Security Architecture

Design, Deployment and Operations

Christopher M. King, Curtis E. Dalton, T. Ertem Osmanoglu

Publisher: Osborne, 2001, 481 pages

ISBN: 0-07-213385-6

Last modified: June 27, 2021, 11:33 a.m.

Synopsis

Apply the latest security technology to real-world corporate and external applications

Design a secure solution from start to finish and learn the principles needed for developing solid network architecture using this authoritative guide. You'll find hands-on coverage for deploying a wide range of solutions, including network partitioning, platform hardening, application security and more.

Get details on common security practices, standards, and guidelines and learn proven implementation techniques from case studies discussed in each chapter.

Written by recognized experts and endorsed by RSA Security Inc., the most trusted name in e-security, this comprehensive and practical security guide is your essential tool for planning and implementing a safe and reliable enterprise network.

This book will show you how to:

Develop an information classification and access control plan
Use the appropriate security policies and technology to best meet your security requirements
Comprehend security infrastructure design principles
Utilize appropriate security technology in the most secure method
Fully understand the tradeoffs between usability and liability
Ensure complete network security across multiple systems, applications, hosts, and devices
Develop and apply policies, assess risks, and understand requirements for running security-specific technology
Work with and configure IDS, VPN, PKI, and firewalls

Business and Application Drivers (Case Study)

The Multi-National Corporation (MCC)
Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp
Implementation Considerations

Security Policies, Standards, and Guidelines

Different Types of Policies, Standards, and Guidelines

Common Elements
Policy Examples

Policy, Standard, and Guideline Development

Policy Creation
Regulatory Considerations

Privacy Regulations
Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp
References

Information Classification and Access Control Plan

Background
Creating Classifications
Risk Assessment
Applying the IC
The IC and the Application Development Process
Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp
References

Applying the Policies to Derive the Requirements

Threats

External Security Threats
Internal Security Threats

Management Security Requirements

Defining the Security Model
Personnel Security
Security Awareness and Training Measures
Change Management
Password Selection and Change Requirements

Operational Security Requirements

Physical and Environmental Protection
Physical Access Controls
Business Continuity and Disaster Recovery Services
System and Application Maintenance
Disposal of Sensitive Materials

Technical Security Requirements

Data Integrity
Confidentiality
Availability
User Identification and Authentication
Non-repudiation
Authorization and Access Control
Privacy
Network Security Requirements
Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp

References

Security Infrastructure Design Principles

Component or Infrastructure…?

Infrastructure Components

Goals of a Security Infrastructure
Design Guidelines

Authentication
Authorization
Accounting
Physical Access Controls
Logical Access Controls

Case Study Overview

Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp

Conclusion

Network Partitioning

Overview of Network Partitioning

Firewall Platforms
Anatomy of the High-Availability Firewall
Air Gap Firewall Strategies
Partitioning Models and Methods
Perimeter Security Models
Internal Partitioning Models and Methods

Analysis of Case Study #1 — Corporate

MCC Network Security Policy
Logical Layout of Network

Analysis of Case Study #2 — FinApp

Physical Layout of Network
Logical Layout of Network

Analysis of Case Study #3 — HealthApp

MCC HealthApp Security Policy
Physical Layout of Network
Logical Payout of Network

Conclusion
References

Virtual Private Networks

What Is a VPN?
Why VPNs?
Types of VPNs
VPN Features — A Business Perspective

Security
Reliability
Manageability
Scalability
Usability
Interoperability
Quality of Service
Multiprotocol Support

VPN Technology

Cryptography
Authentication Systems
Tunneling and Security Protocols

VPN Solutions

Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp

Conclusion
References

Wireless Security

How Is Wireless Different?

Physical Security
Device Limitations

Bluetooth

Bluetooth Security
Safeguarding Bluetooth

Wireless Application Protocol (WAP)

WAP Security
Safeguarding WAP
What Else Is Available?

