Network Security - Research Paper Example

? Full Paper Table of Contents Table of Contents 2 3 2 Research Methodology and Literature Review 3 3 Network Security Tools 13 4 Conclusion 17 1 Abstract By utilizing quantitative and qualitative research methods, we will analyze different aspects of organization wide information security. As network vulnerabilities are constantly at a rise, network security vulnerabilities are evaluated in three categories i.e. logical security, internal security and external security. The logical security domain will cover technical controls such as deployment of IDS, Virtual LAN, monitoring violation logs, auditing on domain environment, ISA server and VPN security as well. Secondly, internal and physical security will discuss human threats, physical access to server rooms and servers, sensors and sprinklers etc. Moreover, protecting accidently shutting down system will also be discussed. After evaluating vulnerabilities associated with these three domains, controls will be proposed and justified accordingly. Furthermore, incorporation of Scilly University network architecture will also be utilized for better insights. 2 Research Methodology and Literature Review We will utilize Scilly University in our research as a basis of our discussions. Moreover, we will focus on qualitative research on information security, tools, assessments and statistical data in some cases. It has been concluded by some experts that the year 2012 is considered to be the worst year in terms of computer network security breaches (Schirick, 2012). Likewise, the year that has not even passed the half year mark, some of the foremost companies were sufferers of network security breaches resulting in massive losses (Schirick, 2012). However, the news buzz only highlights Sony and Citibank to be victims of network security breaches, as these companies are popular among the public. The other sides of the picture highlights organizations of all sizes are affected by the consequences of network security breaches. Likewise, it can be concluded that network security risks are continuously evolving, modifying and growing at a rapid pace. Organizations normally install a firewall and even intrusion detection systems that triggers alerts of any suspicious activity, as these two components only covers the technical domain and not the human and physical domain. The current network scenario is utilizing a Virtual Private Connection that is connecting one or more sites. However, the VPN connection is also entitled to allow internet traffic on the same dedicated line from the Internet Service Provider. Moreover, the current network only utilizes a single firewall that is located at the main campus of the university. It concludes that the rest of the two remote sites are only protected via a simple Network address translation function that is incorporated in a DSL modem. Moreover, there are no advanced security appliances such as Intrusion detection systems for analyzing and monitoring any suspicious activity that may possibly become a threat to the University’s computer network. Moreover, there is no patch management for updating security patches in the workstations connected to the network. There are no indications of hardening servers for instance, email server, application server, centralized server and database server must be hardened and needs physical protection as well. The network security vulnerabilities will be accessed in three categories i.e. logical security, internal security and external security. As far as logical security is concerned, we can see that the fig 1.1 demonstrates a firewall, Microsoft Internet Security and Acceleration (ISA) server and a domain controller with Microsoft Active Directory. The three categories for network vulnerabilities are categorized as below: 2.1 Logical Vulnerabilities The current logical controls for protecting information assets within the network are Microsoft Active directory, ISA server and a Firewall. The Microsoft active directory is not primarily a security control, as it does not mitigate any risks associated with viruses, worms, Trojans, phishing, spam, denial of service attacks etc. however, it provides a secure administration of user profiles and File sharing features (Smith, 2010). File sharing threats are spreading on a rapid pace, as every now and then, new file sharing technologies are getting being developed and in demand. Controls will not only provide value from all network based services, but will also augment productivity for the organization in terms of revenue, customer loyalty and competitive advantage. Workgroup based environment is not centralized. For instance, users can only login, if they have account created on that specific computer. As far as security is concerned, there are no passwords, resulting in anyone to log on the network. Moreover, workgroup only recognize twenty to twenty five computers that are on the same subnet. For instance, we have application servers that are on the different subnet, users will not be able to access applications, as they are configured on a different subnet. On the other hand, Domain based environment provides centralized administration and access for users. All staff has to enter user credentials, in order to identify themselves on the network before doing any work. Moreover, computers with different subnet are supported and thousands of computers can be connected on the domain based environment. For instance, if a computer stops responding, employees or users can log on from some other computer and no work is halted. Therefore, Domain based network environments are more effective and are