Network Hardening

There is nothing more important in any business than securing your network topology across hardware, design and software. This plan is called network hardening, and it needs to be incredibly detailed about how the network will be secured in each area. The first step of the network hardening plan is deciding how you will build the network, and from there how you will secure each section of it. This paper will discuss access control measures, encryption, PKI, certificates, OS hardening, application hardening, transmission, remote access protection protocols, wireless security, anti-virus software as well as spyware, and email security.

One of the first steps in securing a network is setting the access control measures for various network resources. Access control is fundamental to securing the network, as it is the first line of defense for all internal network access. This starts with a simple username that is used to identify a person who can access the network. The username is where all permissions to the network reside. The best way to control access is through an Active Directory structure in which a system administrator defines rules for network access. Active Directory is a program installed on a server that holds all usernames, passwords, permissions, and network access for the entire network. Here you can even set up an audit of what is happening on the server or in the different applications that are being run on the network. The place where any system administrator needs the most security is the Active Directory server(s). The reason is that Active Directory holds all permissions for the various users, and there must not be a backdoor for any hacker to get through to the Active Directory server. Otherwise the hacker will be able to destroy the network from the inside. Another access control is the password a user must put in as another step of authentication to gain access to the network.
The system administrator can use Active Directory to make a user change their password monthly or after a certain amount of time, and to make sure that the user uses a different password each time. Another strong method is making the user create a password that is at least six characters long with one capital letter, number and unique character. Most networks stop at this type of authentication, using just the username and password to control all permissions granted within the network. A best practice would be to audit each user's actions as they access what they can on the network, to keep a record of everything. There are also various access control models that can be implemented within a network, and the choice is up to the IT team to implement the model that they believe is best. I think that for a small to medium size business the best method would be the Rule based Access Control or RBAC. This model dynamically assigns roles to users based on a set of rules defined by the system admin, and it is used for managing user access to one or more systems on the network (Ciampa, 2012). Another way to harden the network is to give each user the least amount of access they need to the network to efficiently do their job. This method ensures that each user can work but at the same time is limited in their scope. The most effective way to manage least access and method of control is group policy in Active Directory. Group policies are an effective way to manage all users' permissions, as all a system administrator needs to do is give the user access to the group(s) needed. After the user is assigned to a group they can access whatever their group permissions are set to. This is more effective than individually assigning permissions to each user, as those could change constantly. The best way to give permissions is to set up a different group for each type of permission to give.
Another way to secure the network is to set up login times for each user with time-of-day restrictions. This setting limits when a user can log onto the network, thus giving another measure of control over the network. A good habit would also be to set up account expirations on each user to ensure that a user who is no longer with the company cannot log onto the network. Lastly, with access control you can use the Terminal Access Controller Access-Control System (TACACS) to authenticate user access to the network.

This section will discuss and define encryption, PKI and certificates. Encryption is the process of making data secure for file transfer. This gives a user the ability to encrypt their data and send it securely over the internet for someone to read. Once the recipient receives the encrypted message they will need to use a key or password to decrypt it. The encryption of data can protect the confidentiality of the information, can protect the integrity of the information, can help ensure the availability of the data, can verify authenticity of the sender and can enforce nonrepudiation (Ciampa, 2012). There are various types of encryption methods, such as the basic hash algorithms like your debit card PIN, message digest, secure hash algorithm, data encryption standard, and advanced encryption standard. I think the best encryption type is advanced encryption standard (AES) as it has not been hacked into as of yet. “AES is a symmetric cipher…that performs three steps on every block (128 bits) of plaintext. Within each round, bytes are substituted and rearranged, and then special multiplication is performed based on the new arrangement,” (Ciampa, 2012). This type of encryption is hard to support but it is necessary for secure information.

A PKI is a Public Key Infrastructure that is used over the internet to send and receive encrypted messages. The PKI gives you the ability to submit secure applications and transmissions via the internet.
This can be something simple like doing online banking. What is required is that the personal computer or organization must have a digital certificate that can be used. Then you must have a registration authority that verifies the certificate, which is then compared to a certificate management system. You have your own public key that all can see, but you also have a private key that only you can see, with the ability to decrypt messages. A great system to use is VeriSign to show that your website uses a secure certificate. A digital certificate is a way to verify a user's identity by using third party software like VeriSign. Also, digital certificates can be used to identify objects other than users, such as servers and applications (Ciampa, 2012). The best way to manage digital certificates is to use a server running Active Directory with a certificate authority, registration authority, and certificate revocation list. Another application to run on Active Directory is the certificate repository, which approves and rejects websites' certificates based on the rules. There are many malicious websites that want to destroy your network, and they can gain a foothold if your network accepts the malicious website's certificate. The certificate acts as an agreement between the network and any website to gain access to the website. There is a need to have Active Directory store all accepted certificates as well as giving a user the ability to request that a certificate be added. This way the network is more secure, since the user is unable to accept a certificate or go anywhere that is not allowed on the network. There are also multiple models of how to run certificates on a network. The best model to use is the bridge trust model, in which one certificate authority facilitates all other certificate authorities in giving access to a certificate. Another security measure is using key storage in the certificate authority hardware on the server.
The best way of handling key management is to use a key escrow. The key escrow is controlled by a third party who will split the private and public key in transmission, which will secure the data. The last part of certificates is transport encryption algorithms. There are four types of encryption: secure sockets layer (SSL), secure shell (SSH), hypertext transport protocol over secure sockets layer (HTTPS) and IP security (IPsec). “SSL Certificates are small data files that digitally bind a cryptographic key... When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser” ("Ssl certificates a," 2013). The new protocol is HTTPS, which makes for a more secure webpage to go to. IPsec gives an additional layer of security to the network, and if you can secure the network layer then other applications will be secure. IPsec also enables users to just use the internet freely without understanding how encryption works, since IPsec is installed on a firewall or router. Lastly, IPsec provides protection by authenticating packets, by encrypting the packets to secure confidentiality, and by handling key management to ensure that packets are not intercepted or used by unauthorized parties (Ciampa, 2012).

Operating System (OS) Hardening is the process of addressing security weaknesses in the operating system by implementing the latest OS patches and updates, and by following set procedures and policies to help reduce attacks. The best way to do this is to set up Active Directory to push out updates a month at a time, as there could be bugs in the current update that is being released. As mentioned earlier, you can lock down the OS by giving each user a limited amount of access to run or install an application.

Applications are by far the hardest to secure, as many applications are needed among users. Also, the applications need to talk to different ports on the internet.
The best ways to harden applications are to only allow approved applications, build your own applications for internal use, use firewalls to filter applications, and close access to any applications no longer in use.

The corporate world is demanding to work with complete mobility and flexibility. The way this can be accomplished is by using a virtual private network or VPN. A VPN uses your local internet connection and makes your connection secure as if you were in the office. This gives you the ability to work anywhere with an internet connection, with access to the secure network on your PC. All a user has to do is download or set up a VPN connection or client to then access the VPN. The need for a VPN arises from users using their Wi-Fi to work abroad.

Now, not all PCs are connected by LAN lines, so we must secure our Wi-Fi with the same security as the LAN network. There are various ways to secure your wireless router by setting up different protocols to keep your WAN secure. There are two main standards that come on each router that should be activated at all times. The first standard is Wi-Fi protected access (WPA), which uses an encryption called temporal key integrity protocol (TKIP). TKIP uses a 128-bit key and dynamically generates a new key for each packet (Ciampa, 2012). The second standard is Wi-Fi protected access 2 (WPA2), which is just an upgraded version of WPA. WPA2 uses a strong 128-bit encryption called AES-CCMP, which provides the highest level of security. I believe that all wireless routers should have AES enabled as it will provide the greatest level of security for all transmissions. Another form of wireless security is extensible authentication protocol (EAP), which uses four types of packets to secure the transmission of data. Not only do you have to protect the wireless router with its software, but you must also protect it from others accessing it.
While setting up the wireless network, technicians need to be aware of the range of the router and where the router is placed. All wireless routers should keep their range inside the office so that a person in their car cannot access the network or try to hack into it. Also, routers should be out of people's reach so that they cannot connect an Ethernet cable to the router. Another thing is to disable the router's broadcast signal so that others cannot access the router. The last way to secure the wireless network is to create wireless virtual LANs (VLANs). The goal with VLANs is to group users into separate VLANs so that their traffic will stay within the VLAN. Once the VLAN is set up, the network can take advantage of various benefits. One benefit is broadcast control, as it will broadcast as a switch and only forward traffic out of a specified port. They also provide security as users can be on the same physical network and anyone who is outside of that VLAN can communicate with them. VLANs are logical groups that behave like separate entities; inter-VLAN communication can only be achieved through a router. When inter-VLAN communication uses a router, all the security and filtering functionality that the router provides can be used. The best plan would be to implement a VLAN in the network to provide additional security on all wireless transmissions.

When you think of protecting your network, the first thing after a firewall that should come to mind is your anti-virus program. An anti-virus program can prevent malicious software from gaining access to your network and workstations. There are multiple vendors that provide anti-virus software, and they try to keep their software up to date. A major downfall of any anti-virus program is that the developers need to be searching for new viruses every second and they must be ready to put out a patch for zero-day attacks.
All anti-virus programs should be configured to constantly scan the network for any intrusion. Also, they should be set to automatically update with all new security patches for the new viruses that have been deployed. Lastly, the anti-virus needs to scan the network's hard drives and PC hard drives on a regular basis. This scan should be conducted when the network is being used the least. Most anti-virus programs come with anti-spyware that protects computers from spyware. The anti-spyware should be running constantly to protect your network from malware. Infection can happen when someone clicks on a site and a pop-up causes malware to latch onto the computer, or when a user downloads a new toolbar. The anti-spyware should prevent all pop-ups from being executed.

The last topic is email security. There is not one day that goes by that someone is not using their email via their desktop, laptop, tablet, or phone. The first line of defense is the firewall that accepts or rejects incoming traffic and emails. The firewall, with the aid of the anti-virus, should protect you from getting emails infected with a virus or malware. Another great piece of software to have on your email server is anti-spam software. Spam is email sent by a spammer trying to get your information by making you think you are purchasing something. One of the most effective ways to cut down on spam is to configure the spam filter on the local PC. This technique can make email addresses go to the whitelist (approved email addresses) or to the blacklist (not approved email addresses). This provides protection to you by blacklisting all emails from those outside your network domain. Then any email sent to you from outside your network domain will automatically be sent to your spam folder, since it is not on your whitelist. This is how the anti-spam software protects you: by moving all suspicious emails into a safe location so that you will not accidentally open the email or the email's attachments.
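
The whitelist/blacklist rule described above, as an added example (not code from the essay or from any mail product). The domain `corp.example`, the list entries and the function names are constructed for illustration; the block also shows why the domain comparison has to be exact rather than a substring test.

```python
from email.utils import parseaddr

# Constructed policy values for illustration; none of them come from the essay.
INTERNAL_DOMAIN = "corp.example"
WHITELIST = {"billing@supplier.example"}   # approved external senders
BLACKLIST = {"promo@deals.example"}        # explicitly rejected senders


def sender_address(from_header):
    """Return the lowercased address from a From header, or '' if unusable."""
    _display_name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    local, sep, domain = addr.partition("@")
    # Require exactly one '@' with text on both sides.
    if not sep or not local or not domain or "@" in domain:
        return ""
    return addr


def naive_is_internal(from_header):
    """Weak check: the internal domain appears anywhere in the header."""
    return INTERNAL_DOMAIN in from_header.lower()


def classify(from_header):
    """Return 'inbox' or 'spam' for the claimed sender of a message.

    The From header is written by the sender, so this sorts mail by the
    claimed address only; it does not authenticate that address.
    """
    addr = sender_address(from_header)
    if not addr or addr in BLACKLIST:
        return "spam"
    if addr in WHITELIST:
        return "inbox"
    # Exact comparison of the whole domain part, not a substring test.
    if addr.rpartition("@")[2] == INTERNAL_DOMAIN:
        return "inbox"
    return "spam"


# Constructed sample From headers.
SAMPLES = [
    "Alice <alice@corp.example>",                         # internal sender
    "Billing <BILLING@Supplier.Example>",                 # whitelisted, mixed case
    "promo@deals.example",                                # blacklisted
    "IT Support <it-support@corp.example.mail.example>",  # look-alike domain
    '"ceo@corp.example" <someone@other.example>',         # domain only in display name
]


def run_samples():
    """Classify every sample and return (header, folder) pairs."""
    return [(header, classify(header)) for header in SAMPLES]


if __name__ == "__main__":
    for header, folder in run_samples():
        print(f"{folder:5}  {header}")
```

The last two samples pass `naive_is_internal` but are sent to spam by `classify`, because only the parsed address's full domain is compared.
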
The best way to secure any network is to have a combination of hardware and software protection. The main things to think about as a security administrator are firewalls, VLANs, Wi-Fi protection, being on guard against all viruses or malware, and whether there is any way someone can penetrate the network's defenses. This paper has reinforced all that I have learned this term and helped me to realize that securing a network is to know that I am in a constant warzone.

Works Cited
Ciampa, M. (2012). Security guide to network security fundamentals. (4th ed.). Boston: Course Technology, Cengage Learning.
eweek. (2002, March 25). Application hardening checklist. Retrieved from http://www.eweek.com/c/a/Application-Development/Application-Hardening-Checklist/
Graesser, D. (2001, July 25). Sans institute infosec reading room. Retrieved from http://www.sans.org/reading_room/whitepapers/firewalls/cisco-router-hardening-step-by-step_794
Rous, M. (2006, October). Pki (public key infrastructure). Retrieved from http://searchsecurity.techtarget.com/definition/PKI
Ssl certificates a brief explanation. (2013). Retrieved from https://www.globalsign.com/ssl-information-center/what-is-an-ssl-certificate.html
