Jan 28 2011

“There are no rules of architecture for a castle in the clouds.” ~G.K. Chesterton

I was reminded of this quote as I compiled the best, best, best questions to ask regarding Intelligent Perimeters, following Part 1: aren’t the network perimeters of the future going to be the gateway to the Cloud? Look at the quote from G.K. Chesterton. Do you agree? From a security perspective, a CIO will need to understand even more clearly how security architecture and design integrate into building intelligent perimeters.

As I wrote the questions for Part 2, I thought, “Oh no! More security information!” The quote from Eliot struck me as oddly correct. Use the information that you are gathering with these questions to feed the architecture. It is my intent to merge wisdom with knowledge.

“Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?” ~T.S. Eliot, Choruses from The Rock

11. (Numbers cont’d from Part 1) Do you have gateway protection at the network perimeter for:

  • Virus
  • Malware / Spyware
  • IPS
  • Content management?
    • Are you using the perimeter to enforce email policy for “outbound email hygiene”?
  • Anti-phishing

12. Where is your mail relay?

  • In the Cloud
  • Internal Network
    • DMZ

13. Do you prefer your security systems to be:

  • Physical
  • Virtual appliances
  • Software on servers

14. Do you prefer appliance strategies or software with perimeter defenses?

15. Where do your organizational skills lie? Microsoft/Linux/Other?

16. Can the DMZ be replicated at the DR site? If not, what aspects of it are needed? How manual will it be?

17. What is the philosophy regarding a PC-based approach versus an “in-line” approach to anti-spyware?

18. Do you outsource any aspects of perimeter defense (Firewalls, SPAM, AV, etc.)?

19. Is remote access remediation integrated into the help desk appropriately?

20. IDP/IDS/IPS – Are they deployed?

  • Where? Inside the network? Outside the network?
  • Do you outsource these services?
  • Why? (Yes/No)
  • How are logging, monitoring, and forensics/reporting handled?

21. Centralized management of security devices:

  • Remote Sites Firewalls
  • VPN client end-points
  • SSL VPN clients

Jan 17 2011

As the old-fashioned firewall concept has morphed into a multi-faceted security perimeter, I have developed a series of questions that can help you uncover the correct answers as you continue to refine and define what the security edge should look like for you. Use the reference architecture I have built for this post, which you can find HERE.

From an ease-of-digestion perspective, I am going to release this in two parts, since there are 22 questions. As always, if you have questions, email me at billm@cioes.org or post a question to my blog below. Thanks, Bill

Reference Architecture Intelligent Perimeters: Edge Sites, Private WAN, Internet, Public WAN, Cloud Access Control.

Sample Technologies covered are: Firewalls, UTM Firewalls, App Proxy, IDP/IDS, DLP Systems, SPAM Filters, Load Balancers, Content Filters

1. Are DMZs deployed for network segmentation when interfacing with Internet customers and partners?

2. What is your confidence level in the DMZ on a scale of 1-10? (10 is very confident)

3. Has a detailed cable trace been done to validate the DMZ?

4. Preferred firewall manufacturer?

  • Do the firewall rules explicitly deny traffic to and from the DMZ?
  • Is the version level current with the offering of the manufacturer?

5. Are services like e-commerce sites and other systems hosted in the DMZ? Are there any concerns about the architecture?

6. On a scale of 1-10, how well does your DMZ match the security policy of the organization?

7. Where does standard VPN access terminate? Have the termination points been reviewed?

8. Firewall – Is it a UTM (Unified Threat Management) device providing IPS, gateway anti-virus and anti-spyware? If no:

  • What is the approach for IPS?
  • What is being used for anti-virus?
  • What is the approach used for anti-spyware?

9. Do you have redundancy on the following?

  • ISP – inbound
  • ISP – outbound
  • Load Balancers
  • Content Filters

10. Is there a dedicated device for web content filtering?

  • For what? Check all that apply: Web, Email, DLP
  • Is it AD aware?

11. How are anti-spam and anti-phishing handled?

Jan 11 2011

I have listed the best 12 questions that you, the CIO, can ask your team, security architect, security engineer, partners, vendors and manufacturers when discussing security and client integrity.

Utilize the reference architecture I developed so that you know where Client Integrity fits into the bigger picture of security architecture and design for you. Let me know your thoughts. Bill – billm@cioes.org

Layer 1 – Client Integrity: Users accessing corporate services via WAN, LAN, Internet (work at home, conference, consultant, partner, travel), & mobile devices
Sample Technologies: Smartphones (Droid, iPhone, Blackberry, etc.), PC firewalls, USB Mgmt, Laptop Mgmt, data encryption, device wipe.

CLASS of Users (We are assuming that all users have class!)

  • Internal Employees
  • External Employees: From the home, Other office, Kiosks, Hotels, Starbucks, etc.
  • Partners remote
  • Partners LAN
  • Consultants remote
  • Consultants on the LAN
  • Kiosks

The goal of Layer 1 Questions is to determine the security direction and philosophy regarding device management: PCs, Laptops, and Smart Devices (Phones, iPads, etc.).

  • Antivirus
  • Anti-spyware
  • Patches
  • Version Updates
  • Upgrades
  • Backups
  • Firewalls
  • USB

1. Can we trust the individual?
  1. How is trust enforced for the user groups listed above? e.g. Biometrics, Two Factor, Certificates, etc.
  2. Is comprehensive USB protection in place now? Yes/No/Only at Corporate
  3. Can you remotely ‘wipe’ data from a laptop or smart device? Yes/No/Only Certain Devices

2. Wireless Access
  1. Is this managed centrally at corporate?
  2. Is it managed at remote offices? How?
  3. Is wireless managed on the firewall or through another management device?

3. Can I trust machines remotely accessing my network?
  1. Do remote access devices have Anti-Spyware? … protection from key loggers, malware, Trojans, etc.
  2. Are they running Antivirus Protection?
  3. Are there personal firewalls on client machines? Do I care?
  4. Is their operating system up to date? (Patches, versions, upgrades, etc.)
  5. What is the process of remediation when a user tries to attach to the network and is not compliant?

4. Do I have Centralized Security Management? Edge Sites, PCs, Virus, Spyware, Malware, Personal firewalls

5. What are my plans to consolidate end point security into one centralized management console?

6. Contractors – How do I know if a contractor meets security policy when attaching to the network?

7. How does my team distribute patches for Microsoft, third-party, Adobe and Java software?

8. How does my team distribute application version-level updates?

9. How is cache clean-up handled after use of un-trusted public access points, at a conference for example?

10. How is an un-trusted LAN user’s machine checked before accessing the network?

11. Are your Client Integrity devices Active Directory aware?

12. Is a consolidated and centralized USB strategy in place now? At corporate only? Remote Sites? If not, then when?

13. Bonus Question – What is the airspeed velocity of a swallow? See the video below: Monty Python’s Bridge of Death.