Network Security Plan and Implementation Report for GB

Question: Network Security Plan and Implementation Report for GB. Answer: Introduction Banking sector is one popular area where computer networks and IT systems are extensively used. Banks make use of IT network capabilities to improve their business outcomes and ensure efficiency in all their operations. In this report the network security implementation is analyzed for The Golden Bank (GB). The network security aspects are explored for security planning and for ensuring robust and adequate security measures are implemented in their systems. GB network is wide and big and faces lot of issues in maintaining and managing their IT network infrastructure. This is because the existing network found in their HQ, operations and branch offices use different protocols which are viewed as a security challenge since some of the native protocols are more vulnerable to latest attacks and viruses. Company Overview GB Headquarters is based in Tivoli which has 80 employees. There are two remote branch offices, one at Greenland and the second one at Faroe. In addition to this the operations building is located 60 Kms away from Tivoli and a warm backup storage site located 100 Kms away from Tivoli. In addition to this, there are 28 branch offices all connecting to operations office using frame relay or DSL links. All these 28 branch offices are similar in spread. GB also has 28 ATM machines which use SNA protocols to communicate with operations. Some file servers still run primitive IPX/SPX protocols and some of them use TCP/IP. The HQ and operations office and warm backup site use T3 leased line, HQ connects with Greenland and Faroe with T1 leased line. The warm site backup office is used for off-site data storage and this is done regularly to ensure protection. The bank also provides connectivity to outside vendors. The bank uses CISCO 2600 multiservice platform routers, has network attached sto rage (NAS), a combination of windows and Linux servers and desktops running Windows 8 OS. Each branch office, the operations office, remote offices and warm backup site has a LAN running on 10Base-T Ethernet, the LAN in HQ runs on 100Base-T Ethernet. Frame relay networks are used by branch offices and vendor to connect to operations center. Problems faced by GB: GB network is dependent on IPX/SPX, SNA and frame relay networks which the board feels is a bottleneck for further business growth. Further, GB is already pending huge amount of money in maintaining existing IT network and infrastructure with very less room for expansion. The bank also plans to expand its existing branch offices by 30% in which case the network must be scalable and flexible to accommodate more data volumes efficiently. GB also desires to have an efficient and high performing WAN/LAN with zero problems during their business operations. The scope of this report is to explore traditional WAN based solutions for managing all systems and LANs in GB through IP addressing, and to plug vulnerabilities in their servers, network devices and to protect all systems IT network infrastructure of GB from attacks and hackers. The security plans are explored and discussed for their importance in securing data and customer services in GB. Security plans and security measures will be implemented across all areas of GB operations to, Protecting all servers - web servers and database servers, NAS, servers in other offices/branches which connect to the operations center. Protection will also include individual systems and LANs at warm backup site, two remote offices, operations office and the LANs and individual systems found in all the 28 branch offices. Securing the network links between offices using appropriate encryption, decryption methods as needed. Providing redundancy at warm backup site for ensuring latest data is available from all the other offices to ensure business continuity. Positioning firewalls, proxies, DMZ, IDS/IPS, for protecting individual network devices, routers, switches, etc. Develop security implementation planning and test security vulnerabilities in the network. Network Design and Assumptions made The GB network consists of different networks all of them connected through some common routers and protocols. In order to secure the network in GB, the following general aspects are analyzed (Daya, 2008). They include, Network architecture for each network, security aspects on internet and so on. Types of attacks on servers, computers, networks, applications and data While access is provided on internet, the security measures to be implemented Understand the existing security, hardware, software, etc. GB requires cost effective high speed WAN links with accuracy between their offices. The internet can be considered as a network carrier, but since it is an open public network, GBs network packets on the internet are vulnerable to attacks. The option of VPN connectivity between operations center and branch office is considered instead of frame relay, because VPN (Ferguson Huston, 1998) can establish a more secure network compared to fame relay nets. A WAN network is essential for GB to connect all their sites and branch offices, ATMs and remote sites. WAN has the ability to