Device Hardening and Secure Network Design - Term Paper Example

Device Hardening and Secure Network Design Table of Contents Table of Contents 1 Abstract 2 Thesis 2 Introduction 3 Main Network Security and Design Problems 4 New Hardening based Network design 5 Device Hardening and Secure Network Design 7 Effective Secure Network Design 7 Device Hardening 9 Desktop system Hardening 10 Device Password Hardening 11 Interwork Storage Device Hardening 11 Controller Hardening 12 Switch Security Practices 13 Routers Security Practices 14 Server Hardening 14 Concussion 15 Bibliography 16 Abstract The development of latest tools and techniques in the field of networking has brought a number of innovations. Since, at the present, communication and network technology are offering numerous advantages to the organizations, businesses and individuals. However, network security has turned out to be a most important concern in network designing and implementation. Additionally, the network security issues emerge with the emergence of new type of network technologies like that mobile networks, WiFi networks, wireless networks, etc. Thus, at the present, the network security has become a challenging issue and businesses, individuals, and corporations are struggling to successfully deal with this issue. In addition, organizations are facing lots of network technology assaults like that hackers attack, viruses, data theft, etc. This paper presents the hardening and secure network design analysis. The objective of this research is present a detailed analysis of the secure network design. In addition, this research will offer a comprehensive overview of the hardening and other security initiatives those can be taken to develop and implement a secure network design. Furthermore, the basic research point this paper is going to investigate is how “hardening" is an essential element of secure design. Thesis The thesis is about the analysis of the ‘hardening’ as a main and fundamental tool for the establishment of secure and more effective network design. This research will analyze the logical as well as physical areas to protect network and uphold privacy and integrity of the network structure. This research is intended to discuss all the potential levels of the network design that are essential to establish a secure network structure. Introduction Security encompasses the rules, guidelines, measures, and actions used to stop illegal access or modification, theft, and physical damage to a network (Laudon & Laudon, 1999, p. 502). Curtin (1998) outlines that network security can be defined as the set of procedures a business or individual can take to care for its network or computer system (s). In addition, it is a major concern of an individual or corporation that uses computers (Curtin, 1998; Kaminsky, 2010). In this scenario Kaminsky (2010) states that in case of compromised network security some data and network hackers or competitors could have access to business sensitive or critical data, that could be a cause of business destruction or data loss (Kaminsky, 2010). Thus, the protection of precious assets needs a comprehensive security model that is based on a well-established security measures and policies. Additionally, the network design strategy needs to recognize both security risks as well as potential mitigation methods to tackle these risks (Bhaiji, 2008; Forouzan & Fegan, 2003; Kurose & Ross, 2009). However, this paper focuses on hardening as a main and fundamental tool for the establishment of secure and more effective network design. Since, it is a new emerging security paradigm that offers more effective network security tools and techniques. In this scenario Mallery, Kelly, McMullin, Zann, & Love (2004) stated that in computing, hardening is typically the technique for protecting a system by minimizing its surface of vulnerability. Since, a computer structure that has a more vulnerability surface in network arrangement, however a single-function computing structure is more protected as compared to multipurpose one. Additionally, elimination of accessible vectors of society attack normally contains the elimination of needless software, needless logins, usernames, or/and the removing and disabling the needless services. There are numerous techniques of hardening for LINUX and UNIX systems. In addition, there are various hardening tools and scripts similar to JASS intended for Solaris systems, Bastille Linux plus Apache/PHP Hardener that could disable the unnecessary characteristics of designing files or carry out a variety of other defensive procedures (Mallery, Kelly, McMullin, Zann, & Love, 2005). This research will present a detailed analysis of Hardening, its overall operational and working structure, and its usefulness in protecting and managing the network security. This research will outline some of the main aspects of Hardening and its working areas for designing more secure network structure. Main Network Security and Design Problems At the present, organizations and individuals are facing lots of the security threats that could affect the whole business or loss of business or personal information and data. Thus, these security threats could create a huge business or personal loss (Cisco Systems Inc., 2010) & (Bogazici University Computer Center, n.d). This section outlines some security threats those could be critical for