Secure Corporate Network Infrastructure Development

Published Date: 02 Mar 2018

Pop Quiz!

VPN stands for…

A.1

VPN stands for "Virtual Private Network" or "Virtual Private Networking." A VPN is a private network in the sense that it carries controlled information, protected by various security mechanisms, between known parties. VPNs are only "virtually" private, however, because this data actually travels over shared public networks instead of fully dedicated private connections.

Introduction

I have a strong point of view that MCC has been fostering is dear students from all computing courses since its establishment. With the intention of uplifting the education standard in Computer Technology, MCC has collaborated with NCC of Greenwich College in London to set up the Joint Program of International Diploma in Computer Studies (IDCS).

I have given my best effort and attention and I also obtained priceless knowledge and experience in developing and implementing the cost-effective VPN extranet infrastructure for National Bank for Rural Development.

Overview

The construction of the Rural National Development Bank brought great prosperity to an area where previously had tremendous hardship in making monetary transaction. Being in a rural area like this, we can't have hefty load of budgets invest in for the normal operation of the bank. The bank has currently been using Microsoft Windows operating system as client machines and also the network is window-based. The bank wants to create a corporate network infrastructure to connect their agents and branches securely. The bank preferred to use NOS for Ubuntu Linux for they will reduce the overall cost dramatically when compared to Microsoft Server Version.

All of these multi-functioned organisations and personnel need to have a medium to communicate for the smooth flow of their work. As the new networking advisor for this project, I have thought out the plan to implement such medium on less costly basis.

The aim of this project is to investigate the currently favourable means for building a secure corporate network infrastructure that consists of servers, extranet, preferred form of internet connection and clients. This report will contain recommended methods and a sample of a network security design with a clearly labeled diagram. Also, the source and references of information and excerpts in this report will be acknowledged and can be found at the end of this documentation.

Prototype for the Extranet VPN for NBRD

There are altogether 500 computers and 100 peripheral devices in the main office bank. There are tens of departments and hundreds of staff ranging from front-office to auditor. VPN actually is a private network for delivering of important data and facts within the organisation via the secure use of the public network like Internet or Wide Area Network. The internet source is coming from ISP which provides high-speed Asynchronous Digital Subscriber Line. The main office is a very sophisticated infrastructure and the daily normal operation of the bank is very much dependant on four servers-VPN Server which is a must in all VPN configured network, Print Server, File Server and Database Server. The computers and peripheral devices are connected from the four servers via multi-purpose switch (to regenerate signals). The outlet of the main office building has router in place for connecting separate logical networks to form an internetwork. And then comes the Gateway to convert Microsoft Mail to Simple Mail Transport Protocol (SMTP) for transmission over the Internet. Although routers work at the Network layer and can route packets of the same protocol (such as TCP/IP) over networks with dissimilar architectures (such as Ethernet to token ring), gateways can route packets over networks with different protocols. And then comes a firewall. A firewall is a hardware device or software program that inspects packets going into or out of a network or computer and then discards or forwards those packets based on a set of rules. The data then travels on the VPN tunnel by using IPSec Protocol. It is the most popular method for encrypting data as it travels through network media. IPSec works by establishing an association between two communicating devices. An association is formed by two devices authenticating their identities via a preshared key, Kerberos authentication, or digital certificates. Suburban branch has 300 computers and 50 peripheral devices and has varieties of departments and large numbers of staff for its daily normal operation and performs the same task mentioned above. National Bank for Rural Development has 50 computers and 5 peripheral devices. It also has departments and staffs but it depends on VPN server for its normal operation. Business partners and agents are connected to the VPN via remote access.

Brief biography of Ubuntu

is an open source (can change the source computer code at your desire) operating system

version is upgraded every six months

desktop, server and ultimate editions are available

Can be used wih wide ranges of computers and hardwares:-(Intel x86 (IBM-compatible PC), AMD64 (Hammer) and PowerPC (Apple iBook and Powerbook, G4 and G5) architectures)

Supported by Canonical Ltd.

is GNU/Linux (comprises of many programs and most essential one is ‘kernel' which is linux in (GNU/Linux) and it combines with other GNU programs to boot up the system) and if an error occurs and the Kernel becomes corrupted, a different copy can then be used instead.

debian-based

Linux is the system descended from Unix

GNU/Linux was put into existence by Free Software Foundation in 1984

is free-of-charge and totally aimed at programmers and developers

The first Linux kernel was invented by Finland-national Computer Science student ‘Linus Torvalds'

Because of its alluring advantages such as being free of charge, compatible with many software programs, not easily hanged or freezed, multi-tasking, and more safer than other OS make Linux more popular among business partners and individual person

hide the user from browsing the registry keys that have important information

more effective in hindering the spread of viruses and executing of malicious programs and threats

Ubuntu can be downloaded from this site: http://www.ubuntu.com/getubuntu

is compatible with ‘Intel and AMD' and the compatibility with hardware parts can be checked in this site: http://www.tldp.org/HOWTO/Hardware-HOWTO/

http://www.linux-laptop.net/ (For laptops)

The minimum requirements for Ubuntu

700 MHz x86 processor

384 MB of system memory (RAM)

8 GB of disk space

Graphics card capable of 1024x768 resolution

Sound card

A network or Internet connection

CD/DVD Drive

For visual effects and graphic

1.2 GHz x86 processor

512 MB of system memory (RAM)

Supported graphics card

Note: the above descriptions are only minimum requirements and better processor and system memory will certainly enhance the performance of Ubuntu.

