Question


How would you secure computer networks if you could design the Internet?

What technologies would you deploy or develop to meet the need?

CMGT/442

Solutions

Expert Solution

Within a network, we can add security by installing and configuring devices that enforce the necessary measures and provide protective behavior in the network.

The most common hardware implemented to increase security in the network is the firewall, the IDS and the IPS. It should be noted that each network device (router / switch / hub) also has configurations that help increase security. Access control lists (ACLs) are a clear example: they allow us to program rules that deny or allow a specific service or device within the network traffic.

Firewall

It is a network device whose main function is to block all access to the network (incoming) and from it (outgoing) through configurations called "rules" or "policies". It works by checking all specified traffic and comparing it against allow-or-deny logic according to behavior criteria.

  • Restrictive: what is not explicitly allowed, will be denied.
  • Permissive: what is not explicitly denied, will be allowed.

A firewall is not only a network device; it can also be operating system software that fulfills the same function of allowing or denying. Wherever the firewall is installed, it acts as an intermediary for the network communications that we want to inspect or protect.

  1. Dual-Homed Firewall: the machine has two devices, which allow it to interact with both the public network and the private network.

  2. Multi-Homed Firewall: the machine has several devices, which allow it to interact with several different networks, giving the possibility of implementing different policies and rules for each one.

  3. Demilitarized Zone (DMZ): a demilitarized zone or perimeter network is a local network located between the internal network of an organization and an external network, usually the Internet.

  • One of the objectives of a DMZ is that connections from the internal network and from the external network to the DMZ are allowed.
  • The services to be published on a public network (Internet), such as email, Web and DNS servers, are generally placed in the DMZ.
  • Within the family of firewalls, we can also find services such as packet filtering, application layer (layer analysis) and stateful (memory of established sessions).


Intrusion Detection System (IDS)

Another element that helps us "census" the type of traffic we have on the network is the IDS (Intrusion Detection System). By analyzing each packet circulating within its range of coverage, it can detect anomalies or signatures, giving the possibility of programming rules based on what it detects in the network.

It also has a database of signatures: using the technique of "census" on packets, it compares them against the database and acts accordingly, respecting the parameters with which it is configured (sending alarms, emails, etc.).

It acts in 2 ways:

  1. NIDS: totally hardware-based; you buy it and physically install it at the place in your network where you want it to start to "census" the traffic in search of anomalies.
  2. HIDS: based on software; you simply acquire a license, as with any antivirus, or download it if it is source code, and install it. You can dedicate a complete machine to the IDS to optimize resources. Two examples of free and widely used software are Suricata and Snort.


Intrusion Prevention System (IPS)

And finally we have the IPS (Intrusion Prevention System), which, unlike the IDS, analyzes traffic in real time. It has one port for entry and another for exit, and its operating logic is to analyze incoming and outgoing traffic in real time. This must be controlled well because it can cause performance problems in the network: since each packet is analyzed, the network can become slow.

Potential threats

Threats to information security threaten its confidentiality, integrity and availability. There are threats related to human failure, malicious attacks or natural catastrophes. The materialization of a threat could lead to unauthorized access to, modification of or elimination of information, the interruption of a service or of the processing of a system, or physical damage to or theft of equipment and information storage media.

This situation produces the following:

  • Security holes in operating systems
  • Security holes in applications
  • Errors in system configurations
  • Users who lack basic information about computer security

Potential attackers collect information about the possible infrastructure of the computer network, which gives them more chance to succeed. The most common information they seek is:

  • Identification of the operating system: attacks differ greatly depending on the operating system that is installed on the computer.
  • Scanning of protocols, ports and services: services are the programs that the operating system itself loads to be able to work (printing service, automatic updates, etc.).

Basic attacks

There are thousands of techniques, methods and attacks that an attacker could use to illegally enter your network, but there are always a few that are used by the majority and for which you must be prepared. Let's see what they are:

  1. Denial of service (DoS/DDoS) attacks: they send billions of requests to a service on your network so that it collapses, causing a denial of service because it will no longer accept incoming requests.
  2. Attacks against authentication: if you do not put a limit on failed access attempts, an attacker will use brute force to try to guess a user of your network.
  3. Modification attacks and integrity damage: once inside your network, they can modify files and damage the integrity of your information.
  4. Attacks taking advantage of security deficiencies: if you do not update or protect your network well, the attacker could find "holes" to attack.

Build a secure network

Currently there are millions of attacks against network infrastructures occurring throughout the day. Deep down we know that there are no 100% secure computer systems, but we also know that we can reduce the chances of being attacked by designing a network infrastructure adapted to the best security practices in networks.

There are 3 key questions to ask, before designing a secure network:

  1. What to protect?
  2. How to protect?
  3. Where to protect?

When we talk about knowing what to protect, it is important to determine the most important assets of the network, which can be devices, services or even a certain type of traffic (encrypting internal traffic, to give an example). Protecting the main server where the business logic of the company resides is not the same as protecting the server where deploys are made to test new features of the application. We determine what to protect by doing a risk analysis of the network, which tells us the level of importance of each asset in the network.

Asset: any electronic device connected to the Internet.

A very common example: a client asked us to protect the local network (LAN) from any unauthorized traffic from the outside. We knew what to protect, and we designed and implemented a firewall between the ISP and the router that provides Wi-Fi to all devices that may have access.

What to protect is about having a clear objective of what you want to take care of or protect from attackers.

The how to protect means taking into account all the services offered by the firewall (ACLs, NAT, VPN) and making good use of them or of other security devices such as IDS or IPS.

  • ACL: a way to determine the appropriate access permissions to a certain object, depending on certain criteria of the process that makes the request. These operations could include reading, writing and execution on a destination; the criteria would be: origin of traffic, traffic destination and protocol used.

How does it work?
The firewall or router analyzes each packet against the corresponding ACL, comparing it line by line. If it finds a match, it takes the corresponding action (allow or deny) and no longer reviews the remaining lines. That's why you have to list the commands from the most specific cases to the most general ones.

Remember: the exceptions have to be before the general rule

The general rule: if no match is found in any of the lines, the traffic is automatically rejected; consider that there is an implicit "deny any" at the end of each ACL. There are many ways to create an ACL, depending on what type of technology is used: writing it or using options in the application that is running.

How to protect is to think about the technology or method that will be used in the solution for what needs to be protected.

The where to protect is the area where the firewall or security device will be implemented. Taking into account the services or devices to protect, its location is of great importance to what we need to protect.

Structuring a secure network

When we are in front of a network, the first thing that should be done is a survey of all the devices involved; then we can have an idea of whether we should modify the topology or leave it as it is. Equipment related to data protection should be positioned in a sector where access to that data meets the purpose we need. Is it useful to put a firewall behind a network? Do we leave it configured by default? Or, worse yet, is an important server freely accessible from the Internet to any intruder?

That is what structuring is about: protecting assets, confidential information, etc., in an efficient and safe way, taking into account the positioning of the security devices or systems that we have for protection.

1. Survey of the network, how many assets are there?
2. What to protect?
3. In what sector of the network are they located? Could they be elsewhere?
4. What do I have to protect them? (Budget, hardware and software)
5. Where do I protect them and where do I install the security system?
6. Is it okay what I did? Can there be other, safer options?
7. What happens if they attack and gain access to the network? Is there an incident or contingency plan?
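
The ACL behavior described in the answer above (line-by-line first match, exceptions before the general rule, the implicit "deny any", and the restrictive versus permissive default), as an added Python example that is not part of the original answer. The `Rule` fields, the function names and the sample addresses are constructed for illustration and do not model any particular vendor's ACL syntax.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR
    proto: str   # "tcp", "udp", "icmp" or "any"

def _net(cidr):
    return ipaddress.ip_network(cidr)

def evaluate(acl, src, dst, proto, default="deny"):
    """First match wins. Returns (action, line); line 0 means no rule matched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, r in enumerate(acl, start=1):
        if s in _net(r.src) and d in _net(r.dst) and r.proto in ("any", proto):
            return r.action, line
    return default, 0  # default="deny" is the implicit "deny any" (restrictive)

def shadowed(acl):
    """Lines that can never match because an earlier, broader line covers them."""
    hits = []
    for i, r in enumerate(acl):
        if any(_net(r.src).subnet_of(_net(e.src))
               and _net(r.dst).subnet_of(_net(e.dst))
               and e.proto in ("any", r.proto) for e in acl[:i]):
            hits.append(i + 1)
    return hits

# Constructed sample ACLs (private and documentation address ranges).
GOOD = [
    Rule("deny", "10.0.0.99/32", "192.0.2.10/32", "tcp"),  # exception first
    Rule("allow", "10.0.0.0/24", "192.0.2.10/32", "tcp"),  # general rule
]
BAD = list(reversed(GOOD))  # general rule first: the exception is never reached

if __name__ == "__main__":
    pkt = ("10.0.0.99", "192.0.2.10", "tcp")
    print("GOOD:", evaluate(GOOD, *pkt), "shadowed:", shadowed(GOOD))
    print("BAD: ", evaluate(BAD, *pkt), "shadowed:", shadowed(BAD))
    print("no match:", evaluate(GOOD, "10.0.0.5", "192.0.2.10", "udp"))
```

Running `shadowed()` over a rule set before deploying it is a cheap audit for the ordering mistake: any line it reports is an exception placed after the general rule that covers it.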

