StudyDaddy Computer Science network Security

network Security

Case%1%Network%Design%Abstract%%The%company%in%this%case%is%a%small%consulting%firm%whose%specialty%is%providing%their%customers%with%Microsoft%Windows%and%Citrix%networked%business%solutions.%%They%believed%their%internal%servers%are%secure%due%to%their%diligence%in%keeping%the%Operating%Systems%up%to%date%with%the%latest%service%packs,%hotfixes%and%patches.%Virus%signatures%and%scanning%software%is%also%kept%current.%Your%security%company%has%been%given%the%task%of%evaluating%the%security%of%the%network%perimeter%and%to%make%recommendations%for%securing%our%network%perimeter%and%Internet%connection.%%Examination%of%the%perimeter%infrastructure%showed%the%network%to%be%virtually%defenseless.%There%is%no%Firewall%installed%and%very%little%filtering%of%inbound%or%outbound%Internet%traffic%on%either%the%router%at%the%corporate%office%or%the%router%at%the%branch%office.%The%Linux,%Help%Desk,%Mail%server%and%the%two%Active%Directory%servers%had%direct%network%links%to%both%the%internal%network%and%the%Internet%making%them%prime%targets%for%intruders.%Your%proposal%is%to%completely%redesign%the%network%perimeter%to%provide%a%layered%Defense%in%Depth.%%%Current%Network%design%%%The%original%perimeter%network%design%included%two%Cisco%routers%and%five%publicly%addressed%servers,%four%of%which%were%Windows%based%and%the%fifth,%RedHat%Linux.%As%stated,%the%network%did%not%have%a%Firewall%device%and%the%perimeter%routers%performed%extremely%limited%inbound%packet%filtering.%The%corporate%router%is%configured%with%a%serial%interface%for%connection%to%the%Internet,%an%Ethernet%interface%for%the%public%network,%and%an%Ethernet%interface%for%the%internal%(private)%network.%The%branch%office%router%had%a%serial%interface%to%the%Internet%and%an%Ethernet%interface%to%their%internal%network%(diagram%1).%%%The%branch%and%corporate%routers%were%connected%by%VPN%tunnel%over%the%Internet.%The%various%network%devices%at%the%corporate%office,%both%internal%and%external,%were%connected%via%three%cascaded%switches.%Each%of%the%external%(public)%servers%had%a%direct%link%to%the%internal%network%and%represented%a%significant%danger%if%they%were%compromised.%The%branch%office%network%consisted%of%four%PCs%on%a%hub%connected%to%the%router.%A%brief%description%of%each%network%device%follows.%%%% %%Routers%%%Corporate%Router%%%The%Cisco%router%at%the%corporate%office%provided%Network%Address%Translation%(NAT)%for%outbound%Internet%connections.%The%five%public%servers%were%assigned%static%NAT%addresses.%All%other%traffic%is%given%the%public%address%of%the%serial%interface%by%the%NAT%“overload”%feature%of%the%Cisco%Internetwork%Operating%System%(IOS).%The%router%also%acted%as%one%end%of%a%pointRtoRpoint%VPN%tunnel%to%the%branch%office%router.%This%provided%secure%access%to%the%corporate%Microsoft%Active%Directory%servers%and%other%network%resources.%The%serial%interface%had%an%inbound%access%list%to%block%port%1433%(SQL%Server)%traffic%to%a%single%internal%server.%All%other%traffic,%inbound%and%outbound%is%permitted.%%Branch%Office%Router%%%The%Branch%office%router%is%configured%to%provide%NAT%for%outgoing%Internet%traffic,%in%addition%to%a%VPN%tunnel%to%the%corporate%router.%An%inbound%access%list%is%applied%to%the%serial%interface%making%it%somewhat%more%secure.%The%access%list%is%designed%to%block%packets%with%spoofed%private%network%addresses.%No%other%security%measures%were%in%place.%%Public%Servers%%Help%Desk%Server.