For downloading software for disk partition by using disk management of windows:

http://www.partition-tool.com/personal.htm

Task 1- 50 Marks

Your Bank currently has network client machines based on the Microsoft Windows Operating System. The Bank decides to evaluate the benefits of the open source Linux operating system, preferably the latest Ubuntu Linux distribution version 9.10 server edition (freely downloadable from http://www.ubuntu.com)

Evaluate the benefit of Linux operating system as Interoperable and alternative NOS for the company in the form of a feasibility report to include the following:

1.1) The comparative Networking features of Windows and Linux. (10 Marks)

Comparative Networking Features of Windows and Linux

Windows Operating System

Internet Connection Firewall (ICF)

acts as a shield from unauthorized access to home networks and computers. It had come with the window installation package and it enables automatically in its default settings when the Network Setup Wizard is run and is compatible with most networks. ICF has manual switch on-off modes which can be done through the Network Connections folder.

Wireless LAN

provides Ethernet and Wireless Security with its improved standard IEEE 802.1X which has been developed with the combined effort of Microsoft, Wireless LAN dealers and PC dealers. Former version is highly inefficient in lacking security control with a key management system. The IEEE 802.1X is a port-based network access control and can be used with Windows XP via access points.

Network Setup Wizard

acts as a novice guideline in setting up the network

can be utilised to configure the Internet Connection in networked computers, and also network adapters (NIC Card)

can be used to enable Internet Connection Firewall (ICF), Network Bridge if appropriate, sharing resources such as files and printers and naming of computers.

Network Diagnostics Features

Diagnosing network features by using the following tools:

The Network Diagnostics Web Page and NetSh helper

Network Connections Support Tab

Network Connection Repair Link

Task Manager Networking Tab

Updated Command Line Network Diagnostics Tool

Internet Connection Sharing (ICS)

A single internet connection from the source computer can be shared to all the other computers in a home or small office network. ICS is enabled in the source computer and gives out all the physical and IP addresses and translates these for all the networked computers in the organisation.

Linux Operating System

acts as a forbidder for all incoming connections but opens up for outgoing connections. When in ‘high' mode, it allows for all outgoing connections and restricts to limited number of high ports for point-to-point applications. When switch to ‘medium' mode, still permits outgoing connections, selected applications for incoming ports plus point-to-point application. When change to ‘none' mode (“get out of my face”), it denies all incoming and outgoing connections. Only in the ‘laptop' mode, the firewall does activate without giving any alert to an Interface (GUI).

Protocols

Linux supports IPv6 and SSH but Windows is not.

1.2) Interoperability features of Ubuntu with the existing Microsoft Windows Workstations. (10 Marks)

Interoperability

refers to the capability of the system ranging from hardware and OS to work in multi-platforms. Windows and Linux are both OS and of x386 architecture. Open Office in Linux which is similar to MS Office in Windows is java based application. All of us know java -based applications will work in any platform. OpenOffice.org can be used to open and save Microsoft Office formats, such as PowerPoint, Word and Excel documents.

Ubuntu can share files with Windows with ease, and can connect with current e-mail servers even Microsoft Exchange. Ubuntu support plug-n-play hardware, wireless networking, printing and other graphical and multimedia software.

Connecting from Linux to Windows

With the use of network, we can control Windows computer from Linux:

enable “remote administration” on the Windows host

make sure you reach the computer from your Linux box

ping windows_computer

connect to the computer

rdesktop windows_computer

Connecting from Windows to Linux

The following can be used to have control over Linux computer from a Windows box:

Vnc

Xdmcp

NX

X-Servers for Windows

puTTy (command-line only)

Exchanging files between Linux and Windows

When having two hard disk partitions but running on one OS, in case want to access a Linux partition when running Windows and vice versa, the following can be done:

When on a Linux host and want to access a Windows drive

Winhost has been assumed as Windows computer's hostname in this case (the hostname can be checked by right clicking on My Computer Icon and select Properties). Open the Explorer windows on Windows computer. Right-click on the folder and choose “Sharing and security” from the drop-down box. Name it “share1”. Then, on Linux computer, open the file explorer either Konqueror or Nautilus and type smb: //winhost/share1 in the address bar. All the files and folders can be seen in that share. With just double-click, you can open and view them.

Want to share

When on a Linux computer and want to make the folder accessible on Windows machines over the network, need to run SAMBA service on Linux computer. Right-click on a folder in favourite file explorer like Nautilus and choose “Sharing Options”. Click and name the share. Nautilus will require a password without prior enabling of the Windows folder sharing and after that install the service. It now requires you to log out and log in again. Windows computer should be available with the share.

When on a Windows host and want to access a Linux drive

WinSCP is used and SFTP protocol should be chosen. The login procedure and password are same as when log in locally. Firewall should be shut down and openssh service should be installed on Linux computer.

Want to share a folder

By using normal Windows sharing procedures can share files with Linux. By using samba, the Linux host can access these files.
NTFS (New Technology File System)
is the Microsoft Window default file system. It is readable as well with Linux and more than 2GB of files can be stored.

