In: Computer Science
In this project, you’ll create a security infrastructure design document for a fictional organization. The security services and tools you describe in the document must be able to meet the needs of the organization. Your work will be evaluated according to how well you met the organization’s requirements. About the organization: This fictional organization has a small, but growing, employee base, with 50 employees in one small office. The company is an online retailer of the world's finest artisanal, hand-crafted widgets. They've hired you on as a security consultant to help bring their operations into better shape. Organization requirements: As the security consultant, the company needs you to add security measures to the following systems: An external website permitting users to browse and purchase widgets An internal intranet website for employees to use Secure remote access for engineering employees Reasonable, basic firewall rules Wireless coverage in the office Reasonably secure configurations for laptops.
The following elements should be incorporated into your plan:
Authentication system
External website security
Internal website security
Remote access solution
Firewall and basic rules recommendations
Wireless security
VLAN configuration recommendations
Laptop security configuration
Application policy recommendations
Security and privacy policy recommendations
Intrusion detection or prevention for systems containing customer data
Step by Step security infrastructure design document for a fictional organization
1) Authentication system :
Authentication involves determining whether a user is, in fact, who he or she claims to be. Authentication can be conducted through the use of logon passwords, single sign-on (SSO) systems, biometrics, digital certificates and a public key infrastructure (PKI).
User authentication is critical to ensure proper authorization and access to systems and services, especially since data theft and information security threats are becoming more advanced. Although authentication cannot completely stop information and identity theft, we can make sure that our resources are protected throughout several authentication methods.
There are three factors of authentication to consider: something you know, such as a user ID and password; something you have, such as a smart card; and something you are, which refers to a physical characteristic, like a fingerprint that is verified using biometric technology. These factors can be used alone, or they can be combined to build a stronger authentication strategy in what is known as two-factor or multifactor authentication. This guide reviews the methods associated with all three authentication factors.
2) External website security :
Protect Your Company Website From Hackers. so we can follow below step
-Stay updated.
-Toughen up access control.
-Update everything.
-Tighten network security.
-Install a web application firewall.
-Install security applications.
-Hide admin pages.
-Limit file uploads.
-Use SSL.
-Remove form auto-fill.
-Back-up frequently.
3) Internal website security
We can follow below step to protect Internal website security
-Use HRMS security controls and firewalls
-Encrypt sensitive Web pages.
-Develop and coordinate policies with IT.
-Educate workers how to use the system correctly.
-Establish access controls and other physical controls.
-Establish manager controls.
4) Remote access solution
Remote Access Solution increases your organizations overall productivity by allowing users of different security profiles to access resources at any time, from any location with any device. Remote Access Solutions have typically evolved from client-to-site IPSEC VPN technology to a thin client based SSL VPN remote access solution supporting a plethora of endpoint devices. Next generation of Remote Access Solutions have strict integration with Identity Access Management involving Authentication, Authorization and Accountability, User Profiling, Endpoint Security and Malware protection.
Providing a secure and fully integrated Remote Access Solution should be the aim of your organization; whilst requirements from employees to access resources from corporate assets exist, employees may also want to access restricted resources from personal computers or kiosk machines. Such security risks of managed and unmanaged endpoints accessing resources need to be addressed pragmatically. As your organization develops strong partners and supplier relationships; you may well be tasked to provide a secure Remote Access Solution for extranet users or users that are considered semi-trusted. With such requirements, authentication and authorization play a key part, but the ability to create a full audit trail and monitor user activity also needs to be considered. Integrating Remote Access solution with Firewalls and IPS systems to provide Coordinated Threat Control based on the dynamics of the traffic is also changing the way how remote access solutions are viewed. Other challenges organization face that already have existing Remote Access Solutions are to validate existing security configuration, typically user access configurations are applied without changes being audited on a regular basis, users that may have left the organization may still have access to resources, remote access from users not being integrated into the organization overall log management solution. For that reason, we can provide Security Audits for Remote Access Solution including framework development, remote access workflow and guidance on improving the security posture of your remote access solution.
5) Firewall and basic rules recommendations
firewall configuration, it is important to consider potential security risks to avoid future issues. Security is a complex topic and can vary from case to case, but this article describes best practices for configuring perimeter firewall rules.
