Architectural Services | Resources | Views | Contact Arctec Group

    Arctec Views

    October 21, 2003

    In this issue:
        * Security Architecture Elements, Part II
        * Reader Views
        * Enterprise Architecture News
        * Arctec Group News: Arctec Group is featured speaker at
        Blackhat Federal Security conference (


    Arctec Group is an architectural services company focused on Enterprise Architecture issues. With this newsletter, we aim to serve our clients, partners, and colleagues by providing our view on current issues and best practices in Enterprise Architecture as well as aggregating interesting news from around the globe.

    We hope you find the newsletter useful and enlightening. We would like to hear your thoughts on current affairs and ideas to improve this offering. If you would like to unsubscribe to Arctec Views monthly newsletter, simply send an email to from the email account you would like to unsubscribe. Please include the word "unsubscribe" in the subject or first line of the email. Previous issues are available at


    Beyond Prevention: Security Architecture Elements, Part II

    In last month's newsletter (, we introduced common security architectural elements and the purpose they serve within organizations. This month we will take a more detailed look at the elements in the Prevention, Detection, and Response security spectrum. These elements should not be considered a comprehensive list for a full blown security system, but rather a broad overview of some important yet less publicized security architectural elements.

    Prevention, Detection, Response

    Looking at Security Architecture through the lens of Prevention, Detection and Response gives a holistic view of security processes and technologies and how they interact with the enterprise architecture. This viewpoint also engenders a perspective on how the security architectural elements relate to each other, i.e. How does firewall design impact intrusion detection? Design decisions and relationships amongst the elements should be driven by risk and business analysis.

    Prevention Elements

    The goal of prevention in the security architecture is to ensure that breaking in to the system is as difficult as possible. Note that this is not the same as “impossible” or “unbreakable”, systems which are impossible for attackers to break into also tend to be impossible for legitimate users to use, therefore “preventing” business.

    Currently, preventative technologies comprise the bulk of security mindshare. Firewalls are easily the single most well-renowned security tool. Firewalls and network address translation form an important part of defending the system's perimeter and enforcing policies. In addition to firewalls, there are several other preventative measures to consider with regard to the prevention layer.

      • Security Checklist: For functional reasons and ease of installation, most products' default installation contains numerous security bugs. Major vendors like SAP, Microsoft, and Sun provide security checklists and guidelines for hardening their products. The SANS Institute ( also provides checklists from an objective perspective for many technologies. Detailed, system-specific security checklists, while not as glamorous as other security entities, are a bedrock security element.

    Other important areas to address include:

      • Intrusion Protection System
      • Anti-virus/Malicious Code
      • Patch Management Strategy
      • User Security: Authentication/Administration/Keys
      • Secure Coding Guidelines
      • Secure Configuration Management

    Detection Elements

    Detection is the pragmatic wing of the Security Architecture. The role of Detection is to identify that a security incident has occurred and to alert and report in a manner commensurate with the threat posed.

    Much of the security industry's focus is currently on the detection space, Intrusion Detection Systems (IDS) in particular. IDS deployments require a balanced approach to be effective.The IDS system must not be too “noisy” so that every event sends a catastrophic alarm, or so quiet that the intruder can get by with an obvious attack. Getting an effective reporting balance from your IDS is harder than it sounds (or harder than many vendors would have you believe); in our opinion, effective reporting is currently one of the largest problems to solve going forward for IDS.

    In addition to reporting challenges, getting proper breadth of IDS coverage requires both network and host based IDS systems to ensure that both network and OS/Application types of attacks are monitored.

    Other important Detection areas to address include:

      • Logging and Reporting
      • Compliance Auditing
      • Vulnerability Scanning
      • Penetration Testing
      • Monitoring (including 3rd party monitoring)

    Response Elements

    Security Response includes personnel and technology driven responses to security incidents. Incident response planning is a proactive way to anticipate security issues and ensure that people and processes are identified to intervene accordingly. Organizations such as CERT ( and SANS provide excellent resources for response planning. Planning response action when the organization is not in fire drill mode allows for clear, direct, and effective action to be taken when it matters most.

    Other important Response areas to address include:

      • Event Notification
      • Event Handling
      • Chain of Command
      • Help Desk Training
      • Employment Status Change Processes

    As you can see, thinking about security in terms of firewalls only, just scratches the surface on what it means to secure a complex, distributed system. Taking an architectural view to ensure that each constituent in the architecture is leveraged and utilized properly is one of the Security Architect's biggest challenges.

    -Gunnar Peterson
    CTO, Arctec Group


    Reader Views
    Gerrit Muller writes:
    Your description of the enterprise architect is highly recognizable. I am trying myself to make the job of system architecting more well defined and accessible, but in the embedded systems domain. I have seen quite often that many of the issues and methods have a huge overlap, although the domains can be very different.

    You can find all of these articles on the public internet at the website Gaudi systems architecting:


    Enterprise Architecture News

    Sun On The Record
    Excellent, no holds barred interview with Sun chief Scott McNealy.

    @Stake CTO dismissed
    Security pioneer Dan Geer was relieved of his duties as @Stake CTO after participating in a report with a consortium of security experts. The report was critical of the effects of technological monoculture. Read the report here:

    Information around the firing:,2000048600,20279018,00.htm

    Another viewpoint: Marcus Ranum debunks the monoculture metaphor

    Tablet PCs Finally Taking Off
    Is freedom from cubicles far behind?,1282,60623,00.html

    Massachusetts Embraces Open Technologies
    Open source software will receive preferential treatment under a new procurements policy.

    Comparison of Linux and Windows Viruses

    Security in Cyprus
    October features the 3rd annual Cyprus Infosec conference. The conference brings together leaders from industry and academia.


    Have your say
    Agree? Disagree? Insufficient data to judge? Email us at, we want to hear from you.


    Arctec Group News

    Arctec Group CTO Gunnar Peterson spoke regarding "Security Design Patterns" at the Black Hat Federal briefing in Washington, DC. Gunnar's slides are available online at:

    The Black Hat conference was keynoted by Keith Rhodes, a Chief Technologist at the GAO. Mr. Rhodes' highly illuminating talk focused on the intersection of humans and technology with regard to security. All of the presentations should be available online in the next few weeks at the Blackhat website:


    Arctec Group: Strategic Technology Blueprints

    Arctec Group Newsletter is a free monthly newsletter. If you would like to subscribe to Arctec Views, simply send an email to from the email account you would like to receive the newsletter. Please include the word "subscribe" in the subject or first line of the email.

    If you would like to unsubscribe to Arctec Views monthly newsletter, simply send an email to from the email account you would like to unsubscribe. Please include the word "unsubscribe" in the subject or first line of the email.

Copyright © 2003 Arctec Group, LLC All Rights Reserved