1.3) You need to install Ubuntu on a machine and configure network services for Windows and Linux mainly for file sharing and printing. Necessary screen shots have to be provided.

Installation of Ubuntu Server Edition 9.10

During the ongoing installation process of Ubuntu Server Edition, LAMP which is a combination of Linux, Apache, and MySQL and PHP servers can be used instead. It is excluded from the Ubuntu Server Installation Package and can easily be used during the time of installation. The LAMP option does not require individual installation and integration separately of each of these components which can take prolonged period of time and need a help from an expert who is skilled in this particular installation. The overall cost can be greatly reduced due to the enhanced security performance, requiring lesser amount of time to install and any possibility of misconfiguration can be reduced. Flexible installation can be carried out with the Ubuntu Server Cloud computing server as varieties of servers like Mail Server, Open SSH Server, Samba File Server, Print Server, Tomcat Java Server, Virtual Machine Host, Manual Package selection, LAMP and DNS options work jointly with cloud computing node and PostgreSQL Database options.

These versions can be installed by Ubuntu LAMP server.

Ubuntu 9.10 (Karmic)

Apache 2.2.12

Mysql 5.1.37

PHP 5.2.10

Ubuntu 9.10 (Karmic) LAMP Server Installation is successfully completed and all applications installed will support apache, mysql and php.

Ubuntu server 9.10 edition static ip address configuration

The command [sudo apt-get install vim-full] can be used to install vim editor

TCP/IP utilisation in a corporate or enterprise network needs the devices to be configured in detail, assigned addresses and the destined machines they were assigned need to be kept track of. Dynamic Host Configuration Protocol (DHCP) is used to make this process easier.

Through Dynamic Host Configuration Protocol Ubuntu installer has arranged our system to acquire its network settings. But we need to switch it to static IP address by editing setup:

Edit/etc/network/interfaces and the detail data of your ip address needs to be entered. For instance, IP address 173.20.9.10 is used in this case.

The command [sudo vi/etc/network/interfaces] is entered and the file is saved and exit by using the procedure “In vi, ESC, and then ZZ to save and exit”.

The chief network interface

auto eth0

iface eth0 inet static

address 173.20.9.10

netmask 255.255.255.0

network 189.18.9.3

broadcast 198.34.8.9

gateway 167.8.2.3

Now the command [sudo/tec/init.d/networking restart] is used to restart network services

When DHCP is not in use, manual setting up of DNS servers in resolv.conf file is needed with command [sudo vi/etc/resolv.conf]

In resolv.conf file the one similar to below should be added.

search domain.com

nameserver xxx.xxx.xxx.xxx

File Sharing configuration in Ubuntu server 9.10 edition

Sharing File by using NFS which is the *nix systems default networking protocol inclusive of Ubuntu Linux.

File sharing by using Samba protocol

Samba File Sharing

Samba client

permits easy and smooth networking with Windows-based networks except firewall is in place at the ports. Ubuntu Jaunty comes originally installed with Samba client.

Samba server

When Samba server is not installed by default, the instructions below can be used to configure a Samba server. In this way, files can be shared seamlessly between windows Samba network computers to other Samba clients.

Install Samba with the command [sudo apt-get install samba samba-tools system-config-samba]

Samba-tools and system-config-samba are not compulsory

Samba settings can be altered by:-

Method 1

System>Administration>Advanced>Samba

This method can only be performed only if system-config-samba is installed

Method 2

Needs User Authentication to connect to File Sharing Server and it is highly recommended because of its reliability

The instructions below should be carried out to share files on the machine.

Current user should be added to Samba by command [sudo smbpasswd- a username]

The login username should replace username.

Samba config file is opened by command [sudo nano/etc/samba/smb.conf]

The directories is to be added at the far end by using the format

Path=/home/username/<folder_to_be_shared> (The username is to be replaced with your own username and <folder-to-be_shared> with the folder to be shared)

CTRL+ X is pressed and later Y to save

Samba is restarted by the command[sudo/etc/init.d/samba restart]

The format[\\192.168.x.x] is used to access the folder in Windows Explorer. In this instance, \\192.168.x.x is used as a sample IP address and the actual IP address of the server in which folder exists should be replaced.

The format[smb://192.168.x.x] should be typed in Konqueror or Nautilus of Linux. In this instance also, 192.168.x.x should be replace with the actual IP address of the server in which the folder exists.

In case of bug when sharing in KDE's System Settings panel, erase out any situations concerning with these two lines (“case sensitive” and “msdfs proxy”) in /etc/smb.conf.

Workgroup changing in Windows network workgroup

Change your Windows network Samba workgroup by the command [sudo nano/etc/samba/smb.conf]

and search out for this line “workgroup= WORKGROUP”

change the setting according to your LAN workgroup's name.

Print sharing configuration in Ubuntu server 9.10 edition

Printers

Many printers can be recognized by the new CUPS interface. The Linux Foundation OpenPrinting database provides instructions to install particular types of unrecognized printers.

Printer configuration

System>Administration>Printing>New Printer>New Printer

Usually the printer connected and switched on will be detected automatically.

My network printer was configured with IP address at 192.168.10.23 and it was correctly installed at socker://192.168.10.23:9100.

Through Samba printers on a Windows system and on other networks can be chosen plus directly connected printers.

1.4) Enumerate the various costs associated with the performance, security, support and maintenance of the Ubuntu within the bank.

