Network Security Fundamentals - Report Example

CSI3207/4207: NETWORK SECURITY FUNDAMENTALS CSI3207/4207: Network Security Fundamentals Author Author’s Affiliation Date Table of Contents Retrenchment and Initial Security Plan 4 1- Introduction 4 2- Security Plan Scope 5 3- Security Issues 6 4- Target Application 7 5- Retrenchment and Security Plan Initiatives 8 5.1- Microsoft Windows Access Controls Policies 8 5.2- Protecting Organizational Online Network 10 6- Tools and System for Security Management 13 6.1- Cryptography Methods 13 6.2- Encryption Software 14 6.3- Firewalls 15 6.4- Service packs 15 6.5- Account considerations 15 6.7- Antivirus Programs 16 6.8- Dial in access or Remote network access 16 6.9- Strong password practices 16 Part B 18 Audit Plan 18 7- Audit Plan Objective 18 8- Plan for Monitoring and Audit 18 8.1- Data Backups 19 8.2- Services installed 19 8.3- Install IIS on separate network segments 20 8.4- Security Guidelines 20 8.5- Lightweight Directory Access Protocol (LDAP) 20 Secure Solution Plan 22 9- Security Requirements 22 10- Security Controls 23 11- Requirements and methodology for activity auditing 24 12- Network Diagram 25 13- References 26 Part A Retrenchment and Initial Security Plan To secure the infrastructure from the external contractor both pre and post retrenchment 1- Introduction Information security plays a fundamental role in these days’ rapidly changing technology infrastructures and business environments. In this scenario, secure and steady communication infrastructure is required for both end users and companies in an attempt to get a number of advantages from the enhancements and developments that the Internet has provided them. Additionally, the significance of this fact needs to be visibly highlighted in view of the fact that sufficient procedures will be applied, not simply to improve the business's daily measures as well as dealings, however there is need to make sure that a great deal of required safety procedures are implemented with a satisfactory level of security prospective (Danchev, 2003; Mscpaonline, 2010). Basically, the organizations implement information security plans to provide a set of guidelines and rules that promote standardized response to some information security issue that can be encountered. In this scenario, these rules and regulations facilitate a team of IT experts to instantly recognize what action should be taken in some situation. However, the information security plan should be placed into situation by an enterprise that has a computer and communication network. Though, these procedures and policies are tremendously complicated to plan as well as implement, however sound information security policies facilitate an operation to care-for its data with relative ease (Danchev, 2003; Mscpaonline, 2010). This part of report is about the retrenchment and initial security plan to secure the infrastructure from the external contractor both pre and post retrenchment. Our main objective is to restrict the external network intrusion, because the previous network technology contractor has not installed the network as specified and has installed a complex however secure solution in order to get employment after the contract ends through “maintenance”. This part of report is about the retrenchment and initial security plan that is aimed at offering a great deal of support and capability for the enhanced handling and management of security based issues at our non-profit organization. 2- Security Plan Scope The implementation of a retrenchment and initial security plan would be extremely secure, helpful, profitable and beneficial for our non-profit organization. The scope of this plan includes offering following capabilities: Cost reduction of present technology based network Security improvement Securing external intrusion Documenting whole network systems More enhanced interaction among staff members through network Backup and restore systems setup Improvement of remote communication security Effective data protection Disaster management and handling Application of suitable controls and authentication Enhanced data security Better data quality No breach of copyright Assessment of daily tasks Quality authentication Easy way of working Easy management of the data Less conflicts among data formats Easy data sharing among all division of the corporate 3- Security Issues Some of the major security issues that our non-profit organization can face are outline below: External contractor holding all licensing keys and rights Lack of suitable security policies No enhanced cryptographic modules No Backups No recording logs for users from external interaction No proper mechanism for employees to sign a statement confirming that they have read and understood the security policy of the company No facility of CCTV cameras in entry and exit points Have no suitable intrusion detection system No facility of backup snapshots Have no multiple internet providers Have no Secure File Transfer Protocol (SFTP) Have no Secure Socket Layers (SSL) No suitable and updated anti-virus and anti-spyware software There is no documented list of accounts, rights or usernames There is no network map There is no documented policy There is no content filtering All of the clients now use the wireless networks at both sites instead of the installed CAT6E Ethernet. The network has been experiencing heavy usage on the weekend. There is no documentation for any of