the overall security with more advanced networking devices to provide new security features such as VLANs, access lists, and secure protocols.
To protect the application servers from the internet, the most common untrusted network, the proposal recommends installing a firewall between the internal network and the external router. The firewall would be a Cisco Adaptive Security Appliance (ASA): "the ASA is not just a pure hardware firewall. In brief, the Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network." [1]
In addition to the solutions proposed above, the ASA also provides Secure Sockets Layer (SSL) and IPsec VPN services, both of which are vital for encrypting traffic destined for the internet. As discussed in the project scenario, one of the accounting firm's requirements was to host its website internally. The best option for this is to configure a demilitarized zone (DMZ), which adds another layer of security to the firm's local area network: since the website must be reachable by public users, it should be placed in the DMZ, where internet traffic to it can be allowed without exposing the internal LAN. To back up the company's vital information, the proposal suggests Network-Attached Storage (NAS), a cloud model known as an internal storage cloud. Since the accounting firm is a small business, NAS would be very beneficial: it is easy to operate, which also lowers costs because the firm needs only one IT professional. NAS provides reliable backup and restore capability, and backups can be sent off-site over a virtual private network (VPN) across a wide area network (WAN).
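The three-zone firewall design described above (trusted inside, a DMZ for the public web server, and the untrusted outside), written out as a Cisco ASA configuration. This is an added illustration, not configuration from the proposal or from Cisco documentation; every interface name, object name and address is an assumption, with public addresses taken from the 203.0.113.0/24 documentation range.

```cisco
! Added example: Cisco ASA with inside, DMZ and outside zones (not part of the proposal).
! Interface names, object names and addresses are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Default route towards the external router
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! The internal LAN leaves through the firewall's own public address (PAT)
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! The firm's web server sits in the DMZ and is published on one public address (static NAT)
object network WEB-SERVER
 host 192.168.20.10
 nat (dmz,outside) static 203.0.113.10
!
! From the internet, only HTTP and HTTPS to the web server are allowed; everything else
! is denied and logged. ASA access lists reference the server's real (DMZ) address.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! The DMZ must not initiate connections into the internal LAN, so a compromised web
! server stays contained; it may still reach the internet (for example for updates).
access-list DMZ-IN extended deny ip any 192.168.10.0 255.255.255.0 log
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz
```

The security levels alone already let inside hosts reach the DMZ and block the reverse direction by default; the explicit DMZ-IN list makes that containment visible in the configuration and logs any attempt, which is what the IDS analyst mentioned later in the proposal would want to see.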
Since the proposal includes a router, security best practices must be applied to the Cisco Discovery Protocol (CDP), which operates at the data link layer and advertises critical information such as the device's IP address and OS version to its neighbours. For this reason unused services such as CDP must be disabled, and the firewall must be implemented to protect the network from attackers.
Another important security feature of routers and switches is the extended access control list (ACL), a set of rules that must be implemented to control and filter network traffic coming from untrusted networks. "You can use access lists to restrict contents of routing updates or to provide traffic flow control. One of the most important reasons to configure access lists is to provide security for your network." [2] For the layer 2 switching device, which has several ports, the proposal is to shut down all unused ports and to restrict the remaining ports by MAC address so that no unauthorised access point (AP) can be connected. The proposed Gliffy network diagram also depicts an Intrusion Detection System (IDS). "An IDS is a special network device that can detect attacks and suspicious activities." [4] An IDS only detects threats; it does not take any action to stop an attack. It will be the responsibility of the accounting firm's analyst to monitor the IDS logs and interpret them correctly, distinguishing false alarms from real attacks.
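The router and switch hardening measures from the two paragraphs above (disabling CDP and other unused services, an extended access list on the untrusted interface, shutting unused switch ports and tying the used ones to a MAC address), written out in Cisco IOS syntax. This is an added illustration and not configuration from the proposal; interface numbers, the parking VLAN, the domain name and all addresses are assumptions. The access list shown is an ingress anti-spoofing filter on the internet-facing interface, one common use of an extended ACL on a border router.

```cisco
! Added example: hardening the external router and the access switch (not part of the proposal).
! Interface numbers, VLAN numbers, domain name and addresses are assumptions.

! ---------- External router (Cisco IOS) ----------
! CDP off globally; re-enable per interface only where a trusted neighbour needs it.
no cdp run
! Services that leak information or expose management interfaces
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
service password-encryption
!
! Management only over SSH (the RSA key is generated once in privileged EXEC with
! "crypto key generate rsa modulus 2048")
ip domain-name firm.example
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
!
! Ingress anti-spoofing filter: traffic arriving from the internet must not claim a
! private or internal source address, nor the firm's own public prefix
ip access-list extended WAN-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description WAN uplink to the ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group WAN-IN in
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description Link to the firewall outside interface
 ip address 203.0.113.1 255.255.255.0
!
! ---------- Access switch (Cisco IOS) ----------
! Unused ports: shut down and parked in an unused VLAN so a patched-in device gets nothing
interface range GigabitEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Ports in use: allow a single learned MAC address and shut the port on violation, so a
! rogue access point or hub cannot be attached behind a legitimate host
interface range GigabitEthernet0/1 - 19
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
```

A port that has been shut down by a security violation stays in the err-disabled state until an administrator clears it, so these events surface in the switch logs and give the firm's analyst a concrete signal that something unexpected was plugged in.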
The wireless portion of the network must be on a different subnet (sub-network), because wireless clients are not always trusted. Segmenting the wireless network from the wired network is not only a trust issue, though: wireless networks suffer from many attacks, such as denial of service caused by interference. The access point that provides wireless access will be connected to a wired switch, and the separation of the wireless network is proposed to be done with virtual LANs (VLANs). VLANs split the network into two logical networks operating on the same physical infrastructure. This separation enhances the network's security, as the main network will be inaccessible to customers and will not be affected if the wireless network is facing issues. The AP must use the Wi-Fi Protected Access 2 (WPA2) security protocol, which uses the Advanced Encryption Standard (AES) and is far more secure than WEP.
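The VLAN separation described in this paragraph, written out for a Cisco IOS layer 3 switch: the access point sits on an access port in its own wireless VLAN, the switch routes between the two VLANs, and an access list on the wireless VLAN interface keeps wireless clients away from the wired LAN while still letting them obtain an address, resolve names and reach the internet. This is an added illustration, not configuration from the proposal; VLAN numbers, interfaces and addresses are assumptions, and 192.168.10.1 is assumed to be the firewall's inside address (which would also need a route back to 192.168.30.0/24 via the switch).

```cisco
! Added example: separating wireless clients with a VLAN on the wired switch (not part of the proposal).
! VLAN numbers, interfaces and addresses are assumptions; 192.168.10.1 is the assumed firewall
! inside address and 192.168.10.53 an assumed internal DNS server.
vlan 10
 name WIRED-LAN
vlan 30
 name WIRELESS
!
! The access point hangs off an access port that carries only the wireless VLAN
interface GigabitEthernet0/5
 description Wireless access point
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Wired workstations stay in VLAN 10
interface range GigabitEthernet0/6 - 19
 switchport mode access
 switchport access vlan 10
!
! Uplink to the firewall, also in the wired VLAN
interface GigabitEthernet0/1
 description Uplink to firewall inside interface
 switchport mode access
 switchport access vlan 10
!
! The switch routes between the two VLANs and hands internet-bound traffic to the firewall
ip routing
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group WIRELESS-IN in
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
! Addresses for wireless clients are handed out by the switch itself
ip dhcp excluded-address 192.168.30.1
ip dhcp pool WIRELESS
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 192.168.10.53
!
! Wireless clients may use DHCP, may query the internal DNS server, and may reach the
! internet; any other attempt to reach the wired LAN is dropped and logged. Order matters:
! the DNS exception must come before the deny that covers the whole wired subnet.
ip access-list extended WIRELESS-IN
 permit udp any any eq bootps
 permit udp any host 192.168.10.53 eq domain
 deny   ip any 192.168.10.0 0.0.0.255 log
 permit ip any any
```

Because the filter is applied inbound on the wireless VLAN interface, a wired host can still reach a wireless device if the firm ever needs to (for example to manage the access point), while traffic originating on the wireless side is confined to the exceptions listed.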
The final recommendations, concerning BYOD, are network policies to be applied in order to protect the network. Such policies include: not browsing certain websites while using the firm's network; not using personal devices to store or transmit information belonging to the company, or to engage in outside business activities; not installing applications downloaded from untrusted sources; and not storing passwords or other sensitive information on the device. The devices must use encryption, be password protected, lock themselves automatically, and support remote wiping if a device is lost or the employee's employment is terminated. The last recommendation concerns email access (through a browser or Outlook). It is strongly recommended to use encryption such as a Secure Sockets Layer (SSL) VPN, which operates at the application layer. With this technology, the communication between the user's device and the mail server (whether webmail or Outlook) is encrypted and protected from eavesdropping and man-in-the-middle attacks.