Data and Network Security - Essay Example

DATA AND NETWORK SECURITY ANALYSIS OF PROBLEM SCENARIO The company known as 'Enterprise Training Solutions' is involved in the primary activity of providing training services and is based in Leeds, England as well as in Edinburgh, Scotland. At present, the total workforce of the company at Leeds totals to around 400 personnel, who are involved in activities ranging from Administration and Sales to Training. In addition, the company's office at Leeds has around 20 networked computers that provide training to its customers. Incidentally, the company's web, email and database servers are located in the Leeds office. The Edinburgh office of the company currently employs 20 staff who are involved in Administration, training and sales staff. As far as the location of the company's office is concerned, 'enterprise Training solutions' offices are located in 4 adjacent rooms situated on the ground floor of a 4 storied building. In addition, the company also maintains a single office room in the first floor of the building. Under the existing situation, anyone is allowed access up to the reception area through a shared entrance. This point signifies the fact that there are no notable security measures at least for the ground floor. The fact that a large share of 'Enterprise training solutions' offices are located on the ground floor adds to the threat of a potential security breach. Of course, anyone who goes past beyond the reception area has to enter his/her details in a register, but past incidents have gone on to show that such measures have done little to stop any illegal access of assets of notable importance. Another interesting aspect that comes to light under the study of the existing scenario is that all employees are required only to carry ID cards, but even these can be forged with ease and used for unscrupulous purposes. Presently, the offices of Enterprise training solutions are accessible through the use of keypad system. Though such an approach has been known to prove effective in most situations, there are much better technologies in use today. The fact that the building is locked and alarmed during non-working hours is also evidence to the fact that the current security set up in the building under consideration can be regarded as obsolete in comparison to the security features that are in use today by almost all companies and businesses. It has also been mentioned that the changes to the passwords under the keypad system are notified by email, which is a very unsafe method of communicating passwords given the existing proficiency and skill of today's online hackers. As all wireless accesses to the company's data and resources are limited to within the hospitality suite, the security threat as far as this aspect is considered can be regarded to be minimal as any accesses through the wireless access point would always take place under the supervision of the network manager. In terms of future requirements, the company intends to provide access of all data, records, databases etc. to its sales staff in the near future thru a VPN (Virtual private network). Therefore, any possible solution towards suggesting the revamp of the existing network of the company has to take this future requirement into consideration under all circumstances. The answers to the questioned posed have been explained below: 1) USING VPN The general medium of communication between the office's servers and end users (Staff) through a VPN is as shown below: Fig: Remote access VPN through IPsec. A virtual private network or a VPN as it is known for short operates on an Internet backbone, wherein communication between registered entities (which belong to the VPN) are connected via a secure communication medium that is shielded from all forms of outside interference. As far as the proposed solution for Enterprise solutions is concerned, under VPN terminology, such a VPN framework is referred to as a Remote access VPN that allows mobile users such as sales staff who are constantly on the move to connect to the company's VPN through a secure medium for gaining access to the necessary data that pertains to the company. The first and foremost advantage of resorting to enabling remote data access is that it reduces the installation costs by a large margin owing to the elimination of physical cabling and connectors. The major threats that need to be dealt with as part of the wireless policy are listed below: Eavesdropping. Interception. Data manipulation. Unauthorized access. Denial of Service. To prevent all such attacks form taking place, the possible solutions are discussed below: Physical security: as a VPN operates over the Internet, physical interference is restricted to the communication medium alone, most of which is the responsibility of the Internet Service Provider (ISP). Therefore, physical threats have the least significance as far as the VPN is concerned. Confidentiality: the information that is transmitted through the wireless access points needs to be shielded from outside entities and this calls for the adoption of privacy features. For this, various security mechanisms are provided. Some of them are listed below. SSL: Secure socket Layer. Implemented by OpenVPN, which is an open source technology and can be used free of cost for any type of purpose. PPTP: Peer-to-peer tunneling protocol. Provides a stable tunneled communication medium that ensures secure communication. This has also been provided as part of the OpenVPN. L2TP: Layer 2 tunneling protocol. This was developed jointly by Microsoft and Cisco and has been implemented for similar purposes. Therefore, it can be seen that companies and ISPs alike are provided with an array of security products to choose from and the fact that many of them are available under the open source license adds to the advantage of the company in terms of its cost cutting strategies. Allow only registered users: every