Case 1 Network Design Abstract The company in this case is a small consulting firm whose specialty is providing their customers with Microsoft Windows and Citrix networked business solutions. They believed their internal servers are secure due to their diligence in keeping the Operating Systems up to date with the latest service packs, hotfixes and patches. Virus signatures and scanning software is also kept current. Your security company has been given the task of evaluating the security of the network perimeter and to make recommendations for securing our network perimeter and Internet connection. Examination of the perimeter infrastructure showed the network to be virtually defenseless. There is no Firewall installed and very little filtering of inbound or outbound Internet traffic on either the router at the corporate office or the router at the branch office. The Linux, Help Desk, Mail server and the two Active Directory servers had direct network links to both the internal network and the Internet making them prime targets for intruders. Your proposal is to completely redesign the network perimeter to provide a layered Defense in Depth. Current Network design The original perimeter network design included two Cisco routers and five publicly addressed servers, four of which were Windows based and the fifth, RedHat Linux. As stated, the network did not have a Firewall device and the perimeter routers performed extremely limited inbound packet filtering. The corporate router is configured with a serial interface for connection to the Internet, an Ethernet interface for the public network, and an Ethernet interface for the internal (private) network. The branch office router had a serial interface to the Internet and an Ethernet interface to their internal network (diagram 1). The branch and corporate routers were connected by VPN tunnel over the Internet. The various network devices at the corporate office, both internal and external, were connected via three cascaded switches. Each of the external (public) servers had a direct link to the internal network and represented a significant danger if they were compromised. The branch office network consisted of four PCs on a hub connected to the router. A brief description of each network device follows.
We Write Essays for Students
Tell us about your assignment and we will find the best writer for your paper
Get Help Now!Routers Corporate Router The Cisco router at the corporate office provided Network Address Translation (NAT) for outbound Internet connections. The five public servers were assigned static NAT addresses. All other traffic is given the public address of the serial interface by the NAT “overload” feature of the Cisco Internetwork Operating System (IOS). The router also acted as one end of a point-‐to-‐point VPN tunnel to the branch office router. This provided secure access to the corporate Microsoft Active Directory servers and other network resources. The serial interface had an inbound access list to block port 1433 (SQL Server) traffic to a single internal server. All other traffic, inbound and outbound is permitted. Branch Office Router The Branch office router is configured to provide NAT for outgoing Internet traffic, in addition to a VPN tunnel to the corporate router. An inbound access list is applied to the serial interface making it somewhat more secure. The access list is designed to block packets with spoofed private network addresses. No other security measures were in place. Public Servers Help Desk Server.
This is a Windows 2003 server providing web based Help Desk services to clients and staff. It runs Microsoft Internet Information Server (IIS) and Microsoft SQL to support the Help Desk application. There were two network interfaces installed, one connected to the public network, the other connected to the private network. The patch levels and virus signatures on this server were kept up to date. Mail Server The second server is also Windows 2003 based. It acts as a mail server using Microsoft Exchange and provides file and print services to the internal network through a second network interface. Mail sent to this server is forwarded to the internal Exchange mail server, storing it if the internal server is unavailable. This server also acted as a public NFuse front end to the internal Citrix server. Linux Server The Linux server runs the Redhat 9.2 operating system and Apache web server software. This server has a total of five network interfaces. One public, one private, and three others used to provide routing and Internet gateway services to other companies in our building for a monthly fee. There is a minimal host firewall in place, allowing the three companies to access the Internet, but preventing them from accessing the other networks in the building. All Internet traffic inbound or outbound is permitted to their networks with no additional filtering. Our service agreement with these clients does not require us to provide any additional type of security services. The Linux machine also acts as a web server providing portal access to our internal servers. Clients and staff can access each portal service by providing their name and password. Credentials are passed to the internal Active Directory server for validation using LDAP. Active Directory Servers The Primary and Secondary Active Directory Servers had two interfaces each, one connected to the internal network and the other to the Internet. The reason for the dual attachment is to provide Active Directory services to the PCs in the branch office over the VPN. Without the internal interface, the branch office is unable to browse the corporate network. Vulnerability Assessment The network does not have a Firewall installed for protection against outside probes or attacks. This is a critical weakness because even the most well patched, up to date operating system is vulnerable to a determined attack. The same is true of web services and other applications. Compromised resources on our network could be used to
unknowingly participate in a Distributed Denial of Service (DDOS) attack launched against another network. There is insufficient filtering on the routers. As with the lack of firewall, this leaves the network wide open to attack and exploitation. Logs are not kept of the types or frequency of Internet traffic. Without logs there is no way to determine if the network is being probed or attacked. Each of the public servers also had links to the company’s internal network. If any of these machines were compromised, they could act as gateways to the rest of the company’s data and servers. The Linux server is built and is maintained by one of the consulting engineers. Patches, bugfixes and other administrative tasks were performed whenever his schedule allowed. There is no one else in the company familiar enough with Linux to assume this responsibility. There are no written policies concerning the frequency or responsibility for maintaining the security levels of hardware and software.
The post Case 1 Network Design Abstract The company in this case is a small consulting firm whose specialty is providing their customers with Microsoft Windows and Citrix networked business solutions. appeared first on Versed Writers.
Welcome to originalessaywriters.com, our friendly and experienced essay writers are available 24/7 to complete all your assignments. We offer high-quality academic essays written from scratch to guarantee top grades to all students. All our papers are 100% plagiarism-free and come with a plagiarism report, upon request
Tell Us “Write My Essay for Me” and Relax! You will get an original essay well before your submission deadline.
