200 likes | 1.08k Views
Extranet for Security Professionals (ESP). Group One. Team Members. Heather T. Kowalski, Project Lead Tong Xu Ying Hao Hui Huang Bill Halpin. Task. Extranet for Security Professionals Company: SEI Contact: Martin Lindner Security Analysis, using SNA Method. Milestones.
E N D
Team Members • Heather T. Kowalski, Project Lead • Tong Xu • Ying Hao • Hui Huang • Bill Halpin
Task • Extranet for Security Professionals • Company: SEI • Contact: Martin Lindner • Security Analysis, using SNA Method
Milestones • September 28, 2000 • Initial Overview Presentation • October 31, 2000 • Essential Services Review • November 14, 2000 • Attack Threat Analysis • December 5, 2000 • Final Recommendations
Client Meetings – To Date • September 15 • Introductions • High-level Review of Architecture • September 20 • Business Mission • Detailed Overview of Client Goals • Detailed Review of Architecture
Client Expectations • Review the System Design and Architecture • Identify and Document Vulnerabilities • Identify Alternative Approaches to ESP Mission
SNA – System Definition • Mission • Requirements • Environment • Risk Definition • Architecture Definition
ESP – Mission • Central Repository of Security Information • Central Location for Information Sharing • Secure Environment, Manageable Resource
ESP – Requirements • Security over Reliability • Exchange of Information • Responsible for Information Only While on ESP System • User Driven and Maintained
ESP – Environment • Dell PowerEdge Servers • Windows NT 4.0 (SP3) • Only Minimal Options Activated • SSL • Cold Fusion Middleware
ESP – System Elements • COTS • Easier to Find Support Staff • Easier to Maintain • Updates • Good Programming Practices • Prevention • Integrity • Code Revision Controls
© 2000 by Carnegie Mellon University/SEI ESP – Architecture The Internet Firewall Router Web Servers To: George Marty From: Steve Workstation Database Servers Firewall
ESP – Risk Definition • System Attacks • Abrogation of User Responsibilities • Equipment Failure • On-going Process
Client Meetings - Expected • Mid-October • Verify Traffic Flow • Early November • Discuss Attack Potential • Late November • Mitigation Recommendations
SNA - Step Two Pending • Essential Services & Assets • Trace Scenarios Through Architecture • Identify Essential Components of Architecture
SNA – Step ThreePending • Review Attacker Profiles • Discuss Likely Levels of Attack • Identify Possible Attack Scenarios • Determine Weak Links in Architecture
SNA – Step FourPending • Identify Architecture Deficiencies • Present Current Strategies for 3 R’s • Present Suggested Strategy Improvements • Present Plan to Implement Improvements