device comes with a 6-byte hexadecimal MAC address that is unique for every machine. The network authentication mechanism can take this fact into consideration and use it to instruct the network to accept connection request from only those machines whose MAC addresses have been authorized on earlier instances for network access. In addition to this, one can use the services of a firewall that prevent unauthorized users from knowing the parameters of the wireless network such as the IP address of the access point or router etc. in addition, a firewall prevents any intruder from gaining access into the internal network (within the office) of the company's VPN backbone by filtering out all unauthorized packets. The advantages of using a VPN are as follows Allows users to connect to a system regardless of their geographical location. The presence of proven security features makes it a truly secure medium of communication. Allows users to access the network resources and data regardless of their location and even allows them to access via numerous routes such as laptops, PDAs etc. Handles scalability issues with relative ease and simplifies the addition of new members into the network, which additionally reduces the effort that needs to be put into maintenance of the same. Transfers the burden of maintaining the network backbone to the ISP, thereby allowing the company to cut down on the operating cost of the network. The advent of broadband technologies has allowed companies to deal with large volumes of data and amplified speeds. Allows for the network administrator to handle the job of maintaining the network with relative ease as it helps bring down the relative complexity of the network. Allows sales professionals to present important data to the clients by accessing them directly from the company's resources at an instantaneous pace. Therefore, it can be seen that the use of a virtual private network helps provide significant support to a company's networking needs and helps them to improve their efficiency along with helping them cut down both burden as also costs. 2) ENCRYPTION One of the first problems arises with the work of the sales personnel is that all such employees would always be constantly on the move and providing them access to the company's data that is stored in the office premises (in the form of online databases) would have to be provided over a secure data transmission framework. One of the best mechanisms that enable the provision of such security measures is the SSL (Secure socket Layer) framework that enables two entities spread across a network to communicate with one another without having to worry about any possible interception or eavesdropping as all data in transit is encrypted (John Viega, Matt Messier & Pravir Chandra, 2002 & Wikipedia, 2006). The processes involved in outlining the various risks under the given situation are as detailed below: Identification of the various entities that may be potential threats to the company's data. This includes competitors, hackers, pranksters etc. Prioritizing the various risks identified by assigning values to various parameters of the associated risk such as the cost and time involved in the risk prevention and identification, impact, domains likely to be affected, personnel required to identify and eliminate the risk etc. Developing a RMMM plan and proceeding according to it. (RMMM-Risk mitigation, Monitoring & Management-Pressman (2006)). As far as the access to data is concerned, it is a hard to truth that data theft is rampant in the present day and therefore, companies have had to lay special emphasis on preventing any form of data from falling into wrong hands. The confidentiality of the customer details that are stored in the company's database servers further strengthen the need for a concrete mechanism to be installed in place in order to prevent any data from slipping out of hands. For this two issues need to be addressed. The first is to avoid the interception of data in transit between the office and the outside world. The second is to prevent the physical access of data by unauthorized means (to prevent employees from gaining access to the data in the servers). For this, the simple solution is two fold. Firstly, as has been mentioned in a previous section, the migration to the Secure Socket layer framework (SSL) would ensure that all communication sessions are encrypted (Bruce Schneier, 2005). The extensive use of OpenSSL (open source implementation of the SSL framework) makes this a cost effective method (in fact, its free) (OpenSSL, 2006). Moreover, it is proposed to install additional software that will automatically maintain a log of all the data that is either transmitted/received or manipulated (i.e. various operations such as storing and deleting or changing records). This allows the company to keep track of all the data operations and prevent any unwanted access from occurring (William Stallings, 2002). 3) PHYSICAL SECURITY Though the companies is feeling the necessity of revamping the existing network and allow its sales personnel to access the company's servers, the real problem is that the security apparatus that is in place currently at the company's offices in Leeds and Edinburgh. It may as well sound right to say that the building which plays host to these offices are not up to mark in comparison to the either the security standards maintained above or the security devices that are in use today. Therefore, one needs to be able to provide a solution to all the deficiencies and shortcomings in the security apparatus of ETS most of which have already been identified in the previous section. The fact that 'Enterprise Training Solutions' offices are located on the ground floor makes it even more vulnerable to outside individuals. The present scenario that allows anyone to enter until the reception through a shared entrance are to be modified by ensuring that the route from the shared