I feel it's not more than a marketing gimmick to sell UTM device. I fully agree with Terence that vendor recommendations are biased. I would recommend adherence to a framework custom designed for your organization's business type. Take feeds from 'Cobit 5 for Information Security' and SANS Top 20 controls. Map your existing controls with layered DID 'Defense In Depth' approach. This will help in building your strategy & prioritizing control deployment. All popular solutions come with external connectors so integrating might not be that big a challenge. You can also get connectors developed to have a central dashboard.

My comments are based on my understanding of your problem. If you were expecting something else, let me know.

Regards,

Manish Dave|Chief Information Security Officer|Essar Services India Limited|
Essar House , 11 , K .K.Marg,Mahalaxmi,Mumbai|400034|Maharashtra|India|
T +91 9930134942|+91 22 66601100 VoIP: 7 21 1357|Blackberry PIN 28018A44|
E Manish.Dave (at) essar (dot) com [email concealed]|www.essar.com|

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Alex Creek
Sent: Sunday, November 04, 2012 6:24 AM
To: Terrence O'Connor
Cc: security-basics (at) securityfocus (dot) com [email concealed]
Subject: Re: Security design methodology

Would a consolidated framework be a UTM device or something larger scale?

Alex

________________________________
From: Terrence O'Connor <terrence.oconnor (at) gmail (dot) com [email concealed]>
To: Alex Creek <acreek83 (at) yahoo (dot) com [email concealed]>
Cc: "security-basics (at) securityfocus (dot) com [email concealed]" <security-basics (at) securityfocus (dot) com [email concealed]>
Sent: Saturday, November 3, 2012 7:17 PM
Subject: Re: Security design methodology

Alex,

I think the goal of a security professional is to understand those needs of the business and recommendations from the industry to find the right mix of interoperable systems. There are many standards for various security needs and if one player in a space isn't compatible with the next they are crossed off the list.

Recommendations from vendors is biased. Even product agnostic companies have a natural bias towards high margins.

Keeping that in mind, I am a fan of consolidated frameworks that give the biggest bang for the buck. Even then you'll have a mix of providers and you need to understand capabilities and how they all work together.

Hit me up if you have specific questions .

On Nov 2, 2012, at 4:15 PM, Alex Creek <acreek83 (at) yahoo (dot) com [email concealed]> wrote:

> Finding requirements first makes sense. I can see how that would set
> the tone for what's needed. Say if a company has a lot of users who connect externally, then a VPN would probably be the main driver.
>
> For compatibility between security systems, would it be best to just
> follow vendor recommendations?
>
>
> Alex
> ________________________________
> From: Chris Stefan <chris.stefan1844 (at) gmail (dot) com [email concealed]>
> To: Alex Creek <acreek83 (at) yahoo (dot) com [email concealed]>
> Cc: "security-basics (at) securityfocus (dot) com [email concealed]"
> <security-basics (at) securityfocus (dot) com [email concealed]>
> Sent: Friday, November 2, 2012 3:40 PM
> Subject: Re: Security design methodology
>
>
> Get the client requirements and objectives out of the way first. Then decide on hardware/software.
> On Nov 2, 2012 3:26 PM, "Alex Creek" <acreek83 (at) yahoo (dot) com [email concealed]> wrote:
>
> Lately I've been doing some research into network security. For anyone with experience in network security design/build, is there a method for what to do first when planning? For example, should security be planned externally first then internally or vice versa? Which system is the most important? Does everything need to work with firewall xyz or does everything need to work with a monitoring system abc?
>>
>>
>> Alex
>>
>>
>> ---------------------------------------------------------------------
>> --- Securing Apache Web Server with thawte Digital Certificate In
>> this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be
>> 442f727d1
>> ---------------------------------------------------------------------
>> ---
>>
>>
>
> ----------------------------------------------------------------------
> -- Securing Apache Web Server with thawte Digital Certificate In this
> guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
> 42f727d1
> ----------------------------------------------------------------------
> --
>

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

Please don't print this e-mail unless you really need to.

Disclaimer:
The information contained in this electronic message and in any attachments to this message is confidential, legally privileged and intended only for the person or entity to which this electronic message is addressed. If you are not the intended recipient, please notify the system manager and you are hereby notified that any distribution, copying, review, retransmission, dissemination or other use of this electronic transmission or the information contained in it is strictly prohibited. Please accordingly also note that any views or opinions presented in this email are solely those of the author and may not represent those of the Company or bind the Company. This message has been scanned for viruses and dangerous content by Mail Scanner, and is believed to be clean. The Company accepts no liability for any damage caused by any virus transmitted by this email. www.essar.com <http://www.essar.com/> .

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

[ reply ]