Question

You have been hired as consultants to design and implement a widespread security initiative for a rapidly expanding global eCommerce corporation with two websites and locations in New York, Chicago, San Francisco, London, Paris and Johannesburg. Business is good! In the next three months, the corporation will be acquiring another company in a different line of business with plans to offer products for sale online.

Part of your role is to recommend the best way for integrating both environments. However, not much information is available about the IT setup for the company being acquired. The other company might even have a mix of different operating environments – it is unclear since the IT staff in that company is not very communicative.

Some critical staff members in the other company are not happy with the upcoming merger and have sworn to be as uncooperative as possible. In particular, the Network Manager for the other company is a difficult personality – plans have been afoot to fire him but unfortunately he is the only one who knows the network architecture completely and he is not willing to share. You must find out everything about the new environment and propose specifics on how to seamlessly integrate both environments.

In the initial conversation with executives of the global company, you realize that the company does not have a security policy. After much discussion, they have agreed that you should come up with a detailed security policy customized for the company.

In a follow-up meeting with the executives and IT staff of the global corporation, you are also assigned the task of identifying two (2) security audit tools (vulnerability/web scanners), two (2) intrusion detection systems and two (2) network firewall products that would be suitable for the global company. You are to test and describe the features of selected security solutions, indicating (a) which you prefer and (b) providing convincing rationale for why you prefer a specific solution in each category. In other words, you are to evaluate two products for each category and recommend one, giving the reasons for your choice.

Salient points: The new corporate acquisition will increase the total number of computers under your IT department’s care to about 60,000 computers and network devices. The exact number is not clear: even the management at the other company is not sure of the number of systems in that network because of the difficulty in finding out the specifics about the company being acquired.

From the little information that has been gleaned from the other company, it appears to run a mixture of a peer-to-peer network and the domain model. Part of the decision you would have to make would be how the integrated environments would be networked: you have been given the discretion to come up with the design and budget (subject to approval, of course) for the overall security initiative, covering (1) the security policy, (2) network audit to determine what devices and data are being protected, (3) seamless integration between the merging companies, (4) recommendation for IDS system(s), (5) recommendations for security audit tools (web/vulnerability scanners) and (6) recommendation for network firewall device(s).   

Deliverables:

The Security Policy Document (You can adapt an Acceptable Use Policy document from www.sans.org)

An eight-page paper in Microsoft Word double-spaced describing how you would go about implementing the overall security initiative for the company, including a budget. Breakdown:

1 page summary of your overall strategy

1 page of information security-related recommendations for integrating both corporate environments

1 page for the IDS

1 page for the web/vulnerability scanners

1 page for the network firewall device(s)

1 page of your overall conclusions demonstrating your grasp of information security best practices and current trends

1 page for budget  

1 page of references

Solutions

Expert Solution

Network devices we can use in the topology are:

Network Interface Card (NIC): Allows our PC to communicate with other PCs. It converts data transmission technology.

Bridge: To improve performance, networks are divided into smaller networks. A bridge is used to divide a large network into smaller networks.

Switch: Connects multiple computers together in a LAN segment.

Router: A device which forwards data packets from one logical network segment to another. A router forwards packets on the basis of their destination address.

Considering all the above network configuration and network devices, we can connect all users to company resources (e.g. printers, scanners, and other items), provide file sharing options, and manage these resources in a central location.

IP Infrastructure

The IP infrastructure represents a key boundary between a communications medium and the applications that are built upon this medium.

IP addresses are broken into different classes.

Class A IP addresses are used for huge networks, like those deployed by Internet Service Providers (ISPs).

Class B IP addresses are used for medium and large-sized networks in enterprises and organizations. They support up to 65,000 hosts on 16,000 individual networks.

Class C addresses are most common and used in small business and home networks. These support up to 256 hosts on each of 2 million networks.

Class D and E addresses are least used. Class D is not widely used and is reserved for special cases, largely for services and applications to stream audio and video to many subscribers at once. Class E addresses are reserved for research purposes by those responsible for Internet networking and IP address research, management, and development.

Here, for us, Class C IP addresses are good to use, as it is a small firm.

There are different types of IP addresses as below:

Static IP: If your IP address is static, it means that it will remain the same every time you connect.

Advantages of Static IP address:

  • Businesses are better suited for it than residences.
  • It's also better for dedicated services such as mail, FTP and VPN servers.

DHCP: Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.

Mixing Configurations

It's possible to mix static IP and DHCP addressing schemes.

Which is better and why?

DHCP provides true "plug and play" networking, but it can come at a cost.

Fully dynamic or mixed addressing configurations are just fine.

Firewalls/Switches: A firewall is placed at a position connecting an intranet to the internet, and it controls the traffic between these 2 networks based on rules/policies. It filters out and stops unwanted traffic. We can implement a packet filter architecture or an application-level gateway.

VPNs: A VPN allows running a secure, seemingly point-to-point connection between 2 networks, similar to a direct connection but actually using unsecure media (the internet) as the network connection. Using a VPN, a person outside of the company’s network can access the services/resources from the company’s network in a secure way. For security purposes, we can use the IPsec protocol. We can also implement a site-to-site VPN or a remote access VPN.

Authentication: Authentication is the unambiguous identification of the sender of information or of a communication peer. We can implement authentication by using a token system, biometry, encryption, etc.

Vulnerability assessment: For a successful attack, vulnerabilities should be there. To avoid these kinds of attacks, proper assessment of vulnerabilities should be done. Assessment must be done in terms of errors in design and specification, erroneous implementation of a correct specification, administration errors, etc.

Security Protocols: Network security protocols are a type of network protocol that ensures the security and integrity of data in transit over a network connection. Network security protocols define the processes and methodology to secure network data from any illegitimate attempt to review or extract the contents of data. There are cryptographic or encryption protocols which we can implement.

We can use the Ring Topology to fulfill all the requirements of our network configuration.

In this configuration, a ring is formed as each computer is connected to another computer, with the last one connected to the first. Each node has exactly 2 neighbors. Transmission can be made bidirectional. Data is transferred sequentially, bit by bit. Transmitted data has to pass through each node of the network. The advantage of using this topology is that the network is not affected by high traffic or by adding more nodes, as only nodes having tokens can transmit data. Installation cost is cheap.

In bigger conditions, IT offices may have a Test Active Directory Forest only to test things like Group Policy. Unless you're applying Group Policy to thousands or a huge number of PCs, that might be pointless excess for your association. This is what I normally do to test:

In my Active Directory (AD) association, I get a kick out of the chance to keep a "Test" Organizational Unit (OU) that emulates a common OU for a division. In that OU, I keep a similar sub-OU format, a couple test client records, and test PCs (typically virtual machines) where I can put any of my test Group Policy before I make it accessible to end clients.

Inside the Group Policy Management Console (GPMC), it is anything but difficult to make duplicates of Group Policy Objects (GPOs) by heading off to the Group Policy Objects holder in the Group Policy Management Console (GPMC), right-tap on the GPO, pick Copy, and after that right-click once more, and pick Paste. I normally make a duplicate of the first GPO and incorporate "TEST" in the name and connection it within my Test OU. This gives me an OU where I can roll out improvements to my approach without bringing about issues for existing clients or PCs.

When you test your new strategies, guarantee that you're likewise trying against PCs as well as clients that had the old approaches connected and that have been being used by genuine individuals. In a lab setup, working frameworks have this propensity for having neatly connected pictures that have never been utilized. Client accounts and the records and settings that record have entry to are flawless and haven't been redone or changed. Some client arrangements can be influenced by past settings in the client's profile. The greatest place where this happens is Folder Redirection. You'll need to ensure that the settings that you're changing take both new logons and existing logons into thought. A decent approach to do this is to have a few clients that can test your progressions when you're practically set them out to everybody.

Contingent upon the change you're making, you might not have any desire to move it out to each client or PC in the meantime. For significant changes, I generally jump at the chance to drop a couple client and additionally PC objects into the Test OU and permit those items to keep running for a couple days. Notwithstanding being a decent approach to test how the change functions in this present reality, it allows me to check whether anything will break or cause issues for end clients before the change is taken off to everybody. It is much simpler to manage a couple of troubled clients that are having issues than a considerable measure!

As an IT division, I exceptionally suggest "eating your own particular puppy nourishment." From a Group Policy point of view, that implies that you ought to have a similar GPOs connected to your everyday client record and PC that the greater part of alternate clients in the association are getting. It ought to likewise imply that new approaches ought to get connected to you first. The snappiest approach to perceive how a Group Policy change will affect end clients is to utilize it yourself consistently. How would you realize that a specific script makes logons moderate in the event that it doesn't make a difference to you consistently? How would you realize that the screensaver timeout is too low unless you're continually logging back in light of the fact that you have the setting, as well? How would you realize that handicapping certain settings hampers a client's capacity to work unless you need to manage a similar issue?

Thank you.
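As an added example (not part of the original answer), the Python sketch below sizes one address block per site for the roughly 60,000 devices in the question and keeps each block clear of ranges found in the acquired network, which is the addressing side of the network audit and integration tasks. The per-site device counts, the 10.0.0.0/8 parent block, the 25% growth headroom and the acquired ranges are constructed assumptions, since the page gives only the total.

```python
import ipaddress
import math

# Constructed inputs: the page gives only the ~60,000 total, not per-site counts.
SITE_DEVICES = {
    "New York": 18000, "London": 12000, "Chicago": 9000,
    "San Francisco": 9000, "Paris": 6000, "Johannesburg": 6000,
}
# Constructed stand-in for ranges found while auditing the acquired network.
ACQUIRED_RANGES = ["10.0.0.0/16", "192.168.0.0/16"]


def prefix_for_hosts(hosts, growth=1.25):
    """Longest IPv4 prefix whose usable addresses cover hosts plus headroom."""
    needed = math.ceil(hosts * growth) + 2  # + network and broadcast address
    return 32 - (needed - 1).bit_length()


def allocate(parent, site_devices, reserved=()):
    """Give each site one block from parent, largest site first, skipping
    anything that overlaps an already assigned or reserved network."""
    parent = ipaddress.ip_network(parent)
    taken = [ipaddress.ip_network(r) for r in reserved]
    plan = {}
    for site, hosts in sorted(site_devices.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        for cand in parent.subnets(new_prefix=plen):
            if not any(cand.overlaps(n) for n in taken):
                plan[site] = cand
                taken.append(cand)
                break
        else:
            raise ValueError(f"no free /{plen} left in {parent} for {site}")
    return plan


def find_overlaps(ours, theirs):
    """Network pairs from the two companies that collide if routed together."""
    ours = [ipaddress.ip_network(n) for n in ours]
    theirs = [ipaddress.ip_network(n) for n in theirs]
    return [(a, b) for a in ours for b in theirs if a.overlaps(b)]


if __name__ == "__main__":
    plan = allocate("10.0.0.0/8", SITE_DEVICES, reserved=ACQUIRED_RANGES)
    for site, net in plan.items():
        print(f"{site:14} {net}  ({net.num_addresses - 2} usable)")
    print(find_overlaps(plan.values(), ACQUIRED_RANGES))  # expect no collisions
```

Running `find_overlaps` against the ranges actually discovered during the audit, before any routes are joined, shows which subnets need renumbering or NAT at the boundary between the two companies.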

