
UNIVERSITY OF WALES NEWPORT

MSc. Computing

COMPUTER NETWORK


(CSC1307)

Network design & network hardening policies
for

ABC BROADCASTING CORPORATION


(A SATELLITE TV COMPANY)

Written By
Sina Rahati
Tan Kok Chee
Swipeng Tay
Onwuegbuzie Innocent U.
Yao Zhen Wei

DATE SUBMITTED: May 11, 2009


RECEIVED BY: Mr. Christopher Lim (Course Lecturer)
_______________________Network Infrastructure, Network Security and Management Policies

TABLE OF CONTENT
LIST OF FIGURES
Figure i: Diagram of Asian Countries Where ABC Broadcasting Corps Operates…………………….7
Figure ii: Diagram Showing a Simplified Form of ABC Corps VPN and Leased Line Connections....9
Figure iii: A Detailed Diagram of ABC Broadcasting Corporations Network………………………..15
Figure iv: The Demilitarized Zone (DMZ)………………………………………………………….…….24
Figure v: Virtual Private Network (VPN)…………………………………………………………...…….25

ABSTRACT………………………………………………………………………………………....... 5

CHAPTER ONE
1.1.0 Purpose and Scope……………………………………………………………………………...…6
1.2.0 Introduction………………………………………………………………………………………..6
1.3.0 Company Profile of ABC Broadcasting Corporation……………………………………………..6
1.4.0 Linking ABC Broadcasting Corporation to Its Various Branches……………………….….……7
1.5.0 The Virtual Private Network (VPN)……………………………………….......................……….8
1.5.1 How VPN Work…………………………………………………………………….……...….…..8
1.5.2 Security Measures Used In IP-VPN………………………………………………………….…...9
1.5.3 Tunnel……………………………………………………………………………………………..9
1.5.4 Firewall……………………………………………………………………...…………………….9
1.5.5 Encryption…………………………………………………………………….……………….…..9
1.5.6 Point to point Tunneling Protocol…………………………………………………………......…10
1.5.7 Internet Protocol Security (IPSec)…………………………...…………………………………..10
1.5.8 AAA Servers…………………………………………………………….....……………….…....10

CHAPTER TWO
2.1.0 Point to Point Leased Line ………………………………………………………………………11
2.2.0 Point to Point Protocol…………………………………………………………………….…….11
2.3.0 CSU/DSU Device……………………………………………………………………………..…11

CHAPTER THREE
3.1.0 Analyzing ABC Corps Network Configuration Setup……………………..……………..……..12
3.2.0 Head Quarters and Branch Office VPN Connection……………………………...……………..13
3.3.0 Head Quarter and Branch Office Leased Line Connection………………………...................…14

CHAPTER FOUR
4.1.0 System/Security Hardening……………………………………………………..………...…….16
4.2.0 Network Hardening Measures……………………………...………………………………..…..16
4.3.0 Testing the Firewall………………………………………………..…………………………….18
4.4.0 Default Settings……………………………………………………………………………….….18
4.5.0 Rule Sets……………………………………………………………………………...………….19
4.6.0 Audit………………………………………………………………………………….………….19
4.7.0 Mandatory Requirements………………………………………………..…………………….…19
4.8.0 Consequences of Non-Conformance…………………………………………………………….20
4.9.0 Operating systems (OS) / Cisco IOS requirements……………………………..…….………….21

IT Security for ABC Broadcasting Corporation_______________________________________________

CHAPTER FIVE
5.1.0 Guidelines for Building Firewall Environments……………………………………………….23
5.2.0 DMZ Networks…………………………………………………………………………...…….23
5.3.0 Virtual Private Network…………………………………………………………………….…..25
5.4.0 Intranet………………………………………………………………………………………….26
5.5.0 Intrusion Detection System (IDS)…………………………………………………..…………..26
5.6.0 Intrusion Prevention System (IPS)…………………………………………….……………….27
5.7.0 Infrastructure Components………………………………………………………...……………28

CHAPTER SIX
6.1.0 General Security Measures……………………………………………………………………..29
6.2.0 Installation and Configuration……………………………………………………………….…30
6.3.0 Firewall Software………………………………………………………………………………30
6.4.0 Access to the Firewall…………………………………………………………………………..31
6.5.0 Testing the Firewall……………………………………………………………….……………31

CHAPTER SEVEN
7.1.0 General Settings and Defaults…………………………………………………..……………..32
7.1.1 Security Policy………………………………………………………………………..……….32
7.1.2 Enable Network Address Translation (Nat)…………………………………..……………….32
7.1.3 Specify Limits of Authentication Failures…………………………………………………….32
7.1.4 Reserve Enough Disk Space to Hold the Log File………………………………………..…..32

CHAPTER EIGHT
8.1.0 Managing Rule Sets……………………………………………………………………………33
8.2.0 Hardening the Rule Set………………………………………………………………………..34
8.2.1 Turn off Unused Rules………………………………………………………….……………..34
8.2.2 Deny "Spoofed Packets"………………………………………………………..……………..34
8.2.3 Rule Order Is Important………………………………………………………...……………..34
8.2.4 Performance of the Rule Set…………………………………………………..………………35
8.2.5 Browse and Edit the Default Rules……………………………………………………………35
8.2.6 Block Any Access to the Firewall Itself………………………………………………………35
8.2.7 Log All Packets Marked For Drop……………………………………………………………35
8.2.8 Drop Broadcast Traffic and Switch Logging Off…………………………….……………….35
8.2.9 Block the DMZ If Appropriate…………………………………………………………….…36
8.2.9.1 The DMZ Should Never Initiate Undesired Connections………………………………….36
8.2.9.2 Put Comments at the Rules…………………………………………………………………36

CHAPTER NINE
9.1.0 Audit……………………………………………………………………………………….…37
9.2.0 Auditable Events……………………………………………………………….……….….…37
9.3.0 Sample Traffic Rule Matrix………………………………….………….….……………..….39
9.4.0 Blocking Standards…………………………………………………..………………………40
9.5.0 Firewall Allow and Denial/Blocking Rules……………………………………………..….41

CHAPTER TEN
10.1.0 Management Security Hardening Policies………………………………………………...43

CHAPTER ELEVEN
11.1.0 Recommendations………………………………………………………………………....45
11.1.1 Opinions…………………………………………………………………………….……..45
11.2.0 Summary and Conclusion…………………………………………………………………45
11.3.0 Terms and Definition………………………………………………………….…………..46

References………………………………………………………………………………….……..48


ABSTRACT
Designing a network is not just about placing routers, firewalls, intrusion detection systems, etc.,
in a network; it is about having good reasons for placing such hardware where it is. The world has
gone beyond designing a network merely for the sake of achieving a functional inter-connected
LAN or WAN for doing business. The threat to organizational security has heightened to an extent that
a safe network design is not complete without having the necessary protective hardware in place as
well as spelling out appropriate rules and measures to counter organizational threats such
as malicious programs, hackers and social engineers.
ABC Broadcasting Corporation is an organization that offers broadband satellite television
services to its numerous clients. This document is aimed at explaining how to
design a well protected and hack-proof network, both on the hardware/software side and the human
side. Two network link infrastructure methods are used to secure ABC Broadcasting Corp’s network:
IP-VPN and Point to Point Leased Line. A detailed explanation is given of how these
networks are set up and protected, with descriptive diagrams.
The last phase of this document focuses on network security, which is sub-divided into two parts:
network hardware security, which centres on firewall configuration rules, and management security,
which focuses on measures to thwart, prevent and annul hackers, crackers and social engineering attacks.


CHAPTER ONE
1.1.0 PURPOSE AND SCOPE

This document is intended to be an accompaniment to ABC Broadcasting Corporation IT
Policy, “Network Security.” The policy describes the state’s overall requirements regarding the
acquisition of technologies and implementation of policies and practices related to network boundary
(perimeter) security. This document is designed to provide a deeper understanding of the principal
technological solutions described in ABC Broadcasting Corporation IT Policy and assist State of ABC
personnel who may be responsible for acquiring, implementing or monitoring boundary security.

1.2.0 INTRODUCTION

Information technology networks can be described in many ways, but the description that
seems to provide the best understanding of how to defend networks is to compare it to an onion. If you
think of a network as being composed of multiple layers, the outermost layer is the part that you touch,
the boundary between it and the world. As you peel back the layers, you move closer to the valuable
“core.” In network terms, the core most often represents our most valuable data and applications. Each
layer of the network provides a different level of functionality and requires its own unique set of
solutions to adequately secure the information traversing it between the core and the boundary.
The most effective security architectures incorporate security strategies at every layer of the
network. This makes it extremely difficult for someone attempting to compromise the network to
attack from the outside, because they must not only peel back the boundary (the first layer of defense),
but each layer beneath it to get to the most valuable data or infrastructure. This strategy is called
“Defense in Depth” and represents the most effective means of thwarting system compromise. Even
though some defenses may be defeated, it is much more difficult to penetrate all of the layers than just
one layer. Nevertheless, the perimeter or network boundary is critical as the first line in defense of the
network and is the focus of this paper.

1.3.0 COMPANY PROFILE OF ABC BROADCASTING CORPORATION

ABC Broadcasting Corporation is a private broadcasting company that broadcasts satellite
news and movies to different countries in the Asian region. The news is obtained from local and
overseas news agencies, and movies are obtained from movie distribution companies. This news
and these movies are transmitted to a satellite and broadcast back to the people in Malaysia, Singapore,
Indonesia, Philippines, Thailand, Laos, Cambodia and Vietnam. Customers need to purchase a
small satellite dish and a decoder and subscribe to ABC Broadcasting Corporation to have access to the
broadcast news and movies.


Figure i: Diagram of Asian Countries Where ABC Broadcasting Corps Operates

ABC Corporation has its headquarters in Kuala Lumpur, the capital of Malaysia, and
spreads its branches across the countries shown in the above diagram. The headquarters is where the products
and services are developed and where management sets its policies and strategies. There are seven branch
offices: Singapore (Singapore), Jakarta (Indonesia), Bangkok (Thailand), Vientiane (Laos), Phnom
Penh (Cambodia), Hanoi (Vietnam) and Manila (Philippines). These branches receive their policies
and guidelines from Kuala Lumpur. Sales of the satellite dish, the decoder and access subscriptions are
through the company’s outlets, which are located in different parts of the region. Renewal of access to
the broadcast news and movies is through these outlets or over the internet by visiting the
company’s website.

1.4.0 LINKING ABC BROADCASTING CORPORATION TO ITS VARIOUS BRANCHES

There are various possible modes of linking a company’s branches to its Head Quarters (HQ);
amongst these are the Internet Protocol Virtual Private Network (IP-VPN), Frame Relay, Point to Point
Leased Lines, X.25, and Broadband Integrated Service Digital Network (B-ISDN)-Asynchronous
Transfer Mode (ATM). Analysing these network link methods takes into consideration the
dynamics of technological advancement in IT in general, which may directly or
indirectly affect the chosen network type. The network configuration that is chosen must have the
following features:
• Scalable geographic connectivity
• Improved security
• Low operational costs
• Reduced transmission time and operational costs for customers
• Enhanced productivity
• Simple network topology
• Support for future global expansion
• Telecommuter support
• Broadband networking compatibility
• In line with the management’s objectives

Having studied the available network connectivity methods, it was concluded to choose and
implement the IP-VPN and the Point to Point Leased Line methods for linking ABC Broadcasting
Corporation to its various branches. The IP-VPN is to link the distant branches of the company to the
Head Quarters in Kuala Lumpur, while the Point to Point Leased Line is to link closer branches to the
Head Quarters. Let’s talk first about the IP-VPN.

1.5.0 THE VIRTUAL PRIVATE NETWORK (VPN)

A VPN is a private network that uses a public network (usually the Internet) to connect remote
sites/branches together. Instead of using a dedicated, real-world connection such as leased line, a VPN
uses "virtual" connections routed through the Internet from the company's private network to its
remote sites or employees.

1.5.1 HOW VPNS WORK

When making a VPN connection, there are two connections. The first connection is made to
the Internet Service Provider (ISP). In connecting to the service provider, TCP/IP (Transmission Control
Protocol/Internet Protocol) and PPP (Point-to-Point Protocol) are used to communicate with the ISP. The
remote user is assigned an IP address by the ISP. The user then logs in to the company. This second
connection establishes the VPN connection, and a tunnel is created with the use of PPTP (for
example) after the user is authorized. IP datagrams containing encapsulated PPP packets are then sent.
In normal connections, the company’s firewall does not allow PPP packets to enter the network;
thus, Internet users are not able to access the private network. However, VPN services allow users who
meet the security criteria to be admitted. The VPN server disassembles the packet and transfers it
to the destination computer located in the private network (Microsoft TechNet 2009).

Note: It should also be noted that it is possible for the organization to host its own private Internet
Service Provider (ISP) stations, most especially at its HQ and its local and overseas branches. This is
to boost security, since total trust cannot be placed in public ISPs, as they might sniff
the organization’s VPN tunnel for their own purposes.
Below is a simplified network diagram of ABC Broadcasting Corporation’s VPN network.


(Diagram elements: ABC's Head Quarters; ABC's Branch Office reached across the IP-VPN Internet cloud through a VPN tunnel; ABC's branch office with a fibre optics leased line; a TeleWorker.)
Figure ii: Diagram Showing a Simplified Form of ABC Corps VPN and Leased Line Connections

1.5.2 SECURITY MEASURES USED IN IP-VPN

A well-designed and secured VPN uses several methods for keeping connection and data
secure and these are explained below.

1.5.3 TUNNEL

A tunnel is a virtual point-to-point connection made through a public network. Once there is a
connection, information can be exchanged on this virtual link. In addition, tunneling allows senders to
encapsulate packets with their IP packets, which prevents data from being altered.

1.5.4 FIREWALL

A firewall provides a strong barrier between your private network and the Internet. You can set
firewalls to restrict the number of open ports, what types of packets are passed through and which
protocols are allowed through.

1.5.5 ENCRYPTION

Encryption is the process of taking all the data that one computer is sending to another and encoding it
into a form that only the other computer will be able to decode. Most computer encryption systems
belong in one of two categories:
• Symmetric-key encryption
• Asymmetric Key or Public-key encryption


1.5.6 POINT TO POINT TUNNELING PROTOCOL (PPTP)

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer
of data from a remote client to a private enterprise server by creating a virtual private network (VPN)
across TCP/IP-based data networks (i.e. the Public Internet). PPTP supports on-demand, multi-
protocol, virtual private networking over public networks, such as the Internet.

1.5.7 INTERNET PROTOCOL SECURITY (IPSEC)

Internet Protocol Security (IPSec) is a suite of protocols for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes
protocols for establishing mutual authentication between agents at the beginning of the session and
for negotiation of the cryptographic keys to be used during the session. IPsec can be used to protect data
flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways
(e.g. routers or firewalls), or between a security gateway and a host (Wikipedia 2009).

1.5.8 AAA SERVERS

AAA (Authentication, Authorization and Accounting) servers are used for more secure access
in a remote-access VPN environment. When a request to establish a session comes in from a dial-up
client, the request is proxied to the AAA server. AAA then checks for the following:
• Who you are (authentication)
• What you are allowed to do (authorization)
• What you actually do (accounting)
The accounting information is especially useful for tracking client use, for security auditing, billing
or reporting purposes (How Stuff Works 2009).
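As an added illustration of the three checks listed above (example code written for this page, not part of the original report or of any AAA product), the following Python models an AAA server receiving a session request proxied to it by the VPN server: it authenticates against a salted PBKDF2 credential store, authorizes the requested network layer against the user's role, and writes an accounting record for every decision, granted or not. The user names, passwords, roles and layer names are constructed for the example.

```python
# Added example for this page (not from the original report): a minimal model of an
# AAA server handling a session request proxied to it by a remote-access VPN server.
# User names, passwords, roles and layer names below are constructed for illustration.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest; the store never keeps clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed credential store (two hypothetical employees).
USERS = {
    "alice": make_user("S3cure!pass", "sales"),
    "bob": make_user("An0ther#one", "it_admin"),
}

# Authorization policy: which layers of a three-layer network each role may enter.
ROLE_LAYERS = {
    "sales": {"outer", "middle"},
    "it_admin": {"outer", "middle", "inner"},
}

# Accounting: one record per decision, whether it was granted or not.
ACCOUNTING_LOG = []


def authenticate(username, password):
    """Who you are: constant-time comparison against the stored digest."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def authorize(username, layer):
    """What you are allowed to do: is the requested layer open to this user's role?"""
    role = USERS[username]["role"]
    return layer in ROLE_LAYERS.get(role, set())


def account(username, layer, outcome):
    """What you actually did: append an audit/billing record."""
    record = {"time": time.time(), "user": username, "layer": layer, "outcome": outcome}
    ACCOUNTING_LOG.append(record)
    return record


def handle_session_request(username, password, layer):
    """Entry point for a proxied request; returns 'denied-auth', 'denied-authz' or 'granted'."""
    if not authenticate(username, password):
        account(username, layer, "denied-auth")
        return "denied-auth"
    outcome = "granted" if authorize(username, layer) else "denied-authz"
    account(username, layer, outcome)
    return outcome


if __name__ == "__main__":
    for req in [("alice", "S3cure!pass", "middle"), ("alice", "S3cure!pass", "inner"),
                ("bob", "An0ther#one", "inner"), ("mallory", "guess", "outer")]:
        print(req[0], req[2], "->", handle_session_request(*req))
```

Note that a failed authentication is accounted for as well; the accounting trail is only useful for security auditing if it records the attempts that were refused, not just the sessions that were granted.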


CHAPTER TWO
2.1.0 POINT TO POINT LEASED LINE

A point-to-point leased line is a dedicated pair, or pairs, of copper wire connecting two end
users through a network rented from a telecommunications provider. Unlike normal dial-up
connections, leased lines are always active and deliver guaranteed bandwidth.
A point to point leased line is a cost effective, resilient and secure solution for connecting multiple
offices or remote workers with guaranteed uptime and bandwidth. A leased line offers a number of
significant advantages over traditional dial-up connections:
• Non-contention – a leased line is 100% dedicated to the company’s exclusive use.
• Security – a dedicated leased line is private, and therefore secure.
• Reliability and resilience – a leased line is backed by Service Level Agreements and its
performance is monitored by the service provider at all times.
• Symmetric – upload and download speeds are the same.
• Cost control – the monthly rental charge is fixed and does not vary with usage.
• Permanence – the connection is always on.

2.2.0 POINT TO POINT PROTOCOL

The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for
transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and
management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation,
network protocol multiplexing, link configuration, link quality testing, error detection, and option
negotiation for such capabilities as network layer address negotiation and data-compression
negotiation. PPP supports these functions by providing an extensible Link Control Protocol (LCP) and
a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and
facilities. In addition to IP, PPP supports other protocols, including Novell’s Internetwork Packet
Exchange (IPX) and DECnet (James & Keith 2009).

2.3.0 CSU/DSU DEVICE

A Channel Service Unit (CSU) is a device that connects a terminal to a digital line, while a Data
Service Unit (DSU) is a device that performs protective and diagnostic functions for a
telecommunications line. Typically, the two devices are packaged together as a single unit. We can
think of the CSU/DSU as a very high-powered and expensive modem. This device is required at both
ends of a T-1 or E-1 connection. The units at both ends of the connection must be from the same
manufacturer, their configurations must be set to match, and the routers at both ends must be
configured to be in the same subnet (Robert et al. 2005).


CHAPTER THREE
3.1.0 ANALYSING ABC CORPS NETWORK CONFIGURATION SETUP

For ABC Broadcasting Corporation to survive, it must consider network security as a critical
function of its success. Appropriate measures are taken to tighten the security of ABC Corp’s network
infrastructure to prevent breaches of security and yet remain in line with the company’s objectives, which aim
for flexibility, scalability and affordable cost for consumers. Below is the analysis of ABC Corp’s
network infrastructure.
ABC Corp’s network infrastructure is made up of three (3) layers:
1. The Outer Layer accommodates the Web server, FTP server and E-mail server. This
layer is the general public layer and is enclosed in the External DMZ. Employees and the
public, including clients and partners, have access to this layer.
2. The Middle Layer is more protected than the outer layer. This layer is strictly for
employees, whether they connect from within, from a branch office or from a remote location. This
layer is where most of the operational departments are found, e.g. the Sales, Accounting,
Broadcasting and Customer Relations departments. Access into this layer requires
authentication.
3. The Inner Layer is the most protected of the three layers; hence it is referred to as the
“Core” of the network. This layer is where the Research and Development, Human Relations
and IT departments are located.

List of hardware used in setting up ABC’s network:
1. Firewalls
2. Switches
3. Intrusion Detection Systems (IDS)
4. Routers
5. Leased Line Routers
6. Fiber Optics Cable
7. Work Stations
8. Web server
9. Proxy server
10. FTP server
11. E-Mail server
12. VPN/AAA server
13. Active Directory server
14. CSU/DSU Modem
15. Departmental servers
16. Digital Transmission Satellite Dish
17. Digital Video Broadcasting (DVB) System
18. Clients/Subscribers
19. Printers

Note: All the routers used in this setup are Cisco 3800 series routers, and the core switches are
Cisco Catalyst 4500 series switches. D-Link DES-3028 series switches are used as access
switches. The boundary firewalls are Cisco PIX 500 series appliance firewalls. The IDS used is the
Cisco Threat Defense IDS 4250 series. A Cisco VPN Concentrator 3000 series is also used. All the
servers in the External DMZ are Unix-based Linux platform servers.

ABC Corp’s network has been segmented into several Virtual Local Area Networks (VLANs).
This VLAN architecture helps to isolate uncontrolled broadcasting of packets (broadcast storms), which
might lead to network congestion and consequently shut down the network. Secondly, the VLAN
implementation ensures that information meant for one department is contained within that
department, without unauthorized access from other departments.
The range of IP addresses for the VLANs are;
• 192.168.1.x/24 range (VLAN 1)
• 192.168.2.x/24 range (VLAN 2)
• 192.168.3.x/24 range (VLAN 3)
• 192.168.4.x/24 range (VLAN 4)
• 192.168.5.x/24 range (VLAN 5)

3.2.0 HEAD QUARTERS AND BRANCH OFFICE VPN CONNECTION

The initiator (employee or dealer) logs into the company’s secured VPN interface on his
computer by providing a user ID and a password or pass-phrase, depending on how the configuration
has been set up. The log-in is authenticated by the VPN server at his own end, which is hosted either by
the branch office or by an external ISP. Upon fulfilment of the log-in requirements, access to the HQ is
granted through a secured VPN tunnel which travels through the public internet cloud. The packet
then meets the HQ’s router, and then the Boundary Firewall. At the router, Network
Address Translation (NAT) is implemented, which hides ABC’s internal IP addresses from the
public.
The Boundary Firewall is a stateless hardware appliance firewall; hence it inspects the
transiting packet up to the Network layer of the Internet Protocol stack before forwarding it to the
Intrusion Detection System/Switch. This piece of hardware screens the frame against laid-down
security parameters. If the frame is found to contain malicious code, the IDS triggers an alarm and
notifies the IT personnel and employees that an attack is about to take place or has already taken
place. On the other hand, if the frame is “clean”, it is allowed into the network. The level of access into
the network depends on the person who logs into the network. The access is spelt out by the
rules on Internal Firewall 1, and these allow the frame to reach the VPN Concentrator/AAA
server.
Internal Firewall 1 is a stateful firewall; in other words, it carries out inspection on the
packet up to the Application layer of the Internet Protocol stack. It ensures that the packet meets the
standards of the policies set in the firewall before allowing it to transmit further into the
network.
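To make the stateless/stateful distinction concrete, here is an added example in Python (written for this page; it is not code from the report or from any Cisco product). It runs constructed packets through two simplified filters: a boundary filter that judges each packet only on its own header fields, and an internal filter that also keeps a table of sessions opened from inside, so that an unsolicited inbound packet from a known peer is rejected even though its header looks like a legitimate reply. The addresses, port numbers and rule set are assumptions made for the example; the internal range 192.168.0.0/16 covers the VLAN ranges given in section 3.1.0.

```python
# Added example for this page (not from the original report): simplified models of a
# stateless boundary filter and a stateful internal filter.  Addresses, ports and the
# rule set are constructed; 192.168.0.0/16 covers the VLAN ranges in section 3.1.0.
import ipaddress
from collections import namedtuple

# One packet as the firewall sees it: addresses, transport ports, protocol and the
# direction of the interface it arrived on ('in' from the outside, 'out' from inside).
Packet = namedtuple("Packet", "src dst sport dport proto direction")

INTERNAL = ipaddress.ip_network("192.168.0.0/16")
PUBLIC_SERVICES = {80, 443, 1723}   # web servers and the PPTP control port (constructed policy)


def stateless_allow(pkt):
    """Boundary firewall model: judges each packet on its own header fields only.

    Because it has no memory of earlier packets, replies to sessions opened from
    inside can only be admitted by leaving every high (ephemeral) port open.
    """
    if pkt.direction == "out":
        return True
    if ipaddress.ip_address(pkt.src) in INTERNAL:
        return False                 # internal address arriving from outside: spoofed
    return pkt.proto == "tcp" and (pkt.dport in PUBLIC_SERVICES or pkt.dport >= 1024)


class StatefulFirewall:
    """Internal firewall model: records sessions opened from inside and admits an
    inbound packet only when it is the reply to one of them."""

    def __init__(self):
        self.sessions = set()        # (internal host, internal port, remote host, remote port)

    def allow(self, pkt):
        if pkt.direction == "out":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # A reply reverses the addresses and ports of the recorded outbound packet.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def evaluate(packets):
    """Run packets in order through both filters; returns (stateless, stateful) verdicts."""
    internal_fw = StatefulFirewall()
    return [(stateless_allow(p), internal_fw.allow(p)) for p in packets]


# Constructed traffic sample.
SAMPLE = [
    Packet("192.168.2.10", "203.0.113.5", 50000, 443, "tcp", "out"),  # host opens HTTPS session
    Packet("203.0.113.5", "192.168.2.10", 443, 50000, "tcp", "in"),   # genuine reply
    Packet("203.0.113.5", "192.168.2.10", 443, 50001, "tcp", "in"),   # same peer, no such session
    Packet("198.51.100.7", "192.168.2.10", 4444, 445, "tcp", "in"),   # unsolicited file-sharing probe
    Packet("192.168.3.4", "192.168.2.10", 1234, 80, "tcp", "in"),     # internal source from outside
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{pkt.src:>13} -> {pkt.dst}:{pkt.dport:<5} stateless={stateless} stateful={stateful}")
```

The third packet is the instructive one: both filters see a header that looks like a reply from the same web server, but only the stateful filter, which knows that no session was opened from internal port 50001, rejects it. The stateless filter has to accept it because it must leave the ephemeral port range open for genuine replies.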
The VPN Concentrator/AAA server analyses the packet by decrypting it to reveal its
content, while processing Authentication, Authorization and Accounting. Authentication, Authorization
and Accounting on the packet ensure that the employee is an authenticated member of the
organization and is authorized to be in the network. The authorized packet is then transmitted to the
destination department to which its request was originally made. These departments include the
Broadcasting Department, Accounting Department, Sales Department and Customer Relations
Department. The Research and Development (R&D) Department, Human Relations (HR) Department
and Information Technology (IT) Department are situated in the Network Core, which is highly
restricted from employees. This inner layer is restricted to the few employees who have the authority
as defined in the organization’s policies.
The function of the Active Directory server, which is controlled by the System Administrator
from the IT department, is to oversee the entire set of access rules, with respect to passwords, log-ins, printing,
emailing, and other security and instructional issues initiated by employees and non-employees.

3.3.0 HEAD QUARTER AND BRANCH OFFICE LEASED LINE CONNECTION

The second means of linking to ABC’s HQ office is through a Leased Line. The Leased Line is
used for the branch offices whose country shares a boundary with the HQ’s country, e.g. Singapore and
Thailand. This dedicated Leased Line is provided by a third party Leased Line provider. For an
employee to have access to the HQ through the Leased Line, he initiates a connection from his office. The
frame travels through Boundary Firewall 1, the Router, the CSU/DSU Modem, and then through the E1
Fibre Optics leased line, which spans several kilometres, and then to the Headquarters’ CSU/DSU
Modem, Router and Boundary Firewall. The frame meets the External IDS and, if found clean,
moves to Internal Firewall 1, and then to the AAA Server, which authenticates the request. After
fulfilling the set rules, it is then allowed into the internal network.
For ABC’s customers, subscribers or dealers who desire access to ABC’s network
for the purpose of enquiry on broadcasting services and online subscription, access is limited and
routed to the Web, FTP and E-mail servers, which are contained in the External DMZ and regulated by
the Boundary Firewall.
The main function of the Internal DMZ is to contain and confine the various departments
within their regions and limits; it restricts them from accessing other parts of the network which they
should not have access to. The Internal DMZ is regulated by Internal Firewall 2.
Below is the overall network diagram of ABC Broadcasting Corp.


(Diagram elements: space satellite; digital transmission satellite dish; DVB/encoder; clients/subscribers; leased line operator with CSU/DSU modem and leased line router; Boundary Firewall 1 with redundant backup; Boundary Firewall 2; External IDS; External DMZ with Proxy, FTP, E-mail and Web servers; VPN Concentrator/AAA server; Internal Firewall 1; Internal Firewall 2; core switch and server farm switch; DHCP, internal E-mail and Active Directory/DNS servers; Broadcasting Dept (VLAN 4), Sales Dept (VLAN 1), Customer Relations Dept (VLAN 2) and Accounting Dept (VLAN 3) in the Internal DMZ; R&D, Human Relations and IT Depts in the highly secured interior; ABC's branch with leased line connection over the E1 fibre optics leased line; ABC's branch office with VPN connection and ABC's teleworker/staff with VPN client software reached over the public internet cloud/VPN tunnel; local ISP/network access server.)
ABC BROADCASTING CORPORATION NETWORK INFRASTRUCTURE

Figure iii: A Detailed Diagram of ABC Broadcasting Corporations Network

CHAPTER FOUR

4.1.0 SYSTEM/SECURITY HARDENING

In this section we shall consider the Network Hardening Policies and the Management Hardening
Policies. The Network Hardening Policies address security issues and procedures applicable to ABC
Corp’s network, while the Management Hardening Policies address security issues and procedures
applicable to the human resources (employees, dealers and customers) managing and running ABC
Corp.
In this discussion, the term “system” refers to any computer, laptop, server, router, switch or
firewall that may connect to the network. System hardening is a systematic process of securing the
network by configuring the computers, laptops, servers, routers, switches and firewalls on the network to
protect them from unauthorized access, or from being used to compromise the network. System hardening
makes the system more secure without affecting its efficiency and reliability. The hardware
produced in the factory and sold to ABC Corporation as an “out of the box” device is usually
designed with the convenience of the end user in mind; security is secondary. Whichever
operating system is used, be it Windows, Solaris or Linux, the default configuration is frequently
less secure than the one required by ABC Corp.
System hardening is done by enabling the correct set of security features and at the same time
disabling features that are not required and that could compromise the network. For example, the initial
security configuration could include enabling auditing of specific system events, requiring the use of
strong passwords that contain both alphanumeric and symbolic characters, allowing administrative
log-in only from the physical console of the system, disabling processes such as file sharing and Web
server processes if those functions are not required, and blocking inbound attempts to connect over the
network to critical system ports such as the Remote Procedure Call (RPC) port. In the case of ABC
Corp, further security measures against hackers include deletion of any operating
system files that are not required and could be misused by hackers, and of the source code compilers
frequently included on UNIX and Linux systems.
By hardening the system, administrators and users can have more confidence in the integrity of
the data processed by the system. In addition, the performance of the system will improve
from turning off and disabling unnecessary ports, protocols and services on the host.

4.2.0 NETWORK HARDENING MEASURES

4.2.1 BASIC FIREWALL REQUIREMENTS

This section provides best practice security measures for firewalls (including the Management
Console and Policy Server), described in more or less general terms. More detailed background
information is provided in the following chapters.

(a). Mandatory Requirements


• Network documentation
• Change control
• Firewall documentation
• Physical security
• Patches
• Backup procedure
• Alert procedure
• Management Protocols

(b). Recommended Requirements


• Testing procedure
• User names/passwords for managing the Firewall
• Management stations that can access and configure the Firewall

(c). Prerequisite Operating System (OS) and Appliance OS


• The OS involved are non-betas and up-to-date.
• The OS version is qualified / certified for the Firewall version.
• The OS involved must be 'hardened'.
• Select the Firewall platform CPU speed and memory size to match the expected network load.
• The Firewall must be delivered, installed, administered, and operated in a manner that
maintains security.
• Information cannot flow between the internal (trusted) and external (untrusted) networks unless
it passes through the firewall.

Note: (a), (b) and (c) are only applicable to software-based firewalls.

4.2.2 PROCEDURES AND RESPONSIBILITIES

Separation of roles and responsibilities for managing the Firewall and Network is recommended.
• Manages the Operating System – System Administrator.
• Manages the Firewall Software – Firewall Administrator or Network Engineer.
• Manages the accounts on the Firewall – Security Administrator or Helpdesk.
• Scanning of the log files – Security.
• Checks whether the firewall is deployed according to procedures – Auditor or Security.
• Administrators of the Firewall must be informed about the most recent security threats.

4.2.3 FIREWALL ENVIRONMENT

4.2.3.1 GUIDELINES FOR BUILDING FIREWALL ENVIRONMENTS


• Keep it simple (KISS)
• Use devices as they are intended to be used
• Create defense in depth
• Pay attention to internal threats

4.2.3.2 GENERAL SECURITY MEASURES



• Place the Firewall (and other directly connected devices) in a physically secured area.
• No test rule set should ever be tested on a production system. Use the firewall system solely as a
firewall.
• The Firewall system runs no other services.
• The host system running the Firewall does not host any public data.
• There will be no trust relations at OS level between the Firewall and other systems.
• Interruption of an individual firewall service must not compromise data or the network. In this case
the Firewall must not leave open a connection between the external (untrusted) and internal
(trusted) network.
• Ensure that backup procedures exist for the Firewall configuration and the log files.

4.2.3.3 INSTALLATION AND CONFIGURATION


• The system should boot only from the primary hard disk.
• Only system administrators can change the date and/or time in the BIOS.
• The system must be physically labelled with a reference.
• Offline installation and configuration: the Firewall has to be physically disconnected from the
external networks during installation or changes in configuration.

4.2.3.4 FIREWALL SOFTWARE


• Only vendor-authorized production release versions of the firewall software must be used.
• All configuration parameters must be considered when installing the Firewall for the first time.

4.2.3.5 ACCESS TO THE FIREWALL


• Remote administration is only allowed under strict conditions.
• Login via generic Firewall Administrator accounts must be disabled. Use user traceable
accounts instead.
• Only an authorized administrator may change user data.

4.3.0 TESTING THE FIREWALL


Every configuration must be thoroughly tested.

4.4.0 DEFAULT SETTINGS


• Security policy may only be changed by authorized administrators.
• Enable Network Address Translation wherever possible.
• Only authorized administrators may change date and time.
• Only authorized administrators may specify limits of authentication failures (if Security
Servers are used).
• Reserve enough disk space to hold the log file.

4.5.0 RULE SETS

4.5.1 MANAGING THE RULE SETS

• Make the standard rule set visible and remove unused rules. Also ensure that there are no
disabled rules within Production rule bases.
• Before activating a new or changed rule set, a back-up of the old rule set must be made.
• Keep the rule base simple and short.
• Perform periodic checks on the rule set.
• The rule set is documented properly and stored away in a safe place.

4.5.2 HARDENING THE RULE SETS


• The rule set shall explicitly deny information flows from manipulated origins, so-called
'spoofed packets'.
• Rule order is important. Rules are evaluated sequentially, and the first rule that matches is
applied to the packet.
• Review and edit the default rules.
• Block any client access to the Firewall itself except permitted administration flows. Admit
only authorized Administrators to the Firewall itself.
• Log ALL packets marked for drop (including the implicit deny at the end of the rule list).
• Drop broadcast traffic without logging.
• Block the DMZ where appropriate. Grant access to the DMZ based only on specific rules.
• The DMZ may never initiate undesired connections.
• Maximize the performance of the rule set.
• Put comments on every rule.

4.6.0 AUDIT
• Firewalls should be regularly audited.
• Examination of the log files shall be done at least once a month by the holder of the
Monitoring account.
• Audit trail properties: the audit trail will contain at least the date and time of the event, the type of
event, the subject identity, and the outcome (success or failure) of the event.
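The first-match evaluation of 4.5.2, the rule-base checks of 4.5.1 and the audit-trail fields of 4.6.0, as an added worked example that is not part of the report and not ABC Corp's configuration. The address plan, interface names and rule names are constructed; the model is stateless, so return traffic of established sessions is not modelled.

```python
"""Added example (not ABC Corp's configuration): a first-match rule evaluator
that models the 4.5.2 hardening rules and the 4.5.1 rule-base checks, and
records every drop in the 4.6.0 audit-trail shape. Addresses are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan for the example (not from the report).
INTERNAL = "10.0.0.0/8"         # trusted network behind the firewall
DMZ = "192.0.2.0/24"            # DMZ segment (documentation range)
FIREWALL = "10.0.0.1/32"        # the firewall's own internal address
MGMT_STATION = "10.0.1.10/32"   # 4.8.9.1: management station named by IP, not DNS
BROADCAST = "255.255.255.255/32"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str  # interface of arrival: "ext", "int" or "dmz"


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "drop"
    comment: str = ""           # 4.5.2: put comments on every rule
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    iface: Optional[str] = None
    log: bool = True            # 4.5.2: log all drops (broadcast is the exception)
    enabled: bool = True        # 4.5.1: no disabled rules in production

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))


@dataclass
class Firewall:
    rules: List[Rule]
    audit_trail: List[dict] = field(default_factory=list)

    def lint(self) -> List[str]:
        """4.5.1 checks on the production rule base."""
        problems = []
        for r in self.rules:
            if not r.enabled:
                problems.append(f"{r.name}: disabled rule in production rule base")
            if not r.comment:
                problems.append(f"{r.name}: rule has no comment")
        return problems

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Sequential evaluation: the first matching rule decides the packet.
        Anything reaching the end hits the implicit deny, which is logged too."""
        for r in self.rules:
            if r.enabled and r.matches(p):
                if r.action == "drop" and r.log:
                    self._audit(p, r.name)
                return r.action, r.name
        self._audit(p, "implicit-deny")
        return "drop", "implicit-deny"

    def _audit(self, p: Packet, rule: str) -> None:
        # 4.6.0: date/time, type of event, subject identity, outcome.
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": "packet-drop",
            "subject": f"{p.src}->{p.dst}:{p.dport} via {p.iface}",
            "rule": rule,
            "outcome": "failure",
        })


def anti_spoof_rule() -> Rule:
    # 4.5.2: explicitly deny packets whose source claims to be internal
    # although they arrive on the external interface.
    return Rule("anti-spoof", "drop", "internal source seen on external interface",
                src=INTERNAL, iface="ext")


def service_rules() -> List[Rule]:
    return [
        Rule("broadcast-noise", "drop", "drop broadcast without logging",
             dst=BROADCAST, log=False),
        Rule("fw-admin", "permit", "SSH to the firewall only from the management station",
             src=MGMT_STATION, dst=FIREWALL, dport=22, iface="int"),
        Rule("protect-firewall", "drop", "no other client access to the firewall itself",
             dst=FIREWALL),
        Rule("dmz-no-initiate", "drop", "DMZ hosts may not initiate connections",
             src=DMZ, iface="dmz"),
        Rule("dmz-https", "permit", "public HTTPS to the DMZ web servers",
             dst=DMZ, dport=443, iface="ext"),
    ]


def hardened_rules() -> List[Rule]:
    """Anti-spoofing first, so no later permit can admit a spoofed packet."""
    return [anti_spoof_rule()] + service_rules()


def misordered_rules() -> List[Rule]:
    """Same rules with anti-spoofing last: dmz-https now matches spoofed packets first."""
    return service_rules() + [anti_spoof_rule()]
```

Running `Firewall(hardened_rules())` and `Firewall(misordered_rules())` against the same spoofed packet (internal source, external interface, DMZ port 443) shows the order dependency: the first drops it under `anti-spoof`, the second permits it under `dmz-https`.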

4.7.0 MANDATORY REQUIREMENTS

These requirements are mandatory to ensure a secure firewall system.

a. Network Documentation
All network related documentation must be kept up to date and its content maintained.
Network related documentation should be appropriately identified with date, version number, and
commentary as to what changes have been made to the content. All such changes should be managed
via a formal change control mechanism. In order to ensure that the Firewall is securing the required
section of the network, a detailed diagram of the network may be required. This can be used to ensure
that the Firewall is protecting what it should be protecting and will help in identifying any weaknesses
that may exist within the Firewall setup.

b. Change Control

Management should document a formal change control policy for amending the Firewall's
configuration. This policy should describe the principles and objectives on which the change control
process should operate. Having defined when changes should be performed, the objectives should
describe the change requirements (that is, key standards).
Change Control is required to ensure that Administrators of the Firewall are in fact performing the tasks
required. This is implemented to ensure:-
• Changes made reflect the change in policy; and
• Administrators do not perform changes without notification.

4.8.0 CONSEQUENCES OF NON-CONFORMANCE


Non-conformance may result in loss of control over changes to network devices, resulting in
unauthorized access to a device and the potential for an unauthorized person to alter security
configuration parameters.
Personnel installing changes must be authorized to do so and held accountable for the change. If the
organization does not identify the individuals authorized to update the Firewall, the risk of
unauthorized changes to the configuration increases.

4.8.1 FIREWALL DOCUMENTATION


Firewall documentation should exist and, as a minimum, detail the Firewall policy and the
rationale for the inclusion of each individual rule. Documentation should also justify the exclusion of
specific rules where their absence impacts the security of the Firewall and/or the corporate network.
In order to design a rule base, it is important to have supporting documentation outlining the policies
required by the organization. These should be kept up to date to reflect the actual policies that are in
place on the Firewall.

4.8.2 PHYSICAL SECURITY


Ensure that the Firewall and the network cabling related to it are physically secured. Physical
access to the Firewall or the related network cabling provides opportunities for an intruder to bypass
the Firewall itself.

4.8.3 PATCHES
Ensure that patches to the base operating system (OS), appliance OS and the Firewall are
current. For a firewall to be successful, it must operate on a secure OS. If the Firewall is running on an
inferior OS, then it is open to attacks. It should be ensured that the OS and the Firewall are secure and
that all patches have been applied. Where an appliance-based firewall is concerned, the IOS and the
firewall application itself must be duly patched.

4.8.4 BACKUP PROCEDURES


Ensure that backup procedures exist for the Firewall configuration and the log files. The
Firewall should be backed up to ensure quick recovery from data loss. The log files are recommended
to be archived separately to ensure a permanent record of transactions. The archived log files should
be removed from the Firewall, as they will slowly consume all available space on the system and
potentially cause failures. There should be sufficient space for the log files to reduce the risk that the
partition will be deliberately filled by an attacker.

4.8.5 ALERT PROCEDURE


If Alerts are enabled, then there should be a documented procedure for handling the alert.

4.8.6 MANAGEMENT PROTOCOLS
Many environments are perfectly content with managing their network by the easiest and
quickest means available. Many management applications, such as remote shell (RSH) or telnet, send
all details between the management station and managed device in plain text. This allows anyone who
is in the same VLAN (either manually configured or through a compromised connection) to view all of
your commands and parameters with a simple protocol analyzer. For this reason, you should use
secure and efficient management protocols to connect to your enterprise devices.

4.8.7 RECOMMENDED REQUIREMENTS


These requirements are strongly recommended; however, it is recognized that they are not
possible in all instances. Failure to comply with these requirements may degrade the security of the
firewall.

4.8.8 TESTING PROCEDURES


It is recommended that procedures exist for testing the Firewall before the actual changes are
installed on the Firewall. If the Firewall policy is altered then there needs to be a process whereby the
new policy is tested before it is 'burnt' into the actual firewall. This is done to ensure that the changes
to the Firewall do not have a negative effect on its operation.

4.8.9.0 USER NAMES / PASSWORDS


An operating system (OS) is not considered secure when unauthorized people can get physical
access to the computer. This includes the ability to obtain usernames and passwords (using tools like
NTFSDOS and L0phtCrack), and if remote control tools (e.g. pcAnywhere) are being used for managing
the computer, others may watch the local console monitor to obtain and possibly also interrupt the remote
management session.
Only the Network Administrator should have access to the Firewall. This includes physical access,
local logon and remote firewall logon. OS remote access should not be allowed. Hard-to-guess
usernames and passwords should be used. Each user with read or read/write access to the Firewall
configuration should be identified by a unique username.

4.8.9.1 ACCESS AND CONFIGURE


During installation you must set the DNS host names and/or IP addresses of those Management
Stations allowed to access the Firewall. We recommend using IP addresses instead of DNS host
names, as relying on DNS names increases the risk of spoofed DNS attacks on the Firewall management
ports.

4.9.0 OPERATING SYSTEMS (OS) / CISCO IOS REQUIREMENTS

4.9.1 NON-BETAS AND UP-TO-DATE


All versions of OS shall be made up-to-date with service packs or (security) patches. No beta
versions will be used in a production environment.

4.9.2 QUALIFIED FOR THE FIREWALL VERSION


It is important to keep the OS and patches at a level supported by the Firewall. Sometimes the
latest version of the OS is not yet qualified for, or does not work correctly with, the expected firewall
version. Testing should be performed before applying it to production.

4.9.3 HARDENED
Out-of-the-box operating systems are normally not prepared to perform security services. Measures
must be taken to tighten the security of these operating systems; this is called 'hardening'. Refer to the
appropriate Operational Security Guideline (OSG) to harden the OS.

4.9.4 CAPACITY MATCH THE EXPECTED NETWORK LOAD


As part of Capacity Management, the CPU and memory capacity should be sufficient to
endure peak moments on the network, to protect against some denial-of-service (DoS) attacks and
to support specific features such as cryptographic techniques or content filtering.

4.9.5 INSTALLED, ADMINISTERED, AND OPERATED THAT MAINTAINS SECURITY


The systems that will run the Firewall software must be built from scratch. Hard disks must be
completely partitioned and formatted unconditionally (destructively). This also means that the
OS concerned must also be installed from scratch. This is important to ensure that the foundation of
the system is trusted.

4.9.6 NO BACKDOORS
When the network infrastructure is well designed, no backdoors (such as modems or RAS
servers) into systems should be available in the protected network, which means that information cannot
flow between the internal and external networks unless it passes through the Firewall. Any deviation
from the Security Policy must be approved by IT Security and Risk Management or Senior
Management.

4.9.7 CHANGE MANAGEMENT (CM) PROCEDURE


A procedure concerning Change Management (CM) for the Operating System (OS) involved and
the Firewall must be in place. A CM procedure enforces changes to be done in a standard and auditable
way. Control over the perimeter of the networks is very important. At all times it must be clear what the
status of this perimeter is (before or after a change has been made).

4.9.8 SEPARATION OF ROLES FOR MANAGING


Several roles are needed for managing the firewall in a secure and auditable way. The following roles
are determined:
• Who manages the Operating System – System Administrator.
• Who manages the Firewall Software – Firewall Administrator or Network Engineer.
• Who manages the accounts on the Firewall – Security Administrator or Helpdesk.
• Who scans the log files – Security.
• Who checks whether the firewall is deployed according to procedures – Auditor or Security.
It is recommended to have these roles separated from each other. In this way all actions performed on
the OS and firewall can be traced back to a single person.

4.9.9 BE INFORMED OF RECENT ATTACKS


The secure firewall of today may not be secure tomorrow. It is important to react immediately
to alerts and to problems or attacks in the field. Administrators of the Firewall must be informed about
the most recent attacks. This implies taking a subscription to an alerting service or mailing list.


CHAPTER FIVE

5.1.0 GUIDELINES FOR BUILDING FIREWALL ENVIRONMENTS

5.1.1 KEEP IT SIMPLE (KISS)


The KISS principle is something that should be first and foremost in the mind of a firewall
environment designer. Essentially, the simpler the firewall solution, the more secure it is likely to
be and the easier it will be to manage. Complexity in design and function often leads to errors in
configuration.

5.1.2 USE DEVICES AS THEY WERE INTENDED TO BE USED


Using network devices as they were primarily intended, in this context, means do not make
firewalls out of equipment not meant for firewall use.
For example: Routers are meant for routing. Their packet filtering capability is not their primary
purpose, and the distinction should never be lost on those designing a firewall implementation.
Depending on routers alone to provide firewall capability is dangerous; they can be misconfigured
easily.
Network switches are another example. When they are used to switch firewall traffic outside of a
firewall environment, they are susceptible to attacks that could impede switch functionality.
In many cases, hybrid firewalls and firewall appliances are better choices simply because they are
optimized to be firewalls first and foremost.

5.1.3 CREATE DEFENSE IN DEPTH


Defense in depth involves creating layers of security as opposed to one layer. The infamous
‘Maginot line’ is, in hindsight, an excellent example of what not to do in firewall environments: place
all your protection at the Firewall. Where several firewalls can be used, they should be used. Where
routers can be configured to provide some access control or filtering, they should be. If a server
operating system can provide some firewall capability, use it.

5.1.4 PAY ATTENTION TO INTERNAL THREATS


Lastly, attention to external threats to the exclusion of internal threats leaves the network wide
open to attack from the inside. While it may be difficult to think of your work colleagues as posing a
potential threat, consider that an intruder who somehow gets past the Firewall would then have free
rein to attack internal or external systems. Therefore, important systems such as internal web and
email servers or financial systems should be placed behind internal firewalls or DMZ environments.

5.2.0 DMZ NETWORKS


The most common firewall environment implementation is known as a DMZ, or Demilitarized
Zone network. A DMZ network is created out of a network connecting two firewalls (i.e. when two or
more firewalls exist in an environment, the networks connecting the Firewalls can be DMZ networks).
DMZ networks serve as attachment points for computer systems and resources that need to be
accessible either externally or internally, but that should not be placed on internal protected networks.
Internally accessible servers can be located on the internal DMZ located between the two firewalls; the
Firewalls could provide protection and access control for the servers, protecting them both from
external and internal attack. This environment is represented in Figure 5.1.


FIG IV: THE DEMILITARIZED ZONE (DMZ)

DMZ networks are typically implemented as network switches that sit between two firewalls or
between a firewall and a boundary router. Given the special nature of DMZ networks, they typically
serve as attachment points for systems that require or foster external connectivity.

5.3.0 VIRTUAL PRIVATE NETWORKS (VPN)

Another valuable use for firewalls is the enablement of VPNs. A VPN is constructed on top of
existing network media by using additional protocols and, usually, encryption. If the VPN is encrypted,
it can be used as an extension of the protected network.
In most cases, VPNs are used to provide secure network links across networks that are not trusted.
VPN technology is often used to create secure networks between organizations or branches, as shown
in Figure 5.3.

FIG V: VIRTUAL PRIVATE NETWORK (VPN)

On the protocol level, there are several possible choices for a modern VPN. The first and
perhaps the most widely used at present is a set of protocols known as IPSec (Internet Protocol Security).
The IPSec standards consist of IPv6 security features ported over to IPv4, the version of IP in use today
on the Internet.
Other current VPN protocols include PPTP (Point-to-Point Tunneling Protocol), a Microsoft standard,
and L2TP (Layer 2 Tunneling Protocol).

5.3.1 PLACEMENT OF VPN SERVERS


Placing the VPN server at the Firewall is the best location for this function, and in most cases the
firewall will have an integrated VPN function. In certain cases, however, it is NOT recommended to
place the VPN server behind the Firewall, because the VPN traffic passing the Firewall will then be
encrypted and the Firewall is unable to inspect that traffic, inbound or outbound, and perform access
control, logging, or scanning for viruses, etc.

5.3.2 VPN ARCHITECTURES


Although VPNs are designed to support confidentiality and integrity, they generally do not
improve availability, the ability of authorized users to access systems as needed. In fact, many VPN
implementations actually tend to decrease availability somewhat because they add more components
and services to the existing network infrastructure. This is highly dependent upon the chosen VPN
architecture model and the details of the implementation. The following are the three (3) primary VPN
architectures:-

5.3.2.1 HOST-TO-HOST
In this model, IPSec connections are created as needed for each individual VPN user. User’s
hosts have been configured to act as IPSec clients with the IPSec server. When a user wishes to use
resources on the IPSec server, the user’s host initiates communications with the IPSec server. The user
is asked by the IPSec server to authenticate before the connection can be established. The client and
server exchange information, and if the authentication is successful, the IPSec connection is
established. The user can now use the server, and the network traffic between the user’s host and the
server will be protected by the IPSec connection.

5.3.2.2 HOST-TO-GATEWAY
In this model, IPSec connections are created as needed for each individual VPN user. Remote
users' hosts have been configured to act as IPSec clients with the organization's IPSec gateway. When
a remote user wishes to use computing resources through the VPN, the host initiates communications
with the VPN gateway. The user is typically asked by the VPN gateway to authenticate before the
connection can be established. The VPN gateway can perform the authentication itself or consult a
dedicated authentication server. The client and gateway exchange information, and the IPSec
connection is established. The user can now use the organization's computing resources, and the
network traffic between the user's host and the VPN gateway will be protected by the IPSec
connection. Traffic between the user and systems not controlled by the organization can also be routed
through the VPN gateway; this allows IPSec protection to be applied to this traffic as well if desired.

5.3.2.3 GATEWAY-TO-GATEWAY
This model is relatively simple to understand. To facilitate VPN connections, one of the VPN
gateways issues a request to the other to establish an IPSec connection. The two VPN gateways
exchange information with each other and create an IPSec connection. Routing on each network is
configured so that as hosts on one network need to communicate with hosts on the other network, their
network traffic is automatically routed through the IPSec connection, protecting it appropriately. A
single IPSec connection establishing a tunnel between the gateways can support all communications
between the two networks, or multiple IPSec connections can each protect different types or classes of
traffic.

5.4.0 INTRANET
An Internal Network (intranet) is a network that employs the same types of services,
applications, and protocols present in an Internet implementation, without involving external
connectivity. Within an intranet, many smaller intranets can be created by the use of internal firewalls.
Since an intranet utilizes the same protocols and application services present on the Internet, many of
the security issues inherent in Internet implementations are also present in intranet implementations.
Therefore, intranets are typically implemented behind firewall environments.

5.5.0 INTRUSION DETECTION SYSTEM (IDS)


IDS are designed to notify of, and in some cases prevent, unauthorized access to a networked
system or resource. Some IDS are also capable of interacting with firewalls in order to bring a
reactive element to the provision of network security services. Firewalls that interact with IDS are
capable of responding to perceived remote threats automatically, without the delays associated with a
human response. For example: if an IDS detects a denial-of-service (DoS) attack in progress, it can
instruct certain firewalls to automatically block the source of the attack. There are two (2) different
types of IDS generally available:-

5.5.1 HOST-BASED IDS


The first type, Host-Based IDS, must be installed on each individual computer system that is to be
protected. A Host-Based IDS is very closely integrated with the operating system (OS) it protects, so
each different OS will have a different Host-Based IDS module. Host-Based IDS, therefore, are
usually able to detect threats at a high level of granularity. Weaknesses associated with Host-Based
IDS include:
• Often, Host-Based IDS products have a negative impact on system performance. The larger the
number of parameters examined by the IDS, the greater the impact on system performance.
• Host-Based IDS do not always notice network-based attacks such as denial of service (DoS).
• Many Host-Based IDS have a negative impact on OS stability.

5.5.2 NETWORK-BASED IDS


The second type of IDS is Network-Based IDS. Network-Based IDS are implemented as
protocol analyzers with intelligence. These devices monitor network traffic that passes by on the wire,
looking for attack signatures that indicate certain types of attacks are in progress. Attack signatures are
simply strings of characters that are often present during an attack. Network-Based IDS are normally
more effective than Host-Based IDS due to the fact that a single system can monitor multiple systems
and resources. Issues associated with Network-Based IDS include:
• Many Network-Based IDS miss attack signatures that are spread across multiple packets. Most
Network-Based IDS do not have the capability of reassembling all fragmented network traffic.
This can be used to bypass Network-Based IDS. This shortcoming can be addressed through
implementation of a network traffic analysis system, e.g. Niksun or Mazu Networks.
• Network-Based IDS rely on promiscuous mode network interfaces to examine all network
traffic on a given wire. If proper network security guidelines are followed, Network-Based
IDS cannot function without special switch configurations (i.e. port mirroring, etc.). Many
network switches lack such functionality. Most Network-Based IDS can be detected using tools
designed to locate/identify promiscuous mode interfaces. Once the promiscuous mode interface
has been detected, it is not normally difficult to crash the IDS or to flood it with useless
network traffic. To overcome this problem, an IPS is recommended.
• Many IDS lack the functionality necessary to identify network-layer attacks. Basically, not all
attacks will have a predictable attack signature. To overcome this problem, use of an IPS is
recommended. In the context of denial-of-service (DoS) attacks, many IDS are disabled by the
very event they are supposed to monitor.
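The first weakness above (a signature split across packets defeats per-packet matching, while reassembling the flow first catches it), as an added worked example that is not from the report. The signature token, the HTTP-like segments and the flow key are constructed, and the per-flow buffer cap is an assumption added so that the reassembler itself cannot be flooded into unbounded state.

```python
"""Added example (not from the report): per-packet signature matching misses a
signature that straddles two TCP segments; reassembling the stream first (what
5.5.2 says most Network-Based IDS do not do) catches it. All data is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative signature string (not a real IDS signature).
SIGNATURES = [b"EXAMPLE-SIG-0001"]

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def per_packet_match(segments: List[Segment]) -> List[Tuple[int, bytes]]:
    """Inspect each segment on its own, as a naive packet-level IDS does."""
    hits = []
    for seq, payload in segments:
        for sig in SIGNATURES:
            if sig in payload:
                hits.append((seq, sig))
    return hits


def reassemble(segments: List[Segment]) -> Tuple[bytes, Optional[int]]:
    """Rebuild the byte stream from segments that may arrive out of order,
    duplicated or overlapping (retransmissions). Returns the contiguous
    stream and the sequence number of the first gap, if any."""
    stream = b""
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq > expected:
            return stream, expected          # hole: data not yet seen
        overlap = expected - seq             # bytes already in the stream
        if overlap < len(payload):
            stream += payload[overlap:]
            expected += len(payload) - overlap
    return stream, None


def stream_match(segments: List[Segment]) -> List[bytes]:
    """Match signatures against the reassembled stream of one flow."""
    stream, _gap = reassemble(segments)
    return [sig for sig in SIGNATURES if sig in stream]


class StreamTracker:
    """Per-flow reassembly buffer with a size cap, so that the reassembler
    cannot be made to hold unbounded state by a flood of segments."""

    def __init__(self, max_bytes: int = 65536):
        self.flows: Dict[str, List[Segment]] = {}
        self.max_bytes = max_bytes

    def add(self, flow: str, seq: int, payload: bytes) -> List[bytes]:
        """Record one segment of a flow and return signatures now visible."""
        segs = self.flows.setdefault(flow, [])
        segs.append((seq, payload))
        if sum(len(p) for _, p in segs) > self.max_bytes:
            self.flows.pop(flow)             # evict rather than grow without bound
            return []
        return stream_match(segs)
```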

5.6.0 INTRUSION PREVENTION SYSTEM (IPS)


IPS have many advantages over their legacy counterparts, IDS. One advantage is that they are
designed to sit in-line with traffic flows and prevent attacks in real time. In addition, most IPS
solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP, which
provides greater awareness.

When deploying a NIPS, however, consideration should be given to whether the network segment is
encrypted or not, as many products are unable to support inspection of such traffic. There are two (2)
different types of IPS generally available:-

5.6.1 HOST-BASED IPS (HIPS)


A HIPS is one where the intrusion prevention application is resident on that specific IP address
(e.g. PC system). The HIPS relies on agents installed directly on the system being protected. It binds
closely with the operating system (OS) kernel and services, monitoring and intercepting system calls
to the kernel or APIs in order to prevent attacks as well as log them. It may also monitor data streams
and the environment specific to a particular application in order to protect that application from
generic attacks.

5.6.2 NETWORK-BASED IPS (NIPS)


A NIPS is one where the IPS application/hardware, and any actions taken to prevent an
intrusion on specific network host(s), run from a host with another IP address on the network.
NIPS are designed to analyze, detect, and report on security related events. NIPS are designed to
inspect traffic and, based on their configuration or security policy, they can drop malicious traffic.
The NIPS has at least two network interfaces, one designated as internal and one as external. As
packets appear at either interface they are passed to the detection engine, at which point the IPS
device functions much as any IDS would in determining whether or not the packet being examined
poses a threat.

5.7 INFRASTRUCTURE COMPONENTS

5.7.1 HUBS
The simplest of these connection devices is the network concentrator, or hub. Hubs are
devices that function at Layer 1 of the OSI model. In other words, there is no real intelligence in
network hubs; they exist only to provide physical attachment points for networked systems or
resources. There is a weakness associated with network hubs: they allow any device connected
to them to see the network traffic destined for, or originating from, any other device connected to that
same network hub. For this reason, network hubs should not be used at all in networking, including
building the DMZ networks or firewall environments.

5.7.2 SWITCHES
A more advanced infrastructure device is the network switch. Network switches are Layer 2
devices, which means that they employ basic intelligence in providing attachment points for
networked systems or components. Network switches are essentially multi-port bridges, so they are
also capable of delivering the full network bandwidth to each physical port. Another effect of the
bridging nature of switches is that systems connected to a switch cannot eavesdrop on each other.
These anti-eavesdropping capabilities inherent in network switches make them useful for implementing
DMZ networks and firewall environments. It is important to note that switches should not be used to
provide any firewall or traffic-isolation capability outside of a firewall environment, because
denial-of-service-like attacks can cause switches to flood connected networks with packets.


CHAPTER SIX

6.1.0 GENERAL SECURITY MEASURES

6.1.1 PLACE IN A PHYSICAL SECURED AREA


Physical access to a firewall can always lead to compromise of the system; the firewall must
therefore be secured against unauthorized physical access. The same rule applies to devices such as
local consoles that are directly connected to the Firewall. Administrative tasks via the Management
Console (GUI) should be done from dedicated workstations placed in a secure office environment.
Although general office space is considered secure, these dedicated workstations must be placed in a
room with an extra layer of access control (i.e. an access card or a physical lock). If remote
management is required, access should be restricted (i.e. to selected IP addresses only).

6.1.2 NO TEST ON A PRODUCTION SYSTEM


Testing rule sets is very important, but activating a corrupt rule set during normal operation can
be considered as a security risk. Tests should be done on a system dedicated to testing. No test rule set
should ever be tested on a Production system.

6.1.3 SYSTEM SOLELY AS A FIREWALL


A firewall is a complicated piece of software. Manufacturers have developed it to perform
many additional functions such as Intrusion Detection (IDS) or proxy/gateway services. Nevertheless,
functions such as IDS or application-level proxying should be implemented on separate, dedicated
systems. The routing function can be configured as static or dynamic; only static routing, to the
next router, should be used. The Firewall may also be used for bandwidth allocation, but bandwidth
allocation should be performed on routers where possible.

6.1.4 RUNS NO OTHER SERVICES


Services such as web servers should not run on the system, as this might give an attacker the
possibility to compromise the system as a whole. All unnecessary daemons should therefore be
removed from the system (e.g. telnetd, ftpd, etc.). Another scenario: tracing the attacker during or
after an attack (for example by doing a reverse DNS lookup) must not be done from the Firewall system.
Services not directly related to the Firewall should be disabled.

6.1.5 HOST NO PUBLIC DATA


The system running the Firewall does not host any public data. There is no reason for normal
users to connect to the Firewall system to obtain any data.

6.1.6 NO AUTOMATIC TRUSTED RELATIONS ON OS LEVEL


Trusted relations mean that other systems may, for example, log in to the Firewall with
pre-defined authentication, immediately receiving the rights that belong to that specific account.
Authentication and authorization must be done by every system individually.

6.1.7 INTERRUPTION WILL NOT COMPROMISE DATA OR NETWORK
Interruption of firewall service must not compromise data or the network. Upon initial start-up of
the firewall or recovery from an interruption in firewall service, the firewall must not compromise its
resources or those of any connected network.

6.1.8 BACKUP AND RECOVERY PROCEDURES


Ensure that backup procedures exist for the Firewall configuration and the log files. The
Firewall should be backed up to ensure quick recovery from data loss. The log files should be archived
separately to ensure a permanent record of transactions. Archived log files should be removed
from the Firewall, as they will slowly consume all available space on the system and potentially
cause system failures. There should be sufficient space for the log files to reduce the risk that an
attacker deliberately fills the partition.

6.2.0 INSTALLATION AND CONFIGURATION

6.2.1 ENABLE NETWORK TIME PROTOCOL (NTP)


If possible, enable Network Time Protocol (NTP) to synchronize time and date. Only
administrators may manually change the system date and/or time. Time and date are important for
stamping events that are logged and for synchronizing across the security infrastructure. Ensure NTP
updates are only possible via trusted time servers within the internal network. If possible, NTP should
be enabled with MD5 authentication. If date and time have to be set manually, it is important that only
authorized personnel can change the date and time of the system. This function must be protected by a
password.

6.2.2 PHYSICALLY LABELED (INVENTORY)


The system must be physically labeled with a reference. When problems with the Firewall occur it is
important to know the exact configuration of the complete system and the physical location of the
hardware. For this purpose, make a configuration list of both software and hardware. Store the
information in a safe place, but within reach.

6.2.3 OFFLINE INSTALLATION AND CONFIGURATION


The Firewall has to be physically disconnected from the external networks during installation
or changes in configuration.

6.3.0 FIREWALL SOFTWARE

6.3.1 VENDOR-AUTHORIZED PRODUCTION RELEASE VERSIONS USED


All versions of firewall must be the official production versions. No beta-versions are allowed
as they may not be stable and will not have been tested in depth.

6.3.2 CONFIGURATION PARAMETERS


There are many settings that are important. By default many parameters are set to ON,
although that might not be correct in some cases. Therefore, all configuration parameters must be
considered when installing the Firewall for the first time. For example:
• SYNDefender
This group of parameters protects against SYN attacks (such as SYN flooding). Three defense
scenarios are possible; the firewall documentation gives a detailed explanation and advice on how to
handle an attack.

• Security Server
The use of Security Servers should be restricted to the minimum.
• VoIP
Voice over IP should be switched off.
• VPN-1 Net
If no VPN community is defined, then Block all connections.

6.4.0 ACCESS TO THE FIREWALL

6.4.1 REMOTE ADMINISTRATION


Administrators are allowed to manage firewalls remotely. However, additional security settings
should be implemented:
• Use a dedicated management LAN that reaches the Firewall via a discrete network adapter;
• Use network encryption (SSH or IPSEC) between the Firewall and the administrative
systems (i.e. workstation or server);
• Implement IP filtering on the discrete network adapter, allowing access only from dedicated
IP addresses and only for management protocols;
• Maintain a list of allowed workstations and their IP addresses, and a list of the people who
may use these dedicated workstations.

6.4.2 LOGIN VIA THE ADMINISTRATOR OR ROOT ACCOUNTS


Login via the Administrator or Root accounts must be disabled. These accounts are often the
targets of attacks. Every administrator should use his own (unique and traceable) username and
password combination. Passwords should match IT Security password policies. Normal user accounts
are not allowed to exist on a firewall.

6.4.3 DEFINE ACCESS TO THE SECURITY DATABASES


A firewall may contain many security databases (i.e. object database, user database, LDAP user
database, security policy/rules, log database, etc.), and access to all these databases should be
restricted to authorized administrators only.

6.4.4 ONLY AUTHORIZED ADMINISTRATOR MAY CHANGE USER DATA


The Firewall software shall restrict the ability to query, modify, delete and assign user
attributes, such as personal identification and account ID, to Administrators.

6.5.0 TESTING THE FIREWALL

6.5.1 EVERY CONFIGURATION MUST BE THOROUGHLY TESTED


It is important to test the Firewall. The objective is to prove that the system is stable, acts as
predicted and stands up to known attacks.
Testing should be done in a methodical way. It includes the following aspects:
• The test documentation shall consist of test plans, test procedure descriptions, expected test
results and actual test results;
• The test plans shall identify the test details and test scenarios;
• The expected test results shall show the anticipated outputs from a successful execution of the
tests;
• There will be a formal transfer of the firewall from test to production state.

CHAPTER SEVEN

7.1.0 GENERAL SETTINGS AND DEFAULTS

7.1.1 SECURITY POLICY


By default, the security policy rules deny all inbound and outbound information flows. Only an
authorized administrator has the authority to change the security policy rules.

7.1.2 ENABLE NETWORK ADDRESS TRANSLATION (NAT)


Although the use of private IP addresses is a part of the network architecture, the use of NAT by
the Firewall is strongly recommended. Use of private ranges hides the structure of the inner network
from the outside world (e.g. the Internet).
Private ranges are never transferred through the routing systems on the Internet, thus creating a
further level of security.
These are the ranges of private IP addresses:
• 127.0.0.0 - 127.255.255.255
• 10.0.0.0 - 10.255.255.255
• 172.16.0.0 - 172.31.255.255
• 192.0.2.0 - 192.0.2.255
• 192.168.0.0 - 192.168.255.255
• 244.0.0.0 - 255.255.255.255

Note: If the above IP ranges are in use within ABC BROADCASTING CORPORATION internal
network, the routing configuration and spoofing rules on the Firewall device (especially one deployed
internally to ABC BROADCASTING CORPORATION) must be applied with care.

Note: If the Firewall has an 'Automatic NAT' facility, it should not be used. NAT should always be
configured manually in order to maintain better control of the configuration.

Note: Whenever possible, NAT should be performed by a separate device such as a dedicated router.
This improves the performance of the Firewall, reduces rule set management and allows the Firewall to
focus on traffic control.

7.1.3 SPECIFY LIMITS OF AUTHENTICATION FAILURES


Only authorized administrators may specify limits of authentication failures. The Firewall
software shall restrict the number of authentication failures for Administrators to three (3)
(recommended). A procedure must be in place to handle this event and unlock access to the Firewall.

7.1.4 RESERVE ENOUGH DISK SPACE TO HOLD THE LOG FILE


Estimate the space required by the logging function of the rules in the rule set.
Information must be kept for several days to facilitate follow-up of attacks and breaches of
security. A minimum retention period of 90 days for log files is recommended.


CHAPTER EIGHT
8.1.0 MANAGING RULE SETS

8.1.1 REMOVE UNUSED RULES


Make the standard rule set visible and remove unused rules. Immediately after installation, the
firewall enforces a standard rule set that permits certain protocols to pass the Firewall. This rule
set is not visible by default.
Inspect it thoroughly and remove the unused rules, or better remove them all, as they might cause
unexpected Firewall behavior when other rules are added.

8.1.2 BACK-UP THE OLD RULE SET


Before activating a new or changed rule set, a back-up of the old rule set must be made. It is
crucial that the Administrator can roll back immediately to the old rule set if the new one is not
working correctly. Of course one should test the new rule set properly.
Note: Sometimes the objects referenced by the rules are affected by the changes, so the ability to
roll back these objects is also very important.

8.1.3 KEEP THE RULE BASE SIMPLE AND SHORT


An increasing number of rules can lead to an ineffective or wrongly configured rule set.
It is recommended to specify no more than 30 rules per rule set. More than 50 rules make a rule set
incomprehensible; instead one should reconsider the architecture of the network(s) involved.
The basic steps involved in creating a firewall policy:
• Identification of network applications;
• Identification of vulnerabilities associated with the applications;
• Cost-benefit analysis of methods for securing the applications;
• If required, a Risk Analysis using the Traffic Rule Matrix as a guide, which shows the
protection method for each application before firewall rules are created; and
• Creation of the firewall rule set based on the applications, the Traffic Rule Matrix, IT Security
Policies and Standards, and best practices.

8.1.4 PERFORM PERIODIC CHECKS ON THE RULE SET


Some rules can have a limited lifetime. Therefore, a rule set should be checked on a regular
basis and adjusted to reflect the current conditions. For those temporary rules, a remark should be
made in the "COMMENT" field as to when the rule shall be removed.

8.1.5 DOCUMENT AND STORE THE RULE SET


The rule set must be documented properly and stored in a safe place. Whenever there are problems
with the Firewall, it is important that the rule set, which might be part of the problem, is available and
understandable. Documentation per rule should at least include:
• Name of the firewall administrator and name of the firewall system;
• Entity requesting the rule and the reason;
• Description of the rule: source, destination, protocol and action;
• Name and color conventions of the firewall objects used;
• Expected lifetime of the rule.
Note: The rule set is considered to be critical data. The document should also be part of the Network
Operations Standard Operating Procedure (SOP).
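The checks of 8.1.3 to 8.1.5 can be automated against an exported rule base. The following Python script is an added example written for this document, not ABC Corporation's or any firewall vendor's tooling: the rule fields, the key=value layout of the COMMENT text and the sample rules are constructed assumptions. It flags rules missing the required documentation, temporary rules whose removal date has passed, rule bases over the 30- and 50-rule limits, and a rule base that does not end with a logged drop-all cleanup rule (8.2.7).

```python
"""Lint a firewall rule base against the size, lifetime and documentation
requirements of 8.1.3 to 8.1.5 (added example, not ABC Corporation's or any
vendor's tooling; rule fields, COMMENT layout and sample rules are assumptions)."""
from datetime import date

MAX_RECOMMENDED_RULES = 30     # 8.1.3: no more than 30 rules per rule set
MAX_COMPREHENSIBLE_RULES = 50  # 8.1.3: above 50, reconsider the network architecture
REQUIRED_DOC_FIELDS = ("admin", "firewall", "requester", "reason", "lifetime")  # 8.1.5

# Constructed sample rule base.  The COMMENT field carries the 8.1.5
# documentation as key=value pairs and, for temporary rules, the 8.1.4
# removal date as expires=YYYY-MM-DD (an assumed convention).
SAMPLE_RULES = [
    {"no": 1, "src": "mgmt-lan", "dst": "fw-gw", "svc": "ssh", "action": "accept", "log": False,
     "comment": "admin=fwadmin01 firewall=fw-gw requester=netops reason=remote-admin lifetime=permanent"},
    {"no": 2, "src": "any", "dst": "fw-gw", "svc": "any", "action": "drop", "log": True,
     "comment": "admin=fwadmin01 firewall=fw-gw requester=netops reason=stealth-rule lifetime=permanent"},
    {"no": 3, "src": "internal", "dst": "dmz-web", "svc": "http", "action": "accept", "log": False,
     "comment": "admin=fwadmin01 firewall=fw-gw requester=web-team reason=pilot-portal "
                "lifetime=temporary expires=2009-03-31"},
    {"no": 4, "src": "any", "dst": "dmz-mail", "svc": "smtp", "action": "accept", "log": False,
     "comment": ""},
    {"no": 5, "src": "any", "dst": "any", "svc": "any", "action": "drop", "log": True,
     "comment": "admin=fwadmin01 firewall=fw-gw requester=netops reason=cleanup lifetime=permanent"},
]

def parse_comment(comment):
    """Turn 'key=value key=value ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in comment.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def lint_rule_base(rules, today):
    """Return a list of (rule_no, finding) tuples; rule_no is None for findings
    about the rule base as a whole.  'today' is an ISO date string."""
    today = date.fromisoformat(today)
    findings = []

    count = len(rules)                                   # 8.1.3 size limits
    if count > MAX_COMPREHENSIBLE_RULES:
        findings.append((None, f"{count} rules: incomprehensible, reconsider the network architecture"))
    elif count > MAX_RECOMMENDED_RULES:
        findings.append((None, f"{count} rules exceeds the recommended maximum of {MAX_RECOMMENDED_RULES}"))

    for rule in rules:
        doc = parse_comment(rule.get("comment", ""))
        missing = [f for f in REQUIRED_DOC_FIELDS if f not in doc]   # 8.1.5 documentation
        if missing:
            findings.append((rule["no"], "undocumented fields: " + ", ".join(missing)))
        expires = doc.get("expires")                                   # 8.1.4 limited lifetime
        if expires and date.fromisoformat(expires) < today:
            findings.append((rule["no"], f"temporary rule expired on {expires}; remove it"))
        elif doc.get("lifetime") == "temporary" and not expires:
            findings.append((rule["no"], "temporary rule without a removal date in COMMENT"))

    # 8.2.7: the rule base must end with an explicit, logged drop-all cleanup rule
    last = rules[-1] if rules else None
    if not (last and last["action"] == "drop" and last.get("log")
            and (last["src"], last["dst"], last["svc"]) == ("any", "any", "any")):
        findings.append((None, "last rule is not a logged drop-all cleanup rule"))
    return findings

if __name__ == "__main__":
    for rule_no, finding in lint_rule_base(SAMPLE_RULES, "2009-05-11"):
        print(f"rule {rule_no if rule_no is not None else '-'}: {finding}")
```

Run against the sample on the document's submission date, the script reports the expired pilot rule and the undocumented SMTP rule; removing the last rule additionally reports the missing cleanup rule.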

8.2.0 HARDENING THE RULE SET

8.2.1 TURN OFF UNUSED RULES


Hardening the rule base involves quick and easy steps to turn off some default rules. These
rules allow certain communications that may be used for malicious intent. It is best practice to turn off
all rules and only allow services that are explicitly required.

8.2.2 DENY "SPOOFED PACKETS"


The rule set shall explicitly deny information flows from manipulated origins, so-called
"Spoofed Packets".
• The Firewall shall drop requests for access or services where the information arrives on an
external interface and the presumed address of the source subject is an entity on an
internal network. Likewise, the Firewall shall drop requests for access or services where the
information arrives on an internal interface and the presumed address of the source subject is
an external entity on the external network.
• Drop traffic arriving on the external interface with a private IP source address.
• The Firewall shall drop requests for access or services where the information arrives on either
an internal or external interface and the presumed address of the source subject is on the
loopback network.
• The Firewall shall drop requests where the subject specifies the path by which data should route
to its destination, so-called "IP source routing".
• For application protocols supported by the firewall (e.g. DNS, HTTP, SMTP and POP3), the
Firewall shall deny any access or service requests that do not conform to the associated
published protocol specification (RFC).

8.2.3 RULE ORDER IS IMPORTANT


The order of the rules in the rule set is critical. The same rules placed in a different order
can radically alter how the Firewall works, because the Firewall inspects packets against the rules
sequentially.
When the Firewall receives a packet, it compares it against the first rule, then the second, then the
third, and so on. When it finds a rule that matches, it stops checking and applies that rule. If the
packet goes through every rule without finding a match, the packet is denied. It is critical to
understand that the first rule that matches is applied to the packet, not the rule that best matches.
Based on this, it is strongly advised to place the more specific rules first and the more general rules
last; this prevents a general rule being matched before a more specific rule is reached. The following
lists the order in which traffic is processed by a firewall enforcement module:
• Implied rules configured FIRST in the security rule base.
• Stealth rule (normally the first explicit rule).
• All explicit rules except the last rule.
• Implied rules configured BEFORE LAST in the security rule base.
• Cleanup rule (normally the last explicit rule).
• Implied rules configured LAST in the security rule base.
• Implicit drop rule.
• Anti-spoofing check.
• Address translation rule base.

Note: Example of good rule order:
Start:
• Rules that permit administration of the Firewall - inbound.
• Block all other access to the Firewall (AND LOG/ALERT).
• Rules that permit administration of the Firewall - outbound (if required, e.g. Management
Station echo replies).
• Block all other access from the Firewall (AND LOG/ALERT).
• Rules that affect performance, e.g. dropping multicast traffic.
• Rules that actually allow applications through to the DMZ.
• Rules that permit administration of DMZ devices (internal firewall of a two-stage firewall
architecture).
End:
• Catch-all rule to drop and log everything else.
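The following Python simulation is an added example, not vendor or project code, illustrating the first-match semantics described in 8.2.3 together with the origin checks of 8.2.2 and the address ranges listed under 7.1.2. The rule format, the interface names, the 10.1.0.0/16 internal network, the firewall and DMZ addresses and the sample packets are constructed assumptions. Of the 7.1.2 ranges, only 10/8, 172.16/12 and 192.168/16 are RFC 1918 private addresses; 127/8 is loopback, 192.0.2.0/24 is documentation space and 244.0.0.0 upward lies in the reserved/broadcast block, but none of them can legitimately arrive as a source on the external interface, so the same drop applies to all of them. The simulation applies the origin checks before the rule base so that a spoofed packet can never be accepted by an explicit rule; it also shows how swapping the stealth rule above the administration rule changes the outcome, and how the implicit drop stays silent when no cleanup rule is present (8.2.7).

```python
"""First-match rule evaluation with anti-spoofing (added example; the rule
format, interfaces, networks and packets below are constructed assumptions)."""
import ipaddress

# Ranges listed under 7.1.2.  244.0.0.0 to 255.255.255.255 is not a single
# CIDR block, so it is summarized into the blocks that cover it.
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16")]
RESERVED_SOURCES += list(ipaddress.summarize_address_range(
    ipaddress.ip_address("244.0.0.0"), ipaddress.ip_address("255.255.255.255")))

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed internal LAN
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
FIREWALL_ADDR = "10.1.0.1/32"                       # assumed address of the firewall itself

def anti_spoof(pkt):
    """8.2.2 origin checks: return the reason for dropping, or None if plausible.
    'iface' is 'external' or 'internal' (anything else is treated as internal)."""
    src = ipaddress.ip_address(pkt["src"])
    if src in LOOPBACK:
        return "loopback source on a network interface"
    if pkt["iface"] == "external":
        if src in INTERNAL_NET:
            return "internal address arriving on external interface"
        if any(src in net for net in RESERVED_SOURCES):
            return "private/reserved source on external interface"
    elif src not in INTERNAL_NET:
        return "external address arriving on internal interface"
    return None

def rule(name, src, dst, proto, dport, action, log=False):
    """Build one rule; proto 'any' and dport None act as wildcards."""
    return {"name": name, "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "dport": dport, "action": action, "log": log}

# Constructed rule base in the order recommended under 8.2.3: firewall
# administration first, then the stealth rule, application rules, and the cleanup rule.
RULES = [
    rule("fw-admin-inbound", "10.1.99.0/24", FIREWALL_ADDR, "tcp", 22, "accept"),
    rule("stealth", "0.0.0.0/0", FIREWALL_ADDR, "any", None, "drop", log=True),
    rule("dmz-web", "0.0.0.0/0", "203.0.113.10/32", "tcp", 80, "accept"),
    rule("internal-https-out", "10.1.0.0/16", "0.0.0.0/0", "tcp", 443, "accept"),
    rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", None, "drop", log=True),
]

def matches(r, pkt):
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["proto"] in ("any", pkt["proto"])
            and r["dport"] in (None, pkt.get("dport")))

def evaluate(rules, pkt):
    """Return (action, matched_by, logged).  Origins are checked first; then the
    rules are tried strictly in order and the FIRST match decides, not the most
    specific one.  A packet matching no rule is dropped by the implicit rule,
    which (as 8.2.7 notes) is not logged."""
    reason = anti_spoof(pkt)
    if reason:
        return ("drop", "anti-spoofing: " + reason, True)
    for r in rules:
        if matches(r, pkt):
            return (r["action"], r["name"], r["log"])
    return ("drop", "implicit-drop", False)

# Constructed sample traffic: admin SSH, public web hit, spoofed admin SSH,
# private source from outside, and outbound SMTP for which no rule exists.
SAMPLE_PACKETS = [
    {"iface": "internal", "src": "10.1.99.5", "dst": "10.1.0.1", "proto": "tcp", "dport": 22},
    {"iface": "external", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
    {"iface": "external", "src": "10.1.99.5", "dst": "10.1.0.1", "proto": "tcp", "dport": 22},
    {"iface": "external", "src": "192.168.1.9", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
    {"iface": "internal", "src": "10.1.20.3", "dst": "198.51.100.7", "proto": "tcp", "dport": 25},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["iface"], pkt["src"], "->", pkt["dst"], pkt["dport"], evaluate(RULES, pkt))
    # Same rules with the stealth rule moved above the administration rule:
    # the administrators' SSH session is now dropped by the stealth rule.
    reordered = [RULES[1], RULES[0]] + RULES[2:]
    print("reordered:", evaluate(reordered, SAMPLE_PACKETS[0]))
```

The reordered run is the point of 8.2.3 in miniature: nothing in the rules changed, only their order, yet administration is cut off because the broader stealth rule is reached first.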

8.2.4 PERFORMANCE OF THE RULE SET


Although rule order is most important, do a review of the complete rule base for performance.
When possible, move the most commonly used rules towards the top of the rule base, without
changing the effect of the complete rule set. This improves performance since the Firewall parses
fewer rules.

8.2.5 BROWSE AND EDIT THE DEFAULT RULES


The first step is to eliminate any rules (e.g. implicit ones) that permit data. It is important to
start with a clean slate and ensure that no packets are getting through. Unfortunately, most firewalls
come with a variety of services wide open by default. The first step is to turn off these default
properties, or to be completely aware of the consequences when they are left open.

Note: Often the implicit rules controlled by the global properties of the security policy are not
reviewed for their appropriateness before implementation. Default application and service settings
should be reviewed and enabled or disabled accordingly.

8.2.6 BLOCK ANY ACCESS TO THE FIREWALL ITSELF


No one should have access to the Firewall except authorized administrators. All traffic not
originating from predefined sources to the Firewall itself should not be allowed and these actions
should always be logged.

8.2.7 LOG ALL PACKETS MARKED FOR DROP


By default, the firewall drops all packets that do not match any rule. However, these packets are
not logged by default. Change this by creating a Drop All and Log rule and adding it to the end of
the rule base.

Note: Only exception to logging all dropped packets is the broadcast rule.
Note: This is a standard rule that every rule base should have.

8.2.8 DROP BROADCAST TRAFFIC AND SWITCH LOGGING OFF

Depending on the place in the infrastructure there might be a great deal of broadcast traffic on
the network that the Firewall drops and logs, which can quickly fill up the logs. If this is the case you
might create a rule that drops or rejects this traffic, but does not log it.

8.2.9 BLOCK THE DMZ IF APPROPRIATE


Depending on the other rules, internal users may have open access to the DMZ, which is
undesirable. In that case make a rule that denies access, and grant access to the DMZ only through
specific rules.

8.2.9.1 THE DMZ SHOULD NEVER INITIATE UNDESIRED CONNECTIONS


The DMZ should NEVER initiate traffic to your internal network, with the exception of
services that are specifically permitted. If unexpected traffic is noticed, then this may mean that the
DMZ was compromised. Add a rule that denies, logs, and alerts whenever there is any other traffic
from the DMZ to the internal network than permitted services.

8.2.9.2 PUT COMMENTS AT THE RULES


Comments help to keep track of the purpose of the rules. With a better understanding of the
rules there is obviously less chance of error. Also, if available, put a review number.


CHAPTER NINE

9.1.0 AUDIT

9.1.1 FIREWALLS SHOULD BE REGULARLY AUDITED


On a regular basis an independent party will test the Firewall. The goal is to identify
vulnerabilities in the Firewall at that moment. An independent party, such as the security vendor or
Corporate Assurance, will audit the Firewall on a regular basis. The goal is to assure that the
Firewall is well maintained and that procedures are followed. Penetration testing should not be
performed during production hours.

9.1.2 EXAMINATIONS OF LOG FILES


Audits to examine the log files will be done at least every day. A separate account will be defined
for the person who checks the audit trail. This account has minimal rights: only the right to read the
audit trail and copy it to a medium. It is recommended to make use of real-time alert capabilities (if
available).

9.1.3 AUDIT TRAIL PROPERTIES


Audit trail data is stamped with a dependable date and time when recorded. Audit events
include modifications to the group of users associated with the authorized administrator role, all use of
the identification and authentication mechanisms (including any attempted reuse of authentication
data), all information flow control decisions made by the Firewall, and the use of all security
functions. If the audit trail becomes filled, then the only auditable events that may be performed are
those performed by the authorized administrator.

9.1.4 LOG FILES SETTINGS


The Firewall software shall record within each audit record at least the following information:
Date and time of the event, type of event, subject identity, outcome (success or failure) of the event;
and for specific cases extra information as specified below.
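As an added illustration of the daily log examination of 9.1.2 and the record content required by 9.1.4 (not the firewall vendor's or ABC Corporation's tooling), the Python script below parses a constructed audit trail and raises the alerts a reviewer would want to see: records missing a mandatory field, administrators reaching the three-failure limit of 7.1.3, policy changes by anyone other than an authorized administrator (7.1.1), and any DMZ host initiating traffic towards the internal network (8.2.9.1). The record layout, account names, networks and log lines are constructed assumptions.

```python
"""Daily examination of firewall audit records (added example, not ABC
Corporation's or a vendor's tool).  The record layout, field names, networks,
account names and log lines are constructed assumptions."""
import ipaddress
from collections import Counter

REQUIRED_FIELDS = ("timestamp", "type", "subject", "outcome")   # 9.1.4 minimum record content
AUTH_FAILURE_LIMIT = 3                                          # 7.1.3 recommended limit
AUTHORIZED_ADMINS = {"fwadmin01", "fwadmin02"}                  # 7.1.1: only these may change policy
DMZ_NET = ipaddress.ip_network("10.2.0.0/24")                   # assumed DMZ
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")              # assumed internal LAN

# Constructed sample audit trail: timestamp first, then key=value fields.
SAMPLE_LOG = """\
2009-05-10T01:02:03Z type=auth subject=fwadmin01 outcome=success src=10.1.99.5
2009-05-10T01:05:11Z type=traffic subject=cleanup outcome=drop iface=external src=198.51.100.20 dst=203.0.113.10 dport=23
2009-05-10T01:05:12Z type=traffic subject=cleanup outcome=drop iface=external src=198.51.100.20 dst=203.0.113.10 dport=445
2009-05-10T02:14:07Z type=auth subject=fwadmin02 outcome=failure src=198.51.100.77
2009-05-10T02:14:19Z type=auth subject=fwadmin02 outcome=failure src=198.51.100.77
2009-05-10T02:14:31Z type=auth subject=fwadmin02 outcome=failure src=198.51.100.77
2009-05-10T03:40:00Z type=traffic subject=dmz-to-internal outcome=drop iface=dmz src=10.2.0.15 dst=10.1.20.3 dport=445
2009-05-10T04:00:00Z type=policy subject=fwadmin01 outcome=success detail=rule-added
2009-05-10T04:30:00Z type=policy subject=auditor outcome=success detail=rule-deleted
2009-05-10T05:00:00Z type=traffic outcome=drop iface=external src=198.51.100.21 dst=203.0.113.10 dport=22
"""

def parse_record(line):
    """Split 'TIMESTAMP key=value ...' into a dict; malformed tokens are skipped."""
    tokens = line.split()
    record = {"timestamp": tokens[0]} if tokens else {}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record

def examine(log_text):
    """Return a report dict: number of complete records, a list of alert strings
    for the reviewer, and dropped packets counted per source address."""
    records, alerts = [], []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        record = parse_record(line)
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:   # 9.1.4: an incomplete audit record is itself a finding
            alerts.append(f"line {lineno}: record lacks required field(s) {', '.join(missing)}")
            continue
        records.append(record)

    # 7.1.3: repeated administrator authentication failures
    failures = Counter(r["subject"] for r in records
                       if r["type"] == "auth" and r["outcome"] == "failure")
    for subject, n in failures.items():
        if n >= AUTH_FAILURE_LIMIT:
            alerts.append(f"{n} authentication failures for {subject}: account should be locked, investigate")

    for r in records:
        # 7.1.1: security policy changes by anyone but an authorized administrator
        if r["type"] == "policy" and r["subject"] not in AUTHORIZED_ADMINS:
            alerts.append(f"policy change '{r.get('detail', '?')}' by unauthorized subject {r['subject']}")
        # 8.2.9.1: any DMZ host initiating traffic towards the internal network
        if r["type"] == "traffic" and "src" in r and "dst" in r:
            if ipaddress.ip_address(r["src"]) in DMZ_NET and ipaddress.ip_address(r["dst"]) in INTERNAL_NET:
                alerts.append(f"DMZ host {r['src']} initiated traffic to internal {r['dst']}:{r.get('dport', '?')}"
                              f" ({r['outcome']}); possible DMZ compromise")

    drops = Counter(r["src"] for r in records
                    if r["type"] == "traffic" and r["outcome"] == "drop" and "src" in r)
    return {"records": len(records), "alerts": alerts, "drops_by_source": drops}

if __name__ == "__main__":
    report = examine(SAMPLE_LOG)
    print(f"{report['records']} complete records examined")
    for alert in report["alerts"]:
        print("ALERT:", alert)
    for src, n in report["drops_by_source"].most_common():
        print(f"{n:4d} drops from {src}")
```

In line with 9.1.2 and 6.1.4, a script like this would run under the dedicated read-only audit account against a copy of the log, not on the Firewall system itself.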

9.2.0 AUDITABLE EVENTS


The Network Administrator is expected to provide an analysis of the maximum amount of audit data
that can be expected to be lost in the event of audit storage failure, exhaustion, and/or attack.


9.3.0 SAMPLE TRAFFIC RULE MATRIX:


9.4.0 BLOCKING STANDARDS


9.5.0 FIREWALL ALLOW AND DENIAL/BLOCKING RULES


These rules should be implemented on all Firewalls, Routers and Managed Switches (Chow C 2006).

As stated earlier, network hardening policies are not complete without management policies.
These are policies governing the employees who manage, operate and implement all the system
hardware and software facilities in ABC Corporation's network. Any mismanagement on the human side
of network security could result in serious consequences, so these management policies are essential
and should be strictly adhered to. In this case the humans act as the first line of defense in
preventing intruders such as social engineers, hackers and cyber thieves from breaking into the
organization's internal network.


CHAPTER TEN
10.1.0 MANAGEMENT SECURITY HARDENING POLICIES

These policies aim strictly at avoiding and preventing social engineering attacks.

• An organization should ensure that it has a strong information security policy.
• The organization should conduct in-depth information security training for all employees.
• Employees should be suspicious of unsolicited email messages, phone calls or visits from
individuals asking about other employees or other internal information. When dealing with an
unknown person claiming to be from a legitimate organization, their identity must be verified
directly with that company.
• Staff should be trained not to be afraid to question the credentials of someone claiming to
work for ABC Corporation.
• Staff are encouraged to use strong passwords that are at least eight (8) characters long and
contain capital and small letters as well as numbers and special characters. Passwords will be
changed at a regular interval, depending on the organization's password policies.
• Passwords should not be written on computer chassis, under keyboards or pasted on office
walls or notice boards, which defeats their purpose of confidentiality.
• Downloading of unsolicited email attachments should not be allowed, because one might be
downloading and installing malicious programs such as viruses, Trojans, keystroke loggers or
spyware.
• Staff should not download and install any software on their computer system or any other
system on the instructions of a phone conversation. Installation of new software is the
responsibility of the IT staff.
• Backups of important files, folders and software should be made on a regular basis.
• The firewall and IDS log files should be checked regularly to see if there is any security
incident that was not reported by the system under the existing firewall rules (this instruction
is for System/Network Administrators).
• Install, maintain and update anti-virus software, anti-spyware software, operating system
patches and email filters at regular intervals.
• All unused software, applications and programs should be uninstalled.
• User accounts of employees who have left ABC Corporation will be removed, and the Human
Relations Department should notify other departments of their complete departure from the
organization.
• Staff should be trained to pay attention to the Uniform Resource Locators (URLs) of the web
sites they visit. Malicious web sites generally look identical to a legitimate site, the difference
being a URL that uses a variation in spelling or a different domain.
• Employees must not send sensitive information over the Internet before checking a web site's
security.
• Employees should make sure that they only deal with web sites that have valid, non-expired
certificates before sending confidential information across the Internet.
• Staff are not allowed to reveal personal or financial information in email, and they are not to
respond to email solicitations for this information. The information may seem trivial but could be
used by a social engineer to obtain vital information about ABC Corporation.
• All organizational documents and information, whether in print or electronic form, are to be
treated initially as classified and confidential. This information will later be classified as
private or public information as defined by the organization's policies.
• Employees must not give out personal information or information about the organization,
including the structure of its networks, to anyone unless they are certain of that person's
authority to have the information.
• Care should be taken in providing information on ABC Corporation's web site. Posting of
organizational charts or lists of key people should be avoided.
• All documents that might contain sensitive data and are to be discarded should be cross-cut
shredded.
• Organizational information in the possession of a laid-off, resigned or retired employee
should be retrieved from him/her (e.g. passwords, access keys and codes, etc.), and the passwords
to computers and other electronic equipment to which he/she used to have access should be
changed immediately.
• After the security management hardening plan has been established, it should be followed up to
ensure that employees understand and comply with it.
• Any employee who believes they are under a social engineering attack should report the incident
immediately to the organization's Anti Social Engineering Department.
• All company personnel/employees should wear the company's badge at all times, and these
badges should be of different patterns depending on the department an employee belongs to.
• Unidentified storage media such as floppy disks, USB pen/flash drives or mini discs should not
be inserted into any of the organization's computer systems, even when they bear the company's
logo and are labeled "For Sales Department" or similar. Their source must be fully verified
before use.

Organizational security should match the size of the organization. In other words, all
employees in an organization should be adequately informed and trained on organizational security
policies and their implementation (Mitnick and Simon, 2002, p. 271).


CHAPTER ELEVEN
11.1.0 RECOMMENDATIONS
It is obvious that network/organizational security should not be left solely in the hands of network administrators or system administrators but should be the responsibility of all the employees working in an organization, since the threat to organizational security is not only to the networking hardware or software but also to the humans (i.e. employees) working in the organization. To so-called social engineers, the human loophole is the easiest way of attacking an organization, as Mitnick and Simon (2002 p3) commented: "Humans are security's weakest link".
So, it is recommended that for ABC Corporation to survive in this highly threatened and competitive business environment, the organization should have all the necessary protective networking hardware/software in place, with competent network and system administrators manning them, and should also involve the entire staff of the organization in the security process by educating them to take security as diligently as they handle their day-to-day tasks. This will be achieved by training the entire staff on organizational security. Details of the issues on which the staff need to be trained are discussed in this document under the caption "Management Security Hardening Policies".

11.1.1 OPINIONS
Designing and setting up an organizational network is not all about the beauty of the network topology as it appears in the logical and physical diagrams; it takes an understanding of what the operations of the organization are, and then the design of a well-secured network that suits the nature of those operations.
It is our (the group members') opinion that a network such as that of ABC Broadcasting Corporation should implement a two-way security measure in securing the perimeter of the organization. The first is security from the hardware angle, by employing qualified, competent hands to man and run the network resources. The other is to strictly consider the "weakness of the human", which serves as the link to social engineering attacks. Every staff member of ABC Corps must be involved in training and awareness on how to recognize and mitigate the attacks of social engineers of any kind and degree.
Efforts have been made in this document to spell out all that is required to set up a well-secured and befitting network for ABC Broadcasting Corps. If implemented strictly by the book, ABC Broadcasting Corps can stand to compete firmly with any of its opponents in the business world of broadcasting and its like.

11.2.0 SUMMARY AND CONCLUSION

Time has been taken to explain the entire networking infrastructure that can be used to set up a tight and proficient network for ABC Broadcasting Corporation. The network link types are IP-VPN and point-to-point leased line. The point-to-point leased line is to be used to link branch offices that share a common country boundary with the headquarters office, which is located at Kuala Lumpur, Malaysia, while IP-VPN is to link branch offices that are farther away in other parts of Asia. The operation of ABC Broadcasting Corporation is particularly centered on the Asian continent.
The other phase of this document talks about network and organizational security. Efforts are made to detail all the measures needed to achieve a hack-proof network, both on the network infrastructure side and on the employees' side.
In conclusion, the war between network security experts and organizational security threats like hackers and social engineers will never end, but it is expected that with the extent of security which
this document has spelt out for ABC Broadcasting Corporation, the organization will be able to stand the test of time as well as claim its ground and prove its worth in the marketplace amongst its fellow competitors.

11.3.0 TERMS AND DEFINITION

Authentication
Proof of identity (or source). An authentication scheme between two entities consists of a proving party and a verifying party. Authentication can be provided in various ways, for example a username and password, a keyed hash or MAC (symmetric-key), or a digital signature (asymmetric-key).
Authorization
A set of rules which determines who gets access, and with what privileges, to a specific resource. Authorization should be preceded by a strong form of authentication to be effective.
Cisco IOS (Internetwork Operating System)
Cisco IOS is the software used on the vast majority of Cisco Systems routers and all current Cisco
network switches. IOS is a package of routing, switching, internetworking and telecommunications
functions tightly integrated with a multitasking operating system.

Console
The console is an interface on the router which can communicate with a terminal or terminal
emulator via a serial port.
Daemon
A daemon is a computer program that runs in the background, rather than under the direct
control of a user; they are usually initiated as processes. Typically daemons have names that end with
the letter "d".
DMZ
Demilitarized Zone: a network segment between two networks of different security levels. A DMZ is used to create a secure and controlled environment to protect traffic between two networks.
DoS
Denial of Service: an abbreviation often used for network attacks that prevent a network
component from providing its operational functions.
External Interface
The interface on a router directly connected to the network that is not under the control of the router's owner. In some cases the internal and external interfaces of a router are distinguished only by definition.
FTP
File Transfer Protocol: a widely used TCP-based file transfer and file management protocol.
IDS
An Intrusion Detection System (IDS) generally detects unwanted manipulations of computer systems, mainly arriving through the Internet. The manipulations may take the form of attacks by crackers.
IPS
An Intrusion Prevention System (IPS) is a computer security device that exercises access
control to protect computers from exploitation. Intrusion prevention technology is considered by some
to be an extension of IDS technology but it is actually another form of access control, like an
application layer firewall.
IPSec
IPSec (IP security) is a suite of protocols for securing Internet Protocol (IP) communications by
authenticating and/or encrypting each IP packet in a data stream.
Promiscuous mode
Refers to a configuration of a network card wherein a setting is enabled so that the card passes
all traffic it receives to the CPU rather than just packets addressed to it, a feature normally used for
packet sniffing.
Protocol
A communications protocol is the set of standard rules for data representation, signaling,
authentication and error detection required to send information over a communications channel.
Proxy
A proxy is a server (a computer system or an application program) which services the requests
of its clients by making requests to other servers. A client connects to the proxy server, requesting a
file, connection, web page, or other resource available from a different server.
VPN
A Virtual Private Network (VPN) is a private communications network often used by companies or organizations to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA). A VPN can send data (e.g. voice, data or video, or a combination of these media) across secured and encrypted private channels between two points.

Before a firewall policy can be created, some form of risk analysis must be performed on the applications that are necessary for the accomplishment of the organization's mission. The result of this analysis will include a list of the applications and how those applications will be secured. Risk analysis of the Information Technology infrastructure should be weighed based on an evaluation of the following elements:
• Threats;
• Vulnerabilities;
• Countermeasures in place to mitigate vulnerabilities; and
• The impact if sensitive data is compromised.
The goal is to understand and evaluate these elements prior to establishing the firewall policy. The result of the risk analysis will dictate the manner in which the firewall system handles network application traffic. The details of which applications can traverse the firewall, and under exactly what circumstances they may do so, should be documented in the form of an applications Traffic Rule Matrix.
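As an added example (not from the report), the following Python sketch shows how such a Traffic Rule Matrix can be recorded so that every permitted application traces back to a documented circumstance, and any flow without a row falls to default deny; the zones, applications and ports are constructed for illustration.

```python
"""Applications Traffic Rule Matrix: each row documents one risk-analysed
application; anything not in the matrix is denied by default.
Constructed illustration only, not the report's own policy."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    application: str   # application name as recorded in the risk analysis
    src_zone: str      # e.g. "internet", "dmz", "internal" (hypothetical zones)
    dst_zone: str
    proto: str         # "tcp" or "udp"
    dst_port: int
    action: str        # "permit" or "deny"
    circumstance: str  # the documented condition under which the row applies


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Constructed sample matrix (hypothetical applications and ports).
RULE_MATRIX: List[Rule] = [
    Rule("Public web site", "internet", "dmz", "tcp", 443, "permit", "any source"),
    Rule("IPSec VPN (IKE) from branches", "internet", "dmz", "udp", 500, "permit",
         "branch router peer addresses only"),
    Rule("FTP into DMZ", "internet", "dmz", "tcp", 21, "deny",
         "no business need; plaintext credentials"),
    Rule("Web server to database", "dmz", "internal", "tcp", 3306, "permit",
         "web server address only"),
]


def evaluate(flow: Flow, matrix: List[Rule] = RULE_MATRIX) -> Tuple[str, Optional[Rule]]:
    """The first matching row decides; no row means the application was never analysed."""
    key = (flow.src_zone, flow.dst_zone, flow.proto, flow.dst_port)
    for rule in matrix:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port) == key:
            return rule.action, rule
    return "deny", None  # default deny: undocumented traffic never traverses the firewall


def undocumented(flows: List[Flow], matrix: List[Rule] = RULE_MATRIX) -> List[Flow]:
    """Flows with no matrix row: candidates for the next round of risk analysis."""
    return [f for f in flows if evaluate(f, matrix)[1] is None]
```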

REFERENCE

• Mitnick, K & Simon, W 2002, Art of Deception (Controlling the Human Element of Security), 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA.
• James, F K & Keith, W R 2009, Computer Networking: A Top-Down Approach Featuring the Internet, 3rd edn, Pearson Education South Asia, India.
• Chow, C 2006, Astro; Operational Security Guideline: Cisco Router, Version 1.0, Kuala Lumpur.
• Gilbert, H 2004, Virtual Private Networking: A Construction, Operation and Utilization Guide, 2nd edn, John Wiley and Sons, USA.
• Todd, L 2007, CCNA: Cisco Certified Network Associate (CCNA), 3rd edn, John Wiley and Sons, USA.
• Larry, L P & Bruce, S D 2007, Computer Networks: A System Approach, 4th edn, Morgan Kaufmann Publications. Retrieved April 5, 2009 from http://books.google.com.my/books?id=fknMX18T40cC&printsec=frontcover&source=gbs_summary_r&cad=0.
• Robert, S, Michael, C & Laura, E H 2005, Network+ Study Guide & Practice Exams (CSU/DSU chap 3, p141), 3rd edn, Elsevier Publications. Retrieved April 6, 2009 from http://books.google.com.my/books?id=l8hU54ewGaYC&pg=PA141&dq=csu/dsu.
• Lemos, R 2000, "Mitnick teaches 'Social Engineering'", ZDNet News, July 17, 2000. Retrieved April 1, 2009 from http://zdnet.com.com/2100-11-522261.html?legacy=zdnn.
• Wikipedia 2009, Internet Protocol Security (IPSec), Wikipedia: The Free Online Encyclopedia. Retrieved April 6, 2009 from http://en.wikipedia.org/wiki/IPsec.
• Spirent White Paper 2002, Broadband Architecture: Point-to-Point Protocol Comes of Age. Retrieved April 2, 2009 from www.spirentcom.com/pdf.
• Simpson, W 1994, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661. Retrieved April 2, 2009 from http://www.ietf.org/rfc/rfc2341.txt.
• How Stuff Works 2009, Virtual Private Network (VPN), How Stuff Works Inc. Retrieved April 5, 2009 from http://computer.howstuffworks.com/vpn.htm/printable.
• Microsoft TechNet 2009, Virtual Private Network, TechNet Magazine, Microsoft Corporation. Retrieved April 5, 2009 from http://technet.microsoft.com/en-us/network/bb545442.aspx.
