DANIEL HOWELL
[COMPANY NAME]
NTW275
Table of Contents
Summary
Section 1: Assets
1-A: Hosts
1-B: Servers
Figure 1: Servers
1-C: DMZ
Figure 2: DMZ
1-D: Remote Location
Figure 3: Remote Location
Section 2: Security Mechanisms
2-A: Vlans
Figure 4: Vlans
2-B: Honey Pots
Figure 4: Honey Pots
2-C: Checkpoint Firewall
Figure 5: Edge
2-D: Internal Firewalls
Figure 6: Monitoring
2-E: Internal Traffic Monitoring
Section 3: Security Risks
3-A: Wi-Fi
3-B: Remote Location
3-C: Employees
3-D: DMZ
Section 4: Security Policy
4-A: Access Policy
4-B: Accountability Policy
4-C: Authentication Policy
4-D: Privacy Policy
4-E: Security Policy
4-F: Security Response Policy
4-G: Remote Access Policy
4-H: Router and Switch Policy
Summary
This document is intended to explain the security measures that could be
implemented to protect the system. Section one of this document lists the
company's assets on the network. These assets include the hosts on the network,
the servers in the data center, the company's DMZ, and the remote sales location.
This section does not cover all aspects of the network, just the sections that are
considered assets to the company's operations.
Section two of this document covers the security mechanisms that could be put in
place to protect the network. The security mechanisms that are being proposed
include isolated Vlans, Honey Pots, firewalls, and IDS/IPS. The installation of these
measures is not covered in this document.
Section 3 of this document lists the security risks of the network. The risks of the
network include the company Wi-Fi, the remote sales location, the employees, and
the DMZ. The listed risks are considered the weakest points in the network.
Section 4 of this document outlines the security policies. These policies include
access to systems or data, accountability for the use of a workstation,
authentication of the user, privacy of data in the network, and security policies.
Section 5 of this document explains why these security measures should be
implemented in the network.
Section 1: Assets
This section outlines the assets of the ElectroMyCycle company network. This
section is only intended to explain what the assets are; the security for the assets is
covered in section 2 of this document. The assets include the hosts in the onsite
offices, the servers in the company data center, the company DMZ, and the remote
sales office. The following subsections cover each asset in detail.
1-A: Hosts
The onsite offices are able to support up to 200 employees. The 200 employees are
broken up into five different Vlans. The Vlans are outlined in section 2-A. The hosts
in the remote location are not covered in this section. The remote location is
covered in section 1-D. All of the company's daily operations are run from the hosts.
1-B: Servers
The company's servers are housed in a small data center. The servers contain
company records from all departments as well as customer information. The
backups are also stored in the data center. Figure 1 shows a diagram of the
company's data center. The security mechanisms in place for the data center are
covered in section 2 of this document.
Figure 1: Servers
1-C: DMZ
The company DMZ is comprised of three servers: the web server, DNS server, and
email server. The company also uses the DMZ to support online sales. The DMZ is
on the outside of the company's network. Figure 2 shows the DMZ that is used by the
company. The security of the DMZ is covered in section 2 and the risk of the DMZ is
covered in section 3 of this document.
Figure 2: DMZ
2-A: Vlans
The company's internal network has been divided into five Vlans. Figure 4 shows a
diagram of all the Vlans on the network. The company did not give a specific
number of employees who are working in each work group. Vlan 1 is set for the
management team's use in daily operations. Vlan 2 is set for the marketing
department. Vlan 3 is the information technology (IT) department. Vlan 4 is set for
the accounting department. Vlan 5 is the manufacturing facility. The security
policies for the use of and access to the company's systems are outlined in section
4 of this document. Vlans 3 and 5 are operated differently than the others.
Vlan 3 is the only one that has the protocols to access all other Vlans. This is so the
IT department can provide technical support when and where it is needed. This is
also the only Vlan with Wi-Fi access in the main facility. Due to this level of
access, the Vlan is closely monitored for any possible security breaches.
Vlan 5 is the company's state-of-the-art manufacturing facility. This Vlan is mostly
the machinery that is used to create the company's products. There are only a few
workstations that are used to monitor and operate the machinery.
Figure 4: Vlans
Figure 5: Edge
3-A: Wi-Fi
The network has two Wi-Fi connections. The first is located in the main facility;
however, it is only accessible by the IT department. Figure 4 shows a diagram with
the Wi-Fi connection on the IT department's Vlan. If a malicious hacker were able to
gain access to the Wi-Fi, they could start to spread across the whole network quickly.
This is due to the IT department Vlan privileges. Vlan 3 is the only Vlan that is able
to communicate with the other Vlans with relative ease. Refer to section 2-A for
details on the company Vlans.
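The Vlan rule from section 2-A (only Vlan 3 may reach the other Vlans) and the spread risk described in 3-A can both be checked against flow records from the internal traffic monitor. The following is an added example, not part of the original document; the 10.0.N.0/24 addressing, the fan-out threshold, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing (not from the document): one /24 per Vlan in section 2-A.
VLAN_SUBNETS = {n: ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(1, 6)}
IT_VLAN = 3       # per section 2-A, the only Vlan allowed to reach the others
FANOUT_LIMIT = 3  # assumed threshold: other Vlans one IT host may touch

def vlan_of(ip):
    """Return the Vlan number that owns ip, or None if outside all Vlans."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan
    return None

def audit_flows(flows):
    """Return sorted (kind, src_ip, detail) findings for (src, dst) records.
    VIOLATION: inter-Vlan traffic initiated from a Vlan other than IT.
    FANOUT: one IT host reached FANOUT_LIMIT or more other Vlans.
    """
    findings = set()
    reached = defaultdict(set)  # IT source host -> other Vlans contacted
    for src, dst in flows:
        s, d = vlan_of(src), vlan_of(dst)
        if s is None or d is None or s == d:
            continue  # intra-Vlan and non-Vlan traffic is out of scope here
        if s != IT_VLAN:
            findings.add(("VIOLATION", src, f"Vlan {s} -> Vlan {d}"))
        else:
            reached[src].add(d)
    for src, vlans in reached.items():
        if len(vlans) >= FANOUT_LIMIT:
            detail = "reached Vlans " + ",".join(map(str, sorted(vlans)))
            findings.add(("FANOUT", src, detail))
    return sorted(findings)

# Constructed sample flow records (source IP, destination IP).
SAMPLE_FLOWS = [
    ("10.0.3.10", "10.0.1.5"),  # IT support session to management: allowed
    ("10.0.2.7", "10.0.4.20"),  # marketing host reaching accounting
    ("10.0.3.77", "10.0.1.9"),  # one IT host touching four other Vlans
    ("10.0.3.77", "10.0.2.9"),
    ("10.0.3.77", "10.0.4.9"),
    ("10.0.3.77", "10.0.5.9"),
    ("10.0.4.3", "10.0.4.8"),   # traffic inside one Vlan
]
```

Calling `audit_flows(SAMPLE_FLOWS)` flags the marketing-to-accounting flow as a policy violation and the IT host that touched four Vlans as a fan-out worth reviewing, while the single IT support session produces no finding.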
3-C: Employees
The human element will always be the weakest link in security. To aid in the
prevention of human error in the network, refer to the security training policy in
section 4 of this document. With proper training the risk of employee error can be
managed easily.
3-D: DMZ
The company DMZ has a firewall on it; however, that does not make it completely
secure. The DMZ houses three servers that give hackers three different options to
attack. Refer to section 1-C for details on the DMZ. The DMZ can be compromised
by an attacker and used to attempt to gain access to the main network. They could
also exploit the servers in the DMZ, causing them to crash and costing the company
money in downtime.
authorization prior to accessing the data. Users are not able to download or install
new programs on the system.
5-A: Cost
The implementation of these security measures is low cost. The monitoring can be
done with a FreeBSD virtual device on the network. The honey pots are simple to
set up and fill with fake information. Cisco switches come with the ability to create
Vlans.
Glossary
Vlan: A Virtual Local Area Network is a broadcast domain that is partitioned and
isolated in a computer network at the data link layer.
DMZ: A Demilitarized Zone is a physical or logical subnetwork that separates an
internal local area network from other untrusted networks such as the internet.
VPN: A Virtual Private Network is a private network that extends across a public
network or internet.
Honey Pot: A computer security mechanism set to detect, deflect, and counteract
attempts at unauthorized use of information systems.
IDS: An intrusion detection system is a device or software application that monitors
network or system activities for malicious activities or policy violations.
IPS: An intrusion prevention system is a network security appliance that monitors
network or system activities for malicious activities.