3. PERIMETER FIREWALLS
• Checkpoint UTM for site-to-site VPN with UK
• Checkpoint UTM for ATG / IS data center
• Palo Alto for Atlanta Data Center (DMZ), internet browsing, and disaster recovery
13. WORKSTATION STANDARDS
• Local administrative privilege allowed by exception
• Guest and administrator account disabled
• Administrator account renamed
• No Windows firewall
• No pop-up blocker
14. WORKSTATION STANDARDS
• Unused computers are removed from the domain
• Other policies as recommended in Microsoft Baseline Security Configuration Manager
• Variety of IE settings
• Altiris workstation images
15. SERVER STANDARDS
• Anti-virus / management agent
• Windows 2003 R2 or higher
• Redundant hardware / UPS to protect against data loss
16. SERVER STANDARDS
• Regular backup with offsite storage to ensure data availability
• Encryption and secure protocols
• Other policies as recommended in Microsoft Baseline Security Configuration Manager
• Altiris server images
Security is everyone's job. For IT, its features are engrained in the technology and procedures they use. I may touch on items managed by other people around this table and point those out.
PAN 5020 for internet browsing, as part of the internet consolidation project. It's the new firewall: a full application firewall.
Firewalls used to be port management. Now, most ports are blocked except 80 and 443. To the hacker, this is always available.
Goal: better understand and control what goes through those ports.
Juniper VPN infrastructure: SSG520 appliance cluster – concentrator for 90+ remote site-to-site offices connecting with Juniper firewalls.
Avaya VPN phone connectivity for remote users.
ISA 2006 – primary ISA firewall for perimeter applications and reverse proxy of OWA, OCS, ActiveSync, Outlook Anywhere.
ISA 2006 firewall for publishing the current www.pbsj.com and external websites to the Internet; used for the northamerica.atkinsglobal.com website.
ActiveSync and BES: device encryption, remote wipe, encryption (yes for iPhone, no for Android?)
SendIT appliance and application support.
External FTP server and project folder management.
Secure FTP infrastructure for Oracle Alert Driving data transfer.
Zscaler web filtering: application management and configuration on 90+ Juniper firewalls. URL filtering; botnet and browser exploit protection. Works through a redirect of all HTTP traffic. Soon to be replaced by PAN.
Microsoft Exchange Hosted Solution (EHS), Vircom server and application for SMTP mail flow: quarantine and spam management.
Complete management of external DNS and domains in Network Solutions for all PBSJ.com and PBSJ subdomains.
GlobalSign external public SSL certificate management for all perimeter and some internal SSL websites.
2 Microsoft DNS caching servers on the DMZ for caching of DNS requests.
ODCEDGE DMZ server for OCS.
MEWEB01 – for McLaren Enterprise.
WSUS – patch management application for enterprise-wide patching of servers & workstations.
McAfee infrastructure: ePO server configuration and management of software, policies and reporting; 5000+ nodes consisting of workstations and servers for antivirus and anti-spyware.
Antigen/Forefront for antivirus on the current Exchange infrastructure.
AD Rights Management (ADRMS) infrastructure – configuration of policies, client deployment, setup, training guides etc.
Internal PKI infrastructure – root CA server and issuing CA server; architecture configuration, maintenance, security of the infrastructure. Issuance of machine certificates to all enterprise workstations and servers. Issuance of internal code signing certificates and SSL certificates for internal applications.
Wireless Aerohive infrastructure: Hive Manager and Guest Manager appliance – configuration, software updates, maintenance, security policy configuration. 200 wireless access points – security policy configurations, RADIUS configuration and software updates.
Password auditing: L0phtcrack; e-mail reminders upon 90-day expiration. Password reset/enable; unlocks user IDs.
2 Microsoft IAS RADIUS servers for wireless, switch and router authentication for users.
Password auditing server: running L0phtcrack.
LogRhythm SIEM appliance – collection of security logs and domain controller logs; future collection from networking equipment (i.e. switches and routers).
IAS – Internet Authentication Server. SIEM – Security Information and Event Management. ADRMS – Active Directory Rights Management Service. Internal PKI – allows us to issue our own internal certificates; plays a role in federating domains.
Complex password- At least 8 characters, 1 letter, 1 number, 1 special character
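The two password controls in the notes, the complexity rule (at least 8 characters, 1 letter, 1 number, 1 special character) and the 90-day expiration reminders, are shown below as an added example; this is not code from the presentation or from any product it names. The account records and today's date are constructed sample data, the 14-day reminder window is an assumption (the notes state only the 90-day expiration), and "special character" is taken to mean any non-alphanumeric, non-whitespace character.

```python
"""Added example: password complexity check and expiration reminders.

Implements the standard stated in the notes (8+ characters, a letter,
a number, a special character) and flags accounts whose password is
within the reminder window of the 90-day expiration, or already past it.
Sample accounts and the reference date are constructed for the example.
"""
from datetime import date, timedelta

MIN_LENGTH = 8            # from the notes
MAX_AGE_DAYS = 90         # from the notes
REMINDER_WINDOW_DAYS = 14  # assumption: start reminding two weeks before expiry


def complexity_failures(password: str) -> list[str]:
    """Return the names of every complexity rule the password fails.

    An empty list means the password meets the standard.  Checking every
    rule (rather than stopping at the first failure) lets a reset page tell
    the user everything that still needs fixing.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isalpha() for c in password):
        failures.append("letter")
    if not any(c.isdigit() for c in password):
        failures.append("number")
    # Assumption: "special" means any character that is neither
    # alphanumeric nor whitespace.
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        failures.append("special")
    return failures


def is_complex(password: str) -> bool:
    """True when the password satisfies all four rules."""
    return not complexity_failures(password)


def password_status(last_set: date, today: date) -> tuple[str, int]:
    """Classify a password by its age.

    Returns (status, days_left) where status is "ok", "remind" (inside the
    reminder window) or "expired" (days_left is negative).
    """
    expires_on = last_set + timedelta(days=MAX_AGE_DAYS)
    days_left = (expires_on - today).days
    if days_left < 0:
        return ("expired", days_left)
    if days_left <= REMINDER_WINDOW_DAYS:
        return ("remind", days_left)
    return ("ok", days_left)


# Constructed sample accounts: (user id, date the password was last set).
SAMPLE_ACCOUNTS = [
    ("alice", date(2011, 5, 20)),
    ("bob", date(2011, 3, 10)),
    ("carol", date(2011, 2, 1)),
]


def reminder_list(accounts, today: date) -> list[tuple[str, str, int]]:
    """Accounts that need an e-mail: those in the window or already expired."""
    result = []
    for user, last_set in accounts:
        status, days_left = password_status(last_set, today)
        if status != "ok":
            result.append((user, status, days_left))
    return result


def reminder_text(user: str, status: str, days_left: int) -> str:
    """Body of the reminder e-mail for one account."""
    if status == "expired":
        return f"{user}: your password expired {-days_left} day(s) ago; reset it to regain access."
    return f"{user}: your password expires in {days_left} day(s); please change it."


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        print(pw, "->", complexity_failures(pw) or "meets standard")
    for entry in reminder_list(SAMPLE_ACCOUNTS, date(2011, 6, 1)):
        print(reminder_text(*entry))
```

The same `password_status` logic can be fed from a directory export (the `pwdLastSet` date of each account) instead of the constructed list; the classification and message generation do not change.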
Software inventory is obtained through Altiris and compared against licenses on file by the respective area.
Concept of least privilege: grant only the privileges required to fulfill job responsibilities. 4 AD domain administrators.
McAfee and ePO agent. Ugh – IE 7.
To protect from retired workstations, there is an automated process to remove them from the domain.
IE settings: zones, etc.
Altiris workstation images: used on new and rebuilt computers to provide a consistent, supportable, secure system.
Desktop security: browser upgrades to IE8 for XP and IE9 for Windows 7 (IE9 is fully W3C compliant, finally, from Microsoft). Compatibility testing of all internal applications.
Implementation of a pop-up blocker on enterprise desktops.
Possible implementation of Windows Firewall on workstations (currently a requirement at DOT).