[CUSTOMER] Energy Information Technology

Technical Architecture Planning
Network Security Project

Approvals
APPROVAL PRIOR TO INITIAL PMOC MEETING: The undersigned agree that this document represents the high-level specifications for infrastructure and operations requirements, including resources. Recommendation is granted for the project to move forward, given these specifications delivered to IT from the project team.

Approver                  Name          Signature     Date Signed
IT Infrastructure Team
Project Manager

SIGNOFF PRIOR TO PROJECT BUILD PHASE: The undersigned agree that this document represents the definition of the project and accept the responsibility for the delivery of the defined outcomes. Approval is granted for the project to move forward.

Approver                  Name          Signature     Date Signed
Business Sponsor
Technical Architect
Project Manager
IT Director

Name: James Cabe          Signature:                 Date Signed:

Last Revision: [Month, Day, Year]

Technical Architecture Planning Document - Template

Document History
The following table shows a history of document changes. Refer to the Approvals section at the front of the document to see the approving bodies for those changes.

Revision #   Revision Date   Author       Description of Changes
1            11-31-2010      James Cabe   Initial start of document
2            4-13-2011       James Cabe   Final rough

Project Header & Team Information
Project Manager:
Sponsoring Organization:
Business Sponsor:

[CUSTOMER]- Confidential


Network Security Architecture V1.0


Table of Contents
1 1.1 1.2 1.3 1.4 2 2.1 2.2 2.3 2.4 2.5 3 3.1 3.2 3.3 4 5 6 6.1 6.2 6.3 INTRODUCTION .................................................................................................................................................... 4 PROJECT OVERVIEW ............................................................................................................................................... 4 HIGH-LEVEL BUSINESS & TECHNICAL REQUIREMENTS ................................................................................................ 5 BUSINESS & TECHNICAL CONSTRAINTS/ ASSUMPTIONS ............................................................................................... 5 RELATED DOCUMENTS............................................................................................................................................. 6 RECOMMENDED SOLUTION ARCHITECTURE.................................................................................................... 7 SOLUTION OVERVIEW .............................................................................................................................................. 7 LOGICAL SOLUTION PROFILE .................................................................................................................................. 15 SEQUENCE OF I MPLEMENTATION ............................................................................................................................. 16 INFORMATION USAGE PROFILE ............................................................................................................................... 20 SOLUTION RETIREMENT ......................................................................................................................................... 20 TO-BE SOLUTION ARCHITECTURE DETAIL ..................................................................................................... 
20 INFRASTRUCTURE ................................................................................................................................................. 20 TECHNICAL OPERATIONS COMPONENTS .................................................................................................................. 22 TECHNICAL RESOURCES ........................................................................................................................................ 22 RISKS AND LIMITATIONS................................................................................................................................... 23 FUTURE CONSIDERATIONS .............................................................................................................................. 23 APPENDIX ........................................................................................................................................................... 23 PRINCIPAL OF LEAST PRIVILEGE ............................................................................................................................. 23 MCAFEE AGENT ARCHITECTURE............................................................................................................................. 24 NEW EDGE ARCHITECTURE .................................................................................................................................... 25


1 Introduction
In computer security, the term threat modeling has two distinct but related meanings. The first is a description of the security issues the designer cares about; this is the sense of the question "What is the threat model for web browsing for [CUSTOMER]?" In the second sense, a threat model is a description of a set of security aspects: when looking at a piece of software (or any computer system), one can define a threat model by defining a set of possible attacks to consider. It is often useful to define several separate threat models for one system, each focused on a narrow set of possible attacks. A threat model helps to assess the probability, potential harm and priority of attacks, and thus to minimize or eradicate the threats. More recently, threat modeling has become an integral part of Microsoft's Security Development Lifecycle (SDL). The two senses derive from common military uses in the United States and the United Kingdom.

Threat modeling is based on the notion that any system or organization has assets of value worth protecting, that these assets have certain vulnerabilities, that internal or external threats exploit these vulnerabilities in order to damage the assets, and that appropriate security countermeasures exist to mitigate the threats. It looks at a system from an adversary's perspective to anticipate attacks, and rests on the premise that an adversary cannot attack a system without a means of supplying it with data or otherwise interacting with it. Documenting the system's entry points, that is, the interfaces it has with the rest of the world, is therefore crucial for identifying possible vulnerabilities. Threat modeling uses traditional Data Flow Diagrams (DFDs) with security-specific annotations to describe how data enters, leaves and traverses the system.
One large project at Microsoft has over 1,400 completed and reviewed threat-modeling DFDs, which is why a semi-automated approach was needed to support and enhance a threat-modeling process that is still mostly manual.

The business problem is that sophisticated attacks continue to tax security and compliance operations teams. The proliferation of multiple point products complicates the detection of incidents and the search for the root cause of breaches, because the disparate tools don't share threat information. Moreover, audit preparation requires significant manual work to collect and report on compliance documentation from multiple data silos.

[CUSTOMER] has chosen two strategic directions to secure its infrastructure: first and foremost, network infrastructure best practices, including an audit of the current network infrastructure; and second, the implementation of new systems that control the network. Network Admission Control, new antivirus technologies, Internet content filtering (for browsing) and an Intrusion Prevention System will be controlled by ePolicy Orchestrator (ePO), a centralized management and logging console from McAfee. ePO extends traditional log management by collecting additional types of critical security information, including configuration, asset, performance, vulnerability and network-flow data, on a centralized platform. This ensures that all teams work off the same data set without duplication of effort, and gives a new degree of agility created by understanding the relationships among these disparate sets of data.

McAfee ePO will help [CUSTOMER] manage the strategic layers of infrastructure that have been chosen for management. End-point: workstation/server, messaging, network port access, Internet connection, content filtering.
The server will also provide reporting and data collection from those strategic layers:
- Log and event data
- Configuration data
- Asset data
- Network flow data
- Vulnerability data
- Performance metrics
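The introduction describes threat modeling as enumerating the entry points of a DFD and applying STRIDE to them. The following Python example, added here and not part of the original planning document or of any McAfee material, runs Microsoft SDL's STRIDE-per-element rule over a constructed sketch of the architecture this document proposes (McAfee Agent on endpoints, the ePO server and its SQL database, and the administrator console). The element names, trust zones, flow labels and the resulting threat list are illustrative assumptions, not a threat model the project produced.

```python
"""Added example: STRIDE-per-element threat enumeration over a small DFD.

The DFD is a constructed sketch of the ePO deployment described in the
planning document; zone names and flows are assumptions for illustration.
"""
from dataclasses import dataclass, field

# STRIDE-per-element (Microsoft SDL): which threat categories apply to each
# kind of DFD element. Stores and flows cannot be spoofed or elevate
# privilege; external entities only face spoofing and repudiation.
STRIDE_PER_ELEMENT = {
    "external": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"),
    "store": ("Tampering", "Repudiation", "Information disclosure",
              "Denial of service"),
    "flow": ("Tampering", "Information disclosure", "Denial of service"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "store"
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


@dataclass
class Dfd:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *elems):
        for e in elems:
            self.elements[e.name] = e

    def connect(self, src, dst, protocol):
        self.flows.append(Flow(src, dst, protocol))

    def crossing_flows(self):
        """Flows whose endpoints sit in different trust zones. These are the
        entry points the document says must be documented."""
        return [f for f in self.flows
                if self.elements[f.src].zone != self.elements[f.dst].zone]

    def threats(self):
        """Enumerate (target, category) pairs. Every element gets its STRIDE
        set; flows are only enumerated where they cross a trust boundary."""
        out = []
        for e in self.elements.values():
            out += [(e.name, t) for t in STRIDE_PER_ELEMENT[e.kind]]
        for f in self.crossing_flows():
            label = f"{f.src} -> {f.dst} ({f.protocol})"
            out += [(label, t) for t in STRIDE_PER_ELEMENT["flow"]]
        return out


def build_epo_dfd():
    """Constructed DFD of the proposed ePO deployment (assumed zones)."""
    d = Dfd()
    d.add(Element("Endpoint user", "external", "endpoint"),
          Element("McAfee Agent", "process", "endpoint"),
          Element("ePO server", "process", "datacenter"),
          Element("ePO database", "store", "datacenter"),
          Element("Administrator", "external", "admin"),
          Element("ePO console", "process", "datacenter"))
    d.connect("Endpoint user", "McAfee Agent", "local")          # same zone
    d.connect("McAfee Agent", "ePO server", "agent-server channel")
    d.connect("ePO server", "McAfee Agent", "policy push")
    d.connect("ePO server", "ePO database", "SQL")               # same zone
    d.connect("Administrator", "ePO console", "HTTPS")
    d.connect("ePO console", "ePO server", "internal")           # same zone
    return d


if __name__ == "__main__":
    dfd = build_epo_dfd()
    print("entry points:")
    for f in dfd.crossing_flows():
        print(f"  {f.src} -> {f.dst} ({f.protocol})")
    for target, category in dfd.threats():
        print(f"{category:<22} {target}")
```

Each (target, category) pair is a question the reviewer has to answer with a mitigation or an accepted risk; for this sketch the boundary-crossing flows are the agent-to-server channel in both directions and the administrator's console session, which is where the document's concern with entry points lands in practice.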

1.1 Project Overview
This project will foster standards. The project must take a holistic approach involving training, development and maintenance. The Network Engineering team will document the installation of every phase of the security infrastructure during implementation. After the implementation of each phase, training will be scheduled with stakeholders for the hand-off of the monitoring, feeding and care of the infrastructure.

Typical network security methodology divides the infrastructure into two separate focus areas. The first is the edge, which comprises the devices that provide entry points into enterprise or service-provider core networks; edge devices also provide connections into carrier and service-provider networks such as Internet carriers. The second is the core network, which typically refers to the high-capacity communication facilities that connect primary nodes; the definition can be expanded to include the devices directly connected to them. [CUSTOMER] Wind Energy infrastructure network security currently covers the core with best practices such as the principle of least privilege, antivirus and network segmentation. The edge is covered with firewalls and antivirus technology.

The topic of network security is dominated by consolidation: consolidation of divergent network infrastructure vendors, consolidation of edge security functionality into unified threat management, and consolidation of application patch data into regular updates. The threats include network-wide viruses, denial-of-service attacks (internal and external), spam, and white-collar data theft and resource misuse. There are regulatory pressures that could mean the end of the business and even prison time for company executives.

If that were not enough, businesses also face increased security threats from new technologies and business-culture changes: demands from the workforce or company strategy to enable remote working, managing the use of instant messaging, deploying technical resources in a secure manner, and internal attacks, which make up the majority of successful attacks on any enterprise.

The proposal is that the HWE IT staff will consolidate logging, monitoring, policy management and enforcement into one console. New technologies that cover the edge of the network and enable threat management, such as content filtering and intrusion prevention (host- and edge-based), will also address the problems that currently plague the infrastructure staff (hosted antivirus and network admission control). The new edge architecture will be deployed on mobile infrastructure as well, to extend threat management beyond the HWE infrastructure.

1.2 High-Level Business & Technical Requirements
The network security infrastructure must be easily managed through policy pushing, exception reporting, consolidated log management and centralization. This infrastructure must be fault tolerant between the Houston and Dallas (Data Center) hub sites because it will be critical infrastructure. Any portions that are not deemed critical must fail open to prevent any interruption to the business; a component that fails open should still raise an alert when it enters the bypass state, so that the loss of enforcement is visible rather than silent. The security components must bring control, management and monitoring of antivirus, content filtering, firewalling, admission control, configuration management (base-lining) and intrusion prevention to all network-connected devices. These requirements bring a level of control and security to the HWE network and capital IT investment that is not even available at most of the Fortune 500.

1.3 Business & Technical Constraints/ Assumptions
1.3.1 Business Continuity
Fault tolerance between the Houston and Dallas (Data Center) hub sites is required because network security and control is critical infrastructure. There is one exception: the Network Admission Control device is not deemed critical, and will fail open to prevent any interruption to the business. Antivirus technology will have an exception and reporting mechanism that will be heavily tested with application stakeholders and business users selected for their participation in past Information Technology projects. Web content filtering will need heavy consulting with business interests (Legal and HR staff) to make sure there is corporate compliance before putting in place any supporting technology that would change the end-user experience. Intrusion prevention technologies on the host (workstation) and edge (network appliance) will be left in monitor mode to ensure business continuity and allow field advisement. This will help infrastructure staff and IT management review logs and develop network compliance in an organic manner, and will aid in consulting with executive-level management while maintaining business interests.

In all phases of the project there will be communication with the business to ensure there is widespread knowledge of everything that is being implemented to protect the business, the end users and business-proprietary information.

1.4 Related Documents
Document Name | Description | Version | Date | Location
- doc.arch.networkSecurity.mcafee.bestPractices | | | | location
- doc.arch.networkSecurity.mcafee.epoInstall | | | | location
- doc.arch.networkSecurity.mcafee.intrushield.deploymentGuide | | | | location
- doc.arch.networkSecurity.mcafee.networkAccessControl.integrationGuide | | | | location
- doc.arch.networkSecurity.mcafee.webGateway.configGuide | | | | location
- doc.reference.microsoftSecurityIntelligenceReport | | | | location


2 Recommended Solution Architecture

2.1 Solution Overview
The infrastructure modules for the McAfee security solution require a phased ordering of specific infrastructure components. The Best Practices Guide was used as a reference for the technical planning of the environment. The infrastructure modules are implemented in the order in which they are defined. Virtual infrastructure will host the non-I/O-dependent and well-connected portions of the infrastructure. The current AD, web and storage infrastructures are ready for the installation (per the Best Practices Guide). There will be a primary ePolicy Orchestrator server in the Dallas data center and a client access point configured in the Houston office. There will be no need to cluster either server, as they will run on a clustered, SCVMM-managed Hyper-V infrastructure that itself provides load balancing and fault tolerance. The SQL servers hosting the ePO database are already a clustered set hosting other Tier 1 applications. The ePO server will be treated no differently from any other system in the current Disaster Recovery Plan (DRP).

2.1.1 E-Policy Orchestrator
The primary prerequisite is an installed and operational ePO server with the current McAfee Agent checked in to the Master Repository along with its extension. The ePO installation program automatically checks in the McAfee Agent version available at the time of its initial release, though newer ones may have become available since. ePolicy Orchestrator 4.5 ships with McAfee Agent 4.0, although McAfee Agent 4.5 is the currently available version at the time of this writing. It is recommended that the more current version of the McAfee Agent be checked in to gain additional benefits, although that will not be covered here. In addition, the installation files for VirusScan Enterprise and the AntiSpyware Enterprise module will be needed.

Prerequisites:
- ePolicy Orchestrator 4.5 - installed and operational
- McAfee Agent 4.5 - product package already checked in
- VirusScan Enterprise 8.7 product package archive
- VirusScan Enterprise 8.7 latest patch package archive
- AntiSpyware Enterprise Module product package archive

Server Infrastructure - Servers

The McAfee product suite requires:
- 2 ePolicy Orchestrator central servers designated with the MGT moniker (virtual machines) - Operating System: Windows Server 2008 R2
- 4 NetApp filer scanners, 2 for each of the NetApp storage clusters (Dell R415) - Operating System: Windows Server 2008 R2
- 2 clustered SQL servers (existing infrastructure) - Operating System: Windows Server 2008 R2; Storage: SAN (FCP); Connectivity: 4-port GbE

Server Infrastructure - Storage

Storage will be on the Hyper-V infrastructure. The storage requirement for the repository/ePO servers is 400 MB of free disk space. This is provided on a second volume of the Hyper-V virtual machines in each location (Houston/Dallas). There is no need for storage on the filer scanner appliances.

Server Infrastructure - Database

ePolicy Orchestrator requires MS SQL 2008 for the database. According to current policy, this will require an IT infrastructure instance and a service account with the necessary NTFS permissions, holding the System Administrator (sysadmin) role during installation and the Database Owner (db_owner) role after installation. Because sysadmin is needed only by the installer, it should be removed from the service account once the install completes, leaving db_owner on the ePO database as the account's only SQL privilege. The database will exist on a new instance of the Infrastructure Database cluster.

Disaster Recovery Planning: The ePO server and the client access server in Houston are installed on SCVMM-managed clusters. In the event of a network outage, the disk files are moved between sites. If there is an outage of the server, there are backups to snapshot via the NetApp SnapManager software on the VM hosts. If there is a MAN outage to the data center from Houston, there is a fail-over link over the F5 Link Controllers. If both of those circuits are cut, the VPN-based Internet connection will provide backup connectivity to the data center.

2.1.2 Content Filter - McAfee Web Gateway, McAfee SiteAdvisor Enterprise
Content filtering is commonly used by organizations such as offices and schools to prevent computer users from viewing inappropriate web sites or content, or as a pre-emptive security measure to prevent access to known malware hosts. Filtering rules will be set on the ePolicy Orchestrator server, and SiteAdvisor Enterprise will be pushed to the endpoints via McAfee Agent on individual computers or enforced at a central point on the content-filtering appliance, McAfee Web Gateway. Depending on the sophistication of the system used, different computer users can have different levels of Internet access.

The appliance protects the network against threats arising from the web, such as viruses and other malware, inappropriate content, data leaks and related issues, and supports regulatory compliance and a productive work environment. It is installed as a gateway that connects the network to the web. Following the implemented web-security rules, it filters the requests that users send to the web from within the network. Responses sent back from the web, and embedded objects sent with requests or responses, are also filtered. Malicious and inappropriate content is blocked, while useful matter is allowed to pass through.

2.1.2.1 McAfee Web Gateway Appliance

Filtering web traffic is a complex process. The main functions of the appliance contribute to it in different ways:

Filtering web objects - Anti-virus and anti-malware functions on the appliance scan and filter web traffic and block objects that are infected. Other functions filter requested URLs, using information from the global TrustedSource intelligence system, or perform media-type and HTML filtering. They are supported by functions that do not filter themselves but do such jobs as counting user requests or indicating the progress made in downloading web objects.

Filtering users - This is done by the authentication functions of the appliance, using information from internal and external databases and methods such as NTLM, LDAP, RADIUS, Kerberos and others. In addition to filtering normal users, the appliance also gives control over administrator rights and responsibilities.

Intercepting web traffic - This is a prerequisite for any filtering of web objects or users. It is achieved by the gateway functions of the appliance, using different network protocols such as HTTP, HTTPS, FTP, and the Yahoo, ICQ and Windows Live Messenger instant-messaging protocols, among others. As a gateway, the appliance can run in explicit proxy mode or in transparent bridge or router mode. Note that filtering the content of HTTPS responses, as opposed to their destination, requires the gateway to decrypt and re-encrypt the session, which changes the end-user experience and therefore falls under the Legal and HR review called for in section 1.3.1.

Monitoring the filtering process - The monitoring functions of the appliance give a continuous overview of the filtering process. They include a dashboard providing information on web usage, filtering activities and system behavior, as well as logging and tracing functions and options to forward data to ePolicy Orchestrator or to do event monitoring with an SNMP agent.

The following are the main activities needed to administer the appliance:

Perform the initial setup - The appliance can be set up on a physical hardware platform or on a virtual machine. The setup procedure includes the initial configuration of system parameters, such as host name and IP address, implementing an initial system of filtering rules, and licensing. Two wizards are available in this phase, one for the initial configuration and another for the filtering rules.

Configure the gateway functions - After the initial setup, explicit proxy mode and the HTTP protocol are preconfigured on the appliance. This can be modified, and the other network components that the appliance communicates with can also be configured.

Modify filtering rules - The filtering rules are the building blocks of the web-security policy. The system of filtering rules implemented during the initial setup can be reviewed and modified. Authentication is not implemented initially. Working on the filtering rules also includes maintaining the lists that these rules use and configuring the settings for rule actions and for the modules involved in the filtering process.

Monitor the appliance - Once the appliance is configured according to requirements, it can be monitored to see how it performs the filtering process. System functions such as CPU and memory usage can also be monitored.

2.1.2.2 McAfee SiteAdvisor Enterprise

SiteAdvisor Enterprise Plus requires the following components to be installed and running to provide managed web-browsing protection:

- ePolicy Orchestrator server and repository - The management tool that installs software, deploys policies, monitors activity, creates reports, and stores and distributes content and software updates.

- Agent (ePO agent or McAfee Agent) - The agent installed on a managed computer that acts as the intermediary between the client system and the ePO server and database. It sends data between the client and the ePO server.
- SiteAdvisor Enterprise Plus management component (SiteAdvisor Enterprise Plus extension for ePolicy Orchestrator) - Provides the interface to policy management in the ePO console.
- SiteAdvisor Enterprise browser plug-in on the client - Provides browsing protection for the client system on which it is installed.

If Web Filtering for Endpoint was purchased, these additional components are included:

- Web Filtering for Endpoint management component (Web Filtering for Endpoint extension for ePolicy Orchestrator) - Provides web content filtering management on the SiteAdvisor Enterprise Plus policy pages in the ePO console.
- Web Reporter application - Provides more detailed reports based on site content category and rating.
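Section 2.1.2 describes a gateway that filters requests by URL reputation and category, with different access levels per user group, and then filters the responses (anti-malware scan and media type). The following Python example, added here and not code from McAfee Web Gateway or from the original document, implements that pipeline on constructed data: the reputation scores, category labels, group policies, sample requests and the anti-malware verdict passed into `filter_response` are all assumptions standing in for what the appliance takes from TrustedSource, its URL lists and its scanning engines.

```python
"""Added example: a minimal web-filtering pipeline in the style of the
gateway described in section 2.1.2. All feeds and policies are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed reputation feed (lower is worse), standing in for TrustedSource.
REPUTATION = {"malware.example": -80, "news.example": 60,
              "social.example": 30, "tools.example": 50}
# Constructed category list, standing in for the appliance's URL categories.
CATEGORY = {"news.example": "news", "social.example": "social",
            "malware.example": "malicious", "tools.example": "software"}

# Per-group policy: categories each user group may not visit (assumed groups).
GROUP_BLOCKED_CATEGORIES = {
    "engineering": {"malicious"},
    "staff": {"malicious", "social"},
}
MIN_REPUTATION = -50                                  # below this: known malware host
BLOCKED_MEDIA_TYPES = {"application/x-msdownload"}    # executable downloads


@dataclass
class Decision:
    verdict: str   # "allow" | "block"
    reason: str


def filter_request(url, group):
    """Request-side filtering: reputation first, then category per group."""
    host = urlsplit(url).hostname or ""
    rep = REPUTATION.get(host, 0)            # unknown hosts get a neutral score
    if rep < MIN_REPUTATION:
        return Decision("block", f"reputation {rep} below {MIN_REPUTATION}")
    cat = CATEGORY.get(host, "uncategorized")
    # Unknown groups fall back to blocking only malicious sites.
    if cat in GROUP_BLOCKED_CATEGORIES.get(group, {"malicious"}):
        return Decision("block", f"category {cat} not allowed for {group}")
    return Decision("allow", f"category {cat}, reputation {rep}")


def filter_response(content_type, av_verdict):
    """Response-side filtering: anti-malware scan result, then media type.
    av_verdict is a constructed stand-in for the scanning engine's result."""
    if av_verdict == "infected":
        return Decision("block", "anti-malware scan found infected object")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type in BLOCKED_MEDIA_TYPES:
        return Decision("block", f"media type {media_type} blocked")
    return Decision("allow", f"media type {media_type}")


def process(url, group, content_type="text/html", av_verdict="clean"):
    """Full pipeline: the response is only fetched and filtered if the
    request was allowed."""
    decision = filter_request(url, group)
    if decision.verdict == "block":
        return decision
    return filter_response(content_type, av_verdict)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        ("http://malware.example/x", "engineering", "text/html", "clean"),
        ("http://social.example/", "staff", "text/html", "clean"),
        ("http://social.example/", "engineering", "text/html", "clean"),
        ("http://tools.example/setup.exe", "engineering",
         "application/x-msdownload", "clean"),
        ("http://news.example/", "staff", "text/html", "infected"),
    ]
    for url, group, ctype, av in samples:
        d = process(url, group, ctype, av)
        print(f"{d.verdict:<5} {group:<12} {url:<32} {d.reason}")
```

The order of the checks is the point: reputation is evaluated before category so a known malware host is blocked even for a permissive group, and the response is only scanned when the request itself was allowed, which is the same request/response split the appliance description draws.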

2.1.3 Intrusion Prevention System - IntruShield Appliance, McAfee Host Intrusion Prevention System (HIPS)
Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about it, attempt to block or stop it, and report it. Intrusion prevention systems go beyond intrusion detection systems because, placed in-line, they are able to actively prevent or block the intrusions they detect. An IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking traffic from the offending IP address. These systems can also correct cyclic redundancy check (CRC) errors, reorder fragmented packet streams, prevent TCP sequencing issues, and clean up unwanted transport- and network-layer options.

McAfee IntruShield IPS is a combination of network appliances and software that detects and prevents intrusions, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and network misuse, combining real-time intrusion detection and prevention. IntruShield is a multi-tiered solution with a web management console and adjoining "sensors" for the portions of the network that are to be protected. The management solution, the IntruShield Security Manager (ISM), will be located on the ePO management server on a different IP address from the ePO itself. It will be installed at both the data center and Houston sites. Policies, signatures and management of the IPS sensors will be done from either of these consoles.
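The paragraph above lists what an in-line sensor can do with a detection (alert, drop, reset, block the source), and section 1.3.1 requires the sensors to start in monitor mode. The following Python example is added here to show how those two things fit together; it is not IntruShield code and not part of the original document. The signatures, their IDs, the rate-based denial-of-service threshold and the sample packets are all constructed for the example.

```python
"""Added example: decision logic of an in-line IPS sensor on simplified
packets, with the "monitor mode" called for in section 1.3.1.
Signatures, IDs, thresholds and traffic are constructed, not McAfee's.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: str
    dport: int        # destination port the signature applies to (0 = any)
    pattern: bytes    # byte sequence that must appear in the payload
    action: str       # "drop" | "reset" | "block_ip"


# Constructed signatures; the IDs are not real IntruShield signature IDs.
SIGNATURES = [
    Signature("EX-1001", 80, b"../../", "drop"),          # path traversal
    Signature("EX-1002", 0, b"evilbot-c2", "block_ip"),   # C2 beacon, any port
    Signature("EX-1003", 25, b"VRFY ", "reset"),          # SMTP user probing
]


class Sensor:
    def __init__(self, mode="monitor", dos_threshold=5):
        if mode not in ("monitor", "inline"):
            raise ValueError(mode)
        self.mode = mode
        self.dos_threshold = dos_threshold   # packets per (src, port) before DoS
        self.blocked_ips = set()
        self.alerts = []                     # (sid, src, dst, action)
        self._per_src = Counter()

    def _match(self, pkt):
        for sig in SIGNATURES:
            if sig.dport in (0, pkt.dport) and sig.pattern in pkt.payload:
                return sig
        return None

    def inspect(self, pkt):
        """Return the verdict for one packet: "forward", "drop" or "reset"."""
        # In-line only: a source already blocked is dropped without inspection.
        if self.mode == "inline" and pkt.src in self.blocked_ips:
            return "drop"
        self._per_src[(pkt.src, pkt.dport)] += 1
        sig = self._match(pkt)
        if sig is None and self._per_src[(pkt.src, pkt.dport)] > self.dos_threshold:
            # Rate-based detection standing in for the DoS features described.
            sig = Signature("EX-DOS", pkt.dport, b"", "block_ip")
        if sig is None:
            return "forward"
        self.alerts.append((sig.sid, pkt.src, pkt.dst, sig.action))
        if self.mode == "monitor":
            return "forward"          # alert only; traffic is never interrupted
        if sig.action == "block_ip":
            self.blocked_ips.add(pkt.src)
            return "drop"
        return sig.action             # "drop" or "reset"


def simulate(mode):
    """Run constructed sample traffic through a sensor in the given mode."""
    sensor = Sensor(mode, dos_threshold=3)
    packets = [
        Packet("10.0.0.5", "10.1.0.2", 80, b"GET /../../etc/passwd"),
        Packet("10.0.0.6", "10.1.0.2", 80, b"GET /index.html"),
    ]
    packets += [Packet("10.0.0.7", "10.1.0.2", 443, b"x")] * 5   # bursty source
    packets += [
        Packet("10.0.0.8", "10.1.0.3", 6667, b"evilbot-c2 hello"),
        Packet("10.0.0.8", "10.1.0.3", 6667, b"benign"),          # after block
        Packet("10.0.0.9", "10.1.0.4", 25, b"VRFY root"),
    ]
    verdicts = [sensor.inspect(p) for p in packets]
    return {"verdicts": verdicts, "alerts": sensor.alerts,
            "blocked_ips": sensor.blocked_ips}


if __name__ == "__main__":
    for mode in ("monitor", "inline"):
        result = simulate(mode)
        print(mode, result["verdicts"])
        for alert in result["alerts"]:
            print("  alert", alert)
```

Running the same traffic in both modes shows what the monitor-mode period in section 1.3.1 buys and costs: the alert log is the same or richer (a blocked source keeps generating alerts because nothing stops it), but every packet is forwarded, so the log review the document plans is also the only way to find out which signatures would have dropped legitimate traffic once the sensors go in-line.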

The major components of IntruShield IPS are:
- IntruShield Security Manager (ISM) server
- IntruShield sensors
- McAfee Update Server

The ISM server communicates with the McAfee Update Server for signature-set updates and software downloads. Intrusion sensors will be located at the Internet choke points for Houston and the Dallas Data Center. There will also be outside and inside management of the network segments at the firewalls. There are several considerations with the placement of the sensors. Deployment of an IntruShield IPS requires specific knowledge of the network's security needs. Answering the following questions will determine which sensor model best suits the environment and in what operating mode each sensor port will need to be employed:
- What is the size of the network?
- How many access points are there between the HWE network and the extranets or Internet?
- Where is the critical infrastructure that requires protection within the network?
- Where are the security operations located?

2.1.3.1 Network Size

The HWE network is fairly large for the head count associated with the company. The wind farms are geographically diverse. If there is more than one wind farm within a short geographic area (typically 3-4 hours of driving), they usually share an Operations and Maintenance (O&M) facility. There are 13 O&M facilities on the network. These O&M facilities in turn require Regional Offices (RO), which house the middle management and executives making strategic-level logistics decisions. There are 7 ROs in the infrastructure. The last type of office on the network is the temporary Construction Office (CO). There are 33 edge-type sites in the network. The company is growing and will have 4 new sites in the new year. The sites connect to two hubs that are well connected and act as DR sites for each other.

2.1.3.2 Access Points (choke points)

Each of these office types has its own Internet connection.
Traffic to the Internet is currently allowed through the firewall that is local to the site. During the Network Security project, the traffic will change to route through the IPS located centrally at the hub sites.

2.1.3.3 Critical Infrastructure (applications)

The majority of critical infrastructure is located in the hub sites referred to as 'the core'. The core does not have a Demilitarized Zone (DMZ). One of the main features of this project is the creation of a DMZ between the server infrastructure and the rest of the hub and edge networks. The DMZ will not be a Network Address Translated (NATed) DMZ, but will be a function of the IPS sensors. This will keep the work to a minimum for the movement of infrastructure resources. Note that a DMZ enforced by the IPS sensors only separates traffic while the sensors are in-line and in blocking mode; while the sensors run in monitor mode, as section 1.3.1 calls for initially, the DMZ boundary is observed but not enforced.

2.1.3.4 Proposed Two-Layer HIPS/IPS Flow

2.1.3.5 Operations Considerations

Ingress and egress on the network will be through the Internet connections located in Houston and in Dallas. These hub sites are the most connected and house the majority of the applications and critical infrastructure. The management and policy servers will be housed at these sites in the data center. The console will be located on virtual servers that create a clustered effect, to prevent a hardware outage from affecting the management of the security infrastructure. More detail about the deployment of sensors (in multiport, in-line, transparent mode) can be found in the IPS Deployment Guide.

2.1.4 Network Admission Control - McAfee NAC Appliance, McAfee Network Access Control
McAfee Network Access Control is security software that protects corporate networks by controlling access for systems that do not comply with IT security policies. The software integrates with McAfee ePolicy Orchestrator, and provides policy creation, device detection and mapping, compliance assessment, network access control, and remediation capabilities for the systems on the network. The components of McAfee NAC are:
- McAfee NAC server (ePO)
- McAfee NAC sensor (appliance)
- McAfee NAC scanner (client/ePO/appliance)
- McAfee NAC remediation portal (phase II of the project implementation)

McAfee NAC detects and assesses systems attempting to enter the network and can enforce policy compliance on them before allowing them onto the network. However, network security is not complete with only pre-admission control; comprehensive and continuous network security requires effective post-admission control, which IntruShield will provide. IntruShield can alert in real time about post-admission threats and exploit attempts, such as a system generating malicious traffic. McAfee NAC and IntruShield collaboratively handle the offending system: IntruShield can quarantine a rogue system and redirect all HTTP traffic from it to the remediation portal until remediation is complete.
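The passage above describes three behaviours: a pre-admission posture check, a post-admission move to quarantine when the IPS reports a host, and HTTP redirection to the remediation portal while a host is quarantined; section 1.3.1 adds that the NAC device fails open. The following Python example is added to show those decisions together; it is not McAfee NAC or IntruShield code and not part of the original document. The posture attributes, policy thresholds, remediation portal address and sample hosts are constructed assumptions.

```python
"""Added example: NAC admission decisions as described in section 2.1.4,
with the fail-open behaviour from section 1.3.1. All inputs are constructed.
"""
from dataclasses import dataclass, field

REMEDIATION_PORTAL = "http://remediation.example.internal/"   # assumed address


@dataclass
class Posture:
    host: str
    agent_present: bool
    av_running: bool
    dat_age_days: int
    missing_critical_patches: int


@dataclass
class Policy:
    max_dat_age_days: int = 7
    max_missing_patches: int = 0


def assess(p, policy):
    """Pre-admission check. Returns ("healthy" | "unhealthy", reasons)."""
    reasons = []
    if not p.agent_present:
        reasons.append("McAfee Agent not installed")
    if not p.av_running:
        reasons.append("antivirus not running")
    if p.dat_age_days > policy.max_dat_age_days:
        reasons.append(f"DAT {p.dat_age_days} days old")
    if p.missing_critical_patches > policy.max_missing_patches:
        reasons.append(f"{p.missing_critical_patches} critical patches missing")
    return ("healthy" if not reasons else "unhealthy"), reasons


@dataclass
class Nac:
    policy: Policy = field(default_factory=Policy)
    server_reachable: bool = True
    state: dict = field(default_factory=dict)   # host -> "admitted" | "quarantined"
    audit: list = field(default_factory=list)   # (host, new state, reason)

    def admit(self, p):
        """Pre-admission decision. Returns (state, redirect target or None)."""
        if not self.server_reachable:
            # Fail open (section 1.3.1): NAC is not critical infrastructure, so
            # an unreachable server must not keep users off the network. The
            # bypass is still recorded so the loss of enforcement is visible.
            self.state[p.host] = "admitted"
            self.audit.append((p.host, "admitted", "NAC server unreachable: fail open"))
            return "admitted", None
        verdict, reasons = assess(p, self.policy)
        if verdict == "healthy":
            self.state[p.host] = "admitted"
            self.audit.append((p.host, "admitted", "posture ok"))
            return "admitted", None
        self.state[p.host] = "quarantined"
        self.audit.append((p.host, "quarantined", "; ".join(reasons)))
        return "quarantined", REMEDIATION_PORTAL

    def on_ips_alert(self, host, signature):
        """Post-admission control: an IPS alert about an admitted host moves
        it to quarantine. Returns the host's resulting state."""
        if self.state.get(host) == "admitted":
            self.state[host] = "quarantined"
            self.audit.append((host, "quarantined", f"post-admission: {signature}"))
        return self.state.get(host)

    def redirect_for(self, host, url):
        """Where an HTTP request from this host is sent."""
        return REMEDIATION_PORTAL if self.state.get(host) == "quarantined" else url

    def remediated(self, p):
        """Re-assess after remediation; quarantine lifts only if posture is healthy."""
        return self.admit(p)


if __name__ == "__main__":
    nac = Nac()
    nac.admit(Posture("ws-01", True, True, 1, 0))
    nac.admit(Posture("ws-02", True, False, 20, 2))
    nac.on_ips_alert("ws-01", "EX-1002")          # constructed signature ID
    for entry in nac.audit:
        print(entry)
    print(nac.redirect_for("ws-01", "http://intranet/"))
```

Two details matter for the design the document describes: quarantine is lifted only by a fresh posture assessment, never by the passage of time, and a fail-open admission is logged with its reason, so an outage of the NAC server shows up in the audit trail as a period of unverified admissions rather than as a gap.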

2.1.4.1 HWE Layout

The HWE network consists of two hub/aggregation points. The Core1 switches connect the two sites with a 500 Mbps Metropolitan Area Network, connect the remote sites via the MPLS cloud, and connect the Internet connections for both hub sites. The two Core2 switches aggregate client connections on the LAN, remote-access VPN, and L2L VPN for remote-site backup circuits. The logical choke point in the network for the IPS sensor is the connection at the Core1 switch in the Houston site, thus protecting the largest number of end users and vital internal networks. The ePO server will reside in the Data Center on virtual infrastructure, with matching infrastructure in Houston in case there is a need for backup (the server will be snapped to Houston daily).

Figure 1 - NAC logical diagram

2.1.4.2 Components and Concerns
McAfee NAC Server IP Address: You need to specify the IP address of your McAfee NAC server so that an IntruShield sensor can communicate with it. Important: You can integrate IntruShield with the McAfee NAC-ePO integrated server or with a standalone McAfee NAC server. However, if you are to use your Windows logon credentials for logging on to the ePO server, you can only integrate IntruShield with the McAfee NAC-ePO integrated server.

McAfee NAC Server Anonymous Port: This is the console-to-server communication port number. The IntruShield sensor uses this port number for its initial communication with the McAfee NAC server. The minimum port number that can be used is 1 and the maximum is 65535. The default port number is 8443.

McAfee NAC Server SSL Port: This is the network port number that an IntruShield sensor should use for its trusted communication with the McAfee NAC server. The default port number is 8444. This is the same port that McAfee NAC sensors and scanners use to communicate with the McAfee NAC server. Contact your McAfee NAC server administrator for more information.

McAfee NAC Server Root Certificate: This is the self-signed certificate that comes as part of your McAfee NAC installation. Store this certificate file at a location from which you can access it, so that you can import it into ISM and subsequently push it to the IntruShield sensor when you set up communication between the sensor and the ISM. This certificate enables the IntruShield sensor to authenticate the McAfee NAC server. Note: You can find this certificate in the ePO install directory. By default it is stored at \db\certificates.

ePO User Credentials: You need the administrator user name and password of the ePO server that is communicating with McAfee NAC. You pass these to the IntruShield sensor through the ISM. The sensor then uses these credentials to establish trust with McAfee NAC.

2.1.5 Network Infrastructure
The current topology of the [CUSTOMER] Wind Energy (henceforth HWE) core network is a tiered\open design between server infrastructure and workstations in all locations. This describes a network layout where all machines, including servers, can communicate with each other. While the switching infrastructure is segmented, there is no network choke point or control between those networks. Business-based rulesets, granting access only where there is a need, will be created and documented on the ePO server and in Cisco Security Manager for implementation on the Cisco ASA firewalls, the McAfee NAC (Network Admission Control) appliance, the McAfee Content Filter, and the McAfee IPS (Intrusion Prevention System). The infrastructure group will use a combination of Cisco and McAfee tools to segregate and secure traffic to a higher degree. This will increase the security and performance of the network, as well as providing two different management domains for business information flow.

Figure 2 - [CUSTOMER] Current Network

Figure 3 - After implementation

2.2 Logical Solution Profile

Figure 4 - Logical Core

Figure 5 - Logical Edge

2.3 Sequence of Implementation
2.3.1 Phase One - ePO Server stand up, McAfee Agent\Antivirus Deployment
• Provision virtual machines in the Houston and Data Center locations (prerequisites)
• Build databases and delegate permissions based on prerequisites
• Plan your ePolicy Orchestrator System Tree and updating scheme.
• Create the ePolicy Orchestrator System Tree.
• Distribute the McAfee Agent to the systems you want to manage with ePolicy Orchestrator.
• Create the updating repositories.
• Check in to the repositories the products ePolicy Orchestrator is to manage, then configure their policy settings.
• Deploy products to the managed computers.
• Configure the advanced features of ePolicy Orchestrator.

These are the files that you must check in to the master repository after you install or upgrade the software. For more information, see the ePolicy Orchestrator 4.5 Product Guide.
• Custom packages - Only managed product packages that were created with McAfee Installation Designer 8.7 or later can be checked in to the master repository.
• Product extensions - If the extension for a managed product was not added to the repository during the installation, you must manually add it as a zip file.
• Product plug-in files - Any product plug-in (.dll) files that were not checked in as part of the installation must be checked in to the master repository manually as zip files.
• Products - Check the software you intend to deploy in to the repository. If you are installing ePolicy Orchestrator for the first time, you must check in all products that you want to deploy via ePolicy Orchestrator. If you are upgrading ePolicy Orchestrator, any supported products that were not already present must be checked in to the master repository manually as zip files.
• Product updates - You must check in all product updates that you want to deploy via ePolicy Orchestrator.

Scan exception lists will be created for directories. The product installation guide for the antivirus client has a list of often-used application and infrastructure files and directories. The client package created with McAfee Installation Designer will be pushed out to clients in a phased approach after warning the offices. This will require a reboot.
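The check-in list above has extensions, plug-in files and product updates going into the master repository as zip files that are later unpacked on the ePO server. As an added example (not from this document or from McAfee's tooling), the Python script below runs a pre-check over a staging directory before anything is checked in: each file must be a readable, non-empty zip whose member paths cannot escape the extraction directory, and its SHA-256 is recorded for the change-control entry. All file names and archive contents are constructed for illustration.

```python
"""Pre-check for packages staged for check-in to the ePO master repository.

Added example, not part of the original document or of McAfee's tooling.
Every file name and archive content below is constructed for illustration.
"""
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass, field


@dataclass
class PackageReport:
    name: str
    ok: bool
    kind: str                      # "plug-in", "package" or "invalid"
    sha256: str = ""               # recorded for the change-control entry
    problems: list = field(default_factory=list)


def _unsafe_member(member):
    """True for archive entries that would land outside the extraction directory."""
    parts = member.replace("\\", "/").split("/")
    return member.startswith(("/", "\\")) or ".." in parts


def inspect_package(path):
    """Check one staged file: hash it, confirm it is a sound zip, flag bad entries."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if not zipfile.is_zipfile(path):
        return PackageReport(name, False, "invalid", digest, ["not a zip archive"])
    problems = []
    with zipfile.ZipFile(path) as zf:
        members = zf.namelist()
        if not members:
            problems.append("archive is empty")
        if zf.testzip() is not None:
            problems.append("corrupt member in archive")
        problems += ["unsafe path: " + m for m in members if _unsafe_member(m)]
    # Plug-in files are checked in as zips of .dll files (see the list above).
    kind = "plug-in" if any(m.lower().endswith(".dll") for m in members) else "package"
    return PackageReport(name, not problems, kind, digest, problems)


def inspect_directory(directory):
    """Report on every file in the staging directory, in stable name order."""
    return [inspect_package(os.path.join(directory, f)) for f in sorted(os.listdir(directory))]


def build_sample_packages(directory):
    """Write constructed samples (not real McAfee packages) into the directory."""
    with zipfile.ZipFile(os.path.join(directory, "custom_pkg.zip"), "w") as zf:
        zf.writestr("package/contents.txt", b"constructed package payload")
    with zipfile.ZipFile(os.path.join(directory, "plugin_files.zip"), "w") as zf:
        zf.writestr("plugin/ProductPlugin.dll", b"constructed plug-in bytes")
    with zipfile.ZipFile(os.path.join(directory, "tampered.zip"), "w") as zf:
        zf.writestr("../../Server/extensions/evil.dll", b"constructed")  # escapes
    with open(os.path.join(directory, "notes.zip"), "wb") as fh:
        fh.write(b"plain text with a .zip name, not an archive")


def run_sample_check():
    """Build the samples in a scratch directory and return the reports by file name."""
    with tempfile.TemporaryDirectory() as staging:
        build_sample_packages(staging)
        return {r.name: r for r in inspect_directory(staging)}


if __name__ == "__main__":
    for r in run_sample_check().values():
        flag = "OK " if r.ok else "BAD"
        print(f"{flag} {r.name:18} {r.kind:8} {r.sha256[:12]} {'; '.join(r.problems)}")
```

Point `inspect_directory` at the real staging folder to run the same checks on actual packages; anything reported BAD should be rejected before the manual check-in step.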

2.3.2 Phase 2 - Content Filtering - Gateway Appliance, Site Advisor Enterprise
Platform
You can run the appliance on different platforms (suggested configuration: hardware appliance):
• Hardware-based appliance - On a physical hardware platform.
• Virtual appliance - On a virtual machine.

Network integration
The appliance can intercept, filter, and transmit web traffic in different modes (suggested configuration: Transparent Bridge):
• Explicit proxy mode - The clients that the appliance communicates with are aware of it. You must configure them "explicitly" to direct their traffic to the appliance.
• Transparent bridge - The appliance acts as an "invisible" bridge between its clients and the web. You need not configure the clients for this.
• Transparent router - The appliance routes traffic according to a routing table, which you need to fill out.

The first gateway will be set up in Central Management mode. Infrastructure staff will set up the appliance as a node in a complex configuration and administer other nodes from its user interface, including the distribution of updates. The appliance can then also be administered from other nodes and receive updates from them.

2.3.3 Phase 3 - Intrusion Prevention System - McAfee IntruShield, Host Intrusion Prevention System (HIPS)
2.3.3.1
• Setting up the sensors for the desired deployment mode(s)
• Installing the ISM software and establishing sensor-to-ISM communication
• Configuring your deployment using the ISM
• Updating your signatures and software
• Viewing and working with data generated by IntruShield

2.3.3.2 Tuning the deployment
• Invoking the Sensor Installation Wizard
• Selecting the Signature Set Update Method:
  - Importing the signature set from a local directory
  - Downloading the signature set from the McAfee Update Server
  - Skipping the above options and continuing with the default signature set received with the ISM installation
• Adding a Sensor to ISM
• Configuring the sensor using the CLI
• Assigning and editing port configuration on the sensor
• Applying policies to the interfaces on the sensor
• Pushing configuration information from ISM to the sensor
• Viewing the Sensor Installation Summary page
More detailed information on specific tasks for each step is in the IntruShield Deployment Guide.

2.3.3.3 Client-based HIPS

2.3.4 Phase 4 - Network Admission Control
The McAfee Network Access Control software installs the McAfee NAC server onto an existing ePolicy Orchestrator 4.0 server. During installation:
• The McAfee NAC client installation files are added to the ePO master repository.
• A default NAC client policy and network access policy are added to the master repository and listed in the Policy Catalog.
• McAfee NAC queries are added to the master repository.
• The Benchmark Editor is installed (if it has not been previously installed).
• The Check Builder and check content are added.
• A McAfee NAC Scan Task is created for all NAC clients on managed systems; by default it runs a scan daily at 12 A.M.

2.3.4.1 McAfee NAC server
The hardware requirements for the McAfee NAC server are the same as for the ePolicy Orchestrator server. When adding McAfee NAC, we suggest using the recommended hardware configuration rather than the minimum configuration. For details, see the ePolicy Orchestrator documentation.

The software requirements are:
• ePolicy Orchestrator 4.0 with patch 2 installed.
• Rogue System Detection 2.0 or later.

McAfee NAC client
Systems on which you install the NAC client must meet these requirements.

Option | Definition
Memory | 512MB or higher RAM
Operating System | Windows Server 2003 Enterprise, Service Pack 1 or later
ePO products | McAfee Agent 3.6 patch 2 or later

2.3.4.2 Tasks
• Download the product zip file from the McAfee product download site, and store it on your ePolicy Orchestrator server.
• Unzip the archive, then double-click the Setup program.
• In the Setup Requirements window, check that each section displays the message "All required applications were found." If the required applications were not found, they are listed, and you must exit and install these applications.
• Accept the license agreement.
• Type your ePolicy Orchestrator global administrator username and password.
• Accept the default port (8444) for Network Security Sensor communications with the NAC client unless you changed this port when configuring McAfee® Network Security Platform. This port cannot be changed unless you re-install the software.
• Accept the default location to install the software, or select a different location on the ePolicy Orchestrator server.
• Verify that all information is correct, then start the installation.

Use this task to install the McAfee Network Access Control remediation portal on the ePolicy Orchestrator server. You must install the portal to the default installation path specified in the installer: C:\Program Files\McAfee\ePolicy Orchestrator\Server\extensions\installed\NAC.0.<build_number>\webapp\portal. When installed on the ePO server, the URL to the guest client portal is: https://localhost:8443/nac/portal/default.htm

Before you begin
The requirements for this task are:
• You must be running ePolicy Orchestrator 4.0.
• You must install McAfee Network Access Control 3.0 first.

Task
• If necessary, unzip the archive, then double-click the Setup program.
• Accept the default installation path.
• Click Install when you reach the final installer screen.

More information on each of the individual tasks can be found in the NAC Configuration Guide.

2.4 Information Usage Profile
The ePolicy Orchestrator (ePO) server will control and monitor most of the solution. This includes all Endpoint Security, which is the host-based (workstation\server) portion of the solution that is handled by the McAfee Agent. The McAfee Agent is the actual client that loads and controls all software from the ePO server. The one exception is the Network Security Manager for the Intrusion Prevention System (IPS) and the Network Admission Control device (NAC). These two are heavily integrated, and together they provide remediation abilities. However, these abilities will be provided in the final phase of the project.

2.5 Solution Retirement
This is a highly integrated system. The solution has a half-life of 2-3 years before needing further maintenance and upgrade.

3 To-Be Solution Architecture Detail
3.1 Infrastructure
3.1.1 Proposed Hardware
3.1.1.1 Development
4 VMware servers (located in Houston)
3.1.1.2 Test
4 VMware servers (located in Houston)
3.1.1.3 Production
4 VMware servers (2 in Houston, 2 in the DC)
4 Dell R410 hardware servers (2 in Houston, 2 in the DC)

3.1.2 Proposed Software
3.1.2.1 Development
• ePO 4.5 Patch 3
• Network Security Manager 5.1.x (6.0.x if it makes it into general distribution)
• End Point Security - Antispyware 8.7, NAC 3.2.x, Site Advisor Enterprise 3.0.x, VirusScan 8.8, HIPS 8.0
• Messaging - Groupshield 7.0.1 for Exchange 2007, Quarantine Manager 7.0

3.1.2.2 Test
• ePO 4.5 Patch 3
• Network Security Manager 5.1.x (6.0.x if it makes it into general distribution)
• End Point Security - Antispyware 8.7, NAC 3.2.x, Site Advisor Enterprise 3.0.x, VirusScan 8.8, HIPS 8.0
• Messaging - Groupshield 7.0.1 for Exchange 2007, Quarantine Manager 7.0
• Web Reporter Premium 5.11
• Web Gateway (appliance)
• Network Security Platform (appliance - formerly IntruShield and NAC)

3.1.2.3 Production
• ePO 4.5 Patch 3
• Network Security Manager 5.1.x (6.0.x if it makes it into general distribution)
• End Point Security - Antispyware 8.7, NAC 3.2.x, Site Advisor Enterprise 3.0.x, VirusScan 8.8, HIPS 8.0
• Messaging - Groupshield 7.0.1 for Exchange 2007, Quarantine Manager 7.0
• Web Reporter Premium 5.11
• Web Gateway (appliance)
• Network Security Platform (appliance - formerly IntruShield and NAC)

3.1.3 Proposed Network Requirements
3.1.3.1 Development
Secure testing for products not on the domain. This includes all software installations on the proposed operating systems, with resources that have been allocated for the servers and workstations. The proposed testing will cover three security areas that have been deemed high-risk:
• Endpoint protection - Host-based Intrusion Prevention, Antivirus, Antispyware, Web Filtering
• Internal Network Security - Intrusion Prevention, Network Admission Control
• Messaging - email antivirus and site admission control (HTTP control in email)
• Management - logging, policy control, remediation

3.1.3.2 Test
Software installations on the proposed production servers and network equipment, with resources that have been allocated for the servers and workstations. The testing will cover four security areas that have been deemed high-risk:
• Endpoint protection - Host-based Intrusion Prevention, Antivirus, Antispyware, Web Filtering
• Internal Network Security - Intrusion Prevention, Network Admission Control
• Web-filtering - control of corporate policy and policing for HTTP access
• Messaging - email antivirus and site admission control (HTTP control in email)
• Management - logging, policy control, remediation
The test phase will include all new network equipment such as the Web Gateways, Intrusion Prevention system, CIFS Filer Scanners, and Network Access Appliance. These will be racked and plugged into the network in the appropriate locations, but will not be put into production until testing with some initial focus groups (ROCC, SCADA, Finance) has been completed.

3.1.3.3 Production
The test systems will be put into production in a phased rollout:
1. Management - logging, policy control, remediation
2. Endpoint protection - Host-based Intrusion Prevention, Antivirus, Antispyware, Web Filtering
3. Messaging - email antivirus and site admission control (HTTP control in email)
4. Web-filtering - control of corporate policy and policing for HTTP access
5. Internal Network Security - Intrusion Prevention, Network Admission Control

3.2 Technical Operations Components
3.2.1 Operational Requirements (or attach SLA)
• What time of day is the service operational?
• What are the service's requirements with respect to availability? Performance? Reliability? Security?
• What are the reporting requirements of the service, and to whom are reports directed?
• Are there any other expectations or requirements for the service that influence how the IT service must be operated?

3.2.2 Operational Work Requirements
• What repetitive tasks/activities are required to perform maintenance on the service (for example, defragmentation of databases)?
• What administrative tasks/activities need to be performed (for example, account administration)?
• How is the service backed up?
• How is the service restored?
• In the event of a disaster, what tasks and activities are required to recover the service?
• What tasks/activities are required to maintain the security of the service?
• What should be monitored to ensure the service is healthy?
• How will the service be monitored for performance? Capacity? Availability?
• What kinds of reports are necessary to confirm that service levels are being met, and to whom should they be directed?
• What operational tasks/activities are recommended by the vendor of the service?
• Does the service require any specific operational tools?

3.2.3 Required Changes for Service Desk/Incident Management

3.3 Technical Resources
3.3.1 Developer Skill Set
Internal Infrastructure resources and outside architecture consulting will be used.

3.3.2 Development Software Required
Microsoft Hyper-V, Microsoft SCCM

3.3.3 Infrastructure Team Resources Required
Eric Hons, Don Leichhardt, James Cabe, Jason Clogston

3.3.4 Operations Team Resources Required
Jaron Cook, Evan Stein, Brad Stocki

3.3.5 Operational Build Requirements
• What technologies make up the service? Hyper-V, Microsoft Server, Cisco Network Equipment, McAfee Network Security Platform
• Who in the organization is knowledgeable about these technologies? Infrastructure Staff
• Who understands the architecture and design of the service being released? Infrastructure Staff
• Who is responsible for operating the technologies that make up the service? Infrastructure Staff and Desktop Support Staff

• How can vendor information contribute to the development of the work instructions? Vendors will be consulted at all phases of the project and deployment.
• Is existing operations documentation available? No, it is being written at every phase of the deployment.

4 Risks and Limitations
Risk Description | Probability | Impact | Mitigation
In-line connection of security devices | 100% | Outage | Scheduled Change Control
Antivirus testing - application performance | 50% | Performance degradation | Extensive application testing
Network Port density | 5% | Inability to deploy | Audit network port usage

5 Future Considerations
Development resources will need to be put on different signature update schedules. This provides a testing ground for these updates to prevent outages. The same considerations that are made for the patching process are also applicable to the signature update process.

6 Appendix
6.1 Principle of Least Privilege
In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary for its legitimate purpose. In other words, this means giving a user only those powers which are absolutely essential to do his/her work. For example, a backup user need not install software. Hence the backup user has rights only to run backup and backup related applications. Any other powers (privileges) like installing software etc. are blocked. When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.

6.2 McAfee Agent Architecture

6.3 New Edge Architecture
