
Assignment 8

DANIEL HOWELL
[COMPANY NAME]

NTW275

Table of Contents
Summary
Section 1: Assets
1-A: Hosts
1-B: Servers
Figure 1: Servers
1-C: DMZ
Figure 2: DMZ
1-D: Remote Location
Figure 3: Remote Location
Section 2: Security Mechanisms
2-A: Vlans
Figure 4: Vlans
2-B: Honey Pots
Figure 4: Honey Pots
2-C: Checkpoint Firewall
Figure 5: Edge
2-D: Internal Firewalls
Figure 6: Monitoring
2-E: Internal Traffic Monitoring
Section 3: Security Risks
3-A: Wi-Fi
3-B: Remote Location
3-C: Employees
3-D: DMZ
Section 4: Security Policy
4-A: Access Policy
4-B: Accountability Policy
4-C: Authentication Policy
4-D: Privacy Policy
4-E: Security Policy
4-F: Security Response Policy
4-G: Remote Access Policy
4-H: Router and Switch Policy
4-I: Server Policy
Section 5: Achieve Buy-in
5-A: Cost
Glossary

Summary
This document is intended to explain the security measures that could be
implemented to protect the system. Section one of this document lists the
company's assets on the network. These assets include the hosts on the network,
the servers in the data center, the company's DMZ, and the remote sales location.
This section does not cover all aspects of the network, just the sections that are
considered assets to the company's operations.
Section two of this document covers the security mechanisms that could be put in
place to protect the network. The security mechanisms that are being proposed
include isolated Vlans, Honey Pots, firewalls, and IDS/IPS. The installation of these
measures is not covered in this document.
Section 3 of this document lists the security risks of the network. The risks of the
network include the company Wi-Fi, the remote sales location, the employees, and
the DMZ. The listed risks are considered the weakest points in the network.
Section 4 of this document outlines the security policies. These policies cover
access to systems or data, accountability for the use of a workstation,
authentication of the user, privacy of data in the network, and security policies.
Section 5 of this document explains why these security measures should be
implemented in the network.

Section 1: Assets
This section outlines the assets of the ElectroMyCycle company network. This
section is only intended to explain what the assets are; the security for the assets is
covered in section 2 of this document. The assets include the hosts in the onsite
offices, the servers in the company data center, the company DMZ, and the remote
sales office. The following subsections cover each asset in detail.

1-A: Hosts
The onsite offices are able to support up to 200 employees. The 200 employees are
broken up into five different Vlans. The Vlans are outlined in section 2-A. The hosts
in the remote location are not covered in this section. The remote location is
covered in section 1-D. All of the company's daily operations are run from the hosts.

1-B: Servers
The company's servers are housed in a small data center. The servers contain
company records from all departments as well as customer information. The
backups are also stored in the data center. Figure 1 shows a diagram of the
company's data center. The security mechanisms in place for the data center are
covered in section 2 of this document.

Figure 1: Servers

1-C: DMZ
The company DMZ is comprised of three servers: the web server, DNS server, and
Email server. The company also uses the DMZ to support online sales. The DMZ is
on the outside of the company's network. Figure 2 shows the DMZ that is used by the
company. The security of the DMZ is covered in section 2 and the risk of the DMZ is
covered in section 3 of this document.

Figure 2: DMZ

1-D: Remote Location


The company has a remote sales location that is 500 miles away from the main
facility. The location is not large and does not require much hardware. Figure 3
shows a diagram of the remote facility. The facility is only used for selling the
company's product. The facility has only a few workstations and a couple of onsite
servers. The servers are for company information, customer information, and
backups of the onsite systems. The information is backed up to the data center
systems every day. The onsite servers are in place to ensure that the business can
operate even if the connection to the main facility goes down. Security measures for
the remote location are covered in section 3 of this document.

Figure 3: Remote Location

Section 2: Security Mechanisms


This section outlines the security measures that are in place to protect and secure
the network. These security measures include Vlans, various firewalls, traffic
monitoring, authentication measures, and honey pots. The following subsections
explain all security measures in detail.

2-A: Vlans
The company's internal network has been divided into five Vlans. Figure 4 shows a
diagram of all the Vlans on the network. The company did not give a specific
number of employees who are working in each work group. Vlan 1 is set for the
management team's use in daily operations. Vlan 2 is set for the marketing
department. Vlan 3 is the information technology (IT) department. Vlan 4 is set for
the accounting department. Vlan 5 is the manufacturing facility. The security
policies for the use of and access to the company's systems are outlined in section
4 of this document. Vlans 3 and 5 are operated differently than the others.

Vlan 3 is the only one that has the protocols to access all other Vlans. This is so the
IT department can provide technical support when and where it is needed. This is
also the only Vlan with Wi-Fi access in the main facility. Due to this level of
access the Vlan is closely monitored for any possible security breaches.

Vlan 5 is the company's state-of-the-art manufacturing facility. This Vlan is mostly
the machinery that is used to create the company's products. There are only a few
workstations that are used to monitor and operate the machinery.

Figure 4: Vlans

2-B: Honey Pots


In the event an intruder does gain access to the company's system there are four
honey pot servers set up to distract the intruder while the security team follows the
security plan to secure the network. The honey pots are intended to draw in the
intruders with false information. While the intruders think they have found an
unsecured server, the security team is isolating the rest of the system and monitoring
the intruders to find out how they got in. The four honey pots are spread out
throughout the data center to ensure that an intruder will find them. Figure 4 shows
the honey pots. Refer to figure 1 to see where they are in the data center design.

Figure 4: Honey Pots

2-C: Checkpoint Firewall


The edge of the network is configured with a checkpoint firewall system. There are
two paths coming into the network: a primary route that is the default path in and
out of the network, and a secondary route that is ready to take over the traffic flow in
the event the primary route goes down. This ensures that there is always a firewall
in place to protect the network. Figure 5 shows a diagram of the checkpoint
system. The third firewall that is shown in the system is only for traffic flowing to and
from the DMZ. It is not part of the checkpoint system.

Figure 5: Edge

2-D: Internal Firewalls


There are also multiple firewalls on the internal network that serve as an
intrusion prevention system (IPS). The firewalls are in place in key locations on the
network. Figure 6 shows how the firewalls are configured in the network topology.
By looking at any of the figures in this document one can see the firewalls that are
spread across the network.

Figure 6: Monitoring

2-E: Internal Traffic Monitoring


In conjunction with the internal firewalls there are monitoring devices that serve as
an intrusion detection system (IDS). Figure 6 shows how the system is configured.
The internal IDS and IPS protect the network from internal threats as well as allow
the security team to track any possible intruders.

Section 3: Security Risks


This section outlines the security risks in the company network. The Wi-Fi, Vlan 3,
remote location, employees, and DMZ are all considered security risks. This section
explains the security risks that each item presents. Section 4 outlines the
policies on how to protect these possible risks from exploitation.

3-A: Wi-Fi
The network has two Wi-Fi connections. The first is located in the main facility;
however, it is only accessible by the IT department. Figure 4 shows a diagram with
the Wi-Fi connection on the IT department's Vlan. If a malicious hacker was able to
gain access to the Wi-Fi they could start to spread across the whole network quickly.
This is due to the IT department Vlan privileges. Vlan 3 is the only Vlan that is able
to communicate with the other Vlans with relative ease. Refer to section 2-A for
details on the company Vlans.

3-B: Remote Location


The second Wi-Fi connection is located in the remote sales location. If this connection
was compromised the malicious hackers could gain access to the VPN that connects
the location to the main facility. From there they could begin exploiting the systems
further by spoofing credentials from the workstations that are at the location.
Refer to figure 3 for a diagram of the remote location.

3-C: Employees
The human element will always be the weakest link in security. To aid in the
prevention of human error in the network refer to the security training policy in
section 4 of this document. With proper training the risk of employee error can be
managed easily.

3-D: DMZ
The company DMZ has a firewall on it; however, that does not make it completely
secure. The DMZ houses three servers that give hackers three different options to
attack. Refer to section 1-C for details on the DMZ. The DMZ can be compromised
by an attacker and used to attempt to gain access to the main network. They could
also exploit the servers in the DMZ, causing them to crash and costing the company
money in downtime.

Section 4: Security Policy


This section covers the policies of general areas of the network. The policies listed
in this section address the Email policy, password policy, and security response
policy. These policies are meant to aid in protecting the network from malicious
individuals.

4-A: Access Policy


Employees are not allowed to bring in their own devices to connect to the network.
This includes devices that other individuals could bring in. If a workstation is
required for an employee to do their job they will be assigned a system. All outside
devices that are connected to the network will be destroyed. Users are not able to
access data regarding departments other than their own unless they are given
authorization prior to accessing the data. Users are not able to download or install
new programs on the system.

4-B: Accountability Policy


Each employee is responsible for their own workstation and work area. This also
includes locking their station when they leave and following all rules and
guidelines. In the event a data breach is traced back to a specific user's workstation
they will be held accountable for the breach.

4-C: Authentication Policy


All users have a username and password to access the network. The passwords
are comprised of at least eight characters. Each password needs to have upper case and lower
case letters, numbers, and special characters.

4-D: Privacy Policy


All activity on the network is monitored. This includes emails, logging keystrokes,
and file access. This is meant to ensure a secure network.

4-E: Security Policy


Passwords are a critical component of information security. Passwords serve to
protect user accounts; however, a poorly constructed password may result in the
compromise of individual systems, data, or the Cisco network. This guideline
provides best practices for creating secure passwords. The passwords that will be
used follow the standard naming convention that has been developed for the
network. For security purposes the naming convention is not included in this
document. Passwords for any device running on the network cannot be changed
with a simple request. All passwords are changed for each of the devices on the
network on a regular basis.

4-F: Security Response Policy


A Security Response Plan (SRP) provides the impetus for security and business
teams to integrate their efforts from the perspective of awareness and
communication, as well as coordinated response in times of crisis (security
vulnerability identified or exploited). Specifically, an SRP defines a product
description, contact information, escalation paths, expected service level
agreements (SLA), severity and impact classification, and mitigation/remediation
timelines. Requiring business units to incorporate an SRP as part of their business
continuity operations, and as new products or services are developed and prepared
for release to consumers, ensures that when an incident occurs, swift mitigation and
remediation ensues. The purpose of this policy is to establish the requirement that
all business units supported by the Infosec team develop and maintain a security
response plan. This ensures that the security incident management team has all the
necessary information to formulate a successful response should a specific security
incident occur. All incidents that arise within the network will be addressed in order
of severity. Each incident will be documented and submitted for review regardless of
the event that occurs. All incidents will be submitted using the incident response
template that has also been created for the network.

4-G: Remote Access Policy


Remote access to our corporate network is essential to maintain our team's
productivity, but in many cases this remote access originates from networks that
may already be compromised or are at a significantly lower security posture than
our corporate network. While these remote networks are beyond the control of
Hypergolic Reactions, LLC policy, we must mitigate these external risks to the best of
our ability. Remote access for the devices on the network is limited. Remote
connection via a virtual private network (VPN) is not allowed. General access to the
Internet for recreational use through the network is strictly limited to employees,
contractors, vendors and agents (hereafter referred to as Authorized Users). When
accessing the network from a personal computer, Authorized Users are responsible
for preventing access to any computer resources or data by non-Authorized Users.
Performance of illegal activities through the network by any user (Authorized or
otherwise) is prohibited. The Authorized User bears responsibility for and
consequences of misuse of the Authorized User's access. For further information
and definitions, see the Acceptable Use Policy. Authorized Users will not use
networks to access the Internet for outside business interests.

4-H: Router and Switch Policy


This document describes a required minimal security configuration for all routers
and switches connecting to a production network or used in a production capacity at
or on behalf of. All employees, contractors, consultants, temporary and other
workers at Cisco and its subsidiaries must adhere to this policy. All routers and
switches connected to Cisco production networks are affected. Every router must
meet the following configuration standards:
1. No local user accounts are configured on the router. Routers and switches must
use TACACS+ for all user authentication.
2. The enable password on the router or switch must be kept in a secure encrypted
form. The router or switch must have the enable password set to the current
production router/switch password from the device's support organization.
3. The following services or features must be disabled:
a. IP directed broadcasts
b. Incoming packets at the router/switch sourced with invalid addresses such
as RFC1918 addresses
c. TCP small services
d. UDP small services
e. All source routing and switching
f. All web services running on router
g. Cisco discovery protocol on Internet connected interfaces
h. Telnet, FTP, and HTTP services
i. Auto-configuration
4. The following services should be disabled unless a business justification is
provided:
a. Cisco discovery protocol and other discovery protocols
b. Dynamic trunking
c. Scripting environments, such as the TCL shell
5. The following services must be configured:
a. Password-encryption
b. NTP configured to a corporate standard source

6. All routing updates shall be done using secure routing updates.


7. Use corporate standardized SNMP community strings. Default strings, such as
public or private must be removed. SNMP must be configured to use the most
secure version of the protocol allowed for by the combination of the device and
management systems.
8. Access control lists must be used to limit the source and type of traffic that can
terminate on the device itself.
9. Access control lists for transiting the device are to be added as business needs
arise.
10. The router must be included in the corporate enterprise management system
with a designated point of contact.
11. Each router must have the following statement presented for all forms of login
whether remote or local:
"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have
explicit permission to access or configure this device. All activities performed on this
device may be logged, and violations of this policy may result in disciplinary action,
and may be reported to law enforcement. There is no right to privacy on this device.
Use of this system shall constitute consent to monitoring."
12. Telnet may never be used across any network to manage a router, unless there
is a secure tunnel protecting the entire communication path. SSH version 2 is the
preferred management protocol.
13. Dynamic routing protocols must use authentication in routing updates sent to
neighbors. Password hashing for the authentication string must be enabled when
supported.
14. The corporate router configuration standard will define the category of sensitive
routing and switching devices, and require additional services or configuration on
sensitive devices including:
a. IP access list accounting
b. Device logging
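
An audit of a router configuration against several of the numbered standards above, as an added example that is not part of the original document. The two running-configs are constructed samples in Cisco IOS syntax, and the mapping from policy item to command (for instance treating `enable password` as failing item 2 and requiring `enable secret` instead) is this example's assumption.

```python
import re

# Constructed IOS-style running-config that breaks several policy items.
WEAK_CONFIG = """\
service password-encryption
service tcp-small-servers
enable password 7 0000CONSTRUCTED
username admin privilege 15 secret 5 $1$constructed
aaa authentication login default group tacacs+
ip http server
no ip source-route
snmp-server community public RO
ntp server 192.0.2.10
interface GigabitEthernet0/1
 ip directed-broadcast
banner login ^C UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. ^C
line vty 0 4
 transport input telnet ssh
"""

# Constructed corrected counterpart of the same device.
HARDENED_CONFIG = """\
service password-encryption
enable secret 9 $9$constructed
aaa authentication login default group tacacs+
no ip http server
no ip source-route
ip ssh version 2
ntp server 192.0.2.10
interface GigabitEthernet0/1
 no ip directed-broadcast
banner login ^C UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. ^C
line vty 0 4
 transport input ssh
"""

# (policy item, regex): a match on any config line is a finding.
FORBIDDEN = [
    ("1 local user account", r"^username\s+\S+"),
    ("2 enable password instead of enable secret", r"^enable password\b"),
    ("3a IP directed broadcast", r"^ip directed-broadcast\b"),
    ("3c TCP small services", r"^service tcp-small-servers\b"),
    ("3d UDP small services", r"^service udp-small-servers\b"),
    ("3f/3h web service on the device", r"^ip http (secure-)?server\b"),
    ("3h/12 Telnet allowed on a line", r"^transport input\b.*\b(telnet|all)\b"),
    ("7 default SNMP community", r"^snmp-server community (public|private)\b"),
]

# (policy item, regex): a finding is raised when no config line matches.
REQUIRED = [
    ("1 TACACS+ login authentication", r"^aaa authentication login\b.*\bgroup tacacs\+"),
    ("2 enable secret configured", r"^enable secret\b"),
    ("3e source routing disabled", r"^no ip source-route\b"),
    ("5a password-encryption", r"^service password-encryption\b"),
    ("5b NTP source", r"^ntp server\s+\S+"),
    ("11 login banner", r"^banner login\b"),
    ("12 SSH version 2", r"^ip ssh version 2\b"),
]


def audit(config_text):
    """Return (policy item, offending line or 'missing') for every violation."""
    # Sub-commands are indented in a running-config, so strip before matching;
    # anchoring at ^ keeps negated lines such as "no ip http server" from matching.
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for item, pattern in FORBIDDEN:
        findings += [(item, ln) for ln in lines if re.search(pattern, ln)]
    for item, pattern in REQUIRED:
        if not any(re.search(pattern, ln) for ln in lines):
            findings.append((item, "missing"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Items that depend on organisational context, such as the designated point of contact in item 10, cannot be read from a configuration file and are left out of the check.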

4-I: Server Policy


Unsecured and vulnerable servers continue to be a major entry point for malicious
threat actors. Consistent Server installation policies, ownership and configuration
management are all about doing the basics well. The purpose of this policy is to
establish standards for the base configuration of internal server equipment that is
owned and/or operated by . Effective implementation of this policy will minimize
unauthorized access to proprietary information and technology.
4.1 General Requirements
4.1.1 All internal servers deployed at must be owned by an operational group that
is responsible for system administration. Approved server configuration guides must
be established and maintained by each operational group, based on business needs
and approved by InfoSec. Operational groups should monitor configuration
compliance and implement an exception policy tailored to their environment. Each
operational group must establish a process for changing the configuration guides,
which includes review and approval by InfoSec. The following items must be met:
• Servers must be registered within the corporate enterprise management
system. At a minimum, the following information is required to positively
identify the point of contact:
o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable
• Information in the corporate enterprise management system must be kept
up-to-date.
• Configuration changes for production servers must follow the appropriate
change management procedures.
4.1.2 For security, compliance, and maintenance purposes, authorized personnel
may monitor and audit equipment, systems, processes, and network traffic per the
Audit Policy.
4.2 Configuration Requirements
4.2.1 Operating System configuration should be in accordance with approved
InfoSec guidelines.
4.2.2 Services and applications that will not be used must be
disabled where practical.
4.2.3 Access to services should be logged and/or protected through access-control
methods such as a web application firewall, if possible.
4.2.4 The most recent security patches must be installed on the system as soon as
practical, the only exception being when immediate application would interfere with
business requirements.
4.2.5 Trust relationships between systems are a security
risk, and their use should be avoided. Do not use a trust relationship when some
other method of communication is sufficient.
4.2.6 Always use standard security principles of least required access to perform a
function. Do not use root when a non-privileged account will do.
4.2.7 If a methodology for secure channel connection is available (i.e., technically
feasible), privileged access must be performed over secure channels, (e.g.,
encrypted network connections using SSH or IPSec).
4.2.8 Servers should be physically located in an access-controlled environment.
4.2.9 Servers are specifically prohibited from operating from uncontrolled cubicle
areas.
4.3 Monitoring
4.3.1 To monitor the network the programs Graylog and Splunk are being used.
4.3.2 All security-related events on critical or sensitive systems must be logged and
audit trails saved as follows:
• All security-related logs will be kept online for a minimum of 1 week.
• Daily incremental tape backups will be retained for at least 1 month.
• Weekly full tape backups of logs will be retained for at least 1 month.
• Monthly full backups will be retained for a minimum of 2 years.
4.3.3 Security-related events will be reported to InfoSec, who will review logs and
report incidents to IT management. Corrective measures will be prescribed as
needed. Security-related events include, but are not limited to:
• Port-scan attacks
• Evidence of unauthorized access to privileged accounts
• Anomalous occurrences that are not related to specific applications on the
host.

Section 5: Achieve Buy-in


This section outlines the reasons why these security measures should be
implemented by the company.

5-A: Cost
The implementation of these security measures is low cost. The monitoring can be
done with a FreeBSD virtual device on the network. The honey pots are simple to
set up and fill with fake information. Cisco switches come with the ability to create
Vlans.

Glossary
Vlan: Virtual Local Area Network, a broadcast domain that is partitioned and
isolated in a computer network at the data link layer.
DMZ: Demilitarized Zone, a physical or logical sub network that separates an
internal local area network from other untrusted networks such as the internet.
VPN: Virtual Private Network, a private network that extends across a public
network or internet.
Honey Pot: a computer security mechanism set to detect, deflect, and counteract
attempts at unauthorized use of information systems.
IDS: intrusion detection system, a device or software application that monitors
network or system activities for malicious activities or policy violation.
IPS: intrusion prevention system, a network security appliance that monitors
network or system activities for malicious activities.
