Project Network Design
Project Network Design
The best network design to ensure the security of Corporation Techs internal access while retaining public Web site availability consists of several layers of defense in order to protect the corporation’s data and provide accessibility to employees and the public. The private-public network edge is considered particularly vulnerable to intrusions, because the Internet is a publicly accessible network and falls under the management purview of multiple network operators. For these reasons, the Internet is considered an untrusted network. So are wireless LANs, which-without the proper security measures in place-can be hijacked from outside the corporation when radio signals penetrate interior walls and spill outdoors. The network infrastructure is the first line of defense between the Internet and public facing web servers. Firewalls provide the first line of defense in network security infrastructures. They accomplish this by comparing corporate policies about users’ network access rights to the connection information surrounding each access attempt.
User policies and connection information must match up, or the firewall does not grant access to network resources; this helps avert break-ins. Network firewalls keep communications between internal network segments in check so that internal employees cannot access network and data resources that corporate policy dictates are off-limits to them. By partitioning the corporate intranet with firewalls, departments within an organization are offered additional defenses against threats originating from other departments. In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well. Security is the heart of internetworking.
The world has moved from an Internet of implicit trust to an Internet of pervasive distrust. In network security, no packet can be trusted; all packets must earn that trust through a network device’s ability to inspect and enforce policy. Clear text (unencrypted data) services represent a great weakness in networks. Clear text services transmit all information or packets, including user names and passwords, in unencrypted format. Services such as file transfer protocol (FTP), email, telnet and basic HTTP authentication all transmit communications in clear text. A hacker with a sniffer could easily capture user names and passwords from the network without anyone’s knowledge and gain administrator access to the system. Clear text services should be avoided; instead secure services that encrypt communications, such as Secure Shell (SSH) and Secure Socket Layer (SSL), should be used.
The use of routers and switches will allow for network segmentation and help defend against sniffing Corporation Tech may want to have their own web or email server that is accessible to Internet users without having to go to the expense and complexity of building a DMZ or other network for the sole purpose of hosting these services. At the same time they may want to host their own server instead of outsourcing to an ISP (Internet Service Provider) or hosting company. Corporation Tech can use NAT (Network Address Translation) to direct inbound traffic that matches pre-defined protocols to a specific server on the internal or private LAN. This would allow Corporation Tech to have a single fixed public IP address to the Internet and use private IP addresses for the web and email server on the LAN.
Network Diagram and Vulnerabilities
Network infrastructure using Class C network address 192.168.1.0. The Main Servers using Virtual Machine software was configured with a static IP address of 192.168.50.1. This server controls DHCP, DNS and Active Directory. The Web Server is located outside the network in the DMZ. Internal network is configured on separate VLAN’s to separate department traffic and manage data access. Cisco Internal firewall was installed and configured to manage the internal network on the LAN. The Cisco firewall 2 implemented to manage remote traffic entering the LAN.
This provides layered security to the network. Several ports have been identified as vulnerabilities in the Corporation Techs network that allowed information to be transferred via clear text and as such they have been closed. Additional ports that could be used for gaming, streaming and Peer to Peer have been blocked or closed to reduce unauthorized access to the network. All ports known to be used for malicious purposes have been closed as a matter of best practices. All standard ports that do not have specific applications requiring access have been closed. The ports listed below are standard ports that have been blocked to minimize unauthorized packet transfer of clear text:
Port 21 – FTP
Port 23 -Telnet
Port 110 – POP3
Port 80 – Basic HTTP
Develop a baseline
Close all unused Ports
Redirect traffic to secure ports example HTTPS (443) or higher Configure Firewall to allow or deny secure traffic
Install IDS and IPS
Review monitor logs on the network and compare to baseline for any intrusions Policies
Develop and Implement network Acceptable User policy (AUP) which must be signed before using the network Assign Permissions and Rights
Password Policy must be in place on all devices and enforce
End Users must be trained about the different threats faced on the network Back Up must be done weekly and notify users
Maintain Bandwidth speed and monitor peak hours
Network Security realignment done using Class C network address 192.168.1.0.
The Servers was configured on network address 192.168.1.216 static and 192.168.1.218 for simplicity. DHCP, DNS and Active Directory were install and configured on one of the server. The second server was use for the Application. Both PC’s were also configured on the same network address 192.168.1.0 for easy management on the switch. The switch was configured with 192.168.1.200 static IP address. Router network address was changed to avoid conflicting addresses and easy management. Cisco Internal firewall 1 was installed and configured to manage the internal network on the LAN. The Cisco firewall 2 implemented to manage remote traffic entering the LAN. This provides layered security to the network.
Cisco. (n.d.). (Cicso) Retrieved 10 26, 2014, from Cisco ASA 5500-X Series Next-Generation Firewalls: http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html HP Support document – HP Support Center. (n.d.). Retrieved October 10, 2014, from http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=412144&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c02480766-2%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken HP Support document – HP Support Center. (n.d.). Retrieved October 10, 2014, from http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay?docId=bps53634&ac.admitted=1413144875821.876444892.199480143 Network Access Control. (n.d.). Retrieved 10 26, 2014, from Wikipedia: http://en.wikipedia.org/wiki/Network_Access_Control Pascucci, M. (2013, August 06). Security Management at the Speed of Business. Retrieved October 25, 2014, from algosec.com: http://blog.algosec.com/2013/08/the-ideal-network-security-perimeter-design-part-1-of-3.html Vaughan-Nichols, S. (2013, January 30). How to fix the UPnP security holes | ZDNet. Retrieved from http://www.zdnet.com/how-to-fix-the-upnp-security-holes-7000010584/ Wodrich, M. (2009, November 10). Vulnerability in Web Services on Devices (WSD) API – Security Research & Defense – Site Home – TechNet Blogs. Retrieved from http://blogs.technet.com/b/srd/archive/2009/11/10/vulnerability-in-web-services-on-devices-wsd-api.aspx