Network Security - Case Study Example

Note: All references can be found online. I will send separate page with links. Please just send a message if you need to change or add anything. Network Security Case Study Web Soul Ltd. Network Security Table of Contents 1. Introduction Web Soul Ltd., a small company specializing in website development is moving to a new office that was once a software house with existing computer network with a number of servers, hubs, switch, printers, personal computers, and cabling system. However, since the existing network infrastructure was meant for software development, set up in a manner appropriate for the previous owner, and was bought by Web Soul Ltd. In “as is” with no supporting documentation and clear administrative information, its capacity to serve the purpose of Web Soul Ltd, should be evaluated. These include identifying and assessing the functions and capacity of each network elements and physical devices, scale of the network, organizational scope, network performance and security, compatibility and others. Moreover, aside from evaluating the usefulness of the existing network, the research and solution for Web Soul Ltd. must take into account the business expansion that will take place in the future. These include accommodating future domain hosting requirements, SSL certificates issuance and validation system, Web design and applications, E-shops, and software development and testing requirements. 2. Identified Problems As mentioned in the case study, the existing Ethernet network has no clear documentation aside from the layout provided below and description of available hardware in the new office. However, inserting the hardware described in the case study into the layout of the new office (see Diagram 1) reveals some key problems in the network set up. 2.1 Problem 1 – Director Office near Recreation Area with 1 hub but no PC The hub in this Director’s office seems redundant but according to the case study, two new directors will be joining the Managing Director in running the company. For this reason, the layout of the new office must accommodate one more director and two PCs. Diagram 1- Existing Network Setup Director Meeting Room Sensitive Data Area Development Area Development Area Meeting Area Reception Corridor Recreation Server Room Director Note that the hub in this Director Office is connected to the Server Room switch that by design and indicated in the cabling system provide access to the Development Area switch which is connected to Reception Area hub, to the wireless router, and to the Internet. By analysis, this configuration suggests longer data transmission time and risky because Internet data will pass through the Server Room switch. Another is the fact that if a PC is available in this Director’s Office, it is more logical to connect to the Reception Area hub as other personal computers does. 2.2 Problem 2 –Wireless router and hub in reception area It is safe to assume that the wireless router in the reception area is there to access the Internet using broadband connection device but it as shown in Diagram 1; it is not clear whether this is being used by other computers in the network through the hub. If so then this report will assume that PCs from previous Software house has no wireless network adapters as their local and Internet connections are wire. For this reason, the wireless or remote capability of the wireless router is not being used despite the clear advantage of wireless computing particularly in cabling work and hub installation. Finally, the location of both wireless router and hub should be in secured locations (see discussion in Section 2.3), away from the reception area where many can easily access both devices. 2.3 Problem 3 – PCs in the Director’s office (near Meeting Room), Meeting Room, and Sensitive Data Area are directly link in the hub located in the reception area Another problem in this old network setup is the PCs directly connected to hub which is connected to the wireless router. It is important to note that unlike a switch, network hub does not filter or manage network traffic and for security reasons, this kind of configuration is risky. According to Kar & Syed (2011), many have moved away from hubs because they are not secured, they repeat traffic in every port, do not scale well due to collisions, and do not filter traffic. Since hubs broadcast almost all traffic to any node in the network, attackers can easily gain access to a network port (p.3). Note that PCs in the Director’s office, Meeting Rooms, and Sensitive Data Area are much safer if they are connected to switch in the Development Area or a new switch in the Sensitive Data Area as shown in Diagram 2. 2.4 Problem 4- More PCs and network devices are required in the development area for business expansion As described in the case study, the owner of Web Soul Limited intends to immediately expand the business and incorporate Domain Hosting, SSL Certificate Issuance and Validation, and others. For this reason, additional PCs and other devices must be connected to the new network. For instance, two more web developers and a graphic designer will require three additional PCs, a high resolution coloured printer or plotter, and additional switch if necessary. Moreover, the expansion will require two dedicated servers for Domain Hosting and SSL Certificate Issuance and Validation. Depending on the capability of existing Linux boxes, they can be use as dedicated servers for these purposes. Moreover, the existing SSH Server can be use for digital certificates authentication and encrypted connection to the servers. 3. Recommended Solutions These recommended solutions are divided by the number of identified problems discussed earlier. 