the setup There is no firewall in existence apart from a very basic NAT at the Internet 4- Target Application This section discusses the target application identification and description of security plan. This basic purpose of this section is to describe purpose of the information security and retrenchment plan. I have outlined below the target application with description: The first target application of this security plan is to secure business data (business dealing, processes, operational aspects and revenue details) and information Another target will include implementing the regulations and rules for predictable behaviors by system administrators, users, security personnel and management It will be applied for approving and verifying security workers to check, search, and investigate It will be used to describe as well as approve the outcomes of breaches It will be used to describe the business agreement baseline stance on corporate information security It will be applied for minimizing the impact of risk It will ensure compliance with regulations and legislation This retrenchment plan is aimed to reduce the overall network management costs This security plan is aimed to offer a great deal of security for remote communication and connection to network resources This retrenchment plan is aimed to reduce the external contractor intervention to system This security plan is aimed to enhance the overall security of corporate 5- Retrenchment and Security Plan Initiatives This section will outline some of main initiatives we are taking for the potential enhancement of security and confidently of our non-profit organization. This section will outline some of the main initiatives that we will keep in mind for the sake of enhanced and improved security and retrenchment management. 5.1- Microsoft Windows Access Controls Policies One of the initial initiatives we are going to formulate is about the application of the Microsoft Windows Access Control Polices. Our organizational network is making use of Windows 2003 based Servers. The external contractor is remotely accessing and communicating with system without management permission. There is great deal of need for the application and management of the Access Control to the system. There is need for application of the Access Control Polices to restrict illegal access and intrusion to system. Such kind of illegal intrusions to corporate systems leads to a great deal of issues and problem regarding less effective security and privacy (Microsoft2, 2012; Microsoft, 2012; Campbell, 2012). In order to develop a high-quality security policy for our non-profit organization; we need to offer the basics for flourishing application of security associated projects in the future. Without a doubt the primary assessments have to be made in an attempt to diminish the risk of improper use of some of the business information resources. In this scenario, the primary step that we will take for improving our non-profit organization security will be the implementation of an exact however enforceable corporate security strategy, informing staff members on a variety of aspects of their jobs, commonly making use of business resources and illustrating how secret and sensitive data have to be managed. In fact, this security policy will as well explain exhaustively the meaning of satisfactory usage of information, and identify forbidden activities carried out over the business network. Additionally, organization is currently making use of Windows based systems to run their business hence they need a Windows based security and privacy management policy. For this purpose I have proposed the Windows Domain structure security Policy for our organization’s technology based arrangement (Microsoft2, 2012; Microsoft, 2012; Campbell, 2012). In addition, the Windows Domain structure security policy will ensure the reliable security across all the computers in a Windows domain (as well as to Windows Server 2003). Basically, the Windows Domain structure security policy in Microsoft Windows contains a wide variety of policy objects that are used to establish safety policy and settings all through Windows domain. In fact, it is a most latest and an improved version of what was available in its forerunner, Windows NT Server 4.0. Additionally, the Windows Domain structure security policy also allows us to effectively deal with the performance of the different kinds of user account’s features at nonprofit organization. In this scenario, some of the key attributes of these accounts can include lockout, password and Kerberos that is a very well-known verification process for remote access. Also, the windows domain structure security mechanism contains a set of available local-level security measures. This set of measures includes auditing and user rights however as well expanded to granular choices like that the registry, a set of system services, and the file system and event log (Campbell, 2012; Microsoft, 2012; Microsoft2, 2012). Furthermore, a Group Policy Editor is responsible for dealing with and managing the Windows Domain structure security policy that will be used for all the group strategy objects. Also, it is manageable using the "Group Policy" tab of the characteristics of the particular domain object; in the "Active Directory Users as well as systems" that is a part of "Administrative Tools." Additionally, the Windows Domain structure security plan is given with the second maximum precedence in scenario of application priority. In fact, it is proffered over as well as can overwrite local as well as site strategies however can be superseded through corporate unit policies (Campbell, 2012; Microsoft, 2012; Microsoft2, 2012). 