All.Net

Fri Apr 8 06:49:41 PDT 2016

Technology: Logical Perimeters: What logical perimeters have what protection mechanisms?

Options:

For each type of logical facility, describe what protective mechanisms are associated with each layer.

World Deceptions / Perceptions / Reputation / Intelligence information

Mobile Systems Disk/file encryption / VPN / VMs / Firewalls / Access controls / Authentication / TCG:TCSEC Audit / Filters / NIRDS

Vendors Patches / Help desk / Vulnerability detection / Penetration Testing / IDS / Up-Down / Intelligence / Filters

Providers ISP / Anti-Bad-Content / SMTP / IdM / Gateways / QoS / Hosting / File sharing / Certificates

External users Web and other services

Main / Secondary / Campus / Field Facility Access limits / Personnel flow controls / Storage / Computing / Network / Telecommunications / Assistance / Firewall / Zoned architecture / Response support / Configuration controls

Users Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

Programmers Authentication / Separation of duties / Code validation / Change management / Access controls / Audit / VPN / VMs / VLAN

SysOps and DBAs Access controls / Audit / Separation of duties / Code validation / Change management / VPN / VMs / VLAN / Authentication

NOC Zones / Network management / Control zone / DMZ / Firewalls / Filters / Transforms / IdM

SOC Audit zone / NIRDS Controls / Alert systems / Incident controls / Surveillance systems / Key management

Operations Center / Plant / Remote MAC / NAC / VPN / Perimeters / FW / NIRDS / GW / Proxy / Audit / Query limits / Separation of duties / Redundancy / Identity Management / Change control / Testing

Control Personnel Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

DMZ Servers and Proxies Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication / IDRS / Change controls TCG-TCSEC controls / Software controls

Security servers Various special controls

Zone separation mechanisms Zone firewalls / Independent perimeter verification mechanisms / IDS machines / Correlation and analysis

Control Systems FW / Perimeter / NIRDS / Proxy / Audit / Filters / Transforms / Redundancy / Risk aggregation controls / Change control / Testing / Terminal services

HMIs Query limits / Access controls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls / Change Controls / Digital Diodes / FSM Inputs

HMI x SCADA Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

SCADAs Query limits / Access controls / Application firewalls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls / Change Controls / Digital Diodes / FSM Inputs

SCADA x PLC Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

PLCs Query limits / Access controls / Application firewalls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls / Change Controls / Digital Diodes / FSM Inputs

PLC x Act / Sense Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Sensors / Actuators Query limits / Access controls / Application firewalls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls Actuators / Digital Diodes / FSM Inputs

Control x History

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

History servers Query limits / Access controls / Audit / Redundancy / Separation of duties / Replay and rollback / Transaction mechanisms / Aggregation controls

History Repositories FW / NIRDS / Audit / Filters / Transforms / TCB

Storage area networks Redundancy / Separation of duties / Backups

Direct connections: Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Inter-facility
Encryption / Authentication / VPN / VLAN / RF / Wired / Fiber / Dedicated lines

Logical facility protection overview

Decision:

For each type of logical facility, describe what protective mechanisms are associated with each layer.

High Risk

World Deceptions / Perceptions / Reputation / Intelligence information

Mobile Systems Disk/file encryption / VPN / VMs / Firewalls / Access controls / Authentication / TCG:TCSEC Audit / Filters / NIRDS

Vendors Patches / Help desk / Vulnerability detection / Penetration Testing / IDS / Up-Down / Intelligence / Filters

Providers ISP / Anti-Bad-Content / SMTP / IdM / Gateways / QoS / Hosting / File sharing / Certificates

External users Web and other services

Users Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

Programmers Authentication / Separation of duties / Code validation / Change management / Access controls / Audit / VPN / VMs / VLAN

SysOps and DBAs Access controls / Audit / Separation of duties / Code validation / Change management / VPN / VMs / VLAN / Authentication

NOC Zones / Network management / Control zone / DMZ / Firewalls / Filters / Transforms / IdM