Block by default
Block all traffic by default and explicitly allow only specific traffic to known services. This strategy provides good control over the traffic and reduces the possibility of a breach because of service misconfiguration.
You achieve this behavior by configuring the last rule in an access control list to deny all traffic. You can do this explicitly or implicitly, depending on the platform.
Allow specific traffic
The rules that you use to define network access should be as specific as possible. This strategy is referred to as the principle of least privilege, and it forces control over network traffic. Specify as many parameters as possible in the rules.
A layer 4 firewall uses the following parameters for an access rule:
Source IP address (or range of IP addresses)
Destination IP address (or range of IP addresses)
Destination port (or range of ports)
Specify source IP addresses
If the service should be accessible to everyone on the Internet, then any source IP address is the correct option. In all other cases, you should specify the source address.
Specify the destination IP address
The destination IP address is the IP address of the server that runs the service to which you want to allow access. Always specify which server (or group of servers) can be accessed. Configuring a destination value of any is discouraged, because doing so could create future issues, such as a security breach or server compromise for a protocol that you might not intend to use on a server that might be accessible by default.
Specify the destination port
6) Managing Wireless Security :
Currently, about 150 million organizations worldwide use wireless technologies. The technology is implemented to
gain flexibility of infrastructure, reduce capital expenditure gain advantages over competitors and to solve business problems. In academic institutions such as universities,
wireless technology is widely used. Lecturers and students use wireless network to access information over the internet. Business people use the potential to increase production, generate more sales, as well as to interact with
the customers better. Wireless networks allow for more adaptable in office environment configurations (Negrino and Smith 26). Wireless networks have a number of components. One of the components is access points
which are the equivalent of a hub in a wired network. The access point is connected to a wired backbone through an Ethernet cable and communicates with the attached devices through an antenna. The unit uses the 802.11
standard modulated techniques (Potter and Fleck 9). In a normal configuration, the access point shows its presence to the wireless uses. The second component is NIC(Network Interface Cards) of the device.
Wireless networks provide an alternative, flexible network infrastructure in an organization as compared to wired networks.
WLAN is beneficial to many organizations worldwide since it provides for reduced capital investment and convenience in access to company information.
Wireless networks components include access points and NIC (Network Interface Cards).
7) VLAN configuration recommendations
In order to understand the purpose of VLANs, it's best to look at how Ethernet networks previously functioned. Prior to VLANs and VLAN-aware switches, Ethernet networks were connected using Ethernet hubs. A hub was nothing more than a multi-port repeater. When an end device sent information onto the Ethernet network toward a destination device, the hub retransmitted that information out all other ports as a network-wide broadcast.
The destination device would receive the information sent, but so would all other devices on the network. Those devices would simply ignore what the heard. And while this method worked in small environments, the architecture suffered greatly from scalability issues. Too much time was spent discarding received messages and waiting for a turn to transmit their own messages that Ethernet networks using hubs became congested.
While the forwarding table does a great deal to limit broadcast messages, and thus reduce the amount of broadcast overhead, it does not completely eliminate it. Broadcast messages are still required in many situations. And as such, the more devices on a physical network, the more broadcast messages are going to be clogging up the network.
8) Laptop security configuration :
-Select a strong password for all user accounts.
-Configure your screen saver to be password protected and to activate in 25 minutes or less.
-Configure your Power Options to prompt for password when computer resumes from standby.
-Do not store confidential information on your laptop's hard drive (or on removable media including flash drives) without the approval of the Chief Information Security Officer (see note below). This includes but is not limited to, proprietary business information relating to Temple University and personal confidential information related to other employees, students, applicants, retirees, alumni and social security numbers. Note: If you store sensitive information on your laptop that could cause financial or reputational damage to the University if the laptop is lost or stolen, please contact the Help Desk and request a consultation with the Office of Information Security. The Office of Information Security has laptop encryption software that can be ordered for your laptop to protect your data in the event of loss or theft.
-Request installation of Temple’s Symantec Endpoint Protection software by using the Request Help tab on the Information Technology Services home page.
-Use Temple's tuapps.temple.edu website when remotely accessing Temple University systems. To learn how, see the instruction page.
Note: If you connect to Temple's TUsecurewireless network from on-campus, you do not need to use VPN software.