Cost associated with security of the Ubuntu within the bank

A Linux-based operating system, Unix-like and open source make the Ubuntu more secure than any other OS. Translation into higher quality code makes it less prone to spyware and viruses than other OS. Rather strict and hyperactive security policy prevents the effects as a result of open ports or misconfigured software. It is truly multiuser operating system with it allowance in users to accomplish their tasks without giving any harm to the system. In Ubuntu, the user never logged in with an administrator account instead log in as a simple user and can change settings concern only with the user but for modifying settings that can somehow affect the system, the user required to type in administrator password.

Cost associated with maintenance of the Ubuntu within the bank

LTSP thin client technology makes Ubuntu deployment and management simpler and easier. With only a single server, over 50 workstations can be setup, manage and administrate. Ubuntu can therefore reduce the amount of time spend in administrating computers. Ubuntu is and will always be free to obtain, use and upgrade. No license fees or upgrades expenses are cost even if 100 or more machines are to be installed or can install on computers only having specific programs. Ubuntu also assist in saving hardware costs by allowing redeploying older machines as thin clients using LTSP technology.

Cost associated with support of Ubuntu within the bank

Ubuntu support can be getting from Ubuntu communities. Authors of the Ubuntu can get in touch directly through mailing lists and IRC channels including Ubuntu developers. Wide varieties are support are available, on mailing lists, wiki websites, IRC channels and bug trackers. Canonical who finances Ubuntu development can give help in any paid work. The community at the back of Ubuntu attracts people to the use of operating system. Linux community people are largely ex-Windows users and they have exact feelings the newness of an operating system and they are willing to help. In the Linux environment the best community support is offered by Ubuntu.

Cost associated with performance of Ubuntu within the bank

Program calls Synaptic offers access to most applications available to Ubuntu and by clicking the program wanted and it will install without needing to accept agreements several times pre-installation. Just select the program and click OK and it is finished. Ubuntu will download the installation files, install them and start the application on its own. That makes Ubuntu easier to install new programs. Ubuntu is fast and does not take up a lot of resources. Performance will not even slow down in prolonged use. Everything will be opened in a short time after clicking the icon and closes immediately when click the icon X. Ubuntu gets update every six months.

Everything about Ubuntu is free. Even they will dig their pockets to pay postal charges if you ask them a free copy of the operating system. The software installed is free including all the software that can be downloaded, any help and support is free.

Research and produce a comprehensive project plan for the implementation of a VPN within the company. This should include the following:

Performance of VPN within the bank

VPN has other indirect cost savings advantages over other communications methods such as lesser requirements in training and staff, flexibility and scalability has been greatly increased.

The largest benefit to utilising VPNs is money savings. The amount spent will be significantly reduced when compared to dedicated leased line options. Remote users can connect locally to an ISP and tunneling that connection to a VPN device on the destined network. Therefore, reduced technical help is required to install, configure, and manage networking equipment.

With the use of a single WAN interface, it can carry out multiple functions so the expenses on WAN equipment installation and maintenance is no longer needed.

Organisations can extend their network and capacitate their performance by setting up more accounts to control the increased demand. This will facilitate the answers to market demands or organizational challenges and is also time-saving. Therefore enterprises and corporate organisations can be linked from different locations into the network without the need of complex infrastructure, delays and tremendous expenses in joint with connection across borders. The wide area networking costs are cut down via telecommunication costs.

Support of Ubuntu within the bank

Technical help resources are sharply reduced with the emergence of VPNs. This is as a result of dependability on one type of Internet protocol (IP) from mobile users to an ISP's POP and security needs are standardised. If taking the help of the service providers to set up VPNs, they will take most of the support tasks for the network.

Security of Ubuntu within the bank

Fewer networking experts are required to control security features of the VPN as the ISP manages the WAN equipment.

Hidden costs associated with distribution of VPN client software.

Some adopters are finding that simple tasks not unique to VPNs, such as distributing and installing client software to remote users, pose a bigger challenge than ever imagined.

Managing security and authentication systems require realising that complex skill sets not available in-house.

Cost-VPN often requires a substantial up-front effort for configuration and software deployment.

2.1) A brief overview of current VPN technologies (both hardware and software).

Components needed with VPNs

With the effect of high security performance, VPNs are originally complicated.

Typical components needed for an effective VPN include:

Gateway devices

Routers

Dedicated servers

Firewalls

Client software

Public-Key infrastructures (PKI) and associated key-management strategies

Hardware-based encryption accelerators

X.509 digital certificates

Certificate Authority (ies)

Directory services

Servers with these features:

Load balancing

Failover

Redundancy

Network-transport communication mechanisms

Typically, VPN components connected to the Internet include these:

-Certificate Authority (CA) system

-Managed ISP to support remote employees

Corporate VPN gateway with these indispensables:

-LDAP server

-Registration Authority (RA) system

Firewalls help in accomplishing three goals:

Restrict accessing to certain segment of a network

Block services requests that are thought to be insecure or unnecessary

Interpret network addresses to conceal real device addresses from other segment of a network and is called Network Address Translation, or NAT

VPN evaluation

Certificate Authority (CA) support: If you'll be handling more than a handful of users who possess digital certificates for authentication, you'll need robust support for an external provider of CA services.