SOC Audit zone / NIRDS Controls / Alert systems / Incident controls / Surveillance systems / Key management

Control Personnel Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

DMZ Servers and Proxies Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication / IDRS / Change controls TCG-TCSEC controls / Software controls

Security servers Various special controls

Zone separation mechanisms Zone firewalls / Independent perimeter verification mechanisms / IDS machines / Correlation and analysis

Control Systems FW / Perimeter / NIRDS / Proxy / Audit / Filters / Transforms / Redundancy / Risk aggregation controls / Change control / Testing / Terminal services

HMIs Query limits / Access controls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls / Change Controls / Digital Diodes / FSM Inputs

HMI x SCADA Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

SCADA x PLC Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

PLC x Act / Sense Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Control x History

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

History servers Query limits / Access controls / Audit / Redundancy / Separation of duties / Replay and rollback / Transaction mechanisms / Aggregation controls

History Repositories FW / NIRDS / Audit / Filters / Transforms / TCB

Storage area networks Redundancy / Separation of duties / Backups

Direct connections: Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Inter-facility
Encryption / Authentication / VPN / VLAN / RF / Wired / Fiber / Dedicated lines

Logical high consequence facility protection overview

Medium Risk

World Deceptions / Perceptions / Reputation / Intelligence information

Mobile Systems Disk/file encryption / VPN / VMs / Firewalls / Access controls / Authentication / TCG:TCSEC Audit / Filters / NIRDS

Vendors Patches / Help desk / Vulnerability detection / Penetration Testing / IDS / Up-Down / Intelligence / Filters

Providers ISP / Anti-Bad-Content / SMTP / IdM / Gateways / QoS / Hosting / File sharing / Certificates

External users Web and other services

Users Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

Programmers Authentication / Separation of duties / Code validation / Change management / Access controls / Audit / VPN / VMs / VLAN

SysOps and DBAs Access controls / Audit / Separation of duties / Code validation / Change management / VPN / VMs / VLAN / Authentication

NOC Zones / Network management / Control zone / DMZ / Firewalls / Filters / Transforms / IdM

SOC Audit zone / NIRDS Controls / Alert systems / Incident controls / Surveillance systems / Key management

Control Personnel Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

DMZ Servers and Proxies Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication / IDRS / Change controls TCG-TCSEC controls / Software controls

Security servers Various special controls

Zone separation mechanisms Zone firewalls / Independent perimeter verification mechanisms / IDS machines / Correlation and analysis

Control Systems FW / Perimeter / NIRDS / Proxy / Audit / Filters / Transforms / Redundancy / Risk aggregation controls / Change control / Testing / Terminal services

HMIs Query limits / Access controls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls / Change Controls / Digital Diodes / FSM Inputs

HMI x SCADA Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

SCADA x PLC Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

PLC x Act / Sense Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Control x History

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

History servers Query limits / Access controls / Audit / Redundancy / Separation of duties / Replay and rollback / Transaction mechanisms / Aggregation controls

History Repositories FW / NIRDS / Audit / Filters / Transforms / TCB

Storage area networks Redundancy / Separation of duties / Backups

Direct connections: Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Inter-facility
Encryption / Authentication / VPN / VLAN / RF / Wired / Fiber / Dedicated lines

Logical medium consequence facility protection overview

Low Risk

World Deceptions / Perceptions / Reputation / Intelligence information

Mobile Systems Disk/file encryption / VPN / VMs / Firewalls / Access controls / Authentication / TCG:TCSEC Audit / Filters / NIRDS

Vendors Patches / Help desk / Vulnerability detection / Penetration Testing / IDS / Up-Down / Intelligence / Filters

Providers ISP / Anti-Bad-Content / SMTP / IdM / Gateways / QoS / Hosting / File sharing / Certificates

External users Web and other services

Users Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

Programmers Authentication / Separation of duties / Code validation / Change management / Access controls / Audit / VPN / VMs / VLAN

