Security Analysis and Redesign of a Network - Coursework Example

Summary
This coursework reviews the current XYZ’s company network infrastructure, the network that will be the base of A2Z network since ABC’s network infrastructure will be merged into it. This paper aims to analyze the NMAP Port scan results of the servers that XYZ currently uses…

Extract of sample "Security Analysis and Redesign of a Network"

Introduction

XYZ Invitation Printing and ABC Invitation Design have merged into A2Z Invitations Company. Prior to the merger, ABC, a virtual firm, hosted a proprietary website that enabled its customers to carry out some preliminary design work online; it usually consulted a third-party designer to produce the end product. XYZ, on the other hand, had a system that enabled its clients to submit their designs and monitor the progress of their orders through to completion; that system also incorporated invoicing and contact management. With the merger, ABC's application will be moved into XYZ's data center so that it can use XYZ's backend system. Beyond maximizing the potential of the two firms, the merger aims to address the security breaches that both firms have experienced in the past.

The new firm, A2Z Invitation and Design Company, is headquartered at the Googleplex in Mountain View, California, in the US. It expects to spend an estimated $250,000 on software and hardware, plus an additional $25,000 each year on further security measures. A2Z has more than 100 employees, among them Glenn Irvine, Rhys Thomas, Julien Schleret, Yulianto Parulian, David Keene, and Rene Lansink. The IP address it currently uses to connect to the Internet, and which leads to its homepage, is http://74.125.224.72/, while its mail server's IP address is http://74.125.224.150/. Its URLs are http://www.A2Z.com and http://mail.A2Z.com. A myriad of sites link to A2Z's site; approximately 1,700 sites link back to it. A2Z currently implements basic security measures on its Microsoft platforms as well as on its web servers, which it hopes will at a minimum reduce the company's risk profile.
Its systems run on the Windows 2003 operating system, while its web application runs under Microsoft's IIS (Internet Information Services). This paper therefore reviews XYZ's current network infrastructure, which will be the base of the A2Z network since ABC's infrastructure will be merged into it. Further, the report analyzes the Nmap port scan results of the servers that XYZ currently uses. The paper then proposes, both in writing and diagrammatically, a redesign of the current network and offers recommendations and procedures for hardening both its Apache and its IIS web servers. Finally, the report presents a security policy write-up to guide the organization with regard to spyware, antivirus, and adware.

Discussion

Quantitative Analysis

Both active and passive reconnaissance were carried out on A2Z's computers and networks to gather more information and find out whether any open ports existed. This also made it possible to determine the systems' vulnerabilities so that existing weaknesses can be addressed before attackers exploit them. The work was done with one of the most powerful network scanning tools, Nmap. Several hosts were scanned, including XYZDomainController at 192.168.0.1, XYZInviteDesign at 192.168.0.2, XYZ Acct at 192.160.0.3, XYZprinting at 192.168.0.4, XYZwebsrv at 192.169.0.5, and XYZChat at 192.168.0.6; the results are displayed in Figures 1, 2, 3 and 4 below.
Port     State  Service       Product  Version  Extra info
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
427/tcp  open   svrloc
445/tcp  open   microsoft-ds

Figure 1: Nmap scan results for XYZDomainController at 192.168.0.1, XYZ Acct at 192.160.0.3, XYZprinting at 192.168.0.4, and XYZwebsrv at 192.169.0.5

Port       State  Service         Product  Version  Extra info
22/tcp     open   ssh
80/tcp     open   Apache
111/tcp    open   rpcbind
6000/tcp   open   X11
32771/tcp  open   sometimes-rpc5

Figure 2: Nmap scan results for XYZChat at 192.168.0.6

Nmap Analysis

It is clear from the Nmap port scan results that XYZ's current server configuration is somewhat vulnerable. For instance, port 445 is open, which is very risky and a vulnerability in itself. Port 445, the SMB-over-IP port, is constantly being scanned by hackers, and if it is left open they can easily gain remote access to the network and to the contents of the organization's computers, or even use certain tools to silently upload and run malicious programs without XYZ's knowledge. A2Z will therefore not want port 445 exposed to the Internet; this port, like port 135, is hard to close safely, although it is possible. Closing it is not ideal, however, since dependent services such as DHCP, frequently used for obtaining IP addresses from DHCP servers, would stop functioning. It is therefore important for A2Z to ensure that port 445 is filtered so that it becomes invisible to scans. Port 80 also appears to be open, which is usually the case when a web server is running on a network or machine. Since a myriad of Trojans and other malicious software target it, this port should never be open unless it is being actively and deliberately used to serve web pages. Further, A2Z should proactively keep current with the latest security patches to stay safe.
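The exposure rules drawn from this analysis can be checked automatically against Nmap's grepable (-oG) output rather than read off a screenshot. The script below is an added example, not part of the coursework: the scan lines are constructed to mirror Figures 1 and 2 (hostnames and the web-server designation are assumptions), and it also treats port 139 as the same NetBIOS/SMB exposure as 135 and 445.

```python
"""Flag risky exposures in Nmap grepable (-oG) output using the A2Z findings.

Added example, not part of the coursework. The scan lines are constructed to
mirror Figures 1 and 2; hostnames and the designated web server are assumed.
"""
import re

# Constructed -oG lines. Each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_SCAN = """\
Host: 192.168.0.1 (XYZDomainController)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 427/open/tcp//svrloc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 192.168.0.4 (XYZprinting)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.169.0.5 (XYZwebsrv)\tPorts: 80/open/tcp//http//Microsoft IIS httpd/, 445/open/tcp//microsoft-ds///
Host: 192.168.0.6 (XYZChat)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd/, 111/open/tcp//rpcbind///, 6000/open/tcp//X11///, 32771/open/tcp//sometimes-rpc5///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/,]*)/([^/,]*)/([^/,]*)/([^/,]*)/")

# Ports the paper says must be filtered at the perimeter rather than left visible.
MUST_FILTER = {135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds"}
# Hosts deliberately serving web pages (assumption: the web server address printed in Figure 1).
WEB_SERVERS = {"192.169.0.5"}


def parse_grepable(text):
    """Return {ip: {"name": hostname, "open": [(port, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, "Host: ... Status: Up" lines, etc.
        ip, name, port_field = m.groups()
        open_ports = []
        for port, state, _proto, _owner, service, _rpc, _version in PORT_RE.findall(port_field):
            if state == "open":
                open_ports.append((int(port), service))
        hosts[ip] = {"name": name, "open": open_ports}
    return hosts


def assess(hosts):
    """Apply the exposure rules; return (ip, port, reason) findings."""
    findings = []
    for ip, info in sorted(hosts.items()):
        for port, service in info["open"]:
            if port in MUST_FILTER:
                findings.append((ip, port, f"{service}: filter at the perimeter so it is invisible to scans"))
            elif port == 80 and ip not in WEB_SERVERS:
                findings.append((ip, port, f"{service}: HTTP open on a host that is not a designated web server"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in assess(parse_grepable(SAMPLE_SCAN)):
        print(f"{ip:<14} {port:>5}/tcp  {reason}")
```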
Password Cracking Report

During reconnaissance I found out that XYZ and ABC, now A2Z, were using MD5 password hashing, and found the following hashed passwords, which can easily be exploited.

• 5f4dcc3b5aa765d61d8327deb882cf99 MD5: password
• 200ceb26807d6bf99fd6f4f0d1ca54d4 MD5: administrator
• 391d878fd5822858f49ddc3e891ad4b9 NTLM: devry
• a2345375a47a92754e2505132aca194b NTLM: windows

It is a bad idea to use salted MD5 for passwords because it is fast and easy to crack; a serious attacker can try a myriad of passwords, billions of them per second, on just one GPU (Bidgoli, 2006). Further, MD5 has numerous cryptographic weaknesses. A2Z should consider using relatively slow hash constructions such as bcrypt, crypt, or PBKDF2. A plain SHA-2 hash, however, is not good enough either, since, like MD5 and most other general-purpose hashes, it is fast. MD5 hashes are prone to collision attacks, as opposed to pre-image attacks: an attacker who controls both files can easily produce two different files with the same hash (Bidgoli, 2006). Therefore, I recommend that A2Z consider migrating to SHA-2 hashing.

Network Redesign

The current official XYZ network diagram, prior to the merger, is shown in Figure 3.

Figure 3: Official XYZ current network diagram

A2Z's post-merger network should be based on a hierarchical switched LAN architecture; this design logically subdivides (subnets) the network into discrete layers, each providing specific functions, and thus guarantees the efficiency, reliability, and availability of the entire network. A hierarchical switched LAN design produces a modular network that enables scalability and enhances performance; it will let A2Z duplicate features as the company and its network grow. The network will be consistent at every layer, which will make future expansion easy to plan and implement.
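The migration recommended in the Password Cracking Report above (replacing fast MD5 hashes with a salted, deliberately slow construction) can be done without forcing a password reset by rehashing each account on its next successful login, when the plaintext is briefly available. This is an added example, not code from the coursework; it uses PBKDF2-HMAC-SHA256 from the standard library, and the user-record layout, verifier format and iteration count are assumptions.

```python
"""Upgrade legacy MD5 password hashes to salted PBKDF2 on the user's next login.

Added example, not from the coursework. The record layout, the iteration
count and the verifier format are assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: tune so one verification costs ~0.1 s on the server


def md5_hex(password: str) -> str:
    """The legacy scheme the audit found: unsalted MD5, hex encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(16)  # unique per password, so identical passwords get different hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(verifier: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Used for unknown usernames so a missing account costs the same work as a real one.
_DUMMY_VERIFIER = make_pbkdf2("dummy-value-never-a-real-password")


def login(users: dict, username: str, password: str) -> bool:
    """Check a password; on success a legacy MD5 record is silently rehashed."""
    rec = users.get(username)
    if rec is None:
        verify_pbkdf2(_DUMMY_VERIFIER, password)
        return False
    if rec["scheme"] == "md5":
        if not hmac.compare_digest(md5_hex(password), rec["hash"]):
            return False
        # The plaintext is available right now, so this is the moment to upgrade the record.
        rec["scheme"], rec["hash"] = "pbkdf2", make_pbkdf2(password)
        return True
    return verify_pbkdf2(rec["hash"], password)


if __name__ == "__main__":
    # Constructed user table seeded with the MD5 value the audit found for "password".
    users = {"alice": {"scheme": "md5", "hash": "5f4dcc3b5aa765d61d8327deb882cf99"}}
    print("login ok:", login(users, "alice", "password"))
    print("now stored as:", users["alice"]["scheme"], users["alice"]["hash"][:40] + "...")
```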
This design will also guarantee availability even as the network grows, something that is not currently guaranteed. The network as it currently exists transmits data through intermediary, low-performing switches, which are also prone to security vulnerabilities. The new design will also improve security.

Web Server Hardening Procedure: IIS

Microsoft's IIS is prone to attacks from hackers, so it is important for IIS administrators to harden and lock down the server. Default installations of IIS 6.0 and 8.0 are particularly vulnerable. There are several steps to harden and secure an IIS web server. The first thing to do when installing an IIS web server is to ensure that services that are not used or required are not installed; these include the NNTP service, FTP server, SMTP service, Visual InterDev Remote Support, Microsoft FrontPage Server Extensions, and Internet Service Manager (Minasi, Gibson, Finn, Henry, & Hynes, 2010). These components usually expose the server to security vulnerabilities, and disabling them significantly reduces the likelihood of a breach. Secondly, when configuring a website on the IIS server, the administrator should locate the web root on a non-system NTFS volume. This helps prevent directory traversal attacks and breaches of the system. The use of parent paths should also be disabled. Further, dangerous virtual directories such as IISHelp, IISSamples, Scripts, and IISAdmin should be completely removed. RDS (Remote Data Services) should also be disabled. Directory browsing should be disabled for all files on the IIS server, and script source access should not be permitted, so as to secure the code on the server (Minasi et al., 2010). Logging should be configured on the IIS server.
Apart from helping to see top page hits, knowing who is logged into the system, or seeing the hours when traffic volume is high, logging plays a crucial role in investigations. Most importantly, logging provides both a historical forensic record and a near-real-time toolkit (Minasi et al., 2010). The easiest way to do this is to secure the default locations of all the sites' log files: allow full control only to System and Administrators, give Backup Operators read-only access, and deny all other access.

Web Server Hardening Procedure: Apache

By default Apache may run as the daemon or nobody user, which is bad as far as security is concerned. It is therefore good practice to run Apache under a separate, non-privileged account (Nataraj, 2011). It is also important to restrict all access to the root directory by editing httpd.conf. Appropriate permissions should be set on the bin and conf directories so that only authorized users can view them (Bidgoli, 2006). This can be achieved by creating a dedicated group and adding to it all the users who are allowed to view or modify the configuration files. Directory browsing should also be disabled so that users cannot list the files and directories under the document root or any subdirectory on the server. .htaccess files should not be allowed; in fact, .htaccess should not be used inside any subdirectory under the root folder, or anywhere else, since users may override Apache's default directives. All unnecessary Apache modules, such as autoindex, alias, cgi, filter, actions, setenvif, userdir, env, include, and status, should be disabled (Nataraj, 2011).

Information Security Policies

This is an internal IT security policy for a medium-sized firm, which defines its spyware, anti-virus, and adware policies.
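The Apache settings listed in the hardening procedure above can be checked mechanically before a configuration goes live. The auditor below is an added example, not the coursework's code: it walks an httpd.conf, flags the weak settings the procedure names (a shared daemon/nobody account, listable directories, .htaccess overrides, an unrestricted root directory, and the listed modules), and accepts both Apache 2.2 and 2.4 access-control syntax. The two configuration fragments are constructed, and the apache service account name is an assumption.

```python
"""Audit an httpd.conf for the weak settings named in the Apache hardening procedure.

Added example, not code from the coursework. The two configuration fragments
are constructed; the 'apache' service account name is an assumption.
"""
import re

# Modules the procedure says to disable when they are not needed.
RISKY_MODULES = {"autoindex", "alias", "cgi", "filter", "actions",
                 "setenvif", "userdir", "env", "include", "status"}
# Accounts Apache should not run under: shared or privileged.
SHARED_OR_PRIVILEGED = {"root", "daemon", "nobody"}
DIRECTORY_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)

WEAK_CONF = """
User daemon
Group daemon
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule ssl_module modules/mod_ssl.so
<Directory />
    Options FollowSymLinks Indexes
    AllowOverride All
</Directory>
# Directory listing on, and .htaccess may rewrite directives:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """
User apache
Group apache
LoadModule ssl_module modules/mod_ssl.so
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""


def audit_httpd_conf(text):
    """Return a list of (finding, where) tuples; an empty list means no weak setting found."""
    findings = []
    block = None            # path of the <Directory> block we are inside, if any
    root_block = False      # saw <Directory />
    root_denied = False     # and it denies access by default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = DIRECTORY_OPEN.match(line)
        if m:
            block = m.group(1).strip()
            root_block = root_block or block == "/"
            continue
        if line.lower() == "</directory>":
            block = None
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        where = block or "(global)"
        if key in ("user", "group") and args and args[0] in SHARED_OR_PRIVILEGED:
            findings.append(("shared-or-privileged-account", f"{parts[0]} {args[0]}"))
        elif key == "loadmodule" and args:
            name = re.sub(r"_module$", "", args[0])
            if name in RISKY_MODULES:
                findings.append(("unneeded-module-loaded", name))
        elif key == "options" and any(a.lstrip("+") == "Indexes" for a in args if not a.startswith("-")):
            findings.append(("directory-browsing-enabled", where))
        elif key == "allowoverride" and args and args[0].lower() != "none":
            findings.append(("htaccess-overrides-enabled", where))
        elif block == "/" and line.lower() in ("require all denied", "deny from all"):
            root_denied = True   # Apache 2.4 or 2.2 syntax
    if not (root_block and root_denied):
        findings.append(("root-directory-not-restricted", "/"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_httpd_conf(conf)}")
```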
It applies to every computer and includes details such as how often a virus scan is run on each computer in the organization. It details how often antivirus and anti-spyware detection programs are to be updated and, most importantly, names the programs that will be used to identify, thwart, and where possible remove adware and malware. The policy also describes the attachment types that are to be blocked at the mail server and defines the antivirus program that the firm will run on its mail server. Additionally, it specifies whether or not the firm will use an anti-spam firewall to provide more protection at the mail server. The policy outlines how files will be allowed to enter the firm's trusted network and how those files will be tested for unwanted or hostile content. It specifies how files sent to, or received by, the firm from outside networks will be scanned for viruses and other malware (Kim & Solomon, 2012). This policy is designed to protect the firm's resources against intrusion by adware, spyware, viruses, and other malware. Further, it defines a user security policy: how users will handle the IT infrastructure. For instance, the policy states that no employee should be able to stop updates of anti-virus definitions or scheduled, required anti-virus scans, except for employees who are domain administrators.

Anti-virus Policy

This policy applies to every computer and includes details such as how often a virus scan is run on each computer in the organization. It details how often antivirus detection programs are to be updated, as well as which antivirus programs the firm will install and use.
The firm will use just one antivirus program to protect its network and computers against virus intrusion; this policy recommends Symantec's Norton Protection Suite Small Business Edition. This product protects the firm by offering an on-premise backup and security management solution that guards against spyware and viruses and keeps email safe from phishing and spam threats. In addition, it quickly recovers laptops and desktops in the event of device failures. The following requirements shall remain enforced at all times.

i. The anti-virus program shall at all times remain operational, in real time, on all client computers, servers, and all other devices authorized to access the firm's network.
ii. All anti-virus program definitions shall be updated at least twice each day; on the servers, which remain online 24/7, they shall be updated at least three times a day.
iii. Anti-virus scans shall be run at least once per day on all client workstations; on the servers, which remain online 24/7, scans shall be run at least three times a day.
iv. No employee shall be able to stop updates of anti-virus definitions or scheduled, required anti-virus scans, except for employees who are domain administrators.

File Exchange Policy

This policy specifies the methods that shall be used when files are received by the firm's employees from outsiders (the public) or, at times, from other employees, or sent into the network by employees or outsiders. The following rules shall remain enforced at all times.

i. The legitimate methods of file transfer that may be used are:
   a) file transfer to or from a web server with a file upload program that is considered legitimate;
   b) FTP transfer to and from an FTP server.
ii. The software used to scan transferred files for unwanted and hostile content before they fully enter the network shall be Symantec's Norton Protection Suite Small Business Edition.
iii. The file scanning software shall be updated every time the network receives a file.

Email Server Policy

This email server policy specifies additional measures for protecting the mail server against malware and preventing malware from entering the firm's network.

Scanning of Email Malware

When malware, specifically a virus, is detected, this policy recommends that the email containing it be deleted without notifying either the recipient or the sender (Bradley, 2006). Most viruses fake the email sender, so telling the apparent sender that they have sent an email containing a virus may alarm them unnecessarily, since it is unlikely that they sent it. Instead, it would cause additional calls to the help desk by the notified individual and waste the network administrator's valuable time. Likewise, notifying the recipient that someone attempted to send them an email with a virus will alarm them unnecessarily.

The Types of Blocked Attachments

The proxy server or the email server shall block all email with the attachment types that this policy specifies. These attachment types usually contain active content and are therefore dangerous; they may be used to infect computers and other devices with hostile or unwanted software. These attachment types include, but are not limited to (Sullivan, 2005): .ade, .app, .asx, .adp, .bat, .bas, .com, .chm, .cpl, .csh, .crt, .dll, .fxp, .exe, .hta, .inf, .hlp, .ins, .isp, .jse, .js, .lnk, .ksh, .mdb, .mda, .mdz, .mdt, .mst, .mdw, .mde, .msp, .pcd, .prf, .ops, .prg, .pif, .reg, .scr, .scf, .sct, .shs, .shb, .vb, .vbs, .url, .vss, .vsw, .vst, .wsf, .wsc, .xls, .wsh, .zip.

Most viruses are contained and transmitted in zipped files to keep them from being detected during scans. The emails often carry instructions that users can follow to run such attachments, and many users still follow them. Therefore, to protect a secure network, it is imperative that such files are blocked. Depending on the antivirus software on client computers and servers as the sole protection against malware is not ideal, because viruses change from time to time and at times spread undetected by the anti-virus program. Blocking these attachment types will prevent such undetected intrusions. Some of these solutions also give users an alternative route for sending files that they need to deliver to the networks of other firms. Usually, the solution depends on the firm's network design and on the software that the firm uses to block such attachments (Kim & Solomon, 2012). In the event that an email violates the rules enforced by this policy and enters the network with a disallowed attachment, this policy proposes one of the following responses.

i. The email containing the disallowed attachment shall be deleted without notifying either the recipient or the sender. This has its own drawbacks, especially where people are trying to send legitimate files and do not realize that their attempts are failing. It is therefore important to train users and let them know why their files are blocked, so that they can help remedy the problem.
ii. The email containing the disallowed attachment shall be deleted and the sender notified. This is ideal in that it explains to senders why their email did not go through; however, it will also notify senders who did not actually send the email, which may result in unnecessary additional calls to the help desk by the spoofed sender.
iii. The email containing the disallowed attachment shall be deleted and the recipient notified.
iv. The email shall be allowed through, with the attachment deleted before delivery. This alerts the receiver that the sender included a disallowed attachment, so that if the attempt was legitimate they can notify the sender and advise them how to send attachments correctly. This may also result in unnecessary additional calls to the help desk by users.

All the options outlined here seem reasonable but have their own drawbacks; this policy therefore recommends that system administrators choose the method that best suits each situation, based on their judgment. However, the first option, which involves training users, is recommended.

Anti-spam and Proxy Server

To increase email security, the firm should add a proxy mail server or an anti-spam server to its network. This will reduce the threat of intrusion to the mail server, significantly reduce the mail server's load, and reduce spam. It is up to the firm's network administrator to choose which of these two servers to add, or whether to use a third-party service for spam prevention (McNab, 2004). Periodic updates shall be performed at defined intervals, and the contact person who will manage these additional servers shall also be defined.
Other Malware Policy

This policy covers and defines security measures for preventing spyware and adware, outlines methods for preventing and removing such malware, and specifies an acceptable detection, prevention, and removal program.

Detecting, Preventing, and Removing Adware, Spyware, and Other Malware

To keep computers and other devices on the network free from spyware, adware, and other malware, the specified detection, prevention, and removal software shall be kept up to date (Kim & Solomon, 2012). It shall be scheduled to check for definition updates at least once per day. Additionally, it shall be set to perform scheduled scans.

Conclusion

Failing to use anti-spyware or anti-virus software may result in repeated intrusions and infections that lead to poor network and computer performance and, in extreme cases, costly repairs and even complete shutdown or denial of service. The security tools that shall be used to keep the firm's network and computers malware-free and to set up scan schedules include:

i. Symantec's Norton Protection Suite Small Business Edition;
ii. Spybot Search & Destroy, Ad-Aware, and Spyware Doctor, which are adware and spyware detection, prevention, and removal tools;
iii. Startup Monitor, to keep adware and spyware from adding themselves to the startup process of systems;
iv. HijackThis, an advanced tool for monitoring changes to computer and server registries, such as self-installing spyware.

References

Bidgoli, H. (2006). Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management. Hoboken, NJ: John Wiley & Sons.
Bradley, T. (2006). Essential Computer Security: Everyone's Guide to Email, Internet, and Wireless Security (H. Carvey, Ed.). Rockland, MA: Syngress Publishing, Inc.
Kim, D., & Solomon, M. (2012). Fundamentals of Information Systems Security. Mississauga, Ontario: Jones & Bartlett Learning.
McNab, C. (2004). Network Security Assessment: Know Your Network. New York: O'Reilly Media, Inc.
Minasi, M., Gibson, D., Finn, A., Henry, W., & Hynes, B. (2010). Mastering Microsoft Windows Server 2008 R2. Hoboken, NJ: John Wiley & Sons.
Nataraj, R. (2011). 10 Tips to Secure Your Apache Web Server on UNIX / Linux. The Geek Stuff. Retrieved April 20, 2014, from http://www.thegeekstuff.com/2011/03/apache-hardening/
Sullivan, D. (2005). The Definitive Guide to Controlling Malware, Spyware, Phishing, and Spam. New York: Realtime Publishers.