As part of the network security team, we will be providing IDI with a network security plan to mitigate the vulnerabilities that have been discovered. A secured site will be set up with network intrusion detection and intrusion prevention systems, and those systems will be manageable only from the internal network. Policies will be presented for remote access and the use of VPN. This report also contains strategies for hardening the network and mitigating risks, and an updated network layout with the added security controls needed to meet IDI's current needs.
In the interest of business continuity, remote access will be utilized. Users wishing to reach internal network assets will only be able to do so from a company-issued laptop. Each remote access laptop will be loaded with the VPN client and its MAC address added to the allow list on the VPN gateway, and users will log in to the VPN with their local username and password. One caveat applies to this control: a MAC address is a layer 2 identifier that does not survive a routed path, so the VPN gateway never sees the remote laptop's MAC address in the packets it receives from the internet. The filter can only be applied to the interface address the VPN client reports during connection setup (a posture check), and because that value is trivially spoofed it is a weak device identifier. It should be treated as a supplement to, not a replacement for, a per-device certificate issued to each company laptop.
By making use of a VPN connection, users will be able to reach the network assets easily. The VPN will be an SSL/TLS VPN, so all traffic between the laptop and the gateway is encrypted in transit over the internet. Each remote access laptop will be encrypted with McAfee SafeBoot full-disk encryption, and all local data remains encrypted until a valid pre-boot login is entered. Because SafeBoot's pre-boot authentication is separate from the VPN credentials, someone who obtains a laptop must first defeat the disk encryption before the VPN client, and through it the IDI internal network, is even reachable. At present there is one web server that employees use to access both internal and external sites.
The network security team will be adding a second web server located within the internal network. This web server will be accessible only from within IDI's local area network. We will be using the layered security concept to protect IDI's internal servers. An intrusion detection system (IDS) will be set up to send alerts in the event of an intrusion and to log all connections. An intrusion prevention system (IPS) will be set up to block the intrusions the IDS detects, and it will make use of MAC address filtering to allow or deny connections based on the MAC (physical) address of each machine. Because MAC addresses are only visible on the local segment, these rules apply to hosts on the LAN itself, not to traffic that arrives through the router.
MAC address filtering will allow the servers to accept incoming traffic only from predetermined hosts. To further secure the local area network, the network security team will be implementing the principle of least privilege for all users. By giving each user only the permissions and privileges necessary to complete their job, we limit the damage from both malicious activity and accidents. The team's rationale for the endpoint software choice is that Microsoft's built-in security tooling is so widely deployed that its weaknesses are widely documented, which makes it easier for an attacker to plan around it.
Third-party antivirus/anti-malware and firewall software will therefore be used on all machines. The servers located within the network will be protected by a stateful firewall that monitors and filters all traffic on the network by tracking the state of each connection and admitting only packets that belong to an established flow or that policy explicitly permits. The public-facing servers that connect the internal web server to the customer website are contained within the demilitarized zone (DMZ). Because of the demilitarized zone's proximity to the wide area network, we will be taking a layered security approach there as well. There will be a stateful firewall located between the router and the demilitarized zone.
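To make the difference between a stateless packet filter and a stateful firewall concrete, here is an added Python model written for this report; it is not part of the IDI plan and not the code of any firewall product. The stateless tier approximates a classic access list with an "established" rule that trusts the ACK/RST flags, while the stateful tier keeps a connection table and admits inbound packets only for flows the inside initiated or that policy explicitly allows. All addresses, ports and the packet sequence are constructed for the demonstration (the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation prefixes).

```python
"""Added example: stateless ACL vs. stateful connection tracking.

Not part of the IDI plan; hosts, ports and packets below are constructed
for illustration only.
"""
from dataclasses import dataclass

# Constructed addresses (hypothetical).
DMZ_WEB = "203.0.113.10"        # public-facing web server in the DMZ
LAN_CLIENT = "10.0.0.25"        # workstation on the internal LAN
INTERNET_HOST = "198.51.100.7"  # an ordinary external host
ATTACKER = "198.51.100.99"      # external host sending forged packets
INSIDE_PREFIXES = ("10.", "203.0.113.")  # LAN and DMZ address space


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIXES)


def stateless_allow(pkt: Packet) -> bool:
    """Outer (ISP-facing) tier: each packet is judged on its own.

    Without a connection table the only way to let replies to outbound
    sessions back in is an "established" rule that trusts the ACK/RST
    flags, and an attacker can set those flags on a forged packet.
    """
    if is_inside(pkt.src):
        return True  # outbound traffic is permitted
    if pkt.dst == DMZ_WEB and pkt.dport == 443:
        return True  # new connections to the public web server
    if "ACK" in pkt.flags or "RST" in pkt.flags:
        return True  # presumed reply to an outbound session (spoofable)
    return False


class StatefulFirewall:
    """Inner tier between the router and the DMZ: tracks connections."""

    def __init__(self, allowed_inbound):
        self.allowed_inbound = set(allowed_inbound)  # (dst, dport) pairs
        self.table = set()  # 4-tuples of flows that were legitimately opened

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return True  # belongs to an established flow
        if is_inside(pkt.src) and "SYN" in pkt.flags:
            self.table.add(fwd)  # inside opened it: remember the flow
            return True
        if (pkt.dst, pkt.dport) in self.allowed_inbound and pkt.flags == frozenset({"SYN"}):
            self.table.add(fwd)  # policy-permitted new inbound connection
            return True
        return False  # unsolicited inbound packet, whatever its flags say


def run_demo():
    """Replays a constructed packet sequence through both tiers and returns
    {name: (stateless_decision, stateful_decision)}."""
    fw = StatefulFirewall(allowed_inbound={(DMZ_WEB, 443)})
    syn, ack, synack = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"SYN", "ACK"})
    sequence = {
        "client_to_web_syn": Packet(INTERNET_HOST, 40000, DMZ_WEB, 443, syn),
        "web_reply": Packet(DMZ_WEB, 443, INTERNET_HOST, 40000, synack),
        "lan_out_syn": Packet(LAN_CLIENT, 51000, INTERNET_HOST, 443, syn),
        "lan_reply": Packet(INTERNET_HOST, 443, LAN_CLIENT, 51000, synack),
        "forged_ack_to_lan": Packet(ATTACKER, 1337, LAN_CLIENT, 445, ack),
        "scan_lan_syn": Packet(ATTACKER, 1338, LAN_CLIENT, 445, syn),
    }
    return {name: (stateless_allow(p), fw.allow(p)) for name, p in sequence.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:20s} stateless={stateless!s:5s} stateful={stateful}")
```

The forged ACK packet aimed at an internal file-sharing port is the case that separates the two tiers: the stateless rule lets it through because the ACK flag looks like a reply, while the stateful tier drops it because no inside host ever opened that flow. That is the reason the plan places the stateful firewall behind the fast stateless one rather than relying on either alone.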
The stateful firewall between the router and the demilitarized zone protects the internal network at the LAN-to-WAN boundary by performing deep packet inspection and closely monitoring the LAN's inbound and outbound traffic. A stateless hardware firewall will sit between the internet service provider and the demilitarized zone. Because it evaluates each packet on its own without keeping a connection table, this device can handle larger volumes of inbound and outbound traffic, but it cannot distinguish a forged "established" packet from a genuine reply, which is why the stateful tier sits behind it. The demilitarized zone will also make use of both an IDS and an IPS to handle intrusions within this part of the network.

Current IDI Network Weaknesses/Vulnerabilities

- Logisuite 4.2.2 was installed 10 years ago and has not been upgraded; over 350 modifications have been made to it, and its license has expired.
- RouteSim, the destination delivery program, is used to simulate routes, costs and profits. It is not integrated with Logisuite or Oracle Financials, so it cannot use their databases for real-time currency valuation and profit/loss projections.
- IDI needs to standardize office automation hardware and software. There are currently about 600 workstations: 200 HP, 150 Toshiba, 175 IBM, 50 Dell, and the rest Apple PowerBooks with no CAD software available. Software ranges across various antique word processing packages that are incompatible with each other, so files become corrupt when transferred and opened by incompatible software.
- Policies exist that prohibit the introduction of personal devices, yet many executives have had administrators install clients on their unsupported, non-standard personal laptops, PCs and workstations, which connect to the internet with little or no protection.
- The WAN was designed by MCI in the early 2000s and has not been upgraded since; data rate increases in Asia and Brazil have stressed it. Between September and March (peak hours) capacity is insufficient, and customers are lost to dropped connections and abandoned shopping baskets, further reducing growth and revenue.
- Telecommunications: a limited Mitel SX-2000 private automatic branch exchange (PABX) that only provides voicemail and call forwarding.

Current IDI Strengths
Sao Paulo is presently the strongest link in the chain. The Sao Paulo, Brazil, site is the model of standardization, and all other sites will be modeled after it. The Sao Paulo office includes the following setup:

- 30 MS Windows servers for file and print
- 4 Linux (Unix) servers for major production applications
- 2 Linux (Unix) servers in the internet zone, with Juniper high-speed switches and routers
- A storage area network based on EMC CLARiiON
- SAP R/3 (ECC6, portal-based applications)
- Up-to-date security policies, although written in Spanish
- A telephone system provided by SP Telesis, one of the four competing providers in the metropolitan area
- An NEC NEAX 2400 Series PABX used for internal and external communications