Virtual Private Network as an Appropriate Control - Case Study Example

Microsoft Windows Access Controls

As per the scenario, the district offices incorporate employees connecting remotely via mobile devices and smartphones. For establishing a secure channel, a virtual private network (VPN) is an appropriate control. The VPN encrypts the data before sending it and establishes a secure channel protected from hackers or cyber criminals. However, user credentials are required for authorization and authentication on the VPN server. Furthermore, for configuring multiple operating system environments on Active Directory, a domain server must be placed in Georgia, India, California, Canada and New York. As all applications are hosted on the Phoenix site, they should be configured on HTTPS and must use a VPN tunnel for exchanging data with the other 4 sites. Moreover, for adding an extra layer of security, MAC addresses should be linked with the WAN IP addresses requesting access to one of the hosted applications. An access control policy should be drafted that addresses who is given access and why. A Responsible, Accountable, Consulted and Informed (RACI) chart should be developed, as it will define roles and responsibilities for each user permitted to access web-based applications.

2 Blowfish Encryption Algorithm for NextGuard

As per the Computer Desktop Encyclopedia, the Blowfish encryption algorithm is defined as “A secret key cryptography method that uses a variable length key from 32 to 448 bits long. It uses the block cipher method, which breaks the text into 64-bit blocks before encrypting them. Written by Bruce Schneier, as a free replacement for DES or IDEA, it is considered very fast and secure” and as per the Network Dictionary, it is defined as “Blowfish is an encryption algorithm that can be used as a replacement for the DES or IDEA algorithms. It is a symmetric (that is, a secret or private key) block cipher that uses a variable-length key, from 32 bits to 448 bits, making it useful for both domestic and exportable use”.
Blowfish is an encryption algorithm that was invented by Bruce Schneier in 1993 (Pachghare, 2009). It is built on a variable-length key ranging from 32 bits to 448 bits, which is considered to be perfect for both local and international use, along with a solid encryption algorithm. Having been recognized as a relatively solid encryption algorithm, it is gradually gaining acceptance. Some of the core features of the Blowfish algorithm include (Pachghare, 2009):

  • Blowfish is a block cipher with a block size of 64 bits
  • The length of the key can be up to 448 bits (BladeCenter web interface: MM Control, Login Profiles page, n.d.)
  • On a 32-bit microprocessor architecture, data encryption is supported at a rate of 18 clock cycles per byte, which is much quicker than DES and IDEA encryption
  • It is still free to use and is not patented
  • Memory requirements for Blowfish are less than 5 kilobytes
  • The semantics are simplified and it is relatively easy to deploy

The design requirements for the Blowfish encryption algorithm incorporate robust, simple to code, compact, easily modifiable and flat key space features (Anderson, 1994). Likewise, a flat key space allows any random string of the required length to be considered as a possible key. Moreover, it handles data in large, byte-sized blocks and uses 32-bit blocks where applicable (Anderson, 1994). Key lengths, as mentioned earlier, range from 32 to 448 bits, and the operations used are common ones supported by microprocessors, such as XOR and table lookup. Furthermore, pre-computable sub keys are applicable with a variable number of iterations. These sub keys are large and must be pre-calculated before the encryption or decryption process is carried out. In the example below, assume that P is a pre-calculated array consisting of 18 32-bit sub keys, P1, P2, … up to P18. In addition, there are four 32-bit S-boxes, indicated by S, with 256 entries each (John Rittinghouse & Hancock, 2003).
S1,0, S1,1, …, S1,255;
S2,0, S2,1, …, S2,255;
S3,0, S3,1, …, S3,255;
S4,0, S4,1, …, S4,255;

The sub keys are calculated by deploying the following algorithm (John Rittinghouse & Hancock, 2003):

Step 1: NextGuard Technologies can prepare the P array along with the four S-boxes, in order, with a static string containing hexadecimal digits.
Step 2: XOR P1 with the leading 32 bits of the key and XOR P2 with the next 32 bits of the key.
Step 3: By using the Blowfish algorithm, NextGuard Technologies can encrypt the all-zero string by incorporating the sub keys mentioned in step 1 and step 2.
Step 4: This step swaps P1 and P2 for the result of step 3.
Step 5: In this step, the result of step 3 is encrypted by utilizing the Blowfish algorithm along with the modified sub keys.
Step 6: Now P3 and P4 are swapped for the result of step 5.
Step 7: The process must continue, swapping all the entries of the P array in order, followed by all four S-boxes. The result is a Blowfish algorithm whose output changes on a continuous basis.
Step 8: Lastly, a total of 521 iterations are essential and mandatory to develop all the sub keys that are required. Applications can save the sub keys instead of executing the sub-key generation process on a continuous basis.

3 Plan for Countermeasures

For NextGuard Technologies, a single domain model would be sufficient to establish a forest root domain. Once the domain is created, the DNS configuration is needed. Moreover, the type of DNS versions, the names for the domains, servers and Active Directory services, and the names of the forest and forest root domains are configured. A trust plan comparable to the forest and domain plans is also generated. The outlines related to the trust plan are additionally designed manually. In order to enhance performance within a single forest or across separate forests, trust can be applied for several rationales.
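The sub-key generation steps listed in section 2, carried through in Python as an added example (not code from the paper). It assumes the "static string containing hexadecimal digits" in step 1 is the fractional hexadecimal expansion of pi, as in Schneier's Blowfish specification; all function names are this example's own.

```python
# Added example: Blowfish sub-key generation. Function names are hypothetical.
MASK = 0xFFFFFFFF

def pi_fraction_words(n):
    """First n 32-bit words of the fractional hex digits of pi (Machin's formula)."""
    bits = 32 * n + 64                       # 64 guard bits absorb truncation error
    one = 1 << bits

    def arctan_inv(x):                       # fixed-point arctan(1/x)
        total = term = one // x
        k, sign = 3, -1
        while term:
            term //= x * x
            total += sign * (term // k)
            k, sign = k + 2, -sign
        return total

    frac = (16 * arctan_inv(5) - 4 * arctan_inv(239) - 3 * one) >> 64
    return [(frac >> (32 * (n - 1 - i))) & MASK for i in range(n)]

def feistel(S, x):
    """Round function F: four S-box lookups combined with addition and XOR."""
    a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK) ^ S[2][c]) + S[3][d]) & MASK

def encrypt_block(P, S, left, right):
    """Encrypt one 64-bit block given as two 32-bit halves (16 rounds)."""
    for i in range(16):
        left ^= P[i]
        right ^= feistel(S, left)
        left, right = right, left
    left, right = right, left                # undo the swap of the final round
    return left ^ P[17], right ^ P[16]

def key_schedule(key):
    """Return (P, S, iterations) for a key of 4 to 56 bytes (32 to 448 bits)."""
    if not 4 <= len(key) <= 56:
        raise ValueError("Blowfish keys are 32 to 448 bits long")
    words = pi_fraction_words(18 + 4 * 256)  # step 1: static hex string
    P = words[:18]
    S = [words[18 + 256 * i: 18 + 256 * (i + 1)] for i in range(4)]
    for i in range(18):                      # step 2: XOR key into P, cycling the key
        chunk = bytes(key[(4 * i + j) % len(key)] for j in range(4))
        P[i] ^= int.from_bytes(chunk, "big")
    left = right = iterations = 0            # step 3: start from the all-zero block
    for table in [P] + S:                    # steps 4-7: P array first, then S-boxes
        for i in range(0, len(table), 2):
            left, right = encrypt_block(P, S, left, right)
            table[i], table[i + 1] = left, right
            iterations += 1
    return P, S, iterations                  # step 8: 9 + 4 * 128 iterations

def encrypt_hex(key_hex, block_hex):
    """Encrypt one 8-byte block (hex in, hex out) under a freshly scheduled key."""
    P, S, _ = key_schedule(bytes.fromhex(key_hex))
    block = int(block_hex, 16)
    left, right = encrypt_block(P, S, block >> 32, block & MASK)
    return f"{left:08X}{right:08X}"

if __name__ == "__main__":
    print(key_schedule(bytes(8))[2])
    print(encrypt_hex("00" * 8, "00" * 8))
```

Because every key change costs 521 block encryptions, caching the returned P and S tables is what step 8 means by saving the sub keys. The 64-bit block also limits how much data should be encrypted under one key, since block collisions become likely at large volumes (the Sweet32 class of attacks).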
1.1 Limited Access

In order to limit access for the sales department and other employees, configuration is carried out in the “Active Directory Users and Computers” console.

  • Click Start menu > Administrative Tools > Active Directory Users and Computers.
  • In the console, click the user account.
  • Right-click the user account, and then click Properties.
  • Click Account. Next, click the option Logon Hours.
  • Click Logon Denied after clicking All to select all available times.
  • Select the time blocks as per the requirements to allow the specific user to log on to the domain, and then click Logon Permitted.

A status line provides the options to edit logon times, including days of the week and timings.

1.2 User Login Restriction

  • Go to Active Directory Users and Computers > Properties > Accounts.
  • Open the logon workstations dialog box by clicking the Log On To tab.
  • Enter the name of a required workstation.
  • Click Add.
  • Repeat this procedure to identify additional workstations as per the organization's requirements.

1.3 User Restriction on Workstation

In a Windows 2003 domain, a client restriction policy can be implemented by executing group policy. By executing group policy, the clients are restricted from logging onto different domains except their home domain. The target domain creates a new “domain wide group policy object”. This can be activated by applying “Deny logon locally” to the client's domain account. For the “Deny logon locally” option, the check must be enabled.

1.4 Configuring mandatory file access

By configuring the “User's Environment Settings”, the compulsory file access is applied.

  • Go to Active Directory Users and Computers > Users > Properties > Profile tab.
  • Click the option named Local path.
  • Insert the path to the home directory in the related field. Example: C:\NextGuard Technologies\%UserName%.

1.5 Password Policy

In the Active Directory Users and Computers console, the password policy is implemented. Five core elements of the password policy are implemented on all the created users.
  • Password history is applied according to the organization's needs.
  • Maximum password age is applied, i.e. 30 days.
  • Minimum password age is defined as per the organization's needs.
  • A minimum password length of 10 characters is applied.
  • Complexity criteria must be set for passwords, according to the organization's requirements.

1.6 Account Lockout Policy

A group policy is needed for the Account Lockout configuration. On the right-hand side, expand the security options: expand Computer Configuration > select Windows Settings > click Security Settings > click Local Policies > select Security Options. Double-clicking the properties of “automatically log off users when login time expires” opens a dialog for defining the policy. Click “Define this policy setting” and then click Enabled. In effect, the policy enforces the logon hours restriction that has been activated.

4 Incident Management / Disaster Recovery Plan for NextGuard Technologies

The disaster recovery plan covering all the issues and countermeasures is shown below (Sandhu, 2002):

Threats | Counter Measures
Power Failure | Alternate power distribution link
Database Failure | Backing up data on 3 different locations at the same time by disk mirroring, ciphering, DLT or manual backup on a daily basis
System Failure | Alternate system to replace the affected system
Theft | Lock cabinets, IP cameras, biometric fingerprint identification
Vandalism | Hard steel box for servers and databases
Flood | Relocating or replicating the network room; create a duplicate or replica of crucial data servers that are geographically located away
Fire | Water sprinklers, fire extinguishers
Earthquake | Relocating data with data centers that are geographically located away

The initial step is to identify the information assets of NextGuard Technologies on the network along with the services associated with them. The next consideration must be given to the replication of these services, which can be implemented on other systems.
For NextGuard Technologies, there were two issues contributing to each other, i.e. application system failure, database failure and power failure. After identifying information assets on the network, the application server, the database and the power supply are considered the critical services. In order to determine the cost associated with these three services, the following factors are indicated.

4.1 Application Server

An image of the primary application server can be replicated to a secondary machine in order to switch to the other system if a system failure arises. If both the primary and the secondary application servers crash, there must also be a third system that can be connected to the network. The cost can be determined by installing applications on three servers.

4.2 Database

The database is a critical asset for every organization, which needs to be protected from system failure, hackers, viruses, intruders, physical theft etc. In order to determine the cost, the database must be replicated to two separate points, i.e. the secondary system backup and the data center backup. If both the primary and secondary systems crash, the data is still secure in the third location, i.e. the data centers. The cost is linked with the primary and secondary systems along with the cost associated with maintaining regular backups with secure data centers.

4.3 Floods

Power is a crucial source for a network to be operational. An uninterruptible power supply (UPS) must be connected to the critical assets on the network, as floods may disrupt power sources to critical assets. Moreover, an alternate power source is also a requirement. It is useful when the primary source of power goes down. The cost is associated with the UPS and the alternate power source.

4.4 Internet Server / Proxy Server

If the WAN becomes unavailable on the Phoenix site, none of the remote branches or district offices can access the hosted applications. A primary link along with a secondary link should be configured for replication.
The configuration setting can be defined in the router so that it can switch instantly if one of the links is down. However, both links should not be from the same ISP.

5 Best Practices / Summary & Recommendations

The recommended solution should be to define the scope, i.e. the Phoenix site should be ISO/IEC 27001 certified. As all critical assets are located on this site, a warm or hot site is also recommended for ensuring business continuity in case of a disaster. Similarly, after getting ISO/IEC 27001 certified, appropriate controls should be applied and regular audits will be conducted to identify non-compliance issues. Currently, we have implemented:

  • VPN for secure access to applications
  • Blowfish encryption algorithm on emails and VPN tunnels for accessing hosted applications
  • A Disaster Recovery Plan that will be activated in case of a disaster

References

Anderson, R. (1994). Fast software encryption: Cambridge security workshop, Cambridge, U.K., December 9-11, 1993: Proceedings. Springer-Verlag.
BladeCenter web interface: MM Control, Login Profiles page. (n.d.). Retrieved from http://publib.boulder.ibm.com/infocenter/bladectr/documentation/topic/com.ibm.bladecenter.advmgtmod.doc/kp1bb_bc_mmug_mmloginprofilepage.html
Blowfish. (2007). Network Dictionary, 71-71.
John Rittinghouse, P. D. C., & Hancock, W. M. (2003). Cybersecurity operations handbook. Elsevier Science.
Pachghare, V. K. (2009). Cryptography and information security. Prentice-Hall Of India Pvt. Limited.
Sandhu, R. J. (2002). Disaster recovery planning. Premier Press.