The process of implementing security frequently opens one’s eyes to other forms of security

at
Categories
Tags

 

 

The process of implementing security frequently opens one’s eyes to other forms of security not previously considered. In this two-part assignment, you should experience just that. This assignment focuses on a model of implementing security in layers, which, in many cases, requires a network that is designed accordingly.

Recommend best security practices to achieve business objectives based on risk assumptions.
Instructions
Design a network that incorporates the following:

One corporate site (Chicago).
All servers exist here (web server, file server, print server, mail server, FTP server).
Connection to the Internet (50 MBps).
300 employees who only need access to local corporate resources and the Internet.
One remote site (8 miles away).
20 employees who need access to all resources at corporate, plus the Internet.
Connection to the Internet (3 MBps).
Part 1
Use Microsoft Visio or an open-source alternative, such as Dia Diagram Editor, to:

Create a network diagram with defense in depth in mind, citing specific, credible sources that support the design and depicting at least four-fifths of the following:
All necessary network devices (routers, switches and/or hubs, firewalls, VPNs, proxies, and others).
The interconnections between network devices.
Connections to end-user (client) devices (desktops, laptops).
Connections from the Internet cloud to the network input.
Part 2
Write a 6 page paper in which you:

Describe the flow of data through the network, citing specific, credible sources.
Assume data begins at the remote site.
Data flow may be monitored by an IDS.
Explain all three elements of the CIA triad and how isolating by network functions helps deliver a layered approach, citing specific, credible sources that support your assertions and conclusions.

Sample Solution

As an AI, I cannot directly create a Microsoft Visio diagram or a Dia Diagram. However, I can provide a detailed textual description of the network design with defense-in-depth principles, recommend best security practices based on risk assumptions, and outline the content for your 6-page paper, including the data flow description and the explanation of the CIA triad in a layered security context.

 

Part 1: Network Diagram Design (Textual Description)

 

Goal: Design a network for a corporate site in Chicago and a remote site 8 miles away, incorporating defense-in-depth principles to achieve business objectives based on risk assumptions.

Risk Assumptions & Business Objectives:

  • Risk Assumption: External threats (malware, DoS, unauthorized access) are a constant danger from the internet.
  • Risk Assumption: Internal threats (insider misuse, accidental data leakage) are also significant.
  • Risk Assumption: Data integrity and availability are crucial for business operations.
  • Business Objective: Ensure secure and reliable access to corporate resources for all employees.
  • Business Objective: Protect sensitive corporate data on servers.
  • Business Objective: Maintain business continuity and minimize downtime.

Defense-in-Depth Strategy: Employing multiple layers of security controls to protect critical assets. If one layer fails, another layer is in place to provide protection.

Network Components and Interconnections:

I. Corporate Site (Chicago) – Main Data Center & User Access

  • Internet Connection:
    • Main Router (Edge Router): Connects the corporate network to the Internet Service Provider (ISP). Configured with Access Control Lists (ACLs) for basic traffic filtering.
    • Perimeter Firewall (Firewall 1 – Stateful Packet Inspection/Next-Gen Firewall): Sits directly behind the edge router. This is the first critical line of defense. It inspects all incoming and outgoing traffic, enforces security policies, and performs deep packet inspection. It should have Intrusion Prevention System (IPS) capabilities.
    • DMZ (Demilitarized Zone) – First Layer:
      • DMZ Firewall (Firewall 2 – Internal DMZ Firewall): A dedicated firewall separating the DMZ from the internal corporate network. This provides an additional layer of isolation for publicly accessible servers.
      • Web Server: Sits in the DMZ. Only ports 80 (HTTP) and 443 (HTTPS) are open to the internet through Firewall 1.
      • FTP Server: If public access is required, it sits in the DMZ with limited port access (e.g., 21/20 for FTP or preferably SFTP/FTPS ports like 22/990). If only internal FTP is needed, it moves to the internal server VLAN.
      • Proxy Server (Forward Proxy): Sits in the DMZ. All outbound internet traffic from corporate users is routed through this proxy for URL filtering, content inspection, and caching. This adds a layer of protection against malicious websites and allows for web usage monitoring.
      • Reverse Proxy (Application Gateway): Sits in the DMZ, in front of the Web Server. It intercepts incoming web requests, inspects them for threats, and forwards legitimate requests to the internal web server, hiding the internal server’s IP address.
    • Internal Network (LAN):
      • Core Switch (Layer 3 Switch): High-capacity switch connecting various internal VLANs. Provides inter-VLAN routing.
      • Internal Firewalls (Firewall 3 & 4 – Internal Segmentation Firewalls):
        • Server Farm Firewall (Firewall 3): Dedicated firewall protecting the internal server farm VLAN from the rest of the corporate LAN. Only necessary ports are open between user VLANs and server VLANs.
        • User Segment Firewall (Firewall 4): Optional but highly recommended for large organizations to segment different departments or sensitive user groups.
      • Server Farm VLAN:
        • File Server: Access controlled via Active Directory (AD) and file permissions.
        • Print Server: Manages print queues.
        • Mail Server: Handles corporate email.
        • Active Directory Domain Controllers: For authentication and authorization.
        • DNS Servers (Internal): For internal name resolution.
        • Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) Sensors: Strategically placed to monitor traffic within the server farm VLAN and between VLANs.
        • SIEM (Security Information and Event Management) System: Collects logs from all network devices and servers for centralized monitoring and analysis.
      • User VLANs (e.g., Employee VLAN, Guest VLAN):
        • Access Switches (Layer 2 Switches): Connect end-user devices (desktops, laptops) to the network. Configured with port security.
        • Wireless Access Points (WAPs): For Wi-Fi access, segregated into secure employee and guest SSIDs (separate VLANs).
      • VPN Concentrator/Gateway: Sits behind the Perimeter Firewall, accessible from the internet but protected. This allows remote users and the remote site to establish secure encrypted tunnels (IPsec/SSL VPN) into the corporate network. It authenticates users against Active Directory.

This question has been answered.

Get Answer
WeCreativez WhatsApp Support
Our customer support team is here to answer your questions. Ask us anything!
👋 Hi, Welcome to Compliant Papers.
Hi, how can I help?