1. Network Recommendations
1.1 Perimeter Firewall
Perimeter firewalls are required by NewCo in order to block unauthorised access to their network. PC and network passwords are not sufficient protection against threats from the internet. A firewall provides protection by restricting network access with rules that allow only certain traffic to pass into the network. Typically this is achieved by blocking ports and restricting open ports to specific devices.
The term perimeter in this instance refers to a firewall that resides on the outside of the network, rather than personal firewall software. The perimeter firewall will receive all inbound network traffic and behave accordingly.
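The rule-based filtering described above, as an added example that is not part of the original report: a default-deny ruleset in which each open port is tied to one specific device, plus an audit helper that flags rules opened more widely than that. The `Rule` type, the function names and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network or single device, CIDR
    port: Optional[int]    # destination port; None means every port

# Constructed ruleset using documentation address ranges, not NewCo's real addressing.
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 443),       # HTTPS, web server only
    Rule("allow", "198.51.100.0/24", "192.0.2.20/32", 22),  # SSH, remote office to one host
]

def decide(src_ip, dst_ip, port, rules=RULES):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"

def broad_rules(rules):
    """Audit helper: allow rules that open every port or reach more than one device."""
    return [r for r in rules if r.action == "allow"
            and (r.port is None or ipaddress.ip_network(r.dst).num_addresses > 1)]
```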
1.2 Host based Firewall
Host based firewalls are used in conjunction with a perimeter firewall because a perimeter firewall will not offer protection against malicious mobile code, such as worms and viruses that can make it into the internal network. Equally, perimeter firewalls do not protect against threats from inside NewCo’s local area network.
The term host based firewall refers to firewall software installed on each client machine, which offers several additional advantages over a standalone perimeter firewall:
Protection against perimeter firewall failure
Protection from internal threats
Protection over specific applications and services
Protection against the perimeter firewall being configured wrongly
A disadvantage of host based firewalls is the specific configuration needed on each machine if NewCo wishes to configure network rights for each application.
1.3 Intrusion detection systems
Intrusion detection (ID) systems are used to monitor and gather information about areas of the network to identify possible security breaches. The security breaches can be intrusions from outside the network or misuse from within NewCo. The inclusion of ID will enable NewCo to monitor and analyse system activities, configurations and vulnerabilities.
Without an ID system NewCo will be at risk from even novice hackers, as hacking methods that have proven successful in the past are freely available on the web. An ID system monitors these risks with system and file integrity checks, the ability to recognise patterns typical of attacks and the tracking of user policy violations.
1.4 Virtual Private Networks
A virtual private network is a network technology that enables the communication between computers over a public network, typically the internet.
NewCo have specified that they wish for mobile users and external offices to connect to their network. In order to achieve this securely an encrypted virtual private network will be suggested. This will enable remote users to connect from any location with internet access.
The two types of VPN available to NewCo are Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL). Both these technologies will enable remote users to access network resources.
An IPSec VPN will enable the remote users to access the entire network by encrypting the data travelling between the router or firewall and the client’s laptop or smart phone. This approach gives the impression that the client is working from inside the network, with native access to all applications.
An SSL VPN will allow NewCo remote users to securely access only specific applications and services via a web browser. This would be beneficial to NewCo if they ever wished to change the way suppliers connect to the network. Currently, suppliers are required to connect via the engineering department. An SSL VPN would mean this requirement could be removed, as the suppliers could have a limited view of the entire network once connected to the VPN.
1.5 Encrypted networking
Networking encryption is a security process that uses cryptographic services at the network transfer layer. The layer belongs to the open systems interconnection reference model and resides between the data link layer and the application layer. The network transfer layer is responsible for the connection between the two end points and is invisible to the end user. The encryption takes place only while the data is in transit between the two end points; once the data arrives it is viewed as plaintext.
As mentioned previously, this type of encryption is implemented through Internet Protocol Security (IPSec), which is used to create a framework for private communication over IP networks.
Alternatively, NewCo could benefit from layer 2 encryption, performed at the data link layer. If NewCo were to choose this option they would see improved latency and far less CPU utilisation when compared to using the IPSec protocol. Layer 2 encryption is achieved by encrypting the entire data line, not just the packets. This type of encryption also offers client independence because the client systems do not need special software or hardware to manage the routes.
I would suggest that NewCo use layer 2 encryption for all static routes, due to hardware requirements, and layer 3 for mobile connections to the network, because a VPN has already been proposed and no special encryption hardware is required.
Anti-virus software is a program that will detect, prevent and remove malicious software, i.e. viruses and worms. NewCo’s Windows based client machines will come with Microsoft Security Essentials, but it is also possible to purchase third party anti-virus software.
The anti-virus software itself will search the client’s storage devices for malicious behaviour; once located, the file will be removed or quarantined. The viruses are identified by comparing their behavioural patterns and signatures against a database of known threats. It is important to update the database frequently as new patterns are discovered daily.
That addressed, I wouldn’t recommend a host based anti-virus approach. My reasoning behind this is the lack of an IT department at NewCo; the responsibility of keeping each client machine up to date is far too risky.
A better choice for NewCo is application whitelisting, which involves creating a list of known good programs. It is highly likely that NewCo will need to update the whitelist in the future, but this will happen less frequently than the need to update the virus definition database.
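How a list of known good programs makes its decision, as an added example that is not part of the original report: programs are approved by SHA-256 content hash, so an unknown file is refused by default and an approved file that changes on disk is refused until the list is updated. The function names and the stand-in "programs" written to a temporary directory are constructed for illustration; the sketch models the decision only, not operating system enforcement.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    """Hash file contents in chunks so large executables need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def approve(allowlist, path):
    """Add a program to the list by content hash, not by name or location."""
    allowlist.add(sha256_file(path))

def may_run(allowlist, path):
    """Default deny: only files whose hash is on the list may execute."""
    return sha256_file(path) in allowlist

def demo():
    """Apply the policy to constructed stand-in files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        app, copy, other = (os.path.join(d, n)
                            for n in ("payroll.exe", "renamed.exe", "unknown.exe"))
        with open(app, "wb") as f:
            f.write(b"payroll build 1.0")
        with open(other, "wb") as f:
            f.write(b"never reviewed")
        allowlist = set()
        approve(allowlist, app)
        shutil.copy(app, copy)
        results["approved"] = may_run(allowlist, app)          # True
        results["renamed copy"] = may_run(allowlist, copy)     # True: same bytes
        results["unknown"] = may_run(allowlist, other)         # False
        with open(app, "wb") as f:                             # update or tampering
            f.write(b"payroll build 1.1")
        results["changed on disk"] = may_run(allowlist, app)   # False until re-approved
        approve(allowlist, app)
        results["re-approved"] = may_run(allowlist, app)       # True
    return results
```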
At this point I would also like to suggest that NewCo consider employing an IT team.
1.7 Encryption based authentication
Authentication is a security process used to determine whether a user or hardware is what it says it is. When a user on the network attempts to access the network resources and authentication is required, either a username and password or a request for an encrypted security token is sent and received. The latter is more sophisticated and can be known as a Kerberos system.
The Kerberos system works by a user requesting a session key from the authentication server. This key is a ticket used for granting yet another key from a ticket granting server (they can be the same server). Once the ticket has either been rejected or accepted the service is either granted or declined. The session ticket is time stamped, so all future requests for services can be granted using the same key.
The authentication server is an application that deals with all authentication requests on that network and can be a dedicated computer, switch, router or a dedicated network authentication server.
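A compact model of the ticket exchange described above, added here as an illustration and not taken from the report or from any Kerberos implementation. The `seal`/`unseal` toy cipher, the key table and every name are assumptions standing in for the real Kerberos encryption types and message formats, and replay protection is not modelled.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for Kerberos's real ciphers (illustration only)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed long-term keys: the KDC shares one with each user and each server.
KEYS = {name: os.urandom(32) for name in ("alice", "tgs", "fileserver")}

def issue(ticket_key, reply_key, user, now, lifetime=300):
    """Shared by both servers: mint a session key, seal one copy in a time-stamped
    ticket for the next server and one copy in a reply only the client can open."""
    session = os.urandom(32).hex()
    ticket = seal(ticket_key, {"user": user, "session": session, "expires": now + lifetime})
    return seal(reply_key, {"session": session}), ticket

def as_exchange(user, now):                          # authentication server
    return issue(KEYS["tgs"], KEYS[user], user, now)

def tgs_exchange(tgt, authenticator, service, now):  # ticket granting server
    t = unseal(KEYS["tgs"], tgt)
    session = bytes.fromhex(t["session"])
    if now > t["expires"] or unseal(session, authenticator)["user"] != t["user"]:
        raise PermissionError("ticket expired or presented by someone else")
    return issue(KEYS[service], session, t["user"], now)

def service_accepts(service, ticket, authenticator, now):
    t = unseal(KEYS[service], ticket)
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    return now <= t["expires"] and a["user"] == t["user"]

def login_and_access(user, user_key, service, now):
    """Client side: the long-term key is used once, locally, and never sent."""
    reply, tgt = as_exchange(user, now)
    k1 = bytes.fromhex(unseal(user_key, reply)["session"])
    reply2, ticket = tgs_exchange(tgt, seal(k1, {"user": user, "time": now}), service, now)
    return ticket, bytes.fromhex(unseal(k1, reply2)["session"])
```

The service ticket stays valid until its `expires` time, so the client can reuse it for later requests to the same service without going back to either server.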
Encryption and authentication can be used at NewCo to help ensure their data remains safe and secure by intertwining the two technologies during a communication session.
Without this technology it is possible for NewCo’s clear text protocols, that is, FTP, Telnet, SMTP, HTTP, IMAP and SNMP, to be monitored by unauthorised users.
This can only occur from within the network, but a compromised computer could broadcast this information. An example of the type of information that can be gathered via clear text monitoring is usernames, passwords and emails.
Additionally, this information is gathered passively, making it very difficult for security software and hardware to notice. Encrypting IP traffic can help prevent the results gathered via passive monitoring being of any use.
1.8 Cloud services
Cloud services, specifically storage as a service (SaaS) can provide NewCo with remote file servers that can be accessed by the individuals and teams requiring company information.
The security available from a cloud vendor happens on many layers. Initially there is software checking and monitoring for security flaws, the logins are secured with SSL and websites run under the HTTPS security mode. The security performed on a cloud server will resemble most if not all of the above mentioned methods and technologies.
Some cloud vendors support OAuth, a protocol for connecting users to the cloud without revealing usernames and passwords. OAuth also enables NewCo to restrict certain users from certain resources, for example sales departments cannot access engineering data.
Most cloud service providers will allow NewCo to choose to upload encrypted files directly to the remote servers. Typically NewCo should expect to be using 256-bit AES encryption and know that the private key to unlock such files will not be stored on any remote server; lost keys will result in files that NewCo will be unable to decrypt.
NewCo should understand that by using cloud services they can reduce hardware and software cost via outsourcing maintenance and upgrading.
Using cloud computing NewCo can have the majority of its applications provided over the internet and hardware will reside elsewhere. This results in hardware and software failures being somebody else’s problem. Also, upgrades to hardware and software will be provided free of charge and not require NewCo to change their own systems.
NewCo’s lack of an IT department makes cloud computing a sensible business option, as the proposed security system mentioned above should be managed by an onsite IT department due to its complexity. A smaller onsite network containing less sensitive information should enable NewCo’s IT manager to stay on top of things.
A cloud service provider also offers NewCo scalability. Cloud computing is easy to upscale and downscale based on NewCo’s changing requirements. Servers can be added or removed in less than 24 hours, without the need for NewCo to make any changes to their existing system.
It appears from the given spec that NewCo use heterogeneous servers, presumably to provide OS dependent applications and a layer of security. This type of network configuration is possible from the cloud without the need for client machines to match the given servers' operating system.
Created: 2014-10-06 15:14:09 Updated: 2014-10-06 15:14:09