MPSS (Managed Perimeter Security Solution) Overview
Why do I need a Managed Perimeter Security Solution?
Many organizations and businesses are unsure of their real regulatory compliance obligations, or do not understand the risk they take on when perimeter security is not addressed adequately. Most businesses fall under one or more regulations (at the Federal, State, or Local level) that include specific requirements for securing customer data. Some organizations with such compliance needs are:
- Credit Unions must comply with NCUA Rules and Regulations Part 748, Appendix A & B, with regard to implementing, monitoring, and managing the safeguards needed to prevent member information from being compromised.
- Financial Institutions must comply with the Gramm-Leach-Bliley Act (GLBA); specifically, this act requires that Financial Institutions safeguard client, consumer, and customer information. Some Financial Institutions that fall under the GLBA are:
  - Non-Bank Mortgage Lenders
  - Loan Brokers
  - Some Financial or Investment Advisers
  - Debt Collectors
  - Tax Return Preparers
  - Real Estate Settlement Service Providers
- Publicly-Traded Companies must comply with the Sarbanes-Oxley Act; specifically, this act includes requirements for implementation of internal controls (including Information Technology access controls and safeguards) to prevent fraud.
- Healthcare facilities, healthcare businesses, and insurance companies must all comply with HIPAA regulations, which require adequate electronic safeguards to protect consumers from the loss or misuse of their private health information.
- Companies or organizations that process payment card transactions (such as credit card or debit card transactions) are subject to the PCI DSS (Payment Card Industry Data Security Standard). This standard sets forth requirements for securing client / customer / consumer payment card information to prevent fraud. Included in the standard are requirements for protecting the network perimeter as well as improving access controls inside the organization's network.
In addition to the regulatory requirements set forth by various government agencies, organizations should act in the best interest of their clients and themselves: the loss of reputation and business following a breach can be significant, as can the cost of litigation and of settling the claims that result from it.
How does the Managed Perimeter Security Solution Work?
The CISS MPS (Managed Perimeter Security) Service is implemented at the perimeter of the managed customer's network, at every point of contact with the public Internet (and, in some cases, at points of contact with third-party networks). The solution uses an ICSA- and EAL4+-certified firewall with an IPS (Intrusion Prevention System) module to detect attempted compromises and intrusions by external attackers, and the IPS actively blocks such attacks as they are launched against the customer's managed network(s).
The MPS appliance can also act as a secure VPN access concentrator, which can be configured to allow remote users or sites to connect in securely from anywhere in the world. This differentiates our solution from others on the market: other managed IPS solutions require the client to purchase and maintain a separate firewall and / or VPN concentrator, each of which must be monitored as well. By bundling these features and providing a best-in-class firewall (which supports NAT, ISP failover, basic embedded network services, QoS enforcement, etc.) as part of our service, we eliminate the need for additional firewalls or VPN concentrators at the perimeter, saving the client a significant amount of money and reducing complexity.
All that is required at the customer site to implement the MPS system is the installation of a custom CISS monitoring / management appliance at each site that has direct Internet connectivity. The unit is preconfigured by CISS security experts, so installation results in minimal downtime. CISS maintains the management, logging, and reporting systems needed to meet the customer's business reporting and compliance requirements that relate to perimeter security. MPS system monitoring is continuous, performed by a combination of system automation and security monitoring specialists.
In addition to Firewall and IPS protection, CISS MPS Service may also be configured with optional Web Filtering, Email Filtering, Web Application Firewall, Wireless Security, and Endpoint features:
- Web Filtering enables the MPS appliance to be configured to block web site access by category (gaming, gambling, adult, etc.) or by blacklist. The blocking policy can be driven directly by a user's group membership in the network's enterprise directory service (LDAP, OpenLDAP, eDirectory, Microsoft Active Directory, RADIUS, etc.), or by the IP address of the workstation used. All access (blocked and allowed) is logged, and the data is included in the periodic MPS report. In addition, the customer can designate certain staff with auditor rights on the MPS system, allowing them to view near real-time and archived access logs and reports whenever needed. The Web Filtering feature also enables dual anti-virus engine scanning of all HTTP traffic (downloads, images, etc.) at the perimeter, before the data is relayed to the client workstation or server. This feature also lets the organization easily block, monitor, and control peer-to-peer and instant messaging traffic, which a basic port-based firewall or IPS cannot do.
- Email Filtering enables the MPS appliance to be configured to scan all inbound and outbound SMTP and POP3 email traffic for phishing emails, spam, and viruses / worms. The system includes an integrated Quarantine Manager and End User Portal that allows end users to manage their own whitelists and to view, release, or whitelist emails that are flagged as suspected spam, without any network administrator or CISS intervention.
- Email Filtering also includes an integrated email encryption engine that automatically encrypts outbound and decrypts inbound email according to MPS policy, using whichever key material is available: a trusted Certificate Authority, manually installed S/MIME certificates, a PGP keyserver, or manually installed PGP keys. The system also digitally signs outbound email and verifies the signatures on incoming email, assuring the recipient that the message was sent by the holder of the purported sender's key and was not altered in transit.
- The Web Application Firewall enables the Astaro software to be configured as a reverse HTTP/S proxy, allowing inspection of all access to internally hosted websites, including access to SSL-secured sites. Attacks using SQL injection and Cross Site Scripting (XSS), as well as uploads of Trojans or other malware, can all be detected by the Web Application Firewall. The Web Application Firewall also supports URL Hardening, which prevents site visitors from "exploring" your web site for vulnerabilities by only accepting requests for URLs the site itself has handed out; Cookie Protection is also available, which uses a digital signing scheme to ensure that cookies issued by your website have not been tampered with. Together these features serve to prevent defacement of your website, theft of confidential data, and use of your website(s) as a distribution point for malware.
- The Wireless Security feature allows your organization to deploy Wi-Fi services securely. Combined with the Astaro AP10 and AP30 wireless access points, the Astaro Security Gateway supports enterprise-grade encryption system-wide, keeping your data safe from eavesdroppers. Guest-level Internet access can be configured on the same access points; multiple SSIDs can be configured, each separately secured and all controlled centrally.
- Hundreds of thousands of new malware samples are detected every day, and nearly all of them target computers that browse the web or have removable devices plugged in. Endpoint Protection deploys our antivirus software to your computers and applies policies that keep them safe wherever and however they are connected. Endpoint Protection can also control which devices may be connected to these computers.
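The Cookie Protection and URL Hardening features described under the Web Application Firewall item above both rest on the same idea: the gateway attaches a keyed signature (a MAC) to data it hands out and refuses anything that comes back without a valid one. The following is an added illustration of that technique in Python; it is not Astaro's or CISS's code, and the key, the `_sig` parameter name, the `|` cookie separator, and the entry-point list are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical signing key. On a real gateway this never leaves the appliance;
# a client can therefore not forge a valid tag without it.
SECRET_KEY = b"example-gateway-signing-key-not-for-production"

# Hypothetical set of paths visitors may request without a signed URL.
# Every other URL must have been issued (and signed) by the site itself.
ENTRY_POINTS = {"/", "/index.html"}


def _mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over data, URL-safe base64 without padding."""
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_cookie(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    """Return the cookie value with a tag appended: '<value>|<tag>'.

    The cookie name is mixed into the signed data so a tag issued for one
    cookie cannot be replayed as the value of another cookie.
    """
    tag = _mac(key, f"{name}={value}".encode())
    return f"{value}|{tag}"


def verify_cookie(name: str, signed: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if the tag is valid, else None.

    rpartition keeps this correct even when the value itself contains '|',
    because the base64url tag never does.
    """
    value, sep, tag = signed.rpartition("|")
    if not sep:
        return None
    expected = _mac(key, f"{name}={value}".encode())
    # Constant-time comparison so an attacker cannot guess the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def _canonical(path: str, query: list) -> bytes:
    """Path plus the query string (minus any _sig) in a fixed encoding."""
    return (path + "?" + urlencode(query)).encode()


def sign_url(url: str, key: bytes = SECRET_KEY) -> str:
    """Append a _sig parameter covering the path and all other query parameters."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "_sig"]
    query.append(("_sig", _mac(key, _canonical(parts.path, query))))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def verify_url(url: str, key: bytes = SECRET_KEY) -> bool:
    """True only if the URL carries exactly one _sig that matches its path and query."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_sig"]
    if len(sigs) != 1:
        return False
    query = [(k, v) for k, v in pairs if k != "_sig"]
    return hmac.compare_digest(_mac(key, _canonical(parts.path, query)), sigs[0])


def is_request_allowed(url: str, key: bytes = SECRET_KEY) -> bool:
    """URL hardening decision: entry points pass unsigned, everything else needs a valid _sig."""
    if urlsplit(url).path in ENTRY_POINTS:
        return True
    return verify_url(url, key)


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    c = sign_cookie("session", "user=alice;role=user")
    print("genuine cookie  ->", verify_cookie("session", c))
    print("tampered cookie ->", verify_cookie("session", c.replace("role=user", "role=admin")))
    u = sign_url("https://www.example.com/account?id=42")
    print("issued link     ->", is_request_allowed(u))
    print("edited link     ->", is_request_allowed(u.replace("id=42", "id=43")))
    print("probe /admin    ->", is_request_allowed("https://www.example.com/admin"))
```

Note that signing proves only that the gateway produced the value, not that it is secret: anything confidential still has to be encrypted, and a signed cookie can still be replayed by whoever steals it, so expiry and TLS remain necessary.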
Compliance reporting is provided periodically (special reports can also be made available on request, as allowed by the MPS contract). Incidents classified as significant attack attempts are reported immediately to authorized client contacts by phone and secure email, and any necessary response action is taken as required and authorized.
The installed MPS appliances remain the property of CISS, and support for the device is handled entirely by CISS technicians, with very little interaction required from the client's IT personnel after initial installation. If CISS technicians determine that there is a hardware fault in the appliance, a replacement is shipped the same day by overnight delivery.
Replacement units are preconfigured and will restore connectivity immediately upon installation and startup. CISS maintains encrypted backups of the MPS configuration for use in the event of a hardware or software issue with the MPS appliance(s). In addition, our technicians are available 24/7/365 to assist our clients with any issues that arise, or security alert(s) that may be triggered.
The MPS system requires periodic software updates (often monthly or bi-monthly) that are essential to maintaining the security of the system and that also add new features. CISS notifies clients when such updates are available and need to be installed. Because installing these updates often causes 15 minutes or more of downtime (depending on the number of update packages and whether a restart of the MPS is required), CISS schedules a suitable time and date for the update (performed remotely, and usually after hours) to suit the client's uptime requirements.