connect multiple LANs (Rouse, 2007). The sites of GB are distributed however their database is centrally maintained and managed. At the same time, the data available on remote servers are also secured by real time backup at the warm backup site. In order to implement security measures at all LANs and WAN links along with devices, servers and individual computers, the top-down network design approach (Oppenheimer, 2011) is considered. The top-down approach begins with upper layers of the OSI model and moves down to further layers. In this approach the sessions layer and data transport layer is considered. The approach also takes into account GBs group structure, organization structure along with user and service authentication principles in order to fulfill certain controls in the network are fulfilled. The secured network for GB is designed to fulfill business goals that include, Improve productivity and communications along with providing data security to the organization. Reduce operational costs incurred for telecommunications and maximize business outputs Ensure information in the organization is highly protected for all employees in all locations of GB The network must also fulfill future information needs (Wen, 2001) and technical goals which is summarized as, Scalability: Scalability refers to the ability of the network to continue to function efficiently in spite of drastic changes in data flow volume or size. For good network performance in peak loads, scalability is important. Availability: Services and the network must be available at all time to users. Performance: Performance of a network is highly important to ensure GBs transactions are made efficiently and the network is able to work in its full capacity. Security: In enterprise networks, security is highly crucial particularly in enterprise networks because the computers keep connecting with other sites and also to the internet. Concerns related to security must be integrated in network design stages itself. It is important to devise a security plan and policies for the company to address the risks in deploying a secure project. The security plan must determine the consequences of an attack and make plans accordingly. The performance, availability and scalability are handled by the redundancy provided by T1 and T3 links between GBs offices and remote branches. Security is planned by establishing firewall and IDS at the periphery of the network and in internal LAN respectively. Security measures for user authentication and data encryption, establishing VPNs for connecting branch offices are considered in ensuring network security. Network Design and Architecture GB has one headquarters, two remote offices, an operations office, a warm site for offsite backup, remote offices and branches. Each office has a LAN with multiple users, routers for transferring packets and firewalls for authentication. The main router is located at operations site and warm site backup. This is the CISCO Immersive Tele-presence system as it can manage multiple protocols. The WAN plan for GB is shown in figure 1 with routers, firewalls and LAN at each location. All data passes through the main router in operations and routed to respective offices. For example, if any one branch office sends a packet to HQ, it is routed through main router. Figure 1: The WAN plan for GB Since, the entire LAN and WAN for GB is a TCP network, the router uses RIP protocol (Hendrick 1988) for routing packets from any one LAN to other LAN or subnet. For routing correctly RIP must be enabled in all routers. In the figure, the network addresses must be included in routing and interfaces participating in the WAN must be specified. This is done using the RIP command. RIP Version 2 is used to define routing tables in router. The network command is used to define connected subnets on routers. Subnets are included in routing updates because HQ has four subnets namely Finance, Accounting, Management and Administrative users. In addition to this each branch, remote offices, operations office and warm backup site, ATMs, outside support vendors are also available. RIP command must specify all IPs in each office and must also include network devices. In the GB networks, classful networks are also available in the form of outside support vendors. Classful network refer to IPs that use the GB network in addition to their existing IPs. Certain default routing updates are summarized in the network (Antoniou 2007) perimeter to establish a DMZ. RIP is used mainly to update routing tables automatically which is done as below: A router for example at remote office 1 (Faroe) may experience changes to an entry update in its routing table to include a new route. When the table in Faroe router is updated, this information is sent to other routers in the WAN to update tables automatically for this change In this way data packets across different locations in WAN is routed to their respective destinations Therefore RIP is used to define routing tables in routers in GB. IP addressing Network address in CIDR format is used for GB as it is a private IP. The private address 10.0.0.0 for GB will be subnetted across its locations by taking 3-bits as below: Number of subnets = 8 (23) Total