IT support for MoD, Government etc

Discussion in 'Employment & Jobs' started by steve_f, Mar 6, 2010.

  1. steve_f

    Has anyone here worked IT support in such an environment?

    I'm trying to put a report together (for a job application) about IT support in these environments, where security is at its highest, and data is highly classified.

    I'm not asking you to do my homework for me, but I would appreciate any suggestions and advice.

    Some challenges I can think of:

    • Tough to provide secure internet access for software updates etc
    • need to lock down USB ports and CDRW drives
    • block websites that allow file upload/transfer
    • strict security on network ports
    • encrypt data keys and hard drives
    • remotely track and kill stolen/lost laptops etc

    I am looking up vendors like Cisco, Juniper etc to look for case studies in the military/government areas for ideas. Getting some good info there.



    If anyone has more suggestions/advice/ideas it would be much appreciated. Especially about how the day to day IT support differs from working somewhere less strictly controlled.
     
    Certifications: MCDST, MCSA 2003+Messaging, MCITP:SA, MCSA 2008, ITIL v3 Foundation, Comptia Server+ 2009, CCA Xenapp 6.5, VCP5-DV
    WIP: CCENT, CCNA, CCSA
  2. derkit

    Whilst an interesting topic and best of luck with it, most of the things that would be of use to you will be covered by the Official Secrets Act - and so you won't be able to find out the "actual" truth, just what people/companies/organisations want you to think.

    The OSA works retrospectively as well - so someone who used to work for such a department can't tell you what went on 5, 10, 20 years ago.
     
    Last edited: Mar 6, 2010
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  3. SimonD
    Actually, not entirely correct. I work for a Government department and whilst I do have a signed OSA paper it wasn't a requirement of the work I do.

    These days it's fairly easy to provide software updates via 3rd party applications, even if you don't want to use the likes of WSUS you can utilise System Center Configuration Manager or Symantec Altiris to deploy your software updates, with the likes of the SCUP utility from MS you are no longer restricted to just MS updates being deployed via WSUS\SCCM.

    There are a number of ways of either black or white listing USB\CDRW devices, for the most part if you don't want people to use a CDRW device you would just order the machine with a plain DVD device instead. As far as USB devices go, you can utilise Group Policy to restrict access to USB devices and monitor it, again fairly easy and straightforward.

    Website blocking can be done out of the box with products like Clearswift's Web Appliance or Sophos' offering, again this is all fairly straightforward but like most things are only as good as the ruleset put in place.

    Firewalling can be carried out on your internal LAN, this can be done either via the Windows Firewall (via GPO) or more usually via something like a Cisco ASA or something from the likes of Checkpoint or happen to be about the best out there with regards to Firewalling products.

    As far as Disk Encryption goes, the world's your oyster. You have BitLocker, SafeGuard Easy (now owned by Sophos). There really is a plethora of products out there for you to choose from.

    Finally there is LoJack for Laptops, this is offered by the likes of Dell, HP and Lenovo.

    None of the information I have given you here is covered under the OSA, it's all freely available and some\all of it can and is used in various government departments\agencies in one form or another.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  4. derkit

    I stand corrected then :)

    My assumption was that all Government IT system-workers had to sign the OSA - I assumed wrong 8)

    I just read the OPs
    and assumed he was more fielding the question at info that would fall under these.

    Good explanation!
     
    Last edited: Mar 6, 2010
  5. Asterix

    multiple networks for different classifications! We now have over 10 networks to support!
     
  6. steve_f

    Thanks everyone, this is great stuff!!

    SimonD, your information has been invaluable, thanks.

    Birdcr, I'm intrigued by the logistics you must face. I would love to ask you a few questions if that is OK.

    Can you tell if someone inadvertently (or on purpose) connects 2 networks that need to be kept separate?
    Do you need to remember about a million passwords compared to just running one network?
    Is it fun?? sounds cool :)
     
  7. derkit

    I support multiple, independent, not-connected networks.
    15 different accounts and passwords at last count.

    A pain in the bum remembering them all :)
     
    Last edited: Mar 6, 2010
  8. steve_f

    Sounds like a cool scenario to work with, Derkit.

