Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
Sentinel Prescribes An Upgraded Collaboration Solution For A Healthcare Customer
A healthcare organization was running older, unsupported communication and collaboration software in its environment, which exposed it to security and other organizational risks. Out of an abundance of caution, and wanting to expand the adoption and use of collaboration applications across the organization, it engaged Sentinel on a project consisting of upgrades to its Cisco Unified Communications platforms, upgrades to designated third-party applications, upgrades to the VMware host environments supporting those platforms and applications, integration with Microsoft Active Directory, and adoption of Cisco WebEx Meetings through a hybrid integration with the upgraded Cisco UC. These upgrades and enhancements took place on host systems located in an on-premises data center and in Sentinel’s CloudSelect C3 environment, and through integrations with Cisco’s cloud-based services. They affected every handset and connected device across the organization’s Unified Communications & Collaboration network.
The components below were deployed by the Sentinel team to upgrade the healthcare organization’s Cisco Unified Communications platform to Version 12.5:
+ Upgrade Cisco CallManager (CUCM) environment to Version 12.5(1)SUx
+ Upgrade Cisco Instant Messaging and Presence (IM&P) environment to Version 12.5(1)SUx and add High Availability to the environment
+ Upgrade Cisco Unity Connection to Version 12.5(1)SUx
+ Upgrade Cisco Emergency Responder (CER) to Version 12.5(1)SUx
+ Upgrade Cisco Unified Contact Center Express (UCCX) to Version 12.5(1)
+ Migrate Agents to Finesse and Cisco Unified Intelligence Center
+ Upgrade Cisco / Calabrio Advanced Quality Management (AQM) to Version 11.5(1)
  + Upgrade the AQM Windows Servers to 2012 R2
  + Upgrade SQL Server to Version 2014
+ Upgrade Cisco Unified Attendant Console applications
  + Upgrade the Attendant Console servers to Microsoft Windows Server 2016
  + Upgrade the Attendant Console application to Version 12
+ Install Cisco Expressway Core and Edge Servers, Version 12.5.7 as new virtual servers
+ Implement Cisco Mobile Remote Access (MRA)
+ Implement Uniform Resource Identifier (URI) for B2B Calling
The Sentinel team performed the following upgrades to, and installation of, supporting hardware components in the healthcare organization’s environment:
+ Upgrade Cisco IOS on ISR Voice Router hardware
  + These devices support local PSTN and SRST connections
  + Upgrade six (6) ISR Voice Routers to the latest version of Cisco IOS
  + Upgrade three (3) End-of-Life ISR Voice Routers to the latest version of IOS supported on those devices. These End-of-Life routers were not replaced as part of this project, but Sentinel recommended they be replaced in the future.
+ Upgrade Cisco IOS on existing VG Analog Gateway hardware
  + Upgrade sixty-one (61) VG Analog Gateways to the latest version of Cisco IOS
+ Upgrade Singlewire InformaCast Paging System to Version 12
+ Upgrade Software/Firmware on all Cisco Phones to latest version supported by the Phone Model. Any phones that do not support the latest version will be targeted for replacement in the future.
+ Installation and configuration of two (2) Cisco DX80 video desktop units
+ Firmware / Application Upgrades to third-party devices registered to Cisco CallManager (as required to support connectivity to upgraded environment)
The items below were components deployed by Sentinel to help the healthcare organization expand their Cisco Meeting, Collaboration, and Mobility applications:
+ Initial Migration of Cisco WebEx Licensing
+ Configuration and On Boarding of Cisco WebEx Control Hub
+ Migration from legacy Cisco WebEx Administration to Cisco WebEx Control Hub
+ Migration of end-user devices to new Cisco WebEx subscription
+ Implementation of Context-Based User Integration into Cisco UCC Environments
+ Implementation of Microsoft Active Directory Integration to WebEx Hybrid Directory
+ Implementation of Microsoft Azure Active Directory Integration (ADFS) to WebEx Hybrid Directory
+ Implementation and configuration of Single Sign-On for WebEx Services
+ Implementation of Cisco CallManager LDAP Integration
+ Implementation of Cisco Unity Connection LDAP Integration
+ Implementation and deployment of Cisco Jabber Desktop and Mobile Application
+ Implementation and configuration of Cisco WebEx Applications
+ Implementation and configuration of Cisco WebEx Meetings
+ Implementation and configuration of Cisco WebEx Teams
+ Implementation and configuration of Hybrid Calling Service
+ Implementation and configuration of Hybrid Calendar Service
+ Implementation and configuration of Hybrid Directory Service
The project scope included a combination of user training and knowledge transfer between Sentinel and members of the healthcare organization at various times throughout the project, which were detailed as follows:
+ Contact Center Training
  + Sentinel conducts “Train-the-Trainer” services related to Contact Center components - Cisco Finesse and Calabrio
+ Cisco Jabber Training & Knowledge Transfer
  + Sentinel conducts training for the five (5) user pilot group on the use of Cisco Jabber
  + Sentinel provides a documented procedure (knowledge transfer) for deployment of Cisco Jabber
+ Cisco WebEx Services Communications Plan
  + Sentinel supports the customer’s development of end-user training materials and of the communications plan detailing the use of, and enabling the adoption of, Cisco WebEx Services
Once this project with Sentinel had been completed and deployed, the healthcare customer was able to:
+ Eliminate organizational risk associated with supporting older versions of software
+ Eliminate security risks associated with supporting the older versions of software
+ Expand the adoption and use of collaboration and mobility applications
A Financial Services Company Invests In A Security Upgrade With Sentinel
A financial institution was using obsolete perimeter network firewalls in a pair of their data centers, which were in desperate need of an upgrade. In addition to the firewall refresh, the customer wanted to add other security capabilities to their data center locations, including advanced intrusion prevention (IPS), SSL decryption for inspection of traffic, DoS (denial of service) prevention, and web application firewalling.
The financial institution also had other network security products in production that were either end of life/end of support or in need of support renewals and/or upgrades. They decided to consolidate some of these products and capabilities to help improve the overall security and management of the organization.
Sentinel engineers were engaged to refresh the firewalls at both the production and DR data centers. This included both externally facing firewalls as well as virtual internal firewall systems.
Sentinel’s Advisory team worked with the customer’s security and IT teams to create a detailed blueprint design document and testing plan for the deployment. The initial blueprint was based on the financial institution’s existing firewall services. This engagement also added a number of new services not previously deployed that required complete planning and design.
+ Analyze the current environment to make sure it is ready for infrastructure implementation.
+ Engage with the customer’s team to collaborate on technical and policy requirements for the new security systems deployment, including:
  + Firewall policy requirements (Advisory)
  + Firewall services – based on existing
  + Intrusion Prevention Services (IPS) – new added capability
    + External IPS
    + Internal third-party virtual IPS
  + Denial of Service (DoS) prevention
  + URL filtering – using the existing filtering services, policy, and reporting as a baseline
  + Anti-malware prevention services (AMP) – new service
  + Web application firewall services (WAFS) – new service
    + Note that Sentinel required the involvement of the application team to work with Sentinel and Radware on this component
  + Redundancy and DR of Firepower VMs and FMC
    + VMware redundancy and failover
    + Backup copy process/script or other means to protect the virtual FMC at the DR site
+ Develop specific requirements and a design, and then produce a use-case-specific blueprint document based on the customer discussions.
Sentinel provided Advisory services consulting for the deployment. This included time to work with the customer’s security team on creating the optimal setup for existing and new services that closely adhered to the security policies and standards of the organization. Sentinel documented these standards for the project engineering team to set up during the deployment of these services. When applicable, existing systems were reviewed for configuration and formed a baseline for how the new services would be configured. Since many new services were included as part of this deployment, including web application firewalls, IPS, and anti-malware, Sentinel’s Advisory team collaborated with the customer’s security team to clearly define the policy and business outcome expectations for these enhanced security solutions.
Advisory services also performed a small assessment on the new perimeter and third party internal firewalls. This included testing the policy to check if enforcement functioned as expected, along with a brief summary report of the findings. Sentinel provided time for the final testing and report.
Firepower Threat Defense
Sentinel deployed Firepower Threat Defense (FTD) based on the Advisory policy recommendations and the design blueprint. The design accommodated compliance-related services and policy setup in support of these requirements where applicable. The following was deployed:
+ Firepower Management Center (FMC) virtual appliance
  + Deployed on the customer’s VMware
  + Logs integrated with either HP ArcSight or, if contracted, Sentinel SECaaS Managed SIEM
  + Ready to manage Firepower physical and virtual instances
+ Firepower Appliances
  + Production pair of FTD appliances in high availability
  + DR single FTD with the same or a similar policy as production
  + Policy on the perimeter firewalls in line with the Advisory-recommended policies and in support of compliance services
+ (2) virtual appliances to protect each third-party provider connected to the network
  + Segmentation of each provider was planned via VLAN, using sub-interfaces on the single FTDs
  + Sentinel assumed the same or very similar policies would be applied to each of the third-party providers
+ AMP anti-malware
  + Assure this is in place and operational
  + Set up AMP inspection policies per planning
  + Confirm AMP operations
+ URL Services
  + Based on the current URL filtering and reporting
  + Set up for production and DR
+ SSL decryption policy
  + Deployment with hardware acceleration (a capability of newer FTD versions)
  + Set up SSL policies for traffic inspection
  + Testing of SSL decryption
  + Measurement of the amount of SSL traffic and the resulting load on the firewalls
+ VPN services
  + Set up VPN services for remote access
  + Assumes multi-factor integration with Cisco Duo or another provided/compatible multi-factor solution
  + The deployment of a multi-factor authentication system was NOT part of this engagement and required a separate deployment.
+ Automated copy or replication services to DR
+ VMware redundancy of FTDs and FMCs within the data center(s)
The customer significantly hardened their security posture by upgrading their firewalls, deploying new services within their environment, optimizing policies and settings, as well as taking advantage of the advanced features and management provided by Cisco’s Firepower solution.
Large School District Chalks Up A Major Security Upgrade With Sentinel
One of the largest high school districts in the country worked with Sentinel to implement basic Network Admission Control (NAC) services using Cisco Identity Services Engine (ISE) and a next-generation firewall (NGFW). These basic services included network device authentication (AAA), 802.1X/RADIUS authentication for Cisco wireless networks, a guest wireless portal and sponsor portal for the personal devices of students and staff, Cisco Umbrella DNS-layer security, and remote access authentication for the Cisco AnyConnect Secure Mobility VPN Client.
The district had a myriad of different devices and users accessing its networks via switches, wireless access points, and VPNs. It was looking to implement a one-to-one device solution and provide secure access for all 30,000 students and staff on the district network, using Cisco ISE features to consolidate access policies across the district while increasing security for both on-premises and remote students and staff.
Cisco ISE enables organizations to set policies for controlling access to corporate network infrastructure through the use of contextual information such as device type, endpoint configuration (posture), location, media access control address, user role or user identity, and more. This contextual information is then used to establish post-connect controls on endpoints such as laptops, workstations, mobile phones, tablets, printers, cameras, and Internet of Things (IoT) devices.
Key features of Cisco ISE include (but are not limited to) the following:
+ Centralized Management – administrators can centrally configure and manage user profiles, posture, guests, authentication, and authorization services in a single web-based GUI console.
+ Contextual Identity and Business Policy - a rule-based, attribute-driven policy model for flexible and business-relevant access control policies. Includes attributes such as user and endpoint identity, posture validation, authentication protocols, device identity, and other external information.
+ Access Control - a range of access control options, including downloadable Access Control Lists (dACLs), virtual LAN (VLAN) assignments, URL redirections, named ACLs, and security group ACLs
+ AAA Services – standard RADIUS protocols for Authentication, Authorization, and Accounting. Supports a wide range of authentication protocols, including but not limited to PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), EAP-Transport Layer Security (EAP-TLS), and EAP-Tunneled Transport Layer Security (EAP-TTLS).
+ Internal Certificate Authority – an internal certificate authority. Provides a single console to manage endpoints and certificates.
+ Device Discovery and Profiling – determines device type, device manufacturer and operating system information by inspecting packets that are sent by these devices in the network.
+ Endpoint Posture Service – endpoint compliance security posture checks to determine OS versioning and patch level, anti-virus/endpoint protection version, and OS updates.
+ Guest Lifecycle Management – a streamlined experience for implementing and customizing guest network access. Support is built in for hotspot, sponsored, self-service, and other guest access options.
+ Security Product Integration – bi-directional integration with other security products.
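ISE’s AAA services sit on top of RADIUS, and the protocol’s own protections are worth seeing concretely. The following Python is an added example, not part of the case study and not Cisco or ISE code: it builds a PAP Access-Request as RFC 2865 specifies (User-Password hidden with an MD5 keystream seeded by the Request Authenticator and the shared secret), appends the RFC 2869 Message-Authenticator HMAC, and then performs the server-side checks. The shared secret, user name, password and NAS address are made-up values; only the standard library is used.

```python
"""RADIUS Access-Request with PAP (RFC 2865) and Message-Authenticator (RFC 2869).
Added example with constructed values; not code from Cisco ISE or from the case study."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869
HEADER_LEN = 20                   # Code, Identifier, Length, 16-byte Authenticator


def _attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; Length includes the two header bytes."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block   # the next mask is keyed on the ciphertext block just produced
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server does, needing only the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")   # strips the padding (and any genuine trailing NULs)


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """Build a PAP Access-Request whose last attribute is a Message-Authenticator over the whole packet."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable: it seeds the password keystream
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()   # computed with the MA value zeroed
    return packet[:-16] + mac


def parse_attributes(packet):
    """Yield (type, offset, value) per attribute, rejecting lengths that run past the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length field")
    offset = HEADER_LEN
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute")
        yield attr_type, offset, packet[offset + 2:offset + attr_len]
        offset += attr_len


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute HMAC-MD5 with the MA value zeroed and compare in constant time."""
    for attr_type, offset, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # no Message-Authenticator present: treat the request as unauthenticated


def recover_password(packet, secret):
    """Server-side decode of User-Password using the packet's own Request Authenticator."""
    authenticator = packet[4:20]
    for attr_type, _, value in parse_attributes(packet):
        if attr_type == ATTR_USER_PASSWORD:
            return unhide_password(value, secret, authenticator)
    return None


if __name__ == "__main__":
    secret = b"example-shared-secret"   # assumption: the NAS/ISE shared secret (constructed)
    pkt = build_access_request(7, b"jdoe", b"s3cret-pass", "192.0.2.10", secret)
    print(pkt.hex())
    print(verify_message_authenticator(pkt, secret), recover_password(pkt, secret))
```

Two points follow directly from the code. The User-Password hiding is an MD5 keystream keyed only on the shared secret, so anyone who holds or guesses that secret recovers PAP credentials from captured traffic; the strength of the secret and the transport (an isolated management network or RADIUS over TLS) are what protect PAP, whereas the EAP methods in the list above carry the credential inside a TLS tunnel instead. The Message-Authenticator is the only integrity check on an Access-Request, which is why a server should be configured to require it.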
Strategy / Approach
The rapid increase in the number of bring-your-own devices, guest access requirements, vendor access requirements, and IoT devices has significantly expanded the overall attack surface. This has fueled demand for NAC products in medium-to-large organizations as a way to mitigate the greater risk. The effectiveness of NAC products has also grown through integration with next-generation firewalls, threat detection software, endpoint protection software, SIEM, and mobile device management software.
The design and rollout of NAC products such as Cisco ISE can be a daunting task considering that the implementation of NAC technology touches virtually every element of a network, including switching, firewalls, endpoint protection, PKI, and user directory. Moreover, larger enterprise networks have significantly more devices and networks to secure. Because of these challenges, Sentinel worked with the client and their network security staff to design and implement these new ISE features in a multi-phased approach. This multi-phased approach allowed the school district and Sentinel to work through any Cisco ISE implementation-related issues and tuning before moving on to the next phase.
At a high level, Sentinel broke this engagement up into three separate phases, as follows:
Phase I: Cisco ISE Software Install – During this phase, the district’s ISE nodes were installed by Sentinel.
The distributed deployment consisted of nine (9) Cisco Identity Services Engine nodes running as virtual machines in the district’s existing Hyper-V virtualization environment. The ISE personas across these nodes were as follows:
+ (9) ISE Policy Service Nodes
+ (2) ISE Administration Nodes (primary and secondary)
+ (2) ISE Monitoring Nodes (primary and secondary)
Phase II: Discovery and Wireless True-up – During this phase, an overall access and security policy was developed jointly with the school district and Sentinel. Adjustments to consolidate the wireless access policies were made in accordance with the overall agreed-upon access policy and design.
Phase III: VPN Authorization and Client Posturing – During this phase, VPN authorization was added to leverage the existing Cisco ISE implementation. This modified policy included device posturing to ensure endpoints had appropriate characteristics such as antivirus/anti-malware, OS versions, etc.
As a result of this project, the district increased security for all on premise and remote users across their network by implementing consolidated, enterprise-wide access policies.
A Town Migrates Their Phone System to Cisco Voice
As a suburban town was preparing to enter a new era of growth and innovation, they sought to upgrade their phone system to support their current and future needs. They wanted the ability to separate resources in a virtual environment, and to deploy third party applications for a variety of purposes. The increase in employees working remotely also led to a desire for single number reach so everyone would be easier to contact without being forced to call multiple numbers.
The town had an aging digital and IP Avaya phone system located on two PRIs (Primary Rate Interfaces) that terminated in their main data center. Some of the phones had reached end of support and it was costly to replace them with IP phones, while other phones on the system required extensive infrastructure maintenance and support with software and security patches. In order to avoid further expenses to maintain an outdated system, the town decided to migrate their phones and three contact centers from the Avaya infrastructure to a new Cisco Unified Communications platform.
There were a number of features the town wanted to include with the migration to the new platform. Their existing PRIs needed to be shifted to a Session Initiation Protocol (SIP) system, with routers placed in the primary and secondary data centers to provide carrier redundancy. Additionally, the town sought to expand their remote work capabilities so employees could operate from just about any location, and use cell phones or other devices with applications to easily stay in communication with one another. They were also eager to deploy single number reach in their environment, which would simplify calling between employees by letting them dial one number and have it ring on all their devices. Lastly, the town aimed to reduce the number of applications in use by adopting one to manage both voice messages and emails.
Sentinel’s solution was a full Cisco VoIP deployment using industry standards to include the following Cisco software solutions:
+ Communications Manager – 1 Publisher, 2 Subscribers and 2 TFTP Servers
+ Unity Connection – 2 HA Servers
+ IM and Presence – 2 HA Servers
+ Unified Contact Center Express – 2 HA Servers
+ Cisco Expressway Servers – 2 Expressway-C servers and 2 Expressway- E Servers
+ Emergency Responder – 2 HA Servers
Cisco Unified Communications combines the flexibility and convenience of mobile communications with the secure, managed benefits of Cisco IP communication. The proposed solution included:
+ Single number reach. This solution gives users the ability to direct incoming calls to ring on multiple devices as well as the Jabber phone or desk phone, thus providing a single number for callers to reach the user. This extends the call control of Cisco Communications Manager from a mobile worker’s primary workspace phones to any location or device.
+ Single Inbox. This solution gives the users the ability to have a single pane to see all digital communication, including email and voicemail messages. This also enables the mobile worker to check voicemail from a mobile device connected to the customer network without requiring additional applications on the phone.
+ Cisco Instant Messaging and Presence (Cisco Jabber). This solution is a desktop, laptop, and cell phone application that transparently integrates a wide variety of communications channels and services such as voice, instant messaging, voicemail, presence, web conferencing, and video from a single multimedia interface on your device in order to simplify communication and collaboration.
+ Dual-Mode Phones. These devices function as enterprise IP phones on campus or remotely connected through the Cisco Expressway. They typically provide a wide variety of smartphone capabilities, including group calling, call transfer, paging, and other personal digital assistant features.
+ Cisco Expressway. This solution allows remote workers to connect Cisco IP phones as well as Cisco Voice applications without using VPN. This enables employees to work in any location with WAN access. Expressway functions as a secure gateway, allowing access to the voice systems from anywhere without special software on the user’s devices.
+ Cisco Emergency Responder. This solution allows phones to be identified with location accuracy based on their IP address. This assists 911 dispatchers, first responders, and local personnel as they attempt to quickly respond to emergency events. In addition, it allows for record keeping of calls and gives authorized personnel the ability to add notes for a specific incident as needed (Note: this ability to update records is not a replacement for proper record keeping).
+ Cisco Unified Contact Center Express. This solution helps organizations deliver a connected digital experience, enabling contextual, continuous, and capability-rich journeys across time and channels. This easy-to-deploy and easy-to-use solution supports up to 400 agents. Secure and highly available, it supports powerful agent-based services and fully integrated self-service applications, including Automatic Call Distributor (ACD), Interactive Voice Response (IVR), Computer Telephony Integration (CTI), digital channels including email and chat, as well as customer experience management tools.
+ Cisco Finesse Desktop. This solution is a next-generation agent and supervisor desktop embedded within Cisco Contact Center Express. It includes an intuitive, easy-to-use design to help improve the performance of customer care representatives and enhance customer service.
The Sentinel team was able to implement the solution, allowing the town to utilize remote workers more efficiently as well as provide a streamlined support structure for their phone system and unified communications platform.
About Sentinel Collaboration Solutions
Sentinel’s Collaboration offerings are designed to handle today’s complex business and IT landscape, closely engaging with your organization to develop and implement a comprehensive voice strategy suited to your company’s unique needs. Our collaboration portfolio includes:
+ Unified Communications
+ Unified Contact Center
+ Mobility Solutions
+ Conferencing Solutions
+ Video Collaboration
+ Managed Services 24x7x365 Monitoring
+ Application Security
+ Identity Access & Endpoint Security
+ Network & Perimeter Security
+ Physical Security
Sentinel Gives A School District Extra Credit for Upgrading and Expanding Their Cisco UC Solution
A medium-sized school district had largely ignored their existing phone system and collaboration platform, not making any changes or upgrades for several years. As a result, those pieces of their environment became outdated and reached end of support. It was also discovered that two schools were operating on an antiquated Toshiba phone system. The district decided it was time to invest in a next generation solution that made communication and staff collaboration much more robust and could quickly alert staff and authorities during emergency situations.
In addition to an upgrade of the district’s phone system, Sentinel also deployed Cisco Unified Communications technologies including Presence and Expressway to further enhance their collaboration capabilities. The new phone system also enabled each school to connect with its overhead paging system as well as trigger emergency alerts with the push of a button. These features had not been available at any school in the district prior to the upgrade.
The software and hardware of the district’s Cisco phone system had reached end of support, which meant new licenses and handsets could not be purchased and they were unable to expand the system to include additional schools. If a hardware issue were to occur involving the servers, it would be particularly difficult to obtain the parts necessary to restore service.
Furthermore, many schools in the district expressed frustration at the inability to access overhead paging systems from their phones. Each school only had a single paging station used by the front office.
The district also had no real E911 solution. Emergency dispatchers only received the main phone number and street address for the school that placed the 911 call, meaning there was no way to send responders to a specific location inside these large buildings or place a call back to the exact user that made the 911 call.
Lastly, the district needed a way to quickly and easily send broadcast alerts to school faculty and administration in the event of an emergency.
Sentinel deployed a comprehensive Cisco Unified Communications system on a pair of medium density Business Edition 6000 servers. The solution included the following applications:
+ IM and Presence
+ Expressway Core and Edge
+ Singlewire InformaCast Fusion
Some of the features and technologies in the proposed solution included:
+ Cisco 7800 Series IP phones were deployed to the two schools still using the old Toshiba phone system. This allowed all schools within the district to place calls using internal extensions. IP phones already in place at the other schools and integrated with the previous Cisco system were left in place to reduce cost.
+ Unity Connection was integrated with the district’s on-premises Microsoft Exchange server to enable Unified Messaging. This allowed users to listen to, respond to, and delete voicemails from their PC or mobile device through their email client.
+ Cisco Instant Messaging and Presence servers were installed to provide instant messaging and presence status to school staff via the Jabber client. The Jabber for Windows client was deployed to staff desktops, and users could also install Jabber for iPhone or Android on their mobile devices.
+ Cisco Expressway Edge and Core servers were added to provide phone registration, instant messaging, and presence to Jabber and other Cisco endpoints over the internet without a VPN connection. This allowed employees to collaborate from home or on the road just as if they were at their desk.
+ Cisco Emergency Responder was deployed for E911 services. It created zones within each building to provide more specific locations to the 911 dispatch center, and alerts notified on-site security personnel whenever emergency calls were placed. A tracking feature automatically placed phones in the correct zone when they were moved to a different location. This brought the schools into compliance with Kari’s Law and Ray Baum’s Act.
+ Singlewire InformaCast Fusion is a hybrid cloud-based mass notification system. It creates alerts for emergency situations such as an active shooter, a building evacuation, or severe weather. Alerts can be triggered via panic buttons on all IP phones, a web page, or a mobile app. Mass notifications were sent as audio broadcasts to Cisco IP phones, SMS text messages to mobile devices, and emails. A virtual Fusion appliance was installed to integrate with Unified Communications Manager, and InformaCast hardware appliances were deployed to each school for remote survivability.
+ Cisco ATAs were installed to integrate each school’s overhead paging system with the Unified Communications system. This allowed users to access the paging system from any Cisco IP phone and enabled InformaCast to broadcast alerts through the overhead paging systems.
+ Barionet 50 door controllers were installed and integrated with InformaCast. These controllers were connected to door sensors at each school, allowing district security staff to receive alerts whenever doors were opened or closed after hours.
The Sentinel team was able to deliver the exact solution the customer was looking for. Products such as Instant Messaging & Presence, along with Expressway, enhanced employee collaboration whether they were at school or at home.
Emergency Responder and InformaCast Fusion improved the district’s ability to alert staff and authorities to emergency situations, greatly increasing the safety of students, faculty, and staff.
The Benefits of AWS Route 53
Sentinel Technologies focuses on providing valuable solutions to our customers that optimize their technology environments. Recently Sentinel has helped several customers consolidate and simplify their public (authoritative) domain name system (DNS) hosting using Amazon Web Services (AWS) Route 53. Organizations often have multiple domain names to facilitate access to their services. Each domain name must be registered and carries records that need to be maintained. For example, Sentinel has registered the sentinel.com domain, and a number of additional records are associated with it. Route 53 answers DNS queries for an organization’s infrastructure elements running both inside and outside of the AWS cloud.
MJ Holding Company is the largest North American distributor of trading cards. They maintain multiple public domain zones for internal and client services. Sentinel worked with MJ Holding to facilitate the consolidation and migration of multiple DNS hosting and registrar services to AWS Route 53. This created a simpler experience for the ongoing management of their public DNS functions and enabled them to take advantage of numerous integrations with other AWS products.
AWS Route 53 is a foundational component that many other AWS products depend on. It is so essential that its service level agreement (SLA) commits to 100% availability. Route 53 also integrates with other AWS products for additional benefits: static web pages can be hosted in Simple Storage Service (S3) and served over Transport Layer Security (TLS) with certificates from AWS Certificate Manager through the CloudFront Content Delivery Network (CDN), and dynamic web services like WordPress can be hosted in Lightsail, the AWS Virtual Private Server (VPS) product.
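The step in a migration like this that cannot be undone quickly is changing the NS delegation at the registrar, since resolvers cache the parent zone’s NS records for their full TTL. A practitioner therefore wants proof that the new hosted zone answers identically before the delegation moves. The Python below is an added example, not part of Sentinel’s or MJ Holding’s work: it parses a simple one-record-per-line zone export from the legacy provider, indexes Route 53 record sets in the shape that list_resource_record_sets returns, and reports what is missing, differs, or needs manual verification. Every name, address and record in it is constructed (example.com and the 203.0.113.0/24 range are documentation values), and only the standard library is used.

```python
"""Pre-cutover comparison of a legacy public zone against its Route 53 copy.
Added example with constructed data; not Sentinel or AWS code."""
from collections import defaultdict

# Constructed sample: a BIND-style export of the legacy zone (not real records).
LEGACY_ZONE = """\
$ORIGIN example.com.
$TTL 300
@        IN SOA   ns1.legacy-dns.net. hostmaster.example.com. ( 2024010101 3600 600 86400 300 )
@        IN NS    ns1.legacy-dns.net.
@        IN NS    ns2.legacy-dns.net.
@        IN A     203.0.113.10
www      IN A     203.0.113.10
mail 3600 IN A    203.0.113.25
@        IN MX    10 mail.example.com.
@        IN TXT   "v=spf1 mx -all"
api      IN CNAME api-lb.example.net.
"""

# Constructed sample in the shape of route53 list_resource_record_sets output.
# Note: Route 53 returns special characters in names octal-escaped (e.g. \\052 for *); unescape before comparing.
ROUTE53_RECORD_SETS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-123.awsdns-15.com."}, {"Value": "ns-456.awsdns-56.net."}]},
    {"Name": "example.com.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-123.awsdns-15.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "example.com.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "www.example.com.", "Type": "A",   # alias to CloudFront; Z2FDTNDATAQYW2 is CloudFront's fixed alias zone id
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2", "DNSName": "d111111abcdef8.cloudfront.net.", "EvaluateTargetHealth": False}},
    {"Name": "mail.example.com.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "203.0.113.25"}]},
    {"Name": "example.com.", "Type": "MX", "TTL": 300, "ResourceRecords": [{"Value": "10 mail.example.com."}]},
    {"Name": "example.com.", "Type": "TXT", "TTL": 300, "ResourceRecords": [{"Value": "\"v=spf1 mx -all\""}]},
]

# Route 53 assigns its own NS and SOA to every hosted zone, so the apex copies are never comparable.
APEX_MANAGED = {"NS", "SOA"}


def _fqdn(name, origin):
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone_file(text):
    """Return {(fqdn, type): (ttl, frozenset(rdata))} from a one-record-per-line zone export.
    Handles $ORIGIN, $TTL, optional per-record TTL and ';' comments; rdata is whitespace-normalised."""
    origin, default_ttl = ".", 3600
    records = defaultdict(lambda: [None, set()])
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        name, i, ttl = tokens[0], 1, default_ttl
        if tokens[i].isdigit():
            ttl, i = int(tokens[i]), i + 1
        if tokens[i].upper() == "IN":
            i += 1
        rtype, rdata = tokens[i].upper(), " ".join(tokens[i + 1:])
        entry = records[(_fqdn(name, origin), rtype)]
        entry[0] = ttl if entry[0] is None else min(entry[0], ttl)
        entry[1].add(rdata)
    return {k: (v[0], frozenset(v[1])) for k, v in records.items()}


def index_route53(record_sets):
    """Return ({key: (ttl, values)}, {alias keys}) from list_resource_record_sets-style dicts."""
    plain, aliases = {}, set()
    for rrset in record_sets:
        key = (rrset["Name"].lower(), rrset["Type"].upper())
        if "AliasTarget" in rrset:
            aliases.add(key)   # resolved by Route 53 at query time; nothing static to compare
            continue
        plain[key] = (rrset["TTL"], frozenset(rr["Value"] for rr in rrset["ResourceRecords"]))
    return plain, aliases


def diff_zones(legacy, route53, aliases, apex):
    """Classify every legacy RRset against the Route 53 zone; apex NS/SOA are skipped on both sides."""
    report = {"missing": [], "extra": [], "ttl_mismatch": [], "value_mismatch": [], "alias_only": []}
    for key, (ttl, values) in sorted(legacy.items()):
        name, rtype = key
        if name == apex and rtype in APEX_MANAGED:
            continue
        if key in aliases:
            report["alias_only"].append(key)
        elif key not in route53:
            report["missing"].append(key)
        else:
            r_ttl, r_values = route53[key]
            if r_values != values:
                report["value_mismatch"].append((key, sorted(values), sorted(r_values)))
            if r_ttl != ttl:
                report["ttl_mismatch"].append((key, ttl, r_ttl))
    for key in sorted(route53):
        name, rtype = key
        if key not in legacy and not (name == apex and rtype in APEX_MANAGED):
            report["extra"].append(key)
    return report


def delegation_safe(report):
    """Only move the registrar's NS delegation once nothing is missing, different, or unverified."""
    return not (report["missing"] or report["value_mismatch"] or report["alias_only"])


def check_sample():
    legacy = parse_zone_file(LEGACY_ZONE)
    plain, aliases = index_route53(ROUTE53_RECORD_SETS)
    return diff_zones(legacy, plain, aliases, apex="example.com.")


if __name__ == "__main__":
    result = check_sample()
    for category, items in result.items():
        print(f"{category}: {items}")
    print("safe to re-delegate:", delegation_safe(result))
```

Against the constructed data the report flags the api CNAME as missing, the mail A record’s TTL as changed, and the www alias as needing manual verification, so delegation_safe returns False. In a real migration the inputs would be the legacy provider’s zone export and the paginated output of boto3’s route53.list_resource_record_sets; alias records are verified by querying the new zone’s assigned name servers directly (before the delegation changes, resolvers will not send queries there), and TTL differences are worth reviewing because a long legacy TTL keeps old answers cached well after cutover.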
The AWS product catalog is so large it can initially be quite daunting to work through and identify applicable products with valuable benefits, but the rewards for doing so are worth the effort. As an AWS Consulting Services Partner, Sentinel focuses on building innovative and beneficial solutions for customers that leverage these products. Route 53 is an excellent product with a low barrier of entry that can help all types of organizations achieve more and improve the operation of their IT environment.
If you are interested in learning more about AWS Route 53 or other AWS products, please contact us or reach out to your Sentinel Account Manager.
Sentinel Assists an Insurance Company Enhance Security for Employees Working From Home Due to the COVID-19 Pandemic
Introduction / Use Case
As the COVID-19 pandemic swept across the world, schools and workplaces closed and employers had to abruptly pivot to supporting a remote workforce. Organizations scrambled to send their employees home, while facing a significant shift in how a large segment of the workforce operates. IT departments needed to securely support a remote workforce at a scale never seen before.
The COVID-19 pandemic has dramatically changed where we work. According to a Pew Research Center study of employees who say their job responsibilities can mostly be done from home, 20% worked from home before the coronavirus outbreak, while 71% of respondents now work from home all or most of the time.
While IT assets such as compute, storage, networking, and security infrastructure remained in corporate or cloud data centers, users took their computers home. Workforces required safe and secure remote access to organizational IT resources, and to keep remote workers connected to the workplace the use of remote access technologies expanded greatly.
With the increased use of Virtual Private Networks (VPNs) and Virtual Desktop Infrastructure (VDI), these remote access technologies became a bigger target for cyber actors. On April 1, 2020 the Federal Bureau of Investigation (FBI) released a Public Service Announcement warning of the increased threat associated with the rapid migration to a remote workforce:
The FBI anticipates cyber actors will exploit increased use of virtual environments by government agencies, the private sector, private organizations, and individuals as a result of the COVID-19 pandemic. Computer systems and virtual environments provide essential communications services for telework and education, in addition to conducting regular business. 
Strategy / Approach
While working from home has been a tremendous success for employees, the change presented new security challenges. Before COVID-19, security resources were centralized within company offices: firewalls and other security appliances inside the company’s walls protected users working there. When employees moved home, some of those controls no longer protected them, leaving users exposed to attacks such as phishing and credential theft.
Single Factor Authentication
Before the pandemic, the customer had implemented a VDI solution that used single-factor authentication (username and password) against the back-end Active Directory infrastructure. This left the VDI infrastructure exposed to any password that was phished, stolen or guessed.
Users often reuse passwords across services, which eases the cyber actor’s burden of guessing or obtaining credentials. A solution was needed to secure the VDI authentication process.
Employees Taking Their Computers Home
When employees went home, their company-issued laptops were still protected by the anti-virus and email security products, but no longer by the rest of the organization’s security infrastructure. There was no visibility into, or restriction of, where they went on the Internet, which left them exposed to phishing and drive-by malware downloads.
A solution was needed to protect employees from malicious Internet traffic.
Resolution / Remediation
A local insurance company’s network, communications and security requirements had changed dramatically, and they needed a partner with the business innovation and agility to help them adapt.
Sentinel partners with industry-leading vendors to offer many options to help our customers connect and scale out fast. Sentinel’s Security as a Service (SECaaS) offers security solutions that are backed by a large team of some of the most knowledgeable experts in the field. As a Cisco Managed Security Services Provider (MSSP), Sentinel is able to quickly and securely provision and deploy Cisco DUO two-factor authentication and Umbrella DNS-layer protection.
Cisco DUO Two-Factor Authentication
Cisco DUO is a two-factor authentication (2FA) security solution. Two-factor authentication adds a second, independent check to ensure that a person trying to gain access to a system is who they claim to be. Sentinel secured the VDI environment with Cisco DUO 2FA. If a cyber actor presents phished or stolen credentials to a VDI session, the login is still denied unless the second factor is approved.
The customer provisioned the DUO system and added the VDI application in the DUO administrative control panel. Using Active Directory Sync, users belonging to a specific AD group were selected and imported into DUO. DUO-enabled users were sent an enrollment email, from which they could download the DUO smartphone app and enroll within minutes.
A user first enters a username and password. Once the authentication server validates them, the user completes the second factor by approving a DUO smartphone app push notification, entering a DUO app-generated passcode, or answering a phone call. Users should approve a push only for a login they started themselves; an unexpected prompt is a sign that someone else is using their password and should be denied.
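The decision logic behind that two-step login, as an added example that is not Sentinel's or Cisco's code: the password is checked first, and only a correct password triggers a Duo call; the user is then allowed in only when the push comes back approved, and an unreachable Duo service denies the login unless the deployment has deliberately chosen fail-open. The case study does not say which Duo integration the VDI platform used, so the Duo Auth API v2 is assumed here for illustration (its documented request signing, HMAC-SHA1 over a canonical string carried as HTTP Basic auth, and its /preauth then /auth call order). The integration key, secret key, API hostname and user database are made-up placeholders, and the HTTP transport is injectable so the flow can be run offline against constructed replies.

```python
"""Second factor after the primary (AD) credential check, Duo style.

Added example, not Sentinel's or Cisco's code. It follows the documented Duo
Auth API v2 request signing (HMAC-SHA1 over a canonical string, carried as HTTP
Basic auth) and the /preauth then /auth call order for a push. The integration
key, secret key, API hostname and users below are made-up placeholders, and the
HTTP transport is injectable so the flow runs offline against constructed replies.
"""
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.parse
import urllib.request


def canonicalize(method, host, path, params, date):
    """Canonical string: Date, METHOD, lowercase host, path, form body with sorted keys."""
    body = "&".join(f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(params[k], safe='~')}"
                    for k in sorted(params))
    return "\n".join([date, method.upper(), host.lower(), path, body]), body


def sign_request(ikey, skey, method, host, path, params, date=None):
    """Headers and body for a signed Duo API call."""
    date = date or email.utils.formatdate()
    canon, body = canonicalize(method, host, path, params, date)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}",
            "Content-Type": "application/x-www-form-urlencoded"}, body


def decode_authorization(header):
    """Split 'Basic <b64(ikey:sig)>' back into (ikey, sig), as the receiving side would."""
    ikey, sig = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return ikey, sig


class DuoUnavailable(Exception):
    """Duo could not be reached or returned an error envelope."""


def http_post(url, headers, body):
    """Real transport (network); the test replaces it with a fake."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def make_duo_client(ikey, skey, api_host, post=http_post):
    """Return call(path, params) -> response dict, raising DuoUnavailable on failure."""
    def call(path, params):
        headers, body = sign_request(ikey, skey, "POST", api_host, path, params)
        try:
            reply = post(f"https://{api_host}{path}", headers, body)
        except OSError as exc:
            raise DuoUnavailable(str(exc)) from exc
        if reply.get("stat") != "OK":
            raise DuoUnavailable(reply.get("message", "error"))
        return reply["response"]
    return call


def login(username, password, verify_password, duo_call, fail_open=False):
    """Primary factor first; Duo is consulted only when the password is right.

    Returns (allowed, reason). Fail-closed by default: if Duo is unreachable the
    login is denied unless the deployment deliberately chose fail_open=True.
    """
    if not verify_password(username, password):
        return False, "primary credentials rejected"
    try:
        pre = duo_call("/auth/v2/preauth", {"username": username})
        if pre["result"] == "deny":
            return False, "denied by Duo policy"
        if pre["result"] == "enroll":
            return False, "user not enrolled in Duo"
        if pre["result"] == "allow":
            return True, "bypass granted by Duo policy"
        auth = duo_call("/auth/v2/auth", {"username": username, "factor": "push", "device": "auto"})
    except DuoUnavailable as exc:
        return fail_open, f"Duo unavailable: {exc}"
    if auth["result"] == "allow":
        return True, "push approved by user"
    return False, auth.get("status_msg", "push denied")
```

The fail-open switch is the setting to think hardest about: fail-open keeps users working during a Duo outage but means an attacker who can block the Duo traffic from the authenticating server has reduced the login back to single factor, which is exactly the weakness this project set out to remove.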
Cisco Umbrella is a DNS-layer security solution that blocks DNS requests to malicious domains. Umbrella integrates with Active Directory to provide user-level insight and control. Because the DNS request for a malicious or unwanted domain is blocked, the traffic is stopped before a connection is even established.
Beyond DNS-layer security, Umbrella is also a cloud-based Secure Internet Gateway (SIG). The SIG functionality includes a selective intelligent proxy, which proxies user requests to “grey” domains. A “grey” domain may host both good and bad content: it cannot be fully trusted, but blocking it outright may not be appropriate. Umbrella routes a user’s traffic for a grey domain through Cisco cloud-based proxy servers on its way to the destination, giving Umbrella visibility into the web traffic so it can scan for malicious files.
To protect employees working remotely, Sentinel deployed the Umbrella roaming client on all company-issued computers. The roaming client protects employees when they are out of the office by blocking malicious DNS requests, and it gave the IT department visibility into threats affecting the remote workforce.
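The DNS-layer mechanism described above, as an added example that is not Cisco's or Sentinel's code: a minimal filter that parses the query a laptop's stub resolver sends, matches the name or any parent domain against a blocklist, and either answers with a block-page address (so the browser never connects to the real host) or hands the query on to the upstream resolver. The blocklist, the 192.0.2.1 block-page address and the query packets are constructed; Umbrella itself uses its own threat intelligence and its own block-page addresses. The match is label-aligned so that notmalicious.example is not caught by an entry for malicious.example, and a non-A query for a blocked name gets an empty NOERROR answer rather than an IPv4 address.

```python
"""DNS-layer blocking in miniature: inspect a query, answer blocked names with a
block-page address, and hand everything else to the upstream resolver.

Added example to illustrate the mechanism the Umbrella passage describes; it is
not Cisco or Sentinel code, does no network I/O, and the blocklist, block-page
address (192.0.2.1, a documentation range) and query packets are constructed.
"""
import struct

BLOCKLIST = {"malicious.example", "tracker.example.net"}   # constructed; real deployments use threat feeds
BLOCK_PAGE_IP = "192.0.2.1"                                 # constructed sinkhole that serves a block page
QTYPE_A = 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Construct a standard recursive query (what a stub resolver on a laptop sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Read labels at offset; returns (lowercased name, offset after the terminator)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")   # not valid in a query
        labels.append(data[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset


def parse_query(packet):
    """Return (txid, qname, qtype, end_of_question_offset) for a single-question query."""
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    qname, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    if qclass != 1:
        raise ValueError("only class IN is handled")
    return txid, qname, qtype, offset + 4


def is_blocked(qname, blocklist):
    """Match the name or any parent domain: cdn.malicious.example hits malicious.example,
    but notmalicious.example does not (label-aligned, not a plain suffix check)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def build_block_response(packet, block_ip):
    """Answer a blocked query: A queries get the block-page address, others NOERROR with no answer."""
    txid, _, qtype, qend = parse_query(packet)
    answers = b""
    if qtype == QTYPE_A:
        rdata = bytes(int(o) for o in block_ip.split("."))
        # name pointer to offset 12 (the question name), type A, class IN, TTL 60, rdlength 4
        answers = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answers else 0, 0, 0)  # QR, RD, RA set
    return header + packet[12:qend] + answers


def filter_query(packet, blocklist=BLOCKLIST, block_ip=BLOCK_PAGE_IP):
    """Policy decision point: ('block', response_bytes) or ('forward', None)."""
    _, qname, _, _ = parse_query(packet)
    if is_blocked(qname, blocklist):
        return "block", build_block_response(packet, block_ip)
    return "forward", None   # caller relays the packet to the upstream resolver


if __name__ == "__main__":
    for host in ("www.example.com", "cdn.malicious.example", "notmalicious.example"):
        print(host, filter_query(build_query(host))[0])
```

The usual caveat applies to any DNS-layer control, Umbrella included: it only sees lookups that go through the protected resolver, so a roaming client that forces all resolution through the service, and blocking of direct-to-IP and third-party DNS-over-HTTPS traffic at the firewall, are what keep the bypass paths closed.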
As COVID-19 forced this customer to close its office and employees transitioned to working from home, the IT department faced new security challenges.
Employees working from home were left relatively unprotected. Cisco Umbrella was already providing DNS-layer security in the corporate offices, so the Cisco Umbrella roaming client was deployed to company-owned computers to extend the same layer of protection to remote workers.
The existing VDI solution became more of a target. To mitigate the threat posed by phishing and credential theft, Cisco DUO was employed to move from single-factor to two-factor authentication.
Sources
+ Pew Research Center, How the Coronavirus Outbreak Has – and Hasn’t – Changed the Way Americans Work
+ FBI Public Service Announcement I-040120-PSA, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments
+ Cisco Umbrella, What is Intelligent Proxy
Sentinel Assists a Leading Provider Of Medical Waste Services And Compliance Based Solutions With The Implementation Of Robust Network Admission Control Features
Introduction / Use Case
A leading medical waste services provider had previously worked with Sentinel to implement basic Network Admission Control services using Cisco Identity Services Engine (ISE). These basic services included network device authentication (AAA), 802.1X/RADIUS authentication for their Meraki wireless networks, MAC Authentication Bypass (MAB) for devices that cannot do 802.1X, and remote access VPN authentication using the Cisco AnyConnect Secure Mobility Client.
This organization has a myriad of devices and users that access its corporate networks via network switches, wireless access points and remote access VPNs. It is looking to implement additional Cisco Identity Services Engine features to consolidate access policies across the enterprise while increasing security for both on-premise and remote employees.
The Cisco Identity Services Engine enables organizations to implement policies for controlling access to corporate network infrastructure using contextual information such as device type, endpoint configuration (posture), location, MAC address, user role and user identity. This context is then used to apply post-connect controls to endpoints such as laptops and workstations as well as wireless phones, tablets, printers, cameras and Internet of Things (IoT) devices.
Key features of Cisco Identity Services Engine include, but are not limited to, the following:
- Centralized Management – administrators can centrally configure and manage profiler, posture, guest, authentication, and authorization services from a single web-based GUI console.
- Contextual Identity and Business Policy – provides a rule-based, attribute-driven policy model for flexible and business-relevant access control policies, using attributes such as user and endpoint identity, posture validation, authentication protocol, device identity, and other external attributes.
- Access Control – provides a range of enforcement options, including downloadable Access Control Lists (dACLs), Virtual LAN (VLAN) assignments, URL redirections, named ACLs, and Security Group ACLs.
- AAA Services – supports the standard RADIUS protocol for Authentication, Authorization, and Accounting, with a wide range of authentication methods including PAP, MS-CHAP, EAP-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), EAP-Transport Layer Security (EAP-TLS), and EAP-Tunneled Transport Layer Security (EAP-TTLS).
- Internal Certificate Authority – a built-in certificate authority provides a single console to manage endpoints and their certificates.
- Device Discovery and Profiling – determines device type, manufacturer and operating system by inspecting packets the devices send on the network.
- Endpoint Posture Service – performs endpoint compliance checks such as OS version and patch level, anti-virus/endpoint protection version and OS updates.
- Guest Lifecycle Management – provides a streamlined experience for implementing and customizing guest network access, with built-in support for hotspot, sponsored and self-service flows.
- Security Product Integration – provides bi-directional integration with other security products.
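To make the AAA Services and Access Control items concrete, here is an added example (not Cisco or Sentinel code) of the RADIUS exchange between a switch or access point and an ISE Policy Service Node: an Access-Request carrying a PAP-hidden password (the same packet shape a MAB request uses, with the MAC address as both user name and password), an Access-Accept that returns the VLAN and a named ACL, and the Response Authenticator check the network device performs before trusting the reply. It implements the RFC 2865 User-Password hiding and Response Authenticator and the RFC 2868 tunnel attributes used for VLAN assignment; the shared secret, addresses, user names and VLAN are constructed. EAP methods such as PEAP and EAP-TLS carry the credential inside EAP-Message attributes and are not shown.

```python
"""RADIUS Access-Request / Access-Accept at the wire level: what passes between
a switch or AP (NAS) and an ISE Policy Service Node for PAP, MAB, and the
VLAN / named-ACL authorization result.

Added example, not Cisco or Sentinel code. Implements RFC 2865 User-Password
hiding and the Response Authenticator check plus the RFC 2868 tunnel attributes
used for VLAN assignment; shared secret, addresses, users and VLAN are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, CALLING_STATION_ID = 1, 2, 4, 11, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attribute(atype, value):
    """Type-Length-Value; length counts the two header bytes (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; what the server does before checking the credential."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(ident, secret, username, password, nas_ip, calling_station=None, authenticator=None):
    """Packet from the NAS. For MAB the switch sends the MAC as both user name and password."""
    req_auth = authenticator or os.urandom(16)   # 16 random bytes; must be unique per request
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if calling_station:
        attrs += attribute(CALLING_STATION_ID, calling_station.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attributes(data):
    """Return [(type, value), ...]; rejects malformed lengths instead of looping forever."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_response(code, request, secret, attrs):
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """NAS-side check that the reply came from a server holding the shared secret and
    belongs to this request; a forged or tampered Access-Accept fails here."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def tunnel_attribute(atype, value, tag=0):
    """RFC 2868 tagged attribute: one tag byte then the value."""
    return attribute(atype, bytes([tag]) + value)


def vlan_accept(request, secret, vlan, acl_name=None):
    """Access-Accept carrying a VLAN (and optionally a named ACL), as ISE returns for a matched rule."""
    attrs = [tunnel_attribute(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
             tunnel_attribute(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big")),
             tunnel_attribute(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())]
    if acl_name:
        attrs.append(attribute(FILTER_ID, acl_name.encode()))
    return build_response(ACCESS_ACCEPT, request, secret, attrs)


def authorization(response):
    """Pull the enforcement result a switch acts on out of a response."""
    result = {"code": response[0]}
    for atype, value in parse_attributes(response[20:]):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()  # strip tag if present
        elif atype == FILTER_ID:
            result["acl"] = value.decode()
    return result
```

Two things this makes visible: the password is only obscured with an MD5 keystream derived from the shared secret, so the secret's strength and the confidentiality of the path between the switch and ISE are what protect PAP and MAB credentials; and the Response Authenticator is what stops a host on that path from injecting its own Access-Accept, which is why a per-device shared secret matters for every network device defined in ISE.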
Strategy / Approach
The rapid increase in bring-your-own devices, guest and vendor access requirements and Internet of Things devices has significantly expanded the attack surface. This has fueled demand for NAC products in medium to large organizations, which use them to mitigate the added risk. The effectiveness of NAC products has also grown through integration with next generation firewalls, threat detection software, endpoint protection software, SIEM and mobile device management software.
Enterprise organizations and financial institutions face higher risk due to larger user populations, more contractor access requirements, compliance-related user data and a broader attack surface from a global network footprint. Additionally, a breach at an enterprise or financial organization can severely impact the company’s stock price and overall financial health. Yet because of the cost of implementing a NAC solution, it is often one of the last security measures an organization puts in place to secure its networks, users and data.
The design and rollout of NAC products such as Cisco Identity Services Engine can be a daunting task, since the implementation touches virtually every element of the client’s network, including switching, firewalls, endpoint protection, PKI and the user directory. Larger enterprise networks also have significantly more devices and networks to secure. Because of these challenges, Sentinel will work with the client and its network security staff to design and implement the new Identity Services Engine features in a multi-phased approach, which allows the client and Sentinel to work through implementation issues and tuning before moving on to the next phase.
Resolution / Remediation
At a high level, Sentinel has broken this engagement into the following phases:
Phase I: Cisco Identity Services Engine Software Upgrades – During this phase, Sentinel will upgrade the client’s existing ISE nodes from Cisco ISE version 2.4 to Cisco ISE version 2.7, Patch 2. This phase is important because the updated software adds new features and fixes bugs in existing ones. In addition to the software updates, a new Policy Service Node will be added in the client’s United Kingdom data center.
The client’s existing distributed deployment consists of 13 Cisco Identity Services Engine nodes running as virtual machines in the client’s VMware environment. The client and Sentinel have already deployed the following ISE nodes and personas, including a single Policy Service Node per region:
- (9) ISE Policy Service Nodes (five with TACACS+ device administration enabled)
- (2) ISE Policy Administration Nodes (primary and secondary)
- (2) ISE Monitoring and Troubleshooting Nodes (primary and secondary)
In discussions between the client and Sentinel, it was determined that the backup and restore method would be used to upgrade all 13 ISE nodes to Release 2.7 Patch 2. Advantages of this upgrade method include the following:
- It is the fastest upgrade method and the one recommended by Cisco.
- Configuration settings and operational logs from the previous ISE deployment can be restored if needed, preventing data loss.
- New nodes can be staged outside of maintenance windows, reducing the time the upgrade takes in production.
- Multiple Policy Service Nodes can be upgraded in parallel, reducing upgrade downtime.
The client has already confirmed it has the compute and VMware resources to pre-stage the new virtual machines and join them immediately to the upgraded Policy Administration Node.
Upgrade tasks will include the following:
- Re-address the three existing Policy Service Nodes currently on the PCI VLAN (DMZ) and move them to the proper internal VLAN.
- Pre-position new ISE nodes as needed to speed up the upgrade.
- Upgrade all ISE nodes to Release 2.7 Patch 2 using the backup and restore method.
- Add a new Policy Service Node at the data center in Leeds, United Kingdom.
The following new software and support components have been included:
- (1) – Cisco ISE Virtual Machine Medium
- (1) – Cisco SWSS Upgrades Cisco ISE Virtual Machine Medium
Phase II: Discovery and Wireless True-up – During this phase, the existing ISE policies, network configurations, and access segments will be analyzed and documented, and recommendations will be provided. An overall access and security policy will be developed jointly by Stericycle and Sentinel. Adjustments to consolidate the wireless access policies will be made in accordance with the agreed-upon access policy and design.
Phase III: VPN Authorization and Client Posturing – During this phase, VPN authorization will be added to leverage the existing Cisco ISE implementation. The modified policy will include device posturing to ensure endpoints have the required characteristics, such as anti-virus/anti-malware, OS version, etc.
Phase IV: Proof-of-Concept, Cisco ISE Wired/Wireless Authentication/Authorization and StealthWatch – During this phase, a wired authentication/authorization and StealthWatch proof of concept (POC) will be designed, installed and configured. The POC will include:
- a subset of existing compatible switches and firewall(s) located in IT
- updated Cisco ISE 802.1X authentication/authorization policies and templates
- rapid threat containment (adaptive network control)
- Cisco ISE pxGrid integration with StealthWatch
- StealthWatch installation and configuration, including the Secure Network Analytics (StealthWatch) Management Console and Flow Collectors, and NetFlow, IPFIX and nvzFlow (AnyConnect) export configuration on the devices
Phase V (Future): Wired Authorization – During this phase, the wired segments of the enterprise network will be configured for authentication and authorization, which will prevent unauthorized devices from joining the network and define access to network segments. The posturing policy from the VPN work in Phase III will be extended to apply to the wired segments as well.
After all of the phases are complete, the client will have increased security for both on premise and remote employees across their enterprise network by implementing consolidated enterprise wide access policies.
Sentinel Helps A Manufacturer Modernize Their Wide Area Network To Support Cloud Services
A manufacturer was looking to modernize its corporate wide area network (WAN) to support the consumption of cloud services, including Infrastructure as a Service (IaaS) and Software as a Service (SaaS). The cloud gives companies the opportunity to innovate, increase agility, and adopt new platforms for new services or to modernize existing ones. Platform as a Service (PaaS) and SaaS also make it possible to rapidly deploy applications from providers such as Salesforce, Box, Microsoft Office 365 and more. The business innovation and agility these platforms provide dramatically change the requirements for network communications and security.
Data centers, formerly the central choke point(s) of an organization, no longer provide most or all critical business services. Instead, public, private, and hybrid clouds host many of the services formerly relegated to centralized data centers. Some platforms also offer the opportunity for vendor independent connectivity and cost savings as well as bandwidth increases.
Organizations previously backhauled traffic to their data center(s), where the majority of IT services were delivered. This centralized security controls and simplified the security infrastructure to some degree. Cloud services spread the data center across many locations that are best reached over public and private Internet connections. These multi-path traffic patterns create new challenges for distributed security. Security policy and governance become even more critical because the business consumes services from a variety of providers. Modern software-defined WAN (SD-WAN) solutions address these challenges with centralized control and orchestration, and can give every network edge next generation firewall capabilities.
Strategy / Approach
A 2018 study by Gartner showed how SD-WAN offers benefits over traditional WAN services:
+ Emergence of public cloud computing and SaaS has rendered traditional enterprise WAN architectures suboptimal from both a price and performance perspective
+ SD-WAN is a mainstream product category that provides branch office connectivity in a simplified and cost-effective manner compared to traditional routers
+ SD-WAN adoption is growing rapidly; many network service providers and other managed service providers now offer managed SD-WAN services.
+ Independent MSPs also offer flexible services more customized to an organization’s needs, as well as advanced security monitoring and response options for organizations that transcend traditional router management of availability and capacity.
Sentinel and Gartner both recommend that organizations currently using or developing applications through the hybrid cloud migrate to an SD-WAN architecture. It creates multiple paths to connectivity and provides users with a more direct route to important Microsoft Office 365 applications. Connectivity via the internet is likely the best option, assuming it is reliable. If your service provider has a direct connection to one of the Oracle cloud points of presence, your network must adapt to use both services while maintaining the most expedient path to Office 365. Office 365 also requires a number of ports and protocols to be open on the network, which marks another benefit of SD-WAN solutions with SaaS awareness. While Office 365 has been the focus of this summary, the guidance here applies to most SaaS providers and ensures enough flexibility will remain in your environment to easily manage future deployments.
Sentinel advises that any SD-WAN architecture should support advanced security services, including: next generation firewall capabilities, URL & content filtering, centralized policy management, monitoring and log capabilities, and anti-malware services. In addition, a proper SD-WAN solution should provide visibility into cloud services in order to treat traffic appropriately, plus the ability to support internal data center services on an ongoing basis.
For these reasons, Sentinel recommended Cisco SD-WAN (based on Viptela technology) for the manufacturing customer. This solution leveraged existing investments in Cisco ISR routers by adding intelligent software on top of the ISR hardware platform. It allowed the manufacturer to extend their SD-WAN services to IaaS providers, Sentinel CloudSelect (voice and collaboration), as well as Oracle Cloud (IaaS). Cisco’s SD-WAN solution also supports a plethora of SaaS and PaaS providers, including but not limited to Office 365, which the manufacturer is planning to deploy in the near future. This platform will provide a wide area network that is adaptable, multi-cloud ready, and has distributed next generation security – all controlled via centralized management and orchestration.
Resolution / Remediation
The original scope of work requested both a legacy dynamic multipoint virtual private network (DMVPN) solution with centralized hub sites as well as a software-defined WAN solution. Sentinel recommended that the customer skip the DMVPN and focus on a cloud-ready architecture based on SD-WAN instead. DMVPN was an efficient solution for creating a private meshed network over the internet, but it has become a bit outdated in the modern world of cloud-ready architectures and distributed security needs. DMVPN does not satisfy the distributed security requirements, nor does it add the intelligence and centralized configuration needed for modern cloud consumption models. SD-WAN features all of those capabilities and more, which is why Sentinel encouraged the manufacturer to consider shifting their approach.
Sentinel optimized the architecture to support internet only, internet plus secondary internet, and internet plus private (MPLS) services. The technology makes intelligent decisions on the best paths for specific services, and by defining policy within the central manager, can continue to adapt to the enterprise needs. It’s no longer necessary for highly skilled individuals to manually define, distribute, and deploy configuration changes. In an effort to streamline operations, Sentinel ensured the central manager had the capability to control the entire network fabric, including application optimization, cloud services, intelligent routing, and security services.
While the customer initially requested the identification and placement of WAN services at edges and hub locations, Sentinel advised that any hub sites be replaced with a fully meshed solution featuring strong cybersecurity. Hub locations can still be used to deliver high speed or peering services if desired, however the intelligent and automatically distributed design presented by Sentinel gave the manufacturer greater adaptability and scalability to handle any current and future needs. New voice and collaboration services were deployed into the customer's environment via Sentinel CloudSelect data centers in Illinois and Arizona. The Sentinel team also coordinated with Oracle to establish IaaS, production, and disaster recovery services through their cloud data centers in Virginia and Arizona.
Oracle also offers direct connectivity to various carriers, including the customer's current service provider AT&T as well as CenturyLink, which the customer plans to use for private services in the future. If the manufacturer wants to deploy cloud-to-cloud services such as Azure ExpressRoute within their environment at some point, Oracle can easily provide any Microsoft and Azure connectivity.
The Sentinel team deployed the SD-WAN solution into the manufacturer’s environment, which significantly increased their cloud capabilities and provided a centralized control for simplified management of services, applications, and security. This streamlined approach improved efficiency and made it easier than ever for the customer to scale out as they continued to grow.
Sentinel Develops An Omnichannel Solution for a Credit Union
A Chicago area credit union sought to improve their operational efficiency and service levels across all communication channels. This was in response to its members, who advocated for more personalized, omnichannel assistance as they worked to achieve financial goals. In order to make this a reality, contact center agents required easier access to customer information and more descriptive context while interacting with multiple applications, including core banking, online banking, and authentication systems.
The credit union wanted to leverage and extend the value of its existing Cisco Communication and Collaboration systems while establishing a strong platform for future growth. It also aimed to provide additional survivability, redundancy, and resiliency for its data and communications environment, and to improve secure remote worker capabilities to address the new pandemic-driven requirements of its employees.
The credit union chose to work with Sentinel Technologies because of its extensive expertise in Unified Communication, Collaboration, and Customer Service Centers. The Sentinel team took time to learn about the specific project requirements and began to outline possible solutions. Sentinel quickly determined that an omnichannel solution to complement the credit union’s existing environment was the best course of action.
The omnichannel solution seamlessly integrated with all existing applications, and gave agents instant visibility into critical information with application pop, click-to-dial, data exchange, and more. Credit union members received more personalized, consistent service as a result. The organization improved customer service levels and streamlined processes more efficiently than ever before, all while extending the value of their legacy investments and positioning the credit union for future growth.
Sentinel worked closely with the credit union to develop a secured access environment for remote knowledge workers and agents. Sentinel also migrated their critical data and voice applications to a strategically located secondary data center, which resulted in redundant survivable connectivity and routing.
Once their project with Sentinel had been completed and deployed, the credit union was able to deliver:
+ Personalized member experience
+ Improved service levels
+ Greater agent efficiency
+ Application redundancy/survivability
+ Secure remote worker capability