Building an IT security architecture
8.4 The design phase

Table 8.1 Type of System Present in Each Zone

Zone                              Class of System
Z1: Executive management          Department server holding strategic-planning data
                                  Standard user workstations
Z2: Audit                         Department server holding audit data
                                  Standard user workstations
Z3: Customer-related services     Department servers holding customer data
                                  Department server with no sensitive data
                                  Standard user workstations
Z4: Production systems            Mainframe holding customer data
                                  Midrange systems holding customer data
                                  Midrange systems with no sensitive data
                                  Customer facing transactional systems
                                  Infrastructure servers
                                  Midrange server holding data warehouse
Z5: Development systems           Mainframe with no sensitive data
                                  Midrange servers with no sensitive data
                                  Standard user workstations
                                  Development workstations
Z6: Intranet infrastructure       NAS
                                  Firewall
                                  Networking devices
Z7: Internet infrastructure       Company Web server
                                  Proxy server
                                  Firewall
                                  Networking devices
                                  Standard user workstations
Z8: Branch office                 Department server holding customer data
                                  Networking devices
                                  Standard user workstations
Z9: Commercial networks           Network infrastructure
Z10: Internet                     Network infrastructure

[Table 8.2 Important Data Flows Between Zones: matrix of Source Zone (rows Z1 to Z10) against Destination Zone (columns Z1 to Z10); the cell markings are not reproduced here.]

• Flows into zone Z1 are reports to executive management. Apart from mail messages, which link everyone with everyone, very little information flows out of Z1 in electronic form. Communication with middle management usually occurs via weekly meetings.
• Flows into zone Z2 are information flows used to support audit functions.
• Flows from zone Z7 occur via diskette and involve internal users copying downloaded files to the internal network (bypassing the control of the isolated network). While this is currently tolerated and a known problem, the flow of data in the opposite direction is strictly prohibited.
• The flow from zone Z4 to Z5 involves transferring production data to development systems to facilitate testing and represents a major security issue.

The Secure Bank has defined no particular policy requirements related to the segregation of internal networks and currently makes no attempt to control traffic flows within the network perimeter. At this stage, we already have enough information to single out two internal flows worthy of special attention, namely, the latter two flows.

The decomposition of the organizational infrastructure into security zones, together with the classes of system in each zone and the summary of important network flows, constitutes the model against which we will conduct a risk analysis. In real life, this model would contain more contextual information, such as a description of each class of systems, together with a mapping from the actual architecture to the simplified model. In creating this model, we have considerably simplified the subsequent analysis steps:

• Security zones enable us to discuss specific problems with the appropriate audience.
• By classifying systems within zones, we have reduced the number of systems to be analyzed from approximately 150 servers (including branch offices), a range of networking devices, and 2,000 workstations to 25 types of system.
• Key information flows are useful in deciding whether to implement network access-control measures within the organization and can also help determine how trust relationships are to be established.

By conducting a risk analysis against this model, we will be able to construct a picture of how risks are distributed throughout the infrastructure without getting bogged down in unnecessary detail. This is the objective of the next step.

8.4.4 Risk analysis

In this step of the design phase, a risk analysis is carried out against this simplified architecture, and it is to be expected that this analysis will largely confirm the selected model. However, the design of the security architecture should be seen as an iterative process, and, if necessary, the initial model should be modified to reflect any new information arising out of the risk analysis. It is not usually desirable to start with the risk analysis itself because the infrastructure is too complex. The decision to model the infrastructure first therefore involves a compromise by sacrificing detail in order to obtain useful results in a reasonable timeframe.

The aim of this step is to identify the most important risks with which the IT infrastructure as a whole is confronted. We then classify these risks into two sets: those that can be mitigated using an architectural approach and those that are application specific and are best dealt with locally. Risks in the former category are used to derive required security services at the architectural level, whereas specific risks are checked against current application functionality and dealt with in coordination with the application-support team. We carry out this analysis as follows:

• Analysis of the risks associated with each class of system identified in the previous step;
• Analysis of the two data flows of interest;
• Identification of required security services at the platform, network, and zone levels;
• Modification to reflect likely future requirements.

FRA techniques are used to perform this analysis (see the Appendix for details). The starting point for such analyses is to ignore any existing security services, as these will be derived by the process. The result is a set of risk analyses that can be summarized in the form of a table, showing how security services are distributed over platforms and networks. Table 8.3 summarizes this information for each defined security zone. The following comments should be kept in mind when interpreting Table 8.3:

• The matrix identifies security services that are required to secure the zone. This information summarizes the risk analyses performed at the platform and network flow levels.
• The derived security services are not necessarily implemented within the zone itself. For instance, zones Z1, Z2, Z3, Z4, Z5, and Z8 (rows 1, 2, 3, 4, 5, and 8) require the network access control security service to

Table 8
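As an added example (not code from the book), the following Python script models the process this section describes: the zones and classes of system of Table 8.1, a list of inter-zone flows constructed from the bullet points under Table 8.2 (the matrix cells themselves are not on the page, and endpoints the text leaves open are marked ASSUMED), and three deliberately simple flagging rules that stand in for the FRA analysis. The rules, the set of zones treated as untrusted (assumed here to be Z7, Z9 and Z10) and the service names are assumptions for illustration only. The point it demonstrates is that once the infrastructure is reduced to zones, classes and flows, singling out the Z7 diskette flow and the Z4-to-Z5 flow and deriving per-zone security services becomes a small, repeatable computation rather than a review of 150 servers.

```python
"""Toy model of the security-zone decomposition in Section 8.4 (added example,
not the book's code). Zone ids and classes of system follow Table 8.1; the
flows are constructed from the prose; rules and service names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source zone id
    dst: str          # destination zone id
    channel: str      # "network" or "diskette"
    description: str


# Zone id -> classes of system present (from Table 8.1).
ZONES = {
    "Z1": ["Department server holding strategic-planning data", "Standard user workstations"],
    "Z2": ["Department server holding audit data", "Standard user workstations"],
    "Z3": ["Department servers holding customer data", "Department server with no sensitive data",
           "Standard user workstations"],
    "Z4": ["Mainframe holding customer data", "Midrange systems holding customer data",
           "Midrange systems with no sensitive data", "Customer facing transactional systems",
           "Infrastructure servers", "Midrange server holding data warehouse"],
    "Z5": ["Mainframe with no sensitive data", "Midrange servers with no sensitive data",
           "Standard user workstations", "Development workstations"],
    "Z6": ["NAS", "Firewall", "Networking devices"],
    "Z7": ["Company Web server", "Proxy server", "Firewall", "Networking devices",
           "Standard user workstations"],
    "Z8": ["Department server holding customer data", "Networking devices",
           "Standard user workstations"],
    "Z9": ["Network infrastructure"],
    "Z10": ["Network infrastructure"],
}

# ASSUMPTION: zones whose traffic is not trusted by default -- the isolated
# Internet infrastructure and the two external networks.
UNTRUSTED_ZONES = {"Z7", "Z9", "Z10"}

# Flows constructed from the comments under Table 8.2. Endpoints the text
# does not state are marked ASSUMED.
FLOWS = [
    Flow("Z4", "Z1", "network", "reports to executive management (source ASSUMED)"),
    Flow("Z4", "Z2", "network", "data supporting audit functions (source ASSUMED)"),
    Flow("Z7", "Z3", "diskette", "downloaded files copied to the internal network (destination ASSUMED)"),
    Flow("Z4", "Z5", "network", "production data copied to development systems for testing"),
]


def holds_sensitive_data(zone_id):
    """A zone is sensitive if any class of system in it 'holds' data (strategic-planning,
    audit or customer data, or the data warehouse); 'no sensitive data' classes do not."""
    return any("holding" in cls for cls in ZONES[zone_id])


def assess_flow(flow):
    """Return the reasons a flow deserves special attention (empty list if none).
    Three simplified rules standing in for the FRA analysis described in the text."""
    reasons = []
    if holds_sensitive_data(flow.src) and not holds_sensitive_data(flow.dst):
        reasons.append("sensitive data lands on systems not classified to hold it")
    if flow.src in UNTRUSTED_ZONES and flow.dst not in UNTRUSTED_ZONES:
        reasons.append("content enters the internal network from an untrusted zone")
    if flow.channel != "network":
        reasons.append("out-of-band channel bypasses network access controls")
    return reasons


def find_risky_flows(flows):
    """Map (src, dst) -> reasons for every flow that triggers at least one rule."""
    risky = {}
    for flow in flows:
        reasons = assess_flow(flow)
        if reasons:
            risky[(flow.src, flow.dst)] = reasons
    return risky


def required_services(flows):
    """Derive, per destination zone, the security services the flagged flows call for.
    Service names are illustrative; the book derives its own set in Table 8.3."""
    services = {zone: set() for zone in ZONES}
    for flow in flows:
        reasons = assess_flow(flow)
        if not reasons:
            continue
        if any(r.startswith("sensitive data") for r in reasons):
            services[flow.dst].add("data sanitization or equivalent access control")
        if flow.channel == "network":
            services[flow.dst].add("network access control")
        else:
            services[flow.dst].add("removable-media and malicious-content control")
    return services


if __name__ == "__main__":
    for (src, dst), reasons in find_risky_flows(FLOWS).items():
        print(f"{src} -> {dst}: " + "; ".join(reasons))
    for zone, svcs in required_services(FLOWS).items():
        if svcs:
            print(zone, sorted(svcs))
```

Run as a script it lists the two flagged flows and the services each destination zone picks up; in practice the flow list and the rules would be filled in from the full Table 8.2 and the FRA results rather than from the handful of constructed entries here.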