
Security Policies and Procedures

Minder Chen, Ph.D.

© Minder Chen, 1998-2005

References

• Information Security Management Handbook, 4th edition, edited by Micki Krause and Harold F. Tipton.
• The SANS Security Policy Project, www.sans.org/newlook/resources/policies/policies.htm
• Sample Policies and Procedures, www.sans.org/newlook/resources/policies/Appdb.doc

Policy, Standard, and Guideline

• A policy is typically a document that outlines specific requirements or rules that must be met.
• In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
• A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone.
  – For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network.
  – People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
• A guideline is typically a collection of system-specific or procedure-specific “suggestions” for best practice.
  – They are not requirements to be met, but are strongly recommended.
• Effective security policies make frequent references to standards and guidelines that exist within an organization.

• Information Security Management Handbook, Fourth Edition, by Micki Krause (Editor), Harold F. Tipton (Editor)

• The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz

• CISSP All-in-One Exam Guide, by Shon Harris


• SANS Security Policy Project at http://www.sans.org/newlook/resources/policies/policies.htm

• Policy Primer at http://www.sans.org/newlook/resources/policies/Policy_Primer.pdf

• Sample Policies and Procedures at http://www.information-security-policies-and-standards.com/

• HIPAA FAQ at http://www.rx2000.org/KnowledgeCenter/hipaa/hipfaq.htm

Executive Order: Critical Infrastructure Protection in the Information Age

• By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, in the information age, it is hereby ordered as follows:

http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html

• Section 1. Policy.
• (a) The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of critical information infrastructures. The protection program authorized by this order shall consist of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Protection of these systems is essential to the telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services sectors.

Level 2 - Major Enterprises

• 2.1. Responsibility: Who in an enterprise should be responsible for IT security? How often should that person brief the CEO? What role should the Board of Directors play in oversight of IT security? Should the Board require an outside audit and, if so, how often and from whom?
• 2.2. Best Practices: Where should the CEO, Board and/or auditors obtain guidance on best practices or standards to use in IT security self-evaluations and IT security policy development?
• 2.3. Disclosure: What information about IT security should the corporation disclose to its stockholders, to its creditors, to its auditors, to its Board?
• 2.4. Enterprise Wide IT Security Policy: Should enterprises be required by their Boards of Directors or Auditors to have a regularly updated policy statement on IT security practices? Should enterprises be required by Boards and Auditors to employ software to enforce their IT policy?
• 2.5. Awareness: Should enterprises require employee participation in regular IT security awareness training? Where should enterprises obtain assistance in developing such training?

http://www.sans.org/nationalstrategy.php#level2

Continued…

• 2.6. Insider Threats: How can a balance be struck between preventing insiders from damaging the enterprise by misusing its IT systems, and respecting the legitimate privacy concerns of employees?
• 2.7. Partners and Supply Chain: What IT security risks does an enterprise run from its relationships with its partners and supply chain? How can those relationships enhance or degrade IT security?
• 2.8. Event Reporting: What IT security events should an enterprise report and to whom?
• 2.9. Threat and Vulnerability Information: How should an enterprise learn about and decide how to react to IT security threats and vulnerabilities? How can an enterprise evaluate the numerous software "patches" distributed to it by its IT vendors?
• 2.10. IT Vendors: To what extent should an enterprise "outsource" its IT security functions? How can IT security vendors be evaluated? How can an enterprise act to improve the security of the IT products and services it procures?
• 2.11. Risk Management and Insurance: How can an enterprise evaluate the appropriate level of IT security spending or the return on investment in IT security? What role can insurance play in IT security for an enterprise?

Ten Immutable Laws of Security

1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
2. If a bad guy can alter the OS on your computer, it’s not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
4. If you allow a bad guy to upload programs to your web site, it’s not your site anymore.
5. Weak passwords trump strong security.
6. A machine is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out-of-date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the web.
10. Technology is not a panacea.

Ten Immutable Laws of Security Administration

1. Nobody believes anything bad can happen to them, until it does.
2. Security only works if the secure way also happens to be the easy way.
3. If you don't keep up with security fixes, your network won't be yours for long.
4. It doesn't do much good to install security fixes on a computer that was never secured to begin with.
5. Eternal vigilance is the price of security.
6. There really is someone out there trying to guess your passwords.
7. The most secure network is a well-administered one.
8. The difficulty of defending a network is directly proportional to its complexity.
9. Security isn't about risk avoidance; it's about risk management.
10. Technology is not a panacea.

Security Services (OSI definition)

• Access control: Protects against unauthorized use

• Authentication: Provides assurance of someone's identity

• Confidentiality: Protects against disclosure to unauthorized identities

• Integrity: Protects from unauthorized data alteration

• Non-repudiation: Protects against originator of communications later denying it

Source: http://www.cs.auckland.ac.nz/~pgut001/tutorial/

Security Mechanisms

• Three basic building blocks are used:
  – Encryption is used to provide confidentiality. On its own it does not guarantee integrity (ciphertext can usually be altered without knowing the key), so it provides authentication and integrity protection only when combined with a MAC or used in an authenticated mode
  – Digital signatures are used to provide authentication, integrity protection, and non-repudiation
  – Checksums/hash algorithms are used to provide integrity protection; keyed with a secret (a MAC such as HMAC) they also provide authentication

• One or more security mechanisms are combined to provide a security service
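To make the slide's distinction concrete, here is an added example (not code from the original slides) showing why the mechanisms have to be combined: a toy stream cipher gives confidentiality but lets an attacker flip plaintext bits through the ciphertext, an unkeyed hash catches accidents but not an attacker who can recompute it, and a keyed hash (HMAC) layered over the ciphertext rejects the same tampering. The cipher, keys, nonce and message are assumptions constructed for the example; the SHA-256 counter-mode keystream stands in for a real authenticated cipher such as AES-GCM and must not be used as one.

```python
"""Security mechanisms and the services they provide. This is an added example,
not code from the original slides; it uses only the Python standard library.
The stream cipher is a toy (SHA-256 in counter mode) so that the script runs
without third-party packages; it is not a substitute for AES-GCM or
ChaCha20-Poly1305 from a real library. Keys and the message are constructed."""
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), block after block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only. XOR with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """What an attacker on the wire can do to a message they cannot read."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def unkeyed_hash(data: bytes) -> bytes:
    """Integrity against accidents. Anyone can recompute it, so it authenticates nothing."""
    return hashlib.sha256(data).digest()


def keyed_hash(key: bytes, data: bytes) -> bytes:
    """Integrity plus authentication: HMAC-SHA256 cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: two mechanisms combined into one service."""
    ct = encrypt(enc_key, nonce, plaintext)
    return nonce + ct + keyed_hash(mac_key, nonce + ct)


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Plaintext, or None when the tag does not verify (altered message or wrong key)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, keyed_hash(mac_key, nonce + ct)):
        return None
    return encrypt(enc_key, nonce, ct)


def demo(nonce: bytes = b"\x00" * NONCE_LEN) -> dict:
    """Runs the four cases and returns what each one observed."""
    enc_key, mac_key = b"E" * 32, b"M" * 32
    msg = b"PAY 100 TO ALICE"
    forged_msg = b"PAY 900 TO ALICE"

    # 1. Encryption alone: flipping bit 3 of ciphertext byte 4 turns '1' (0x31)
    #    into '9' (0x39) after decryption, and the recipient cannot tell.
    ct = encrypt(enc_key, nonce, msg)
    decrypted_forgery = encrypt(enc_key, nonce, flip_bit(ct, 4, 3))

    # 2. Unkeyed hash sent alongside the message: the attacker edits the
    #    message and recomputes the hash, so the check still passes.
    packet = forged_msg + unkeyed_hash(forged_msg)
    hash_accepts_forgery = unkeyed_hash(packet[:-TAG_LEN]) == packet[-TAG_LEN:]

    # 3. Keyed hash (MAC): the tag is bound to both key and message, so the
    #    original tag no longer matches the forged message.
    mac_accepts_forgery = hmac.compare_digest(keyed_hash(mac_key, msg), keyed_hash(mac_key, forged_msg))

    # 4. Encrypt-then-MAC: the same ciphertext bit flip is rejected outright.
    blob = seal(enc_key, mac_key, nonce, msg)
    tampered = flip_bit(blob, NONCE_LEN + 4, 3)

    return {
        "decrypted_forgery": decrypted_forgery,
        "hash_accepts_forgery": hash_accepts_forgery,
        "mac_accepts_forgery": mac_accepts_forgery,
        "sealed_ok": open_sealed(enc_key, mac_key, blob),
        "sealed_tampered": open_sealed(enc_key, mac_key, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The MAC is computed over the nonce and ciphertext (encrypt-then-MAC) and checked with a constant-time comparison before anything is decrypted, which is the order a practitioner should keep when building the service by hand.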

10 Domains of Computer Security

• Domain 1 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.

• Domain 2 addresses communications security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

Continued…

• Domain 3 addresses risk management and business continuity planning. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.

• Domain 4 addresses policy, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

Continued…

• Domain 5 addresses computer architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, while system security involves the mechanisms that are used to maintain the security of system programs. PC and LAN security issues, problems, and countermeasures are also in this domain.

• Domain 6 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

Continued…

• Domain 7 addresses application program security. Application security involves the controls placed within the application program to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.

• Domain 8 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

Continued…

• Domain 9 addresses (computer) operations security. Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.

• Domain 10 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

Vulnerabilities

• The Twenty Most Critical Internet Security Vulnerabilities (Updated): The Experts’ Consensus, Version 2.502, January 30, 2002. Copyright 2001-2002, The SANS Institute, at http://www.sans.org/top20.htm
• ICAT Top Ten List: http://icat.nist.gov/icat.cfm?function=topten

The 20 Most Critical Internet Security Vulnerabilities

• G1 - Default installs of operating systems and applications
  – G1.1 Description
  – G1.2 Systems impacted
  – G1.3 CVE entries
  – G1.4 How to determine if you are vulnerable
  – G1.5 How to protect against it
• G2 - Accounts with No Passwords or Weak Passwords
• G3 - Non-existent or Incomplete Backups
• G4 - Large number of open ports
• G5 - Not filtering packets for correct incoming and outgoing addresses (missing ingress/egress filtering)
• G6 - Non-existent or incomplete logging
• G7 - Vulnerable CGI Programs
• Plus 6 Windows and 7 Unix vulnerabilities

Log (Audit Trail)

• One of the maxims of security is, "Prevention is ideal, but detection is a must." As long as you allow traffic to flow between your network and the Internet, the opportunity for an attacker to sneak in and penetrate the network is there. New vulnerabilities are discovered every week, and there are very few ways to defend yourself against an attacker using a new vulnerability. Once you are attacked, without logs you have little chance of discovering what the attackers did. Without that knowledge, your organization must choose between completely reloading the operating system from original media, and then hoping the data backups were OK, or taking the risk that you are running a system that a hacker still controls.

• You cannot detect an attack if you do not know what is occurring on your network. Logs provide the details of what is occurring, what systems are being attacked, and what systems have been compromised.

• Logging must be done on a regular basis on all key systems, and logs should be archived and backed up because you never know when you might need them. Most experts recommend sending all of your logs to a central log server that writes the data to write-once media, so that an attacker who compromises a host cannot overwrite its logs and avoid detection.
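The slide's point that an intruder who controls a host can rewrite its logs can also be countered on the host itself with a hash chain, as in this added example (not code from the original slides). Each record commits to the one before it, so editing or deleting an entry breaks the chain on the next audit; keeping only the latest chain hash on the central log server is enough to detect tail truncation too. The record layout, the event lines and the attacker's edits are constructed for the example.

```python
"""Hash-chained audit log. Added example, not from the original slides. Each
record stores the SHA-256 of the record before it, so an intruder who edits
or deletes an entry on the compromised host breaks the chain; keeping the
latest chain hash on the central log server (or on write-once media) also
catches truncation of the tail. Log lines below are constructed."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor before the first record


def _entry_hash(prev_hash: str, record: Dict) -> str:
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain: List[Dict], record: Dict) -> List[Dict]:
    """Append one record; the host's log writer calls this for every event."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": _entry_hash(prev, record)})
    return chain


def verify(chain: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, -1) if intact, else (False, index of the
    first entry that does not fit). expected_head is the last hash as recorded
    off-host; without it a deleted tail cannot be detected."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, -1


SAMPLE_EVENTS = [  # constructed syslog-style lines from a web server
    {"ts": "2002-01-30T03:14:07Z", "host": "www1", "msg": "sshd: Accepted password for webadmin from 10.0.0.7"},
    {"ts": "2002-01-30T03:14:09Z", "host": "www1", "msg": "sudo: webadmin : COMMAND=/bin/sh"},
    {"ts": "2002-01-30T03:15:42Z", "host": "www1", "msg": "useradd: new user: name=svc_backup, uid=0"},
    {"ts": "2002-01-30T03:16:00Z", "host": "www1", "msg": "sshd: session closed for webadmin"},
]


def build_chain(events: List[Dict] = SAMPLE_EVENTS) -> List[Dict]:
    chain: List[Dict] = []
    for ev in events:
        append(chain, ev)
    return chain


def tamper_edit(chain: List[Dict]) -> List[Dict]:
    """Intruder rewrites the useradd line to hide the uid-0 account."""
    forged = [dict(e, record=dict(e["record"])) for e in chain]
    forged[2]["record"]["msg"] = "useradd: new user: name=svc_backup, uid=1005"
    return forged


def tamper_truncate(chain: List[Dict]) -> List[Dict]:
    """Intruder deletes everything after the sudo line, leaving a consistent prefix."""
    return [dict(e) for e in chain[:2]]


if __name__ == "__main__":
    chain = build_chain()
    head = chain[-1]["hash"]  # what the central log server holds
    print("intact:", verify(chain, head))
    print("edited entry:", verify(tamper_edit(chain), head))
    print("truncated, head known:", verify(tamper_truncate(chain), head))
    print("truncated, head unknown:", verify(tamper_truncate(chain)))
```

The last case is the caveat: a truncated chain is internally consistent, so the chain alone does not replace the off-host copy; it only tells you which entry was touched once you know the chain should be longer.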


Ports That Are Commonly Probed and Attacked

• Blocking these ports is a minimum requirement for perimeter security, not a comprehensive firewall specification list.

• A far better rule is to block all unused ports. And even if you believe these ports are blocked, you should still actively monitor them to detect intrusion attempts.

• A warning is also in order: Blocking some of the ports in the following list may disable needed services.

• Please consider the potential effects of these recommendations before implementing them.

• Keep in mind that blocking these ports is not a substitute for a comprehensive security solution.

• Even if the ports are blocked, an attacker who has gained access to your network via other means (a dial-up modem, a Trojan e-mail attachment, or a person who is an organization insider, for example) can exploit these ports if not properly secured on every host system in your organization.

Ports

1. Login services -- telnet (23/tcp), SSH (22/tcp), FTP (21/tcp), NetBIOS (139/tcp), rlogin et al. (512/tcp through 514/tcp)
2. RPC and NFS -- Portmap/rpcbind (111/tcp and 111/udp), NFS (2049/tcp and 2049/udp), lockd (4045/tcp and 4045/udp)
3. NetBIOS in Windows NT -- 135 (tcp and udp), 137 (udp), 138 (udp), 139 (tcp). Windows 2000 -- the earlier ports plus 445 (tcp and udp)
4. X Windows -- 6000/tcp through 6255/tcp
5. Naming services -- DNS (53/udp) to all machines which are not DNS servers, DNS zone transfers (53/tcp) except from external secondaries, LDAP (389/tcp and 389/udp)
6. Mail -- SMTP (25/tcp) to all machines which are not external mail relays, POP (109/tcp and 110/tcp), IMAP (143/tcp)
7. Web -- HTTP (80/tcp) and HTTPS/SSL (443/tcp) except to external Web servers; you may also want to block common high-order HTTP port choices (8000/tcp, 8080/tcp, 8888/tcp, etc.)
8. …
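The previous slide says to block all unused ports and to check the list rather than assume it. This added example (not code from the original slides or from SANS) evaluates a perimeter rule set against the probed ports from groups 1 through 7 above with ordered first-match semantics, the way most packet filters work. The rule representation and both sample rule sets are assumptions constructed for the example: a default-accept blocklist that forgets the high-order HTTP ports, and a default-deny allowlist that opens only what each DMZ server needs.

```python
"""Perimeter rule check against the commonly probed ports above. This is an
added example, not code from the original slides or from SANS. The rule-set
format (ordered first-match rules with a default policy, as most packet
filters use) and the two sample rule sets are constructed for the example;
nothing here is any vendor's syntax."""
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, object]

# (service, protocol, low port, high port) taken from groups 1-7 of the slide.
PROBED: List[Tuple[str, str, int, int]] = [
    ("telnet", "tcp", 23, 23), ("ssh", "tcp", 22, 22), ("ftp", "tcp", 21, 21),
    ("netbios-ssn", "tcp", 139, 139), ("rlogin et al.", "tcp", 512, 514),
    ("portmap", "tcp", 111, 111), ("portmap", "udp", 111, 111),
    ("nfs", "tcp", 2049, 2049), ("nfs", "udp", 2049, 2049),
    ("lockd", "tcp", 4045, 4045), ("lockd", "udp", 4045, 4045),
    ("msrpc", "tcp", 135, 135), ("msrpc", "udp", 135, 135),
    ("netbios-ns", "udp", 137, 137), ("netbios-dgm", "udp", 138, 138),
    ("smb", "tcp", 445, 445), ("smb", "udp", 445, 445),
    ("x11", "tcp", 6000, 6255),
    ("dns", "udp", 53, 53), ("dns-zone-xfer", "tcp", 53, 53),
    ("ldap", "tcp", 389, 389), ("ldap", "udp", 389, 389),
    ("smtp", "tcp", 25, 25), ("pop", "tcp", 109, 110), ("imap", "tcp", 143, 143),
    ("http", "tcp", 80, 80), ("https", "tcp", 443, 443),
    ("http-alt", "tcp", 8000, 8000), ("http-alt", "tcp", 8080, 8080), ("http-alt", "tcp", 8888, 8888),
]


def rule(action: str, proto: str, lo: int, hi: Optional[int] = None, host: str = "any") -> Rule:
    """One inbound rule: proto is tcp, udp or any; host is a destination name or any."""
    return {"action": action, "proto": proto, "lo": lo, "hi": hi if hi is not None else lo, "host": host}


def decision(rules: List[Rule], default: str, proto: str, port: int, host: str) -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r["proto"] in (proto, "any") and r["lo"] <= port <= r["hi"] and r["host"] in (host, "any"):
            return r["action"]
    return default


def exposed(rules: List[Rule], default: str, hosts: List[str]) -> List[Tuple[str, str, str, int, int]]:
    """Probed ports still reachable from outside, as
    (host, service, proto, low port, number of open ports in the range)."""
    findings = []
    for name, proto, lo, hi in PROBED:
        for host in hosts:
            open_count = sum(decision(rules, default, proto, p, host) == "allow" for p in range(lo, hi + 1))
            if open_count:
                findings.append((host, name, proto, lo, open_count))
    return findings


# Rule set A (constructed): default accept, block the list from the slide. The
# author remembered groups 1-6 and HTTP/HTTPS but not the high-order HTTP ports.
BLOCKLIST = [
    rule("deny", "tcp", 21, 23), rule("deny", "tcp", 512, 514),
    rule("deny", "any", 111), rule("deny", "any", 2049), rule("deny", "any", 4045),
    rule("deny", "any", 135, 139), rule("deny", "any", 445),
    rule("deny", "tcp", 6000, 6255),
    rule("deny", "any", 53), rule("deny", "any", 389),
    rule("deny", "tcp", 25), rule("deny", "tcp", 109, 110), rule("deny", "tcp", 143),
    rule("deny", "tcp", 80), rule("deny", "tcp", 443),
]

# Rule set B (constructed): default deny, allow only what each DMZ server needs.
ALLOWLIST = [
    rule("allow", "tcp", 80, host="www1"), rule("allow", "tcp", 443, host="www1"),
    rule("allow", "tcp", 25, host="mail1"),
    rule("allow", "udp", 53, host="ns1"),
]

if __name__ == "__main__":
    print("blocklist, default accept:", exposed(BLOCKLIST, "allow", ["ws-42"]))
    print("allowlist, default deny:", exposed(ALLOWLIST, "deny", ["ws-42", "www1", "mail1", "ns1"]))
```

With the allowlist the only findings are the services each DMZ host is meant to offer, which is the expected result of "block all unused ports"; with the blocklist an internal workstation is still reachable on 8000, 8080 and 8888, and nothing in the rule set would flag that until someone runs the check.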


• Top 50 Security Tools – http://www.insecure.org/tools.html

A Security Policy Framework

• Policies define appropriate behavior.
• Policies set the stage in terms of what tools and procedures are needed.
• Policies communicate a consensus.
• Policies provide a foundation for HR action in response to inappropriate behavior.
• Policies may help prosecute cases.

• An intrusion is somebody (a.k.a. "hacker" or "cracker") attempting to break into or misuse your system. The word "misuse" is broad, and can cover anything from something as severe as stealing confidential data to something minor such as misusing your email system for spam (though for many of us, that is a major issue!).

• An "Intrusion Detection System (IDS)" is a system for detecting such intrusions. IDS can be broken down into the following categories:

Risk Profile Matrix

Threats                                          Rating   Visibility                                Rating   Score
None identified as active; exposure is limited      1     Very low profile, no active publicity        1
Unknown state or multiple exposures                 3     Middle of the pack, periodic publicity       3
Active threats, multiple exposures                  5     Lightning rod, active publicity              5

Consequences                                                      Rating   Sensitivity                                                                Rating   Score
No cost impact; well within planned budget; risk transferred         1     Accepted as cost of doing business; no organization issues                    1
Internal functions impacted; budget overrun; opportunity costs       3     Unacceptable Business Unit management impact; good will costs                 3
External functions impacted; direct revenue hit                      5     Unacceptable Corporate Management impact; business relationships affected     5

Total Score:

Rating: Multiply the Threat rating by the Visibility rating, and the Consequences rating by the Sensitivity rating. Add the two products together:
  2 - 10: Low Risk
  11 - 29: Medium Risk
  30 - 50: High Risk

Stay Secure

• Identify the risks
• Put attacks in perspective
• Store information securely
• Perform reliable and secure backups
• Transfer information securely across hostile networks
• Understand Public Key Infrastructure (PKI) and its limitations
• Protect against network threats
• Set up firewalls
• Deal with denial of service attacks
• Understand online commerce and privacy

Importance of Security Policies

• Security policies are an absolute must for any organization.
• They provide the virtual glue to hold it all together.
• Policies lay the groundwork.
• Imagine a small city that did not have any rules. What would life be like? The same applies to your organization.

Who and What to Trust

• Trust is a major principle underlying the development of security policies.
• The initial step is to determine who gets access.
• Deciding on the level of trust is a delicate balancing act.
• Too much trust may lead to eventual security problems.
• Too little trust may make it difficult to find and keep employees or get jobs done.
• How much should you trust people regarding their access to or usage of computer and network resources?

Possible Trust Models

• Trust everyone all of the time:
  – easiest to enforce, but impractical
  – one bad apple can ruin the whole barrel
• Trust no one at any time:
  – most restrictive, but also impractical
  – difficult to staff positions
• Trust some people some of the time:
  – exercise caution in the amount of trust given
  – access is given out as needed
  – technical controls are needed to ensure trust is not violated

Why the Political Turmoil?

• People view policies as:
  – an impediment to productivity
  – measures to control behavior
• People have different views about the need for security controls.
• People fear policies will be difficult to follow and implement.
• Policies affect everyone within the organization.


Who Should Be Concerned?

• Users - policies will affect them the most.

• System support personnel - they will be required to implement, comply with and support the policies.

• Managers - they are concerned about protection of data and the associated cost of the policy.

• Company lawyers and auditors - they are concerned about company reputation, responsibility to clients/customers.

The Policy Design Process

• Choose the policy development team.
• Designate a person or a group to serve as the official policy interpreter.
• Decide on the scope and goals of the policy.
  – Scope should be a statement about who is covered by the policy.
• Decide on how specific to make the policy.
  – not meant to be a detailed implementation plan
  – don’t include facts which change frequently

The Policy Design Process

• A sample of people affected by the policy should be provided an opportunity to review and comment.
• A sampling of the support staff affected by the policy should have an opportunity to review it.
• Incorporate policy awareness as a part of employee orientation.
• Provide a refresher overview course on policies once or twice a year.

Basic Policy Requirements

• Policies must:
  – be implementable and enforceable
  – be concise and easy to understand
  – balance protection with productivity
• Policies should:
  – state reasons why the policy is needed
  – describe what is covered by the policies
  – define contacts and responsibilities
  – discuss how violations will be handled

Level of Control

• Security needs and culture play a major role.
• Security policies MUST balance level of control with level of productivity.
• If policies are too restrictive, people will find ways to circumvent controls.
• Technical controls are not always possible.
• You must have management commitment on the level of control.

Policy Structure

• Dependent on company size and goals.
• One large document or several small ones?
  – smaller documents are easier to maintain/update
• Some policies are appropriate for every site, others are specific to certain environments.
• Some key policies:
  – acceptable use
  – remote access
  – information protection
  – perimeter security
  – baseline host/device security

The Acceptable Use Policy

• Discusses and defines the appropriate use of the computing resources.
• Users should be required to read and sign the account usage policy as part of the account request process.
• A key policy that all sites should have.

Some Elements

• Should state the responsibility of users in terms of protecting information stored on their accounts.
• Should state if users can read and copy files that are not their own, but are accessible to them.
• Should state the level of acceptable usage for electronic mail, internet news and web access.
• Should discuss acceptable non-business uses of the resources.

Remote Access Policy

• Outlines and defines acceptable methods of remotely connecting to the internal network.
• Essential in large organizations where networks are geographically dispersed and even extend into the homes.
• Should cover all available methods to remotely access internal resources:
  – dial-in (SLIP, PPP)
  – ISDN/frame relay
  – telnet/ssh access from the internet
  – cable modem/VPN/DSL


Some Elements

• Should define who can have remote access.

• Should define what methods are allowed for remote access.

• Should discuss who is allowed to have high speed remote access such as ISDN, frame relay or cable modem.– extra requirements– appropriate use

• Should discuss any restrictions on data that can be accessed remotely.


Information Protection Policy

• Provides guidelines to users on the processing, storage and transmission of sensitive information.

• Main goal is to ensure information is appropriately protected from modification or disclosure.

• May be appropriate to have new employees sign policy as part of their initial orientation.

• Should define sensitivity levels of information.

Some Elements

• Should define who can have access to sensitive information.
  – "need-to-know"
  – special circumstances
  – non-disclosure agreements

• Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc.). Note that archiving or uuencoding only changes the representation of the data and gives no confidentiality; only encryption protects it against disclosure.

• Should define on which systems sensitive information can be stored.


Some Elements• Should discuss what levels of sensitive

information can be printed on physically insecure printers.

• Should define how sensitive information is removed from systems and storage devices:– degaussing of storage media– scrubbing of hard drives– shredding of hardcopy output

• Should discuss any default file and directory permissions defined in system-wide configuration files.


The Perimeter Security Policy

• Describes, in general, how perimeter security is maintained.

• Describes who is responsible for maintaining it.

• Describes how hardware and software changes to perimeter security devices are managed and how changes are requested and approved.


Some Elements

• Should discuss who can obtain privileged access to perimeter security systems.

• Should discuss the procedure to request a perimeter device configuration change and how the request is approved.

• Should discuss who is allowed to obtain information regarding the perimeter configuration and access lists.

• Should discuss review cycles for perimeter device system configurations.


Virus Protection and Prevention Policy

• Provides baseline requirements for the use of virus protection software.

• Provides guidelines for reporting and containing virus infections.

• Provides guidelines for several levels of virus risk.

• Should discuss requirements for scanning email attachments.

• Should discuss policy for the download and installation of public domain software.


Virus Protection and Prevention Policy

• Should discuss frequency of virus data file updates.

• Should discuss testing procedures for installation of new software.

Password Policy

• Provides guidelines for how user-level and system-level passwords are managed and changed.
• Discusses password construction rules.
• Provides guidelines for how passwords are protected from disclosure.
• Discusses application development guidelines for when passwords are needed.
• Discusses the use of SNMP community strings and pass-phrases.

Other Important Policies

• A policy which addresses forwarding of email to offsite addresses.
• A policy which addresses wireless networks.
• A policy which addresses baseline lab security standards.
• A policy which addresses baseline router configuration parameters.
• A policy which addresses requirements for installing devices on a dirty (untrusted) network.

Security Procedures

• Policies only define "what" is to be protected.
• Procedures define "how" to protect resources and are the mechanisms to enforce policy.
• Procedures define detailed actions to take for specific incidents.
• Procedures provide a quick reference in times of crisis.
• Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).


Configuration Management Procedure

• Defines how new hardware/software is tested and installed.

• Defines how hardware/software changes are documented.

• Defines who must be informed when hardware and software changes occur.

• Defines who has authority to make hardware and software configuration changes.

Defense in Depth security model

• A key component of this model is that the loss or failure of a single component does not compromise the entire information infrastructure.
• Critical systems should be fault tolerant and have hot standbys available. There should also be strong configuration management controls.
• Good configuration management practices will limit system changes that may trigger false alerts or failures.
• Each system needs established baseline standards. Documentation of initial configurations should be supplemented by a system that details all patches, updates and other modifications made to each machine.
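The baseline-and-change-record requirement on this slide, together with the Configuration Management Procedure above, can be checked mechanically, as in this added example (not code from the original slides). It records a digest of every file the hardening standard covers, then reports files that changed, disappeared or appeared, and separates changes that match an approved CM record from those nobody documented. The file paths, contents and CM records are constructed in memory so the script runs offline.

```python
"""Configuration baseline and drift check: an added example, not from the
original slides. The baseline is a SHA-256 digest per file covered by the
hardening standard; a later audit reports what changed, vanished or appeared,
and matches each change against the configuration-management records so
undocumented changes stand out. File contents here are constructed in-memory
dicts so the script runs offline; on a real host you would read the files the
standard lists."""
import hashlib
from typing import Dict, List, Tuple


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> digest, recorded when the system is first built to the standard."""
    return {path: digest(data) for path, data in files.items()}


def audit(baseline: Dict[str, str], current: Dict[str, bytes],
          change_records: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Compare the host against its baseline. change_records are (ticket, path,
    approved digest) entries from the CM log."""
    now = take_baseline(current)
    approved = {(path, h) for _, path, h in change_records}
    changed = sorted(p for p in baseline if p in now and now[p] != baseline[p])
    return {
        "documented": [p for p in changed if (p, now[p]) in approved],
        "undocumented": [p for p in changed if (p, now[p]) not in approved],
        "missing": sorted(p for p in baseline if p not in now),
        "unexpected": sorted(p for p in now if p not in baseline),
    }


# Constructed baseline, taken when the host was built to the standard.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"Protocol 2\nPermitRootLogin no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/inetd.conf": b"# all services disabled\n",
    "/etc/motd": b"Authorized use only.\n",
}

# Constructed state of the same host some weeks later.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"Protocol 2\nPermitRootLogin yes\n",              # nobody filed a change for this
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\ntoor:x:0:0::/:/bin/sh\n",  # a second uid-0 account
    "/etc/motd": b"Authorized use only. Sessions are monitored.\n",             # approved change, see CM-1042
    "/etc/rc.d/rc.local": b"/usr/local/sbin/agent &\n",                         # not in the baseline at all
}

# Constructed CM records: (ticket, path, digest of the approved new content).
CHANGE_RECORDS = [
    ("CM-1042", "/etc/motd", digest(b"Authorized use only. Sessions are monitored.\n")),
]

if __name__ == "__main__":
    baseline = take_baseline(BASELINE_FILES)
    for kind, paths in audit(baseline, CURRENT_FILES, CHANGE_RECORDS).items():
        print(f"{kind:12s} {paths}")
```

The CM record stores the digest of the approved content, not just the path, so a file that was changed once with approval and then changed again without it still shows up as undocumented; that is the check the procedure's "who has authority to make changes" bullet needs.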

Source: http://www.networkcomputing.com/1214/1214ws1.html

DMZ has evolved, however, to mean an isolated network segment for providing services to untrusted systems. Today the term is most often used by IT professionals to refer to a network segment between two firewalls (see "sandwich DMZ"), or a "dead-end" or "wing" network connected to a firewall (see "Single-Firewall DMZ"). Other common names for a DMZ are services network and atrium.


Solution for Systems Architecture: Internet Data Center

Source: http://img.cmpnet.com/nc/815/graphics/hotspots.pdf


Data Backup and Off-site Storage Procedures

• Defines which file systems are backed up.

• Defines how often backups are performed.

• Defines how often storage media is rotated.

• Defines how often backups are stored off-site.

• Defines how storage media is labeled and documented.

© Minder Chen, 1998-2005 Security Policies - 61

Incident Handling Procedure

• Defines how to handle anomaly investigation and intruder attacks.

• Defines areas of responsibilities for members of the response team.

• Defines what information to record and track.

• Defines who to notify and when.

• Defines who can release information and the procedure for releasing the information.

• Defines how a follow-up analysis should be performed and who will participate.

© Minder Chen, 1998-2005 Security Policies - 62

Policy Resources

• RFC2196 - The site security procedures handbook at http://www.ietf.org/rfc/rfc2196.txt?Number=2196

• Some useful web sites:
– www.gatech.edu/itis/policy/usage/contents.html
– csrc.nist.gov/isptg/

© Minder Chen, 1998-2005 Security Policies - 63

Recap

• Policies are a crucial part of the infrastructure.

• Trust is frequently an issue.

• Key policies:
– acceptable use policy
– remote access policy
– information protection policy
– perimeter security management policy

• Key procedures:
– CM procedure
– incident handling procedure

© Minder Chen, 1998-2005 Security Policies - 64

Policy, Standard, and Guideline

• A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area.
– For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.

• A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone.
– For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.

• A guideline is typically a collection of system-specific or procedure-specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended.

• Effective security policies make frequent references to standards and guidelines that exist within an organization.

© Minder Chen, 1998-2005 Security Policies - 65

Security Is an Industry Problem

“The conclusion here is that there is obviously a comparable number of security problems with the various flavors of Linux, as well as Sun’s Solaris, as there are with Windows NT 4.0 and Windows 2000.”

John McCormick, TechRepublic, Inc., September 24, 2001, based on data provided by Security Focus Bugtraq

[Bar chart: Number of incidents per platform. Platforms: RedHat Linux 7.0, Sun Solaris 8.0, Windows 2000, SCO Open Server 5.0.6, MandrakeSoft Linux 7.2. Values shown on the chart, in the order they appear: 28, 24, 24, 21, 33.]

© Minder Chen, 1998-2005 Security Policies - 67

People, Process, Product challenges?

Product
• Products lack security features
• Products have bugs
• Many issues are not addressed by technical standards
• Too hard to stay in the know and up-to-date

Process
• Designing for security
• Roles & responsibilities
• Auditing, tracking, follow-up
• Calamity plans
• Staying up-to-date with security development

People
• Lack of knowledge
• Lack of commitment
• Human error

© Minder Chen, 1998-2005 Security Policies - 68

Why Is It Hard to Get Secure? Customers Need Our Help

• I didn’t know which patches I needed
• I didn’t know where to find the updates
• I didn’t know which machines needed the update
• We updated our production servers, but the 4,000 rogue servers got infected

More than 50% of the customers affected by Code Red were not patched in time for Nimda.

The product update failed because the people and process weren’t there to implement the fix.

© Minder Chen, 1998-2005 Security Policies - 69

STPP: “Get Secure”

Free Virus Support Hotline (Now)
– 1-866-PCSAFETY (1-866-727-2338)

Security Assessment Program Offering (Now)
– Available immediately through MCS/PSS

Microsoft Security Toolkit (Now)
– Server oriented security resources for server admins
– New server security tools and updates, Windows Update bootstrap client for Windows 2000

Enterprise Security Tools (December RTM)
– Server security configuration scanner
– SMS security patch rollout tool
– Windows Update Auto-update client (Group Policy-enabled)

© Minder Chen, 1998-2005 Security Policies - 70

STPP: “Stay Secure”

Windows 2000 Security Rollup Patches (December 2001)
– Bundle all security fixes in single patches
– Reduces reboots and administrator burden

Windows 2000 Service Pack (SP3) (February 2002)
– Provide ability to install SP3 + security rollup with a single reboot

Federated Corporate Windows Update Program (February 2002)
– Allows enterprise to host and select Windows Update content

Enhanced Product Security (Ongoing)
– Provide greater security enhancements in the releases of all new products, including the Windows .NET Server family

© Minder Chen, 1998-2005 Security Policies - 71

Microsoft Security Toolkit

• Gets Windows NT and 2000 systems to a secure baseline, even in disconnected nets

• Automates server updates
– One-button wizard and SMS Scripts

• Updates and Patches
– Includes all Service Packs and critical OS and IIS patches through 10/15

• Tools
– HFNetChk
– IIS Lockdown
– URLScan
– SMS Install Scripts
– Windows Update client for Windows 2000

© Minder Chen, 1998-2005 Security Policies - 72

Security Response Process

[Flow diagram with swim lanes for the Security Team, the Product Team and Development Practices; steps in order:]

Vulnerability Reports
• [email protected]
• Mailing lists (NTBugTraq, BugTraq, etc)
• Microsoft Technical Support
• Security web sites

Triage
• Approximately 90% culled

Repro

Develop Patch/Workaround

Test

Develop Documentation
• Knowledge Base
• Premier Customer Alert
• Security Bulletin

Distribute fix and information
• Product Security Notification Service
• Mailing Lists
• www.microsoft.com/security site

© Minder Chen, 1998-2005 Security Policies - 73

The Challenge of Security

Provide services… Web access, e-mail, file access, messaging

…while protecting your assets: financial data, CPU cycles, network resources, intellectual property, customer information

The right access to the right content by the right people

Internet-enabled businesses face challenges ensuring their technologies for computing and information assets are secure, fast and easy to interact with.

© Minder Chen, 1998-2005 Security Policies - 74

Life Was Much Simpler Back Then…

Mainframe
– Terminal access
– “Glass house”
– Physical security, limited connectivity

© Minder Chen, 1998-2005 Security Policies - 75

Life Was Much Simpler Back Then…

Client-Server
– LAN connectivity
– File/print services
– Limited external access

© Minder Chen, 1998-2005 Security Policies - 76

Life Became Complex After Internet

Then the world became complex and difficult…

The Internet
– “Always on”
– E-mail, instant messaging
– The Web

© Minder Chen, 1998-2005 Security Policies - 77

Business Impact

Security Breaches Have Real Costs

• According to the Computer Crime and Security Survey 2001, by the Computer Security Institute (CSI) and the FBI:
– Quantified financial losses of at least $377M, or $2M per survey respondent
– 40% detected system penetration from the outside; up from 25% in 2000
– 94% detected computer viruses; 85% detected them in 2000

• InformationWeek estimates:
– Security breaches cost businesses $1.4 trillion worldwide this year
– 2/3 of companies have experienced viruses, worms, or Trojan Horses
– 15% have experienced Denial of Service attacks

Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2001
Source: InformationWeek.com, 10/15/01

© Minder Chen, 1998-2005 Security Policies - 78

High Profile Security Threats

Common Methods of Cyber-Crimes

• Hostile Code
– Viruses
– Worms
– Trojan horses
• Denial of Service
• Web page defacement
• Eavesdropping, Interception
• Identity theft

© Minder Chen, 1998-2005 Security Policies - 79

Recent Threats: Nimda, Code Red

• Nimda: spread by browsing an infected site or opening an infected e-mail message

• Code Red: infected Web servers and granted administrative access

• Others: Denial of Service, Defacement

• Some survived Nimda and Code Red:
– Organizations that were up to date on patches and security fixes stayed secure
– Organizations which “locked down” their systems withstood threats

© Minder Chen, 1998-2005 Security Policies - 80

Security Framework

Process
– Planning for security
– Prevention
– Detection
– Reaction

Technology
– Baseline technology
– Standards, Encryption, Protection
– Product security features
– Security tools and products

People
– Dedicated staff
– Training
– Security - a mindset and a priority
– External people

© Minder Chen, 1998-2005 Security Policies - 81

Security in a Complex World

• Security requires a framework composed of:
– Process (procedures, guidelines)
– Technology (hardware, software, networks)
– People (culture, knowledge)

• Security will fail if only focusing on part of the problem

• Technology is neither the whole problem nor the whole solution

© Minder Chen, 1998-2005 Security Policies - 82

Security Process Guidance

• Based on British Standard 7799, included in Internet Data Center guide, a 4-phase process:

• Assess
– Define security requirements
– Perform analysis of current and desired states

• Design
– Develop security solution
– Utilize Defense in Depth framework

• Deploy
– Test and implement
– Define and document policies, standards, procedures

• Manage
– Operational management
– Review and reassess on a regular basis

© Minder Chen, 1998-2005 Security Policies - 83

Internet Data Center Guide – Security

• Examples of topics included in Internet Data Center guide:
– Defense in Depth strategy
– Common Hacker Methods and Prevention
– Best practices for securing IIS
– Windows 2000 Active Directory Design and Security Policies
– Best practices for application security
– Authentication

© Minder Chen, 1998-2005 Security Policies - 84

Defense in Depth

• Industry-wide security design methodology of layering defenses:
– Perimeter defenses
– Network defenses
– Host defenses
– Application defenses
– Data and resources

• Provides a method and framework for designing security into infrastructure

• Prescriptive guidance and detail included in Microsoft Internet Data Center design guide

© Minder Chen, 1998-2005 Security Policies - 85

Deploying Secure Infrastructure

[Diagram: Internet-facing deployment.]

Windows security features: Authentication, ACLs, Active Directory

ISA Server: Enterprise Class Firewall, Application level filtering

.NET Enterprise Server integration with Windows security

© Minder Chen, 1998-2005 Security Policies - 86

Security Tools

• In addition to product features, Microsoft has provided security-specific tools:

• IIS (one button) Lockdown Tool
– Configures server to be immune to many attacks
– Disables unneeded services
– Restricts access to system commands

• HFNetChk
– Administrator server scanning tool to ascertain patch status across servers

• URLScan tool
– ISAPI filter to run on server
– Blocks URLs that “look like” attacks
– Can be configured to match the server’s configuration

• Microsoft Personal Security Advisor
– Ascertains patch status of individual workstation

© Minder Chen, 1998-2005 Security Policies - 87

Security Depends on People

From Information Security Magazine July 1999 - "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"

Security must be a conscious priority

[Pie chart of survey responses. Categories: Budget Constraints; Lack of Senior Management Support; Lack of Employee Training / End-User Awareness; Lack of Competent Infosecurity Personnel; Lack of Internal Policies; Lack of Centralized Authority; Technical Complexity; Unclear Responsibilities; Lack of Good Security Products; Other. Percentages shown on the chart, in the order they appear: 9%, 29%, 14%, 10%, 9%, 8%, 8%, 6%, 4%, 3%.]

© Minder Chen, 1998-2005 Security Policies - 88

© Minder Chen, 1998-2005 Security Policies - 89

Product-Level Technology

• Windows: Active Directory, authentication, secure protocol support

• ISA Server: Enterprise firewall and application filtering

• .NET Enterprise Servers: integration with Windows security features: authentication, secure protocol support

© Minder Chen, 1998-2005 Security Policies - 90

HIPAA

• HIPAA stands for Health Insurance Portability and Accountability Act.

• Passed in 1996, HIPAA is designed to protect confidential healthcare information through improved security standards and federal privacy legislation.
– It defines requirements for storing patient information before, during and after electronic transmission.
– It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trail, disaster recovery plans, information access control, and encryption.
– These security standards for information access control and encryption may have the most significant impact on how the industry conducts its business.

© Minder Chen, 1998-2005 Security Policies - 91

Complying with Security Standards

• There are more than sixty-eight information security conditions in three areas that must be met to ensure compliance with HIPAA. These areas are:
– Technical Security Services: user authorization and authentication, access control and encryption
– Administrative Procedures: formal security planning, record maintenance and audits
– Physical Safeguards: security to building, privacy for office and workstations that handle patient information

© Minder Chen, 1998-2005 Security Policies - 92

Elements Covered by Security Policies

• access controls – usually descriptions of logon warning screens on a computer and access lists for dedicated computer rooms, non-disclosure agreements.

• system backups – by whom, how often and where stored (offsite is best).

• incident handling – what should be reported, to whom, what will be the response, by whom.

• virus protection – mandatory installation of, how often updated (automatic or manual), virus incident handling.

• unauthorized access – who is allowed to access the company's computer assets and LAN

• monitoring – stating who will monitor the network for internal and external intrusions, and users for violations of security policies, who has access to intrusion detection devices, who will review and/or disseminate the logs.

• encryption – what is the company standard encryption methodology, when will encryption be used and by whom.

• digital signatures – what is the company standard, when will digital signatures be used and by whom.

© Minder Chen, 1998-2005 Security Policies - 93

Continued…

• web presence – what is and is not allowed to be placed on a public web server and who is allowed to publish

• disposing of resources – how to, by whom

• passwords – duration, number of and what type of characters, who must use passwords, for what and when, how to create. (UNI-C)

• use of personal resources within the company – allowed or not allowed, if so, under what conditions

• inspections and reviews – of what resources, how often, conducted by whom

• entertainment software, games, etc. – allowed or not allowed, if allowed, when they can be used.

• removable media – CDs, floppy disks, for personal or company use and usage marked

• freeware or shareware – authorized or not, if authorized, under what conditions. Excellent definitions of both shareware and freeware can be found on the Internet (CFS)

• software copyrights – software copyright laws are very stringent (SIIA), who will be liable if a copyright is violated, who is responsible to ensure copyrights are not violated.

© Minder Chen, 1998-2005 Security Policies - 94

Continued…

• personnel/physical security – what happens if a system containing sensitive information is moved out from behind a locked door.

• vendor responsibilities – what rules will a vendor follow when using a company IS asset or when using its own assets on company premises.

• public disclosure – who can release information to the public and under what restrictions, and what about non-disclosure agreements for employees as well as vendors.

• computer room facilities/areas – IS Security personnel should be involved in the design stage of new computer room facilities in order to ensure safeguards to protect company IS assets.

• system configuration change – changes that alter the security profile (risk) of a company IS asset should not be instituted without consulting IS Security personnel first.

© Minder Chen, 1998-2005 Security Policies - 95

Continued…

• audit of IS Security compliance – who will audit for compliance? (the Audit Department), how will the audit be conducted. An excellent source for auditing criteria is the Information Systems Audit and Control Association (ISACA™). They publish several auditing guidelines, some free for downloading.

• security awareness and training – mandates an IS Security awareness training program, indicates who should attend this training, how often training will be conducted and what will be included in the training.

• inventory of IS assets – who should keep an inventory of all the company's IS assets, who should have access to that inventory, is it available to the risk management/audit teams

• documentation – to support risk management what support documentation should be maintained, by whom and how (electronically, etc.), i.e. risk assessment, countermeasures, test results documentation, standard operating procedures (SOPs), disaster recovery/contingency plans.

© Minder Chen, 1998-2005 Security Policies - 96

Business Mission is Critical

[Diagram: "Technology disruption . . . leads to lost . . ." data, constituency data, decision capability, productivity and credibility, and to poor service.]

Today, information is the axis on which your agency revolves. When information is unavailable to an organization, it is at risk of losing its competitive edge.

Source: Availability and Continuity of Operations for Web Infrastructures
Bob Barr, Director, Government Marketing, Dell Computer Corporation, February 6, 2002

© Minder Chen, 1998-2005 Security Policies - 97

Drivers for Continuity Services

• Seventy-two percent (72%) of companies do not have a business continuity plan.

• Fifty percent (50%) of companies who experience a major disruption are no longer in business 1 to 2 years later.

• Business interruptions cost billions of dollars in lost revenue and penalties. System outages and downtime have an especially large effect on e-businesses:
– For example, eBay lost 28% of its market capitalization following a 22-hour outage, a decrease of over $3B.
– Forrester Research estimates that Amazon.com would lose $4.5M in revenue in 24 hours of downtime. Yahoo would lose $1.6M for 3 hours; companies as large as Intel and Cisco would lose $35M, $33M, and $30M in 24 hours, respectively.

• Most downtime is not attributable to a “disaster”:
– 40 percent of downtime is caused by application failures (e.g., performance issues or "bugs")
– 40 percent by operator error or lack of procedures
– 20 percent by system or environmental failures.
– Overall, less than 5 percent of application downtime is attributable to disasters.

© Minder Chen, 1998-2005 Security Policies - 98

Downtime - Planned & Unplanned

[Chart: Percent Uptime (70 to 100) against Days (1 to 15), with a 100% Uptime Goal line.]

Lost Time Factors

Planned
• Maintenance
• Backup
• Upgrades
• Transitions

Unplanned
• Human Error
• Fire, Catastrophe
• Equipment Failure

© Minder Chen, 1998-2005 Security Policies - 99

The Cost of Downtime

Information inaccessibility causes inefficiencies that translate into lost dollars.

Industry        Business Function      Cost Range Per Hour    Average Cost Per Hour of Downtime
Financial       Brokerage Operations   $5.6 – 7.3 Million     $6.45 Million
Financial       Credit Card Sales      $2.2 – 3.1 Million     $2.6 Million
Financial       ATM Fees               $12,000 – 17,000       $14,500
Media           Pay-Per-View           $67,000 – 233,000      $150,000
Media           Tele-Ticket Sales      $56,000 – 82,000       $69,000
Retail          Home Shopping (TV)     $87,000 – 140,000      $113,000
Retail          Home Catalog Sales     $60,000 – 120,000      $90,000
Transportation  Airline Reservations   $67,000 – 112,000      $89,500
Transportation  Package Shipping       $24,000 – 32,000       $28,000

© Minder Chen, 1998-2005 Security Policies - 100

The Causes of Downtime

When a failure occurs, it makes an impact. Whether or not downtime is the result depends on how well information is protected.

Causes of Failure                Examples                                                             Impacts…
Software defects/failures        Driver hangs, OS hangs/reboots, virus, file corruption               Platform, data, applications
Planned administrative downtime  Upgrade components, firmware, drivers, O/S, software                 Platform, data, applications
Operator error                   Accidental file deletion, unskilled operation, guessing              Platform, data, applications
System outage/maintenance        Software/systems requiring reboot, system board failure              Applications
Component failure                Bad memory chip, fan, power, HDD, data path, controller              Platform, data
Building/site disaster           Fire, storms, collapse, explosion, and other localized disasters     Site
Metropolitan disaster            Earthquake, hurricanes, floods, other regional natural catastrophes  Site

© Minder Chen, 1998-2005 Security Policies - 101

Foundations for Business Continuity

Business Continuity means…

Highly Available Systems – Maintaining the availability of systems critical to ongoing agency operations during a system failure or service outage…

Disaster Recovery Systems – Recovering from unplanned, catastrophic events or disasters in an orderly, timely, appropriate manner based on the risk, costs and importance of the business system…

Security – Protecting people, processes and technology from threats in order to avoid a disruption of normal business operations…

Continuing with your Business: a Business Continuance Plan spanning Technology, Processes and People.

© Minder Chen, 1998-2005 Security Policies - 102

Traditional Definitions of Availability

[Chart: average system price ($10K, $100K, $1M, $10M) plotted against downtime hours per system per year (100, 10, 1, 0.1) and system availability (99.0%, 99.9%, 99.99%, 99.999%). Tiers, from highest to lowest: Contiguous Processing, Fault Tolerant, Fault Resilient, High Availability, Commercial Availability.]

Annotations on the chart:
– Multiple Machines with Recovery Mechanisms, 24x7 proactive & reactive support
– Redundant system components, RAID for Data
– Redundant Architectures
– Specialized Logic and Components
– Utmost Reliability, Data Integrity and Security built in, 24x7 systems monitoring, business continuity services

As systems approach 100% uptime, costs begin to skyrocket, demonstrating diminishing returns on your investment.

While continuous business operation is often desired, solutions guaranteeing zero-downtime are often cost-prohibitive, especially after weighing all risks of failure and determining what kind of downtime is acceptable for your needs.

© Minder Chen, 1998-2005 Security Policies - 103

Reality Check on Availability

• Goal of availability planning is to balance cost, complexity, and flexibility in delivering the desired fault tolerance/recovery solution

• Majority of agency requirements are not at the highest levels of availability

• Assessment typically shows a varying level of availability requirements within an agency’s IT infrastructure

• Implementing and guaranteeing higher end/multiple 9’s availability
– is usually cost prohibitive to agencies
– is unrealistic in majority of environments due to complexity of implementation
– can be marred/ruined by simple human error or delay
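A worked version of the relationship behind the availability chart and the "Cost of Downtime" table, tying them to the reality check above (an added example, not from the original deck): it converts an availability percentage into hours of downtime per year and an expected annual loss using the table's average cost-per-hour figures, then compares the loss avoided by an extra nine against what that tier costs to run, which is the diminishing-returns argument the slides make. The yearly upgrade cost is an assumed figure supplied by the caller; the deck gives none.

```python
"""Annual downtime implied by an availability target, and what it costs.

Added worked example; it is not part of the original slide deck. The
cost-per-hour figures are the averages from the deck's "Cost of Downtime"
table and the availability tiers are those on its availability chart.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

HOURS_PER_YEAR = 365 * 24  # 8760 h; leap years ignored

# Average cost per hour of downtime in USD (from the deck's table).
COST_PER_HOUR: Dict[str, float] = {
    "Brokerage Operations": 6_450_000,
    "Credit Card Sales": 2_600_000,
    "ATM Fees": 14_500,
    "Pay-Per-View": 150_000,
    "Tele-Ticket Sales": 69_000,
    "Home Shopping (TV)": 113_000,
    "Home Catalog Sales": 90_000,
    "Airline Reservations": 89_500,
    "Package Shipping": 28_000,
}

# Availability tiers from the chart, as percentages.
AVAILABILITY_TIERS: Tuple[float, ...] = (99.0, 99.9, 99.99, 99.999)


def downtime_hours_per_year(availability_pct: float) -> float:
    """Hours per year a system may be down and still meet the target."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return HOURS_PER_YEAR * (1.0 - availability_pct / 100.0)


def annual_downtime_cost(business_function: str, availability_pct: float) -> float:
    """Expected yearly loss if the system uses its whole downtime budget."""
    return COST_PER_HOUR[business_function] * downtime_hours_per_year(availability_pct)


def loss_avoided(business_function: str, from_pct: float, to_pct: float) -> float:
    """Yearly loss avoided by raising availability from one tier to a higher one."""
    if to_pct < from_pct:
        raise ValueError("to_pct must be at least from_pct")
    return (annual_downtime_cost(business_function, from_pct)
            - annual_downtime_cost(business_function, to_pct))


def worth_upgrading(business_function: str, from_pct: float, to_pct: float,
                    yearly_upgrade_cost: float) -> bool:
    """True when the avoided loss exceeds what the extra nine costs per year.

    yearly_upgrade_cost is an assumed figure supplied by the caller (the
    annualised price of the redundant hardware, clustering, support and
    staff the higher tier needs); the deck gives no such number.
    """
    return loss_avoided(business_function, from_pct, to_pct) > yearly_upgrade_cost


def availability_table(business_function: str) -> List[Tuple[float, float, float]]:
    """(availability %, downtime h/yr, expected loss $/yr) for each chart tier."""
    return [(a, downtime_hours_per_year(a), annual_downtime_cost(business_function, a))
            for a in AVAILABILITY_TIERS]


if __name__ == "__main__":
    for name in ("ATM Fees", "Airline Reservations", "Brokerage Operations"):
        print(name)
        for a, hours, cost in availability_table(name):
            print(f"  {a:7.3f}%  {hours:8.3f} h/yr  ${cost:>16,.0f}/yr")
```

For an ATM-fee business, moving from 99.9% to 99.99% avoids about $114K of loss a year, so a tier that costs more than that to run is not worth buying; for brokerage operations the same step avoids roughly $50M, which is the difference in requirements the reality-check slide describes.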

© Minder Chen, 1998-2005 Security Policies - 104

The Continuity Continuum

Increasing cost, functionality and complexity, from Platform to Data to Application to Site:

Platform (In the Box)
– High Availability Server Systems: hot-swappable, redundant components with mission-critical support
– Rapid Equipment Replacement: vendor services and financing programs

Data (Beyond the Box)
– SAN, NAS & DAS: continuous data access
– Backup and Restore: real-time tape backup, off-site storage

Application (System Interaction)
– Redundant Systems/Load Balancing: server, storage, network availability
– Clustering/Application Failover: continuous application access

Site (Beyond the Building)
– Site/Datacenter Failover: re-route data to replication/mirrored sites
– Commercial Recovery Sites: resuming in hot, cold, mobile or host facilities

Maintaining the availability of systems critical to ongoing government operations during a system failure or service outage. Recovering from unplanned, catastrophic events or disasters in an orderly, timely, appropriate manner based on the risk, costs and importance of the business system.

© Minder Chen, 1998-2005 Security Policies - 105

Building Blocks of High Availability

Availability scales through the continuum, addressing the causes of downtime and recovery at each level.

Increasing cost, functionality and complexity, from Platform to Data to Application to Site.

REDUNDANCY LEVELS: Components (Platform), Data (Data), System (Application), Infrastructure (Site)

Platform – In the Box – ATTRIBUTES
– Hot Plug Devices
– Hot Plug Adapters
– ECC Memory
– Remote Management
– UPS
– Redundant Devices
– Enhanced Support

Data – Beyond the Box – ATTRIBUTES
– Redundant Data Paths
– Redundant Controllers
– Storage Area Networks
– Network Attached Storage
– Online Tape Backup
– Database Replication
– Online Volume Expansion
– Snapshot Copy
– Server Based RAID
– External SCSI Enclosure
– External Fiber Enclosures
– Enhanced Support

Application – System Interaction – ATTRIBUTES
– HA Clustering
– Redundant Networks
– Application Failover/Restart
– Data Switchover
– Database Recovery
– Application Checking
– Network Load Balancing
– O/S Advancements
– Security/Virus Integration
– Application Monitoring
– Planned Online Upgrades
– Consulting Services
– Optional HA Guarantee
– Remote Monitoring
– Enh./Premium Support

Site – Beyond the Building – ATTRIBUTES
– Custom Solution
– Site Replication
– Mirroring
– Stretch Clustering
– WAN load balancing
– Multi-tier Infrastructure
– Phone Home Systems
– Site Planning, Design & Implementation
– Change Management
– Optional HA Guarantee or Service Level Agreement
– Remote Monitoring
– Storage Service Provider On-Site Engineers/Parts
– Premium Support
– Disaster Recovery for Off-site Back-ups

© Minder Chen, 1998-2005 Security Policies - 106

Building Blocks of Disaster Recovery

Disaster Recovery scales through the continuum, to address recovery time objectives (RTO) for each level of failure…

Increasing cost, functionality and complexity, from Platform to Data to Application to Site.

FAILURE LEVELS: Hardware (Platform), Data (Data), System (Application), Infrastructure (Site)

Platform – In the Box – ATTRIBUTES
– System Diagnostics
– Online Serviceability
– Reboot on Failure
– Remote Management
– Spare parts inventory
– Vendor rapid ship & deploy
– Lease\Financing programs
– Enhanced Support

Data – Beyond the Box – ATTRIBUTES
– RAID
– Hot plug drives
– Tape Backup
– Database Replication
– Roll back/Roll forward
– Snapshot Copy
– Storage Mirroring

Application – System Interaction – ATTRIBUTES
– Application Service Provider
– Application Failover/Restart
– Data Switchover
– Database Recovery
– Security/Virus Integration
– Application Monitoring
– Consulting Services

Site – Beyond the Building – ATTRIBUTES
– Site Planning Design & Implementation
– Site Replication
– Hot site service
– Cold site service
– Mobile site service
– Disaster Recovery for Off-site Back-ups
– Off-site Data Storage
– Electronic Vaulting
– Consulting Services

© Minder Chen, 1998-2005 Security Policies - 107

Small Organization Continuity Scenario

[Diagram; legend: Network/Communications, SCSI, Power. A Business Continuity Plan covers the whole configuration.]

• Internet link: Fractional T1 or T3 (ADSL backup)
• Clients: Mobile and Workstation Users
• Servers (File/print, Messaging/email, Database, Web serving, Applications), with backup agent: rack form factor; redundant power supplies, fans, NICs; hot swap drives and components; internal disks RAID 5
• Network Attached Storage (NAS): directly attaches to network; expandable up to 7.44TB capacity; hot swap drives and components; internal SCSI disks RAID 0, 1, 5; expansion enclosures…
• Tape Backup: tape autoloader, 300-500 GB capacity, 8-36GB/hour
• UPS: 500-2000 VA and 1000-3000 VA units

© Minder Chen, 1998-2005 Security Policies - 108

Mid-Sized Organization Continuity Scenario

[Diagram; legend: Network/Communications, Fibre channel, Power. Business Continuity Plans cover the production and redundant server groups.]

• Internet link: T1 or T3 (SDSL or Fractional T1 backup)
• Clients: Mobile and Workstation Users
• Production Servers (File/print, Messaging/email, Database, Web serving, Applications), with backup agent: rack-dense form factor; redundant power supplies, fans, NICs; hot swap drives and components; internal disks RAID 0/5
• Redundant Servers (Active-Passive, Active-Active): automatic application failover, transparent to end-users, planned maintenance & upgrades
• Network Attached Storage or Storage Area Network: directly attaches to network; expandable up to 7.3TB capacity; hot swap drives and components; internal Fibre channel disks RAID 5, 1, 0; expansion enclosures…
• Tape Backup Mini-Library: tape autoloader, 4TB capacity, 80-216GB/hour
• UPS: 1000-3000 VA units

© Minder Chen, 1998-2005 Security Policies - 109

Large Organization Continuity Scenario

[Diagram; legend: Network/Communications, Fibre Channel, Power. Business Continuity Plans cover the production and redundant server groups.]

• Internet link: T1 or T3 (SDSL or Fractional T1 backup)
• Clients: Mobile and Workstation Users
• Production Servers (File/print, Messaging/email, Database, Web serving, Applications), with backup agent: rack-dense form factor; redundant power supplies, fans, NICs; hot swap drives and components; internal disks RAID 0/5
• Redundant Servers (Active-Passive, Active-Active): automatic application failover, transparent to end-users, planned maintenance & upgrades
• Storage Area Network (SAN): fully redundant storage, 64 servers; expandable up to 8.7TB capacity; hot swap drives and components; internal disks RAID 5; expansion enclosures…
• Tape Backup Library: tape autoloader, 14.4 TB capacity, 216-650GB/hour
• UPS: 1000-5000VA and 5000-16,000 VA units

© Minder Chen, 1998-2005 Security Policies - 110

Enterprise Continuity Scenario

[Diagram: two mirrored configurations, each with a Production Host at Site A and a Standby Host at Site B. The primary system holds Production A and Mirror B; the secondary system holds Mirror A and Production B, joined by a synchronous, bi-directional mirror over SP-A and SP-B direct connect Fibre Channel topologies. Local mirroring: separation of 500m. Between sites: up to 60km, over Optera 5200 devices, either single links between Optera devices or additional 5200s added for UHA. Labels: Disaster Tolerant; BCP Value Add; Mid-range NAS; High-end SAN.]

© Minder Chen, 1998-2005 Security Policies - 111

N-Tier Architecture
• Add hardware where scale needed
• Redundancy decisions made at each tier
• Simplified application development model
• Integrate Web technologies into legacy systems
(Diagram: web services, application and data tiers)

© Minder Chen, 1998-2005 Security Policies - 112

Industry Perspective
• “The N-tier architecture is the best strategy for agility, multiple points of interaction, and site-level availability without a single point of failure.” – Meta Group
• “By partitioning Website functions into components that reside separately on different systems, enterprises can achieve greater availability, scalability, and flexibility.” – Gartner Group
• “Flexibility and improved high availability are both promoted by multi-tier computing architecture.” – IDC

© Minder Chen, 1998-2005 Security Policies - 113

History of Dell.com (timeline figure, 1994/95 to 2000; series read left to right along the timeline)
• 1994/95: www.dell.com launched
• 1996: E-commerce launched; 80,000 visits/week
• 1997: Premier Pages launched; Q1 $1M/day, Q2 $2M/day, Q3 $3M/day, Q4 $4M/day; pages Q2 100, Q3 450, Q4 800; 400,000 visits/week
• 1998: Q1 $5M/day, Q2 $6M/day, Q3 $10M/day, Q4 $14M/day; pages Q1 3,000, Q2 5,750, Q3 8,500, Q4 12,000; 1,500,000 visits/week
• 1999: Online Configurator launched; Q1 $18M/day, Q2 $30M/day, Q3 $35M/day, Q4 $40M/day; pages Q1 19,000, Q2 27,000, Q3 35,000, Q4 40,000; 3,000,000 visits/week
• 2000: Q1 $40M/day, Q2 $50M/day; pages Q1 45,000; 50,000+ pages; 4,000,000+ visits/week; 50+% of total revenue

© Minder Chen, 1998-2005 Security Policies - 114

Basic Infrastructure (diagram: web, app and data tiers)

© Minder Chen, 1998-2005 Security Policies - 115

Site Architecture
• Hardware – Dell on Dell
 – Entire site runs on Dell hardware
• Development – Microsoft COM/DCOM
 – Windows 2000, IIS, Commerce Server, SQL
• Website – Internally hosted and supported
 – Multiple data center locations
 – Eliminate “single points of failure”
• Resources – MS Trained and Certified
 – MCSE, MCSD, MCP, etc.

© Minder Chen, 1998-2005 Security Policies - 116

Server Utilization
• 10 static content web servers
 – Static HTML pages
• 120+ application servers
 – Load Balanced with PowerApp.Big-IP
 – Segmented by function and responsibility
• 50+ database servers
 – Segmented by application support
• 160+ “non-production” backend servers
 – Mirrors, staging, backup, prototype, & testing

© Minder Chen, 1998-2005 Security Policies - 117

Availability: 99.9985%

© Minder Chen, 1998-2005 Security Policies - 118

Web Servers
• Front-end web servers hold static content
 – Microsoft Windows 2000 Advanced Server, Microsoft Internet Information Server 5.0 (IIS), Network Load Balancing (NLB)
 – Provide access to applications
 – Multiple mirrored copies of content
• PowerEdge 2550 servers (10)
 – 2 processors, 512MB RAM, 5x9GB disk, RAID 5

© Minder Chen, 1998-2005 Security Policies - 119

Availability: Web Services
(Diagram: Cisco Distributed Director in front of the static web servers)
The static layer uses “round robin” load balancing from the Cisco Distributed Director (DD), and all ten 2550 servers provide the same service, so the loss of any one server is not noticed by the site and the server can easily be replaced.

© Minder Chen, 1998-2005 Security Policies - 120

Application Servers
• Microsoft Commerce Server 2000
 – Separate servers by function
 – Load Balanced “clusters”
 – Smooth Scaling as needs arise
 – Provides views “into” data layer: index and search, usage analyst, commerce applications, personalization and membership, Content Deployment Service, custom developed components
• PowerEdge 4400 & 2450 servers (120+)
 – 2 processors, 1-2GB RAM, 6x9GB disk, RAID 5

© Minder Chen, 1998-2005 Security Policies - 121

Availability: Application Layer
The application layer uses both Windows clustering technology (Windows 2000 Advanced Server, 2-node clustering) and intelligent load balancing (NLB) to provide high availability of applications as well as improved response time.

© Minder Chen, 1998-2005 Security Policies - 122

Database Servers
• Microsoft SQL Server 2000
 – Standardized on one relational database
 – Microsoft Cluster Server (MSCS)
 – High performance
 – ADO and Active Server Pages (ASP)
 – Tight integration with Microsoft tools
• PowerEdge 6450 & 8450 servers (50+)
 – 2-8 processors, 2-16GB RAM, 6x9GB RAID 5
 – External Storage when required

© Minder Chen, 1998-2005 Security Policies - 123

Availability: Data Layer
• Database reliability is provided by utilizing RAID (Redundant Array of Independent Disks) levels 1 and 5
• The SAN, utilizing Fibre Channel technology, offers high availability by providing redundant components including Host Bus Adapters, switches and RAID controllers within the storage array.
(Diagram: PowerVault 6450, PowerVault 650 and PowerVault 630 storage units)

© Minder Chen, 1998-2005 Security Policies - 124
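The N-Tier Architecture slide says redundancy decisions are made at each tier, and the three availability slides above describe how each tier of the site is made redundant (a round-robin pool of static web servers, 2-node application clusters, and MSCS database clusters). The following added example, which is not part of the slides or of Dell's own tooling, turns that idea into a small reliability model: each tier is a pool of redundant nodes in parallel, and the tiers are in series, so the site is only up while every tier is up. The per-node availability values in DEMO_TIERS are constructed illustrations, not measured figures.

```python
"""Composite availability of an N-tier site with redundancy at each tier.

Added example, not from the slides or from Dell: each tier is a pool of
redundant servers (the tier serves while at least `need` of its `nodes`
are up), and the tiers are in series (the site serves only while every
tier does). The per-node availability figures in DEMO_TIERS are
constructed illustrations, not measured values.
"""
from math import comb
from typing import List, NamedTuple


class Tier(NamedTuple):
    name: str
    nodes: int          # servers in the pool
    need: int           # minimum nodes that must be up for the tier to serve
    node_avail: float   # availability of a single node, 0..1


def tier_availability(t: Tier) -> float:
    """P(at least `need` of `nodes` independent nodes are up): a binomial tail."""
    if not 1 <= t.need <= t.nodes:
        raise ValueError(f"{t.name}: need must be between 1 and nodes")
    if not 0.0 <= t.node_avail <= 1.0:
        raise ValueError(f"{t.name}: node_avail must be in [0, 1]")
    p, q = t.node_avail, 1.0 - t.node_avail
    return sum(comb(t.nodes, k) * p ** k * q ** (t.nodes - k)
               for k in range(t.need, t.nodes + 1))


def site_availability(tiers: List[Tier]) -> float:
    """Tiers in series: the product of the tier availabilities."""
    total = 1.0
    for t in tiers:
        total *= tier_availability(t)
    return total


def downtime_minutes_per_year(avail: float) -> float:
    """Unavailability expressed as minutes of outage in a 365-day year."""
    return (1.0 - avail) * 365 * 24 * 60


def weakest_tier(tiers: List[Tier]) -> str:
    """The tier that bounds site availability, i.e. where extra hardware pays off most."""
    return min(tiers, key=tier_availability).name


# Constructed illustration mirroring the slides' shape: a round-robin static
# web pool, a 2-node application cluster, and a 2-node database cluster.
DEMO_TIERS = [
    Tier("web (round-robin pool)", nodes=10, need=1, node_avail=0.99),
    Tier("app (2-node cluster)", nodes=2, need=1, node_avail=0.99),
    Tier("db (2-node MSCS cluster)", nodes=2, need=1, node_avail=0.99),
]

if __name__ == "__main__":
    for t in DEMO_TIERS:
        print(f"{t.name:28s} {tier_availability(t):.8f}")
    a = site_availability(DEMO_TIERS)
    print(f"site availability {a:.6f}, about {downtime_minutes_per_year(a):.0f} min/year down")
    print("weakest tier:", weakest_tier(DEMO_TIERS))
```

With the constructed figures the ten-server web pool contributes essentially no downtime, and the two 2-node clusters bound the site at roughly 99.98%; the model assumes independent node failures, so shared components (a single switch, a single power feed) must be modelled as their own serial tier to avoid overstating the result.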

Availability: Hardware
• Redundant / Hot Swappable
 – Power Supplies
 – Fans
 – Hard Drives – replaced before failure through pre-failure warranty program *
 – System Backplane supports hot plug hard drive support
 – Battery Backed Cache
 – Dual embedded NICs with fail-over support
• * The Self-Monitoring, Analysis, and Reporting Technology (SMART) function sends notice to the administrator that a hard drive is getting ready to fail

© Minder Chen, 1998-2005 Security Policies - 125

Availability: System Mgmt.
• Server & Application monitoring & alerting
 – NetIQ AppManager®
 – Dell OpenManage
• ISP and internal network operations
• Overall site performance reporting
 – Keynote Systems
• Application Load testing
 – Mercury Interactive LoadRunner®
• “Click stream” capture & analysis

© Minder Chen, 1998-2005 Security Policies - 126

Continuity of Operations (Disaster Recovery)

© Minder Chen, 1998-2005 Security Policies - 127

Continuity of Operations
• Data Center Site Redundancy
 – Primary data center has dual power feeds from two different power companies
 – Battery backup and generator power
 – Multiple ISP connectivity
 – Physical access restricted
• Data Back Up and Retrieval
 – Data is backed up to disk, then to tape
 – Tape stored offsite – daily rotation

© Minder Chen, 1998-2005 Security Policies - 128

Continuity of Operations (network diagram; components recovered from figure labels)
• Data Center 1: ISP 1, 2, 3 over 3 x DS3; Router, Cisco DD, IDS, Web Servers, App Servers, SQL Servers
• Data Center 2: ISP 4, 5, 6 over 3 x DS3; Router, Cisco DD, IDS, Web Servers, App Servers, SQL Servers
• Both data centers sit in a DMZ; firewalls (FW) separate the DMZ tiers from the Corporate Network

© Minder Chen, 1998-2005 Security Policies - 129

Web Infrastructure Security
• Routers
 – Follow rule-based traffic acceptance
 – Allow for minimum ports open (ex. HTTP, FTP, SSL)
• Firewalls
 – DMZ-based architecture
 – No sacrificial “honey pot” systems
• Servers
 – Integrate NTFS security and Access Control Lists
 – Limited "administrator" access to production servers
 – Focus on good planning, not fancy technology
• Monitoring, Alerting, and Auditing
 – Stay current on service-packs, patches, and hot fixes
 – Year-round internal and external audits
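The router bullet above asks for rule-based traffic acceptance with only the minimum ports open (HTTP, FTP, SSL), and the auditing bullet asks for year-round audits. The following added example, which is not from the slides or from Dell, is a small audit script for exactly that policy: it parses a constructed set of Cisco IOS-style numbered extended ACL lines (`access-list <n> permit|deny <proto> <src> <dst> [eq <port>]`) and reports every permit that opens a port outside the allowed set, every permit that leaves the destination port unconstrained, and an ACL that does not end with an explicit deny. The addresses and ACL number are documentation placeholders, not a real site's rules.

```python
"""Audit a router ACL against a minimum-open-ports policy.

Added example, not from the slides or from Dell. It understands a simplified
IOS extended ACL grammar (constructed sample below) and flags deviations
from "only HTTP, FTP and SSL inbound, everything else denied".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum set of inbound services the DMZ policy allows (slide: HTTP, FTP, SSL).
ALLOWED_PORTS: Dict[int, str] = {80: "HTTP", 21: "FTP", 443: "SSL"}


@dataclass
class Rule:
    line_no: int
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "ip", ...
    src: str
    dst: str
    port: Optional[int]   # destination port from "eq <port>", None if absent


@dataclass
class Finding:
    line_no: int
    kind: str             # "port-not-allowed", "port-unrestricted", "no-explicit-deny"
    detail: str
    port: Optional[int] = None


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse numbered extended ACL lines; blank lines and '!' comments are skipped."""
    rules: List[Rule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"line {line_no}: unrecognised rule: {raw!r}")
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = int(t[i + 1])
        rules.append(Rule(line_no, t[2], t[3], src, dst, port))
    return rules


def audit(text: str, allowed: Dict[int, str] = ALLOWED_PORTS) -> List[Finding]:
    """Return policy deviations in ACL order; an empty list means the ACL complies."""
    rules = parse_acl(text)
    findings: List[Finding] = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.port is None:
            findings.append(Finding(r.line_no, "port-unrestricted",
                                    f"permit {r.proto} {r.src} -> {r.dst} opens every port"))
        elif r.port not in allowed:
            findings.append(Finding(r.line_no, "port-not-allowed",
                                    f"port {r.port} is outside the minimum set {sorted(allowed)}",
                                    r.port))
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.proto == "ip"
                            and last.src == "any" and last.dst == "any"):
        findings.append(Finding(len(rules), "no-explicit-deny",
                                "ACL does not end with 'deny ip any any'; IOS still drops by "
                                "implicit deny, but unmatched traffic is not logged"))
    return findings


# Constructed sample ACL (documentation addresses); lines 4 and 5 violate the policy.
SAMPLE_ACL = """\
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any host 192.0.2.11 eq 21
access-list 101 permit tcp any host 192.0.2.12 eq 23
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.13
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ACL):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run against a configuration export on a schedule and diff the findings between runs; a new finding is a rule change that bypassed the policy and is worth raising in the internal audit. Named ACLs, `range`, `gt`/`lt` and object groups are outside this simplified grammar and would need to be added before using the script on a real export.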


Recommended