Enterprise Reference Architecture Overview
Sunil Misra, Chief Security Advisor
Reference Architecture Objectives
• Accelerate solution development and implementation projects by providing reference architectures as a project starting point.
• Provide a communications tool describing the business problem the infrastructure addresses, how the problem is solved, the scope and cost of the solution, and the tools and technologies used to build the solution.
• Reduce risk through common tools and a Point of View.
Reference Architecture Solutions
Diagram: the Reference Architecture Solution is the digital record of a solution: "It's the mechanism that captures solution value and drives deployment." It draws on two inputs:
• Industry Expertise – visioning future-state infrastructure models for industries; ROI modeling; pre-populated with industry-relevant infrastructure models; customized for clients
• Technology Points of View – field-tested solutions; draws upon managed services and outsourcing experiences; understanding of what works with what
Reference Architecture Defined – Comprehensive
• RA Introduction: What is a Reference Architecture? Why use a Reference Architecture? How to use the baseline Reference Architectures
• Application Infrastructure Services
  • Utility Services: Definitions, Service Models
  • Application Technology Services: Definitions, Service Models
  • Data Services: Definitions, Service Models
• Physical Infrastructure Services
  • Platform Services: Definitions, Service Models
  • Network Services: Definitions, Service Models
• Security Infrastructure Services: Definitions, Service Models
• Operations Infrastructure Services: Definitions, Service Models
What is Reference Architecture?
• Reference architectures represent a baseline set of recommended models that meet the needs of a high percentage of our client situations.
• A reference architecture does not specify implementation details, but instead provides a framework that can be customized and implemented at any organization or for most consultative or sales situations.
• The Reference Architecture is based on services combining technologies, not just the technologies alone.
Diagram (timeline from Today to 3 years): Current State, Architecture Targets, Technology Investments & Returns; the Reference Architecture is matched to the specific situation and its needs by identifying applicability and adjusting for the environment.
How to use Reference Architecture
• Reference Architectures align to all phases of the Unisys ITS Balanced Portfolio (Advisory, Transform, Manage).
• Infrastructure Architects will use the Reference Architecture to develop customer-specific Enterprise Infrastructure Architectures as well as Solution-specific architectures.
Phase Definition (Data Gathering / Analysis, Architecture Definition, Architecture Plan):
• Identify Enterprise Architecture drivers
• Conduct interviews with key stakeholders
• Document current state enterprise architecture
• Analyze current state architecture
• Formulate and confirm the future state architecture vision
• Incorporate customer-unique requirements
• Document architecture decisions
• Review and approve architecture
• Create a communication strategy, governance structure and rollout plan
Advisory
• Reference Architectures provide our Point of View (POV) on key infrastructure decisions
• Assists client in accelerating development of strategy and architecture for either Enterprise-wide or Solution-specific requirements
Transformation
• Reference Architectures provide design and deployment teams with an accelerated starting point as well as ensuring all components of the infrastructure are considered
Sustain / Manage
• Reference Architectures provide a starting point for determining scope of managed services as well as assessing potential risks of incomplete client architectures
• Periodic progress review on client implementation of Reference Architecture
Reference Architecture Landscape
The following services are modeled within the Unisys Reference Architecture…
Security Infrastructure – Security Services
• Encryption Services
• Security Management Services
• Identity Management
• Authentication / Authorization Services
• Anti-Virus & Content Control Services
• Network Communication Security Services
Mgmt Infrastructure – Services Mgmt
• Incident Management
• Problem Management
• Capacity Management
• Financial Management
• Change Management
• Configuration Management
• Service Desk
• Release Management
• Service Level Management
• Availability Management
• Continuity Management
Application Infrastructure Services – Application Technology Services
• Application Framework
• Integration
• Orchestration
• Channel Integration
• Process Mgmt & Workflow
Application Infrastructure Services – Utility Services
• File Services
• Print Services
• Messaging Services
• Directory Services
• Collaboration Services
• Naming & Addressing Svcs
• Backup Services
Application Infrastructure Services – Information Services
• Data Management
• Data Usage
• Data Movement & Transformation
• Content Access
Physical Infrastructure Services – Platform Services
• Data Center Services
• Storage Services
• Shared Device Platforms
• End User Device Platforms
• High Availability Services
Physical Infrastructure Services – Network Services
• Site Network Services
• Remote Access Services
• Business Partner Connectivity
• Telephony Services
• Enterprise Perf. Mgmt. Services
• Wide Area Network Services
• Data Center Network Services
• Metropolitan Area Network Services
Key Architecture Representation Concepts
Key concepts presented in each description include the following:
Services – Services define the capabilities and value the infrastructure must provide for its user groups, applications and data stores. Each represents and is formed through a unique view of technology standards, components and vendors.
Service Delivery / Control Domains – This is the background layout for each of the models. It consists of the following areas and is based on the level of control the enterprise has over the end user devices, network or services within the environment:
• External Services – Services or end user devices that are physically external to the enterprise
• Site Services – End user devices and local shared services
• Enterprise Shared Services – Services available in a centralized manner to the entire enterprise, generally provided within Enterprise Data Centers
Service Delivery or Access Point / Situation (some exceptions to definitions):
• Large Office User – individual employed by the enterprise utilizing a network-connected device inside the boundaries of a corporate-designated Large Site
• Small Office User – individual employed by the enterprise utilizing a network-connected device inside the boundaries of a corporate-designated Small Site
• Mobile User – individual employed by the enterprise utilizing a network-connected device while outside the boundaries of a corporate site
• Home User – individual employed by the enterprise utilizing a network-connected device while at their home
• Business Partner User – individual NOT employed by the enterprise accessing corporate services over their own external (or public) network
Key Architecture Representation Concepts (2)
Key concepts presented in each description include the following (2):
Technology Maturity Classification –
• CORE – technologies that are to be the first choice in new implementations, and toward which existing infrastructure will be migrated.
• HORIZON – emerging technologies that are expected to play a significant role in the architecture in the near future but cannot be labeled Core due to immaturity, lack of availability, or poor fit to the transitional environment.
• HERITAGE – existing technologies that are not Core but will continue to play a substantial role in the architecture within the timeframe under consideration.
• SUNSET – technologies that should be replaced and removed from the environment in the most rapid and efficient manner possible.
• TRANSITION – technologies that must be in place for a short time until either a chosen CORE market technology becomes a reality or until the client is prepared to deploy that CORE technology choice.
Service Cross-Dependency – Delivery of enterprise technology services requires that many of the services have dependencies upon others. In order to simplify the depiction of service definitions and models, service abstraction is used to focus only on the technology concepts inherent to the service currently being discussed.
Security Infrastructure Guidelines
• Use the concept of "Defense in depth" to guide security architecture
  • Use multiple layers of controls between untrusted devices/environments and applications and data
  • Use non-technology controls (physical, management, etc.) in conjunction with technology controls where appropriate, and use a combination of network- and application-layer technology controls
• When architecting security, account for both external and internal threats
• Define a limited number of discrete network trust zones
  • Apply controls in a common way within zones
• Allow network traffic to flow freely within the Trusted Zone
  • Rather than attempt to characterize every permitted data flow between trusted devices, rely on physical, management, and application-level technology controls within the trusted zone
  • …while providing a means to segment or quarantine portions of the trusted network as needed in an emergency
• Explicitly deny network traffic known to be malicious or against corporate policy
• Provide strong authentication mechanisms as appropriate
  • Two-factor or certificate-based authentication for systems administration access and for remote VPN access
  • Support strong authentication within applications as needed
• Use technology to enable coordination between multiple security information sources, including thorough event correlation across all platforms
Security Services Definitions
Service – Definition
• Network Communication Security Services – Service that provides isolation of networks from other networks. Includes structures that control the flow of packets between devices on a network or between networks. Includes the technology used to define DMZs or semi-trusted network areas.
• Anti-Virus & Content Control Services – Service that prevents or controls the transmission of hostile applications, or any other content that is prohibited by policy. Includes technologies to identify and control viruses, to limit users' ability to execute arbitrary code, and to monitor text messages for sensitive content.
• Authentication / Authorization Services – Service that verifies the identity of communicating endpoints. Includes identity credentials themselves, technology that ties credentials to sessions or transactions, and technology that associates an identity with the permissions assigned to it.
• Identity Management – Service for provisioning user accounts.
• Security Management Services – Service that provides security event detection, monitoring of security status, and configuration control of security devices.
• Encryption Services – Service that enables storing or transmitting information such that it can only be read by a designated party or parties.
Network Communication Security Services: Network and Platform Trust Zones
Diagram: four trust zones ordered from External to Internal, each with the assets it holds and the connection controls marked on the slide.
• Untrusted – any clients, servers and services: external systems, external services.
• Transitional – public-facing servers, external gateways, DMZ networks, guest and high-risk devices: DMZ 1, DMZ 2 … n, Guest, with no horizontal traffic between them. VPN VLANs hold <Client>-governed VPN clients on untrusted networks; their connections are controlled, authenticated, logged and IDS-monitored.
• Trusted – user devices, business systems and data (servers), internal networks (LAN/MAN/WAN): Server LAN 1, Server LAN 2 … n, User LAN 1, User LAN 2 … n, Mgmt. LAN, R&D. Default allow horizontal traffic, with the ability to filter and monitor traffic at network choke points.
• Restricted – sensitive data and applications: Server LAN 1, Server LAN 2, Server LAN n as unique trusted segments; default deny horizontal traffic; connections authenticated, logged and monitored.
Zone-boundary controls marked on the slide: "Controlled Connections, Default ALLOW, Connections Logged" (two boundaries) and "Controlled Connections, Default DENY, Connections Logged, IDS Monitoring" (four boundaries).
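The guidelines slide and the trust-zone slide describe the same policy from two angles: a small number of zones, common controls within each zone, free flow inside the Trusted zone, default deny with explicit allows elsewhere, explicit denial of known-bad traffic, and a way to quarantine part of the trusted network in an emergency. The following is an added example (not code from the deck or from Unisys) that encodes those rules as data and evaluates a proposed connection against them. Segment names, addresses and the explicit allow rules are constructed; zone boundaries are treated as default deny, an assumption made because the slide's two default-ALLOW boundaries cannot be resolved from the extracted text.

```python
"""Connection policy for the four network trust zones (Untrusted, Transitional,
Trusted, Restricted) described in the guidelines and trust-zone slides.

Added example, not from the deck. Segment names, addresses and the explicit
allow rules are constructed; zone boundaries are treated as default deny
(an assumption; the slide's two default-ALLOW boundaries are not resolvable
from the extracted text)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ZONES = ("untrusted", "transitional", "trusted", "restricted")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    logged: bool         # connection logged at the control point
    ids_monitored: bool  # control point feeds IDS monitoring
    reason: str


@dataclass
class ZonePolicy:
    # Explicit allow rules keyed (src_zone, dst_zone, dst_port); used for zone
    # crossings and for horizontal traffic between Restricted segments.
    explicit_allows: Set[Tuple[str, str, int]] = field(default_factory=set)
    # Source networks explicitly denied as known malicious or against policy.
    deny_networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    # Trusted-zone segments quarantined in an emergency (nothing in or out).
    quarantined: Set[str] = field(default_factory=set)

    def add_deny_network(self, cidr: str) -> None:
        self.deny_networks.append(ipaddress.ip_network(cidr))

    def decide(self, src_zone: str, src_segment: str, src_addr: str,
               dst_zone: str, dst_segment: str, dst_port: int,
               authenticated: bool = False) -> Decision:
        if src_zone not in ZONES or dst_zone not in ZONES:
            raise ValueError(f"unknown zone: {src_zone!r} -> {dst_zone!r}")
        # 1. Explicit deny of known-bad or policy-violating sources wins over everything.
        src_ip = ipaddress.ip_address(src_addr)
        if any(src_ip in net for net in self.deny_networks):
            return Decision(False, True, True, "source on explicit deny list")
        # 2. Emergency quarantine: a quarantined segment is cut off in both directions.
        if src_segment in self.quarantined or dst_segment in self.quarantined:
            return Decision(False, True, True, "segment quarantined")
        # 3. Horizontal traffic inside one zone follows that zone's rule.
        if src_zone == dst_zone:
            return self._horizontal(src_zone, src_segment, dst_segment, dst_port, authenticated)
        # 4. Zone boundary: default deny, explicit allows only, always logged and IDS-monitored.
        if (src_zone, dst_zone, dst_port) not in self.explicit_allows:
            return Decision(False, True, True, "zone boundary default deny")
        if dst_zone == "restricted" and not authenticated:
            return Decision(False, True, True, "Restricted zone requires an authenticated connection")
        return Decision(True, True, True, "explicit allow across zone boundary")

    def _horizontal(self, zone: str, src_segment: str, dst_segment: str,
                    dst_port: int, authenticated: bool) -> Decision:
        if zone == "untrusted":
            return Decision(True, False, False, "outside enterprise control")
        if zone == "trusted":
            # Default allow; filtering and monitoring happen at choke points, not per flow.
            return Decision(True, True, False, "Trusted zone: default allow horizontal traffic")
        if src_segment == dst_segment:
            return Decision(True, True, True, "traffic within a single segment")
        if zone == "transitional":
            return Decision(False, True, True, "Transitional zone: no horizontal traffic between DMZs")
        # Restricted: unique segments, default deny, explicit rule plus authentication required.
        if (zone, zone, dst_port) in self.explicit_allows and authenticated:
            return Decision(True, True, True, "authenticated explicit allow between Restricted segments")
        return Decision(False, True, True, "Restricted zone: default deny horizontal traffic")


def build_sample_policy() -> ZonePolicy:
    """Constructed policy: a public web front end in DMZ 1, its database in the
    Trusted server LAN and a sensitive data store in the Restricted zone."""
    policy = ZonePolicy()
    policy.explicit_allows.update({
        ("untrusted", "transitional", 443),   # Internet -> public front end
        ("transitional", "trusted", 1433),    # front end -> database
        ("trusted", "restricted", 5432),      # Trusted apps -> Restricted data store
        ("restricted", "restricted", 5432),   # between Restricted segments
    })
    policy.add_deny_network("203.0.113.0/24")  # constructed known-bad range
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    for args in [("untrusted", "internet", "198.51.100.5", "transitional", "dmz1", 443),
                 ("transitional", "dmz1", "10.1.1.10", "transitional", "dmz2", 80),
                 ("trusted", "userlan1", "10.10.1.5", "restricted", "serverlan1", 5432)]:
        d = p.decide(*args)
        print(f"{args[0]}/{args[1]} -> {args[3]}/{args[4]}:{args[5]}: "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The ordering of the checks is the point: the explicit deny list and the quarantine set are consulted before any allow rule, so an emergency cut-off of a Trusted segment takes effect even though the zone's own rule is default allow, and every decision at a zone boundary records that it is logged and IDS-monitored regardless of outcome.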
Network Communication Security Services: Network Communication Controls
Diagram: the Untrusted, Transitional, Trusted and Restricted zones with the firewall and proxy controls between each class of endpoint and application; the labels on the slide are listed below.
Legend: Packet Filter; User Device; Governed User Device; S/W Firewall; VPN Client; User Device or Application; External Servers; DA = Default Allow; DD = Default Deny; A = Authentication; FW DP = Hybrid Firewall with Deep Packet Inspection focus; FW PR = Hybrid Firewall with App Proxy focus; Proxy; HORIZON.
Endpoint and application groups labelled, each separated from the next by DD/DA control points and, where marked, authentication (A):
• Employee (any user device) and Front Ends for Employee Applications
• Employee Outbound: Non-Proxyable traffic, VPN, and proxied traffic via Proxy
• Partner Apps (Business Partner / Managed Service Provider user device or application) and Front Ends for Partner Applications
• Protected Partner VPN and Partner VPN Endpoint
• Public and Front End for Public Apps
• Utility: App GWs (SMTP, DNS, NTP, etc.) and Utility Apps
• Guest and Guest Devices
• Applications / Data; Governed User Devices; Restricted Apps / Data
Network Communication Security Services: Wireless Security
Diagram: wireless access paths across the Untrusted, Transitional, Trusted and Restricted zones (HORIZON items marked on the slide).
Legend: Trusted Network; Internet; 802.11 b/g; 802.11i; Proprietary Wireless Handheld; VPN-Secured Public Wireless; Wide Area; Firewall; Authentication (A); Proxy.
Access paths labelled:
• VPN-Secured Public Wireless: governed device (VPN client, S/W FW) via a Public 802.11 Access Point or Carrier Svc over the Internet to the enterprise VPN
• Unsecured Wireless with VPN-Secured Session: governed device (VPN client, S/W FW) via a Shared 802.11 Access Point (802.11 b/g), with an 802.11 Mapper A/A Service
• Secured 802.11i AP: 802.11i client on a governed device (S/W FW), authenticated, to Employee Services
• Guest Wireless 802.11 b/g: uncontrolled guest device via Proxy
• Proprietary Wireless Handheld: Proprietary Svc / Proprietary Network to the Wireless eMail Gateway
Anti-Virus and Content Control: Anti-Virus and Content Control Capabilities
Diagram: scan points across External, Site and Enterprise services (Device / Site / Shared), each with its AV scan targets and content filters.
Scan point – AV scan targets – Content filters
• Proxy Server – Proxy data, O/S, F/S, RAM – URL or IP, text pattern, active content
• IM Gateway – File transfer – File transfer, text pattern
• SMTP Gateway – SMTP queue, O/S, F/S, RAM – Email source, text pattern, attachment
• Internal IM Service – File transfer, O/S, F/S, RAM
• Internal Mail Service – User mail box, O/S, F/S, RAM
• User Desktop – O/S, F/S, RAM, removable media
• Internal Utility Server – O/S, F/S, RAM
• Internal App, Server or Data Store – O/S, F/S, RAM
• Front End Server – O/S, F/S, RAM
• External Servers (Public, BP, etc.) and External Client Application – IM, SMTP, HTTP traffic entering from outside
Note on the slide: A Remote Employee System tunneled into the network via a VPN connection is equivalent to an Internal Client System. Refer to Client System for data flows. (HORIZON)
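The SMTP gateway row above lists three content filters (email source, text pattern, attachment) beside an AV scan of the queue. The following is an added example (not code from the deck or from Unisys) of those four controls applied to one message at the gateway. The sample messages, the blocked sender domain, the text patterns and the single-entry "signature" set are all constructed; the attachment check looks at both the file extension and the file's leading bytes, so an executable renamed to `.pdf` is still caught.

```python
"""SMTP-gateway content control: the slide's email-source, text-pattern and
attachment filters plus an AV scan of each attachment.

Added example, not from the deck. The sample messages, blocked domain, text
patterns and the "virus signature" set are all constructed."""
import hashlib
import re
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

BLOCKED_SOURCE_DOMAINS = {"spam.example"}             # constructed
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}   # executable attachment types
PE_MAGIC = b"MZ"  # Windows executable header; catches executables renamed to look harmless
TEXT_PATTERNS = {  # constructed "sensitive content" patterns for the text-pattern filter
    "card-like number": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "internal codename": re.compile(r"\bproject[ -]falcon\b", re.IGNORECASE),
}
# Constructed "signature": the SHA-256 of one known-bad attachment body.
SAMPLE_BAD_BYTES = b"MZ\x90\x00not-really-a-program-just-sample-bytes"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}


@dataclass(frozen=True)
class Finding:
    control: str  # which filter fired: email source | text pattern | attachment | av scan
    detail: str


def _sender_domain(msg) -> str:
    sender = str(msg.get("From", ""))
    return sender.rsplit("@", 1)[-1].rstrip(">").strip().lower()


def inspect_message(raw: bytes) -> List[Finding]:
    """Run the gateway controls over one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[Finding] = []

    # Email source filter.
    domain = _sender_domain(msg)
    if domain in BLOCKED_SOURCE_DOMAINS:
        findings.append(Finding("email source", f"blocked sender domain {domain}"))

    # Text pattern filter over the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for name, pattern in TEXT_PATTERNS.items():
        if pattern.search(text):
            findings.append(Finding("text pattern", name))

    # Attachment filter and AV scan over each attachment.
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(Finding("attachment", f"blocked type {ext} ({filename})"))
        if data.startswith(PE_MAGIC):
            findings.append(Finding("attachment", f"executable header in {filename}"))
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            findings.append(Finding("av scan", f"signature match in {filename}"))
    return findings


def _message(sender: str, text: str, attachment: bytes = b"", filename: str = "") -> bytes:
    """Build a constructed message in wire form."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = "quarterly figures"
    msg.set_content(text)
    if attachment:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_suspicious_sample() -> bytes:
    """Constructed: blocked domain, codename in the body, renamed executable attachment."""
    return _message("someone@spam.example", "Attached are the Project Falcon numbers.",
                    SAMPLE_BAD_BYTES, "figures.pdf")


def build_clean_sample() -> bytes:
    return _message("colleague@corp.example", "Minutes from today's meeting attached.",
                    b"%PDF-1.4 sample", "minutes.pdf")


if __name__ == "__main__":
    for f in inspect_message(build_suspicious_sample()):
        print(f"{f.control}: {f.detail}")
```

Each finding names the control that produced it, which is what the downstream alert processing needs to attribute the event; a real gateway would additionally hand attachments to a full engine rather than a hash set, but the flow of checks is the same.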
Enterprise Authentication/Authorization Service: Supplicants and Credentials
Diagram: which credential each class of user device presents to each service provider, across the Untrusted, Transitional, Trusted and Restricted zones (HORIZON and TRANSITION markings as on the slide).
Legend – credentials: A = UserID/Password; B = User Certs (+UserID/Password); C = One-time Password token (transitional) (+UserID/Pwd); D = Device Certs.
Supplicants: Public User Device; Business Partner/Customer User Device; Employee User Device (S/W Firewall, VPN Client); Satellite Office User Device; Management Console.
Service providers: Public DMZ Application; Partner DMZ Application; Emp. DMZ Application; Standard App or Utility Service; Sensitive App; Server or Network Device (local logon); Restricted Applications; VPN; Site to Site VPN; Proxy (Outbound); Network Device; Smart Card Reader; Facilities Access System with Proximity or Mag. Stripe Card Reader (proximity chip or mag. stripe on the same physical card as B).
Credential annotations on the paths: "A or B"; "D and possibly B"; "B"; "A"; "C or IP Filter"; "No Credentials" (public user device); "Depending on implementation"; "Depending on application"; "Or pass-thru from local logon".
Enterprise Authentication/Authorization Service: Authentication Systems Model
Diagram: the authentication services and A/A stores behind each application class (maturity markings HORIZON, HERITAGE, SUNSET and TRANSITION as on the slide; SUNSET appears twice).
Legend: Data Movement / Integration; Authentication Protocol Comm.; Authorization Query; OTP = One Time Password.
• Consumers: Legacy System; Some Packaged Applications; Most Applications; Web Applications (via a Web SSO layer, HORIZON); Network Device
• Authentication services: App-proprietary A/A; Active Directory Authentication Service (NTLM, Kerberos; proprietary protocol marked HERITAGE); RADIUS/TACACS+ Service; One-Time Password Service (e.g., ACE); Legacy A/A System (e.g., RACF); Physical A/A Service; Utility: Directory Services; PKI: CRL Publishing
• A/A stores: App-specific A/A Data; AD A/A Store (employees); Second AD forest (non-employees) (TRANSITION); RADIUS or TACACS+ accounts; Legacy A/A Data; OTP accounts; Physical A/A Accounts; CRLs
• Interfaces: Native Data Interface; OTP I/F; PKI I/F; RADIUS; Proprietary
Identity Management Service: Public Key Infrastructure (PKI)
Diagram: CA hierarchy and supporting services (Device / Site / Shared).
• Root CA (offline, HSM)
• Internal User Issuing CA (HSM)
• External User Issuing CA (HSM)
• Device Issuing CA (HSM)
• Key Recovery (shown on two of the issuing CAs)
• Online Status Checking; HTTP CRL distribution; Certs / CRLs published to Utility: Directory Services, the AD A/A Store (employees) and the Second AD forest (non-employees)
• Policy & Procedures: Enterprise Certificate Policy; Certification Practice Statements; Best Practices
• User Certs live on: Machines (DS), Cards, Tokens
Identity Management Service: Provisioning and Account Management Model
Diagram: the IDM System in the centre, the actors that drive it and the account stores it provisions (Device / Site / Shared).
Legend: System – Data Interactions; User – System Interactions; System – System Interactions; OTP = One Time Password.
• IDM System components: Connectors; User Self Svc; Workflow; Admin Services; Business Rules; Email Notification
• Actors: Administrator; Delegated Admin; User; HR (bulk updates via API or scripted interface)
• Account management tools reached through the connectors: App-proprietary Account Mgmt; One-Time Password Account Tools (e.g., ACE); Legacy System Account Mgmt (e.g., RACF); Physical A/A Account Tools
• Account stores: App-specific A/A Data; AD A/A Store (employees); LDAP A/A Store (other users); RADIUS or TACACS+ accounts; Legacy A/A Data; OTP accounts; Physical A/A Accounts
• Interfaces: LDAP; RADIUS; Native Data Interface
Security Management Services: Intrusion Detection / Prevention
Diagram: NIDS, HIDS and IPS placement across the Untrusted, Transitional, Trusted and Restricted zones (HORIZON items marked on the slide).
Legend: Managed IDS Service; IDS Alert Logging; VPN; IDS Data; Server with HIDS; Server w/o HIDS; Host IDS Agent; NIDS Engine(s); IDS Monitoring System; IDS Collectors; Exposed Router; Firewall; VPN Proxy; IP Filter; IDS Traffic; Network IDS Data Collection; IPS = Intrusion Prevention System; Out of Band IDS communication.
Placement shown: NIDS sensors (seven) and IPS units (six) distributed across the zones around the exposed router and firewalls; HIDS agents on servers (one server shown without HIDS); IDS data collected out of band, including over VPN from a Managed IDS Service, to the IDS Collectors and the IDS Monitoring System, with IDS alert logging.
Security Management Services: Alert Processing
Diagram: alert sources feed aggregation systems, which feed an Alert Correlation System and the downstream consoles and tools (Device / Site / Shared).
• Sources and what they emit: User Device (A/V alerts); Networking Devices & Firewalls (SNMP traps, security logs); IDS System (SNMP traps, IDS alerts); Servers (A/V alerts, SNMP traps, HIDS alerts); Advisory Alerts arriving via Messaging Services and manual processes
• Aggregation Systems: Enterprise A/V Server; SNMP Console; IDS Console; Syslog Server
• Alert Correlation System: raw data → Data Normalization → Data Processing → refined data → Alert Generation
• Outputs: Mgmt./Monitoring Console; notification via Email, Pager, SMB, MOM, etc.; Log Mining & Trend Reporting; DSS; Forensic Tools; Vulnerability Assessment
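The Alert Correlation System on this slide, and the guideline about "thorough event correlation across all platforms", rest on one step that the diagram only names: Data Normalization. The following is an added example (not code from the deck or from Unisys) that takes a firewall syslog line, an IDS SNMP trap and an enterprise A/V record, maps each onto one event schema, and then generates an alert only when several independent sources report on the same host inside a time window. All sample lines, hostnames, addresses and the address-to-hostname asset map are constructed; syslog timestamps carry no year, so the example assumes one.

```python
"""Alert normalisation and correlation in the style of the Alert Correlation
System on the slide: raw records from a firewall syslog feed, an IDS SNMP trap
and the enterprise A/V server are normalised into one schema, then correlated
per host within a time window.

Added example, not from the deck. All sample lines, hostnames, addresses and
the asset map are constructed; syslog lines carry no year, so one is assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

ASSETS: Dict[str, str] = {"10.1.1.10": "srv-web-01", "10.1.1.20": "srv-web-02"}  # constructed
SYSLOG_YEAR = 2024  # assumption for the constructed syslog lines


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # syslog | snmp | av
    host: str      # affected asset, by name
    severity: int  # 1 (low) .. 5 (high)
    summary: str


@dataclass(frozen=True)
class CorrelatedAlert:
    host: str
    sources: Tuple[str, ...]
    first_seen: datetime
    last_seen: datetime


_SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (\w+) .*?SRC=(\S+) DST=(\S+)(?: .*?DPT=(\d+))?")
_SNMP = re.compile(r"^(\S+) agent=(\S+) trap=(\S+) sig=(\S+) src=(\S+) dst=(\S+)")


def _asset(addr_or_name: str) -> str:
    """Resolve an address to the asset name so IP-keyed and name-keyed records line up."""
    return ASSETS.get(addr_or_name, addr_or_name)


def normalize(source: str, raw: str) -> Event:
    """Map one raw record from a named source onto the common Event schema."""
    if source == "syslog":
        m = _SYSLOG.match(raw)
        if not m:
            raise ValueError(f"unparsable syslog line: {raw!r}")
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)
        action, src, dst, dpt = m.group(3), m.group(4), m.group(5), m.group(6) or "?"
        return Event(ts, "syslog", _asset(dst), 2, f"firewall {action} {src} -> {dst}:{dpt}")
    if source == "snmp":
        m = _SNMP.match(raw)
        if not m:
            raise ValueError(f"unparsable trap: {raw!r}")
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        return Event(ts, "snmp", _asset(m.group(6)), 4, f"IDS {m.group(4)} from {m.group(5)} ({m.group(2)})")
    if source == "av":
        ts_text, host, name, path, action = raw.split("|")
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        severity = 3 if action == "quarantined" else 5  # a failed clean-up is the urgent case
        return Event(ts, "av", host, severity, f"A/V {name} at {path}: {action}")
    raise ValueError(f"unknown source {source!r}")


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              min_sources: int = 2) -> List[CorrelatedAlert]:
    """Raise one alert per host when at least min_sources distinct sources
    report on it inside a sliding window; single-source noise stays below the line."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts: List[CorrelatedAlert] = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            sources = tuple(sorted({e.source for e in in_window}))
            if len(sources) >= min_sources:
                alerts.append(CorrelatedAlert(host, sources, start.ts, in_window[-1].ts))
                break  # one alert per host per burst is enough for the console
    return alerts


# Constructed raw records, as the aggregation systems on the slide would hand them over.
RAW_EVENTS = [
    ("syslog", "Mar 12 10:01:05 fw-dmz-1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.1.1.10 PROTO=TCP DPT=445"),
    ("snmp", "2024-03-12T10:01:40Z agent=ids-sensor-2 trap=nidsAlert sig=SMB_EXPLOIT_ATTEMPT src=198.51.100.23 dst=10.1.1.10"),
    ("av", "2024-03-12 10:03:10|srv-web-01|Trojan.Generic|C:\\temp\\x.exe|quarantined"),
    ("syslog", "Mar 12 10:20:00 fw-dmz-1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.1.1.20 PROTO=TCP DPT=22"),
]


def run_sample() -> List[CorrelatedAlert]:
    return correlate([normalize(src, line) for src, line in RAW_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.host}: {', '.join(alert.sources)} between {alert.first_seen:%H:%M:%S} and {alert.last_seen:%H:%M:%S}")
```

In the sample, the firewall drop, the IDS trap and the A/V detection all concern srv-web-01 within two minutes and produce one alert, while the lone drop against srv-web-02 produces none; the asset map is what makes that possible, since two sources identify the host by address and one by name.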
Security Management Services: Update Management
Diagram: update flows from external services on the Internet, through internal management systems, to platforms (Device / Site / Shared).
• Signature Update Service (Internet) → virus signatures pulled by the Enterprise Anti-Virus Management System → Update Service pushes to AV clients
• Filter Update Service (Internet) → filter triggers pulled by the Enterprise Content Filter System, combined with customized filters and security policies from the Policy Management Consoles
• O/S or App Patch Services (Internet) → patches to the Patch Staging Server → Operations: Release Management pushes updates to all appropriate platforms
Signature updates are pulled from the external service.
Encryption Services: Secure Messaging
Diagram: messaging and file-transfer paths between employee devices and business partners or the public, across the Untrusted, Transitional, Trusted and Restricted zones.
Legend: User Device; Employee Device; Email Client; File Service Client; Firewall; Utility SMTP Gateway; Normal Email Transport; File Services; A = Authentication; Encrypted Data; Unencrypted Data; Certificate; Encryption Utility.
Paths shown:
• Business Partners or Public (Ad Hoc): normal email with a self-decrypting file attachment (password transmitted out of band), produced with an Encryption Utility on the employee device and carried by normal email transport via the SMTP gateways
• Business Partners (Ad Hoc): e-mail encrypted with client-to-client S/MIME, with certificates from the Published Certificate directory and the BP Certificate directory
• Business Partners (Planned): email encrypted between domains using MTA-to-MTA S/MIME at the SMTP gateways
• File transfer: user device with an HTTP client or SCP client to a Data Server offering an HTTPS Service and an SFTP Service, with authentication
Encryption Services: Network Encryption
Diagram: encryption technologies on each path across the Untrusted, Transitional, Trusted and Restricted zones (HORIZON items marked on the slide).
Legend: External System; Trusted User Device (S/W Firewall, VPN Interface); External Servers; BP User Device or Application; Application Front End; Applications; Data; Restricted Data; Restricted Applications; User Devices; Management Workstation; Management Applications; Proxy; Firewall; Firewall VPN; VPN Tunnel; 802.11 Access Point; 802.11 Client (EAP); utility servers (SMTP Gateway, DNS, NTP, etc.).
Protocols labelled on the paths: SSL, TLS, SFTP; SSL, TLS; SSL, SSH, SFTP; IPSEC, AES, 3DES (VPN tunnel); S/MIME; SSL; EAP (802.11 client to access point).