Your duties as Insecure University's security administrator just got even more interesting, because the university is now sold on the fact that a proactive approach to security is its only option. They want a multi-layered security approach, but need you to provide a more granular snapshot of what a DID architecture means for them. You are asked to turn the DID diagram from last week into a slideshow/PowerPoint presentation and elaborate on each layer of security with regard to Insecure University.
What solutions will provide Insecure University with a DID architecture? Please go into depth on each layer (types of firewalls, what OS hardening consists of, the definition of strong authentication, user awareness activities, IDS or IPS, etc.; these are just examples to give you an idea of what I am looking for relative to each layer).
A computer network, if left unsecured, can suffer losses such as a violation of confidentiality, data manipulation or breakdown of systems, and this increases an organization's operating cost with regard to its ICT infrastructure; hence the need to make the network secure. A secure network requires a well-defined risk assessment plan in which the resources to be protected are first identified, together with the vulnerabilities attached to each of them, after which measures are put in place to counteract the identified vulnerabilities.
Use of the internet at times provides hackers with the opportunity to identify the vulnerabilities existing within a network and then plan to exploit them. Such a step can compromise the confidentiality of the information stored, result in unauthorized data manipulation and infect computers, which can lead to total system breakdown. This paper seeks to identify the information assets of the institution that are vulnerable to attack by hackers and then suggests measures which, if put in place, will prevent the threats from becoming reality.
To succeed in implementing a secure network, the four-step procedure described below would be useful.
There is a need to ensure that the software used by the network is guarded by strict policies and secure authentication for purposes of authorization.
Here, there will be continual monitoring of every event which takes place within the network. Use of proper tools can help reduce the risk of attack on the network. A firewall, if properly configured, can effectively serve as a defense for a network. A network firewall sets rules regarding the ports to be opened and the ones to remain closed.
There is a need to perform regular tests on the network to evaluate its defenses and security access by letting the network be attacked by a security testing tool or some trusted body.
After the three stages of attaining network security mentioned above, regular testing should be carried out on the network. For the network to remain safe, testing should be constant and action taken in areas that need improvement.
Some of the identified vulnerabilities existing within the institution are:
Wireless Access Points
These access points are inherently insecure, and legacy protocols like WEP have particular vulnerabilities that are easy to compromise using specific attack frameworks like Aircrack. Wireless attacks are also likely from wardrivers if they manage to find unsecured Wi-Fi networks.
It is recommended that the university introduce WPA2 Enterprise using RADIUS, together with access points able to perform authentication and enforce security measures. Strong passwords containing mixed characters should also be used, and the passwords should be changed periodically.
An employee could, for instance, borrow a laptop from a colleague and in the process compromise the network endpoints. Another employee might ask a co-worker for help gaining access to areas of the network that he does not really need to access.
User passwords ought to be changed regularly. Role-based authentication will be fundamental for every employee in the university, so that the different categories of employees gain access only to the resources they require to accomplish their daily tasks.
Students and staff in the institution are not restricted in the web pages they visit or the internet tools they use. As a result, many infections have occurred because some of these visits end up on malicious websites.
Use of a proxy will help in blocking malicious or useless websites that could be infected or redirect users to malicious websites. The proxy will protect the network from persons intentionally visiting bad sites.
The benefit of assigning a fixed IP address is that when you check your router logs, you will know which IP address is associated with a specific PC and/or user. With DHCP, the same PC could potentially have different IP addresses over a period of time as machines are turned on or off. By knowing what is on your network, you will know where problems are coming from when they arise.
Use of Dynamic Host Configuration Protocol (DHCP)
This scheme makes network administration simple in that any new computer added to the network is automatically assigned an IP address, but it has the disadvantage that attackers can also gain easy access to the network whenever they wish to exploit it. Again, a single PC might have different IP addresses at different times as machines are turned off and on.
The administrator should manually assign fixed IP addresses to the PCs in the network. If this is done correctly, he will be in a position to determine the specific user or PC associated with a given IP address and so be able to establish where problems are coming from.
Use of File Exchange Services
Many infections on the PCs within the institution could result from files downloaded from web pages or acquired through other file exchange tools. Files entering the network could be infected, and whenever an infected file gains access to a network, it can open back doors that trigger additional intrusions.
There is a need to use antivirus software meant for internet security, and the software should be updated regularly.
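The attribution problem described above, as an added example that is not part of the original paper: with dynamic leases the same address belongs to different machines at different times, so a router log entry can only be attributed by matching its timestamp against the lease history, whereas a fixed assignment table makes the lookup a plain dictionary read. Lease records, the router log and the static table below are all constructed sample data; the 4-hour lease time is an assumption.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease records (start time, IP, MAC, hostname). The address
# 10.0.0.50 is handed to two different machines on the same day.
LEASES = [
    ("2024-03-04 07:55", "10.0.0.50", "aa:bb:cc:00:00:01", "lab-pc-12"),
    ("2024-03-04 12:10", "10.0.0.50", "aa:bb:cc:00:00:02", "lib-laptop-3"),
    ("2024-03-04 08:30", "10.0.0.51", "aa:bb:cc:00:00:03", "admin-desk-2"),
]
LEASE_TIME = timedelta(hours=4)  # assumed lease duration

# Constructed router log entries (time, source IP, message).
ROUTER_LOG = [
    ("2024-03-04 09:12", "10.0.0.50", "blocked outbound tcp/445"),
    ("2024-03-04 14:02", "10.0.0.50", "blocked outbound tcp/445"),
    ("2024-03-04 14:05", "10.0.0.99", "blocked outbound tcp/445"),
]

# Constructed fixed-assignment table an administrator would maintain instead.
STATIC_MAP = {"10.0.0.50": "lab-pc-12", "10.0.0.51": "admin-desk-2"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def attribute_dynamic(ip, when, leases, lease_time=LEASE_TIME):
    """Return (hostname, mac) holding `ip` at time `when`: the most recent lease
    for that address that had started and not yet expired. None if no lease fits."""
    t = _ts(when)
    active = [(_ts(start), mac, host) for start, lip, mac, host in leases
              if lip == ip and _ts(start) <= t < _ts(start) + lease_time]
    if not active:
        return None
    _, mac, host = max(active)  # latest start wins if leases overlap
    return host, mac


def attribute_static(ip, static_map=STATIC_MAP):
    """With fixed addressing the lookup needs no timestamp at all."""
    return static_map.get(ip)


def attribute_router_log(router_log, leases):
    """Annotate each router log entry with the responsible host, or 'unknown'."""
    annotated = []
    for when, ip, msg in router_log:
        hit = attribute_dynamic(ip, when, leases)
        annotated.append((when, ip, hit[0] if hit else "unknown", msg))
    return annotated
```

Run against the sample data, the two events from 10.0.0.50 resolve to two different machines, and the address with no lease on record stays unknown; the same investigation against the static table is a single lookup.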
Solutions based on the internet protocols are:
Security Measures for HTTP
Use of S-HTTP, an extension of HTTP, provides a means to ensure that the exchange of files over the World Wide Web remains secure. Every S-HTTP file can contain a digital certificate, be encrypted, or both.
Security Measures for DNS
The attacks likely to face the Domain Name Service are DNS spoofing, DNS ID hacking and DNS cache poisoning.
Some of the measures that can help in preventing DNS attacks include:
Keep to a minimum the hosts permitted to query the servers. Do not have all the DNS servers on a single subnet, on the same leased line or behind a single router; this helps to avoid a single point of network failure.
To avoid spoofing, recursive queries should never be allowed.
Security Measures for FTP
Use of SSH's SFTP enables encryption of the whole login session, including password transmission. Any outsider will certainly find it difficult to observe or collect passwords from the network via SSH/SFTP.
Make use of an FTP server logon exit program to log the IP address and the username of all FTP logon attempts. Review the logs regularly, and where a profile gets disabled because the number of failed password attempts reached the maximum, establish who the perpetrator is using the IP address information, then take appropriate action.
Use an FTP server logon exit to restrict the client machines from which a user profile is permitted to access the FTP server.
With the FTP server logon exit program, system user profiles and other profiles that you specify can be prevented from ever accessing the FTP server.
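The log review and logon-exit policy described in the three points above, as an added example that is not part of the original paper: it parses logon records of the kind such an exit program would write (username, source IP, outcome), reports which profiles reached the failed-attempt maximum and from which addresses, and lists the logons an exit program with a per-profile client allow-list and a denied-profile list would have rejected. The log format, the lockout threshold of 3 and the profile names are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of FTP logon records (assumed one-line format, not real logs).
SAMPLE_LOG = """\
2024-03-04T09:15:02 user=jdoe ip=10.20.30.5 result=OK
2024-03-04T09:16:40 user=admin ip=198.51.100.23 result=FAIL
2024-03-04T09:16:44 user=admin ip=198.51.100.23 result=FAIL
2024-03-04T09:16:49 user=admin ip=198.51.100.23 result=FAIL
2024-03-04T09:17:01 user=svc_backup ip=10.20.30.77 result=OK
2024-03-04T09:18:12 user=jdoe ip=203.0.113.9 result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(OK|FAIL)$")


def parse_logons(text):
    """Turn raw log lines into (timestamp, user, ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append((ts, user, ip, result == "OK"))
    return events


def lockout_sources(events, max_attempts=3):
    """Profiles whose failed attempts reached the lockout maximum, mapped to the
    sorted list of source IPs those failures came from (the 'who' for follow-up)."""
    failures = Counter()
    sources = defaultdict(set)
    for _, user, ip, ok in events:
        if not ok:
            failures[user] += 1
            sources[user].add(ip)
    return {u: sorted(sources[u]) for u, n in failures.items() if n >= max_attempts}


def policy_violations(events, allowed_clients, denied_profiles):
    """Logons a logon exit program would reject: a denied (e.g. system) profile,
    or a profile connecting from a client not on its allow-list."""
    violations = []
    for ts, user, ip, _ in events:
        if user in denied_profiles:
            violations.append((ts, user, ip, "profile not allowed on FTP"))
        elif user in allowed_clients and ip not in allowed_clients[user]:
            violations.append((ts, user, ip, "client not permitted for profile"))
    return violations
```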
Security Measures for the Mail server
This can be achieved by the use of two firewalls. The dual-firewall topology provides a means of protecting the internal Exchange servers while filtering every incoming email for possible attacks. The region between the two firewalls is known as the perimeter network.
If the vulnerabilities in a network are identified in time and plans put in place so that attackers do not exploit such weaknesses, the institution is less likely to suffer losses resulting from network security breaches. In the long run this will help the university minimize the overall operating cost as far as the ICT infrastructure is concerned.