Sunil Misra Chief Security Advisor Enterprise Reference Architecture Overview

Post on 15-Feb-2017

Page 1: Sunil Misra Chief Security Advisor

Sunil Misra, Chief Security Advisor

Enterprise Reference Architecture Overview

Page 2

Reference Architecture Objectives

Accelerate solution development & implementation projects by providing reference architectures as a project starting point.

Provide a communications tool describing the business problem the infrastructure addresses, how the problem is solved, the scope and cost of the solution, and the tools and technologies used to build the solution.

Reduce risk through common tools and a Point of View

Page 3

Reference Architecture Solutions

[Diagram: Industry Expertise and Technology Points of View feed The Reference Architecture Solution. Recoverable labels:]

Industry Expertise: visioning future state infrastructure models for industries; ROI modeling.

Technology Points of View: field tested solutions; draws upon managed services and outsourcing experiences; understanding of what works with what.

The Reference Architecture Solution: pre-populated with industry-relevant infrastructure models; customized for clients; digital record of solution. It’s the mechanism that captures solution value and drives deployment.

Page 4

Reference Architecture Defined – Comprehensive

RA Introduction: What is a Reference Architecture? Why use a Reference Architecture? How to use the baseline Reference Architectures

Application Infrastructure Services: Utility Services (definitions, service models); Application Technology Services (definitions, service models); Data Services (definitions, service models)

Physical Infrastructure Services: Platform Services (definitions, service models); Network Services (definitions, service models)

Security Infrastructure Services: definitions, service models

Operations Infrastructure Services: definitions, service models

Page 5

What is Reference Architecture?

Reference architectures represent a baseline set of recommended models that meet the needs of a high percentage of our client situations.

A reference architecture does not specify implementation details, but instead provides a framework that can be customized and implemented at any organization or for most consultative or sales situations.

The Reference Architecture is based on services combining technologies, not just the technologies alone.

[Diagram labels: Today / 3 years timeline; Current State; Architecture Targets; Technology Investments & Returns; Specific Situation; Needs; Reference Architecture; Identify Applicability; Adjust for Environment]

Page 6

How to use Reference Architecture

Reference Architectures align to all phases of the Unisys ITS Balanced Portfolio (Advisory, Transform, Manage)

Infrastructure Architects will use the Reference Architecture to develop customer-specific Enterprise Infrastructure Architectures as well as Solution-specific architectures

Phase Definition: Data Gathering / Analysis; Architecture Definition; Architecture Plan

Identify Enterprise Architecture Drivers

Conduct interviews with key stakeholders

Document current state enterprise architecture

Analyze current state architecture

Formulate and confirm the future state architecture vision

Incorporate customer unique requirements

Document architecture decisions

Review and approve architecture

Create a communication strategy, governance structure and rollout plan

Advisory

Reference Architectures provide our Point of View (POV) on key infrastructure decisions

Assists client in accelerating development of strategy and architecture for either Enterprise-wide or Solution-specific requirements

Transformation

Reference Architectures provide design and deployment teams with an accelerated starting point as well as ensuring all components of the infrastructure are considered

Sustain / Manage

Reference Architectures provide a starting point for determining scope of managed services as well as assessing potential risks of incomplete client architectures

Periodic progress review on client implementation of Reference Architecture

Page 7

Reference Architecture Landscape

The following services are modeled within the Unisys Reference Architecture…

Security Infrastructure – Security Services: Encryption Services; Security Management Services; Identity Management; Authentication / Authorization Services; Anti-Virus & Content Control Services; Network Communication Security Services

Mgmt Infrastructure – Services Mgmt: Incident Management; Problem Management; Capacity Management; Financial Management; Change Management; Configuration Management; Service Desk; Release Management; Service Level Management; Availability Management; Continuity Management

Application Infrastructure Services – Application Technology Services: Application Framework; Integration; Orchestration; Channel Integration; Process Mgmt & Workflow

Application Infrastructure Services – Utility Services: File Services; Print Services; Messaging Services; Directory Services; Collaboration Services; Naming & Addressing Svcs; Backup Services

Application Infrastructure Services – Information Services: Data Management; Data Usage; Data Movement & Transformation; Content Access

Physical Infrastructure Services – Platform Services: Data Center Services; Storage Services; Shared Device Platforms; End User Device Platforms; High Availability Services

Physical Infrastructure Services – Network Services: Site Network Services; Remote Access Services; Business Partner Connectivity; Telephony Services; Enterprise Perf. Mgmt. Services; Wide Area Network Services; Data Center Network Services; Metropolitan Area Network Services

Page 8

Key Architecture Representation Concepts

Key concepts presented in each description include the following:

Services – Services define the capabilities and value the infrastructure must provide for its user groups, applications and data stores. Each represents and is formed through a unique view of technology standards, components and vendors.

Service Delivery / Control Domains – This is the background layout for each of the models. It consists of the following areas and is based on the level of control the enterprise has over the end user devices, network or services within the environment:

• External Services – Services or end user devices that are physically external to the enterprise

• Site Services – End user devices and local shared services

• Enterprise Shared Services – Services available in a centralized manner to the entire enterprise, generally provided within Enterprise Data Centers

Service Delivery or Access Point / Situation (some exceptions to definitions):

• Large Office User – individual employed by the enterprise utilizing a network-connected device inside the boundaries of a corporate-designated Large Site

• Small Office User – individual employed by the enterprise utilizing a network-connected device inside the boundaries of a corporate-designated Small Site

• Mobile User – individual employed by the enterprise utilizing a network-connected device while outside the boundaries of a corporate site

• Home User – individual employed by the enterprise utilizing a network-connected device while at their home

• Business Partner User – individual NOT employed by the enterprise accessing corporate services over their own external (or public) network

Page 9

Key Architecture Representation Concepts (2)

Key concepts presented in each description include the following (2):

Technology Maturity Classification –

• Core – technologies that are to be the first choice in new implementations, and toward which existing infrastructure will be migrated.

• HORIZON – emerging technologies that are expected to play a significant role in the architecture in the near future but cannot be labeled Core due to immaturity, lack of availability, or poor fit to transitional environment

• HERITAGE – existing technologies that are not Core but will continue to play a substantial role in the architecture within the timeframe under consideration.

• SUNSET – technologies that should be replaced and removed from the environment in the most rapid and efficient manner possible.

• TRANSITION – technologies that must be in place for a short time until either a chosen CORE market technology becomes a reality or until the client is prepared to deploy that CORE technology choice.

Service Cross-Dependency – Delivery of enterprise technology services requires that many of the services have dependencies upon others. In order to simplify the depiction of service definitions and models, service abstraction is used to focus only on the technology concepts inherent to the service currently being discussed

Page 10

Security Infrastructure Guidelines

• Use the concept of “Defense in depth” to guide security architecture
  – Use multiple layers of controls between untrusted devices/environments and applications and data
  – Use non-technology controls (physical, management, etc.) in conjunction with technology controls where appropriate; and use a combination of network- and application-layer technology controls

• When architecting security, account for both external and internal threats

• Define a limited number of discrete network trust zones
  – Apply controls in a common way within zones
  – Allow network traffic to flow freely within the Trusted Zone: rather than attempt to characterize every permitted data flow between trusted devices, rely on physical, management, and application-level technology controls within the trusted zone …while providing a means to segment or quarantine portions of the trusted network as needed in an emergency

• Explicitly deny network traffic known to be malicious or against corporate policy

• Provide strong authentication mechanisms as appropriate
  – Two-factor or certificate-based authentication for systems administration access and for remote VPN access
  – Support strong authentication within applications as needed

• Use technology to enable coordination between multiple security information sources, including thorough event correlation across all platforms

Page 11

Security Services Definitions

Service – Definition

Network Communication Security Services – Service that provides isolation of networks from other networks. Includes structures that control the flow of packets between devices on a network or between networks. Includes the technology used to define DMZs or semi-trusted network areas.

Anti-Virus & Content Control Services – Service that prevents or controls the transmission of hostile applications, or any other content that is prohibited by policy. Includes technologies to identify and control viruses, to limit users' ability to execute arbitrary code, and to monitor text messages for sensitive content.

Authentication / Authorization Services – Service that verifies the identity of communicating endpoints. Includes identity credentials themselves, technology that ties credentials to sessions or transactions, and technology that associates an identity with the permissions assigned to it.

Identity Management – Service for provisioning user accounts.

Security Management Services – Service that provides security event detection, monitoring of security status, and configuration control of security devices.

Encryption Services – Service that enables storing or transmitting information such that it can only be read by a designated party or parties.

Page 12

Network Communication Security Services: Network and Platform Trust Zones

[Diagram: four trust zones laid out from External to Internal, the platforms placed in each, and the connection controls on the links between them. Recoverable content:]

• Untrusted – External Systems; External Services; any clients, servers, services. <Client> Governed VPN Clients on Untrusted Networks: Controlled Connections, Connections Authenticated, Connections Logged, IDS Monitoring

• Transitional – Public Facing Servers; External Gateways; DMZ Networks; Guest & High Risk Devices. Segments: DMZ 1, DMZ 2 … n, Guest; No Horizontal Traffic

• Trusted – User Devices; Business Systems and Data (Servers); Internal Networks (LAN/MAN/WAN). Segments: Server LAN 1, Server LAN 2 … n, VPN VLANs, User LAN 1, User LAN 2 … n, Mgmt. LAN, R&D; Default Allow Horizontal Traffic; ability to filter traffic at network choke points; ability to monitor traffic at network choke points

• Restricted – Sensitive Data & Applications. Segments: Server LAN 1, Server LAN 2, Server LAN n; No Horizontal Traffic

• Further annotation: Unique Trusted Segments – Default Deny Horizontal Traffic; Connections Authenticated, Logged & Monitored

• Link controls shown on the inter-zone connections: Controlled Connections, Default ALLOW, Connections Logged (two links); Controlled Connections, Default DENY, Connections Logged, IDS Monitoring (four links)
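As an added illustration of the guidelines on Page 10 and the zone model on this page (example code, not from the deck or from Unisys): a small policy evaluator that applies the rules in order, explicit deny first, then strong authentication for administration and remote VPN access, default allow (logged) for horizontal traffic inside the Trusted zone, and default deny (logged and IDS-monitored) on every other link. The zone assignments, ports and rule sets are constructed assumptions, as is the reading that horizontal traffic in DMZs and Restricted segments falls under default deny.

```python
# Added example: zone-policy evaluator for the trust-zone model on these slides.
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    UNTRUSTED = "Untrusted"
    TRANSITIONAL = "Transitional"
    TRUSTED = "Trusted"
    RESTRICTED = "Restricted"


@dataclass(frozen=True)
class Flow:
    src: Zone
    dst: Zone
    proto: str
    dport: int
    purpose: str = "app"   # "app", "admin" (systems administration) or "vpn" (remote VPN)
    auth: str = "none"     # "none", "password", "2fa" or "cert"


@dataclass
class Decision:
    action: str            # "ALLOW" or "DENY"; every controlled connection is logged
    reason: str
    ids_monitor: bool = False


# Traffic explicitly denied as known-malicious or against corporate policy.
# Constructed sample entries; the deck names no specific ports or protocols.
EXPLICIT_DENY = {("tcp", 23): "telnet is against policy",
                 ("udp", 69): "tftp is against policy"}

# Explicit allow rules for crossings between zones (constructed sample set):
# (source zone, destination zone, protocol, destination port).
ALLOW_RULES = {
    (Zone.UNTRUSTED, Zone.TRANSITIONAL, "tcp", 443),   # public front end in a DMZ
    (Zone.UNTRUSTED, Zone.TRANSITIONAL, "udp", 4500),  # remote VPN gateway
    (Zone.TRANSITIONAL, Zone.TRUSTED, "tcp", 8443),    # front end to internal app
    (Zone.TRUSTED, Zone.RESTRICTED, "tcp", 1433),      # app tier to sensitive data
}
STRONG_AUTH = {"2fa", "cert"}   # two-factor or certificate-based


def evaluate(flow: Flow) -> Decision:
    """Apply the guidelines in order: explicit deny, strong auth, zone defaults."""
    # 1. Explicitly deny traffic known to be malicious or against policy, anywhere.
    if (flow.proto, flow.dport) in EXPLICIT_DENY:
        return Decision("DENY", EXPLICIT_DENY[(flow.proto, flow.dport)], ids_monitor=True)
    # 2. Systems administration and remote VPN access need 2FA or certificate auth.
    if flow.purpose in ("admin", "vpn") and flow.auth not in STRONG_AUTH:
        return Decision("DENY", f"{flow.purpose} access requires 2FA or certificate auth")
    # 3. Horizontal traffic inside the Trusted zone: default allow (still logged, so it
    #    can be filtered or monitored at choke points in an emergency).
    if flow.src == flow.dst == Zone.TRUSTED:
        return Decision("ALLOW", "default allow inside Trusted zone")
    # 4. Every other link (zone crossings, horizontal traffic in DMZs and Restricted
    #    segments): default deny with IDS monitoring, unless an explicit rule allows it.
    if (flow.src, flow.dst, flow.proto, flow.dport) not in ALLOW_RULES:
        return Decision("DENY", "default deny at zone boundary", ids_monitor=True)
    # 5. Connections into Restricted segments must also be authenticated.
    if flow.dst == Zone.RESTRICTED and flow.auth == "none":
        return Decision("DENY", "Restricted segment requires authentication", ids_monitor=True)
    return Decision("ALLOW", "explicit rule across zone boundary", ids_monitor=True)


# Constructed flows such as a change review might check against the policy.
SAMPLE_FLOWS = [
    Flow(Zone.TRUSTED, Zone.TRUSTED, "tcp", 445),                      # ALLOW: trusted horizontal
    Flow(Zone.UNTRUSTED, Zone.TRANSITIONAL, "tcp", 443),               # ALLOW: explicit rule
    Flow(Zone.UNTRUSTED, Zone.TRUSTED, "tcp", 443),                    # DENY: no rule across boundary
    Flow(Zone.TRUSTED, Zone.RESTRICTED, "tcp", 1433),                  # DENY: unauthenticated
    Flow(Zone.TRUSTED, Zone.TRUSTED, "tcp", 23),                       # DENY: explicit deny
    Flow(Zone.TRUSTED, Zone.TRUSTED, "tcp", 22, "admin", "password"),  # DENY: needs 2FA/cert
]


def count_denied(flows) -> int:
    """Number of flows the policy rejects, for summarising a batch review."""
    return sum(1 for f in flows if evaluate(f).action == "DENY")
```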

Page 13

Network Communication Security Services: Network Communication Controls

[Diagram: control points on the paths between the Untrusted, Transitional, Trusted and Restricted zones. Recoverable content:]

Legend: Packet Filter; User Device; Governed User Device; S/W Firewall; VPN Client; User Device or Application; External Servers; Proxy; DA = Default Allow; DD = Default Deny; A = Authentication; FW DP = Hybrid Firewall with Deep Packet Inspection focus; FW PR = Hybrid Firewall with App Proxy focus; HORIZON marks emerging items

Paths and components named: Employee – Front Ends for Employee Applications; Partner Apps – Front Ends for Partner Applications; Protected Partner VPN – Partner VPN Endpoint; Applications / Data; Governed User Devices; Restricted Apps / Data; Guest – Guest Devices; Public – Front End for Public Apps; Utility – App GWs (SMTP, DNS, NTP, etc.); Employee Outbound – Non-Proxyable, VPN; Utility Apps; Employee, Any, Business Partner / Managed Service Provider; Partner VPN Endpoint; User Device

Each path carries a sequence of DD/DA, A, FW DP, FW PR, Proxy and S/W Firewall markers; their order along each path is not recoverable from the extracted text.

Page 14

Network Communication Security Services: Wireless Security

[Diagram: wireless access paths into the Trusted Network across the Untrusted, Transitional, Trusted and Restricted zones. Recoverable content:]

Legend: Trusted Network; Internet; 802.11 b/g; 802.11i; Proprietary Wireless Handheld; Firewall; VPN Client; Governed Device with S/W FW; A = Authentication; Proxy; HORIZON marks emerging items

Access paths shown: VPN-Secured Public Wireless (802.11 b/g, Wide Area, Public 802.11 Access Point, Carrier Svc, VPN); Unsecured Wireless with VPN-Secured Session (Shared 802.11 Access Point, VPN Client on a Governed Device with S/W FW); Secured 802.11i AP with an 802.11i Client on a Governed Device with S/W FW; Proprietary Wireless Handheld over a Proprietary Network and Proprietary Svc to a Wireless eMail Gateway; Guest Wireless 802.11 b/g with an Uncontrolled Guest Device via Proxy; 802.11 Mapper A/A Service; Employee Services

Page 15

Anti-Virus and Content Control: Anti-Virus and Content Control Capabilities

Legend: Enterprise Services; Site Services; External Services; Device; Site; Shared; HORIZON marks emerging items

[Diagram: each platform with its AV scan targets and content filters. Recoverable content:]

Proxy Server – AV scan targets: Proxy Data, O/S, F/S, RAM. Content filters: URL or IP, Text Pattern, Active Content

IM Gateway – AV scan targets: File Transfer. Content filters: File Transfer, Text Pattern

SMTP Gateway – AV scan targets: SMTP Queue, O/S, F/S, RAM. Content filters: Email Source, Text Pattern, Attachment

Internal IM Service – AV scan targets: File Transfer, O/S, F/S, RAM

User Desktop – AV scan targets: O/S, F/S, RAM, Removable Media

Internal Utility Server – AV scan targets: O/S, F/S, RAM

Internal App, Server or Data Store – AV scan targets: O/S, F/S, RAM

Front End Server – AV scan targets: O/S, F/S, RAM

Internal Mail Service – AV scan targets: User Mail Box, O/S, F/S, RAM

External Servers (Public, BP, etc.) – IM, SMTP, HTTP

External Client Application

Note: A Remote Employee System tunneled into the network via a VPN connection is equivalent to an Internal Client System. Refer to Client System for data flows.

Page 16

Enterprise Authentication/Authorization Service: Supplicants and Credentials

[Diagram: supplicants (user devices and readers) in the Untrusted, Transitional, Trusted and Restricted zones and the credential type each service provider accepts. Recoverable content:]

Legend: Service Provider; User Device; maturity markers HORIZON and TRANSITION

Credential types: A = UserID/Password; B = User Certs (+UserID/Password); C = One-time Password token (transitional) (+UserID/Pwd); D = Device Certs

Service providers: Public DMZ Application; Partner DMZ Application; Emp. DMZ Application; Standard App or Utility Service; Sensitive App; Server or Network Device; Management Console; Restricted Applications; VPN; Site to Site VPN; Proxy (Outbound); Network Device; Facilities Access System

Supplicants: Public User Device; Business Partner/Customer User Device; Employee User Device (S/W Firewall, VPN Client); Satellite Office User Device; Local logon; Smart Card Reader; Proximity or Mag. Stripe Card Reader (proximity chip or mag. stripe on same physical card as B)

Credential annotations on the links: A or B; B and possibly D; B; D; A; Local logon; No Credentials; C or IP Filter; “Depending on implementation”; “Depending on application”; “Or pass-thru from Local logon”; “Passthru from Local logon”. Which annotation belongs to which link is not recoverable from the extracted text.

Page 17

Enterprise Authentication/Authorization Service: Authentication Systems Model

Legend: Enterprise Services; Site Services; External Services; Device; Site; Shared; Native Data Interface; Data Movement / Integration; Authentication Protocol Comm.; Authorization Query; OTP = One Time Password; maturity markers HORIZON, HERITAGE, TRANSITION and SUNSET

[Diagram: consumers, authentication services and their A/A stores. Recoverable content:]

Consumers: Legacy System; Some Packaged Applications; Most Applications; Web Applications; Network Device

Authentication services: App-proprietary A/A; Active Directory Authentication Service; RADIUS/TACACS+ Service; One-Time Password Service (e.g., ACE); Legacy A/A System (e.g., RACF); Physical A/A Service; Web SSO layer (HORIZON); PKI: CRL Publishing; Utility: Directory Services

A/A stores: App-specific A/A Data; AD A/A Store (employees); Second AD forest (non-employees) (TRANSITION); RADIUS or TACACS+ accounts; Legacy A/A Data; OTP accounts; Physical A/A Accounts; CRLs

Protocols and interfaces on the links: Proprietary; NTLM (HERITAGE); Kerberos; RADIUS; OTP I/F; PKI I/F; Native Data Interface

Page 18

Identity Management Service: Public Key Infrastructure (PKI)

Legend: Enterprise Services; Site Services; External Services; Device; Site; Shared

[Diagram: CA hierarchy and supporting services. Recoverable content:]

Root CA (shown offline, with HSM)

Issuing CAs, each with an HSM: Internal User Issuing CA; Device Issuing CA; External User Issuing CA

Supporting services: Online Status Checking; Key Recovery (HSM); HTTP CRL distribution; Utility: Directory Services holding Certs / CRLs in the AD A/A Store (employees) and the Second AD forest (non-employees)

Policy & Procedures: Enterprise Certificate Policy; Certification Practice Statements; Best Practices

User certs live on: Machines (DS); Cards; Tokens

Page 19

Identity Management Service: Provisioning and Account Management Model

Legend: Enterprise Services; Site Services; External Services; Device; Site; Shared; System – Data Interactions; User – System Interactions; System – System Interactions; OTP = One Time Password

[Diagram: IDM system, its actors and the account stores it provisions. Recoverable content:]

IDM System: Connectors; User Self Svc; Workflow; Admin Services; Business Rules; Email Notification

Actors: Administrator; User; Delegated Admin; HR (bulk updates via API or scripted)

Account management tools and their stores: App-proprietary Account Mgmt – App-specific A/A Data; AD A/A Store (employees); LDAP A/A Store (other users); RADIUS or TACACS+ accounts; Legacy System Account Mgmt (e.g., RACF) – Legacy A/A Data; One-Time Password Account Tools (e.g., ACE) – OTP accounts; Physical A/A Account Tools – Physical A/A Accounts

Interfaces on the links: LDAP; RADIUS; Native Data Interface

Page 20

Security Management Services: Intrusion Detection / Prevention

[Diagram: NIDS, HIDS and IPS placement across the Untrusted, Transitional, Trusted and Restricted zones, with out-of-band collection. Recoverable content:]

Legend: Managed IDS Service; IDS Alert Logging; IDS Data; Server with HIDS; Server w/o HIDS; NIDS Engine(s); IDS Monitoring System; Exposed Router; Firewall; VPN Proxy; Host IDS Agent; IDS Traffic; Network IDS Data Collection; Intrusion Prevention System; Out of Band IDS communication; IDS Collectors; IP Filter; HORIZON marks emerging items

Placement shown: multiple NIDS and IPS markers at points across the zones; HIDS on servers; IDS data from the sensors and host agents flows over out-of-band IDS communication, through VPNs where needed, to the IDS Collectors and the IDS Monitoring System, with IDS Alert Logging and a Managed IDS Service

Page 21

Security Management Services: Alert Processing

Legend: Enterprise Services; Site Services; External Services; Device; Site; Shared

[Diagram: raw alerts flow from aggregation systems into the Alert Correlation System and out as refined data. Recoverable content:]

Event sources and what they emit: User Device – A/V Alerts; Networking Devices & Firewalls – SNMP Traps, Security logs; IDS System – SNMP Traps, IDS Alerts; Servers – A/V Alerts, SNMP Traps, HIDS Alerts

Aggregation Systems (Raw Data): Enterprise A/V Server; SNMP Console; IDS Console; Syslog Server; Advisory Alerts arriving through Messaging Services and manual processes

Alert Correlation System stages, in order: Data Normalization; Data Processing; Alert Generation

Refined Data consumers: Mgmt./Monitoring Console (Email, Pager, SMB, MOM, etc.); Log Mining & Trend Reporting; DSS; Forensic Tools; Vulnerability Assessment
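As an added example for the Alert Correlation System stages on this page (example code, not tooling from the deck or from Unisys): a small Python pipeline that normalizes constructed sample lines from three aggregation systems (a syslog server, an enterprise A/V server and an IDS console) into one event record, then correlates across them to generate alerts. The line formats, parsing rules and correlation thresholds are assumptions made for the example.

```python
# Added example: alert normalization and correlation for the stages on this slide.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: int                # epoch seconds
    source: str            # aggregation system: "syslog", "av" or "ids"
    host: str              # asset the event concerns
    actor: Optional[str]   # remote address involved, if any
    kind: str              # normalized category
    severity: int          # 1 (informational) .. 5 (critical)


# Constructed raw lines as three aggregation systems might deliver them (sample data).
RAW_LINES = [
    "1700000000 fw01 sshd[212]: Failed password for admin from 10.9.8.7 port 5122",
    "1700000012 fw01 sshd[213]: Failed password for admin from 10.9.8.7 port 5123",
    "1700000025 fw01 sshd[214]: Failed password for admin from 10.9.8.7 port 5124",
    "AV-ALERT;t=1700000040;host=ws042;threat=Trojan.Generic;action=quarantined",
    "[**] ET SCAN Nmap [**] 1700000050 10.9.8.7 -> ws042",
    "1700009000 app03 kernel: eth0 link up",
]

SYSLOG = re.compile(r"^(\d+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
AV = re.compile(r"^AV-ALERT;t=(\d+);host=([^;]+);threat=([^;]+);action=(\S+)$")
IDS = re.compile(r"^\[\*\*\] (.+?) \[\*\*\] (\d+) (\S+) -> (\S+)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize(line: str) -> Optional[Event]:
    """Data Normalization: map each source's own format onto the Event record."""
    if m := SYSLOG.match(line):
        ts, host, _prog, msg = m.groups()
        ip = IPV4.search(msg)
        kind, sev = ("auth_failure", 2) if "Failed password" in msg else ("info", 1)
        return Event(int(ts), "syslog", host, ip.group() if ip else None, kind, sev)
    if m := AV.match(line):
        ts, host, _threat, action = m.groups()
        return Event(int(ts), "av", host, None, "malware_" + action, 4)
    if m := IDS.match(line):
        sig, ts, src, dst = m.groups()
        return Event(int(ts), "ids", dst, src, "ids_" + sig.split()[1].lower(), 3)
    return None  # unrecognised format: the caller counts it rather than dropping it silently


def correlate(events, window=300, threshold=3):
    """Data Processing and Alert Generation: refined events in, (severity, text) out."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    # Rule 1: repeated auth failures from one actor against one host in a sliding window.
    recent = defaultdict(list)
    for e in events:
        if e.kind == "auth_failure" and e.actor:
            hits = recent[(e.actor, e.host)]
            hits[:] = [t for t in hits if e.ts - t <= window] + [e.ts]
            if len(hits) == threshold:
                alerts.append((5, f"{threshold} auth failures from {e.actor} on {e.host}"))
    # Rule 2: one actor reported by more than one aggregation system (cross-platform).
    sources = defaultdict(set)
    for e in events:
        if e.actor:
            sources[e.actor].add(e.source)
    for actor, srcs in sources.items():
        if len(srcs) > 1:
            alerts.append((4, f"{actor} reported by {' and '.join(sorted(srcs))}"))
    # Rule 3: high-severity single events (e.g. malware quarantined) pass straight through.
    alerts += [(e.severity, f"{e.kind} on {e.host}") for e in events if e.severity >= 4]
    return sorted(alerts, key=lambda a: -a[0])


def run_pipeline(lines):
    """Raw lines in; returns (alerts, number of lines no normalizer understood)."""
    events = [normalize(line) for line in lines]
    return correlate([e for e in events if e]), events.count(None)
```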

Page 22

Security Management Services: Update Management

Legend: Enterprise Services; Site Services; External Services; Device; Site; Shared

[Diagram: three update flows from the Internet into the enterprise. Recoverable content:]

Signature updates pulled from external service (Internet): the Signature Update Service (Virus Signatures) feeds the Enterprise Anti-Virus Management System, whose Update Service pushes Virus Signatures to AV clients; Policy Management Consoles supply Security Policies

Filter Update Service (Filter Triggers) feeds the Enterprise Content Filter System (Customized Filters, Filter Triggers)

O/S or App Patch Services (Patches) feed the Patch Staging Server (Patches), from which Operations: Release Management pushes updates to all appropriate platforms

Page 23

Encryption Services: Secure Messaging

Legend: User Device; Email Client; Employee Device; File Service Client; Firewall; Utility SMTP Gateway; File Services; A = Authentication; Encrypted Data; Unencrypted Data; zones Untrusted, Transitional, Trusted and Restricted

[Diagram: secure messaging patterns between employee devices and external parties. Recoverable content:]

Business Partners (Planned): Email encrypted between domains using MTA-to-MTA S/MIME; Employee Device Email Client to SMTP Gateway, normal email transport between the gateways, SMTP Gateway to the partner's User Device Email Client

Business Partners (Ad Hoc): E-Mail encrypted with client-to-client S/MIME; certificates obtained from a Published Certificate directory and a BP Certificate directory

Business Partners or Public (Ad Hoc): Normal email with self-decrypting file attachment produced by an Encryption Utility on the Employee Device (password transmitted out of band)

File transfer: User Device HTTP Client or SCP Client to a Data Server HTTPS Service or SFTP Service, with authentication; File Services behind the firewall

Page 24

Encryption Services: Network Encryption

Legend: External System; Trusted User Device (S/W Firewall, VPN Interface); External Servers; BP User Device or Application; Proxy; Firewall; Firewall VPN; VPN Tunnel; 802.11 Access Point; 802.11 Client (EAP); zones Untrusted, Transitional, Trusted and Restricted; HORIZON marks emerging items

[Diagram: encryption protocols labelled on the links between components. Recoverable content:]

Components: External Servers; SMTP Gateway, DNS, NTP, etc.; Application Front End; Applications; Data; Restricted Data; Restricted Applications; User Devices; Management Workstation; Management Applications

Protocols labelled on the links: SSL, TLS, SFTP; SSL, TLS; SSL, SSH, SFTP; IPSEC, AES, 3DES; S/MIME; SSL; EAP (802.11 client). Which protocol set belongs to which link is not recoverable from the extracted text.