Hewlett Packard - Vaulting and Pitting

Hewlett Packard has for many years held a leading position in the development of Unix-based systems. They have many prestigious customers who put security and ease of use at the head of their requirements.

Project Requirements
One of HP's most prestigious banking customers required a means to simplify and yet strengthen their computing environment. Although it was mainly based on HP systems, there were also a number of other makes of Unix system, including Sun, IBM and Linux-based systems. There were a number of conflicting needs, mainly revolving around controlling development systems, securing live servers, providing user access to test environments and providing proper administration access to servers.

The Solution
Layer3 systems designed a means by which a system could be automatically configured into a physical and virtual network environment that would provide the required degree of security and flexibility. The design provided a Vault and Pit approach that could be used to carefully trade off security and accessibility, and yet was easy to operate and maintain. The "vault" environment provided a secure network area into which only carefully authorised users or systems could gain access. Live high-security systems would operate from these environments. The "pit" environment was designed for developers and development systems, restricting them so that they could reach resources outside the pit only where they had authorised access. This was further enhanced by designing templates for access controls between vaults and pits. These allowed administration users to be placed inside a "pit" which had some "vault"-like features, thus protecting them from attack whilst allowing them controlled access to specific systems.

Benefits
• Increases defence in depth whilst simplifying operation and setup.
• Reduces costs by easing administration and automating network security.
• Implemented using standard switches and routers.
• Simple front end developed to run as a command line, a web interface or an XML config file.