compatible to the current network scenario. Moreover, if security auditing features are enabled, user activity and system logs are saved and monitored. Likewise, the lightweight directory access protocol ensures encryption all the way from the domain controller to the workstations via Kerberos. However, network or system security specialist will not be able to monitor, analyze or examine threats from a domain environment. Active directory prevents unauthorized access because users have to provide login credentials for accessing personal file settings, data and customized permitted objects in the operating system. Secondly, the ISA server that can be considered as a firewall and a proxy server as well due to support of cache management functions. As per the current scenario, the suspicious packets are handled by the firewall, as it is separately installed. (Internet security and acceleration server.2007) The ISA server is only implemented to enable access management to different services associated with Internet, file sharing etc. ISA server will only prevent unauthorized access to different network services, for example, Internet access. We have covered two logical controls in the current network scenario up till now. The third security control that we have identified is a hardware based firewall. The firewall operates on chain of rules that are defined by the security specialist, consultant or a vendor. The configuration is carried out for restricting or dropping unwanted packets and suspicious packets. However, legitimate packets are allowed for entering tin the network. The firewall only operates on rules and if any suspicious packet hides itself within other packet may enter in the network. Logical vulnerabilities include no additional security controls on firewall, critical servers, and network devices. If any suspicious packet bypasses the firewall, there are no mechanisms to track and monitor the probe of a hacker trying to breach into the core systems. Moreover, building B and building C have not a single security control. This concludes that only Network address translation (NAT) is the only logical security control, whose main purpose is to hide private IP addresses of the local area network and relay the traffic via a global IP address. Suppose, if a threat bypasses a firewall that is located at the main site, there is a high probability and risk that the data residing at the two buildings i.e. building B and building D will also be compromised. Moreover, if any employee or personnel plugs in the suspicious USB drive in one of the system, there is no mechanism or tools to monitor internal network threats, as it has been proved that internal threats are relatively more probable than external threats. Furthermore, there are no tools for demonstrating events and alerts associated with violation logs. In addition, there are no logical controls linked with the database, as SQL injection techniques have proven to exploit data from the database. Furthermore, for logical vulnerability there is an absence of Virtual local area networks. VLAN’s provide adequate security, “Virtual LAN (VLAN) refers to a logical network in which a group of devices on one or more LANs that are con?gured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical, instead of physical, connections, they are very ?exible for user/host management, bandwidth allocation and resource optimization” (Virtual LAN, 2007). VLAN’s separates traffic for each department an also prevent denial of service attacks and unwanted traffic broadcast that may result in network congestion and degradation of network services. 2.2 Internal and Physical Security The internal security is associated with adequate protection from internal threats i.e. humans. It has been evaluated that organizations emphasize only on physical and logical security and often skips adequate protection of internal human controls from threats such as unauthorized access, theft, espionage etc. In the current scenario, there are no security controls addressing human security. Likewise, there are no mounted racks for locking up servers, network components and Ethernet wires. As Ethernet wires can be tapped, an appropriate way is to install patch panels for CAT 5 cables. Moreover, theft of any critical hardware or software component is easy, as there are no biometric systems available in the premises. Biometric identification systems are considered to be the best physical security control till date. Moreover, there are no surveillance cameras installed on critical locations, as they prevent physical theft of systems as well as identify disasters. For instance, if fire occurs due to any short circuit in one of the critical information assets, it can be controlled in an early stage. However, sensors, water sprinklers and fire extinguishers are considered to be ideal controls in this scenario. 