Technical & Commercial - First Directory · Simplifying and Enhancing IT Security at xxxxxxx...

TC Audit 01284 788902 Technical & Commercial Audit

Simplifying and Enhancing IT Security at xxxxxxx Council

This document is designed to highlight existing infrastructure and security solutions and recommend alternative technology that could be used to simplify the management and enhance security at the council.

Current Infrastructure

Windows Active Directory at the 2003 functional level, with Windows Server 2012 servers in operation.

2 Domains, 1 primary and 1 GCSX with a one way trust between them.

Approximately 600 users, with 350 regular PC clients.

Windows 7 Enterprise is running on most desktop machines.

IPv4.

Citrix thin clients. Most clients run Internet Explorer or Chrome. Sites include:

Primary Council Office in xxxxxxx

2 Leisure centres

Waste Depot

Business centre

Parks

Network diagram illustrating current infrastructure (only the diagram labels survive extraction): UTM A/P firewall/IPS, web security reverse proxy (ActiveSync and others), Wi-Fi control; Internet access; DMZ (x82 VMs); PSN and non-PSN zones; Aruba AP105 access points (x4); StoneGate FW310 firewall, StoneGate 1030 firewall, TMG firewall and Juniper SSG5 firewall; FW logs and FW management console; domain controller; Exchange; Citrix App / Citrix WI / Citrix farm; core network with telephony application (x1), Exchange, SharePoint, data management system, MS SQL, Active Directory, Swivel 2FA application servers, print servers, FTP, Kirona connector, plans, minutes, MRM; RADIUS server; physical servers (x30); production NetApp 2240 (30 TB) FAS2240-2 filers serving iSCSI and NFS; Fiery printer controller; Mirra recording device; telephony gateways to the PSTN; support staff (x5); remote users (x100); remote Ethernet connectivity to the parks, leisure centre and other required small sites.

All data is SnapMirrored from the production NetApp 2240 filer and backed up by the SyncSort backup software.

Antivirus/Endpoint Security and Mobile Device Management (MDM)

Infrastructure | Current Solution | Proposed Alternative Technology
Desktops/Laptops | Kaspersky V6 or V10 roll out (1) | Cloud based end user protection
Regular Servers | Kaspersky V6 or V10 roll out (1) | Cloud based end user protection
Critical Servers | Kaspersky V6 or V10 roll out (1) | Cloud based server protection with advanced black/whitelisting
VDI/vShield | Kaspersky Security for Virtualization | VDI protection
Mobile Device Management (MDM) | Sophos hosted SMC | Cloud based end user protection

Consolidating on premise desktop/laptop anti-virus, server protection, VDI security and mobile device management into a fully cloud hosted service, with the only on premise management being the VDI agent. This will simplify the management and updating process associated with traditional malware defence.

Primary benefits of adopting proposed alternative strategy:

Simpler management, including managing all devices (desktop, laptop, server and mobile) together,

Console and versions automatically upgraded,

Built in web filtering for remote and mobile* users,

Device control (USB control),

Client firewall,

Application control,

Malicious traffic detection,

AD Sync,

Critical Servers can be protected with Lockdown (whitelisting),

Increased server protection,

VDI agentless scanning for VMware Vshield,

Ongoing security integration with UTM technology.

Cloud based Anti-Virus/Endpoint controls allow simpler management of all devices together, including desktops/laptops, mobile devices (IOS/Android etc.) and servers. The cloud solution is automatically maintained and new features/controls are automatically made available when released.

Firewalls

Infrastructure | Current Solution | Proposed Alternative Technology
Main Firewall(s) | 2x Stonegate FW1030 A/P, 6x copper NICs | UTM Technology A/P

Function | Performance
Firewall throughput | 25 Gbps
IPS throughput | 7 Gbps
AV throughput | 2 Gbps
Concurrent connections | 8,000,000

UTM Technology includes:

Module | Core Features
Network Protection | Next Generation Firewall, IPS, country blocking, QoS, VPN, RED device, routing, load balancing
Web Protection | Web category filtering, app control, dual AV filtering, HTTPS analysis
Web Server Protection | Reverse proxy (WAF), dual AV, security profiles/controls
Wireless Protection | Wi-Fi filtering, multiple networks, password of the day, guest Wi-Fi
Email Filtering | AV/AS/encryption (included in the bundle, but because it is on premise it is not recommended for this proposal)

Infrastructure | Current Solution | Proposed Alternative Technology
Stonegate 310 | Associated with xxxxx council | Consolidate and utilise the above UTM solution, i.e. no further hardware required
GCSX | TMG Firewall and Stonegate 310 | UTM Technology (performance below)

Function | Performance
Firewall throughput | 13 Gbps
IPS throughput | 3 Gbps
AV throughput | 800 Mbps
Concurrent connections | 4,000,000

Juniper Firewall | Legacy equipment | Consolidate and utilise the above UTM solution, i.e. no further hardware required

Primary benefits of adopting proposed alternative strategy:

Stronger performance,

Enhanced scalability,

Integrated network functionality and security:

o Enhanced security over point solutions,

Consolidation of multiple firewall/technology providers,

Simpler management,

Increased functionality:

o Quick, secure and easy expansion of the network to remote sites via Remote Ethernet Devices (RED),

o Integrated failover,

o Link aggregation and failover detection,

o Load balancing,

o Intrusion prevention,

o App control,

o Enhanced web filtering/HTTPS inspection,

o Dual AV (Avira/Sophos), etc.

Direct cost savings, as security providers offer greater discounts the more solutions you take from one vendor,

Indirect cost savings in terms of simpler management,

Replacement of legacy equipment (that is due to become unsupported).

Encryption

Infrastructure | Current Solution | Proposed Alternative Technology
HDD Encryption | Microsoft BitLocker | Microsoft BitLocker, with third party management
File Shares | None | File encryption solution

Primary benefits of adopting proposed alternative strategy:

Simple centralised management,

Key backup/recovery,

Auditing and reporting of encrypted machines for data compliance purposes (i.e. proof they were encrypted),

Network file share encryption, protecting sensitive documents with file based encryption.
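As an added example (not from the audit document or any vendor's management console), the following PowerShell checks the two controls listed above on a Windows 7 / Server 2012 estate: that each machine's OS drive is fully encrypted with protection on, and that a recovery password for it has been escrowed to Active Directory, which is what a management console would report as proof of encryption and key recoverability. It reads BitLocker state through the Win32_EncryptableVolume WMI provider rather than the BitLocker PowerShell module, because that module is not present on Windows 7. It assumes the ActiveDirectory RSAT module on the admin host, PowerShell remoting to the clients, read access to msFVE-RecoveryInformation objects, and that the AD schema extension and Group Policy for recovery password escrow are already in place; the OS filter in the usage line is an assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the audit document. Assumes PS remoting to the clients and the
# FVE schema/escrow GPO in AD; the target selection at the bottom is a placeholder.

# Runs on each client (PowerShell 2.0 compatible): state of the OS drive and the IDs of its
# recovery password protectors, via the Win32_EncryptableVolume WMI provider.
$clientProbe = {
    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
    if (-not $vol) { return $null }                      # no BitLocker provider / no encryptable volume
    $conv = $vol.GetConversionStatus()
    $ids  = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })   # 3 = numerical password
    New-Object PSObject -Property @{
        ProtectionOn   = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)       # 0 off, 1 on, 2 unknown
        FullyEncrypted = ($conv.ConversionStatus -eq 1)                            # 1 = fully encrypted
        Percent        = $conv.EncryptionPercentage
        RecoveryIds    = $ids
    }
}

function Get-BitLockerComplianceReport {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($name in $ComputerName) {
        $adComputer = Get-ADComputer -Identity $name -ErrorAction SilentlyContinue
        $escrowed = 0
        if ($adComputer) {
            # Escrowed recovery passwords are msFVE-RecoveryInformation children of the computer object.
            $escrowed = @(Get-ADObject -SearchBase $adComputer.DistinguishedName -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"').Count
        }
        $state = Invoke-Command -ComputerName $name -ScriptBlock $clientProbe -ErrorAction SilentlyContinue
        $on = $null; $full = $null
        if ($state) { $on = $state.ProtectionOn; $full = $state.FullyEncrypted }
        [pscustomobject]@{
            Computer       = $name
            InAD           = [bool]$adComputer
            Reachable      = [bool]$state
            ProtectionOn   = $on
            FullyEncrypted = $full
            KeysInAD       = $escrowed
            # Encrypted, enforced and recoverable: all three, or the machine is not compliant.
            Compliant      = [bool]($state -and $on -and $full -and ($escrowed -ge 1))
        }
    }
}

# Remediation for "encrypted but no key in AD": escrow every recovery password protector of
# the OS drive. Returns the number of protectors backed up.
function Backup-RecoveryPasswordToAD {
    param([Parameter(Mandatory)] [string] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
        $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
        $ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })
        if ($ids.Count -eq 0) {
            throw "No recovery password protector on $env:COMPUTERNAME; add one first (manage-bde -protectors -add $env:SystemDrive -RecoveryPassword)."
        }
        $done = 0
        foreach ($id in $ids) {
            if ($vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue -eq 0) { $done++ }
        }
        $done
    }
}

# Usage: audit the Windows 7 estate and list what still needs work before claiming compliance.
$targets = Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' | Select-Object -ExpandProperty Name
Get-BitLockerComplianceReport -ComputerName $targets |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A machine that reports ProtectionOn but zero keys in AD is the case the audit list is really after: the data is encrypted, but nobody can recover it if the TPM or user PIN is lost. Run Backup-RecoveryPasswordToAD against those hosts and re-run the report; the count in KeysInAD is the evidence to keep.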

Email

Infrastructure | Current Solution | Proposed Alternative Technology
AV/AS | ICritical | Cloud email alternative
Encryption | None | Cloud email alternative
Archiving | None | Cloud email alternative

Primary Benefits of adopting proposed alternative strategy

Simple management,

Business continuity,

AV/AS/Encryption/Email hygiene

Web Security/Filtering

Infrastructure | Current Solution | Proposed Alternative Technology
Web Filtering | Bluecoat (cloud) | Proposed UTM technology for the firewall
Web Security | Bluecoat (cloud) | Proposed UTM technology for the firewall

Primary Benefits of adopting proposed alternative strategy

Integrated Web Filtering/Security with Firewall/UTM,

Simple management and reporting,

User authentication with agentless filtering for machines,

Faster performance for internet access,

110 Categories and application control,

HTTPS Analysis,

Dual AV,

Bandwidth controls and application throttling,

Reputation analysis,

File type and mime type blocking.

Vulnerabilities

Infrastructure | Current Solution | Proposed Alternative Technology
Vulnerability identification | GFI LanGuard, but for servers only | Complete patch remediation solution
Vulnerability remediation/patching | WSUS for Windows patches; GFI LanGuard for servers only | Complete patch remediation solution (integrating with WSUS)

Primary Benefits of adopting proposed alternative strategy

Protect against malware or hacker exploitation of poorly patched machines,

Identify missing patches for third party apps (Adobe, Java) and Microsoft systems (50,000 systems covered),

Remediate patches via WSUS/SCOM integration, with advanced technology that strips out unwanted items (such as a bundled Chrome update),

Deploy patches at a schedule that fits with business requirements.
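As an added example (not from the audit document, and not the proposed product's own logic), the following PowerShell shows what the "identify missing patches" step above has to produce for each machine before any tool can remediate it. It combines two sources: the Windows Update Agent, which reports against WSUS when the client is pointed at a WSUS server by policy, for missing Microsoft updates, and the Uninstall registry hives for the installed versions of third party products such as Adobe Reader and Java, which WSUS does not cover on its own. The minimum version table, the computer names and the "critical or any out of date Reader/Java" threshold are assumptions to be replaced with the council's own policy.

```powershell
# Added example, not part of the audit document. Minimum versions and computer names are placeholders.

$minimumVersions = @{
    # DisplayName prefix -> lowest acceptable version (hypothetical; take from vendor advisories)
    'Adobe Reader' = [version]'11.0.10'
    'Java 7'       = [version]'7.0.750'
    'Java 8'       = [version]'8.0.400'
}

function Get-MissingWindowsUpdates {
    # IsInstalled=0 and IsHidden=0: offered (by WSUS, when configured) but not yet installed,
    # excluding anything an administrator has hidden.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            Severity = [string]$u.MsrcSeverity     # Critical/Important/Moderate/Low; empty for non-security
        }
    }
}

function Get-OutdatedThirdPartyApps {
    param([hashtable] $Minimum = $minimumVersions)
    # Both Uninstall hives: 64-bit and (under Wow6432Node) 32-bit installs such as Java and Reader.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }
    foreach ($app in $installed) {
        foreach ($prefix in $Minimum.Keys) {
            if ($app.DisplayName -notlike "$prefix*") { continue }
            try { $ver = [version]$app.DisplayVersion } catch { continue }   # non-numeric version string
            if ($ver -lt $Minimum[$prefix]) {
                [pscustomobject]@{ Product = $app.DisplayName; Installed = $ver; Required = $Minimum[$prefix] }
            }
        }
    }
}

# One row per machine over PS remoting: how exposed it is and what is driving that.
function Get-PatchExposure {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($name in $ComputerName) {
        $missing = @(Invoke-Command -ComputerName $name -ScriptBlock ${function:Get-MissingWindowsUpdates} `
                        -ErrorAction SilentlyContinue)
        $apps    = @(Invoke-Command -ComputerName $name -ScriptBlock ${function:Get-OutdatedThirdPartyApps} `
                        -ArgumentList $minimumVersions -ErrorAction SilentlyContinue)
        $critical = @($missing | Where-Object Severity -eq 'Critical').Count
        [pscustomobject]@{
            Computer         = $name
            MissingUpdates   = $missing.Count
            CriticalUpdates  = $critical
            OutdatedApps     = ($apps | ForEach-Object { "$($_.Product) $($_.Installed)" }) -join '; '
            # Any critical Microsoft update or any out of date Reader/Java: remediate first.
            NeedsRemediation = ($critical -gt 0) -or ($apps.Count -gt 0)
        }
    }
}

# Usage: the desktop estate, worst first.
$targets = 'PC001', 'PC002'   # placeholders
Get-PatchExposure -ComputerName $targets | Sort-Object CriticalUpdates -Descending | Format-Table -AutoSize
```

The point of the third party check is the gap the table above names: a machine can be fully green in WSUS and still run an exploitable Reader or Java, because WSUS never sees them. Whatever remediation product is chosen, this is the list it must be able to produce and act on.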

Wi-Fi

Infrastructure | Current Solution | Proposed Alternative Technology
Corporate network | Aruba | Proposed UTM technology with access points
Guest network(s) | zwifi | Proposed UTM technology with access points

Primary benefits of adopting proposed alternative strategy

Integrated Wi-Fi with UTM technology (Firewall, Web Filtering, Routing etc.)

Simple Management

Define new networks:

o What they have access to,

o How they are web filtered (via UTM tech),

o If they have a guest password of the day,

o If they use Active Directory integrated authentication,

o Remote Wi-Fi networks, off other UTMs or RED devices.

Reverse Proxy (WAF)

Infrastructure | Current Solution | Proposed Alternative Technology
ActiveSync | Microsoft TMG | Proposed UTM technology
OWA | None, not currently used | Proposed UTM technology
SharePoint | None, not currently used | Proposed UTM technology
Websites | None, not currently used | Proposed UTM technology

Primary benefits of adopting proposed alternative strategy

Enhanced protection for web servers with security technology including (URL Hardening, SQL Injection Prevention, Cookie Signing, Dual AV Protection etc.),

Published Web servers, SharePoint, OWA.

Load balance servers behind the reverse proxy.

Intrusion Prevention & Detection

Infrastructure | Current Solution | Proposed Alternative Technology
Main Firewall | Stonegate | Proposed UTM technology
Core Servers | None | Proposed UTM technology
Network IDS | None | Agentless Network Access Control

Primary benefits of adopting proposed alternative strategy

Enhanced protection for services that are allowed to pass the firewall,

Protect core servers from the desktop estate by passing through the UTM with IPS protection.

Network Client Security and Guest Controls

Infrastructure | Current Solution | Proposed Alternative Technology
Network Access Control | None | Agentless Network Access Control
Network visibility | None | Agentless Network Access Control
Guest Controls | Limited to manually controlling live ports | Agentless Network Access Control

Primary benefits of adopting proposed alternative strategy

Stop unauthorised devices connecting to the network and potentially gaining access to secure information,

Identify what's on the network:

o Different devices,

o Operating systems,

o Mobiles,

o Printers,

o Appliances.

Analyse the security posture of machines/devices:

o Is the device a domain member?

o Is it running up to date AV?

o Are its Windows patches up to date?

o Is it running a P2P application right now?

o Does it have an xyz registry key?

Remediate devices based on policy,

Quarantine insecure machines,

Stop P2P apps running,

Group machines without an xyz registry key,

Change the Vlan of a device, limiting its web or network access,

Authenticate non AD domain devices and request sponsorship to access the network,

Dynamic Intrusion Detection (with honeypots) system built in.
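As an added example (not from the audit document, and not the NAC product's own implementation), the following PowerShell answers the posture questions in the list above from the endpoint's own state and then maps the answers to the outcomes the list describes: allow, remediate, quarantine to a restricted VLAN, or require sponsorship for a non-domain device. An agentless NAC collects the same facts remotely over WMI and applies the VLAN change at the switch; here the facts are read locally so the decision logic can be read end to end. It assumes PowerShell 3 or later (WMF 3 on Windows 7); the P2P process list, the registry key standing in for the "xyz registry key", the patch age threshold and the VLAN names are placeholders for the council's own policy.

```powershell
# Added example, not part of the audit document. Policy values below are placeholders.

$posturePolicy = @{
    MaxPatchAgeDays = 30                                    # newest hotfix must be younger than this
    P2PProcessNames = @('utorrent', 'bittorrent', 'emule')  # hypothetical blocklist
    RequiredRegKey  = 'HKLM:\SOFTWARE\Council\Build'        # stands in for the "xyz registry key"
    CorporateVlan   = 'VLAN-Corp'
    RemediationVlan = 'VLAN-Remediate'                      # reaches WSUS/AV update sources only
    QuarantineVlan  = 'VLAN-Quarantine'
}

function Get-EndpointPosture {
    param([hashtable] $Policy = $posturePolicy)
    $cs = Get-CimInstance Win32_ComputerSystem

    # SecurityCenter2 (client OSes only) lists each registered AV product; in productState,
    # bit 0x1000 set = real-time protection on, bit 0x10 set = signatures out of date.
    $avOk = $false
    foreach ($p in @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)) {
        $s = [int]$p.productState
        if ((($s -band 0x1000) -ne 0) -and (($s -band 0x10) -eq 0)) { $avOk = $true }
    }

    # Age of the most recent hotfix is a cheap proxy for "patches up to date".
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge = if ($latest) { [int]((Get-Date) - [datetime]$latest.InstalledOn).TotalDays } else { [int]::MaxValue }

    $p2p = @(Get-Process -Name $Policy.P2PProcessNames -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name -Unique)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DomainMember   = [bool]$cs.PartOfDomain
        AvCurrent      = $avOk
        PatchAgeDays   = $patchAge
        P2PRunning     = $p2p
        HasRequiredKey = (Test-Path -Path $Policy.RequiredRegKey)
    }
}

# Pure policy decision: takes a posture object, returns the action and VLAN plus the failed checks,
# so every quarantine can be explained to the user and the helpdesk.
function Get-PostureVerdict {
    param([Parameter(Mandatory)] $Posture, [hashtable] $Policy = $posturePolicy)
    $failed = @()
    if (-not $Posture.DomainMember)                         { $failed += 'NotDomainMember' }
    if (-not $Posture.AvCurrent)                            { $failed += 'AvMissingOrStale' }
    if ($Posture.PatchAgeDays -gt $Policy.MaxPatchAgeDays)  { $failed += 'PatchesStale' }
    if ($Posture.P2PRunning.Count -gt 0)                    { $failed += 'P2PRunning' }
    if (-not $Posture.HasRequiredKey)                       { $failed += 'NoRequiredRegKey' }

    $action = 'Allow'; $vlan = $Policy.CorporateVlan
    if ($failed -contains 'NotDomainMember') {
        $action = 'RequireSponsorship'; $vlan = $Policy.QuarantineVlan     # non-AD device: guest flow
    } elseif ($failed -contains 'P2PRunning') {
        $action = 'Quarantine'; $vlan = $Policy.QuarantineVlan             # active policy breach
    } elseif (($failed -contains 'AvMissingOrStale') -or ($failed -contains 'PatchesStale')) {
        $action = 'Remediate'; $vlan = $Policy.RemediationVlan             # fix, then re-check
    } elseif ($failed -contains 'NoRequiredRegKey') {
        $action = 'GroupForReview'                                         # stays on corp VLAN, but grouped
    }
    [pscustomobject]@{ Computer = $Posture.Computer; Action = $action; Vlan = $vlan; Failed = $failed }
}

# Usage on the endpoint (an agentless NAC collects the same facts remotely over WMI):
Get-PostureVerdict -Posture (Get-EndpointPosture) | Format-List
```

The ordering in Get-PostureVerdict is the part worth arguing over with the NAC vendor: a non-domain device goes to the sponsorship flow before anything else is evaluated, an active P2P client is a quarantine regardless of how well patched the machine is, and a missing registry key only groups the device for review rather than cutting it off, which matches the "group machines without an xyz registry key" item above.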

Technology Consolidation (Simplification) Overview

Shown below, in Foursys recommended priority order (in terms of simplification/security benefit), are the changes proposed to the network solutions that are currently implemented.

Technology Area | Current Solution | Alternative Technology/Simplification
Firewall | Stonegate, TMG, Juniper (3) | UTM Technology
Web Security/Filtering | Bluecoat Cloud and agent | UTM Technology
Wi-Fi | Aruba & Z-wifi (2) | UTM Technology
Reverse Proxy (WAF) | TMG | UTM Technology
Intrusion Prevention System | Stonegate / no protection for servers from internal network | UTM Technology
AV/Endpoint | Kaspersky on premise | Cloud AV/MDM
Mobile Devices | Sophos Cloud | Cloud AV/MDM
Encryption | Microsoft BitLocker (little/no management) | BitLocker with integrated management

Anti-Virus and Endpoint can be simplified by adopting the latest cloud managed solution(s), ensuring console upgrades are a thing of the past. This technology can also integrate mobile device management, ensuring management is one console for all clients. Firewall, Web Security, Wi-Fi and reverse proxy can all be integrated into the latest UTM technology. This will simplify management, but also allow the technology to work together, extending the capabilities over the existing solutions. Commercially, utilising this technology from a single vendor will also offer cost savings, whilst UTM technology incorporates dual AV filtering ensuring that security isn't compromised.

Network/Firewall Security

Network security and efficiency as a whole can be increased via consolidation around UTM technology. The parks, for example, can be connected to the core network via a low cost layer 2 tunnelling device (RED), so they can be connected to the network quickly and easily, with firewall/IPS controls applied by the core UTM firewall to ensure security is maintained. This type of technology could be used to replace legacy point to point connections, enhancing security via Intrusion Prevention (IPS) and simplifying the design, whilst allowing lower cost broadband connections to be used rather than expensive leased lines.

UTM network technology includes IPS, country blocking and quality of service (bandwidth controls), allowing the security currently in place to be replaced with next generation firewall capabilities that also bring stronger performance via upgraded hardware.

Firewalls for the GCSX network can be consolidated while retaining the ability to report centrally across all UTMs/firewalls in a single management or reporting interface.

Wi-Fi Security

Wi-Fi can be integrated with the UTM configuration, ensuring full firewall, web filtering and appropriate security controls for guests, BYOD and corporate Wi-Fi networks.

The ability to extend Wi-Fi to remote sites via RED technology results in fast deployment times, highly secure networks, multiple networks on a single access point, etc.

Web Security

Direct Web Filtering and security for all devices whether LAN or Wi-Fi based.

Different policies for different users, networks or groups.

Dual AV controls

Category and Application Filtering

User authentication, with agentless (transparent) authentication possible.

Possible network diagram (for illustration purposes only):

Diagram labels (only these survive extraction): UTM Technology units in place of the StoneGate, TMG and Juniper firewalls; access points (x4); Internet access; DMZ (x82 VMs); PSN and non-PSN zones; PSTN and telephony gateways; domain controller; Exchange; FW logs and FW management console; Citrix App / Citrix WI / Citrix farm; telephony application (x1); Exchange, SharePoint, data management system, MS SQL, Active Directory, Swivel 2FA application servers, print servers, FTP, Kirona connector, plans, minutes, MRM; production NetApp 2240 (30 TB) FAS2240-2 filers serving iSCSI and NFS, SnapMirrored and backed up by SyncSort as today; physical servers (x30); Fiery printer controller; Mirra recording device; support staff (x5); remote users (x100); WebSite and E-mail elements; parks via Remote Ethernet connectivity.

Areas to enhance security further, whilst ensuring simple management/maintenance

Technology Area | Current Solution | Alternative Technology/Simplification
Vulnerabilities | WSUS for Microsoft patching only | Patch remediation for all applications (50,000 supported)
Network Client Security and Guest Controls | None | Agentless NAC
Encryption | Microsoft BitLocker | Microsoft BitLocker with full encryption management solution