5.2- Protecting Organizational Online Network Hacking is a process through which negative minded people break into network or computer systems, normally with the negative aims such as to change or alter present system settings. Occasionally malicious in nature, these gets-in can reason harm or disturbance to networks or computer systems. Additionally, people with malicious intention are frequently referred to as "crackers because in "cracking" into network or personal computer systems. In this scenario, various articles such as (Kent & Souppaya, 2006; Stallman, 2012; Campus Activism, 2012; Mitchell, 2012) discuss the issues related to hacking and viruses. Some of the important ideas and issues that are found in these articles are outlines below: The majority of business organizations make use of a number of kinds of network-based plus host-based safety software to identify malicious action, defend systems as well as data, and up-hold event response attempts. So, security software is a main foundation of computer safety log data. Common forms of network-based plus host-based security software are for computer security. The main ways and explanation of these ways is presented below: ­Antimalware Software: The majority of frequent outlines of antimalware software are antivirus application that normally records the entire examples of checking malware, file plus system disinfection efforts plus file quarantines. As well, antivirus software might furthermore record when malware examining was carried out plus when software updates or antivirus signature occurred. Intrusion Prevention and Intrusion Detection Systems is another most important way of ensuring computer security and privacy. Intrusion detection and intrusion prevention systems record comprehensive data and information on doubtful behavior plus check for attacks, plus some events intrusion anticipation systems carried out to prevent malicious action in progress. In addition, we can make use of a number of intrusion detection applications for our non-profit organization. These application include file reliability checking software, execute occasionally in its place of incessantly, consequently they produce log entries in batches in its place of on a continuing basis. We can also make use of Remote Access Software for our non-profit organization, this will be one main solution that is frequently aimed to approved and secured in the course of virtual private networking or VPN. Virtual private networking systems normally log effectively plus failed login attempts, in addition to the dates plus times every user linked and disconnected, along with the amount of data sent plus received in every user session. Virtual private networking systems that support effective access control, like that a lot of Secure Sockets Layer (or SSL) VPNs, can log detailed information regarding utilize of resources. ­Vulnerability Management Software is a high quality solution for the corporate network security management. Vulnerability management software, comprises patch management software plus vulnerability assessment application, normally logs the patch system history plus vulnerability status of every host, that comprises recognized vulnerabilities plus missing software updates. Authentication Servers is also one of main solution that is aimed to protect the computer security, comprising directory servers plus single sign-on servers, normally log every verification attempt, comprises its source, username, achievement or stoppage, as well as date and time. Firewalls are able to as well track the position of network traffic plus carry out content examination. Firewalls are inclined to encompass extra complex policies plus generate extra detailed logs of action than routers. 6- Tools and System for Security Management This section will outline some of the important aspects regarding application of a number of tools and systems for security management at our non-profit organization. This section will outline some preferred solutions regarding better handling of the corporate security operations management: 6.1- Cryptography Methods This section will outline our non-profit organization’s initiative for the allocation of cryptography method. For this purpose, I have carried out a lot of research and found a wide variety of techniques and tools for ensuring security and privacy of corporate data and information. For the sake of non-profit organization’s network and information management I have assessed company’s present technology based structure. In this scenario, I have found that our organization is based on Windows technology based structure. I have discovered that BitLocker is the most efficient solution for this kind of environment, for the reason that it is based on Windows operating system structure and compatible with the overall technology arrangement of the our organization (The University of Edinburgh, 2011; The University of Edinburgh, 2012). In addition, the BitLocker encryption technique is used to protect corporate network, data and information using high level encryption techniques, which are developed to ensure company’s data safety and privacy. BitLocker encompasses a variety of features such as data and information authenticity, confidentiality and non-repudiation, and the recovery of encrypted data in its real form (The University of Edinburgh, 2011; The University of Edinburgh, 2012). Moreover, BitLocker is an encryption technique that is used within Microsoft's new operating systems like Windows 7. In addition, BitLocker also offers full disk encryption (The University of Edinburgh, 2011; The University of Edinburgh, 2012). 