‘Web-Tech Home Improvement’
An Analysis of the Information Security Infrastructure
For an E-Commerce Home Improvement Company.
SE571 – Term Project
Course Project
Final Report
Chris McCoy
Keller Graduate School of Management
DeVry University
3/13/2007
Presentation to the Board of Directors – WTHI (Web Tech Home Improvement)
Members of the Board, it is a pleasure to address you today on the subject of Corporate
Information Security. As you may be aware, the security of information here at WTHI is critical to
the company’s ability to maintain its competitive advantage as a Domestic Supplier of Home
Improvement Fixtures. Today, we are proud to lead in our market by way of a strategic sales
channel that allows our customers to receive their home improvement items faster than they would
from our other online competitors.
I would like to share with you a quote from the recent InfoSec conference held in Florida at the end of March: “Attackers probably have less interest these days in bringing down large numbers of computers than exploiting the data in them for financial gain,” said Doug Sweetman, senior technology manager in corporate information security at Boston financial services firm State Street [1] (as cited in Network World, 2007).
These words from Mr. Sweetman should be considered our call to arms to improve the current state of our corporate security. It is a loud and powerful wake-up call that we cannot ignore. In order to maintain our competitive advantage, expand our marketing channels and improve upon our abilities for future growth, we must first improve the safeguards that protect our vital technological resources: our four distribution centers, our supply chain systems, our e-commerce database information and our datacenters, which contain the equipment needed to support the transactions from which we generate and grow revenue via our most powerful resource, the World Wide Web. The data that the quote describes attackers exploiting for financial gain is, in our case, our financial and transactional e-commerce data. This data is the vital link between us and our customers. It is at the heart of our competitive edge. The key to keeping that link strong is maintaining a powerful, secure, well-monitored environment where our physical and information assets are protected in an ongoing process. We have made great strides, but the time to take great action is now.

[1] Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1, 10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).
This report will discuss the current status of our physical and information security
infrastructure and the steps we must take to improve these systems to better protect our data and
maintain our leadership position in the ‘Home Improvement Appliance’ market.
Three components make up the security of our information enterprise. First is the physical security of our four locations; our ability to perform adequate video surveillance and access control at each of these sites is critical to protecting our information and physical assets. Second is the protection of our data, our databases and the complete information systems infrastructure. The third component ties the first two together: increased bandwidth and restructuring of our wide area IP network, which will carry the additional traffic and support the security controls required by the new technologies introduced later in this report.
Following a comprehensive analysis of the security here at WTHI, we have determined
that the existing security infrastructure must be improved if we are to continue our competitive
advantage. To ignore this critical need could cost us this leadership position in the market or
worse, compromise the integrity and security of our data. A recent report from our CFO indicates that the company's current e-commerce revenue averages $45,000.00 per hour. In the event our e-commerce capability is interrupted due to a security breach, we will lose $750.00 per minute in revenue. Most of this revenue will go to one of our competitors: either a traditional 'brick and mortar' (physical) store such as Home Depot, Lowe's, True-Value Hardware, Sears or The Home Expo Center, or a Web-based e-commerce seller such as Fixture Universe (www.fixtureuniverse.com) or Finestfixtures.com (www.finestfixtures.com). With every minute of lost revenue comes a lost minute of competitive advantage, as we come one step closer to losing our share of the online home improvement market. With our current Information Technology and Information Security infrastructure, there is no question as to whether we will suffer an outage; it is simply a matter of when. The purpose of today's presentation is to show you where we are, where we need to be, and what we need to do to get there in terms of a capital investment in the security of our physical and informational assets.
Though the picture painted here is not pretty, there is good news. The proposed security plan for WTHI has a very short payback period. Approximately 10 hours of revenue will pay for the required improvements to our infrastructure, every 3 hours of revenue will pay for 1 year of WAN service, and 1 hour of revenue will cover more than 2 years of technical support on every piece of equipment shown in today's presentation.
To begin our presentation, we will look at the physical security in place at all four of our distribution centers. Today, the buildings in our Washington DC, Los Angeles, Dallas and Chicago offices are all secured by 'Acme Security', a vendor we selected 3 years ago to provide on-site security guards and camera monitoring. These security guards continue to work hard to meet the service level agreements in our contracts, but those SLAs are no longer sufficient to provide WTHI with a system capable of keeping our datacenters safe from intrusion and theft.
There are two major technology components in the Physical Security Plan:
1. Physical Access Control to the Building perimeters, parking lot, and front door, loading dock,
elevators and specific internal areas such as the Warehouse and Computer room where access
should be restricted. A need to control access using individual employee badges is identified
below.
2. Closed Circuit Video Camera Surveillance of the critical access areas including the main
entrance, parking lot, lobby, computer room, loading docks, and inside warehouse.
The diagram below shows the current state of the camera surveillance and physical perimeter
access control (none) in place and identifies areas where security weaknesses exist.
This diagram identifies four weaknesses in our current facilities security plan:
1. There is no way to track who is in the building at any given time of the day.
2. The camera system reports to a local camera monitor and is recorded locally to video tape, but each tape holds only 8 hours of video. Should the guard forget to change tapes, no record of the security video will be kept.
3. The data center doors and perimeter doors offer no way to limit entrance into critical areas such as the data center.
4. The camera systems are antiquated and need to be replaced; identifying minor details in the video image is difficult.
A security solution is required to mitigate the risk of an intrusion into our buildings and theft of our information systems and assets.
A network-based video solution is recommended to help better manage the perimeter access to all four of WTHI's facilities. An article in the Journal of Housing and Community Development highlights the value of investing in such a system; as Stennett and Wren (2006) observe, "By supporting access control and other systems, network video can improve their effectiveness and even generate additional return-on-investment on those technologies.” [2]
Technology Solution
With a digital video system, smaller PTZ (pan-tilt-zoom) analog cameras record continuously to a digital video recorder (DVR) at each site, which converts their analog signal to digital and stores it on a large local hard drive. Each DVR offloads its stored video across the network to the central security server in the Chicago office once it reaches 70% of capacity. The remaining 30% is planned overhead: it allows the recorder to keep capturing video during a network outage in which the scheduled transfer to Chicago cannot be completed. Because that overhead covers only a bounded number of hours at the recording rate in use, the Network Operations Center should be alerted whenever a DVR has crossed the 70% mark but cannot reach Chicago, before footage is lost.
[2] Stennett, C. A., & Wren, A. (2006, November). Technology and safety: How network video can help increase security at public housing authorities. Journal of Housing and Community Development, 63(6), 28-30, 32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).
The following diagram provides a visual representation of the proposed video solution:
Note that the Camera system can now be monitored locally and remotely.
The digital capability allows deeper analysis of the video with more sophisticated analysis
tools in order to identify intruders and unauthorized access.
Cost information for proposed solution:
Solution: Digital Video

                         Vicon Systems                                   Alternative Security
Cost info                4 DVRs @ $8,000.00 ea = $32,000.00              (4) 9-camera complete systems w/cameras
                         36 PTZ cameras @ $463.85 ea = $16,698.60          and DVRs @ $2,699.00 ea = $10,796.00
                                                                         Cameras: n/a (included above)
                         Central console $1,352.65 + joystick            Central console $1,352.65 + joystick
                           control unit $200.00 = $1,552.65                control unit $200.00 = $1,552.65
Digital video archive    EMC Clariion AX (500 GB expandable              EMC Clariion AX (500 GB expandable
                           archive) $6,000.00                              archive) $6,000.00
Total cost - video       $56,251.00                                      $18,348.65
A diagram of the proposed DVR Centralized monitoring system is shown below:
As shown in the diagram above, camera footage is recorded locally into a DVR (Digital Video Recorder) unit at each office. Each unit is connected to the local area network and managed using a fixed IP address. Once configured with its IP information, the unit can communicate with the master control unit in Chicago, where it offloads video to the central storage device shown above. That device archives video for a predetermined time so it can be accessed later if needed for legal review. Because each DVR is reachable over the LAN, its management interface should accept connections only from the Chicago security center and local security staff, so that a compromised PC on the warehouse floor cannot erase or alter footage.
Physical Access to Buildings and Facilities
The second major component of physical security at WTHI is the physical access control to all
WTHI’s buildings. The current model of physical access control consists of a security guard seated at the
main security desk in the lobby of each of our four locations. This guard asks all employees to show a
badge. He/She also asks visitors to sign in on a ledger and show a valid ID such as a driver’s license or
military ID. Once ID is verified, the security guard issues a sticker with the word “visitor” and the current
date. There is nothing more than a visual indicator that the visitor has had his/her ID checked at the front
desk. There is also no policy requiring visitors to sign out. We really don’t know when they come and go,
only the date they were at our office.
Fortunately, advances in building security systems allow us to move forward with a new system that gives WTHI a reliable means of tracking employee and visitor movement throughout each building. The new system involves issuing a new badge to every employee at each site. The badge will carry the company logo, the employee's name and picture and the employee ID number, and will contain a small proximity (RFID) chip. A badge reader, a device designed to read the information from this chip, will be installed at every perimeter access point in each location. An additional badge reader will be installed in the elevator and on the outside of the main entrance door to validate after-hours and weekend access. These readers have a keypad on which the employee enters a company-issued PIN, so that possession of the badge alone (which can be lost, lent or copied) is not enough to open a door. The employee holds the badge a few inches from the reader; the reader beeps and a small display window prompts the employee to enter his/her PIN. Once the PIN is verified, the reader either grants or denies access. When access is granted, the reader sends a message to the control panel to unlock the door; if access is denied, the door remains locked. Note that not all employees should be given access to all areas. For example, warehouse employees have no need to enter the data center, whereas an IT employee may need to enter the warehouse to fix a PC for shipping and receiving. Employees will be trained in the use of the badge reader system. Warehouse employees will require additional fingerprint enrollment and training, as the warehouse perimeter access units will have an additional biometric fingerprint reader. Employees will be instructed to enter all doors one person at a time. Holding doors for others ('tailgating') is discouraged by security and can be tracked on the camera system. Should a security officer observe an employee allowing others to enter through the same door, the manager of the employee who presented his/her badge at that particular door will be contacted and notified of the event. Repeat violations will be reported to HR.
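The access decision that the readers and control panel make can be written down precisely. The following is an added example, not part of the original report and not the logic of the C-Cure or ACTAtek products: the door names, roles, business hours, PIN-lockout threshold and employee records are assumptions made for illustration. It shows badge-plus-PIN verification, per-area access levels (warehouse staff cannot open the data center door; IT staff can open the warehouse door, but only with a fingerprint), after-hours validation, and a check that names the badge holder when the cameras count more people through a door than the panel unlocked it for.

```python
"""Added example: badge-plus-PIN door access decisions with per-area access
levels, after-hours validation, a warehouse fingerprint requirement and a
tailgating check. Employee records, door names and thresholds are constructed
for illustration; they are not WTHI data or the C-Cure product's logic."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Door -> area it protects (assumed layout).
DOOR_AREA = {
    "main_entrance": "lobby",
    "elevator": "lobby",
    "data_center_door": "data_center",
    "warehouse_door": "warehouse",
    "loading_dock_door": "loading_dock",
}
# Role -> areas the role may enter: warehouse staff never reach the data
# center, IT staff may enter the warehouse, as the report requires.
ROLE_AREAS = {
    "warehouse": {"lobby", "warehouse", "loading_dock"},
    "it": {"lobby", "data_center", "warehouse"},
    "office": {"lobby"},
}
BIOMETRIC_DOORS = {"warehouse_door", "loading_dock_door"}  # extra fingerprint reader
BUSINESS_HOURS = range(8, 18)                              # assumed 08:00-18:00, Mon-Fri
MAX_PIN_FAILURES = 3                                       # assumed lockout threshold
TAILGATE_WINDOW = timedelta(seconds=10)                    # assumed door-open window


def pin_digest(pin: str, salt: bytes) -> bytes:
    """PINs are stored as salted PBKDF2 digests, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Employee:
    badge_id: str
    role: str
    salt: bytes
    digest: bytes
    fingerprint_enrolled: bool = False
    after_hours: bool = False   # cleared for after-hours / weekend entry
    active: bool = True
    pin_failures: int = 0


def enroll(badge_id, role, pin, **flags):
    """Issue a badge: the PIN is hashed at enrollment time."""
    salt = os.urandom(16)
    return Employee(badge_id, role, salt, pin_digest(pin, salt), **flags)


def is_after_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


class AccessController:
    def __init__(self, employees):
        self.employees = {e.badge_id: e for e in employees}
        self.grants = []   # (timestamp, door, badge_id) for every unlock

    def request(self, ts, door, badge_id, pin, fingerprint_ok=False) -> str:
        """Return 'grant' or 'deny:<reason>' for one badge presentation.
        Factors are checked in order: badge, PIN, area, fingerprint, time."""
        emp = self.employees.get(badge_id)
        if emp is None or not emp.active:
            return "deny:unknown_or_disabled_badge"
        if emp.pin_failures >= MAX_PIN_FAILURES:
            return "deny:badge_locked"
        if not hmac.compare_digest(pin_digest(pin, emp.salt), emp.digest):
            emp.pin_failures += 1          # the badge alone is never enough
            return "deny:bad_pin"
        emp.pin_failures = 0
        if DOOR_AREA[door] not in ROLE_AREAS[emp.role]:
            return "deny:no_access_to_area"
        if door in BIOMETRIC_DOORS and not (emp.fingerprint_enrolled and fingerprint_ok):
            return "deny:fingerprint_required"
        if is_after_hours(ts) and not emp.after_hours:
            return "deny:after_hours"
        self.grants.append((ts, door, badge_id))
        return "grant"

    def tailgate_check(self, ts, door, persons_seen: int):
        """Camera analytics report how many people passed a door shortly after
        it unlocked. More people than grants in the window means someone was
        let in; return the badge holder(s) whose grant(s) fall in the window."""
        window = [b for t, d, b in self.grants
                  if d == door and ts - TAILGATE_WINDOW <= t <= ts]
        return sorted(set(window)) if persons_seen > len(window) else []
```

A real control panel would keep the PIN digests in its own secure store and would receive the person count from the video analytics described earlier; the point of the example is that badge, PIN and fingerprint are separate factors checked in order, and that every grant is logged so a tailgating report can be traced back to a specific badge and, through it, to the manager who must be notified.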
The diagram below shows placement of access point badge readers for all critical access areas:
Cost Information – Badge Access System
Due to limited pricing availability of components, a mixed solution cost from 2 vendors is shown:
Solution: Perimeter Badge Access Control

Vendor info      Software House C-Cure badging system                 $1,000.00 x 4   = $4,000.00
Cost info        Control panels                                       $450.00 x 8     = $3,600.00
                 ACTAtek badge readers                                $790.00 x 26    = $20,540.00
                 ACTAtek fingerprint and HID Prox I/II combo
                   badge and biometric readers                        $1,590.00 x 8   = $12,720.00
                 Door strikes                                         $175.00 x 32    = $5,600.00
                 Door relay units                                     $179.00 x 32    = $5,728.00
Total cost - badge control system                                                       $52,188.00
Central Control of Panel Access
Occasionally, a badge may need to be enabled or disabled or have its access level changed. Should such a
request arise, the change is made centrally from the Chicago Security Center. Below is a diagram showing
the connectivity of the panels into the central control facility.
Physical Security Plan Purchase and Contract Requirements including SLAs
The implementation of this two-part solution will be a combined integration project for IT and a selected vendor. Required actions to complete the implementation include:
1. Negotiate the purchase price (based on the cost information above) for all equipment including cameras, collection units, and the central monitoring equipment to be located in the Chicago Data Center. A total of four separate computer 'badging' systems with encoding capability must be purchased (one for each location). A digital fingerprint component is also required for enrolling employees' fingerprints (to be used with the biometric readers installed on the warehouse doors).
2. Negotiate inclusion of a technical support contract at a 20% discount based on the volume of equipment purchased, to cover equipment at all sites, including cameras, collector systems, and central monitoring station equipment.
3. Negotiate a discount on the technical support contract, based on volume purchase, for all badge control system equipment including door locks, badge readers and control panels.
4. Wiring contractor to complete the installation and wiring of all cameras and systems in the four office locations.
5. Wiring contractor to complete wiring of the badge control system including door locks, readers and control panels, including the central control system at the Chicago security office.
6. Separate purchase of a Storage Area Network device to archive at least 3 months of video. This purchase will also require a technical support contract covering hardware and software support for management of the device.
7. Negotiate the inclusion of a separate alarm system, as part of the badge access system purchase, to monitor the warehouse loading dock and perimeter doors. An insurance clause should be included to protect all warehouse assets against loss due to theft. The SLA for this contract should require a maximum response time of 10 minutes from the monitoring company, and an immediate call to local police when no response is received from the local warehouse manager within 10 minutes.
8. SLA: technical support contracts for the video and badge systems:
a) Video system equipment failure: 24/7 support, technician on site within 4 hours of reported failure, 24-hour hardware replacement for any failed component at any site. In the event of a DVR failure, where no video is captured, a third-party security company will be contracted to provide security officers to patrol the entire location and watch perimeters and warehouse activity until the replacement DVR is delivered and set up.
b) Badge system equipment failure: 24/7 support, technician on site within 2 hours of reported failure, 24-hour hardware replacement for any failed component at any site. Additional requirement: a door lock that fails open will be monitored by a third-party security company. An armed guard will be dispatched to physically monitor the door whose badge reader/lock has failed open (the door cannot be locked due to the system failure). An example of a company that provides this service is Securitas (http://www.securitasinc.com/). When the door strikes are specified, the vendor should confirm for each door whether it must fail secure (the data center) or fail safe for life-safety egress, since that choice determines which failures require a guard.
9. Contractual penalties: WTHI's legal department will negotiate an equitable settlement figure based on the contract amount for each contract. This penalty amount will be consistent with industry rates for contractual breach. Any vendor failing to meet the full requirements stated in the negotiated contract will be subject to further legal action.
WAN Firewall Infrastructure (Existing):
One of our key security vulnerabilities lies in the way our offices communicate across the wide area network. Twelve years ago, this network was considered cutting edge and served a great purpose in carrying business communication between the offices. Today, it is a limitation to our continued revenue growth, tied directly to the security of our data. This must change if we are to continue to grow our revenue in a secure environment while maintaining state-of-the-art electronic supply chain management with our vendors and partners.
A diagram containing the current wide area network configuration is shown below.
As indicated in the above diagram, each site has its own firewall connected to a local ISP circuit and ISP router. The connectivity from each site to the main Chicago datacenter is via an encrypted tunnel. The firewall at each site is a PC-based installation of the 'Raptor' firewall (a product later acquired by Symantec). The PCs have three network adapters: one internal, one external and one 'DMZ'. Every time a virus outbreak occurs in an office, the firewall crashes and Internet access goes down. Symantec has pushed the company to upgrade to a hardware-based firewall 'appliance', but on its own that upgrade would not meet the requirements of our fast-paced electronic commerce business on the Internet.
The proposed new infrastructure will eliminate the individual firewalls, ISP circuit connections and tunnels. The new solution will incorporate a centralized private WAN using newer MPLS technology from one of the major telecommunications providers, such as Sprint, MCI, SBC or Verizon. This change to the WAN is central to the successful implementation of a new security model within WTHI. The need for the WAN upgrade is also based on the expanded bandwidth requirements created by the additional technology solutions introduced in this report (digital video and perimeter access control traffic), to ensure a more secure and rapid transfer of data between sites.
A diagram of the proposed WAN solution is shown here:
The use of a private, managed VPN architecture such as an MPLS WAN offers larger bandwidth and a better protected solution without the overhead of decentralized firewall management and unsecured individual ISP circuits. Note that an MPLS VPN separates our traffic from other customers' traffic logically within the carrier's network; it does not encrypt it. Traffic that must remain confidential even from the carrier, such as the e-commerce database replication, should still be encrypted end to end across the MPLS cloud. The proposed WAN upgrade is an essential core component of the Corporate Security Plan. The upgrade will require higher bandwidth on the local office WAN circuits in order to allow the network to carry the additional traffic generated by the added video and badge access solutions, as well as the replication of antivirus updates.
The data traversing the new WAN must also co-exist with regular replication of the e-commerce database between the Chicago and Dallas sites. This replication must be completed regularly to provide a failover solution for business continuity, should a disaster strike the Chicago region.
This upgrade will also pave the way for a major e-mail migration from Microsoft Exchange 5.5 to Microsoft Exchange 2003. This migration is needed in the near future to tighten the security of e-mail data by centralizing control of the e-mail server in the Chicago Data Center.
The contract and requirements for this upgrade are as follows (cost information follows):
1. Negotiated contract with a major telecom provider such as AT&T, SBC, Sprint or Verizon to provide MPLS VPN service at the corporate level to support all four sites.
2. Purchase of new circuits through this same provider. The recommendation is a primary 10 Mbps partial DS3 with 4 bundled T1s as backup circuits for Chicago and Dallas, and a primary bundled 4-T1 (6 Mbps) circuit with dual ISDN 128 kbps backup circuits for Los Angeles and Washington, DC.
Note: partial DS3s should have a 'burstable' option included in the contract, allowing traffic to exceed the committed rate temporarily. The Network Operations Center will monitor bandwidth utilization following the implementation of all new services; if utilization regularly reaches the burst capacity, an increase in the committed bandwidth should be considered. If it is determined that the largest partial DS3 option cannot provide sufficient bandwidth, an upgrade to a full DS3 (full T3) should be considered.
3. Purchase of Cisco 2800 series routers to support the configuration required by the circuits at each of these sites.
4. Network Engineering will need to create new routes at each core switch to match the new MPLS network routes.
5. SLA requirements: Because WTHI runs its e-commerce enterprise on a 24/7 basis (though shipping and receiving are handled only during regular business hours), system downtime would have a negative impact on revenue channels. Accordingly, the SLA for the new service should be negotiated as follows:
a) 20-minute technical support escalation rule (each 20 minutes of downtime requires escalation to the next support tier).
b) For outages greater than 1 hour at either primary site (Chicago or Dallas), full compensation of the monthly circuit charges, pro-rated based on the duration of the primary circuit outage, plus full payment of the monthly charge on the 4 T1 backup circuits.
c) For outages greater than 1 hour at either secondary site, full payment for ISDN charges incurred on the backup circuits for the entire duration of the outage.
d) Legal recourse (right to pursue legal action) for any data loss or lost revenue due to outages lasting longer than 3 hours. (Note: this would not pertain to tape backup data, as all tape backups are done locally.)
The importance of a WAN architecture upgrade is highlighted in the following drawing, which displays the
business traffic as it is used by the new WAN.
Cost of WAN Solution:
Solution: WAN - MPLS service and broadband circuits

                              telcoIQ                                             usa access
MPLS service                  $400.00 per month per site;                         not available
                                $1,600.00 per month for all 4 sites
Total cost per month          $1,600.00                                           n/a

Circuits: partial DS3 circuits and T1s

                              telcoIQ                                             usa access
Cost info                     $1,250.00 per month (6 Mb) 4 bundled T1s;
                                DS3 full $1,500.00 per month
Total cost per month          $2,500.00                                           $4,500.00 - $6,000.00

Total telecom data circuit charge for all sites, per month:    $8,500.00
Total WAN investment for all sites, per month:                 $10,100.00

Cisco 3725 multiservice WAN routers: $6,500.00 x 5 (two are needed in Chicago) = $32,500.00
Total WAN router purchase: $32,500.00
Central Chicago Internet Gateway
With the upgraded WAN, the individual firewalls at each site are replaced with MPLS routers and Intrusion Detection System taps. These passive taps copy the site's traffic to an IDS server running sensor software that analyzes it for potential attacks and sends alerts to the IT (security) staff. The Internet access model changes from individual site access to centralized access through the Chicago gateway. This gateway consists of a load-balanced, high-throughput firewall solution that controls each site's Internet access traffic, the DMZ traffic for supply chain management, and external e-mail traffic. Traditionally, traffic from each site traversed the public Internet across a VPN tunnel; the new model uses a private MPLS 'cloud' to move all traffic to and from Chicago.
The new Internet Gateway diagram is shown below:
Selection of Vendors Switches, Routers, Firewalls, IDS:
1. Switches and Routers
The company’s corporate IT Standard is “Cisco” Systems. Because of the current 5 year blanket support
contract and track record with Cisco (Almost no hardware failure in 5 years), IT feels strongly about
continuing the relationship with Cisco systems as our Router and Switch IT Vendor.
2. Firewalls
Due to the high level of traffic that will cross the firewall infrastructure, the former firewall technology, consisting of Raptor software installed on a PC with multiple network interface cards, is no longer sufficient. The Raptor software is no longer supported and our company's support contract has expired. A new firewall solution is needed: a full-featured firewall appliance capable of handling high volumes of traffic is required to support the new centralized firewall and Internet gateway solution.
Cost Information for Firewalls and Routers to support the Internet Gateway :
Solution: Firewall

Vendor info (source: securehq.com)   Nokia IP 560 with Check Point FW-1    SonicWall Pro 5060f
Cost info                            $16,000.00                            $10,371.00
Total cost - firewalls               $16,000.00                            $10,371.00
3. IDS (Intrusion Detection System)
According to an article by Cavusoglu, Mishra and Raghunathan (2005), “In the IT security context, preventative controls such as firewalls, aim to develop a shield around IT systems to secure them from intrusions. Detective controls such as IDSs try to detect intrusions that have already occurred. Because complete prevention of intrusions is unlikely, detective controls have become an important element in a firm's overall security architecture.” [3]
WTHI has never implemented any means of detecting intrusion into its information systems. This means that an intrusion could go unnoticed for a long time, and the potential for lost revenue and data is high. To mitigate further damage from a possible intrusion, a detection system is needed for better monitoring of the corporate networks and information assets.
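To make concrete what the IDS server does with the traffic it receives from the taps, the following added example (not from the report and not the Dragon or IDP products' own logic) runs two simple detection rules over a constructed connection log: a source that probes many services within a minute is reported as a port scan, and a source that hits the same service repeatedly is reported as a possible brute-force attempt. The log format, addresses and thresholds are assumptions made for the example; a commercial sensor applies a much larger signature set and its own record format.

```python
"""Added example: a minimal network IDS sensor in the role the report gives
the tap-connected IDS server. It reads connection records (constructed here,
in an assumed format), applies two detection rules over a sliding window and
raises one alert per source and target for the security staff."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PORT_SCAN_THRESHOLD = 8        # distinct services probed by one source...
BRUTE_FORCE_THRESHOLD = 5      # ...or repeated connections to one service...
WINDOW = timedelta(seconds=60)  # ...inside this window (all assumed values)

# Constructed sample: benign web traffic, a port scan, an SSH hammering and a
# slow probe that stays under the threshold because the window expires.
SAMPLE_LOG = """\
2007-03-13T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=80
2007-03-13T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=21
2007-03-13T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=22
2007-03-13T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=23
2007-03-13T10:00:03 src=203.0.113.9 dst=192.0.2.20 dport=22
2007-03-13T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=25
2007-03-13T10:00:05 src=203.0.113.9 dst=192.0.2.20 dport=22
2007-03-13T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=80
2007-03-13T10:00:06 src=203.0.113.5 dst=192.0.2.10 dport=110
2007-03-13T10:00:07 src=203.0.113.9 dst=192.0.2.20 dport=22
2007-03-13T10:00:07 src=203.0.113.5 dst=192.0.2.10 dport=143
2007-03-13T10:00:08 src=203.0.113.5 dst=192.0.2.10 dport=443
2007-03-13T10:00:09 src=203.0.113.9 dst=192.0.2.20 dport=22
2007-03-13T10:00:10 src=198.51.100.7 dst=192.0.2.10 dport=80
2007-03-13T10:00:11 src=203.0.113.9 dst=192.0.2.20 dport=22
2007-03-13T10:00:12 src=203.0.113.9 dst=192.0.2.20 dport=22
2007-03-13T10:00:20 src=203.0.113.77 dst=192.0.2.10 dport=21
2007-03-13T10:02:20 src=203.0.113.77 dst=192.0.2.10 dport=22
2007-03-13T10:04:20 src=203.0.113.77 dst=192.0.2.10 dport=23
2007-03-13T10:05:00 src=198.51.100.7 dst=192.0.2.10 dport=80
"""


def parse_record(line: str) -> dict:
    """'2007-03-13T10:00:01 src=A dst=B dport=22' -> dict with a datetime."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    rec["dport"] = int(rec["dport"])
    return rec


class Sensor:
    def __init__(self):
        self.by_src = defaultdict(deque)   # src -> recent (ts, dst, dport)
        self.alerts = []
        self._raised = set()               # one alert per (kind, src, target)

    def _alert(self, ts, kind, src, target):
        key = (kind, src, target)
        if key not in self._raised:
            self._raised.add(key)
            self.alerts.append({"ts": ts, "kind": kind, "src": src, "target": target})

    def observe(self, rec: dict) -> None:
        """Feed one connection record; evaluate both rules for its source."""
        src = rec["src"]
        q = self.by_src[src]
        q.append((rec["ts"], rec["dst"], rec["dport"]))
        while rec["ts"] - q[0][0] > WINDOW:          # expire old entries
            q.popleft()
        services = {(dst, dport) for _, dst, dport in q}
        if len(services) >= PORT_SCAN_THRESHOLD:
            self._alert(rec["ts"], "port_scan", src, rec["dst"])
        hits = sum(1 for _, dst, dport in q if (dst, dport) == (rec["dst"], rec["dport"]))
        if hits >= BRUTE_FORCE_THRESHOLD:
            self._alert(rec["ts"], "brute_force", src, f"{rec['dst']}:{rec['dport']}")


def analyze(lines) -> list:
    """Run the sensor over log lines and return the alerts in detection order."""
    sensor = Sensor()
    for line in lines:
        if line.strip():
            sensor.observe(parse_record(line))
    return sensor.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} ALERT {alert['kind']} from {alert['src']} -> {alert['target']}")
```

The two rules are deliberately simple; what matters for the proposed deployment is that each alert carries enough context (time, source, target, rule) for the security staff to act on it, and that a source is reported once per incident rather than once per packet, or the alert queue becomes noise that nobody reads.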
[3] Cavusoglu, H., Mishra, B., & Raghunathan, S. (2005). The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).

Cost Information for IDS:
Solution: Intrusion Detection

Vendor info        Enterasys Dragon Sensor                         Juniper IDP 200 Security Appliance
Cost info          $15,000.00 x 5 = $75,000.00                     $16,000.00 x 5 = $80,000.00
                   Ethernet taps ($560.00 ea) x 6 = $3,240.00      Ethernet taps ($560.00 ea) x 6 = $3,240.00
Total cost - IDS   $78,240.00                                      $83,240.00
Service Level Agreement:
For the intrusion detection system, a negotiated 24/7 technical support contract will cover support of the
software application running on the IDS servers. A 24 hour hardware replacement should be included in
this contract. As IDS is a critical component of protecting the e-commerce enterprise, downtime could
indirectly impact revenue in the form of an undetected intrusion resulting in a compromise of protected
data.
VPN/Remote Access
The current Remote Access Solution in place is a Microsoft VPN client based solution.
Examination of the existing authentication system has revealed a significant security weakness that will
allow a hacker to guess a username and password to gain access to corporate resources.
A stronger solution is required to ensure that VPN client connections are limited to authorized
personnel only. The diagram below shows the current VPN remote access model.
Note: One positive security preventative measure was the retirement of RAS dialup 2 years ago.
A VPN session independent of a direct dialup modem is required to access the system.
Current Remote Access using Microsoft PPTP Client
The current model for remote access is the Microsoft VPN Client using PPTP encrypted authentication.
While this method of access provides a secure channel, the username and password information itself is
not well protected. Should a hacker identify the proper IP address of the PPTP server, all he/she needs is a
valid username and a guessed password. A better solution is required to prevent a potential security breach
via the VPN Client, and one is available in the Cisco VPN client. This solution will allow WTHI to
leverage a combined access solution that protects password security through use of a ‘SecurID’ token. The
token is assigned to each VPN user account, and displays a unique number that changes every 30 seconds.
To authenticate on the VPN using the Cisco Client, the user enters a username and password, and appends
to the password field the additional number shown on the ‘SecurID’ token. The randomization of
this number makes it almost impossible for a thief to guess the password.
The diagram shown below illustrates the current model of remote client VPN authentication using the
traditional Microsoft VPN system. The second diagram shows a proposed implementation of the Cisco and
SecurID solution.
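As an added illustration (not material from the report, and not RSA's SecurID algorithm, which is proprietary), the Python below shows the server side of the two-factor check the proposal describes: the user types the static password followed by the 6-digit token value in one field, and the server verifies both factors. The token value is generated here with the open HOTP/TOTP standards (RFC 4226 and RFC 6238) from a constructed seed; the user record, salt, password and timestamps are also constructed. It also rejects a token value that has already been accepted, so a code captured during its 30-second life cannot be replayed.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a real deployment provisions a distinct secret seed
# per token and stores the static password with a slow KDF, not a bare hash.
STEP_SECONDS = 30          # the token shows a new number every 30 seconds
DIGITS = 6
DEMO_SEED = b"wthi-demo-seed-not-for-production"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, at_time // step)


def _pw_hash(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user record. last_counter remembers the newest accepted code so
# the same token value cannot be replayed inside its 30-second life.
USERS = {
    "jdoe": {
        "salt": b"demo-salt",
        "pw_hash": _pw_hash(b"demo-salt", "CorrectHorse!9"),
        "seed": DEMO_SEED,
        "last_counter": -1,
    }
}


def verify_login(username: str, password_field: str, now: int, window: int = 1) -> bool:
    """Server-side check of one field holding <static password><6-digit code>,
    the way the proposal describes the SecurID prompt. Both factors must pass."""
    user = USERS.get(username)
    if user is None or len(password_field) <= DIGITS:
        return False
    static, code = password_field[:-DIGITS], password_field[-DIGITS:]
    pw_ok = hmac.compare_digest(_pw_hash(user["salt"], static), user["pw_hash"])

    # Accept a code from the current step or one step either side (clock drift),
    # but never one at or before the counter already used.
    counter = now // STEP_SECONDS
    matched = None
    for c in range(counter - window, counter + window + 1):
        if c > user["last_counter"] and hmac.compare_digest(hotp(user["seed"], c), code):
            matched = c
    if not (pw_ok and matched is not None):
        return False
    user["last_counter"] = matched
    return True
```

The drift window and the replay counter are the two details that matter operationally: without the window, a token whose clock has slipped a few seconds locks its owner out; without the counter, a code seen on the wire is good for the rest of its 30-second step.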
Proposed Remote Access using Cisco VPN Client:
Service Level Agreement:
For this implementation two technical support contracts are needed. The first will provide the Cisco VPN
solution and a second will provide support for the ‘SecurID’ token based solution. The need for Remote
Access VPN is secondary to protection of the physical enterprise and data center. Should a problem arise
with the VPN, traveling employees have a backup e-mail solution in Outlook Web Access. This means that
downtime of the VPN will not directly or indirectly impact revenue. IT staff at the Chicago data center
works in a rotating 24 hour shift, so there is always a group of technicians on site, meaning a VPN access
outage would not prevent the IT staff from resolving an issue remotely. Therefore, a downtime of the VPN
for up to 8 hours is acceptable. WTHI holds a blanket support contract with Cisco to cover all existing
routers and switches. The new VPN router will be added to the existing support contract. A
negotiation with the SecurID token provider (probably RSA/EMC) will incorporate a replacement policy
on hardware of 24 hours.
Cost Information: VPN Software, Access Token System and VPN Router

Solution                     Cisco VPN
Vendor info                  Cisco
Client Access License        40.00 (500 users)                              $2,000.00
Cisco 7204 VXR VPN Router                                                   $6,000.00
Total Cost - Cisco VPN                                                      $8,000.00

Solution                     SecurID Fobs
Vendor info                  RSA                                            CryptoCard
Cost info                    $45,000.00                                     $68,000.00
                             Authentication Manager Enterprise License:     Windows Starter Kit $500.00
                             $50,000.00
Total Cost - Authentication Tokens   $95,000.00                             $72,000.00
Policy Changes with regard to resources and users:
The next several policy changes do not involve any purchase cost. However, they do require man-hour cost
to implement, using the existing IT Equipment in WTHI’s Active Directory Domain Architecture. The first
drawing shows the high level view of WTHI’s Active Directory Groups running on Windows 2000
(Windows 2003 is not an upgrade consideration for this project).
The access of these groups to corporate resources on the domain is limited to the needs of their group. In
accordance with Microsoft’s Active Directory Best Practices 4
Windows User Account Logon Password Policy
Several excellent resources in the field of ‘password protection’ have been cited as valuable guidance on
protecting passwords against ‘cracking’ by hackers attempting to log on to protected resources. The
current system in place allows users to choose and keep their passwords indefinitely. A new system is
needed. Evidence of the weakness in WTHI’s current approach to password security is highlighted by
Munro (2006): “A good password is long and complex - and hard to remember; weak ones are next to
useless. They are also expensive to manage. One of the most requested helpdesk services is resetting a
password.
We know that the strongest passwords contain non-alphanumeric characters or symbols, are sufficiently
long, and do not contain dictionary words. But some non-alphanumerics are a whole lot better than
others.”5

4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx
Print Server Limitations: For example, the Warehouse group is able to print orders for their warehouse to
any laser printer inside the warehouse, but not to the color printers in the accounting department. The IT
department can print network diagrams to its color printers, but not to the Black and White laser printers in
the Warehouse. The shipping department can print FedEx or UPS reports to printers in its department but
not to those in IT.
Restricting access to printers may seem like a trivial item in the security plan, but it can actually prevent
critical errors. For example, if an HR Manager were printing a list of terminations and he/she accidentally
selected the printer of a different department (in which several employees who were to be terminated
worked); this could create a big potential problem. Locking down printers to their specific groups helps to
prevent such situations from happening. Similarly, printing of Salary information to the Shipping and
Receiving department for an employee who was to receive his annual review, might end up in the hands of
a co-worker, and create confidentiality issues.
File Server Limitations: A restriction on file shares is needed to limit access, by group, to the data specific
to each department. For example: the IT group can access shares on its own folders on the File server, but
not order processing or shipping documents. Accounting and Finance can access its tax document files and
shares on the File server, but not HR’s folders and documents.
5. Munro, K. (2006). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).
Applications: An Accounting employee can access the Solomon financial server, but this is not accessible
to IT. Troubleshooting an issue on such an application server would require the presence of an accounting
employee.
Network Security at the Router Level (ACL Controls for VLANS)
Often there are scenarios that require the Network Engineering team to lend a hand in securing data
channels. An ACL (access control list) on a network router or L3 switch can limit unnecessary traffic and
thus reduce bandwidth utilization and the possibility of virus propagation. Cisco (2006) technical
documentation on ACLs advises “In an effort to protect routers from various risks both accidental and
malicious infrastructure protection ACLs should be deployed at network ingress points.”6
For example, an ACL blocking TCP port 443 prevents the SQL slammer worm from moving into a subnet
on a network by preventing any traffic using TCP port 443 from passing through the router. Packets that
encounter this ACL are dropped.
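As an added illustration (not from the report or from Cisco's documentation) of how an ingress ACL like the one described above is evaluated, the Python below models Cisco-style first-match semantics with the implicit deny at the end of every list, and includes the two entry types an infrastructure protection ACL is built from: a permit for the operations staff to reach device management addresses, followed by a deny for everyone else. All networks, rule entries and packets are constructed; the worm-blocking entry uses UDP port 1434, the MS-SQL resolution service port on which SQL Slammer actually propagated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # destination port, None = any
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: list[Rule], pkt: Packet):
    """Cisco-style evaluation: the first matching entry decides; a packet that
    matches nothing hits the implicit deny at the end. Returns (action, index),
    with index None for the implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed ingress ACL for a warehouse VLAN. Addresses are invented:
# 10.255.0.0/24 = router/switch management addresses (the "infrastructure" an
# iACL protects), 10.10.9.0/24 = network operations staff, 10.10.5.0/24 =
# database servers, 10.20.0.0/16 = warehouse clients.
WAREHOUSE_INGRESS = [
    Rule("permit", "ip",  "10.10.9.0/24", "10.255.0.0/24", note="NOC may reach device management addresses"),
    Rule("deny",   "ip",  ANY,            "10.255.0.0/24", note="nobody else may talk to the routers themselves"),
    Rule("deny",   "udp", ANY,            ANY,            1434, note="MS-SQL resolution service, the port SQL Slammer used"),
    Rule("permit", "tcp", "10.20.0.0/16", "10.10.5.0/24", 1521, note="warehouse applications to the Oracle listener"),
    Rule("permit", "tcp", "10.20.0.0/16", "10.10.0.0/16", 445,  note="file and print shares"),
]
```

Ordering is the whole point: the deny entries sit above the permits so that a packet aimed at a router address or the worm port never reaches a broader permit, and anything not explicitly permitted (remote desktop from the warehouse to an HR server, for instance) falls through to the implicit deny.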
The following diagram shows the current core VLAN routed/switched architecture for the Chicago Office
of WTHI. All other offices have a similar core switching architecture.
6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
Note: a WAN upgrade is recommended for strong consideration elsewhere in this report.
The diagram below shows the resulting change to the local switching architecture.
Proposed router site implementation based on the new WAN framework
The new framework will continue with the same core configuration; however, the new WAN circuits will
require router upgrades. The two DS3 circuits in Chicago and Dallas will require a DSU/CSU unit to bring
the DS3 circuit into the Data Center area.
Internet Browsing Limitations
The current Information Security policies do not limit Internet browsing. Employees at all four
offices are free to access any website they choose for purposes of browsing the World Wide Web. In the last
2 weeks, several PCs have been infected with viruses. This is becoming more and more of an issue in all 4
offices. Bandwidth is also at a premium. One user was identified streaming NFL highlight videos during
work hours. This idea caught on and soon several employees were streaming video from CNN, NFL.com
and “YouTube” to their desktops. According to one IT desktop support analyst, some employees have
installed “iTunes” on their PCs and are downloading and playing music at the office. E-mail performance
has suffered and many users have called the help desk to report “poor network performance”. Although the
consumption of bandwidth may have been an issue, a virus-infected PC may also be slowing network
performance.
Proposed Solution:
Deployment of a web-filtering solution is intended to mitigate potential violations of the company’s ethics
policy regarding proper use of IT resources and appropriate web-browsing.
The deployment of the actual web-filtering device is depicted in the Chicago Internet Gateway diagram
shown previously in this report.
The Legal department has agreed to revise its ethics policy in coordination with the IT department. This
revised plan will determine the criteria used to filter websites. Some suggested criteria include:
Pornography, Gambling, Cookie Tracking/Info gathering sites, Known phishing sites, and more will be
added to this list following a full review of the new plan.
A sample screen that a user would encounter when attempting to access a banned/filtered site would appear
similar to the one shown here:
Cost Comparison Information – Web Filter:

Solution                  Web Browsing Filter
Vendor info               Barracuda Web Filter - model 410                                iPrism M1200 Web Filter Appliance
Cost info                 $4,000.00 (1), add $2,000.00 for 1 year support and updates     1,000 users, 1 year, $10,010 direct
Total Cost - Web Filter   $6,000.00                                                       $10,010.00
AntiVirus Software and Microsoft Updates
The company’s four sites have never been given a mandate to standardize on a specific Anti-Virus solution.
Each site’s IT department has purchased individual copies of McAfee and Norton antivirus, and is running
a mix of both products on the desktops, with purchases occurring on an ‘as-needed basis’. Although the IT
staff has done its best to configure each desktop to automatically update virus definitions, this does not
always work. With the WAN being used to backup the corporate database from Chicago to Dallas, there are
times when the firewalls get ‘bogged down’ with replication traffic in those sites, and the result is the virus
definition downloads often fail due to network congestion. The same problem exists for Microsoft Security
updates. Desktop computers need to be patched regularly to meet Microsoft security update requirements.
To reduce the amount of WAN traffic for Microsoft updates, the IT group will set up a domain level policy
to force each desktop computer to download updates during non-business hours.
A Centralized solution for virus updates will allow WTHI to control Software and Security Patching from
its Chicago Datacenter. This is part of the expanded capability the increased circuit bandwidth and the
MPLS Private Network will provide. A diagram of the proposed solution is shown below:
Cost Comparison – Enterprise Level Antivirus:

Solution                   Corporate Antivirus
Vendor info                Symantec (Norton) Enterprise Edition                              McAfee "Active Virus Defense"
Cost info                  1000 licenses: $60,800.00                                         1000 licenses: $55,090.00
Antivirus Server Hardware  (3) Dell PowerEdge 1950 and one Dell PowerEdge 2650: $10,000.00   (3) Dell PowerEdge 1950 and one Dell PowerEdge 2650: $10,000.00
Total cost - Antivirus     $70,800.00                                                        $65,090.00
E-mail Spam Filtering:
Spam filtering is a recommended high-priority initiative for WTHI. Spam can be more damaging than
simply wasting e-mail bandwidth and inbox space. According to a recent article in Barron’s (Carey, 2007),
“APWG (www.antiphishing.org) says that in the first month of 2007, there were 29,930 reports of
attempts to steal passwords or other important personal information from corporate customers, up more
than 25% from December and up 5% above the previous record, set in June of last year.”7
In the course of this analysis, a decision was made to keep the existing Microsoft Exchange 5.5 E-mail
server architecture in place. This decision is centered on cost reduction to create more budgetary focus on
the critical need to upgrade both the WAN and Security Infrastructure. The upgraded WAN will eventually
allow for the migration to a centralized Exchange 2003 and later Exchange 2007 environment, where one
redundant e-mail server is located in the Chicago datacenter. Spam e-mail can quickly kill productivity for
employees in all departments where time is better spent conducting company business rather than deleting
unsolicited e-mail. This can also lead to a virus attack if the spam message contains a hidden executable or
a compressed file containing the executable.

7. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).
With the existing Exchange 5.5 server architecture in place, the deployment of a short-term anti-spam solution is
recommended at each site. To keep costs down, an SMB-sized anti-spam appliance is recommended.
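As an added example (not from the report or from either appliance vendor), the Python below performs the kind of attachment inspection an anti-spam gateway does for the case described above: an executable attached directly, or hidden inside a compressed file. The messages, addresses, file names and attachment contents are all constructed inline; the extension list is a short illustrative one, not a complete policy.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as directly executable on a Windows desktop (constructed,
# non-exhaustive list for the example).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name, '' if there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def risky_attachments(raw: bytes) -> list[str]:
    """Return one finding per attachment that is an executable, or a zip
    archive with an executable inside. An empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in EXEC_EXTENSIONS:
            findings.append(f"{name}: executable attachment")
        elif _ext(name) == ".zip" or payload.startswith(ZIP_MAGIC):
            # Look inside the archive rather than trusting the outer file name.
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in EXEC_EXTENSIONS:
                            findings.append(f"{name}: archive contains executable {member}")
            except zipfile.BadZipFile:
                findings.append(f"{name}: named as a zip but not a valid archive")
    return findings


def build_sample(kind: str) -> bytes:
    """Constructed test messages: 'clean' (zip holding a PDF), 'zip_exe'
    (zip hiding an .exe behind a double extension), or 'exe' (bare executable)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@wthi.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    if kind == "exe":
        msg.add_attachment(b"MZ-constructed-bytes", maintype="application",
                           subtype="octet-stream", filename="invoice_viewer.exe")
    else:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            member = "invoice.pdf.exe" if kind == "zip_exe" else "invoice.pdf"
            zf.writestr(member, b"constructed file body")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="invoice.zip")
    return bytes(msg)
```

Checking the zip signature as well as the declared name matters because a sender controls both the Content-Type and the file name; only the bytes themselves are reliable.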
Cost Comparison Information – Spam Filter:

Solution                Anti-Spam Filter
Vendor info             Barracuda Spam Firewall - model 400                                        Mail Foundry 2100
Cost info               $4,000.00 (4) = $16,000.00 plus $8,000.00 for 1 year support and updates   $2,000.00 (4) = $8,000.00 plus 2 years extended support
Total Cost - Antispam   $24,000.00                                                                 $13,021.60

The diagram below outlines the connectivity of the spam filter at each location.
Oracle Database Security
Within this report, many security solutions are recommended to ultimately protect the data of the
company’s databases. These solutions offer the most protection at each perimeter of the Information
Systems Infrastructure. A critical consideration is the application level security of the Database
Management System Software. WTHI uses Oracle as its DBMS provider. Oracle has a long-standing
reputation for leading the industry in e-commerce database management products. The use of Oracle’s
security features will secure the database at its core against attacks and data theft. Oracle adds an
additional layer to database security through its own technology resource center. As indicated by Oracle
Corporation (2007) “Fixes for security vulnerabilities are released in quarterly Critical Patch Updates
(CPU), on dates announced a year in advance and published on the Oracle Technology Network. The
patches address significant security vulnerabilities and include other fixes that are prerequisites for the
security fixes included in the CPU. The major products patched are Oracle Database Server, Oracle
Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, Oracle E-Business Suite,
PeopleSoft Enterprise Tools, PeopleSoft CRM, JD Edwards Enterprise One, and JD Edwards One World
XE.”8
Oracle (http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428)
provides a comprehensive list of potential database security issues and resolutions. This list includes items
such as “Unauthorized users, unauthorized access to data, eavesdropping, corruption, and denial of
service.”9
With the many solutions offered to mitigate the risk of data loss, WTHI will follow the Oracle
recommended solutions. A critical component of this risk management solution will be a new WTHI
Information Technology policy, in cooperation with the Database Administration group and Network
Operations staff, to follow published Oracle security recommendations and patch all reported
vulnerabilities as soon as possible. At present, adherence to the existing Oracle recommendations
will not require any additional purchase by WTHI. Our current support contract with Oracle is 24/7
technical support. All database administrators at WTHI are Oracle Certified DBAs, with at least 5 years of
database administration experience. Database backups are performed nightly, and a full database
replication is done daily with the Dallas datacenter.

8. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
9. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
Business Continuity Planning
WTHI has a solid plan for continuation of business in the event of a major technical outage at the main
Chicago data center. The plan for business continuity consists of a complete operations failover from
Chicago to Dallas.
To continuously prepare for such an event, WTHI regularly replicates its database with the Dallas
office. Redundant application servers operate in the Dallas location and are ready to pick up in less than 20
minutes in the event such service is required. Local personnel in Dallas are trained to take over main
operations from Chicago. Key management personnel have an emergency travel budget to temporarily
relocate from Chicago to Dallas until the Chicago site is ready to go back on line. This plan is sufficient to
continue operations, and there is no requirement to upgrade or change the plan at this time. With
continuous innovation in the Information Technology and Security fields, this plan should be revisited
annually to identify new opportunities for improvement.
Disaster Recovery
Nightly tape backups are performed at all sites. All major systems, including e-mail, voicemail,
and file servers, are backed up. Database transaction logs are backed up, and can be ‘rolled back’ or ‘rolled
forward’ to restore data that may have been damaged during a server outage. All servers are configured
with a RAID capability, and spare hardware replacements are kept ready and available at all sites should the
need arise to rebuild a RAID system. An offsite storage vendor keeps 2 weeks of backup tapes at a climate-
controlled facility, and these may be recalled at any time for any of the four offices as needed. At present,
this plan is sufficient to restore data operations, and there is no requirement to upgrade or change the
plan at this time. With continuous innovation in the Information Technology and Security fields, this plan
should be revisited annually to identify new opportunities for improvement.
Summary List of Recommendations:
1. Control Physical Access to Buildings, Offices, Warehouses and Data Centers; Implement a
Perimeter Security Access Control (Badge Reader) System
2. Migrate Camera System from Analog to Digital Network Controlled System with Online Storage.
3. Migrate WAN Circuit Connectivity from Internet Based to MPLS (Private VPN) Based.
4. Migrate Firewalls from Decentralized Raptor Solution to Centralized Internet Gateway.
5. Enforce Password Policy on all Domain Accounts:
a. Require password change every 90 days
b. Require at least 1 number, 1 special character, and 1 uppercase letter, minimum 8 characters.
6. Implement an Intrusion Detection system.
7. Enforce Desktop Policy via Active Directory Group Policy Object. Include Scheduled After Hours
Download Cycle for MS-Security Patches.
8. Limit Web Site Browsing with a Web Filter Appliance.
9. Migrate Remote Access VPN from Microsoft PPTP to Cisco Client VPN.
10. Implement Anti-Spam Email Filter Device on all Exchange E-mail Servers.
11. Follow Oracle Best Practices for Database Security as Published on Oracle’s Corporate Website.
12. Standardize Anti-virus software to Enterprise, server based version.
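An added example, not part of the report, expressing the password rules of recommendation 5 above as code, together with the dictionary-word check Munro (2006) argues for in the password policy section. The thresholds follow the list above; the word list, account names and dates are constructed, and a production check would load a full dictionary plus company-specific terms.

```python
import string
from datetime import date

# Recommendation 5: change every 90 days; at least one digit, one special
# character and one uppercase letter; minimum 8 characters.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
SPECIAL_CHARS = set(string.punctuation)

# Constructed mini word list for the dictionary check.
COMMON_WORDS = ("password", "welcome", "warehouse", "chicago", "summer")


def password_violations(password: str) -> list[str]:
    """Return every policy rule the candidate password breaks; [] means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """True once a password has been in use for MAX_AGE_DAYS or longer.
    Dates are ISO strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days >= MAX_AGE_DAYS


def audit_accounts(accounts: dict[str, str], today: str) -> list[str]:
    """Names of accounts whose password age exceeds policy (constructed input:
    account name -> ISO date of last password change)."""
    return sorted(name for name, changed in accounts.items()
                  if password_expired(changed, today))
```

Returning the full list of violations rather than a single pass/fail is what lets the helpdesk tell a user exactly which rule their new password missed, which in turn cuts down the reset calls Munro describes.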
Conclusion
The Web Tech Home Improvement Corporate Security Plan as proposed in this report is vital to
the company’s ability to maintain its competitive advantage. The center of this plan is the upgrade of WAN
technology from the existing decentralized ISP solution to a centralized MPLS Private WAN with
increased bandwidth. The physical access control and video surveillance solutions will utilize more
bandwidth in data transfer. The Migration and Upgrade of the Firewall solution using a centralized Internet
Gateway will streamline the administration of the Firewall at the Chicago Data Center, and take some of
the strain off of local IT personnel by shifting this responsibility to Headquarters. Creating a policy for the
existing Windows 2000 Active Directory environment will tighten desktop security and enforce
restrictions on resources so that the appropriate groups and departments will access only the resources
required to conduct daily business. This will also allow IT administrators to enforce a new global password
policy for the number and type of characters and a fixed password renewal requirement. The server-based
anti-virus model will decrease the internet traffic at each office by centralizing virus definition updates on a
master server and pushing these updates to servers in each office. This in turn will reduce WAN traffic by
allowing local client pc’s in each office to update using LAN bandwidth rather than WAN bandwidth. The
addition of a web-filter appliance will control appropriate Internet website browsing and reduce bandwidth
utilization across the WAN by blocking streaming media sites such as “Napster”, “iTunes”, “myspace”, and
“youtube”. The migration from Microsoft VPN to a combined Cisco VPN/SecurID token solution will
increase security by randomizing the second part of the user password in the Authentication process. It will
also strengthen the reliability of the VPN hardware solution by moving away from a server based solution
to a more robust Cisco router solution. This plan should be re-evaluated on a regular basis to consider new
technology developments and innovations in the field of security that might better protect the infrastructure
and help to maintain the company’s competitive advantage. A line item budget consideration is strongly
suggested to continue the needed updates to these technologies needed for maintaining security of the
company’s physical and informational assets.
References
1. Messmer, E. (2007, March). Net security experts share tips. Network World, 24(12), 1,10. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1247736921).
2. Stennett, C., A. Wren. (2006, November). TECHNOLOGY AND SAFETY: How Network Video Can Help Increase Security at Public Housing Authorities. Journal of Housing and Community Development, 63(6), 28-30,32. Retrieved March 12, 2007, from ABI/INFORM Global database. (Document ID: 1183865131).
3. Cavusoglu, H., B. Mishra and S. Raghunathan. (2005). The Value of Intrusion Detection Systems in Information Technology Security Architecture. Information Systems Research, 16(1), 28-46. Retrieved April 6, 2007, from ABI/INFORM Global database. (Document ID: 836085061).
4. Microsoft Corporation (2007, April). Securing Windows 2000 Network Resources. Retrieved April 12, 2007 from http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/netres.mspx
5. Munro, K. (2006, October 4). How to crack (almost) any password in less than two minutes: [SURVEYS EDITION]. Financial Times, p. 6. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1140500361).
6. Cisco Corporation (2006). Protecting Your Core: Infrastructure Protection Access Control Lists. Retrieved April 12, 2007 from: http://www.cisco.com/warp/public/707/iacl.pdf
7. Morrissey, P. (1998, April). Demystifying Cisco access control lists. Network Computing, 9(7), 116. Retrieved April 7, 2007, from ABI/INFORM Global database. (Document ID: 28520861).
8. Keep your database safe from intrusions at all network levels. (2006, April). Exploring Oracle, 11(4), 6. Retrieved March 12, 2007, from ProQuest Computing database. (Document ID: 1025469841).
9. Carey, T. (2007, April). Phighting Phishes and Pharmers. Barron's, 87(14), 37. Retrieved April 5, 2007, from ABI/INFORM Global database. (Document ID: 1249851201).
10. Oracle Corporation (2007, April). Quarterly Patch Update: Quarterly Release of Security Updates. Retrieved April 12, 2007 from: http://www.oracle.com/security/critical-patch-update.html
11. Oracle Corporation (2007, April). Oracle Security Review 10g Release 1. Retrieved April 12, 2007 from: http://download-east.oracle.com/docs/cd/B14117_01/network.101/b10777/overview.htm#1006428
12. Microsoft Corporation (2007, April). Step-by-Step Guide to Understanding the Group Policy Feature Set. Retrieved April 12, 2007 from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/grpolwt.mspx
13. RSA Security (2005). RSA SecurID SID800 Hardware Authenticator. Retrieved from: http://www.rsa.com/products/securid/datasheets/SID800_DS_0205.pdf
Appendix A: Cost Information

Budget Requirement - Capital Asset Equipment Investment: $442,079.00
Budget Requirement - Recurring Service Charges: $10,100.00 per month

Cost Information

Solution                  WAN - MPLS Service and broadband circuits
Vendor info               telcoIQ                                                         usa access
Cost info                 $400.00 per month per site - $1,600.00 per month for all 4 sites   not available
Total Cost per month:     $1,600.00 per month                                             n/a

Circuits                  DS3 - partial Circuits and T1's
Vendor info               telcoIQ                                                         usa access
Cost info                 $1,250.00 per month (6Mb) 4 bundled T1's                        DS3 full 1,500 per month
Total Cost per month:     $2,500.00                                                       4,500.00 - 6,000.00
Total Telecom Data Circuit Charge for all sites per month:   $8,500.00

Cisco 3725 Multiservice WAN Routers   6500.00 x (5) (Two are needed in Chicago)   32,500.00
Total WAN investment for all sites, per month:   $10,100.00
Total WAN ROUTER Purchase:                       32,500.00

Solution                  Cisco VPN
Vendor info               Cisco
Client Access License     40.00 (500 users)                                               $2,000.00
Cisco 7204 VXR VPN Router                                                                 $6,000.00
Total Cost - Cisco VPN                                                                    $8,000.00

Solution                  Firewall
Vendor info               Nokia                                                           SonicWall Pro
Source: securehq.com      IP 560 with Checkpoint FW-1                                     SonicWall 5060f
Cost info                 $16,000.00                                                      $10,371.00
Total Cost - Firewalls    $16,000.00                                                      $10,371.00

Solution                  SecurID Fobs
Vendor info               RSA                                                             CryptoCard
Cost info                 $45,000.00                                                      $68,000.00
                          Authentication Manager Enterprise License: $50,000.00           Windows Starter Kit $500.00
Total Cost - Authentication Tokens   $95,000.00                                           $72,000.00

Solution                  Digital Video
Vendor info               Vicon Systems                                                   Alternative Security
Cost info                 4 DVRs @ $8,000.00 ea = $32,000.00                              (4) 9-camera complete systems w/cameras and DVR's @ $2,699.00 ea = $10,796.00
                          36 PTZ Cameras @ $463.85 ea = $16,698.60                        n/a (included above)
                          Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65   Central Console $1,352.65, joystick control unit: $200.00 = $1,552.65
Digital Video Archive     EMC Clariion Ax (500 Gb expandable archive) $6,000.00           EMC Clariion Ax (500 Gb expandable archive) $6,000.00
Total Cost - Video:       $56,251.00                                                      $18,348.65

Solution                  Perimeter Badge Access Control
Vendor info               Software House Ccure Badging System $1,000.00 (4) = $4,000.00   Software House Ccure Badging System $1,000.00 (4) = $4,000.00
Cost info                 Control Panels $450.00 (8) $3,600.00                            Control Panels $450.00 (8) $3,600.00
                          ACTAtek badge readers $790.00 (26) = $20,540.00                 ACTAtek badge readers $790.00 (26) = $20,540.00
                          ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00   ACTAtek Fingerprint and HID ProxI/II Combo badge and biometric readers $1,590.00 (8) = $12,720.00
                          Door Strikes - $175.00 (32) $5,600.00                           Door Strikes - $175.00 (32) $5,600.00
                          Door Relay units - $179.00 (32) $5,728.00                       Door Relay units - $179.00 (32) $5,728.00
Total Cost - Badge Control System   $52,188.00                                            $52,188.00

Solution                  Corporate Antivirus
Vendor info               Symantec (Norton) Enterprise Edition                            McAfee "Active Virus Defense"
Cost info                 1000 licenses: $60,800.00                                       1000 licenses: $55,090.00
Antivirus Server Hardware (3) Dell PowerEdge 1950 and one Dell PowerEdge 2650: $10,000.00   (3) Dell PowerEdge 1950 and one Dell PowerEdge 2650: $10,000.00
Total cost - Antivirus    $70,800.00                                                      $65,090.00

Solution                  Anti-Spam Filter
Vendor info               Barracuda Spam Firewall - model 400                             Mail Foundry 2100
Cost info                 $4,000.00 (4) = $16,000.00 plus $8,000.00 for 1 year support and updates   $2,000.00 (4) = $8,000.00 plus 2 years extended support
Total Cost - Antispam     $24,000.00                                                      $13,021.60

Solution                  Web Browsing Filter
Vendor info               Barracuda Web Filter - model 410                                iPrism M1200 Web Filter Appliance
Cost info                 $4,000.00 (1), add $2,000.00 for 1 year support and updates     1,000 users, 1 year, $10,010 direct
Total Cost - Web Filter   $6,000.00                                                       $10,010.00

Solution                  Intrusion Detection
Vendor info               Enterasys Dragon Sensor                                         Juniper IDP 200 Security Appliance
Cost info                 $15,000.00 x 5 = $75,000.00                                     $16,000.00 x 5 = $80,000.00
ethernet taps (560.00 ea) x 6 = $3,240.00 ethernet taps (560.00 ea) x 6 =
$3,240.00
total cost - IDS $ 78,240.00 $ 83,240.00
52