Logging: If you're requiring information logs from the VPN, can they integrate into your existing logging mechanisms and reporting systems?

Selective encryption: If you're thinking about adding a VPN to an existing firewall, you may want to encrypt only certain traffic- or risk bringing your firewall to its knees with an overload of overkill.

VPN-management modules: Can you integrate your VPN into your existing enterprise network's monitoring system? If you can't, then how will you monitor its uptime?

In your evaluation of VPN gateway products, look for these features:

X.509 digital-certificate support

LDAP support

IPSec-compliant

Encryption types supported

Performance (Mbps)

Maximum number of interfaces

Maximum number of connections

Quality of Service support

Clustering (SMP) support

Custom-application support

Support for High-Availability (HA) features

EAL/ITSEC/TCSEC Level

In evaluation of VPN client products, look for these essentials:

Thin-client support

Fat-client support

Network-mapping support

Dynamic Host Configuration Protocol (DHCP) support

NT Domain logon support

2.2) Design a suitable VPN using appropriate Internet Service Provider (ISP) for the requirements of the bank.

2.3) Identify and list the hardware and software required to implement the bank's VPN.

The infrastructure of existing network should be supported by a server. A server should serve as a domain controller, DNS server, Certificate authority and DHCP - (Dynamic Host Configuration Protocol) server. The next step is to set up a certificate authority.

A VPN server should be kept separate for the sole purposes of security threats. A firewall should be placed at the outlet of VPN server to only permit flow of VPN traffic into this server. Two NICs cards are needed to connect to the internet and the private corporate network.

Identification of the remote users' identity when trying to access the private corporate network is also necessary. The Server operating system comes with RADIUS- Remote Authentication Dial In User Service and IAS- Internet Authentication Service to do authentication process. VPN hardware products also do the authentication process.

The Web Server (HTTP server) responds to HTTP requests for HTML pages that it delivers to customer browsers over the Internet. It's the only server that sits in front of the firewall and allows direct controlled access to the public internet. It's on this server you may want to store static Web page content and graphic images. All information processing that the Web server needs from applications or Database servers can only be accessed through the Firewall.

Application Servers store, manage, and operate those software components relevant to the business, including Merchant server software, back-office accounting systems, customer information systems, order entry and fulfillment systems. You many opt for multiple application servers as your needs dictate. Any links to other legacy systems (such as mainframe-based systems0 may be made through the application servers as well.

Database Servers store your product, purchase, and customer data in addition to all other distributed processing data already in place. They may use Object-Oriented Database Management products, traditional relational database products, or hybrids of the two. Choices of Database Server software include these:

Oracle

MS SQL Server

Sybase

DB/2

Informix

Firewalls control the access to the internal (back-office) corporate networks. They serve as the mechanism under which the Web server accesses applications and data that is found behind them. These Firewalls will typically run monitoring software to detect and thwart external attacks on the site, and are needed to protect internal corporate networks.

Common Firewall services are implemented as routers that sit in between two domains (subnets), and are selective about IP addresses from which it receives packets before it permits their routing to the other domain (subnet). These select IP addresses are considered as trusted hosts.

Mainframe systems, If you've got them, can also be useful in the distributed processing environment. All you have to do is use object wrappers (objects that act like miniature shells to preserve existing processing) to keep the work in a familiar form and place, where it may best be suited for operations or data storage.

2.4) Produce a schedule for the implementation of the VPN, detailing the installation of any necessary hardware, network operating system upgrades and associated applications software required.

No

Task

Date

14 Dec 2009

15 Dec 2009

16 Dec 2009

17 Dec 2009

18 Dec 2009

19 Dec 2009

20 Dec 2009

21 Dec 2009

22 Dec 2009

23 Dec 2009

7Jan 2010

8 Jan 2010

9 Jan 2010

10 Jan 2010

19 Jan 2010

20 Jan 2010

21 Jan 2010

25 Jan 2010

26 Jan 2010

27 Jan 2010

30 Jan 2010

31 Jan 2010

1

Doing research and gathering required information (research stage)

2

Suggesting possible layouts of designs

3

Technical and logical assumptions made on the prototypes (Feasibility Study Stage)

4

Setup installation and testing of real-time infrastructure (Project Plan stage)

Upgrading current Window based Network and clients machines to Ubuntu Server Edition 9.10, Existing hardware (Servers, workstations), VPN router or switch, Software to manage or create tunnels and Security device such as firewall

5

Operational Support including teamwork ,budgets and other necessary equipments

Finalising report with documentation (Presentation Stage)

2.5) Write a section of the report on the responsibilities and level of service required from an ISP in order to implement a successful VPN within the company.

Companies are significantly cutting down their networking costs- for equipment, public network services and even personnel upon their trustworthiness on VPNs.

Companies use VPNs mostly for the following works:

Sending safe e-mails

Providing in-touch accessibility to properties and assets by utilising web sites linked to an intranet

Sending and receiving of information and forms within personal and business organizations under extranet connectivity

Remote access through the use of Internet is enabled to employees and marketing and support representatives in the fields

Connecting branch offices from afar to main corporate networks without the use of costly leased communication lines

Can be used to send urgent, top-secret data between organisations in a matter of time

ISP Responsibilities

To use powerful IPSec protocols to create secure tunnels within the IP network,

Remote Technical Support (RTS)

Is an elementary level of technical support to solve the remote basis problem? This is in use when the customer depends on its own IT experts to cover daily maintenance tasks of the system.