%% %This%is%a%Windows%2003%server%providing%web%based%Help%Desk%services%to%clients%and%staff.%It%runs%Microsoft%Internet%Information%Server%(IIS)%and%Microsoft%SQL%to%support%the%Help%Desk%application.%There%were%two%network%interfaces%installed,%one%connected%to%the%public%network,%the%other%connected%to%the%private%network.%The%patch%levels%and%virus%signatures%on%this%server%were%kept%up%to%date.%%Mail%Server%%%The%second%server%is%also%Windows%2003%based.%It%acts%as%a%mail%server%using%Microsoft%Exchange%and%provides%file%and%print%services%to%the%internal%network%through%a%second%network%interface.%Mail%sent%to%this%server%is%forwarded%to%the%internal%Exchange%mail%server,%storing%it%if%the%internal%server%is%unavailable.%This%server%also%acted%as%a%public%NFuse%front%end%to%the%internal%Citrix%server.%%Linux%Server%%%The%Linux%server%runs%the%Redhat%9.2%operating%system%and%Apache%web%server%software.%This%server%has%a%total%of%five%network%interfaces.%One%public,%one%private,%and%three%others%used%to%provide%routing%and%Internet%gateway%services%to%other%companies%in%our%building%for%a%monthly%fee.%There%is%a%minimal%host%firewall%in%place,%allowing%the%three%companies%to%access%the%Internet,%but%preventing%them%from%accessing%the%other%networks%in%the%building.%All%Internet%traffic%inbound%or%outbound%is%permitted%to%their%networks%with%no%additional%filtering.%Our%service%agreement%with%these%clients%does%not%require%us%to%provide%any%additional%type%of%security%services.%The%Linux%machine%also%acts%as%a%web%server%providing%portal%access%to%our%internal%servers.%Clients%and%staff%can%access%each%portal%service%by%providing%their%name%and%password.%Credentials%are%passed%to%the%internal%Active%Directory%server%for%validation%using%LDAP.%%%Active%Directory%Servers%%%The%Primary%and%Secondary%Active%Directory%Servers%had%two%interfaces%each,%one%connected%to%the%internal%network%and%the%other%to%the%Internet.%The%reason%for%the%dual%attachment%is%to%provide%Active%Directory%services%to%the%PCs%in%the%branch%office%over%the%VPN.%Without%the%internal%interface,%the%branch%office%is%unable%to%browse%the%corporate%network.%%Vulnerability%Assessment%%The%network%does%not%have%a%Firewall%installed%for%protection%against%outside%probes%or%attacks.%This%is%a%critical%weakness%because%even%the%most%well%patched,%up%to%date%operating%system%is%vulnerable%to%a%determined%attack.%The%same%is%true%of%web%services%and%other%applications.%Compromised%resources%on%our%network%could%be%used%to% unknowingly%participate%in%a%Distributed%Denial%of%Service%(DDOS)%attack%launched%against%another%network.%%There%is%insufficient%filtering%on%the%routers.%As%with%the%lack%of%firewall,%this%leaves%the%network%wide%open%to%attack%and%exploitation.%%%Logs%are%not%kept%of%the%types%or%frequency%of%Internet%traffic.%Without%logs%there%is%no%way%to%determine%if%the%network%is%being%probed%or%attacked.%%Each%of%the%public%servers%also%had%links%to%the%company’s%internal%network.%If%any%of%these%machines%were%compromised,%they%could%act%as%gateways%to%the%rest%of%the%company’s%data%and%servers.%%The%Linux%server%is%built%and%is%maintained%by%one%of%the%consulting%engineers.%Patches,%bugfixes%and%other%administrative%tasks%were%performed%whenever%his%schedule%allowed.%There%is%no%one%else%in%the%company%familiar%enough%with%Linux%to%assume%this%responsibility.%%There%are%no%written%policies%concerning%the%frequency%or%responsibility%for%maintaining%the%security%levels%of%hardware%and%software.%%

Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!