Security Architecture Blueprint

Published: March 31, 2005

This blueprint is written for enterprise architects working in the area of infrastructure and system security. Other audiences may find the guide useful in understanding the scope, capabilities, and impact of an enterprise-class security architecture. This blueprint provides a practical process for the successful creation of an enterprise security architecture that covers several aspects of the security design, including the various evaluation and classification processes required by the Security Risk Management Discipline (SRMD).

In This Blueprint

Figure 8. Standard Clustered Configuration

Enterprise Design

CDC Design Considerations

SBO Design Considerations

Summary

The guidance provided for WSSRA has been proven in the test labs and is known to support all the services within the WSSRA scope. The security architecture and assessment process described in this blueprint provides an excellent starting point for the design of a security architecture and strategy that can support real-world business requirements. It is important to understand that there are factors to assess and mitigate when designing even the simplest of security architectures; it is not a precise art, and the information presented in this blueprint is designed to provide insights and examples to help complete a security architecture design that fits the organization’s needs.

The introduction of the simple Wingtip Toys scenario provided a demonstration of the SRMD process. The “CDC Design Considerations” and “SBO Design Considerations” sections provided valuable example data of the processes followed in the CDC and SBO security architecture designs. Security zoning was introduced in this blueprint to show how this process forms a solid basis for the network and service designers to align their security efforts. Also documented in this blueprint was the process by which specific service requirements were collected from the service designers to create the VLAN segmentation and network security matrices for the test lab instantiation of the CDC and SBO scenarios. These matrices formed the basis of the network security and were tested by the test team. Where the information generated in this process details the exact security data from the lab, the content has been provided in the ConfigurationMatrix.xls spreadsheet in the Implementation Guides. This data is unique for each instantiation and therefore is only relevant in the context of the specific implementation. Ultimately, the design is based on a combination of the specific requirements, environment, budgets, and preferences of the organization’s design team. There is no single right answer, only one that meets an organization’s requirements in a timely and affordable manner. Because there are a great many factors that can affect the final choice of securing devices in the design, it is impossible for this one blueprint to provide an exact choice.

Additional relevant information can be found in the Network Architecture Blueprint and the Network Devices Planning Guide, Firewall Services Planning Guide, and Remote Access Services Planning Guide for the test lab implementation. Ultimately, the output from this design process is a completed network infrastructure design, but it is important that the documentation created is not left to stagnate. Security is not a “set it and forget it” service. These designs will need to be reviewed and updated regularly to ensure that security is maintained.

The following links provide relevant information for the security architecture and documents related to security issues:

“Security Services in Windows Server 2003”
http://www.microsoft.com/windowsserver2003/technologies/security/default.mspx

"Windows Server 2003 Security Guide"
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

The "Security" section of the Microsoft Developer Network (MSDN) Web site at the following URL:
http://msdn.microsoft.com/nhp/Default.asp?contentid=28001191&frame=true

"Writing Secure Code," by Michael Howard and David LeBlanc, ISBN 0-7356-1722-8, April 2002, from Microsoft Press. For more information refer to the following URL:
http://www.microsoft.com/mspress/books/5957.asp

"Designing Secure Web-Based Applications for Microsoft Windows 2000," by Michael Howard, ISBN 0-7356-0995-0, July 2000, from Microsoft Press. For more information refer to the following URL:
http://www.microsoft.com/mspress/books/toc/4293.asp

Microsoft Patterns & Practices: Reference Building Blocks at the following URL:
http://msdn.microsoft.com/practices/type/Blocks/default.asp

For information on network security best practices, refer to the following URLs:

www.sans.org

www.cert.org

www.insecure.org

www.securityfocus.com

http://www.nsa.gov/snac/
