Third, the Virtual Private Networks (VPNS) and the selection of security protocols needs to be audited (Westcott, 2007) to evaluate the performance of IPSec vs. SSL protocols on overall network performance (Rowan, 2007). Many smaller corporations vacillate between IPSec and SSL as the corporate standard for wireless connections, defining the advantages and disadvantages as the table below has captured. Table 1: Technical Analysis of Differences between IPSec and SSL

IPSec

SSL

Topology

Site-to-site VPN; mainly configured in a hub-and-spoke design

Remote-access VPN

Security

Session authentication

Authenticates through digital certificate or preshared key

Drops packets that do not conform to the security policy

Authenticate through the use of digital certificates; drops packets if a fatal alert is received

Confidentiality

Uses a flexible suite of encryption and tunneling mechanisms at the IP network layer

Encrypts traffic use the public key infrastructure (PKI)

QoS and SLAs

Does not address QoS and SLAs directly; yet the IPSec VPNs can be configured to preserve packet classification for QoS within an IPSec tunnel

Both QoS and SLAs do not apply to SSL deployments; the service providers network traffic is unaware of SSL traffic or its relative level

Scalability

Acceptable scalability in most hub-and-spoke configurations and deployments

Scalability for IPSec-based networks when there are large, meshed IPSec VPN deployments across a very large number of users (over 10,000); support for key management and peering configuration.

Entirely dependent on network traffic; SSL is not impacted by server provider network

Management

Site-to-Site support

Yes

No

Remote Access Support

Yes

Yes

Provisioning

Reduces operational expense through a centralized network-level provisioning

Does not apply; service provider traffic does not see SSL traffic

Service Deployment

Is a protocol compatible with other ones located through an existing IP network

Does not apply; service provider traffic does not see SSL traffic

VPN Client

Is required for client-initiated IPSec VPN deployment

Relies on a Web browser to complete sessions

Place in network

Local loop, edge and off-net

Local loop, edge and off-net

Transparency

Transparency to applications

Works only with applications coded for SSL

Wireless

Not easily accomplished as this protocol relies on point-to-point connections

Support for QoS, non-QoS and enterprise-wide connectivity through wireless

Sources: (Hickman, 2007) (Rowan, 2007) (OpenReach, 2002)

As many internal networks are based on VPNs due to the number of wireless networks overlapping in office and metro areas, the need for having secured connections even within ones' own company has become prevalent (Rowan, 2007). The use of SSL-based security technologies for connecting wireless and WiFi-enabled printers and remote storage equipment must also be included in the initial security audit (Westcott, 2007).

With these audits specifically defined, the need for defining security-based metrics of performance must next be accomplished (Frankland, 2008). The benchmarking of security levels will give the corporation an opportunity to see gradual process over time of their security efforts impacting overall system stability, up-time, and also track, log and analyze any patterns of external threats they can counter over time. This analysis of inbound threats through the use of analytics applications is also critically important for defining a corporation-wide security plan as well (Loew, Stengel, Bleimann, McDonald, 1999). A third rationale in addition to benchmarking security performance and defining a corporate-wide security strategy is the need for more effectively managing application-level threats. This is most prevalent in corporations within their e-mail systems (Zambroski, 2006) where viruses arrive via inbound e-mail, undetected by firewalls and other security measures. The need for creating auditability within e-mail systems (Westcott, 2007) is also critically important to ensure proper use guidelines are followed and that the corporation does not open itself up to lawsuits or viruses spread throughout their application servers via infected documents and e-mails. This also makes it critically important that the corporation have continual virus scanning strategy in place to protect its applications and servers, and in fact create a roadmap of continual updates as well (Lin, Chen, Lin, Lai, 2008). In conclusion the hacking of a WiFi network's most chilling example is how the terrorists responsible for the Mumbai, India attacks hacked into hotel networks to see which rooms held American and British visitors (Shastri, 2009). In addition the wireless networks around the hotel needed to have greater security to monitor the terrorists' communications in the midst of the hotel siege as well. There...

