Private Network Extranet - Thesis Example

Extranet The first option, which needs to be considered, is an Extranet. As per the network dictionary it is defined as “An extranet is a private network that uses Internet technology and the public telecommunication system to securely share part of a business’s information or operations with suppliers, vendors, partners, customers, or other businesses”. Extranet will facilitate the University to automate business functions that are performed manually currently. Moreover, the automation of business procedures minimizes the probability the risk of making errors. Likewise, extranet provides information regarding the University to the students and employees, suppliers, business partners and business customers. Consequently, sharing of information may minimize cost and time of meetings and conferences. Furthermore, the dynamic modification of data is possible, it means who ever connects to the extranet, will receive updated information. As the University interacts with the customers, Extranet will improve relationships with customers and is a plus for competitive advantage. However, extranet requires a significant cost for implementation and maintenance afterwards. In order to become a PCI DSS complaint, University must adhere to the required accepted level of security. In order to synchronize and manage customer data within the business processes of the internal staff, ‘customer relationship management’ system is required. In addition, for processing order online, an e-commerce system is required with strict compliance and security measures. Proposed Measures Implementing Firewall and IDS As new innovative technologies are inventing in the Information Technology domain, possibilities of new hacking methods are also originating with new approaches. The threats consisting of virus, malicious codes, unauthorized remote access, unauthorized access to domains and classified data, intrudes in the network from a security loophole. The most common security prevention from these attacks is firewall. Firewall can be hardware based or software based. Firewall is the first point of contact for data packets that pass through or from the network. Moreover, there are service disruptions attacks including software bugs and buffer overflows on the information systems, which may downgrade their performance resulting in network congestion and complete system or network failure. The University is facing severe issues related to viruses. In order to prevent these issues, intrusion detection system (IDS) is essential. The more advanced form of attacks involves Denial of Service (DOS) attacks. These attacks create a broadcast storm within the inbound network, resulting in a complete failure of the network and service associated with it. However, these attacks are countered by ingress filtering techniques and IDS. Domain Environment The University is facing issues related to improper usage of IT hardware and software that is also effecting organization’s overall performance. In order to prevent these issues, a domain environment is required. The domain environment will certainly aid the University to authenticate employees along with the authentication of network resources and services to each employee. Moreover, domain environment provides accurate utilization of resources on the network. Likewise, correct utilization of resources will decrease network traffic, resulting in efficient network response. Furthermore, the human resource department can audit activities via domain services for every employee, which may affect the overall performance and activities during working hours. However, the structure for users is multifaceted, and intelligent planning is required for administration of network resources and services. Implementing Advanced File Security (AFS) Currently, the University does not have any prevention against classified data. In order to protect mission critical data from unauthorized access, advanced file security implementation is mandatory. AFS encrypt all the contents by AES encryption algorithm in a 256-bit format. Moreover, AFS is relatively easy to use, as only user credentials, consisting of user name and password, is required to access AFS. The AFS will eliminate unauthorized access for servers, workstations and data. Securing Wireless Connectivity The wireless network of the University construction’ is vulnerable to all types of threats. The SSID is not configured neither encryption is enables on the wireless sessions. Computer desktop encyclopedia defines SSID as “The name assigned to a wireless Wi-Fi network. All devices must use this same, case-sensitive name to communicate, which is a text string up to 32 bytes long. Typically set to the equipment vendor's name, such as "linksys," it can be manually changed by going into the configuration settings of the access point with a Web browser. The client machines will identify all the wireless networks they find when they boot up, unless the networks are hidden”. In order to secure wireless connectivity, SSID must be defined. Likewise, Wireless Encryption Protocol (WEP) configuration is required for encrypting data transmission. WEP is configured by accessing the wireless router. Implementing VLAN For providing security mechanism to the internal data communication, Virtual local area network (VLAN) will be implemented. The VLAN will separate the domain of the lecturers with the other. VLAN uses encryption techniques for transmitting data over the network. Access policy list will be created in the VLAN supported Cisco switches for defining the routes. The router processes the data packets on parameters. Internet protocol and subnet is the parameter for the router to process the routes on the destination. The definition of virtual LAN is available on network dictionary which states as “Virtual LAN (VLAN) refers to a logical network in which a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments”. The VLAN is considered as a broadcast domain. It concludes that the broadcast generates from one computer can only be received to the destination which is defined by some criteria in the broadcast domain. The advantage of VLAN implementation includes an efficient way of bandwidth utilization and eliminating the network from possible broadcast storms, which results in denial of service. By using VLANs, the capacity of switching technology is utilized to its full potential. VLAN also supports VLAN trunking protocol. The VLAN trunking protocol will significantly reduce administration for the switched network. Considering the future network expansion considerations of EOB Manufacturing, the requirement for creating new VLAN will be eliminated by using VLAN trunking protocol. Upgrading Operating Systems and Replacing Hubs In order to provide standardized features and network performance in the University’s network environment, some old operating systems are replaced with Microsoft Windows XP and Microsoft Windows 7. Moreover, Microsoft Windows 7 has replaced Windows XP because it provides enhanced security and administrative features for the higher management. The departments that