Info Security

Date post: 20-Nov-2014
Upload: chris20854
Description:
This is a project I completed while working on my Master's Degree in Information Systems Management.
‘Web-Tech Home Improvement’
An Analysis of the Information Security Infrastructure For an E-Commerce Home Improvement Company.

SE571 – Term Project
Course Project

Final Report

Chris McCoy
Keller Graduate School of Management

DeVry University
3/13/2007

SE571 - ‘Web-Tech Home Improvement’: An Analysis of the Information Security Infrastructure for an E-Commerce Home Improvement Company.
Chris McCoy

SE571 - Course Project

Presentation to the Board of Directors – WTHI (Web Tech Home Improvement)

Members of the Board, it is a pleasure to address you today on the subject of Corporate Information Security. As you may be aware, the security of information here at WTHI is critical to the company’s ability to maintain its competitive advantage as a Domestic Supplier of Home Improvement Fixtures. Today, we are proud to lead in our market by way of a strategic sales channel that allows our customers to receive their home improvement items faster than they would from our other online competitors.

I would like to share with you a quote from the recent InfoSec conference held in Florida at the end of March, “Attackers probably have less interest these days in bringing down large numbers of computers than exploiting the data in them for financial gain, said Doug Sweetman, senior technology manager in corporate information security at Boston financial services firm State Street.”1 (As cited in Network World, 2007)

These words from Mr. Sweetman should be considered our call to arms to improve the current state of our corporate security. It is a loud and powerful wakeup call that we cannot ignore. In order to maintain our competitive advantage, expand our marketing channels and improve upon our abilities for future growth, we must first consider the improvement of those safeguards necessary to protect our vital technological resources: our four distribution centers, supply chain systems, our e-commerce database information and our datacenters, containing the equipment needed to support the transactions from which we generate and grow revenue via our most powerful resource, the World Wide Web. The data that attackers seek to exploit for financial gain, as mentioned in the quote from ‘InfoSec’, is our financial and transactional e-commerce data. This data is the vital link between us and our customers. It is at the heart of our competitive edge. The key to keeping that link strong is maintaining a powerful, secure, well monitored environment where our physical and information assets are protected in an ongoing process. We have made great strides, but the time to take great action is now.

1 Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).

This report will discuss the current status of our physical and information security infrastructure and the steps we must take to improve these systems to better protect our data and maintain our leadership position in the ‘Home Improvement Appliance’ market.

There are 2 major components that make up the security of our information enterprise. First is the physical security of our 4 locations. Our ability to perform adequate video surveillance and access control at each of these sites is critical to protecting our information and physical assets. Second is the protection of our data, databases and complete information systems infrastructure. Finally, a third component is necessary to tie these two items together: Increased Bandwidth and Restructuring of our Wide Area IP Network. Such an increase will allow us to support the need for additional bandwidth and security required by the new technologies introduced later in this report.

Following a comprehensive analysis of the security here at WTHI, we have determined that the existing security infrastructure must be improved if we are to continue our competitive advantage. To ignore this critical need could cost us this leadership position in the market or worse, compromise the integrity and security of our data. A recent report from our CFO indicates that the company’s current e-commerce revenue averages $45,000.00 per hour. In the event our e-commerce capability is interrupted due to a security breach, we will lose $750.00 per minute in revenue. Most of this revenue will go to one of our competitors: either traditional ‘brick and mortar’ (physical) store locations such as “Home Depot”, “Lowe’s”, “True-Value Hardware”, “Sears”, and “The Home Expo Center”, or Web-based e-commerce sellers such as “Fixture Universe” (www.fixtureuniverse.com) and “Finestfixtures.com” (www.finestfixtures.com). With every minute of lost revenue comes a lost minute of competitive advantage, as we come one step closer to losing our market share in the online home improvement market. With our current Information Technology and Information Security infrastructure, there is no question as to whether we will suffer an outage. It’s simply a matter of when. The purpose of today’s presentation is to show you where we are, where we need to be, and what we need to do to get there in terms of a Capital Investment in the Security of our Physical and Informational Assets.

Though the picture painted here is not pretty, there is good news. The proposed plan of Security for WTHI has a very short ROI. Approximately 10 hours of revenue will pay for the required improvements to our infrastructure. Every 3 hours of revenue will pay for 1 year of WAN service, and 1 hour of revenue will cover more than 2 years of technical support on every piece of equipment shown in today’s presentation.

To begin our presentation, we will look at the physical security in place at all four of our distribution centers. Today, the buildings in our Washington DC, Los Angeles, Dallas, and Chicago offices are all secured via ‘Acme Security’, a vendor we selected 3 years ago to provide on site security guards and camera monitoring. Today, these security guards continue to work hard to meet the Service Level Agreements of our contracts, but these SLAs are no longer sufficient to provide WTHI with a system capable of keeping our Datacenters safe from intrusion and theft.

There are two major technology components in the Physical Security Plan:

1. Physical Access Control to the Building perimeters, parking lot, front door, loading dock, elevators and specific internal areas such as the Warehouse and Computer room where access should be restricted. A need to control access using individual employee badges is identified below.

2. Closed Circuit Video Camera Surveillance of the critical access areas including the main entrance, parking lot, lobby, computer room, loading docks, and inside warehouse.

The diagram below shows the current state of the camera surveillance and physical perimeter access control (none) in place and identifies areas where security weaknesses exist.

This diagram identifies four weaknesses in our current facilities security plan:

1. There is no way to track who is in the building at any given time of the day.

2. The Camera System reports to a local camera monitor and is recorded locally to video tape, but each tape only holds 8 hours of video. Should the guard forget to change tapes, there will be no record kept of the security video.

3. The Data Center Doors and Perimeter Doors offer no way to limit entrance into critical areas such as the Data Center.

4. The camera systems are antiquated and need to be replaced. Identifying minor details in the video image is difficult.

A security solution is required to mitigate the risk of an intrusion into our buildings and theft of our information systems and assets.

A network-based video solution is recommended to help better manage the perimeter access to all four of WTHI’s facilities. An article from the “Journal of Housing and Community Development” highlights the value of investment in such a system. As Stennett and Wren (2006) observe, “By supporting access control and other systems, network video can improve their effectiveness and even generate additional return-on investment on those technologies.”2

Technology Solution

With a digital video system, smaller ‘PTZ’ analog video cameras will record continuously to a digital video recorder, where their signal format is transformed from analog to digital, then stored on a large hard drive and transferred to the central Chicago security center’s main DVR unit. This recorder will offload its digital video across the network to a central server in the Chicago Office once the digital recorder reaches 70% capacity. The additional 30% is planned ‘overhead’ digital storage capacity that will allow the recorder to continue to capture video in the event of a network outage where the regular transfer of footage cannot be completed at its scheduled time.

2 Christopher A Stennett, Andrew Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).

The following diagram provides a visual representation of the proposed video solution:

Note that the Camera system can now be monitored locally and remotely.

The digital capability allows deeper analysis of the video with more sophisticated analysis tools in order to identify intruders and unauthorized access.

Cost information for proposed solution:

Solution: Digital Video

Vendor info: Vicon Systems
Cost info:
  4 DVRs @ $8,000.00 ea = $32,000.00
  36 PTZ Cameras @ $463.85 ea = $16,698.60
  Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
  Digital Video Archive: EMC Clariion Ax (500 Gb expandable archive) $6,000.00
Total Cost - Video: $56,251.00

Vendor info: Alternative Security
Cost info:
  (4) 9-camera complete systems w/ cameras and DVR's @ $2,699.00 ea = $10,796.00
  PTZ Cameras: n/a (included above)
  Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
  Digital Video Archive: EMC Clariion Ax (500 Gb expandable archive) $6,000.00
Total Cost - Video: $18,348.65

A diagram of the proposed DVR Centralized monitoring system is shown below:

As shown in the diagram above, camera footage is recorded locally into a DVR (Digital Video Recorder) unit. Each unit at each office is connected via the local area network and managed using a fixed IP address. Once the unit is configured with its IP information, it can communicate with the Master Control unit in Chicago, where it offloads video to a central storage device as shown above. The device will archive video for a predetermined time so it can be accessed later if needed for legal review.

Physical Access to Buildings and Facilities

The second major component of physical security at WTHI is the physical access control to all WTHI’s buildings. The current model of physical access control consists of a security guard seated at the main security desk in the lobby of each of our four locations. This guard asks all employees to show a badge. He/She also asks visitors to sign in on a ledger and show a valid ID such as a driver’s license or military ID. Once ID is verified, the security guard issues a sticker with the word “visitor” and the current date. There is nothing more than a visual indicator that the visitor has had his/her ID checked at the front desk. There is also no policy requiring visitors to sign out. We really don’t know when they come and go, only the date they were at our office.

Fortunately, technological advances in building security systems will allow us to move forward with a new system that will provide WTHI with an elaborate means for tracking employee and visitor movement throughout the building. This new system will involve issuance of a new employee badge for every employee at each site. The badge will have the Company logo, employee name and picture as well as the employee ID number. The badge will contain a small electronic chip called an RFID chip. A special device designed to read the information from this chip (called a badge reader) will be installed at every perimeter access point in each location. An additional badge reader will be installed in the elevator and on the outside main entrance door to validate after-hours and weekend access. These readers will have a keypad, which will verify the employee’s company-issued PIN. The employee will hold the badge a few inches from the reader. The reader will beep and a small display window will prompt the employee to enter his/her PIN. When this is verified, the reader will either grant or deny access to the employee. When access is granted, the reader sends a message to the control panel to unlock the door. If the employee’s access is denied, the door will remain locked. Note that not all employees should be given access to all areas. For example, warehouse employees have no need to enter the data center; however, an IT employee may need to enter the warehouse to fix a PC for shipping and receiving. Employees will be trained in the use of badge reader systems. Additional fingerprinting and training will be required for warehouse employees, as the warehouse perimeter access units will have an additional biometric fingerprint reader. Employees will be encouraged to enter all doors one person at a time. Holding doors for others is discouraged by security, and can be tracked on the camera system. Should a security officer observe an employee allowing others to enter through the same door, the manager of the employee who swiped his/her badge at that particular door will be contacted and notified of the event. Repeat violations will be reported to HR.
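The badge, PIN and per-area checks described above, sketched in Python as an added example (it is not part of the original report or of any vendor's software). The zone names, roles, badge IDs and PINs are constructed, and the fingerprint match is assumed to arrive from the reader as a yes/no result.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which roles may enter each zone, and whether the reader
# there also demands a fingerprint match (the warehouse perimeter units do).
ZONE_POLICY = {
    "main_entrance": {"roles": {"office", "warehouse", "it"}, "biometric": False},
    "warehouse":     {"roles": {"warehouse", "it"},           "biometric": True},
    "data_center":   {"roles": {"it"},                        "biometric": False},
}


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store PINs as salted PBKDF2 hashes, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Badge:
    badge_id: str
    employee: str
    role: str
    salt: bytes
    pin_hash: bytes
    enabled: bool = True  # can be switched off centrally without recalling the card


def issue_badge(badge_id: str, employee: str, role: str, pin: str) -> Badge:
    salt = os.urandom(16)
    return Badge(badge_id, employee, role, salt, hash_pin(pin, salt))


@dataclass
class AccessController:
    badges: dict
    audit_log: list = field(default_factory=list)

    def _decide(self, badge_id, pin, zone, fingerprint_ok):
        badge = self.badges.get(badge_id)
        policy = ZONE_POLICY.get(zone)
        if badge is None:
            return "unknown_badge"
        if not badge.enabled:
            return "badge_disabled"
        # Constant-time comparison avoids leaking how much of the hash matched.
        if not hmac.compare_digest(hash_pin(pin, badge.salt), badge.pin_hash):
            return "bad_pin"
        if policy is None or badge.role not in policy["roles"]:
            return "zone_not_authorized"  # unknown zones are denied by default
        if policy["biometric"] and not fingerprint_ok:
            return "biometric_required"
        return "granted"

    def request_entry(self, badge_id, pin, zone, fingerprint_ok=False):
        """Return True (door unlocks) or False (door stays locked); log both."""
        result = self._decide(badge_id, pin, zone, fingerprint_ok)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "badge_id": badge_id, "zone": zone, "result": result,
        })
        return result == "granted"

    def denials(self):
        """Denied attempts, for review by the security office."""
        return [e for e in self.audit_log if e["result"] != "granted"]


def demo_controller() -> AccessController:
    # Constructed sample staff; names, ids and PINs are illustrative only.
    staff = [
        issue_badge("B-1001", "A. Rivera", "it", "4821"),
        issue_badge("B-2002", "J. Chen", "warehouse", "7350"),
        issue_badge("B-3003", "M. Okafor", "office", "1966"),
    ]
    return AccessController({b.badge_id: b for b in staff})


if __name__ == "__main__":
    ctl = demo_controller()
    print(ctl.request_entry("B-1001", "4821", "data_center"))
    print(ctl.request_entry("B-2002", "7350", "data_center"))
    print(ctl.request_entry("B-1001", "4821", "warehouse"))
    print(ctl.request_entry("B-1001", "4821", "warehouse", fingerprint_ok=True))
    for entry in ctl.denials():
        print(entry)
```

Every attempt, granted or denied, lands in the audit log, which is the record the current guard-and-sticker process cannot produce.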

The diagram below shows placement of access point badge readers for all critical access areas:

Cost Information – Badge Access System

Due to limited pricing availability of components, a mixed solution cost from 2 vendors is shown:

Solution: Perimeter Badge Access Control

Vendor info / Cost info:
  Software House Ccure Badging System $1,000.00 (4) = $4,000.00
  Control Panels $450.00 (8) = $3,600.00
  ACTAtek badge readers $790.00 (26) = $20,540.00
  ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00
  Door Strikes - $175.00 (32) = $5,600.00
  Door Relay units - $179.00 (32) = $5,728.00

Total Cost - Badge Control System: $52,188.00

Central Control of Panel Access

Occasionally, a badge may need to be enabled or disabled or have its access level changed. Should such a request arise, the change is made centrally from the Chicago Security Center. Below is a diagram showing the connectivity of the panels into the central control facility.

Physical Security Plan Purchase and Contract Requirements including SLAs

The implementation of this two-part solution will be a combined integration project for IT and a selected vendor. Required actions to complete the implementation of this solution include:

1. Negotiate purchase price (based on cost information included above) for all equipment including cameras, collection units, and central monitoring equipment to be located in the Chicago Data Center. A total of four separate computer ‘badging’ systems with encoding capability must be purchased (one for each location). A digital fingerprint component is also required for fingerprinting employees (to be used with the biometric readers installed on the warehouse doors).

2. Negotiate inclusion of technical support contract at a 20% discount based on volume of equipment purchased, to cover equipment at all sites, including cameras, collector systems, and central monitoring station equipment.

3. Negotiate discount on tech support contract based on volume purchase for all badge control system equipment including door locks, badge readers, control panels.

3. Wiring contractor to complete the installation and wiring of all cameras and systems in the four office locations.

4. Wiring contractor to complete wiring of badge control system including door locks, readers, and control panels, including central control system at Chicago security office.

5. Separate purchase of a Storage Area Network device to Archive at least 3 months of data. This purchase will also require a technical support contract to cover hardware and software support for management of the device.

6. Negotiate the inclusion of a separate alarm system, as a part of the badge access system purchase, to monitor the Warehouse loading dock and perimeter doors. An insurance clause should be included to protect all warehouse assets against loss due to theft. The SLA for this contract should involve a maximum response from the monitoring company of 10 minutes and an immediate call to local police when no response is received from the local warehouse manager within 10 minutes.

7. SLA: Technical Support contracts for the Video and Badge Systems:

a.) Video System equipment failure: Onsite 24/7 support, technician on site within 4 hours of reported failure, 24 hour hardware replacement for any failed component at any site. In the event of a DVR failure, where no video is captured, a 3rd party security company will be contracted to provide security officers to patrol the entire location and watch perimeters and warehouse activity until the replacement DVR is delivered and set up.

b.) Badge System equipment failure: Onsite 24/7 support, technician on site within 2 hours of reported failure, 24 hour hardware replacement for failed component at any site.

Additional requirement – Door lock open failure will be monitored by a 3rd party security company. An Armed Guard will be dispatched on site to physically monitor the door where the badge reader/lock has failed and is open (Door cannot be locked due to system failure). An example of a company that provides this service is “Securitas” http://www.securitasinc.com/

8. Contractual Penalties: WTHI’s legal department will negotiate an equitable settlement figure based on the contract amount for each contract. This penalty amount will be consistent with industry rates for contractual breach. Each vendor failing to meet the full requirements stated in the negotiated contract will be subject to further legal action.

WAN Firewall Infrastructure (Existing):

One of our key security vulnerabilities is founded in the way our offices communicate across the wide area network. Twelve years ago, this network was considered cutting edge, and served a great purpose in transacting business communication between the offices. Today, it is a limitation to our continued revenue growth, tied directly to the security of our data. This must change if we are to continue to grow our revenue in a secure environment while maintaining state-of-the-art electronic supply chain management with our vendors and partners.

A diagram containing the current wide area network configuration is shown below.

As indicated in the above diagram, each site has its own firewall connected to a local ISP circuit/ISP router configuration. The connectivity from each site to the main Chicago Datacenter site is via an encrypted tunnel. The firewall in each site consists of a PC-based installation of “Raptor” firewall (which was later purchased by Symantec). The PCs have 3 network adapters: one internal, one external and one ‘DMZ’. Every time a virus outbreak occurs in an office, the Firewall crashes and Internet Access goes down. Symantec has pushed the company to upgrade to a hardware based firewall ‘appliance’, but today, this solution will not meet the requirements of our fast-paced electronic commerce model of business on the Internet.

The proposed new infrastructure will eliminate individual firewalls, ISP circuit connections and tunnels. A new solution will incorporate a centralized private WAN solution using newer MPLS technologies from one of the major telecommunications providers, such as Sprint, MCI, SBC, or Verizon. This change to the WAN is central to the successful implementation of a new security protocol within WTHI. The need for the WAN upgrade is also based on expanded bandwidth requirements due to the additional technology solutions introduced in this report (Digital video and perimeter access control traffic) to ensure a more secure and rapid transfer of data between sites.

A diagram of the proposed WAN solution is shown here:

The use of a private, managed VPN architecture such as an MPLS WAN holds the benefit of creating a larger bandwidth, better protected solution without the overhead of decentralized firewall management and unsecured individual ISP circuits. The proposed WAN upgrade is an essential core component of the Corporate Security Plan. The upgrade will require higher bandwidth capability on the local office WAN circuits in order to allow the network to carry the additional traffic loads generated by the added video and badge access solutions and also the replication of Antivirus updates.

The data traversing the new WAN must also co-exist with regular replication of the e-commerce database between the Chicago and Dallas sites. This replication must be completed regularly to provide a failover solution for business continuity, should a disaster strike the Chicago region.

This upgrade will also pave the way for a major e-mail migration from Microsoft Exchange 5.5 to Microsoft Exchange 2003. This migration is needed in the near future to tighten security of e-mail data by centralizing control of the e-mail server in the Chicago Data Center.

The contract and requirements for this upgrade are as follows (cost information follows):

1. Negotiated contract with a Major Telecom Provider such as AT&T, SBC, SPRINT, or VERIZON to provide such MPLS VPN Service at the corporate level to support all four sites.

2. Purchase of new circuits through this same provider. The recommendation is a Primary 10Mbps *Partial DS3 and 4 bundled T1s as backup circuits for Chicago and Dallas, and a bundled 4-T1 (6MB) primary circuit with Dual ISDN 128kbps backup circuits for Los Angeles and Washington, DC.

Note: Partial DS3’s should have the ‘burstable’ option included in the contract. This means that the Network Operations Center will have the capability to monitor bandwidth utilization following the implementation of all new services. If the bandwidth utilization is maxed into ‘burst’ capacity, then a consideration for increasing the available bandwidth should be initiated. If it is determined that the largest partial DS3 option cannot provide sufficient bandwidth, then an upgrade to a full DS3 (*full T3) should be considered.

3. Purchase of 2800 Series Cisco Routers to support the configuration required of the circuits at each of these sites.

4. Network Engineering will need to create new routes at each Core switch to match the new MPLS Network Routes.

5. SLA requirements: Because WTHI runs its e-commerce enterprise on a 24/7 basis (though Shipping and Receiving are handled only during regular business hours), system downtime would produce a negative impact to revenue channels. Accordingly, an upgrade to the new system should be negotiated as follows:

a) 20 minute Tech Support Escalation Heuristic (each 20 minutes of downtime requires escalation).

b) For outages greater than 1 hour at either primary site (Chicago or Dallas), a full compensation of monthly circuit charges pro-rated based on the time of the primary circuit outage, plus full payment of monthly charge on the 4 T1 backup circuits.

c) For outages greater than 1 hour at either Secondary site, full payment for ISDN charges incurred on backup circuits for the entire duration of the outage.

d) Legal recourse (right to pursue legal action) for any loss of data or revenue due to outages lasting greater than 3 hours. (Note, this would not pertain to tape backup data as all tape backups are done locally.)

The importance of a WAN architecture upgrade is highlighted in the following drawing, which displays the business traffic as it is used by the new WAN.

Cost of WAN Solution:

Solution: WAN - MPLS Service and broadband circuits

Vendor info: telcoIQ
Cost info: $400.00 per month per site - $1,600.00 per month for all 4 sites
Total Cost per month: $1,600.00 per month

Vendor info: usa access
Cost info: not available
Total Cost per month: n/a

Circuits: DS3 - partial Circuits and T1's

Vendor info: telcoIQ
Cost info: $1,250.00 per month (6Mb) 4 bundled T1's
Total Cost per month: $2,500.00

Vendor info: usa access
Cost info: DS3 full 1,500 per month
Total Cost per month: 4,500.00 - 6,000.00

Total Telecom Data Circuit Charge for all sites per month: $8,500.00
Cisco 3725 Multiservice WAN Routers 6500.00 x (5) (Two are needed in Chicago) 32,500.00
Total WAN investment for all sites, per month: $10,100.00
Total WAN ROUTER Purchase: 32,500.00

Central Chicago Internet Gateway

With the upgraded WAN, the individual firewalls at each site are replaced with MPLS routers and Intrusion Detection System ‘Taps’. These taps are connected to an IDS Server that contains sensor software used to analyze potential attacks to the system and send alerts to the IT (Security) Staff. The Internet Access model is changed from individual site access to centralized access through the Chicago Gateway. This gateway consists of a load balanced high traffic firewall solution designed to control individual site Internet access traffic, DMZ traffic for supply chain management and external e-mail traffic. Traditionally traffic from each site would traverse the public internet across a VPN tunnel. The new model uses a private MPLS ‘Cloud’ to move all traffic to and from Chicago.

The new Internet Gateway diagram is shown below:

Selection of Vendors: Switches, Routers, Firewalls, IDS

1. Switches and Routers

The company’s corporate IT Standard is “Cisco” Systems. Because of the current 5 year blanket support contract and track record with Cisco (almost no hardware failure in 5 years), IT feels strongly about continuing the relationship with Cisco Systems as our Router and Switch IT Vendor.

2. Firewalls

Due to the high level of traffic that will cross the Firewall infrastructure, the former firewall technology consisting of “Raptor” software installed on a PC with multiple network interface cards is no longer sufficient. The Raptor Software is no longer supported and our company’s support contract is expired. A new firewall solution is needed. A full-featured firewall server capable of handling high volumes of traffic throughput is required to support the new centralized firewall and internet gateway solution.

Cost Information for Firewalls and Routers to support the Internet Gateway:

Solution: Firewall
Source: securehq.com

Vendor info: Nokia, IP 560 with Checkpoint FW-1
Cost info: $16,000.00
Total Cost - Firewalls: $16,000.00

Vendor info: SonicWall Pro, Sonic Wall 5060f
Cost info: $10,371.00
Total Cost - Firewalls: $10,371.00

3. IDS (Intrusion Detection System)

According to an article by Cavusoglu, Mishra, and Raghunathan (2005), “In the IT security context, preventative controls such as firewalls, aim to develop a shield around IT systems to secure them from intrusions. Detective controls such as IDSs try to detect intrusions that have already occurred. Because complete prevention of intrusions is unlikely, detective controls have become an important element in a firm’s overall security architecture.”3

WTHI has never implemented any means of detecting intrusion into its information systems. This means that the risk of lost revenue and data is high. To mitigate any further damage due to possible intrusion, a detection system is needed for better monitoring of the corporate networks and information assets.

3 Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology

Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).


Cost Information for IDS:

Solution: Intrusion Detection
Vendor info | Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance
Cost info | $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00
Cost info | ethernet taps (560.00 ea) x 6 = $3,240.00 | ethernet taps (560.00 ea) x 6 = $3,240.00
Total cost - IDS | $78,240.00 | $83,240.00

Service Level Agreement:

For the intrusion detection system, a negotiated 24/7 technical support contract will cover support of the

software application running on the IDS servers. A 24 hour hardware replacement should be included in

this contract. As IDS is a critical component of protecting the e-commerce enterprise, downtime could

indirectly impact revenue in the form of an undetected intrusion resulting in a compromise of protected

data.

VPN/Remote Access

The current Remote Access Solution in place is a Microsoft VPN client based solution.

Examination of the existing authentication system has revealed a significant security weakness that will

allow a hacker to guess a username and password to gain access to corporate resources.

A more complex solution is required to ensure that VPN client connections are limited to authorized personnel only. The diagram below shows the current VPN remote access model.

Note: One positive security preventative measure was the retirement of RAS dialup 2 years ago.

A VPN session independent of a direct dialup modem is required to access the system.

Current Remote Access using Microsoft PPTP Client

The current model for remote access is the Microsoft VPN Client using PPTP encrypted authentication. While this method of access provides a secure channel, user and password information is not well protected. Should a hacker identify the proper IP address of the PPTP server, all he/she needs is a valid username and a guessed password. A better solution is required to prevent a potential security breach via the VPN Client, and one is available in the Cisco VPN client. This solution will allow WTHI to leverage a combined access solution that protects password security through use of a ‘SecurID’ token. The token is assigned to each VPN user account, and displays a unique number that changes every 30 seconds. To authenticate on the VPN using the Cisco Client, the user enters a username and password and, in the password field, the additional number shown on the ‘SecurID’ token. The randomization of this number makes it almost impossible for a thief to guess the password.
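The two-factor check described above, as an added illustration that is not part of the original report and is not RSA's or Cisco's code: SecurID's algorithm is proprietary, so the open RFC 6238 time-based one-time password scheme stands in for it. The `VpnAuthenticator` class, the account, the seed, the six-digit length and the "password followed by tokencode" layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30  # from the report: the token number changes every 30 seconds
DIGITS = 6         # assumption: six-digit tokencode


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-SHA1 one-time code for one counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def tokencode(seed: bytes, unix_time: int) -> str:
    """What the fob would display at unix_time (RFC 6238, 30-second step)."""
    return hotp(seed, unix_time // STEP_SECONDS)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VpnAuthenticator:
    """Hypothetical server-side check for 'password + tokencode' logins."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerated clock drift, in 30 s steps
        self.users = {}

    def enroll(self, username: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "seed": seed,        # per-token secret shared with the fob
            "last_counter": -1,  # highest time step already accepted
        }

    def authenticate(self, username: str, passcode: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        user = self.users.get(username)
        if user is None or len(passcode) <= DIGITS:
            return False
        # Assumed layout of the password field: password, then tokencode.
        password, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pw_ok = hmac.compare_digest(
            _hash_password(password, user["salt"]), user["pw_hash"])
        current = now // STEP_SECONDS
        matched = None
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            # Steps at or below last_counter are spent, so a captured
            # passcode cannot be replayed even inside its own 30 s window.
            if counter > user["last_counter"] and hmac.compare_digest(
                    hotp(user["seed"], counter).encode(), code.encode()):
                matched = counter
        if pw_ok and matched is not None:
            user["last_counter"] = matched
            return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"             # constructed seed (RFC test key)
    vpn = VpnAuthenticator()
    vpn.enroll("jsmith", "Winter#2007", seed)  # constructed account
    now = 1_176_000_000                        # constructed timestamp
    good = "Winter#2007" + tokencode(seed, now)
    print("password + current tokencode:", vpn.authenticate("jsmith", good, now))
    print("same passcode replayed:", vpn.authenticate("jsmith", good, now + 5))
    print("password alone:", vpn.authenticate("jsmith", "Winter#2007", now))
```

A guessed or stolen password fails on its own, and a passcode captured in transit is rejected once its time step has been used.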

The diagram shown below illustrates the current model of remote client VPN authentication using the

traditional Microsoft VPN system. The second diagram shows a proposed implementation of the Cisco and

SecurID solution.


Proposed Remote Access using Cisco VPN Client:

Service Level Agreement:

For this implementation two technical support contracts are needed. The first will cover the Cisco VPN solution and the second will provide support for the ‘SecurID’ token based solution. The need for Remote Access VPN is secondary to protection of the physical enterprise and data center. Should a problem arise with the VPN, traveling employees have a backup e-mail solution in Outlook Web Access. This means that downtime of the VPN will not directly or indirectly impact revenue. IT staff at the Chicago data center works in a rotating 24 hour shift, so there is always a group of technicians on site, meaning a VPN access outage would not prevent the IT staff from resolving an issue remotely. Therefore, a downtime of the VPN for up to 8 hours is acceptable. WTHI holds a blanket support contract with Cisco to cover all existing routers and switches. The new VPN router will be added to the existing support contract. A negotiation with the SecurID token provider (probably RSA/EMC) will incorporate a replacement policy on hardware of 24 hours.

Cost Information: VPN Software, Access Token System and VPN Router

Solution: Cisco VPN
Vendor info | Cisco
Client Access License 40.00 (500 users) | $2,000.00
Cisco 7204 VXR VPN Router | $6,000.00
Total Cost - Cisco VPN | $8,000.00

Solution: SecurID Fobs
Vendor info | RSA | CryptoCard
Cost info | $45,000.00 | $68,000.00
Cost info | Authentication Manager Enterprise License: $50,000.00 | Windows Starter Kit $500.00
Total Cost - Authentication Tokens | $95,000.00 | $72,000.00

Policy Changes with regard to resources and users:

The next several policy changes do not involve any purchase cost. However, they do require man-hour cost

to implement, using the existing IT Equipment in WTHI’s Active Directory Domain Architecture. The first

drawing shows the high level view of WTHI’s Active Directory Groups running on Windows 2000

(Windows 2003 is not an upgrade consideration for this project).


The access of these groups to corporate resources on the domain is limited to the needs of their group, in accordance with Microsoft’s Active Directory Best Practices.4

Windows User Account Logon Password Policy

Several resources in the field of ‘password protection’ offer valuable guidance on protecting passwords against ‘cracking’ by hackers attempting to log on to protected resources. The current system in place allows users to choose and keep their passwords indefinitely. A new system is needed. Evidence of the weakness in WTHI’s current approach to password security is highlighted by Munro (2006): “A good password is long and complex - and hard to remember; weak ones are next to useless. They are also expensive to manage. One of the most requested helpdesk services is resetting a password.

We know that the strongest passwords contain non-alphanumeric characters or symbols, are sufficiently long, and do not contain dictionary words. But some non-alphanumerics are a whole lot better than others.”5

4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx

Print Server Limitations: For example, the Warehouse group is able to print orders for their warehouse to

any laser printer inside the warehouse, but not to the color printers in the accounting department. The IT

department can print network diagrams to its color printers, but not to the Black and White laser printers in

the Warehouse. The shipping department can print FedEx or UPS reports to printers in its department but

not to those in IT.

Restricting access to printers may seem like a trivial item in the security plan, but it can actually prevent

critical errors. For example, if an HR Manager were printing a list of terminations and he/she accidentally

selected the printer of a different department (in which several employees who were to be terminated

worked); this could create a big potential problem. Locking down printers to their specific groups helps to

prevent such situations from happening. Similarly, printing of Salary information to the Shipping and

Receiving department for an employee who was to receive his annual review, might end up in the hands of

a co-worker, and create confidentiality issues.

File Server Limitations: A restriction on file shares is needed to limit by group, access to the data specific

to each department. For example: the IT group can access shares on its own folders on the File server, but

not order processing or shipping documents. Accounting and Finance can access its tax document files and

shares on the File server, but not HR’s folders and documents.

5 Munro, K. (2006). How to crack (almost) any password in less than two minutes:[SURVEYS

EDITION]. Financial Times,p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. ( Document ID: 1140500361).


Applications: An Accounting employee can access the Solomon financial server, but this is not accessible

to IT. Troubleshooting an issue on such an application server would require the presence of an accounting

employee.

Network Security at the Router Level (ACL Controls for VLANS)

Often there are scenarios that require the Network Engineering team to lend a hand in securing data channels. An ACL (access control list) on a network router or L3 switch can limit unnecessary traffic and thus reduce bandwidth utilization and the possibility of virus propagation. Cisco (2006) technical documentation on ACLs advises, “In an effort to protect routers from various risks both accidental and malicious infrastructure protection ACLs should be deployed at network ingress points.”6

For example, an ACL blocking TCP port 443 prevents the SQL slammer worm from moving into a subnet

on a network by preventing any traffic using TCP port 443 from passing through the router. Packets that

encounter this ACL are dropped.

The following diagram shows the current core VLAN routed/switched architecture for the Chicago Office

of WTHI. All other offices have a similar core switching architecture.

6 Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf


Note: a WAN upgrade is put forward for strong consideration in this report. The diagram below shows the resulting change to the local switching architecture.


Proposed router site implementation based on the new WAN framework

The new framework will continue with the same core configuration; however the new WAN circuits will

require router upgrades. The two DS3 circuits in Chicago and Dallas will require a DSU/CSU unit to bring

the DS3 circuit into the Data Center area.

Internet Browsing Limitations

The current Information Security policies do not limit Internet Browsing. Employees at all four offices are free to access any website they choose for purposes of browsing the World Wide Web. In the last 2 weeks, several PCs have been infected with viruses. This is becoming more and more of an issue in all 4 offices. Bandwidth is also at a premium. One user was identified streaming NFL highlights videos during work hours. This idea caught on and soon several employees were streaming video from CNN, NFL.com and “YouTube” to their desktops. According to one IT desktop support analyst, some employees have installed “iTunes” on their PCs and are downloading and playing music at the office. E-mail performance has suffered and many users have called the help desk to report “poor network performance”. Although the consumption of bandwidth may have been an issue, a virus-infected PC may also be slowing network performance.

Proposed Solution:

Deployment of a web-filtering solution is intended to mitigate potential violations of the company’s ethics

policy regarding proper use of IT resources and appropriate web-browsing.

The deployment of the actual web-filtering device is depicted in the Chicago Internet Gateway diagram

shown previously in this report.

The Legal department has agreed to revise its ethics policy in coordination with the IT department. This revised plan will determine the criteria used to filter websites. Some suggested criteria include: Pornography, Gambling, Cookie Tracking/Info gathering sites, and Known phishing sites. More will be added to this list following a full review of the new plan.

A sample screen that a user would encounter when attempting to access a banned/filtered site would appear

similar to the one shown here:


Cost Comparison Information – Web Filter:

Solution: Web Browsing Filter
Vendor info | Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance
Cost info | $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct
Total Cost - Web Filter | $6,000.00 | $10,010.00

AntiVirus Software and Microsoft Updates

The company’s four sites have never been given a mandate to standardize on a specific Anti-Virus solution. Each site’s IT department has purchased individual copies of McAfee and Norton antivirus, and is running a mix of both products on the desktops, with purchases occurring on an ‘as-needed basis’. Although the IT staff has done its best to configure each desktop to automatically update virus definitions, this does not always work. With the WAN being used to back up the corporate database from Chicago to Dallas, there are times when the firewalls get ‘bogged down’ with replication traffic in those sites, and the result is that virus definition downloads often fail due to network congestion. The same problem exists for Microsoft Security updates. Desktop computers need to be patched regularly to meet Microsoft security update requirements. To reduce the amount of WAN traffic for Microsoft updates, the IT group will set up a domain level policy to force each desktop computer to download updates during non-business hours.

A Centralized solution for virus updates will allow WTHI to control Software and Security Patching from

its Chicago Datacenter. This is part of the expanded capability the increased circuit bandwidth and the

MPLS Private Network will provide. A diagram of the proposed solution is shown below:


Cost Comparison – Enterprise Level Antivirus:

Solution: Corporate Antivirus
Vendor info | Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense"
Cost info | 1000 licenses: $60,800.00 | 1000 licenses: $55,090.00
Antivirus Server Hardware | (3) Dell Poweredge 1950 and one Dell poweredge 2650: $10,000.00 | (3) Dell Poweredge 1950 and one Dell poweredge 2650: $10,000.00
Total cost - Antivirus | $70,800.00 | $65,090.00


E-mail Spam Filtering:

Spam filtering is a recommended high-priority initiative for WTHI. Spam can be more damaging than simply wasting e-mail bandwidth and inbox space. According to a recent article in Barron’s (Carey, 2007), “APWG (www.antiphishing.org) says that in the first month of 2007, there were 29,930 reports of attempts to steal passwords or other important personal information from corporate customers, up more than 25% from December and up 5% above the previous record, set in June of last year.”7

In the course of this analysis, a decision was made to keep the existing Microsoft Exchange 5.5 E-mail

server architecture in place. This decision is centered on cost reduction to create more budgetary focus on

the critical need to upgrade both the WAN and Security Infrastructure. The upgraded WAN will eventually

allow for the migration to a centralized Exchange 2003 and later Exchange 2007 environment, where one

redundant e-mail server is located in the Chicago datacenter. Spam e-mail can quickly kill productivity for

employees in all departments where time is better spent conducting company business rather than deleting

unsolicited e-mail. This can also lead to a virus attack if the spam message contains a hidden executable or

compressed file containing the executable file.

With the existing 5.5 server architecture in place, the deployment of a short-term anti-spam solution is

recommended at each site. To keep cost efficiency, an SMB sized anti-spam appliance is recommended.

Cost Comparison Information – Spam Filter:

Solution: Anti-Spam Filter
Vendor info | Barracuda Spam Firewall - model 400 | Mail Foundry 2100
Cost info | $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support
Total Cost - Antispam | $24,000.00 | $13,021.60

7Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM

Global database. (Document ID: 1249851201).


The diagram below outlines the connectivity of the spam filter at each location.


Oracle Database Security

Within this report, many security solutions are recommended to ultimately protect the data of the company’s databases. These solutions offer the most protection at each perimeter of the Information Systems Infrastructure. A critical consideration is the application level security of the Database Management System Software. WTHI uses Oracle as its DBMS provider. Oracle has a long-standing reputation for leading the industry in e-commerce database management products. The use of Oracle’s security features will protect the database at a final core level against attacks and data theft. Oracle adds an additional layer to database security through its own technology resource center. As indicated by Oracle Corporation (2007), “Fixes for security vulnerabilities are released in quarterly Critical Patch Updates (CPU), on dates announced a year in advance and published on the Oracle Technology Network. The patches address significant security vulnerabilities and include other fixes that are prerequisites for the security fixes included in the CPU. The major products patched are Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards Enterprise One, and JD Edwards One World XE.”8

Oracle (http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428)

provides a comprehensive list of potential database security issues and resolutions. This list includes items

such as “Unauthorized users, unauthorized access to data, eavesdropping, corruption, and denial of

service.”9

With the many solutions offered to mitigate the risk of data loss, WTHI will follow the Oracle recommended solutions. A critical component of this risk management solution will be a new WTHI Information Technology policy, in cooperation with the Database Administration group and Network Operations staff, to follow published Oracle security recommendations and patch all reported vulnerabilities as soon as possible. At present, adherence to the existing Oracle recommendations will not require any additional purchase by WTHI. Our current support contract with Oracle is 24/7 technical support. All database administrators at WTHI are Oracle Certified DBAs, with at least 5 years of database administration experience. Database backups are performed nightly, and a full database replication is done daily with the Dallas datacenter.

8 Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

9 Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

Business Continuity Planning

WTHI has a solid plan for continuation of business in the event of a major technical outage at the main

Chicago data center. The plan for business continuity consists of a complete operations failover from

Chicago to Dallas.

To continuously prepare for such an event, WTHI regularly replicates its database with the Dallas

office. Redundant application servers operate in the Dallas location and are ready to pick up in less than 20

minutes in the event such service is required. Local personnel in Dallas are trained to take over main

operations from Chicago. Key management personnel have an emergency travel budget to temporarily

relocate from Chicago to Dallas until the Chicago site is ready to go back on line. This plan is sufficient to

continue operations, and there is no requirement to upgrade or change the plan at this time. With

continuous innovation in the Information Technology and Security fields, this plan should be revisited

annually to identify new opportunities for improvement.

Disaster Recovery

Nightly tape backups are performed at all sites. All major e-mail systems including e-mail, voicemail, and file servers are backed up. Database transaction logs are backed up, and can be ‘rolled back’ or ‘rolled forward’ to restore data that may have been damaged during a server outage. All servers are configured with a RAID capability, and spare hardware replacements are kept ready and available at all sites should the need arise to rebuild a RAID system. An offsite storage vendor keeps 2 weeks of backup tapes at a climate-controlled facility, and these may be recalled at any time for any of the four offices as needed. At present, this plan is sufficient to restore data operations, and there is no requirement to upgrade or change it. With continuous innovation in the Information Technology and Security fields, this plan should be revisited annually to identify new opportunities for improvement.

Summary List of Recommendations:

1. Control Physical Access to Buildings, Offices, Warehouses and Data Centers; Implement a

Perimeter Security Access Control (Badge Reader) System

2. Migrate Camera System from Analog to Digital Network Controlled System with Online Storage.

3. Migrate WAN Circuit Connectivity from Internet Based to MPLS (Private VPN) Based.

4. Migrate Firewalls from Decentralized Raptor Solution to Centralized Internet Gateway.

5. Enforce Password Policy on all Domain Accounts:

a. Require password change every 90 days

b. Require at least 1 number, 1 special character, and 1 uppercase letter, minimum 8 characters.

6. Implement an Intrusion Detection system.

7. Enforce Desktop Policy via Active Directory Group Policy Object. Include Scheduled After Hours

Download Cycle for MS-Security Patches.

8. Limit Web Site Browsing with a Web Filter Appliance.

9. Migrate Remote Access VPN from Microsoft PPTP to Cisco Client VPN.

10. Implement Anti-Spam Email Filter Device on all Exchange E-mail Servers.


11. Follow Oracle Best Practices for Database Security as Published on Oracle’s Corporate Website.

12. Standardize Anti-virus software to Enterprise, server based version.

Conclusion

The Web Tech Home Improvement Corporate Security Plan as proposed in this report is vital to the company’s ability to maintain its competitive advantage. The center of this plan is the upgrade of WAN technology from the existing decentralized ISP solution to a centralized MPLS Private WAN with increased bandwidth. The physical access control and video surveillance solutions will utilize more bandwidth in data transfer. The Migration and Upgrade of the Firewall solution using a centralized Internet Gateway will streamline the administration of the Firewall at the Chicago Data Center, and take some of the strain off of local IT personnel by shifting this responsibility to Headquarters. Creating a policy for the existing Windows 2000 Active Directory environment will tighten desktop security and enforce restrictions on resources so that the appropriate groups and departments will access only the resources required to conduct daily business. This will also allow IT administrators to enforce a new global password policy for number and type of characters and a fixed password renewal requirement. The server based anti-virus model will decrease the internet traffic at each office by centralizing virus definition updates on a master server and pushing these updates to servers in each office. This in turn will reduce WAN traffic by allowing local client PCs in each office to update using LAN bandwidth rather than WAN bandwidth. The addition of a web-filter appliance will control appropriate Internet website browsing and reduce bandwidth utilization across the WAN by blocking streaming media sites such as “Napster”, “iTunes”, “myspace”, and “youtube”. The migration from Microsoft VPN to a combined Cisco VPN/SecurID token solution will increase security by randomizing the second part of the user password in the Authentication process. It will also strengthen the reliability of the VPN hardware solution by moving away from a server based solution to a more robust Cisco router solution. This plan should be re-evaluated on a regular basis to consider new technology developments and innovations in the field of security that might better protect the infrastructure and help to maintain the company’s competitive advantage. A line item budget consideration is strongly suggested to continue the updates to these technologies needed for maintaining security of the company’s physical and informational assets.

References

1. Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).

2. Stennett, C., A. Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).

3. Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).

4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx

5. Munro, K. (2006, October 4). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).

6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf

7. Morrissey, P. (1998, April). Demystifying Cisco access control lists. Network Computing, 9(7), 116. Retrieved April 7, 2007, from ABI/INFORM Global database. (Document ID: 28520861).

8. Huseyin C., B. Mishra, S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).

8. Keep your database safe from intrusions at all network levels. (2006, April). Exploring Oracle, 11(4), 6. Retrieved March 12, 2007, from ProQuest Computing database. (Document ID: 1025469841).

9. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).

10. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html

11. Oracle Corporation (2007, April). Oracle Security Review 10g Release 1. Retrieved April 12, 2007 from: http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428

12. Microsoft Corporation (2007, April). Step-by-Step Guide to Understanding the Group Policy Feature Set. Retrieved April 12, 2007 from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/grpolwt.mspx

13. RSA Security (2005). RSA SecurID SID800 Hardware Authenticator. Retrieved from: http://www.rsa.com/products/securid/datasheets/SID800_DS_0205.pdf

Appendix A: Cost Information

Budget Requirement - Capital Asset Equipment Investment: $442,079.00

Budget Requirement - Recurring Service Charges: $10,100.00 per month

Cost Information

Solution: WAN - MPLS Service and broadband circuits
Vendor info | telcoIQ | usa access
Cost info | $400.00 per month per site - $1,600.00 per month for all 4 sites | not available
Total Cost per month: | $1,600.00 per month | n/a

Circuits: DS3 - partial Circuits and T1's
Vendor info | telcoIQ | usa access
Cost info: $1,250.00 per month (6Mb) 4 bundled T1's DS3 full 1,500 per month
Total Cost per month: | $2,500.00 | 4,500.00 - 6,000.00

Total Telecom Data Circuit Charge for all sites per month: $8,500.00
Cisco 3725 Multiservice WAN Routers: 6500.00 x (5) (Two are needed in Chicago) 32,500.00
Total WAN investment for all sites, per month: $10,100.00
Total WAN ROUTER Purchase: 32,500.00


Solution: Cisco VPN
Vendor info: Cisco
Client Access License: 40.00 (500 users) $2,000.00
Cisco 7204 VXR VPN Router: $6,000.00
Total Cost - Cisco VPN: $8,000.00

Solution: Firewall
Vendor info: Nokia | SonicWall Pro
Source (securehq.com): IP 560 with Checkpoint FW-1 | Sonic Wall 5060f
Cost info: $16,000.00 | $10,371.00
Total Cost - Firewalls: $16,000.00 | $10,371.00

Solution: SecurID Fobs
Vendor info: RSA | CryptoCard
Cost info: $45,000.00 | $68,000.00
Authentication Manager Enterprise License: $50,000.00
Windows Starter Kit: $500.00
Total Cost - Authentication Tokens: $95,000.00 | $72,000.00

Solution: Digital Video
Vendor info: Vicon Systems | Alternative Security
Cost info: 4 DVRs @ $8,000.00 ea = $32,000.00 | (4) 9-camera complete systems w/cameras and DVR's @ $2,699.00 ea = $10,796.00
36 PTZ Cameras @ $463.85 ea = $16,698.60 | n/a (included above)
Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65 | Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
Digital Video Archive: EMC Clariion Ax (500 Gb expandable archive) $6,000.00 | EMC Clariion Ax (500 Gb expandable archive) $6,000.00
Total Cost - Video: $56,251.00 | $18,348.65

Solution: Perimeter Badge Access Control
Vendor info: Software House Ccure Badging System $1,000.00 (4) = $4,000.00 | Software House Ccure Badging System $1,000.00 (4) = $4,000.00
Cost info: Control Panels $450.00 (8) $3,600.00 | Control Panels $450.00 (8) $3,600.00
ACTAtek badge readers $790.00 (26) = $20,540.00 | ACTAtek badge readers $790.00 (26) = $20,540.00
ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00 | ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00


Door Strikes - $175.00 (32) $5,600.00 | Door Strikes - $175.00 (32) $5,600.00
Door Relay units - $179.00 (32) $5,728.00 | Door Relay units - $179.00 (32) $5,728.00
Total Cost - Badge Control System: $52,188.00 | $52,188.00

Solution: Corporate Antivirus
Vendor info: Symantec (Norton) Enterprise Edition | McAfee "Active Virus Defense"
Cost info: 1000 licenses | 1000 licenses
$60,800.00 | $55,090.00
Antivirus Server Hardware: (3) Dell PowerEdge 1950 and one Dell PowerEdge 2650 | (3) Dell PowerEdge 1950 and one Dell PowerEdge 2650
$10,000.00 | $10,000.00
Total cost - Antivirus: $70,800.00 | $65,090.00

Solution: Anti-Spam Filter
Vendor info: Barracuda Spam Firewall - model 400 | Mail Foundry 2100
Cost info: $4,000.00 (4) $16,000.00 plus 8,000.00 for 1 year support and updates | $2,000.00 (4) $8,000.00 plus 2 years extended support
Total Cost - Antispam: $24,000.00 | $13,021.60

Solution: Web Browsing Filter
Vendor info: Barracuda Web Filter - model 410 | iPrism M1200 Web Filter Appliance
Cost info: $4,000.00 (1) add 2,000.00 for 1 year support and updates | 1,000 users, 1 year, $10,010 direct
Total Cost - Web Filter: $6,000.00 | $10,010.00

Solution: Intrusion Detection
Vendor info: Enterasys Dragon Sensor | Juniper IDP 200 Security Appliance
Cost info: $15,000.00 x 5 = $75,000.00 | $16,000.00 x 5 = $80,000.00
ethernet taps (560.00 ea) x 6 = $3,240.00 | ethernet taps (560.00 ea) x 6 = $3,240.00
total cost - IDS: $78,240.00 | $83,240.00
