Open jkraden-gsa opened 7 years ago
[Attaching linked PDF files.]
- 2018SampleCompartmentNetworkOverview.pdf
- 2018Simplified_Defense-NetworkCompartment_Overview.pdf
- 2018Simplified_Judicial-NetworkCompartment_Overview.pdf
- 2018Simplified_Treasury-NetworkCompartment_Overview.pdf
- 2018Simplified_WH-NetworkCompartment_Overview.pdf
- 2018SimplifiedOOBM-IPMINetworkOverview.pdf
- 2018SimplifiedPartial-OD-IT-GovtNetworkOverview.pdf
- 2018SimplifiedPartial-OD-IT-GovtNtwrkOvrOpt2.pdf
- 2018SimplifiedPartial-WH-Detail-GovtNetworkOverview.pdf
- 2018SimplifiedPartial-WH-IT Network Detail-GovtNetworkOverview.pdf

**Concerning IT Modernization Part 1 of 6**
After reading some of the stuff I sent earlier, I think it may be too confusing for a nontechnical reader and too disorganized for a technical reader, so here is a more organized simplification of some of what I thought was already simplified.

Here are some better graphics to help explain network compartmentation with edge cloud connections:

- Simplified White House Compartment Overview: https://drive.google.com/file/d/0Byv_cnSQFHsmSlpWSHVPbXpJWVk/view?usp=sharing
- Simplified Treasury Network Compartment Overview: https://drive.google.com/file/d/0Byv_cnSQFHsmQmlYRHdqdUJNNzA/view?usp=sharing
- Simplified Judicial Network Compartment: https://drive.google.com/file/d/0Byv_cnSQFHsmYVNSRUZiYzVVQ3M/view?usp=sharing
- Simplified Defense Network Compartment (an Einstein Source): https://drive.google.com/file/d/0Byv_cnSQFHsmR0dhdGptWWtaOTQ/view?usp=sharing
- Simplified USA Overview, 1st Option: https://drive.google.com/file/d/0Byv_cnSQFHsmWVFrMGVpaHNMYmc/view?usp=sharing
- Simplified USA Overview, 2nd Option: https://drive.google.com/file/d/0Byv_cnSQFHsmLVJHQWVYMUtQOWc/view?usp=sharing
- Sample Compartment Overview: https://drive.google.com/file/d/0Byv_cnSQFHsmS2xlZlhLamREcVU/view?usp=sharing
- Simplified OOBM / IPMI Overview: https://drive.google.com/file/d/0Byv_cnSQFHsmQnZpS2J2Wl9rNTQ/view?usp=sharing
- Simplified Partial White House Layered Detail: https://drive.google.com/file/d/0Byv_cnSQFHsmREtSQzFaTGJJUVU/view?usp=sharing
- Simplified Partial White House Connection Detail: https://drive.google.com/file/d/0Byv_cnSQFHsmVWpaOEVZUHVnV3c/view?usp=sharing
**Reasons & Process After a Network Breach**

- Always Use Layered Security
  - Reason for Multiple Layers of Security:
    - Preventative: each layer must be breached for a hack to be completely successful.
    - When / If Breached: each layer has some degree of monitoring and measurement.
  - When any layer is breached, alerts should start a process to:
    - Identify the breach
    - Isolate to protect each layer as needed
    - Locate and detect if any penetration is still on the network
    - If so, remove the threat or otherwise respond to the threat
    - Repair any damage the threat caused
**Setting up Security Layers**

- Cloud Networks
  - Perimeters
  - Compartment Network
  - Edge Cloud Networks
  - The larger the cloud, the more likely an internal hack will be attempted.
  - The Semi-Private Perimeter cloud adds layered threat security at the Internet connection.
  - Edge clouds add a communication layer to any connected compartment networks.
  - Each Compartment Network has dedicated Threat Management between it and its edge clouds.
  - Each Compartment Network can communicate to others according to a user's Authorization Level across its edge clouds.
- IT or Semi-Private Cloud Network
  - Is Internet connected
  - Monitored by Cloud Administrators
  - Monitored by Semi-Private Einstein 2 Cloud
- OT or Private Cloud Network
  - Is isolated from the Internet (not connected)
  - Monitored by Cloud Administrators
  - Monitored by Private Einstein 1 Cloud
**Compartment Networks**

- Perimeter: on each Compartment Network, Semi-Private side
- On each Workstation and Server (Note: if Operations includes Control Networks, then it will have some limitations. Generally, Control Manufacturers are behind the curve.)
  - Antivirus
  - Exploit Protection
  - Web Protection
  - Custom Firewall
  - Tamper Protection
**Compartment Network Organization**

Each network should be separated into sub-network categories, i.e.:

- Data network
- Communication network
- Peripheral Security network
- IT Development network
- Secure Wireless networks
- IT network
- Mobile network
- Guest network
- DMZ (Demilitarized Zone) network: high visibility and most vulnerable servers, i.e.
  - Web Servers (Apache, IIS, etc.)
  - FTP Servers
  - Mail Servers
- Honeypot network: use the Honey Pot (fake networks) as a Reverse Trojan Horse:
  - To attract intruders as a diversion
  - A way to track and catch intruders
  - A way to teach security to novice administrators
  - To implement other measures to discourage hacks
- Isolated Private Networks

**OT, Operational or Private Network**

- This network is isolated from all other networks.
- Exceptions to isolation:
  - One-way communication to other networks (not from)
  - Threat management connection to the Operational or Private Cloud
- The Private Network should have separate OOBM/IPMI Monitoring similar to the semi-private side.
**In Each Network Compartment**

- Network Threat Protection (Semi-Private)
  - Each Network Compartment connects to a Threat Protection Appliance (Universal Threat Management (UTM)).
  - All of a network compartment's sub-networks connect to different ports on one appliance.
  - Each Threat Protection Appliance will then connect to the WAN (Semi-Private Cloud).
  - Each Network Compartment connects to an appliance for Threat Protection, which connects to a WAN (Semi-Private Cloud).
  - Each Semi-Private Network Cloud connects to an appliance for Threat Protection:
    - Compartment to Cloud
    - Cloud to Internet
- Network Threat Protection (Private)
  - Each Network Compartment connects to a Threat Protection Appliance (Universal Threat Management (UTM)).
  - All of a network compartment's sub-networks connect to different ports on one appliance.
  - Each Threat Protection Appliance will then connect to the Private WAN (Private Cloud).
  - Each Network Compartment connects to an appliance for Threat Protection, which connects to a Private WAN (Private Cloud).
  - Each Private Network Cloud connects to an appliance for Threat Protection:
    - Compartment to Private Cloud
    - The Private Cloud does not connect to the Internet.
- Servers, Appliances, Workstations
  - Set all Server logging to feed a security database:
    - For efficient security information retrieval and analysis
    - For efficient security information comparison to other servers/appliances/workstations
  - Set all Appliance logs to feed a security database:
    - For efficient security information retrieval
    - For efficient security information comparison to other servers or appliances
  - All database information is analyzed by:
    - Network Administrators
    - Einstein Security Cloud

**Servers, Appliances, Workstations**

Add protection with a central control:

- Antivirus
- Web Security
- Exploit Security
- Firewall
- Tamper Protection
- Malware Security
**Other Security Factors: Einstein**

If Einstein can guard against intrusion, it can:

1. Do intrusion testing on each Network Security change, each Network addition, and any Security Policy change.
2. Compare my security model up against your proposed draft model:
   a) Show the president the strengths and weaknesses of each in terms a nontechnical person can understand.
   b) Compare costs, both short and long term (my model will cost more short term and probably less long term).
   c) Compare time to implement (my security model will take longer to build and implement).
   d) Give short-term and long-term goals and methods to securing the networks short term and long term.
   e) Help everyone across these United States and not just the Government, if it can be made cheap enough. (Note: IBM has a history of price gouging and manipulating when their technology becomes obsolete.)
   f) Etc., etc., etc. Our imagination as to what is needed is the l
3. Work to each administrator's strengths, and understand and help them with their weaknesses.
4. Train network users to be responsible.
5. Help with isolating protocols to only those that are needed on any network.
With something like Einstein available most likely you folks and I are 'spinning our wheels' because Einstein can probably come up with the solution with the highest probability of success. What is wrong with me that causes my guts to stir and me to really not like what I just said?
David Pinkston
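The compartmentation rules in the post above (a UTM at every compartment edge, only the DMZ exposed to the Internet, guest and honeypot segments that never initiate traffic inward, an OT/private network that only talks one-way outward except for threat management from the private cloud, and cross-compartment traffic gated on a user's authorization level) can be written down as a policy that flow logs are checked against. The following is an added example and is not code from the issue or from any of the linked designs; the zone names, the `compartment/zone` naming scheme, the log format and the sample log lines are all constructed for illustration, and the authorization threshold of 2 is an assumed value.

```python
"""Check constructed flow-log lines against a compartment-network policy.

Added example (not part of the original issue). Zone names, the
'compartment/zone' naming scheme and the log format are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sub-networks on the semi-private side of a compartment (names assumed).
SEMI_PRIVATE = {"data", "communication", "it", "it_dev", "wireless",
                "mobile", "guest", "dmz", "honeypot"}
PRIVATE = {"ot"}                  # the isolated operational (OT) network
INTERNET_REACHABLE = {"dmz"}      # the only zone the Internet may reach directly
NO_INBOUND_FROM = {"guest", "honeypot"}  # segments that never initiate inward traffic


@dataclass(frozen=True)
class Flow:
    src: str            # "compartment/zone" or an external zone such as "internet"
    dst: str
    via_utm: bool       # True if the flow traversed the threat-protection appliance
    auth_level: int = 0  # authorization level of the user; 0 = unauthenticated


def split_zone(zone: str) -> Tuple[Optional[str], str]:
    """Return (compartment, zone); external zones have no compartment."""
    comp, _, sub = zone.partition("/")
    return (comp, sub) if sub else (None, comp)


def flow_allowed(f: Flow, required_level: int = 2) -> bool:
    """Apply the post's compartmentation rules to a single flow."""
    s_comp, s_zone = split_zone(f.src)
    d_comp, d_zone = split_zone(f.dst)
    # Every compartment edge is a UTM appliance; anything that bypassed it is a violation.
    if not f.via_utm:
        return False
    # The private cloud only carries threat management into the OT network.
    if s_zone == "private_cloud":
        return d_zone in PRIVATE
    # Nothing else initiates traffic into the OT network ...
    if d_zone in PRIVATE:
        return False
    # ... and OT may talk one-way outward, but never to the Internet.
    if s_zone in PRIVATE:
        return d_zone != "internet"
    # From the Internet, only the DMZ is exposed.
    if s_zone == "internet":
        return d_zone in INTERNET_REACHABLE
    # Guest and honeypot segments may reach the Internet, nothing internal.
    if s_zone in NO_INBOUND_FROM:
        return d_zone == "internet"
    # Crossing compartments goes over the edge cloud and needs an authorized user.
    if s_comp and d_comp and s_comp != d_comp:
        return f.auth_level >= required_level
    return True


def parse_line(line: str) -> Tuple[int, Flow]:
    """Parse one 'key=value' log line (constructed format)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return int(kv["ts"]), Flow(kv["src"], kv["dst"], kv["utm"] == "yes", int(kv["level"]))


def audit(log: str) -> List[int]:
    """Return the timestamps of flows that violate the policy."""
    violations = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, flow = parse_line(line)
        if not flow_allowed(flow):
            violations.append(ts)
    return violations


# Constructed sample log: one line per observed flow.
SAMPLE_LOG = """\
ts=1 src=treasury/guest dst=treasury/data utm=yes level=0
ts=2 src=internet dst=treasury/dmz utm=yes level=0
ts=3 src=internet dst=treasury/data utm=yes level=0
ts=4 src=treasury/it dst=treasury/ot utm=yes level=3
ts=5 src=treasury/ot dst=treasury/data utm=yes level=0
ts=6 src=treasury/it dst=judicial/data utm=yes level=3
ts=7 src=treasury/it dst=judicial/data utm=no level=3
ts=8 src=private_cloud dst=treasury/ot utm=yes level=0
"""

if __name__ == "__main__":
    print("policy violations at ts:", audit(SAMPLE_LOG))  # [1, 3, 4, 7]
```

Flows 1, 3, 4 and 7 are flagged: guest into the data network, Internet into a non-DMZ zone, an IT workstation initiating into OT, and a cross-compartment flow that bypassed the UTM. Flow 8 is the threat-management exception the post allows, and flow 5 is OT's one-way outbound traffic. The value of writing the design down this way is that the same function can be run over the security database the post wants all server and appliance logs to feed, so a breach of one layer shows up as a rule violation rather than having to be noticed by hand.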