Implementing and Automating Critical Control 19: Secure Network Engineering for

SANS Technology Institute
Implementing and Automating
Critical Control 19: Secure Network Engineering
for
Next Generation Data Center Networks
SANS Joint Written Project
Project Charter
1/7/2012
Aron Warren
George Khalil
Michael Hoehl
Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks
Project Charter
1.0 Background
Community Projects are required for students of the SANS Technology Institute (STI) Master of Science degree
program. This Community Project is a Joint Written Project (JWP) and the assigned topic is “Implementing and
Automating Critical Control 19: Secure Network Engineering”.
An assignment scenario has been created by Stephen Northcutt and is provided below:
GIAC Enterprises is a small to medium sized growing business (1,000 employees, two data centers, 200 people in
central business and IT) and is the largest supplier of Fortune Cookie sayings in the world. The CIO calls you in
for a special tiger team project. GIAC has recently decided to implement a 40G network to implement the capacity
to support mobile apps that deliver fortunes. A separate team is already working on acquiring the technology to
establish monitoring so that is outside the scope of this assignment. Your assignment is to design build the network
for the next generation network. The CIO wants this to be in alignment with the 20 Critical Controls, especially
control 19. GIAC does not want to add many people to the workforce, so solutions that can be automated are top
priority.
2.0 Objective
Present technical approaches to implement and automate safeguards which are consistent with control 19: “Secure
Network Engineering” of the SANS Twenty Critical Security Controls for Effective Cyber Defense.
3.0 Requirements
The following are requirements for this project:
• Create and present project plan for approval. (Project plan must describe who is going to do what part of
  the work, how long tasks are expected to take and schedule. JWP team has 5 calendar days after they
  receive the assignment to complete plan).
• Conduct research and identify technical approaches that automate as many of the safeguards as possible
  for 40G Ethernet networks and be consistent with control 19 of the 20 critical controls.
• Obtain feedback from early adopters of 40G Ethernet networks to learn about practical pitfalls and
  promising solutions.
• Author presentation (generally it is 10 PowerPoint content slides with Notes).
• Author white paper containing research and recommendations for areas assigned. The white paper must
  detail the technical approaches and any additional techniques developed. The paper must be
  comprehensive enough that organizations can use it as a reference to strongly lower their risk by
  incorporating control 19.
JWP team has 30 days to complete assignment after project plan has been approved.
4.0 Approach and Milestones
The traditional waterfall model will be used to advance through the project phases provided below.
Project milestones and target completion dates are provided below.
Milestone                                                                                   Target Date
Initiation
  Present Project Plan for Approval                                                         1/9/2012
Research and Analysis
  Investigate technologies                                                                  1/20/2012
  Identify and interview Early Customer Adopters\VARs\Manufacturers of 40G                  1/20/2012
  Investigate authoritative sources for secure networking (e.g., SANS, CIS, Vendors, etc.)  1/20/2012
  Research infrastructure update/maintenance/HA impact and options                          1/20/2012
Develop Design/Build Technical Approaches
  Finalize technical approaches in scope for whitepaper                                     1/21/2012
Build (Author Documents)
  First draft of white paper completed                                                      1/23/2012
QA
  White paper feedback from Sponsor received                                                1/26/2012
Production Implementation
  Final version of white paper completed                                                    1/29/2012
  Final version of presentation completed                                                   2/5/2012
Project Close
  JWP administrative tasks completed and grading begins                                     2/10/2012
Recurring one hour checkpoint meetings are scheduled (10:30PM EDT Wednesday) in addition to weekend
collaborations.
5.0 Project Management Protocol
The project information system is Excel. Project artifacts will be stored in Dropbox. Project performance and
product deployment progress will be reported weekly via email to sponsor and stakeholders. Recurring weekly
checkpoint meetings will also be held with project team. Project sponsor and stakeholders will meet when there is
an issue requiring management attention. Issues having a material impact on project scope or progress will be
escalated to the project sponsor verbally and via email. No formal project risk management system will be used.
Project change control requests will be authorized by the project sponsor via email. No formal project change
management system will be used. Planned resources and level of effort to complete tasks will be identified during
initiation phase. Actual use of resources and associated level of effort will be tracked informally within the project
plan. No formal time reporting will be used.
6.0 Key Resources
A collaborative effort between multiple IT teams will be required to advance this project. Key resources to advance
the project are listed below.
Role                                                    Name
Sponsor – STI President                                 Stephen Northcutt
Stakeholder – Dean of Admissions & Student Services     Debbie Svoboda
Key Resource – Student                                  Aron Warren
Key Resource – Student                                  George Khalil
Key Resource – Student                                  Michael Hoehl
Key Resource – Early Adopter of 40G Network             TBD
Key Resource – Vendor of 40G Network Technology         Grace Ng
Project Manager                                         Aron Warren
7.0 Risks and Assumptions
• “40G network” refers to 40 Gigabit per second speed Ethernet networks intended for modern data centers.
• Remaining critical security controls can be referenced in white paper, but no elaboration is required.
• Actual commercial vendor products are to be part of research and included in technical discussion.
• RFQ for system integrator consultant or consulting firm is not in scope.
• Secure Network Engineering includes integration of security controls necessary to sustain infrastructure.
• Common business processes (e.g., HR, Finance, Procurement, etc.) are not in scope. The primary focus is
  to provide technical guidance associated with an infrastructure that services mobile applications over the
  Internet.
• Technical approaches are to include integration with: Managed Security Services Providers, B2B
  connections, and traditional infrastructure services (e.g., tape back-up, DNS, patching, configuration
  management, etc.)
• The statement: “GIAC does not want to add many people to the workforce, so solutions that can be
  automated are top priority.”, is to be interpreted as including technology, outsourcing of recurring
  operations duties (e.g., MSSP) and centralized management of infrastructure (e.g., patching, configuration
  management, IDS signature updates, etc.).
• “External partnerships” include customers of 40G technology or service providers that have recently
  incorporated 40G technology.
• E-commerce is in scope as GIAC Enterprises will need to accept payment from a variety of customers (e.g.,
  food manufacturers, wholesalers, etc.).
• E-fortune cookie service is available to retail customers to have a fortune sent to their smartphone daily.
• Inter-site Data Center communication is out of scope.
• Disaster Recovery is out of scope.
• Delay in response to student questions/concerns
• Unplanned absence due to employer or family obligations
8.0 Document Revision History
Document Name                                       Version       Date        Author
DRAFT - 40G Project Charter v.01.doc                Formatting    1/6/2012    Michael Hoehl
DRAFT - 40G Project Charter v.02.doc                Draft 0.02    1/7/2012    Michael Hoehl
DRAFT - 40G Project Charter v.03.doc                Draft 0.03    1/7/2012    Michael Hoehl
DRAFT - 40G Project Charter v.04.doc                Draft 0.04    1/7/2012    Aron Warren
Renamed to FINAL - 40G Project Charter v 1.0.doc    Final 1.0     1/7/2012    Aron Warren