IT Security

Go Deep

30.12.2002 by Teng-Fang Yih
Making a company's own information available to partners and suppliers requires a balancing act: necessary openness is set against mandatory security. Chartered Semiconductor has opted for a multi-layer model.

Source: CIO Asia

At the turn of this century, Chartered Semiconductor Manufacturing--already one of the world's top three semiconductor foundry businesses, providing wafer fabrication services and technologies to semiconductor suppliers and systems companies--wanted to develop a highly scalable and extendable integrated IT system that was both open to any organisation along its supply chain and provided maximum security.

The main reason for Chartered's demand for greater 'openness' is the company's approach to running its business, which necessitates collaboration with its many partners, often on a global scale. Taking this approach means that the company's operating IT environment has to offer as much access to as many parties as needed. This is an even taller order if you consider the size of its operations today. Established in 1987, Chartered now operates five wafer fabrication facilities, and expects to complete outfitting a sixth facility to handle 300 mm wafer fabrication. To ensure smooth operations in all these facilities as well as in its business offices, the company uses: a corporate network extended across 400 servers housed in its data centres in Singapore and the U.S., wired by various technologies and standards ranging from 100 Mbit/s Ethernet (for local area networks) to Gigabit Ethernet (for direct server connections); a global wide area network; and direct connections from fab environments to joint-venture partners and selected suppliers to facilitate remote operation and maintenance of fab equipment. Add to that mix the connections between the company and its various customers via the Internet, including traffic across a virtual private network (VPN), and you have possibly one of the largest and also most open networks in the industry.

So imagine how big a challenge it is to, one, maintain and ensure that this network remains open to accommodate and drive business growth, and, two, make it secure at the same time. Bret Watson, Head of IT Assurance and Security IT at Chartered, does not need to imagine. He lived it, beginning in 2000. "Security is critical. At the same time, the network has to remain open to the extent that the efficiency of the entire supply chain can be realised," says Watson, who adopted what he calls the "defence-in-depth" model of security.

Multi-layer Defence

"Defence in depth consists of a layered approach to protecting an asset. By using multiple layers we ensure that our security does not rely on a single protection device," Watson explains. "For Layer 1, ACL [access control list] rules on the edge router. For Layer 2, we have a firewall. For Layer 3, we have a validating proxy. For Layer 4, another firewall. For Layer 5, we have packet filtering on a server. And for Layer 6, we enforce access controls on valuable data."

"Each layer has different detection mechanisms as well. And for each layer, we consider four attributes," Watson says. "Deterrence--the best security is one that deters an intruder--as in the physical world razor wire is a good deterrent, in IT the logon warning message is a form of deterrence. Detection--ideally, we want to detect the intruder before he has actually completely breached the layer, but this is a balancing act, since too many 'detections' can result in 'the boy who cried wolf' syndrome, where the operator ignores the alarm in future 'because it always goes off'. Delay--the layer needs to delay the intruder long enough for us to get a response to the point of attack. And response--we want to respond to the intrusion--ideally by apprehending the intruder, but at the very least by scaring him away or throwing him out."

"A measure of a good security system is where the detection system of any layer only picks up real intrusions and the time between the detection and the response is less than the delay of that layer," Watson adds.
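Watson's criterion can be written down as a small model: a layer "holds" when its alarm is trusted (a low enough false-alarm rate, so the operator has not learned to ignore it) and detection plus response takes less time than the layer's delay. The following is an added illustration, not code from the article or from Chartered; the six layer names follow Watson's list, but every timing, the false-alarm threshold and the minute figures are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Above this share of false alarms the operator stops trusting the alarm
# ("the boy who cried wolf"); the layer's detection is then treated as absent.
# Constructed threshold, not a figure from the article.
MAX_FALSE_ALARM_RATE = 0.3

@dataclass
class Layer:
    name: str
    delay: float             # minutes the layer holds an intruder before it is breached
    detect_at: float         # minutes into the attack on this layer at which it is detected
    respond: float           # minutes from detection until responders reach the point of attack
    false_alarm_rate: float  # share of this layer's alerts that were not real intrusions

def detection_trusted(layer: Layer) -> bool:
    """Detection only counts if the operator still acts on the alarm."""
    return layer.false_alarm_rate <= MAX_FALSE_ALARM_RATE

def layer_holds(layer: Layer) -> bool:
    """Watson's criterion: trusted detection, and detection-to-response shorter than the delay."""
    return detection_trusted(layer) and layer.detect_at + layer.respond < layer.delay

def evaluate(layers: List[Layer]) -> Tuple[Optional[str], float]:
    """Walk the layers from the outside in. Returns the name of the layer at which
    the intruder is stopped (None if every layer is breached) and the minutes
    elapsed since the attack on the first layer began."""
    elapsed = 0.0
    for layer in layers:
        if layer_holds(layer):
            return layer.name, elapsed + layer.detect_at + layer.respond
        elapsed += layer.delay   # breached; the intruder moves on to the next layer
    return None, elapsed

# Constructed sample timings for the six layers Watson lists (not Chartered's real figures).
SAMPLE_LAYERS = [
    Layer("edge router ACL",      delay=5,  detect_at=1,  respond=15, false_alarm_rate=0.6),
    Layer("outer firewall",       delay=20, detect_at=5,  respond=15, false_alarm_rate=0.2),
    Layer("validating proxy",     delay=45, detect_at=10, respond=15, false_alarm_rate=0.1),
    Layer("inner firewall",       delay=20, detect_at=5,  respond=15, false_alarm_rate=0.1),
    Layer("server packet filter", delay=10, detect_at=2,  respond=15, false_alarm_rate=0.1),
    Layer("data access controls", delay=60, detect_at=5,  respond=15, false_alarm_rate=0.05),
]

if __name__ == "__main__":
    for layer in SAMPLE_LAYERS:
        print(f"{layer.name:22s} holds={layer_holds(layer)}")
    print(evaluate(SAMPLE_LAYERS))
```

In the sample, the edge ACL is noisy enough to be ignored and the outer firewall's 20-minute delay is exactly consumed by detection plus response, so the intruder is first stopped at the validating proxy, 50 minutes in; raising the outer firewall's delay or shortening its response time would move the stop one layer further out.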

Ideal Platform

In 2000, Watson and his team began wiring security into Chartered's IT environment along the lines of this defence-in-depth model. They decided to switch from a multi-vendor firewall system to a single firewall platform, in order to gain implementation consistency and better control of access across the company's different offices around the world, and to minimise the cycle time required for software updates and patches, along with other maintenance work, by enabling single-point access to these tasks.

Choosing a firewall solution was not difficult, according to Watson. At the time, the company had already installed Check Point Software Technologies' FireWall-1 and VPN-1 applications at various locations in its network on a trial basis. "We knew we would be using Check Point in our network," says Watson, for whom it was essential that the technologies used came from vendors who were reliable and timely in delivering good global support, through technical support teams that were experienced and very familiar with all manner of firewall products and with Chartered's requirements.

Choosing a firewall platform was a bit of work, though. "What we needed was a platform that was the best to operate this application on, that could be implemented as a turnkey solution, and that is easy to manage," says Watson. But after a three-month process of evaluation and trials, which involved Chartered's IT Network, and Assurance and Security departments, the company settled on a platform constructed of a number of different IP series security appliances by Nokia.

Immediately after the decision was made the Nokia IP650 was deployed at Chartered's Singapore data centre, the IP330 at a number of the company's larger sites, the IP120 at smaller remote sites, and the IP71 at even smaller offices with five or fewer staff.

Savings and Freedom

Now, two years on, Chartered's choice of firewall solution and platform has delivered on its promise, unequivocally, even though the company has yet to put its entire global network on this platform--which is expected to happen, along with a planned enterprise-wide migration to Check Point's latest version of firewall software, called NG, by the middle of next year. "The key benefit is that the main focus of the IT Assurance and Security staff no longer has to be on the management of the firewalls," says Watson, whose team now handles complex installations and configuration work, and administers software patches more easily and quickly, and remotely from a central location, using the Nokia Horizon Manager.

"We no longer need to send personnel to our remote offices to update the firewalls--that saves costs associated with staff travel time, expenses, and man-hours. Also, it takes approximately three days to a week to install a Check Point firewall from scratch; but to set it up from turnkey [which we now do with our architecture] takes less than a day if all goes smoothly," says Watson, who knows very well that he can turn to Nokia for vendor-neutral 24x7 global support under the vendor's First Call Final Resolution programme when all does not go smoothly, and when problems arise that he and his team cannot solve.