6.2- Encryption Software In order to secure our non-profit organization’s database and network arrangement we need to think about and implement an encryption software that will offer us an encryption technique to protect the corporate sensitive data. For this purpose I have selected a very efficient application that is most appropriate for Windows based operating system. In this scenario, TrueCrypt is a free software application that makes an encrypted file on our system that allows us to access that encrypted data and information as if it was placed physically on hard disk in our system. In addition, TrueCrypt offers a great deal of security by encrypting a data file using keys that are secured through a different user defined password (The University of Edinburgh, 2011; TrueCrypt, 2012). This application of software at our non-profit organization will also facilitate us to reduce to potential cost of the corporate security management. 6.3- Firewalls A Windows based firewall is a most significant part of network that is linked to the Internet. In case of non-profit organization case the un-availability of firewall can cause a wide variety of security issues. On the other hand, the availability of a firewall constructs a bastion host; in fact many attacks can take place beside windows without the administrator’ knowledge. In addition, the majority of these security and privacy attacks are so serious that the systems will hang-up. In such cases at our non-profit organization firewall based security setup will provide effective protection and safety (Magalhaes, 2004; Danchev, 2003). 6.4- Service packs In case of our non-profit organization Windows systems service packs are systems, tools and applications that are released following the public release of a Windows product. In order to deal with possible security attacks Microsoft Corporation releases some specific service packs that need to be incorporated to ensure more enhanced security besides such attacks (Magalhaes, 2004; Danchev, 2003). 6.5- Account considerations We need to make sure that if we are using Windows and above that our system administrative account is protected. In this case for our non-profit organization we need to rename and update the account information to something normal is good practice then recreating some other system’s account name as well as offering that account all limiting rights will give some intruder a tough time if he does get right of entry to our “bait” administrative account (Magalhaes, 2004; Danchev, 2003). 6.7- Antivirus Programs For our non-profit organization technology based arrangement Antivirus systems will play a very important role for the reason that Antivirus systems are very commonly used tools for Windows operating systems. In this case these systems offer high level security against any inside or outside security attack and present an effective way for security management against possible security attacks (Magalhaes, 2004; Danchev, 2003). 6.8- Dial in access or Remote network access For our non-profit organization’s technology based arrangement limited dial in access to reliable clients will be bound the functionality of the users working from remote locations. In this scenario, we need to build and implement strategies in a way that the user’s actions can be traced. In addition, when getting access to a network distantly a VPN (virtual private network) is protected technique that can be used and trusted. Moreover, the data that moves over a virtual private network connection is a great deal less vulnerable to interception than standard PPP connections over the PSTN networks (Magalhaes, 2004; Danchev, 2003). 6.9- Strong password practices In order to protect the system against outsiders’ attacks we need to establish more effective and strong passwords. In this scenario, we need to choose less frequents names and numbers so that some outsider cannot guess them and gain access to our systems (Magalhaes, 2004; Danchev, 2003). Part B Audit Plan This part of report is a about the deep and detailed analysis of some of main areas and aspects of application of Audit Plan for our current systems of non-profit organization. Here we are aimed to ensure the security and privacy of our corporate through enhanced application of new technology based solutions. This audit plan is aimed to ensure the corporate security and privacy of corporate through application of more enhanced security management and privacy handling solutions (Magalhaes, 2004; Danchev, 2003). 