Security Assessment Checklist

Westcon Security Checklist - Instructions

The first step to protecting your business includes a careful and complete assessment of your security posture. Our Security Assessment Checklist can help you quickly assess whether your current security framework is providing the necessary protection across your data center, network infrastructure, unified communications, data, applications and cloud services.

For a detailed assessment of how your security stacks up, use the 10-point security checklist below: review each security category to determine whether these devices, software, services or capabilities exist in your environment, and mark your answer. Once you complete the self-assessment checklist, contact your Westcon representative or reseller partner to explore solutions for your security concerns.

Customer Information
Company Name:
Contact:
Phone Number:
Email:

security.westcon

1 Perimeter Security

Firewall
  - Permits traffic based on acceptable use policy
  - Performs NAT for inside network
  - Reacts to Denial of Service attacks
  - Can be deployed as a Virtual Appliance

Unified Communications SIP Enabled Firewall
  - Provides session border control functionality for terminating SIP trunks
  - Provides protection against toll fraud, intrusion, unauthorized access and eavesdropping
  - Provides demarcation and control at the enterprise edge
  - Provides threat protection for SIP/VoIP
  - Provides Network, User, Device, Media, Application, Routing, SIP Signaling, Device and ToD-based policy control
  - Isolates attacks and compromised devices

Business Continuity - Firewall High Availability
  - VRRP (Virtual Router Redundancy Protocol mirroring)
  - Allowance for firewall grouping (SRC/DST/Protocol)
  - HA Failover
  - Support for Multivendor FWs
  - FW Load Balancing

VPN Concentrator
  - Creates IPSEC-based tunnels
  - Tunnels established over multiple links &/or Gateways
  - HA of VPN tunnels
  - Uses 3DES / AES encryption
  - User Policy-Authentication

SSL Gateway
  - Combined IPSec and SSL VPN solution
  - FIPS 140-1 Level 3 compliant
  - End-to-End encryption
  - Application-layer proxy features for SSL
  - Extranet deployments allow secure remote access to enterprise applications without installing software clients
  - Connect mobile employees using a non-enterprise device, such as public PC in an Internet café or airport kiosk
  - User Policy-Authentication

Wireless/Mobile Infrastructure
  - Wireless Firewall
  - Allows Wireless LAN Infrastructure Virtualization
  - Wireless Threat Detection
  - Rogue Access Point Detection
  - Encryption
  - User Policy-Authentication
  - Public Access Management
  - Secure Roaming

Endpoint Security - User Policy-Management
  - Policy Based Remote Access Controls
  - Device Control/Policy Enforcement (provides visibility into and continuous enforcement of security configurations and patches)
  - Encryption (disk & data)
  - Endpoint Defense (protects against viruses, worms, Trojans, spyware, bots, zero-day threats and root kits)
  - Compliance (ability to create & enforce minimum security requirements for all remotely connected PCs and other devices)

Authentication - Token Servers/Tokens
  - Authentication & Federation Services (contains authorization information for a user or group to control access to securable objects and to control the ability of a user to perform various system-related operations on a local computer)
  - Administration and Authentication of User Access to Web-based Applications & Services
  - Certificate-Based Authenticators (ensuring that a user is who he claims to be)
  - Provides Compliance (with security regulations including HIPAA, HSPD-12, SOX, GLBA, FFIEC, Basel II, PCI and HITECH)
  - TACACS+ / RADIUS Servers
  - Strong Authentication Services (using industry standard protocols and user databases)

2 Physical Security

IP Video Surveillance
  - Multi Level Security (including restriction of setup, management, live and recorded viewing, PTZ control & operation, motion detection, access to layouts, facility maps, and rules)
  - View Live and Recorded Video from Anywhere on the Internet, Network or Using a Smart Phone or Tablet
  - Integrates with Existing Network Security & User Authentication Systems

Access Control
  - Door Access Control Systems/Keypads (that integrate with existing network security & user authentication systems)

3 Network Core Security

Secure Routing, Switching and WAN
  - Provides Layer 2, Layer 3, and Layer 4 (TCP/UDP) service protection
  - Provides protection features against rogue services, including ICMP requests, DHCP snooping, ARP inspection, and IP source protection to prevent IP and MAC layer spoofing, as well as validating DHCP services
  - Provides security features that protect the network infrastructure from being attacked by malicious or accidental users
  - Encrypts Network Traffic
  - Logs System Information
  - Port Based Authentication
  - Network Device Change Management

Intrusion Detection/Prevention
  - Segments Networks Into Security Zones
  - Isolates Attacks and Compromised Devices
  - Can be Deployed as a Virtual Appliance

Multi-Homing
  - Stops inbound ICMP requests
  - Prevents IP Spoofing
  - Logs system information
  - Highly available links with transparent failover
  - Optimal content routing (policy/proximity)

Secure Wireless Switching
  - Rogue access point detection
  - Public access management
  - Port based authentication

Business Continuity
  - Load balancing
  - Multi-homing
  - Service Assurance (QoS)
  - Can be Deployed as a Virtual Appliance

Traffic Management
  - Provides network and protocol-level security and filters application attacks
  - Flow Management of specific traffic to specific antivirus/filtering device
  - Content Filtering farm bypass for traffic that does not require inspection
  - Can be Deployed as a Virtual Appliance

4 Server Security

Virtualization
  - Protects virtualized servers/hypervisors (VMware, etc.)
  - Server Security can be deployed as a Virtual Appliance
  - Protects Virtualized Unified Communications servers
  - Protects Virtualized SAN Servers
  - Protects Virtualized File Servers
  - Protects Virtualized Web Servers (SOA/Web Services)
  - Protects Virtualized Application Servers
  - Protects Virtualized Database Servers
  - Protects VDI Servers
  - Provides Compliance for Virtualized Servers
  - Provides Disaster Recovery for Virtualized Servers