a business in managing its network. A virus is the biggest challenge for implementing network security. Additionally, a Trojan horse program is also a type of virus that could harm the network security and privacy. In addition, the vandals are new types of software applications or nasty applets that reason huge network data destruction. Also, spyware and some adware are hidden programs those transmit confidential business information through network. However, a hacker can also attack to hack and stop the whole business network. Furthermore, the identity theft is also a network security problem that is theft of personal and business information and identity for the illegal intention (Housley & Arbaugh, 2003; Idika, Marshall, & Bhargava, 2009; Neilforoshan, 2004; Turban, Rainer, & Potter, 2004). New Hardening based Network design According to Noonan (2004) like many other things the change is inevitable and vital in corporate network structure. Additionally, the modifications and upgrades to the corporation’s network architecture sometime create security holes. Thus, it is momentous for an organization to constantly assess the security and integrity of its network arrangement (Manzanares, 2007; Ray, 2004). However, the process of evaluating a network’s security software, hardware, processes and then developing the suitable adjustments to make them stronger is acknowledged as the "network hardening”. In addition, the hardening has to be carried out on the outside as well as the inside of a network. Furthermore, a lot of attacks take place internally consequently equivalent consideration has to be given to that likelihood. Since, the network structure grows and changes with the development of the business, external and internal threats are as well growing to oppose the security protocols organizations have established for the network (Chen, Wang, & Su, 2008). Kwon & Tilevich (2009) discuss about the network hardening, a company should be consistent in evaluating its network arrangement and configuration. Additionally, a corporation should make sure that it is never in a position where it is stressed to keep up the present security technologies or trends. Since, the security continuously augments with the development of the vulnerabilities, out-of-date software, and hardware and security protocols (Kwon & Tilevich, 2009). Wrigstad, Eugster, Field, Nystrom, & Vitek (2007) stated that hardening a network does not forever require quantities of capital. However, the investment will be necessary in a number of structures or fashions. Whether that outlines that spending money for hardening will need new software, hardware, or man hours actually dependent upon what requirements need to be addressed or fulfilled. Thus, it can comprise the entire of the above. Since, the establishment of the hardening at corporation’s network will enhance its network security and employees and customer’s confidence (Wrigstad, Eugster, Field, Nystrom, & Vitek, 2007). There are lots of new vulnerabilities and security threats in this scenario but this paper covers two security threats that are given below (Manzanares, 2007): 1. Flow control mechanisms 2. Vulnerabilities in the TCP-IP protocol These above given problems can lead toward lots of dreaded DDoS attacks as well as the TCP exploits. In this scenario hardening method offers a facility of incrementally upgrading the network working and operational infrastructure at the transport level that resolves the above mentioned problems as well as makes the network considerably more flexible to attacks, mainly the DDoS attack. However, the method that is used for this purpose is known as "hardened routers". Since, these routers are able to perform simple cryptographic tasks (signatures, encryption) on the entire packets moving into the network, as well as to contribute in a hierarchical control network (Mallery, Kelly, McMullin, Zann, & Love, 2005). This was a simple case where hardening is used. Device Hardening and Secure Network Design This section will discuss and purpose a more effective security design that will offer effective management of security and establish effective safety procedures. Here Device Hardening will be a main concern in establishing this new security design. Effective Secure Network Design Chen, Wang, & Su (2008) stated that more effectve secuity for the protection of the precious assets necessitates a “defense-in-depth” safety technique that tackles external and internal security threats. Additionally, this technique employs numerous layers of network security and defense (electronic and physical) at detach manufacturing levels through implementing procedures and policies that tackle different kinds of threats. For instance, numerous layers of network protection defend networked data, assets and end points, as well as various layers of physical security to facilitate protect high value assets (Chen, Wang, & Su, 2008). In this scenario I will discuss the device hardening based techniques to establish effective security procedures: To effectively design networks organizations need to establish a “defense-in-depth” technique that is an operational procedure required to set up and uphold the security capability. To implement a more secure network design there are following main areas of secure network design process. The basic need is to distinguish priorities (like that integrity, availability, and