7- Audit Plan Objective The major objective of application of the audit plan for our non-profit organization is to protect the corporate from external security breaches and implement and more secure and enhanced security audit plan. This audit plan basic objective is to ensure the corporate security policies application. There is also need to check and ensure the authentication of each user. There is need for conformation and recording each user details and proper logging (Magalhaes, 2004; Danchev, 2003) 8- Plan for Monitoring and Audit This section presents a plan for monitoring and audit for our non-profit organization’s access and an incident response plan for security breaches or events. In this scenario, I will present some of the important initiatives that we will adopt for the mitigation of issues regarding internal or external access: (Magalhaes, 2004; Danchev, 2003) 8.1- Data Backups For the sake of our non-profit organization’s disaster recovery and issues management we will take proper backups of database and data. It is admitted fact that in all the businesses the operational permanence should be an important element of the disaster recovery policy as well as backups will be a fraction of this policy. In this scenario, it is essential that all the data must be backed up and should be restored regularly. In addition, data backups are significant and it is very important that the network operational media is stored off-site. In view of the fact that the powerful backup media on-site will not facilitate in a circumstance where a physical disaster demolishes the website. Hence, the off-site storage space is required in circumstances that necessitate an additional level of data security (Magalhaes, 2004; Danchev, 2003). 8.2- Services installed For Windows based systems at our non-profit organization: the services run to registered processes. These services restrict the attackers who attempt to get illegal access and incorporate some vulnerability inside. In this scenario, immobilizing some idle services is high-quality practice as it leaves less for the intruders to discover exploits within. It as well places less strain on the hardware as well as necessitates less monitoring (Magalhaes, 2004; Danchev, 2003). 8.3- Install IIS on separate network segments In order to detect and deal with any breach at an early stage at our network and technology based system of non-profit organization; we need to install ISS on separate network segments. In this scenario, for Windows systems, Microsoft Corporation has released an IIS lock down tool and it is employed to lock down different recognized matters and vulnerabilities that can be there on the IIS box. Normally, the users can access IIS servers on the Internet and it makes the server mainly vulnerable. In addition, publishing an IIS server through an ISA server can ease some known vulnerabilities and will aid in adding an extra layer of protection to our IIS windows server. Moreover, the SQL servers that as well require to be accessed using the Internet should also be published through ISA (Magalhaes, 2004; Danchev, 2003). 8.4- Security Guidelines We will use two proxy servers and internet access control for our non-profit organization’s network. We will apply a network and information strategy for the organization. In addition, these initiatives will work as a disaster recovery plan for any eternal or external security based attack. Hence, the application of such security management mechanisms will offer a capability to effectively deal with security breaches and protection against any technology related disaster (Findlay, 2002; Oracle, 2010). 8.5- Lightweight Directory Access Protocol (LDAP) We are going to implement, Lightweight Directory Access Protocol at our non-profit organization’s network. Lightweight Directory Access Protocol service presents a variety of directory functionalities or services. Normally, it is used to store data and information of entities existing on a communication network; like that printers, diverse users, as well as systems, to network application design data. In this regard, all the LDAP network servers incorporate a number of structures prepared for supervision of who are authorized to revise as well as interpret the data and information in the network directory. For instance, some details in the directory may be openly understandable and accessible to all; however the majority of those details perhaps are not able to be reorganized or updated by all (Findlay, 2002; Oracle, 2010). In addition, further units of the network directory might be recognizable/ comprehensible simply by those to whom the directory manager has approved suitable access. Thus, a user needs to verify its details to network authentication service in order to access the LDAP service. Specifically, it has to inform the LDAP server that is typically contacting the data as a result those servers are able to make a decision what the user is permissible to view and carry out operations. On the other hand, if the user or client validates itself to the LDAP server, then the server gets a network request from the user, in order to make sure whether the network user is permitted to carry out the request. This procedure is recognized as security access control (Findlay, 2002; Oracle, 2010). Part C Secure Solution Plan This section will outline a plan to build a secure solution including software and hardware requirements, network diagrams and justification of solution. This section will present a number of areas and aspects regarding the application of more secure and better security management solution at our non-profit organization. 