 | 1 | - | -
Remote office
Distribution and location of the electrical system
The main distribution runs from the circuit box (breakers) in the MDF to the equipment that requires it. The red line on the drawing shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal cabling
The main distribution runs from the wiring center in the MDF, where the voice and data patch panel is located, to the equipment that requires it. The main distribution is carried on an overhead support ladder and then, where necessary, into the double-cavity raceway. The green line shows how the UTP-5E cabling is distributed to the different nodes.
- UTP cable: the horizontal cabling for voice and data will be Category 5e; it must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
- Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines, with the same characteristics described earlier. There is no false ceiling over the MDF, so two side-mounted air dispersion grilles are used on the side of the MDF.
MDF
The location of this room can be seen clearly on the drawing. Following the TIA/EIA-568-A standard's specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. This room houses the racks in which the patch panels, switches and the necessary servers will be installed.
Racks
The room has 2 racks in which whatever equipment is needed will be mounted. These racks are the elements that support the entire cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
- Electrostatic paint
- Ground bar
- Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, considering voice and data. Recall that each building will have 100 users.
The following table shows the distribution for each of the areas that make up the remote office floor.
AREA | Computers | Direct telephones | Printers | Fax machines
Remote office | 100 | 100 | 1 | 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet with a bus logical topology (that is, one in which the information flow is placed on a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to these VLANs will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
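G := 500,  a := 9.7 \cdot 10^{-4},  f := 500,  e := 2.718

d(a, f) := \frac{f \, e^{-a f}}{G (1 + 2a) + e^{-a G}}

s(a, G) := \frac{a G \, e^{-a G}}{1 + e^{-a G} + a}

s(a, G) = 0.185,  d(a, G) = 0.614

f := 0 \ldots 5000,  G := 0 \ldots 5000

[Plot: s(a, G) and d(a, f) against G and f from 0 to 5000; vertical axis ticks from 0.16 to 0.8]

t = 0.266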
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. Below is a diagram of the channel design to be used and of the BSAs.
[Diagram: channel layout using channels 1, 6 and 11]
Simulation of signal propagation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Drawing: remote office, simulation]
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will supply this link is Telmex, because of the reliability, security and quality of its services.
[Drawing: remote office, simulation of AP distribution]
[Drawing: remote office, simulation of AP signal propagation]
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
- Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
- Delivered with 8 or more registered (fixed) IP addresses.
- Can integrate a Security Module and a Data Center Module.
- Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
- Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network.
- Supports server applications.
- On-site technical support.
- Optional services: traffic shaper, backup service, firewall equipment.
- Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up the Bradesco bank's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
- 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
- Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
- Flexible clustering allows several switches to be managed as one, to support the company's growth
- Strong security protects network traffic to prevent access by unauthorized users
- Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding capacity: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (range 4096)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Upgrade by web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, precedence, differentiated services code point (DSCP)/IP, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: Prevention of DoS attacks
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240 V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48 V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE marking, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104 °F (0° to 40 °C)
Storage temperature: -4° to 158 °F (-20° to 70 °C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
- Cisco SGE2010P 48-port Gigabit Switch
- AC power adapter with power cord
- Two rack-mounting kits with eight screws
- CD-ROM with user documentation (PDF)
- Registration card
- Console cable
Minimum requirements
- Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
- Category 5 Ethernet network cable
- TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
- Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are Cisco's WRT54GL model. This model meets the requirements submitted to the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General features
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12 V DC, 1.0 A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54 Mbps auto-fallback (IEEE 802.11g), 11 Mbps auto-fallback (IEEE 802.11b), 1 Mbps (IEEE 802.11b), 6 Mbps (IEEE 802.11g)
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Buttons: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12 V DC, 0.5 A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104°F (0 to 40°C)
Storage Temp: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization’s critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remain inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company’s information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company’s security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm’s full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company’s interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
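An added example, not part of the original policy: a periodic access review that applies items 2, 4 and 5 of the Identity Policy to account records and logon events. The user IDs, status values, the 183-day reading of "six months" and the lockout threshold of 5 are assumptions, and all records are constructed.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=183)  # "six months", approximated in days (assumption)
MAX_FAILED_LOGONS = 5              # the policy says "multiple"; 5 is an assumed threshold

NOW = datetime(2010, 10, 15, 12, 0)  # constructed review date

# Constructed account records (hypothetical user IDs and status values).
ACCOUNTS = [
    {"user": "amoreno", "status": "active"},
    {"user": "bsilva", "status": "terminated"},
    {"user": "cduarte", "status": "transferred"},
    {"user": "dlopes", "status": "active"},
    {"user": "eramos", "status": "active"},
]

# Constructed logon events on an administrative system: (time, user, outcome).
EVENTS = [
    (datetime(2010, 3, 1, 8, 30), "dlopes", "ok"),
    (datetime(2010, 9, 30, 17, 5), "bsilva", "ok"),
    (datetime(2010, 10, 1, 9, 0), "amoreno", "fail"),
    (datetime(2010, 10, 1, 9, 1), "amoreno", "fail"),
    (datetime(2010, 10, 1, 9, 2), "amoreno", "ok"),  # a success resets the counter
    (datetime(2010, 10, 10, 10, 0), "cduarte", "ok"),
    (datetime(2010, 10, 12, 8, 0), "eramos", "ok"),
] + [(datetime(2010, 10, 14, 9, m), "eramos", "fail") for m in range(5)]


def summarize(events):
    """Return (last successful logon, consecutive trailing failures) per user."""
    last_ok, failures = {}, {}
    for when, user, outcome in sorted(events):
        if outcome == "ok":
            last_ok[user] = when
            failures[user] = 0
        else:
            failures[user] = failures.get(user, 0) + 1
    return last_ok, failures


def review(accounts, events, now):
    """Map each user ID to the actions the Identity Policy calls for."""
    last_ok, failures = summarize(events)
    actions = {}
    for account in accounts:
        user, todo = account["user"], []
        if account["status"] == "terminated":
            # Item 4: departed employees lose access; nothing else applies.
            actions[user] = ["delete_access"]
            continue
        if account["status"] == "transferred":
            # Item 4: drop capabilities tied to the previous position.
            todo.append("modify_access")
        seen = last_ok.get(user)
        if seen is None or now - seen > STALE_AFTER:
            # Item 2: no administrative logon within six months.
            todo.append("remove_until_reauthorized")
        if failures.get(user, 0) >= MAX_FAILED_LOGONS:
            # Item 5: lock the logon ID after repeated failed attempts.
            todo.append("lock_logon_id")
        actions[user] = todo
    return actions


if __name__ == "__main__":
    for user, todo in review(ACCOUNTS, EVENTS, NOW).items():
        print(user, todo or "no action")
```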
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco’s entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of “public”, “private” and “system”, and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters
2. They are a word found in a dictionary (English or foreign)
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software
6. The words “Bradesco” and geographical indicators such as “sanjose”, “sanfran” or any derivation
7. Birthdays and other personal information such as addresses and phone numbers
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret)
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z)
2. Include digits and punctuation characters as well as letters, e.g. 0-9, $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line
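An added example, not part of the original policy: a checker that applies the weak-password list (length, listed words, patterns, backwards spelling, digit prefix or suffix) and the character-class rules of the strong-password list to a candidate. The word list is a small constructed sample and the finding names are hypothetical; a deployment would load a full dictionary and per-user personal data.

```python
import string

MIN_LENGTH = 8

# Constructed sample list (assumption). A deployment would load a full
# dictionary plus names, computer terms and per-user personal data.
WORDLIST = {"secret", "password", "welcome", "router",
            "bradesco", "sanjose", "sanfran"}

# Keyboard rows, digits and the alphabet: sources of "word or number patterns".
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             string.ascii_lowercase)


def is_listed(word):
    """Dictionary or common-usage word, forwards or spelled backwards."""
    return word in WORDLIST or word[::-1] in WORDLIST


def is_pattern(word):
    """Patterns such as aaabbb, qwerty, zyxwvuts or 123321."""
    if len(word) < 4:
        return False
    if len(set(word)) <= 2:      # aaabbb: at most two distinct characters
        return True
    if word == word[::-1]:       # 123321: mirrored sequence
        return True
    # qwerty, zyxwvuts: a run along a keyboard row or the alphabet, either way
    return any(word in seq or word[::-1] in seq for seq in SEQUENCES)


def weaknesses(password):
    """Return the sorted weak-password findings for one candidate."""
    found = set()
    if len(password) < MIN_LENGTH:
        found.add("too_short")
    lowered = password.lower()
    # secret1 / 1secret: also test the candidate with edge digits removed.
    core = lowered.strip(string.digits)
    for word, stripped in ((lowered, False), (core, core != lowered)):
        if not word:
            continue             # all-digit candidates have an empty core
        listed, pattern = is_listed(word), is_pattern(word)
        if listed:
            found.add("listed_word")
        if pattern:
            found.add("pattern")
        if stripped and (listed or pattern):
            found.add("digit_affix")
    return sorted(found)


def missing_character_classes(password):
    """Strong-password list: upper and lower case, digits, punctuation."""
    checks = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "digit": lambda c: c in string.digits,
        "punctuation": lambda c: c in string.punctuation,
    }
    return [name for name, test in checks.items()
            if not any(test(c) for c in password)]


def evaluate(password):
    """Pass only with no weak finding and no missing character class."""
    findings = weaknesses(password)
    findings += ["missing_" + name for name in missing_character_classes(password)]
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("secret1", "terces99", "zyxwvuts", "Bradesco2010", "kV7#pLq2!x"):
        print(candidate, evaluate(candidate))
```

The checker tests whole candidates only, so a listed word embedded in a longer string is not flagged.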
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R” or “Tmb1W>r~” or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of “don’ts”:
4. Don’t reveal a password to anyone over the phone
5. Don’t reveal a password in an email message
6. Don’t reveal a password to the boss
7. Don’t talk about a password in front of others
8. Don’t hint at the format of a password (e.g. “my family name”)
9. Don’t reveal a password on questionnaires or security forms
10. Don’t share a password with family members
11. Don’t reveal a password to a co-worker when you go on vacation
12. Don’t write down a password and store it anywhere in your office
13. Don’t store passwords in a file on any computer, including a handheld computer, without encryption
14. Don’t use the “Remember Password” feature of an application such as Eudora, Outlook or Netscape Messenger
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against “dictionary attacks”. A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: “The>TrafficOnThe101Was&ThisMorning”. All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator)
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
--- | ---
Proprietary Encryption | An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem | A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem | A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
--- | ---
Cable Modem | Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP | Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI | Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem | A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing | Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay | A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN | Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access | Any access to a private network through a non-private network, device, or medium.
Split-tunneling | Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN | Virtual private networking enables secure private networking via a public network, such as the Internet, using "tunneling" technology.
DSL | Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
--- | ---
IPSec Concentrator | A device in which VPN connections are terminated.
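An added example, not part of the original policy text: one way to check an endpoint against items 3 and 4 of the VPN Policy (and the Dual Homing and Split-tunneling definitions in the Remote Access Policy) is to walk its routing table and report every prefix whose longest-match route leaves through an interface other than the tunnel. It assumes Linux `ip -4 route show` output, a tunnel interface named `tun0` and a VPN gateway at 203.0.113.10; the sample table and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ip -4 route show` output (not taken from the page).
# The VPN client added two /1 routes over tun0, but a vendor subnet is still
# routed through the home router and the home LAN stays directly reachable.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.0/24 via 192.168.1.1 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
"""

SKIP_TYPES = {"unreachable", "blackhole", "prohibit", "throw", "broadcast", "local"}


def option(tokens, key, default=None):
    """Value that follows `key` on a route line, or `default` if absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else default


def parse_routes(text):
    """Parse `ip -4 route show` lines into dicts with net, dev, via, metric."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in SKIP_TYPES or "dev" not in tokens[:-1]:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        routes.append({
            "net": ipaddress.ip_network(dest, strict=False),
            "dev": option(tokens, "dev"),
            "via": option(tokens, "via"),
            "metric": int(option(tokens, "metric", 0)),
        })
    return routes


def active_routes(routes):
    """Per prefix, keep the lowest-metric route: the one the kernel prefers."""
    best = {}
    for route in routes:
        current = best.get(route["net"])
        if current is None or route["metric"] < current["metric"]:
            best[route["net"]] = route
    return list(best.values())


def uncovered(net, longer_prefixes):
    """Part of `net` not claimed by more specific routes (longest match wins)."""
    pieces = [net]
    for other in longer_prefixes:
        remaining = []
        for piece in pieces:
            if piece.subnet_of(other):
                continue                       # fully taken over by `other`
            if other.subnet_of(piece):
                remaining.extend(piece.address_exclude(other))
            else:
                remaining.append(piece)
        pieces = remaining
    return list(ipaddress.collapse_addresses(pieces))


def audit_routes(text, tunnel_if, vpn_gateway):
    """Return routes that let traffic leave the host outside the VPN tunnel."""
    gateway = ipaddress.ip_network(vpn_gateway)
    active = active_routes(parse_routes(text))
    findings = []
    for route in active:
        if route["dev"] in (tunnel_if, "lo") or route["net"] == gateway:
            continue   # tunnel, loopback, or the host route carrying the tunnel
        longer = [o["net"] for o in active
                  if o["net"] != route["net"] and o["net"].subnet_of(route["net"])]
        leak = uncovered(route["net"], longer)
        if not leak:
            continue   # shadowed by longer prefixes, so it carries no traffic
        findings.append({
            "prefix": str(route["net"]),
            "dev": route["dev"],
            # A next hop means traffic is forwarded to another network; an
            # on-link route is the directly attached (home) network.
            "kind": "split-tunnel" if route["via"] else "local-network",
            "bypasses": [str(n) for n in leak],
        })
    return findings


if __name__ == "__main__":
    for f in audit_routes(SAMPLE_ROUTES, "tun0", "203.0.113.10"):
        print(f"{f['kind']:14} {f['prefix']:18} dev {f['dev']}")
```

A `local-network` finding corresponds to the personal-network exception in Remote Access requirement 3, while a `split-tunnel` finding is traffic forwarded outside the tunnel, which item 4 forbids.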
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
--- | ---
Circuit | For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization | The Bradesco organization that requested third-party access to Bradesco networks.
Third Party | A business that is not a formal or subsidiary part of Bradesco.
Physical layout of the company
The following design shows the structure of the central building, located in the state of Querétaro, with its corresponding departments.
Drawing: General location and distribution of the MDF and IDFs
Drawing: Central air conditioning
Drawing: Main grounding system
Physical layout of the Presidency department
The following design shows the structure of the Presidency department.
Physical layout of the remote office
The following design shows the remote office department and how it will be structured.
Logical topology
[Diagram: layers labeled Core Distribution, Distribution, Access]
Cabling coverage areas according to the EIA/TIA standard
Drawing: Electrical and telecommunications distribution, Presidency department
Drawing: Air conditioning distribution, Presidency department
Drawing: Electrical and telecommunications distribution, remote office
Drawing: Air conditioning distribution, remote office
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The drawing shows graphically where the MDF and the IDFs will be located and how they will be distributed. The vertical backbone is 62.5/125 µ multimode optical fiber. The media connecting each IDF to the MDF will also be optical fiber of the same type, while distribution to each node will be in UTP-5E.
Central Air Conditioning
A central-distribution air conditioning system is installed in this main building. It is located on the building's roof terrace and consists of two complete units in perfect working order, one serving as the main system and the other as the emergency system.
The capacity of this system is sufficient to support the building as a whole, with each of its departments, maintaining comfortable air conditions both for people and for the installed equipment and systems. The selected temperature is 24 °C (room temperature).
The drawing shows how the main duct runs from the roof to the last floor, with the respective branches on each floor. The secondary air ducts, as well as the return ducts, run through the building above the false ceiling, with ventilation grilles placed aesthetically at the points deemed necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the roof terrace to the last floor. It is made of uninsulated gauge 00 (double-zero) cable. On each floor, the respective branches split off from it and feed each and every three-prong power outlet, as well as the power supply of each piece of equipment and its shielding.
The surge protection or suppression system is inherent to this grounding system, in order to achieve optimal electrical safety for electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, and under the strictest technical standards, to the grounding grid located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
Department | Equipment type | Quantity
--- | --- | ---
Presidency | Computer, direct telephone, printer, fax, projector | 100, 100, 1, 1, 1
Human Resources | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Administration (Branches) | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Area Support | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Telematics | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Management Control and Budgets | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Legal | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Finance | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Audit | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Presidency Department
Distribution and location of the electrical system
The main distribution runs from the circuit breaker box in the IDF to the equipment that requires it. The red line in the drawing shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type, which allows data cabling to be isolated from AC power cabling or from any other system implemented in the future. These raceways measure 75 x 50 mm. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
Distribution runs from the wiring center in the IDF, where the voice and data patch panel is located, to the equipment that requires it. The green line shows in detail how the UTP-5E cabling is distributed to the different nodes. The raceway used is the same double-cavity type used for electrical distribution. Each node has 2 outlets that handle two circuits, one for data and one for telephony.
- UTP cable: the cable for horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
- Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run above the false ceiling as shown in the drawing. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers that the user can open or close to adjust the airflow as desired. There is no false ceiling over the IDF, so a side-type air dispersion grille mounted on the side of the IDF is used. The return diffusers are installed strategically so that the ventilation cycle is completed optimally.
IDF
The location of this room can be seen clearly in the drawing. Following the TIA/EIA-568-A standard's specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. This room houses the racks in which the patch panels, switches and required servers will be installed.
Racks
The room has 2 racks in which the necessary equipment will be mounted. These racks support the entire cabling structure. They are the open type and are anchored to the floor at their four corners.
The racks comply with the EIA-TIA 310D and NEMA 250 standards.
- Electrostatic paint
- Ground busbar
- Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that will make up the Presidency floor is shown below.
Department | Equipment type | Quantity
--- | --- | ---
Presidency | Computer, direct telephone, printer, fax | 1, 1, 1, 1
Presidency Secretary | Computer, direct telephone, printer, fax | 1, 1, 1, 1
Reception | Computer, direct telephone, fax | 1, 1, 1
Meeting room | Computer, direct telephone, printer, projector | 2, 1, 1, 1
Administrative Management Area | Computer, direct telephone, printer | 95, 95, 1
Remote Office
Distribution and location of the electrical system
The main distribution runs from the circuit breaker box in the MDF to the equipment that requires it. The red line in the drawing shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type and measures 75 x 50 mm. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
The main distribution runs from the wiring center in the MDF, where the voice and data patch panel is located, to the equipment that requires it. It is carried on an overhead ladder rack and then, where necessary, into the double-cavity raceway. The green line shows how the UTP-5E cabling is distributed to the different nodes.
- UTP cable: the cable for horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
- Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines and have the same characteristics described earlier. There is no false ceiling over the MDF, so two side-type air dispersion grilles mounted on the side of the MDF are used.
MDF
The location of this room can be seen clearly in the drawing. Following the TIA/EIA-568-A standard's specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. This room houses the racks in which the patch panels, switches and required servers will be installed.
Racks
The room has 2 racks in which the necessary equipment will be mounted. These racks support the entire cabling structure. They are the open type and are anchored to the floor at their four corners.
The racks comply with the EIA-TIA 310D and NEMA 250 standards.
- Electrostatic paint
- Ground busbar
- Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is shown below.
Department | Equipment type | Quantity
--- | --- | ---
Remote Office | Computer, direct telephone, printer, fax | 100, 100, 1, 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet, with a bus-type logical topology (that is, one where the information flows over a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau (τ) is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
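$$G = 500, \qquad a = 9.7 \times 10^{-4}, \qquad f = 500, \qquad e = 2.718$$
$$d(a, f) = \frac{f\, e^{-a f}}{G\,(1 + 2a) + e^{-a G}}$$
$$s(a, G) = \frac{a\, G\, e^{-a G}}{1 + e^{-a G} + a}$$
$$s(a, G) = 0.185, \qquad d(a, G) = 0.614$$
$$f = 0, \ldots, 5000, \qquad G = 0, \ldots, 5000$$
[Plot: s(a, G) and d(a, f) against G and f; horizontal axis 0 to 5000, vertical axis 0.16 to 0.8]
$$t = 0.266$$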
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. Below is a design diagram of the channels to be used and of the BSAs.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Diagram: channel plan with cells labeled 11, 1 and 6]
Drawing: Remote office, simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link is Telmex, chosen for the reliability, security and quality of its services.
Drawing: Remote office, simulation of AP distribution
Drawing: Remote office, simulation of AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
- Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
- Delivered with 8 or more approved (fixed) IP addresses.
- Can integrate a Security Module and a Data Center Module.
- Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
- Includes a web monitoring tool, domain registration with the NIC, and consulting and design for your network.
- Supports server applications.
- On-site technical support.
- Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Presupuesto y diagrama de Gantt de la implementacioacuten del proyecto
Diagrama de Gantt
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Presupuesto La siguiente tabla presenta el costo aproximado del proyecto
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and integration with mobile devices that the processes and activities carried out in this area of the company require. The physical topology would look approximately like this; for reasons of space and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
Flexible clustering lets several switches be managed as one to support the company's growth
High security protects network traffic to prevent access by unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the stack units
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for better traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 in (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer on the network. Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps fast Ethernet-managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the CISCO-brand WRT54GL model. This model meets the requirements requested of the IT department; in addition, CISCO's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85% Noncondensing
Storage Humidity: 5 to 90% Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats, and the will or means to act on them, remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization?
Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g. 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
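An added example, not part of the original policy document: the weak and strong password characteristics listed above, expressed as a checker that could sit behind a password-change form. The sample word list, the reason labels and the substring treatment of "any derivation" are assumptions made for the illustration.

```python
import re
import string

# Constructed stand-in for a real dictionary / common-word file (assumption).
SAMPLE_WORDS = {"secret", "password", "dragon", "welcome", "router", "oracle"}
# Terms the guideline names explicitly; "any derivation" is approximated
# here by a substring match (assumption).
BANNED_TERMS = ("bradesco", "sanjose", "sanfran")
# Runs used to recognise patterns such as qwerty or zyxwvuts.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz", "0123456789")


def _is_pattern(text):
    """True for keyboard/alphabet runs, repeated-character blocks, palindromes."""
    if len(text) < 4:
        return False
    if any(text in run or text in run[::-1] for run in RUNS):
        return True                        # qwerty, zyxwvuts, 1234
    if re.fullmatch(r"(?:(.)\1+)+", text):
        return True                        # aaabbb, 112233
    return text == text[::-1]              # 123321


def weak_reasons(password, words=SAMPLE_WORDS):
    """Return the weak-password characteristics that apply to `password`."""
    lowered = password.lower()
    core = lowered.strip(string.digits)    # "preceded or followed by a digit"
    forms = {lowered, core} - {""}
    forms |= {f[::-1] for f in forms}      # "spelled backwards"
    reasons = []
    if len(password) < 8:
        reasons.append("too_short")
    if any(f in words for f in forms):
        reasons.append("dictionary_word")
    if any(term in f for term in BANNED_TERMS for f in forms):
        reasons.append("company_or_place_name")
    if any(_is_pattern(f) for f in forms):
        reasons.append("pattern")
    return reasons


def missing_classes(password):
    """Return the character classes a strong password needs but this one lacks."""
    checks = [
        ("no_upper", str.isupper),
        ("no_lower", str.islower),
        ("no_digit", str.isdigit),
        ("no_punctuation", lambda ch: ch in string.punctuation),
    ]
    return [name for name, test in checks
            if not any(test(ch) for ch in password)]


def check_password(password, words=SAMPLE_WORDS):
    """Empty list means the password passes every automatable guideline."""
    return weak_reasons(password, words) + missing_classes(password)


if __name__ == "__main__":
    for candidate in ("secret1", "zyxwvuts", "123321", "Bradesco2010!", "gV7#pLq2!x"):
        print(candidate, check_password(candidate))
```

Guidelines that depend on the person (family names, birthdays, passwords written down) cannot be checked this way and still rely on the user.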
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department.
If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords.
Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Application Administration Account | Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Proprietary Encryption | An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem | A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem | A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to their systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradesco's corporate network is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g. Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Cable Modem | Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP | Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI | Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem | A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing | Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay | A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN | Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access | Any access to a private network through a non-private network, device, or medium.
Split-tunneling | Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN | Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL | Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.
Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e. their machines must be configured to comply with Network security administrator/team Security Policies.
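An added example, not Bradesco's or any vendor's concentrator code: items 7 and 8 above evaluated over one session's traffic log, with keepalive pings never resetting the idle timer, so that traffic seen after the policy end time shows a tunnel that was held open. The event format, the "data"/"keepalive" labels and both sample sessions are constructed for the illustration.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)     # item 7: thirty minutes of inactivity
ABSOLUTE_LIMIT = timedelta(hours=24)   # item 8: absolute connection time


def policy_end(start, events):
    """Return (time, reason) at which the policy requires the session to end.

    events: iterable of (timestamp, kind) with kind "data" or "keepalive".
    Only "data" counts as user activity; keepalives are ignored.
    """
    hard_stop = start + ABSOLUTE_LIMIT
    last_real = start
    for ts, kind in sorted(events):
        if kind != "data":
            continue
        if ts > min(last_real + IDLE_LIMIT, hard_stop):
            break                      # session was already over by then
        last_real = ts
    idle_stop = last_real + IDLE_LIMIT
    if idle_stop <= hard_stop:
        return idle_stop, "idle"
    return hard_stop, "absolute"


def late_events(start, events):
    """Return (reason, end, events logged after the policy end time)."""
    end, reason = policy_end(start, events)
    return reason, end, [e for e in sorted(events) if e[0] > end]


# Constructed sample sessions, both starting at T0.
T0 = datetime(2010, 10, 4, 9, 0)
# Two real transfers, then pings every ten minutes, then work resumes.
PINGED = (
    [(T0 + timedelta(minutes=m), "data") for m in (10, 25)]
    + [(T0 + timedelta(minutes=30 + 10 * i), "keepalive") for i in range(10)]
    + [(T0 + timedelta(minutes=125), "data")]
)
# Genuine traffic every twenty minutes for twenty-five hours.
BUSY = [(T0 + timedelta(minutes=20 * k), "data") for k in range(1, 76)]

if __name__ == "__main__":
    for name, session in (("PINGED", PINGED), ("BUSY", BUSY)):
        reason, end, late = late_events(T0, session)
        print(name, reason, end.isoformat(), len(late), "events after policy end")
```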
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
IPSec Concentrator | A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business,
Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Circuit | For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization | The Bradesco organization that requested third-party access to Bradesco networks.
Third Party | A business that is not a formal or subsidiary part of Bradesco.
Physical layout of the Presidency department
The following design shows the structure of the Presidency department.
Physical layout of the remote office
The following design shows the remote office department and how it will be structured.
Logical topology
[Figure: logical topology diagram with the layers Core + Distribution, Distribution, Access]
Cabling coverage areas according to the EIA/TIA standard
Plan: Electrical and telecommunications distribution, Presidency department
Plan: Air-conditioning distribution, Presidency department
Plan: Electrical and telecommunications distribution, remote office
Plan: Air-conditioning distribution, remote office
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The plan shows graphically the location and distribution of the MDF and the IDFs. The vertical backbone is 62.5/125 µm multimode optical fiber. The media connecting the IDF to the MDF will also be optical fiber of the same type, while the distribution to each node will be in UTP-5E.
Central Air Conditioning
This main building has a central-distribution air-conditioning system, installed on the roof terrace of the building, with two complete units in perfect working order: one as the main system and the other as the emergency system.
The capacity of this system is sufficient to serve the building as a whole and each of its departments, maintaining a comfortable air system both for people and for the installed equipment and systems. The selected temperature is 24 °C (room temperature).
The plan shows how the main duct runs from the roof to the last floor, with the respective branches on each floor. The secondary air ducts, as well as the return ducts, run through the building above the false ceiling, with ventilation grilles placed aesthetically at the points deemed necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the roof terrace to the last floor and is made of uninsulated 00 gauge (double zero) cable. On each floor the respective branches split off from it; these then feed each and every three-prong outlet, as well as the supply of each piece of equipment and its respective shielding.
The surge protection or suppression system is inherent to this grounding system, in order to achieve optimal electrical safety for electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, and under the strictest technical standards, to the grounding mesh located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table:
DEPARTMENT | EQUIPMENT TYPE: QUANTITY
Presidency | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1; Projector: 1
Human Resources | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Administration (Branches) | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Area Support | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Telematics | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Management Control and Budgets | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Legal | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Finance | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Audit | Computer: 100; Direct telephone: 100; Printer: 1; Fax: 1
Presidency Department
Distribution and location of the electrical system
The main distribution runs from the circuit box (breakers) in the IDF and then to the equipment that requires it. The red line on the plan shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is of the double-cavity type, which allows the data cabling to be isolated from the AC power cabling or from any other system implemented in the future. These raceways measure 75 x 50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
The distribution runs from the wiring center in the IDF, where the voice and data patch panel is located, and then to the equipment that requires it. The green line shows in detail the distribution of the UTP-5E cabling to the different nodes. The raceway used is the same double-cavity raceway used for the electrical distribution. Each node has 2 outlets that handle two circuits, one for data and the other for telephony.
UTP cable: the cable for the horizontal voice and data cabling will be Category 5e; it must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run above the false ceiling as shown on the plan. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers, so that the user can open or close the louvers and control the air flow as desired. There is no false ceiling over the IDF, so a side-type air dispersion grille is used, mounted on the side of the IDF. The return diffusers are placed strategically so that the ventilation cycle is completed optimally.
IDF
The location of this room can be seen clearly on the drawing. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
There are 2 racks mounted in the room, in which any equipment needed will be installed. These racks are the elements that support the whole cabling structure; they are open-frame racks anchored to the floor at all four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
• Electrostatic paint
• Grounding bus bar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The following table shows the distribution across each of the areas that make up the President's Office floor.
AREA                            EQUIPMENT TYPE           QUANTITY
President's Office              Computer                 1
                                Direct-line telephone    1
                                Printer                  1
                                Fax                      1
President's Secretary           Computer                 1
                                Direct-line telephone    1
                                Printer                  1
                                Fax                      1
Reception                       Computer                 1
                                Direct-line telephone    1
                                Fax                      1
Meeting room                    Computer                 2
                                Direct-line telephone    1
                                Printer                  1
                                Projector                1
Administrative Management Area  Computer                 95
                                Direct-line telephone    95
                                Printer                  1
Remote Office
Distribution and location of the electrical system
The main distribution starts at the circuit-breaker box in the MDF and runs from there to the equipment that requires it. On the drawing, the red line shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal Cabling
The main distribution starts at the wiring center in the MDF, where the voice and data patch panel is located, and runs from there to the equipment that requires it. It is carried on an overhead ladder rack and then, where necessary, down to the double-cavity raceway. On the drawing, the green line shows how the UTP-5E cabling is distributed to the different nodes.
• UTP cable: the horizontal voice and data cabling shall be Category 5e, made up of 4 pairs (8 wires) of solid copper conductors, 24 AWG, with a fire-retardant PVC outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets shall be used to terminate the UTP cable.
Air-conditioning distribution
The air-conditioning distribution ducts are shown as yellow lines and have the same characteristics described earlier. There is no drop ceiling over the MDF, so two side-mounted air-dispersion grilles are fitted on the side of the MDF.
MDF
The location of this room can be seen clearly on the drawing. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
There are 2 racks mounted in the room, in which any equipment needed will be installed. These racks are the elements that support the whole cabling structure; they are open-frame racks anchored to the floor at all four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
• Electrostatic paint
• Grounding bus bar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, considering voice and data. Recall that each building will have 100 users.
The following table shows the distribution across each of the areas that make up the remote office floor.
AREA             EQUIPMENT TYPE           QUANTITY
Remote Office    Computer                 100
                 Direct-line telephone    100
                 Printer                  1
                 Fax                      1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a bus-type logical topology (that is, one in which the information flows along a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate whenever they need to send information to other VLANs.
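An added example (not part of the original document) of the per-department VLAN scheme described above: it sizes one data and one voice subnet per area from the device counts in this page's equipment tables, and shows which traffic stays inside a VLAN and which has to cross a routed hop where a permit list can be enforced. The 10.20.0.0/22 block, the VLAN numbering from 10, the choice to count only computers, printers and telephones as IP hosts, and the permit list are assumptions.

```python
import ipaddress

# Devices per segment, from the equipment tables on this page: computers and
# printers go on the data VLAN, direct-line telephones on the voice VLAN.
# Fax machines and the projector are treated as non-IP devices (assumption).
SEGMENTS = [
    ("President's Office", "data", 2), ("President's Office", "voice", 1),
    ("President's Secretary", "data", 2), ("President's Secretary", "voice", 1),
    ("Reception", "data", 1), ("Reception", "voice", 1),
    ("Meeting room", "data", 3), ("Meeting room", "voice", 1),
    ("Administrative Management", "data", 96),
    ("Administrative Management", "voice", 95),
    ("Remote Office", "data", 101), ("Remote Office", "voice", 100),
]

BASE = ipaddress.ip_network("10.20.0.0/22")  # hypothetical private block
FIRST_VLAN = 10                               # hypothetical VLAN numbering

# Hypothetical permit list for routed traffic: (source area, destination area).
# Anything not listed is denied, and the list is directional.
ALLOWED = {
    ("President's Secretary", "President's Office"),
    ("Administrative Management", "Remote Office"),
}


def prefix_for(hosts):
    """Smallest IPv4 prefix that holds `hosts` devices plus one gateway."""
    needed = hosts + 1 + 2  # gateway, plus network and broadcast addresses
    bits = max(2, (needed - 1).bit_length())
    return 32 - bits


def build_plan(segments, base=BASE, first_vlan=FIRST_VLAN):
    """Give every (area, kind) its own VLAN ID and subnet, largest subnet first."""
    # Allocating from largest to smallest keeps every block aligned on its size.
    ordered = sorted(segments, key=lambda seg: prefix_for(seg[2]))
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    plan = []
    for index, (area, kind, hosts) in enumerate(ordered):
        prefix = prefix_for(hosts)
        size = 1 << (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{base} is too small for {area} ({kind})")
        subnet = ipaddress.ip_network((cursor, prefix))
        plan.append({
            "vlan": first_vlan + index, "area": area, "kind": kind,
            "hosts": hosts, "subnet": subnet,
            "gateway": subnet.network_address + 1,
        })
        cursor += size
    return plan


def locate(plan, address):
    """Return the plan entry whose subnet contains `address`, or None."""
    ip = ipaddress.ip_address(address)
    return next((entry for entry in plan if ip in entry["subnet"]), None)


def decide(plan, src, dst, allowed=ALLOWED):
    """Classify a flow: switched inside one VLAN, or routed and filtered."""
    s, d = locate(plan, src), locate(plan, dst)
    if s is None or d is None:
        return "deny: address outside the plan"
    if s["vlan"] == d["vlan"]:
        return "switched: same VLAN, never reaches the routed hop"
    if s["kind"] != d["kind"]:
        return "deny: voice and data VLANs are kept apart"
    if (s["area"], d["area"]) in allowed:
        return "permit: routed between VLANs"
    return "deny: no rule for this pair of areas"


if __name__ == "__main__":
    plan = build_plan(SEGMENTS)
    for e in plan:
        print(f"VLAN {e['vlan']:>3}  {str(e['subnet']):<16} gw {e['gateway']}  "
              f"{e['area']} ({e['kind']}, {e['hosts']} hosts)")
    print(decide(plan, "10.20.2.10", "10.20.2.2"))
```

Traffic between two hosts in the same VLAN is never seen by the routed hop, so any control that must apply inside a department has to be enforced on the switch ports themselves.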
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Calculation worksheet: G = 500, a = 9.7 × 10^-4, f = 500, e = 2.718; throughput functions s(a, G) and d(a, f); results s(a, G) = 0.185, d(a, G) = 0.614, t = 0.266]
[Plot: s(a, G) and d(a, f) against G and f, from 0 to 5000]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. Below is a diagram of the channel design to be used and of the BSAs.
[Channel design diagram: channels 1, 6 and 11]
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
Remote office floor plan, simulation
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, chosen for the reliability, security and quality of its services.
Remote office floor plan, simulation: AP distribution
Remote office floor plan, simulation: AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
• Ideal for different applications such as web, e-mail and FTP servers, e-commerce, etc.
• Delivered with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool
• Domain registration with the NIC
• Consulting and design of your network
• Supports server applications
• On-site technical support
Optional services:
• Traffic shaper
• Backup service
• Firewall equipment
• Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating the APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration demanded by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; for reasons of space and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
• Flexible clustering lets several switches be managed as one to support business growth
• High security protects network traffic to prevent access by unauthorized users
• Simplified web-based management makes installation and configuration easier
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE supplied to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding capacity: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at wire speed in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for better traffic management, monitoring and analysis
Firmware upgrade: Upgrade through a web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
• Cisco SGE2010P 48-port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the CISCO-brand model WRT54GL. This model meets the requirements requested from the IT department; in addition, CISCO's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Presentation: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of and paying more attention to the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose: The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose: The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose: The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems, with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees whose employment with the institution has terminated, and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview: Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose: The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope: This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
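The weak and strong characteristics listed above can be turned into an automated check. The following Python sketch is an added example, not part of the original document; the function names and the small word list are constructed for illustration, and checks that need per-user data (family names, birthdays, addresses) are outside its scope.

```python
import re
import string

MIN_LENGTH = 8
# Constructed sample word list; a real check would load full dictionaries.
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "dragon", "router", "server"}
# Terms the guidelines name explicitly; matched as substrings ("any derivation").
BANNED_TERMS = {"bradesco", "sanjose", "sanfran"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_pattern(s):
    """Detect the pattern classes the guidelines list: aaabbb, qwerty, zyxwvuts, 123321."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({1}, {-1}):                      # abcdef, zyxwvuts, 4321
        return True
    if any(s in row or s[::-1] in row for row in KEYBOARD_ROWS):  # qwerty
        return True
    if re.fullmatch(r"(.)\1+((.)\3+)?", s):       # aaaa, aaabbb
        return True
    return s == s[::-1]                           # mirrored, e.g. 123321


def _candidates(password):
    """Forms to test: as typed, with affixed digits stripped, and each reversed."""
    lowered = password.lower()
    core = lowered.strip(string.digits)           # "secret1" / "1secret" -> "secret"
    forms = {lowered, core, lowered[::-1], core[::-1]}
    return {f for f in forms if f}


def check_password(password, dictionary=SAMPLE_DICTIONARY, banned=BANNED_TERMS):
    """Return a sorted list of guideline violations; an empty list means none found."""
    findings = set()
    if len(password) < MIN_LENGTH:
        findings.add("too_short")
    for form in _candidates(password):
        if form in dictionary:
            findings.add("dictionary_word")
        if any(term in form for term in banned):
            findings.add("banned_term")
        if _is_pattern(form):
            findings.add("pattern")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.add("missing_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.add("missing_digit")
    if not any(c in string.punctuation for c in password):
        findings.add("missing_punctuation")
    return sorted(findings)


if __name__ == "__main__":
    # Inputs taken from the guideline text itself, plus constructed variants.
    for sample in ("secret1", "terces99", "zyxwvuts", "123321", "Bradesco2010!"):
        print(sample, check_password(sample))
```

An empty result only means none of the listed characteristics was detected with the supplied word lists; it is not a measure of password strength.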
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
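Standard 2 above is the one most often violated in application code. The following Python sketch is an added example, not part of the original document: it contrasts an easily reversible encoding with a salted, iterated one-way hash from the standard library. The record format, function names, and iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the deployment's hardware


def store_reversible(password):
    """What the standard forbids: an encoding anyone holding the record can undo."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_reversible(stored):
    """Shows why the form above is 'easily reversible': no secret is needed."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """One-way record: scheme$iterations$salt$digest, with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    sample = "Constructed-Example-1"  # constructed sample value
    print("reversible record leaks:", recover_reversible(store_reversible(sample)))
    record = hash_password(sample)
    print("one-way record:", record)
    print("verifies:", verify_password(sample, record))
```

Because the salt is random per record, two users with the same password get different records, and the stored value cannot be turned back into the password without guessing it.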
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement: Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose: This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope: This policy applies to all Bradesco employees and affiliates.
Policy: Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose: The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope: This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, wireless access points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose: The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope: This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy: Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose: This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope: Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet service providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review: All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement: All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case: All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact: The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity: Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access: All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access: When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean anything from modifying existing permissions to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Physical layout of the remote office
The following design shows the remote office department and how it will be structured.
Logical topology
[Diagram: logical topology with core/distribution, distribution and access layers]
Cabling coverage areas according to the EIA/TIA standard
Plan: electrical and telecommunications distribution, Presidency department
Plan: air conditioning distribution, Presidency department
Plan: electrical and telecommunications distribution, remote office
Plan: air conditioning distribution, remote office
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The plan shows graphically the location and distribution of the MDF and the IDFs. The vertical backbone is 62.5/125 µ multimode optical fiber. The media connecting each IDF to the MDF will also be optical fiber of the same type, while the distribution to each node will be in UTP-5E.
Central air conditioning
The main building has a central-distribution air conditioning system installed on the building's roof terrace, with two complete units in perfect working order: one as the main system and the other as the emergency system.
The capacity of this system is sufficient to serve the building as a whole and each of its departments, maintaining comfortable air conditions both for people and for the installed equipment and systems. The selected temperature is 24 °C (room temperature).
The plan shows how the main duct runs from the roof to the last floor, with its branches on each floor. The secondary air ducts and the return ducts run through the building above the false ceiling, with ventilation grilles placed aesthetically at the points considered necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the terrace to the last floor, made of an uninsulated 00-gauge (double zero) cable. On each floor, branches come off it that feed each and every three-prong outlet, as well as the power feed of each piece of equipment and its shielding.
The surge protection or suppression system is inherent to this grounding system, in order to achieve optimal electrical safety for electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, and under the strictest technical standards, to the grounding grid located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Presidency                          Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
                                    Projector           1
Human Resources                     Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Administration (Branches)           Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Area Support                        Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Telematics                          Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Management Control and Budgets      Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Legal                               Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Finance                             Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Audit                               Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Presidency Department
Distribution and location of the electrical system
The main distribution starts from the circuit-breaker box in the IDF and then runs to the equipment that requires it. The red line on the plan shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-cavity type, which allows data cabling to be isolated from AC power cabling or from any other system implemented in the future. These raceways measure 75 x 50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal cabling
The distribution starts from the wiring center in the IDF, where the voice and data patch panel is located, and then runs to the equipment that requires it. The green line shows in detail the distribution of the UTP-5E cabling to the different nodes. The raceway used is the same dual-cavity raceway used for the electrical distribution. Each node has 2 outlets that carry two circuits, one for data and one for telephony.
UTP cable: for the horizontal voice and data cabling it will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run above the false ceiling as shown on the plan. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers, so that the user can open or close them and control the air flow as desired. There is no false ceiling over the IDF, so a side-mounted air dispersion grille is used on the side of the IDF. The return diffusers are placed strategically so that the ventilation cycle is completed optimally.
IDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. This room houses the racks in which the patch panels, switches and necessary servers will be installed.
Racks
The room has 2 racks in which the required equipment will be mounted. These racks are the elements that support the entire cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards.
Electrostatic paint
Ground busbar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that will make up the Presidency floor is shown below.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Presidency                          Computer            1
                                    Direct telephone    1
                                    Printer             1
                                    Fax                 1
Presidency Secretary                Computer            1
                                    Direct telephone    1
                                    Printer             1
                                    Fax                 1
Reception                           Computer            1
                                    Direct telephone    1
                                    Fax                 1
Meeting room                        Computer            2
                                    Direct telephone    1
                                    Printer             1
                                    Projector           1
Administrative Management Area      Computer            95
                                    Direct telephone    95
                                    Printer             1
Remote Office
Distribution and location of the electrical system
The main distribution starts from the circuit-breaker box in the MDF and then runs to the equipment that requires it. The red line on the plan shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-cavity type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal cabling
The main distribution starts from the wiring center in the MDF, where the voice and data patch panel is located, and then runs to the equipment that requires it. The main distribution is carried on an overhead ladder rack and then, where necessary, into the dual-cavity raceway. The green line shows the distribution of the UTP-5E cabling to the different nodes.
UTP cable: for the horizontal voice and data cabling it will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines and have the same characteristics described earlier. There is no false ceiling over the MDF, so two side-mounted air dispersion grilles are used on the side of the MDF.
MDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. This room houses the racks in which the patch panels, switches and necessary servers will be installed.
Racks
The room has 2 racks in which the required equipment will be mounted. These racks are the elements that support the entire cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards.
Electrostatic paint
Ground busbar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be configured, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is shown below.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Remote Office                       Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet, with a bus-type logical topology (that is, the information flow travels over a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
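\[ G = 500, \qquad a = 9.7 \times 10^{-4}, \qquad f = 500, \qquad e = 2.718 \]
\[ d(a, f) = \frac{f \, e^{-a f}}{G \, (1 + 2a) + e^{-a G}} \]
\[ s(a, G) = \frac{a \, G \, e^{-a G}}{1 + e^{-a G} + a} \]
\[ s(a, G) = 0.185, \qquad d(a, G) = 0.614 \]
\[ f = 0 \ldots 5000, \qquad G = 0 \ldots 5000 \]
[Plot: s(a, G) and d(a, f) against G and f, horizontal axis from 0 to 5000]
\[ t = 0.266 \]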
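As an added example (not part of the original report), the following Python evaluates the slotted and unslotted throughput expressions above with the report's a = 9.7 × 10^-4 and load of 500, and sweeps the plotted range 0 to 5000 for the peak of each curve. The operator signs are an assumption, chosen because they reproduce the report's 0.185 and 0.614; the function names are illustrative.

```python
"""Throughput of the report's slotted and unslotted models (added example).

Assumption: the operators and signs below are a reading of the garbled
formulas, kept because they reproduce the report's printed results
(s = 0.185 and d = 0.614) for a = 9.7e-4 and an offered load of 500.
The report writes part of d with G and part with f; both are 500 there,
so a single load variable is used here.
"""
import math

A = 9.7e-4        # parameter a, as given in the report
LOAD = 500        # offered load G (and f), as given in the report
MAX_LOAD = 5000   # upper end of the load range plotted in the report


def _check(a, load):
    """Reject inputs for which the expressions are not meaningful."""
    if a < 0 or load < 0:
        raise ValueError("a and the offered load must be non-negative")


def unslotted_throughput(a, load):
    """d = load * e^(-a*load) / (load * (1 + 2a) + e^(-a*load))."""
    _check(a, load)
    decay = math.exp(-a * load)
    return load * decay / (load * (1 + 2 * a) + decay)


def slotted_throughput(a, load):
    """s = a * load * e^(-a*load) / (1 + e^(-a*load) + a)."""
    _check(a, load)
    decay = math.exp(-a * load)
    return a * load * decay / (1 + decay + a)


def peak(model, a, max_load=MAX_LOAD):
    """Return (load, throughput) at the best integer load in 1..max_load."""
    best = max(range(1, max_load + 1), key=lambda load: model(a, load))
    return best, model(a, best)


def summary(a=A, load=LOAD):
    """Throughput at the report's load, plus the peak of each curve."""
    models = {"slotted": slotted_throughput, "unslotted": unslotted_throughput}
    result = {}
    for name, model in models.items():
        peak_load, peak_value = peak(model, a)
        result[name] = {
            "at_load": round(model(a, load), 3),
            "peak_load": peak_load,
            "peak": round(peak_value, 3),
        }
    return result


if __name__ == "__main__":
    for name, row in summary().items():
        print(f"{name:9s} S({LOAD}) = {row['at_load']:.3f}  "
              f"peak {row['peak']:.3f} at load {row['peak_load']}")
```

Under this reading, the unslotted curve peaks at a load of roughly 30, so the 0.614 obtained at a load of 500 lies well past the maximum of that curve.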
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. A diagram of the channel design to be used and of the BSAs is presented below.
[Diagram: channel design using channels 1, 6 and 11]
Simulation of signal propagation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
Plan: remote office, simulation
Plan: remote office, simulation of AP distribution
Plan: remote office, simulation of AP signal propagation
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, because of the reliability, security and quality of its services.
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
Ideal for different applications such as web, e-mail and FTP servers, e-commerce, etc.
Delivered with 8 or more registered (fixed) IP addresses.
Can integrate a Security Module and a Data Center Module.
Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
Includes a web monitoring tool, domain registration with the NIC, and consulting and design for your network.
Supports server applications.
On-site technical support.
Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and integration with mobile devices required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, it was not possible to integrate the 1000 nodes that make up the network infrastructure of Banco Bradesco.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
Flexible clustering allows several switches to be managed as if they were one, to support the growth of the company
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed Layer 3 traffic forwarding in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) to improve traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE marking, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later; Category 5 Ethernet network cable; TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer on the network; vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps Fast Ethernet managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are Cisco-branded, model WRT54GL. This model meets the requirements requested from the IT department; in addition, the reputation and quality associated with Cisco have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Poliacutetica de seguridad de la empresa
Introduction
More and more high profile information security events have garnered media attention in recent years As a result those responsible for protecting their organizations critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy However for too many people in such positions of responsibility cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet intranet and extranet endeavors And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex Being more aware of and paying more attention to the following key elements of internal security will protect your information assets against the majority and most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm, or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six months' time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with the Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
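An added example, not part of the original document: one way to check VPN session records against items 3, 4, 7 and 8 of the policy above (no traffic outside the tunnel, 30-minute idle limit that keepalive pings must not defeat, 24-hour absolute limit). The record layout, the via_tunnel flag and the choice of ICMP as "artificial" traffic are assumptions, and the sessions are constructed sample data.

```python
"""Check VPN session records against the policy's session limits (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)    # item 7: disconnect after 30 minutes idle
ABSOLUTE_LIMIT = timedelta(hours=24)  # item 8: absolute connection time
KEEPALIVE_PROTOCOLS = {"icmp"}        # assumption: what counts as "artificial" traffic


@dataclass
class Flow:
    ts: datetime
    proto: str               # "tcp", "udp" or "icmp"
    via_tunnel: bool = True  # False: sent outside the tunnel while connected


@dataclass
class Session:
    user: str
    start: datetime
    end: datetime
    flows: list = field(default_factory=list)


def audit(session):
    """Return the list of policy findings for one session (empty = compliant)."""
    findings = []
    if session.end - session.start > ABSOLUTE_LIMIT:
        findings.append("absolute-24h-exceeded")
    # Items 3 and 4: all traffic must use the tunnel while the VPN is up.
    if any(not f.via_tunnel for f in session.flows):
        findings.append("split-tunnel")
    # Item 7: measure idle time on real tunnel traffic only, so that pings
    # do not count as activity.
    real = sorted(f.ts for f in session.flows
                  if f.via_tunnel and f.proto not in KEEPALIVE_PROTOCOLS)
    marks = [session.start] + real + [session.end]
    gaps = [(a, b) for a, b in zip(marks, marks[1:]) if b - a > IDLE_LIMIT]
    if gaps:
        held_open = any(a < f.ts < b and f.proto in KEEPALIVE_PROTOCOLS
                        for a, b in gaps for f in session.flows)
        # Keepalives inside the gap: the session was kept alive artificially.
        # No traffic at all: the concentrator did not enforce its idle timeout.
        findings.append("keepalive-held-open" if held_open else "idle-30min-exceeded")
    return findings


T0 = datetime(2010, 10, 4, 9, 0)  # constructed reference time


def _flows(proto, minutes, via_tunnel=True):
    return [Flow(T0 + timedelta(minutes=m), proto, via_tunnel) for m in minutes]


def sample_sessions():
    """Constructed sample data, one session per case."""
    return [
        Session("alice", T0, T0 + timedelta(minutes=40), _flows("tcp", [5, 20, 35])),
        Session("bob", T0, T0 + timedelta(hours=2),
                _flows("tcp", [10, 115]) + _flows("icmp", range(20, 111, 10))),
        Session("carol", T0, T0 + timedelta(hours=25),
                _flows("tcp", range(20, 1481, 20)) + _flows("udp", [600], via_tunnel=False)),
        Session("dave", T0, T0 + timedelta(minutes=90), _flows("tcp", [5, 85])),
    ]


def audit_all(sessions=None):
    return {s.user: audit(s) for s in (sessions or sample_sessions())}


if __name__ == "__main__":
    for user, findings in audit_all().items():
        print(f"{user:6} {', '.join(findings) or 'compliant'}")
```

A finding of idle-30min-exceeded points at the concentrator's timeout configuration, while keepalive-held-open points at the user's behaviour, so the two are reported separately.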
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business,
Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Logical topology
[Diagram: CORE/DISTRIBUTION, DISTRIBUTION and ACCESS layers]
Cabling coverage areas according to the EIA/TIA standard
Plan: Electrical and telecommunications distribution, Presidency department
Plan: Air-conditioning distribution, Presidency department
Plan: Electrical and telecommunications distribution, remote office
Plan: Air-conditioning distribution, remote office
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The plan shows graphically where the MDF and the IDFs will be located and how they are distributed. The vertical backbone is 62.5/125 µm multimode optical fiber. The media connecting each IDF to the MDF will also be optical fiber of the same type, while distribution to each node will use UTP-5E.
Central air conditioning
A centrally distributed air-conditioning system is installed in the main building. It is located on the roof terrace and consists of two complete units in perfect working order, one as the main system and the other as the emergency system.
The capacity of this system is sufficient to serve the building as a whole and each of its departments, keeping the air comfortable both for people and for the equipment and systems installed. The selected temperature is 24 °C (room temperature).
The plan shows how the main duct runs from the roof to the last floor, with the corresponding branches on each floor. The secondary air ducts and the return ducts run through the building above the false ceiling, with ventilation grilles placed unobtrusively at the points considered necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the roof terrace to the last floor, made of bare 00-gauge (double zero) cable. On each floor, branches come off it that feed each and every three-pole outlet, as well as the power feed of each piece of equipment and its shielding.
Surge protection or suppression is inherent to this grounding system, in order to achieve optimal electrical safety for electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, under the strictest technical standards, to the grounding grid located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT: EQUIPMENT TYPE (QUANTITY)
Presidency: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1), Projector (1)
Human Resources: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Administration (Branches): Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Area Support: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Telematics: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Management Control and Budgets: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Legal: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Finance: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Audit: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Presidency Department
Distribution and location of the electrical system
Main distribution starts at the circuit-breaker box in the IDF and runs from there to the equipment that requires it. The red line on the plan shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-compartment type, which keeps data cabling separate from AC power cabling or any other system implemented in the future. These raceways measure 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal cabling
Distribution starts at the wiring center in the IDF, where the voice and data patch panel is located, and runs from there to the equipment that requires it. The green line shows in detail how the UTP-5E cabling is distributed to the different nodes. The raceway used is the same dual-compartment raceway used for electrical distribution. Each node has 2 outlets that handle two circuits, one for data and one for telephony.
Cable: The UTP cable for horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: In accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning ducts are shown as yellow lines. These ducts are 50 by 70 cm, made entirely of aluminum, and run above the false ceiling as shown on the plan. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers, so that the user can open or close the louvers and control the airflow as desired. There is no false ceiling over the IDF, so a side-mounted air dispersion grille is used, mounted on the side of the IDF. The return diffusers are placed strategically so that the ventilation cycle works optimally.
IDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard's specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. This room houses the racks in which the patch panels, switches and the necessary servers will be installed.
Racks
The room has 2 racks installed, in which whatever equipment is needed will be mounted. These racks are the elements that support the whole cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards.
Electrostatic paint
Grounding busbar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that will make up the Presidency floor is shown below.
DEPARTMENT: EQUIPMENT TYPE (QUANTITY)
Presidency: Computer equipment (1), Direct telephone (1), Printer (1), Fax (1)
Presidency Secretary: Computer equipment (1), Direct telephone (1), Printer (1), Fax (1)
Reception: Computer equipment (1), Direct telephone (1), Fax (1)
Meeting room: Computer equipment (2), Direct telephone (1), Printer (1), Projector (1)
Administrative Management Area: Computer equipment (95), Direct telephone (95), Printer (1)
Remote Office
Distribution and location of the electrical system
Main distribution starts at the circuit-breaker box in the MDF and runs from there to the equipment that requires it. The red line on the plan shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-compartment type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal cabling
Main distribution starts at the wiring center in the MDF, where the voice and data patch panel is located, and runs from there to the equipment that requires it. It is carried on an overhead ladder rack and then, where necessary, in the dual-compartment raceway. The green line shows how the UTP-5E cabling is distributed to the different nodes.
Cable: The UTP cable for horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: In accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning distribution ducts are shown as yellow lines, with the same characteristics described earlier. There is no false ceiling over the MDF, so two side-mounted air dispersion grilles are used, mounted on the side of the MDF.
MDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard's specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. This room houses the racks in which the patch panels, switches and the necessary servers will be installed.
Racks
The room has 2 racks installed, in which whatever equipment is needed will be mounted. These racks are the elements that support the whole cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards.
Electrostatic paint
Grounding busbar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is shown below.
DEPARTMENT: EQUIPMENT TYPE (QUANTITY)
Remote Office: Computer equipment (100), Direct telephone (100), Printer (1), Fax (1)
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a bus logical topology (that is, the information flow travels on a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to these VLANs will use an IP address that lets them communicate when they need to send information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Worksheet and plot: s(a, G) and d(a, f) plotted against G and f over 0 to 5000, vertical axis 0.16 to 0.8. Values legible in the worksheet: G = 500, f = 500, e = 2.718, s(a, G) 0.185, d(a, G) 0.614, t 0.266; the value of a is illegible. The defining equations did not survive extraction.]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be installed only in the remote office. A design diagram of the channels to be used and of the BSAs is presented below.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel design diagram: channels 1, 6 and 11]
Plan: remote office simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be the company Telmex, for the reliability, security and quality that its services offer.
Plan: remote office simulation, AP distribution
Plan: remote office simulation, AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
Ideal for different applications such as web, e-mail and FTP servers, e-commerce, etc.
Delivered with 8 or more registered (fixed) IP addresses
Can integrate a Security Module and a Data Center Module
Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
Includes Web Monitoring Tool, domain registration with the NIC, and consulting and design of your network
Supports server applications
On-site technical support
Optional services: Traffic Shaper, Backup Service, Firewall Equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated in an ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration demanded by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up the network infrastructure of Banco Bradesco.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
Flexible clustering lets several switches be managed as one, to support the growth of the business
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for better traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policer, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP,
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
8023af PoE 8021D protocolo de aacuterbol de expansioacuten (STP) 8021Qp VLAN 8021w STP raacutepida 8021s STP muacuteltiple 8021X autenticacioacuten de acceso a puertos
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
Cisco SGE2010P 48-port Gigabit switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Internet browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later; Category 5 Ethernet network cable; TCP/IP, a network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network; vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are from the CISCO brand, model WRT54GL. This model meets the requirements requested of the IT department, and the reputation and quality associated with CISCO have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54 Mbps auto-fallback IEEE 802.11g; 11 Mbps auto-fallback IEEE 802.11b; 1 Mbps IEEE 802.11b; 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself, or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated with the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters
2. They are a word found in a dictionary (English or foreign)
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation
7. Birthdays and other personal information such as addresses and phone numbers
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret)
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z)
2. Include digits and punctuation characters as well as letters (e.g. 0-9, $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone
5. Don't reveal a password in an email message
6. Don't reveal a password to the boss
7. Don't talk about a password in front of others
8. Don't hint at the format of a password (e.g. "my family name")
9. Don't reveal a password on questionnaires or security forms
10. Don't share a password with family members
11. Don't reveal a password to a co-worker when you go on vacation
12. Don't write down a password and store it anywhere in your office
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
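The weak and strong password characteristics listed in the General Password Construction Guidelines above can be enforced automatically when a password is set. The following Python check is an added example, not part of the original policy; the sample word list, the ORG_WORDS set and all function names are assumptions made for illustration.

```python
import string

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_DICTIONARY = {"secret", "password", "router", "welcome", "dragon"}
# Organization and place names the policy calls out (assumed lowercase forms).
ORG_WORDS = {"bradesco", "sanjose", "sanfran"}
# Sequences behind patterns such as qwerty, zyxwvuts and 123321.
SEQUENCES = [string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _is_pattern(core):
    """True for repeated-character groups, keyboard/alphabet runs, mirrored strings."""
    if len(core) < 4:
        return False
    if len(set(core)) <= 2:                      # aaabbb
        return True
    for seq in SEQUENCES:                        # qwerty, zyxwvuts
        if core in seq or core in seq[::-1]:
            return True
    return core == core[::-1]                    # 123321


def _word_findings(core, dictionary, personal):
    """Apply the 'weak password' rules to a lowercase string, forwards and backwards."""
    findings = []
    for candidate, suffix in ((core, ""), (core[::-1], " spelled backwards")):
        if candidate in dictionary:
            findings.append("dictionary word" + suffix)
        if any(word in candidate for word in ORG_WORDS):
            findings.append("organization or place name" + suffix)
        if any(item in candidate for item in personal):
            findings.append("personal information" + suffix)
    if _is_pattern(core):
        findings.append("word or number pattern")
    return findings


def check_password(password, dictionary=SAMPLE_DICTIONARY, personal=()):
    """Return the list of guideline violations; an empty list means none found."""
    findings = []
    if len(password) < 8:
        findings.append("fewer than eight characters")

    lowered = password.lower()
    # Very short personal tokens would match almost anything, so ignore them.
    personal = {p.lower() for p in personal if len(p) >= 3}
    findings += _word_findings(lowered, dictionary, personal)

    # "Any of the above preceded or followed by a digit" (secret1, 1secret).
    stripped = lowered.strip(string.digits)
    if stripped and stripped != lowered:
        findings += [f + " preceded or followed by a digit"
                     for f in _word_findings(stripped, dictionary, personal)]

    # Requirements from the 'strong passwords' list.
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        findings.append("lacks mixed upper and lower case")
    if not any(c.isdigit() for c in password):
        findings.append("lacks a digit")
    if not any(c in string.punctuation for c in password):
        findings.append("lacks a punctuation character")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("secret1", "Bradesco2010!", "zyxwvuts", "Wt4!nGh7$q"):
        print(sample, "->", check_password(sample) or "no findings")
```

A password such as "Bradesco2010!" satisfies every character-class requirement yet is still flagged, which is why the word-based rules have to be checked alongside the complexity rules.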
Enforcement Any employee found violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term Definition
Application Administration Account
Any account that is for the administration of an application (eg Oracle database administrator ISSU administrator)
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradesco's corporate network is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP).
Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access.
Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables secure private network via a public network such as the Internet using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
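The CHAP exchange required for ISDN routers in requirement 5 and defined above, written out for both sides following RFC 1994, where the response is an MD5 hash over the identifier, the shared secret and the challenge. This is an added example, not part of the original policy; the server name, peer name and secrets are constructed values.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 packet codes


def build_packet(code, identifier, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_packet(packet):
    """Return (code, identifier, value, name); reject inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("shorter than the CHAP header")
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or value_size == 0 or 5 + value_size > length:
        raise ValueError("length fields do not match the packet")
    return code, identifier, packet[5:5 + value_size], packet[5 + value_size:]


def chap_response(identifier, secret, challenge):
    """The one-way hash from RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Access-server side: issues challenges and checks responses."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets      # peer name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)      # unpredictable and unique per challenge
        self.pending[identifier] = value
        return build_packet(CHALLENGE, identifier, value, self.name)

    def verify(self, packet):
        try:
            code, identifier, value, peer_name = parse_packet(packet)
        except ValueError:
            return FAILURE
        challenge = self.pending.pop(identifier, None)  # each challenge is single use
        secret = self.secrets.get(peer_name)
        if code != RESPONSE or challenge is None or secret is None:
            return FAILURE
        expected = chap_response(identifier, secret, challenge)
        return SUCCESS if hmac.compare_digest(expected, value) else FAILURE


class Peer:
    """Remote-router side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, packet):
        code, identifier, challenge, _server_name = parse_packet(packet)
        if code != CHALLENGE:
            raise ValueError("not a Challenge packet")
        digest = chap_response(identifier, self.secret, challenge)
        return build_packet(RESPONSE, identifier, digest, self.name)


def run_exchange(authenticator, peer):
    """One full round: Challenge out, Response back, Success or Failure code."""
    return authenticator.verify(peer.respond(authenticator.challenge()))


if __name__ == "__main__":
    # Constructed names and secrets, for illustration only.
    server = Authenticator(b"access-server", {b"branch-router": b"constructed-secret"})
    print(run_exchange(server, Peer(b"branch-router", b"constructed-secret")))  # 3
    print(run_exchange(server, Peer(b"branch-router", b"wrong-secret")))        # 4
```

Because the authenticator discards each challenge once it has been answered, a captured Response cannot be presented a second time.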
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
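One way to check a remote host for the split-tunneling and dual-homing conditions that items 3 and 4 prohibit: resolve, by longest-prefix match, which interface sample destinations would leave through while the VPN is up. This is an added example, not part of the original policy; it assumes Linux `ip route show` output, and the interface names, addresses and routing tables are constructed. The `allowed_local` parameter models the Remote Access Policy exception for personal networks under the user's complete control.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_routes(text):
    """Parse `ip route show` style lines into Route tuples (IPv4 only)."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue                      # no outgoing interface on this line
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.IPv4Network(dest, strict=False)
        except ValueError:
            continue                      # route-type keyword or IPv6 prefix
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields[:-1] else 0
        routes.append(Route(network, dev, metric))
    return routes


def egress_device(routes, dest):
    """Interface chosen for dest: longest prefix wins, then lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None                       # no route: the traffic is dropped
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric)).dev


def audit_split_tunnel(route_text, vpn_dev, vpn_gateway, probes, allowed_local=()):
    """Return (destination, interface) pairs that would bypass the VPN tunnel."""
    routes = parse_routes(route_text)
    allowed = [ipaddress.IPv4Network(n) for n in allowed_local]
    findings = []
    for dest in probes:
        dev = egress_device(routes, dest)
        if dev is None or dev == vpn_dev:
            continue
        if dest == vpn_gateway:
            continue                      # the tunnel's own transport must use the NIC
        if any(ipaddress.IPv4Address(dest) in n for n in allowed):
            continue
        findings.append((dest, dev))
    return findings


# Constructed routing tables (documentation and private address ranges).
FULL_TUNNEL = """
default via 192.0.2.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50 metric 100
203.0.113.10 via 192.0.2.1 dev eth0
"""
SPLIT_TUNNEL = """
default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50 metric 100
203.0.113.10 via 192.0.2.1 dev eth0
"""
# Internet host, corporate host, VPN gateway, home-LAN host (all constructed).
PROBES = ["198.51.100.7", "10.20.30.40", "203.0.113.10", "192.0.2.77"]

if __name__ == "__main__":
    for label, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(label, audit_split_tunnel(table, "tun0", "203.0.113.10", PROBES,
                                        allowed_local=["192.0.2.0/24"]))
```

In the full-tunnel table the physical default route is still present but is overridden by the two more specific /1 routes on the tunnel, which is why the check resolves destinations instead of flagging any route on the physical interface.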
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Cabling coverage areas according to the EIA/TIA standard
Plan: Electrical and telecommunications distribution, Presidency Department
Plan: Air conditioning distribution, Presidency Department
Plan: Electrical and telecommunications distribution, remote office
Plan: Air conditioning distribution, remote office
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and the IDFs
The plan shows graphically the location and distribution of the MDF and the IDFs. The vertical backbone is 62.5/125 µm multimode optical fiber. The media connecting the IDF to the MDF will also be optical fiber of the same type, while distribution to each node will be in UTP-5E.
Central Air Conditioning
A central-distribution air conditioning system is installed in this main building. It is located on the building's roof terrace and consists of two complete units in perfect working order, one as the main system and the other as the emergency system.
The capacity of this system is sufficient to serve the building as a whole and each of its departments, keeping the air comfortable both for people and for the equipment and systems installed. The selected temperature is 24 °C (room temperature).
The plan shows how the main duct runs from the roof to the last floor, with the respective branches on each floor. The secondary air ducts and the return ducts run through the building above the false ceiling, with ventilation grilles placed aesthetically at the points deemed necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the roof terrace to the last floor and is made of bare 00-gauge (double zero) cable. On each floor the respective branches come off it; these then feed each and every three-prong outlet, as well as the supply of each piece of equipment and its shielding.
The surge protection or suppression system is inherent to this grounding system, in order to achieve optimal electrical safety for the electronic and electrical equipment and, naturally, for people. When the primary busbar reaches the last floor, it is connected directly, and under the strictest technical standards, to the grounding grid located beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Presidency | Computer, Direct telephone, Printer, Fax, Projector | 100, 100, 1, 1, 1
Human Resources | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Administration (Branches) | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Area Support | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Telematics | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Management Control and Budgets | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Legal | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Finance | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Audit | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Presidency Department
Distribution and location of the electrical system
The main distribution starts from the circuit breaker box in the IDF and runs from there to the equipment that requires it. The red line on the plan shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type, which allows data cabling to be isolated from AC power cabling or from any other system implemented in the future. These raceways measure 75 x 50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
Distribution starts from the wiring center in the IDF, where the voice and data patch panel is located, and runs from there to the equipment that requires it. The green line shows in detail how the UTP-5E cabling is distributed to the different nodes. The raceway used is the same double-cavity type used for the electrical distribution. Each node has 2 outlets that handle two circuits, one for data and one for telephony.
UTP cable: the horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum and run above the false ceiling as shown on the plan. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers so that the user can open or close them and adjust the airflow as desired. There is no false ceiling over the IDF, so a side-mounted air dispersion grille is fitted on the side of the IDF. The return diffusers are placed strategically so that the ventilation cycle completes optimally.
IDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
Two racks are mounted in the room, in which whatever equipment is needed will be installed. These racks are the elements that support the entire cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the EIA-TIA 310D and NEMA 250 standards:
Electrostatic paint
Ground bar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that will make up the Presidency floor is shown below.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Presidency | Computer, Direct telephone, Printer, Fax | 1, 1, 1, 1
Presidency Secretary | Computer, Direct telephone, Printer, Fax | 1, 1, 1, 1
Reception | Computer, Direct telephone, Fax | 1, 1, 1
Meeting room | Computer, Direct telephone, Printer, Projector | 2, 1, 1, 1
Administrative Management Area | Computer, Direct telephone, Printer | 95, 95, 1
Remote Office
Distribution and location of the electrical system
The main distribution starts from the circuit breaker box in the MDF and runs from there to the equipment that requires it. The red line on the plan shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
The main distribution starts from the wiring center in the MDF, where the voice and data patch panel is located, and runs from there to the equipment that requires it. The main distribution is carried on an overhead cable ladder and then, where necessary, down to the double-cavity raceway. The green line shows how the UTP-5E cabling is distributed to the different nodes.
UTP cable: the horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines and have the same characteristics described earlier. There is no false ceiling over the MDF, so two side-mounted air dispersion grilles are fitted on the side of the MDF.
MDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
Two racks are mounted in the room, in which whatever equipment is needed will be installed. These racks are the elements that support the entire cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the EIA-TIA 310D and NEMA 250 standards:
Electrostatic paint
Ground bar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is shown below.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Remote Office | Computer, Direct telephone, Printer, Fax | 100, 100, 1, 1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET, with a bus logical topology (that is, one where the information flow is on a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
$G = 500$, $a = 9.7 \times 10^{-4}$, $f = 500$, $e = 2.718$
$d(a, f) = \dfrac{f\, e^{-a f}}{G(1 + 2a) + e^{-a G}}$
$s(a, G) = 0.185$
$d(a, G) = 0.614$
[Plot: $s(a, G)$ and $d(a, f)$ against $G$ and $f$, each ranging from 0 to 5000; vertical axis ticks from 0.16 to 0.8]
$t = 0.266$
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. Below is a diagram of the channel design to be used and of the BSAs.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel design diagram: channels 11, 1 and 6]
Plan: remote office simulation
Especificaciones del enlace digital para la comunicacioacuten en WAN
El ISP (Internet Service Provider) que nos proporcionara este enlace seraacute la compantildeiacutea
Telmex por su confiabilidad seguridad y calidad que ofrecen sus servicios
Plano oficina remota simulacioacuten distribucioacuten APrsquos
Plano oficina remota simulacioacuten propagacioacuten de sentildeal APrsquos
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
• Ideal for applications such as web, e-mail and FTP servers, e-commerce, etc.
• Provided with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a WEB monitoring tool, domain registration with the NIC, and consulting and design for your network
• Supports server applications
• On-site technical support
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating the APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet easily and economically supplies power to wireless access points, video cameras and other network-connected endpoints
• Flexible clustering allows several switches to be managed as one to support the growth of the company
• Strong security protects network traffic to prevent access by unauthorized users
• Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available to all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (range 4096)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless inter-domain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed Layer 3 traffic forwarding in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets; DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Queue priority assignment and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 in (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240 V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48 V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
• Cisco SGE2010P 48-port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are Cisco-brand, model WRT54GL. This model meets the requirements requested of the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Characteristics
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Presentation: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Channels: 11, USA & Canada
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC, Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization Many hackers make ample use of social engineering skills in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company For example a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running He may follow up by asking for the names of key employees at your company Armed with that basic information this unwelcome visitor now knows how to identify your systems what operating system holes they may be able to exploit and what potential user IDs they can try to use to access those systems Watch Your Visitors Temporary workers contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firms full-time employees but may be granted the same high levels of system access In addition they will sometimes know the applications and operating systems running on your network better than your own employees will Watch these ad-hoc employees closely until you are familiar with their qualifications the caliber of their work and most importantly the degree of trust that it is safe to allow Though usually honest and competent these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your companys interest Vendors for example will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
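The mechanical parts of the weak and strong password characteristics listed above can be checked automatically, for example when a password is changed. The following is an added example, not part of the Bradesco policy; the function name, the rule codes and the small word lists are assumptions constructed for illustration, standing in for a real dictionary.

```python
import re
import string

# Constructed stand-in for a real dictionary and list of computer terms.
SAMPLE_WORDS = frozenset({"secret", "password", "welcome", "router", "oracle"})
# Company and location words named in the guidelines ("or any derivation").
SITE_WORDS = ("bradesco", "sanjose", "sanfran")
# Pattern examples quoted in the guidelines.
KNOWN_PATTERNS = ("aaabbb", "qwerty", "zyxwvuts", "123321")


def _forms(password):
    """Lowercased variants to test: as typed, with leading/trailing digits
    removed (secret1, 1secret), and each of those spelled backwards."""
    base = password.lower()
    forms = {base, base.strip(string.digits)}
    forms |= {f[::-1] for f in forms}
    forms.discard("")
    return forms


def check_password(password, words=SAMPLE_WORDS, site_words=SITE_WORDS):
    """Return the list of guideline rules the candidate password breaks.

    `words` is a set of lowercase dictionary words. An empty result means
    that none of the mechanically checkable rules was violated.
    """
    problems = []

    # Strong-password requirements: length and character classes.
    if len(password) < 8:
        problems.append("too_short")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("mixed_case")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_punctuation")

    # Weak-password characteristics: words, names and patterns, also when
    # reversed or wrapped in digits.
    forms = _forms(password)
    if forms & words:
        problems.append("dictionary_word")
    if any(w in f for f in forms for w in site_words):
        problems.append("site_name")
    if (any(p in f for f in forms for p in KNOWN_PATTERNS)
            or re.search(r"(.)\1\1", password.lower())):
        problems.append("pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; none is a real credential.
    for candidate in ("secret1", "1terceS", "Bradesco2010!",
                      "Zyxwvuts9$", "gR7#kv!Tq2"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Rules that depend on the person (family names, birthdays, never writing the password down) cannot be checked this way and remain a matter of training and audit.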
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Application Administration Account | Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Proprietary Encryption | An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem | A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem | A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Cable Modem | Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP | Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI | Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem | A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing | Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay | A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN | Integrated Services Digital Network service comes in two types: Basic Rate Interface (BRI) is used for home office/remote access; Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access | Any access to a private network through a non-private network, device, or medium.
Split-tunneling | Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN | Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL | Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
IPSec Concentrator | A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term | Definition
Circuit | For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization | The Bradesco organization that requested third-party access to Bradesco networks.
Third Party | A business that is not a formal or subsidiary part of Bradesco.
Plan: Electrical and telecommunications distribution, remote office
Plan: Air conditioning distribution, remote office
Specifications of each structured cabling component according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The plan shows graphically the location and distribution of the MDF and the IDFs.
The vertical backbone is 62.5/125 µm multimode optical fiber. The media connecting the
IDF to the MDF will also be optical fiber of the same type, while distribution to each
node will be in UTP-5E.
Central Air Conditioning
This main building has a central-distribution air conditioning system installed on the
rooftop terrace of the building, with two complete units in perfect working order: one
as the main system and the other as the emergency system.
The capacity of this system is sufficient to support the whole building and each of its
departments, maintaining comfortable air both for the people and for the equipment and
systems installed. The selected temperature is 24 °C (room temperature).
The plan shows how the main duct runs from the roof to the last floor, with the
respective branches on each floor. The secondary air ducts, as well as the return ducts,
run through the building above the false ceiling, with ventilation grilles placed
aesthetically at the points deemed necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the
rooftop terrace to the last floor and is made of an uninsulated 00 gauge (double zero)
cable. On each floor the respective branches split off from it and then feed each and
every three-prong power outlet, as well as the power supply of each piece of equipment
and its respective shielding.
The surge protection or suppression system is inherent to this grounding system, in
order to achieve optimal electrical safety for electronic and electrical equipment and,
naturally, for people. When the primary busbar reaches the last floor, it is connected
directly, and under the strictest technical standards, to the grounding grid located
beneath the floor.
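The distribution by department and by equipment for each floor is shown in the following table:
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Presidency | Computer | 100
Presidency | Direct telephone | 100
Presidency | Printer | 1
Presidency | Fax | 1
Presidency | Projector | 1
Human Resources | Computer | 100
Human Resources | Direct telephone | 100
Human Resources | Printer | 1
Human Resources | Fax | 1
Administration (Branches) | Computer | 100
Administration (Branches) | Direct telephone | 100
Administration (Branches) | Printer | 1
Administration (Branches) | Fax | 1
Area Support | Computer | 100
Area Support | Direct telephone | 100
Area Support | Printer | 1
Area Support | Fax | 1
Telematics | Computer | 100
Telematics | Direct telephone | 100
Telematics | Printer | 1
Telematics | Fax | 1
Management Control and Budgets | Computer | 100
Management Control and Budgets | Direct telephone | 100
Management Control and Budgets | Printer | 1
Management Control and Budgets | Fax | 1
Legal | Computer | 100
Legal | Direct telephone | 100
Legal | Printer | 1
Legal | Fax | 1
Finance | Computer | 100
Finance | Direct telephone | 100
Finance | Printer | 1
Finance | Fax | 1
Audit | Computer | 100
Audit | Direct telephone | 100
Audit | Printer | 1
Audit | Fax | 1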
Presidency Dept.
Distribution and location of the electrical system
The main distribution runs from the circuit breaker box in the IDF and then to the
equipment that requires it. The red line on the plan shows in detail how the main and
secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-cavity type, which allows data cabling to be isolated from
AC power cabling or from any other system implemented in the future. These raceways
measure 75x50 millimeters. Each node has 2 power outlets, all three-prong and properly
grounded.
Horizontal Cabling
Distribution runs from the wiring center in the IDF, where the voice and data patch
panel is located, and then to the equipment that requires it. The green line shows in
detail the distribution of the UTP-5E cabling to the different nodes. The raceway used
is the same dual-cavity type used for electrical distribution. Each node has 2 outlets
that handle two circuits, one for data and the other for telephony.
UTP cable: for horizontal voice and data cabling it will be Category 5e; it must consist
of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant
PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets
will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown by yellow lines. These ducts are 50 by 70 cm, made
entirely of aluminum, and run above the false ceiling as shown on the plan. They are
fitted with air diffuser grilles installed horizontally on the duct and ceiling, with
fully movable louvers so that the user can open or close them and so manage the air flow
as desired. There is no false ceiling over the IDF, so a side-type air dispersion grille
mounted on the side of the IDF is used. The return diffusers are installed strategically
so that the ventilation cycle is completed optimally.
IDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A
standard on specifications for an Ethernet LAN, the horizontal cabling runs will be
connected to a central point. The racks are mounted in this room, and the patch panels,
switches and the necessary servers will be installed in them.
Racks
There are 2 racks mounted in the room, in which whatever equipment is needed will be
mounted. These racks are the elements that support the entire cabling structure; they
are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards.
Electrostatic paint
Grounding bar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy
equipment, monitor trays, pull-out keyboard trays, vertical power strips
A continuacioacuten se muestra la distribucioacuten por cada una de las aeacutereas por la cual va a estar
conformado el piso de Presidencia
DEPARTMENT                        EQUIPMENT TYPE      QUANTITY
Presidency                        Computer            1
                                  Direct telephone    1
                                  Printer             1
                                  Fax                 1
Presidency Secretary              Computer            1
                                  Direct telephone    1
                                  Printer             1
                                  Fax                 1
Reception                         Computer            1
                                  Direct telephone    1
                                  Fax                 1
Meeting room                      Computer            2
                                  Direct telephone    1
                                  Printer             1
                                  Projector           1
Administrative Management Area    Computer            95
                                  Direct telephone    95
                                  Printer             1
Remote Office
Distribution and location of the electrical system
The main distribution starts from the circuit breaker box in the MDF and then runs to the equipment that requires it. Graphically, the red line on the plan shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is of the double-cavity type and measures 75 x 50 millimetres. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal Cabling
The main distribution starts from the wiring center in the MDF, where the voice and data patch panel is located, and then runs to the equipment that requires it. The main distribution is carried on an overhead cable ladder and then, where necessary, down to the double-cavity raceway. Graphically, the green line shows how the UTP-5E cabling is distributed to the different nodes.
• UTP cable: the horizontal cabling for voice and data shall be Category 5e; it must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines, with the same characteristics described earlier. There is no false ceiling over the MDF, so two side-mounted air dispersion grilles are installed on the side of the MDF.
MDF
The location of this room can be seen clearly on the plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room, and the patch panels, switches and the necessary servers will be installed in them.
Racks
There are 2 racks mounted in the room, in which whatever equipment is needed will be installed. These racks are the elements that support the entire cabling structure; they are of the open type and anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA/TIA 310D and NEMA 250.
• Electrostatic paint
• Ground bus bar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is shown below.
DEPARTMENT                        EQUIPMENT TYPE      QUANTITY
Remote Office                     Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a logical bus topology (that is, one in which the flow of information travels over a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that lets them communicate when they need to send information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
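\[ G = 500, \quad a = 9.7 \times 10^{-4}, \quad f = 500, \quad e = 2.718 \]
\[ d(a, f) = \frac{f\, e^{-a f}}{G\,(1 + 2a) + e^{-a G}} \]
\[ s(a, G) = 0.185, \quad d(a, G) = 0.614 \]
\[ f = 0 \ldots 5000, \quad G = 0 \ldots 5000 \]
[Figure: s(a, G) and d(a, f) plotted against G and f from 0 to 5000; vertical axis from 0 to 0.8]
\[ t = 0.266 \]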
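As an added example (not part of the original report), the following Python evaluates the standard unslotted nonpersistent CSMA throughput expression at the report's values a = 9.7 x 10^-4 and G = 500, which gives the listed d(a, G) = 0.614, and then locates the offered load at which throughput peaks. That the report used this expression is an assumption, and the function names are hypothetical.

```python
"""Added example: unslotted nonpersistent CSMA throughput (not from the report)."""
import math

A = 9.7e-4        # normalised propagation delay a, value listed in the report
G_REPORT = 500    # offered load G, value listed in the report


def normalized_delay(tau_s, bitrate_bps, frame_bits):
    """a = tau / T, where T = frame_bits / bitrate is the frame transmission time."""
    if tau_s < 0 or bitrate_bps <= 0 or frame_bits <= 0:
        raise ValueError("tau must be >= 0; bit rate and frame size must be > 0")
    return tau_s * bitrate_bps / frame_bits


def unslotted_throughput(a, g):
    """Throughput S for offered load g (frames per frame time) and delay a.

    Standard unslotted nonpersistent CSMA result (assumed to be the
    report's model): S = g e^{-a g} / (g (1 + 2a) + e^{-a g}).
    """
    if a < 0 or g < 0:
        raise ValueError("a and g must be non-negative")
    if g == 0:
        return 0.0
    idle = math.exp(-a * g)   # probability that no arrival occurs within a
    return g * idle / (g * (1 + 2 * a) + idle)


def peak_load(a, g_max=5000):
    """Integer offered load in 1..g_max with the highest throughput."""
    best = max(range(1, g_max + 1), key=lambda g: unslotted_throughput(a, g))
    return best, unslotted_throughput(a, best)


def max_load_for(a, target, g_max=5000):
    """Largest integer load that still yields at least `target` throughput."""
    ok = [g for g in range(1, g_max + 1) if unslotted_throughput(a, g) >= target]
    return max(ok) if ok else None


if __name__ == "__main__":
    print("S at report values:", round(unslotted_throughput(A, G_REPORT), 3))
    g_peak, s_peak = peak_load(A)
    print("peak throughput %.3f at G = %d" % (s_peak, g_peak))
    print("largest G with S >= 0.9:", max_load_for(A, 0.9))
    # Constructed sample: 1 microsecond end-to-end delay, 1 Mbps, 1000-bit frames.
    print("a for the constructed link:", normalized_delay(1e-6, 1e6, 1000))
```

With these inputs the operating point G = 500 lies well past the throughput peak, so added offered load at that point lowers the useful throughput.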
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be installed only in the remote office. A design diagram of the channels to be used and of the BSAs is presented below.
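As an added example (not part of the original report), the following Python checks a 2.4 GHz channel plan of the kind described above: it computes which channels overlap and assigns channels 1, 6 and 11 (the numbers that appear in the report's channel diagram) so that no two overlapping BSAs share spectrum. The AP names and the neighbour map are constructed, and the function names are hypothetical.

```python
"""Added example: 2.4 GHz channel plan check for an ESS (constructed layout)."""

CHANNEL_WIDTH_MHZ = 22  # occupied bandwidth of an 802.11b DSSS channel


def center_mhz(channel):
    """Centre frequency of 2.4 GHz channels 1..13."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be between 1 and 13")
    return 2407 + 5 * channel


def overlaps(ch_a, ch_b):
    """True when the two channels' 22 MHz masks share spectrum."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def conflicts(plan, neighbours):
    """Pairs of neighbouring APs whose assigned channels overlap."""
    found = set()
    for ap, others in neighbours.items():
        for other in others:
            if overlaps(plan[ap], plan[other]):
                found.add(tuple(sorted((ap, other))))
    return sorted(found)


def assign_channels(neighbours, channels=(1, 6, 11)):
    """Backtracking assignment; returns None when no clean plan exists."""
    order = sorted(neighbours, key=lambda ap: -len(neighbours[ap]))
    plan = {}

    def place(index):
        if index == len(order):
            return True
        ap = order[index]
        for ch in channels:
            placed = [n for n in neighbours[ap] if n in plan]
            if all(not overlaps(ch, plan[n]) for n in placed):
                plan[ap] = ch
                if place(index + 1):
                    return True
                del plan[ap]
        return False

    return plan if place(0) else None


# Constructed layout: five APs in two staggered rows; an entry lists the
# APs whose coverage areas (BSAs) overlap with that AP's.
REMOTE_OFFICE = {
    "AP1": {"AP2", "AP4"},
    "AP2": {"AP1", "AP3", "AP4", "AP5"},
    "AP3": {"AP2", "AP5"},
    "AP4": {"AP1", "AP2", "AP5"},
    "AP5": {"AP2", "AP3", "AP4"},
}

if __name__ == "__main__":
    plan = assign_channels(REMOTE_OFFICE)
    print("plan:", plan)
    print("conflicts:", conflicts(plan, REMOTE_OFFICE))
    everyone_on_6 = {ap: 6 for ap in REMOTE_OFFICE}
    print("all on channel 6:", conflicts(everyone_on_6, REMOTE_OFFICE))
```

When four APs all overlap one another, three channels are not enough and `assign_channels` returns None, which signals that cell sizes or AP placement have to change.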
Simulation of signal propagation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Figure: channel design diagram with channels 11, 1 and 6]
Remote office plan, simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, for the reliability, security and quality of its services.
Remote office plan, simulation: AP distribution
Remote office plan, simulation: AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
• Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
• Delivered with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool
• Domain registration with the NIC
• Consulting and design of your network
• Supports server applications
• On-site technical support
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and integration with mobile devices required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, the 1000 nodes that make up Banco Bradesco's network infrastructure could not all be integrated.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet easily and economically supplies power to wireless access points, video cameras and other network-connected endpoints
• Flexible clustering lets several switches be managed as if they were one, to support the growth of the company
• Strong security protects network traffic to prevent access by unauthorized users
• Simplified web-based management that makes installation and configuration easier
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the stack units
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for better traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240 V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48 V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
• Cisco SGE2010P 48-port Gigabit Switch
• AC power adapter with power cord
• Two rack-mount kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, a network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are Cisco-brand, model WRT54GL. This model meets the requirements requested of the IT department; likewise, Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General features
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12 V DC, 1.0 A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54 Mbps Auto-fallback IEEE 802.11g, 11 Mbps Auto-fallback IEEE 802.11b, 1 Mbps IEEE 802.11b, 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC (device)
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12 V DC, 0.5 A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10% to 85%, Noncondensing
Storage Humidity: 5% to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization’s critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remain inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm, or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
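The weak and strong password characteristics listed above can be checked mechanically when a password is set. The following is an added example, not part of the original policy: the function name, result codes, and the small word lists are assumptions constructed for illustration.

```python
import string

MIN_LENGTH = 8

# Constructed sample lists (assumptions): a real deployment would load a full
# dictionary and a site-specific list of banned terms.
DICTIONARY = {"secret", "password", "dragon", "monkey", "welcome"}
BANNED_TERMS = {"bradesco", "sanjose", "sanfran"}

# Sequences whose substrings, forwards or backwards, count as patterns.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_pattern(s):
    """True for repeats (aaabbb), keyboard/alphabet runs, digit palindromes."""
    if len(s) < 4:
        return False
    if len(set(s)) <= 2:
        return True
    if s.isdigit() and s == s[::-1]:
        return True
    return any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def check_password(password, personal_terms=()):
    """Return a list of violation codes; an empty list means the password passes."""
    problems = []

    # Strong-password requirements: length and character classes.
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_punctuation")

    lowered = password.lower()
    # "Preceded or followed by a digit": compare with the digits stripped off.
    core = lowered.strip(string.digits)

    # Dictionary words, also spelled backwards.
    variants = {lowered, core, lowered[::-1], core[::-1]}
    if variants & DICTIONARY:
        problems.append("dictionary_word")

    # Company name, geographic indicators, personal details "or any derivation":
    # matched as substrings, forwards and backwards.
    banned = BANNED_TERMS | {t.lower() for t in personal_terms if t}
    if any(t in lowered or t in lowered[::-1] for t in banned):
        problems.append("banned_term")

    # Word or number patterns.
    if _is_pattern(lowered) or _is_pattern(core):
        problems.append("pattern")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("secret1", "9Terces9", "Bradesco2010!", "zyxwvuts",
                      "123321", "rV7#kq!Lw2"):
        print(candidate, check_password(candidate))
```
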
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP). Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access. Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business,
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Bradesco andor the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection Enforcement Any employee violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term                      Definition
Circuit                   For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization   The Bradesco organization that requested third-party access to Bradesco networks.
Third Party               A business that is not a formal or subsidiary part of Bradesco.
Specifications of each structured cabling component
according to the EIA/TIA standard
Main Building
General location and distribution of the MDF and IDFs
The floor plan shows graphically how the MDF and the IDFs will be located and distributed.
The vertical backbone is multimode optical fiber, 62.5/125 µm. The media connecting each
IDF to the MDF will also be optical fiber of the same type, while distribution to each
node will be in UTP-5E.
Central Air Conditioning
This main building has a central-distribution air conditioning system installed on the
building's roof terrace, with two complete units in perfect working order: one as the
main system and the other as the emergency system.
The capacity of this system is sufficient to serve the building as a whole and each of
its departments, keeping the air comfortable both for people and for the installed
equipment and systems. The selected temperature is 24°C (room temperature).
The floor plan shows how the main duct runs from the roof down to the last floor, with
the respective branches on each floor. The secondary air ducts and the return ducts run
through the building above the false ceiling, with ventilation grilles placed
aesthetically at the points judged necessary.
Main grounding system
This system consists of a single primary busbar that runs through the building from the
roof terrace to the last floor, made of uninsulated gauge 00 (double zero) cable. On each
floor the respective branches split off from it; these then feed each and every
three-pole outlet, as well as the supply of each piece of equipment and its shielding.
The surge protection or suppression system is inherent to this grounding system, in order
to achieve optimum electrical safety for electronic and electrical equipment and,
naturally, for people. When the primary busbar reaches the last floor, it is connected
directly, and under the strictest technical standards, to the grounding grid located
beneath the floor.
The distribution by department and by equipment for each floor is shown in the following table.
DEPARTMENT                        EQUIPMENT TYPE      QUANTITY
Presidency                        Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
                                  Projector           1
Human Resources                   Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Administration (Branches)         Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Area Support                      Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Telematics                        Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Management Control and Budgets    Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Legal                             Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Finance                           Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Audit                             Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Presidency Department
Distribution and location of the electrical system
The main distribution runs from the circuit breaker box in the IDF and then to the
equipment that requires it. The red line on the floor plan shows in detail how the main
and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type, which allows data cabling to be isolated from
AC power cabling or from any other system implemented in the future. These raceways
measure 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly
grounded.
Horizontal Cabling
The distribution runs from the wiring center in the IDF, where the voice and data patch
panel is located, and then to the equipment that requires it. The green line shows in
detail how the UTP-5E cabling is distributed to the different nodes. The raceway used is
the same double-cavity type used for the electrical distribution. Each node has 2 outlets
that handle two circuits, one for data and one for telephony.
• UTP cable: the horizontal cabling for voice and data will be Category 5e. It must be
made up of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a
fire-retardant PVC outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and
outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm,
are made entirely of aluminum, and run above the false ceiling as shown on the floor
plan. They are fitted with air diffuser grilles installed horizontally on the duct and
ceiling, with fully movable louvers that the user can open or close to control the
airflow as desired. There is no false ceiling over the IDF, so a side-type air dispersion
grille mounted on the side of the IDF is used. The return diffusers are installed
strategically so that the ventilation cycle completes optimally.
IDF
The location of this room can be seen clearly on the floor plan. Following the
TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run
will be connected to a central point. The racks are mounted in this room; the patch
panels, switches and the necessary servers will be installed in them.
Racks
The room has 2 racks, in which whatever equipment is needed will be mounted. These racks
are the elements that support the entire cabling structure; they are the open type,
anchored to the floor at their four corners.
• The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards
• Electrostatic paint
• Ground busbar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy
equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that will make up the Presidency floor is shown
below.
DEPARTMENT                        EQUIPMENT TYPE      QUANTITY
Presidency                        Computer            1
                                  Direct telephone    1
                                  Printer             1
                                  Fax                 1
Presidency Secretary              Computer            1
                                  Direct telephone    1
                                  Printer             1
                                  Fax                 1
Reception                         Computer            1
                                  Direct telephone    1
                                  Fax                 1
Meeting room                      Computer            2
                                  Direct telephone    1
                                  Printer             1
                                  Projector           1
Administrative Management Area    Computer            95
                                  Direct telephone    95
                                  Printer             1
Remote Office
Distribution and location of the electrical system
The main distribution runs from the circuit breaker box in the MDF and then to the
equipment that requires it. The red line on the floor plan shows how the main and
secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type and measures 75 x 50 millimeters. Each node
has 2 power outlets, all three-pole and properly grounded.
Horizontal Cabling
The main distribution runs from the wiring center in the MDF, where the voice and data
patch panel is located, and then to the equipment that requires it. It is carried on an
overhead ladder tray and then, where necessary, down to the double-cavity raceway. The
green line shows how the UTP-5E cabling is distributed to the different nodes.
• UTP cable: the horizontal cabling for voice and data will be Category 5e. It must be
made up of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a
fire-retardant PVC outer insulating jacket.
• Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and
outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines, with the same
characteristics described earlier. There is no false ceiling over the MDF, so two
side-type air dispersion grilles mounted on the side of the MDF are used.
MDF
The location of this room can be seen clearly on the floor plan. Following the
TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run
will be connected to a central point. The racks are mounted in this room; the patch
panels, switches and the necessary servers will be installed in them.
Racks
The room has 2 racks, in which whatever equipment is needed will be mounted. These racks
are the elements that support the entire cabling structure; they are the open type,
anchored to the floor at their four corners.
• The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards
• Electrostatic paint
• Ground busbar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy
equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to it, considering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is
shown below.
DEPARTMENT                        EQUIPMENT TYPE      QUANTITY
Remote Office                     Computer            100
                                  Direct telephone    100
                                  Printer             1
                                  Fax                 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet with a bus logical topology (that is, one where the information flow sits on a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy
500 kbps per user
Slotted and unslotted model
G 500
a 97104
f 500e 2718
d a f( )f e
a f
G 1 2 a( ) ea G
s a G( )a G e
a G
1 ea G
a s a G( ) 0185
d a G( ) 0614f 0 5000
G 0 5000
[Plot: s(a, G) and d(a, f) against G and f, horizontal axis 0 to 5000]
t 0266
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. A design diagram of the channels to be used and of the BSAs is presented below.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel design diagram, labels: 11, 1, 6]
Remote office floor plan, simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, for the
reliability, security and quality of its services.
Remote office floor plan, simulation: AP distribution
Remote office floor plan, simulation: AP signal propagation
The link planned for contracting is an E1 (2048 kbps), which has the following
characteristics:
• Ideal for different applications such as web, e-mail and FTP servers, e-commerce, etc.
• Delivered with 8 or more registered (fixed) IP addresses.
• Can integrate a Security Module and a Data Center Module.
• Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
• Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network.
• Supports server applications.
• On-site technical support.
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to satisfy the needs of our network, which has
a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the
remote office area because of the flexibility, mobility and mobile-device integration
demanded by the processes and activities carried out in this area of the company. The
physical topology would look approximately like this; for reasons of space and
limitations of the simulator software, the 1000 nodes that make up Banco Bradesco's
network infrastructure could not all be included.
Specifications of the equipment used for the network (wired and
wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-Port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other networked endpoints
• Flexible clustering lets several switches be managed as if they were one, to support the growth of the business
• Strong security protects network traffic to prevent access by unauthorized users
• Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-Port Gigabit Switch with PoE
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports with 4 Gigabit combo ports shared between mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, nonblocking
Forwarding capacity: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limit based on source and destination MAC and IP address, protocol, port, Differentiated Services Code Point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based; 802.1p VLAN priority based; IPv4/v6 IP precedence/ToS/DSCP based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-Port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer on the network
• Vendor support for CPE software version 12 or later
Product warranty
Limited 5-year hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device
with the combination of enhanced security, wireless services and increased throughput
speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds
and simplified management to small businesses, enterprise small branches and
teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic
multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are Cisco-branded, model WRT54GL.
This model meets the requirements requested of the IT department, and Cisco's
reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Features
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 1.0A
Miscellaneous Details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices
in one box. First, there's the Wireless Access Point, which connects both screaming fast
Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to
the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect
wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and
switches to create as big a network as needed. Finally, the Router function ties it all
together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g; 11Mbps Auto-fallback IEEE 802.11b; 1Mbps IEEE 802.11b; 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104°F (0 to 40°C)
Storage Temp: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated employment with the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain fewer than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
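The weak and strong password characteristics listed above can be applied mechanically when a password is set. The following Python check is an added example, not part of the original policy document. Its word list is a small constructed sample, and stripping punctuation as well as digits from the ends of the password is an assumption that goes slightly beyond the "preceded or followed by a digit" rule.

```python
import string

# Constructed sample list. In practice, load a real dictionary plus site terms
# (names, hostnames, product names) to cover the "common usage word" items.
SAMPLE_WORDS = frozenset({
    "secret", "password", "welcome", "dragon", "router", "oracle",
    "bradesco", "sanjose", "sanfran",
})

# Runs treated as "word or number patterns": keyboard rows, alphabet, digits.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase, "01234567890")

# Rule codes returned by find_violations(), with the guideline each one maps to.
RULES = {
    "too_short": "fewer than eight characters",
    "listed_word": "dictionary/common word, also reversed or with digits added",
    "pattern": "word or number pattern (aaabbb, qwerty, zyxwvuts, 123321)",
    "no_mixed_case": "does not contain both upper and lower case",
    "no_digit": "does not include a digit",
    "no_punctuation": "does not include a punctuation character",
}


def _core(password):
    """Lowercase and drop leading/trailing digits and punctuation.

    Catches secret1 and 1secret; trimming punctuation too is an assumption.
    """
    return password.lower().strip(string.digits + string.punctuation)


def _is_listed_word(core, words):
    """Match the word list forwards or spelled backwards."""
    return bool(core) and (core in words or core[::-1] in words)


def _is_pattern(text):
    """Detect aaabbb-, 123321-, qwerty- and zyxwvuts-style patterns."""
    t = text.lower()
    if len(t) < 4:
        return False
    if len(set(t)) <= 2:          # aaabbb, 11111111
        return True
    if t == t[::-1]:              # 123321, abccba
        return True
    # Part of a keyboard row or of the alphabet, in either direction.
    return any(t in seq or t[::-1] in seq for seq in SEQUENCES)


def find_violations(password, words=SAMPLE_WORDS):
    """Return the rule codes the password breaks; an empty list means it passes."""
    issues = []
    core = _core(password)
    if len(password) < 8:
        issues.append("too_short")
    if _is_listed_word(core, words):
        issues.append("listed_word")
    if _is_pattern(password) or _is_pattern(core):
        issues.append("pattern")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        issues.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        issues.append("no_digit")
    if not any(c in string.punctuation for c in password):
        issues.append("no_punctuation")
    return issues


if __name__ == "__main__":
    # Constructed sample inputs, including the weak examples the list names.
    for candidate in ("secret1", "terces99", "zyxwvuts", "123321",
                      "Bradesco2010!", "gR7!vLq#2x"):
        broken = find_violations(candidate)
        print(candidate, "->", [RULES[code] for code in broken] or "passes")
```

Note that "Bradesco2010!" satisfies every composition rule (length, mixed case, digit, punctuation) and is still rejected because its core is a listed word, which is why the word-based checks matter as much as the character-class checks.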
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with the Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
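The following added example, which is not part of the original document or of any Bradesco tooling, audits constructed VPN session records against items 3, 4, 7, 8 and 10 of the VPN policy above. The session fields, the interface name tun0, the approved-client name and the rule that ICMP packets of 64 bytes or less count as keep-alives are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_network

IDLE_LIMIT = timedelta(minutes=30)            # item 7: disconnect after 30 minutes of inactivity
ABSOLUTE_LIMIT = timedelta(hours=24)          # item 8: absolute connection time
APPROVED_CLIENTS = {"approved-ipsec-client"}  # assumption: stand-in for the InfoSec-approved list (item 10)
TUNNEL_IF = "tun0"                            # assumption: name of the VPN interface on the endpoint


@dataclass
class Session:
    user: str
    client: str
    gateway: str                                 # public address of the VPN concentrator
    start: datetime
    end: datetime
    traffic: list = field(default_factory=list)  # (timestamp, protocol, bytes) seen inside the tunnel
    routes: list = field(default_factory=list)   # (prefix, interface) from the endpoint routing table


def is_keepalive(proto, size):
    """Small ICMP packets count as artificial keep-alive traffic, not user activity."""
    return proto == "icmp" and size <= 64


def longest_idle_gap(s):
    """Return (length, begin, end) of the longest stretch without real user traffic."""
    real = sorted(t for t, proto, size in s.traffic if not is_keepalive(proto, size))
    marks = [s.start] + real + [s.end]
    return max((b - a, a, b) for a, b in zip(marks, marks[1:]))


def off_tunnel_routes(s):
    """Routes that bypass the tunnel, except the host route needed to reach the concentrator."""
    gw = ip_network(s.gateway + "/32")
    return [(p, i) for p, i in s.routes if i != TUNNEL_IF and ip_network(p) != gw]


def audit(s):
    """Return the policy findings for one session, in a fixed order."""
    findings = []
    if s.client not in APPROVED_CLIENTS:
        findings.append("unapproved-client")
    if s.end - s.start > ABSOLUTE_LIMIT:
        findings.append("absolute-limit-exceeded")
    gap, begin, end = longest_idle_gap(s)
    if gap > IDLE_LIMIT:
        # The session outlived the idle limit: was it held open by pings (item 7)?
        pinged = any(begin < t < end and is_keepalive(p, n) for t, p, n in s.traffic)
        findings.append("keepalive-abuse" if pinged else "idle-timeout-not-enforced")
    if off_tunnel_routes(s):                     # items 3 and 4: everything must use the tunnel
        findings.append("split-tunnel")
    return findings


# --- Constructed sample data, not taken from any real log ---
T0 = datetime(2010, 10, 4, 9, 0)
GW = "203.0.113.10"                              # documentation address (RFC 5737)
FORCED = [("0.0.0.0/0", "tun0"), (GW + "/32", "eth0")]


def every(minutes, first, last, proto, size):
    """One packet every `minutes` from `first` to `last` inclusive."""
    out, t = [], first
    while t <= last:
        out.append((t, proto, size))
        t += timedelta(minutes=minutes)
    return out


SAMPLES = {
    # Steady work for two hours over a forced tunnel.
    "alice": Session("alice", "approved-ipsec-client", GW, T0, T0 + timedelta(hours=2),
                     every(10, T0 + timedelta(minutes=10), T0 + timedelta(minutes=110), "tcp", 1400),
                     FORCED),
    # One real packet, then pings every 5 minutes to keep the tunnel up.
    "bob": Session("bob", "approved-ipsec-client", GW, T0, T0 + timedelta(hours=3),
                   [(T0 + timedelta(minutes=5), "tcp", 1400)]
                   + every(5, T0 + timedelta(minutes=10), T0 + timedelta(minutes=175), "icmp", 64),
                   FORCED),
    # 26-hour session, unapproved client, default route left on the home WLAN.
    "carol": Session("carol", "home-built-client", GW, T0, T0 + timedelta(hours=26),
                     every(20, T0 + timedelta(minutes=20), T0 + timedelta(hours=25, minutes=40), "tcp", 900),
                     [("10.0.0.0/8", "tun0"), ("0.0.0.0/0", "wlan0"), (GW + "/32", "wlan0")]),
}


def report():
    return {user: audit(s) for user, s in SAMPLES.items()}


if __name__ == "__main__":
    for user, findings in report().items():
        print(user, findings or "compliant")
```

The host route to the concentrator itself is exempted because a forced-tunnel client still needs it on the physical interface; any other off-tunnel route, including the local LAN, is reported.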
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean anything from modifying existing permissions to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
The following table shows the distribution by department and by equipment for each floor.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Presidency                          Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
                                    Projector           1
Human Resources                     Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Administration (Branches)           Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Area Support                        Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Telematics                          Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Management Control and Budgets      Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Legal                               Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Finance                             Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Audit                               Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Presidency Department
Distribution and location of the electrical system
The main distribution starts at the circuit-breaker box in the IDF and runs from there to the equipment that requires it. On the floor plan, the red line shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-channel type, which isolates the data cabling from the AC power cabling or from any other system implemented in the future. These raceways measure 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal cabling
Distribution starts at the wiring center in the IDF, where the voice and data patch panel is located, and runs from there to the equipment that requires it. On the floor plan, the green line shows in detail how the UTP-5E cabling is distributed to the different nodes. The raceway is the same dual-channel type used for the electrical distribution. Each node has 2 outlets serving two circuits, one for data and one for telephony.
UTP cable: the horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, with a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run through the drop ceiling as shown on the floor plan. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers that the user can open or close to adjust the airflow as desired. There is no drop ceiling over the IDF, so a side-mounted air dispersion grille is used, installed on the side of the IDF. The return diffusers are placed strategically so that the ventilation cycle is completed optimally.
IDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room, and the patch panels, switches, and required servers will be installed in them.
Racks
Two racks are mounted in the room, and whatever equipment is needed will be installed in them. These racks support the entire cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards:
• Electrostatic paint
• Grounding bar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that make up the Presidency floor is shown below.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Presidency                          Computer            1
                                    Direct telephone    1
                                    Printer             1
                                    Fax                 1
Presidency Secretary                Computer            1
                                    Direct telephone    1
                                    Printer             1
                                    Fax                 1
Reception                           Computer            1
                                    Direct telephone    1
                                    Fax                 1
Meeting room                        Computer            2
                                    Direct telephone    1
                                    Printer             1
                                    Projector           1
Administrative Management Area      Computer            95
                                    Direct telephone    95
                                    Printer             1
Remote Office
Distribution and location of the electrical system
The main distribution starts at the circuit-breaker box in the MDF and runs from there to the equipment that requires it. On the floor plan, the red line shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-channel type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal cabling
The main distribution starts at the wiring center in the MDF, where the voice and data patch panel is located, and runs to the equipment that requires it. It is carried on an overhead ladder rack and then, where necessary, into the dual-channel raceway. On the floor plan, the green line shows how the UTP-5E cabling is distributed to the different nodes.
UTP cable: the horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, with a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning distribution ducts are shown as yellow lines and have the same characteristics described earlier. There is no drop ceiling over the MDF, so two side-mounted air dispersion grilles are used, installed on the side of the MDF.
MDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room, and the patch panels, switches, and required servers will be installed in them.
Racks
Two racks are mounted in the room, and whatever equipment is needed will be installed in them. These racks support the entire cabling structure; they are open-frame racks anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards:
• Electrostatic paint
• Grounding bar
• Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that make up the remote office floor is shown below.
DEPARTMENT                          EQUIPMENT TYPE      QUANTITY
Remote Office                       Computer            100
                                    Direct telephone    100
                                    Printer             1
                                    Fax                 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet, with a bus logical topology (that is, the information flows along a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
G = 500, f = 500, e = 2.718, a = 9.7 x 10^-4
d(a, f) = f e^(-a f) / (G (1 + 2a) + e^(-a G))
s(a, G) = 0.185
d(a, G) = 0.614
t = 0.266
[Plot: s(a, G) and d(a, f) against G and f, horizontal axis from 0 to 5000, vertical axis from 0 to 0.8]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be installed only in the remote office. The channel design to be used and the BSAs are shown in the following diagram.
[Diagram: channel design using channels 1, 6 and 11]
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
Remote office floor plan, simulation
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, chosen for the reliability, security, and quality of its services.
Remote office floor plan, simulation: AP distribution
Remote office floor plan, simulation: AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
• Ideal for different applications such as web, e-mail, FTP, and e-commerce servers, etc.
• Provided with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network
• Supports server applications
• On-site technical support
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into an ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility, and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, it was not possible to include the 1000 nodes that make up the Banco Bradesco network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents, and minimum requirements of the Cisco SGE2010P 48-Port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet supplies power easily and economically to wireless access points, video cameras, and other network-connected endpoints
• Flexible clustering lets several switches be managed as one to support company growth
• Strong security protects network traffic to keep out unauthorized users
• Simplified web-based management makes installation and configuration easier
Specifications of the Cisco SGE2010P 48-Port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 through 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available to all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 IPv4 and IPv6 static routes, wire-speed Layer 3 traffic forwarding in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, web, SSL, Telnet, ping, traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c, and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms, and events) for improved traffic management, monitoring, and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 hash, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast, and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based; 802.1p VLAN priority based; IPv4/v6 IP precedence/ToS/DSCP based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240 V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48 V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-Port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter, and a network-capable operating system (such as Microsoft Windows, Linux, or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the Cisco-brand WRT54GL model. This model meets the requirements submitted to the IT department; in addition, Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Characteristics
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12 V DC, 1.0 A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g; 11Mbps Auto-fallback IEEE 802.11b; 1Mbps IEEE 802.11b; 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of and paying more attention to the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
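The weak and strong password criteria listed above can be enforced automatically when a password is set. The following Python check is an added example, not part of the original policy; the sample word list, the four-character run threshold and the finding names are assumptions chosen for illustration.

```python
import re
import string

# Constructed sample word list; a real deployment would load a full
# dictionary plus names and personal data known for the account owner.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "router", "unix"}
# Terms the policy names explicitly as weak bases.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
# Keyboard and alphabet runs used to spot patterns such as qwerty or zyxwvuts.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz", "0123456789")
MIN_LENGTH = 8
RUN_WINDOW = 4  # assumption: four consecutive run characters count as a pattern


def _has_run(text):
    """True if any RUN_WINDOW-long slice lies on a run, forward or reversed."""
    for i in range(len(text) - RUN_WINDOW + 1):
        piece = text[i:i + RUN_WINDOW]
        for run in RUNS:
            if piece in run or piece in run[::-1]:
                return True
    return False


def _has_pattern(text):
    """Repeated characters (aaabbb), runs (qwerty) or palindromes (123321)."""
    if re.search(r"(.)\1\1", text):
        return True
    if _has_run(text):
        return True
    return len(text) >= 4 and text == text[::-1]


def _word_based(text, words):
    """Dictionary word or organisation term, forward or backwards, ignoring
    digits placed before or after it (secret1, 1secret)."""
    core = text.strip(string.digits)
    if not core:
        return False
    for candidate in (core, core[::-1]):
        if candidate in words:
            return True
        if any(term in candidate for term in ORG_TERMS):
            return True
    return False


def check_password(password, words=SAMPLE_WORDS):
    """Return the sorted list of policy findings; an empty list means a pass.

    The personal-information rule needs per-user data and is not covered.
    """
    findings = set()
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        findings.add("too_short")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.add("needs_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.add("needs_digit")
    if not any(c in string.punctuation for c in password):
        findings.add("needs_punctuation")
    if _word_based(lowered, words):
        findings.add("word_based")
    if _has_pattern(lowered):
        findings.add("pattern")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample inputs, including the weak examples the policy lists.
    for sample in ("secret1", "1terces", "Bradesco2010!", "123321", "Mv7#kLp2&dQs"):
        print(sample, check_password(sample))
```

Running the same check against existing credentials requires the plaintext, so it belongs at the point where a password is chosen or changed.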
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.
A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
- Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP).
- Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access.
- Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
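One way to check a remote host against items 3 and 4 of the VPN policy above (all traffic over the tunnel, no split tunneling), as an added example that is not part of the original policy: it audits Linux `ip -4 route show` output with longest-prefix-match logic. The interface name `tun0`, the gateway address 203.0.113.10 and both route tables are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample tables (not from the policy). tun0 and 203.0.113.10 are assumed.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int


@dataclass(frozen=True)
class Finding:
    kind: str                 # "off-tunnel", "local-lan" or "tunnel-down"
    dev: str
    dest: str
    leaked: Tuple[str, ...]   # address ranges that would bypass the tunnel


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -4 route show` style lines (unicast routes only)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("unreachable", "blackhole", "prohibit"):
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        opts = {"via": None, "dev": None, "metric": "0"}
        for i, word in enumerate(tok[1:-1], start=1):
            if word in opts:
                opts[word] = tok[i + 1]
        if opts["dev"] is None:
            continue
        routes.append(Route(ipaddress.ip_network(dest, strict=False),
                            opts["dev"], opts["via"], int(opts["metric"])))
    return routes


def uncovered(route: Route, tunnel_routes: List[Route]) -> Tuple[str, ...]:
    """Return the parts of route.dest that no tunnel route takes over."""
    pieces = [route.dest]
    for t in tunnel_routes:
        if not t.dest.subnet_of(route.dest):
            continue              # less specific than route: cannot override it
        if t.dest == route.dest and t.metric >= route.metric:
            continue              # same prefix: the non-tunnel route wins on metric
        kept = []
        for p in pieces:
            if t.dest.subnet_of(p):
                kept.extend(p.address_exclude(t.dest))   # carve the tunnel range out
            elif not p.subnet_of(t.dest):
                kept.append(p)                            # untouched by this route
        pieces = kept
    return tuple(str(n) for n in ipaddress.collapse_addresses(pieces))


def audit_split_tunnel(route_text: str, tunnel_dev: str, vpn_gateway: str,
                       allow_local_lan: bool = False) -> List[Finding]:
    """Flag every route that lets traffic leave outside the VPN tunnel."""
    routes = parse_routes(route_text)
    tunnel = [r for r in routes if r.dev == tunnel_dev]
    if not tunnel:
        return [Finding("tunnel-down", tunnel_dev, "", ())]
    gateway = ipaddress.ip_network(vpn_gateway)
    findings = []
    for r in routes:
        if r.dev in (tunnel_dev, "lo") or r.dest == gateway:
            continue              # gateway host route carries the tunnel itself
        leaked = uncovered(r, tunnel)
        on_link = r.via is None   # directly connected subnet (home LAN)
        if not leaked or (on_link and allow_local_lan):
            continue
        findings.append(Finding("local-lan" if on_link else "off-tunnel",
                                r.dev, str(r.dest), leaked))
    return findings


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, audit_split_tunnel(table, "tun0", "203.0.113.10", True))
```

Setting `allow_local_lan=True` models the Remote Access Policy exception for personal networks under the user's complete control; the default applies the stricter reading that all non-tunnel traffic is dropped.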
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Presidency Department
Distribution and location of the electrical system
The main distribution runs from the circuit breaker box in the IDF to the equipment that requires it. Graphically, the red line on the floor plan shows in detail how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type, which allows data cabling to be isolated from AC power cabling or from any other system implemented in the future. These raceways measure 75x50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
The distribution runs from the wiring center in the IDF, where the voice and data patch panel is located, to the equipment that requires it. Graphically, the green line shows in detail the distribution of the UTP-5E cabling to the different nodes. The raceway used is the same one used for electrical distribution, which is the double-cavity type. Each node has 2 outlets that handle two circuits, one for data and one for telephony.
UTP cable: the cable for horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG gauge, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning ducts are shown as yellow lines. These ducts measure 50 by 70 cm, are made entirely of aluminum, and run through the false ceiling as shown on the floor plan. They are fitted with air diffuser grilles installed horizontally on the duct and ceiling, with fully movable louvers, so that the user can open or close the louvers and adjust the air flow as desired. There is no false ceiling over the IDF, so a side-mounted air dispersion grille is installed on the side of the IDF. The return diffusers are strategically placed so that the ventilation cycle works optimally.
IDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
The room has 2 racks in which the required equipment will be mounted. These racks are the elements that support the entire cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards:
- Electrostatic paint
- Ground bar
- Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The distribution for each of the areas that make up the Presidency floor is shown below.
AREA                            EQUIPMENT TYPE   QUANTITY
Presidency                      Computer         1
                                Direct phone     1
                                Printer          1
                                Fax              1
Presidency Secretary            Computer         1
                                Direct phone     1
                                Printer          1
                                Fax              1
Reception                       Computer         1
                                Direct phone     1
                                Fax              1
Meeting room                    Computer         2
                                Direct phone     1
                                Printer          1
                                Projector        1
Administrative Management Area  Computer         95
                                Direct phone     95
                                Printer          1
Remote Office
Distribution and location of the electrical system
The main distribution runs from the circuit breaker box in the MDF to the equipment that requires it. Graphically, the red line on the floor plan shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the double-cavity type and measures 75x50 millimeters. Each node has 2 power outlets, all three-prong and properly grounded.
Horizontal Cabling
The main distribution runs from the wiring center in the MDF, where the voice and data patch panel is located, to the equipment that requires it. The main distribution is carried on an overhead support ladder rack and then, where necessary, into the double-cavity raceway. Graphically, the green line shows the distribution of the UTP-5E cabling to the different nodes.
UTP cable: the cable for horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG gauge, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air conditioning distribution ducts are shown as yellow lines, with the same characteristics described earlier. There is no false ceiling over the MDF, so two side-mounted air dispersion grilles are installed on the side of the MDF.
MDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
The room has 2 racks in which the required equipment will be mounted. These racks are the elements that support the entire cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated EIA-TIA 310D and NEMA 250 standards:
- Electrostatic paint
- Ground bar
- Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor is laid out, with its IDF and the 3 switches that correspond to each one, considering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that make up the remote office floor is shown below.
AREA            EQUIPMENT TYPE   QUANTITY
Remote Office   Computer         100
                Direct phone     100
                Printer          1
                Fax              1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a bus-type logical topology (that is, one where the information flow travels on a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
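$G = 500$
$a = 9.7 \times 10^{-4}$
$f = 500, \quad e = 2.718$
$d(a, f) = \dfrac{f\, e^{-a f}}{G(1 + 2a) + e^{-a G}}$
$s(a, G) = \dfrac{a G\, e^{-a G}}{1 + e^{-a G} + a}$
$s(a, G) = 0.185$
$d(a, G) = 0.614$
$f = 0 \ldots 5000, \quad G = 0 \ldots 5000$
[Plot: s(a, G) and d(a, f) against G and f, from 0 to 5000]
$t = 0.266$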
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. A design diagram of the channels to be used and of the BSAs is presented below.
[Channel design diagram: channels 1, 6 and 11]
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
Remote office floor plan, simulation
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, chosen for the reliability, security and quality of its services.
Remote office floor plan, simulation of AP distribution
Remote office floor plan, simulation of AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
- Ideal for different applications such as web servers, email, FTP, e-commerce, etc.
- Delivered with 8 or more registered (fixed) IP addresses.
- Can integrate a Security Module and a Data Center Module.
- Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
- Includes a WEB monitoring tool, domain registration with the NIC, and consulting and design of your network.
- Supports server applications.
- On-site technical support.
- Optional services: Traffic Shaper, Backup Service, Firewall Equipment, Security Operations Center (SOC).
This link has the characteristics needed to satisfy the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the requirements for flexibility, mobility and integration with mobile devices imposed by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; for reasons of space and limitations of the simulator software, it was not possible to include the 1000 nodes that make up the network infrastructure of Banco Bradesco.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
- 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
- Power over Ethernet easily and cost-effectively supplies power to wireless access points, video cameras and other network-connected endpoints
- Flexible clustering allows several switches to be managed as one to support the growth of the business
- Strong security protects network traffic to prevent access by unauthorized users
- Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units that allow flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing; classless interdomain routing (CIDR); 60 static routes; IPv4 and IPv6; silicon wire-speed forwarding of Layer 3 traffic
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP; dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on MAC and source and destination IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP and User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Disponibilidad
Adicioacuten de enlaces Utilizando IEEE 8023ad protocolo de control de adicioacuten de enlace (LACP) hasta 8 puertos en un maacuteximo de 8 grupos
Control de tormentas Difusioacuten multidifusioacuten y unidifusioacuten desconocida
Aacuterbol de expansioacuten Aacuterbol de expansioacuten IEEE 8021D aacuterbol de expansioacuten raacutepida IEEE 8021w aacuterbol de expansioacuten muacuteltiple IEEE 8021s y Fast Linkover
Prevencioacuten de DoS Prevencioacuten de ataques DoS
Snooping IGMP (versiones 1 y 2) Limita el traacutefico de multidifusioacuten de alto consumo de ancho de banda uacutenicamente a los solicitantes soporta 256 grupos de multidifusioacuten
Redundancia de alimentacioacuten Conexioacuten a unidad RPS que ofrece redundancia de alimentacioacuten
Calidad del servicio
Niveles de prioridad 4 colas de hardware
Programacioacuten Asignacioacuten de prioridades de colas y turno rotativo ponderado (WRR)
Clase de servicio Basada en puerto basada en prioridad VLAN 8021p basada en precedenciaToSDSCP IP IPv4v6 DiffServ ACL de clasificacioacuten y remarcado
Limitacioacuten de velocidad de transmisioacuten Poliacuteticas de entrada control de velocidad de salida por VLAN
Estadiacutesticas 16 metros
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 in (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit switch, AC power adapter with power cord, two rack-mounting kits with eight screws, CD-ROM with user documentation (PDF), registration card, console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network. Provider support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the Cisco-branded WRT54GL model. This model meets the requirements requested of the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC (Device)
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters” or “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated from the institution and will modify the access of those who transfer (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
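Rules 2, 4 and 5 of this Identity Policy translate directly into a periodic access review and a log-on lockout check. The Python code below is an added example, not part of the original policy document; the record fields, the action names, the 183-day reading of "six months" and the lockout threshold of five (the policy only says "multiple") are assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=183)  # rule 2's "six months", approximated
LOCK_THRESHOLD = 5  # assumption: the policy only says "multiple" attempts


def review_accounts(accounts, today):
    """Map account id -> action required by rules 2 and 4 of the policy."""
    actions = {}
    for acct in accounts:
        last = acct["last_admin_access"]
        if acct["status"] == "terminated":
            # Rule 4: access of departed employees is deleted immediately.
            actions[acct["id"]] = "delete_access"
        elif acct["status"] == "transferred":
            # Rule 4: capabilities tied to the previous position are removed.
            actions[acct["id"]] = "remove_previous_position_access"
        elif last is None or today - last > INACTIVITY_LIMIT:
            # Rule 2: unused administrative access must be reauthorized.
            actions[acct["id"]] = "remove_until_reauthorized"
    return actions


def ids_to_lock(events, threshold=LOCK_THRESHOLD):
    """Rule 5: lock an ID after `threshold` consecutive failed log-ons.

    `events` is a chronological list of (user_id, succeeded) tuples; a
    successful log-on resets that user's failure count.
    """
    streak, locked = {}, []
    for user_id, succeeded in events:
        if user_id in locked:
            continue  # already locked, later attempts are irrelevant
        streak[user_id] = 0 if succeeded else streak.get(user_id, 0) + 1
        if streak[user_id] >= threshold:
            locked.append(user_id)
    return locked


# Constructed sample data (not taken from the original document).
TODAY = date(2010, 10, 15)
ACCOUNTS = [
    {"id": "u100", "status": "active", "last_admin_access": date(2010, 9, 20)},
    {"id": "u101", "status": "active", "last_admin_access": date(2010, 3, 1)},
    {"id": "u102", "status": "terminated", "last_admin_access": date(2010, 10, 1)},
    {"id": "u103", "status": "transferred", "last_admin_access": date(2010, 10, 9)},
    {"id": "u104", "status": "active", "last_admin_access": None},
]
EVENTS = (
    [("u100", False)] * 2 + [("u100", True)] + [("u100", False)] * 4
    + [("u101", False)] * 5 + [("u101", True)]
)

if __name__ == "__main__":
    for account_id, action in review_accounts(ACCOUNTS, TODAY).items():
        print(account_id, action)
    print("lock:", ids_to_lock(EVENTS))
```

Counting consecutive failures, with a reset on success, keeps an occasional typo from locking a legitimate user while still stopping a sustained guessing run against one ID.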
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco’s entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of “public”, “private” and “system”, and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words “Bradesco” and geographical indicators such as “sanjose”, “sanfran” or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g. 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
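The weak-password characteristics and strong-password rules above can be checked mechanically when a password is set. The Python checker below is an added example, not part of the original policy; the small word list, the reason labels and the function names are assumptions, and it strips any run of digits and punctuation from both ends of the candidate, which goes beyond the single leading or trailing digit the policy mentions.

```python
import re
import string

# Assumption: a tiny stand-in word list. A real check would load a full
# dictionary plus names, computer terms and other common-usage words.
DICTIONARY = {"secret", "password", "welcome", "dragon", "router", "server"}
# Terms the policy names explicitly; "any derivation" is treated as a substring.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
# Word and number patterns quoted in the policy.
PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
AFFIX_CHARS = string.digits + string.punctuation


def _is_pattern(word):
    """True for the policy's sample patterns and for simple repetitions."""
    if word in PATTERNS:
        return True
    if re.fullmatch(r"(.{1,3})\1+", word):               # abcabc, 1212, aaaa
        return True
    return bool(re.fullmatch(r"(?:(.)\1{2,})+", word))   # aaabbb, 111222


def _banned_form(word, banned):
    """Return 'plain', 'backwards' or None for a lower-cased candidate."""
    for form, label in ((word, "plain"), (word[::-1], "backwards")):
        if form in banned or any(term in form for term in ORG_TERMS):
            return label
    return None


def weak_reasons(password, personal_terms=()):
    """List every policy rule the password breaks; an empty list means it passes."""
    reasons = []
    lowered = password.lower()
    core = lowered.strip(AFFIX_CHARS)  # the word without leading/trailing affixes
    banned = DICTIONARY | {term.lower() for term in personal_terms}

    if len(password) < 8:
        reasons.append("too_short")
    match = _banned_form(core, banned) if core else None
    if match:
        reason = "banned_word" if match == "plain" else "banned_word_backwards"
        if core != lowered:
            reason += "_with_affix"
        reasons.append(reason)
    if _is_pattern(lowered) or (core and _is_pattern(core)):
        reasons.append("pattern")

    # Composition rules from the "Strong passwords" list.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        reasons.append("needs_upper_and_lower")
    if not any(c.isdigit() for c in password):
        reasons.append("needs_digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("needs_punctuation")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; "Mittens" stands in for a user's pet name.
    for candidate in ("secret1", "ocsedarB2010!", "qwerty", "Vx7#qLm2&Rt"):
        print(candidate, weak_reasons(candidate) or "passes")
    print("Mittens9", weak_reasons("Mittens9", personal_terms=["Mittens"]))
```

Note that "ocsedarB2010!" satisfies every composition rule and is still rejected, because the reversed organisation name is caught by the backwards check rather than by length or character classes.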
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R” or “Tmb1W>r~” or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of “don’ts”:
4. Don’t reveal a password to anyone over the phone.
5. Don’t reveal a password in an email message.
6. Don’t reveal a password to the boss.
7. Don’t talk about a password in front of others.
8. Don’t hint at the format of a password (e.g. “my family name”).
9. Don’t reveal a password on questionnaires or security forms.
10. Don’t share a password with family members.
11. Don’t reveal a password to a co-worker when you go on vacation.
12. Don’t write down a password and store it anywhere in your office.
13. Don’t store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don’t use the “Remember Password” feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against “dictionary attacks”. A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: “The>TrafficOnThe101Was&ThisMorning”. All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator)
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco.
Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor.
Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to their systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
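A compliance check for requirements 3 and 6 above, added here as an example and not part of the original policy: it reads a host's IPv4 routing table and reports every route that still carries traffic outside the VPN tunnel under longest-prefix matching. The `ip route show` samples, the interface names `tun0` and `wlan0`, and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed samples in `ip route show` format (main table). 203.0.113.10
# stands in for the VPN gateway, tun0 for the tunnel, wlan0 for the home LAN.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Return (network, device, metric) for every route that names a device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue  # blank lines and blackhole/unreachable entries
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dest), fields[fields.index("dev") + 1], metric))
    return routes


def outside_tunnel(net, metric, vpn_routes):
    """Parts of `net` that no tunnel route overrides under longest-prefix match."""
    remaining = [net]
    for vnet, vmetric in vpn_routes:
        if vnet.version != net.version:
            continue
        if not (vnet.prefixlen > net.prefixlen or (vnet == net and vmetric < metric)):
            continue  # this tunnel route does not take precedence over `net`
        kept = []
        for part in remaining:
            if part.subnet_of(vnet):
                continue                                  # carried by the tunnel
            if vnet.subnet_of(part):
                kept.extend(part.address_exclude(vnet))   # carve the tunnel out
            else:
                kept.append(part)
        remaining = kept
    return remaining


def audit_split_tunnel(route_text, vpn_dev, vpn_gateway, personal_nets=()):
    """List (device, route) pairs that carry traffic outside the tunnel."""
    routes = parse_routes(route_text)
    vpn_routes = [(net, metric) for net, dev, metric in routes if dev == vpn_dev]
    gateway = ipaddress.ip_network(vpn_gateway)
    allowed = [ipaddress.ip_network(n) for n in personal_nets]
    findings = []
    for net, dev, metric in routes:
        if dev == vpn_dev or net == gateway:
            continue  # tunnel routes, and the host route that carries the tunnel
        leaked = [p for p in outside_tunnel(net, metric, vpn_routes)
                  if not any(p.version == a.version and p.subnet_of(a) for a in allowed)]
        if leaked:
            findings.append((dev, str(net)))
    return findings


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, audit_split_tunnel(table, "tun0", "203.0.113.10", ["192.168.1.0/24"]))
```

The `personal_nets` argument models the exception in requirement 3 for personal networks under the user's complete control; leave it empty to apply the stricter VPN Policy rule that all other traffic is dropped.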
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP).
Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access.
Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
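Items 7 and 8 above can be verified from concentrator logs. The following added example (not part of the original policy) flags sessions that outlive the 30-minute idle limit, that are held open only by pings, or that exceed 24 hours; the log format, field names and one-minute grace period are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)    # item 7 of the policy
ABSOLUTE_LIMIT = timedelta(hours=24)  # item 8 of the policy
GRACE = timedelta(minutes=1)          # assumption: slack for the disconnect to be logged

# Constructed concentrator log in chronological order (hypothetical format).
LOG = """\
2010-10-04T07:00:00 sess=19 user=mrocha event=connect
2010-10-04T07:10:00 sess=19 user=mrocha event=data proto=tcp
2010-10-04T08:00:00 sess=17 user=jdoe event=connect
2010-10-04T08:05:00 sess=17 user=jdoe event=data proto=tcp
2010-10-04T08:20:00 sess=17 user=jdoe event=data proto=udp
2010-10-04T08:50:00 sess=17 user=jdoe event=disconnect reason=idle-timeout
2010-10-04T09:00:00 sess=18 user=asilva event=connect
2010-10-04T09:10:00 sess=18 user=asilva event=data proto=tcp
2010-10-04T09:25:00 sess=18 user=asilva event=data proto=icmp
2010-10-04T09:40:00 sess=18 user=asilva event=data proto=icmp
2010-10-04T09:55:00 sess=18 user=asilva event=data proto=icmp
2010-10-04T10:05:00 sess=18 user=asilva event=data proto=tcp
2010-10-04T10:10:00 sess=18 user=asilva event=disconnect reason=user
2010-10-05T07:05:00 sess=19 user=mrocha event=data proto=tcp
2010-10-05T07:06:00 sess=19 user=mrocha event=disconnect reason=user
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    stamp, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.fromisoformat(stamp)
    return record


def check(session, sid, now, findings):
    """Apply both limits to one open session as of time `now`."""
    def flag(rule):
        item = (sid, session["user"], rule)
        if item not in findings:
            findings.append(item)

    if now - session["start"] > ABSOLUTE_LIMIT:
        flag("absolute-limit-exceeded")
    if now - session["last_real"] > IDLE_LIMIT + GRACE:
        # Still connected although no genuine traffic was seen for over 30 minutes.
        flag("ping-keepalive" if session["pinged"] else "idle-timeout-not-enforced")


def audit_sessions(log_text):
    """Return (session id, user, rule) for every policy violation in the log."""
    open_sessions, findings, last_ts = {}, [], None
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        sid, last_ts = rec["sess"], rec["ts"]
        if rec["event"] == "connect":
            open_sessions[sid] = {"user": rec["user"], "start": rec["ts"],
                                  "last_real": rec["ts"], "pinged": False}
            continue
        session = open_sessions.get(sid)
        if session is None:
            continue  # the connect event is not in this log extract
        check(session, sid, rec["ts"], findings)
        if rec["event"] == "disconnect":
            del open_sessions[sid]
        elif rec.get("proto") == "icmp":
            session["pinged"] = True  # pings never reset the idle clock
        else:
            session["last_real"], session["pinged"] = rec["ts"], False
    for sid, session in open_sessions.items():  # sessions still up at end of log
        check(session, sid, last_ts, findings)
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(LOG):
        print(finding)
```

A `ping-keepalive` finding also shows that the concentrator counts ICMP as activity, which is a gateway configuration issue as well as a user one.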
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security].
All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
IDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room, and the patch panels, switches and the necessary servers will be installed in them.
Racks
Two racks are mounted in the room, on which the required equipment will be installed. These racks are the elements that support the whole cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
Electrostatic paint
Grounding bar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, trays for monitors, pull-out keyboard trays, vertical power strips
The following shows the distribution for each of the areas that will make up the Presidency floor.
DEPARTMENT                        EQUIPMENT TYPE      QUANTITY
Presidency                        Computer            1
                                  Direct telephone    1
                                  Printer             1
                                  Fax                 1
Presidency Secretary              Computer            1
                                  Direct telephone    1
                                  Printer             1
                                  Fax                 1
Reception                         Computer            1
                                  Direct telephone    1
                                  Fax                 1
Meeting room                      Computer            2
                                  Direct telephone    1
                                  Printer             1
                                  Projector           1
Administrative Management Area    Computer            95
                                  Direct telephone    95
                                  Printer             1
Remote Office: Distribution and location of the electrical system
The main distribution runs from the circuit-breaker box in the MDF to the equipment that requires it. On the floor plan, the red line shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is of the double-cavity type, with dimensions of 75x50 millimeters.
Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal Cabling
The main distribution runs from the wiring center in the MDF, where the voice and data patch panel is located, to the equipment that requires it. It is carried on an overhead ladder tray and then, where necessary, into the double-cavity raceway. On the plan, the green line shows the distribution of the UTP-5E cabling to the different nodes.
UTP cable: the horizontal cabling for voice and data will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air conditioning distribution
The air-conditioning distribution ducts are shown as yellow lines, with the same characteristics described earlier. There is no drop ceiling above the MDF, so two side-mounted air diffuser grilles are installed on the side of the MDF.
MDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling runs will be connected to a central point. The racks are mounted in this room, and the patch panels, switches and the necessary servers will be installed in them.
Racks
Two racks are mounted in the room, on which the required equipment will be installed. These racks are the elements that support the whole cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
Electrostatic paint
Grounding bar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, trays for monitors, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, considering voice and data. Recall that each building will have 100 users.
The following shows the distribution for each of the areas that will make up the remote office floor.
DEPARTMENT       EQUIPMENT TYPE      QUANTITY
Remote Office    Computer            100
                 Direct telephone    100
                 Printer             1
                 Fax                 1
Detailed logical topology of the LAN and WAN
The network type is GIGABIT ETHERNET with a bus-type logical topology (that is, one where the information flow sits on a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Worksheet: parameters G = 500, a = 97104, f = 500, e = 2.718; functions d(a, f) and s(a, G); results s(a, G) = 0.185, d(a, G) = 0.614, t = 0.266. Plot of s(a, G) and d(a, f) against G and f, each from 0 to 5000, with the vertical axis marked from 0.16 to 0.8.]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. The following diagram shows the design of the channels to be used and of the BSAs.
Simulation of signal propagation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Figure: channel design diagram, labels 11, 1 and 6]
Remote office floor plan, simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, for the reliability, security and quality its services offer.
Remote office floor plan, simulation of AP distribution
Remote office floor plan, simulation of AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
Ideal for different applications such as web, e-mail and FTP servers, e-commerce, etc.
Delivered with 8 or more registered (fixed) IP addresses
Can integrate a Security Module and a Data Center Module
Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network
Supports server applications
On-site technical support
Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to satisfy the requirements of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration demanded by the processes and activities carried out in this area of the company. The physical topology would look approximately like this. For reasons of space and limitations of the simulator software, it was not possible to include the 1000 nodes that make up the network infrastructure of the Bradesco bank.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-attached endpoints
Flexible clustering allows several switches to be managed as one to support the growth of the business
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management eases installation and configuration
Especificaciones del Switch Gigabit de 48 puertos Cisco SGE2010P PoE
Especificaciones
Puertos 48 conectores RJ-45 para puertos 10BASE-T100BASE-TX1000BASE-T con 4 puertos combo Gigabit compartidos entre puertos mini-GBIC puerto de consola interfaz dependiente del medio (MDI) e interfaz cruzada dependiente del medio (MDI-X) automaacuteticas autonegociacioacutenconfiguracioacuten manual puerto RPS para conexioacuten a unidad de alimentacioacuten redundante
Botones Botoacuten de reinicio
Tipo de cableado Par trenzado no apantallado (UTP) Categoriacutea 5 o superior para 10BASE-T100BASE-TX UTP Categoriacutea 5e o superior para 1000BASE-T
LED PWR Fan LinkAct PoE Speed RPS Master Stack ID de 1 a 8
PoE PoE IEEE 8023af suministrada a cualquiera de los 48 puertos 101001000 Potencia maacutexima de 154 W para un puerto Fast Ethernet 360 W totales disponibles para todos los puertos con alimentacioacuten CA regular y 280 W totales disponibles con RPS
Rendimiento
Capacidad de conmutacioacuten 96 Gbps sin bloqueos
Capacidad de transferencia 714 mpps (paquetes de 64 bytes)
Apilamiento
Funcionamiento con apilamiento Hasta 192 puertos en una pila Insercioacuten y retirada sin interrupcioacuten del servicio Opciones de apilamiento en anillo y en cadena Unidad maestra y unidad maestra de respaldo que permiten un control de apilamiento flexible Numeracioacuten automaacutetica o configuracioacuten manual de las unidades de la pila
Capa 2
Tamantildeo de tabla MAC 8000
Nuacutemero de VLAN 256 VLAN activas (rango 4096)
VLAN VLAN basadas en puertos y en etiquetas 8021Q VLAN basada en protocolo VLAN de gestioacuten VLAN TV multidifusioacuten Private VLAN Edge (PVE) protocolo geneacuterico de registro de VLAN (GVRP)
Bloqueo de cabecera de liacutenea (HOL) Prevencioacuten de bloqueo de cabecera de liacutenea
Capa 3
Opciones de capa 3 Enrutamiento estaacutetico enrutamiento entre dominios sin clases (CIDR) 60 rutas estaacuteticas IPv4 e IPv6 transferencia de traacutefico de capa 3 a velocidad de cable de silicio
IPv6
Opciones IPv6 IPv6 over Ethernet doble pila red IPv6 over IPv4 con tuacutenel de protocolo de direccionamiento automaacutetico de tuacutenel dentro de un emplazamiento (ISATAP) descubrimiento de adyacente IPv6 configuracioacuten de direcciones sin estado IPv6 descubrimiento de unidad de transmisioacuten maacutexima (MTU) WEB SSL Telnet Ping Traceroute protocolo de tiempo de red simple(SNTP) protocolo de transferencia de archivos trivial (TFTP) protocolo de gestioacuten de red simple (SNMP) RADIUS listas de control de acceso (ACL) QoS VLAN basada en protocolo
Gestioacuten
Interfaz de usuario para Internet Interfaz de usuario para Internet incorporada para una faacutecil configuracioacuten con el navegador
(HTTPHTTPS)
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3 and 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade
Web browser upgrade (HTTP/HTTPS) and TFTP; dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard; up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP,
802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later; Category 5 Ethernet network cable; TCP/IP, a network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network; vendor support for CPE software version 12 or later
Product warranty
Limited 5-year hardware warranty with return to factory for replacement, and a limited 90-day software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are Cisco-branded, model WRT54GL. This model meets the requirements requested of the IT department; in addition, Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming-fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together, and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC
Device Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated from the institution, and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g. 0-9 and $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
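The construction guidelines above can be checked mechanically at password-change time. The following is an added example, not part of the original policy: a Python checker for the weak and strong characteristics listed above. The word list, the substitution table and all function names are assumptions; only "bradesco", "sanjose" and "sanfran" come from the policy text.

```python
import re
import string

# Constructed sample list; a real deployment would load a full dictionary
# plus names, computer terms and personal data for the account owner.
WORDLIST = {"secret", "password", "welcome", "dragon", "router", "admin"}
# Organisation and place names quoted in the policy itself.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
# Sequences behind the policy's pattern examples (qwerty, zyxwvuts).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Assumption: common character substitutions count as a "derivation".
LEET = str.maketrans("@4031!$57", "aaoeiisst")


def _candidates(password):
    """Lower-cased forms to test: raw, digit-stripped, de-substituted, reversed."""
    low = password.lower()
    # Stripping leading/trailing digits covers "secret1" and "1secret";
    # it generalises the policy's single digit to any run of digits.
    forms = {low, low.strip(string.digits)}
    forms |= {f.translate(LEET) for f in forms}
    forms |= {f[::-1] for f in forms}      # "any of the above spelled backwards"
    forms.discard("")
    return forms


def _is_pattern(form):
    """True for repeated runs, numeric palindromes and keyboard/alphabet runs."""
    if len(form) < 4:
        return False
    if re.fullmatch(r"(?:(.)\1+)+", form):         # aaabbb
        return True
    if form.isdigit() and form == form[::-1]:       # 123321
        return True
    return any(form in seq for seq in SEQUENCES)    # qwerty; reversal covers zyxwvuts


def check_password(password):
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    forms = _candidates(password)
    if len(password) < 8:
        findings.append("too_short")
    if forms & WORDLIST:
        findings.append("dictionary_word")
    if any(term in form for form in forms for term in ORG_TERMS):
        findings.append("org_term")
    if any(_is_pattern(form) for form in forms):
        findings.append("pattern")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        findings.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.append("no_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, including the policy's own weak examples.
    for sample in ("secret1", "1secret", "zyxwvuts", "123321",
                   "Br@desc0-2010", "Vt7#qLm2&rXe"):
        print(f"{sample!r}: {check_password(sample) or 'passes'}")
```

The rule that passwords are never written down or stored on-line cannot be checked from the password itself and is left to the protection standards.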
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
14 Donrsquot use the ldquoRemember Passwordrdquo feature of an application such as Eudora Outlook or Netscape Messenger
If someone demands a password, refer them to this document or have them call the Information Security Department.
If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords.
Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups
2. Applications should not store passwords in clear text or in any easily reversible form
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access.
A passphrase typically consists of multiple words, making it more secure against “dictionary attacks.” A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: “The>TrafficOnThe101Was&ThisMorning”
All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator)
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate’s Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco’s key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco’s network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won’t protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco’s corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco’s network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco’s remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradesco’s corporate network is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco’s networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
- Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP)
- Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse’s remote access
- Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using “tunneling” technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco’s VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco’s network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco’s network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access, and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Remote Office
Distribution and location of the electrical system
The main distribution starts at the circuit-breaker box in the MDF and runs from there to the equipment that requires it. On the floor plan, the red line shows how the main and secondary feeds of the 110 VAC power system are distributed.
The raceway used is the dual-cavity type and measures 75 x 50 millimeters. Each node has 2 power outlets, all three-pole and properly grounded.
Horizontal Cabling
The main distribution starts at the wiring center in the MDF, where the voice and data patch panel is located, and runs to the equipment that requires it. The main distribution is carried on an overhead ladder rack and then, where necessary, down to the dual-cavity raceway. On the floor plan, the green line shows the distribution of the UTP-5E cabling to the different nodes.
UTP cable: the horizontal voice and data cabling will be Category 5e. It must consist of 4 pairs (8 wires) of solid copper conductors, 24 AWG, and must have a fire-retardant PVC outer insulating jacket.
Jacks and outlets: in accordance with the EIA/TIA-568-A standard, RJ45 jacks and outlets will be used to connect the UTP cable.
Air-conditioning distribution
The air-conditioning distribution ducts are shown as yellow lines, with the same characteristics described earlier. There is no drop ceiling above the MDF, so two side-type air diffusion grilles mounted on the side of the MDF are used.
MDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard's specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
Two racks are mounted in the room, and whatever equipment is needed will be installed in them. These racks are the elements that support the entire cabling structure; they are the open type, anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA-TIA 310D and NEMA 250:
- Electrostatic paint
- Ground bus bar
- Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that make up the remote office floor is shown below.
AREA | EQUIPMENT TYPE | QUANTITY
Remote Office | Computer equipment | 100
Remote Office | Direct telephone | 100
Remote Office | Printer | 1
Remote Office | Fax | 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet with a bus logical topology (that is, the information flow travels on a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Figure: worksheet and plot of s(a, G) and d(a, f) against G and f, horizontal axis from 0 to 5000]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. A diagram of the design of the channels to be used and of the BSAs is presented below.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Figure: diagram labelled with channels 11, 1 and 6]
Remote office floor plan, simulation
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, for the reliability, security and quality of its services.
Remote office floor plan, simulation: AP distribution
Remote office floor plan, simulation: AP signal propagation
The link planned for contract is an E1 (2048 kbps) with the following characteristics:
- Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
- Delivered with 8 or more homologated (fixed) IP addresses
- Can integrate a Security Module and a Data Center Module
- Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours
- Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network
- Supports server applications
- On-site technical support
- Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Red alaacutembrica
Especificaciones
En la tabla 1 se incluyen las especificaciones el contenido del paquete y los requisitos miacutenimos del Switch Gigabit de 48 puertos Cisco SGE2010P
Lo maacutes destacado
48 puertos de alta velocidad optimizados para el nuacutecleo de la red o para aplicaciones de alto consumo de ancho de banda
La funcioacuten Power over Ethernet suministra alimentacioacuten de forma faacutecil y econoacutemica a puntos de acceso inalaacutembrico caacutemaras de viacutedeo y otros terminales conectados en red
Los cluacutesteres flexibles permiten gestionar varios switches como si fueran uno solo para respaldar el crecimiento de la empresa
La alta seguridad protege el traacutefico de la red para evitar el acceso de usuarios no autorizados
Gestioacuten por Internet simplificada que facilita la instalacioacuten y configuracioacuten
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Especificaciones del Switch Gigabit de 48 puertos Cisco SGE2010P PoE
Especificaciones
Puertos 48 conectores RJ-45 para puertos 10BASE-T100BASE-TX1000BASE-T con 4 puertos combo Gigabit compartidos entre puertos mini-GBIC puerto de consola interfaz dependiente del medio (MDI) e interfaz cruzada dependiente del medio (MDI-X) automaacuteticas autonegociacioacutenconfiguracioacuten manual puerto RPS para conexioacuten a unidad de alimentacioacuten redundante
Botones Botoacuten de reinicio
Tipo de cableado Par trenzado no apantallado (UTP) Categoriacutea 5 o superior para 10BASE-T100BASE-TX UTP Categoriacutea 5e o superior para 1000BASE-T
LED PWR Fan LinkAct PoE Speed RPS Master Stack ID de 1 a 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available to all ports on regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, Web, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using the IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP,
802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, a network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network. Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the CISCO-brand model WRT54GL. This model meets the requirements submitted to the IT department; in addition, the reputation and quality associated with CISCO have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization’s critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remain inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of, and the most common, security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term        Definition
Spam        Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to viruses, worms or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company’s information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company’s security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm’s full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company’s interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated with the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco’s entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of “public”, “private” and “system”, and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word, such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words “Bradesco” and geographical indicators such as “sanjose”, “sanfran” or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
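The weak and strong password criteria listed above can be checked mechanically when a password is set or changed. The following Python code is an added example, not part of the original policy; the sample dictionary, the rule codes and the function names are assumptions made for illustration, and the rule numbers in the comments refer to the weak-password list above.

```python
import re
import string

MIN_LENGTH = 8
# Constructed sample word list (assumption); a real deployment loads a full dictionary.
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "router", "firewall", "dragon"}
# Company and place names the policy singles out as weak.
BANNED_TERMS = {"bradesco", "sanjose", "sanfran"}
# Sequences whose fragments count as word or number patterns (qwerty, zyxwvuts, ...).
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits)


def has_run(text, min_run=4):
    """True if text contains min_run consecutive characters of a known run, in either direction."""
    for run in RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in text:
                    return True
    return False


def is_patterned(text):
    """Detect aaabbb-style repeats, 123321-style palindromes and keyboard/alphabet runs."""
    if re.search(r"(.)\1\1", text):
        return True
    if len(text) >= 4 and text == text[::-1]:
        return True
    return has_run(text)


def check_password(password, personal_terms=()):
    """Return the set of rule codes the candidate violates; an empty set means it passes."""
    problems = set()
    lowered = password.lower()
    # Weak rule 10: a digit in front of or behind a weak password does not rescue it.
    core = lowered.strip(string.digits)

    # Strong-password criteria: length and character classes.
    if len(password) < MIN_LENGTH:
        problems.add("too-short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.add("no-mixed-case")
    if not any(c.isdigit() for c in password):
        problems.add("no-digit")
    if not any(c in string.punctuation for c in password):
        problems.add("no-punctuation")

    # Weak rules 2 and 9: dictionary word, forwards or backwards.
    if core and (core in SAMPLE_DICTIONARY or core[::-1] in SAMPLE_DICTIONARY):
        problems.add("dictionary-word")

    # Weak rules 4 to 7: company/place terms plus personal data supplied by the caller.
    banned = BANNED_TERMS | {t.lower() for t in personal_terms if t}
    if any(t in lowered or t[::-1] in lowered for t in banned):
        problems.add("banned-term")

    # Weak rule 8: word or number patterns.
    if is_patterned(lowered):
        problems.add("pattern")
    return problems


if __name__ == "__main__":
    # Constructed candidates, several taken from the policy's own list of bad examples.
    for candidate in ("secret1", "1terces", "zyxwvuts", "123321", "Bradesco2010!", "Rv7!mQz#Tn4k"):
        print(f"{candidate!r}: {sorted(check_password(candidate)) or 'ok'}")
```

Names, birthdays and similar personal data cannot be known in advance, so the caller passes them in through personal_terms at enrolment time.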
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R” or “Tmb1W>r~” or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
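Items 7 and 8 above set a thirty-minute inactivity limit and a 24-hour absolute connection limit, and rule out pings used to hold a session open. As an added illustration (not part of the original policy or of any Bradesco tooling), this Python sketch audits concentrator session records against those limits; the log format, field names and finding labels are hypothetical, and the sample records are constructed.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)     # policy item 7: disconnect after 30 idle minutes
ABSOLUTE_LIMIT = timedelta(hours=24)   # policy item 8: absolute connection time

# Constructed sample records (hypothetical format): session, ISO timestamp, event, protocol.
SAMPLE_LOG = """\
s1 2010-10-04T08:00:00 connect -
s1 2010-10-04T08:10:00 traffic tcp
s1 2010-10-04T08:35:00 traffic tcp
s1 2010-10-04T09:00:00 disconnect -
s2 2010-10-04T08:00:00 connect -
s2 2010-10-04T08:05:00 traffic tcp
s2 2010-10-04T08:30:00 traffic icmp
s2 2010-10-04T08:55:00 traffic icmp
s2 2010-10-04T09:20:00 traffic icmp
s2 2010-10-04T09:40:00 traffic tcp
s2 2010-10-04T09:45:00 disconnect -
s3 2010-10-04T07:00:00 connect -
s3 2010-10-04T07:20:00 traffic udp
s3 2010-10-05T07:30:00 disconnect -
"""


def parse_log(text):
    """Group records by session id as (timestamp, event, protocol), in time order."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, stamp, event, proto = line.split()
        sessions.setdefault(sid, []).append((datetime.fromisoformat(stamp), event, proto))
    for records in sessions.values():
        records.sort(key=lambda r: r[0])
    return sessions


def audit_session(records, now=None):
    """Return policy findings for one session; the first record is its connect event."""
    findings = []
    start = records[0][0]
    if records[-1][1] != "disconnect":
        # Still connected: measure up to 'now' (or the last record seen).
        records = records + [(now or records[-1][0], "open", "-")]
    last_activity, pings_in_gap = start, False
    for stamp, event, proto in records[1:]:
        if event == "traffic" and proto == "icmp":
            # Pings are not user activity; remember them for the gap check.
            pings_in_gap = True
            continue
        if stamp - last_activity > IDLE_LIMIT:
            # The session outlived the idle limit: either pings held it open,
            # or the concentrator did not enforce the timeout.
            flag = "artificial-keepalive" if pings_in_gap else "idle-limit-not-enforced"
            if flag not in findings:
                findings.append(flag)
        last_activity, pings_in_gap = stamp, False
    if records[-1][0] - start > ABSOLUTE_LIMIT:
        findings.append("absolute-limit-exceeded")
    return findings


def audit_log(text, now=None):
    """Audit every session in the log; 'now' is an optional ISO timestamp string."""
    moment = datetime.fromisoformat(now) if now else None
    return {sid: audit_session(recs, moment) for sid, recs in parse_log(text).items()}


if __name__ == "__main__":
    for sid, findings in audit_log(SAMPLE_LOG).items():
        print(sid, findings or "compliant")
```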
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
MDF
The location of this room can be seen clearly on the floor plan. Following the TIA/EIA-568-A standard on specifications for an Ethernet LAN, the horizontal cabling run will be connected to a central point. The racks are mounted in this room; the patch panels, switches and the necessary servers will be installed in them.
Racks
Two racks are mounted in the room, and whatever equipment is needed will be mounted in them. These racks are the elements that support the entire cabling structure; they are of the open type, anchored to the floor at their four corners.
The racks comply with the stipulated standards EIA/TIA 310D and NEMA 250:
Electrostatic paint
Grounding bar
Horizontal and vertical cable organizers, fixed and extendable trays for heavy equipment, monitor trays, pull-out keyboard trays, vertical power strips
The rack dimensions are shown below.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, considering voice and data. Recall that each building will have 100 users.
The following shows the distribution for each of the areas that will make up the remote office floor.
DEPARTMENT      EQUIPMENT TYPE      QUANTITY
Remote Office   Computer            100
                Direct telephone    100
                Printer             1
                Fax                 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet, with a bus-type logical topology (that is, one in which the information flow is carried on a linear bus) and a media access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations belonging to it will use an IP address that allows them to communicate whenever they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and non-slotted model
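$G = 500$, $a = 9.7 \times 10^{-4}$, $f = 500$, $e = 2.718$
$d(a, f) = \dfrac{f\, e^{-a f}}{G\,(1 + 2a) + e^{-a G}}$
$s(a, G) = \dfrac{a\, G\, e^{-a G}}{1 + e^{-a G} + a}$
$s(a, G) = 0.185$
$d(a, G) = 0.614$
[Plot: s(a, G) and d(a, f) against G and f, each ranging from 0 to 5000; vertical axis from 0 to 0.8]
$t = 0.266$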
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office; below is a design diagram of the channels to be used and of the BSAs.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel design diagram: BSAs labeled with channels 11, 1 and 6]
Remote office floor plan, simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, for the reliability, security and quality that its services offer.
Remote office floor plan, simulation: AP distribution
Remote office floor plan, simulation: AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
Delivered with 8 or more registered (fixed) IP addresses
Can integrate a Security Module and a Data Center Module
Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
Includes web monitoring tool, domain registration with the NIC, and consulting and design of your network
Supports server applications
On-site technical support
Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; for reasons of space and limitations of the simulator software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet easily and cost-effectively supplies power to wireless access points, video cameras and other network-connected endpoints
Flexible clustering allows several switches to be managed as one to support the growth of the business
Strong security protects network traffic to keep out unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and MDI crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power, and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding capacity: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units that allow flexible stack control. Automatic numbering or manual configuration of the stack units
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding in silicon at wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP; dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, IP precedence/Differentiated Services Code Point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policer, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for a -48V DC external power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-port Gigabit switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the Cisco-branded WRT54GL model. This model meets the requirements requested of the IT department; in addition, Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Presentation: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous Details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC (Device)
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include but are not limited to accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes but is not limited to network sniffing, pinged floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters” or “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco’s entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of “public”, “private” and “system”, and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters
2. They are a word found in a dictionary (English or foreign)
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software
6. The words “Bradesco” and geographical indicators such as “sanjose”, “sanfran” or any derivation
7. Birthdays and other personal information such as addresses and phone numbers
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z)
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line
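The weak-password characteristics and strong-password criteria listed above can be checked mechanically when a password is set. The following Python checker is an added example, not part of the original policy; the function names, the rule codes, the small sample dictionary and the minimum pattern length are assumptions made for illustration.

```python
import re
import string

# Constructed sample data (assumption for this example, not part of the policy):
# a tiny stand-in dictionary; a real check would load a full wordlist.
SAMPLE_DICTIONARY = frozenset({"secret", "password", "welcome", "dragon", "router"})
# Company and place names the policy calls out, matched as substrings
# so that derivations are caught as well.
BANNED_TERMS = ("bradesco", "sanjose", "sanfran")

MIN_LENGTH = 8          # policy: at least eight characters
MIN_PATTERN_LENGTH = 4  # assumption: shorter runs are not treated as patterns
SEQUENCES = (string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _variants(password):
    """Lower-cased forms to test: as typed, with one leading or trailing
    digit removed, and each of those spelled backwards."""
    lowered = password.lower()
    forms = {lowered}
    if len(lowered) > 1 and lowered[0].isdigit():
        forms.add(lowered[1:])
    if len(lowered) > 1 and lowered[-1].isdigit():
        forms.add(lowered[:-1])
    return forms | {form[::-1] for form in forms}


def _is_pattern(text):
    """True for alphabet, digit or keyboard-row runs (either direction),
    blocks of repeated characters such as aaabbb, and palindromes such as 123321."""
    if len(text) < MIN_PATTERN_LENGTH:
        return False
    if any(text in seq or text in seq[::-1] for seq in SEQUENCES):
        return True
    if re.fullmatch(r"(?:(.)\1+)+", text):
        return True
    return text == text[::-1]


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rule codes the password violates (empty if none)."""
    findings = []
    forms = _variants(password)
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if forms.intersection(dictionary):
        findings.append("dictionary_word")
    if any(term in form for form in forms for term in BANNED_TERMS):
        findings.append("banned_term")
    if any(_is_pattern(form) for form in forms):
        findings.append("pattern")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.append("no_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed test inputs; none of them should be used as a real password.
    for sample in ("secret1", "terces", "zyxwvuts", "123321",
                   "Bradesco2010!", "cR7#vop!Lq2m"):
        print(f"{sample!r}: {check_password(sample) or 'no findings'}")
```

Personal information such as names and birthdays cannot be detected from the password alone; a deployment would extend `BANNED_TERMS` with per-user values.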
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R” or “Tmb1W>r~” or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of “don’ts”:
4. Don’t reveal a password to anyone over the phone
5. Don’t reveal a password in an email message
6. Don’t reveal a password to the boss
7. Don’t talk about a password in front of others
8. Don’t hint at the format of a password (e.g., “my family name”)
9. Don’t reveal a password on questionnaires or security forms
10. Don’t share a password with family members
11. Don’t reveal a password to a co-worker when you go on vacation
12. Don’t write down a password and store it anywhere in your office
13. Don’t store passwords in a file on any computer, including a handheld computer, without encryption
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
14 Donrsquot use the ldquoRemember Passwordrdquo feature of an application such as Eudora Outlook or Netscape Messenger
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g. Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types: Basic Rate Interface (BRI) is used for home office/remote access; Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e. their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
The following diagram shows how each floor will be laid out, with its IDF and the 3 switches that correspond to each one, covering voice and data. Recall that each building will have 100 users.
The distribution for each of the areas that will make up the remote office floor is shown below.
DEPARTMENT | EQUIPMENT TYPE | QUANTITY
Remote Office | Computer | 100
Remote Office | Direct telephone | 100
Remote Office | Printer | 1
Remote Office | Fax | 1
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet with a bus-type logical topology (that is, one where the information flow travels on a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that lets them communicate when they need to send information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Mathcad worksheet and plot for the slotted and unslotted model. Parameters: G = 500, a = 9.7 × 10^-4, f = 500, e = 2.718. Results: s(a, G) = 0.185, d(a, G) = 0.614, t = 0.266. Plot: s(a, G) and d(a, f) against G and f, each from 0 to 5000.]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office; a diagram of the channel design to be used and of the BSAs is presented below.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel design diagram: channels 1, 6 and 11]
[Figure: Remote office floor plan, simulation]
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link is Telmex, chosen for the reliability, security and quality of its services.
[Figure: Remote office floor plan, simulation: AP distribution]
[Figure: Remote office floor plan, simulation: AP signal propagation]
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
Delivered with 8 or more registered (fixed) IP addresses.
Can integrate a Security Module and a Data Center Module.
Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network.
Supports server applications.
On-site technical support.
Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table shows the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications.
Power over Ethernet easily and cost-effectively powers wireless access points, video cameras and other network-attached endpoints.
Flexible clustering lets several switches be managed as one to support business growth.
Strong security protects network traffic to keep out unauthorized users.
Simplified web-based management for easy installation and configuration.
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 through 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding capacity: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets; DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-port Gigabit switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the Cisco-brand WRT54GL model. This model meets the requirements submitted to the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Characteristics
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12V DC 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104°F (0 to 40°C)
Storage Temp: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g. 0-9, $^&()_+|~-=`[]<>.
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
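The construction guidelines above can be enforced when a password is set. The following check is an added example, not part of the original policy; the word list, the sequence table and the function names are constructed for illustration and would be replaced by a full dictionary in practice.

```python
import string

# Constructed sample word list (assumption): a real deployment would load a
# full dictionary plus names, computer terms and local place names.
WEAK_WORDS = {"secret", "password", "bradesco", "sanjose", "sanfran",
              "welcome", "router", "admin"}
# Alphabet, digit and keyboard rows used to spot runs such as qwerty or zyxwvuts.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8


def _is_pattern(text):
    """Detect word or number patterns: aaabbb, 123321, qwerty, zyxwvuts."""
    if len(text) < 4:
        return False
    if len(set(text)) <= 2:                      # aaaaaa, aaabbb, 121212
        return True
    if text.isdigit() and text == text[::-1]:    # 123321
        return True
    # One contiguous run of a known sequence, forwards or backwards.
    return any(text in seq or text[::-1] in seq for seq in SEQUENCES)


def check_password(password):
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight characters")

    lowered = password.lower()
    # "Preceded or followed by a digit": strip digits from both ends.
    core = lowered.strip(string.digits)
    candidates = {lowered, core}
    # "Spelled backwards": test the reversed forms as well.
    candidates |= {c[::-1] for c in candidates}
    if any(c in WEAK_WORDS for c in candidates):
        problems.append("dictionary or common-usage word")

    if any(_is_pattern(c) for c in (lowered, core)):
        problems.append("word or number pattern")

    has_lower = any(ch.islower() for ch in password)
    has_upper = any(ch.isupper() for ch in password)
    if not (has_lower and has_upper):
        problems.append("needs both upper and lower case")
    if not any(ch.isdigit() for ch in password):
        problems.append("needs a digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("needs a punctuation character")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs covering the weak-password cases in the list.
    for sample in ["secret1", "1terceS", "zyxwvuts", "123321",
                   "Bradesco2010", "Gr7!vLq#2zP"]:
        print(sample, "->", check_password(sample) or "OK")
```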
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users Control remote access to Bradesco networks using either a one-time password authentication or a publicprivate key system with a strong passphrase Passphrases Passphrases are not the same as passwords A passphrase is a longer version of a password and is therefore more securePassphrases are generally used for publicprivate key authentication A publicprivate key system defines a mathematical relationship between the public key that is known by all and the private key which is known only to the user Without the passphrase to ldquounlockrdquo the private key the user cannot gain access A passphrase typically consists of multiple words making it more secure against ldquodictionary attacksrdquo A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters Here is an example of a good passphrase ldquoThegtTrafficOnThe101WasampThisMorningrdquo All of the guidelines for creating strong passwords also apply to passphrases
Enforcement Any employee found violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term Definition
Application Administration Account
Any account that is for the administration of an application (eg Oracle database administrator ISSU administrator)
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradesco's corporate network is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
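The CHAP definition above says only that the protocol uses a one-way hashing function. As an added example (not part of the original policy), the following Python code runs both sides of the exchange defined in RFC 1994, where the response is MD5(Identifier || secret || Challenge); the `Authenticator` class, the peer name and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Response value from RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges, e.g. the router answering the ISDN call.

    Hypothetical helper class written for this example.
    """

    def __init__(self, shared_secrets):
        self._secrets = shared_secrets      # peer name -> shared secret
        self._next_id = 0
        self._pending = {}                  # identifier -> outstanding challenge

    def challenge(self):
        """Create a fresh, unpredictable challenge and remember it."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256   # Identifier is one octet
        value = os.urandom(16)
        self._pending[identifier] = value
        return identifier, value

    def verify(self, name, identifier, response):
        """Check a response; every challenge can be answered only once."""
        value = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(expected, response)


def demo():
    """Run the exchange with a constructed secret and return the outcomes."""
    secret = b"constructed-shared-secret"          # constructed sample value
    auth = Authenticator({"branch-router": secret})

    # 1. Normal exchange: the secret itself never crosses the link.
    ident, chal = auth.challenge()
    resp = chap_response(ident, secret, chal)
    accepted = auth.verify("branch-router", ident, resp)

    # 2. A response recorded earlier is useless against a new challenge.
    ident2, _chal2 = auth.challenge()
    replay_rejected = not auth.verify("branch-router", ident2, resp)

    # 3. The same response cannot be resubmitted for the used challenge.
    reuse_rejected = not auth.verify("branch-router", ident, resp)

    # 4. A peer that does not know the secret fails.
    ident3, chal3 = auth.challenge()
    wrong = chap_response(ident3, b"wrong-secret", chal3)
    wrong_secret_rejected = not auth.verify("branch-router", ident3, wrong)

    return {
        "accepted": accepted,
        "replay_rejected": replay_rejected,
        "reuse_rejected": reuse_rejected,
        "wrong_secret_rejected": wrong_secret_rejected,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Because the response is a plain hash over the shared secret and public values, the strength of that secret is what protects a recorded exchange, so the passphrase guidance in the Password Policy applies to CHAP secrets as well.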
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Detailed logical topology of the LAN and WAN
The network type is Gigabit Ethernet with a bus logical topology (that is, one in which information flows along a linear bus) and a medium access method called CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Each department will be assigned a VLAN, and the workstations that belong to it will use an IP address that allows them to communicate when they need to transmit information to other VLANs.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Worksheet and plot: functions s(a, G) and d(a, f) plotted against G and f, horizontal axis from 0 to 5000]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office. The design diagram of the channels and BSAs to be used is presented below.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Diagram: labels 11, 1 and 6]
Remote office floor plan, simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link will be the company Telmex, for the reliability, security and quality of its services.
Remote office floor plan, simulation: AP distribution
Remote office floor plan, simulation: AP signal propagation
The link planned for contracting is an E1 (2048 kbps) with the following characteristics:
• Ideal for different applications such as web, e-mail, FTP and e-commerce servers, etc.
• Delivered with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool, domain registration with the NIC, and consulting and design for your network
• Supports server applications
• On-site technical support
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and integration with mobile devices required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, it was not possible to integrate the 1000 nodes that make up the Banco Bradesco network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-Port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for high-bandwidth applications
• Power over Ethernet easily and economically supplies power to wireless access points, video cameras and other network-connected endpoints
• Flexible clusters allow several switches to be managed as if they were one, to support the company's growth
• High security protects network traffic to prevent access by unauthorized users
• Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-Port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared between mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, nonblocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed Layer 3 traffic forwarding in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Upgrade by web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: Prevention of DoS attacks
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and remarking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP,
802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-Port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security, such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the CISCO-branded WRT54GL model. This model meets the requirements submitted to the IT department; in addition, the reputation and quality that CISCO maintains have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Transformer
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g; 11Mbps Auto-fallback IEEE 802.11b; 1Mbps IEEE 802.11b; 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to a virus, worm or Trojan horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the names of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated with the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word, such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
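The weak and strong characteristics listed above can be enforced mechanically when a password is set. The following Python checker is an added example, not part of the original policy; the sample word list, the function names and the reason codes are assumptions made for illustration, and the candidate passwords are constructed.

```python
import string

# Constructed sample data (assumptions for illustration, not Bradesco's lists).
# A real deployment would load a full dictionary file here.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "router"}
# Terms and patterns that the guidelines name explicitly.
NAMED_TERMS = ("bradesco", "sanjose", "sanfran")
PATTERNS = ("aaabbb", "qwerty", "zyxwvuts", "123321")


def weak_reasons(password, words=SAMPLE_WORDS):
    """Return a list of reason codes; an empty list means no rule was violated."""
    reasons = []
    lowered = password.lower()
    backwards = lowered[::-1]

    # Weak characteristic 1: fewer than eight characters.
    if len(password) < 8:
        reasons.append("too_short")

    # Weak characteristics 2, 9 and 10: a dictionary word, also when spelled
    # backwards or with digits added before or after it (secret1, 1secret).
    core = lowered.strip(string.digits)
    if core in words or core[::-1] in words:
        reasons.append("dictionary_word")

    # Weak characteristics 6 and 9: company or place name, or a derivation.
    if any(t in lowered or t in backwards for t in NAMED_TERMS):
        reasons.append("named_term")

    # Weak characteristics 8 and 9: keyboard or number patterns.
    if any(p in lowered or p in backwards for p in PATTERNS):
        reasons.append("pattern")

    # Strong characteristics 1 and 2: mixed case, digits and punctuation.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        reasons.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        reasons.append("no_digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("no_punctuation")
    return reasons


def audit(candidates, words=SAMPLE_WORDS):
    """Map each candidate password to its reason codes."""
    return {pw: weak_reasons(pw, words) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates; the first two are the guideline's own examples.
    samples = ["secret1", "1secret", "Bradesco2010!", "qwerty123", "Gt7#vLq9!xWz"]
    for pw, why in audit(samples).items():
        print(f"{pw!r}: {'ok' if not why else ', '.join(why)}")
```

Characteristics that depend on personal data (family names, birthdays, addresses) need per-user input and are not covered by this checker.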
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator)
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment; i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
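A check for VPN Policy items 3 and 4 (all traffic forced through the tunnel, no split tunneling), added here as an example and not part of the Bradesco policy or project: it parses `ip route show` output from a connected Linux client and reports every non-tunnel route that would still carry traffic. The interface name tun0, all addresses, both sample routing tables, and the allow-list (the VPN gateway host route plus the home LAN, which Remote Access requirement 3 excepts as a personal network under the user's control) are assumptions constructed for illustration.

```python
"""Audit a client's IPv4 routing table for split tunneling (constructed example)."""
import ipaddress
from typing import List, NamedTuple

SKIP_TYPES = {"unreachable", "blackhole", "prohibit", "throw",
              "broadcast", "local", "multicast"}


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse IPv4 unicast routes from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in SKIP_TYPES or "dev" not in tok[:-1]:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a route line we understand
        if net.version != 4:
            continue
        metric = 0
        if "metric" in tok[:-1]:
            metric = int(tok[tok.index("metric") + 1])
        routes.append(Route(net, tok[tok.index("dev") + 1], metric))
    return routes


def split_tunnel_findings(routes, tunnel_dev, allowed):
    """Return non-tunnel routes that still win longest-prefix match for
    some destination and are not covered by the allow-list."""
    tunnel = [r for r in routes if r.dev == tunnel_dev]
    findings = []
    for r in routes:
        if r.dev in (tunnel_dev, "lo"):
            continue
        if any(r.network.subnet_of(a) for a in allowed):
            continue
        # Same prefix on the tunnel with a lower metric overrides this route.
        if any(t.network == r.network and t.metric < r.metric for t in tunnel):
            continue
        # More-specific tunnel routes that together cover the whole prefix
        # (e.g. 0.0.0.0/1 + 128.0.0.0/1 over a physical default) override it too.
        inner = [t.network for t in tunnel
                 if t.network != r.network and t.network.subnet_of(r.network)]
        if list(ipaddress.collapse_addresses(inner)) == [r.network]:
            continue
        findings.append(r)
    return findings


# Constructed sample: full tunnel, default route overridden by two /1 routes.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: only 10.0.0.0/8 goes through the tunnel, and a second
# interface (eth1) is attached to another network (dual homing).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.7
"""

# Assumed allow-list: home LAN and the VPN gateway's own host route.
ALLOWED = [ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("203.0.113.10/32")]

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        bad = split_tunnel_findings(parse_ip_route(table), "tun0", ALLOWED)
        print(name, "compliant" if not bad else
              ["%s via %s" % (r.network, r.dev) for r in bad])
```
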
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Calculations based on the free-space propagation model
Tau is the maximum propagation time for the signal between one end of the network and the other.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Calculation worksheet and plot for the slotted and unslotted model: curves s(a, G) and d(a, f) plotted against G and f over the range 0 to 5000. Values shown on the sheet: s(a, G) = 0.185, d(a, G) = 0.614, t = 0.266]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office; below is a design diagram of the channels to be used and of the BSAs.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Channel design diagram: channels 1, 6, and 11]
Remote office floor plan, simulation
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link will be the company Telmex, for the reliability, security, and quality that its services offer.
Remote office floor plan, simulation: AP distribution
Remote office floor plan, simulation: AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
• Ideal for various applications such as web, e-mail, and FTP servers, e-commerce, etc.
• Delivered with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network
• Supports server applications
• On-site technical support
• Optional services: Traffic Shaper, Backup Service, Firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to satisfy the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility, and integration with mobile devices required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, the 1000 nodes that make up the network infrastructure of Banco Bradesco could not all be included.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents, and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet supplies power easily and economically to wireless access points, video cameras, and other networked endpoints
• Flexible clustering lets several switches be managed as if they were one, to support company growth
• High security protects network traffic to prevent access by unauthorized users
• Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units that allow flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed forwarding of Layer 3 traffic in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c, and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms, and events) for improved traffic management, monitoring, and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast, and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based; 802.1p VLAN priority based; IPv4/v6 IP precedence/ToS/DSCP based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter, and network-capable operating system (such as Microsoft Windows, Linux, or Mac OS X) installed on each computer in the network. Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security, such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are from the CISCO brand, model WRT54GL. This model meets the requirements requested of the IT department; likewise, the reputation and quality that CISCO maintains have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz, IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g; 11Mbps Auto-fallback IEEE 802.11b; 1Mbps IEEE 802.11b; 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104°F (0 to 40°C)
Storage Temp.: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of the most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does not guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees whose employment with the institution has terminated, and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g. 0-9, $^&()_+|~-=`[]<>
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
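The weak and strong characteristics listed above can be enforced when a password is chosen. The screening function below is an added example, not part of the original policy; the function names, the small word list and the keyboard-sequence list are assumptions made for the demonstration, and a real deployment would load a full dictionary.

```python
import re
import string

MIN_LENGTH = 8  # "less than eight characters" is weak

# Constructed sample word list (assumption); replace with a real dictionary.
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "dragon", "router"}
# Terms the policy names explicitly, matched as substrings ("any derivation").
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
# Alphabet, digit and keyboard rows used to spot runs such as qwerty, zyxwvuts.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Whole password made of repeated-character runs, e.g. aaabbb.
_REPEAT_RUNS = re.compile(r"(?:(.)\1{2,})+")

CHARACTER_CLASSES = (
    ("upper", string.ascii_uppercase),
    ("lower", string.ascii_lowercase),
    ("digit", string.digits),
    ("punctuation", string.punctuation),
)


def _has_sequence_run(text, run=4):
    """True if `text` holds `run` consecutive characters of a known
    sequence, read forwards or backwards."""
    for seq in SEQUENCES:
        for candidate in (seq, seq[::-1]):
            for i in range(len(text) - run + 1):
                if text[i:i + run] in candidate:
                    return True
    return False


def screen_password(password, personal_terms=()):
    """Return the list of policy findings for `password` (empty = acceptable).

    `personal_terms` is a hypothetical per-user list (names, birthdays,
    phone numbers) supplied by the caller.
    """
    findings = []
    lowered = password.lower()
    # "preceded or followed by a digit": compare with digit affixes removed.
    core = lowered.strip(string.digits)
    # "spelled backwards": compare the reversed forms as well.
    variants = {lowered, core, lowered[::-1], core[::-1]}
    variants.discard("")

    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if variants & SAMPLE_DICTIONARY:
        findings.append("dictionary_word")
    if any(term in v for term in ORG_TERMS for v in variants):
        findings.append("organisation_term")
    personal = [t.lower() for t in personal_terms if t]
    if any(t in v for t in personal for v in variants):
        findings.append("personal_information")

    mirrored = len(lowered) >= 4 and lowered == lowered[::-1]  # e.g. 123321
    if _REPEAT_RUNS.fullmatch(lowered) or _has_sequence_run(lowered) or mirrored:
        findings.append("pattern")

    for name, chars in CHARACTER_CLASSES:
        if not any(c in chars for c in password):
            findings.append("missing_" + name)
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, including the policy's own weak examples.
    for sample in ("secret1", "1secret", "zyxwvuts", "123321",
                   "Bradesco2010!", "Vt7#qLm2!x"):
        print(sample, screen_password(sample) or "acceptable")
```

An empty result only means that none of the listed weaknesses was detected; the word list in use bounds what the dictionary check can catch.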
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
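Item 2 of the standards above separates encoding from hashing. The sketch below is an added example, not part of the original policy; it contrasts an easily reversible stored form (Base64) with a salted PBKDF2-HMAC-SHA256 record, and the record layout, function names and iteration count are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
SCHEME = "pbkdf2_sha256"


def encode_reversible(password):
    """The 'before': Base64 hides nothing, it is an encoding."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_reversible(stored):
    """Anyone who reads the stored value gets the password back."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """The 'after': a per-password random salt and a slow one-way function.

    Record layout (assumption): scheme$iterations$salt_b64$digest_b64
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join((SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant
    time. Malformed or unknown-scheme records are rejected, never trusted."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    sample = "Vt7#qLm2!x"  # constructed sample password
    weak = encode_reversible(sample)
    print("reversible form:", weak, "->", recover_reversible(weak))
    record = hash_password(sample)
    print("hashed record  :", record)
    print("verify correct :", verify_password(sample, record))
    print("verify wrong   :", verify_password("guess", record))
```

Storing the iteration count in each record lets the work factor be raised later without invalidating existing accounts.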
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dial-up modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
• Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP).
• Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access.
• Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
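The limits in items 2, 7 and 8 of the VPN policy can be checked against VPN concentrator session records. The following Python audit is an added example, not part of the original document or of any Bradesco tooling; the record layout (`Session`, `Flow`), the finding codes and the sample sessions are constructed assumptions, and treating ICMP-only stretches as keep-alive traffic is a heuristic for the "pings" clause of item 7.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Limits taken from the VPN policy text.
IDLE_LIMIT = timedelta(minutes=30)     # item 7: disconnect after thirty minutes of inactivity
ABSOLUTE_LIMIT = timedelta(hours=24)   # item 8: absolute connection time of 24 hours
ALLOWED_AUTH = {"otp", "pubkey"}       # item 2: one-time password or public/private key


# Hypothetical record layout; a real concentrator log needs its own parser.
@dataclass
class Flow:
    ts: datetime
    proto: str  # "tcp", "udp" or "icmp"


@dataclass
class Session:
    user: str
    auth: str
    start: datetime
    end: datetime
    flows: list = field(default_factory=list)


def gaps_ok(points):
    """True when no two consecutive timestamps are more than IDLE_LIMIT apart."""
    return all(b - a <= IDLE_LIMIT for a, b in zip(points, points[1:]))


def audit(s):
    """Return the list of policy findings for one session (empty list = compliant)."""
    findings = []
    if s.auth not in ALLOWED_AUTH:
        findings.append("AUTH_METHOD")
    if s.end - s.start > ABSOLUTE_LIMIT:
        findings.append("ABSOLUTE_LIMIT")
    # Timeline of genuine activity: ICMP is set aside so that pings alone
    # cannot make an otherwise idle session look active.
    real = [s.start] + sorted(f.ts for f in s.flows if f.proto != "icmp") + [s.end]
    pings = sorted(f.ts for f in s.flows if f.proto == "icmp")
    for a, b in zip(real, real[1:]):
        if b - a <= IDLE_LIMIT:
            continue
        # The session outlived the idle limit. If pings bridge the whole gap,
        # it was kept open artificially; otherwise the timeout was not enforced.
        inside = [a] + [p for p in pings if a < p < b] + [b]
        code = "KEEPALIVE" if gaps_ok(inside) else "IDLE_TIMEOUT"
        if code not in findings:
            findings.append(code)
    return findings


def every(start, first_min, last_min, step_min, proto):
    """Constructed traffic: one flow every step_min minutes."""
    return [Flow(start + timedelta(minutes=m), proto)
            for m in range(first_min, last_min + 1, step_min)]


# Constructed sample sessions, not real data.
T0 = datetime(2010, 10, 4, 8, 0)
SAMPLE = [
    Session("alice", "otp", T0, T0 + timedelta(hours=2), every(T0, 10, 110, 25, "tcp")),
    Session("bob", "password", T0, T0 + timedelta(hours=26), every(T0, 20, 1540, 20, "tcp")),
    Session("carol", "pubkey", T0, T0 + timedelta(hours=3),
            [Flow(T0 + timedelta(minutes=5), "tcp")]
            + every(T0, 10, 170, 5, "icmp")
            + [Flow(T0 + timedelta(minutes=175), "tcp")]),
    Session("dave", "otp", T0, T0 + timedelta(minutes=90),
            [Flow(T0 + timedelta(minutes=10), "tcp")]),
]


def report(sessions):
    return {s.user: audit(s) for s in sessions}


if __name__ == "__main__":
    for user, findings in report(SAMPLE).items():
        print(user, findings or "compliant")
```

An `IDLE_TIMEOUT` finding points at the concentrator configuration, since the session should have been dropped, while `KEEPALIVE` points at the client.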
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Wireless coverage areas according to the calculations to satisfy 500 kbps per user
Slotted and unslotted model
[Figure: worksheet and plot for the slotted and unslotted models. Curves s(a, G) and d(a, f) are plotted against G and f over the range 0 to 5000, vertical axis 0 to 0.8. Values shown: G = 500, f = 500, e = 2.718, s(a, G) = 0.185, d(a, G) = 0.614, t = 0.266.]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be installed only in the remote office. The diagram below shows the design of the channels to be used and of the BSAs.
[Channel design diagram: channels 1, 6 and 11]
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless networking technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
Remote office floor plan: simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link is Telmex, chosen for the reliability, security, and quality of its services.
Remote office floor plan: simulated AP distribution
Remote office floor plan: simulated AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following features:
• Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
• Delivered with 8 or more registered (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network
• Supports server applications
• On-site technical support
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into an ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility, and integration with mobile devices required by the processes and activities carried out in this area of the company. The physical topology would look approximately as shown; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents, and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet easily and economically powers wireless access points, video cameras, and other network-attached endpoints
• Flexible clustering lets several switches be managed as one to support the growth of the business
• Strong security protects network traffic to keep out unauthorized users
• Simplified web-based management eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (range 4096)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed forwarding of Layer 3 traffic in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c, and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms, and events) for improved traffic management, monitoring, and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast, and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for a -48V DC external power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE marking, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter, and network-capable operating system (such as Microsoft Windows, Linux, or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the Cisco-brand WRT54GL model. This model meets the requirements requested of the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12V DC 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of and paying more attention to the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include but are not limited to accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes but is not limited to network sniffing, pinged floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution, and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g. 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
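The construction guidelines above can be enforced automatically, for example when a user sets a new password. The following Python code is an added example, not part of the original policy: the function names, the small constructed word list and the four-character run threshold are assumptions, and a real deployment would load a full dictionary.

```python
import re
import string

# Constructed sample list standing in for a real dictionary file (assumption).
SAMPLE_WORDS = frozenset({"secret", "password", "welcome", "dragon", "router", "oracle"})
# Terms the policy names explicitly: the company name and geographic indicators.
NAMED_TERMS = ("bradesco", "sanjose", "sanfran")
# Sequences used to spot keyboard, alphabet and digit runs such as qwerty or zyxwvuts.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits)
MIN_LENGTH = 8
RUN_WINDOW = 4  # assumption: four consecutive run characters count as a pattern


def _strip_digit_affix(text):
    """Remove leading and trailing digits, so secret1 and 1secret reduce to secret."""
    return re.sub(r"^\d+|\d+$", "", text)


def _has_run(text):
    """True if text contains RUN_WINDOW consecutive characters of a run, in either direction."""
    for run in RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(seq) - RUN_WINDOW + 1):
                if seq[i:i + RUN_WINDOW] in text:
                    return True
    return False


def _is_pattern(text):
    """Detect the pattern types the policy lists: aaabbb, qwerty, zyxwvuts, 123321."""
    repeated_blocks = re.fullmatch(r"(?:(.)\1+)+", text) is not None
    palindrome = len(text) >= 4 and text == text[::-1]
    return repeated_blocks or palindrome or _has_run(text)


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    lowered = password.lower()
    core = _strip_digit_affix(lowered)

    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    # Dictionary words, including spelled backwards or with a digit before or after.
    candidates = {lowered, core, lowered[::-1], core[::-1]}
    if candidates & set(words):
        findings.append("dictionary_word")
    # Company name and geographic indicators, or any derivation containing them.
    if any(term in lowered or term in lowered[::-1] for term in NAMED_TERMS):
        findings.append("named_term")
    if _is_pattern(lowered) or _is_pattern(core):
        findings.append("pattern")
    # Strong-password requirements: mixed case, plus digits and punctuation.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("no_mixed_case")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        findings.append("no_digit_and_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, including the weak examples the policy itself lists.
    for candidate in ("secret1", "1terces", "zyxwvuts", "123321", "Bradesco2010!"):
        print(candidate, check_password(candidate))
```

The check covers only the characteristics that can be tested mechanically; items such as names of family members or birthdays need user-specific data that this example does not model.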
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include but are not limited to dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradesco's corporate network is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g. Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
G = 500, a = 97104, f = 500, e = 2.718
s(a, G) = 0.185, d(a, G) = 0.614, t = 0.266
[Plot: s(a, G) and d(a, f) versus G and f, each over the range 0 to 5000]
AP power calculations
Number of users per BSA
Frequency channel design
Access points will be placed only in the remote office; the following diagram shows the design of the channels to be used and of the BSAs.
[Channel design diagram: channels 1, 6 and 11]
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard has unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Figure: Remote office floor plan, simulation]
[Figure: Remote office floor plan, simulation of AP distribution]
[Figure: Remote office floor plan, simulation of AP signal propagation]
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link is Telmex, chosen for the reliability, security and quality of its services.
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
• Ideal for applications such as web, e-mail and FTP servers, e-commerce, etc.
• Provided with 8 or more homologated (fixed) IP addresses
• Can integrate a Security Module and a Data Center Module
• Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours
• Includes a web monitoring tool, domain registration with the NIC, and consulting and design of your network
• Supports server applications
• On-site technical support
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC)
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration demanded by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet easily and economically supplies power to wireless access points, video cameras and other network-connected endpoints
• Flexible clustering allows several switches to be managed as one to support the growth of the company
• Strong security protects network traffic to prevent access by unauthorized users
• Simplified web-based management eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for one Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding capacity: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (range 4096)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless inter-domain routing (CIDR), 60 static routes, IPv4 and IPv6, layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limit based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: Prevention of DoS attacks
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240 V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48 V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
• Cisco SGE2010P 48-port Gigabit switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Provider support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the Cisco-brand WRT54GL model. This model meets the requirements submitted to the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Characteristics
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12 V DC, 1.0 A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54 Mbps auto-fallback IEEE 802.11g, 11 Mbps auto-fallback IEEE 802.11b, 1 Mbps IEEE 802.11b, 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access, WPA
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12 V DC, 0.5 A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104°F (0 to 40°C)
Storage Temp: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10% to 85%, Noncondensing
Storage Humidity: 5% to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of the most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1 The user interface for information contained on Internetintranetextranet-related systems should be classified as either confidential or non-confidential as defined by corporate confidentiality guidelines found in Human Resources policies Examples of confidential information include but are not limited to company private corporate strategies competitor sensitive trade secrets specifications customer lists and research data You should take all necessary steps to prevent unauthorized access to this information
2 Keep passwords secure and do not share accounts As an authorized user you are responsible for the security of your passwords and accounts Change system level passwords quarterly change user level passwords every six months
3 Secure all PCs laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less or by logging-off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended
4 Use encryption of information in compliance with the Acceptable Encryption Use policy
5 Because information contained on portable computers is especially vulnerable exercise special care Protect laptops in accordance with ldquoLaptop Security Tipsrdquo
6 Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco unless posting is in the course of business duties
7 All hosts used by the you that are connected to the Bradesco Internetintranetextranet whether owned by you or by Bradesco must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy)
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters” or “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to Virus, Worm, or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or un-trusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company’s information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company’s security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm’s full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company’s interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated with the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco’s entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of “public”, “private”, and “system”, and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include: user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words “Bradesco” and geographical indicators such as “sanjose”, “sanfran” or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
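The weak and strong password characteristics listed above can be checked mechanically when a password is set. The following Python sketch is an added example, not part of the Bradesco policy; the word list, the reason codes and the function names are assumptions made for illustration, and a real deployment would load a full dictionary file.

```python
import string

MIN_LENGTH = 8
# Constructed stand-in for a real dictionary file (assumption, not from the policy).
SAMPLE_DICTIONARY = frozenset({"secret", "password", "welcome", "dragon", "router"})
# Terms the policy names explicitly: the company name and geographic indicators.
BANNED_TERMS = frozenset({"bradesco", "sanjose", "sanfran"})
# Alphabet, digit and keyboard rows used to spot runs such as qwerty or zyxwvuts.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_pattern(text):
    """True for the pattern classes the policy lists: aaabbb, qwerty, zyxwvuts, 123321."""
    if len(text) < 4:
        return False
    if len(set(text)) <= 2:          # aaabbb, 1111
        return True
    if text == text[::-1]:           # 123321
        return True
    # Forward or backward run along the alphabet, digits or a keyboard row.
    return any(text in seq or text[::-1] in seq for seq in SEQUENCES)


def weak_reasons(password, dictionary=SAMPLE_DICTIONARY, banned=BANNED_TERMS):
    """Return the policy rules the password breaks, in a fixed order (empty = acceptable)."""
    lowered = password.lower()
    # "Preceded or followed by a digit": strip digits at both ends before the lookup.
    core = lowered.strip(string.digits)
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    # Dictionary word, also when spelled backwards.
    if core and (core in dictionary or core[::-1] in dictionary):
        reasons.append("dictionary_word")
    # Company or place name "or any derivation": substring match, both directions.
    if any(term in lowered or term in lowered[::-1] for term in banned):
        reasons.append("banned_term")
    if any(_is_pattern(s) for s in (lowered, core)):
        reasons.append("pattern")
    # Strong-password requirements: mixed case, digits, punctuation.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        reasons.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        reasons.append("no_digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("no_punctuation")
    return reasons


def is_acceptable(password):
    return not weak_reasons(password)


if __name__ == "__main__":
    # Constructed test fixtures; the last one is a fixture only, never a real password.
    for sample in ("secret1", "zyxwvuts", "123321", "Bradesco2010!", "gT7#vLp2&qZ"):
        print(f"{sample!r}: {weak_reasons(sample) or 'acceptable'}")
```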
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R” or “Tmb1W>r~” or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of “don’ts”:
4. Don’t reveal a password to anyone over the phone.
5. Don’t reveal a password in an email message.
6. Don’t reveal a password to the boss.
7. Don’t talk about a password in front of others.
8. Don’t hint at the format of a password (e.g., “my family name”).
9. Don’t reveal a password on questionnaires or security forms.
10. Don’t share a password with family members.
11. Don’t reveal a password to a co-worker when you go on vacation.
12. Don’t write down a password and store it anywhere in your office.
13. Don’t store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don’t use the “Remember Password” feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against “dictionary attacks”. A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: “The>TrafficOnThe101Was&ThisMorning”. All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate’s Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco’s key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco’s network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won’t protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco’s corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco’s network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco’s remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco’s networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse’s remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using “tunneling” technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco’s VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco’s network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Frequency channel design
Access points will be installed only in the remote office. The diagram below shows the design of the channels to be used and of the BSAs.
Signal propagation simulation for each AP in the design
Wireless network in the Bradesco remote office
Wireless network technology based on the IEEE 802.11 standard offers unquestionable benefits in the business world. Some of these benefits are flexibility, mobility, reduced network infrastructure costs, integration with mobile devices and PDAs, and better network scalability.
[Figure: channel design diagram; channel labels 11, 1 and 6]
[Figure: remote office floor plan, simulation]
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link will be Telmex, chosen for the reliability, security and quality of its services.
[Figure: remote office floor plan, simulation of AP distribution]
[Figure: remote office floor plan, simulation of AP signal propagation]
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
Ideal for different applications such as web, e-mail and FTP servers, e-commerce, etc.
Delivered with 8 or more public (fixed) IP addresses.
Can integrate a Security Module and a Data Center Module.
Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
Includes a web monitoring tool, domain registration with the NIC, and consulting and design for your network.
Supports server applications.
On-site technical support.
Optional services: Traffic Shaper, Backup Service, Firewall Equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications.
Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints.
Flexible clustering lets several switches be managed as one to support company growth.
High security protects network traffic to prevent access by unauthorized users.
Simplified web-based management makes installation and configuration easier.
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports; maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack; insertion and removal without service interruption; ring and chain stacking options; master and backup master units for flexible stack control; automatic numbering or manual configuration of the stack units
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (range 4096)
VLAN: Port-based and 802.1Q tag-based VLANs; protocol-based VLAN; management VLAN; multicast TV VLAN; Private VLAN Edge (PVE); Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing; classless interdomain routing (CIDR); 60 static routes; IPv4 and IPv6; wire-speed Layer 3 traffic forwarding in silicon
IPv6
IPv6 options: IPv6 over Ethernet; dual stack; IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel; IPv6 neighbor discovery; IPv6 stateless address configuration; maximum transmission unit (MTU) discovery; WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP; dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute; single IP management; SSL security for the web user interface; SSH; RADIUS; port mirroring; TFTP upgrade; Dynamic Host Configuration Protocol (DHCP) client; BOOTP; SNTP; Xmodem upgrade; cable diagnostics; Ping; syslog; Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication; MD5 encryption; guest VLAN; single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP and User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets; DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection; up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP); up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based; 802.1p VLAN priority-based; IPv4/v6 IP precedence/ToS/DSCP-based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policing; egress rate control; per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later; Category 5 Ethernet network cable; TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network; vendor support for CPE software version 12 or later
Product warranty
Limited 5-year hardware warranty with return to factory for replacement, and a limited 90-day software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps Fast Ethernet managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are Cisco-branded, model WRT54GL. This model meets the requirements requested of the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps auto-fallback (IEEE 802.11g), 11Mbps auto-fallback (IEEE 802.11b), 1Mbps (IEEE 802.11b), 6Mbps (IEEE 802.11g)
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104°F (0 to 40°C)
Storage Temp.: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, noncondensing
Storage Humidity: 5 to 90%, noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to a virus, worm, or Trojan horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential, even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates. Guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
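
The weak and strong password characteristics listed above, expressed as a check that a password-change hook could run before accepting a new password. This is an added example, not part of the original document; the function names, finding labels, and the small word lists are assumptions, and stripping more than one leading or trailing digit goes slightly beyond the single-digit case the guideline names.

```python
import re
import string

# Constructed sample lists. A real check would load a full dictionary and the
# organisation's own names; the three ORG_TERMS are the ones the policy names.
DICTIONARY = {"secret", "password", "welcome", "dragon", "router"}
ORG_TERMS = {"bradesco", "sanjose", "sanfran"}
# Alphabet, digit and keyboard-row sequences used to spot "walks" like qwerty.
TRACKS = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
          "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8


def is_pattern(s):
    """Word or number patterns in the sense of the guideline's examples."""
    if len(s) < 4:
        return False
    if re.fullmatch(r"(?:(.)\1+)+", s):               # aaabbb: runs of repeats
        return True
    if any(s in t or s in t[::-1] for t in TRACKS):   # qwerty, zyxwvuts
        return True
    return s == s[::-1]                               # 123321: palindrome


def base_forms(password):
    """Forms the guideline says do not rescue a weak word: the same string
    with leading or trailing digits removed, and each of those reversed."""
    core = password.lower()
    forms = {core,
             core.lstrip(string.digits),
             core.rstrip(string.digits),
             core.strip(string.digits)}
    forms |= {f[::-1] for f in forms}
    forms.discard("")          # an all-digit password strips to nothing
    return forms


def check_password(password):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    forms = base_forms(password)

    if len(password) < MIN_LENGTH:
        findings.append("too-short")
    if forms & DICTIONARY:
        findings.append("dictionary-word")
    # Substring match so that derivations of the organisation terms are caught.
    if any(term in form for form in forms for term in ORG_TERMS):
        findings.append("org-term")
    if any(is_pattern(form) for form in forms):
        findings.append("pattern")

    # Composition rules from the "strong passwords" list.
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        findings.append("no-mixed-case")
    if not re.search(r"\d", password):
        findings.append("no-digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no-punctuation")
    return findings


if __name__ == "__main__":
    # Constructed candidates, one per rule family.
    for candidate in ("secret1", "terces99", "zyxwvuts", "123321",
                      "Bradesco2010!", "Tq7#vLp2x!"):
        result = check_password(candidate)
        print(f"{candidate!r:18} {'OK' if not result else ', '.join(result)}")
```

A password such as "Bradesco2010!" satisfies every composition rule and is still rejected, which is why the word-based checks run alongside the character-class checks rather than instead of them.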
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Remote office floor plan, simulation
Specifications of the digital link for WAN communication
The ISP (Internet Service Provider) that will provide this link is Telmex, chosen for the reliability, security and quality of its services.
Remote office floor plan: simulation, AP distribution
Remote office floor plan: simulation, AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
• Ideal for different applications such as web servers, e-mail, FTP, e-commerce, etc.
• Provided with 8 or more homologated (fixed) IP addresses.
• Can integrate a Security Module and a Data Center Module.
• Support by telephone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
• Includes a web monitoring tool, domain registration with the NIC, and consulting and design for your network.
• Supports server applications.
• On-site technical support.
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and integration with mobile devices required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, it was not possible to integrate the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications
• Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
• Flexible clustering allows several switches to be managed as one to support the growth of the company
• Strong security protects network traffic to prevent access by unauthorized users
• Simplified web-based management eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); autonegotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available to all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, nonblocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at wire speed in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, Web, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3 and 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based; 802.1p VLAN priority based; IPv4/v6 IP precedence/ToS/DSCP based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE marking, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
• Cisco SGE2010P 48-port Gigabit Switch
• AC power adapter with power cord
• Two rack-mounting kits with eight screws
• CD-ROM with user documentation (PDF)
• Registration card
• Console cable
Minimum requirements
• Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
• Category 5 Ethernet network cable
• TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network
• Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the Cisco-brand WRT54GL model. This model meets the requirements submitted to the IT department; likewise, the reputation and quality associated with Cisco have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• User guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g; 11Mbps Auto-fallback IEEE 802.11b; 1Mbps IEEE 802.11b; 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10% to 85%, Noncondensing
Storage Humidity: 5% to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of the most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization Many hackers make ample use of social engineering skills in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company For example a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running He may follow up by asking for the names of key employees at your company Armed with that basic information this unwelcome visitor now knows how to identify your systems what operating system holes they may be able to exploit and what potential user IDs they can try to use to access those systems Watch Your Visitors Temporary workers contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firms full-time employees but may be granted the same high levels of system access In addition they will sometimes know the applications and operating systems running on your network better than your own employees will Watch these ad-hoc employees closely until you are familiar with their qualifications the caliber of their work and most importantly the degree of trust that it is safe to allow Though usually honest and competent these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your companys interest Vendors for example will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities that depended on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain fewer than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
   - Names of family, pets, friends, co-workers, fantasy characters, etc.
   - Computer terms and names, commands, sites, companies, hardware, software.
   - The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
   - Birthdays and other personal information such as addresses and phone numbers.
   - Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
   - Any of the above spelled backwards.
   - Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
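The weak and strong password characteristics listed above, expressed as a checker. This is an added example, not part of the original policy; the sample dictionary, the four-character run threshold and the function names are assumptions.

```python
import re
import string

# Constructed stand-in for a real dictionary file (assumption; load a full word list in practice).
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "dragon", "router", "monkey"}
# Terms the policy names explicitly; derivations of them are rejected too.
BANNED_TERMS = ("bradesco", "sanjose", "sanfran")
# Keyboard rows and alphabets used to spot runs such as "qwerty" or "zyxwvuts".
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "0123456789")
RUN_LENGTH = 4  # assumption: four consecutive keys count as a pattern


def _word_candidates(lowered):
    """Yield the password and its reversal, each with and without digit affixes."""
    for form in (lowered, lowered[::-1]):
        yield form
        yield re.sub(r"^\d+|\d+$", "", form)  # 'secret1', '1secret' -> 'secret'


def _has_sequence(lowered):
    """True if the password contains a forward or backward keyboard/alphabet run."""
    for seq in SEQUENCES:
        for run in (seq, seq[::-1]):
            for i in range(len(run) - RUN_LENGTH + 1):
                if run[i:i + RUN_LENGTH] in lowered:
                    return True
    return False


def weaknesses(password):
    """Return the policy findings for a candidate password (empty list = acceptable)."""
    findings = []
    lowered = password.lower()

    # Weak-password characteristics.
    if len(password) < 8:
        findings.append("shorter than eight characters")
    if any(c in SAMPLE_DICTIONARY for c in _word_candidates(lowered)):
        findings.append("dictionary word (also reversed or with a digit before/after)")
    if any(t in lowered or t in lowered[::-1] for t in BANNED_TERMS):
        findings.append("contains an organization or place term named in the policy")
    if (re.search(r"(.)\1\1", lowered) or _has_sequence(lowered)
            or (len(lowered) > 1 and lowered == lowered[::-1])):
        findings.append("repeated, sequential or mirrored pattern")

    # Strong-password requirements that can be checked mechanically.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        findings.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        findings.append("needs a punctuation character")
    return findings


if __name__ == "__main__":
    # Constructed candidates, including the example the policy says not to reuse.
    for candidate in ("secret1", "terces99", "Bradesco2010!", "Zyxwvuts#1A", "TmB1w2R"):
        print(candidate, "->", weaknesses(candidate))
```

Rules about personal information and about writing passwords down cannot be checked from the string alone and remain a matter of user training.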
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
   - Don't reveal a password to anyone over the phone.
   - Don't reveal a password in an email message.
   - Don't reveal a password to the boss.
   - Don't talk about a password in front of others.
   - Don't hint at the format of a password (e.g., "my family name").
   - Don't reveal a password on questionnaires or security forms.
   - Don't share a password with family members.
   - Don't reveal a password to a co-worker when you go on vacation.
   - Don't write down a password and store it anywhere in your office.
   - Don't store passwords in a file on any computer, including a handheld computer, without encryption.
   - Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords.
Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
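One way an application can meet standard 2 (no clear-text or easily reversible storage), as an added example that is not part of the original policy: a salted PBKDF2-HMAC-SHA256 record with constant-time verification. The algorithm choice, iteration counts, record layout and function names are assumptions; the policy names none.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # assumption: work factor for new records, tune per hardware
MAX_ITERATIONS = 5_000_000  # refuse absurd values from a tampered record
SALT_BYTES = 16


def _derive(password, salt, iterations):
    """One-way key derivation; the password cannot be recovered from the output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = _derive(password, salt, iterations)
    return "$".join((ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def _parse(record):
    """Split a stored record into (iterations, salt, digest) or raise ValueError."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unknown algorithm")
    iterations = int(iterations)
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    return (iterations,
            base64.b64decode(salt_b64, validate=True),
            base64.b64decode(digest_b64, validate=True))


def verify_password(password, record):
    """Check a login attempt against a stored record using a constant-time compare."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False  # malformed or clear-text legacy record: fail closed
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_rehash(record):
    """True when a record should be re-hashed at the next successful login."""
    try:
        iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return iterations < ITERATIONS


if __name__ == "__main__":
    stored = hash_password("constructed-Example-pass1!")  # constructed sample value
    print(stored.split("$")[:2], verify_password("constructed-Example-pass1!", stored))
```

Because each record carries its own salt and iteration count, two users with the same password get different records, and the work factor can be raised later without forcing a password reset.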
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.
A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning"
All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
   - Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP).
   - Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access.
   - Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security].
All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Digital link specifications for WAN communication
The ISP (Internet Service Provider) that will provide this link is Telmex, chosen for the reliability, security and quality of its services.
Figure: remote office floor plan, simulated AP distribution
Figure: remote office floor plan, simulated AP signal propagation
The link we plan to contract is an E1 (2048 kbps) with the following characteristics:
- Ideal for applications such as web, e-mail and FTP servers, e-commerce, etc.
- Public (static) IP addresses are provided, starting from 8.
- Can integrate a Security Module and a Data Center Module.
- Telephone or on-site support 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
- Includes a web monitoring tool, domain registration with the NIC, and consulting and design for your network.
- Supports server applications.
- On-site technical support.
- Optional services: Traffic Shaper, Backup Service, Firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, it was not possible to include the 1000 nodes that make up the network infrastructure of Banco Bradesco.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit switch.
Highlights
- 48 high-speed ports optimized for the network core or for bandwidth-intensive applications.
- Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other networked endpoints.
- Flexible clustering lets several switches be managed as one to support the growth of the company.
- Strong security protects network traffic to prevent access by unauthorized users.
- Simplified web-based management eases installation and configuration.
Specifications of the Cisco SGE2010P 48-port Gigabit PoE switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports with 4 Gigabit combo ports shared with mini-GBIC ports, console port, automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X), auto-negotiation/manual configuration, RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port, 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Hot insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed forwarding of Layer 3 traffic in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, Differentiated Services Code Point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP,
802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 in. (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network. Provider support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys routers the company has decided to use are the Cisco-brand model WRT54GL. This model meets the requirements submitted to the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Channels: 11, USA & Canada
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in. (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to a virus, worm or Trojan horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
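An access review that applies items 2, 4 and 5 of the Identity Policy to account records. This is an added example, not part of the policy: the record fields, function names and sample accounts are constructed, and the lockout threshold of 5 is an assumption because the policy says only "multiple".

```python
import calendar
from datetime import date

INACTIVITY_MONTHS = 6   # item 2: no administrative access in six months
LOCKOUT_THRESHOLD = 5   # assumption: the policy only says "multiple" attempts


def months_before(day, months):
    """Date `months` calendar months before `day`, clamped to the month's end."""
    index = day.year * 12 + (day.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day))


def review_account(account, today):
    """Return the list of actions the policy requires for one account."""
    # Item 4: terminated employees lose access immediately; nothing else applies.
    if account["status"] == "terminated":
        return ["delete_access"]
    actions = []
    # Item 4: transfers lose capabilities tied to the previous position.
    if account["status"] == "transferred":
        actions.append("remove_previous_position_access")
    # Item 2: access on the cutoff day itself still counts as recent.
    last = account["last_admin_access"]
    if last is None or last < months_before(today, INACTIVITY_MONTHS):
        actions.append("remove_until_reauthorized")
    # Item 5: lock the logon ID after repeated unsuccessful attempts.
    if account["failed_logons"] >= LOCKOUT_THRESHOLD:
        actions.append("lock_logon_id")
    return actions


def review_all(accounts, today):
    """Map each user ID to its required actions."""
    return {a["user_id"]: review_account(a, today) for a in accounts}


# Constructed sample records (not real Bradesco data).
ACCOUNTS = [
    {"user_id": "u1001", "status": "active",
     "last_admin_access": date(2010, 10, 20), "failed_logons": 0},
    {"user_id": "u1002", "status": "active",
     "last_admin_access": date(2010, 4, 29), "failed_logons": 0},
    {"user_id": "u1003", "status": "active",
     "last_admin_access": date(2010, 4, 30), "failed_logons": 6},
    {"user_id": "u1004", "status": "terminated",
     "last_admin_access": date(2010, 10, 30), "failed_logons": 9},
    {"user_id": "u1005", "status": "transferred",
     "last_admin_access": None, "failed_logons": 0},
]

if __name__ == "__main__":
    for user, actions in review_all(ACCOUNTS, date(2010, 10, 31)).items():
        print(user, actions or ["no_action"])
```

The session inactivity logoff in item 5 is enforced by the host itself and is not modeled here.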
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters
2. They are a word found in a dictionary (English or foreign)
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation
7. Birthdays and other personal information such as addresses and phone numbers
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z)
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line
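The weak and strong password characteristics listed above, turned into a checker that reports every rule a candidate password breaks. This is an added example, not part of the policy: the function names are hypothetical, WORDLIST is a small constructed stand-in for a real dictionary file, and stripping punctuation as well as digits from both ends generalizes the "preceded or followed by a digit" rule.

```python
import re
import string

MIN_LENGTH = 8  # from the policy: weak passwords have fewer than eight characters

# Constructed stand-in for a real dictionary file; includes the policy's own examples.
WORDLIST = {"secret", "password", "welcome", "router",
            "bradesco", "sanjose", "sanfran"}

# The alphabet, the digits and the keyboard rows. A run taken from any of them,
# forwards or backwards, counts as a pattern (qwerty, zyxwvuts).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Whole string made of blocks of one repeated character: aaabbb, 1122, zzzz.
_REPEATED_BLOCKS = re.compile(r"(?:(.)\1+)+")


def _is_pattern(text):
    """True for repeated blocks, mirrored strings and keyboard/alphabet runs."""
    if len(text) < 4:
        return False
    if _REPEATED_BLOCKS.fullmatch(text):
        return True
    if text == text[::-1]:  # mirrored, e.g. 123321
        return True
    return any(text in seq or text in seq[::-1] for seq in SEQUENCES)


def _candidates(password):
    """Forms to test: lowercased, with edge digits/punctuation stripped, and reversed."""
    lowered = password.lower()
    core = lowered.strip(string.digits + string.punctuation)
    forms = {lowered, core} - {""}
    return forms | {form[::-1] for form in forms}


def check_password(password, wordlist=WORDLIST):
    """Return the list of policy rules the password violates (empty if none)."""
    forms = _candidates(password)
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if any(form in wordlist for form in forms):
        findings.append("dictionary_word")
    if any(_is_pattern(form) for form in forms):
        findings.append("pattern")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        findings.append("missing_case_mix")
    if not any(c.isdigit() for c in password):
        findings.append("missing_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("missing_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed test inputs; the first four come from the policy's weak examples.
    for candidate in ("secret1", "1terceS", "zyxwvuts", "123321",
                      "Bradesco2010!", "gV7#rq!Lz2"):
        print(candidate, check_password(candidate) or ["ok"])
```

A whole-string wordlist match will not catch a dictionary word buried inside a longer password, so in practice this check runs alongside the periodic cracking scans the policy describes.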
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone
5. Don't reveal a password in an email message
6. Don't reveal a password to the boss
7. Don't talk about a password in front of others
8. Don't hint at the format of a password (e.g., "my family name")
9. Don't reveal a password on questionnaires or security forms
10. Don't share a password with family members
11. Don't reveal a password to a co-worker when you go on vacation
12. Don't write down a password and store it anywhere in your office
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
14 Donrsquot use the ldquoRemember Passwordrdquo feature of an application such as Eudora Outlook or Netscape Messenger
If someone demands a password, refer them to this document or have them call the Information Security Department.
If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords.
Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access.
A passphrase typically consists of multiple words, making it more secure against “dictionary attacks.” A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: “The>TrafficOnThe101Was&ThisMorning”
All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate’s Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco’s key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco’s network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won’t protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco’s corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco’s network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco’s remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco’s networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse’s remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using “tunneling” technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco’s VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco’s network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
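Items 3 and 4 of the VPN policy (all traffic forced over the tunnel, no split tunneling) can be verified on a connected Linux client by working out which routes actually win the longest-prefix match. The following is an added example, not part of the original policy or of any Bradesco tooling; the interface name tun0, the concentrator address 203.0.113.10 and both `ip -4 route show` outputs are constructed assumptions.

```python
import ipaddress

TUNNEL_IF = "tun0"                                      # assumption: VPN interface name
VPN_GATEWAY = ipaddress.ip_network("203.0.113.10/32")   # assumption: concentrator address

# Constructed `ip -4 route show` output: client that forces everything into the tunnel.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed output: only 10.0.0.0/8 is tunnelled, the rest leaves via the home router.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Parse route lines into (network, device, metric, on_link) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue  # blackhole/unreachable entries carry no interface
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        on_link = "scope" in tok and tok[tok.index("scope") + 1] == "link"
        routes.append((ipaddress.ip_network(dest), tok[tok.index("dev") + 1],
                       metric, on_link))
    return routes


def carried(route, routes):
    """Address blocks for which `route` wins the longest-prefix match."""
    net, _, metric, _ = route
    remaining = [net]
    for other in routes:
        onet, _, ometric, _ = other
        if other is route or not onet.subnet_of(net):
            continue
        if onet == net and ometric >= metric:
            continue  # same prefix, but this route has the better (or equal) metric
        # Remove the part of each remaining block that `other` takes over.
        remaining = [piece
                     for r in remaining
                     for piece in ([r] if not onet.overlaps(r) else
                                   [] if r.subnet_of(onet) else
                                   r.address_exclude(onet))]
    return remaining


def tunnel_findings(text, tunnel_if=TUNNEL_IF, gateway=VPN_GATEWAY):
    """List (kind, prefix, device) for traffic that can bypass the tunnel."""
    routes = parse_routes(text)
    findings = []
    for route in routes:
        net, dev, _, on_link = route
        if dev == tunnel_if:
            continue
        # The host route that carries the encrypted tunnel itself is expected.
        blocks = [b for b in carried(route, routes) if b != gateway]
        if blocks:
            kind = "local-network" if on_link else "off-tunnel"
            findings.append((kind, str(net), dev))
    return findings


if __name__ == "__main__":
    print("full tunnel :", tunnel_findings(FULL_TUNNEL))
    print("split tunnel:", tunnel_findings(SPLIT_TUNNEL))
```

An "off-tunnel" finding is the split-tunnel case the policy forbids; a "local-network" finding is the directly attached home network, which the Remote Access Policy tolerates only when that network is under the user's complete control.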
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security].
All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco’s network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
The link planned for contracting is an E1 (2048 kbps) with the following characteristics:
• Ideal for different applications such as web, email, FTP, and e-commerce servers, etc.
• Delivered with 8 or more approved (fixed) IP addresses.
• Can integrate a Security Module and a Data Center Module.
• Support by phone or on site 24 hours a day, 365 days a year, with a maximum response time of 4 hours.
• Includes a WEB monitoring tool, domain registration with the NIC, and consulting and design of your network.
• Supports server applications.
• On-site technical support.
• Optional services: traffic shaper, backup service, firewall equipment, Security Operations Center (SOC).
This link has the characteristics needed to meet the needs of our network, which has a total of 1000 users.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility, and mobile-device integration demanded by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulation software, it was not possible to include the 1000 nodes that make up the network infrastructure of Banco Bradesco.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents, and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
• 48 high-speed ports optimized for the network core or for bandwidth-intensive applications.
• Power over Ethernet easily and economically supplies power to wireless access points, video cameras, and other networked endpoints.
• Flexible clustering allows several switches to be managed as if they were one, to support the growth of the company.
• High security protects network traffic to prevent access by unauthorized users.
• Simplified web-based management that eases installation and configuration.
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed Layer 3 traffic forwarding in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c, and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms, and events) for enhanced traffic management, monitoring, and analysis
Firmware upgrade: Upgrade with a web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP); up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast, and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based; 802.1p VLAN priority based; IPv4/v6 IP precedence/ToS/DSCP based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policer, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter, and a network-capable operating system (such as Microsoft Windows, Linux, or MAC OS X) installed on each computer on the network. Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the Cisco-branded WRT54GL model. This model meets the requirements requested from the IT department; likewise, Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Characteristics
Package Contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12 V DC, 1.0 A
Miscellaneous Details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54 Mbps auto-fallback IEEE 802.11g, 11 Mbps auto-fallback IEEE 802.11b, 1 Mbps IEEE 802.11b, 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Channels: 11 (USA & Canada)
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC (Device)
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12 V DC, 0.5 A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104 ºF (0 to 40 ºC)
Storage Temp: -4 to 158 ºF (-20 to 70 ºC)
Operating Humidity: 10% to 85%, noncondensing
Storage Humidity: 5% to 90%, noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in Internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of the most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco’s network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco’s network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips.”
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco’s network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster’s account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters” or “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco’s networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco’s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco’s network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco’s Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco’s entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of “public,” “private,” and “system,” and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words “Bradesco” and geographical indicators such as “sanjose”, “sanfran”, or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
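The weak and strong password characteristics listed above can be enforced at password-change time. The following checker is an added example, not part of the original policy document; the tiny word list, the keyboard sequences, and all function and constant names are assumptions made for illustration, and a real deployment would load a full dictionary.

```python
import re

# Constructed sample data: a real checker would load a full dictionary file.
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "dragon", "router", "monday"}
# Words the policy calls out explicitly (organisation name, location nicknames).
ORG_WORDS = {"bradesco", "sanjose", "sanfran"}
# Alphabet and keyboard runs used to catch "qwerty"- or "zyxwvuts"-style patterns.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl",
             "zxcvbnm", "0123456789"]
MIN_LENGTH = 8  # minimum length stated in the policy

REASON_SHORT = "shorter than 8 characters"
REASON_DICT = "dictionary word (possibly reversed or with digits added)"
REASON_ORG = "contains the organisation name or a location nickname"
REASON_PATTERN = "word or number pattern"
REASON_CLASSES = "missing a character class (upper, lower, digit, punctuation)"


def _strip_digits(word):
    """Drop leading/trailing digits so 'secret1' and '1secret' become 'secret'."""
    return re.sub(r"^\d+|\d+$", "", word)


def _is_sequence(word, min_run=4):
    """True if the whole word is one run of a known sequence, in either direction."""
    if len(word) < min_run:
        return False
    return any(word in seq or word in seq[::-1] for seq in SEQUENCES)


def weak_password_reasons(password):
    """Return the list of policy rules the password breaks (empty list = acceptable)."""
    reasons = []
    lowered = password.lower()
    core = _strip_digits(lowered)
    # Rules 9 and 10: also test the reversed form and the form without added digits.
    candidates = {lowered, lowered[::-1], core, core[::-1]}

    if len(password) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if candidates & SAMPLE_DICTIONARY:
        reasons.append(REASON_DICT)
    if any(w in lowered or w in lowered[::-1] for w in ORG_WORDS):
        reasons.append(REASON_ORG)

    repeated = re.search(r"(.)\1\1", lowered) is not None      # aaabbb
    mirrored = len(lowered) >= 4 and lowered == lowered[::-1]  # 123321
    if repeated or mirrored or _is_sequence(core or lowered):  # qwerty, zyxwvuts
        reasons.append(REASON_PATTERN)

    has_all_classes = all(re.search(p, password) for p in
                          (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if not has_all_classes:
        reasons.append(REASON_CLASSES)
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, taken from or modelled on the policy's examples.
    for candidate in ["secret1", "1terces", "zyxwvuts", "123321", "Bradesco2010!"]:
        print(candidate, "->", weak_password_reasons(candidate) or "acceptable")
```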
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R” or “Tmb1W>r~” or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of “don’ts”:
4. Don’t reveal a password to anyone over the phone.
5. Don’t reveal a password in an email message.
6. Don’t reveal a password to the boss.
7. Don’t talk about a password in front of others.
8. Don’t hint at the format of a password (e.g., “my family name”).
9. Don’t reveal a password on questionnaires or security forms.
10. Don’t share a password with family members.
11. Don’t reveal a password to a co-worker when you go on vacation.
12. Don’t write down a password and store it anywhere in your office.
13. Don’t store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don’t use the “Remember Password” feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against “dictionary attacks.” A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: “The>TrafficOnThe101Was&ThisMorning”. All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates’ Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco’s key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dial-up modems, Frame Relay, ISDN, DSL, VPN, SSH, wireless access points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to their systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
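A host-side check for VPN Policy items 3 and 4 above (all traffic forced through the tunnel, no split tunneling or dual homing), as an added example that is not part of the original policy: it reads an IPv4 routing table in the style of Linux `ip -4 route show` and reports every route that still carries traffic outside the tunnel. The interface name tun0, the gateway address and the sample tables are constructed assumptions.

```python
"""Audit a routing table for split tunneling / dual homing (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    dev: str
    via: Optional[str]   # next hop; None means a directly connected network
    metric: int


def _opt(tokens, key):
    """Return the token that follows `key`, or None if the key is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None


def parse_routes(text: str) -> List[Route]:
    """Parse IPv4 unicast lines; skip loopback and unsupported route types."""
    best = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            net = ipaddress.ip_network(
                "0.0.0.0/0" if tokens[0] == "default" else tokens[0])
        except ValueError:
            continue      # e.g. "unreachable ..." or "local ..." entries
        dev = _opt(tokens, "dev")
        if net.version != 4 or dev is None or dev == "lo":
            continue
        route = Route(net, dev, _opt(tokens, "via"),
                      int(_opt(tokens, "metric") or 0))
        # For duplicate prefixes the lowest metric is the route actually used.
        if net not in best or route.metric < best[net].metric:
            best[net] = route
    return list(best.values())


def audit_split_tunnel(route_text: str, tunnel_dev: str, vpn_gateway: str
                       ) -> Optional[List[Tuple[str, str, str]]]:
    """Return (level, prefix, device) findings, or None if the tunnel is down.

    "violation": traffic leaves through a gateway outside the tunnel.
    "review":    a directly attached network stays reachable; acceptable only
                 for a personal network under the user's complete control.
    """
    routes = parse_routes(route_text)
    if not any(r.dev == tunnel_dev for r in routes):
        return None                     # policy applies only while connected
    carrier = ipaddress.ip_network(vpn_gateway)  # host route carrying the tunnel
    findings = []
    for r in routes:
        if r.dev == tunnel_dev or r.net == carrier:
            continue
        # A route is dead when more-specific routes cover its whole prefix,
        # e.g. 0.0.0.0/1 + 128.0.0.0/1 layered over the ISP default route.
        inner = [o.net for o in routes
                 if o.net != r.net and o.net.subnet_of(r.net)]
        if list(ipaddress.collapse_addresses(inner)) == [r.net]:
            continue
        level = "review" if r.via is None else "violation"
        findings.append((level, str(r.net), r.dev))
    return findings


# Constructed sample tables (documentation address ranges, tun0 = VPN interface).
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL),
                        ("split tunnel", SPLIT_TUNNEL)):
        print(name, audit_split_tunnel(table, "tun0", "203.0.113.10"))
```

The ISP default route in the full-tunnel table is not reported because the two /1 tunnel routes cover it completely; the same default route in the split-tunnel table is reported because only 10.0.0.0/8 goes through the tunnel.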
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Budget and Gantt chart for the project implementation
Gantt chart
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other network-connected endpoints
Flexible clustering lets several switches be managed as if they were one, to support the growth of the business
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available to all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed forwarding of Layer 3 traffic in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, Web, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in up to 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policer, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mount kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer on the network. Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps Fast Ethernet managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the CISCO-brand WRT54GL model. This model meets the requirements requested of the IT department, and the reputation and quality associated with CISCO have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Features
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous Details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remain inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
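The weak and strong password characteristics listed above can be checked mechanically. The following Python example is added here and is not part of the original policy; the sample word list, the function names and the personal_terms parameter are assumptions made for illustration, and the item numbers in the comments refer to the weak-password list above.

```python
import string

# Constructed sample data. A deployment would load a full dictionary and
# per-user personal terms (names, birthdays, phone numbers) instead.
SAMPLE_WORDS = {"secret", "password", "dragon", "welcome", "router", "oracle"}
ORG_TERMS = {"bradesco", "sanjose", "sanfran"}  # terms named in the policy
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
        "abcdefghijklmnopqrstuvwxyz")


def digit_affix_variants(text):
    """Item 10: the text plus forms with a leading/trailing digit removed."""
    variants = {text}
    if text[:1].isdigit():
        variants.add(text[1:])
    if text[-1:].isdigit():
        variants.add(text[:-1])
    if len(text) > 2 and text[0].isdigit() and text[-1].isdigit():
        variants.add(text[1:-1])
    return variants


def in_run(text):
    """True if text is a slice of a keyboard row or the alphabet, either way."""
    return any(text in run or text in run[::-1] for run in RUNS)


def is_pattern(text):
    """Item 8: patterns such as aaabbb, qwerty, zyxwvuts, 123321."""
    if len(text) < 4:
        return False
    blocks = 1 + sum(1 for a, b in zip(text, text[1:]) if a != b)
    if blocks <= 2:      # aaabbb: at most two blocks of one repeated character
        return True
    if in_run(text):     # qwerty, zyxwvuts: keyboard or alphabet run
        return True
    half = text[:(len(text) + 1) // 2]
    # 123321: a run followed by its mirror image
    return len(half) >= 3 and text == text[::-1] and in_run(half)


def check_password(password, words=SAMPLE_WORDS, personal_terms=()):
    """Return the list of policy findings; an empty list means no finding."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than eight characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        findings.append("needs upper and lower case")
    if not any(c.isdigit() for c in password):
        findings.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        findings.append("needs punctuation")

    lowered = password.lower()
    forms = (lowered, lowered[::-1])          # item 9: also test it backwards
    candidates = set()
    for form in forms:
        candidates |= digit_affix_variants(form)

    if candidates & {w.lower() for w in words}:
        findings.append("dictionary word")
    # Items 6 and 7 say "or any derivation", so these are substring matches.
    sensitive = ORG_TERMS | {t.lower() for t in personal_terms if t}
    if any(term in form for term in sensitive for form in forms):
        findings.append("organization or personal term")
    if any(is_pattern(c) for c in candidates):
        findings.append("word or number pattern")
    return findings


if __name__ == "__main__":
    # Constructed test passwords, not taken from any real account.
    for sample in ("secret1", "1terceS", "Bradesco2010!", "123321",
                   "Vq7#mRz!pL2x"):
        print(f"{sample!r}: {check_password(sample) or 'no findings'}")
```

A check like this only covers what can be tested from the string itself; whether a password is written down or reused elsewhere cannot be determined by the code.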
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department.
If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords.
Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.
A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning"
All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, wireless access points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to their systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem Cable companies provide Internet access in their service areas over cable TV coaxial cable A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps
CHAP Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function
DLCI Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network
Dialup Modem A peripheral device that connects computers to each other for sending communications via the telephone lines The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables secure private networking via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with the Network security administrator/team Security Policies.
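A compliance check for items 3, 4, 7 and 8 above, as an added example that is not part of the original policy or of any Bradesco tooling: it audits session records against the 30-minute idle and 24-hour absolute limits and lists client routes that bypass the tunnel. The record layout, interface names, addresses and the keepalive heuristic are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

IDLE_LIMIT = timedelta(minutes=30)    # item 7: disconnect after 30 minutes of inactivity
ABSOLUTE_LIMIT = timedelta(hours=24)  # item 8: absolute connection time of 24 hours
KEEPALIVE_MIN_SAMPLES = 10            # assumed threshold for the keepalive heuristic


def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def audit_session(session):
    """Return the policy findings for one VPN session record (hypothetical layout)."""
    login, logout = session["login"], session["logout"]
    activity = sorted(session["activity"])
    findings = []

    if logout - login > ABSOLUTE_LIMIT:
        findings.append("absolute_limit_exceeded")

    # A quiet period longer than the idle limit means the session stayed up
    # when the concentrator should already have dropped it.
    points = [login] + activity + [logout]
    if any(later - earlier > IDLE_LIMIT for earlier, later in zip(points, points[1:])):
        findings.append("idle_timeout_not_enforced")

    # Perfectly regular traffic over many samples suggests a scripted ping or
    # similar artificial process holding the connection open (item 7).
    gaps = {later - earlier for earlier, later in zip(activity, activity[1:])}
    if len(activity) >= KEEPALIVE_MIN_SAMPLES and len(gaps) == 1:
        findings.append("artificial_keepalive_suspected")
    return findings


def split_tunnel_routes(routes, tunnel_if, gateway_ip):
    """List routes that leave through anything other than the tunnel.

    Assumption: under items 3 and 4 the only routes allowed outside the tunnel
    are loopback and the host route that carries the tunnel to the gateway.
    """
    gateway_host = ip_network(f"{gateway_ip}/32")
    offending = []
    for destination, interface in routes:
        network = ip_network(destination)
        if interface == tunnel_if or network.is_loopback or network == gateway_host:
            continue
        offending.append((destination, interface))
    return offending


# Constructed sample data (not real concentrator or client output).
BOB_LOGIN = ts("2010-10-04 08:00")
SESSIONS = {
    # Session left up through a 3.5 hour quiet period.
    "alice": {"login": ts("2010-10-04 08:00"), "logout": ts("2010-10-04 12:10"),
              "activity": [ts("2010-10-04 08:05"), ts("2010-10-04 08:20"),
                           ts("2010-10-04 11:50")]},
    # 25.5 hour session kept alive by traffic every 25 minutes exactly.
    "bob": {"login": BOB_LOGIN, "logout": ts("2010-10-05 09:30"),
            "activity": [BOB_LOGIN + timedelta(minutes=25 * k) for k in range(1, 62)]},
    # Dropped exactly 30 minutes after the last activity: compliant.
    "carol": {"login": ts("2010-10-04 09:00"), "logout": ts("2010-10-04 10:05"),
              "activity": [ts("2010-10-04 09:10"), ts("2010-10-04 09:35")]},
}

FULL_TUNNEL = [("0.0.0.0/0", "tun0"), ("203.0.113.10/32", "eth0"), ("127.0.0.0/8", "lo")]
SPLIT_TUNNEL = [("10.0.0.0/8", "tun0"), ("0.0.0.0/0", "eth0"),
                ("203.0.113.10/32", "eth0"), ("192.168.1.0/24", "eth0")]

if __name__ == "__main__":
    for user, record in SESSIONS.items():
        print(user, audit_session(record))
    print("full tunnel :", split_tunnel_routes(FULL_TUNNEL, "tun0", "203.0.113.10"))
    print("split tunnel:", split_tunnel_routes(SPLIT_TUNNEL, "tun0", "203.0.113.10"))
```
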
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; because of space constraints and limitations of the simulator software, the 1000 nodes that make up Banco Bradesco's network infrastructure could not all be included.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras and other networked endpoints
Flexible clustering lets several switches be managed as one to support company growth
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (range 4096)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at silicon wire speed
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for enhanced traffic management, monitoring and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP,
802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 in (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240 V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48 V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE marking, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter and network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer on the network. Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps Fast Ethernet managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units that the company has decided to use are the Cisco-branded WRT54GL model. This model meets the requirements submitted to the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution, and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
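The weak and strong characteristics listed above can be checked mechanically when a password is set. The following is an added example, not part of the original policy or any Bradesco system; the word list, the `check_password` name, and the finding labels are assumptions made for illustration, and a real deployment would load a full dictionary.

```python
import string
from itertools import groupby

# Constructed stand-ins (assumptions): a real check would load a full
# dictionary file and the organization's own list of site terms.
SAMPLE_WORDS = {"secret", "password", "welcome", "router", "linux", "rex"}
SITE_TERMS = ("bradesco", "sanjose", "sanfran")  # terms named in the policy
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        string.ascii_lowercase, string.digits)
MIN_LENGTH = 8


def _cores(password):
    """Lower-cased password plus the same string with leading/trailing
    digits removed, so 'secret1' and '1secret' reduce to 'secret'."""
    low = password.lower()
    return {c for c in (low, low.strip(string.digits)) if c}


def _is_pattern(s):
    """Keyboard/alphabet runs (forwards or backwards), palindromes such as
    123321, and strings built only of repeated blocks such as aaabbb."""
    if len(s) < 4:
        return False
    if any(s in run or s in run[::-1] for run in RUNS):
        return True
    if s == s[::-1]:
        return True
    return all(len(list(group)) >= 2 for _, group in groupby(s))


def check_password(password, words=SAMPLE_WORDS, personal=()):
    """Return a list of guideline violations; an empty list means the
    password passed every check implemented here."""
    findings = []
    cores = _cores(password)
    low = password.lower()

    if len(password) < MIN_LENGTH:
        findings.append("too-short")
    # Dictionary words, also spelled backwards.
    if any(c in words or c[::-1] in words for c in cores):
        findings.append("dictionary-word")
    # Company name and geographic indicators, "or any derivation".
    if any(t in c or t in c[::-1] for t in SITE_TERMS for c in cores):
        findings.append("site-term")
    # Birthdays, names and similar items supplied by the caller.
    if any(p and p.lower() in low for p in personal):
        findings.append("personal-info")
    if any(_is_pattern(c) for c in cores):
        findings.append("pattern")
    if not (any(ch.islower() for ch in password)
            and any(ch.isupper() for ch in password)):
        findings.append("single-case")
    if not (any(ch.isdigit() for ch in password)
            and any(ch in string.punctuation for ch in password)):
        findings.append("needs-digit-and-punctuation")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("secret1", "1terces", "zyxwvuts", "Bradesco2010!"):
        print(candidate, check_password(candidate))
```
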
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
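Item 2 of the application development standards, illustrated as an added example that is not code from the original document: an easily reversible store (base64) beside a salted, iterated one-way hash. The record format, function names, and iteration count are assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: raise or lower to suit your hardware
SCHEME = "pbkdf2_sha256"


def reversible_store(password):
    """What the standard forbids: anyone who reads the stored value
    recovers the password with one call."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def reversible_recover(stored):
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password, *, salt=None, iterations=ITERATIONS):
    """One-way form: per-user random salt plus PBKDF2-HMAC-SHA256.
    The record keeps the parameters so they can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record):
    """Split a stored record; raises ValueError on anything malformed."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME or int(iterations) <= 0:
        raise ValueError("unsupported record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant
    time. Malformed records fail closed instead of raising."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was created with a lower work factor and should
    be re-hashed at the user's next successful login."""
    try:
        stored_iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    sample = "constructed-Sample#1"  # constructed value, not a real credential
    print("reversible:", reversible_recover(reversible_store(sample)))
    record = hash_password(sample)
    print("one-way   :", record)
    print("verify ok :", verify_password(sample, record))
```
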
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types: Basic Rate Interface (BRI) is used for home office/remote access; Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with the Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Budget
The following table presents the approximate cost of the project.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility, and mobile-device integration that the processes and activities carried out in this area of the company require. The physical topology would look approximately as follows; because of space constraints and limitations of the simulator software, it was not possible to include the 1000 nodes that make up Banco Bradesco's network infrastructure.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents, and minimum requirements of the Cisco SGE2010P 48-Port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras, and other network-connected endpoints
Flexible clustering lets several switches be managed as one to support the company's growth
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-Port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available to all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the stack units
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at wire speed in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACLs), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c, and 3 with trap support
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The built-in RMON software agent supports 4 RMON groups (history, statistics, alarms, and events) for better traffic management, monitoring, and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, simple IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, IP precedence/differentiated services code point (DSCP), TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using the IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast, and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-Port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter, and a network-capable operating system (such as Microsoft Windows, Linux, or Mac OS X) installed on each computer in the network. Vendor support for CPE software version 12 or later
Product warranty
Limited 5-year hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps Fast Ethernet managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the Cisco-brand WRT54GL model. This model meets the requirements submitted to the IT department, and Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback (IEEE 802.11g), 11Mbps Auto-fallback (IEEE 802.11b), 1Mbps (IEEE 802.11b), 6Mbps (IEEE 802.11g)
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC
Device Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104°F (0 to 40°C)
Storage Temp.: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with “Laptop Security Tips”.
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. “Disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding “chain letters” or “Ponzi” or other “pyramid” schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then “double delete” them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization Many hackers make ample use of social engineering skills in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company For example a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running He may follow up by asking for the names of key employees at your company Armed with that basic information this unwelcome visitor now knows how to identify your systems what operating system holes they may be able to exploit and what potential user IDs they can try to use to access those systems Watch Your Visitors Temporary workers contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firms full-time employees but may be granted the same high levels of system access In addition they will sometimes know the applications and operating systems running on your network better than your own employees will Watch these ad-hoc employees closely until you are familiar with their qualifications the caliber of their work and most importantly the degree of trust that it is safe to allow Though usually honest and competent these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your companys interest Vendors for example will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include: user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
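
The weak and strong password characteristics listed above can be checked mechanically when a password is set. The following Python checker is an added example, not part of the original policy; the word list is a small constructed sample, and `check_password`, its rule names and the `personal` parameter are assumptions made for illustration.

```python
import re
import string
from itertools import groupby

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"secret", "password", "dragon", "welcome", "router", "oracle"}
# Organisation and place names taken from the policy text.
BANNED_NAMES = ("bradesco", "sanjose", "sanfran")
# Character sequences used to spot runs such as qwerty or zyxwvuts.
SEQUENCES = (string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _variants(password):
    """Forms covered by 'spelled backwards' and 'preceded or followed by a digit'."""
    lower = password.lower()
    core = lower.strip(string.digits)        # 'secret1' / '1secret' -> 'secret'
    forms = {lower, core} - {""}
    return forms | {f[::-1] for f in forms}  # 'terces' -> 'secret'


def _is_pattern(text):
    """Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321."""
    if len(text) < 4:
        return False
    if all(len(list(run)) >= 2 for _, run in groupby(text)):  # aaabbb
        return True
    if text == text[::-1]:                                    # 123321
        return True
    return any(text in seq or text in seq[::-1] for seq in SEQUENCES)


def check_password(password, personal=()):
    """Return the list of policy rules the candidate password violates.

    `personal` holds strings known about the user (names, birthdays,
    phone numbers) that must not appear in the password.
    """
    findings = []
    forms = _variants(password)

    if len(password) < 8:
        findings.append("too_short")
    if forms & DICTIONARY:
        findings.append("dictionary_word")
    if any(name in form for form in forms for name in BANNED_NAMES):
        findings.append("org_or_place_name")

    tokens = [re.sub(r"[^a-z0-9]", "", item.lower()) for item in personal]
    if any(len(t) >= 3 and t in form for form in forms for t in tokens):
        findings.append("personal_info")

    if any(_is_pattern(form) for form in forms):
        findings.append("pattern")

    # Strong-password requirements from the second list.
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        findings.append("needs_mixed_case")
    if not (re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password)):
        findings.append("needs_digit_and_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed candidates, one per rule family in the policy.
    for candidate in ("secret1", "1terces", "zyxwvuts", "123321",
                      "Bradesco2010!", "gR7!vK2#pLw9"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

An empty list means the candidate passes every rule implemented here; the rule "never written down or stored on-line" cannot be checked in code and stays a matter of user practice.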
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access, and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Integrating APs in PT in an ESS topology
The access points were integrated into the ESS (Extended Service Set) topology in the remote office area because of the flexibility, mobility and mobile-device integration required by the processes and activities carried out in this area of the company. The physical topology would look approximately like this; for reasons of space and limitations of the simulator software, the 1000 nodes that make up Banco Bradesco's network infrastructure could not all be integrated.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents and minimum requirements of the Cisco SGE2010P 48-port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet easily and economically supplies power to wireless access points, video cameras and other network-connected endpoints
Flexible clustering allows several switches to be managed as if they were one, to support the growth of the company
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management that eases installation and configuration
Specifications of the Cisco SGE2010P 48-port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and medium dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding capacity: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, Layer 3 traffic forwarding at wire speed in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP SNMP versiones 1 2c y 3 con soporte de traps
MIB SNMP RFC1213 MIB-2 RFC2863 MIB de interfaz RFC2665 MIB Etherlike RFC1493 MIB de puente RFC2674 MIB de Puente ampliado (Puente P Puente Q) RFC2819 MIB RMON (grupos 1 2 3 9 solamente) RFC2737 MIB de entidad RFC2618 MIB de cliente RADIUS y RFC 1215 traps
Supervisioacuten remota (RMON) El agente de software RMON integrado admite 4 grupos de RMON (historial estadiacutesticas alarmas y eventos) para mejorar la gestioacuten supervisioacuten y anaacutelisis del traacutefico
Actualizacioacuten del firmware
Actualizacioacuten con navegador de Internet (HTTPHTTPS) y TFTP Imaacutegenes duales para la actualizacioacuten flexible del firmware
Replicacioacuten de puertos El traacutefico de un puerto puede duplicarse en otro puerto para anaacutelisis con un analizador de red o una sonda RMON
Otra gestioacuten Traceroute gestioacuten IP simple seguridad SSL para interfaz de usuario para Internet SSH RADIUS replicacioacuten de puertos actualizacioacuten TFTP cliente de protocolo de configuracioacuten dinaacutemica del servidor (DHCP) BOOTP SNTP actualizacioacuten Xmodem diagnoacutestico por cable Ping syslog cliente Telnet (soporte seguro SSH)
Seguridad
IEEE 8021X 8021X - Autenticacioacuten RADIUS cifrado MD5 VLAN de invitados modo host uacutenicomuacuteltiple
ACL Liacutemite de extraccioacuten y velocidad de transmisioacuten basado en MAC y direccioacuten IP de origen y destino protocolo puerto precedencia punto de coacutedigo de servicios diferenciados (DSCP)IP puertos de origen y destino de TCP Protocolo de datagrama de usuario (UDP) prioridad 8021p tipo Ethernet paquetes del protocolo de mensajes de control de Internet (ICMP) paquetes del protocolo de gestioacuten de grupo de Internet (IGMP) snooping DHCP inspeccioacuten de protocolo de resolucioacuten de direccioacuten (ARP) y proteccioacuten de direccioacuten de origen de IP Hasta 1018 reglas
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP); up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based; 802.1p VLAN priority based; IPv4/v6 IP precedence/ToS/DSCP based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policing; egress rate control; per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-port Gigabit switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later; Category 5 Ethernet network cable; TCP/IP, network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer in the network; vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps fast Ethernet-managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are Cisco-brand WRT54GL units. This model meets the requirements submitted to the IT department, and the reputation and quality that Cisco maintains have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General features
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters", or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated from the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include: user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters
2. They are a word found in a dictionary (English or foreign)
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation
7. Birthdays and other personal information such as addresses and phone numbers
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z)
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line
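The weak and strong characteristics listed above can be checked mechanically. The following Python sketch is an added example, not part of the original policy; the word list, the run table and the function names are constructed for illustration, and a real deployment would load a full dictionary and name lists.

```python
import string

# Constructed sample data: a real deployment would load a full dictionary,
# name lists and site-specific terms instead of these few entries.
SAMPLE_WORDS = {"secret", "password", "router", "welcome", "dragon"}
SITE_TERMS = ("bradesco", "sanjose", "sanfran")   # terms named in the policy
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        string.ascii_lowercase, string.digits)


def _is_pattern(s):
    """Detect the policy's pattern examples: aaabbb, qwerty, zyxwvuts, 123321."""
    if len(s) < 4:
        return False
    if any(s in run or s in run[::-1] for run in RUNS):
        return True                      # keyboard/alphabet run, either direction
    if s == s[::-1]:
        return True                      # mirrored sequence such as 123321
    return len(set(s)) <= 2              # blocks of one or two repeated characters


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    if len(password) < 8:
        problems.append("too_short")

    # "secret1" and "1secret": also test the candidate with edge digits removed.
    cores = {lowered, lowered.strip(string.digits)} - {""}

    # Dictionary and common-usage words, including spelled backwards.
    if any(c in words or c[::-1] in words for c in cores):
        problems.append("listed_word")

    # Company name and geographic terms, "or any derivation".
    if any(t in lowered or t in lowered[::-1] for t in SITE_TERMS):
        problems.append("site_term")

    if any(_is_pattern(c) for c in cores):
        problems.append("pattern")

    # Composition rules from the strong-password list.
    if not (any(ch.islower() for ch in password)
            and any(ch.isupper() for ch in password)):
        problems.append("no_mixed_case")
    if not any(ch.isdigit() for ch in password):
        problems.append("no_digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no_punctuation")
    return problems


if __name__ == "__main__":
    # Constructed candidates, one per rule family.
    for candidate in ("secret1", "1terces", "zyxwvuts", "123321",
                      "Bradesco2010!", "gR7#vLq2!x"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

A check like this belongs at password-change time, where the candidate is available in clear text; it cannot be run against stored hashes.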
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone
5. Don't reveal a password in an email message
6. Don't reveal a password to the boss
7. Don't talk about a password in front of others
8. Don't hint at the format of a password (e.g., "my family name")
9. Don't reveal a password on questionnaires or security forms
10. Don't share a password with family members
11. Don't reveal a password to a co-worker when you go on vacation
12. Don't write down a password and store it anywhere in your office
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks." A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, wireless access points, and cable modems.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment; i.e., their machines must be configured to comply with the network security administrator/team security policies.
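One way to check a Linux client against items 3 and 4 above (and against the split-tunneling and dual-homing requirement of the Remote Access Policy) is to read its routing table while the tunnel is up and report any address space whose longest-prefix match leaves outside the VPN interface. This is an added example, not part of the policy document; the interface name `tun0`, the concentrator address and the sample `ip -4 route show` tables are constructed assumptions.

```python
"""Flag split tunneling / dual homing from a Linux IPv4 routing table.

Assumptions (not from the policy document): the VPN interface is tun0,
the concentrator's public address is 198.51.100.10, and the input is
`ip -4 route show` output. All sample tables below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NON_FORWARDING = {"unreachable", "blackhole", "prohibit", "throw"}
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dest: Net
    dev: str
    via: Optional[str]


def _after(tok: List[str], key: str) -> Optional[str]:
    """Token that follows `key` on the line, or None when absent."""
    return tok[tok.index(key) + 1] if key in tok[:-1] else None


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        tok = line.split()
        dev = _after(tok, "dev")
        if not tok or tok[0] in NON_FORWARDING or dev is None:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = Net(dest, strict=False)
        except ValueError:
            continue  # not an IPv4 route line
        routes.append(Route(net, dev, _after(tok, "via")))
    return routes


def uncovered(net: Net, more_specific: List[Net]) -> List[Net]:
    """Part of `net` that no more-specific route claims (longest-prefix match)."""
    remaining = [net]
    for sub in more_specific:
        kept = []
        for block in remaining:
            if block.subnet_of(sub):
                continue  # whole block is claimed by `sub`
            if sub.subnet_of(block):
                kept.extend(block.address_exclude(sub))
            else:
                kept.append(block)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def audit(text: str, vpn_dev: str = "tun0", concentrator: str = "198.51.100.10",
          allow_local_lan: bool = True) -> List[Tuple[Route, List[Net]]]:
    """Return (route, address space) pairs that leave outside the tunnel."""
    routes = parse_routes(text)
    hub = Net(concentrator + "/32")
    findings = []
    for r in routes:
        if r.dev == vpn_dev or r.dest == hub:
            continue  # in-tunnel, or the carrier route for the tunnel itself
        if r.via is None and allow_local_lan:
            continue  # on-link subnet, needed to reach the local gateway
        claimed = [s.dest for s in routes
                   if s.dest != r.dest and s.dest.subnet_of(r.dest)]
        leak = uncovered(r.dest, claimed)
        if leak:
            findings.append((r, leak))
    return findings


def escapes_tunnel(findings, addr: str) -> bool:
    """True if traffic to `addr` would be routed outside the VPN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for _, nets in findings for net in nets)


# Constructed: full tunnel; two /1 routes override the DHCP default route.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.10 via 192.168.1.1 dev eth0
"""

# Constructed: only 10.0.0.0/8 goes through the tunnel (split tunneling).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.10 via 192.168.1.1 dev eth0
"""

# Constructed: full tunnel plus a second uplink on wlan0 (dual homing).
DUAL_HOMED = FULL_TUNNEL + "172.16.0.0/12 via 192.168.43.1 dev wlan0\n"

if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                        ("dual", DUAL_HOMED)]:
        hits = audit(table)
        print(name, [f"{r.dest} via {r.dev}" for r, _ in hits] or "OK")
```

A clean result covers routing only; the "all other traffic will be dropped" half of item 3 is enforced by client firewall rules, which this check does not read.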
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet service providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Specifications of the equipment used for the network (wired and wireless)
Wired network
Specifications
Table 1 lists the specifications, package contents, and minimum requirements of the Cisco SGE2010P 48-Port Gigabit Switch.
Highlights
48 high-speed ports optimized for the network core or for bandwidth-intensive applications
Power over Ethernet supplies power easily and economically to wireless access points, video cameras, and other networked endpoints
Flexible clustering lets several switches be managed as if they were one, to support business growth
Strong security protects network traffic to prevent access by unauthorized users
Simplified web-based management eases installation and configuration
Specifications of the Cisco SGE2010P 48-Port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium dependent interface (MDI) and MDI crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 through 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for a Fast Ethernet port; 360 W total available for all ports with regular AC power and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, nonblocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stack operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master and backup master units for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (4096 range)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: HOL blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed forwarding of Layer 3 traffic in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c, and 3, with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms, and events) for enhanced traffic management, monitoring, and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 hash, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address protection. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in up to 8 groups
Storm control: Broadcast, multicast, and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based, 802.1p VLAN priority-based, IPv4/v6 IP precedence/ToS/DSCP-based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policies, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-Port Gigabit Switch
AC power adapter with power cord
Two rack-mounting kits with eight screws
CD-ROM with user documentation (PDF)
Registration card
Console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later
Category 5 Ethernet network cable
TCP/IP, network adapter, and network-capable operating system (such as Microsoft Windows, Linux, or Mac OS X) installed on each computer in the network
Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement and a 90-day limited software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps Fast Ethernet managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units that the company has decided to use are Cisco-brand, model WRT54GL. This model meets the requirements requested of the IT department; in addition, the reputation and quality associated with Cisco have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104°F (0 to 40°C)
Storage Temp.: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company Security Policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material, to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
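The weak and strong password characteristics listed above can be expressed as an automated check. The following is an added example, not part of the original policy: the word list, sample passwords and function names are constructed for illustration, and stripping any number of leading or trailing digits generalizes the guideline's single-digit rule.

```python
import string

# Constructed sample vocabulary. A real deployment would load full dictionaries
# (English and foreign) plus the site-specific terms the guideline names.
SAMPLE_WORDS = {
    "secret", "password", "welcome", "dragon",   # dictionary words
    "router", "linux", "cisco", "oracle",        # computer terms and names
    "bradesco", "sanjose", "sanfran",            # company and place names
}

# Runs whose substrings count as "word or number patterns" (qwerty, zyxwvuts).
SEQUENCES = (
    string.ascii_lowercase, "0123456789", "1234567890",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
)


def _is_pattern(token):
    """True for repeated-character blocks and keyboard/alphabet/digit runs."""
    if len(token) < 4:
        return False
    # Few distinct characters relative to length: aaabbb, 123321.
    if len(set(token)) * 2 <= len(token):
        return True
    # Contiguous run read forwards or backwards: qwerty, zyxwvuts.
    return any(token in seq or token[::-1] in seq for seq in SEQUENCES)


def _classify(token, vocabulary):
    """Return 'common_word', 'pattern' or None for a lowercase token."""
    if not token:
        return None
    if token in vocabulary:
        return "common_word"
    if _is_pattern(token):
        return "pattern"
    return None


def check_password(password, words=SAMPLE_WORDS, personal=()):
    """Return the list of guideline violations; an empty list means none found.

    `personal` holds per-user terms (names, birthdays, phone numbers).
    """
    vocabulary = {w.lower() for w in words} | {p.lower() for p in personal if p}
    findings = []

    if len(password) < 8:
        findings.append("too_short")

    lowered = password.lower()
    stripped = lowered.strip(string.digits)  # drop digits at either end
    # Try the password as typed, spelled backwards, and without digit affixes.
    variants = (
        (lowered, []),
        (lowered[::-1], ["reversed"]),
        (stripped, ["digit_affix"]),
        (stripped[::-1], ["digit_affix", "reversed"]),
    )
    for token, how in variants:
        kind = _classify(token, vocabulary)
        if kind:
            findings.extend([kind] + how)
            break

    # Composition requirements from the "strong passwords" list.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.append("no_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("secret1", "1terces", "zyxwvuts", "123321",
                      "Bradesco2010", "Gv7#kLp!q2"):
        result = check_password(candidate) or "no violations found"
        print(f"{candidate!r}: {result}")
```

The check matches whole words only, so a dictionary word embedded in a longer string passes; the periodic password cracking the policy describes covers that case.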
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
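An added example, not part of the original policy document: one way to check a remote client against items 3, 4, 7 and 8 of the VPN Policy above. The route and session-event record formats, the interface names, the one-minute grace period and all sample data are assumptions constructed for illustration.

```python
"""Audit a remote client against the VPN Policy: full tunnel (items 3-4),
30-minute idle disconnect (item 7), 24-hour absolute limit (item 8).
Record formats and all sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

IDLE_LIMIT = timedelta(minutes=30)    # item 7
ABSOLUTE_LIMIT = timedelta(hours=24)  # item 8
GRACE = timedelta(minutes=1)          # assumption: tolerance for timer jitter


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR prefix
    interface: str


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str  # "connect", "user", "keepalive" or "disconnect"


def split_tunnel_routes(routes, vpn_iface, vpn_gateway):
    """Return the routes that let traffic bypass the tunnel.

    Strict reading of items 3 and 4: outside the tunnel interface only
    loopback and the host route carrying the encrypted packets to the
    VPN gateway are acceptable.
    """
    gateway = ip_address(vpn_gateway)
    offending = []
    for route in routes:
        net = ip_network(route.destination, strict=False)
        if route.interface == vpn_iface or net.is_loopback:
            continue
        if net.num_addresses == 1 and net.network_address == gateway:
            continue
        offending.append(route)
    return offending


def audit_session(events):
    """Return policy findings for one session's events.

    Only "user" events reset the idle timer, so a session held open by
    pings or other artificial traffic is reported.
    """
    events = sorted(events, key=lambda e: e.when)
    findings = []
    if events[-1].when - events[0].when > ABSOLUTE_LIMIT:
        findings.append("absolute-limit-exceeded")
    last_activity = events[0].when
    for ev in events[1:]:
        if ev.when - last_activity > IDLE_LIMIT + GRACE:
            cause = "keepalive" if ev.kind == "keepalive" else "no-disconnect"
            findings.append(f"idle-limit-exceeded ({cause})")
            break
        if ev.kind == "user":
            last_activity = ev.when
    return findings


# ---- constructed sample data ----
GATEWAY = "203.0.113.10"  # documentation address standing in for the concentrator
FULL_TUNNEL = [
    Route("0.0.0.0/0", "tun0"),
    Route("203.0.113.10/32", "eth0"),
    Route("127.0.0.0/8", "lo"),
]
SPLIT_TUNNEL = [
    Route("10.0.0.0/8", "tun0"),       # only corporate prefixes use the tunnel
    Route("0.0.0.0/0", "eth0"),        # Internet traffic leaves directly
    Route("203.0.113.10/32", "eth0"),
    Route("192.168.1.0/24", "eth0"),   # home LAN reachable at the same time
]

T0 = datetime(2010, 10, 4, 9, 0)


def at(minutes, kind):
    """Build a constructed event `minutes` after the session start."""
    return Event(T0 + timedelta(minutes=minutes), kind)


NORMAL = [at(0, "connect"), at(10, "user"), at(35, "user"), at(65.5, "disconnect")]
PINGED = ([at(0, "connect"), at(5, "user")]
          + [at(m, "keepalive") for m in range(15, 66, 10)]
          + [at(70, "disconnect")])
LONG = ([at(0, "connect")]
        + [at(20 * i, "user") for i in range(1, 75)]
        + [at(25 * 60, "disconnect")])

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        bad = split_tunnel_routes(table, "tun0", GATEWAY)
        print(name, [f"{r.destination} via {r.interface}" for r in bad])
    for name, session in (("normal", NORMAL), ("pinged", PINGED), ("long", LONG)):
        print(name, audit_session(session))
```

In the pinged session the user's last real activity is five minutes in, so the keepalive seen 40 minutes later is what exposes the missed idle disconnect.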
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Specifications of the Cisco SGE2010P 48-Port Gigabit PoE Switch
Specifications
Ports: 48 RJ-45 connectors for 10BASE-T/100BASE-TX/1000BASE-T ports, with 4 Gigabit combo ports shared with mini-GBIC ports; console port; automatic medium-dependent interface (MDI) and medium-dependent interface crossover (MDI-X); auto-negotiation/manual configuration; RPS port for connection to a redundant power supply unit
Buttons: Reset button
Cabling type: Unshielded twisted pair (UTP) Category 5 or better for 10BASE-T/100BASE-TX; UTP Category 5e or better for 1000BASE-T
LEDs: PWR, Fan, Link/Act, PoE, Speed, RPS, Master, Stack ID 1 to 8
PoE: IEEE 802.3af PoE delivered to any of the 48 10/100/1000 ports. Maximum power of 15.4 W for one Fast Ethernet port; 360 W total available for all ports with regular AC power, and 280 W total available with RPS
Performance
Switching capacity: 96 Gbps, non-blocking
Forwarding rate: 71.4 mpps (64-byte packets)
Stacking
Stacking operation: Up to 192 ports in a stack. Insertion and removal without service interruption. Ring and chain stacking options. Master unit and backup master unit for flexible stack control. Automatic numbering or manual configuration of the units in the stack
Layer 2
MAC table size: 8000
Number of VLANs: 256 active VLANs (range 4096)
VLAN: Port-based and 802.1Q tag-based VLANs, protocol-based VLAN, management VLAN, multicast TV VLAN, Private VLAN Edge (PVE), Generic VLAN Registration Protocol (GVRP)
Head-of-line (HOL) blocking: Head-of-line blocking prevention
Layer 3
Layer 3 options: Static routing, classless interdomain routing (CIDR), 60 static routes, IPv4 and IPv6, wire-speed forwarding of Layer 3 traffic in silicon
IPv6
IPv6 options: IPv6 over Ethernet, dual stack, IPv6 over IPv4 network with Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, IPv6 neighbor discovery, IPv6 stateless address configuration, maximum transmission unit (MTU) discovery, WEB, SSL, Telnet, Ping, Traceroute, Simple Network Time Protocol (SNTP), Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), RADIUS, access control lists (ACL), QoS, protocol-based VLAN
Management
Web user interface: Built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
SNMP: SNMP versions 1, 2c, and 3 with support for traps
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Ether-like MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB, and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms, and events) for enhanced traffic management, monitoring, and analysis
Firmware upgrade: Web browser upgrade (HTTP/HTTPS) and TFTP. Dual images for flexible firmware upgrades
Port mirroring: Traffic on a port can be mirrored to another port for analysis with a network analyzer or RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, Ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 hashing, guest VLAN, single/multiple host mode
ACL: Drop or rate limit based on source and destination MAC and IP address, protocol, port, differentiated services code point (DSCP)/IP precedence, TCP/User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection, and IP source address guard. Up to 1018 rules
Availability
Link aggregation: Using IEEE 802.3ad Link Aggregation Control Protocol (LACP), up to 8 ports in up to 8 groups
Storm control: Broadcast, multicast, and unknown unicast
Spanning tree: IEEE 802.1D Spanning Tree, IEEE 802.1w Rapid Spanning Tree, IEEE 802.1s Multiple Spanning Tree, and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to only the requesters; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port based, 802.1p VLAN priority based, IPv4/v6 IP precedence/ToS/DSCP based, DiffServ, classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environmental
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 in (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for a -48V DC external power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, noncondensing
Storage humidity: 10% to 95% relative humidity, noncondensing
Package contents
Cisco SGE2010P 48-Port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later. Category 5 Ethernet network cable. TCP/IP, network adapter, and network-capable operating system (such as Microsoft Windows, Linux, or Mac OS X) installed on each computer in the network. Vendor support for CPE software version 12 or later
Product warranty
5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security, such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are Cisco-brand, model WRT54GL. This model meets the requirements submitted to the IT department; in addition, Cisco's reputation and quality have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC, 1.0A
Miscellaneous Details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together, and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54 Mbps auto-fallback IEEE 802.11g; 11 Mbps auto-fallback IEEE 802.11b; 1 Mbps IEEE 802.11b; 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 channels (US, Canada); 13 channels (Europe, Japan)
Ports: Internet: one 10/100 RJ-45 port; LAN: four 10/100 RJ-45 switched ports; one power port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104°F (0 to 40°C)
Storage Temp: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10% to 85%, noncondensing
Storage Humidity: 5% to 90%, noncondensing
Company Security Policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remain inconsistent with the increased risks involved in internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of the most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use, and if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm, or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public," "private," and "system," and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
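The weak-password characteristics and strong-password requirements listed above can be checked mechanically when a password is set. The following is an added example, not part of the original policy document; the function name `weak_reasons` and the small sample word list are assumptions, and a real deployment would load complete dictionaries.

```python
import re
import string

# Constructed sample word list; a real check would load full dictionaries
# (English and foreign, names, computer terms) as the guidelines require.
DICTIONARY = {"secret", "password", "welcome", "dragon", "admin"}
# Organisation and geographic terms named in the guidelines.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
# Keyboard rows, the alphabet and digits, used to spot runs such as qwerty.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        string.ascii_lowercase, string.digits)


def _variants(word):
    """The word, its digit-stripped core, and both spelled backwards."""
    core = word.strip(string.digits)
    return {v for v in (word, core, word[::-1], core[::-1]) if v}


def _is_pattern(word):
    """True for keyboard/alphabet runs, repeated blocks and palindromes."""
    if len(word) < 4:
        return False
    if any(word in run or word in run[::-1] for run in RUNS):
        return True                              # qwerty, zyxwvuts
    if re.fullmatch(r"(?:(.)\1+)+", word):
        return True                              # aaabbb, 112233
    return word == word[::-1]                    # 123321


def weak_reasons(password):
    """Return the guideline violations found; an empty list means none."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("fewer than eight characters")
    if any(v in DICTIONARY for v in _variants(lowered)):
        reasons.append("dictionary word (possibly reversed or with a digit added)")
    if any(t in lowered or t in lowered[::-1] for t in ORG_TERMS):
        reasons.append("contains an organisation or location term")
    if any(_is_pattern(v) for v in _variants(lowered)):
        reasons.append("word or number pattern")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        reasons.append("needs both upper and lower case letters")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        reasons.append("needs digits and punctuation")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including the examples the guidelines name.
    for candidate in ("secret1", "terces", "zyxwvuts", "123321",
                      "Bradesco2010!", "gR8!vQz#2m"):
        print(candidate, "->", weak_reasons(candidate) or "no violations found")
```

An empty result only means none of these listed checks fired; it does not cover the guidelines on personal information, which need data the checker does not have.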
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks." A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
SNMP: SNMP versions 1, 2c and 3 with trap support
SNMP MIBs: RFC1213 MIB-2, RFC2863 interface MIB, RFC2665 Etherlike MIB, RFC1493 bridge MIB, RFC2674 extended bridge MIB (P-bridge, Q-bridge), RFC2819 RMON MIB (groups 1, 2, 3, 9 only), RFC2737 entity MIB, RFC2618 RADIUS client MIB and RFC 1215 traps
Remote monitoring (RMON): The embedded RMON software agent supports 4 RMON groups (history, statistics, alarms and events) for improved traffic management, monitoring and analysis
Firmware upgrade: Upgrade via web browser (HTTP/HTTPS) and TFTP; dual images for flexible firmware upgrades
Port mirroring: Traffic on one port can be mirrored to another port for analysis with a network analyzer or an RMON probe
Other management: Traceroute, single IP management, SSL security for the web user interface, SSH, RADIUS, port mirroring, TFTP upgrade, Dynamic Host Configuration Protocol (DHCP) client, BOOTP, SNTP, Xmodem upgrade, cable diagnostics, ping, syslog, Telnet client (SSH secure support)
Security
IEEE 802.1X: 802.1X - RADIUS authentication, MD5 encryption, guest VLAN, single/multiple host mode
ACL: Drop and rate limiting based on source and destination MAC and IP address, protocol, port, IP precedence/Differentiated Services Code Point (DSCP), TCP and User Datagram Protocol (UDP) source and destination ports, 802.1p priority, Ethernet type, Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets, DHCP snooping, Address Resolution Protocol (ARP) inspection and IP source address protection; up to 1018 rules
Availability
Link aggregation: Using the IEEE 802.3ad Link Aggregation Control Protocol (LACP); up to 8 ports in a maximum of 8 groups
Storm control: Broadcast, multicast and unknown unicast
Spanning tree: IEEE 802.1D spanning tree, IEEE 802.1w rapid spanning tree, IEEE 802.1s multiple spanning tree and Fast Linkover
DoS prevention: DoS attack prevention
IGMP snooping (versions 1 and 2): Limits bandwidth-intensive multicast traffic to the requesters only; supports 256 multicast groups
Power redundancy: Connection to an RPS unit that provides power redundancy
Quality of service
Priority levels: 4 hardware queues
Scheduling: Priority queuing and weighted round-robin (WRR)
Class of service: Port-based; 802.1p VLAN priority-based; IPv4/v6 IP precedence/ToS/DSCP-based; DiffServ; classification and re-marking ACLs
Rate limiting: Ingress policing, egress rate control, per VLAN
Statistics: 16 meters
Standards: 802.3 10BASE-T Ethernet, 802.3u 100BASE-TX Fast Ethernet, 802.3ab 1000BASE-T Gigabit Ethernet, 802.3z Gigabit Ethernet, 802.3x flow control, 802.3ad LACP, 802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w rapid STP, 802.1s multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE mark, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10 to 90% relative humidity, non-condensing
Storage humidity: 10 to 95% relative humidity, non-condensing
Package contents: Cisco SGE2010P 48-port Gigabit switch; AC power adapter with power cord; two rack-mount kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements: Web browser (Mozilla Firefox 1.5 or later, Microsoft Internet Explorer 5.5 or later); Category 5 Ethernet network cable; TCP/IP, a network adapter and a network-capable operating system (such as Microsoft Windows, Linux or Mac OS X) installed on each computer on the network; provider support for CPE software version 12 or later
Product warranty: 5-year limited hardware warranty with return to factory for replacement, and a 90-day limited software warranty
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the Cisco-brand WRT54GL model. This model meets the requirements submitted to the IT department; moreover, the reputation and quality associated with Cisco have left Banco Bradesco very satisfied with its products.
Features
• Version 82
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Features
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration Card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 10A
Miscellaneous Details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps auto-fallback IEEE 802.11g, 11Mbps auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
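The weak-password characteristics and strong-password rules from this policy's General Password Construction Guidelines, written as a checker. This is an added example, not part of the original policy or of any Bradesco system; the sample word list, the minimum run length of 4 for patterns, and treating character substitutions as a "derivation" are assumptions.

```python
import re
import string

MIN_LENGTH = 8                                   # "less than eight characters"
SITE_TERMS = ("bradesco", "sanjose", "sanfran")  # terms the policy names
# Constructed stand-in for a real dictionary and name list.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "router"}
# Assumed reading of "any derivation": undo common character substitutions.
LEET = str.maketrans("013457@$", "oleastas")
# Alphabet, digit and keyboard rows used to spot runs such as qwerty, zyxwvuts.
ROWS = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
        "qwertyuiop", "asdfghjkl", "zxcvbnm")
RUN = 4                                          # assumed minimum run length
CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "digit": string.digits, "punct": string.punctuation}


def _forms(password):
    """Lower-cased variants: digits stripped from both ends ("preceded or
    followed by a digit"), substitutions undone, and each form reversed
    ("spelled backwards")."""
    low = password.lower()
    core = low.strip(string.digits)
    forms = {low, core, low.translate(LEET), core.translate(LEET)}
    return forms | {f[::-1] for f in forms}


def _has_pattern(password):
    """Detect the pattern families the policy lists: aaabbb, 123321, qwerty."""
    low = password.lower()
    if re.search(r"(.)\1\1", low):               # same character three times
        return True
    if len(low) >= RUN and low == low[::-1]:     # mirrored, e.g. 123321
        return True
    for row in ROWS:
        for seq in (row, row[::-1]):             # forward and backward runs
            if any(seq[i:i + RUN] in low for i in range(len(seq) - RUN + 1)):
                return True
    return False


def check_password(password, words=SAMPLE_WORDS, personal=()):
    """Return the list of guideline violations; an empty list means none."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too-short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            violations.append("missing-" + name)
    forms = _forms(password)
    banned = {w.lower() for w in words} | {p.lower() for p in personal}
    banned.discard("")
    if forms & banned:
        violations.append("dictionary-or-personal")
    if any(term in form for term in SITE_TERMS for form in forms):
        violations.append("site-term")
    if _has_pattern(password):
        violations.append("pattern")
    return violations


if __name__ == "__main__":
    # Constructed inputs, including the weak examples the policy itself lists.
    for candidate in ("secret1", "zyxwvuts", "123321", "Br@d3sc0!9X",
                      "vK7#pm!xQ2rt"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

A trailing punctuation mark defeats the digit-stripping step here, because the policy's rule only mentions digits; a production check would normally strip any non-letter affix.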
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment; i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
802.3af PoE, 802.1D Spanning Tree Protocol (STP), 802.1Q/p VLAN, 802.1w Rapid STP, 802.1s Multiple STP, 802.1X port access authentication
Environment
Dimensions (W x H x D): 17.32 x 14.70 x 1.73 inches (440 x 375 x 44 mm)
Unit weight: 10.89 lb (4.94 kg)
Power: 100-240V AC, 47-63 Hz, internal, universal; also equipped with an external redundant power connector for an external -48V DC power supply
Certification: UL (UL 60950), CSA (CSA 22.2), CE marking, FCC Part 15 (CFR 47) Class A
Operating temperature: 32° to 104°F (0° to 40°C)
Storage temperature: -4° to 158°F (-20° to 70°C)
Operating humidity: 10% to 90% relative humidity, non-condensing
Storage humidity: 10% to 95% relative humidity, non-condensing
Package contents
Cisco SGE2010P 48-port Gigabit Switch; AC power adapter with power cord; two rack-mounting kits with eight screws; CD-ROM with user documentation (PDF); registration card; console cable
Minimum requirements
Web browser: Mozilla Firefox 1.5 or later, or Microsoft Internet Explorer 5.5 or later; Category 5 Ethernet network cable; TCP/IP, network adapter, and network-capable operating system (such as Microsoft Windows, Linux, or Mac OS X) installed on each computer on the network; provider support for CPE software version 12 or later
Product warranty
Limited 5-year hardware warranty with return to factory for replacement, and a limited 90-day software warranty
Cisco 887V Router
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services, and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches, and teleworkers.
The Cisco 887V Integrated Services Router provides:
Business continuity with primary and backup connections
VPNs at broadband speeds, up to 20 tunnels
Built-in security such as NAT and firewall
Four 10/100 Mbps fast Ethernet-managed switch ports
Easy deployment with Cisco Configuration Professional
Centralized management
Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
Advanced security, including intrusion prevention, GET VPN, and dynamic multipoint VPN (DMVPN)
Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys devices the company has decided to use are the CISCO-brand model WRT54GL. This model meets the requirements requested of the IT department; in addition, the reputation and quality that CISCO maintains have left Banco Bradesco very satisfied with its products.
Features
• Version: 82
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Characteristics
Package contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power device type: External, 12V DC 10A
Miscellaneous Details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together, and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104°F (0 to 40°C)
Storage Temp.: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company Security Policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include but are not limited to accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes but is not limited to network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of the data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained not to reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the names of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
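An added example, not part of the original policy document: a Python audit that applies the change intervals above (system-level passwords quarterly, user-level every six months) together with the Identity Policy rules on unused administrative access and departed employees. The record fields, the sample accounts, the audit date and the day counts chosen for "quarterly" and "six months" are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed day counts: the policy only says "quarterly" and "six months".
QUARTER = timedelta(days=92)
SIX_MONTHS = timedelta(days=183)


@dataclass
class Account:
    user: str
    level: str                          # "system" or "user"
    password_changed: date
    last_admin_access: Optional[date]   # None when the account has no administrative access
    employed: bool


def audit(accounts, today):
    """Return (user, finding) pairs for every record that breaks a policy rule."""
    findings = []
    for a in accounts:
        if not a.employed:
            # Identity Policy item 4: access of departed employees is deleted.
            findings.append((a.user, "terminated: delete access"))
            continue
        # Password Policy items 1 and 3: maximum password age depends on account level.
        limit = QUARTER if a.level == "system" else SIX_MONTHS
        if today - a.password_changed > limit:
            findings.append((a.user, f"{a.level}-level password older than {limit.days} days"))
        # Identity Policy item 2: administrative access unused for six months is removed.
        if a.last_admin_access is not None and today - a.last_admin_access > SIX_MONTHS:
            findings.append((a.user, "administrative access unused for six months: remove and reauthorize"))
    return findings


# Constructed sample records and audit date, for illustration only.
AUDIT_DATE = date(2010, 10, 15)
SAMPLE_ACCOUNTS = [
    Account("svc_root", "system", date(2010, 6, 1), date(2010, 10, 1), True),
    Account("user_a", "user", date(2010, 5, 1), date(2010, 3, 1), True),
    Account("user_b", "user", date(2010, 9, 1), None, False),
    Account("user_c", "user", date(2010, 9, 1), None, True),
]


def audit_sample():
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```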
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g. 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
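The construction guidelines above expressed as a checker, added here as an example and not part of the original policy. The word list is a small constructed sample standing in for a real dictionary file, and the function and constant names are hypothetical.

```python
import re
import string

# Constructed stand-in for a real dictionary file; use a full word list in practice.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "monkey", "router", "oracle"}
# Company and place names the policy calls out by name.
BANNED_TERMS = ("bradesco", "sanjose", "sanfran")
# Keyboard rows, the alphabet and the digits, used to spot runs such as qwerty or zyxwvuts.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "0123456789")


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters of a known sequence, in either direction."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def check_password(pw, words=SAMPLE_WORDS):
    """Return the list of guideline violations; an empty list means the password conforms."""
    findings = []
    # Strong-password requirements: length, mixed case, digits, punctuation.
    if len(pw) < 8:
        findings.append("shorter than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("lacks mixed upper and lower case")
    if not any(c.isdigit() for c in pw):
        findings.append("lacks a digit")
    if not any(c in string.punctuation for c in pw):
        findings.append("lacks a punctuation character")

    # Weak-password characteristics: dictionary words, also reversed or with digits attached.
    low = pw.lower()
    core = low.strip(string.digits)   # "secret1" and "1secret" both reduce to "secret"
    if core in words:
        findings.append("dictionary word" if core == low else "dictionary word with a digit added")
    elif core[::-1] in words:
        findings.append("dictionary word spelled backwards")
    if any(term in low for term in BANNED_TERMS):
        findings.append("contains a company or place name")
    # Patterns: three identical characters in a row, a sequence run, or a palindrome (123321).
    if re.search(r"(.)\1\1", pw) or has_sequence(pw) or (len(pw) >= 4 and low == low[::-1]):
        findings.append("word or number pattern")
    return findings


if __name__ == "__main__":
    # Constructed test inputs plus the weak examples named in the guidelines.
    for candidate in ("secret1", "zyxwvuts", "123321", "Bradesco#2010", "rV7;pLm2&Kq"):
        print(candidate, "->", check_password(candidate) or "conforms")
```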
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include but are not limited to dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to their systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradesco's corporate network is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g. Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e. their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Router Cisco 887V
Small offices can now take advantage of the multiple benefits offered by a single device, with the combination of enhanced security, wireless services and increased throughput speeds with VDSL2. The Cisco 887V Integrated Services Router offers broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.
The Cisco 887V Integrated Services Router provides:
• Business continuity with primary and backup connections
• VPNs at broadband speeds, up to 20 tunnels
• Built-in security such as NAT and firewall
• Four 10/100 Mbps Fast Ethernet managed switch ports
• Easy deployment with Cisco Configuration Professional
• Centralized management
• Universal software image for easy expansion with software activation
Available options on the Cisco 887V Integrated Services Router include:
• Advanced security, including intrusion prevention, GET VPN and dynamic multipoint VPN (DMVPN)
• Power over Ethernet (PoE) on two switch ports
Wireless network
LINKSYS WRT54GL
The Linksys units the company has decided to use are the CISCO-branded model WRT54GL. This model meets the requirements submitted to the IT department; in addition, the reputation and quality associated with CISCO have left Banco Bradesco very satisfied with its products.
Features
• Version: 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12V DC, 1.0A
Miscellaneous details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band (USA & Canada)
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11 (USA & Canada)
Transmission Speed Details: 54 Mbps auto-fallback (IEEE 802.11g), 11 Mbps auto-fallback (IEEE 802.11b), 1 Mbps (IEEE 802.11b), 6 Mbps (IEEE 802.11g)
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC
Device Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 channels (US, Canada); 13 channels (Europe, Japan)
Ports: Internet: one 10/100 RJ-45 port; LAN: four 10/100 RJ-45 switched ports; one power port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104°F (0 to 40°C)
Storage Temp.: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, noncondensing
Storage Humidity: 5 to 90%, noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of the most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview Passwords are an important aspect of computer security They are the front line of protection for user accounts A poorly chosen password may result in the compromise of Bradescorsquos entire corporate network As such all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps as outlined below to select and secure their passwords Purpose The purpose of this policy is to establish a standard for creating strong passwords protecting those passwords and change frequency Scope This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility has access to the Bradesco network or stores any non-public Bradesco information Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g. 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
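The weak-password characteristics and strong-password requirements listed above can be checked mechanically when a password is set. The following Python check is an added example, not part of the Bradesco policy; the rule names, the pattern heuristics and the small constructed word list (a stand-in for a real dictionary) are assumptions.

```python
import string

# Constructed stand-in; a real deployment would load a full dictionary file.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "router"}
# Terms the policy names explicitly (item 6 of the weak-password list).
COMPANY_TERMS = ("bradesco", "sanjose", "sanfran")
# Runs used to spot patterns such as qwerty or zyxwvuts (assumed heuristic).
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
        string.ascii_lowercase)


def _is_pattern(s):
    """True for keyboard/alphabet runs, mirrored strings and low-variety strings."""
    if len(s) < 4:
        return False
    if any(s in run or s in run[::-1] for run in RUNS):
        return True                                 # qwerty, zyxwvuts
    if s == s[::-1]:
        return True                                 # 123321
    return len(set(s)) <= max(2, len(s) // 3)       # aaabbb


def check_password(pw):
    """Return the set of policy rules that pw violates (empty set = acceptable)."""
    problems = set()
    if len(pw) < 8:
        problems.add("too_short")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.add("missing_mixed_case")
    if not (any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)):
        problems.add("missing_digit_or_punctuation")

    lowered = pw.lower()
    # Item 10: ignore digits placed before or after the word (secret1, 1secret).
    core = lowered.strip(string.digits)
    # Item 9: test every candidate forwards and backwards.
    candidates = {c for c in (lowered, core, lowered[::-1], core[::-1]) if c}

    if candidates & SAMPLE_WORDS:
        problems.add("dictionary_word")
    if any(term in c for term in COMPANY_TERMS for c in candidates):
        problems.add("company_term")
    if any(_is_pattern(c) for c in candidates):
        problems.add("pattern")
    return problems
```

A password that satisfies the character-class rules can still fail on content: `check_password("Bradesco2010!")` returns only `{"company_term"}`.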
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g. Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
  - Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP).
  - Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access.
  - Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e. their machines must be configured to comply with the Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Wireless network
LINKSYS WRT54GL
The Linksys routers that the company has decided to use are the Cisco-branded WRT54GL model. This model meets the requirements requested of the IT department; in addition, the reputation and quality that Cisco maintains have left Banco Bradesco very satisfied with its products.
Features
• Version 8.2
• Chip: Broadcom BCM5354KFBG
• Chip speed: 240 MHz
• RAM: 8 Mb
• Flash memory: 2 Mb
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Characteristics
Package contents:
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Presentation: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12V DC, 1.0A
Miscellaneous Details
Industry standard: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and the whole network shares a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz, IEEE 802.11b/g, ISM Band, USA & Canada
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54 Mbps Auto-fallback IEEE 802.11g; 11 Mbps Auto-fallback IEEE 802.11b; 1 Mbps IEEE 802.11b; 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company security policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority of the most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does not guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use, and if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential, even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates. Guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g. 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
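The weak and strong characteristics listed above can be checked mechanically when a password is set. The following Python check is an added example, not part of the original policy; the small word list, the function names and the finding labels are assumptions, and stripping punctuation as well as digits from the ends of a candidate generalizes weak-password rule 10.

```python
import string

# Constructed stand-in for a real dictionary; a deployment would load full
# word lists (several languages) plus names and computer terms (rules 2-5).
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "dragon", "router",
                     "oracle", "maria", "carlos"}
# Organisation name and geographical indicators named in the policy (rule 6).
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
# Alphabet, digit and keyboard rows used to spot runs such as qwerty (rule 8).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8  # rule 1: fewer than eight characters is weak


def _is_pattern(text):
    """Rule 8: palindromes (123321), few distinct characters (aaabbb),
    or a forward/backward run along a sequence (qwerty, zyxwvuts)."""
    if len(text) < 4:
        return False
    if text == text[::-1]:
        return True
    if len(set(text)) * 2 <= len(text):
        return True
    return any(text in seq or text in seq[::-1] for seq in SEQUENCES)


def weak_reasons(password):
    """Return the weak-password characteristics that apply, in rule order."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too-short")
    lowered = password.lower()
    # Rule 10: ignore digits before/after the word. Punctuation is stripped
    # too, which is an assumption that goes beyond the policy text.
    core = lowered.strip(string.digits + string.punctuation)
    # Rule 9: also test every candidate spelled backwards.
    candidates = {lowered, core, lowered[::-1], core[::-1]}
    candidates.discard("")
    if candidates & SAMPLE_DICTIONARY:
        reasons.append("dictionary-word")
    if any(term in cand for cand in candidates for term in ORG_TERMS):
        reasons.append("org-or-place-name")
    if any(_is_pattern(cand) for cand in candidates):
        reasons.append("pattern")
    return reasons


def missing_strength(password):
    """Return the strong-password properties the candidate lacks."""
    missing = []
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        missing.append("mixed-case")
    if not any(c.isdigit() for c in password):
        missing.append("digit")
    if not any(c in string.punctuation for c in password):
        missing.append("punctuation")
    return missing


def evaluate(password):
    """Return (acceptable, findings) for one candidate password."""
    findings = weak_reasons(password)
    findings += ["missing-" + item for item in missing_strength(password)]
    return (not findings, findings)


def audit(labelled_passwords):
    """Return {label: findings}; the passwords themselves are never echoed,
    so the report can be logged without exposing them."""
    return {label: evaluate(pw)[1] for label, pw in labelled_passwords.items()}


# Constructed samples: the first four are the weak examples the policy names.
SAMPLES = {
    "policy-digit-suffix": "secret1",
    "policy-digit-prefix": "1secret",
    "policy-keyboard-run": "qwerty",
    "policy-place-name": "sanjose",
    "org-name-derivation": "Bradesco2010!",
    "reversed-word": "Drowssap9#",
    "constructed-strong": "gV7#rLq2!xWd",
}

if __name__ == "__main__":
    for label, findings in audit(SAMPLES).items():
        print(label, "->", findings or "acceptable")
```

Passing the composition rules alone is not enough: "Bradesco2010!" and "Drowssap9#" have mixed case, a digit and punctuation, yet both are rejected by the weak-characteristic checks.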
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g. Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network Scope This policy applies to all Bradesco employees contractors consultants temporaries and other workers including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network This policy applies to implementations of VPN that are directed through an IPSec Concentrator Policy Approved Bradesco employees and authorized third parties (customers vendors etc) may utilize the benefits of VPNs which are a user managed service This means that the user is responsible for selecting an Internet Service Provider (ISP) coordinating installation installing any required software and paying associated fees Further details may be found in the Remote Access Policy Additionally
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
The specifications of this product are shown below.
Specifications
Status indicator lights: Power, DMZ, WLAN, LAN (1, 2, 3, 4), Internet
Transmit power: 18 dBm
General Characteristics
Package Contents
• WRT54G Wireless-G Broadband Router
• Setup CD-ROM with Symantec Internet Security
• Guide on CD-ROM
• Power adapter
• RJ45 network cable
• Quick installation guide
• Registration card
Availability: High
Model: WRT54G
Packaging: Retail
Product type: Router
Physical Characteristics
Dimensions: 186 mm x 48 mm x 200 mm
Gross weight (kg): 0.48
Power
Power supply type: External, 12 V DC, 1.0 A
Miscellaneous Details
Industry standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54 Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54 Mbps Auto-fallback IEEE 802.11g, 11 Mbps Auto-fallback IEEE 802.11b, 1 Mbps IEEE 802.11b, 6 Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada), 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32 x 1.89 x 6.06 in (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12 V DC, 0.5 A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company Security Policy
Introduction
More and more high profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>.
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
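The weak and strong password characteristics listed above can be checked mechanically. The following is an added example, not part of the original policy: the function names, the small constructed word list and the four-character sequence window are assumptions made for illustration.

```python
import re
import string

# Constructed sample word list (assumption for this example). A real check
# would load a full dictionary plus names and other site-specific terms.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "router"}

# Organization and location terms named in the guideline text.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")

# Neighbouring letters, keys and digits: the qwerty / zyxwvuts class.
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "0123456789",
)


def has_sequence(password, run=4):
    """True if any `run` consecutive characters follow a known sequence,
    forwards or backwards. The window size of 4 is an assumption."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        for seq in SEQUENCES:
            if window in seq or window in seq[::-1]:
                return True
    return False


def has_repeats_or_mirror(password):
    """True for aaabbb-style repeated characters or a mirrored string
    such as 123321."""
    lowered = password.lower()
    if re.search(r"(.)\1\1", lowered):
        return True
    return len(lowered) >= 4 and lowered == lowered[::-1]


def is_listed_word(password, words=SAMPLE_WORDS):
    """True if the password is a listed word, that word spelled backwards,
    or either form preceded or followed by digits (secret1, 1secret)."""
    core = password.lower().strip(string.digits)
    return bool(core) and (core in words or core[::-1] in words)


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of guideline violations; an empty list means pass."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a punctuation character")
    if is_listed_word(password, words):
        problems.append("dictionary word, reversed word, or word plus digits")
    if any(term in password.lower() for term in ORG_TERMS):
        problems.append("contains an organization or location term")
    if has_sequence(password) or has_repeats_or_mirror(password):
        problems.append("keyboard/alphabet sequence or repeated pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the weak patterns the policy names.
    for candidate in ("secret1", "zyxwvuts", "123321",
                      "Bradesco2010!", "Rv7#kLp2!q"):
        print(candidate, "->", check_password(candidate) or "passes")
```

A password that satisfies every composition rule can still fail on content: the constructed sample `Bradesco2010!` has mixed case, digits and punctuation but is rejected for containing the organization name.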
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1 Do not use the same password for Bradesco accounts as for other non-Bradesco access (eg personal ISP account option trading benefits etc) Where possible do not use the same password for various Bradesco access needs For example select one password for engineering systems and a separate password for IT systems Also select a separate password for an NT account and a UNIX account
2 Do not share Bradesco passwords with anyone not even your secretary or departmental administrative assistant All passwords are sensitive confidential Bradesco information
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business,
Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access, and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Product Type: Wireless Broadband Router
Manufacturer Part Number: WRT54GL
Manufacturer Website Address: www.linksys.com
Marketing Information: The Wireless-G WRT54GL Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which connects both screaming fast Wireless-G (IEEE 802.11g at 54 Mbps) and Wireless-B (IEEE 802.11b at 11 Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as needed. Finally, the Router function ties it all together and lets the whole network share a high-speed cable or DSL Internet connection.
Manufacturer: Linksys
Product Model: WRT54GL
Product Name: Wireless-G WRT54GL Broadband Router
Product Line: Wireless-G
Frequency Band/Bandwidth: 2.4 GHz IEEE 802.11b/g ISM Band, USA & Canada
Transmission Speed: 54Mbps
Antenna Range: Up to 299 m
Channels: 11, USA & Canada
Transmission Speed Details: 54Mbps Auto-fallback IEEE 802.11g, 11Mbps Auto-fallback IEEE 802.11b, 1Mbps IEEE 802.11b, 6Mbps IEEE 802.11g
Wireless Security: WEP, WPA2, IEEE 802.1x, Wireless MAC Filtering, Wi-Fi Protected Access (WPA)
Wireless Technology: IEEE 802.11b/g
Interfaces/Ports: 1 x RJ-45 10/100Base-TX WAN, 4 x RJ-45 10/100Base-TX LAN
Data Transfer Rate: 10Mbps Ethernet, 100Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8cm Height x 18.6cm Width x 20cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104ºF (0 to 40ºC)
Storage Temp: -4 to 158ºF (-20 to 70ºC)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company Security Policy
Introduction
More and more high profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use, and if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose: The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material, to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose: The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose: The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview: Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose: The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope: This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9 $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
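The weak and strong password characteristics listed above, expressed as an automated check. This is an added example, not part of the original policy; the function names, reason strings and the small word list are assumptions, and a real deployment would load a full dictionary and the user's own personal details.

```python
import re
import string

# Constructed stand-in for a real dictionary / common-word list (assumption).
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "router", "oracle"}
# Terms the policy names explicitly; "any derivation" is matched as a substring.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")
# Keyboard rows, alphabet and digits, used to spot runs such as qwerty or zyxwvuts.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "0123456789")


def _is_pattern(s):
    """Word or number patterns: aaabbb, qwerty, zyxwvuts, 123321."""
    if len(s) < 4:
        return False
    # Whole string made of runs of three or more identical characters (aaabbb).
    if re.fullmatch(r"(?:(.)\1{2,})+", s):
        return True
    # A slice of a keyboard row, the alphabet or the digits, forwards or backwards.
    if any(s in seq or s in seq[::-1] for seq in SEQUENCES):
        return True
    # Mirrored strings such as 123321.
    return s == s[::-1]


def _core_forms(password):
    """Forms to test: as typed (lower-cased), with leading/trailing digits
    removed ("preceded or followed by a digit"), and each of those reversed
    ("spelled backwards")."""
    lowered = password.lower()
    forms = {lowered, lowered.strip(string.digits)}
    forms |= {f[::-1] for f in forms}
    forms.discard("")
    return forms


def weak_reasons(password, words=SAMPLE_WORDS, personal=()):
    """Return the list of policy rules the password breaks (empty list = acceptable)."""
    reasons = []
    forms = _core_forms(password)

    if len(password) < 8:
        reasons.append("shorter than eight characters")
    if any(f in words for f in forms):
        reasons.append("dictionary or common word")
    if any(term in f for f in forms for term in ORG_TERMS):
        reasons.append("organisation or location term")
    if any(p.lower() in f for f in forms for p in personal if p):
        reasons.append("personal information")
    if any(_is_pattern(f) for f in forms):
        reasons.append("word or number pattern")

    # Strong-password requirements: mixed case, digits and punctuation.
    if not any(c.isupper() for c in password):
        reasons.append("no upper case character")
    if not any(c.islower() for c in password):
        reasons.append("no lower case character")
    if not any(c.isdigit() for c in password):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("no punctuation character")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including the weak examples the policy names.
    for candidate in ("secret1", "1secret", "zyxwvuts", "123321",
                      "Bradesco2010!", "gT7#vLq2!xw"):
        print(f"{candidate!r}: {weak_reasons(candidate) or 'acceptable'}")
```
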
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement: Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose: This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope: This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose: The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope: This policy applies to all Bradesco employees, contractors, vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement: Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables secure private network via a public network such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose: The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope: This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose: This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope: Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party The signed document will be kept on file with [name of team responsible for extranet agreements] Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security] Business Case All production extranet connections must be accompanied by a valid written business justification which is approved by a project manager in the extranet group Lab connections must be approved by the [name of team responsible for lab security] This business case is typically included as part of the Third-Party Agreement Point Of Contact The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection In the event that the POC changes promptly inform the relevant extranet organization
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Data Transfer Rate: 10 Mbps Ethernet, 100 Mbps Fast Ethernet
Connectivity Media: Twisted Pair
Expansion Slots: Not Applicable
Security: Internet Policy, Stateful Packet Inspection (SPI) Firewall
Input Voltage: 12 V DC Device
Power Supply: External
Dimensions: 4.8 cm Height x 18.6 cm Width x 20 cm Depth
Weight: 481.94 g
Certifications & Standards: CE, FCC, IC-03, Wi-Fi, IEEE 802.1x, IEEE 802.11b, IEEE 802.11g
Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.11g, IEEE 802.11b
Channels: 11 Channels (US, Canada); 13 Channels (Europe, Japan)
Ports: Internet: One 10/100 RJ-45 Port; LAN: Four 10/100 RJ-45 Switched Ports; One Power Port
Button: Reset, SecureEasySetup
Cabling Type: CAT5
LEDs: Power, DMZ, WLAN, LAN (1-4), Internet, SecureEasySetup
RF Power Output: 18 dBm
UPnP able/cert: Able
Security Features: Stateful Packet Inspection (SPI) Firewall, Internet Policy
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp: 32 to 104°F (0 to 40°C)
Storage Temp: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company Security Policy
Introduction
More and more high profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure. Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly. Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes, in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g. email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution, and will modify the access of ones who transfer (to remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g. root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g. email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g. SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords and local router logins. Since very few systems have support for one-time tokens (i.e. dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g. a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g. 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
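The weak-password characteristics and strong-password criteria listed above can be checked mechanically. The following Python checker is an added example, not part of the original policy; the word list, the function names and the rule labels are assumptions made for illustration.

```python
import string

# Constructed sample list (assumption): stands in for a real dictionary plus
# the names, computer terms and site-specific words the guidelines mention.
SAMPLE_WORDS = frozenset({
    "secret", "password", "welcome", "dragon", "router",
    "bradesco", "sanjose", "sanfran",
})

# Alphabet, digit and keyboard rows used to spot runs such as "qwerty".
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_pattern(s):
    """True for runs (qwerty, zyxwvuts), mirrored strings (123321) and
    strings built from very few distinct characters (aaabbb)."""
    if len(s) < 4:
        return False
    run = any(s in seq or s in seq[::-1] for seq in SEQUENCES)
    mirrored = s == s[::-1]
    repetitive = len(set(s)) * 3 <= len(s)
    return run or mirrored or repetitive


def weak_reasons(password, words=SAMPLE_WORDS):
    """Return the list of guideline violations (empty list = acceptable)."""
    low = password.lower()
    core = low.strip(string.digits)   # drop leading/trailing digits
    reasons = []

    if len(password) < 8:                       # weak rule 1
        reasons.append("too-short")
    if low in words:                            # weak rules 2-7
        reasons.append("dictionary-word")
    elif low[::-1] in words:                    # weak rule 9
        reasons.append("reversed-word")
    if is_pattern(low):                         # weak rule 8
        reasons.append("pattern")
    # Weak rule 10: a weak base with a digit in front or behind it.
    if core and core != low and (
            core in words or core[::-1] in words or is_pattern(core)):
        reasons.append("digit-affix")

    # Strong rules 1-2: upper case, lower case, digits and punctuation.
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if not all(classes):
        reasons.append("missing-character-classes")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including the patterns named in the list.
    for candidate in ("secret1", "terces", "zyxwvuts", "123321",
                      "Bradesco2010", "gV7#pLq2!xZ"):
        print(f"{candidate!r}: {weak_reasons(candidate) or 'ok'}")
```

A checker like this covers only the mechanical rules; rules about personal information or writing passwords down still depend on the user.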
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g. personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g. "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Application Administration Account: Any account that is for the administration of an application (e.g. Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g. public-key encryption).
Remote Access Policy
Purpose The policy defines standards for connecting to Bradescorsquos network from any host These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources Damages include the loss of sensitive or company confidential data or intellectual property damage to public image damage to critical Bradesco internal systems etc
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Scope This policy applies to all Bradesco employees contractors vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network This policy applies to remote access connections to Bradesco including reading or sending email and viewing intranet resources This policy covers remote access implementations that include but are not limited to dialup modems Frame Relay ISDN DSL VPN SSH Wireless Access Points and cable modems etc Rogue Modems and Wireless Access Points The best firewall on the market wont protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office With what they believe to be the best of intentions workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data IT employees who should be familiar with the dangers of such configurations will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor Whatever the cause of these unauthorized access mechanisms it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems All external access to networks systems and data should be done through a centrally administered tested and sanctioned remote access solution Policy should exist that prohibits the establishment of any unauthorized inroads to your systems and any discovered mechanisms of this sort should be removed immediately Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
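Items 3 and 4 can be checked on a client by looking at which interface its routing table selects for traffic while the tunnel is up. The following is an added example, not part of the original policy: it assumes Linux `ip route show` output, a tunnel interface named tun0, and constructed addresses from documentation ranges; the function names are hypothetical. It tests a list of probe destinations, so it is a spot check rather than a proof over the whole address space.

```python
import ipaddress

# Constructed routing tables (assumptions): tun0 is the VPN interface, eth0 the
# home link, 203.0.113.10 the VPN gateway, 10.20.0.5 a corporate host.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL = """
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
PROBES = ("198.51.100.7", "10.20.0.5")  # one Internet host, one corporate host


def parse_routes(route_text):
    """Parse `ip route show` style lines into (network, device) pairs."""
    routes = []
    for line in route_text.strip().splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blackhole/unreachable entries carry no device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: the device the kernel would pick for address."""
    ip = ipaddress.ip_address(address)
    matching = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matching, key=lambda m: m[0])[1] if matching else None


def split_tunnel_findings(route_text, tunnel_dev, vpn_gateway, probes):
    """Return (address, device) for every probe that would bypass the tunnel."""
    routes = parse_routes(route_text)
    findings = []
    for address in probes:
        if address == vpn_gateway:
            continue  # the encrypted tunnel itself has to use the physical link
        dev = egress_device(routes, address)
        if dev != tunnel_dev:
            findings.append((address, dev))
    return findings


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, split_tunnel_findings(table, "tun0", "203.0.113.10", PROBES))
```

In the first table the two /1 routes are more specific than the leftover default route, so all probed traffic enters the tunnel; in the second only 10.0.0.0/8 does, which is the split-tunnel configuration item 4 forbids.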
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Wireless Security: Wi-Fi Protected Access™ 2 (WPA2), WEP, Wireless MAC Filtering
Environmental
Dimensions: 7.32" x 1.89" x 6.06" (186 x 48 x 154 mm)
Weight: 13.8 oz (391 g)
Power: External, 12V DC, 0.5A
Certifications: FCC, ICES-003, CE, Wi-Fi (802.11b, 802.11g), WPA2, WMM
Operating Temp.: 32 to 104°F (0 to 40°C)
Storage Temp.: -4 to 158°F (-20 to 70°C)
Operating Humidity: 10 to 85%, Noncondensing
Storage Humidity: 5 to 90%, Noncondensing
Company Security Policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats, and the will or means to act on them, remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use, and if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated the institution and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>)
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
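The weak and strong password characteristics listed above can be screened automatically when a password is set. The following is an added example, not part of the original policy or of any Bradesco system: the function names, the finding labels, and the small sample word list are assumptions made for illustration.

```python
import string

MIN_LENGTH = 8  # "at least eight" characters, from the guidelines

# Constructed sample word list (assumption): a real deployment would load a
# full dictionary plus names, computer terms and similar entries.
SAMPLE_WORDS = {"secret", "password", "dragon", "router", "welcome"}

# Organisation and place terms named in the guidelines; "any derivation"
# is handled by rejecting them anywhere inside the password.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")

# Keyboard rows, the alphabet and the digit run, used to spot sequences.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        string.ascii_lowercase, string.digits)


def is_pattern(text):
    """True for repeats, mirrored strings and keyboard/alphabet runs."""
    if len(text) < 4:
        return False
    if len(set(text)) <= 2:          # aaabbb, 111111
        return True
    if text == text[::-1]:           # 123321
        return True
    # qwerty, zyxwvuts: a slice of a run, read forwards or backwards
    return any(text in run or text in run[::-1] for run in RUNS)


def check_password(password, words=SAMPLE_WORDS, personal=()):
    """Return a list of guideline violations; an empty list means none found.

    `personal` holds names, birthdays and similar strings tied to the user.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.append("needs_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.append("needs_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("needs_punctuation")

    lowered = password.lower()
    # "preceded or followed by a digit": drop leading and trailing digits.
    core = lowered.strip(string.digits)
    candidates = {c for c in (lowered, core) if c}
    # "spelled backwards": test each candidate reversed as well.
    candidates |= {c[::-1] for c in candidates}

    banned = {w.lower() for w in words} | {p.lower() for p in personal}
    if candidates & banned:
        findings.append("dictionary_or_personal")
    if any(t in lowered or t in lowered[::-1] for t in ORG_TERMS):
        findings.append("org_term")
    if any(is_pattern(c) for c in candidates):
        findings.append("pattern")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("secret1", "1terces", "zyxwvuts", "Bradesco2010!",
                   "vR7#kq!Zm2x"):
        print(sample, check_password(sample))
```

A check like this belongs at the point where passwords are set or changed, so weak choices are rejected before they reach the password database.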
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid, written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Company Security Policy
Introduction
More and more high-profile information security events have garnered media attention in recent years. As a result, those responsible for protecting their organizations' critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy. However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet, and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex. Being more aware of, and paying more attention to, the following key elements of internal security will protect your information assets against the majority and most common security threats, and will allow you to head off a significant portion of the consequential damage to your core business interests.
Acceptable Use Policy
Overview
The Acceptable Use Policy is not intended to impose restrictions that are contrary to Bradesco policies, but rather to establish a culture of trust and integrity. Bradesco is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, Web browsing, and FTP, are the property of Bradesco. You are expected to use these systems for business purposes in the interests of the company, our clients, and our customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Bradesco employee and affiliate who deals with information and/or information systems. It is your responsibility as a computer user to know these guidelines and to act accordingly.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1. While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2. You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use, and if there is any uncertainty, consult your supervisor or manager.
3. Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5. Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to, company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases, you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to Virus, Worm, or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or un-trusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees whose employment with the institution has terminated and will modify the access of ones who transfer to (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public," "private," and "system," and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose," "sanfran," or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
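The construction guidelines above can be enforced at password-change time. The following checker is an added example, not part of the original policy or of any Bradesco tooling; the word list, the sample passwords, and the function names are constructed for illustration, and a real deployment would load a full dictionary.

```python
import string

# Constructed sample word list; a real check would load a full dictionary file.
DICTIONARY = {"secret", "password", "welcome", "dragon", "monkey"}
# Company and location words the guidelines name explicitly.
ORG_TERMS = {"bradesco", "sanjose", "sanfran"}
# Alphabet, digit and keyboard-row runs (catches qwerty, zyxwvuts, ...).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8


def _core(candidate):
    """Lowercase and drop digits added before or after (secret1, 1secret)."""
    return candidate.lower().strip(string.digits)


def _is_pattern(text):
    """Detect runs (qwerty), reversed runs (zyxwvuts), palindromes (123321)
    and repeated-character blocks (aaabbb)."""
    if len(text) < 4:
        return False
    # Collapse consecutive duplicates: "aaabbb" becomes ['a', 'b'].
    collapsed = [c for i, c in enumerate(text) if i == 0 or c != text[i - 1]]
    is_run = any(text in seq or text[::-1] in seq for seq in SEQUENCES)
    return is_run or text == text[::-1] or len(collapsed) * 2 <= len(text)


def evaluate(candidate, personal_terms=()):
    """Return the guideline violations for a candidate password.

    personal_terms holds names, birthdays and similar data known about the
    user (hypothetical input). An empty result means the candidate passes.
    """
    problems = []
    lowered = candidate.lower()
    core = _core(candidate)
    banned = DICTIONARY | ORG_TERMS | {t.lower() for t in personal_terms}

    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    if core in banned or core[::-1] in banned:
        problems.append("dictionary, company or personal word "
                        "(possibly reversed or with digits added)")
    elif any(term in lowered for term in ORG_TERMS):
        problems.append("derived from a company or location name")
    if _is_pattern(lowered):
        problems.append("word or number pattern")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("needs a punctuation character")
    return problems


if __name__ == "__main__":
    # Constructed samples covering each weak-password characteristic.
    for sample in ("secret1", "1terces", "zyxwvuts", "123321",
                   "aaabbb", "Bradesco2010!", "gR7!pw&Qz2"):
        result = evaluate(sample)
        print(f"{sample!r}: {'OK' if not result else '; '.join(result)}")
```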
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords.
Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks." A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows.
Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables secure private network via a public network such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco Scope Connections between third parties that require access to non-public Bradesco resources are governed by this policy regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection Connectivity to third parties such as the Internet service Providers (ISPs) that provide Internet access for Bradesco or to the Public Switched Telephone Network does NOT fall under this policy Policy Prerequisites Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department This review ensures reviews that all third-party network access serves a legitimate business need
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Purpose
This policy outlines the acceptable use of computer equipment at Bradesco. These rules protect you and Bradesco. Inappropriate use exposes Bradesco to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Bradesco, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Bradesco.
Policy
General Use and Ownership
1 While Bradesco's network administration desires to provide a reasonable level of privacy, you should be aware that the data you create on corporate systems remains the property of Bradesco. Because of the need to protect Bradesco's network, management does guarantee the confidentiality of information stored on any network device belonging to Bradesco.
2 You are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, you should follow departmental policies on personal use and, if there is any uncertainty, consult your supervisor or manager.
3 Bradesco recommends encrypting any information that you consider sensitive or vulnerable. For guidelines on information classification, see the Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Awareness Initiative.
4 For security and network maintenance purposes, authorized individuals within Bradesco may monitor equipment, systems, and network traffic at any time, per the Audit Policy.
5 Bradesco reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
1 The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2 Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3 Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4 Use encryption of information in compliance with the Acceptable Encryption Use policy.
5 Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6 Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7 All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8 Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1 Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2 Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3 Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4 Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5 Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6 Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7 Making fraudulent offers of products, items, or services originating from any Bradesco account.
8 Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9 Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10 Port scanning or security scanning, unless you previously notify Bradesco.
11 Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12 Circumventing user authentication or security of any host, network, or account.
13 Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14 Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15 Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1 Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2 Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3 Unauthorized use, or forging, of email header information.
4 Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5 Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6 Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7 Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1 Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2 Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3 Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4 Never download files from unknown or suspicious sources.
5 Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6 Always scan a floppy diskette from an unknown source for viruses before using it.
7 Back up critical data and system configurations regularly and store the data in a safe place.
8 If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9 New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1 Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2 Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3 Sharing of IDs is prohibited.
4 Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5 Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1 Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2 Make all production system-level passwords part of the Bradesco administered global password management database.
3 Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4 User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5 Do not insert passwords into email messages or other forms of electronic communication.
6 Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7 All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include: user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1 They contain fewer than eight characters.
2 They are a word found in a dictionary (English or foreign).
3 They are a common usage word such as:
4 Names of family, pets, friends, co-workers, fantasy characters, etc.
5 Computer terms and names, commands, sites, companies, hardware, software.
6 The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7 Birthdays and other personal information such as addresses and phone numbers.
8 Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9 Any of the above spelled backwards.
10 Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1 Contain both upper and lower case characters (e.g., a-z, A-Z).
2 Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3 Are at least eight alphanumeric characters long.
4 Are not a word in any language, slang, dialect, jargon, etc.
5 Are not based on personal information, names of family, etc.
6 Are never written down or stored on-line.
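The weak and strong characteristics listed above can be screened mechanically when a password is set. The following Python check is an added example, not part of the original policy; the word list, the finding names and the function names are constructed assumptions.

```python
import string
from itertools import groupby

# Constructed sample list (assumption). A deployment would load a full
# dictionary plus names, computer terms and other common-usage words.
WORDLIST = {"secret", "password", "welcome", "dragon", "router", "oracle"}
# Organisation name and geographical indicators named in the policy text.
SITE_WORDS = ("bradesco", "sanjose", "sanfran")
# Alphabet, digits and keyboard rows, used to spot runs like qwerty or zyxwvuts.
SEQUENCES = (string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_pattern(s):
    """True for repeated-character runs, alphabet/keyboard runs and palindromes."""
    if len(s) < 4:
        return False
    runs_only = all(len(list(g)) >= 2 for _, g in groupby(s))            # aaabbb
    in_sequence = any(s in seq or s in seq[::-1] for seq in SEQUENCES)   # qwerty, zyxwvuts
    palindrome = s == s[::-1]                                            # 123321
    return runs_only or in_sequence or palindrome


def audit_password(password):
    """Return the list of policy findings for a candidate; empty means it passes."""
    findings = []
    lowered = password.lower()
    # "Preceded or followed by a digit": strip digits at both ends. Stripping
    # more than one digit generalises the policy's single-digit examples.
    core = lowered.strip(string.digits)

    if len(password) < 8:
        findings.append("too-short")
    # Dictionary word, also when spelled backwards.
    if core and (core in WORDLIST or core[::-1] in WORDLIST):
        findings.append("dictionary-word")
    # "Any derivation" of the site words is treated as a substring match.
    if any(w in lowered or w in lowered[::-1] for w in SITE_WORDS):
        findings.append("contains-site-word")
    if _is_pattern(lowered) or _is_pattern(core):
        findings.append("pattern")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("no-mixed-case")
    if not any(c.isdigit() for c in password):
        findings.append("no-digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no-punctuation")
    return findings


if __name__ == "__main__":
    # Constructed candidates, including the weak examples the policy names.
    for candidate in ("secret1", "1terces", "qwerty1", "123321",
                      "Bradesco2010!", "gR7#vLq9!zTp"):
        print(candidate, audit_password(candidate) or "OK")
```
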
Create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1 Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2 Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3 Here is a list of "don'ts":
4 Don't reveal a password to anyone over the phone.
5 Don't reveal a password in an email message.
6 Don't reveal a password to the boss.
7 Don't talk about a password in front of others.
8 Don't hint at the format of a password (e.g., "my family name").
9 Don't reveal a password on questionnaires or security forms.
10 Don't share a password with family members.
11 Don't reveal a password to a co-worker when you go on vacation.
12 Don't write down a password and store it anywhere in your office.
13 Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14 Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1 Applications should support authentication of individual users, not groups.
2 Applications should not store passwords in clear text or in any easily reversible form.
3 Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4 Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1 It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2 General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3 Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a Encryption Policy
b Virtual Private Network (VPN) Policy
c Wireless Communications Policy
d Acceptable Use Policy
4 For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1 Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2 Never provide a login or email password to anyone, not even family members.
3 You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4 Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5 Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6 Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7 Frame Relay links must meet minimum authentication requirements of DLCI standards.
8 Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9 All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10 Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11 Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Security and Proprietary Information
1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or non-confidential, as defined by corporate confidentiality guidelines found in Human Resources policies. Examples of confidential information include, but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. You should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. As an authorized user, you are responsible for the security of your passwords and accounts. Change system-level passwords quarterly; change user-level passwords every six months.
3. Secure all PCs, laptops, and workstations with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with the Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, exercise special care. Protect laptops in accordance with "Laptop Security Tips".
6. Newsgroup postings from a Bradesco email address should contain a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of Bradesco, unless posting is in the course of business duties.
7. All hosts used by you that are connected to the Bradesco Internet/intranet/extranet, whether owned by you or by Bradesco, must continually execute approved virus-scanning software with a current virus database (unless overridden by departmental or group policy).
8. Use extreme caution when opening email attachments received from unknown senders. These attachments may contain viruses, email bombs, or Trojan horse code.
Unacceptable Use
The following activities are, in general, prohibited. In special cases you may be exempted from these restrictions during the course of your legitimate job responsibilities (for example, systems administration staff may need to disable the network access of a host that is disrupting production services). Under no circumstances is an employee of Bradesco authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Bradesco-owned resources. The lists that follow are by no means exhaustive, but provide a framework for activities that fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including but not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to viruses, worms, or Trojan horses. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have a written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated with the institution, and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word, such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
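The weak and strong characteristics listed above can be checked mechanically. The following is an added example, not part of the original policy document: the word list, the sequence table, and the function names is_pattern and check_password are assumptions made for illustration.

```python
import string

# Constructed sample word list (assumption). A real check would load a full
# dictionary plus names, computer terms and the organisation-specific words
# the guideline mentions.
WORDLIST = {"secret", "password", "welcome", "dragon",
            "bradesco", "sanjose", "sanfran"}

# Alphabet, digit and keyboard-row sequences; any run taken from one of these,
# forwards or backwards, counts as a pattern (qwerty, zyxwvuts, ...).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_pattern(text):
    """Detect the 'word or number patterns' the guideline lists."""
    s = text.lower()
    if len(s) < 4:
        return False
    if s == s[::-1]:                      # mirrored, e.g. 123321
        return True
    if len(set(s)) <= len(s) // 3:        # few distinct symbols, e.g. aaabbb
        return True
    return any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def check_password(password):
    """Return the list of guideline violations; an empty list means none found."""
    findings = []
    lowered = password.lower()
    # "Preceded or followed by a digit": strip digits before the lookups.
    core = lowered.strip(string.digits)

    if len(password) < 8:
        findings.append("too_short")
    # "Spelled backwards": look up the reversed form as well.
    if core and (core in WORDLIST or core[::-1] in WORDLIST):
        findings.append("dictionary_word")
    if is_pattern(lowered) or is_pattern(core):
        findings.append("pattern")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        findings.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.append("no_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed samples: the weak forms named in the guideline, then one
    # randomly generated string that satisfies every rule.
    for sample in ("secret1", "1secret", "terces99", "aaabbb",
                   "qwerty", "zyxwvuts", "123321", "r7#Kd!2pQ_vm"):
        print(f"{sample!r:16} {check_password(sample) or 'no findings'}")
```

An empty result only means none of these rules fired; it does not show that the password is absent from a larger dictionary.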
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose The policy defines standards for connecting to Bradescorsquos network from any host These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources Damages include the loss of sensitive or company confidential data or intellectual property damage to public image damage to critical Bradesco internal systems etc
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Scope This policy applies to all Bradesco employees contractors vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network This policy applies to remote access connections to Bradesco including reading or sending email and viewing intranet resources This policy covers remote access implementations that include but are not limited to dialup modems Frame Relay ISDN DSL VPN SSH Wireless Access Points and cable modems etc Rogue Modems and Wireless Access Points The best firewall on the market wont protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office With what they believe to be the best of intentions workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data IT employees who should be familiar with the dangers of such configurations will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor Whatever the cause of these unauthorized access mechanisms it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems All external access to networks systems and data should be done through a centrally administered tested and sanctioned remote access solution Policy should exist that prohibits the establishment of any unauthorized inroads to your systems and any discovered mechanisms of this sort should be removed immediately Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access, and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Bradesco.
2. Unauthorized copying of copyrighted material, including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Bradesco or the end user does not have an active license.
3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Consult appropriate management prior to export of any material that is in question.
4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when working at home.
6. Using a Bradesco computing asset to procure or transmit material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any Bradesco account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which you are not an intended recipient, or logging into a server or account that you are not expressly authorized to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning, unless you previously notify Bradesco.
11. Executing any form of network monitoring that will intercept data not intended for your host, unless this activity is a part of your normal duties.
12. Circumventing user authentication or security of any host, network, or account.
13. Interfering with or denying service to any user other than your host (for example, a denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user's terminal session, via any means, locally or via the Internet/intranet/extranet.
15. Providing information about, or lists of, Bradesco employees to parties outside Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to a virus, worm, or Trojan horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important, and often overlooked, elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily, and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential, even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor, and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates; guard against this, and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees whose employment with the institution has terminated, and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and the frequency of change.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
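The weak and strong password characteristics listed above can be checked mechanically. The following Python checker is an added example, not part of the original policy; the word lists are constructed samples, and matching site or personal terms as substrings (to approximate "any derivation") is an assumption.

```python
import re
import string

# Constructed sample lists (assumption): a real check would load a full
# dictionary plus names, computer terms and organization-specific words.
DICTIONARY = {"secret", "password", "welcome", "dragon", "router"}
SITE_TERMS = {"bradesco", "sanjose", "sanfran"}
PATTERNS = {"qwerty", "zyxwvuts", "123321"}

# A string built only from runs of three or more repeated characters (aaabbb).
REPEATED_RUNS = re.compile(r"(?:(.)\1{2,})+")


def candidate_cores(lowered):
    """The password plus its forms with one leading or trailing digit removed."""
    cores = {lowered}
    if lowered[:1].isdigit():
        cores.add(lowered[1:])
    if lowered[-1:].isdigit():
        cores.add(lowered[:-1])
    return {core for core in cores if core}


def weaknesses(password, personal=()):
    """Return a sorted list of guideline violations; empty means none found."""
    found = set()
    lowered = password.lower()

    if len(password) < 8:
        found.add("too_short")

    # Dictionary words, also spelled backwards or with a digit added.
    for core in candidate_cores(lowered):
        if core in DICTIONARY or core[::-1] in DICTIONARY:
            found.add("dictionary_word")
        if REPEATED_RUNS.fullmatch(core):
            found.add("pattern")

    # Keyboard and number patterns anywhere in the password, either direction.
    if any(p in lowered or p[::-1] in lowered for p in PATTERNS):
        found.add("pattern")

    # Organization, place and personal terms "or any derivation": matched as
    # substrings in either direction (assumption about what derivation covers).
    terms = SITE_TERMS | {p.lower() for p in personal if p}
    if any(t in lowered or t[::-1] in lowered for t in terms):
        found.add("site_or_personal_term")

    # Composition rules from the strong-password list.
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        found.add("no_mixed_case")
    if not any(c.isdigit() for c in password):
        found.add("no_digit")
    if not any(c in string.punctuation for c in password):
        found.add("no_punctuation")

    return sorted(found)


if __name__ == "__main__":
    # Constructed sample passwords; none should ever be used for real accounts.
    for sample in ("secret1", "1secret", "aaabbb", "Bradesco2010!",
                   "Rex2010!zQ", "gV7#qLp2@xRw"):
        print(f"{sample!r}: {weaknesses(sample, personal=('rex',)) or 'ok'}")
```

A password that passes these checks can still be weak; the check only catches the characteristics the guidelines enumerate, limited by the size of the word lists supplied.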
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and, as such, are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Email and Communications Activities
Purpose
The policy defines standards for conducting communications within Bradesco's network email system. These standards minimize the potential exposure to Bradesco from unsolicited email messages and attachments. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, and unintentional employee exposure to inappropriate content or material.
1. Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
3. Unauthorized use or forging of email header information.
4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or collect replies.
5. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
6. Using unsolicited email originating from within Bradesco's networks or other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Bradesco or connected via Bradesco's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Anti-Virus Policy
Purpose
The policy defines standards for protecting Bradesco's network from any threat related to a Virus, Worm, or Trojan Horse. These standards minimize the potential exposure to Bradesco from damages that may result from an unprotected network. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
1. Always run the Bradesco standard, supported anti-virus software available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work, and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have terminated with the institution and will modify the access of those who transfer (remove capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
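The weak and strong password characteristics listed above can be checked mechanically at the moment a password is set. The following Python code is an added example, not part of the original policy; the sample word list, the function names and the finding labels are assumptions made for illustration.

```python
import string

# Constructed sample word list (assumption): a real deployment would load a
# full dictionary plus names, computer terms and known-breached passwords.
SAMPLE_WORDS = {"secret", "password", "dragon", "welcome", "router", "oracle"}

# Company name and the geographical indicators the policy names; any
# derivation containing them is rejected.
COMPANY_TERMS = ("bradesco", "sanjose", "sanfran")

# Keyboard rows, the alphabet and the digit row, used to spot runs such as
# "qwerty" or "zyxwvuts" in either direction.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase, "1234567890")


def _is_pattern(text):
    """Detect word or number patterns: runs, repeated blocks, palindromes."""
    if len(text) < 4:
        return False
    if any(text in seq or text in seq[::-1] for seq in SEQUENCES):
        return True                      # qwerty, zyxwvuts, 12345678
    collapsed = [c for i, c in enumerate(text) if i == 0 or c != text[i - 1]]
    if len(collapsed) * 2 <= len(text):
        return True                      # aaabbb, 111111
    return text == text[::-1]            # 123321


def _weak_base(text, words):
    """Return why `text` is a weak base string, or None if no rule matches."""
    if not text:
        return None
    if text in words:
        return "dictionary word"
    if text[::-1] in words:
        return "word spelled backwards"
    if _is_pattern(text):
        return "character pattern"
    return None


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of policy findings for `password` (empty = acceptable)."""
    findings = []
    if len(password) < 8:
        findings.append("too short")

    lowered = password.lower()
    core = lowered.strip(string.digits)  # "secret1" and "1secret" -> "secret"
    reason = _weak_base(lowered, words)
    if reason is None and core != lowered:
        reason = _weak_base(core, words)
        if reason:
            reason += " with digits added"
    if reason:
        findings.append(reason)
    elif any(term in lowered for term in COMPANY_TERMS):
        findings.append("derived from company or site name")

    # Strong passwords mix upper and lower case, digits and punctuation.
    missing = [name for name, present in (
        ("lowercase", any(c.islower() for c in password)),
        ("uppercase", any(c.isupper() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("punctuation", any(c in string.punctuation for c in password)),
    ) if not present]
    if missing:
        findings.append("missing: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    # Constructed test inputs, including the weak forms the policy lists.
    for pw in ("secret1", "1secret", "terces99", "zyxwvuts", "123321",
               "aaabbb", "Bradesco2010!", "gR7#pLw!x2Qz"):
        print(f"{pw!r:18} {check_password(pw) or 'ok'}")
```

The character-class test alone accepts "Bradesco2010!"; only the company-term rule rejects it, which is why the policy lists both kinds of rule.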
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
   - Being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP).
   - Being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access.
   - Configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
1. Always run the Bradesco standard, supported anti-virus software, available from the Bradesco download site. Download and run the current version; download and install anti-virus software updates as they become available.
2. Never open any files or macros attached to an email from an unknown, suspicious, or untrusted source. Delete these attachments immediately, then "double delete" them by emptying your trash.
3. Delete spam, chain, and other junk email without forwarding, per Bradesco's Acceptable Use Policy.
4. Never download files from unknown or suspicious sources.
5. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
6. Always scan a floppy diskette from an unknown source for viruses before using it.
7. Back up critical data and system configurations regularly and store the data in a safe place.
8. If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
9. New viruses are discovered almost every day. Periodically check the company Anti-Virus Policy and this Recommended Processes list for updates.
Identity Policy
Purpose
The policy defines rules and practices for protecting Bradesco's network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated. An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security-savvy employees help protect your organization? Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters, e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
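The weak and strong password characteristics listed above can be checked mechanically, for example when a password is set. The following Python code is an added example, not part of the original policy; the dictionary contents, the function names and the issue codes are assumptions made for illustration, and a real deployment would load a full word list.

```python
"""Check a candidate password against the weak/strong characteristics in the policy."""
import re
import string

MIN_LENGTH = 8

# Constructed stand-in for a real dictionary file (assumption, not from the policy).
DICTIONARY = {"secret", "password", "welcome", "dragon", "router"}

# Organisation and site terms named in the policy's weak-password list.
ORG_TERMS = ("bradesco", "sanjose", "sanfran")

# Runs used to spot patterns such as qwerty, zyxwvuts or 1234.
RUNS = (string.ascii_lowercase, "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _contains_any(text, terms):
    """True if any term occurs in text, forwards or spelled backwards."""
    return any(t and (t in text or t[::-1] in text) for t in terms)


def _has_pattern(text):
    """Detect repeated runs (aaabbb), palindromes (123321) and keyboard or
    alphabet sequences in either direction (qwerty, zyxwvuts)."""
    if re.search(r"(.)\1{2,}", text):
        return True
    if len(text) >= 4 and text == text[::-1]:
        return True
    for i in range(len(text) - 3):
        window = text[i:i + 4]
        if any(window in run or window in run[::-1] for run in RUNS):
            return True
    return False


def check_password(password, personal_terms=()):
    """Return a list of issue codes; an empty list means no rule was violated.

    personal_terms holds names, birthdays and similar data known about the
    account owner (supplied by the caller; hypothetical input).
    """
    issues = []
    low = password.lower()
    # "Preceded or followed by a digit": compare the word without those digits.
    core = low.strip(string.digits)

    # Weak-password characteristics.
    if len(password) < MIN_LENGTH:
        issues.append("too_short")
    if core and (core in DICTIONARY or core[::-1] in DICTIONARY):
        issues.append("dictionary_word")
    if _contains_any(low, ORG_TERMS):
        issues.append("org_or_site_term")
    if _contains_any(low, [t.lower() for t in personal_terms]):
        issues.append("personal_info")
    if _has_pattern(low):
        issues.append("pattern")

    # Strong-password requirements.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        issues.append("needs_upper_and_lower")
    if not any(c.isdigit() for c in password):
        issues.append("needs_digit")
    if not any(c in string.punctuation for c in password):
        issues.append("needs_punctuation")
    return issues


if __name__ == "__main__":
    # Constructed samples, including the weak examples the policy itself names.
    for candidate in ("secret1", "1secret", "qwerty", "zyxwvuts", "123321", "Gv7#rLp2!kQe"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```
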
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users Control remote access to Bradesco networks using either a one-time password authentication or a publicprivate key system with a strong passphrase Passphrases Passphrases are not the same as passwords A passphrase is a longer version of a password and is therefore more securePassphrases are generally used for publicprivate key authentication A publicprivate key system defines a mathematical relationship between the public key that is known by all and the private key which is known only to the user Without the passphrase to ldquounlockrdquo the private key the user cannot gain access A passphrase typically consists of multiple words making it more secure against ldquodictionary attacksrdquo A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters Here is an example of a good passphrase ldquoThegtTrafficOnThe101WasampThisMorningrdquo All of the guidelines for creating strong passwords also apply to passphrases
Enforcement Any employee found violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term Definition
Application Administration Account
Any account that is for the administration of an application (eg Oracle database administrator ISSU administrator)
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Encryption Policy
Purpose This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States Scope This policy applies to all Bradesco employees and affiliates Policy Use proven standard algorithms such as DES Blowfish RSA RC5 AES and IDEA as the basis for encryption technologies These algorithms represent the actual cipher used for an approved application For example Network Associatersquos Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hillman while Secure Socket Layer (SSL) uses RSA encryption Symmetric cryptosystem key lengths must be at least 56 bits Asymmetric cryptosystem keys must be of a length that yields equivalent strength Bradescorsquos key length requirements will be reviewed annually and upgraded as technology allows Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco Be aware that the export of encryption technologies is restricted by the US Government Residents of countries other than the United States should learn the encryption technology laws of their countries Enforcement Any employee violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term Definition
Proprietary Encryption An algorithm that has not been made public andor has not withstood public scrutiny The developer of the algorithm could be a vendor an individual or the government
Symmetric Cryptosystem
A method of encryption in which the same key is used for both encryption and decryption of the data
Asymmetric Cryptosystem
A method of encryption that uses two different keys one for encrypting and one for decrypting the data (eg public-key encryption)
Remote Access Policy
Purpose The policy defines standards for connecting to Bradescorsquos network from any host These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources Damages include the loss of sensitive or company confidential data or intellectual property damage to public image damage to critical Bradesco internal systems etc
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Scope This policy applies to all Bradesco employees contractors vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network This policy applies to remote access connections to Bradesco including reading or sending email and viewing intranet resources This policy covers remote access implementations that include but are not limited to dialup modems Frame Relay ISDN DSL VPN SSH Wireless Access Points and cable modems etc Rogue Modems and Wireless Access Points The best firewall on the market wont protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office With what they believe to be the best of intentions workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data IT employees who should be familiar with the dangers of such configurations will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor Whatever the cause of these unauthorized access mechanisms it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems All external access to networks systems and data should be done through a centrally administered tested and sanctioned remote access solution Policy should exist that prohibits the establishment of any unauthorized inroads to your systems and any discovered mechanisms of this sort should be removed immediately Policy
1. It is the responsibility of Bradesco employees, contractors, vendors and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables secure private networking via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
How can having security-savvy employees help protect your organization?
Many hackers make ample use of social engineering skills, in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit, and what potential user IDs they can try to use to access those systems.
Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees, but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will. Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow. Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates; guard against this and make it expressly known that these mechanisms will not be tolerated.
Policy
1. Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
2. Any employee who does not access an administrative system in a six-month time period will have his/her access removed and must be reauthorized for access.
3. Sharing of IDs is prohibited.
4. Access managers will (immediately) delete the access of employees who have left the institution and will modify the access of those who transfer (removing capabilities dependent on the previous position).
5. Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private" and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
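The weak and strong characteristics listed above map directly onto checks that can run when a password is set. The following Python code is an added example, not part of the original policy; the sample word list, the sequence table and all function names are assumptions made for illustration.

```python
import string

# Constructed sample list. The policy names dictionary words, names, computer
# terms, "Bradesco" and place names; a real check would load full wordlists.
SAMPLE_WORDS = {"secret", "password", "router", "bradesco", "sanjose", "sanfran"}

# Runs that the pattern check walks along (assumed set): alphabet, digits,
# keyboard rows.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_pattern(s):
    """True for repeated-character, mirrored or sequential strings."""
    s = s.lower()
    if len(s) < 4:
        return False
    if len(set(s)) <= 2:          # aaabbb
        return True
    if s == s[::-1]:              # 123321
        return True
    # qwerty, zyxwvuts: a slice of a known run, forwards or backwards
    return any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def base_weakness(s, words):
    """Label s if it is a listed word, a listed word reversed, or a pattern."""
    if s in words:
        return "dictionary or common-usage word"
    if s[::-1] in words:
        return "listed word spelled backwards"
    if is_pattern(s):
        return "word or number pattern"
    return None


def check_password(password, wordlist=SAMPLE_WORDS, personal=()):
    """Return the list of guideline violations; an empty list means it passes.

    `personal` carries per-user terms (names, birthdays, phone numbers) that
    only the caller knows.
    """
    reasons = []
    if len(password) < 8:
        reasons.append("fewer than eight characters")

    words = {w.lower() for w in wordlist} | {p.lower() for p in personal}
    lowered = password.lower()
    core = lowered.strip(string.digits)   # secret1 / 1secret -> secret

    hit = base_weakness(lowered, words)
    if hit:
        reasons.append(hit)
    elif core and core != lowered:
        hit = base_weakness(core, words)
        if hit:
            reasons.append(hit + " preceded or followed by a digit")

    # Composition rules from the "strong passwords" list.
    if not any(c.islower() for c in password):
        reasons.append("no lower case letter")
    if not any(c.isupper() for c in password):
        reasons.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("no punctuation character")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including the weak examples the policy names.
    for candidate in ("secret1", "zyxwvuts", "123321", "ocsedarb", "Gx7!qLp2#vRt"):
        print(candidate, "->", check_password(candidate) or "passes")
```

A check like this belongs at password-change time; it does not replace the periodic cracking scans the policy describes, which test stored credentials against far larger wordlists.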
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also, select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
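The first three precautions can be shown together in one small account store: per-user credentials, salted one-way password storage, and role delegation that never shares a password. This Python code is an added example, not part of the original policy; the class, its method names, the user names and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


class AccountStore:
    """Individual accounts, one-way password storage, and role delegation."""

    def __init__(self):
        self._creds = {}        # user -> (salt, derived key); never the password
        self._roles = {}        # user -> roles held directly
        self._delegations = {}  # delegate -> owners whose roles they may use

    @staticmethod
    def _derive(password, salt):
        # Salted, iterated one-way function: not clear text, not reversible.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def add_user(self, user, password, roles=()):
        salt = os.urandom(16)   # unique per user, so equal passwords differ
        self._creds[user] = (salt, self._derive(password, salt))
        self._roles[user] = set(roles)

    def authenticate(self, user, password):
        """Check one named user's own password (no group logins)."""
        known = user in self._creds
        salt, stored = self._creds.get(user, (b"\x00" * 16, b""))
        # Derive even for unknown users so both paths cost the same work.
        candidate = self._derive(password, salt)
        return known and hmac.compare_digest(candidate, stored)

    def delegate(self, owner, delegate):
        """Let `delegate` act with `owner`'s roles; no password changes hands."""
        if owner not in self._creds or delegate not in self._creds:
            raise KeyError("both users must exist")
        self._delegations.setdefault(delegate, set()).add(owner)

    def revoke(self, owner, delegate):
        self._delegations.get(delegate, set()).discard(owner)

    def effective_roles(self, user):
        roles = set(self._roles.get(user, ()))
        for owner in self._delegations.get(user, ()):
            roles |= self._roles[owner]
        return roles

    def authorize(self, user, password, role):
        """Authenticate as oneself, then check own plus delegated roles."""
        return self.authenticate(user, password) and role in self.effective_roles(user)


if __name__ == "__main__":
    # Constructed users and passwords for the demonstration.
    store = AccountStore()
    store.add_user("ana", "Gx7!qLp2#vRt", roles={"wire-approver"})
    store.add_user("luis", "Zk4$wNe9@bHs", roles={"teller"})
    print(store.authorize("luis", "Zk4$wNe9@bHs", "wire-approver"))  # before delegation
    store.delegate("ana", "luis")                                     # ana goes on leave
    print(store.authorize("luis", "Zk4$wNe9@bHs", "wire-approver"))  # luis uses his own login
```

Because the delegate logs in with his own credentials, audit records still identify the individual who acted, and revoking the delegation requires no password change.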
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose The policy defines standards for connecting to Bradescorsquos network from any host These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources Damages include the loss of sensitive or company confidential data or intellectual property damage to public image damage to critical Bradesco internal systems etc
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Scope This policy applies to all Bradesco employees contractors vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network This policy applies to remote access connections to Bradesco including reading or sending email and viewing intranet resources This policy covers remote access implementations that include but are not limited to dialup modems Frame Relay ISDN DSL VPN SSH Wireless Access Points and cable modems etc Rogue Modems and Wireless Access Points The best firewall on the market wont protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office With what they believe to be the best of intentions workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data IT employees who should be familiar with the dangers of such configurations will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor Whatever the cause of these unauthorized access mechanisms it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems All external access to networks systems and data should be done through a centrally administered tested and sanctioned remote access solution Policy should exist that prohibits the establishment of any unauthorized inroads to your systems and any discovered mechanisms of this sort should be removed immediately Policy
1 It is the responsibility of Bradesco employees contractors vendors and agents with remote access privileges to Bradescorsquos corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco
2 General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services You are responsible to ensure that family members do not violate any Bradesco policies perform illegal activities or use the access for outside business interests You bears responsibility for the consequences should the access be misused
3 Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradescorsquos network a Encryption Policy b Virtual Private Network (VPN) Policy c Wireless Communications Policy d Acceptable Use Policy
4 For additional information regarding Bradescorsquos remote access connection options including how to order or disconnect service cost comparisons troubleshooting etc refer to the Remote Access Services Website
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Requirements
1 Bradesco strictly controls secure remote access to Bradesco networks Bradesco enforces control via one-time password authentication or publicprivate keys with strong passphrases For information on creating a strong passphrase see the Password Policy
2 Never provide a login or email password to anyone not even family members
3 You must ensure that your Bradesco-owned or personal computer or workstation which is remotely connected to Bradescorsquos corporate network is not connected to any other network at the same time with the exception of personal networks that are under your complete control
4 Do not use non-Bradesco email accounts (eg Hotmail Yahoo AOL) or other external resources to conduct Bradesco business This will help ensure that official business is never confused with personal business
5 Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP
6 Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time
7 Frame Relay links must meet minimum authentication requirements of DLCI standards
8 Non-standard hardware configurations must be approved by Remote Access Services and Bradesco must approve security configurations for access to hardware
9 All hosts remotely connected to Bradesco internal networks including PCs must use the most up-to-date anti-virus software (place URL to corporate software site here) Third-party connections must comply with requirements stated in the Third Party Agreement
10 Any personal equipment that you use to connect to Bradescorsquos networks must meet the requirements of Bradesco-owned remote access equipment
11 Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco
Enforcement Any employee violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Password Policy
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Bradesco's entire corporate network. As such, all Bradesco employees (including contractors and vendors with access to Bradesco systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and change frequency.
Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Bradesco facility, has access to the Bradesco network, or stores any non-public Bradesco information.
Policy
1. Change all system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) at least quarterly.
2. Make all production system-level passwords part of the Bradesco-administered global password management database.
3. Change all user-level passwords (e.g., email, Web, desktop computer, etc.) at least every six months. The recommended change interval is every four months.
4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
5. Do not insert passwords into email messages or other forms of electronic communication.
6. Where using SNMP, define community strings as something other than the standard defaults of "public", "private", and "system", and make them different from the passwords used to log in interactively. Use a keyed hash where available (e.g., SNMPv2).
7. All user-level and system-level passwords must conform to the guidelines below.
Guidelines
General Password Construction Guidelines
Bradesco uses passwords for various purposes. Some of the more common uses include user-level accounts, Web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran", or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords:
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9 $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
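The construction rules above are mechanical enough to enforce when a password is set. The following Python checker is an added example, not part of the original policy; the word list, the keyboard sequences, and the function names are assumptions chosen for illustration.

```python
import re
import string

# Constructed stand-ins (assumptions): a real deployment would load a full
# dictionary plus the organization's own list of names and site terms.
SAMPLE_WORDS = {"secret", "password", "welcome", "dragon", "router", "oracle"}
SITE_TERMS = ("bradesco", "sanjose", "sanfran")  # terms the policy names
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
REPEATED_RUNS = re.compile(r"(?:(.)\1{2,})+")    # aaabbb, 111222, ...


def equivalent_forms(password):
    """Forms the policy treats as the same weak choice: the lower-cased
    password, with one leading or trailing digit removed, and each of
    those spelled backwards."""
    base = password.lower()
    forms = {base}
    if len(base) > 1 and base[0].isdigit():
        forms.add(base[1:])
    if len(base) > 1 and base[-1].isdigit():
        forms.add(base[:-1])
    return forms | {form[::-1] for form in forms}


def is_pattern(form):
    """Word or number patterns: repeated runs, digits only, or a slice of
    an alphabet, digit or keyboard-row sequence."""
    if REPEATED_RUNS.fullmatch(form) or form.isdigit():
        return True
    return len(form) >= 4 and any(form in seq for seq in SEQUENCES)


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of rule codes the password violates (empty = none)."""
    problems = []
    if len(password) < 8:
        problems.append("length")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("case")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        problems.append("charset")
    forms = equivalent_forms(password)
    if forms & set(words):
        problems.append("dictionary")
    if any(term in form for term in SITE_TERMS for form in forms):
        problems.append("site_term")
    if any(is_pattern(form) for form in forms):
        problems.append("pattern")
    return problems
```

A candidate such as "Bradesco2010!" satisfies every length and character-class rule; only the site-term check rejects it, which is why the word-based rules have to run alongside the complexity rules.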
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation. NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to the Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS, and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network Scope This policy applies to all Bradesco employees contractors consultants temporaries and other workers including all personnel affiliated with third parties utilizing VPNs to access the Bradesco network This policy applies to implementations of VPN that are directed through an IPSec Concentrator Policy Approved Bradesco employees and authorized third parties (customers vendors etc) may utilize the benefits of VPNs which are a user managed service This means that the user is responsible for selecting an Internet Service Provider (ISP) coordinating installation installing any required software and paying associated fees Further details may be found in the Remote Access Policy Additionally
1 It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks
2 VPN use is to be controlled using either a one-time password authentication such as a token device or a publicprivate key system with a strong passphrase
3 When actively connected to the corporate network VPNs will force all traffic to and from the PC over the VPN tunnel all other traffic will be dropped
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
4 Dual (split) tunneling is NOT permitted only one network connection is allowed
5 VPN gateways will be set up and managed by Bradesco network operational groups
6 All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software) this includes personal computers
7 VPN users will be automatically disconnected from Bradescos network after thirty minutes of inactivity The user must then logon again to reconnect to the network Pings or other artificial network processes are not to be used to keep the connection open
8 The VPN concentrator is limited to an absolute connection time of 24 hours 9 Users of computers that are not Bradesco-owned equipment must configure
the equipment to comply with Bradescos VPN and Network policies 10 Only InfoSec-approved VPN clients may be used 11 By using VPN technology with personal equipment users must understand
that their machines are a de facto extension of Bradescos network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment ie their machines must be configured to comply with Network security administratorteam Security Policies
Enforcement Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term Definition
IPSec Concentrator A device in which VPN connections are terminated
Extranet Policy
Purpose This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco Scope Connections between third parties that require access to non-public Bradesco resources are governed by this policy regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection Connectivity to third parties such as the Internet service Providers (ISPs) that provide Internet access for Bradesco or to the Public Switched Telephone Network does NOT fall under this policy Policy Prerequisites Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department This review ensures reviews that all third-party network access serves a legitimate business need
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
1. They contain less than eight characters.
2. They are a word found in a dictionary (English or foreign).
3. They are a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words "Bradesco" and geographical indicators such as "sanjose", "sanfran" or any derivation.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong passwords
1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Include digits and punctuation characters as well as letters (e.g., 0-9, $^&()_+|~-=`[]<>).
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
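The weak and strong characteristics listed above can be checked mechanically when a password is set. The following Python sketch is an added example, not part of the original policy; the word list, the finding names and the sample passwords are constructed assumptions, and the rules about personal information and about writing passwords down cannot be tested in code.

```python
import re
import string

# Constructed sample word list (assumption); a real check loads full dictionaries.
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "dragon", "router", "oracle"}
# Company name and geographical indicators the policy names explicitly.
BANNED_TERMS = ("bradesco", "sanjose", "sanfran")
# Keyboard rows, the alphabet and the digits, used to spot runs such as qwerty.
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits)
RUN_LEN = 5  # shortest run treated as a pattern (assumption, limits false positives)


def _candidates(password):
    """Forms to test: as typed, with leading/trailing digits removed, and reversed."""
    lowered = password.lower()
    core = re.sub(r"^\d+|\d+$", "", lowered)   # covers secret1 and 1secret
    forms = {lowered, core, lowered[::-1], core[::-1]}
    forms.discard("")                          # an all-digit password has no core
    return forms


def _has_pattern(text):
    """Detect repeats (aaabbb), mirrored strings (123321) and runs (qwerty, zyxwvuts)."""
    if re.search(r"(.)\1{2,}", text):
        return True
    if len(text) >= 4 and text == text[::-1]:
        return True
    for i in range(len(text) - RUN_LEN + 1):
        window = text[i:i + RUN_LEN]
        if any(window in run or window in run[::-1] for run in RUNS):
            return True
    return False


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy findings; an empty list means no rule was hit."""
    findings = []
    forms = _candidates(password)
    if len(password) < 8:
        findings.append("too_short")
    if any(form in dictionary for form in forms):
        findings.append("dictionary_word")
    if any(term in form for form in forms for term in BANNED_TERMS):
        findings.append("company_or_place_term")
    if any(_has_pattern(form) for form in forms):
        findings.append("pattern")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("missing_mixed_case")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        findings.append("missing_digit_or_punctuation")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, one per rule family.
    for sample in ("secret1", "1terces", "Bradesco2010!", "zyxwvuts", "123321", "Gr7!vLq#2x"):
        print(f"{sample!r}: {check_password(sample) or 'no findings'}")
```

A password that passes still has to satisfy the rules a program cannot see, so a check like this complements the periodic guessing scans the policy describes rather than replacing them.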
Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R" or "Tmb1W>r~" or some variation.
NOTE: Do not use either of the preceding examples as passwords.
Password Protection Standards
1. Do not use the same password for Bradesco accounts as for other non-Bradesco access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Bradesco access needs. For example, select one password for engineering systems and a separate password for IT systems. Also select a separate password for an NT account and a UNIX account.
2. Do not share Bradesco passwords with anyone, not even your secretary or departmental administrative assistant. All passwords are sensitive, confidential Bradesco information.
3. Here is a list of "don'ts":
4. Don't reveal a password to anyone over the phone.
5. Don't reveal a password in an email message.
6. Don't reveal a password to the boss.
7. Don't talk about a password in front of others.
8. Don't hint at the format of a password (e.g., "my family name").
9. Don't reveal a password on questionnaires or security forms.
10. Don't share a password with family members.
11. Don't reveal a password to a co-worker when you go on vacation.
12. Don't write down a password and store it anywhere in your office.
13. Don't store passwords in a file on any computer, including a handheld computer, without encryption.
14. Don't use the "Remember Password" feature of an application such as Eudora, Outlook, or Netscape Messenger.
If someone demands a password, refer them to this document or have them call the Information Security Department. If you suspect an account or password has been compromised, report the incident to Bradesco Information Systems department and change all passwords. Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user is required to change it.
Application Development Standards
Application developers must ensure that their programs contain the following security precautions:
1. Applications should support authentication of individual users, not groups.
2. Applications should not store passwords in clear text or in any easily reversible form.
3. Applications should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Applications should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
Use of Passwords and Passphrases for Remote Access Users
Control remote access to Bradesco networks using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. A passphrase typically consists of multiple words, making it more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Here is an example of a good passphrase: "The>TrafficOnThe101Was&ThisMorning". All of the guidelines for creating strong passwords also apply to passphrases.
Enforcement
Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible to ensure that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
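CHAP, which the requirements above set as the minimum for dedicated ISDN routers and which the definitions describe as using a one-way hashing function, works as a challenge and response between the two routers. The following Python sketch of that exchange is an added example, not part of the original document; it follows the RFC 1994 response calculation, and the peer name and shared secret are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response value: MD5 over the Identifier octet, the secret, the Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Router side: issues challenges and checks the peer's responses."""

    def __init__(self, secrets_by_name):
        self._secrets = secrets_by_name      # peer name -> shared secret (bytes)
        self._pending = {}                   # identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256    # Identifier is a single octet
        challenge = os.urandom(16)                   # fresh and unpredictable each time
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, name, identifier, response):
        challenge = self._pending.pop(identifier, None)   # each challenge is single use
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)    # constant-time comparison


def run_exchange():
    """Walk through one successful login and three rejected ones."""
    secret = b"constructed-shared-secret"                 # constructed sample value
    auth = Authenticator({"branch-router": secret})

    ident, challenge = auth.new_challenge()
    response = chap_response(ident, secret, challenge)    # peer side; secret never sent
    accepted = auth.verify("branch-router", ident, response)

    # The same response sent again fails: its challenge was already consumed.
    replayed = auth.verify("branch-router", ident, response)

    # An old response does not match a newly issued challenge.
    ident2, _ = auth.new_challenge()
    stale = auth.verify("branch-router", ident2, response)

    # A peer that does not know the secret cannot compute a valid response.
    ident3, challenge3 = auth.new_challenge()
    wrong = auth.verify("branch-router", ident3,
                        chap_response(ident3, b"guess", challenge3))

    return {"accepted": accepted, "replayed": replayed,
            "stale": stale, "wrong_secret": wrong}


if __name__ == "__main__":
    print(run_exchange())
```

The authenticator has to hold the shared secret itself to recompute the hash, so the secret store on each router needs the same protection as any other password file.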
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
14 Donrsquot use the ldquoRemember Passwordrdquo feature of an application such as Eudora Outlook or Netscape Messenger
If someone demands a password refer them to this document or have them call the Information Security Department If you suspect an account or password has been compromised report the incident to Bradesco Information Systems department and change all passwords Bradesco or its delegates may perform password cracking or guessing on a periodic or random basis If a password is guessed or cracked during one of these scans the user is required to change it Application Development Standards Application developers must ensure that their programs contain the following security precautions
1 Applications should support authentication of individual users not groups 2 Applications should not store passwords in clear text or in any easily
reversible form 3 Applications should provide for some sort of role management such that
one user can take over the functions of another without having to know the otherrsquos password
4 Applications should support TACACS+ RADIUS andor X509 with LDAP security retrieval wherever possible
Use of Passwords and Passphrases for Remote Access Users Control remote access to Bradesco networks using either a one-time password authentication or a publicprivate key system with a strong passphrase Passphrases Passphrases are not the same as passwords A passphrase is a longer version of a password and is therefore more securePassphrases are generally used for publicprivate key authentication A publicprivate key system defines a mathematical relationship between the public key that is known by all and the private key which is known only to the user Without the passphrase to ldquounlockrdquo the private key the user cannot gain access A passphrase typically consists of multiple words making it more secure against ldquodictionary attacksrdquo A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters Here is an example of a good passphrase ldquoThegtTrafficOnThe101WasampThisMorningrdquo All of the guidelines for creating strong passwords also apply to passphrases
Enforcement Any employee found violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term Definition
Application Administration Account
Any account that is for the administration of an application (eg Oracle database administrator ISSU administrator)
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Encryption Policy
Purpose This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States Scope This policy applies to all Bradesco employees and affiliates Policy Use proven standard algorithms such as DES Blowfish RSA RC5 AES and IDEA as the basis for encryption technologies These algorithms represent the actual cipher used for an approved application For example Network Associatersquos Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hillman while Secure Socket Layer (SSL) uses RSA encryption Symmetric cryptosystem key lengths must be at least 56 bits Asymmetric cryptosystem keys must be of a length that yields equivalent strength Bradescorsquos key length requirements will be reviewed annually and upgraded as technology allows Using proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco Be aware that the export of encryption technologies is restricted by the US Government Residents of countries other than the United States should learn the encryption technology laws of their countries Enforcement Any employee violating this policy may be subject to disciplinary action up to and including termination of employment
Definitions
Term Definition
Proprietary Encryption An algorithm that has not been made public andor has not withstood public scrutiny The developer of the algorithm could be a vendor an individual or the government
Symmetric Cryptosystem
A method of encryption in which the same key is used for both encryption and decryption of the data
Asymmetric Cryptosystem
A method of encryption that uses two different keys one for encrypting and one for decrypting the data (eg public-key encryption)
Remote Access Policy
Purpose The policy defines standards for connecting to Bradescorsquos network from any host These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources Damages include the loss of sensitive or company confidential data or intellectual property damage to public image damage to critical Bradesco internal systems etc
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Scope This policy applies to all Bradesco employees contractors vendors and agents with a Bradesco owned or personally owned computer or workstation connecting to the Bradesco network This policy applies to remote access connections to Bradesco including reading or sending email and viewing intranet resources This policy covers remote access implementations that include but are not limited to dialup modems Frame Relay ISDN DSL VPN SSH Wireless Access Points and cable modems etc Rogue Modems and Wireless Access Points The best firewall on the market wont protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office With what they believe to be the best of intentions workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data IT employees who should be familiar with the dangers of such configurations will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor Whatever the cause of these unauthorized access mechanisms it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems All external access to networks systems and data should be done through a centrally administered tested and sanctioned remote access solution Policy should exist that prohibits the establishment of any unauthorized inroads to your systems and any discovered mechanisms of this sort should be removed immediately Policy
1 It is the responsibility of Bradesco employees contractors vendors and agents with remote access privileges to Bradescorsquos corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco
2 General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services You are responsible to ensure that family members do not violate any Bradesco policies perform illegal activities or use the access for outside business interests You bears responsibility for the consequences should the access be misused
3 Please review the following policies for details of protecting information when accessing the corporate network remotely and acceptable use of Bradescorsquos network a Encryption Policy b Virtual Private Network (VPN) Policy c Wireless Communications Policy d Acceptable Use Policy
4 For additional information regarding Bradescorsquos remote access connection options including how to order or disconnect service cost comparisons troubleshooting etc refer to the Remote Access Services Website
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device, or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network via a public network, such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Encryption Policy
Purpose
This policy provides guidance so that encryption efforts will use only those algorithms that have received substantial public review and have proven to work effectively. The policy also provides direction to ensure that federal regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
Scope
This policy applies to all Bradesco employees and affiliates.
Policy
Use proven, standard algorithms such as DES, Blowfish, RSA, RC5, AES, and IDEA as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Bradesco's key length requirements will be reviewed annually and upgraded as technology allows. Using proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Bradesco. Be aware that the export of encryption technologies is restricted by the US Government. Residents of countries other than the United States should learn the encryption technology laws of their countries.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term Definition
Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption that uses two different keys, one for encrypting and one for decrypting the data (e.g., public-key encryption).
Remote Access Policy
Purpose
The policy defines standards for connecting to Bradesco's network from any host. These standards minimize the potential exposure to Bradesco from damages that may result from unauthorized use of its resources. Damages include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical Bradesco internal systems, etc.
Scope
This policy applies to all Bradesco employees, contractors, vendors, and agents with a Bradesco-owned or personally owned computer or workstation connecting to the Bradesco network. This policy applies to remote access connections to Bradesco, including reading or sending email and viewing intranet resources. This policy covers remote access implementations that include, but are not limited to, dialup modems, Frame Relay, ISDN, DSL, VPN, SSH, Wireless Access Points, and cable modems, etc.
Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points, open to the outside world, within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees, who should be familiar with the dangers of such configurations, will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems, and data should be done through a centrally administered, tested, and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems, and any discovered mechanisms of this sort should be removed immediately.
Policy
1. It is the responsibility of Bradesco employees, contractors, vendors, and agents with remote access privileges to Bradesco's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to Bradesco.
2. General access to the Internet for recreational use by immediate household members through the Bradesco network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any Bradesco policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and acceptable use of Bradesco's network:
   a. Encryption Policy
   b. Virtual Private Network (VPN) Policy
   c. Wireless Communications Policy
   d. Acceptable Use Policy
4. For additional information regarding Bradesco's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
Requirements
1. Bradesco strictly controls secure remote access to Bradesco networks. Bradesco enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your Bradesco-owned or personal computer or workstation, which is remotely connected to Bradesco's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-Bradesco email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Bradesco business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the Bradesco network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and Bradesco must approve security configurations for access to hardware.
9. All hosts remotely connected to Bradesco internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to Bradesco's networks must meet the requirements of Bradesco-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the Bradesco production network must obtain prior approval from Remote Access Services and Bradesco.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Cable Modem: Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 15 Mbps.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: being logged into the corporate network via a local Ethernet connection and dialing into AOL or another Internet service provider (ISP); being on a Bradesco-provided remote access home network and connecting to another network, such as a spouse's remote access; configuring an ISDN router to dial into Bradesco and an ISP, depending on packet destination.
Frame Relay: A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN: Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access: Any access to a private network through a non-private network, device or medium.
Split-tunneling: Simultaneous direct access to another network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN: Virtual private networking enables a secure private network over a public network such as the Internet, using "tunneling" technology.
DSL: Digital Subscriber Line is a broadband Internet access technology that works over standard phone lines.
Virtual Private Network (VPN) Policy
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the Bradesco corporate network.
Scope
This policy applies to all Bradesco employees, contractors, consultants, temporaries and other workers, including all personnel affiliated with third parties, utilizing VPNs to access the Bradesco network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
Policy
Approved Bradesco employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Bradesco internal networks.
2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network, and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
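Items 3 and 4 of the VPN Policy, and items 3 and 6 of the Remote Access requirements, prohibit split tunneling and dual homing. The following added example (not part of the original policy) audits a Linux `ip -4 route show` snapshot from a remote client and reports any address space that would leave the host outside the tunnel. The interface names, addresses, function names and both routing tables are constructed assumptions.

```python
import ipaddress

# Constructed sample: full tunnel (two /1 routes override the default route).
FULL_TUNNEL = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""

# Constructed sample: split tunnel (only 10.0.0.0/8 goes through the VPN).
SPLIT_TUNNEL = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""

# Permitted off-tunnel destinations (assumed): the VPN gateway itself and the
# home LAN ("personal networks that are under your complete control").
ALLOWED = ("203.0.113.10/32", "192.168.1.0/24")


def parse_routes(text):
    """Parse `ip -4 route show` lines into (network, dev, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue  # blackhole/unreachable entries have no egress interface
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric))
    return routes


def best_per_prefix(routes):
    """For duplicate prefixes the lowest metric wins; return {network: dev}."""
    best = {}
    for net, dev, metric in routes:
        if net not in best or metric < best[net][1]:
            best[net] = (dev, metric)
    return {net: dev for net, (dev, _) in best.items()}


def subtract(nets, hole):
    """Remove `hole` from a list of disjoint CIDR blocks."""
    out = []
    for n in nets:
        if hole.supernet_of(n):      # n lies entirely inside the hole
            continue
        if n.supernet_of(hole):      # hole is strictly inside n: split n
            out.extend(n.address_exclude(hole))
        else:                        # CIDR blocks are either nested or disjoint
            out.append(n)
    return out


def off_tunnel_space(route_text, tunnel_if, allowed=()):
    """Return the CIDR blocks whose longest-prefix match is not the tunnel."""
    table = best_per_prefix(parse_routes(route_text))
    leaked = []
    for net, dev in table.items():
        if dev == tunnel_if:
            continue
        owned = [net]                # addresses this route actually wins
        for other in table:
            if other.prefixlen > net.prefixlen:
                owned = subtract(owned, other)
        leaked.extend(owned)
    for ok in allowed:
        leaked = subtract(leaked, ipaddress.ip_network(ok))
    return sorted(leaked)


def leaked_address_count(route_text, tunnel_if, allowed=()):
    """Number of IPv4 addresses reachable without traversing the tunnel."""
    blocks = off_tunnel_space(route_text, tunnel_if, allowed)
    return sum(n.num_addresses for n in blocks)


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        count = leaked_address_count(table, "tun0", ALLOWED)
        print(name, "COMPLIANT" if count == 0 else f"VIOLATION: {count} addresses off-tunnel")
```

The check covers IPv4 only; an IPv6 default route outside the tunnel is a separate leak path and needs the same audit against `ip -6 route show`.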
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point Of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.
Implementacioacuten de Infraestructura de Comunicaciones en Banco Bradesco
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Bradesco network operational groups.
6. All computers connected to Bradesco internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from Bradesco's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not Bradesco-owned equipment must configure the equipment to comply with Bradesco's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Bradesco's network and as such are subject to the same rules and regulations that apply to Bradesco-owned equipment, i.e., their machines must be configured to comply with Network security administrator/team Security Policies.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
IPSec Concentrator: A device in which VPN connections are terminated.
Extranet Policy
Purpose
This document describes the policy under which third-party organizations connect to Bradesco networks for the purpose of transacting business related to Bradesco.
Scope
Connections between third parties that require access to non-public Bradesco resources are governed by this policy, regardless of whether a telco circuit (such as Frame Relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for Bradesco, or to the Public Switched Telephone Network, does NOT fall under this policy.
Policy
Prerequisites
Security Review
All new extranet connectivity must undergo a security review with the Bradesco Information Security department. This review ensures that all third-party network access serves a legitimate business need.
Third-Party Connection Agreement
All new connection requests between third parties and Bradesco require the signature of a Third-Party Agreement by the vice president of the sponsoring organization and a representative who is legally empowered to sign on behalf of the third party. The signed document will be kept on file with [name of team responsible for extranet agreements]. Documents pertaining to connections into Bradesco labs are to be kept on file with the [name of team responsible for lab security].
Business Case
All production extranet connections must be accompanied by a valid written business justification, which is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for lab security]. This business case is typically included as part of the Third-Party Agreement.
Point of Contact
The sponsoring organization must designate a person to be the Point of Contact (POC) for the extranet connection. In the event that the POC changes, promptly inform the relevant extranet organization.
Establishing Connectivity
Sponsoring organizations within Bradesco that wish to establish connectivity to a third party must submit a new site request, including complete information about the proposed access, to the extranet group. The extranet group will address potential security issues raised by the project. If the proposed connection is to terminate within a lab, the sponsoring organization must also engage the [name of team responsible for lab security]. All extranet connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will Bradesco rely upon the third party to protect Bradesco's network or resources.
Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification and are subject to security review. Implement changes via the Bradesco change management process. The sponsoring organization is responsible for notifying the extranet management group and/or Bradesco when there is a material change in their original access request, so that security and connectivity evolve accordingly.
Terminating Access
When access is no longer required, the sponsoring organization must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean modifying existing permissions, up to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer used to conduct Bradesco business will be terminated immediately. Should a security incident or review determine that a circuit has been compromised or is no longer used to conduct Bradesco business, Bradesco and/or the extranet team will attempt to notify the POC or the sponsoring organization prior to modifying permissions or terminating the connection.
Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
Term: Definition
Circuit: For the purposes of this policy, circuit refers to the method of network access and may include ISDN, Frame Relay, etc., or VPN/encryption technologies.
Sponsoring Organization: The Bradesco organization that requested third-party access to Bradesco networks.
Third Party: A business that is not a formal or subsidiary part of Bradesco.