confidentiality) (Idika, Marshall, & Bhargava, 2009; Mallery, Kelly, McMullin, Zann, & Love, 2005): Set up requirements (like that remote access would not influence control traffic, etc.) Recognize assets Recognize potential internal as well as external risks and threats Recognize capabilities necessary Build up architecture Expand and implement policies Idika, Marshall, & Bhargava (2009) outlined that implementing and designing a complete network security model are considered as a natural addition to the business working procedures. Additionally, the network clients should not put into operation the security as a bolt-on component to the develop procedures. In scenario of more secure network design there are following security areas: (Idika, Marshall, & Bhargava, 2009; Housley & Arbaugh, 2003; Cisco, 2009) Physical Security: This security is about establishing the physical limits and controlled access of areas, devices, control panels, cabling, the control rooms as well as additional locations to allow personnel, escorts and other visitors. Network Security: At this level of security organizations need to establish security at network infrastructure, like that firewalls through intrusion detection and intrusion prevention systems (IPS or IDS), and incorporated protection of networking equipment like that switches and routers. Computer Hardening: At this level of network security design network structure needs to comprise patch management as well as antivirus software in addition to remove the idle applications, services and protocols. Application Security: At this level of network security organizations need to implement the effective network authentication, audit software and authorization. Device Hardening: This is the main area of our research that handles restrictive access and change management. Figure 1: Defense-in-Depth Multiple Layers Source: (Cisco, 2009, p. 2) The above given security procedures lead an organization towards the effective and more enhanced network safety management aspects. However, the present research will concentrate only on the device hardening and related areas for establishing enhanced security mechanisms. Device Hardening Before discussing the concept of device hardening we need to assess and manipulate the network devices which are necessary for the establishment of network security and privacy procedures. In this scenario, Bragg, Rhodes-Ousley, & Strassberg (2009) stated that another significant step when hardening network devices is to build a banner that is shown when a link is recognized as a part of the login procedure. In addition to eliminate significant information that can recognize the category and operating system on the device, it is premium practice to illustrate a warning message concerning illegal utilization of the device. Since, this makes certain that an individual is not able to dispute that they didn’t identify that their utilization was prohibited (Rhodes-Ousley, Bragg, & Strassberg, 2003). Desktop system Hardening Desktop systems are most important devices in a network structure. Thus, it is vital to discuss them in scenario of device hardening. Additionally, the IT best practices and functions to corporate computers should as well concern to establish new effective security measures for the computers. A number of most excellent practices and general recommendations comprise in desktop systems hardening are (Mallery, J., Kelly, P., McMullin, R., Zann, J., & Love, P, 2005): Maintain computers up-to-date on service packs as well as hot fixes, however hinder automatic updates. As well, users have to test patches previous to establishing them and schedule normal network maintenance and patching all through manufacturing downtime. Maintain and deploy antivirus software, however disable automatic scanning and automatic updates. Additional recommendations comprise testing definition updates previous to establishing them as well as scheduling physically initiated scanning throughout manufacturing downtime for the reason that antivirus scanning be able to disrupt real-time network operations. In case of network system users have to examine definition updates previous to establishing them plus schedule manually started scanning all through manufacturing downtime. Restrict straight internet access. Establishing Demilitarized Zone (DMZ) that offers a barrier between the enterprise and manufacturing zones however permits users to securely share data and services. The entire network traffic from any area of the DMZ stops in the DMZ. No traffic navigates the DMZ, outlines that that traffic does not straightly travel among the manufacturing and enterprise zones. Establish a detached active directory domain/forest intended for the manufacturing zone. This facilitates in making sure the accessibility to modern assets if the connection to the enterprise zone is disrupted. Device Password Hardening In devices password hardening we need to take following initiatives, also establish and implement the below given password policy settings (Chen, Wang, & Su, 2008): Utmost password age Implement password history Complex password needs Maximum password length Don’t allow the guest to enter into servers and clients. Interwork Storage Device Hardening In network storage hardening organizations need to implement some of the main storage device hardening initiatives those are (Cisco, 