Organization for Security and Cooperation in Europe: OECD ICT Management Workshop, Paris, October 2004



Page 2: OSCE - background

• 55 member states, annually rotating Chair, consensus based decision making.
• Permanent Council in Vienna establishes mandate
• Secretariat (administrative centre) in Vienna
• 25 countries of operations (Missions)
• Management Reform introduced in 2000
• Central ERP system implemented in 2004
• Central document management system being implemented 2004-2005

Page 3: OSCE Global Presence Map

[Figure: OSCE Global Presence Map. Legend: OSCE Field Operations; OSCE Institutions.]

Page 4: OSCE Information Security Organizational Environment

Governance Issues
• SG/HoM/CIO responsibility
• Staff and information classification
• OSCE de-centralized organizational environment
• Need mandate (and budget) from Member States

OSCE InfoSec management priorities:
• OSCE InfoSec Strategy - what do we need to protect, from whom, at what level?
• How do we protect OSCE information and systems in the short and long term?
• Move from decentralized fragmented patchwork of ICT security practices to corporate framework

Page 5: OSCE Information Security Action Plan

• InfoSec strategy (Information Security Management Plan)
• Established interim policies
• Designed solutions where needed
• Created Virtual OSCE InfoSec team

Governance/approval - standardization

Page 6: InfoSec Virtual Team

• Created OSCE-wide virtual InfoSec team in May 2004
• Established a prioritized action plan for corporate solution
• First set of corporate solutions implemented in September 2004
• Action Plan revised and work ongoing

Page 7: OSCE InfoSec Short Term Strategy

Consolidation of the existing infrastructure

• Finalize implementation of the standard security solutions in all OSCE Missions
• Implement reliable solution for firewall backup and software management
• Implement a VPN failover and traffic shaping solution
• Implement standard secure mobile computing solutions
• Implement a secure wireless solution for OSCE environment
• E-mail spam filtering, content filtering and intruder detection solutions for OSCE environment

Page 8: OSCE InfoSec Long Term Strategy

• Design and implement an OSCE Information Technology Security Framework
• Business Continuity Plan
• Compliance with International Standards

Governance/approval - enforcement

Page 9: OSCE InfoSec reality today

Major goals of Information Security: Confidentiality, Integrity, Availability

What are we protecting?
• Information
• OSCE Corporate applications:
  • E-mail system
  • IRMA: Integrated Resources Management system
  • DOC.IN: (Knowledge and Document management system)
  • OSCE Portal: Common ICT platform for data and information sharing
• WAN infrastructure - hope to consolidate communications contracts (100+)

Page 10: The BIG picture

[Figure: "Working Document - OSCE WAN Layout (23/10/2003)", Annex 5. Diagram of the connections between the OSCE Secretariat and the missions, institutions and field offices; link labels include Internet, Leased Line, MW Link, VSAT, Dial up, In-house and No Access. Legend: Temporary Solution (to be installed within 2003); Existing Long term solution.]

Page 11: How we protect OSCE information

[Figure: network security architecture diagram. Labels:]
• International Organizations / Partner Sites
• IPSec-compliant Gateway
• VPN-1 SecuRemote / RSA SecureID token authentication
• CheckPoint VPN-1 SecureClient
• Remote Users
• OSCE Missions and Institutions
• CheckPoint Express VPN-1/FireWall-1
• Management Console
  • Visual Policy Editor
  • SecureUpdate
  • Real-time Monitor
  • Reporting Module
  • Account Management Module
  • Open Security Extension
• Web Server (planned)
• Extranet Application Servers
• LDAP Directory
• Data Center – Hosting Facility
• Corporate Network/Services
• Router
• CheckPoint VPN-1/FireWall-1 Gateway
  • VPN-1 Accelerator Card
  • FloodGate-1
  • Extranet Management Interface
• Authentication / Reverse Proxy Server
• “BIG” Internet

Page 12: OSCE Standard Security Solutions

CheckPoint VPN-1 Gateway:
• Protects resources with FireWall-1, Stateful Inspection
• Allows centralized management and distributed deployment of both security policy and software
• Protects data in transit with VPN industry standards
  • 3DES and AES encryption
  • IPSec / IKE
  • All leading user authentication schemes (including RADIUS and RSA SecureID token)
• Provides reliable performance with integrated QoS and hardware acceleration

VPN-1 SecureClient:
• Basic VPN Client for Windows 98/ME, NT, 2000 and XP
• Centrally managed “personal firewall” policies
• Security Configuration Verification (SCV)
• Software packaging and distribution features

Page 13: OSCE Standard Security Solutions

NOKIA IP Series Appliances

• Platform Layer
• Application Layer
• Management Layer
• Support Layer