Chapter 5: Enterprise Security Architecture
Chapter Overview:
This chapter will introduce Enterprise Security Architecture (ESA), beginning with an introduction of Enterprise Security Architecture and Risk Management and a review of a Risk Assessment Policy, followed by an Enterprise Security Policy. Next we will highlight Enterprise Security Architecture infrastructure design concepts: defense in depth, the principle of least privilege, compartmentalization of information, and security domains. The chapter will conclude with two example network topologies, highlighting the Enterprise Security Architecture infrastructure design concepts in this chapter. The goal of this chapter is to show how Enterprise Security Architecture design concepts with Terminal Server can be used to provide secure access to different classifications of data, applications and users.
Enterprise Security Architecture introduces Risk Management techniques, methodologies and practices used to secure today’s complex Enterprise. Enterprise Security Architecture is an integral component of an Enterprise Architecture and an information security program. Enterprise Architecture provides the foundation to develop and deploy technologies, while Enterprise Security Architecture is used as a guideline in making strategic, architectural security decisions.
Note: Because Enterprise Security Architecture and Risk Management are separate and distinct disciplines, a detailed discourse is beyond the scope of this book. I will, therefore, delve only into the details that are most relevant.
The goal of Risk Management is to protect the organization and its ability to achieve its mission. Risk Management is a process that provides a framework to enable people and organizations to assess risk and develop strategies to manage it. Risk Management strategies include transferring risk to others, risk avoidance, minimizing the negative effect of risk or accepting risk. A Risk Assessment is a step in the Risk Management process that can be used to assess a specific risk. An information security Risk Assessment is used to determine areas of vulnerability within the IT environment to initiate remediation.
Figure 5.1 shows the elements of a Risk Assessment.
Figure 5.1 [image not reproduced]
In terms of information security, there are many advantages in using Risk Management and Risk Assessments. The advantages are the ability to identify, quantify and manage risk along with cost justification. Many IT organizations leverage Risk Assessments to educate management on security awareness and to justify spending to shore up the security posture of their environments.
Tip: In terms of assessing Information Technology risk, evaluate the NIST Special Publication 800-30, Risk Management Guide to Information Technology Systems. It is a detailed guide on how to conduct a Risk Assessment and determine suitable technical, management and operational security controls.
The following example is a Risk Assessment Policy from the SANS Policy Project. It is used to sanction InfoSec to perform periodic information security Risk Assessments (RAs) in order to determine areas of vulnerability, and when applicable, to initiate remediation. This policy is intended for informational purposes only.
Risk Assessment Policy
Purpose
To empower InfoSec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability and to initiate appropriate remediation.
Scope
Risk assessments can be conducted on any entity within <Company Name> or any outside entity that has signed a Third Party Agreement with <Company Name>. RAs can be conducted on any information system, to include applications, servers and networks, and any process or procedure by which these systems are administered and/or maintained.
Policy
The execution, development and implementation of remediation programs are the joint responsibility of InfoSec and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
The preceding Risk Assessment Policy was presented to demonstrate how organizations use policy to communicate management’s endorsement of InfoSec to perform a Risk Assessment. The policy states that InfoSec can conduct a Risk Assessment on any entity within the organization or on any outside entity that has signed a Third Party Agreement. The execution, development and implementation of remediation will be a joint engagement between InfoSec and the department responsible for the assessed systems.
The next section will review an Enterprise Security Policy. An Enterprise Security Policy is used to bridge the gap between technical and administrative security controls, which are used together to instruct employees and business partners on how to securely access systems and consume data.
An organization’s Enterprise Security Policy is an integral part of an information security program because it encompasses the human factor of information security. It provides organizations an effective way to educate employees on acceptable system usage, corporate conduct and overall information security. It is one of the first steps in enforcing information security; therefore, it is typically introduced to employees during new hire training. Most organizations require new employees to read and sign an Enterprise Security Policy before they are granted access to any corporate voice or data communication system.
The following example is an Enterprise Security Policy intended for employees and business partners. It illustrates how a security policy can communicate acceptable system usage while promoting information security. This security policy is intended for informational purposes only.
Enterprise Security Policy
Purpose and Scope
The primary purpose of this Security Policy is to inform employees and non-employees working for or with <Company Name> assets of their shared responsibilities to ensure the protection of <Company Name> systems and corporate data. InfoSec is responsible for auditing and maintaining policy compliance. Human Resources is responsible for ensuring that all employees and non-employees working for or with <Company Name> assets have read and signed this Security Policy before they gain access to any <Company Name> voice and data communication systems.
This Security Policy applies to all employees, and non-employees at <Company Name>. This policy applies to all equipment and assets that are owned or leased by <Company Name>.
Responsibilities
All voice and data communication systems and related transmitted information, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, internet browsing and FTP, are the property of <Company Name>. <Company Name> has the right to monitor and review usage of all voice and data communication systems at any time. These systems are to be used for business purposes serving the interests of <Company Name>.
Human Resources
Human Resources’ purpose is to provide new hire training, to communicate a security awareness program, and to ensure that all employees and non-employees have read and signed this Security Policy before they gain access to any <Company Name> systems. This department also ensures that up-to-date policies are easily available to employees.
Management
Management ensures that all personnel have reviewed this policy and are in compliance and are to contact InfoSec immediately if a policy violation is discovered.
InfoSec
InfoSec develops and maintains security policies, identifies and deploys automated security controls and audits for policy compliance.
Employee
An employee should review this policy and all referenced policies herewith to maintain compliance.
Related Policies
Acceptable Use Policy
Password Policy
Scheduled Review
Annually
Security Policy Table of Contents
- Physical Security
- Internet Usage
- Messaging Systems and Email Access
- Anti-virus
- Unauthorized Networks (Wireless, Modems)
- Remote Access
- System Access Passwords
- Enforcement
- Employee Acknowledgement
Physical Security
Physical security is an essential part of <Company Name> information security program. Physical security forms the basis for all other security efforts, including data security. <Company Name> employs physical security controls for its employees and assets. These controls must be followed by all <Company Name> employees:
- Wear your badge at all times while on company property.
- Lock your office door or cubicle storage when you leave your area.
- Lock your computer when stepping away from your work area.
- Log off your workstation at the end of the working day.
- Escort, observe and supervise guests for their entire visit.
- Watch out for "tailgaters." Tailgaters wait for an authorized person to enter a controlled area (such as with a locked door) and then follow him or her through the door.
- Shred or otherwise destroy all sensitive information and media when it is no longer necessary.
- Do not allow anyone to add hardware or software to your computer without proper authorization.
- Do not allow the removal of any corporate assets without ensuring that the person removing them has proper authorization.
- Report suspicious activities to your manager.
Internet Usage
Internet usage is provided as a business service for the purpose of supporting <Company Name> business activities and occasional personal use as defined in the Acceptable Use Policy. Information found on the Internet may not be safe and should be considered suspect until confirmed by a reliable source. All Internet access is monitored and logged.
Messaging systems and Email Access
Corporate email access is provided as a business service for the purpose of supporting <Company Name> business activities as defined in the Acceptable Use Policy. Email is not a secure medium and care should be taken with regard to the information sent in email. Accessing personal email systems like Hotmail, Yahoo, or Gmail is prohibited.
Employees may have access to confidential information about the Company, our employees or clients. With approval of management, employees may use email to communicate confidential information to those with a need to know. Such email must be labeled "Confidential." When in doubt, do not use email to communicate confidential material. All email activity is monitored and logged.
Anti-virus
Viruses, worms and Trojan horses are examples of malware programs that can cause significant damage to <Company Name> data and resources. They can destroy, alter or disclose confidential information in a variety of ways and damage the reputation of <Company Name> as well as the reputation and credibility of <Company Name> employees. <Company Name> employs anti-virus controls for its computers and employees as defined in the Acceptable Use Policy.
These controls must be followed by all <Company Name> employees:
- Ensure that the corporate standard anti-virus software is installed on desktop and laptop computers.
- Employees will not use a computer without anti-virus software on <Company Name’s> network, nor will they disable the software.
- Do not open any email attachments from an unknown, suspicious or untrustworthy source. Delete these attachments immediately. Then "double delete" them by emptying your Trash.
- To avoid spreading a virus, do not create network file shares that allow the ‘everyone group’ to write to them, unless there is a business reason.
- In the event of a virus, disconnect from the network and contact the Help Desk, InfoSec or your manager immediately.
- Do not download files from questionable sources.
Unauthorized Networks
Wireless technology allows mobile access to <Company Name’s> internal network. Only wireless access points and modem connections installed and supported by <Company Name> IT personnel are permitted to connect to <Company Name> network. All other wireless access points and modems that connect to <Company Name> network are prohibited. Employees are prohibited from connecting modems or wireless access points on company property.
Remote Access
Remote Access is provided as a business service for the purpose of supporting <Company Name> business activities as defined in the Acceptable Use Policy. Access for remote users to the corporate network will be from an approved encrypted connection exclusively from corporate managed devices as described in the Acceptable Use Policy. <Company Name> will offer handheld devices for remote access to email.
System Access Passwords
Passwords are an important part of information security and are the primary control used to protect user accounts and sensitive corporate data. Intruders often gain access to a company's systems by stealing or cracking a password and account name and then posing as that user. Intruders often gain access by trying password combinations related to a person’s family, address or hobbies. As such, all employees and business partners with access to <Company Name> systems are responsible for selecting a strong password as defined in <Company Name> Password Policy.
Enforcement
Any employee found to have violated any part of this policy may be subject to disciplinary action, up to and including termination of employment.
Employee Acknowledgment
If you have questions or concerns about this policy, contact the Human Resources Department before signing this agreement.
I have read <Company Name’s> security policy and agree to abide by it. I understand violation of any of the above terms may result in discipline, up to and including my termination.
Employee Name: (Printed) ___________________________
Employee Signature: ___________________________
Date: ___________________________
The example Enterprise Security Policy was provided to show how policy is used to reduce risk associated with user access to information systems. An Enterprise Security Policy educates employees and business partners on appropriate system usage and explains the consequences of policy violation. In many cases, this type of policy may be the only security education an employee or business partner receives. Compliance with an Enterprise Security Policy will shore up the overall security posture of the Enterprise and provide a secure foundation for a Terminal Server environment.
Network topographies and infrastructure design play an important role with an Enterprise Architecture. Enterprise Security Architecture introduces Risk Management methodologies along with infrastructure design concepts, such as defense in depth, principle of least privilege, compartmentalization of information, security domains, trust levels and tiered networks. Enterprise Security Architecture design concepts allow organizations to implement the appropriate security controls from an infrastructure design perspective based on the sensitivity and criticality of users, information, applications and business processes.
The next section reviews defense in depth, principle of least privilege, compartmentalization of information and security domains.
Defense in Depth (DiD) was originally a military strategy used to delay rather than prevent an attack by using multiple layers of protection. The defense in depth strategy has been widely adopted in non-military applications, such as Enterprise security, by implementing multiple layers of techniques and technologies to secure assets. An example of using defense in depth in IT security is to use administrative and technical security controls, each of which utilizes layers of techniques and technologies to provide security.
One important aspect of defense in depth is a balanced focus on three primary elements:
- People
- Technology
- Operations
The people element of Defense in Depth focuses on the endorsement and understanding of the importance of information security by executive management and the value of an information security program. The technology element of Defense in Depth focuses on the technologies used to meet corporate security requirements. The operations element of Defense in Depth focuses on the processes used to ensure the security of information assets of the organization.
Previous chapters have explained how Enterprise security starts with the commitment of executive management and is followed by the development of policies that define roles, responsibilities and personal accountability. Enterprise Architecture and Enterprise Security Architecture used with a control framework encompass the people, technology and operations elements of the defense in depth strategy by providing multiple layers of security techniques and technologies.
The principle of least privilege was originally described 30 years ago as a design principle in a paper named “The Protection of Information in Computer Systems” by Jerry Saltzer and Mike Schroeder:
“f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide "firewalls," the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of "need-to-know" is an example of this principle.”
In terms of IT security, the principle of least privilege applies to users, applications and systems. Users should be granted the least privilege required to accomplish their jobs.
Applications should be granted the least privilege needed to perform their functions, and systems should be granted the least privilege necessary to fulfill their role in a larger network. The principle of least privilege is important for meeting integrity objectives. In spy and war movies, following the principle of least privilege is equivalent to operating on a “need to know” basis.
Compartmentalization of information is actually a subset of the principle of least privilege that focuses on information. Compartmentalization of information limits access to information to people with the “need to know” in order to perform certain tasks. With regard to infrastructure design with Terminal Server, compartmentalization of information is used to compartmentalize users, applications, data and information based on its sensitivity and criticality.
The principle of least privilege and compartmentalization of information are security controls that are used together with infrastructure design and Terminal Server to control access to applications, data and information based on its sensitivity, criticality and value.
Security Domains
Security domains allow organizations to segment their Enterprise network into discrete units. Each security domain will have its own policies that apply security controls based on the sensitivity, criticality and value of the information and systems in that security domain. Policies within the data/information architecture domain, specifically the Data/Information Classification and Categorization Policy, can provide guidance to determine the placement of systems, information and data into their respective security domain.
Tip: FIPS PUB 199, which is the “Standards for Security Categorization of Federal Information and Information Systems,” provides a formula to determine the security category of systems and can be used to determine within which security domain systems should reside.
Security Domain Classifications:
The classification of security domains is very similar to data classifications. Each infrastructure component will be classified and placed in its respective security domain. The majority of Enterprise networks can be separated into the following four security domains:
- Controlled: A controlled security domain is used to restrict access between security domains. A controlled security domain could contain groups of users with their network equipment or a demilitarized zone (DMZ) with a VPN, proxy and web servers.
- Uncontrolled: An uncontrolled security domain refers to any network not in control of an organization, such as the Internet.
- Restricted: A restricted security domain can represent an organization’s production network. Access is restricted to authorized personnel, and there is no direct access from the Internet.
- Secured: A secured security domain is a network that is only accessible to a small group of highly trusted users, such as administrators and auditors.
Figure 5.2 shows an Enterprise network divided into four separate security domains.
Figure 5.2 [image not reproduced]
Note: The space between each security domain specifies a firewall that clearly delineates each perimeter from the next.
Example Network Topologies
This section highlights the pros and cons of two network topologies that use the Enterprise Security Architecture design concepts just reviewed. The first example shows a segmented network connected to the Internet with a firewall. The second example differs from the first by using additional segmentation within the controlled and restricted security domains. These examples show how infrastructure design concepts with Terminal Server allow organizations to meet information security and regulatory requirements.
The network topology examples in this chapter do not include all possible situations. There are organizations that extensively segment their networks to meet business objectives and regulatory requirements. However, the design concepts discussed here can be translated to include other architectures and environments.
Example 1 shows a segmented network with three security domains connected to the Internet with a firewall. A firewall separates a controlled (DMZ) security domain from a restricted (production) security domain, and a router separates a controlled (intranet) security domain from the restricted security domain. Each security domain is a separate network segment. A firewall and router are used to filter network traffic between security domains.
Figure 5.3 shows Example 1.
Figure 5.3 [image not reproduced]
In Example 1, a router is placed between the intranet and production security domains to filter traffic between them. From a design perspective, there are many considerations with regard to traffic filtering between the intranet and production security domains. We will review two different approaches, one where the router allows a wide variety of traffic between security domains and the other using Terminal Server to limit traffic between security domains to a single port. The latter example illustrates how Terminal Server can be leveraged to reduce the number of open ports between security zones.
In Example 1, users access resources in the production security domain from domain member PCs. This approach requires a wide variety of ports to be open between security domains, allowing PCs to communicate with and receive resources from servers in the production security domain. In the example, services and resources, such as domain authentication, file, print, web, email and Terminal Server, are the services that require communication and open ports between security domains.
Table 5.1 shows the ports and services used in the first example.
Table 5.1

| Protocol | Service | Port | Description |
| --- | --- | --- | --- |
| TCP | RPC | 135 | Microsoft's RPC implementation runs over TCP port 135. RPC is used by a number of higher level protocols for their transport layer, such as by DCOM. |
| UDP | Domain | 53 | Domain Name Server (DNS). DNS servers offer different services on TCP and UDP. TCP is used for "zone transfers" of full name record databases, while UDP is used for individual lookups. Zone Transfers will provide an entire network map. |
| TCP | Domain | 53 | |
| UDP | Kerberos | 88 | Kerberos traffic uses UDP/TCP protocol source and destination port 88. It’s a default authentication protocol. |
| TCP | Kerberos | 88 | |
| UDP | netbios-ns | 137 | NetBIOS Name Service (NBNS) is also known as Windows Internet Name Service (WINS). |
| TCP | netbios-ssn | 139 | NetBIOS Session Service. The Session Service is used to handle NBT sessions. |
| TCP | microsoft-ds | 445 | SMB Direct. Since Windows 2000 Microsoft added the ability to run SMB directly over TCP/IP, without the extra layer of NBT. |
| TCP | LDAP | 389 | Lightweight Directory Access Protocol (LDAP), used by Active Directory, Active Directory Connector, and the Microsoft Exchange Server directory. |
| UDP | LDAP | 389 | |
| TCP | LDAP to Global Catalog | 3268 | LDAP to Global Catalog search communication. |
| TCP | POP3 | 110 | POP (Post Office Protocol) is used by mail clients to retrieve email. |
| TCP | HTTP | 80 | World Wide Web HTTP. Port 80 is the primary port used by the world wide web (www) system. |
| TCP | HTTPS | 443 | HTTP protocol over TLS/SSL. This port is used for secure web browser communication. |
| TCP | RDP | 3389 | Microsoft Remote Display Protocol. This port is used by Microsoft Terminal Services. |
This first example is a common topology in a Windows domain environment in which PCs are domain members, centrally managed by Active Directory and running locally installed client-server applications. This scenario adds risk because of the number of open ports between the production and intranet security domains, which could be used by viruses, worms or an intruder to compromise systems in either security domain. With this topology, most organizations run PC operating systems similar to those on their servers. A monolithic operating system approach, together with a wide range of open ports between network segments, introduces the risk that a PC virus or worm that is introduced in one security domain could spread to similar operating systems in other security domains.
The second example, as shown in Figure 5.4, uses Terminal Server as the primary application and data access solution. In this scenario, a router is used to filter network traffic between security domains, and Terminal Server is used to filter and monitor all application and data access. This configuration reduces the open ports between the intranet and production security domains to port 3389 for RDP traffic. Limiting the open ports between the intranet and production security domains to 3389 is an ideal solution in a thin client or unmanaged PC environment because the thin clients or PCs communicate directly with the Terminal Servers on port 3389. All access to applications and data can be rigorously audited from router and Terminal Server logs. Leveraging this configuration with Terminal Server reduces the number of open ports between security domains, which reduces the attack surface between security domains. This model is commonly referred to as a data center enclave, in which the production security domain is classified as secured rather than restricted. This model considers the intranet security domain as uncontrolled and treats all user access as remote access, similar to an Application Service Provider (ASP) or Software as a Service (SaaS) model.
Typically, organizations use a configuration somewhere in the middle of these two examples. They support managed domain member PCs in the intranet security domain with the minimum number of open ports between security domains needed to meet business requirements. Organizations that adopt a thin client model are able to limit traffic between the intranet and production domains to 3389, effectively creating a data center enclave.
Let’s shift focus from the router configurations between the intranet and production security domains and look at the overall design with regard to defense in depth, compartmentalization of information and network segmentation. The first example shows a segmented network with three security domains connected to the Internet with a firewall. From an infrastructure design perspective, the defense in depth strategy is implemented by using network segmentation. Network segmentation provides multiple layers of defense from a networking perspective, such as traffic filtering between security domains. With the addition of administrative and technical security controls, such as encryption, virus prevention and operating system hardening, defense in depth is demonstrated with multiple layers of security.
In terms of compartmentalization of information, the first example highlights design deficiencies in effectively compartmentalizing users, applications, data and information based on their sensitivity, criticality and value within a security domain. A design deficiency exists when a necessary control is missing or an existing control is not properly designed. A security breach or virus outbreak on any system in the intranet or production security domains will be challenging to isolate from other systems on the same network segment. For example, if a server in the production security domain is compromised, it could be used as a vector for attacks on other machines on the same network.
In terms of infrastructure design, the first example requires additional segmentation within the intranet and production security domains in order to provide compartmentalization of information. The lack of segmentation within the intranet and production security domains can be of particular concern for organizations that must comply with regulatory mandates like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley.
Example 2 differs from the first by using additional segmentation within the intranet and production security domains. This strategy allows compartmentalization of users, applications and data based on their sensitivity, criticality and value within a security domain. Each segment is on a separate isolated network and governed by its own policies that describe the security requirements of the isolated network. If a security breach or virus outbreak occurs on a system in one segment, it can be isolated within that segment of its security domain. Network segmentation is accomplished by using a firewall, router or VLAN to partition, control and monitor traffic between security domains.
Figure 5.4 shows Example 2. Each security domain is a separate network segment. A firewall and router are used to filter network traffic between security domains.
Figure 5.4 [image not reproduced]
Figure 5.4 shows the intranet security domain with three isolated segments. One segment is dedicated for the general office productivity population, the second for developers, and a third for the finance department. This strategy supports compartmentalization of information. For example, if a security incident such as a virus occurs in the general office productivity population, it would be easier to isolate within its security domain.
The production security domain has five isolated segments, and each segment is a separate isolated network. It contains a dedicated segment for the Terminal Servers, one each for email, mainframe and directory services, and one for the web, database and file servers. Segmentation allows for compartmentalization of resources along with the configuration of granular traffic filtering rules between segments and security domains. The design strategy shown in Figure 5.4 allows the implementation of the appropriate security control, such as encryption or logging, for each segment and security domain based on its sensitivity, criticality and value.
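As an added example (not the book's own tooling), the following Python models the two filtering designs of Examples 1 and 2 as rule sets and checks the properties the text argues for: how many Table 5.1 ports are open from the intranet into production, whether the design qualifies as a data center enclave (only TCP 3389 crossing), and which other segments a compromised host in one segment can still reach. The segment names and the placement of each Table 5.1 service in a production segment are assumptions made for the illustration.

```python
"""Model of the traffic-filtering rules between the security domains and
segments of Examples 1 and 2. Constructed example: the segment names, the
rule sets and the per-segment service placement are assumptions made here to
illustrate the text, not configuration from the book."""
from dataclasses import dataclass

# Services from Table 5.1 that a domain-member PC needs from production.
TABLE_5_1 = [
    ("tcp", 135, "RPC"), ("udp", 53, "Domain"), ("tcp", 53, "Domain"),
    ("udp", 88, "Kerberos"), ("tcp", 88, "Kerberos"), ("udp", 137, "netbios-ns"),
    ("tcp", 139, "netbios-ssn"), ("tcp", 445, "microsoft-ds"), ("tcp", 389, "LDAP"),
    ("udp", 389, "LDAP"), ("tcp", 3268, "LDAP to Global Catalog"),
    ("tcp", 110, "POP3"), ("tcp", 80, "HTTP"), ("tcp", 443, "HTTPS"),
    ("tcp", 3389, "RDP"),
]


@dataclass(frozen=True)
class Rule:
    """One permit entry on the router/firewall between two segments."""
    src: str    # source segment, e.g. "intranet" or "intranet/finance"
    dst: str    # destination segment
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Example 1: flat intranet and production domains; every Table 5.1 service
# is opened so that domain-member PCs can reach the production servers.
EXAMPLE_1 = frozenset(Rule("intranet", "production", p, port)
                      for p, port, _ in TABLE_5_1)

# Example 2 (data center enclave): the three intranet segments reach only the
# Terminal Server segment, on TCP 3389; the Terminal Servers in turn reach the
# other production segments for the services they consume on the user's behalf
# (assumed placement of services in segments).
INTRANET_SEGMENTS = ("intranet/office", "intranet/developers", "intranet/finance")
DIRECTORY_PORTS = {53, 88, 135, 389, 445, 3268}
EXAMPLE_2 = frozenset(
    [Rule(seg, "production/terminal", "tcp", 3389) for seg in INTRANET_SEGMENTS]
    + [Rule("production/terminal", "production/directory", p, port)
       for p, port, _ in TABLE_5_1 if port in DIRECTORY_PORTS]
    + [Rule("production/terminal", "production/email", "tcp", 110),
       Rule("production/terminal", "production/web-db-file", "tcp", 80),
       Rule("production/terminal", "production/web-db-file", "tcp", 445)]
)


def in_domain(segment, domain):
    """True if `segment` is `domain` itself or a segment carved out of it."""
    return segment == domain or segment.startswith(domain + "/")


def allowed(rules, src, dst, proto, port):
    """Is a flow permitted? Traffic inside one segment is never filtered,
    which is exactly why a flat domain cannot contain an outbreak."""
    if src == dst:
        return True
    return Rule(src, dst, proto, port) in rules


def open_ports(rules, src_domain, dst_domain):
    """Set of (proto, port) pairs open from one domain into another,
    aggregated over all segments of each domain."""
    return {(r.proto, r.port) for r in rules
            if in_domain(r.src, src_domain) and in_domain(r.dst, dst_domain)}


def is_enclave(rules, src_domain="intranet", dst_domain="production"):
    """The chapter's enclave criterion: only RDP (TCP 3389) crosses the boundary."""
    return open_ports(rules, src_domain, dst_domain) == {("tcp", 3389)}


def reachable_from(rules, segment):
    """Other segments a host in `segment` can open a connection to: the
    blast radius a design reviewer expects segmentation to shrink."""
    return {r.dst for r in rules if r.src == segment and r.dst != segment}


if __name__ == "__main__":
    for name, rules in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        ports = open_ports(rules, "intranet", "production")
        print(f"{name}: {len(ports)} port(s) open intranet->production, "
              f"enclave={is_enclave(rules)}")
    print("finance segment reaches:", reachable_from(EXAMPLE_2, "intranet/finance"))
```

Running it reports 15 open ports and no enclave for Example 1, one open port and an enclave for Example 2, and that a host in the finance segment of Example 2 can reach only the Terminal Server segment.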
This chapter discussed Enterprise Security Architecture and introduced an example Risk Assessment Policy and Enterprise Security Policy. The chapter concluded with Enterprise Security Architecture infrastructure design concepts.
Enterprise Security Architecture
- Enterprise Security Architecture introduces Risk Management techniques, methodologies and practices.
- Enterprise Architecture provides the foundation to develop and deploy technologies while Enterprise Security Architecture is used as a guideline in making strategic, architectural security decisions.
- Defense in Depth (DiD) was originally a military strategy used to delay rather than prevent an attack by using multiple layers of protection.
- The principle of least privilege applies to users, applications and systems. Users should be granted the least privilege required to accomplish their jobs. Applications should be granted the least privilege needed to perform their functions, and systems should be granted the least privilege necessary to fulfill their role in a larger network.
- Compartmentalization of information limits access to information to those people with the “need to know” in order to perform certain tasks.
- In regards to infrastructure design with Terminal Server, compartmentalization of information is used to compartmentalize users, applications, data and information based on its sensitivity and criticality.
- Security domains allow organizations to segment their Enterprise network into discrete units. Each security domain will have its own policies that apply security controls based on the sensitivity, criticality and value of the information and systems in a security domain.
The next chapter will provide an overview of physical and environmental security. Chapter 6 will explain the necessity of physical security in terms of protecting the confidentiality, integrity, and availability of an organization’s assets.
Resources:
- The SANS Policy Project
- Enclave STIG, V3R1
- NSA, Defense in Depth: http://www.nsa.gov/snac/support/defenseindepth.pdf#search=%22Defense%20in%20Depth%22
- Needed: an Enterprise Security Architecture: http://www.networkworld.com/columnists/2006/050806minoli.html?prl
- Saltzer and Schroeder, The Protection of Information in Computer Systems: http://www.cs.virginia.edu/~evans/cs551/saltzer/