
School of Computing - Report Example

Summary
This report "School of Computing" presents security loopholes for EEC, as it is comprised of Birmingham, Glasgow, and Derby. As per the scenario, Birmingham is considered to be the head office consisting of IT, Human Resource, Research and Development, Management, Sales, operations, and Finance…

Extract of sample "School of Computing"

School of Computing
Module: 6CC513 Security Protocols
Assignment: Security Report for EEC
Assessment: Shao Ying Zhu
Hand-In Deadline Date: 08/05/2013
Abdallah Alkhanbashi 100181705

1 Introduction

In this report, we address security loopholes for EEC, which comprises three sites: Birmingham, Glasgow and Derby. As per the scenario, Birmingham is the head office, consisting of IT, Human Resource, Research and Development, Management, Marketing, Sales, Operations and Finance. The other two branch sites have IT, sales, operations and manufacturing departments. Currently, all company servers (file, email, data, web, RADIUS and FTP servers etc.) are located in the server farm at the head office in Birmingham. The other two sites are connected to the head office through leased lines. We address the identified security threats to the current network in two categories:

External Threats: Virus, Trojan, Worms, Spyware, Cyber-attack, Denial of Service Attack, Distributed Denial of Service Attack
Residual Threats: Vulnerabilities within the RADIUS server. Only a firewall is implemented on the edge router, with packet filtering enabled.

2 Feasibility for the Cloud

Cloud computing offers advantages in reducing costs related to hardware, software and human resources. On the other hand, controversial issues such as individual privacy, security control risks and data sharing still need a better solution. Similarly, in order to provide cost-benefit analysis while practicing risk assessment, better development techniques, lower cost and high scalability with next-generation architecture will be utilized for EEC. However, open source is considered to provide core facilities in cloud computing, enabling a reduced-cost or cost-free structure for cloud service providers.
In fact, a cloud computing service can use open source to gain the power and control needed to launch next-generation proprietary platforms, which can be similar to Web 2.0. Linux operating systems are also utilized for cloud computing, as the company's ecommerce site runs on a UNIX based web server. Moreover, since Linux carries no license cost, unlike a Microsoft operating system, it is likely to be used for cloud computing services. In fact, IBM states explicitly, regarding economies of scale, that “one of the primary drivers for expanding the cloud is open source.”

The application or software in any computing environment is regarded as a core element; however, it is expensive. Open source is not always successful, because it is only partially present in some organizations. A number of open source applications are related to the cloud and are accessed under a variety of obligations. These obligations include the open source license and other relevant terms. Similarly, a software license is required for an efficient compliance procedure that addresses issues and diminishes risk. Moreover, new risks are not initiated by cloud computing itself. However, the services that are linked with cloud computing generate risk. The applications associated with operational tasks in cloud computing are distributed, as compared to other software applications. In fact, there is reduced visibility, along with no evaluation or calculation by the industry. Therefore, it cannot be characterized as obligations incorporating a copy license.

In order to access online cloud computing services through a web browser, you need an up-to-date computer that can support all the necessary features of current web browsers. Moreover, a fast Internet connection is also required in order to experience the full features of cloud computing. This includes an updated workstation with all the needed updates installed.
Updating an old workstation to Windows 7 will cost about $70; on the other hand, Windows 7 or Vista does not support all VGA drivers, and hardware compatibility issues are also present. In addition, the chipsets present in old workstations are also not supported by Windows 7 or Vista. In a “Business Cloud”, the websites are text based, as no particular multimedia capture or editing is needed. For this reason, a nominal Internet connection is compulsory. Furthermore, all documents, important files and other critical material can be stored online. This solution helps to save maintenance costs, and installation costs are also reduced.

3 Proposed Security Solution

Some experts have concluded that the year 2012 is the worst year in terms of computer network security breaches (Schirick, 2012). Likewise, before the year had even passed its halfway mark, some of the foremost companies had suffered network security breaches resulting in massive losses (Schirick, 2012). However, the news buzz highlights only Sony and Citibank as victims of network security breaches, as these companies are popular among the public. The other side of the picture is that organizations of all sizes are affected by the consequences of network security breaches. Likewise, it can be concluded that network security risks are continuously evolving, changing and growing at a rapid pace. Organizations normally install a firewall and even intrusion detection systems that trigger alerts on any suspicious activity, but these two components cover only the technical domain and not the human and physical domains.

The current network scenario utilizes a Virtual Private Connection that connects one or more sites. However, the VPN connection is also entitled to allow Internet traffic on the same dedicated line from the Internet Service Provider.
Moreover, the current network utilizes only a single firewall, which is located at the main campus of the university. It follows that the two remote sites are protected only by a simple Network Address Translation function incorporated in a DSL modem. Moreover, there are no advanced security appliances, such as intrusion detection systems, for analyzing and monitoring any suspicious activity that may become a threat to the University’s computer network. There is also no patch management for applying security patches to the workstations connected to the network. There are no indications of server hardening: for instance, the email server, application server, centralized server and database server must be hardened and need physical protection as well. The network security vulnerabilities will be assessed in three categories, i.e. logical security, internal security and external security.

3.1 External Vulnerabilities

A common IT infrastructure incorporates logical controls for protecting information assets within the network, such as Microsoft Active Directory, ISA server and a firewall. Microsoft Active Directory is not primarily a security control, as it does not mitigate any risks associated with viruses, worms, Trojans, phishing, spam, denial of service attacks etc. However, it provides secure administration of user profiles and file sharing features (Smith, 2010). File sharing threats are spreading at a rapid pace, as every now and then new file sharing technologies are developed and come into demand. Controls will not only provide value from all network based services, but will also augment productivity for the organization in terms of revenue, customer loyalty and competitive advantage.

A workgroup based environment is not centralized. For instance, users can log in only if they have an account created on that specific computer.
As far as security is concerned, there are no passwords, allowing anyone to log on to the network. Moreover, a workgroup recognizes only twenty to twenty-five computers that are on the same subnet. For instance, if we have application servers on a different subnet, users will not be able to access the applications, as they are configured on a different subnet.

On the other hand, a domain based environment provides centralized administration and access for users. All staff have to enter user credentials in order to identify themselves on the network before doing any work. Moreover, computers on different subnets are supported, and thousands of computers can be connected in a domain based environment. For instance, if a computer stops responding, employees or users can log on from some other computer and no work is halted. Therefore, domain based network environments are more effective and are compatible with the current network scenario. Moreover, if security auditing features are enabled, user activity and system logs are saved and monitored. Likewise, the Lightweight Directory Access Protocol ensures encryption all the way from the domain controller to the workstations via Kerberos. However, a network or system security specialist will not be able to monitor, analyze or examine threats from a domain environment. Active Directory prevents unauthorized access because users have to provide login credentials to access personal file settings, data and customized permitted objects in the operating system.

Secondly, the ISA server can be considered both a firewall and a proxy server, due to its support of cache management functions. As per the current scenario, suspicious packets are handled by the firewall, as it is separately installed (Internet Security and Acceleration Server, 2007). The ISA server is implemented only to enable access management for different services associated with the Internet, file sharing etc.
The ISA server will only prevent unauthorized access to different network services, for example, Internet access.

We have covered two logical controls in the current network scenario up till now. The third security control that we have identified is a hardware based firewall. The firewall operates on a chain of rules that are defined by the security specialist, consultant or vendor. The configuration is carried out to restrict or drop unwanted and suspicious packets. However, legitimate packets are allowed to enter the network. The firewall operates only on rules, and a suspicious packet that hides itself within another packet may enter the network.

Logical vulnerabilities include the absence of additional security controls on the firewall, critical servers and network devices. If a suspicious packet bypasses the firewall, there are no mechanisms to track and monitor the probe of a hacker trying to breach the core systems. Moreover, Birmingham, Glasgow and Derby have not a single security control other than a firewall with packet filtering enabled. This means that Network Address Translation (NAT) is the only logical security control, whose main purpose is to hide the private IP addresses of the local area network and relay the traffic via a global IP address. If a threat bypasses the firewall located at Birmingham, there is a high probability and risk that the data residing at the two buildings, i.e. Glasgow and Derby, will also be compromised. Moreover, if any employee or other personnel plugs a suspicious USB drive into one of the systems, there is no mechanism or tool to monitor internal network threats, and it has been proved that internal threats are relatively more probable than external threats. Furthermore, there are no tools for presenting events and alerts associated with violation logs.
In addition, there are no logical controls linked with the database, while SQL injection techniques have been proven to exploit data from the database. Furthermore, as a logical vulnerability, there is an absence of virtual local area networks. VLANs provide adequate security: “Virtual LAN (VLAN) refers to a logical network in which a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical, instead of physical, connections, they are very flexible for user/host management, bandwidth allocation and resource optimization” (Virtual LAN, 2007). VLANs separate traffic for each department and also prevent denial of service attacks and unwanted broadcast traffic that may result in network congestion and degradation of network services.

3.2 Intrusion detection system

Security in computer networks has marked its significance. Senior management addresses security issues to an optimal level and enforces strict security procedures in order to protect strategic and financial assets. Likewise, new and improved sensing technologies are now mandatory for EEC to maintain the security of the network. Consequently, an intrusion detection system is required to continuously monitor threats and vulnerabilities within the EEC network. IDS/IPS is derived from the traditional security appliances and is defined as follows: “Intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse” (Intrusion Detection System, 2007).

A signature based IDS analyzes and identifies specific patterns of attacks that are recognized in raw data in terms of byte sequences called strings, port numbers, protocol types etc.
Likewise, apart from the normal operational pattern, a signature based IDS detects any activity that is unusual with respect to previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime objective of a signature based IDS is to search signatures in order to detect a threat or vulnerability, similar to antivirus software that detects viruses. The function of the IDS is to detect attacks that are initiated directly towards the network. Moreover, the IDS tries to identify as many events as possible and therefore generates logs. The IDS is located behind the firewall so that it can analyze packets that have passed through the firewall. The detection engine of the IDS compares predetermined rules in order to deny or accept packets. The rules are categorized in two domains, i.e. chain headers and chain options. The structure of a signature contains the following attributes: identification number, message and rule. If a threat is trying to gain access to the confidential data of the organization, a signature based IDS will detect this particular threat and generate alerts for corrective action.

An anomaly based intrusion detection system is based on a data driven methodology that complies with data mining techniques. An anomaly based IDS creates profiles associated with normal behavior and activities within the network. If any unknown activity starts that is not similar to the normal profiles, it is considered an anomaly or attack. Moreover, the normal routines of normal profiles are also monitored; if they exceed their given boundaries, they are also considered anomalies, also called false positives. An efficient anomaly based IDS may produce results with a high detection success rate along with a low false positive rate.
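The two detection approaches described in this section, side by side, as an added example that is not part of the original report. The signature repository (identification number, message, rule), the per-window byte-count profile with a three-standard-deviation boundary, and all sample events are constructed assumptions chosen for illustration.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int           # identification number
    message: str       # alert message
    rule: re.Pattern   # rule: byte-sequence pattern searched for in the payload


@dataclass(frozen=True)
class Event:
    name: str
    payload: bytes
    bytes_out: int     # outbound bytes seen in one observation window
    malicious: bool    # ground-truth label of the constructed sample


# Constructed signature repository (illustrative patterns only).
SIGNATURES = [
    Signature(1001, "SQL injection attempt", re.compile(rb"(?i)union\s+select")),
    Signature(1002, "Directory traversal attempt", re.compile(rb"\.\./\.\./")),
]

# Constructed "normal behaviour" observations used to build the profile.
BASELINE_BYTES_OUT = [1100, 1250, 1180, 1320, 1210, 1150, 1290, 1230]

# Constructed, labelled events to run both detectors over.
EVENTS = [
    Event("normal page request", b"GET /index.html HTTP/1.1", 1200, False),
    Event("known SQL injection", b"GET /item?id=1 UNION SELECT pw FROM users", 1300, True),
    Event("unknown bulk outbound transfer", b"POST /sync HTTP/1.1", 950000, True),
    Event("legitimate nightly backup", b"PUT /backup/db.tar HTTP/1.1", 40000, False),
]


def signature_alerts(payload):
    """Return (id, message) for every stored signature whose rule matches."""
    return [(s.sid, s.message) for s in SIGNATURES if s.rule.search(payload)]


class AnomalyProfile:
    """Statistical profile: flag values far from the baseline mean."""

    def __init__(self, baseline, threshold=3.0):
        self.mean = statistics.mean(baseline)
        self.stdev = statistics.stdev(baseline)
        self.threshold = threshold  # boundary, in standard deviations

    def is_anomalous(self, value):
        return abs(value - self.mean) / self.stdev > self.threshold


PROFILE = AnomalyProfile(BASELINE_BYTES_OUT)


def by_signature(event):
    return bool(signature_alerts(event.payload))


def by_anomaly(event):
    return PROFILE.is_anomalous(event.bytes_out)


def combined(event):
    return by_signature(event) or by_anomaly(event)


def rates(events, detector):
    """Return (detection rate, false positive rate) for one detector."""
    malicious = [e for e in events if e.malicious]
    benign = [e for e in events if not e.malicious]
    detected = sum(1 for e in malicious if detector(e))
    false_pos = sum(1 for e in benign if detector(e))
    return detected / len(malicious), false_pos / len(benign)


if __name__ == "__main__":
    for label, det in [("signature", by_signature), ("anomaly", by_anomaly),
                       ("combined", combined)]:
        print(label, rates(EVENTS, det))
```

On this constructed data the signature detector misses the transfer that has no stored signature, while the byte-count profile misses the injection that stays inside normal volume and flags the legitimate backup as a false positive.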
Moreover, these systems are divided into various subcategories, including data mining, statistical methodologies, artificial neural networks, immune systems and genetic algorithms. Among all of these, statistical methods are more commonly used for detecting intrusions by finding any anomaly that has started within the network (Aydın, Zaim et al. 2009). By combining these two types of IDS, network administrators eliminate or fill vulnerabilities within the network. An anomaly based intrusion detection system is recommended for the EEC computer network, as a signature based IDS works only on the given signatures and will not sense any unusual activity that is not defined in a signature. An anomaly based IDS will detect every threat that is regarded as an anomaly within the network.

3.3 RADIUS Server

Users located at Glasgow and Derby will establish connectivity with the VPN and RADIUS server for authentication and authentication. Figure 1.1 demonstrates the functionality of a RADIUS server.

Figure 1.1

Data related to security will be distributed on the network, and several devices may interact with the security data. The RADIUS server will handle all the security data within the network and store it in one location, on a workstation or on a storage device. In this way, risks and vulnerabilities associated with the security data will be mitigated. The host that stores the security data will be considered the RADIUS server. Moreover, RADIUS can also be integrated with a Microsoft operating system environment; as EEC is already operating on Microsoft operating systems, they will support RADIUS functionality. Furthermore, information related to security is stored in text files at a central location, i.e. the RADIUS server. If there is a requirement to add new students or staff for EEC, the network administrator will only update the text file to add the new user information to the database.
In addition, the RADIUS server also facilitates auditors by providing comprehensive audit trails, supported by RADIUS accounting features. Moreover, log files can be analyzed for security aspects or utilized for billing purposes. As Glasgow and Derby are vulnerable to any type of attack via the VPN + Internet connection, one firewall each will be placed behind the router at Glasgow and Derby. Consequently, the firewall will add a layer of security at these remote sites.

4 Proposed Network Security Tools

EEC has to address many challenges in order to secure the information residing on the network assets, i.e. workstations and servers. To mitigate these issues, the employment of certified and skilled staff is required, as they will contribute significantly to safeguarding against and identifying potential threats and vulnerabilities that may lead to a backdoor for cyber criminals. Moreover, there are specialized and certified tools available that will be utilized by the certified staff in a crisis situation. Furthermore, in case of a security breach, a network administrator employed at EEC will not be able to trace the attack, as the attack spreads through the distributed network of the three sites, i.e. the Birmingham network, Glasgow network and Derby network. A distributed network is a merger of two or more networks that operate over a wide area network, as in the case of the EEC network. The existing scenario for EEC does not have adequate security controls for addressing advanced persistent threats (APT), as they construct complex patterns or anomalies. The merger of different networks may broadcast endless unwanted traffic that can degrade network performance, and all three sites may be affected. To resolve this issue, a certified vulnerability assessment tool is required that is compatible with more than one network interface/distributed network.

Conclusion

Initially, cloud computing feasibility for EEC has been presented.
As per the current scenario, we have secured three sites connected to each other over WAN. However, the primary focus is on external attacks. Our core topic for improving security incorporates:

  • Network Security Tools
  • Firewall must be installed on three sites
  • Configuring RADIUS with best practices
  • Selection of Intrusion Detection System

References

AYDIN, M.A., ZAIM, A.H. and CEYLAN, K.G., 2009. A hybrid intrusion detection system design for computer network security. Computers & Electrical Engineering, 35(3), pp. 517-526.
Internet Security and Acceleration Server. 2007. Network Dictionary, p. 255.
SCHIRICK, E.A., 2012. Computer Network Security — Evolving Risks. Camping Magazine, 85(2), pp. 16.
SMITH, R., 2010. Advanced Active Directory Security. Windows IT Pro, 16(10), pp. 28-31.
Virtual LAN. 2007. Network Dictionary, p. 515.