are upgraded with operating systems are as follows: University Laboratories Hall 1 University Laboratories Hall 2 Faculty Rooms Digital Library Design Office Senior Management In order to deploy a secure digital communication mechanism, Cisco VLAN compatible switches for implementing VLAN replace hubs. VLAN is considered as an expandable configuration option. Future Considerations and Attack Analysis Virtual Private network are the most cost effective solution. VPN provides connectivity for users, to connect the organization’s internal network from remote locations. This saves significant cost, as previously organizations have to acquire expensive long distance leased lines. Moreover, VPN makes the network scalable and accessing from almost anywhere, by an Internet connection. The University can connect its remote offices in future by VPN. The transmission via VPN is encrypted by IP security (IPsec) tunnel. It operates on network layer 3 and secure every data session in the network. Furthermore, IPSec has the capability to access both web and non-web applications (IPsec. 2011). Analysis of Firewall and Intrusion Detection System Firewall is used globally by small, medium and corporate organization. Due to its low cost and easy configuration, it is the first security device that is recommended for almost every computer network. However, maintaining a firewall is challenging, as the firmware needs regular updating by the network engineers or network administrators. The best practice is to restrict unwanted links and connections that may allow hackers or viruses to breach in the network. Moreover, firewall is a single point of access means that if the firewall is bypassed, overall network security is compromised. In addition, firewall can be software based or hardware based. The advantage for hardware-based firewall do not required a system to function. On the other hand, software based firewall requires a system in order to function, if the system crashes, firewall becomes unavailable. Furthermore, firewalls are incorporated in high profile routers, which is a cost effective factor. Some operating systems have integrated firewall including windows XP and Mac OX. Firewall filters each packet that receives on the station, and decides whether to allow or deny the data packets as per criteria. Firewall analyzes headers of data packets associated with Internet protocol, Transmission Control Protocol and User Datagram Protocol. Firewall may use any combination of protocols in order to allow or deny packets. Moreover, IDS listens and monitor the network for any suspicious activity. As mentioned before, IDS protects from software exploits and buffer overflows. IDS implements ‘intrusion signatures’ consisting of ping sweeps, port scanning, operating system fingerprinting, DoS endeavor, web server indexing and port scanning. Analyzing Denial of Service Attacks The primary goal of DoS attacks is to overload the host with thousands of anonymous attacks from an unknown source. This results in network congestion and halting all the network services provided by the affected host or server. Moreover, there are different types of DoS attacks consisting of SMURF, Code Red and SYN flooding. SMURF involves an executor program that sends massive amount of ICMP (Ping) request to the broadcast IP address, effecting several computers in the affected network (, No Title ). Moreover, Code-Red allows a remote session from the victims system, in order to provide full access to the attacker using the Internet Information Services (IIS). In addition, in July 19 2001, 359,000 workstations were infected with Code Red in just 24 hours (Laganá). Furthermore, an attack was launched against ‘www1.whitehouse.gov’ by Code Red from 20th to 28th of every month (Serazzi, Zanero Chapter 2 2004).SYN flooding involves a false handshake, which is considered by the victim as an authentic source, although the appropriate source is ignored. Ingress filtering prevents DoS attacks. The criteria for denying DoS packets at the initial stage is: if the packet of the source IP shows its existence on the interface, not having a destination address, then the packet will be dropped. Furthermore, network administrators must update all the security patches of all network security devices. Analyzing TCP Attacks Whenever a packets travels from the source to the router, the router analyze parameters of data packets. After extracting the destination address from the data packet, the router sends it on its way to the destination available in the data packet. However, there are several other parameters in the data packet, where all the amendments take place. The data packets from the source workstation, except from the destination address, may lie regarding other parameters, and can trick the router easily. Moreover, the source may change the destination address in to consideration that the data packet is from a trusted source. In order to eliminate these kind of attacks, implementation of better authentication methods is recommended. Furthermore, architecture of a typical TCP packet contains port numbers, sequence numbers indicating serialization of the packet. An intruder can easily learn these values in order to construct an attack. In addition, if an intruder learns the state of the TCP data packet, which is associated with it, the TCP session will be hijacked. Moreover, hacker may inject malicious code in TCP session between two or more than two nodes. Victims can easily download and install a virus, assuming that it has come from a trusted source. If assuming, that the TCP session is created between a web server and a web client, and a malicious user replaces the authentic web server by intercepting the TCP session, client may provide all the personal details to the hacker rather than the authentic web server. IPSec ensures a reliable way of communication by providing source authentication and performs encryption on the data before transportation. Conclusion In order to standardize manual processes and most importantly network security, the proposed solution encompasses following upgrades for the current University Network: To secure and automate business functions and deployment of customer relationship management in order to fulfill PCI DSS complaint requirements along with global access to employees. Extranet Centralized and secure management of files, employ credentials, user audits and accurate utilization of resources Domain Environment (Active Directory) In order to secure the network environment by intelligent attacks, threats vulnerabilities and viruses IDS and Firewall along with Encryption. Providing more advanced security for classified data, encryption by AES encryption algorithm in a 256-bit format AFS Securing Wireless connectivity Configuring SSID and WEP In order to secure inbound digital transmission and for eliminating network congestion VLAN Future consideration for any potential threats in depth analysis for IDS, Firewall, DOS attacks and TCP attacks. In order to implement VLAN to enhance security and data transmission speed Hubs are replaced, by Cisco VLAN compatible switches. References Read More