Data Integrity
  - Change Management
  - Malicious Code Detection
  - Encryption
  - User Policy-Authentication

Malicious Code - Virus Monitoring
  - Monitors for Malicious codes, viruses and SPAM
  - Provides real time protection and alerts
  - Stops viruses at the SMTP, HTTP, and FTP server gateway

Antivirus & Filtering Traffic Management
  - Antivirus & Filtering Farm Aggregation
  - Multivendor AV/Filtering Support
  - HA and transparent failover of AV/Filtering Solution
  - Flow Management of specific traffic to specific antivirus/filtering device

High Availability
  - Load balancing
  - Clustering
  - Virtual Machine Migration

Intrusion Detection/Protection Systems
  - Provides real time intrusion detection/protection and alerts
  - Analyzes both inbound and outbound network traffic
  - Watches for unusual activity on Web server
  - Monitors access to Operating System
  - Works on signature matches and anomalies
  - Has scheduled database updates
  - Check what has changed (files, system, etc.)

Server Management Access - Authentication
  - Two-Factor Authentication
  - Multi-level Administrator Policy Management

5 SAN Security

Storage Network/FCoE Security
  - Physical Device Security - theft of disk drives, loss of backup tapes during transport, and security breaches from inside firewalls
  - Data at Rest/Storage Media Encryption
  - FCoE Data in Movement Encryption
  - Administrative Controls and Policies
  - Fibre Channel Device Access
  - TCP/IP Vulnerabilities
  - Management Access Controls

6 Endpoint Security

Intrusion Detection/Protection Systems
  - Provides real time intrusion detection/protection and alerts
  - Can be deployed for desktop and all remotely connected PCs and other devices
  - Analyzes both inbound and outbound network traffic
  - Watches for unusual activity on Web server
  - Monitors access to Operating System
  - Works on signature matches and anomalies
  - Provides scheduled database updates
  - Check what has changed (files, system, etc.)

Secure Client Access Management (Allows network administrators to manage access based on the configuration of remote end points)
  - Provides AV updates to Host endpoints
  - Device Control/Policy Enforcement/DLP - Provides Data & Leakage Control (port control, visibility into and continuous enforcement of security configurations and patches)
  - Encryption (disk & data)
  - Endpoint Defense/protects against viruses, worms, Trojans, spyware, bots, zero-day threats and root kits
  - Compliance ability to create & enforce minimum security requirements for all remotely connected PCs and other devices
  - Provides Real Time Protection and Alerts
  - Stops viruses at the SMTP, HTTP, and FTP server gateway
  - Works on Mobile Devices

Malicious Code Anti Spam
  - Monitors for SPAM
  - Provides real time protection and alerts
  - Stops SPAM at the server gateway

User Policy-Authentication
  - Two-Factor Authentication
  - User Policy Management

Security Policy Compliance
  - Define and disseminate corporate security policies
  - Ensure compliance with privacy and security regulations
  - Test employee understanding of security policies
  - Audit employee acceptance of security policies
  - Visual Policy Editor Tool to develop and distribute security policy

7 Application/Web 2.0 Security

Applications - High Availability
  - Aggregation of IDS/IPS destined traffic to IDS Farm
  - Multivendor IDS Support
  - HA and transparent failover of IDS
  - Flow Management of specific traffic to specific IDS
  - IDS Bypass for traffic that does not require inspection
  - Inspection of SSL traffic
  - Application Firewall / Inspection of Web 2.0 Traffic
  - Web Applications/Content - Fine-Grained Policy Management and Enforcement Capabilities

8 Data Security

Data Protection At-Rest/In-Motion
  - Server Disk Encryption
  - Server Data/File Encryption - can be integrated at the database, application, drive, folder, or file level
  - Endpoint Disk Encryption
  - Endpoint Data/File Encryption
  - Endpoint Port Control
  - Data-in-Motion Security
  - Backup/Duplication/Disaster Recovery Site
  - Access/Authentication/Security Tokens/PKI/Key Management
  - Logging, Auditing, and Reporting
  - Policy Management

9 Messaging Security

Messaging Security
  - Provides Acceptable Use Policy
  - Monitors E-mail and Communications Activities
  - Antivirus/SPAM/Phishing/Malware Policy & Control
  - Identity Policy & Control
  - Password Policy & Control
  - Encryption policy & Control
  - Remote Access Policy & Control
  - Provides Content Management & Control
  - Provides Encryption
  - Data & Leakage Control (DLP)

10 VoIP/SIP Security

Communications Security
  - Voice, Unified Communications Firewall and Intrusion Prevention System (IPS supports and unifies TDM and VoIP security)
  - Protects Communications Resources from Telephony-based Attack, Fraud and Abuse
  - Provides Session Border Control (SBC) Functionality for Terminating SIP Trunks
  - Logs, Monitors, and Controls all Inbound/Outbound Voice Network Activity
  - Prevents Abusive or Malicious Use of Voice Resources by Internal or External Callers
  - Extends Data Leakage Protection (DLP) to Voice Lines and Communications
  - Integrates with Softphones, Wi-Fi and Dual Mode Phones, e-mail, Voice, Video, Instant Messaging and Presence
  - Provides Encryption
  - The Ability to Apply Security Policies on UC Traffic

Notes:

Westcon Group and Westcon are registered trademarks and trademarks of Westcon Group, Inc. Copyright 2011 Westcon Group, Inc. All Rights Reserved. DocRef: 071 /Sep11