How Does the Managed Perimeter Security Service Work?
The CISS MPS (Managed Perimeter Security) Service is implemented at the perimeter of the managed customer’s network, at all points of contact with the Public Internet (and, in some cases, points of contact with other third-party networks). The solution detects attempted compromises / intrusions by external attackers using an ICSA-certified firewall and IPS (Intrusion Prevention System) module which also actively thwarts such attacks as they are launched against the customer’s managed network(s). The MPS appliance can also act as a secure VPN access concentrator, which can be configured to allow remote users or sites to connect in securely from anywhere in the world. This differentiates our solution from others on the market; other managed IPS solutions require the client to purchase and maintain a separate firewall and / or VPN concentrator, all of which require monitoring as well. By bundling these features, and providing a best-in-class firewall solution (which supports NAT, ISP Failover, basic embedded network services, QoS enforcement, etc.) embedded in our service, we can eliminate the need for additional firewalls or VPN concentrators at the perimeter, thus saving the client a significant amount of money, and reducing complexity.
All that is required on the customer site to implement the MPS system is the installation of a custom CISS monitoring / management appliance at each site that has direct internet connectivity. The unit will be preconfigured by CISS Security experts, so the installation will result in a minimum of downtime. CISS will maintain the management, logging, and reporting systems needed to meet the customer’s business reporting and compliance requirements that relate to perimeter security. MPS System Monitoring is maintained constantly, performed by a combination of system automation and security monitoring specialists.
In addition to firewall and IPS protection, CISS MPS Service may also be configured with optional Web Filtering and Email Filtering features:
- Web Filtering enables the MPS appliance to be configured to block Web Site access by category (gaming, gambling, adult, etc.) or blacklist. The blocking feature can be directly controlled by a user’s membership in a group in the network’s enterprise directory service (LDAP, OpenLDAP, eDirectory, Microsoft Active Directory, RADIUS, etc.), or by the IP Address of the workstation used. All access (blocked and allowed) is logged, and the data will be included in the Monthly MPS Report. In addition, the customer can designate certain staff with the rights to view the near real-time and archived access logs and reporting as an auditor on the MPS system at any time it may be needed. Additionally, the Web Filtering feature enables dual anti-virus engine scanning of all HTTP traffic (downloads, images, etc.) at the perimeter before the data is even relayed to the client workstation or server. This feature also enables the organization to easily block, monitor, and control Peer to Peer and Instant Messaging access, something a basic firewall or IPS cannot do.
- Email Filtering enables the MPS appliance to be configured to scan all inbound and outbound SMTP and POP3 email traffic for Phishing emails, Spam, and Viruses / Worms. The system includes an integrated Quarantine Manager End User Portal that will allow end users to manage their own whitelists and to view, release, or whitelist emails that are designated as suspected spam without any network administrator or CISS intervention.
- Email Filtering also includes the use of an integrated Email Encryption engine which will automatically decrypt and encrypt email, as determined by the MPS policies and by the availability of a trusted Certificate Authority, manually installed S/MIME Certificate, PGP Keyring Server, or manually installed PGP keys. The system will also digitally sign emails (and verify incoming digital signatures), thus assuring the recipient that the email they receive was authored by the purported sender.
Compliance reporting will be provided monthly (special reports will also be made available, as requested, as allowed per the MPS contract), transmitted to the customer as either a PGP or S/MIME encrypted email. Incidents, defined as significant attack attempts, will be immediately reported to authorized client contacts by phone and secure email, and any necessary reactive action will be taken.
The MPS appliance(s) that is installed remains the property of CISS, and support for the device is all handled by CISS technicians, with very little interaction with the client’s IT personnel required after initial installation. If there is an issue with the hardware appliance (as determined by CISS technicians), a replacement will be shipped the same day, overnight. Client personnel on site will be required to perform the exchange with the assistance of CISS technicians when the replacement arrives, which is a simple process. The replacement unit will be preconfigured and will restore connectivity immediately upon installation and startup. CISS maintains encrypted backups of the MPS configuration for use in the event of a hardware or software issue with the MPS appliance(s). In addition, our technicians are available 24/7/365 to assist our clients with any issues that arise, or security alert(s) that may be triggered.
Minor reconfiguration of the MPS system will be performed upon request (such as minor email filtering reconfiguration, minor packet filter or IPS reconfiguration, etc.) and will be performed in accordance with the MPS contract; major reconfiguration (adding new network subnets, adding additional ISP connections, configuration of clustering or failover, etc.) will be performed upon acceptance of an addendum to the contract for the requested work to be performed.
The MPS System requires periodic software updates (often monthly or bi-monthly) which are essential to maintaining the security of the system, and which also add new features. CISS will notify the client when such updates are available and need to be installed; since installation of these updates often results in 15 minutes or more of downtime (depending on the number of update packages, and whether or not a restart of the MPS is required), CISS will schedule a proper time and date to install the updates (performed remotely, and often after hours) to suit the Client’s uptime requirements.