Enterprise Networking and Security - Report Example

? As network vulnerabilities are constantly at a rise, the current network security vulnerabilities are evaluated in three categories i.e. logical security, internal security and external security. The logical security domain will cover technical controls such as deployment of IDS, Virtual LAN, monitoring violation logs, auditing on domain environment, ISA server and VPN security as well. Secondly, internal and physical security will discuss human threats, physical access to server rooms and servers, sensors and sprinklers etc. Moreover, protecting accidently shutting down system will also be discussed. After evaluating vulnerabilities associated with these three domains, controls will be proposed and justified accordingly. 1 Introduction It has been concluded by some experts that the year 2012 is considered to be the worst year in terms of computer network security breaches (Schirick 2012). Likewise, the year that has not even passed the half year mark, some of the foremost companies were sufferers of network security breaches resulting in massive losses (Schirick 2012). However, the news buzz only highlights Sony and Citibank to be victims of network security breaches, as these companies are popular among the public. The other sides of the picture highlights organizations of all sizes are affected by the consequences of network security breaches. Likewise, it can be concluded that network security risks are continuously evolving, modifying and growing at a rapid pace. Organizations normally install a firewall and even intrusion detection systems that triggers alerts of any suspicious activity, as these two components only covers the technical domain and not the human and physical domain. The current network scenario is utilizing a Virtual Private Connection that is connecting one or more sites. However, the VPN connection is also entitled to allow internet traffic on the same dedicated line from the Internet Service Provider. Moreover, the current network only utilizes a single firewall that is located at the main campus of the university. It concludes that the rest of the two remote sites are only protected via a simple Network address translation function that is incorporated in a DSL modem. Moreover, there are no advanced security appliances such as Intrusion detection systems for analyzing and monitoring any suspicious activity that may possibly become a threat to the University’s computer network. Moreover, there is no patch management for updating security patches in the workstations connected to the network. There are no indications of hardening servers for instance, email server, application server, centralized server and database server must be hardened and needs physical protection as well. 2 Security Vulnerabilities The current network security vulnerabilities will be accessed in three categories i.e. logical security, internal security and external security. As far as logical security is concerned, we can see that the fig 1.1 demonstrates a firewall, Microsoft Internet Security and Acceleration (ISA) server and a domain controller with Microsoft Active Directory. The three categories for network vulnerabilities are categorized as below: 2.1 Logical Vulnerabilities The current logical controls for protecting information assets within the network are active Microsoft Active directory, ISA server and a Firewall. The Microsoft active directory is not primarily a security control, as it does not mitigate any risks associated with viruses, worms, Trojans, phishing, spam, denial of service attacks etc. however, it provides a secure administration of user profiles and File sharing features. File sharing threats are spreading on a rapid pace, as every now and then, new file sharing technologies are getting being developed and in demand. Controls will not only provide value from all network based services, but will also augment productivity for the organization in terms of revenue, customer loyalty and competitive advantage. Workgroup based environment is not centralized. For instance, users can only login, if they have account created on that specific computer. As far as security is concerned, there are no passwords, resulting in anyone to log on the network. Moreover, workgroup only recognize twenty to twenty five computers that are on the same subnet. For instance, we have application servers that are on the different subnet, users will not be able to access applications, as they are configured on a different subnet. On the other hand, Domain based environment provides centralized administration and access for users. All staff has to enter user credentials, in order to identify themselves on the network before doing any work. Moreover, computers with different subnet are supported and thousands of computers can be connected on the domain based environment. For instance, if a computer stops responding, employees or users can log on from some other computer and no work is halted. Therefore, Domain based network environments are more effective and are compatible to the current network scenario. Moreover, if security auditing features are enabled, user activity and system logs are saved and monitored. Likewise, the lightweight directory access protocol ensures encryption all the way from the domain controller to the workstations via Kerberos. However, network or system security specialist will not be able to monitor, analyze or examine threats from a domain environment. Active directory prevents unauthorized access because users have to provide login credentials for accessing personal file settings, data and customized permitted objects in the operating system. Secondly, the ISA server that can be considered as a firewall and a proxy server as well due to support of cache management functions. As per the current scenario, the suspicious packets are handled by the firewall, as it is separately installed. The ISA server is only implemented to enable access management to different services associated with Internet, file sharing etc. ISA server will only prevent unauthorized access to different network services, for example, Internet access. We have covered two logical controls in the current network scenario up till now. The third security control that we have identified is a hardware based firewall. The firewall operates on chain of rules that are defined by the security specialist, consultant or a vendor. The configuration is carried out for restricting or dropping unwanted packets and suspicious packets. However, legitimate packets are allowed for entering tin the network. The firewall only operates on rules and if any suspicious packet hides itself within other packet may enter in the network. Logical vulnerabilities in this current scenario include no additional security controls on firewall, critical servers, and network