MSc. Computing
Written By
Sina Rahati
Tan Kok Chee
Swipeng Tay
Onwuegbuzie Innocent U.
Yao Zhen Wei
IT Security for ABC Broadcasting Corporation: Network Infrastructure, Network Security and Management Policies
TABLE OF CONTENT
LIST OF FIGURES
Figure i: Diagram of Asian Countries Where ABC Broadcasting Corps Operates ... 7
Figure ii: Diagram Showing a Simplified Form of ABC Corps VPN and Leased Line Connections ... 9
Figure iii: A Detailed Diagram of ABC Broadcasting Corporations Network ... 15
Fig iv: The Demilitarized Zone (DMZ) ... 24
Fig v: Virtual Private Network (VPN) ... 25
ABSTRACT ... 5
CHAPTER ONE
1.1.0 Purpose and Scope ... 6
1.2.0 Introduction ... 6
1.3.0 Company Profile of ABC Broadcasting Corporation ... 6
1.4.0 Linking ABC Broadcasting Corporation to Its Various Branches ... 7
1.5.0 The Virtual Private Network (VPN) ... 8
1.5.1 How VPNs Work ... 8
1.5.2 Security Measures Used In IP-VPN ... 9
1.5.3 Tunnel ... 9
1.5.4 Firewall ... 9
1.5.5 Encryption ... 9
1.5.6 Point to Point Tunneling Protocol ... 10
1.5.7 Internet Protocol Security (IPSec) ... 10
1.5.8 AAA Servers ... 10
CHAPTER TWO
2.1.0 Point to Point Leased Line ... 11
2.2.0 Point to Point Protocol ... 11
2.3.0 CSU/DSU Device ... 11
CHAPTER THREE
3.1.0 Analyzing ABC Corps Network Configuration Setup ... 12
3.2.0 Head Quarters and Branch Office VPN Connection ... 13
3.3.0 Head Quarters and Branch Office Leased Line Connection ... 14
CHAPTER FOUR
4.1.0 System/Security Hardening ... 16
4.2.0 Network Hardening Measures ... 16
4.3.0 Testing the Firewall ... 18
4.4.0 Default Settings ... 18
4.5.0 Rule Sets ... 19
4.6.0 Audit ... 19
4.7.0 Mandatory Requirements ... 19
4.8.0 Consequences of Non-Conformance ... 20
4.9.0 Operating Systems (OS) / Cisco IOS Requirements ... 21
CHAPTER FIVE
5.1.0 Guidelines for Building Firewall Environments ... 23
5.2.0 DMZ Networks ... 23
5.3.0 Virtual Private Network ... 25
5.4.0 Intranet ... 26
5.5.0 Intrusion Detection System (IDS) ... 26
5.6.0 Intrusion Prevention System (IPS) ... 27
5.7.0 Infrastructure Components ... 28
CHAPTER SIX
6.1.0 General Security Measures ... 29
6.2.0 Installation and Configuration ... 30
6.3.0 Firewall Software ... 30
6.4.0 Access to the Firewall ... 31
6.5.0 Testing the Firewall ... 31
CHAPTER SEVEN
7.1.0 General Settings and Defaults ... 32
7.1.1 Security Policy ... 32
7.1.2 Enable Network Address Translation (NAT) ... 32
7.1.3 Specify Limits of Authentication Failures ... 32
7.1.4 Reserve Enough Disk Space to Hold the Log File ... 32
CHAPTER EIGHT
8.1.0 Managing Rule Sets ... 33
8.2.0 Hardening the Rule Set ... 34
8.2.1 Turn off Unused Rules ... 34
8.2.2 Deny "Spoofed Packets" ... 34
8.2.3 Rule Order Is Important ... 34
8.2.4 Performance of the Rule Set ... 35
8.2.5 Browse and Edit the Default Rules ... 35
8.2.6 Block Any Access to the Firewall Itself ... 35
8.2.7 Log All Packets Marked For Drop ... 35
8.2.8 Drop Broadcast Traffic and Switch Logging Off ... 35
8.2.9 Block the DMZ If Appropriate ... 36
8.2.9.1 The DMZ Should Never Initiate Undesired Connections ... 36
8.2.9.2 Put Comments at the Rules ... 36
CHAPTER NINE
9.1.0 Audit ... 37
9.2.0 Auditable Events ... 37
9.3.0 Sample Traffic Rule Matrix ... 39
9.4.0 Blocking Standards ... 40
9.5.0 Firewall Allow and Denial/Blocking Rules ... 41
CHAPTER TEN
10.1.0 Management Security Hardening Policies ... 43
CHAPTER ELEVEN
11.1.0 Recommendations ... 45
11.1.1 Opinions ... 45
11.2.0 Summary and Conclusion ... 45
11.3.0 Terms and Definitions ... 46
References ... 48
ABSTRACT
Designing a network is not just about placing routers, firewalls, intrusion detection systems and so on in a network; it is about having good reasons for placing such hardware where it is placed. The world has gone beyond designing a network merely for the sake of achieving a functional inter-connected LAN or WAN for doing business. The threat to organizational security has heightened to such an extent that a safe network design is not complete without having the necessary protective hardware in place, as well as spelling out appropriate rules and measures to counter organizational threats such as malicious programs, hackers and social engineers.
ABC Broadcasting Corporation is an organization that offers broadband satellite television services to its numerous clients. This document is aimed at explaining how to design a well-protected and hack-proof network, both on the hardware/software side and from the human angle. Two network link methods are used to secure ABC Broadcasting Corp's network: IP-VPN and Point to Point Leased Line. A detailed explanation is given of how these networks are set up and protected, with descriptive diagrams.
The last phase of this document focuses on network security, which is sub-divided into two parts: network hardware security, which centers on firewall configuration rules, and management security, which focuses on measures to thwart, prevent and annul attacks by hackers, crackers and social engineers.
CHAPTER ONE
1.1.0 PURPOSE AND SCOPE
1.2.0 INTRODUCTION
Information technology networks can be described in many ways, but the description that
seems to provide the best understanding of how to defend networks is to compare it to an onion. If you
think of a network as being composed of multiple layers, the outermost layer is the part that you touch,
the boundary between it and the world. As you peel back the layers, you move closer to the valuable
“core.” In network terms, the core most often represents our most valuable data and applications. Each
layer of the network provides a different level of functionality and requires its own unique set of
solutions to adequately secure the information traversing it between the core and the boundary.
The most effective security architectures incorporate security strategies at every layer of the
network. This makes it extremely difficult for someone attempting to compromise the network to
attack from the outside, because they must not only peel back the boundary (the first layer of defense),
but each layer beneath it to get to the most valuable data or infrastructure. This strategy is called
“Defense in Depth” and represents the most effective means of thwarting system compromise. Even
though some defenses may be defeated, it is much more difficult to penetrate all of the layers than just
one layer. Nevertheless, the perimeter or network boundary is critical as the first line in defense of the
network and is the focus of this paper.
ABC Corporation has its headquarters in Kuala Lumpur, the capital of Malaysia, and spreads its branches across the countries shown in the above diagram. The headquarters is where the products and services are developed and where management sets its policies and strategies. There are seven branch offices: Singapore (Singapore), Jakarta (Indonesia), Bangkok (Thailand), Vientiane (Laos), Phnom Penh (Cambodia), Hanoi (Vietnam) and Manila (Philippines). These branches receive their policies and guidelines from Kuala Lumpur. Sales of the satellite dish, decoder and access are made through the company's outlets, which are located in different parts of the region. Renewal of access to the broadcast news and movies is through these outlets or through the internet by visiting the company's website.
There are various possible modes of linking a company's branches to its Head Quarters (HQ); amongst these are the Internet Protocol Virtual Private Network (IP-VPN), Frame Relay, Point to Point Leased Lines, X.25, and Broadband Integrated Service Digital Network (B-ISDN)-Asynchronous Transfer Mode (ATM). Analyzing these various network link methods takes into consideration the dynamics of technological advancement in IT in general, which may directly or indirectly affect the chosen network type. The network configuration that is chosen must have the following features:
• Scalable geographic connectivity
• Improved security
• Low operational costs
• Reduced transmission time and operational costs for customers
• Enhanced productivity
• Simple network topology
• Support for future global expansion
• Telecommuter support
• Broadband networking compatibility
• In line with the management's objectives
Having studied the available network connectivity methods, it was concluded to implement the IP-VPN and the Point to Point Leased Line methods for linking ABC Broadcasting Corporation to its various branches. The IP-VPN is to link the distant branches of the company to the Head Quarters in Kuala Lumpur, while the Point to Point Leased Line is to link the closer branches to the Head Quarters. Let's talk first about the IP-VPN.
A VPN is a private network that uses a public network (usually the Internet) to connect remote sites/branches together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to its remote sites or employees.
When making a VPN connection, there are two connections. The first connection is made to the Internet Service Provider (ISP); TCP/IP (Transmission Control Protocol/Internet Protocol) and PPP (Point-to-Point Protocol) are used to communicate with the ISP, and the remote user is assigned an IP address by the ISP. The user then logs in to the company. This second connection establishes the VPN connection, and a tunnel is created with the use of PPTP (for example) after the user is authorized. IP datagrams containing encapsulated PPP packets are then sent. In normal connections, the company's firewall does not allow PPP packets to enter the network; thus, ordinary Internet users are not able to access the private network. However, VPN services allow users who meet the security criteria to be admitted. The VPN server disassembles the packet and transfers it to the destination computer located in the private network (Microsoft TechNet 2009).
Note: It is also possible for the organization to host its own private Internet Service Provider (ISP) stations, especially at its HQ and its local and overseas branches. This is to boost security, since public ISPs cannot be fully trusted: they might sniff the organization's VPN tunnel for selfish reasons.
Below is a simplified network diagram of ABC Broadcasting Corporation's VPN network.
[Figure ii: Diagram Showing a Simplified Form of ABC Corps VPN and Leased Line Connections. Labels recoverable from the image: ABC's branch office with fibre optics leased line; leased line; VPN tunnel; teleworker.]
A well-designed and secured VPN uses several methods for keeping the connection and data secure, and these are explained below.
1.5.3 TUNNEL
A tunnel is a virtual point-to-point connection made through a public network. Once there is a connection, information can be exchanged on this virtual link. In addition, tunneling allows senders to encapsulate their packets within IP packets, which prevents the data from being altered.
1.5.4 FIREWALL
A firewall provides a strong barrier between your private network and the Internet. You can set
firewalls to restrict the number of open ports, what types of packets are passed through and which
protocols are allowed through.
1.5.5 ENCRYPTION
Encryption is the process of taking all the data that one computer is sending to another and encoding it
into a form that only the other computer will be able to decode. Most computer encryption systems
belong in one of two categories:
• Symmetric-key encryption
• Asymmetric Key or Public-key encryption
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks (i.e. the public Internet). PPTP supports on-demand, multi-protocol, virtual private networking over public networks, such as the Internet.
The Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host (Wikipedia 2009).
AAA (Authentication, Authorization and Accounting) servers are used for more secure access
in a remote-access VPN environment. When a request to establish a session comes in from a dial-up
client, the request is proxied to the AAA server. AAA then checks for the following:
• Who you are (authentication)
• What you are allowed to do (authorization)
• What you actually do (accounting)
The accounting information is especially useful for tracking client use, for security auditing, billing
or reporting purposes (How Stuff Works 2009).
CHAPTER TWO
2.1.0 POINT TO POINT LEASED LINE
A point-to-point leased line is a dedicated pair, or pairs, of copper wire connecting two end
users through a network rented from a telecommunications provider. Unlike normal dial-up
connections, leased lines are always active and deliver guaranteed bandwidth.
A point to point leased line is a cost effective, resilient and secure solution for connecting multiple offices or remote workers with guaranteed uptime and bandwidth. Leased lines offer a number of significant advantages over traditional dial-up connections; these advantages are:
• Non-contention - A leased line is 100% dedicated to the company's exclusive use.
• Security - A dedicated leased line is private, and therefore secure.
• Reliability and resilience - A leased line is backed by Service Level Agreements and its performance is monitored by the service provider at all times.
• Symmetric - Upload and download speeds are the same.
• Cost control - The monthly rental charge is fixed and does not vary with usage.
• Permanence - The connection is always on.
A Channel Service Unit (CSU) is a device that connects a terminal to a digital line, while a Data Service Unit (DSU) is a device that performs protective and diagnostic functions for a telecommunications line. Typically, the two devices are packaged together as a single unit. We can think of the CSU/DSU as a very high-powered and expensive modem. This device is required at both ends of a T-1 or E-1 connection. The units at both ends of the connection must be from the same manufacturer, their configurations must be set to be similar, and the routers at both ends must be configured to be in the same subnet (Robert et al. 2005).
CHAPTER THREE
3.1.0 ANALYSING ABC CORPS NETWORK CONFIGURATION SETUP
For ABC Broadcasting Corporation to survive, it must consider network security as a critical function of its success. Appropriate measures are taken to tighten the security of ABC Corp's network infrastructure to prevent breaches of security while staying in line with the company's objectives, which aim for flexibility, scalability and affordable cost for consumers. Below is the analysis of ABC Corp's network infrastructure.
ABC Corp's network infrastructure is made up of three (3) layers:
1. The Outer-Layer, which accommodates the Web server, FTP server and E-mail server. This layer is the general public layer and is enclosed in the External DMZ. Employees and the public, including clients and partners, have access to this layer.
2. The Middle-Layer is more protected than the outer layer. This layer is strictly for employees, whether they connect from within, from a branch office or from a remote location. This layer is where most of the operational departments are found, e.g. the Sales, Accounting, Broadcasting and Customer Relations departments. Access into this layer requires authentication.
3. The Inner-Layer is the most protected of all three layers; hence it is referred to as the "Core" of the network. This layer is where the Research and Development, Human Relations and IT departments are located.
Note: All the routers used in this setup are Cisco 3800 series routers, and the Core Switches are Cisco Catalyst 4500 series switches. D-Link DES-3028 series switches are used as Access Switches. The Boundary Firewalls are Cisco PIX 500 series appliance firewalls. The IDS used is the Cisco Threat Defense IDS 4250 series. A Cisco VPN Concentrator 3000 series is also used. All the servers in the External DMZ are Unix-based Linux platform servers.
ABC Corp's network has been segmented into several Virtual Local Area Networks (VLANs). This VLAN architecture helps isolate uncontrolled broadcasting of packets (a broadcast storm), which might lead to network congestion and consequently shut down the network. Secondly, the VLAN implementation ensures that information meant for one department is contained within that department, without unauthorized access from other departments.
The ranges of IP addresses for the VLANs are:
• 192.168.1.x/24 range (VLAN 1)
• 192.168.2.x/24 range (VLAN 2)
• 192.168.3.x/24 range (VLAN 3)
• 192.168.4.x/24 range (VLAN 4)
• 192.168.5.x/24 range (VLAN 5)
The initiator (employee or dealer) logs into the company's secured VPN interface on his computer by providing a user ID and a password or pass-phrase, depending on how the configuration has been set up. The log-in is authenticated by the VPN server at his own end, which is hosted either by the branch office or by an external ISP. Upon fulfilling the log-in requirements, access to the HQ is granted through a secured VPN tunnel which travels through the public Internet cloud. The packet then meets the HQ's router, and then the Boundary Firewall. At the router, Network Address Translation (NAT) is implemented, which masquerades ABC's internal IP addresses from the public.
The Boundary Firewall is a stateless hardware appliance firewall; hence it inspects the transiting packet up to the Network layer of the Internet Protocol stack before forwarding it to the Intrusion Detection System/Switch. This piece of hardware screens the frame against laid-down security parameters. If the frame is found to contain malicious code, the IDS triggers an alarm and notifies the IT personnel and employees that an attack is about to take place or has already taken place. On the other hand, if the frame is "clean", it is allowed into the network. The level of access into the network depends on the person who logs into the network. The access is spelt out by the rules on Internal Firewall 1, and these allow the frame to reach the VPN concentrator/AAA server.
Internal Firewall 1 is a stateful firewall; in other words, it carries out inspection on the packet up to the Application layer of the Internet Protocol stack. It ensures that the packet meets the standards of the policies that are set in the firewall before allowing it to travel further into the network.
The VPN concentrator/AAA server analyses the packet by decrypting it to reveal its content, while processing Authentication, Authorization and Accounting. This Authentication, Authorization and Accounting of the packet ensures that the employee is an authenticated member of the organization and has the authority to be in the network. The authorized packet then travels to the destination department for which its request was originally made. These departments include the Broadcasting Department, Accounting Department, Sales Department and Customer Relations Department. The Research and Development (R&D) Department, Human Relations (HR) Department and Information Technology (IT) Department are situated in the Network Core, which is highly restricted from the employees. This inner layer is restricted to a few employees who have the authority as defined in the organization's policies.
The function of the Active Directory server, which is controlled by the System Administrator from the IT department, is to oversee all access rules with respect to passwords, log-ins, printing, e-mailing, and other security and instructional issues initiated by employees and non-employees.
The second means of linking to ABC's HQ office is through a Leased Line. The Leased Line is used for the branch offices whose countries share a border with the HQ's country, e.g. Singapore and Thailand. This dedicated Leased Line is provided by a third party Leased Line provider. For an employee to have access to the HQ through the Leased Line, he initiates a connection from his office. The frame travels through Boundary Firewall 1, the router, the CSU/DSU modem, and then through the E1 fibre optic leased line, which spans several kilometres, to the Headquarters' CSU/DSU modem, router and Boundary Firewall. The frame meets the External IDS and, if found clean, moves to Internal Firewall 1 and then to the AAA Server, which authenticates the request. After fulfilling the set rules, it is then allowed into the internal network.
For ABC's customers, subscribers or dealers who desire access to ABC's network for the purpose of enquiring about broadcasting services and online subscription, access is limited and routed to the Web, FTP and E-mail servers, which sit in the External DMZ and are regulated by the Boundary Firewall.
The main function of the Internal DMZ is to contain and confine the various departments within their regions and limits; it restricts them from accessing other parts of the network which they should not have access to. The Internal DMZ is regulated by Internal Firewall 2.
Below is the overall network diagram of ABC Broadcasting Corps.
[Figure iii: A Detailed Diagram of ABC Broadcasting Corporation's Network. Labels recoverable from the image: satellite in space with digital transmission dish, DVB/encoder and sat operator; clients/subscribers; ABC's branch with leased line connection via CSU/DSU modem, router and leased line (E1 fibre optics), with a redundant backup leased line; Boundary Firewall 1 and Boundary Firewall 2; External DMZ containing the proxy, FTP, e-mail and web servers and the VPN server; Internal Firewall 1; VPN concentrator/AAA server; External IDS; Internet router; public Internet cloud and VPN Internet cloud/tunnel; ABC's branch office with VPN connection via local ISP/network access server; ABC's teleworker/staff with VPN client software; central switch with the internal e-mail server, Active Directory/DNS server, DHCP server and server farm; core switch; Internal Firewall 2; Internal DMZ containing Sales Dept (VLAN 1), Customer Relations Dept (VLAN 2), Accounting Dept (VLAN 3) and Broadcasting Dept (VLAN 4); highly secured interior containing the R&D Dept, Human Relations Dept and IT Dept.]
CHAPTER FOUR
4.1.0 SYSTEM/SECURITY HARDENING
In this section we shall consider the Network Hardening Policies and the Management Hardening Policies. The Network Hardening Policies address security issues and procedures applicable to ABC Corp's network, while the Management Hardening Policies address security issues and procedures applicable to the human resources (employees, dealers and customers) managing and running ABC Corp.
In this discussion, the term "system" refers to the computers, laptops, servers, routers, switches and firewalls that may connect to the network. System hardening is a systematic process of securing the network by configuring the computers, laptops, servers, routers, switches and firewalls on the network to protect them from unauthorized access, or from being used to compromise the network. System hardening makes the system more secure without affecting its efficiency and reliability. All this hardware, produced in the factory and sold to ABC Corporation as "out of the box" devices, is usually designed by default with the convenience of the end user in mind; security is secondary. Whichever operating system is used, be it Windows, Solaris or Linux, the default configuration is frequently less secure than the one required by ABC Corp.
System hardening is done by enabling the correct set of security features and at the same time disabling features that are not required and that could compromise the network. For example, the initial security configuration could include enabling auditing of specific system events, requiring the use of strong passwords that contain both alphanumeric and symbolic characters, allowing administrative log-in only from the physical console of the system, disabling processes such as file sharing and Web server processes if those functions are not required, and blocking inbound attempts to connect over the network to critical system ports such as the Remote Procedure Call (RPC) port. In the case of ABC Corp, further measures to increase security against hackers include deletion of any operating system files that are not required and could be misused by hackers, and of the source code compilers frequently included on UNIX and Linux systems.
By hardening the system, administrators and users can have more confidence in the integrity of the data processed by the system. In addition, the performance of the system improves from turning off and disabling unnecessary ports, protocols and services on the host.
This section provides best practice security measures for the firewall (including the Management Console and Policy Server), described in more or less general terms. More detailed background information is provided in the following chapters.
Separation of roles and responsibilities for managing the Firewall and Network is recommended:
• Manages the Operating System - System Administrator.
• Manages the Firewall Software - Firewall Administrator or Network Engineer.
• Manages the accounts on the Firewall - Security Administrator or Helpdesk.
• Scans the log files - Security.
• Checks whether the firewall is deployed according to procedures - Auditor or Security.
• Administrators of the Firewall must be informed about the most recent security threats.
• Place the Firewall (and other directly connected devices) in a physically secured area.
• No test rule set should ever be tested on a production system. Use the firewall system solely as a firewall.
• The Firewall system runs no other services.
• The host system running the Firewall does not host any public data.
• There will be no trusted relations at OS level from the Firewall with other systems.
• Interruption of an individual firewall service may not compromise data or the network. In this case the Firewall must not leave the opportunity for an open connection between the external (untrusted) and internal (trusted) network.
• Ensure that backup procedures exist for the Firewall configuration and the log files.
• Make the standard rule set visible and remove unused rules. Also ensure that there are no
disabled rules within Production rule bases.
• Before activating a new or changed rule set, a back-up of the old rule set must be made.
• Keep the rule base simple and short.
• Perform periodic checks on the rule set.
• The rule set is documented properly and stored away in a safe place.
4.6.0 AUDIT
• Firewalls should be regularly audited.
• Examination of the log files shall be done at least once a month by the holder of the
Monitoring account.
• Audit trail properties: the audit trail will contain at least the date and time of the event, the type of event, the subject identity, and the outcome (success or failure) of the event.
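The stateless Boundary Firewall, the VLAN address plan and the rule-set and audit guidance above can be exercised together in code. The following Python model is an added example, not the report's or any vendor's code: it validates a first-match rule base (anti-spoofing drops before any allow, a closing default drop, no disabled rules in production) and emits, for each decision, an audit record with the four fields the audit section requires. The public DMZ range (TEST-NET-3), the server addresses, the interface names and the service ports are assumptions; the 192.168.1.0/24 to 192.168.5.0/24 VLAN plan is the report's.

```python
"""Stateless packet filter modelling the Boundary Firewall of this report.
Added example, not the report's or any vendor's code. The VLAN plan, the public
web/FTP/e-mail servers in the External DMZ, first-match order with a default
drop, no disabled production rules and the four audit-trail fields come from
the report; the DMZ range (TEST-NET-3), interface names and ports are ASSUMED.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_VLANS = [ip_network(f"192.168.{n}.0/24") for n in range(1, 6)]  # VLANs 1-5 (report)
EXTERNAL_DMZ = ip_network("203.0.113.0/28")                                # ASSUMED public DMZ range
WEB, FTP, MAIL = "203.0.113.10", "203.0.113.11", "203.0.113.12"            # ASSUMED server addresses


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "drop"
    ingress: Optional[str] = None        # None matches any interface
    src: Tuple[IPv4Network, ...] = ()    # empty tuple matches any address
    dst: Tuple[IPv4Network, ...] = ()
    proto: Optional[str] = None
    dports: frozenset = frozenset()      # empty set matches any port
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        """Stateless match on layer-3/4 header fields only; no connection state."""
        if self.ingress and p.ingress != self.ingress:
            return False
        if self.src and not any(ip_address(p.src) in n for n in self.src):
            return False
        if self.dst and not any(ip_address(p.dst) in n for n in self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def boundary_ruleset() -> List[Rule]:
    """First-match rule base: anti-spoofing drops first, then the public
    services in the External DMZ, then an unconditional default drop."""
    return [
        # A packet from the Internet must never carry an inside source address.
        Rule("deny-spoofed-internal", "drop", ingress="outside", src=tuple(INTERNAL_VLANS)),
        Rule("deny-spoofed-dmz", "drop", ingress="outside", src=(EXTERNAL_DMZ,)),
        Rule("public-web", "allow", ingress="outside", dst=(ip_network(f"{WEB}/32"),), proto="tcp", dports=frozenset({80, 443})),
        Rule("public-ftp", "allow", ingress="outside", dst=(ip_network(f"{FTP}/32"),), proto="tcp", dports=frozenset({21})),
        Rule("public-smtp", "allow", ingress="outside", dst=(ip_network(f"{MAIL}/32"),), proto="tcp", dports=frozenset({25})),
        Rule("default-drop", "drop"),   # the VLANs are never reachable directly from outside
    ]


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    return next((r for r in rules if r.enabled and r.matches(p)), None)


def validate_ruleset(rules: List[Rule]) -> List[str]:
    """Checks drawn from the report's rule-set guidance; [] means fit for production."""
    problems = [f"disabled rule in production rule base: {r.name}" for r in rules if not r.enabled]
    last = rules[-1] if rules else None
    if last is None or last.action != "drop" or any((last.ingress, last.src, last.dst, last.proto, last.dports)):
        problems.append("rule base must end with an unconditional default drop")
    # Probe with spoofed samples: an inside source arriving from outside must hit a drop rule.
    for net in INTERNAL_VLANS + [EXTERNAL_DMZ]:
        probe = Packet("outside", str(net[1]), WEB, "tcp", 80)
        hit = first_match(rules, probe)
        if hit is None or hit.action != "drop":
            problems.append(f"spoofed source {probe.src} would be accepted by {hit.name if hit else 'nothing'}")
    return problems


def evaluate(rules: List[Rule], p: Packet, now: Optional[datetime] = None) -> dict:
    """Decides one packet and returns the audit record the report requires (plus the deciding rule)."""
    hit = first_match(rules, p)
    if hit is None:
        raise RuntimeError("no rule matched; validate_ruleset() flags such a base")
    return {
        "time": (now or datetime.now(timezone.utc)).isoformat(),   # date and time of the event
        "event": "packet-filter",                                  # type of event
        "subject": f"{p.src} -> {p.dst} {p.proto}/{p.dport} via {p.ingress}",  # subject identity
        "outcome": hit.action,                                     # outcome
        "rule": hit.name,
    }


if __name__ == "__main__":
    rules = boundary_ruleset()
    print("validation:", validate_ruleset(rules) or "ok")
    for s in (Packet("outside", "198.51.100.7", WEB, "tcp", 443),   # subscriber reaching the web server
              Packet("outside", "192.168.3.40", WEB, "tcp", 80)):   # Accounting VLAN address from outside: spoofed
        print(evaluate(rules, s))
```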
a. Network Documentation
All network related documentation must be kept up to date and the currency of its content maintained. Network related documentation should be appropriately identified with date, version number, and commentary as to what changes have been made to the content. All such changes should be managed via a formal change control mechanism. In order to ensure that the Firewall is securing the required section of the network, a detailed diagram of the network may be required. This can be used to ensure that the Firewall is protecting what it should be protecting and will help in identifying any weaknesses that may exist within the Firewall setup.
b. Change Control
Management should document a formal change control policy for amending the Firewall's
configuration. This policy should describe the principles and objectives on which the change control
process should operate. Having defined when changes should be performed, the objectives should
describe the change requirements (that is, the key standards).
Change control is required to ensure that Administrators of the Firewall are in fact performing the task
required. It is implemented to ensure that:
• changes made reflect the change in policy; and
• the administrators do not perform changes without notification.
4.8.3 PATCHES
Ensure that patches to the base operating system (OS), the appliance OS and the Firewall are
current. For a firewall to be effective, it must run on a secure OS; a Firewall running on an inferior OS
is open to attack. It should be ensured that the OS and the Firewall are secure and that all patches have
been applied. Where the firewall is an appliance, its IOS and the firewall application itself must be duly
patched.
4.8.6 MANAGEMENT PROTOCOLS
Many environments are perfectly content with managing their network by the easiest and
quickest means available. Many management applications, such as remote shell (RSH) or telnet, send
all details between the management station and managed device in plain text. This allows anyone who
is in the same VLAN (either manually configured or through a compromised connection) to view all of
your commands and parameters with a simple protocol analyzer. For this reason, you should use
secure and efficient management protocols to connect to your enterprise devices.
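As an added illustration of this section (not code from the report), the following Python script audits a constructed Cisco IOS-style configuration for the clear-text management paths the text names, RSH and telnet, and shows the corrected configuration beside it. The commands used (`transport input`, `ip rcmd rsh-enable`, `ip ssh version 2`) are standard IOS syntax; the hostname and line ranges are made up, and treating SSH-2 as the only acceptable management protocol is this example's assumption.

```python
"""Audit a router/switch configuration for clear-text management access.

Added example, not from the report. The configuration below is constructed
in Cisco IOS style; "transport input", "ip rcmd rsh-enable" and "ip ssh
version 2" are standard IOS commands, the hostname and line ranges are made up.
"""
from typing import List

# Global commands that enable a clear-text management service (RSH is one of
# the examples the text gives); the "no" form of each switches it off.
PLAINTEXT_GLOBAL = {
    "ip rcmd rsh-enable": "RSH enabled; commands and output cross the VLAN in clear text",
}

# Constructed configuration fragment with one weak and one correct vty block.
SAMPLE_CONFIG = """\
hostname hq-edge
ip rcmd rsh-enable
ip ssh version 2
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""


def audit_management_access(config: str) -> List[str]:
    """Return one finding per clear-text management path found in the config."""
    findings: List[str] = []
    current_block = None      # the "line ..." command whose sub-commands follow
    ssh_v2 = False
    for raw in config.splitlines():
        cmd = raw.strip()
        if not raw.startswith(" "):               # global configuration mode
            current_block = cmd if cmd.startswith("line ") else None
            if cmd in PLAINTEXT_GLOBAL:
                findings.append(f"{cmd}: {PLAINTEXT_GLOBAL[cmd]}")
            if cmd == "ip ssh version 2":
                ssh_v2 = True
            continue
        if current_block and cmd.startswith("transport input"):
            protocols = cmd.split()[2:]           # e.g. ["telnet", "ssh"] or ["all"]
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"{current_block}: telnet accepted; "
                                "session contents readable with a protocol analyzer")
    if not ssh_v2:
        findings.append("ip ssh version 2 missing: only SSH-2 should be offered "
                        "for management (assumption: SSH-1 is not acceptable)")
    return findings


def harden_config(config: str) -> str:
    """Rewrite the config so that only SSH-2 reaches the management lines."""
    out = []
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd in PLAINTEXT_GLOBAL:
            out.append("no " + cmd)               # disable the clear-text service
        elif raw.startswith(" ") and cmd.startswith("transport input"):
            out.append(" transport input ssh")     # vty lines: SSH only
        else:
            out.append(raw)
    if "ip ssh version 2" not in out:
        out.append("ip ssh version 2")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(harden_config(SAMPLE_CONFIG))
```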
4.9.3 HARDENED
Out-of-the-box operating systems are normally not prepared to perform security services. Measures
must be taken to tighten the security of these OSs; this is called 'hardening'. Refer to the appropriate
Operational Security Guideline (OSG) to harden the OS.
4.9.6 NO BACKDOORS
When the network infrastructure is well designed, no backdoors (such as modems or RAS servers) to
systems in the protected network are available, which means that information cannot flow between
the internal and external networks unless it passes through the Firewall. Any deviation from the
Security Policy must be approved by IT Security and Risk Management or Senior Management.
CHAPTER FIVE
DMZ networks are typically implemented as network switches that sit between two firewalls or
between a firewall and a boundary router. Given the special nature of DMZ networks, they typically
serve as attachment points for systems that require or foster external connectivity.
5.3.0 VIRTUAL PRIVATE NETWORKS (VPN)
Another valuable use for firewalls is for enablement of VPNs. A VPN is constructed on top of
existing network media by using additional protocols and usually, encryption. If the VPN is encrypted,
it can be used as an extension of the protected network.
In most cases, VPNs are used to provide secure network links across networks that are not trusted.
VPN technology is often used to create secure networks between organizations or branches, as shown
in Figure 5.3.
On the protocol level, there are several possible choices for a modern VPN. The first, and
perhaps the most widely used at present, is the set of protocols known as IPSec (Internet Protocol
Security). The IPSec standards consist of IPv6 security features ported over to IPv4, the version of IP
in use today on the Internet.
Other current VPN protocols include PPTP (Point-to-Point Tunneling Protocol), a Microsoft standard,
and L2TP (Layer 2 Tunneling Protocol).
5.3.2.1 HOST-TO-HOST
In this model, IPSec connections are created as needed for each individual VPN user. Users'
hosts are configured to act as IPSec clients of the IPSec server. When a user wishes to use
resources on the IPSec server, the user's host initiates communications with the IPSec server. The user
is asked by the IPSec server to authenticate before the connection can be established. The client and
server exchange information and, if the authentication is successful, the IPSec connection is
established. The user can now use the server, and the network traffic between the user's host and the
server will be protected by the IPSec connection.
5.3.2.2 HOST-TO-GATEWAY
In this model, IPSec connections are created as needed for each individual VPN user. Remote
users' hosts are configured to act as IPSec clients of the organization's IPSec gateway. When
a remote user wishes to use computing resources through the VPN, the host initiates communications
with the VPN gateway. The user is typically asked by the VPN gateway to authenticate before the
connection can be established. The VPN gateway can perform the authentication itself or consult a
dedicated authentication server. The client and gateway exchange information, and the IPSec
connection is established. The user can now use the organization's computing resources, and the
network traffic between the user's host and the VPN gateway will be protected by the IPSec
connection. Traffic between the user and systems not controlled by the organization can also be routed
through the VPN gateway; this allows IPSec protection to be applied to this traffic as well if desired.
5.3.2.3 GATEWAY-TO-GATEWAY
This model is relatively simple to understand. To facilitate VPN connections, one of the VPN
gateways issues a request to the other to establish an IPSec connection. The two VPN gateways
exchange information with each other and create an IPSec connection. Routing on each network is
configured so that as hosts on one network need to communicate with hosts on the other network, their
network traffic is automatically routed through the IPSec connection, protecting it appropriately. A
single IPSec connection establishing a tunnel between the gateways can support all communications
between the two networks, or multiple IPSec connections can each protect different types or classes of
traffic.
5.4.0 INTRANET
An internal network (intranet) is a network that employs the same types of services,
applications and protocols present in an Internet implementation, without involving external
connectivity. Within an intranet, many smaller intranets can be created by the use of internal firewalls.
Since an intranet utilizes the same protocols and application services present on the Internet, many of
the security issues inherent in Internet implementations are also present in intranet implementations.
Therefore, intranets are typically implemented behind firewall environments.
When deploying a NIPS, however, consideration should be given to whether the network segment is
encrypted, as many products are unable to inspect such traffic. There are two different types of IPS
generally available:
5.7.1 HUBS
The simplest of these connection devices is the network concentrator, or hub. Hubs are
devices that function at Layer 1 of the OSI model. In other words, there is no real intelligence in
network hubs; they exist only to provide physical attachment points for networked systems or
resources. There is a weakness associated with network hubs: they allow any device connected
to them to see the network traffic destined for, or originating from, any other device connected to that
same hub. For this reason, network hubs should not be used at all in networking, including
building the DMZ networks or firewall environments.
5.7.2 SWITCHES
A more advanced infrastructure device is the network switch. Network switches are Layer 2
devices, which means that they employ basic intelligence in providing attachment points for
networked systems or components. Network switches are essentially multi-port bridges, so they are
also capable of delivering the full network bandwidth to each physical port. Another effect of the
bridging nature of switches is that systems connected to a switch cannot eavesdrop on each other.
These anti-eavesdropping capabilities inherent in network switches make them useful for implementing
DMZ networks and firewall environments. It is important to note that switches should not be used to
provide any firewall or traffic isolation capability outside of a firewall environment, because
denial-of-service-like attacks can cause switches to flood connected networks with packets.
CHAPTER SIX
6.1.7 INTERRUPTION WILL NOT COMPROMISE DATA OR NETWORK
Interruption of firewall service must not compromise data or the network. Upon initial start-up of
the firewall or recovery from an interruption in firewall service, the firewall must not compromise its
resources or those of any connected network.
• Security Server
The use of Security Servers should be restricted to the minimum.
• VoIP
Voice over IP should be switched off.
• VPN-1 Net
If no VPN community is defined, then block all connections.
CHAPTER SEVEN
Note: If the above IP ranges are in use within ABC BROADCASTING CORPORATION internal
network, the routing configuration and spoofing rules on the Firewall device (especially one deployed
internally to ABC BROADCASTING CORPORATION) must be applied with care.
Note: If the Firewall has the facility to use 'Automatic NAT', this is not a function that should be used.
NAT should always be manually configured in order to maintain better control of the configuration.
Note: Whenever possible, NAT should be performed by a separate device such as a dedicated router.
This improves the performance of the Firewall, reduces rule-set management and allows the Firewall to
focus on traffic control.
CHAPTER EIGHT
8.1.0 MANAGING RULE SETS
Note: Often the implicit rules controlled by the global properties of the security policy are not
reviewed for their appropriateness before implementation. Default application and service settings
should be reviewed and enabled or disabled accordingly.
Note: The only exception to logging all dropped packets is the broadcast rule.
Note: This is a standard rule that every rule base should have.
Depending on the place in the infrastructure there might be a great deal of broadcast traffic on
the network that the Firewall drops and logs, which can quickly fill up the logs. If this is the case you
might create a rule that drops or rejects this traffic, but does not log it.
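As an added example (not code from the report), the following Python rule-base lint applies the rule-set policies from the firewall section of chapter four and the notes above: no disabled rules in the production rule base, unused rules removed, every drop logged except the broadcast rule, every rule documented, and a backup of the old rule set taken before a new one is activated. The Rule fields, names and hit counters are constructed for illustration.

```python
"""Lint a firewall rule base against the rule-set policies in this report.

Added example, not part of the original document. Rule objects, names and
hit counters are constructed; a real firewall exports its rule base in its own
format and the loader is left out here.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str          # "accept", "drop" or "reject"
    log: bool
    enabled: bool = True
    hits: int = 0        # matches since the last periodic check (constructed)
    comment: str = ""    # the policy wants every rule documented


# Destinations that make a drop rule "the broadcast rule": the one drop that
# the report allows to go unlogged because it would otherwise fill the logs.
BROADCAST_DESTS = {"255.255.255.255", "broadcast"}


def is_broadcast_rule(rule: Rule) -> bool:
    return rule.action in ("drop", "reject") and rule.dst in BROADCAST_DESTS


def lint_rule_base(rules: List[Rule]) -> List[str]:
    """Apply the report's checks: no disabled rules in production, unused
    rules removed, all drops logged except the broadcast rule, rules documented."""
    findings: List[str] = []
    for i, r in enumerate(rules, 1):
        where = f"rule {i} ({r.name})"
        if not r.enabled:
            findings.append(f"{where}: disabled rule present in the production rule base")
        elif r.hits == 0:
            findings.append(f"{where}: unused rule, remove it from the rule set")
        if r.action in ("drop", "reject") and not r.log and not is_broadcast_rule(r):
            findings.append(f"{where}: dropped traffic is not logged")
        if not r.comment.strip():
            findings.append(f"{where}: rule is not documented")
    return findings


def activate_rule_set(current: List[Rule], new: List[Rule],
                      backups: List[List[Rule]]) -> bool:
    """Policy: back up the old rule set before activating a new or changed one,
    and refuse to activate a rule set that fails the checks above."""
    if lint_rule_base(new):
        return False
    backups.append(list(current))     # snapshot of the old rule set
    current[:] = new
    return True


# Constructed production rule base with deliberate policy violations.
SAMPLE_RULES = [
    Rule("mgmt-ssh", "admin-net", "fw-mgmt", "ssh", "accept", True,
         hits=120, comment="management via SSH only"),
    Rule("old-ftp", "any", "ftp-srv", "ftp", "accept", True,
         enabled=False, comment="retired"),
    Rule("web-dmz", "any", "dmz-web", "http", "accept", True,
         hits=50000, comment="public web server in the DMZ"),
    Rule("bcast-noise", "any", "255.255.255.255", "any", "drop", False,
         hits=9000, comment="broadcast rule: drop without logging"),
    Rule("branch-db", "branch-net", "hq-db", "sql", "accept", True),
    Rule("no-telnet", "any", "hq-db", "telnet", "drop", False,
         hits=30, comment="telnet is not an approved management protocol"),
    Rule("cleanup", "any", "any", "any", "drop", True,
         hits=1234, comment="clean-up rule: drop and log everything else"),
]

if __name__ == "__main__":
    for f in lint_rule_base(SAMPLE_RULES):
        print("FINDING:", f)
```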
CHAPTER NINE
9.1.0 AUDIT
These rules should be implemented on all Firewalls, Routers and Managed Switches (Chow C 2006).
As said earlier, network hardening policies will not be complete without management policies.
These involve policies governing the employees who manage, operate and implement all the system
hardware and software facilities in ABC Corporation's network. Any mismanagement on the human
side of network security could result in serious consequences; hence these management policies are
essential and should be strictly adhered to. In this case the humans act as the first line of defence in
preventing intruders such as social engineers, hackers and cyber thieves from breaking into the
organization's internal network.
CHAPTER TEN
10.1.0 MANAGEMENT SECURITY HARDENING POLICIES
These policies are strictly aimed at avoiding and preventing social engineering attacks.
Organizational security should scale with the size of the organization. In other words,
all employees in an organization should be adequately informed and trained on organizational
security policies and implementations (Mitnick and Simon 2002, p. 271),
CHAPTER ELEVEN
11.1.0 RECOMMENDATIONS
It is obvious that network/organizational security should not be left solely in the hands of
network administrators or system administrators but should be in the hands of all the employees
working in an organization, since the threat to organizational security is not only to the networking
hardware or software, but also to the humans (i.e. employees) working in the organization. To the
so-called social engineers, the human loophole is the easiest way of attacking an organization, as
Mitnick and Simon (2002, p. 3) commented: "Humans are security's weakest link".
So, it is recommended that for ABC Corporation to survive in this highly threatened and
competitive business environment, the organization should have all the necessary protective
networking hardware/software in place, with competent network and system administrators
manning them, as well as involving the entire staff of the organization in the security process by
educating them to take security as diligently as they handle their day-to-day tasks. This will be
achieved by training the entire staff about organizational security. Details of the issues that the staff
need to be trained about are discussed in this document under the caption "Management Security
Hardening Policies".
11.1.1 OPINIONS
Designing and setting up an organizational network is not all about the beauty of the
network topology, which may appear in both logical and physical diagrams; it takes an
understanding of what the operations of the organization are, and then designing a well-secured
network that suits the nature of those operations.
It is our (Group Members) opinion that a network such as that of ABC Broadcasting
Corporation should implement a two-way security measure in securing the perimeters of the
organization. This involves security from the hardware angle, by employing qualified,
competent hands to man and run the network resources. The other security measure is to strictly
consider the "weakness of the human", which serves as a link to social engineering attacks. Every staff
member of ABC Corps must be involved in training and awareness on how to recognize and mitigate
the attacks of social engineers of any kind and degree.
Efforts have been made to spell out all that is required to set up a well-secured and befitting
network for ABC Broadcasting Corps in this document. If implemented strictly by the book, then
ABC Broadcasting Corps can stand firmly to compete with any of its rivals in the business world
of broadcasting and the like.
Authentication
Proof of identity (or source). An authentication scheme between two entities consists of a
proving party and a verifying party. Authentication can be provided in various ways like for example
username-password, keyed hash, MAC (symmetric encryption) or digital signature (asymmetric
encryption).
Authorization
A set of rules which determines who gets access, and with what privileges, to a specific
resource. Authorization should be preceded by a strong form of authentication to be effective.
Cisco IOS (Internetwork Operating System)
Cisco IOS is the software used on the vast majority of Cisco Systems routers and all current Cisco
network switches. IOS is a package of routing, switching, internetworking and telecommunications
functions tightly integrated with a multitasking operating system.
Console
The console is an interface on the router which can communicate with a terminal or terminal
emulator via a serial port.
Daemon
A daemon is a computer program that runs in the background, rather than under the direct
control of a user; they are usually initiated as processes. Typically daemons have names that end with
the letter "d".
DMZ
Demilitarized Zone: a network segment between two networks of different security levels. A
DMZ is used to create a secure and controlled environment to protect traffic between two networks.
DoS
Denial of Service: an abbreviation often used for network attacks that prevent a network
component from providing its operational functions.
External Interface
The interface on a router directly connected to the network that is not under control by the
owner of the router. In some cases internal and external interface on a router are merely pointed out by
definition.
FTP
File Transfer Protocol: widely used TCP-based file transfer and file management protocol.
IDS
An Intrusion Detection System (IDS) generally detects unwanted manipulations to computer systems,
mainly through the Internet. The manipulations may take the form of attacks by crackers.
IPS
An Intrusion Prevention System (IPS) is a computer security device that exercises access
control to protect computers from exploitation. Intrusion prevention technology is considered by some
to be an extension of IDS technology but it is actually another form of access control, like an
application layer firewall.
IPSec
IPSec (IP security) is a suite of protocols for securing Internet Protocol (IP) communications by
authenticating and/or encrypting each IP packet in a data stream.
Promiscuous mode
Refers to a configuration of a network card wherein a setting is enabled so that the card passes
all traffic it receives to the CPU rather than just packets addressed to it, a feature normally used for
packet sniffing.
Protocol
A communications protocol is the set of standard rules for data representation, signaling,
authentication and error detection required to send information over a communications channel.
Proxy
A proxy is a server (a computer system or an application program) which services the requests
of its clients by making requests to other servers. A client connects to the proxy server, requesting a
file, connection, web page, or other resource available from a different server.
VPN
A Virtual Private Network (VPN) is a private communications network often used by companies or
organizations, to communicate confidentially over a public network. VPN traffic can be carried over a
public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service
provider's private network with a defined Service Level Agreement (SLA). A VPN can send data (e.g.,
voice, data or video, or a combination of these media) across secured and encrypted private channels
between two points.
Before a firewall policy can be created, some form of risk analysis must be performed on the
applications that are necessary for the accomplishment of the organization's mission. The results of
this analysis will include a list of the applications and how those applications will be secured. Risk
analysis of the Information Technology infrastructure should be weighed based on an evaluation of the
following elements:
• Threats;
• Vulnerabilities;
• Countermeasures in place to mitigate vulnerabilities, and
• The impact if sensitive data is compromised.
The goal is to understand and evaluate these elements prior to establishing the firewall policy.
The result of the risk analysis will dictate the manner in which the firewall system handles network
application traffic. The details of which applications can traverse a firewall, and under what exact
circumstances such activities can take place, should be documented in the form of an applications
Traffic Rule Matrix.
REFERENCE
• Mitnick, K & Simon, W, 2002, The Art of Deception (Controlling the Human Element of
Security), 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA.
• James, F K & Keith, W R, 2009, Computer Networking: A Top-Down Approach Featuring the
Internet, 3rd edn, Pearson Education South Asia, India.
• Chow C, 2006, Astro; Operational Security Guideline: Cisco Router, Version 1.0, Kuala
Lumpur.
• Gilbert, H 2004, Virtual Private Networking: A Construction, Operation and Utilization Guide,
2nd edn, John Wiley and Sons, USA.
• Todd, L 2007, CCNA: Cisco Certified Network Associate (CCNA), 3rd edition, John Wiley and
Sons USA.
• Larry, L P & Bruce, S D, 2007, Computer Networks: A System Approach, 4th edition, Morgan
Kaufmann Publications. Retrieved April 5, 2009 from;
http://books.google.com.my/books?id=fknMX18T40cC&printsec=frontcover&source=gbs_su
mmary_r&cad=0.
• Robert S, Michael C, & Laura, E, H, 2005, Network+ study guide & practice exams
(CSU/DSU chap 3, p.141), 3rd edn, Elsevier Publications. Retrieved April 6, 2009, from;
http://books.google.com.my/books?id=l8hU54ewGaYC&pg=PA141&dq=csu/dsu.
• Lemos, R 2000, “Mitnick teaches ‘Social Engineering’.” July 17, 2000. ZDNet News,
Retrieved April 1, 2009, from http://zdnet.com.com/2100-11-522261.html?legacy=zdnn.
• Wikipedia 2009, Internet Protocol Security (IPSec) Wikipedia: The Free Online Encyclopedia.
Retrieved April 6, 2009 from; http://en.wikipedia.org/wiki/IPsec.
• Spirent White Paper 2002, Broadband Architecture: Point-to-point Protocol Come of age.
Retrieved April 2, 2009 from; www.spirentcom.com/pdf.
• Simpson, W 1994, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661. Retrieved April 2,
2009 from; http://www.ietf.org/rfc/rfc2341.txt.
• How Stuff Works 2009, Virtual Private Network (VPN), How Stuff Works Inc. Retrieved April
5, 2009 from http://computer.howstuffworks.com/vpn.htm/printable.
• Microsoft TechNet 2009, Virtual Private Network, TechNet Magazines, Microsoft
Corporations. Retrieved April 5, 2009 from; http://technet.microsoft.com/en-
us/network/bb545442.aspx.