3.1 Solution to Problem 1 Considering the need for additional director’s office and associated computing hardware, the solution is to construct a room for 1 director, a PC, and network cabling. However, this PC and cabling will be connected to a new switch in the Sensitive Data Room. This new configuration will enable other PCs currently connected to the hub in the Reception Area to connect in a switch located in a more secure area as shown in Diagram 2. Note that use of network hub is completely discouraged while critical network components are concealed. Similarly, the Internet traffic will pass through a more secured switch. However, since there will be Domain Hosting, SSL, and requirements for authenticated access to various servers, in the Server Room, an alternative cabling configuration may be necessary (see green line leading to Server Room switch). Details of this configuration can be found in Section 3.5 onwards. Diagram 2 - New Network Configuration Director Meeting Room Sensitive Data Area Development Area Development Area Meeting Area Reception Corridor Recreation Server Room Director 3.2 Solution to Problem 2 The study’s description suggest that the wireless router is for broadband access while the hub in the reception area serve as unsecured access points for a number of PCs. Moreover, considering the business expansion, the location of these devices is undoubtedly not ideal for a large network with sensitive data to protect. The first solution is to relocate these devices and discourage the use of hubs as access points as implemented in Diagram 2 of Section 3.1. Another is to maximize use of wireless computing by relocating the wireless router at the centre of the building where signal from all points will be strong. However, if the owner will consider this option, wireless network adapters should be installed in selected PCs along with the reconfiguration of the router’s security protocol. 3.3 Solution to Problem 3 As discussed in Problem 3, replacing network hubs with switches add security to the network and shown in Diagram 2 in Section 3.1, PCs in offices are now connected to a switch located in a more convenient and secured location. Note that these problems are interrelated thus movement of network components affect other areas of the network as explained in Section 3.1. Notice the impact of moving network components in Diagram 3 below showing redundancy of the connection between switches in Sensitive Data Area and Development Area if the alternative cabling (green line) is implemented. By analysis, the green line connection can also provide the development area with Internet connection using the same line for file and print service at the same line. Diagram 3- Impact of Cabling and Movement of Components Director Meeting Room Sensitive Data Area Development Area Development Area Meeting Area Reception Corridor Recreation Server Room Director 3.4 Solution to Problem 4 Solutions to Problem 4 are entirely based on expansion requirements thus additional physical devices must be added to network. For this reason, as shown in Diagram 2 and 3, new PCs in the Development Area and new Director’s Office are added in the configuration along with a new switch in the Sensitive Data Area. However, the critical requirements of the expansion are not in the Local Area Network but in the access points and servers. For instance, Doman Hosting requires and SSL Certificate Issuance and Validation requires a separate server which in this case can use the Linux boxes (see details in the following sections). The existing File and Print server and Back-up server can do its previous task and serve all the nodes in the network. The SSH Server can provide authenticated access and TCP port-forwarding via secure channel that is useful for VPN applications (Dornbusch et al, 2003, p.12) while the Samba Server, a cross-platform server (Tis et al, 2003, p.9) can act as files and print server for both Windows and Unix. There seems no additional hardware required but it is critical to reconfigure these servers particularly the Linux boxes, Samba, and SSH server. 3.5 Network Type The recommended network type is the same (Ethernet) but with few modifications. Although FDDI or Fibre Distributed Data Interface enables high-speed computing through fibre optic transmission is not recommended for this application because of higher cost and distance limitations (Shinder, 2001, p.149). Moreover, the number of nodes and distances between these nodes does not warrant a costly cabling system. An Ethernet network is widely used for its scalability and IEEE 802.3 is the industry standard thus reliable and economical (Karris, 2009, p.4-7). 3.6 Network Technology Size, Speed, and Scale Requirements Network stability is an important consideration if one network is required to perform at high-speed without degradation (Chung, 2003, p.539). Since Web Soul Limited will expand its business to bandwidth-intensive applications such as Doman Hosting and SSL certificate validation, it is necessary to consider the most feasible network technology. Note that existing Ethernet LAN is not the problem here as it can transfer 10Mbps using 10BASE-T or 10BASE-5 cables (Testmy.net, 2012, Connection Chart) thus this report will only need to consider internet connection technologies suitable for Domain Hosting and SSL Certificate authentication. DSL is a broadband technology that can deliver 8 to 10 Mbps but it is only fast for receiving data which is not the primary concern of Domain Hosting and SSL that often require faster data uploads. Similarly, cable broadband technology can deliver data, voice, and video at 500 Kbps to 10 Mbps but with limited upstream bandwidth which in reality is not suitable for peer-to-peer applications and Web Servers (Pagani, 2005, p.326). For this reason, the owner should consider investing on fibre optic technology that can deliver 2 M to 100M bits per seconds without the usual magnetic interference (Network World, 2002, p.36). Note the scale requirements of this Ethernet LAN are limited to internal network which is geographically limited in the new office thus the purpose of fibre optic investment is reliable higher data transfer rate. This is actually a WAN extension of the Ethernet network that will use the transmission facilities a particular commercial carrier. 