devices. If any suspicious packet bypasses the firewall, there are no mechanisms to track and monitor the probe of a hacker trying to breach into the core systems. Moreover, building B and building C have not a single security control. This concludes that only Network address translation (NAT) is the only logical security control, whose main purpose is to hide private IP addresses of the local area network and relay the traffic via a global IP address. Suppose, if a threat bypasses a firewall that is located at the main site, there is a high probability and risk that the data residing at the two buildings i.e. building B and building D will also be compromised. Moreover, if any employee or personnel plugs in the suspicious USB drive in one of the system, there is no mechanism or tools to monitor internal network threats, as it has been proved that internal threats are relatively more probable than external threats. Furthermore, there are no tools for demonstrating events and alerts associated with violation logs. In addition, there are no logical controls linked with the database, as SQL injection techniques have proven to exploit data from the database. Furthermore, for logical vulnerability there is an absence of Virtual local area networks. VLAN’s provide adequate security, “Virtual LAN (VLAN) refers to a logical network in which a group of devices on one or more LANs that are con?gured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical, instead of physical, connections, they are very ?exible for user/host management, bandwidth allocation and resource optimization” (Virtual LAN. 2007). VLAN’s separates traffic for each department an also prevent denial of service attacks and unwanted traffic broadcast that may result in network congestion and degradation of network services. 2.2 Internal and Physical Security The internal security is associated with adequate protection from internal threats i.e. humans. It has been evaluated that organizations emphasize only on physical and logical security and often skips adequate protection of internal human controls from threats such as unauthorized access, theft, espionage etc. In the current scenario, there are no security controls addressing human security. Likewise, there are no mounted racks for locking up servers, network components and Ethernet wires. As Ethernet wires can be tapped, an appropriate way is to install patch panels for CAT 5 cables. Moreover, theft of any critical hardware or software component is easy, as there are no biometric systems available in the premises. Biometric identification systems are considered to be the best physical security control till date. Moreover, there are no surveillance cameras installed on critical locations, as they prevent physical theft of systems as well as identify disasters. For instance, if fire occurs due to any short circuit in one of the critical information assets, it can be controlled in an early stage. However, sensors, water sprinklers and fire extinguishers are considered to be ideal controls in this scenario. 3 Suggested Solutions 3.1 Intrusion detection system Security in terms of computer networks has marked its significance. Senior management address security issues to an optimal level and enforces strict security procedures in order to protect strategic and financial assets. Likewise, new and improved sensing technologies are now mandatory for Scilly University for maintaining the security of network. Consequently, an intrusion detection system is required for continuously monitor threats and vulnerabilities within the Scilly University network. IDS/IPS derived from the traditional security appliances and is defined as “Intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse” (Intrusion Detection System. 2007). Figure 1.2, demonstrates the physical location of the IDS (indicated in Red) in Scilly University. IDS are currently available in different types ranging from different methods and techniques. However, security requirements of organizations must align with the IDS type and methodology. Likewise, some of the types incorporates network based IDS known as the Network Intrusion detection system (NIDS), Host Intrusion detection system (HIDS), Next generation IDS and many more. However, two of the popular methods associated with IDS are signature based IDS and anomaly based IDS. As per the current scenario, IT administrators have analyzed that an intruder from the internal and external premises of the organization is trying to bypass a corporate access point. Before demonstrating steps for capturing and eliminating the attack, we will compare the two types of IDS/IPS i.e. Signature based IDS and Anomaly based IDS. After discussing these two basic types of IDS, we will be able to select an appropriate type of IDS for this specific scenario. The methodology of the Signature based IDS works on predefined signatures that are installed within the IDS. Likewise, whenever a similar pattern of unknown activity is detected within the network, it is reported as threat or suspicious activity. However, if there are patterns apart from the predefined signatures, they can be undetected and may harm the network. As a result, new threats are not detected and identified by Signature based IDS. Besides, anomaly based IDS monitor and detect any unknown or suspicious activity within the network, as it does not comply to pre-defined signatures. These two IDS types comply with different types of methods, process, and various profiles. The signature based IDS analyze and identify specific patterns of attacks that are recognized by raw data that is in terms of byte sequences called strings, port number, protocol types etc. Likewise, apart from the normal operational pattern, signature based IDS detects any activity that is unusual from previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime object of a ‘signature based IDS’ is to search signatures in order to detect a threat or vulnerability that is similar to antivirus software that also detects viruses. The functionality of IDS is to detect attacks that are initiated directly towards the network. Moreover, IDS tries to identify as many events as possible and therefore generate logs. The location if IDS is behind the firewall so that it may analyze packets that are passed via a firewall. The detection engine of IDS compares predetermined rules in order to deny or accept packets. The rules are categorized in two domains i.e. Chain headers and Chain options. The structure of a signature contains the following attributes: Identification number, Message and Rule. However, in the current scenario, a threat is detected that is trying to gain access to the confidential data of the organization. Probably, signature based IDS has detected this particular threat. Anomaly based intrusion detection system is based on data driven methodology that