2.3 Intrusion detection system Security in terms of computer networks has marked its significance. Senior management address security issues to an optimal level and enforces strict security procedures in order to protect strategic and financial assets. Likewise, new and improved sensing technologies are now mandatory for Scilly University for maintaining the security of network. Consequently, an intrusion detection system is required for continuously monitor threats and vulnerabilities within the Scilly University network. IDS/IPS derived from the traditional security appliances and is defined as “Intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse” (Intrusion Detection System, 2007). Figure 1.1, demonstrates the physical location of the IDS (indicated in Red) in Scilly University. Figure 1.1 The signature based IDS analyze and identify specific patterns of attacks that are recognized by raw data that is in terms of byte sequences called strings, port number, protocol types etc. Likewise, apart from the normal operational pattern, signature based IDS detects any activity that is unusual from previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime object of a ‘signature based IDS’ is to search signatures in order to detect a threat or vulnerability that is similar to antivirus software that also detects viruses. The functionality of IDS is to detect attacks that are initiated directly towards the network. Moreover, IDS tries to identify as many events as possible and therefore generate logs. The location if IDS is behind the firewall so that it may analyze packets that are passed via a firewall. The detection engine of IDS compares predetermined rules in order to deny or accept packets. The rules are categorized in two domains i.e. Chain headers and Chain options. The structure of a signature contains the following attributes: Identification number, Message and Rule. However, in the current scenario, a threat is detected that is trying to gain access to the confidential data of the organization. Probably, signature based IDS has detected this particular threat. Anomaly based intrusion detection system is based on data driven methodology that complies with data mining techniques. The functionality of an anomaly based IDS involves in the creation of profiles associated with normal behavior and activities within the network. If any unknown activities initializes that is not similar to the normal profiles, is considered as anomalies or attacks. Moreover, the normal routines of normal profiles are also monitored, if they also exceeds from their given boundaries, they are also considered as anomalies also called as false positives. An efficient anomaly based IDS may extract results containing high detection success rate along with low false positive rate. Moreover, these systems are categorized in to various sub categories including data mining, statistical methodologies, artificial neural networks, immune systems and genetic algorithms. Among all of these, statistical methods are more commonly used for detecting intrusions by finding out any anomaly that has initiated within the network (Ayd?n, Zaim, & Ceylan, 2009). By combining these two types of IDS, network administrators eliminate or fill vulnerabilities within the network. Anomaly based intrusion detection system will be recommended for Scilly university computer network, as the signature based IDS only works on the given signatures and will not sense any unusual activity if it is not defined in the signature. Anomaly based IDS will detect every threat that is referred as anomaly within the network. 2.4 RADIUS Server As per network dictionary, “Remote Authentication Dial In User Service (RADIUS) is a protocol for carrying authentication, authorization and con?guration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. RADIUS uses UDP as the transport protocol. RADIUS also carries accounting information between a Network Access Server and a shared Accounting Server. Likewise, the users located at building B and C will establish connectivity with the VPN and RADIUS server for authentication and authentication. Figure 1.2, demonstrates the functionality of a RADIUS server. Figure 1.2 Data related to security will be distributed on the network and may include several devices that may interact with the security data. RADIUS server will cater all the security data within the network and stores it on one location or workstation or on a storage device. In this way, risks and vulnerabilities associated with the security data will be mitigated. Moreover, the host that will store the security data will be considered as the RADIUS server. Moreover, RADIUS can also be integrated with Microsoft operating system environment, as Scilly University is already operating on Microsoft operating systems they will support RADIUS functionality. Furthermore, Information related to security is stored on text files at a central location i.e. the RADIUS server. If there is a requirement of adding new students or staff for Scilly University, network administrator will only update the text file for updating new user information to the database? In addition, RADIUS server also facilities auditors by providing a comprehensive audit trails that may support RADIUS accounting features. Moreover, log files can be analyzed for security aspects or can be utilized for billing purposes. As building B and C are vulnerable to any type of attacks via VPN + Internet connection, one firewall each will be behind the router on building B and C. Consequently, firewall will add a layer of security on these remote sites. 2.5 Physical Security A bio metric identification system is required prior to entrance in the Scilly University server room. Moreover, surveillance cameras must be installed for monitoring the server room. Furthermore, for addressing fire or electricity incidents, temperature sensors and water sprinklers must be installed near critical systems and applications. The bio metric system will restrict unauthorized personnel for entering in the server room and consequently, the risk of physical theft associated with computing devices or equipment will be minimized. In addition, a proper review of access logs for bio metric systems is also necessary, as it will identify how many times a particular employee is entering or exiting from the server room or any other department. Guards will provide adequate security for the building of Scilly University and will only allow relevant people enter in to the building. One more aspect that needs to be discussed is the power button of critical applications that are operational every second. For instance, personnel or support staff from the third party started working on the server and accidently his hand presses the power button will result in halting of educational operations. For this reason, protective covers must be deployed on power buttons of each server. If the server needs to be restarted, there is an approval process that will be accepted or rejected by the relevant system or application owner. After granting approval, server can be re booted. 3 Network Security Tools Information is lifeblood for any organization. As information is digitized, it is stored on information systems and travels to the inbound and outbound network. The storage and transmission of data is essential for business automation and business functions. However, there are many challenges that organizations have to overcome for securing the information on the network as well as in the servers. Certified skilled professionals, certified vulnerability assessment tools, incident response management teams and other relevant staff plays a significant role for protecting and detecting potential threats and vulnerabilities that may or have compromise the network to gain access to business critical information of the organization. There is a requirement of a powerful vulnerability assessment and management tool that will facilitate the network security team in crises situations. Moreover, there is one more challenge for the network administrators i.e. they are not able to find traces for the threat that has already penetrated into a distributed network environment. Likewise, distributed network is a merger of two or more networks and may be operational on a broad spectrum. Moreover, the existing network security controls are not capable to detect the worm, as the distributed network is connected to one or more networks; it is difficult to analyze specific anomalies and patterns of unknown activity on the distributed network. Furthermore, the combination of infinite data packets can construct a major impact on the network because they all have the same frequency and are associated with the same domain that is similar to the current scenario. For addressing this issue, powerful vulnerability detection and assessment tools are required for detecting threats on a distributed network. Tools supporting pattern detection for distributed network environment provides a network wide correlation analysis associated with instant parameters along with anomalous space extraction, instant amplitude and instant frequency. We will discuss tools that are available for vulnerability assessment and can be utilized by the network administrator for enabling instant amplitude and instant frequency so that transmission of data packets on the network can detect unknown activities or patterns on the network. Moreover, these tools will also facilitate to categorize data packets in to time and frequency domains distinctly. Furthermore, network administrators can also implement a methodology, subset of the current methodology, which is called as anomalous space extraction based on predictions of network traffic or transmission of data packets. Successful information security management involves an amalgamation of prevention, detection and response in order to deploy a strong security defense. Security has become an encircling issue for designers and developers of the digital world. A system should also be able to counter incidents and raise proper procedures in case an information security incident occurs. Information security incident handling takes a stride forward in the information security management procedure. The aim is to provide a reference for the management, administration and other technical operational staff. If considering the enterprise government, focus on executing management actions is required to support the strategic goals of the organization. It has been calculated approximately half of the breaches to the security of the information systems are made by the internal staff or employee of the organization. Security incident management facilitates the development of security incident handling and planning including preparation for detection and reply to information security issues. The standard of the incident management primarily relates to ensure the existence of processes rather than the contents of these procedures. The security incident of different computing systems will have dissimilar effects and escort to different consequences, bureau, departments the organization need to tailor the security incident handling plan according to specific operational requirements. In order to do so, the security staff must equip with tools for vulnerability detection and assessment. We will discuss and compare various features of two tools i.e. Dragonsoft Vulnerability Management and GFI LANguard. However, the criteria for comparing these two tools will be the ability to detect vulnerabilities, report and facilitate to mitigate threats and risks. 