Enterprise Security Strategy Check List - PowerPoint PPT Presentation

Slides: 22
Provided by: marksayam

Transcript and Presenter's Notes

1
Enterprise Security Strategy Check List
  • Provided by
  • Government Technology Solutions
  • www.gvTechSolutions.com
  • 800-326-5683
  • info@gvTechSolutions.com

2
Document intentions
  • This is intended to be a guideline for agencies
    to check their existing security tools against
    current federal suggestions and guidelines. It is
    not intended to be an all inclusive how-to for
    security policy, procedures or tools. Examples
    given are estimates only from specific products
    and can vary widely depending on the
    installation, agency requirements, and contract
    vehicles used.

3
Security Challenge
  • Security is not a network only proposition
  • Both the network as a whole and individual assets
    must be protected.
  • Strategy must facilitate interventive and
    preventive approaches.
  • Damage clean-up after intervention of attack.
  • Security design paradigms
  • Outside in
  • Inside out

4
Defense in Depth
  • Gateway protection
  • Firewalls
  • Gateway AV
  • Network IDS/IPS
  • Gateway Anti-spam
  • Centralized policy management for all tools
  • Network protection
  • Web servers
  • File/Database servers
  • Clients (Desktops, Notebooks, PDAs, etc.)

5
Recommendations / Requirements
  • Single firewall platform for garrisons and
    deployments.
  • Stateful inspection
  • Ease of use (implement, configure, maintain,
    etc.)
  • Appliance model preferred.
  • VPN
  • High availability of Network Resources
  • Load balancing for mission critical functions
  • Redundant connections through router
  • Content / Malicious code protection
  • Content filtering on Ports 25, 80, 443
  • DoDD 8500.1/DoDI 8500.2 compliance (NIAP)

6
Guidelines and Certifications Required

7
Cost vs. Protection Considerations (sample 5000
employee Division, Low Level)
  • AV cost per person Trend NeatSuite - 74,250 new
    cost. 14.85 per person
  • Brightmail Anti-Spam Annual Cost - 28,000.
    5.60 per person
  • 4 Firewalls Stonegate Enterprise Cluster,
    unlimited IP addresses, VPN, Enterprise
    Management System. 47,542 new cost. 9.51 per
    person
  • Intrusion Prevention Cisco Security Agent
  • 20 Servers - 28,560 new cost. 5.71 per
    person

8
Budget for Security Tools, Low Impact Protection
Level
  • Basic Firewall, AV, IPS, VPN, Anti-Spam
    protection for all employees 35.40 or
    177,000.00 for a 5000 employee department.

9
Budget for Security Tools, Moderate Impact
Protection Level
  • AV and content management cost per person Trend
    NeatSuite, e-Manager content filter - 86,250 new
    cost. 17.25 per person
  • Brightmail Anti-Spam Annual Cost - 28,000.
    5.60 per person
  • 8 Firewalls Stonegate Enterprise Cluster,
    unlimited IP addresses, VPN, Enterprise
    Management System (includes high availability and
    load balancing). 95,084.00 new cost. 19.02 per
    person
  • Network Based IDS Real Secure 5000 device
    Internet Scanner 49,100. new cost. 9.82 per
    person.
  • Client and Server Intrusion Prevention Cisco
    Security Agent
  • 20 Servers - 28,560 new cost. 5.71 per
    person
  • 5000 Clients - 210,000 new cost. 42.00 per
    person

10
Budget for Security Tools, Moderate Impact
Protection Level
  • Firewall, AV, Content Inspection, IDS, IPS, VPN,
    Anti-Spam protection for all employees 99.40 or
    497,000 for a 5000 employee department.

11
Budget for Security Tools, High Impact Protection
Level
  • Needs to be determined by Department, but should
    include
  • PKI Management
  • Centralized AV Protection
  • Anti-Spam Protection
  • IDS
  • IPS/Mobile Code Security
  • ESM
  • Firewall with Centralized management, load
    balancing, high availability.
  • Network appliances for multiple port scanning,
    redundancy, complete network coverage.
  • Biometric authentication

12
Department Worksheet/Notes
  • Currently installed Firewall
  • Currently installed IDS
  • Currently installed IPS/Mobile Code Security
    tool
  • Currently installed Anti-Spam
  • Currently installed ESM

13
Department Worksheet/Notes
  • Currently installed PKI Tools
  • Currently installed Biometrics tools
  • Currently installed ESM
  • NIAP Compliance required/desired?
  • DITSCAP Compliance required/desired?
  • NIST/OMB A130 Guidelines incorporated?
  • Single contractor support desired?

14
Reference sites
  • NIAP Web Page: http://niap.nist.gov/
  • Policy and Guidance documents:
    http://mattche.iiie.disa.mil/policy.html
  • Common Criteria Web page:
    http://www.commoncriteria.org/
  • NIST Web Page: http://www.nist.gov/
  • NSA INFOSEC Security recommendations:
    http://www.nsa.gov/snac/index.html

15
Possible Solutions
  • StoneSoft StoneGate
  • Firewall with built in OS, clustering, VPN and
    redundant connections.
  • Single CD installation with configuration
    backed-up on disk.
  • Plug-and-play appliance available from
    TransDominion for tactical deployment
  • NIAP compliance EAL 4 Augmented

16
Possible Solutions (Cont'd)
  • Trend Micro AV
  • #1 ranked gateway AV.
  • Single scanning engine pattern file for
    enterprise suite.
  • Granular content filtering by group or user on
    Port 25, 80, 443.
  • NIAP compliance EAL 4

17
Possible Solutions (Cont'd)
  • Cisco Security Agent
  • Behavior-based malicious code protection, no
    signature files
  • Prevention of Day Zero attack
  • Monitor/enforce IAVA deployment/compliance
  • Malicious code filtering on Port 25, 80, 443
  • NIAP compliance EAL 3 in evaluation

18
Possible Solutions (Cont'd)
  • Brightmail
  • Anti-spam solution
  • Spam is next generation DDOS attack
  • Protection from infection due to worms
  • Filter on Port 25
  • NIAP compliance in process

19
Possible Solutions (Cont'd)
  • StoneSoft StoneBeat
  • Clustering and load-sharing solution for all
    mission critical functions
  • AV, Web Server Farm, etc.
  • High Availability / Failover built in

20
Possible Solutions (Cont'd)
  • Intellitactics NSM
  • Enterprise Security Management (ESM)
  • Log consolidation and event correlation
  • Security forensics
  • Single view of entire enterprise security threat
    situation
  • NIAP compliance EAL 2 in process

21
Notes
  • For assistance or questions please contact
    Government Technology Solutions (gvTechSolutions)
    at 1-800-326-5683 or info@gvTechSolutions.com