complies with data mining techniques. The functionality of an anomaly based IDS involves in the creation of profiles associated with normal behavior and activities within the network. If any unknown activities initializes that is not similar to the normal profiles, is considered as anomalies or attacks. Moreover, the normal routines of normal profiles are also monitored, if they also exceeds from their given boundaries, they are also considered as anomalies also called as false positives. An efficient anomaly based IDS may extract results containing high detection success rate along with low false positive rate. Moreover, these systems are categorized in to various sub categories including data mining, statistical methodologies, artificial neural networks, immune systems and genetic algorithms. Among all of these, statistical methods are more commonly used for detecting intrusions by finding out any anomaly that has initiated within the network (Aydin, Zaim et al. 2009). By combining these two types of IDS, network administrators eliminate or fill vulnerabilities within the network. Anomaly based intrusion detection system will be recommended for Scilly university computer network, as the signature based IDS only works on the given signatures and will not sense any unusual activity if it is not defined in the signature. Anomaly based IDS will detect every threat that is referred as anomaly within the network. 3.2 RADIUS Server As per network dictionary, “Remote Authentication Dial In User Service (RADIUS) is a protocol for carrying authentication, authorization and con?guration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. RADIUS uses UDP as the transport protocol. RADIUS also carries accounting information between a Network Access Server and a shared Accounting Server. Likewise, the users located at building B and C will establish connectivity with the VPN and RADIUS server for authentication and authentication. Figure 1.1, demonstrates the functionality of a RADIUS server. Data related to security will be distributed on the network and may include several devices that may interact with the security data. RADIUS server will cater all the security data within the network and stores it on one location or workstation or on a storage device. In this way, risks and vulnerabilities associated with the security data will be mitigated. Moreover, the host that will store the security data will be considered as the RADIUS server. Moreover, RADIUS can also be integrated with Microsoft operating system environment, as Scilly University is already operating on Microsoft operating systems they will support RADIUS functionality. Furthermore, Information related to security is stored on text files at a central location i.e. the RADIUS server. If there is a requirement of adding new students or staff for Scilly University, network administrator will only update the text file for updating new user information to the database. In addition, RADIUS server also facilities auditors by providing a comprehensive audit trails that may support RADIUS accounting features. Moreover, log files can be analyzed for security aspects or can be utilized for billing purposes. As building B and C are vulnerable to any type of attacks via VPN + Internet connection, one firewall each will be behind the router on building B and C. Consequently, firewall will add a layer of security on these remote sites. 3.3 Physical Security A bio metric identification system is required prior to entrance in the Scilly University server room. Moreover, surveillance cameras must be installed for monitoring the server room. Furthermore, for addressing fire or electricity incidents, temperature sensors and water sprinklers must be installed near critical systems and applications. The bio metric system will restrict unauthorized personnel for entering in the server room and consequently, the risk of physical theft associated with computing devices or equipment will be minimized. In addition, a proper review of access logs for bio metric systems is also necessary, as it will identify how many times a particular employee is entering or exiting from the server room or any other department. Guards will provide adequate security for the building of Scilly University and will only allow relevant people enter in to the building. One more aspect that needs to be discussed is the power button of critical applications that are operational every second. For instance, personnel or support staff from the third party started working on the server and accidently his hand presses the power button will result in halting of educational operations. For this reason, protective covers must be deployed on power buttons of each server. If the server needs to be restarted, there is an approval process that will be accepted or rejected by the relevant system or application owner. After granting approval, server can be re booted. 4 Conclusion We have identified vulnerabilities in logical, physical and internal security of the network. The logical security solutions include the acquisition of RADIUS server that will utilize VPN and provide added security features. Moreover, to add an extra layer of security and defense, we have considered IDS/IPS. Likewise, we have also discussed types of IDS and recommended the best one. Moreover, for addressing physical and internal security, Bio metric systems are recommended along with surveillance cameras monitoring server rooms. Furthermore, a deployment of firewall each is recommended for computer networks available in building B and building C respectively. As the network of the university expands, Cisco adaptive appliance will be more effective as compare to this normal firewall. Moreover, next generation network compatible IDS that include social networking threat detection mechanisms might also be considered. Bibliography AYDIN, M.A., ZAIM, A.H. and CEYLAN, K.G., 2009. A hybrid intrusion detection system design for computer network security Computers & Electrical Engineering, 35(3), pp. 517 526. Intrusion Detection System. 2007. Network Dictionary, , pp. 258-258. Remote Authentication Dial In User Service Security. 2007. Network Dictionary, , pp. 409-409. SCHIRICK, E.A., 2012. Computer Network Security — Evolving Risks. Camping Magazine, 85(2), pp. 16. Virtual LAN. 2007. Network Dictionary, , pp. 515-515. Bibliography AYDIN, M.A., ZAIM, A.H. and CEYLAN, K.G., 2009. A hybrid intrusion detection system design for computer network security Computers & Electrical Engineering, 35(3), pp. 517 526. Intrusion Detection System. 2007. Network Dictionary, , pp. 258-258. Remote Authentication Dial In User Service Security. 2007. Network Dictionary, , pp. 409-409. SCHIRICK, E.A., 2012. Computer Network Security — Evolving Risks. Camping Magazine, 85(2), pp. 16. Virtual LAN. 2007. Network Dictionary, , pp. 515-515. Read More