2009; Mallery, Kelly, McMullin, Zann, & Love, 2005): Build up, and then install, disaster recovery, backup, policies and procedures. Clients should examine backups on a standard schedule. Execute a network change management system to record network, controller and computer strategic assets (like that servers, clients as well as applications). Stop unnecessary or infrequently utilization of USB ports, serial, and parallel interfaces to stop unlawful hardware accompaniments (printers, modems, USB devices, etc.). Build up and apply a policy intended for guest access inside the enterprise zone. Build up and put into practice a policy for partner access inside the network security zone. Controller Hardening Clients could be protected through physical processes, electronic design, authorization and authentication software and change management using disaster recovery network system and software. However, most exceptional practices and general recommendations regarding controller hardening comprise (Chen, Wang, & Su, 2008; Mallery, Kelly, McMullin, Zann, & Love, 2005): Physical processes: This confines control panel access simply to authorized personnel. However, the clients could achieve this by applying to the access events. To let program configuration transforms this necessitates a physical key transformation at the PAC. Furthermore, the Illegal entry (unintentional or intentional) could not change the PAC. Electronic design: Putting into practice the PAC CPU Lock characteristics rejects front port entry to the PAC that stops configuration modifications. Security: Verification confirms a client’s individuality as well as whether service required created by that user. And approval confirms a user’s demand to access a characteristic or PAC next to a set of described access permissions. Change Management with network disaster recovery: Software constantly checks PAC assets through automatic backup and disaster recovery, version control, device configuration confirmation, and real-time auditing of client actions. Switch Security Practices Farris & Nicol (2004) stated that network nodes are not openly responsive that switches manage the traffic they transmit and accept, formulating switches the silent workhouse of a corporate network. Additionally, other than presenting an administrative interface, switches do not uphold layer 3 IP addresses; consequently hosts are not able to transfer traffic to them openly. The main attack beside a switch is the ARP fatal attack. Though the likelihood of an ARP attack does not mean switches could not be employed as security control devices. MAC addresses are exclusive and intended for each network interface card, as well as switches could be configured to permit simply specific MAC addresses to transmit traffic in the course of a precise port on the switch. This task is acknowledged as port security, as well as it is helpful where physical access in excess of the network port is could not be relied upon, like that in public kiosks. Thus, by means of port safety, a malicious individual would not be able to unplug the kiosk, plug in a laptop, in addition to utilize the switch port, for the reason that the laptop MAC will not be equal to the kiosk’s MAC and the switch would refute the traffic. As it is probable to send-up a MAC address, locking a port to a precise MAC produces a problem intended for a would-be intruder. In this scenario Hardening switches could be employed to produce VLANs or virtual local area networks. Additionally, the virtual local areas networks are layer two transmission domains and they are employed to additional segment LANs. ARP broadcasts are transmitters among all hosts inside the similar VLAN. To correspond to a host that is not in VLAN, a switch has to transmit the host’s packets in the course of a layer three device as well as routed to the suitable VLAN (Farris & Nicol, 2004). Routers Security Practices Bragg, Rhodes-Ousley, & Strassberg (2009) stated that routers have the capability to carry out IP packet check and filter. Access control lists (ACLs) could be configured to authorize or refute UDP and TCP network traffic. These factors are foundational upon the destination or source address, or together, and on the UDP or TCP port numbers enclosed in a packet. Additionally, the firewalls are implemented for additional in-depth examination; tactically positioned router ACLs thus they augment network security. For instance, access control lists could be employed on border routers to drop visibly not needed traffic, eliminating the burden from the border firewalls. Access control lists can as well be employed on WAN links to drop broadcast and additional needless traffic (Bragg, Rhodes-Ousley, & Strassberg, 2009). Server Hardening Servers are intended to bring data in a protected and dependable style for the web based users. Thus, they need to make sure that data confidentiality, integrity, and accessibility are maintained. However, one of the main steps to attain this guarantee is to make sure that the servers are maintained and installed in a way that they could stop illegal access, illegal utilization, and disturbances in service. Additionally, reason for establishing the server hardening policy is to express the requirements for installing a new server in a secure fashion and maintaining the security integrity of the server and application software. In addition, the