9- Security Requirements This section will outline a number of security requirements those were previously outline regarding details analysis of corporate needs and requirements for security management at our non-profit organization. Here number of such requirements those need to fulfill for enhanced corporate security management. These requirements are outlined below: Secure personal as well as business data and information Offering enhanced security for access for system administrators, users, security personnel and management Offering better database access security for business workers to check, search, as well as investigate Minimize danger of security breaches Offering international security standards for corporate information security management Ensuring minimum risk Facilitate to track fulfillment by regulations plus legislation Utilize only FIPS 140-2 certified cryptographic modules Must have an intrusion detection system Managed backup snapshots with at least two weeks retention are provided Install Secure File Transfer Protocol (SFTP) Must have Secure Socket Layers (SSL) Must have HIPAA and PCI compliance-ready configurations available Provide for server and application monitoring with immediate response Install anti-virus and anti-spyware software Increase the number of servers Install an internal firewall software 10- Security Controls In this section, I will outline number of areas and aspects regarding the application of security controls at our non-profit organizations. In this scenario, security plan will be maintained by the organization, and the System Owner for the security management applications will be corporate CEO. The main security Controls from 800-53 Rev 3 for the enhanced handling and management of corporate security for our organization’s web services. These controls are: Control from 800-53 Rev 3 (If using ISO, please refer to the specific ISO control) (SAS70Checklists, 2012; NIST, 2009) Awareness and Training Audit and Accountability Security Assessment and Authorization Contingency Planning Incident Response Planning Access Control Identification and Authentication Media Protection Personnel Security Physical and Environmental Protection System and Services Acquisition System and Information Integrity 11- Requirements and methodology for activity auditing For the sake of establishing requirements and methodology for activity auditing at our non-profit organization, we will make use of period security assessment reports. These reports will ensure the effective and enhanced handling and management of the auditing of information technology based systems usage and working. Here these reports will be complied at weekly level and will ensure the enhanced detection and management of security aspects. This will lead to a great deal of capability for the effective management and ensuring of security of corporate. 12- Network Diagram Figure 1 Network design 13- References Campbell, J. (2012). What Is the Windows 2008 Domain Security Policy? Retrieved October 14, 2012, from eHow.com: http://www.ehow.com/facts_7715614_windows-2008-domain-security-policy.html Campus Activism. (2012). What is Hacking? Retrieved October 10, 2012, from http://www.campusactivism.org/html-resource/hackers/section6.html Danchev, D. (2003). Building and Implementing a Successful Information Security Policy. Retrieved October 03, 2012, from WindowsSecurity.com: http://www.windowsecurity.com/pages/security-policy.pdf Findlay, A. (2002). Security with LDAP. Retrieved October 12, 2012, from http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html Kent, K., & Souppaya, M. (2006). Guide to Computer Security Log Management. Retrieved October 12, 2012, from NIST.Gov: http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf Magalhaes, R. M. (2004, July 23). Hardening Windows NT/2000/XP Information Systems. Retrieved October 13, 2012, from WindowsSecurity.com: http://www.windowsecurity.com/articles/Hardening_Windows_NT2000XP_Information_Systems.html Microsoft. (2012). Domain Security Policy. Retrieved October 14, 2012, from http://technet.microsoft.com/en-us/library/dd277396.aspx Microsoft2. (2012). Domain Security Policy in Windows 2000. Retrieved October 14, 2012, from http://support.microsoft.com/kb/221930 Mitchell, B. (2012). What is a Hacker? Retrieved October 12, 2012, from About.com: http://compnetworking.about.com/od/networksecurityprivacy/f/what-is-hacking.htm Mscpaonline. (2010). Sample Written Information Security Plan. Retrieved October 12, 2011, from http://www.mscpaonline.org/pdf/wisp.pdf NIST. (2009). Recommended Security Controls for Federal Information Systems and Organizations. Retrieved October 12, 2012, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf Oracle. (2010). Security. Retrieved October 12, 2012, from http://docs.oracle.com/javase/jndi/tutorial/ldap/security/index.html SAS70Checklists. (2012). Information Security Plan Template. Retrieved October 10, 2012, from http://www.sas70checklists.com/information-security-plan-template Stallman, R. (2012). On Hacking. Retrieved October 10, 2012, from http://stallman.org/articles/on-hacking.html The University of Edinburgh. (2012). Configure the BIOS (Basic Input Output System). Retrieved October 12, 2012, from http://www.ed.ac.uk/schools-departments/information-services/services/computing/desktop-personal/security/encryption/windows/bitlocker-encryption The University of Edinburgh. (2011, July 08). Encryption in Windows. Retrieved October 12, 2012, from http://www.ed.ac.uk/schools-departments/information-services/services/computing/desktop-personal/security/encryption/windows TrueCrypt. (2012, June 17). F r e q u e n t l y A s k e d Q u e s t i o n s. Retrieved October 13, 2012, from http://www.truecrypt.org/faq Read More