Wireless Local Area networks (WLANs)

Wireless LAN Security
Safeguarding Wireless LANs

Analysis of Case Study #1 — Corporate

Physical and Logical Security
Bluetooth Implementation
Wireless Application Protocol Implementation
Wireless LAN Implementation

Analysis of Case Study #2 — FinApp

Phase 1: Palm Pilot
Phase 2: WAP

Analysis of Case Study #3 — HealthApp
Conclusion

Platform Hardening

Business Case, Costs, and Resource Requirements
Platform Anatomy
Platform Hardening Approach

Identify
Assess
Design
Execute

Practical Hardening Guidelines

Ports and Processes
Patching
Password Stores and Strength
User Privilege
File System Security
Remote Access Security
Service Banners, OS Fingerprinting, and Disclaimer Screens

Hardening Tools

Titan3
Bastille-Linux4
JASS5
YASSP6
HardenNT7

Case Study Overview

Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp

Conclusion

Intrusion Detection Systems

Benefits of IDSs
Existing Limitations of IDSs

Security Policy Documents and Acceptable Use Policies
Taxonomy of IDSs

Classes of Events
Classes of IDSs

Case Study Overview

Analysis of Case Study #1 — Corporate
Analysis of Case Sudy #2 — FinApp
Analysis of Case Study #3 — HealthApp

Conclusions
In-Text References
Other References

Application Security

Application Security Background
Application Security Placement
Authorization Models

Associative Access Control
Entitlements
Logical Access Control

Protected Resources
Authentication Schemes

Single Sign-On
Impersonation

Security Repository

Authorization Namespace

Transparent Application Security (Web)

Web Access Control Solution
Web Server Integration

WAC Security Repository

WAC Scalability and High Availability
WAC Password Management

WAC Security Flow

WAC Authentication Schemes

Inline Application Security

Application Access Control Solution

Administration
Reporting
Analysis of Case Study #1 — SSO
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp
Conclusion
References

PKI: Components and Applications

Cryptography

Symmetric Key Cryptography
Asymmetric Key Cryptography
Digital Signatures
Strength of Cryptographic Algorithms

Digital Certificates
PKI Components

Certificate Authorities
Registration Authorities
Certificate Management Protocols
Certificate Revocation
Certificate Repositories
Time Stamp Authority

PKI Architectures

Hierarchical Model
Cross-Certification Model
Hybrid

Certificate Policy and Certificate Practice Statements
Analysis of Case Study #1 — MCC: Corporate E-mail Encryption and Smart card Solution

Business Need
Solution
Implementation

Analysis of Case Study #2 — FinApp: Certificate-Based IPSec Authentication for VPNs

Business Need
Solution
Implementation

Analysis of Case Study #3 — HealthApp: Web-Based Authentication

Business Need
Solution
Implementation

Bibliography

Security Event Management and Consolidation

Event Sources
Event Protocols

Passive Logging — syslog
Passive Logging — NT Event Log
Passive Logging — Proprietary
Active Polling — SNMP GET
Active Alerting — SNMP trap
Passive Network Host Monitoring
Active Host Vulnerability Assessment

Event Collection, Logical Grouping, and Classification
Logical Grouping and Classification
SEM Project Planning and Initiation

Project Planning and Initiation
Security Device Inventory and Assessment
Requirements Analysis
SEM Design Phase
Report and Recommendations
SEM Build Phase
SEM Documentation and Knowledge Transfer Phase
SEM Conversion and Turn-Up Phase
Ongoing Support, Enhancement, and Maintenance

Analysis of Case Study #1 — Corporate

Business Needs
Solution
Implementation
Operations

Analysis of Case Study #2 — FinApp

Business Needs
Solution
Implementation
Operations

Analysis of case Study #3 — HealthApp

Solution
Implementation
Operations

Conclusion

Security Management

What Is Security Management?
Why Is Security Management Important?
Best Practices to Managing the Security Infrastructure

Secure It from the Start
Understand and Enforce the Security Policies
Follow Defined Change Management Guidelines
Monitor Information Sources

Procedural Management

Account Management
Role-Based Administrative Functions
Security Incident Management
Component Management

Case Study Overview

Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp

Conclusion
References

Validation and Maturity

Risk Management
Security Maturity Model

Security Planning
Technology and Configuration
Operational Processes

Threats

Threat Agent Examples
Threat Scenarios and Countermeasures
Insider Threat Scenarios

Security Assessment Methodology

Security Assessment Techniques
Network Security Assessment
Platform Security Assessment
Database Security Assessment
Application Security Assessment

Analysis of Case Study #1 — Corporate
Analysis of Case Study #2 — FinApp
Analysis of Case Study #3 — HealthApp
Conclusion
References

Reviews