SysOps and DBAs Access controls / Audit / Separation of duties / Code validation / Change management / VPN / VMs / VLAN / Authentication

NOC Zones / Network management / Control zone / DMZ / Firewalls / Filters / Transforms / IdM

SOC Audit zone / NIRDS Controls / Alert systems / Incident controls / Surveillance systems / Key management

Control Personnel Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

DMZ Servers and Proxies Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication / IDRS / Change controls TCG-TCSEC controls / Software controls

Security servers Various special controls

Zone separation mechanisms Zone firewalls / Independent perimeter verification mechanisms / IDS machines / Correlation and analysis

Control Systems FW / Perimeter / NIRDS / Proxy / Audit / Filters / Transforms / Redundancy / Risk aggregation controls / Change control / Testing / Terminal services

HMIs Query limits / Access controls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls / Change Controls / Digital Diodes / FSM Inputs

HMI x SCADA Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

SCADA x PLC Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

PLC x Act / Sense Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Control x History

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

History servers Query limits / Access controls / Audit / Redundancy / Separation of duties / Replay and rollback / Transaction mechanisms / Aggregation controls

History Repositories FW / NIRDS / Audit / Filters / Transforms / TCB

Storage area networks Redundancy / Separation of duties / Backups

Direct connections: Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Inter-facility
Encryption / Authentication / VPN / VLAN / RF / Wired / Fiber / Dedicated lines

Logical low consequence facility protection overview

The generic logical facility protection model is:

World Deceptions / Perceptions / Reputation / Intelligence information

Mobile Systems Disk/file encryption / VPN / VMs / Firewalls / Access controls / Authentication / TCG:TCSEC Audit / Filters / NIRDS

Vendors Patches / Help desk / Vulnerability detection / Penetration Testing / IDS / Up-Down / Intelligence / Filters

Providers ISP / Anti-Bad-Content / SMTP / IdM / Gateways / QoS / Hosting / File sharing / Certificates

External users Web and other services

Users Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

Programmers Authentication / Separation of duties / Code validation / Change management / Access controls / Audit / VPN / VMs / VLAN

SysOps and DBAs Access controls / Audit / Separation of duties / Code validation / Change management / VPN / VMs / VLAN / Authentication

NOC Zones / Network management / Control zone / DMZ / Firewalls / Filters / Transforms / IdM

SOC Audit zone / NIRDS Controls / Alert systems / Incident controls / Surveillance systems / Key management

Control Personnel Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication

DMZ Servers and Proxies Access controls / Disk-file encryption / VPN / VMs / VLAN / Addresses / Location / Audit / Authentication / IDRS / Change controls TCG-TCSEC controls / Software controls

Security servers Various special controls

Zone separation mechanisms Zone firewalls / Independent perimeter verification mechanisms / IDS machines / Correlation and analysis

Control Systems FW / Perimeter / NIRDS / Proxy / Audit / Filters / Transforms / Redundancy / Risk aggregation controls / Change control / Testing / Terminal services

HMIs Query limits / Access controls / Audit / Redundancy / Separation of duties / Roles and rules / Idm Interface / Aggregation controls / Change Controls / Digital Diodes / FSM Inputs

HMI x SCADA Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

SCADA x PLC Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

PLC x Act / Sense Comms

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Control x History

Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

History servers Query limits / Access controls / Audit / Redundancy / Separation of duties / Replay and rollback / Transaction mechanisms / Aggregation controls

History Repositories FW / NIRDS / Audit / Filters / Transforms / TCB

Storage area networks Redundancy / Separation of duties / Backups

Direct connections: Enc / Auth / VPN / VLAN / RF / Wired / Fiber / Ded lines

Inter-facility
Encryption / Authentication / VPN / VLAN / RF / Wired / Fiber / Dedicated lines

Logical facility protection overview

Basis:

This depiction of the structure of logical protection is based on the decisions made herein, as augmented by additional mechanisms that appear to be desired or are already in place. Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved