Addressing Security Issues and Deployment Approach for WAN - Tyrell Corporation - Case Study Example

? Table of Contents Introduction 2 2 Addressing Deployment Approach for Departments 3 3 Addressing Security Issues and Deployment Approach for WAN 5 4 Security Policy Development 10 5 Disaster Recovery 14 6 References 16 1 Introduction For designing a network for the second building of the company requires a fit for purpose scalable network that will address future goals of the company. Currently we have two buildings and in the future there may be three buildings, i.e. more risk exposure. Moreover, critical assets of the company are located at the ground floor, as the company is located near river banks, there is a high probability of natural disasters i.e. floods etc. Furthermore, the distance between the two buildings is 120 meters that is manageable for connecting the sites physically. However, in case of configuring a wireless network, IEEE-802.11g Compliant will be recommended for covering the distance of 250 meters. Figure 1.1 demonstrates the current architecture and Figure 1.2 illustrates the network architecture for Tyrell Corporation Figure 1.1 Figure 1.2 2 Addressing Deployment Approach for Departments Star topology is recommended for the wired local area network. It is the most widely adopted topology. The star topology supports the centralized provision of network resources and services. The support staff can manage the network administrative and troubleshooting tasks centrally. Star topology helps to implement centralized security architecture for improved and enhanced security of the network. The network implementation cost can be saved by provisioning the core systems located centrally. The security controls and backup systems are also located centrally for better troubleshooting and management. For deploying the local network for Tyrell Corporation, CAT 5 cable is the best option. It supports both voice and data transmission. CAT-5 is in the form of twisted pairs. This cable consists of 4 copper wire pairs, connecting the network node with RJ 45 connectors.CAT-5 supports up to 100 to 1000 MHz speeds in a ‘full duplex’ mode (Category 5 Cable. 2007). The Tyrell Corporation enterprise network will corresponds to request related to internet applications, online transactions, requests by sale contractors, file transfer protocol and Emails. CAT 5 can support these features with ease. However, CAT 5 cable can support up to 300 feet equal to 100 meters in distance. A requirement of the switch is mandatory for every 300 feet. Data switches perform packet distribution tasks within the local area network. Acting as a core backbone, Tyrell Corporation network requires fast Ethernet switches to support the internet and external communication. The Cisco Catalyst 3750 v2 series switch is recommended to cater the requirements for the current scenario as well as for the future. The deployment of switches will be carried out by disconnecting one department at a time on a non-working day, as the installation will be conducted by the vendors or the staff available at Tyrell Corporation. From each of these available departments, human resource department will be the first one to be replaced with the new switch supporting VLAN and addressing security issues. The next department will be the technology department itself for enabling compatibility with the human resource department switch, as proper configuration and testing is required. Each department follows the similar approach with finance department to be the last one. Cisco Catalyst 3750 is the OSI layer 3 stackable switch, supporting the energy efficiency factor. Stackable means that more switches can be added to the current switch configuration for providing more network nodes. This switch supports the Cisco Energy Wise technology, which assist in the provision of power management of the big switch network. At the same time, the Cisco energy wise technology reduces the cost and carbon foot prints. The latest invention to the energy wise technology is the ‘Cisco Energy Wise’ Orchestrator which is a dedicated turnkey power management solution for the network and information systems. The Cisco Energy Wise Orchestrator enables to administer the energy requirements of Power over Ethernet (POE) enabled devices. It also extends the enterprise power management to workstations and laptops (Newswire 2012). Some of the enhanced features for the Cisco catalyst 3750 v2 series incorporate efficiency for remote sites environments. The switch consumes less power and enhances productivity for the local area network. It protects the network investment by supporting the unified network for data, voice and video streaming. The switch supports two software versions, which are also called the input / output system (IOS). One is the Internet Protocol IOS which includes enhanced quality of service (QoS), frame rate limiting, access control list (ACL), Open Shortest Path First (OSPF) to support the routing features and IP v6 support which will definitely support the future IP v6 compatible network devices in the future. The second IOS support the enterprise network level functionality. It includes hardware based Internet Protocol Unicast, Internet Protocol Multicast routing, and policy based routing (PBR) (Rist 2003). 3 Addressing Security Issues and Deployment Approach for WAN A router is a core computing and packet processing devices in the Tyrell Corporation computer network. Router connects two or more networks with different subnets, enabling the networks to expand on an enterprise level. Logically the router builds a routing table, where it stores all the route addresses. For example, the data packet source and destination is stored in the routing table. The network administrator can statically define the network addresses which are called as ‘static routes’. The dynamic routing protocol is used for the automation of exchanging data packets with other routers located in campuses of Tyrell Corporation. The selection criterion of the router depends on the network requirements. The data transmission gauge, which is also called the maximum transmission unit (MTU), is also considered for optimal network efficiency. To support the current scenario, the router must support redundancy and security features for the Tyrell Corporation enterprise network. As the current network design incorporates a core backbone, it is essential for the network to be operational and efficient. Cisco 3845 integrated service router will fulfill all the network requirements. The Cisco 3845 Integrated Services Router provides optimal performance for parallel services on the local area network including security, voice and enhanced services. Improved speculation is achievable by increased performance and modularity. The Cisco 3845 ISR consist of robust ‘WAN’ slots to improve density. The router supports over 90 modules for enhanced and latest network functionality. The router supports both copper and fiber interface. Keeping in mind that the cost must be kept to a minimum, the router supports power over Ethernet (POE). It is the revolutionary technology integrating data, voice and power on a standard CAT 5 Ethernet infrastructure. This technology provides power to the devices connected on the network in parallel. The security aspect is attractive as the router has built in features for data encryption. The router also supports up to 2500 Virtual Private Network tunnels for creating connectivity with campuses of Tyrell Corporation enterprise network. However, the AIM-HPII-PLUS Module is required to support VPN capability in the router. VPN is further elaborates as it is created to improve security and productivity by combining Cisco VPN technology. Cisco VPN is considered a trustworthy name in the vendor industry to connect remote offices, remote users and remote sites in a secure way. VPN is most widely used for remote connectivity solutions in all sizes of organizations. It is affordable due to the provision of public switched telephone networks (PSTN) (Tiso, n.d.). The deployment of router will be carried out by connecting the hot site initially with the current operational network. After establishing connectivity with the hot site, router will be replaced by the vendors or the staff available at big Switch. Moreover, cost savings and productivity is also supported encryption and authentication techniques that defend data in transportation from unauthorized access and attacks. The Cisco based VPN server uses highly secure communication mechanism with integrated access rights to specific users. The network administrator can quickly add remote sites and users without expanding the current infrastructure. It will improve productivity by extending the current network, applications and collaborative tools. These features enable to reduce the communication cost by a significant level along with improving the efficiency of administrative tasks and configuration. The Tyrell Corporation can adopt VPN technologies. VLAN configuration is carried out in data switches and it is also configured in the ports of the router. In order to secure the network from threats associated with VLAN, for instance, VLAN hopping is a type of network attack in which the workstation of the end user broadcast data packets to another VLAN instead of the legitimate VLAN. As VLAN do not allow data packets to be send at another VLAN, the traffic is marked with another VLAN ID that belongs to the end user workstation. Similarly, in this scenario, an attacker may act like a data switch and can convey trunking for sending and receiving data from other VLANs. In order to mitigate attacks associated with VLAN, configuration is required within the router and the switch as well. The first primary objective is to dedicate VLAN identifications for all available trunk ports. Moreover, there is also a requirement of de activating all the unused switch ports and allocate port numbers in unused VLANs. Furthermore, all the ports already accessible by the users must be set to non-trunking mode by de activating DTP. For addressing Media Access Control (MAC) spoofing attacks, there is a requirement of analyzing the functionality and approach of the threat. MAC spoofing attack incorporates learning of a MAC address pertaining to another host for making an attempt to the target switch. The switch will forward the frames destined for the host connected remotely to the attacker. In process of sending frames with dissimilar source address, the attacker gets the chance to overwrite the Content Addressable Memory (CAM) table entry. The modification to the CAM table enables the attacker to forward destined data packets of the host to the attacker. Port security is incorporated to every layer 3 switch to eliminate or minimize MAC spoofing. Likewise, port security is capable of specifying the MAC address for workstations that are connected to a specific port. If there is any violation in terms of connecting other workstation other than the authentic one, logs are generated that can be viewed by the network administrators for rectification. The perimeter network demonstrates interior router that is connected to the internal network and exterior router is connected to the external network, i.e. Internet, campuses, sale contractors. The perimeter network provides robust security by deploying a bastion host between the two routers. Bastion host is similar to intrusion detection system and reports immediate whenever anomalies are detected within the network. However, Demilitarize Zone (DMZ) is also ideally placed at the perimeter network, when operating on a domain based computer network. The demilitarized zone operates as a part of a firewall configuration in order to secure the local area networks. If a DMZ is configured on the whole network or on specific workstations, they are known to be in a DMZ. Moreover, the zone also facilitates workstations that are configured behind the firewall to initialize request that are considered as outbound traffic to the DMZ. The functionality of DMZ is similar to a proxy server, as the workstations configured in DMZ interact with the public networks. Furthermore, the most significant advantage for a DMZ is that it protects the local area network domains by segregating the network layer. Likewise, the disadvantages associated with DMZ are not significant, but one issue can be highlighted, as the segregation may create a hassle for the network administration because DMZ requires frequent updates and maintenance. Moreover, the hardware cost is high and requires dedicated hardware in order to implement DMZ within the network. Deployment includes a switch, separate firewall and IDS etc. In order to protect the computer network of Tyrell Corporation, organizations emphasize on implementing hardware and software application as well as a framework in terms of surveillance security. Network security issues can lead to many different aspects. For example, if the server containing customer data is breached, organization will lose its credibility and trust among the customer and that will result in business loss. Similarly, if a critical system storage device is stolen by internal or external sources, organization’s financial data along with goals and objectives can be revealed to other competitors. In the proposed network design for Tyrell Corporation, surveillance security is incorporated for protecting unauthorized access to switches located at each department. The surveillance security will provide following features: It will track unauthorized access of employees to departments Monitor activities of employees related to physical interference with critical hardware components User activity on the network and unusual behaviors will be monitored User authentication and Authorization will be implemented IP cameras to monitor their critical information assets on the network. 4 Security Policy Development Purpose This policy demonstrates requirements for protecting or securing information for Tyrell Corporation information security and forensic laboratory to safeguard the Tyrell Corporation information that is classified and categorized as confidential cannot be conceded or breached and the services related to production and third party service providers security is safeguarded from the operations of the information security. 1. Scope This policy is pertinent to all departments of Tyrell Corporation that are internally connected, Tyrell Corporation, employees and third parties who have access to Tyrell Corporation information security. The scope of this policy will also cover all the legacy and future equipment that will be configured and tuned as per the reference documentations. If any other laboratories exist in the Tyrell Corporation will be exempted from the scope of this policy and will be treated as per the specific policy if available. 3. Policy 3.1. Ownership Responsibilities 3.1.1. First of all the ownership criteria needs to be addressed. Tyrell Corporation is responsible for recruiting or assigning an information security manager, a point of contact for communication along with alternate contact person in case of unavailability of the primary contact. Employees who are assigned as the owners of the department must organize and update the point of contact on regular basis in order to align with the information security and corporate enterprise management members or groups. Managers of the department must be available all the time i.e. round the clock, either via phone or on office hours. In case of absence, alternate manager must be functional to avoid hindrance to company operations. In case of any lack of mismanagement, legal action is applicable against the employee. 3.1.2. Moreover, department managers are also liable for the vital factor that is the security of the Tyrell Corporation information security posture and the impact of its operations on the production functions and operations that are functional on the network and any other associated network services. However, in a situation where no specific requirements are addressed in the policy, managers must do their best for safe guarding information security of Tyrell Corporation from security weaknesses and vulnerabilities. 3.1.3. Laboratory managers are also liable for aligning security policies of the Tyrell Corporation computer/data network security policies. The following policies are vital: Password policy of networking devices and hosts, wireless network security policy, Anti-Virus security policy and physical security policy. 3.1.4. The laboratory manager is the owner of Tyrell Corporation and Tyrell Corporation information security, and is responsible for granting and approving access to employees or students requiring access for information or business purpose. Access can be either short term or long term depending on the ongoing job description or responsibilities. Moreover, department manager will also ensure effective procedures for terminating unwanted access to the departmental resources. 3.1.5. The network support staff or administration must monitor and maintain a firewall between the network that connects the production functions, processes and operations from the network or network appliance / equipment / device. 3.1.6. The network support staff or administration must be entitled to have full rights for interrupting network connections of the departments that may impose impact or security risk on processes, functions and operation on the production network 3.1.7. The network support and administration staff must maintain and record all the IP addresses that are operational in the Tyrell Corporation networks, any database associated with routing information from these IP addresses. 3.1.8. Any department requires external connection to or from the department must provide a business case including justification of access with network diagrams and equipment to the information security management who will review the requirements for security issues and concerns and give approval prior to the deployment of the connection. 3.1.9. User passwords must meet the requirements of the access management or password policy of Tyrell Corporation password policy. Moreover, any inactive account must be deleted within 2 days from the access list and any device that involves critical and sensitive information of Tyrell Corporation, passwords of group based accounts from the group membership modules must be modified within 24 hours. 3.1.10. The customized information security will not facilitate other Tyrell Corporation services apart from network and data transmission, storage, modification, monitoring and protection. All the other Tyrell Corporation departments will be facilitated by their respective support functions. 3.1.11. In case of non-compliance, information security management must consider business justifications and allow waivers accordingly. 3.2. Universal Configuration Necessities 3.2.1. The network traffic between the Tyrell Corporation network and other networks all data will be transmitted via a firewall monitored and maintained by the support staff. However, in case of a wireless network transmission, connection to other networks will be prohibited. 3.2.2. In order to configure or modify any configuration settings on the firewall must be reviewed and approved by the information security personnel. 3.2.3. Tools associated with port scanning, network sniffing, auto discovery of registered / unregistered ports and other scanning tools must be prohibited within the company, as they can trigger information security risks and disrupt the Tyrell Corporation computer network or any other network that may be operational. 3.2.4. Right to audit for all inbound and outbound activities of the company is applicable to the information security personnel anytime. 3.2.5. For ensuring physical access, every employee or student must identify themselves via physical security controls before entering in the laboratory is mandatory. 3.2.6. Accessing mobile phones, PDA’s, smart phones, laptops and any other communication device must be according to the open area security policy. 3.2.7. Encryption must be applicable to stored password files, VPN connections and connections to the third party service providers where applicable. 3.3. Enforcement If any violation of this policy is found, the matter maybe subjected to disciplinary action including termination of employment and students of the campus maybe expelled. 4. Revision History Version 1.0 5 Disaster Recovery The Disaster Recovery Plan (DRP) establishes procedures to recover the IT systems of ABC Inc. following a disruption. Tyrell Corporation has recognized their operational dependency on IT systems, and the probable loss of income and operational control that may take place in the event of a disaster. Moreover, authorization of preparing disaster recovery and execution and maintenance of a comprehensive disaster recovery plan. The intent of a Disaster Recovery Plan is to provide a written and tested plan directing the computer system recovery process in the event of an interruption in continuous service resulting from an unplanned and unexpected disaster (Omar, Alijani et al. 2011). 5.1 Incident Response Procedure For Category ‘A’ Incident (Security Breach, Theft, Embezzlement) When identified, person should report incident to any member of Incident Management Group. Incident Management Group call meeting as early as possible to determine action plan. Incident Management Group forwards action plan to BCP coordinator or Head of Departments for implementation. For Category ‘B’ Incident i.e. Natural Disasters or total total outage of systems, networks and facility, following are the procedure to response incident of type ‘B’ category that requires relocation. Normal Business Hours Response An emergency that happens during normal business hours, ERT follow emergency procedures available in Appendix ‘A’ to ensure the life and safety of all employees. ERT report incident to IMG IMG call emergency meeting to determine action plan. After Normal Business Hours Response Duty officer or night watchman identify incident should call BCP coordinator or/and ERT leader and report event 6 References Category 5 Cable. 2007. Network Dictionary, , pp. 88-88. NEWSWIRE, P., 2012. Server Technology's Intelligent Rack Mount Power Distribution Units Now Cisco® EnergyWise™ Certified. PR Newswire US, . OMAR, A., ALIJANI, D. and MASON, R., 2011. Information Technology Disaster Recovery Plan: Case Study. Academy of Strategic Management Journal, 10(2), pp. 127-141. RIST, O., 2003. Catalyst 3750 Stacks Up Well. InfoWorld, 25(28), pp. 34-34. Read More