3.1 Functionality and Features DragonSoft Vulnerability Management tool is preferable for small medium enterprises to corporate enterprises. The primary tasks is scan the network for detecting vulnerabilities, evaluation of the detected vulnerabilities in order to provide the basis for performing risk assessment. Moreover, the tool also generates reports and performs centralized risk assessment along with risk mitigation options. Likewise, DragonSoft Vulnerability Management tool monitors and assess potential vulnerability details prior scanning assets defined on the network. Other features of DragonSoft Vulnerability Management tool incorporates security scanning with security audit that includes vulnerability audit, password audits and test incorporating Denial of Service (DoS) with the vulnerability database consisting of 4500 vulnerability definitions (DragonSoft Vulnerability Management, 2011). Moreover, the centralized risk assessment for vulnerabilities provides centralized administration and management for internal as well as external host remediation. The tool also support compliance and audit functions for International Organization for Standardization (ISO) 27001, HIPAA, government or federal regulations and Payment Card Industry Digital Security Standard (PCI-DSS). Furthermore, the graphical representation embedded in the tool identifies areas for deploying missing or updated security patches on the network (DragonSoft Vulnerability Management, 2011). GFI LANguard is a network vulnerability scanning and patch management tool. Likewise, the tool facilitates patch management functions, vulnerability management, application and network audit, simplifying asset inventory, change management, and analysis for risk and compliance. Moreover, the tool also scans all the assets on the network, identify them, categorize them as per security weaknesses based on their impact level and then suggest a remediation plan or action (GF LANguard, 2011). Throughout the GFI LANguard security review, greater than 15 thousand weaknesses per IP address were identified for the operating systems, virtual environments and installed software. GFI LANguard is a multi-platform supported tool that can scan Windows, Linux and Mac based machines. Moreover, the tool incorporates its own database for accessing vulnerabilities, as the database includes more than 2000 CVE and SANS top 20 identified vulnerabilities. The database can be regularly updated by retrieving information from Microsoft security updates, SANS, GFI resources and other information repositories. Moreover, GFI LANguard also provides a graphical indicator that shows levels of each associated threats in order to demonstrate a weighted assessment of the current vulnerability status of the computer. The GFI LANguard tool also provides the user to establish customized a specific vulnerability scan via a simple wizard. However, complex vulnerability assessment scans can also be established via a wizard based Visual Basic Scripted engine. Moreover, the wizard also empower users to configure different types of scans targeting various types if information. For instance, scanning public file sharing on the network, password policy and security audit scanning, detecting any missing security updates or patches on workstation connected to the network. Moreover, the tool can also be utilized to review the hardened servers for any open ports by scanning closed and opened ports, unnecessary ports for detecting port hijacking, disabling or identifying unnecessary local and group accounts, detecting adware, spyware or black listed software applications still running in hidden files. Furthermore, the powerful tool also scans the connected Universal Serial Bus devices that are connected to workstations at the time of scanning. The scanned results can be demonstrated by export options for Microsoft Excel. GFI LANguard website provides a free version of the tool that is only limited to scan five IP addresses within the network; however, all the features and functions are activated. 4 Conclusion We have identified vulnerabilities in logical, physical and internal security of the network. The logical security solutions include the acquisition of RADIUS server that will utilize VPN and provide added security features. Moreover, to add an extra layer of security and defense, we have considered IDS/IPS. Likewise, we have also discussed types of IDS and recommended the best one. Moreover, for addressing physical and internal security, Bio metric systems are recommended along with surveillance cameras monitoring server rooms. Furthermore, a deployment of firewall each is recommended for computer networks. Moreover, after comparing features for both of the tools, GFILANguard is relatively more powerful in detecting vulnerabilities ranging from facilitating to the asset inventory, change management, security audit, port scanning, server hardening, risk assessment and USB scanning. Moreover, platform support is a huge advantage for an environment running servers on multiple platforms. Whereas, Dragonsoft vulnerability management tool can serve better in small medium enterprises, as it incorporates features that may align with medium to small computing environment. References Ayd?n, M. A., Zaim, A. H., & Ceylan, K. G. (2009). A hybrid intrusion detection system design for computer network security. Computers & Electrical Engineering, 35(3), 517-526. doi: 10.1016/j.compeleceng.2008.12.005 DragonSoft Vulnerability Management. 2011. SC Magazine: For IT Security Professionals (15476693), 22(2), pp. 55-55. GF LANguard. 2011. SC Magazine: For IT Security Professionals (15476693), 22(2), pp. 56-56. Intrusion Detection System. 2007. Network Dictionary, , pp. 258-258. Internet security and acceleration server. (2007). Network Dictionary, , 255-255. Remote Authentication Dial In User Service Security. 2007. Network Dictionary, , pp. 409-409. SCHIRICK, E.A., 2012. Computer Network Security — Evolving Risks. Camping Magazine, 85(2), pp. 16. Smith, R. (2010). Advanced active directory security. Windows IT Pro, 16(10), 28-31. Virtual LAN. 2007. Network Dictionary, , pp. 515-515. Read More