
IT Security Solutions for Small Business: Security Policy, Security Audit, Firewall, IDS, Stealth Firewall, Client-Server VPN, Site-to-Site VPN

Summary

Malicious attacks against IT infrastructure are on the rise and the need for securing these systems has become vital to ensure the integrity of business data and operations.

This document is designed to inform and assist Technogenics customers in addressing current IT infrastructure security concerns, policies and procedures, and to help them understand the options available for implementing reliable, secure and efficient security systems.

Goals

Develop the organization's IT security policy and procedures manual.

Perform an IT security risk assessment of the organization.

Enforce the organization's IT security policy.

Design, build and implement a security solution for Technogenics customers which will exceed the requirements of many standards, compliance and industry regulators.

 

IT Security Policy

First, determine precisely, in information technology terms, which data must be protected and what it must be protected from. Security policies will then be applied to ensure systems protection and data integrity.

Develop an organizational security policy based on the following considerations:

  • What level of data integrity policies must be enforced?
  • Which data must strictly adhere to security policy guidelines to ensure confidentiality?
  • Which systems/data are subject to compliance, regulatory/legal obligations?
  • What are the Physical/Remote Access (LAN/WAN) availability and authorized access needs?
  • What measures should be taken to protect against malicious activity?
  • What measures should be taken to protect against unexpected interruptions of service?

 

Policies should address security threats such as computer viruses, hardware failures, power outages, natural disasters, unauthorized physical/remote access to systems/data, and distributed denial of service attacks.

 

Systems Software, Hardware & Security Audit

Once a clearly defined IT infrastructure security policy is in place, perform a thorough audit of systems software and hardware.

The audit will include:

  • Software Inventory
  • Hardware Inventory
  • External Pen Test (used to identify exploitable network services)
  • Vulnerability scanning (used to identify vulnerable systems software)

 

The information obtained in this audit will be confidential and serve to:

  • Ensure that current systems are compliant with organizational security policy.
  • Identify and correct any existing vulnerabilities before the implementation of new security systems and hardening measures.
  • Compare security conditions before enforcement of security policy with security conditions after policy is applied.

 

The information will be compiled and prepared for your review as a comprehensive examination of IT infrastructure hardware, software and security systems.

 

Network Topology & Design

Install a virtualization platform to facilitate partitioning of network services and server consolidation.

Build the system with sufficient resources to allow for future growth. New installs, including services, servers, remotely accessible desktops and applications, require no additional hardware procurement.
[Figure: network diagram]

 

Transparent/Bridged Firewall

Implement an enterprise-grade stealth firewall solution based on a modified BSD kernel, which will provide OSI Layer 2 packet filtering to completely separate the external network from the internal network.

Firewall/Router

Implement an enterprise-grade firewall solution based on a modified BSD kernel, which will provide Quality of Service (QoS), Network Address Translation (NAT), Hierarchical Fair Service Curve Packet Scheduler (HFSC), traffic shaping and stateful tracking options (STO).

This firewall will ensure that only necessary protocols and services are allowed to traverse the network.
The firewall will increase network performance and require that network resources be used only for authorized purposes. It will also make it possible to prioritize network traffic so that services considered mission critical get optimal use of network resources.

 

Firewall Failover Services

Failover services protect the network against a single point of failure. Failover occurs transparently to system users and will be connected to monitoring software which will notify system administrators in the event a problem occurs. All state information is inherited by the secondary failover system, which means that no user connections will ever be dropped and there will be no noticeable interruption of services.

Extended Firewall Failover Services

This would include the normal Firewall Failover Services with the added benefit of an uninterruptible power supply as well as UMTS (Universal Mobile Telecommunications System) connected network devices to eliminate the possibility of service interruption in the event of a provider network outage or other related power outages.

 

Intrusion Detection System

All traffic entering the network from the internet to an internal network destination will be subjected to additional integrity checking by an Intrusion Detection System Sensor (IDS). By monitoring the flow of packets and matching them against known attack types, the IDS will determine the probability that entering traffic is an attack. The IDS will redirect malicious traffic to the stealth firewall so that an automatic "block log all" rule is applied to the traffic source.

IDS notification systems will contact administrators by SMS and email to ensure appropriate review/actions are taken in the event of an attack.

The IDS will be IPsec capable.

The IDS will exceed the requirements of many standards, compliance and industry regulators.

VPN

Implement secure virtual private networking (VPN) features to facilitate fast, reliable remote access to internal network resources. The VPN will have its own set of security controls, data encryption, an auditing/monitoring service, and compression for higher network performance.

 

Road Warrior VPN Capability

Client-server VPN using L2TP/IPsec tunnels for remote access to internal network resources such as shared storage, printers and other resources that would otherwise be unavailable unless physically present.

Tunnels can also be initiated through PPTP, which will be disabled by default due to its lack of support for the additional integrity check provided by IPsec.

Both PPTP and L2TP with IPsec offer cross-platform compatibility and require no proprietary client software in order to connect.

Site To Site VPN

Site to Site VPN capabilities will be present for permanent connection to remote offices.
This will provide local users with access to all of the network resources available such as printers and storage on both sides of the secure tunnel.

Site to Site implementation would require that additional hardware be installed at the remote location.

 

Protocols and Encryption

To provide cross-platform compatibility and ease of use, the solution uses the L2TP tunneling service with IPsec for data integrity checking, IPsec and IKE for establishing security associations between remote users and sites, and 2040 bit 3DES/TDEA encryption for data.

 

Final Security Audit

The information obtained from this audit will be kept confidential and can be used to:

  • Satisfy compliance requirements and industry regulatory organizations such as PCI DSS.
  • Assess improvements made by security hardening measures.
  • Assist in IT security policy changes and updates when called for.

 

The final security audit will consist only of pen testing and vulnerability scanning.

 

Conclusion

You will have a fast, secure, reliable IT security solution that provides

  • cross platform compatibility
  • ease of use
  • multi layered security
  • network monitoring
  • standards compliance
  • remote access
  • system consolidation
  • organization policies …

 

and threat notification systems which will alert system administrators in the event of attack, outage or other network related anomaly.

The system can be fully operational in five business days with all network services secured and functioning properly.

 

If you would like more in-depth information regarding the solutions in this design, contact us by email or telephone.