On-Site Support (OSS)

This support level includes RTS and allows customer to ask for problem solution both hardware and software at their location.

Dedicated Technical Support (DTS)

Engineer is constantly present at the customer location with the readily to be use RTS and OSS in active.

VPN Network System, installation and setup

Positioning of active equipment at the client side or at server side

VPN hardware and software of High-quality from well-known brand like Cisco

Managing system by engineers or client

Firewall setting up and its upkeep

Controlled services for authentication

Connectivity options of great flexibility

Service level Agreement (SLA)

24/7 Technical support

Network management responsibilities

An enterprise network manager who extends a network with VPN technologies must meet a strict set of business needs that include these:

Minimized risk- Moving from a dedicated infrastructure to a shared infrastructure that incorporates the Internet as the transport medium presents new security and auditing challenges. While opening the network to unite remote users, suppliers, and partners, you must be able to maintain the integrity of your corporate data resources.

Maximum scalability- Rapidly adding mobile users and new business partners means you must be able to expand the network- upgrading your hardware, software, bandwidth, and services- with unprecedented speed and precision.

Lowest cost- To benefit from the savings of a shared VPN infrastructure, you must be able to implement new VPN service and support additional network users-without ballooning your operational staff.

Highest reliability- Moving to a shared infrastructure presents new challenges in delivering and monitoring the reliability of the network.

Cisco points out those network managers must face at least these thorny issues of supporting a VPN:

Coordinating the potentially complex range of configuration environments across multiple service providers

Ensuring the security and integrity of the network and the corporate resources of the enterprise

Delivering-and monitoring-the service levels promised to customers

2.3) Prepare a short report on Network Security covering:

a) Trojan horses, Worms, Viruses and the major network security issues. (10 Marks)

A computer virus modifies the way a computer functions without the acknowledgement of the user. To be able to name it as a virus, it must be in accordance with these two conditions:

Execution is carried out by self. The viral code is mixed maliciously with uninfected file.

Replication can be done by self. Replacement of other executable files with a copy of the virus infected file. Desktop computers and network servers both are prone to virus infection.

Damaging programs, deleting files or reformatting the hard disk are some of the potential hazards of malicious viruses. Some types of viruses just want to get attention and awareness of users by showing text and multimedia messages. Viruses such as these can even be problems. They occupy memory space usually taken by normal operation. As a consequence, the system often hanged or freezed and the computer seem to be operating without normality. Bugs often attached to viruses can lead to destruction of data and system crashes.

Five well-known viruses

File infector viruses

infect program files especially .com and .exe files. When infected program is run from floppy, hard drive, or from the network they can infect other files. These viruses can reside in memory. If memory gets infected, all the executables that run become will also get infected.

Boot sector viruses

infect the boot record on floppy disks and hard disks. These viruses attach to the small program to be run at the start-up and start working when the user use the boot disk to boot the operating system of computer. Naturally, they live in memory and are the potential threat to all types of PCs. All floppy disks that are not write-protected will be infected when trying to access the data from the infected computer.

Master boot record viruses

are also residing in memory and viral infection is in the same way as boot sector viruses. The location of viral code is the main difference between these two. Master boot record is saved in a different location. Windows NT will not boot under infected circumstances. With hard disk formatted with FAT partitions, by booting to DOS and using antivirus software, the virus can usually be removed. If in NTFS boot partition, the system is to be recovered by using the three Windows NT Setup disks.

Multipartite viruses

infect both boot records and program files. Hard to repair as both areas must be cleaned or otherwise it will get re-infected.

Macro viruses

infect data files. Most abundant form of viruses, it is very costly and time consuming to repair. The emergence of Visual Basic in Microsoft's Office 97 had brought about the type that also can infect Microsoft Office Word, Excel, and PowerPoint and Access files.

Now it is becoming more spreading in other programs. The viral codes are based on the internal programming language which was invented for the ease in performance of some tasks for the user. It can be as many as thousands in existence.

Trojan horse

Trojan horses are indeed malicious program but they disguise themselves as something which is beneficial to the user. They are not self-replicating. They contain malicious code that when start off can cause theft and loss of data. Trojan horse needs human help in spreading. It will act as a backdoor to the user's computer and send important information from the user computer to Internet servers designed by the developer of the virus. These things can result in the performance of the computer becoming too slow or pop-up windows appear unexpectedly and finally can cause a crash to computer. Email attachments are the most common spamming techniques to give out the virus to unsuspecting users. When the user opens the attachment file, the above mentioned task is performed. Chat software is another preferred area for the spread of Trojan horse. It sends a copy of itself to the people in address book via the infected computer.

Worms

do not need help from host file to spread from system to system. It can stay attached to Word or Excel a document which has the worm macro inside the document. The whole document is worm as it can travel from computer to computer.

Basic threats to computer resources

Accidental use: misuse of a Web site or Internet service

Data destruction: loss of data accidentally or intentionally on Web site or other Internet-based service and the stealing and eavesdropping of data from the Internet and other service whether in encryption or not

Interference: diverting data or overloading data so the Web sites or Internet services are derailed or the server crippled.

Misrepresentation: creating of false credentials by using a counterfeit Web site to delay traffic for an intended location.