number of hosts = 221 2 = 2097150 Subnet mask will be 255.254.0.0 The above is defined to expand the network in future. Table 1 shows the start and end IPs along with their broadcast address. Network Address First Address/n Last Address/n Broadcast Address 10.0.0.0 10.0.0.1/11 10.31.255.254/11 10.31.255.255 10.32.0.0 10.32.0.1/11 10.63.255.254/11 10.63.255.255 10.64.0.0 10.64.0.1/11 10.95.255.254/11 10.95.255.255 10.96.0.0 10.96.0.1/11 10.127.255.254/11 10.127.255.255 10.128.0.0 10.128.0.1/11 10.159.255.254/11 10.159.255.255 10.160.0.0 10.160.0.1/11 10.243.255.254/11 10.191.255.255 Table 1: GBs IP addressing scheme followed for their locations In the above table since HQ needs 80 IPs, the start address will be 10.160.1.1 and end with10.243.255.254. The router steps are given below: Router Network Address = 10.160.0.0/11 Password: gbwan Router Configuration Steps hostname hq hq(#) config t hq(config) interface fa0/1 hq(config-in) ip address 10.160.0.1 255.243.0.0 hq(config-in) no shutdown For VLAN Routing Branch office with Operations (one branch) operations(config) int fa0/0.1 operations(config-in) ip address 10.0.0.1 255.248.0.0 operations(config-in) no shutdown operations(config-in) encapsulation dot1q 2 VLAN Configuration for one branch vlan 2 name branch1 Likewise all 28 branch offices are defined, along with two remote offices at Faroe and Greenland. As each branch office, remote offices, and operations office have servers they must be defined in router. Similarly the warm back up site has network attached storage which must be taken into account in the routing table. Network Security Plan The main objective is to plan WAN security for GB due to increased threats and their use of old and obsolete protocols and systems. The network security plan is made by ensuring there is no disruption to their existing network and business operations. The following aspects are considered in GBs security plan: Identify all assets in GB along with the risks and vulnerabilities posed by each element Developing security policies and procedures for implementation Implement antivirus software in all systems (servers, PCs, etc) Testing and implementing security procedures in all GB locations Data confidentiality, privacy and integrity are highly important in WAN security. Confidentiality: In confidentiality, information contained in the network is private. The data stored in servers in GB networks is meant for private use and must be protected. Integrity: Data integrity is an important network security aspect as data is prevented from getting modified or corrupted by attackers. Non-repudiation: Ensures users will not deny using GB network. The above five aspects are highly important to be considered in order to have effective secured network system (Dowd, 1998). Physical security measures such as controlled user access by authentication process, establishing access levels in system and encryption are implemented (Oppenheimer 2011). User and access control measures will be implemented across all services, databases, servers and VPNs. The security aspects of RIPv2 protocol is also examined (Davis, 2006). Two authentication methods are available with this protocol namely plain-text and message digest 5 (MD5) (Khalid, et al., 2008). In routers plain-text is the default method, but they must be configured using MD5 because this method encrypts the password in router and secures the table. Hence, if a hacker is able to get access to physical environment the WAN can become unsecured (Parziale, et al., 2006). WAN authentication will occur when updates are received by a trusted source or router. Hence, in routers authentication ensures the entry of corrupt or malicious update, or denial of service (DoS) attacks (Rivest, 1992). Therefore, MD5 algorithm is used for authentication. From the above, the network security plan for GB network will consist of, A security plan consisting of standards, guidelines, policies, implementing IDS, procedures for managing incidents and so on are developed (Winkler, 2011). Security policies are defined for the entire GB network, which includes, accessing internet, user policies, privacy matters, etc (FCC, 2012). Developing the implementation strategy which outlines steps of the plan for action in GB. Gain support from management. Network security strategies and implementation is an organization wide activity. This must be supported by IT, business and all employees in GB. Training to staff, technical training to IT staff in managing the plan must be imparted. Finally the security systems are implemented. Implementing network security technology In the WAN firewalls are implemented in the periphery of the network to prevent outside attacks and when users access the internet. A general implementation of a firewall for GB is shown in figure 2. Firewalls are used in periphery of GB network and positioned at different places in the network to prevent IP address that do not meet the specified criteria in routing tables. Since GB network uses the internet for VPNs, security measures such as port address translation (PAT) are implemented to stop attacks from outside. Figure 2: An implementation of firewall Further, the main CISCO router will ensure packet filtering, and IDS is used