The Challenges of Implementing Enterprise Network Security

by Jeffrey D. Abish, Executive Vice President

The challenges of providing end-to-end security for a network infrastructure are many. Federal agencies have struggled to meet the mandates of Homeland Security Presidential Directive 12 (HSPD-12) and the Federal Information Security Management Act (FISMA). It is a delicate balancing act to manage the risk from both external and internal attackers while still supporting organizational objectives to share information and collaborate with stakeholders who may be located anywhere in the world.

Security Architecture and Network Zones
In order to reduce the risk of intrusions, your network design should have the following features:

  • Layering - placing firewalls from different vendors in series, so that a flaw or misconfiguration in one product does not by itself open a path through both
  • Segmentation - separating zones physically (separate interfaces and switches), not just logically with VLANs, so that a single compromised or misconfigured device cannot bridge zones
  • Firewall Hardening - default deny: every rule permits one required flow, and anything not explicitly allowed is dropped

A multi-zone architecture with firewalls between zones and intrusion detection (both network-based and host-based) in each zone is the most secure approach; budget realities determine how far the hardening goes. A three-zone design is common. The public-facing zone, or DMZ, holds the DNS and Web Servers, and users interact only with the Web front ends there. The middle zone holds the Application Servers that contain the business logic; only the Web Servers may open connections to them. The back-end zone holds the organization's critical data, the Database Servers and Data Warehouses, and accepts connections only from the Application Servers. Because the back-end zone is reachable only through the two zones in front of it, it is the most tightly restricted, which is what protects the organization's confidential information.
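The three-zone policy above, written out as an nftables ruleset for the firewall that sits between the zones. This is an added example and not code from the article or from ActioNet; the interface names (wan0, dmz0, app0, db0), the server addresses, and the application and database ports (8080 and 5432) are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original article). Assumed layout:
#   wan0 = Internet, dmz0 = public-facing zone (Web and DNS servers),
#   app0 = application zone, db0 = database zone.
# The firewall routes between these interfaces, so every zone-to-zone
# packet passes the forward hook below.

flush ruleset   # caution: removes every existing table on the host

table inet zones {
    # Assumed addresses of the hosts allowed to cross a tier boundary.
    set web_servers { type ipv4_addr; elements = { 10.1.0.10, 10.1.0.11 } }
    set app_servers { type ipv4_addr; elements = { 10.2.0.10, 10.2.0.11 } }

    chain forward {
        # Firewall hardening: default deny for everything not matched below.
        type filter hook forward priority 0; policy drop;

        # Replies to connections an explicit rule permitted; garbage dropped.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the public Web front ends and DNS.
        iifname "wan0" oifname "dmz0" tcp dport { 80, 443 } ct state new accept
        iifname "wan0" oifname "dmz0" udp dport 53 ct state new accept
        iifname "wan0" oifname "dmz0" tcp dport 53 ct state new accept

        # DMZ -> application zone: only the Web Servers, only to the
        # application port. Other DMZ hosts (e.g. a compromised DNS server)
        # get no path inward.
        iifname "dmz0" oifname "app0" ip saddr @web_servers \
            tcp dport 8080 ct state new accept

        # Application zone -> database zone: only the Application Servers,
        # only to the database port. No rule matches wan0 or dmz0 as the
        # source here, so the data tier is reachable only through the app tier.
        iifname "app0" oifname "db0" ip saddr @app_servers \
            tcp dport 5432 ct state new accept

        # Anything else (wan0 -> app0, dmz0 -> db0, db0 -> anywhere new, ...)
        # is logged for the IDS/SIEM and then falls to the drop policy.
        log prefix "zone-deny " counter drop
    }
}
```

Check the file with `nft -c -f zones.nft` before loading it (`-c` parses and validates without changing the live ruleset), then `nft -f zones.nft` and `nft list ruleset` to confirm what is active. Note that this only controls traffic between zones; host-based firewalls and HIDS on the servers themselves are still needed for traffic within a zone, and the "different vendors" layering rule from the list above means the outer firewall in front of wan0 would carry an equivalent policy on a different product.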

Managing Access to Enterprise Applications
Proactively addressing the security of the applications, databases, and other business assets essential to daily operations is expensive. Meeting that challenge requires new thinking: a model for security management that weaves the disparate elements protecting your agency's assets into a single, complete, and easily managed solution.

Developing a centralized identity and access management solution as the front-end to critical IT assets is an important starting point in security management. The advantages of this approach include:

  • A single user identity for application users
  • Secure automated password management to improve service and lower costs
  • User self-service and delegated administration to lower support costs
  • Comprehensive auditing and reporting to improve security compliance

Summary
Protecting your organization's IT assets, complying with Federal mandates, and living within tight budgets are the realities we all live with. Multi-zoned network architectures and centralized identity management make it possible to meet all three. Having them in place improves compliance with Federal Enterprise Architecture (FEA) requirements and informs the decision between building new applications and consolidating existing ones.

Fall 2007