Modification: changing incoming or outgoing data of a particular Web-site or service intentionally or accidentally. It is hard to detect when transmitted in large amount.

Repudiation: The refusal from the customer or consumer side that they have ever order goods online or received such goods

VPNs are a necessity in preventing from becoming a victim due to the following factors:

v Threats

v Vulnerabilities

v Attack methods

v Security-control mechanisms

Unauthorised altering or downloading: Updating or copying data without acknowledgement from the source

Unauthorised disclosure: looking-up data without consent

These threats are more prone to happen through the Internet when increasing the number and value of the data and service you offer to your employees and in the case of customers and business partners that goes double.

Organised attacks usually have known patterns and arrive through the Internet by different strategies. Five areas are favourites for hackers to attack:

Human gullibility: Using false credentials or outright imposture, hackers try to squeeze information out of unwitting or unsuspecting employees. Methods include these gambits:

Tricking someone to revealing an ID and password

Obtaining access to controlled areas for instance: phone, closets and network concentrators to bug the system

Obtaining access to modern phone numbers

Stealing authorized users' credentials such as badges and security tokens

Computer architectures: hackers look for loopholes or back doors into computer systems to gain access. Examples include:

Logging on using factory-default IDs

Acquiring and utilising passwords system administrators fail to get rid of from servers before product installation

More server-configuration principles

Make certain that your Application servers and Database servers are running on separate servers that are insulated from both the Internet and from other domains within your organisation.

Remove all unnecessary server software that is not specifically for operational purposes. This may include

Language compliers

Perl libraries

Administrative utilities

Factory-supplied log-ins and passwords

On any open ports not specifically configured for incoming requests, Firewalls should disallow

FTP

TFTP

Telnet

Requests

Don't operate software such as, FTP, tftp, telnet or e-mail systems on any special-purpose server or Web server hardware. Rather, dedicate a separate system for those uses that you can adequately control.

Whenever remote operations (such as telnet and xterm) are needed, make sure the Secured Socket Handler (SSH) and Secure Copy (SCP) are used.

Make sure your Web server software is protected against hostile browsers; apply patches to the software as rapidly as possible when you discover and correct new vulnerabilities.

As much as possible, set up your servers to provide unique functions and capitalize on the distributed nature of the network.

The three-tier client server architecture helps you keep out intruders trying to invade from the dark reaches of the Internet.

b) Why there should be a Network security policy in place in all the networked companies. (5 Marks)

A VPN can only help to implement a security policy- it can't create one for you. You have some complex decisions to make:

Access rights include these:

Who has permission to access what?

From where, when, how, and how often do you allow access?

Access-control rules include these:

IP source

Destination

Packet content

Available services

VPN management responsibilities include these:

Who administers the system?

Who administers-and enforces-security?

Who's authorised to authorise digital certificates?

Who performs Registration Authority (RA) activities?

Who administers your user's desktop systems?

Types and degrees of encryption required can include these:

Deciding IPSec settings and options

Managing private and public keys, including key-recovery procedures

Certificate practices

Length of time key material remains active

Control over exports of data

Authentication requirements include these:

Conversion of user IDs and passwords to digital-certificate processing

Security-access tokens

Smartcards and other forms of employee security

VPN endpoints determine where the system's electronic tunnels go:

Gateway to gateway

Gateway to desktop

Desktop to desktop

Data and network security

Do you have staff specifically assigned to data security?

Do staff members participate in regular training programs to keep abreast of technical and legal issues?

Do you restrict physical access to computer operations and paper/micrographic files that contain personally identifiable information?

Do you have procedures to prevent former employees from gaining access to computers and paper files?

Are sensitive files segregated in secure areas or computer systems and available only to qualified persons?

Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?

Do all employees follow strict password rules and virus-protection procedures?

Are employees required to change passwords often, using “foolproof” methods?

Is encryption used to protect extremely sensitive information (a particularly important measure when transmitting personally-identifiable information over public networks such as the Internet)?

Do you regularly conduct systems-penetration tests to determine whether your systems are hacker proof?

If your organisation is potentially susceptible to industrial espionage, have you taken extra precautions to guard against leakage of information?

Policy controls are a must as reliance on IP networks and VPNs expand. As you migrate your legacy programs and systems to Web-based technology, you face the problems that were solved long ago on large enterprise networks. Given its shortcomings, TCP/IP alone can't meet the demands of these critical and security-minded applications. IP was never designed to priortise traffic based on the nature of the traffic itself.

Clearly, if mission-critical applications operate on your VPN without high degrees of network control, performance problems can sound the death knell-negating the reasons for migrating in the first place. If (for example) your corporate extranet is intended for external sales-order processing and fulfillment, you've got trouble if you don't specifically accommodate its traffic pattern. Internal users trying to move large files via FTP, trying to teleconference via the network, or watching video clips of your CEO's corporate briefing could degrade the performance of your revenue-generating applications from the outside. The response: Establish rules and policies that enable you to manage such traffic within the context of the traffic itself.

Policies govern decisions about whom and what will get priority over resources- and who and what won't. You'll need rules like these to determine the shifting of business priorities in response to time-of-day constraints:

During business hours, you'll want established customer traffic to have the highest priority.

During non-business hours, bulk file transfers that complete the day's order processing may need the highest priority.