3.7 Cabling Requirements The recommended cabling requirements for the new Ethernet network is CAT 5e as it is well suited for Fast Ethernet Networks and compatible for Gigabit Ethernet Networks (see Diagram 2 or 3 for cable route). CAT5e is recognized by ANSI/TIA/EIA-A cabling standard and provides better and reliable transmission rates (Mueller, 2003, p.1095). The new cable system requires RJ-45 connectors on both ends, an RJ-45 female coupler if joining two lengths which should not exceed 100 metres (Fehily, 2009, p.471). 3.8 Network Interfaces and Protocols The each node and devices in new network will use a network interface adapter (card) or compliant interface card (printer for example). Since this a Fast Ethernet Network, these NICs should support 100BASE-TX;s 100Mbps speed, PCI compliant, and can carry different kinds of protocols such as data link protocol, TCIP/IP, Novel IPX or Apple Talk protocols (Mueller, 2003, p.1081). 3.9 Data and Network Security Requirements The level of security should match the security requirements of the wired Ethernet Network and must be capable of defeating the administrative and security risks posed by internal and external access (McLean, 1993, p.597). Another consideration is confidentiality, authentication, and integrity requirements of the data that will be transfer from nodes to nodes. The network security police should therefore include data encryption, user authentication, IP packet filtering, and installation of firewall system between corporate network and the Internet, and maintenance of network segmentation. The SLL, Samba, and SSH should figured to provide session encryption and integrity for packets transmitted over the network or secure server-to-server transactions. 3.10 Network Performance Considerations Although the recommended network configuration take into account the reliability and performance, it is still necessary to monitor network activity for bottlenecks that can significantly affect its performance. These include ensuring that the flow of data between stations, servers, routers, switches, are within its designed capacity (Held, 2003, p.543). The switches in the new network enable segmentation and at the same time reduce network contention by switching and proving several pairs of senders and receivers with separate communication channels at the same speed (Peng & Tsou, 2003, p.68). 3.11 Compatibility Issues and Requirements There is no clear information about the existing network servers but by analysis, their compatibility with the new network is merely a matter of configuration. The file and print servers such as Samba (running UNIX, Solaris, BSD, and other) will undoubtedly work with Microsoft Windows Clients as SMB (the other name for Samba) is standard protocol for Window network file system. Similarly, the File Server PC with secondary storage and the Back-up server are more likely Windows-based as evidenced by a number PCs running Windows XP. 4. Conclusion/Summary The new office will only require several modifications to meet the requirements of Web Soul Ltd. The different servers (re-configured and tested) in the Server Rooms are sufficient enough to accommodate the expansion requirements. Removal of network hubs increased security while installation of new switch enhances network segmentation, traffic filtering, and congestion avoidance. The recommended solutions are based on the current business requirements thus subject to future modifications. Similarly, the proposed network configuration may be modified such as router upgrade and further network segmentation. In terms of security, integrity, reliability and confidentiality, the network should be configured to use data encryption, user authentication, and data signing. Finally, since Doman Hosting and SSL authentication is a demanding task, Web Soul management should consider upgrading the Linux servers particularly when their speed and reliability is declining. 5. References Chung C, (2003), Web and Communication Technologies and Internet-related Social Issues, Springer, Germany Dombusch P, Ller M, & Butterman A, (2003), IT-Security in Global Corporate Networks: Trend Report 2002, BoD Books on Demand, UK Fehily C, (2009), Microsoft Windows 7: Visual QuickStart Guide, Peachpit Press, US Held G, (2003), Ethernet Networks: Design, Implementation, Operation, Management, John Wiley & Sons, US Kar D. & Syed M, (2011), Network Security, Administration and Management: Advancing Technology and Practice, Idea Group Inc., US Karris S, (2009), Networks: Design and Management, Orchard Publications, US McLean H, (1993), Protection Critical Information and Technology, DIANE Publishing, US Mueller S, (2003), Scott Mueller’s Upgrading and Repairing PCs, Que Publishing, US Network World, (2002), Fibre to the home market in gear, available online at http://books.google.com.ph/books?id=PRgEAAAAMBAJ&pg=PT24&dq=network+technology+fiber+internet&hl=fil&sa=X&ei=68LpUJPVC8iJlAWF8YHgBg&ved=0CDQQ6AEwADgK Pagani M, (2005), Encyclopaedia of Multimedia Technology and Networking, Idea Group, US Peng Z. & Tsou M, (2003), Internet GIS: Distributed Geographic Information Services for the Internet and Wireless Networks, John Wiley & Sons, US Shinder D, (2001), Computer Networking Essentials, Cisco Press, US Testmy.net, (2012), Connection Chart, available online at http://testmy.net/tools/connection_chart.php Tis J, Eckstein R, & Collier-Brown D, (2003), Samba Pocket Reference: A Unix-to-Windows File and Print Server, O’Reilly Media, Inc, US Read More

