RE: Security design methodology

["Dave, Manish, R. - ESIL \(MUM\)" <Manish.Dave () essar com>]

I feel it's not more than a marketing gimmick to sell UTM device. I fully agree with Terence that vendor 
recommendations are biased. I would recommend adherence to a framework custom designed for your organization's business 
type. Take feeds from 'Cobit 5 for Information Security' and SANS Top 20 controls. Map your existing controls with 
layered DID 'Defense In Depth' approach. This will help in building your strategy & prioritizing control deployment. 
All popular solutions come with external connectors so integrating might not be that big a challenge. You can also get 
connectors developed to have a central dashboard.

My comments are based on my understanding of your problem. If you were expecting something else, let me know.

Regards,




Manish Dave|Chief Information Security Officer|Essar Services India Limited|
Essar House , 11 , K .K.Marg,Mahalaxmi,Mumbai|400034|Maharashtra|India|
T +91 9930134942|+91 22 66601100 VoIP: 7 21 1357|Blackberry PIN 28018A44|
E Manish.Dave () essar com|www.essar.com|


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alex Creek
Sent: Sunday, November 04, 2012 6:24 AM
To: Terrence O'Connor
Cc: security-basics () securityfocus com
Subject: Re: Security design methodology

Would a consolidated framework be a UTM device or something larger scale?

Alex

________________________________
From: Terrence O'Connor <terrence.oconnor () gmail com>
To: Alex Creek <acreek83 () yahoo com>
Cc: "security-basics () securityfocus com" <security-basics () securityfocus com>
Sent: Saturday, November 3, 2012 7:17 PM
Subject: Re: Security design methodology

Alex,

I think the goal of a security professional is to understand those needs of the business and recommendations from the 
industry to find the right mix of interoperable systems.  There are many standards for various security needs and if 
one player in a space isn't compatible with the next they are crossed off the list.

Recommendations from vendors is biased.  Even product agnostic companies have a natural bias towards high margins.

Keeping that in mind, I am a fan of consolidated frameworks that give the biggest bang for the buck.  Even then you'll 
have a mix of providers and you need to understand capabilities and how they all work together.

Hit me up if you have specific questions .

On Nov 2, 2012, at 4:15 PM, Alex Creek <acreek83 () yahoo com> wrote:

> Finding requirements first makes sense.  I can see how that would set
> the tone for what's needed.  Say if a company has a lot of users who connect externally, then a VPN would probably be 
> the main driver.
>
> For compatibility between security systems, would it be best to just
> follow vendor recommendations?
>
>
> Alex
> ________________________________
> From: Chris Stefan <chris.stefan1844 () gmail com>
> To: Alex Creek <acreek83 () yahoo com>
> Cc: "security-basics () securityfocus com"
> <security-basics () securityfocus com>
> Sent: Friday, November 2, 2012 3:40 PM
> Subject: Re: Security design methodology
>
>
> Get the client requirements and objectives out of the way first. Then decide on hardware/software.
> On Nov 2, 2012 3:26 PM, "Alex Creek" <acreek83 () yahoo com> wrote:
>
> Lately I've been doing some research into network security.  For anyone with experience in network security 
> design/build,  is there a method for what to do first when planning?  For example, should security be planned 
> externally first then internally or vice versa? Which system is the most important?  Does everything need to work 
> with firewall xyz or does everything need to work with a monitoring system abc?
> > Alex
> >
> >
> > ---------------------------------------------------------------------
> > --- Securing Apache Web Server with thawte Digital Certificate In
> > this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
> > it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be
> > 442f727d1
> > ---------------------------------------------------------------------
> > ---
>
> ----------------------------------------------------------------------
> -- Securing Apache Web Server with thawte Digital Certificate In this
> guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it 
> benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
> install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
> highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
> 42f727d1
> ----------------------------------------------------------------------
> --

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Please don't print this e-mail unless you really need to.

Disclaimer:
The information contained in this electronic message and in any attachments to this message is confidential, legally 
privileged and intended only for the person or entity to which this electronic message is addressed. If you are not the 
intended recipient, please notify the system manager and you are hereby notified that any distribution, copying, 
review, retransmission, dissemination or other use of this electronic transmission or the information contained in it 
is strictly prohibited. Please accordingly also note that any views or opinions presented in this email are solely 
those of the author and may not represent those of the Company or bind the Company. This message has been scanned for 
viruses and dangerous content by Mail Scanner, and is believed to be clean. The Company accepts no liability for any 
damage caused by any virus transmitted by this email. www.essar.com <http://www.essar.com/> .

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------