Summary

Best Practices in Network Security

One of the side benefits of the Internet's growth, with the accompanying reports of computer and network break-ins and computer virus infections, is the increased awareness and acceptance of computer and network security policies, procedures and mechanisms. As our use of computers and networks expands, so does the list of things that can go wrong and ways our organisations can be hurt. Security policy, procedure and proper-use documents give system and network administrators something to fall back on in a crisis, as well as guidance for the mundane but essential day-to-day decisions and actions. They also provide approaches to problems that have been well-thought-out and tested over time. And though there is no magic in them, these policies bring an organisation closer to understanding its computer and network business requirements and risks.

At the same time, the policies provide a framework for re-evaluation as requirements and risks change. The work of instituting the best practices for network security can be daunting. The list of tasks seems limitless, and the possible procedural issues appear to touch on every aspect of every employee's interaction with the network. The correct framework built on the correct premises makes this easier to accomplish. Premises firmly grounded in reality that takes into account the needs for both usability and security; give us the freedom to thoughtfully and calmly provide the security we need, in a manageable way, while still delivering required services and enabling profitability. But dogma plus information is not enough. At every step, senior management support is critical.

From the assignment of responsibilities with authority, to the approval of purchasing, policies and plans, upper management makes or breaks the security program. Aside from the fact that in any organization senior management assigns and delegates authority, it is often the official or unofficial arbitrator should individuals or organisations disagree with policy. The right information, mind-set, and blueprint provide the foundation for security with usability for an enterprise.

Recommendation

Without security measures and controls in place, data might be subject to an attack.

These attacks can be passive, active, network based or Non-Network based attacks.

Using the following measures can help to prevent all these attacks: Consult with network experts before actually buying any network devices.

This not only can help the organization to choose the right network devices but also to save them a lot of money. Use the latest virus protection software on each computer in the network.

Also Anti-virus software should be frequently updated. Use a Firewall such as a network appliance or a personal firewall package.

Firewall software should be updated regularly. Also hardware Firewalls should be configured properly. Use the Internet only through Rooter firewalls and Proxies and don't connect the computers directly to broadband. It is also recommended the users such students and staff to be trained and well informed about virus and how to use the system safely. Disable java, JavaScript and ActiveX For web sites, use SSL. Always backup the necessary files, system files and configurations on the network.

These measures are the most recommended methods for network security. Using these methods will definitely help to reduce any potential attacks from the Internet.

Bibliography

Web sites:

1)http://staff.washington.edu/gray/papers/credo.html

2)http://www.ph.utexas.edu/security/network-security.html

3)3…http://publib.boulder.ibm.com/infocenter/eserver/v1r3s/index.jsp?topic=/iphae_web/networksecurity.htm

4)http://publib.boulder.ibm.com/infocenter/eserver/v1r3s/index.jsp?topic=/iphae_web/networksecurity.htm

A5) http://en.wikipedia.org/wiki/Broadband

Books

5) Chris Brenton, 1999”Mastering Network Security”, US, Sybex inc. William Stallings, 2000, “Network Security Essentials”, US, Prentice-Halting.

7) Fred Halshal, 1992,”Data Communication and Computer Network”, US, Addison-wesley.

8) Mike James, 1989, “Low Cost PC Network”, UK, Anchor Press ltd.

References

http://elias.decus.ch/presentations/ge_19970415_av/TSLD011.HTMGeneric Firewall Functions

A straightforward, simple outline of firewall functions, part of a sales presentation for the Alta Vista Firewall. http://www.ukiahsoft.com/securitywp.htmlNetRoad FireWALL White Paper

A sales piece for the NetRoad FireWALL from Ukiah Software, Inc., containing a Firewall Primer with excellent descriptions of firewall types. More technical but it defines terms and is well written.

Fire in the Hole http://www.infosecuritymag.com/fire.htm

An August 1998 article by Edward Skoudis. Written for savvy readers but with lots of good basic information about firewalls and the then-current state of the firewall art. http://mmm.wiwi.hu-berlin.de/IMI/s_firewalls.html Network Security and Firewalls

Another good reference, which though highly technical explains more about what those "layers" are and how security works in each layer. http://www.examcram2.com/articles/article.asp?p=101741&seqNum=3&rl=1

Resources

The following books and Web sites can provide insight into the development of sound security policies and procedures.

Books

Firewalls and Internet Security: Repelling the Wily Hacker, Bill Cheswick and Steve Bellovin. Addison-Wesley, June 1994

Designing Systems for Internet Commerce, Win Treese and Larry Stewart. Addison-Wesley, 1998

Web Security Sourcebook, Aviel Rubin, Daniel Geer and Marcus Ranum. Wiley Computer Publishing, 1997

Information Warfare and Security, Dorothy Denning. Addison-Wesley, 1999

+Information Security: Policies and Procedures: A Practitioner's Reference, Thomas R. Peltier. CRC Press, Auerbach Publications, December 1998

The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, Gerald Kovacich. Butterworth-Heinemann, May 1998

Web Sites

> The SANS Institute, www.sans.org: Security policies, course notes The Computer Security Institute (CSI), www.gocsi.com: Various papers and editorials about security practices and products Project COAST (Computer Operations, Audit and Security Technology), Purdue University, www.cerias.purdue.edu/coast/: Software tools, information archives, research projects Page 62 of 66