entrance to the reception is constantly under camera surveillance and that there are no entrances to other parts of the building within this area. This ensures that no one would be able to proceed without being noticed and anyone who enters would have no option but to proceed towards the reception. Another addition to the security framework at the reception (ground floor) could be to issue passes to visitors (some of whom will be the company's customers) (after they have provided requisite proof of identification). This will ensure that only genuine visitors can be allowed into any offices present in the building let alone Enterprise Training Solutions. But, there have also been numerous instances wherein employees have been impersonated by unscrupulous elements who have gained authorized entry into the company's premises thereafter (the company under study is not being referred here, but is more of a general case) through ID cards etc which can be forged easily. Therefore, one of the first steps that can be undertaken in this regard would be to do away with the ID cards and instead install security systems that are today referred to popularly as biometrics. Under this, the company may install a security and authentication system wherein employees would be required to authenticate themselves at appropriate points within the office by using their fingerprints or iris (eyes). The biometrics approach has proved to be a major advantage over the conventional identification systems as the authentication parameters that are used under it (fingerprints and the iris) cannot be duplicated by at least a million times. The establishment of the biometrics solution will eliminate the requirement on the part of the network administrator to rely on the creation and maintenance of passwords and removes the need for him/her to communicate the same over emails, which happen to be potential hunting grounds for hackers and eavesdroppers. The medium of authentication will remain constant, will remain unchanged and yet prove extremely effective. Further, it is advisable to install a camera surveillance system that can be monitored on a round the clock basis. This will ensure that any form of intrusion into the building can be quickly identified and notified to the concerned authorities (basically by the surveillance personnel who can send an alarm to the nearest police station at the press of a button). As has been mentioned before, the access to the building has to be converted into a regulated affair and moreover, it has to be converted into something that can allow for the creation of different access options to various categories of users. Basically, there would be three classes of people who would need to be considered while proposing the required access control options (this is with respect to ETS solutions in the present context): Employees of ETS Recruitment solutions. Employees who maintain the building (such as the receptionist, plumbers and electricians, security staff etc.). Visitors from outside. As far as the security issue of ETS is considered, all these classes of employees need to be considered for any upgradation of the security apparatus. For access to the building (in its entirety), it is proposed that only employees be allowed into the offices of the company through appropriate authentication. For this purpose, it is stressed that one must consider the biometrics option as the most suitable alternative in comparison to the existing one in place. An addition to this could also be the inclusion of voice recognition systems that allow access to anyone upon successful comparison of a person's voice with the existing samples that are stored in a database. In this aspect, one can argue that any one can easily mimic the voice of a different person, but such software that handle the task of voice recognition have been known to study the unseen features of human voice and are therefore, immune to any such form of malpractices. As far as the employees who are employed by the building are concerned (these are the employees who do not belong to ETS), the best option is to ensure that they are denied access to the company's offices at all times unless and until the need be. In such an instance, all the activities of these 'outside' employees must be performed under surveillance (or at least in the presence of a trusted employee of the company). Moreover, such security systems must also ensure that any form of unauthorized attempts do not go unnoticed. Instead, automated security features must be installed in these systems wherein such attempts are reported immediately to the concerned authority so that appropriate action can be taken at the earliest. As far as outside visitors are concerned, with the suggestions made in the preceding section in place, the chance of unauthorized intrusion would be minimized to a large extent. But again, it is advised that the company must additionally adopt further security measures for such visitors (usually clients). The best possible solution in this regard would be to issue temporary authentication to visitors and restrict any such form of accesses to the conference and rest rooms alone. Again, all the activity would have to be monitored round the clock. REFERENCES 1. Bruce Schneier (2005), Applied Cryptography. London: McGraw Hill. 2. William Stallings (2002), Cryptography and Network Security. New York: Prentice Hall. 3. John Viega, Matt Messier & Pravir Chandra (2002), Network Security with OpenSSL. London: O'Reilly. 4. Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg (2004), Network Security: the complete reference. California: McGraw Hill. 5. OpenSSL (2006), about OpenSSL. Found at: www.openSSL.org. 6. Wikipedia (2006), Information on SSL. Found at: www.wikipedia.org. 7. Pressman (2006), Software engineering. New York: McGraw Hill. 8. OpenVPN (2006), Information on VPN technologies under the VPN domain. Found at: http://openvpn.net/ Read More