in GB to enhance security of data because this is an additional layer of security to prevent attacks that pass through perimeter firewall. The positioning of IDS for GB is illustrated in figure 3. Figure 3: Use of IDS along with firewall for network security Network services in GB must be analyzed for its implications for users (Zwicky, 2001). For instance, if a user has database server access, the user must be examined for web server and access to file server. Security areas are classified as trust and untrusted areas. For instance, the internet is an untrust area. In GB network DMZ zones are defined to show if the network is fully secure or insecure. The DMZ zone will provide access to untrusted users, i.e., users gaining access from internet. Normally, web and mail servers fall in DMZ zone. Database servers, authentication servers, file servers and storage systems fall in the protected zone for GB. Virtual LANs (VLAN) are implemented to ensure protection of servers. The protocols implemented in GB for network management are ICMP, RCP, TCP/IP and SNMP for monitoring availability, utilization and latency in WAN (Leskiw, 2005). In addition to this the other protocols used in configuring network security and consistency include WMI, HTTP, UDP MD5, RIP v2. The next step is to define ACLs. For example, In ACL Administration is not allowed to access Management and Accounting Using extended list ip access-list extended vlan_administration deny ip 10.8.0.0 0.7.255.255 10.64.0.2 0.31.255.255 deny ip 10.8.0.0 0.7.255.255 10.64.0.3 0.31.255.255 int fa0/0.2 ip access-group vlan_administration out Faroe not allowed to access warm site ip access-list extended vlan_faroe deny ip 10.32.0.0 0.7.255.255 10.64.0.2 0.31.255.255 permit ip 10.32.0.0 0.7.255.255 10.64.0.3 0.31.255.255 int fa0/0.4 ip access-group vlan_faroe out The ACL is configured in GB for all the sites. The deny ip command will ensure the hosts belonging to administration and Faroe fulfill the access conditions as required by GB. Testing The next stage is testing. The network and system configurations are considered in testing (Thai, 2012). In addition to this network penetration tests are done to prevent malicious IP from entering the network. The entire security technology is tested using Universal Threat Management System (UTMS) and software tool named Endian FW is used to monitor network traffic and view malicious behaviour. Testing can also be done using tool named CISCO flow, which is also sued for trouble-shooting (Kunth, 2011). The final implementation for network security is illustrated in figure 4. Figure 4: Network security implementation in GB To test packet transfer from any user IP to another remote IP on the network, ping command is used. The remote IP will respond as shown in screenshotfigure 5. Figure 5: Ping command and response from staff IP The network packet flow is illustrated in figure 6 for GB. Figure 6: Network packet flow in GB The intrusions are monitored from packet flows using UTMS and monitoring software. Conclusions In this report, the redesign of GB enterprise network is explored for ensuring network security to protect their systems and infrastructure. The security solution is achieved through the implementation of network planning, security planning and implementation of secured network to connect their offices with the enterprise network. The existing infrastructure for GB is examined for threats, attacks and performance impact on the network. The redesign of the network is explored by considering different aspects of business and IT operations. The aspects of implementing a security policy and operating procedures are emphasized. The security solution is shown in figure 1 to show the positioning of firewalls, routers and connectivity between different locations. The secured network is implemented using standard protocols with adequate scope for expansion in future. The security implementation is demonstrated using UTMS and Endian FW monitoring and network management software to test the des igned network. References Antoniou, Stelios (2007). How to configure RIP Version 2. Daya, B., (2008), Network Security: History, Importance, and Future. Florida, USA: University of Florida Department of Electrical and Computer Engineering. Davis, David (2006). Cisco administration 101: Know the basics about RIPv2. Dowd, P.W., (1998), Network security: it's time to take it seriously. Computer , 24-28. FCC (2012), Cyber Security Planning Guide. Federal Communications Commission. Ferguson, P. G. Huston, (1998), What is a VPN? Cisco Systems. Hedrick, C. (1988). Routing Information Protocol RFC1058. Network Working Group, Rutgers University. Khalid, S., T. Hatim, A. Elzoghabi and S. Mohammad (2008), Performance Evaluation of Secured Versus non-secured EIGRP Routing Protocol. Proceedings of SAM. pp.174-178. Kunath, A. (2011), Enterprise Network Testing . Indianapolis : Cisco press. Leskiw, Aaron (2015), Techniques for Monitoring WAN Links. Oppenheimer, Priscilla, (2011), Top-Down Network Design. 3rd ed. IN, USA: Cisco Systems Inc. Parziale, Lydia, David T. Britt, Chuck Davis, Jason Forrester, Wei Liu, Carolyn Matthews and Nicholas Rosselot (2006). TCP/IP Tutorial and Technical Overview. 8th ed. USA: IBM Corporation.