© Minder Chen, 1998-2005 Security Policies - 2
References
• Information Security Management Handbook, 4th edition, edited by Micki Krause and Harold F. Tipton.
• The SANS Security Policy Project: www.sans.org/newlook/resources/policies/policies.htm
• Sample Policies and Procedures: www.sans.org/newlook/resources/policies/Appdb.doc
© Minder Chen, 1998-2005 Security Policies - 3
Policy and Procedure
• A policy is typically a document that outlines specific requirements or rules that must be met.
• In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
• A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone.
– For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network.
– People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
• A guideline is typically a collection of system-specific or procedure-specific “suggestions” for best practice.
– They are not requirements to be met, but are strongly recommended.
• Effective security policies make frequent references to standards and guidelines that exist within an organization.
© Minder Chen, 1998-2005 Security Policies - 4
• Information Security Management Handbook, Fourth Edition, by Micki Krause (Editor), Harold F. Tipton (Editor)
• The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz
• CISSP All-in-One Exam Guide, by Shon Harris
© Minder Chen, 1998-2005 Security Policies - 5
• SANS Security Policy Project at http://www.sans.org/newlook/resources/policies/policies.htm
• Policy Primer at http://www.sans.org/newlook/resources/policies/Policy_Primer.pdf
• Sample Policies and Procedures at http://www.information-security-policies-and-standards.com/
• HIPAA FAQ at http://www.rx2000.org/KnowledgeCenter/hipaa/hipfaq.htm
© Minder Chen, 1998-2005 Security Policies - 7
Executive Order on Critical Infrastructure Protection
• Executive Order: Critical Infrastructure Protection in the Information Age
• By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, in the information age, it is hereby ordered as follows:
http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html
© Minder Chen, 1998-2005 Security Policies - 8
• Section 1. Policy.
• (a) The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of critical information infrastructures. The protection program authorized by this order shall consist of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Protection of these systems is essential to the telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services sectors.
© Minder Chen, 1998-2005 Security Policies - 9
Level 2 - Major Enterprises
• 2.1. Responsibility: Who in an enterprise should be responsible for IT security? How often should that person brief the CEO? What role should the Board of Directors play in oversight of IT security? Should the Board require an outside audit and, if so, how often and from whom?
• 2.2. Best Practices: Where should the CEO, Board and/or auditors obtain guidance on best practices or standards to use in IT security self-evaluations and IT security policy development?
• 2.3. Disclosure: What information about IT security should the corporation disclose to its stockholders, to its creditors, to its auditors, to its Board
• 2.4. Enterprise Wide IT Security Policy: Should enterprises be required by their Boards of Directors or Auditors to have a regularly updated policy statement on IT security practices? Should enterprises be required by Boards and Auditors to employ software to enforce their IT policy?
• 2.5. Awareness: Should enterprises require employee participation in regular IT security awareness training? Where should enterprises obtain assistance in developing such training?
http://www.sans.org/nationalstrategy.php#level2
© Minder Chen, 1998-2005 Security Policies - 10
Continued…
• 2.6. Insider Threats: How can a balance be struck between preventing insiders from damaging the enterprise by mis-using its IT systems, and respecting the legitimate privacy concerns of employees?
• 2.7. Partners and Supply Chain: What IT security risks does an enterprise run from its relationships with its partners and supply chain? How can those relationships enhance or degrade IT security?
• 2.8. Event Reporting: What IT security events should an enterprise report and to whom?
• 2.9. Threat and Vulnerability Information: How should an enterprise learn about and decide how to react to IT security threats and vulnerabilities? How can an enterprise evaluate the numerous software "patches" distributed to it by its IT vendors?
• 2.10. IT Vendors: To what extent should an enterprise "out source" its IT security functions? How can IT security vendors be evaluated? How can an enterprise act to improve the security of the IT products and services it procures?
• 2.11. Risk Management and Insurance: How can an enterprise evaluate the appropriate level of IT security spending or the return on investment in IT security? What role can insurance play in IT security for an enterprise?
© Minder Chen, 1998-2005 Security Policies - 11
Ten Immutable Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
2. If a bad guy can alter the OS on your computer, it’s not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
4. If you allow a bad guy to upload programs to your web site, it’s not your site anymore.
5. Weak passwords trump strong security.
6. A machine is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out of date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the web.
10. Technology is not a panacea.
© Minder Chen, 1998-2005 Security Policies - 12
Ten Immutable Laws of Security Administration
1. Nobody believes anything bad can happen to them, until it does.
2. Security only works if the secure way also happens to be the easy way.
3. If you don't keep up with security fixes, your network won't be yours for long.
4. It doesn't do much good to install security fixes on a computer that was never secured to begin with.
5. Eternal vigilance is the price of security.
6. There really is someone out there trying to guess your passwords.
7. The most secure network is a well-administered one.
8. The difficulty of defending a network is directly proportional to its complexity.
9. Security isn't about risk avoidance; it's about risk management.
10. Technology is not a panacea.
© Minder Chen, 1998-2005 Security Policies - 13
Security Services (OSI definition)
• Access control: Protects against unauthorized use
• Authentication: Provides assurance of someone's identity
• Confidentiality: Protects against disclosure to unauthorized identities
• Integrity: Protects from unauthorized data alteration
• Non-repudiation: Protects against originator of communications later denying it
Source: http://www.cs.auckland.ac.nz/~pgut001/tutorial/
© Minder Chen, 1998-2005 Security Policies - 14
Security Mechanisms
• Three basic building blocks are used:
– Encryption is used to provide confidentiality, can provide authentication and integrity protection
– Digital signatures are used to provide authentication, integrity protection, and non-repudiation
– Checksums/hash algorithms are used to provide integrity protection, can provide authentication
• One or more security mechanisms are combined to provide a security service
© Minder Chen, 1998-2005 Security Policies - 15
10 Domains of Computer Security
• Domain 1 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.
• Domain 2 addresses communications security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.
© Minder Chen, 1998-2005 Security Policies - 16
Continued…
• Domain 3 addresses risk management and business continuity planning. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.
• Domain 4 addresses policy, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.
© Minder Chen, 1998-2005 Security Policies - 17
Continued…
• Domain 5 addresses computer architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, while system security involves the mechanisms that are used to maintain the security of system programs. PC and LAN security issues, problems, and countermeasures are also in this domain.
• Domain 6 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.
© Minder Chen, 1998-2005 Security Policies - 18
Continued…
• Domain 7 addresses application program security. Application security involves the controls placed within the application program to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.
• Domain 8 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.
© Minder Chen, 1998-2005 Security Policies - 19
Continued…
• Domain 9 addresses (computer) operations security. Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included — notably, operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.
• Domain 10 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.
© Minder Chen, 1998-2005 Security Policies - 20
Vulnerabilities
• The Twenty Most Critical Internet Security Vulnerabilities (Updated): The Experts’ Consensus, Version 2.502, January 30, 2002. Copyright 2001-2002, The SANS Institute, at http://www.sans.org/top20.htm
• ICAT Top Ten List
• http://icat.nist.gov/icat.cfm?function=topten
© Minder Chen, 1998-2005 Security Policies - 21
The 20 Most Critical Internet Security Vulnerabilities
• G1 - Default installs of operating systems and applications
– G1.1 Description
– G1.2 Systems impacted
– G1.3 CVE entries
– G1.4 How to determine if you are vulnerable
– G1.5 How to protect against it
• G2 - Accounts with No Passwords or Weak Passwords
• G3 - Non-existent or Incomplete Backups
• G4 - Large number of open ports
• G5 - Not filtering packets for correct incoming and outgoing addresses
• G6 - Non-existent or incomplete logging
• G7 - Vulnerable CGI Programs
• Plus 6 Windows and 7 Unix Vulnerabilities
© Minder Chen, 1998-2005 Security Policies - 22
Log (Audit Trail)
• One of the maxims of security is, "Prevention is ideal, but detection is a must." As long as you allow traffic to flow between your network and the Internet, the opportunity for an attacker to sneak in and penetrate the network is there. New vulnerabilities are discovered every week, and there are very few ways to defend yourself against an attacker using a new vulnerability. Once you are attacked, without logs, you have little chance of discovering what the attackers did. Without that knowledge, your organization must choose between completely reloading the operating system from original media, and then hoping the data back-ups were OK, or taking the risk that you are running a system that a hacker still controls.
• You cannot detect an attack if you do not know what is occurring on your network. Logs provide the details of what is occurring, what systems are being attacked, and what systems have been compromised.
• Logging must be done on a regular basis on all key systems, and logs should be archived and backed up because you never know when you might need them. Most experts recommend sending all of your logs to a central log server that writes the data to a write once media, so that the attacker cannot overwrite the logs and avoid detection.
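Added example, not part of the original slides: a minimal hash-chained audit log in Python that lets a central log server prove its records have not been edited, deleted or reordered. The log lines are constructed, and the chain's tip hash stands in for the value you would record on write-once media at intervals, so that records cut from the end are caught as well.

```python
import hashlib

# Constructed sample log lines in a firewall/sshd style (not taken from any real system).
SAMPLE_EVENTS = [
    "2002-01-30T10:00:01 fw1 DENY tcp 10.0.0.5:4021 -> 192.0.2.10:23",
    "2002-01-30T10:00:07 fw1 DENY tcp 10.0.0.5:4022 -> 192.0.2.10:139",
    "2002-01-30T10:02:44 web1 sshd: Failed password for root from 10.0.0.5",
    "2002-01-30T10:03:12 web1 sshd: Accepted password for admin from 10.0.0.9",
]

GENESIS = "0" * 64  # the "previous hash" of the very first record


def chain_hash(prev_hash, event):
    """Hash of one record, bound to the hash of the record before it."""
    return hashlib.sha256((prev_hash + "\n" + event).encode("utf-8")).hexdigest()


def append_event(chain, event):
    """Append one event; the record stores its sequence number and the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "event": event, "prev": prev,
              "hash": chain_hash(prev, event)}
    chain.append(record)
    return record


def build_chain(events):
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def tip(chain):
    """The latest hash: record it out-of-band (write-once media, a printout) at intervals."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, expected_tip=None):
    """Return (ok, index). An edited, deleted or reordered record breaks the chain at
    `index`; with an expected tip, records cut from the end are reported at len(chain)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if (rec["seq"] != i or rec["prev"] != prev
                or rec["hash"] != chain_hash(prev, rec["event"])):
            return False, i
        prev = rec["hash"]
    if expected_tip is not None and prev != expected_tip:
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    saved_tip = tip(chain)
    # An intruder rewrites the failed-login line to hide the account that was targeted.
    chain[2]["event"] = chain[2]["event"].replace("root", "guest")
    print(verify_chain(chain, saved_tip))  # (False, 2)
```

The chain alone cannot tell a truncated log from a short one, which is exactly what the out-of-band tip (or the write-once medium the slide recommends) supplies.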
© Minder Chen, 1998-2005 Security Policies - 23
Ports That Are Commonly Probed and Attacked
• Blocking these ports is a minimum requirement for perimeter security, not a comprehensive firewall specification list.
• A far better rule is to block all unused ports. And even if you believe these ports are blocked, you should still actively monitor them to detect intrusion attempts.
• A warning is also in order: Blocking some of the ports in the following list may disable needed services.
• Please consider the potential effects of these recommendations before implementing them.
• Keep in mind that blocking these ports is not a substitute for a comprehensive security solution.
• Even if the ports are blocked, an attacker who has gained access to your network via other means (a dial-up modem, a Trojan e-mail attachment, or a person who is an organization insider, for example) can exploit these ports if not properly secured on every host system in your organization.
© Minder Chen, 1998-2005 Security Policies - 24
Ports
1. Login services -- telnet (23/tcp), SSH (22/tcp), FTP (21/tcp), NetBIOS (139/tcp), rlogin et al. (512/tcp through 514/tcp)
2. RPC and NFS -- Portmap/rpcbind (111/tcp and 111/udp), NFS (2049/tcp and 2049/udp), lockd (4045/tcp and 4045/udp)
3. NetBIOS in Windows NT -- 135 (tcp and udp), 137 (udp), 138 (udp), 139 (tcp). Windows 2000 -- earlier ports plus 445 (tcp and udp)
4. X Windows -- 6000/tcp through 6255/tcp
5. Naming services -- DNS (53/udp) to all machines which are not DNS servers, DNS zone transfers (53/tcp) except from external secondaries, LDAP (389/tcp and 389/udp)
6. Mail -- SMTP (25/tcp) to all machines which are not external mail relays, POP (109/tcp and 110/tcp), IMAP (143/tcp)
7. Web -- HTTP (80/tcp) and SSL (443/tcp) except to external Web servers; may also want to block common high-order HTTP port choices (8000/tcp, 8080/tcp, 8888/tcp, etc.)
8. …
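Added example, not from the slides: a small Python audit that parses `netstat -an`-style output and reports listening sockets that fall in the port groups listed above, marking those bound to every interface. The port groups encode the list as given; the sample output, addresses and the `audit`/`classify` helper names are constructed for this example.

```python
import re

# The slide's port groups as (protocol, low, high) ranges; a single port is (p, n, n).
PROBED_PORTS = {
    "login services": [("tcp", 23, 23), ("tcp", 22, 22), ("tcp", 21, 21),
                       ("tcp", 139, 139), ("tcp", 512, 514)],
    "RPC and NFS": [("tcp", 111, 111), ("udp", 111, 111), ("tcp", 2049, 2049),
                    ("udp", 2049, 2049), ("tcp", 4045, 4045), ("udp", 4045, 4045)],
    "NetBIOS (NT/2000)": [("tcp", 135, 135), ("udp", 135, 135), ("udp", 137, 137),
                          ("udp", 138, 138), ("tcp", 139, 139), ("tcp", 445, 445),
                          ("udp", 445, 445)],
    "X Windows": [("tcp", 6000, 6255)],
    "naming services": [("udp", 53, 53), ("tcp", 53, 53), ("tcp", 389, 389),
                        ("udp", 389, 389)],
    "mail": [("tcp", 25, 25), ("tcp", 109, 109), ("tcp", 110, 110), ("tcp", 143, 143)],
    "web": [("tcp", 80, 80), ("tcp", 443, 443), ("tcp", 8000, 8000),
            ("tcp", 8080, 8080), ("tcp", 8888, 8888)],
}

# Constructed sample in the shape of `netstat -an` on a Unix host (not real output).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.3:22             10.1.2.9:40112          ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def parse_listeners(netstat_text):
    """Yield (proto, bind_address, port) for sockets that accept traffic:
    TCP sockets in LISTEN state and every bound UDP socket."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue  # established or closing connections are not exposure
        yield proto, addr, int(port)


def classify(proto, port):
    """Names of the slide's port groups covering this protocol/port (may be several)."""
    return [group for group, ranges in PROBED_PORTS.items()
            if any(p == proto and lo <= port <= hi for p, lo, hi in ranges)]


def audit(netstat_text):
    """Findings for listeners on commonly probed ports; `exposed` marks a wildcard bind."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        groups = classify(proto, port)
        if not groups:
            continue
        findings.append({"proto": proto, "port": port, "bind": addr, "groups": groups,
                         "exposed": addr in ("0.0.0.0", "::", "*")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        flag = "EXPOSED" if f["exposed"] else "local  "
        print(f"{flag} {f['proto']}/{f['port']:<5} bound to {f['bind']:<10} "
              f"({', '.join(f['groups'])})")
```

Note that the protocol matters: 514/udp (syslog) in the sample is not flagged because the slide lists only 512-514/tcp, while 139/tcp is reported under two groups.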
© Minder Chen, 1998-2005 Security Policies - 25
• Top 50 Security Tools – http://www.insecure.org/tools.html
© Minder Chen, 1998-2005 Security Policies - 26
A Security Policy Framework
• Policies define appropriate behavior.
• Policies set the stage in terms of what tools and procedures are needed.
• Policies communicate a consensus.
• Policies provide a foundation for HR action in response to inappropriate behavior.
• Policies may help prosecute cases.
© Minder Chen, 1998-2005 Security Policies - 28
• An intrusion is somebody (A.K.A. "hacker" or "cracker") attempting to break into or misuse your system. The word "misuse" is broad, and can reflect something as severe as stealing confidential data or something as minor as misusing your email system for spam (though for many of us, that is a major issue!).
• An "Intrusion Detection System (IDS)" is a system for detecting such intrusions. IDS can be broken down into the following categories:
© Minder Chen, 1998-2005 Security Policies - 29
Risk Profiling Matrix

Risk Profile Matrix

Threats                                          Rating   Visibility                                Rating   Score
None identified as active; exposure is limited   1        Very low profile, no active publicity     1
Unknown state or multiple exposures              3        Middle of the pack, periodic publicity    3
Active threats, multiple exposures               5        Lightning rod, active publicity           5

Consequences                                                     Rating   Sensitivity                                                                 Rating   Score
No cost impact; well within planned budget; risk transferred     1        Accepted as cost of doing business; no organization issues                  1
Internal functions impacted; budget overrun; opportunity costs   3        Unacceptable Business Unit management impact; good will costs               3
External functions impacted; direct revenue hit                  5        Unacceptable Corporate Management impact; business relationships affected   5

Total Score:

Rating: Multiply Threat rating by Visibility rating, and Consequences rating by Sensitivity rating. Add the two values together:
* 2 - 10: Low Risk
* 11 - 29: Medium Risk
* 30 - 50: High Risk
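Added example, not from the slides: the matrix above as a Python function using the slide's 1/3/5 scale and score bands, plus a helper (`mitigation_options`, a name chosen here) that shows which single rating, lowered one step, would reduce the total most, which is the question a manager asks when deciding which control to fund first.

```python
RATINGS = (1, 3, 5)

# The four factors of the matrix and the wording the slide attaches to each rating.
FACTORS = {
    "threat": {1: "None identified as active; exposure is limited",
               3: "Unknown state or multiple exposures",
               5: "Active threats, multiple exposures"},
    "visibility": {1: "Very low profile, no active publicity",
                   3: "Middle of the pack, periodic publicity",
                   5: "Lightning rod, active publicity"},
    "consequences": {1: "No cost impact; well within planned budget; risk transferred",
                     3: "Internal functions impacted; budget overrun; opportunity costs",
                     5: "External functions impacted; direct revenue hit"},
    "sensitivity": {1: "Accepted as cost of doing business; no organization issues",
                    3: "Unacceptable Business Unit management impact; good will costs",
                    5: "Unacceptable Corporate Management impact; business relationships affected"},
}


def risk_rating(total):
    """Map a total score onto the slide's bands."""
    if 2 <= total <= 10:
        return "Low Risk"
    if 11 <= total <= 29:
        return "Medium Risk"
    if 30 <= total <= 50:
        return "High Risk"
    raise ValueError(f"total {total} is outside the 2-50 range of the matrix")


def risk_profile(threat, visibility, consequences, sensitivity):
    """Threat x Visibility + Consequences x Sensitivity, each rating in {1, 3, 5}."""
    for name, value in zip(FACTORS, (threat, visibility, consequences, sensitivity)):
        if value not in RATINGS:
            raise ValueError(f"{name} rating must be one of {RATINGS}, got {value!r}")
    exposure = threat * visibility
    impact = consequences * sensitivity
    total = exposure + impact
    return {"threat_x_visibility": exposure, "consequences_x_sensitivity": impact,
            "total": total, "rating": risk_rating(total)}


def mitigation_options(threat, visibility, consequences, sensitivity):
    """For each factor that can still be lowered one step, the profile that would result,
    best reduction first. Because the factors multiply in pairs and a step is 2 points,
    lowering a factor cuts the total by twice its partner's rating."""
    current = {"threat": threat, "visibility": visibility,
               "consequences": consequences, "sensitivity": sensitivity}
    options = []
    for name, value in current.items():
        if value == 1:
            continue  # already at the floor of the scale
        lowered = dict(current, **{name: RATINGS[RATINGS.index(value) - 1]})
        profile = risk_profile(**lowered)
        options.append({"factor": name, "new_rating": lowered[name],
                        "total": profile["total"], "rating": profile["rating"]})
    options.sort(key=lambda o: (o["total"], o["factor"]))
    return options


if __name__ == "__main__":
    print(risk_profile(5, 3, 1, 1))          # total 16, Medium Risk
    for option in mitigation_options(5, 3, 1, 1):
        print(option)                         # visibility -> 1 gives 6; threat -> 3 gives 10
```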
© Minder Chen, 1998-2005 Security Policies - 30
Stay Secure
• Identify the risks
• Put attacks in perspective
• Store information securely
• Perform reliable and secure backups
• Transfer information securely across hostile networks
• Understand Public Key Infrastructure (PKI) and its limitations
• Protect against network threats
• Set up firewalls
• Deal with denial of service attacks
• Understand online commerce and privacy
© Minder Chen, 1998-2005 Security Policies - 31
Importance of Security Policies
• Security policies are an absolute must for any organization.
• They provide the virtual glue to hold it all together.
• Policies lay the ground-work.
• Imagine a small city that did not have any rules. What would life be like? The same applies to your organization.
© Minder Chen, 1998-2005 Security Policies - 32
Who and What to Trust
• Trust is a major principle underlying the development of security policies.
• Initial step is to determine who gets access.
• Deciding on level of trust is a delicate balancing act.
• Too much trust may lead to eventual security problems.
• Too little trust may make it difficult to find and keep employees or get jobs done.
• How much should you trust people regarding their access or usage of computer and network resources?
© Minder Chen, 1998-2005 Security Policies - 33
Possible Trust Models
• Trust everyone all of the time:
– easiest to enforce, but impractical
– one bad apple can ruin the whole barrel
• Trust no one at any time:
– most restrictive, but also impractical
– difficult to staff positions
• Trust some people some of the time:
– exercise caution in amount of trust given
– access is given out as needed
– technical controls are needed to ensure trust is not violated
© Minder Chen, 1998-2005 Security Policies - 34
Why the Political Turmoil?
• People view policies as:
– an impediment to productivity
– measures to control behavior
• People have different views about the need for security controls.
• People fear policies will be difficult to follow and implement.
• Policies affect everyone within the organization.
© Minder Chen, 1998-2005 Security Policies - 35
Who Should Be Concerned?
• Users - policies will affect them the most.
• System support personnel - they will be required to implement, comply with and support the policies.
• Managers - they are concerned about protection of data and the associated cost of the policy.
• Company lawyers and auditors - they are concerned about company reputation, responsibility to clients/customers.
© Minder Chen, 1998-2005 Security Policies - 36
The Policy Design Process
• Choose the policy development team.
• Designate a person or a group to serve as the official policy interpreter.
• Decide on the scope and goals of the policy.
– Scope should be a statement about who is covered by the policy.
• Decide on how specific to make the policy:
– not meant to be a detailed implementation plan
– don’t include facts which change frequently
© Minder Chen, 1998-2005 Security Policies - 37
The Policy Design Process
• A sample of people affected by the policy should be provided an opportunity to review and comment.
• A sampling of the support staff affected by the policy should have an opportunity to review it.
• Incorporate policy awareness as a part of employee orientation.
• Provide a refresher overview course on policies once or twice a year.
© Minder Chen, 1998-2005 Security Policies - 38
Basic Policy Requirements
• Policies must:
– be implementable and enforceable
– be concise and easy to understand
– balance protection with productivity
• Policies should:
– state reasons why policy is needed
– describe what is covered by the policies
– define contacts and responsibilities
– discuss how violations will be handled
© Minder Chen, 1998-2005 Security Policies - 39
Level of Control
• Security needs and culture play a major role.
• Security policies MUST balance level of control with level of productivity.
• If policies are too restrictive, people will find ways to circumvent controls.
• Technical controls are not always possible.
• You must have management commitment on the level of control.
© Minder Chen, 1998-2005 Security Policies - 40
Policy Structure
• Dependent on company size and goals.
• One large document or several small ones?
– smaller documents are easier to maintain/update
• Some policies appropriate for every site, others are specific to certain environments.
• Some key policies:
– acceptable use
– remote access
– information protection
– perimeter security
– baseline host/device security
© Minder Chen, 1998-2005 Security Policies - 41
The Acceptable Use Policy
• Discusses and defines the appropriate use of the computing resources.
• Users should be required to read and sign an account usage policy as part of the account request process.
• A key policy that all sites should have.
© Minder Chen, 1998-2005 Security Policies - 42
Some Elements
• Should state responsibility of users in terms of protecting information stored on their accounts.
• Should state if users can read and copy files that are not their own, but are accessible to them.
• Should state level of acceptable usage for electronic mail, internet news and web access.
• Should discuss acceptable non-business uses of the resources.
© Minder Chen, 1998-2005 Security Policies - 43
Remote Access Policy
• Outlines and defines acceptable methods of remotely connecting to the internal network.
• Essential in large organizations where networks are geographically dispersed and even extend into the homes.
• Should cover all available methods to remotely access internal resources:
– dial-in (SLIP, PPP)
– ISDN/frame relay
– telnet/ssh access from internet
– cable modem/VPN/DSL
© Minder Chen, 1998-2005 Security Policies - 44
Some Elements
• Should define who can have remote access.
• Should define what methods are allowed for remote access.
• Should discuss who is allowed to have high speed remote access such as ISDN, frame relay or cable modem:
– extra requirements
– appropriate use
• Should discuss any restrictions on data that can be accessed remotely.
© Minder Chen, 1998-2005 Security Policies - 45
Information Protection Policy
• Provides guidelines to users on the processing, storage and transmission of sensitive information.
• Main goal is to ensure information is appropriately protected from modification or disclosure.
• May be appropriate to have new employees sign policy as part of their initial orientation.
• Should define sensitivity levels of information.
© Minder Chen, 1998-2005 Security Policies - 46
Some Elements
• Should define who can have access to sensitive information:
– "need-to-know"
– special circumstances
– non-disclosure agreements
• Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc).
• Should define on which systems sensitive information can be stored.
© Minder Chen, 1998-2005 Security Policies - 47
Some Elements
• Should discuss what levels of sensitive information can be printed on physically insecure printers.
• Should define how sensitive information is removed from systems and storage devices:
– degaussing of storage media
– scrubbing of hard drives
– shredding of hardcopy output
• Should discuss any default file and directory permissions defined in system-wide configuration files.
© Minder Chen, 1998-2005 Security Policies - 48
The Perimeter Security Policy
• Describes, in general, how perimeter security is maintained.
• Describes who is responsible for maintaining it.
• Describes how hardware and software changes to perimeter security devices are managed and how changes are requested and approved.
© Minder Chen, 1998-2005 Security Policies - 49
Some Elements
• Should discuss who can obtain privileged access to perimeter security systems.
• Should discuss the procedure to request a perimeter device configuration change and how the request is approved.
• Should discuss who is allowed to obtain information regarding the perimeter configuration and access lists.
• Should discuss review cycles for perimeter device system configurations.
© Minder Chen, 1998-2005 Security Policies - 50
Virus Protection and Prevention Policy
• Provides baseline requirements for the use of virus protection software.
• Provides guidelines for reporting and containing virus infections.
• Provides guidelines for several levels of virus risk.
• Should discuss requirements for scanning email attachments.
• Should discuss policy for the download and installation of public domain software.
© Minder Chen, 1998-2005 Security Policies - 51
Virus Protection and Prevention Policy
• Should discuss frequency of virus data file updates.
• Should discuss testing procedures for installation of new software.
© Minder Chen, 1998-2005 Security Policies - 52
Password Policy
• Provides guidelines for how user level and system level passwords are managed and changed.
• Discusses password construction rules.
• Provides guidelines for how passwords are protected from disclosure.
• Discusses application development guidelines for when passwords are needed.
• Discusses the use of SNMP community strings and pass-phrases.
© Minder Chen, 1998-2005 Security Policies - 53
Other Important Policies
• A policy which addresses forwarding of email to offsite addresses.
• A policy which addresses wireless networks.
• A policy which addresses baseline lab security standards.
• A policy which addresses baseline router configuration parameters.
• A policy which addresses requirements for installing devices on a dirty network.
© Minder Chen, 1998-2005 Security Policies - 54
Security Procedures
• Policies only define "what" is to be protected.
• Procedures define "how" to protect resources and are the mechanisms to enforce policy.
• Procedures define detailed actions to take for specific incidents.
• Procedures provide a quick reference in times of crisis.
• Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).
© Minder Chen, 1998-2005 Security Policies - 55
Configuration Management Procedure
• Defines how new hardware/software is tested and installed.
• Defines how hardware/software changes are documented.
• Defines who must be informed when hardware and software changes occur.
• Defines who has authority to make hardware and software configuration changes.
© Minder Chen, 1998-2005 Security Policies - 56
Defense in Depth security model
• A key component of this model is that the loss or failure of a single component does not compromise the entire information infrastructure.
• Critical systems should be fault tolerant and have hot-standbys available. There should also be strong configuration management controls.
• Good configuration management practices will limit system changes that may trigger false alerts or failures.
• Each system needs established baseline standards. Documentation of initial configurations should be supplemented by a system that details all patches, updates and other modifications made to each machine.
© Minder Chen, 1998-2005 Security Policies - 57
http://www.networkcomputing.com/1214/1214ws1.html
DMZ has evolved, however, to mean an isolated network segment for providing services to untrusted systems. Today the term is most often used by IT professionals to refer to a network segment between two firewalls (see "sandwich DMZ"), or a "dead-end" or "wing" network connected to a firewall (see "Single-Firewall DMZ"). Other common names for a DMZ are services network and atrium.
© Minder Chen, 1998-2005 Security Policies - 58
Solution for Systems Architecture: Internet Data Center
© Minder Chen, 1998-2005 Security Policies - 59
http://img.cmpnet.com/nc/815/graphics/hotspots.pdf
© Minder Chen, 1998-2005 Security Policies - 60
Data Backup and Off-site Storage Procedures
• Defines which file systems are backed up.
• Defines how often backups are performed.
• Defines how often storage media is rotated.
• Defines how often backups are stored off-site.
• Defines how storage media is labeled and documented.
© Minder Chen, 1998-2005 Security Policies - 61
Incident Handling Procedure
• Defines how to handle anomaly investigation and intruder attacks.
• Defines areas of responsibilities for members of the response team.
• Defines what information to record and track.
• Defines who to notify and when.
• Defines who can release information and the procedure for releasing the information.
• Defines how a follow-up analysis should be performed and who will participate.
© Minder Chen, 1998-2005 Security Policies - 62
Policy Resources
• RFC2196 - The site security procedures handbook at http://www.ietf.org/rfc/rfc2196.txt?Number=2196
• Some useful web sites:
– www.gatech.edu/itis/policy/usage/contents.html
– csrc.nist.gov/isptg/
© Minder Chen, 1998-2005 Security Policies - 63
Recap
• Policies are a crucial part of the infrastructure.
• Trust is frequently an issue.
• Key policies:
– acceptable use policy
– remote access policy
– information protection policy
– perimeter security management policy
• Key procedures:
– CM (configuration management) procedure
– incident handling procedure
Policy, Standard, and Guideline
• A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area.
– For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
• A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone.
– For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
• A guideline is typically a collection of system-specific or procedure-specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended.
• Effective security policies make frequent references to standards and guidelines that exist within an organization.
Security Is an Industry Problem
“The conclusion here is that there is obviously a comparable number of security problems with the various flavors of Linux, as well as Sun’s Solaris, as there are with Windows NT 4.0 and Windows 2000.”
John McCormick, TechRepublic, Inc., September 24, 2001, based on data provided by Security Focus Bugtraq
[Bar chart: number of incidents per platform for RedHat Linux 7.0, Sun Solaris 8.0, Windows 2000, SCO Open Server 5.0.6 and MandrakeSoft Linux 7.2; values as extracted: 28, 24, 24, 21, 33]
People, Process, Product Challenges
• Product
– Products lack security features
– Products have bugs
– Many issues are not addressed by technical standards
– Too hard to stay in the know and up-to-date
• Process
– Designing for security
– Roles & responsibilities
– Auditing, tracking, follow-up
– Calamity plans
– Staying up-to-date with security development
• People
– Lack of knowledge
– Lack of commitment
– Human error
Why Is It Hard to Get Secure? Customers Need Our Help
• I didn’t know which patches I needed
• I didn’t know where to find the updates
• I didn’t know which machines needed the update
• We updated our production servers, but the 4,000 rogue servers got infected
More than 50% of the customers affected by Code Red were not patched in time for Nimda.
The product update failed because the people and process weren’t there to implement the fix.
STPP: “Get Secure”
• Free Virus Support Hotline (now): 1-866-PCSAFETY (1-866-727-2338)
• Security Assessment Program Offering (now): available immediately through MCS/PSS
• Microsoft Security Toolkit (now)
– Server-oriented security resources for server admins
– New server security tools and updates, Windows Update bootstrap client for Windows 2000
• Enterprise Security Tools (December RTM)
– Server security configuration scanner
– SMS security patch rollout tool
– Windows Update Auto-update client (Group Policy-enabled)
STPP: “Stay Secure”
• Windows 2000 Security Rollup Patches (December 2001)
– Bundle all security fixes in single patches
– Reduces reboots and administrator burden
• Windows 2000 Service Pack 3 (SP3) (February 2002)
– Provide the ability to install SP3 + security rollup with a single reboot
• Federated Corporate Windows Update Program (February 2002)
– Allows an enterprise to host and select Windows Update content
• Enhanced Product Security (ongoing)
– Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family
Microsoft Security Toolkit
• Gets Windows NT and 2000 systems to a secure baseline, even in disconnected nets
• Automates server updates
– One-button wizard and SMS scripts
• Updates and patches
– Includes all Service Packs and critical OS and IIS patches through 10/15
• Tools
– HFNetChk
– IIS Lockdown
– URLScan
– SMS install scripts
– Windows Update client for Windows 2000
Security Response Process
[Flow diagram; recoverable steps and channels:]
• Vulnerability reports arrive via secure@microsoft.com, mailing lists (NTBugTraq, BugTraq, etc.), Microsoft Technical Support and security web sites
• Triage (approximately 90% of reports culled) → Repro → Develop Patch/Workaround → Test → Develop Documentation (Knowledge Base, Premier Customer Alert, Security Bulletin) → Distribute fix and information (Product Security Notification Service, mailing lists, www.microsoft.com/security site)
• Work is split between the Security Team and Product Team swimlanes, and the findings feed back into Development Practices
The Challenge of Security
• Provide services… Web access, e-mail, file access, messaging
• …while protecting your assets: financial data, CPU cycles, network resources, intellectual property, customer information
The right access to the right content by the right people
Internet-enabled businesses face challenges ensuring their technologies for computing and information assets are secure, fast and easy to interact with.
Life Was Much Simpler Back Then…
• Mainframe
– Terminal access
– “Glass house”
– Physical security, limited connectivity
Life Was Much Simpler Back Then…
• Client-Server
– LAN connectivity
– File/print services
– Limited external access
Life Became Complex After the Internet
Then the world became complex and difficult…
• The Internet
– “Always on”
– E-mail, instant messaging
– The Web
Business Impact: Security Breaches Have Real Costs
• According to the Computer Crime and Security Survey 2001, by the Computer Security Institute (CSI) and the FBI:
– Quantified financial losses of at least $377M, or $2M per survey respondent
– 40% detected system penetration from the outside; up from 25% in 2000
– 94% detected computer viruses; 85% detected them in 2000
• InformationWeek estimates:
– Security breaches cost businesses $1.4 trillion worldwide this year
– 2/3 of companies have experienced viruses, worms, or Trojan horses
– 15% have experienced Denial of Service attacks
Sources: Computer Security Institute (CSI) Computer Crime and Security Survey 2001; InformationWeek.com, 10/15/01
High Profile Security Threats: Common Methods of Cyber-Crimes
• Hostile code
– Viruses
– Worms
– Trojan horses
• Denial of Service
• Web page defacement
• Eavesdropping, interception
• Identity theft
Recent Threats: Nimda, Code Red
• Nimda: spread by browsing an infected site or opening an infected e-mail message
• Code Red: infected Web servers and granted administrative access
• Others: Denial of Service, defacement
• Some survived Nimda and Code Red:
– Organizations that were up to date on patches and security fixes stayed secure
– Organizations which “locked down” their systems withstood threats
Security Framework
• Process: planning for security, prevention, detection, reaction
• Technology: baseline technology; standards, encryption, protection; product security features; security tools and products
• People: dedicated staff; training; security as a mindset and a priority; external people
Security in a Complex World
• Security requires a framework composed of:
– Process (procedures, guidelines)
– Technology (hardware, software, networks)
– People (culture, knowledge)
• Security will fail if only focusing on part of the problem
• Technology is neither the whole problem nor the whole solution
Security Process Guidance
• Based on British Standard 7799, included in the Internet Data Center guide, a 4-phase process:
• Assess
– Define security requirements
– Perform analysis of current and desired states
• Design
– Develop security solution
– Utilize Defense in Depth framework
• Deploy
– Test and implement
– Define and document policies, standards, procedures
• Manage
– Operational management
– Review and reassess on a regular basis
Internet Data Center Guide – Security
• Examples of topics included in the Internet Data Center guide:
– Defense in Depth strategy
– Common hacker methods and prevention
– Best practices for securing IIS
– Windows 2000 Active Directory design and security policies
– Best practices for application security
– Authentication
Defense in Depth
• Industry-wide security design methodology of layering defenses:
– Perimeter defenses
– Network defenses
– Host defenses
– Application defenses
– Data and resources
• Provides a method and framework for designing security into infrastructure
• Prescriptive guidance and detail included in the Microsoft Internet Data Center design guide
Deploying Secure Infrastructure
• Windows security features: authentication, ACLs, Active Directory
• ISA Server: enterprise-class firewall, application-level filtering
• .NET Enterprise Server integration with Windows security
Security Tools
• In addition to product features, Microsoft has provided security-specific tools:
• IIS (one button) Lockdown Tool
– Configures the server to be immune to many attacks
– Disables unneeded services
– Restricts access to system commands
• HFNetChk
– Administrator server scanning tool to ascertain patch status across servers
• URLScan tool
– ISAPI filter to run on the server
– Blocks URLs that “look like” attacks
– Can be configured to match the server configuration
• Microsoft Personal Security Advisor
– Ascertains patch status of an individual workstation
Security Depends on People
• Security must be a conscious priority
• From Information Security Magazine, July 1999, "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"
[Pie chart: budget constraints is the largest slice; other responses: lack of senior management support, lack of employee training / end-user awareness, lack of competent infosecurity personnel, lack of internal policies, lack of centralized authority, technical complexity, unclear responsibilities, lack of good security products, other. Percentages as extracted (pairing not recoverable): 29%, 14%, 10%, 9%, 9%, 8%, 8%, 6%, 4%, 3%]
Product-Level Technology
• Windows: Active Directory, authentication, secure protocol support
• ISA Server: enterprise firewall and application filtering
• .NET Enterprise Servers: integration with Windows security features: authentication, secure protocol support
HIPAA
• HIPAA stands for Health Insurance Portability and Accountability Act.
• Passed in 1996, HIPAA is designed to protect confidential healthcare information through improved security standards and federal privacy legislation.
– It defines requirements for storing patient information before, during and after electronic transmission.
– It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trail, disaster recovery plans, information access control, and encryption.
– These security standards for information access control and encryption may have the most significant impact on how the industry conducts its business.
Complying with Security Standards
• There are more than sixty-eight information security conditions in three areas that must be met to ensure compliance with HIPAA. These areas are:
– Technical Security Services: user authorization and authentication, access control and encryption
– Administrative Procedures: formal security planning, record maintenance and audits
– Physical Safeguards: security of the building, privacy for offices and workstations that handle patient information
Elements Covered by Security Policies
• access controls – usually descriptions of logon warning screens on a computer and access lists for dedicated computer rooms, non-disclosure agreements.
• system backups – by whom, how often and where stored (offsite is best).
• incident handling – what should be reported, to whom, what will be the response, by whom.
• virus protection – mandatory installation of, how often updated (automatic or manual), virus incident handling.
• unauthorized access – who is allowed to access the company's computer assets and LAN.
• monitoring – stating who will monitor the network for internal and external intrusions, and users for violations of security policies, who has access to intrusion detection devices, who will review and/or disseminate the logs.
• encryption – what is the company standard encryption methodology, when will encryption be used and by whom.
• digital signatures – what is the company standard, when will digital signatures be used and by whom.
Continued…
• web presence – what is and is not allowed to be placed on a public web server and who is allowed to publish.
• disposing of resources – how to, by whom.
• passwords – duration, number of and what type of characters, who must use passwords, for what and when, how to create. (UNI-C)
• use of personal resources within the company – allowed or not allowed, if so, under what conditions.
• inspections and reviews – of what resources, how often, conducted by whom.
• entertainment software, games, etc. – allowed or not allowed, if allowed, when they can be used.
• removable media – CDs, floppy disks, for personal or company use and usage marked.
• freeware or shareware – authorized or not, if authorized, under what conditions. Excellent definitions of both shareware and freeware can be found on the Internet (CFS).
• software copyrights – software copyright laws are very stringent (SIIA); who will be liable if a copyright is violated, who is responsible for ensuring copyrights are not violated.
Continued…
• personnel/physical security – what happens if a system containing sensitive information is moved out from behind a locked door.
• vendor responsibilities – what rules will a vendor follow when using a company IS asset or when using its own assets on company premises.
• public disclosure – who can release information to the public and under what restrictions; also non-disclosure agreements for employees as well as vendors.
• computer room facilities/areas – IS Security personnel should be involved in the design stage of new computer room facilities in order to ensure safeguards to protect company IS assets.
• system configuration change – changes that alter the security profile (risk) of a company IS asset should not be instituted without consulting IS Security personnel first.
Continued…
• audit of IS Security compliance – who will audit for compliance (the Audit Department), how will the audit be conducted. An excellent source for auditing criteria is the Information Systems Audit and Control Association (ISACA™). They publish several auditing guidelines, some free for downloading.
• security awareness and training – mandates an IS Security awareness training program, indicates who should attend this training, how often training will be conducted and what will be included in the training.
• inventory of IS assets – who should keep an inventory of all the company's IS assets, who should have access to that inventory, is it available to the risk management/audit teams.
• documentation – to support risk management, what support documentation should be maintained, by whom and how (electronically, etc.), i.e. risk assessment, countermeasures, test results documentation, standard operating procedures (SOPs), disaster recovery/contingency plans.
Business Mission is Critical
[Diagram: technology disruption leads to lost constituency data, decision capability, productivity and credibility, and to poor service]
Today, information is the axis on which your agency revolves. When information is unavailable to an organization, it is at risk of losing its competitive edge.
Source: Availability and Continuity of Operations for Web Infrastructures, Bob Barr, Director, Government Marketing, Dell Computer Corporation, February 6, 2002
Drivers for Continuity Services
• Seventy-two percent (72%) of companies do not have a business continuity plan.
• Fifty percent (50%) of companies who experience a major disruption are no longer in business 1 to 2 years later.
• Business interruptions cost billions of dollars in lost revenue and penalties. System outages and downtime have an especially large effect on e-businesses:
– For example, eBay lost 28% of its market capitalization following a 22-hour outage, a decrease of over $3B.
– Forrester Research estimates that Amazon.com would lose $4.5M in revenue in 24 hours of downtime. Yahoo would lose $1.6M for 3 hours; companies as large as Intel and Cisco would lose $35M, $33M, and $30M in 24 hours, respectively.
• Most downtime is not attributable to a “disaster”:
– 40 percent of downtime is caused by application failures (e.g., performance issues or "bugs")
– 40 percent by operator error or lack of procedures
– 20 percent by system or environmental failures
– Overall, less than 5 percent of application downtime is attributable to disasters.
Downtime - Planned & Unplanned
[Chart: percent uptime (70-100%) over days 1-15 against the 100% uptime goal]
• Lost time factors
– Planned: maintenance, backup, upgrades, transitions
– Unplanned: human error; fire, catastrophe; equipment failure
The Cost of Downtime
Information inaccessibility causes inefficiencies that translate into lost dollars.

Industry         Business Function        Cost Range per Hour       Average Cost per Hour of Downtime
Financial        Brokerage Operations     $5.6 – 7.3 Million        $6.45 Million
Financial        Credit Card Sales        $2.2 – 3.1 Million        $2.6 Million
Financial        ATM Fees                 $12,000 – 17,000          $14,500
Media            Pay-Per-View             $67,000 – 233,000         $150,000
Media            Tele-Ticket Sales        $56,000 – 82,000          $69,000
Retail           Home Shopping (TV)       $87,000 – 140,000         $113,000
Retail           Home Catalog Sales       $60,000 – 120,000         $90,000
Transportation   Airline Reservations     $67,000 – 112,000         $89,500
Transportation   Package Shipping         $24,000 – 32,000          $28,000
The Causes of Downtime
When a failure occurs, it makes an impact. Whether or not downtime is the result depends on how well information is protected.

Cause of Failure                 Examples                                                          Impacts
Software defects/failures        Driver hangs, OS hangs/reboots, virus, file corruption            Platform, data, applications
Planned administrative downtime  Upgrade components, firmware, drivers, O/S, software              Platform, data, applications
Operator error                   Accidental file deletion, unskilled operation, guessing           Platform, data, applications
System outage/maintenance        Software/systems requiring reboot, system board failure           Applications
Component failure                Bad memory chip, fan, power, HDD, data path, controller           Platform, data
Building/site disaster           Fire, storms, collapse, explosion, and other localized disasters  Site
Metropolitan disaster            Earthquake, hurricanes, floods, other regional natural catastrophes  Site
Foundations for Business Continuity
Business Continuity means…
• Highly Available Systems: maintaining the availability of systems critical to ongoing agency operations during a system failure or service outage
• Disaster Recovery Systems: recovering from unplanned, catastrophic events or disasters in an orderly, timely, appropriate manner based on the risk, costs and importance of the business system
• Security: protecting people, processes and technology from threats in order to avoid a disruption of normal business operations
• Continuing with your business: a Business Continuance Plan that spans technology, processes and people
Traditional Definitions of Availability
[Chart: average system price ($10K, $100K, $1M, $10M) against system availability (99.0%, 99.9%, 99.99%, 99.999%) and downtime hours per system per year (100, 10, 1, 0.1)]
• Commercial Availability
• High Availability: redundant system components, RAID for data
• Fault Resilient: multiple machines with recovery mechanisms, 24x7 proactive & reactive support
• Fault Tolerant: redundant architectures, specialized logic and components
• Continuous Processing: utmost reliability, data integrity and security built in, 24x7 systems monitoring, business continuity services
As systems approach 100% uptime, costs begin to skyrocket, demonstrating diminishing returns on your investment.
While continuous business operation is often desired, solutions guaranteeing zero downtime are often cost-prohibitive, especially after weighing all risks of failure and determining what kind of downtime is acceptable for your needs.
Reality Check on Availability
• The goal of availability planning is to balance cost, complexity, and flexibility in delivering the desired fault tolerance/recovery solution
• The majority of agency requirements are not at the highest levels of availability
• Assessment typically shows varying levels of availability requirements within an agency's IT infrastructure
• Implementing and guaranteeing higher-end/multiple-9s availability
– is usually cost prohibitive to agencies
– is unrealistic in the majority of environments due to the complexity of implementation
– can be marred/ruined by simple human error or delay
The Continuity Continuum
Increasing cost, functionality and complexity, from platform to site:
• Platform – In the Box: High Availability Server Systems (hot-swappable, redundant components with mission-critical support); Rapid Equipment Replacement (vendor services and financing programs)
• Data – Beyond the Box: SAN, NAS & DAS (continuous data access); Backup and Restore (real-time tape backup, off-site storage)
• Application – System Interaction: Redundant Systems/Load Balancing (server, storage, network availability); Clustering/Application Failover (continuous application access)
• Site – Beyond the Building: Site/Datacenter Failover (re-route data to replication/mirrored sites); Commercial Recovery Sites (resuming in hot, cold, mobile or host facilities)
Maintaining the availability of systems critical to ongoing government operations during a system failure or service outage. Recovering from unplanned, catastrophic events or disasters in an orderly, timely, appropriate manner based on the risk, costs and importance of the business system.
Building Blocks of High Availability
Availability scales through the continuum, addressing the causes of downtime and recovery at each level (increasing cost, functionality and complexity):
• Platform – In the Box (redundancy level: components): hot plug devices, hot plug adapters, ECC memory, remote management, UPS, redundant devices, enhanced support
• Data – Beyond the Box (redundancy level: data): redundant data paths, redundant controllers, storage area networks, network attached storage, online tape backup, database replication, online volume expansion, snapshot copy, server-based RAID, external SCSI enclosure, external fibre enclosures, enhanced support
• Application – System Interaction (redundancy level: system): HA clustering, redundant networks, application failover/restart, data switchover, database recovery, application checking, network load balancing, O/S advancements, security/virus integration, application monitoring, planned online upgrades, consulting services, optional HA guarantee, remote monitoring, enhanced/premium support
• Site – Beyond the Building (redundancy level: infrastructure): custom solution, site replication, mirroring, stretch clustering, WAN load balancing, multi-tier infrastructure, phone-home systems, site planning, design & implementation, change management, optional HA guarantee or service level agreement, remote monitoring, storage service provider, on-site engineers/parts, premium support, disaster recovery for off-site back-ups
Building Blocks of Disaster Recovery
Disaster Recovery scales through the continuum, to address recovery time objectives (RTO) for each level of failure (increasing cost, functionality and complexity):
• Platform – In the Box (failure level: hardware): system diagnostics, online serviceability, reboot on failure, remote management, spare parts inventory, vendor rapid ship & deploy, lease/financing programs, enhanced support
• Data – Beyond the Box (failure level: data): RAID, hot plug drives, tape backup, database replication, roll back/roll forward, snapshot copy, storage mirroring
• Application – System Interaction (failure level: system): application service provider, application failover/restart, data switchover, database recovery, security/virus integration, application monitoring, consulting services
• Site – Beyond the Building (failure level: infrastructure): site planning, design & implementation, site replication, hot site service, cold site service, mobile site service, disaster recovery for off-site back-ups, off-site data storage, electronic vaulting, consulting services
Small Organization Continuity Scenario
[Diagram: business continuity plan for a small organization; connections shown: network/communications, SCSI, power]
• Servers (file/print, messaging/e-mail, database, web serving, applications): rack form factor, redundant power supplies, fans and NICs, hot-swap drives and components, internal disks RAID 5; backup agent installed
• Network Attached Storage (NAS): attaches directly to the network, expandable up to 7.44 TB capacity, hot-swap drives and components, internal SCSI disks RAID 0, 1, 5; expansion enclosures
• Tape backup: tape autoloader, 300-500 GB capacity, 8-36 GB/hour
• UPS: 500-2000 VA and 1000-3000 VA units
• WAN: fractional T1 or T3 (ADSL backup)
• Clients: mobile and workstation users
Mid-Sized Organization Continuity Scenario
[Diagram: business continuity plan for a mid-sized organization; connections shown: network/communications, Fibre Channel, power]
• Production servers (file/print, messaging/e-mail, database, web serving, applications): rack-dense form factor, redundant power supplies, fans and NICs, hot-swap drives and components, internal disks RAID 0/5; backup agent installed
• Redundant servers (active-passive or active-active): automatic application failover transparent to end users; planned maintenance & upgrades
• Network Attached Storage or Storage Area Network: attaches directly to the network, expandable up to 7.3 TB capacity, hot-swap drives and components, internal Fibre Channel disks RAID 5, 1, 0; expansion enclosures
• Tape backup mini-library: tape autoloader, 4 TB capacity, 80-216 GB/hour
• UPS: 1000-3000 VA units
• WAN: T1 or T3 (SDSL or fractional T1 backup)
• Clients: mobile and workstation users
Large Organization Continuity Scenario
[Diagram: business continuity plan for a large organization; connections shown: network/communications, Fibre Channel, power]
• Production servers (file/print, messaging/e-mail, database, web serving, applications): rack-dense form factor, redundant power supplies, fans and NICs, hot-swap drives and components, internal disks RAID 0/5; backup agent installed
• Redundant servers (active-passive or active-active): automatic application failover transparent to end users; planned maintenance & upgrades
• Storage Area Network (SAN): fully redundant storage for 64 servers, expandable up to 8.7 TB capacity, hot-swap drives and components, internal disks RAID 5; expansion enclosures
• Tape backup library: tape autoloader, 14.4 TB capacity, 216-650 GB/hour
• UPS: 1000-5000 VA and 5000-16,000 VA units
• WAN: T1 or T3 (SDSL or fractional T1 backup)
• Clients: mobile and workstation users
Enterprise Continuity Scenario
[Diagram: continuum from mid-range NAS to high-end SAN, disaster tolerant; BCP value-add increases along the continuum]
• SP-A and SP-B direct connect Fibre Channel topologies: Production Host at Site A, Standby Host at Site B; the primary system holds Production A and Mirror B, the secondary system holds Mirror A and Production B
• Synchronous, bi-directional mirror between the two sites
• Local mirroring with 500 m separation; up to 60 km between sites using Optera 5200 devices (additional 5200s can be added for UHA, or single links between Optera devices)
N-Tier Architecture
• Add hardware where scale is needed
• Redundancy decisions made at each tier
• Simplified application development model
• Integrate Web technologies into legacy systems
[Diagram: tiers web → services → application → data]
Industry Perspective
“The N-tier architecture is the best strategy for agility, multiple points of interaction, and site-level availability without a single point of failure.” – Meta Group
“By partitioning Website functions into components that reside separately on different systems, enterprises can achieve greater availability, scalability, and flexibility.” – Gartner Group
“Flexibility and improved high availability are both promoted by multi-tier computing architecture.” – IDC
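The availability chart earlier in the deck (price against nines and downtime hours per system per year) and the N-tier slides above both rest on the same arithmetic, which the slides state only as a picture. The following is an added example, not code from the original deck, that converts a target availability into downtime hours per year and composes availability across redundant units within a tier (any one of which suffices) and across dependent tiers (all of which must be up). The design numbers in the comparison (a single load balancer at 99.9%, ten web servers at 99% each, and so on) are assumptions chosen to show why a single non-redundant component bounds the whole service.

```python
"""Availability arithmetic for the continuity continuum.

Added example, not from the original slides. It converts availability
targets ("nines") into downtime hours per system per year and composes
availability across redundant units (parallel) and dependent tiers (serial),
so the price-versus-nines trade-off on the chart can be checked for a design.
Unit availabilities in the comparison below are assumed values.
"""
import math

HOURS_PER_YEAR = 365 * 24   # 8760


def downtime_hours_per_year(availability: float) -> float:
    """99.9% -> 8.76 h; 99.99% -> 0.876 h; 99.999% -> 0.0876 h (the chart's log axis)."""
    return (1.0 - availability) * HOURS_PER_YEAR


def availability_from_downtime(hours_per_year: float) -> float:
    return 1.0 - hours_per_year / HOURS_PER_YEAR


def nines(availability: float) -> float:
    """Number of nines, e.g. 0.999 -> 3.0."""
    return -math.log10(1.0 - availability)


def parallel(unit_availability: float, count: int) -> float:
    """Redundant units with independent failures, any one of which is enough
    (load-balanced web servers, active-active cluster nodes): the pool is
    down only when every unit is down."""
    return 1.0 - (1.0 - unit_availability) ** count


def serial(availabilities) -> float:
    """Tiers that must all be up for the service to be up (web -> application
    -> data): the product, so the weakest tier dominates."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def n_tier_availability(tiers: dict) -> float:
    """tiers: name -> (availability of one unit, number of redundant units)."""
    return serial(parallel(a, n) for a, n in tiers.values())


def design_comparison() -> tuple:
    """Same tiers, with one versus two load balancers in front (assumed figures)."""
    single_lb = {
        "load balancer": (0.999, 1),   # one box, no redundancy
        "web": (0.99, 10),             # ten round-robin web servers
        "application": (0.99, 2),      # two-node cluster
        "database": (0.995, 2),        # two-node cluster
    }
    dual_lb = dict(single_lb, **{"load balancer": (0.999, 2)})
    return n_tier_availability(single_lb), n_tier_availability(dual_lb)


if __name__ == "__main__":
    for a in (0.99, 0.999, 0.9999, 0.99999):
        print(f"{a:.5%}: {downtime_hours_per_year(a):8.3f} h/yr, {nines(a):.1f} nines")
    one, two = design_comparison()
    print(f"single LB: {one:.6f} ({downtime_hours_per_year(one):.2f} h/yr)")
    print(f"dual LB:   {two:.6f} ({downtime_hours_per_year(two):.2f} h/yr)")
```

With the assumed figures, ten web servers at 99% give a pool that is effectively always up, yet the service sits at about 99.89% (roughly ten hours of downtime a year) because the lone load balancer at 99.9% caps it; adding a second load balancer lifts the service to about 99.987%. That is the "redundancy decisions made at each tier" point in numbers: redundancy only helps at the tier that is currently the weakest.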
History of Dell.com
[Timeline 1994/95 – 2000; recoverable figures:]
• Milestones: www.dell.com launched; e-commerce launched; Premier Pages launched; online configurator launched
• Weekly visits: 80,000 → 400,000 → 1,500,000 → 3,000,000 → 4,000,000+
• Online sales per day, by quarter: $1M, $2M, $3M, $4M, $5M, $6M, $10M, $14M, $18M, $30M, $35M, $40M, $40M, $50M
• A second quarterly series (label not recoverable from the extraction): 100, 450, 800, 3,000, 5,750, 8,500, 12,000, 19,000, 27,000, 35,000, 40,000, 45,000
• 50,000+ pages; 50+% of total revenue
Site Architecture
• Hardware – Dell on Dell
  – Entire site runs on Dell hardware
• Development – Microsoft COM/DCOM
  – Windows 2000, IIS, Commerce Server, SQL Server
• Website – Internally hosted and supported
  – Multiple data center locations
  – Eliminate “single points of failure”
• Resources – MS trained and certified
  – MCSE, MCSD, MCP, etc.
Server Utilization
• 10 static content web servers
  – Static HTML pages
• 120+ application servers
  – Load balanced with PowerApp.BIG-IP
  – Segmented by function and responsibility
• 50+ database servers
  – Segmented by application support
• 160+ “non-production” backend servers
  – Mirrors, staging, backup, prototype, and testing
Web Servers
• Front-end web servers hold static content
  – Microsoft Windows 2000 Advanced Server, Microsoft Internet Information Services 5.0 (IIS), Network Load Balancing (NLB)
  – Provide access to applications
  – Multiple mirrored copies of content
• PowerEdge 2550 servers (10)
  – 2 processors, 512 MB RAM, 5 x 9 GB disks, RAID 5
Availability: Web Services
[Diagram: Cisco Distributed Director in front of the ten static-content web servers]
The static layer uses round-robin load balancing from the Cisco Distributed Director (DD), and all ten 2550 servers provide the same service. Loss of any one server is not noticed by the site, and the server can be easily replaced.
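The round-robin scheme on this slide, as an added Python example (it is not Dell's or Cisco's code): a pool hands identical servers out in turn and drops a server from rotation when its health probe fails, so the remaining nine keep serving with no change visible to the site. The server names and the health table that stands in for a real HTTP probe are constructed for the example.

```python
"""Round-robin dispatch across identical web servers, with failed servers
removed from rotation.  Added illustration, not Dell's or Cisco's code;
server names and the health table below are constructed."""
from collections import Counter
from typing import Callable, Dict, Iterable, List


class AllServersDownError(RuntimeError):
    """Raised when no server in the pool is in rotation."""


class RoundRobinPool:
    def __init__(self, servers: Iterable[str]) -> None:
        self._servers: List[str] = list(servers)
        if not self._servers:
            raise ValueError("pool needs at least one server")
        self._healthy: Dict[str, bool] = {s: True for s in self._servers}
        self._cursor = 0

    def mark_down(self, server: str) -> None:
        self._healthy[server] = False

    def mark_up(self, server: str) -> None:
        self._healthy[server] = True

    def in_rotation(self) -> List[str]:
        return [s for s in self._servers if self._healthy[s]]

    def next_server(self) -> str:
        """Return the next healthy server, skipping unhealthy ones while
        keeping the relative order of the rest unchanged."""
        n = len(self._servers)
        for _ in range(n):
            server = self._servers[self._cursor % n]
            self._cursor = (self._cursor + 1) % n
            if self._healthy[server]:
                return server
        raise AllServersDownError("no healthy servers in rotation")

    def probe(self, check: Callable[[str], bool]) -> List[str]:
        """Run a health check against every server and update rotation.
        Returns the servers that are now out of rotation."""
        for s in self._servers:
            self._healthy[s] = bool(check(s))
        return [s for s in self._servers if not self._healthy[s]]


def distribute(pool: RoundRobinPool, requests: int) -> Counter:
    """Send `requests` through the pool; return per-server hit counts."""
    counts: Counter = Counter()
    for _ in range(requests):
        counts[pool.next_server()] += 1
    return counts


# Constructed health table standing in for a real probe of each server's
# static index page; web04 pretends to be failing.
SIMULATED_STATUS = {f"web{i:02d}": 200 for i in range(1, 11)}
SIMULATED_STATUS["web04"] = 503


def simulated_check(server: str) -> bool:
    return SIMULATED_STATUS.get(server) == 200


def demo() -> Counter:
    """Ten identical servers, one failing: 900 requests land evenly on the
    nine that remain in rotation (100 each), none on web04."""
    pool = RoundRobinPool(f"web{i:02d}" for i in range(1, 11))
    pool.probe(simulated_check)
    return distribute(pool, 900)


if __name__ == "__main__":
    for server, hits in sorted(demo().items()):
        print(f"{server}: {hits}")
```

The cursor keeps advancing over the unhealthy slot rather than reindexing the list, so a server that comes back (mark_up, or a later probe returning healthy) simply rejoins at its old position; the one failure mode worth handling explicitly is every server being down, which raises instead of looping.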
Application Servers
• Microsoft Commerce Server 2000
  – Separate servers by function
  – Load balanced “clusters”
  – Smooth scaling as needs arise
  – Provides views “into” the data layer
  – Functions: index and search; usage analyst; commerce applications; personalization and membership; Content Deployment Service; custom developed components
• PowerEdge 4400 & 2450 servers (120+)
  – 2 processors, 1-2 GB RAM, 6 x 9 GB disks, RAID 5
Availability: Application Layer
The application layer uses both Windows clustering (Windows 2000 Advanced Server, 2-node clustering) and Network Load Balancing (NLB) to provide high availability of applications as well as improved response time.
Database Servers
• Microsoft SQL Server 2000
  – Standardized on one relational database
  – Microsoft Cluster Server (MSCS)
  – High performance
  – Tight integration with Microsoft tools: ADO and Active Server Pages (ASP)
• PowerEdge 6450 & 8450 servers (50+)
  – 2-8 processors, 2-16 GB RAM, 6 x 9 GB RAID 5
  – External storage when required
Availability: Data Layer
• Database reliability is provided by RAID (Redundant Array of Independent Disks) levels 1 and 5.
• The SAN, built on Fibre Channel technology, offers high availability by providing redundant components, including host bus adapters, switches and RAID controllers within the storage array.
[Diagram: PowerVault 6450, PowerVault 650 and PowerVault 630 storage]
Availability: Hardware
• Redundant / hot swappable
  – Power supplies
  – Fans
  – Hard drives, replaced before failure through the pre-failure warranty program *
  – System backplane supports hot-plug hard drives
  – Battery-backed cache
  – Dual embedded NICs with fail-over support
* The Self-Monitoring, Analysis and Reporting Technology (SMART) function notifies the administrator that a hard drive is about to fail.
Availability: System Management
• Server & application monitoring & alerting
  – NetIQ AppManager®
  – Dell OpenManage
• ISP and internal network operations
• Overall site performance reporting
  – Keynote Systems
• Application load testing
  – Mercury Interactive LoadRunner®
• “Click stream” capture & analysis
Continuity of Operations
• Data center site redundancy
  – Primary data center has dual power feeds from two different power companies
  – Battery backup and generator power
  – Multiple ISP connectivity
  – Physical access restricted
• Data backup and retrieval
  – Data is backed up to disk, then to tape
  – Tape stored offsite; daily rotation
Continuity of Operations
[Diagram: two data centers. Data Center 1 is fed by ISPs 1, 2 and 3 over 3 x DS3; Data Center 2 by ISPs 4, 5 and 6 over 3 x DS3. Each contains a router, a Cisco DD, an IDS, web servers, app servers and SQL servers; firewalls (FW, four in the diagram) bound the DMZ and the corporate network.]
Web Infrastructure Security
• Routers
  – Follow rule-based traffic acceptance
  – Allow the minimum ports open (e.g. HTTP, FTP, SSL)
• Firewalls
  – DMZ-based architecture
  – No sacrificial “honey pot” systems
• Servers
  – Integrate NTFS security and Access Control Lists
  – Limited “administrator” access to production servers
  – Focus on good planning, not fancy technology
• Monitoring, Alerting, and Auditing
  – Stay current on service packs, patches, and hot fixes
  – Year-round internal and external audits
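An added Python example (not Dell's configuration) of the DMZ tiering and “minimum ports open” principle on this slide: the tier-to-tier flows that are supposed to exist (Internet to web tier, web tier to application tier, application tier to database tier, administration only from the corporate network) are written down as an allowlist, and a flat list of router/firewall permit rules is audited against it. A rule is reported when it permits a flow the tiers do not call for, opens every port, or opens ports beyond the allowlist. The zone names, port numbers, one-line rule format and sample rules are all assumptions made for the example.

```python
"""Audit permit rules against a tiered DMZ flow policy.  Added illustration
(not Dell's configuration); zones, ports, rule format and sample rules are
constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

ANY = "any"

# Which tier may talk to which, and on which ports.  Any (src, dst) pair
# absent from this table is a forbidden flow.  Ports are constructed
# choices: 80/443 HTTP and HTTPS, 1433 SQL Server, 3389 remote admin.
POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("internet", "dmz_web"): frozenset({80, 443}),
    ("dmz_web", "app"): frozenset({135, 8080}),
    ("app", "db"): frozenset({1433}),
    ("corp", "app"): frozenset({3389}),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    ports: Optional[FrozenSet[int]]  # None means any port
    action: str                      # "permit" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed format 'name src dst ports action',
    where ports is a comma-separated list of TCP ports or 'any'."""
    name, src, dst, ports, action = line.split()
    parsed = None if ports == ANY else frozenset(int(p) for p in ports.split(","))
    return Rule(name, src, dst, parsed, action)


def load_rules(lines: Iterable[str]) -> List[Rule]:
    return [parse_rule(ln) for ln in lines if ln.strip() and not ln.startswith("#")]


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per permit rule that is wider than POLICY allows."""
    findings: List[str] = []
    for r in rules:
        if r.action != "permit":
            continue
        allowed = POLICY.get((r.src, r.dst))
        if allowed is None:
            findings.append(f"{r.name}: {r.src}->{r.dst} is not a permitted tier-to-tier flow")
        elif r.ports is None:
            findings.append(f"{r.name}: {r.src}->{r.dst} permits any port; restrict to {sorted(allowed)}")
        elif r.ports - allowed:
            findings.append(f"{r.name}: {r.src}->{r.dst} opens {sorted(r.ports - allowed)} beyond the policy")
    return findings


def internet_exposure(rules: List[Rule]) -> Dict[str, Optional[FrozenSet[int]]]:
    """Summarise what inbound permit rules expose: destination zone -> union
    of ports, collapsing to None once any rule opens every port to it."""
    exposure: Dict[str, Optional[FrozenSet[int]]] = {}
    for r in rules:
        if r.action != "permit" or r.src != "internet":
            continue
        current = exposure.get(r.dst, frozenset())
        exposure[r.dst] = None if (r.ports is None or current is None) else current | r.ports
    return exposure


# Constructed rule set: r10-r30 and r70 follow the policy; r40-r60 do not.
SAMPLE_RULES = """\
r10 internet dmz_web 80,443 permit
r20 dmz_web app 135,8080 permit
r30 app db 1433 permit
r40 internet dmz_web any permit
r50 internet db 1433 permit
r60 dmz_web app 135,8080,445 permit
r70 corp app 3389 permit
r99 any any any deny
""".splitlines()


def demo() -> List[str]:
    return audit(load_rules(SAMPLE_RULES))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("internet exposure:", internet_exposure(load_rules(SAMPLE_RULES)))
```

The exposure summary is the check a reviewer wants beside the findings: after r40 the web tier is reachable on every port regardless of how tight r10 is, and r50 puts the database tier one hop from the Internet, which the DMZ layering exists to prevent.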
Recommended