Network Management


Network management will be provided throughout Venti Systems.

Head-Office Network Management

Management of devices within the Venti Systems network will be updated to include a more secure protocol, secure shell (SSH), for in-band connections. If the network is unavailable and SSH does not work, the network administrator can connect directly to the console ports of the devices. The Management module of the Enterprise Campus functional area is illustrated in Figure 12-12.

Figure 12-12. Venti Systems' Management Module


The Management module contains the following items:

  • OTP/token server: Works with the users' tokens to provide strong user authentication.

  • Access control server: Provides centralized command and control for all user authentication, authorization, and accounting (AAA).

  • Network monitoring station: Monitors the devices in the network. The Simple Network Management Protocol (SNMP) is the main protocol used by this station.

  • IDS management server: Provides configuration and viewing of alarms on IDS and IPS sensors deployed throughout the network. The IDS management server is alerted if suspicious activity is detected.

  • Syslog server: Collects network events and traps.

  • System administration server: Configures network management and other network devices.

Venti Systems will implement Network Admission Control (NAC) to ensure that users and their computers comply with the following corporate network policies:

  • Host intrusion prevention

  • Virus/spyware/adware protection

  • Protection against buffer overflow attacks

  • Operating system integrity assurance

  • Application inventory

  • Audit log consolidation

As described in Chapter 4, "Network Security Design," NAC requires a policy server, which is part of the network monitoring station; a network access device (NAD); and trust agent software installed on users' laptops. The NAD intercepts attempts to connect from local or remote users. The trust agent provides the NAD with pertinent information about the laptop's configuration, such as the version of antivirus software installed and the patch level of the operating system. The NAD passes this information to the policy server, which decides whether access will be granted to the laptop.
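The posture decision described above, worked through as an added example that is not from the book or from any Cisco NAC product: a policy server receives the trust agent's report (forwarded by the NAD) and returns permit, quarantine, or deny. The field names, thresholds, and sample laptops are assumptions constructed for the example.

```python
# Added example: a minimal policy-server decision modelled on the NAC flow
# (trust agent -> NAD -> policy server). Field names and thresholds are
# assumptions for illustration, not Venti Systems' actual policy.
from dataclasses import dataclass, field
from typing import Optional

# Assumed corporate policy: minimum acceptable values for each check.
MIN_AV_VERSION = (12, 0)        # antivirus engine (major, minor)
MIN_OS_PATCH_LEVEL = 2024_06    # year+month of the latest applied OS patches
REQUIRED_SERVICES = {"host_ips", "antivirus"}


@dataclass
class Posture:
    """What the trust agent reports about a laptop (constructed fields)."""
    host: str
    av_version: tuple
    os_patch_level: int
    running: set = field(default_factory=set)


def evaluate(posture: Optional[Posture]) -> tuple:
    """Return (decision, reasons). A laptop with no trust agent cannot be
    verified, so it is quarantined rather than trusted by default."""
    if posture is None:
        return "quarantine", ["no trust agent report"]
    reasons = []
    if posture.av_version < MIN_AV_VERSION:
        reasons.append("antivirus out of date")
    if posture.os_patch_level < MIN_OS_PATCH_LEVEL:
        reasons.append("operating system not patched")
    missing = REQUIRED_SERVICES - posture.running
    if missing:
        reasons.append("required protection not running: " + ", ".join(sorted(missing)))
    if not reasons:
        return "permit", []
    # Out-of-date but otherwise protected hosts get remediation-only access;
    # hosts with required protection missing entirely are denied.
    return ("deny" if missing else "quarantine"), reasons


# Constructed posture reports for three laptops.
SAMPLE = {
    "laptop-ok": Posture("laptop-ok", (12, 3), 2024_07, {"host_ips", "antivirus"}),
    "laptop-stale": Posture("laptop-stale", (11, 9), 2024_07, {"host_ips", "antivirus"}),
    "laptop-noips": Posture("laptop-noips", (12, 3), 2024_07, {"antivirus"}),
}

if __name__ == "__main__":
    for name, report in SAMPLE.items():
        print(name, *evaluate(report))
    print("laptop-noagent", *evaluate(None))
```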

New laws require IT governance best practices and the privacy and security of customer and financial data to be assured, including a secure backup of such data. Examples of such regulations are Sarbanes-Oxley (SOX) and the California Law on Notice of Security Breaches (Senate Bill [SB] 1386) in the United States, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Reporting requirements under these regulations include identifying who can access data, whether critical information is secure (for example, whether it is encrypted when it is stored), what information has been changed, and when the information was changed.

As part of security and network management, the company should also have auditing tools in place to collect and report on usage. A policy will be put in place requiring someone to review the collected data and compare it to expected activity. For example, multiple attempts to access banned websites or services should be followed up on, as should invoices from service providers that are higher than the expected amounts.

The accounting function of the AAA server will provide monitoring of users' network activity.

Branch-Office Network Management

Critical devices within the Seattle office will also be managed through SNMP and accessed through SSH. This traffic will travel across the VPN. Syslog data will also be sent back to the head office through the VPN encrypted tunnel.

Remote User Network Management

Remote users' devices (for example, a home networking router) will be managed by the users themselves. Their laptops will be under the control of Venti Systems and protected by the implementation of NAC.




Campus Network Design Fundamentals
ISBN: 1587052229
Year: 2005
Pages: 156