server hardening process offers the comprehensive information necessary to harden a server as well as have to be applied for UTEP IT official approval. A number of the wide-ranging steps incorporated in the server hardening process contain (Microsoft Press, 2005): Eliminating needless system services, software and drivers Installing the OS from an approved source Implementing vendor supplied patches Stopping or altering the password of default accounts Establishing security limitations, measures, allowing audit logging and file protections Concussion At the present, the network security has become a most important subject of discussion. Additionally, there are many networking security management and handling measures are available. Hardening is a new technique for implementing security. It is a set of procedures and measures those are used to protect and defend against the augmenting network security issues and vulnerabilities. This paper has presented a detailed analysis of hardening. In this scenario I have presented the multitier network arrangement that offers better and enhanced security and confidentiality. This research has also offered a comprehensive overview of the device hardening with respect to network systems, routers, switches and other system based security initiatives those can be taken to protect the network resources and security aspects. Bibliography 1. Bhaiji, Y. (2008). Network Security Technologies and Solutions (CCIE Professional Development Series), 1st Edition. New York: Cisco Press. 2. Bogazici University Computer Center. (n.d). What is Network Security? Retrieved March 16, 2010, from http://www.cc.boun.edu.tr/network_security.html 3. Bragg, R., Rhodes-Ousley, M., & Strassberg, K. E. (2009). Network Security. A complete reference. 4. Chen, F., Wang, L., & Su, J. (2008). An Efficient Approach to Minimum-Cost Network Hardening Using Attack Graphs. IAS, Proceedings of the 2008 The Fourth International Conference on Information Assurance and Security (pp. 209-212). Naples: IEEE Computer Society Washington, DC, USA. 5. Cisco. (2009). Securing Manufacturing Computing and Controller Assets. San Jose, CA: ENET-WP005A-EN-E. 6. Cisco Systems Inc. (2010). What Is Network Security? Retrieved March 16, 2010, from Cisco.com: http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/what_is_network_security/index.html 7. Curtin, M. (1998, July 16). Introduction to Network Security. Retrieved March 16, 2010, from InterHack.net: http://www.interhack.net/pubs/network-security/ 8. Farris, J. J., & Nicol, D. M. (2004). Evaluation of secure peer-to-peer overlay routing for survivable SCADA systems. Winter Simulation Conference, Proceedings of the 36th conference on Winter simulation (pp. 300-308). Washington, D.C.: Winter Simulation Conference. 9. Forouzan, B. A., & Fegan, S. C. (2003). Data Communications and Networking . New York: McGraw-Hill. 10. Housley, R., & Arbaugh, W. (2003). Security problems in 802.11-based networks. Communications of the ACM, Volume 46, Issue 5 (SPECIAL ISSUE: Wireless networking security) , 31-34. 11. Idika, N. C., Marshall, B. H., & Bhargava, B. K. (2009). Maximizing Network Security Given a Limited Budget. Richard Tapia Celebration Of Diversity In Computing, The Fifth Richard Tapia Celebration of Diversity in Computing Conference: Intellect, Initiatives, Insight, and Innovations (pp. 12-17). Portland, Oregon: Association for Computing Machinery,New York, USA. 12. Kaminsky, A. (2010). What is Network Security? Retrieved March 16, 2010, from WiseGeek.com: http://www.wisegeek.com/what-is-network-security.htm 13. Kurose, J. F., & Ross, K. W. (2009). Computer Networking: A Top-Down Approach. New York: Addison Wesley. 14. Kwon, Y.-W., & Tilevich, E. (2009). Systematic hardening of distributed component applications to improve their QoS. Middleware Conference, Proceedings of the 10th ACM/IFIP/USENIX International Conference on Middleware. Urbanna, Illinois: Springer-Verlag New York, Inc. New York, USA . 15. Laudon, K. C., & Laudon, J. P. (1999). Management Information Systems (Sixth ed.). New Jersey: Prentice Hall. 16. Mallery, J., Kelly, P., McMullin, R., Zann, J., & Love, P. (2005). Hardening Network Security, 1st edition. New York: McGraw-Hill Osborne Media. 17. Manzanares, A. I. (2007). Hardening Network Infrastructure: Not Suitable for Everyone. IEEE Distributed Systems Online, Volume 8, Issue 10 , 4. 18. Microsoft Press. (2005, November 22). Server hardening. Retrieved March 16, 2010, from TechTarget.com: http://searchwindowsserver.techtarget.com/generic/0,295582,sid68_gci1144685,00.html 19. Neilforoshan, M. R. (2004). Network security architecture. Journal of Computing Sciences in Colleges, Volume 19, Issue 4 , 307-313. 20. Ray, R. (2004). Technology Solutions for Growing Businesses. New York: American Management Association (AMACOM). 21. Rhodes-Ousley, M., Bragg, R., & Strassberg, K. (2003). Network Security: The Complete Reference, 1st edition. New York: McGraw-Hill Osborne Media. 22. Turban, E., Rainer, R. K., & Potter, R. E. (2004). Introduction to Information Technology (3rd ed.). New York: Wiley. 23. Wrigstad, T., Eugster, P., Field, J., Nystrom, N., & Vitek, J. (2007). Software Hardening: A Research Agenda. European Conference on Object-Oriented Programming, Proceedings for the 1st workshop on Script to Program Evolution (pp. 58-70). Genova, Italy: ACM New York, USA . Read More