Presentation on theme: "Information Security in Real Business" — Presentation transcript:

1 Information Security in Real Business
MSIT 458: Information Security and Assurance
Asian Connection and Craig
2 Secure Remote Access for Company XYZ
- Provide remote users secure access to internal corporate network resources – 1000-user company
- Remote users access the perimeter network from the public Internet
- The number of threats is growing and their complexity is increasing – "botnets"
- The end-points are hard to secure, and network security is a corporate standard
- How do we trust remote users while verifying that they are secure?
- Provide an authenticated, secure connection for remote users

In order to protect company assets, personal and financial information from the outside world, Company XYZ plans to implement a secure remote access solution for its employees who connect virtually to the company's network to perform their day-to-day duties. These are the reasons why remote access needs to be implemented by Company XYZ:
1. Since the majority of employees travel and use their computers in unsecure locations (i.e. Starbucks, airports, Wi-Fi hotspots), they access the public Internet in order to connect virtually to corporate resources (i.e. applications and/or data files), which introduces risk to the corporate network through potential security vulnerabilities.
2. Using the public Internet to connect to corporate resources makes the end-user machine susceptible to virus threats, botnets, or any malicious software; combating this kind of situation is complex and time-consuming for security engineers.
3. Since the majority of users travel to unsecure locations, it is more difficult to keep end-user machines up to date with security patches and current virus definition files. Another security challenge Company XYZ is facing is how to know that the remote user is secure, and how that security is validated.
4. Solution – provide a new security process that authenticates remote users and provides a secure connection to the corporate network.
Source: Gartner Research
3 Secure Remote Access for Company XYZ
Why is this problem a general one that comes across multiple industry, education and government sectors?
- Globalization – companies have operations outside the US
- Talent pool – no longer constrained by geographic limitations
- Remote users – increase in demand for users to work remotely

Globalization – in order to stay competitive in its current market, a company expands its line of business globally to capture global market share. To support these new markets, the trend is to outsource and offshore the talent pool, leveraging resources outside the US in order to support other countries.
Remote users – with flex schedules and the benefit of working at home, a great number of employees connect remotely to perform their daily duties.
4 Global Setup
[Map: Frankfort, Chicago, Singapore]

Currently, the corporate office of Company XYZ is located in Chicago. Frankfort and Singapore are the hubs for the remaining countries.
5 Secure Remote Access for Company XYZ
Remote Users
- Asia – 9 countries (100 users)
- Europe – 10 countries (120 users)
- Americas – 4 countries (780 users)
Security Verifications
- Validate virus definition files and active monitoring
- Verify Windows patches are current
- Isolate worm viruses from entering the corporate network

Company XYZ has a great number of remote users, mainly on three continents. Some of the security verifications designed for remote users of Company XYZ:
Validate virus definition files and active vulnerability monitoring – up-to-date virus definitions and active monitoring are very important to security; they are the first line of defense against attacks on the client computer.
Verify Windows patches are current – staying up to date with Windows patches is one of the simple ways to eliminate vulnerabilities, as we learned in class with the Nessus scanning. This can eliminate application or operating system holes through which viruses and botnets can penetrate.
Isolate worm viruses from entering the corporate network – upon connection to the company's network, the system will automatically detect whether the machine that is trying to connect is infected with a virus.
6 Existing State for Company XYZ
- Users log in through the public Internet using VPN client access
- No virus checking
- Patch management is not verified
- The user can use any computer with a VPN client – no way to enforce corporate-approved machines
- No validation for malware- or botnet-infected machines

Before this project, remote users would simply use VPN to connect to the corporate network. There was no virus checking. There was no verification that patches were up to date. Users could connect from any computer with a VPN client; there was no way to enforce usage of corporate-approved machines. This left a huge hole of vulnerabilities for infection from malware, botnets, viruses, and worms.
7 Business Applications
- SharePoint
- Business Intelligence Tools
- SAS & ETL Tools
- Business Data: Structured, Unstructured
- File Server
- Data Warehousing
- ERP Systems

Just to give some idea about the application landscape, these are some examples of the types of applications. We have SharePoint, which is an online collaboration tool from Microsoft. We have business intelligence tools, such as SAS and ETL. We have various kinds of business data, in both structured and unstructured format, in various file servers, data warehouses and ERP systems. As RB pointed out earlier, we have users all around the globe. All of these application servers are hosted here in the US, and we want to provide secure access for international users.
8 Remote Users
User Landscape
- Global Remote Offices – DSL connections
- Home Users – broadband connections
- Partners
- Local and Off Shore – DSL / public Internet
- Higher-level privileges – above guest access

These are the categories of the remote users. We have remote offices in foreign countries. Some of these offices are small, consisting of only around 10 people. These small offices use DSL for their Internet access. We have employees working from their homes as well; in that case they use broadband access. These small offices and home users don't have sophisticated security on their end-points. Virtually, there is almost none or the bare minimum of security. So it's really up to the company to enforce a security policy that is up to the company's standard.
We also have partners, both located in the US and offshore.
We learned in the class about the principle of "least privilege". The same principle also applies here. For guest users, we just want to provide guest-level access only. Partners are not employees, but they need certain access to be able to do their work properly. So here we want to provide access higher than just the guest level. For employees, we also want to make sure each is assigned the most appropriate access level, so they can do their work properly, nothing more, nothing less.
9 Symantec Network Admission Control
Technical Solution
- Symantec Network Admission Control
- The Endpoint product is currently being used for Anti-Virus and Client Security
- "Single Pane of Glass" – one management interface is used to manage Anti-Virus, Client Firewall, Client Intrusion Prevention System and Network Admission Control
- Microsoft Certificate Administration
- Management is built into 2008 Active Directory

Symantec Network Admission Control: this solution integrates three vendors (Microsoft, Cisco, and Symantec). We are picking the best technology from each vendor. Compared with the Cisco solution, which is a full UTM, this is cost-effective. This solution could be installed in a couple of weeks, whereas the Cisco solution would take months. The operational benefit is that Level 2 (the technical support team that manages A/V) can support this moving forward.
It integrates with Microsoft Network Access Protection (NAP) – Windows 2008, Vista and XP SP3. This is a new security feature built into the Microsoft operating systems.
The Symantec Endpoint product line (version 11.0) integrates with Symantec Network Access Control's gateway-based enforcement (appliance) and self-enforcement. Self-enforcement leverages the client-side firewall capabilities within the Endpoint product.
10 Network Access Control (NAC)
Technical Solution
1. User attempts to connect to vpn.xyz.com
2. Cisco ASA validates the user certificate with the Windows 2008 Certificate Server
[Diagram: Remote employees or partners – Internet – ASA Firewall – VLAN 0 (Certificate Server, Symantec Endpoint Protection, AD, Antivirus, Security Patterns) – Symantec Gateway Enforcer (Network Access Control) – VLAN 1; step 3 shown as "OK"]

1 – The client initiates the VPN connection through our Cisco ASA firewall.
2 – An X.509 certificate is used to validate the identity of the client system. This is deployed from a Windows 2008 Certificate Server; Windows 2008 has fully integrated certificate management.
11 Network Access Control (NAC)
Technical Solution
3. If the certificate is valid, information is passed back through the Cisco ASA and the user is allowed access to VLAN0
4. Computer information is passed to the Symantec Gateway Enforcer; the Gateway Enforcer checks for policy information from the Symantec Endpoint Protection Server
[Diagram: same topology as slide 10, with steps 3 ("OK") and 4 added]

Once the client is connected to the perimeter network "VLAN0", the Symantec Gateway Enforcer appliance performs a "posture check".
Posture check – a custom policy can be defined on the management server. It can include:
- specific Windows patch levels
- specific Anti-Virus definitions
- checks for vulnerabilities – malware, Trojans and worm viruses
- verification for non-corporate software (i.e. P2P)
Symantec Endpoint Protection server – manages NAC policies, virus definition signatures and client firewall settings, and reviews client vulnerabilities.
12 Network Access Control (NAC)
Technical Solution
5. The Gateway Enforcer compares the remote computer's security with the policy from Symantec Endpoint Protection. If the computer is not compliant, information is presented to the user on the steps needed to become compliant
6. When the computer is compliant, access is granted to the internal VLAN
[Diagram: same topology as slide 10, with steps 5 ("Policy Check") and 6 added]

Non-compliant client – the client is connected to the remediation server, where it can download the Windows patches and the A/V client installation and definition files.
Compliant client – the gateway appliance allows the client to connect to internal network resources on "VLAN 1".
13 Network Access Control (NAC)
Technical Solution
7. A computer connects locally to our network – Network Access Control performs the policy check
8. NAC will also determine what resources local users can access
[Diagram: same topology as slide 10, with the local-access path added]

NAC appliance features – network resources can be delegated or controlled.
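To make the admission flow of slides 10 to 13 concrete, here is an added example (not code from the presentation or from Symantec): a small policy evaluator that takes a client's reported posture after the ASA certificate check and returns where the client lands, with the remediation steps a non-compliant user would be shown. The policy thresholds, the posture fields and the client names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed NAC policy modelled on the posture checks listed on the slides
# (patch level, A/V definitions and monitoring, non-corporate software).
# Every threshold here is an assumption for this example, not a product default.
POLICY = {
    "min_service_pack": 3,                              # e.g. Windows XP SP3
    "max_av_definition_age_days": 7,
    "prohibited_software": {"bittorrent", "limewire"},  # P2P, constructed names
}

@dataclass
class ClientPosture:
    """What the endpoint agent reports to the Gateway Enforcer (constructed)."""
    host: str
    cert_valid: bool                    # outcome of the ASA X.509 check (step 2)
    service_pack: int
    av_definition_date: str             # ISO date, e.g. "2008-05-01"
    av_monitoring_on: bool
    installed_software: set = field(default_factory=set)

def admit(client, policy=POLICY, today="2008-06-01"):
    """Steps 2 to 6 of the slides. Returns (destination, remediation_steps):
    'denied' (bad certificate, never reaches VLAN0), 'remediation' (held on
    VLAN0 with the steps shown to the user) or 'VLAN1' (compliant)."""
    if not client.cert_valid:
        return "denied", ["certificate rejected by the ASA; connection dropped"]
    steps = []
    if client.service_pack < policy["min_service_pack"]:
        steps.append(f"install Windows patches: SP{client.service_pack} found, "
                     f"SP{policy['min_service_pack']} required")
    age = (date.fromisoformat(today) - date.fromisoformat(client.av_definition_date)).days
    if age > policy["max_av_definition_age_days"]:
        steps.append(f"update antivirus definitions: {age} days old, "
                     f"max {policy['max_av_definition_age_days']}")
    if not client.av_monitoring_on:
        steps.append("enable antivirus real-time monitoring")
    found = client.installed_software & policy["prohibited_software"]
    if found:
        steps.append("remove non-corporate software: " + ", ".join(sorted(found)))
    # Non-compliant clients stay on VLAN0 with only the remediation server (step 5).
    return ("remediation", steps) if steps else ("VLAN1", [])

if __name__ == "__main__":
    laptop = ClientPosture("sales-laptop-07", True, 2, "2008-05-01", False, {"limewire"})
    print(admit(laptop))
```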
14 Research Findings
Cisco
- Symantec NAC appliances are expensive
- There is integration with Microsoft's Network Access Protection (this can be utilized as we migrate to Windows 2008 and the next desktop OS we roll out)
- Uses an optional dissolvable or permanent agent, or a scanning function
- Need to define how they will integrate 802.1x enforcement
Symantec
- Uses the existing Endpoint infrastructure
- Uses a dissolvable agent or an agentless scanning option for non-Symantec endpoints
- They have a separate model for 802.1x enforcement

Cisco Unified Threat Management: the Cisco solution is very expensive. It requires high-level staff to support and install the system (it cannot be managed by Level 1 or Level 2 support staff, unlike the Symantec NAC). As we learned in last week's presentation, it is considered "vapor ware".
Symantec NAC: requires only a single agent and is managed by a single management console. They are the leaders in A/V protection. The endpoint product comes with Symantec Network Access Control built in ("SNAC-ready"). Instant upgrade – a license key, and drop the H/W in place. Unlike the Cisco solution, no additional software deployments are required on the endpoints.
15 Cost Comparison

| | One Time Cost: Symantec | One Time Cost: Cisco | On-Going: Symantec | On-Going: Cisco |
|---|---|---|---|---|
| Hardware (NAC hardware) | $27,000 | $125,000 | $2,700 | $22,000 |
| Software (client licensing and Microsoft SA) | $25,000 | $46,000 | $2,500 | $9,500 |
| Installation (consulting) | $5,000 | $65,000 | | |
| Total | $57,000 | $236,000 | $5,200 | $31,500 |

This slide looks at the cost comparison between the two solutions. The costs are divided into two categories: One Time Cost and On-Going Cost.
One Time Cost – the total cost of purchasing the hardware, software and licenses, plus implementation and consulting fees, employee time, etc.
On-Going Cost – this includes annual maintenance, employee time to manage the system, salaries of additional staff hired because of the new solution, etc.
Based on the above numbers it is clear that Symantec not only has a significantly lower one-time cost, but also a significantly lower on-going cost.
16 Requirements

| Requirement | Symantec | Cisco |
|---|---|---|
| $$$ (<200K) | Yes | No |
| Ease of Use | | |
| Interoperability | | |
| Ease of Training | | |
| Warranty | | |
| Customer Support | | |

The table in this slide lists the key requirements for the company and, based on these requirements, puts the two vendors of the security solutions (Symantec and Cisco) side by side for comparison.
The top requirement is cost. The approved budget was $200K, so the solution needed to be below that amount; Symantec was the clear winner for this requirement.
Ease of Use – since the Symantec suite was already installed on users' machines, it was relatively easy to use. For the IT department, the ease of use of Symantec vs. Cisco was very important, and less training was required.
Interoperability – the ability of diverse systems to work together was important, and both Symantec and Cisco were able to meet this requirement.
Training – since the Symantec anti-virus solution was already used by the organization and the IT staff was trained on it, getting trained on the security suite was easier for the department. For Cisco security, the IT department would have to get additional training, as the Cisco security suite is more complex compared to Symantec, or the organization would have to hire Cisco-certified professionals, who are quite easy to get but have a higher salary requirement compared to non-Cisco-certified professionals.
Warranty – both vendors had excellent warranty options available.
Customer Support – both vendors had 24x7 customer support available. Cisco's annual support fees were higher than Symantec's, as Cisco's cost of acquisition was higher than Symantec's, and customer support and maintenance is usually around 10% of the total sales amount.
17 Some of the Consequences
- Better protection for corporate assets against: trade secret leakage; malware, botnets, viruses, worms, etc.
- Ensuring proper usage of corporate resources
- Trade-off between additional security vs. additional operational overhead: increasing IT support staff; 24x7 support availability
- Initial time to establish a connection is longer than with the traditional VPN
- Additional complexity requiring training for non-technical users

There are some positive and some negative consequences of implementing this security solution.
The positive aspects relate to the increase in overall security. The security solution protects the company's assets. There are numerous databases, spreadsheets, Word documents, etc. that contain confidential information that, if leaked, could cause both financial and goodwill loss. The security solution also protects the company's computer systems against viruses, worms, etc., thus reducing opportunity loss. It also ensures that IT resources are focused on improving overall IT processes for the benefit of the business, instead of spending time and energy cleaning virus-infected systems that could have been protected by a reliable security solution.
However, implementing the security solution will mean that IT support staff will need to increase during the initial roll-out and for some time after full implementation, as users will be calling in with issues, which might be due to the slower initial connection compared to traditional VPN access.
Educating the remote users, who are mostly business users rather than technical ones, will also require time and resources, to work with them and ensure that business operations do not suffer during the initial implementation phase.