All of these factors, from WiFi security, to the need for stabilizing and solidifying security for the servers and network, to the need for audits and the continual analysis of results to better security, need to be part of a broader upgrade strategy for enhancing security.
Part 4: Goals and Objectives for Upgrade it Security

The following are the key goals and objectives for the it Security Plan. Each of the goals has a corresponding series of objectives to lead to their fulfillment. At the end of this section there is a description of the Security Upgrade Phases as well.

First Goal: Create a Baseline Security Level and Manage to Real-Time Security Metrics

For many smaller corporations they have no idea just how in or out of compliance they are to specific security levels. This first goal and supporting objectives centers on creating this baseline level of security performance and then evaluating strategies for selectively improving performance over time.

The first objective is to define and executive a corporate-wide audit of security by OSI Model level, network access points including 10BaseT and WiFi, e-mail application security (Zambroski, 2006) and across database access processes and privileges (Westcott, 2007). This is critically important so that security strategies over time can be evaluated in terms of their effectiveness. As each corporation's security strategies must be aligned with their corporate strategic plans (Ciampa, 2005) there is also the need for ensuring the audit measures the most important areas relative supporting the corporations' business plans are also measured and improved. The need for ensuring that the audit provides scalability for the company's potential future growth as well is important as part of this goal (Gupta, Hammond, 2005)

A second objective is to evaluate the company's performance on its key security metrics relative to the industry standards or as they are often called, best practices in the industry. This is important as a goal due to the fact that the corporation over time needs to evaluate how its enterprise-wide security strategy is either enhancing or detracting its ability to remain competitive over time (Frankland, 2008). This type of data from a strategic planning standpoint can be very valuable in terms of planning how to deploy workers remotely or locally, the extent of access controls, role-based process workflows, and the development of entirely new approaches to creating virtual teams. All these strategic aspects of the corporations' growth are dependent on this goal being met.

The third objective to support this first goal is the development of sourcing and supplier criteria for purchasing new it products and services. This will be the result of a successful audit of the company's security levels and the quantification of its strengths and weaknesses (Frankland, 2008). With this information strategies can be created for purchasing only those products that support and strengthen the weakest areas.

Second Goal: Define and execute periodic assessments of application-based security

Strategically speaking the greatest potential threat to the corporation are the many areas where viruses both in files and in e-mails disrupt servers, bringing the company to a grinding halt. The need for e-mail especially to be secured over time and continually scanned is critical, in fact a strategic priority as this is the approach hackers take to gain access to company-wide systems and disrupt and damage them (Zambroski, 2006). The need for also having periodic updates to anti-virus applications at the server level is also critically important as well (Lin, Chen, Lin, Lai, 2008). The applications and website together form the weakest link in many corporations' security strategies (Gupta, Hammond, 2005). The objectives defined to ensure the attainment of this objective are provided below.

The first objective is to develop an e-mail monitoring policy that includes consistency of approaches for managing external e-mail traffic. While many organizations today choose to monitor and closely watch external traffic, some going as far as to prohibit it (Zambroski, 2006), for a corporation to grow it needs to have external communication with the outside world. The all-or-nothing proposition clearly is not scalable or feasible to work with, especially for corporation intent on growing over time. Instead the corporation needs to set the objective of creating an external e-mail filtering policy which will allow for greater control over potentially malicious e-mail attachments and the deletion of SPAM before it arrives on the company's servers. This objective an be attained by creating a series of rules-based constraints that can be applied to inbound e-mail from non-company accounts (Zambroski, 2006).

The second objective is to evaluate the security of hosted or Software-as-a-Service (SaaS) applications including Google Apps, Google Documents, and others that corporations have begun to adopt based on their cost and convenience advantages over licensed applications. As the corporation begins to grow over time it will need to have office…