
Network and Information Security

Presentation by Mr. G Srinivas ITS, DGM (Dotsoft & Computers), AP Telecom Circle, BSNL

Agenda

1. Introduction
2. Security types
3. Activities in BSNL AP
4. Conclusion


NW & IS Security

What is Security?
Refers to techniques for ensuring that data stored in a computer cannot be read or compromised by any individual without authorization.

What is Network Security?
Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects.


NW & IS Security

Information Security
Protection of information systems against unauthorized
access to or modification of information, whether in
storage, processing or transit, and against the denial of
service to authorized users or the provision of service to
unauthorized users, including those measures necessary
to detect, document, and counter such threats.


NW & IS Security

Why Security Matters:

Surveys by the US FBI estimate that 90% of corporations and government agencies experienced computer breaches in 2002, of which 80% suffered losses.
Recovery usually takes significant time and effort.

Source: http://www.microsoft.com/canada/smallbiz/sgc/articles/why_security_matters.mspx


Security standards adopted

Need for a security audit
Free security tools on the internet
Vendor interaction
STQC
BS 7799 (ISO 27001)
Phases/stages
Application security
Connectivity to external networks


Why we chose STQC?


BS 7799 - Standards

BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institution (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI) and, after several revisions, was eventually adopted by ISO as ISO 17799, "Information Technology - Code of practice for information security management", in 2000.
A second part to BS 7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled "Information Security Management Systems - Specification with guidance for use". BS 7799-2 focused on how to implement an Information Security Management System (ISMS), referring to the information security management structure and controls identified in ISO 17799.
BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.


Phases/Stages in the Security Audit by STQC

Phase-1
Stage 1: Penetration testing (2 IPs & 2 hosts)
Stage 2: Vulnerability assessment of servers (14 servers)
Stage 3: Vulnerability assessment of network
Stage 4: Remote SSA internal network
Stage 5: Roadmap
Stage 6: Roles, BCP
Phase-2
Post-implementation
Periodic auditing every 6 months


Phases/Stages in the Security Audit by STQC

Phase-1 Stage 1: Penetration testing (3 IPs)

Analysing the IT assets of the client that are visible on the internet by running standard vulnerability tools against the system/network remotely.
Report listing fixes for each vulnerability discovered.


Phases/Stages in the Security Audit by STQC

Phase-1 Stage 2: Vulnerability assessment (14 servers)

1. Intranet server consisting of Windows NT Server, web server, database and some other applications like ASP, PERL, etc.
2. Proxy server.
3. PGRAMS server.
5. HTD Dotsoft server (OS: Digital Tru64 Unix, RDBMS: Oracle 8i)
6. BSNL portal web server, www.bsnl.in (OS: MS Windows 2000 Advanced Server, web server: IIS 5.0, Internet IP, etc.)
7. BSNL mail server, www.mail.bsnl.in (OS: MS Windows 2000 Advanced Server, mail server software: IMAIL, Internet IP, etc.)
8. AP Telecom web server, www.aptelecom.gov.in (OS: MS Windows 2000 Advanced Server, web server: IIS, RDBMS: SQL Server 2000, Internet IP, etc.)
9. ISA firewalls in the portal, 2 nos. (OS: MS Windows 2000 Advanced Server, software: MS ISA Server 2000, Internet IP, etc.)


Phases/Stages in the Security Audit by STQC

Phase-1 Stage 3: Vulnerability and network assessment (remote SSA)

Nalgonda Dotsoft server (OS: Red Hat Linux 9.2, RDBMS: Oracle 9i)
2 Mbps internet leased line.
The network also consists of dial-up connections for intranet access as well as Dotsoft.


Phases/Stages in the Security Audit by STQC

Phase-1 Stage 4: Head office network assessment

Phase-1 Stage 5: Roadmap
Implementation should be planned in 2 phases as given below (a proposed plan will be submitted):
a) High risks which can be eliminated by configuration without any purchase of security components (involves a post-implementation audit).
b) Very critical risks which can be eliminated only with the purchase of security components (without involving a post-implementation audit).


Phases/Stages in the Security Audit by STQC

Phase-1 Stage 6
i) An IT security policy document based on BS 7799.
   Designing a security policy for the complete network infrastructure, security devices and critical devices based on BS 7799 standards.
ii) Guidelines for all roles.
   Suggesting guidelines for all roles like network administrator, system administrator, security administrator, DBA, developers and users.
Guidance will be given to develop the security policy statement and the standard policies required by BS 7799, and also guidelines for the roles.

Phase-1 Stage 7
Business continuity plan / disaster recovery plan.
   Identification of the areas that would suffer the greatest financial and operational loss in the event of a range of possible disasters, including natural, technical and human threats.
   Identification of the organization's mission-critical activities, their dependencies and the single points of failure.
   Creating a plan for continuity and recovery strategies.
The methodology will be given and the BCP shall be developed for your site.


Key Observations - STQC Audit

SQL injection
Running of unwanted services and ports
Weak password policies
Auditing not enabled
Improper ACL implementation
Insecure dial-up access
SNMP
Need for firewalls
Identification of critical resources and need for network separation
Usage of hubs
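The first finding, SQL injection, shown in Oracle PL/SQL terms since Dotsoft runs on Oracle. This is an added example, not code from the audit report or from Dotsoft: a billing lookup that splices caller input into dynamic SQL, beside the same lookup written with a bind variable. The `subscribers` table, its columns, the sample rows and the procedure names are assumed for illustration.

```sql
-- Added example (not Dotsoft code). Table, rows and procedure names are assumed.
CREATE TABLE subscribers (
  phone_no    VARCHAR2(12) PRIMARY KEY,
  cust_name   VARCHAR2(60),
  outstanding NUMBER(12,2)
);
INSERT INTO subscribers VALUES ('04023456789', 'A. Kumar', 1250.00);  -- constructed sample
INSERT INTO subscribers VALUES ('04023456790', 'B. Reddy',  310.50);  -- constructed sample
COMMIT;

-- VULNERABLE: the caller's input becomes part of the statement text.
CREATE OR REPLACE PROCEDURE get_bill_vuln (
  p_phone IN  VARCHAR2,
  p_cur   OUT SYS_REFCURSOR)
IS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT cust_name, outstanding FROM subscribers '
        || 'WHERE phone_no = ''' || p_phone || '''';
  OPEN p_cur FOR v_sql;       -- the database parses whatever the caller built
END;
/
-- With the input  ' OR '1'='1  the WHERE clause becomes
--   WHERE phone_no = '' OR '1'='1'
-- which is true for every row, so the cursor returns every subscriber's balance.

-- HARDENED: the input travels as a bind value and is never parsed as SQL.
CREATE OR REPLACE PROCEDURE get_bill_safe (
  p_phone IN  VARCHAR2,
  p_cur   OUT SYS_REFCURSOR)
IS
BEGIN
  OPEN p_cur FOR
    'SELECT cust_name, outstanding FROM subscribers WHERE phone_no = :1'
    USING p_phone;            -- ' OR '1'='1 is now just a phone number that matches nothing
END;
/
-- Static SQL inside PL/SQL binds automatically and is the simplest form:
--   OPEN p_cur FOR SELECT cust_name, outstanding FROM subscribers WHERE phone_no = p_phone;

-- Exercise both from SQL*Plus with the same malicious input (doubled quotes
-- inside the literal produce the string  ' OR '1'='1 ).
VARIABLE rc REFCURSOR
EXEC get_bill_vuln(''' OR ''1''=''1', :rc)
PRINT rc
EXEC get_bill_safe(''' OR ''1''=''1', :rc)
PRINT rc
```

The vulnerable form is what the audit would flag in an ASP or Perl page that builds its query string from form fields; the fix is the same in every language and driver: pass user input only as a bind parameter, and grant the web application's database account nothing beyond the tables and procedures it needs, so that a successful injection cannot reach other schemas.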


Precautions being taken on BSNL servers after the STQC audit

Regular updating of patches.
Unnecessary services/ports are closed on the servers.
Antivirus updates are applied on a regular basis.
System logs / application logs / security logs are checked.
Running the MBSA (Microsoft Baseline Security Analyzer) tool to identify missing patches on the Windows servers.
Enforcing a strong security policy on the server.
Enforcing a strong password policy on the server.
Enforcing an audit policy on the server.
Security auditing by internal as well as external (STQC) auditors in a timely manner.
Backing up the registry / application / data regularly.
Maintaining / monitoring the DR (disaster recovery) site.
Hardening of the RDBMS and other applications.
Applications hosted on the production web server are tested rigorously in the staging environment first.


Precautions being taken on the BSNL network after the STQC audit

DMZ zone for the web server / mail server.
A well-configured application-level firewall with anti-spoofing and IDS configured.
The firewall security policy is designed so that only the required services are exposed to the Internet.
Routers with ACLs and complex passwords.
Role assignment for a security administrator to check the logs on a daily basis and monitor traffic at all times.
IOS updates on the routers / updates on the firewalls.


Application Security - Dotsoft

Flagship customer care and billing platform for basic phone and CDMA services
In-house package
Works on a centralised / decentralised concept
Very cost effective
Implemented in more than 200 districts in BSNL
Managing close to 10,000 crore revenue of BSNL


Application Security - Dotsoft

Restricting users' password usage:
Idle time
Sessions per user
Failed login attempts
Password lifetime
Password verify function
Password reuse time
Password grace time

Access control using roles:
Allotment of dynamic roles at the time of login
Sub-routing feature
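The seven limits listed above are the parameters of an Oracle profile, which is how a Dotsoft database enforces them per account. The following is an added example, not Dotsoft's own profile or verify function: a verify function written for the signature Oracle expects, and a profile that sets every limit named on the slide. The profile name, the account name and the numeric thresholds are assumptions chosen for illustration.

```sql
-- Added example (not Dotsoft code). Run as SYS: the verify function must be
-- owned by SYS. Profile name, limits and the user name are assumed.

-- Oracle calls the verify function with exactly this signature on every
-- password change; raising an error rejects the new password.
CREATE OR REPLACE FUNCTION dotsoft_verify_fn (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2) RETURN BOOLEAN
IS
  v_diff PLS_INTEGER := 0;
BEGIN
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not equal the username');
  END IF;
  -- TRANSLATE deletes every digit; if nothing changed, there was no digit.
  IF TRANSLATE(password, 'x0123456789', 'x') = password THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must contain a digit');
  END IF;
  -- A string with no letters is unchanged by UPPER and LOWER alike.
  IF UPPER(password) = LOWER(password) THEN
    RAISE_APPLICATION_ERROR(-20004, 'Password must contain a letter');
  END IF;
  -- old_password is NULL when a DBA resets the account, so guard the comparison.
  IF old_password IS NOT NULL THEN
    v_diff := ABS(LENGTH(password) - LENGTH(old_password));
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        v_diff := v_diff + 1;
      END IF;
    END LOOP;
    IF v_diff < 3 THEN
      RAISE_APPLICATION_ERROR(-20005,
        'Password must differ from the previous one in at least 3 positions');
    END IF;
  END IF;
  RETURN TRUE;
END;
/

-- One profile carrying all seven limits from the slide (values assumed).
CREATE PROFILE dotsoft_user LIMIT
  SESSIONS_PER_USER        2            -- concurrent sessions per account
  IDLE_TIME                15           -- minutes before an idle session is killed
  FAILED_LOGIN_ATTEMPTS    5            -- then the account locks ...
  PASSWORD_LOCK_TIME       1/24         -- ... for one hour
  PASSWORD_LIFE_TIME       90           -- days
  PASSWORD_GRACE_TIME      7            -- days of warnings after expiry
  PASSWORD_REUSE_TIME      365          -- days before an old password may return
  PASSWORD_REUSE_MAX       10           -- and this many changes in between
  PASSWORD_VERIFY_FUNCTION dotsoft_verify_fn;

-- SESSIONS_PER_USER and IDLE_TIME are resource limits and are enforced only
-- while RESOURCE_LIMIT is TRUE; the password limits are always enforced.
ALTER SYSTEM SET resource_limit = TRUE;

-- Attach the profile to an application account (name assumed).
ALTER USER dotsoft_op PROFILE dotsoft_user;
```

Two checks worth running after this: `SELECT username, profile FROM dba_users` to confirm no application account is still on DEFAULT, and `SHOW PARAMETER resource_limit`, because a profile whose IDLE_TIME is silently ignored looks identical in `DBA_PROFILES` to one that works. The way Oracle combines PASSWORD_REUSE_TIME with PASSWORD_REUSE_MAX has changed between releases (older releases required one of them to be UNLIMITED, later ones require both to be finite for reuse control to apply), so check the reference for the release in use rather than assuming the pair above behaves the same on 8i, 9i and later.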


Application Security - Dotsoft

Transaction references for important Dotsoft tables are stored in audit tables with user name, date and type of activity, for reference.
The online payment module is not accessible from two machines with the same username.
Version check control is incorporated in all Dotsoft modules.
For all Dotsoft users, the user's contact information and the user in charge are stored when the user is created.
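One way to produce audit rows of the kind described above (user name, date and type of activity against a transaction reference), as an added example that is not Dotsoft's own audit scheme: a row-level trigger on a payments table that writes into a separate audit table. The table, column and sequence names are assumed for illustration.

```sql
-- Added example (not Dotsoft code). Table, column and sequence names are assumed.
CREATE TABLE payments (
  receipt_no VARCHAR2(20) PRIMARY KEY,
  phone_no   VARCHAR2(12),
  amount     NUMBER(12,2),
  paid_on    DATE
);

CREATE TABLE dotsoft_audit (
  audit_id    NUMBER        PRIMARY KEY,
  table_name  VARCHAR2(30)  NOT NULL,
  txn_ref     VARCHAR2(40)  NOT NULL,   -- key of the row that was touched
  activity    VARCHAR2(6)   NOT NULL,   -- INSERT / UPDATE / DELETE
  user_name   VARCHAR2(30)  NOT NULL,   -- database account
  os_user     VARCHAR2(64),             -- client OS login, as reported by the client
  terminal    VARCHAR2(64),
  old_amount  NUMBER(12,2),
  new_amount  NUMBER(12,2),
  activity_dt DATE          NOT NULL
);
CREATE SEQUENCE dotsoft_audit_seq;

-- Fires once per affected row; :NEW is empty on DELETE and :OLD on INSERT.
CREATE OR REPLACE TRIGGER trg_payments_audit
AFTER INSERT OR UPDATE OR DELETE ON payments
FOR EACH ROW
DECLARE
  v_activity dotsoft_audit.activity%TYPE;
BEGIN
  IF INSERTING THEN
    v_activity := 'INSERT';
  ELSIF UPDATING THEN
    v_activity := 'UPDATE';
  ELSE
    v_activity := 'DELETE';
  END IF;

  INSERT INTO dotsoft_audit
    (audit_id, table_name, txn_ref, activity, user_name, os_user, terminal,
     old_amount, new_amount, activity_dt)
  VALUES
    (dotsoft_audit_seq.NEXTVAL, 'PAYMENTS',
     NVL(:NEW.receipt_no, :OLD.receipt_no),
     v_activity, USER,
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'TERMINAL'),
     :OLD.amount, :NEW.amount, SYSDATE);
END;
/

-- Constructed sample activity: an insert, a correction, a reversal.
INSERT INTO payments VALUES ('R-1001', '04023456789', 500.00, SYSDATE);
UPDATE payments SET amount = 550.00 WHERE receipt_no = 'R-1001';
DELETE FROM payments WHERE receipt_no = 'R-1001';
COMMIT;

SELECT txn_ref, activity, user_name, old_amount, new_amount,
       TO_CHAR(activity_dt, 'DD-MON-YYYY HH24:MI:SS') AS activity_dt
FROM   dotsoft_audit
ORDER  BY audit_id;
```

The trigger runs with its owner's privileges, so the application accounts need no grant on `dotsoft_audit` at all; keep it that way, and keep the audit table in a schema the menu users cannot reach, or the trail can be edited by the people it records. `OS_USER` and `TERMINAL` are supplied by the client and are useful for reconstruction but not proof of identity; the database `USER` and the timestamp are the reliable columns.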


Application Security - Dotsoft

Security patch:
Blocking SQL access for menu users.
Individual modules cannot be opened; all modules work only through the menu.
Object grants given to individual users / PUBLIC will be revoked.
DBA grants given to any user will be revoked.
Roles / system privileges given to PUBLIC will be revoked.
Usage of any third-party tools like TOAD / ODBC will be blocked for all users except the DBA.
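How the grant revocations and the tool block on this slide can be carried out on an Oracle database, as an added example that is not the Dotsoft patch itself. The first three queries generate the REVOKE statements for review before execution; the trigger refuses logins from named client programs unless the account holds the DBA role. The `DOTSOFT` schema name, the administrator account names and the list of blocked programs are assumptions.

```sql
-- Added example (not the Dotsoft patch). Run as SYS. The DOTSOFT schema,
-- the exempt administrator accounts and the blocked program names are assumed.

-- 1. Object grants on the application schema made to PUBLIC or directly to
--    users (grants to roles are left alone). Review the output, then run it.
SELECT 'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
       || ' FROM ' || grantee || ';' AS stmt
FROM   dba_tab_privs
WHERE  owner = 'DOTSOFT'
AND    (grantee = 'PUBLIC'
        OR grantee IN (SELECT username FROM dba_users));

-- 2. DBA role held by anyone other than the administrators.
SELECT 'REVOKE DBA FROM ' || grantee || ';' AS stmt
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DOTSOFT_DBA');

-- 3. Roles and system privileges held by PUBLIC.
SELECT 'REVOKE ' || granted_role || ' FROM PUBLIC;' AS stmt
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC'
UNION ALL
SELECT 'REVOKE ' || privilege || ' FROM PUBLIC;'
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC';

-- 4. Refuse ad hoc client tools for everyone except DBA role holders.
--    An error raised here aborts the login for ordinary users.
CREATE OR REPLACE TRIGGER block_adhoc_tools
AFTER LOGON ON DATABASE
DECLARE
  v_program VARCHAR2(64);
  v_is_dba  PLS_INTEGER;
BEGIN
  IF USER IN ('SYS', 'SYSTEM') THEN
    RETURN;
  END IF;
  SELECT COUNT(*) INTO v_is_dba
  FROM   dba_role_privs
  WHERE  grantee = USER AND granted_role = 'DBA';   -- direct grant only
  IF v_is_dba > 0 THEN
    RETURN;
  END IF;

  -- Program name of this session as reported by the client software.
  SELECT UPPER(NVL(MAX(program), 'UNKNOWN')) INTO v_program
  FROM   v$session
  WHERE  audsid = SYS_CONTEXT('USERENV', 'SESSIONID');

  IF v_program LIKE '%TOAD%'
  OR v_program LIKE '%ODBC%'
  OR v_program LIKE '%SQLPLUS%'
  OR v_program LIKE '%SQLDEVELOPER%' THEN
    RAISE_APPLICATION_ERROR(-20010,
      'Ad hoc database tools are not permitted for this account: ' || v_program);
  END IF;
END;
/
```

The program name in `V$SESSION` is whatever the client driver reports, so a user who renames `toad.exe` or ships a custom ODBC application walks past the trigger; treat step 4 as a deterrent for the ordinary menu user and steps 1 to 3 as the real control, because an account that holds only the privileges the menu needs can do no more damage from TOAD than it can from the menu. Test the trigger with a non-DBA account before leaving it in place: a logic error in an AFTER LOGON trigger locks out every account that lacks the ADMINISTER DATABASE TRIGGER privilege.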


Connectivity to External Networks

Eseva
   Network connectivity
   Server hardening
   Determination of roles and responsibilities
   Configuration of security elements
Others
   Rural Eseva
   BSNL Portal
   Centralised and convergent customer care and billing


Conclusion

Efforts to be made for standardising the interfaces.
Of course, there is no way to guarantee 100 percent security.
As the old saying goes, "You can make a door only so strong before it's easier to come through the wall."


Q&A

G Srinivas ITS
DGM(Dotsoft & Computers)
BSNL AP
Email : gsrinivas@bsnl.co.in