    Are the networks physically separate, to prevent them being joined? Was thinking some rogue admin or someone trying to take a shortcut could put a router between them or connect a PC to both networks and bridge the connections.
     
  9. derkit

    Bit crazy after a while, but you pick up the nuances

    That's the best way of keeping any environment secure.

    Put it another way, having a firewall is a good way of stopping unwanted traffic between your network and the interweb, a better firewall is not to have a connection to the interweb at all, isn't it?

    The difference I have seen between a classified IT setup and a "normal" (for me, normal is anything that doesn't hold classified data - banks, any private company, charity etc.) is how hard you want the security to be.

    An analogy:
    For a local volunteer group, you'll have the teacher watching over you.
    For a national charity, you'll have a security guard on the door
    For a private company, you'll have an armed guard on the door with radios and dogs
    For a government or big company, you'll have a platoon of armed guards on the door with radios and dogs.
    For a top secret system, it'll be in a locked EMP safe, within a locked room, within an undisclosed location, not connected to the outside world, surrounded by a battalion of armed SAS soldiers with guns, and radio and dogs and some tanks for good measure. Oh, and every user has an extremely locked down account to boot.

    I suppose, again this is for any environment, don't give one person too many rights to do things - similar to the ITIL model - have one team to do the networks, one for port-security, one to do software deployment, one for monitoring (MOM logs or IDS role), one team for the hands-on physical movement, one for exchange, one for web interfaces, for the internet connection settings etc. - if no-one has access to all the pie, then no-one should be able to eat it all.
     
    Last edited: Mar 6, 2010
  10. westernkings

    +Repped for great post.
     
    Certifications: MCITP:VA, MCITP:EA, MCDST, MCTS, MCITP:EST7, MCITP:SA, PRINCE2, ITILv3
  11. Mr.Cheeks

    One more point to add - Secure Internet = GSI
     
  12. derkit

    Thanks for reminding me of my first job tomorrow morning :dry
     
  13. derkit

    Just checked for something - page doesn't help, but it is information in the public domain - TEMPEST
     
  14. SimonD
    That takes me back, ensuring cables are cut to exact lengths and routed just right to ensure no excess bleed thru of any kind of wave (monitors, rfi etc).
     
  15. steve_f

    Are there any common support tasks that take a lot longer in such an environment?

    Eg: Encrypting hard drives adds a lot of time to the desktop/laptop setup job
    Setting up a new user: Need to liaise with exchange, AD, Network, file server teams just to get them set up, whereas in my current job I would do all of that myself.
    There must be a lot of authorisation related paperwork as well.
     
  16. Asterix

    Sorry would not like to disclose further info on company process\procedure\policies! I don't mind personal questions!
    Put it this way! It's not fun, just restrictive!

    Edit: sorry if that was a little harsh, networks are completely separate, never joined (although machines are sometimes accidentally joined to different networks without approval) and yes lots of passwords, door entry codes etc.
     
    Last edited: Mar 8, 2010
  17. derkit

    Everything takes longer - as I said above, give too much responsibility to one person and you increase the risk of someone doing something they shouldn't.

    Paperwork - it's the government - it's full of paperwork!
     
  18. JK2447
    Tell me about it! :disguise
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: Google Cloud Certs
  19. Colloghi

    The encryption used for our users' laptops means it takes around 8 hours or more to build a laptop for a user.

    And there are lots of lovely forms to fill :) Which adds to the time for a user to get a laptop, account etc.

    Which usually go something like this .....

    User: Hi, I want a pen

    Desk: Erm, do you have form A version 1.2 for that?

    User: I've got form A version 1.2.1

    Desk: It has to be form A version 1.2, unfortunately, before we can process it

    User: But they are the same

    Desk: Not quite, as form A version 1.2 has an extra box for a mobile number that needs filling in and we also need your manager's uncle's roommate Bob to authorise it. :blink
     
    Certifications: A+, MCP 270, 271, MCDST
    WIP: 290
  20. Asterix


    This is so accurate!
     