For this reason, the wireless or remote capability of the wireless router is not being used despite the clear advantage of wireless computing particularly in cabling work and hub installation. Finally, the location of both wireless router and hub should be in secured locations (see discussion in Section 2.3), away from the reception area where many can easily access both devices. 2.3 Problem 3 – PCs in the Director’s office (near Meeting Room), Meeting Room, and Sensitive Data Area are directly link in the hub located in the reception area Another problem in this old network setup is the PCs directly connected to hub which is connected to the wireless router.

It is important to note that unlike a switch, network hub does not filter or manage network traffic and for security reasons, this kind of configuration is risky. According to Kar & Syed (2011), many have moved away from hubs because they are not secured, they repeat traffic in every port, do not scale well due to collisions, and do not filter traffic. Since hubs broadcast almost all traffic to any node in the network, attackers can easily gain access to a network port (p.3). Note that PCs in the Director’s office, Meeting Rooms, and Sensitive Data Area are much safer if they are connected to switch in the Development Area or a new switch in the Sensitive Data Area as shown in Diagram 2. 2.4 Problem 4- More PCs and network devices are required in the development area for business expansion As described in the case study, the owner of Web Soul Limited intends to immediately expand the business and incorporate Domain Hosting, SSL Certificate Issuance and Validation, and others.

For this reason, additional PCs and other devices must be connected to the new network. For instance, two more web developers and a graphic designer will require three additional PCs, a high resolution coloured printer or plotter, and additional switch if necessary. Moreover, the expansion will require two dedicated servers for Domain Hosting and SSL Certificate Issuance and Validation. Depending on the capability of existing Linux boxes, they can be use as dedicated servers for these purposes.

Moreover, the existing SSH Server can be use for digital certificates authentication and encrypted connection to the servers. 3. Recommended Solutions These recommended solutions are divided by the number of identified problems discussed earlier. 3.1 Solution to Problem 1 Considering the need for additional director’s office and associated computing hardware, the solution is to construct a room for 1 director, a PC, and network cabling. However, this PC and cabling will be connected to a new switch in the Sensitive Data Room.

This new configuration will enable other PCs currently connected to the hub in the Reception Area to connect in a switch located in a more secure area as shown in Diagram 2. Note that use of network hub is completely discouraged while critical network components are concealed. Similarly, the Internet traffic will pass through a more secured switch. However, since there will be Domain Hosting, SSL, and requirements for authenticated access to various servers, in the Server Room, an alternative cabling configuration may be necessary (see green line leading to Server Room switch).

Details of this configuration can be found in Section 3.5 onwards. Diagram 2 - New Network Configuration Director Meeting Room Sensitive Data Area Development Area Development Area Meeting Area Reception Corridor Recreation Server Room Director 3.2 Solution to Problem 2 The study’s description suggest that the wireless router is for broadband access while the hub in the reception area serve as unsecured access points for a number of PCs. Moreover, considering the business expansion, the location of these devices is undoubtedly not ideal for a large network with sensitive data to protect.

The first solution is to relocate these devices and discourage the use of hubs as access points as implemented in Diagram 2 of Section 3.1.

Read More