A consulting firm hired you to improve the network security of a Hospital by adding extra services for defence against external attacks.
1. In order to protect classified encrypted data from disclosure and transmission outside of the Hospital network, you need to choose among the following: proper configuration of DMZ, use of strong encryption algorithms, safeguards over keys. State your selection and justify your choice.
2. You want to use a packet firewall to protect the Hospital network but you are hesitant to choose the right location among the following: putting it on the web server at DMZ, putting it along with the IDS server, putting it on the screened subnet with DMZ, or putting it on the domain boundary. Recommend the right answer with justification as to why or why not.
3. Which one of the following can be used to protect a network against unauthorised external connections: VLAN, strong authentication, or an access control list of trusted devices? Justify your answer.
1.
To protect the encrypted data from disclosure and transmission outside of the hospital network, we need to first configure the DMZ properly so that any insecure connection is mitigated when the data access request comes to the DMZ. Gateways in the DMZ will query the internal database on behalf of the external client, which acts as an extra layer of security. Apart from all of this, a hacker might still get access to the internal database and sensitive data, so strong encryption will be an added advantage over the DMZ.
2.
A packet firewall is a type of firewall which restricts or allows packets at the network layer. This means that the packet firewall will check the IP address before allowing or disallowing the packet inside the network. The packet firewall should be kept at a position outside of the network boundary, where it will initially filter all the unwanted packets before they move towards the network boundary. Installing the firewall on the web server will protect the web server only and will not block unauthorised traffic towards other services such as the file server, the email server, or other network devices such as switches and routers inside the network. A packet firewall can be put on the DMZ boundary containing the web server to isolate the web server and filter traffic towards the DMZ and the internal LAN.
Placing the firewall beside the DMZ:
Therefore the best position to place the firewall is on the domain boundary. A secondary firewall may be put beside the DMZ to protect against malicious access to the internal router or file server. This way, most of the attacks are mitigated at the DMZ and the external firewall only.
Therefore, the primary firewall can be put on the domain boundary and a secondary firewall, if required, can be put beside the DMZ for an extra layer of security.
3.
To protect the network against unauthorised access through external connections, the best option to consider is strong authentication. The actual motive and purpose of authentication is in itself to protect against any unauthorised access to the resources on the network. The primary purpose of a VLAN is to logically subdivide a network into virtual subnetworks so as to reduce the network traffic within the whole network architecture, and the same is the primary purpose of an access control list. They are mainly for reducing the overall network traffic.
An access control list determines restrictions on network port, network interface, IP address and other criteria like protocol to allow or disallow the relevant packets within a network boundary, but they can be exploited too, since a hacker may use a spoofed IP address or port numbers which are allowed on an access list to access the resources in the network boundary. The same can happen to a VLAN. Therefore strong authentication is the best alternative among all three.
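As an added example (not part of the question or the answer above), the following Python models the stateless packet-filter and access-list behaviour described in answers 2 and 3: each rule matches on source and destination network, protocol and destination port, the first matching rule wins, and anything unmatched is denied by default. The ruleset, the documentation-range addresses and the anti-spoofing entry are constructed for illustration and do not describe any real hospital network.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    proto: str                    # protocol name or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        # A packet filter decides on header fields only; nothing else is inspected.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Constructed ruleset for the primary (domain-boundary) packet filter.
BOUNDARY_ACL: List[Rule] = [
    # Anti-spoofing: traffic arriving from the Internet must not claim an internal source.
    Rule("deny",  "10.0.0.0/8",      "0.0.0.0/0",       "any"),
    # Public web server in the DMZ is reachable on HTTPS only.
    Rule("allow", "0.0.0.0/0",       "203.0.113.10/32", "tcp", 443),
    # A named partner network may reach the DMZ SFTP gateway.
    Rule("allow", "198.51.100.0/24", "203.0.113.20/32", "tcp", 22),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match means default deny (index None)."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    for pkt in (Packet("192.0.2.7", "203.0.113.10", "tcp", 443),   # allow
                Packet("192.0.2.7", "203.0.113.10", "tcp", 22),    # default deny
                Packet("10.20.0.5", "203.0.113.20", "tcp", 22),    # spoofed source, deny
                Packet("198.51.100.9", "203.0.113.20", "tcp", 22)):  # partner, allow
        print(pkt, "->", evaluate(BOUNDARY_ACL, pkt))
```

The third sample shows the limit the answer points out: the filter only sees the claimed source address, so the anti-spoofing rule stops addresses that cannot legitimately arrive from outside, but it cannot verify who actually sent a packet from an allowed range, which is why authentication is still needed behind it.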