Furthermore, it is not advisable for even the employees within the organization to have completely unrestricted access to all of the organization's data. A comprehensive security architecture must be established in order for EX. Corp..
To continue to grow and flourish on a solid foundation. This proposal will outline a multifaceted approach to security architecture which will mitigate against both internal threats, such as data theft or leakage by employees, and external threats such as network intrusions and mallard.The specific areas which this proposal will cover in detail are: access intro measures, password policy, encryption methods, remote access solutions, and perimeter defense measures such as firewalls and intrusion prevention and detection systems. By implementing the measures outlined in this proposal, EX. Corp.
. Will exponentially increase the security of it's network and of it's critical data. Access Control The first and most vital recommendation for establishing security over shared resources is to implement a Windows Domain environment.While alternative (non Microsoft) domain server solutions do exist, it makes natural sense to establish a Windows domain for a number of reasons. First of all, the workstations are almost certainly running a Windows operating system, which means that a Windows domain server will integrate much more seamlessly with the workstations than any other competing solution. Secondly, Windows Server is an extremely robust, mature, well documented and well supported solution.
There is a wealth of information, resources and training available on Windows Server, both from Microsoft and through other third parties.In an enterprise level business environment, running a Windows domain is nearly always a good decision. Once a Windows domain controller is established and all of the workstations are joined to the domain, administrators can utilize Active Directory and it's associated tools in order to centrally manage access control for all resources on the domain. Active Directory is a directory service that Microsoft developed for the purpose of managing users, groups and resources on a Windows domain, and it is built on top of the Lightweight Directory Access Protocol (LDAP).Active Directory is essentially a database of "objects.
" An object can be a physical resource such as a printer or river, or a software based concept like a user account or group of accounts. The relationships between these objects, and all of their associated attributes are maintained in the Active Directory database. Administrators can organize user accounts into groups, and then manage access control for these groups via "Group Policies. " Group Policies limit what operations and resources users have access to.
For instance, group policies can be used to enforce password policy, or to control access to network shared file systems. Active Directory provides an extremely robust, flexible and centrally managed solution to the problem of access control. For these reasons it is the ideal solution for this scenario. Password Policy One of the most crucial elements of good security is a strict password policy. Passwords are one of the most fundamental forms of access control, and are built into nearly everything we do with computers today.
The most important thing to understand about passwords is that they are only as effective and secure as we make them. There are scripts and utilities today which are capable of attempting hundreds of thousands of password combinations in a matter of minutes. Simple dictionary words are not sufficient for effective security. There are a number of password complexity factors which have been identified which directly correlate to password security. These are: character length, inclusion of both upper and lower case letters, numbers and special characters.In addition to constructing complex passwords, there are a number of administrative controls which can be used to make the password policy even more secure.
On a Windows domain environment, administrators can use group policies to establish rules on password duration (how long passwords remain valid before having to be updated) and account lockouts (the umber of times an incorrect password can be entered before the account is administratively locked and requires administrative assistance to recover). Utilizing all of these in combination will yield the most secure result.An effective password policy should mandate at a minimum: a minimum number of characters, the inclusion of upper and lower case letters, numbers and special characters, password duration, and a maximum number of failed attempts before account lockout. Again, a Windows domain environment allows for centralized control of all of these elements of password policy via Group Policies.
Encryption The next measure which should be taken to enhance the security of EX. Corporation's data is to implement encryption. Encryption protects data through the use of digital "keys. These keys are used to scramble and unscramble the data, meaning that the data can only be accessed by a system or user account which contains the appropriate key. Encryption can be applied to both the storage of data on disk and the transmission of data across the network. Using an encryption scheme on a file system ensures that disks and files are not simply copied or moved from one yester to another to be accessed by another machine or operating system.
Data encryption can be performed at both the file and disk level.As the name suggests, a file level encryption solution works by encrypting the individual files on a drive. File encryption can be performed either by the operating system or through the use of third party software. Disk level encryption works by encrypting the entire disk as a whole, rather than the individual files on the disk.
Disk encryption is a more complete and secure solution, but may not be necessary in every instance. The Windows family of operating systems (from Windows Vista and Windows Server 2008 on) come packaged with a disk encryption utility called Footlocker, which is ideal for this purpose.Network encryption comes in a number of different forms and protocols, to include: Pipes, SSH, HTTPS etc. These protocols protect data from electronic eavesdropping as they travel across the network, and especially as it leaves the internal network and traverses the public internet.
Network encryption will be discussed in more detail in the following sections on remote access and perimeter offense. Remote Access As EX. Corp.. Continues to expand it has become apparent that there is a requirement for Virtual Private Network(VPN)/remote access capability in order to meet it's objectives.
Remote access is a general term which describes different technologies that allow a remote access to a private network from outside that network, and often across a public network, by creating an encrypted tunnel for communication. Remote access solutions such as Van's allow for authenticated users to access the private network from virtually anywhere in the world, at any time. For emote access, there are many competing solutions available such as Team Viewer, WAP VPN, Pure VPN and Cisco Annoyance. Each of these solutions excel in different areas, and have different licensing schemes and pricing options.
This proposal will discuss in detail the Cisco Adaptive Security Appliance (AS) and Coco's Annoyance VPN server solution. One of the Cisco AS device's capabilities is it's ability to act as a server for the Cisco Annoyance VPN platform. Cisco Annoyance performs two basic functions in order to provide a secure connection: authentication and encryption. For authentication, the Cisco AS supports a variety of industry standard protocols such as Remote Authentication Dial In User Service(Radius), Lightweight Directory Access Protocol(LDAP), Cerberus, digital certificates and Terminal Access Controller Access Control System Plus(ATTACK+).For encryption, the AS/Annoyance platform relies on two protocols. For encrypting Transmission Control Protocol(TCP) traffic, the AS utilizes the Transport Layer Security(TLS) protocol.
TCP is utilized when one hundred percent data integrity is required, for example in the transmission of a aerogram, a data file or a weeping, where each bit must be guaranteed to be delivered and ordered in the correct sequence. While TCP guarantees data integrity, the tradeoff is speed. TCP is considerably slower than it's alternative, User Datagram Protocol(UDP).For streaming or real time, latency sensitive traffic such as voice and video, JODI is the protocol of choice. UDP speeds up data transmission by not waiting for confirmation of receipt of the previous packet.
UDP is a constant stream of packets across the network, with no guarantee of delivery whatsoever. For the encryption of JODI traffic, the AS/Annoyance platform utilizes Datagram Transport Layer Security(TLS). TLS was developed to provide a comparable level of security to TLS but for JODI traffic. The combination of these two protocols ensures that remote access traffic is encrypted at all times.
The Cisco Annoyance VPN Server is a great solution for providing trusted users with "anytime, anywhere" remote access capability. Perimeter Defense For EX. Corps's perimeter security, the Cisco Adaptive Security Appliance (AS) can also fill the role of a highly secure and configurable Firewall and Network-based Intrusion Prevention System (NIPS). The Cisco AS can monitor and filter all traffic entering and exiting the network based on rules established by the administrator, dropping any suspicious packets before they can do any harm to the organization's data or create further security vulnerabilities.
Utilizing the Cisco AS for both firewall and VPN server makes sense because both functions can be administered via the same interface. While the AS is an excellent perimeter security tool, host based anti- mallard software should still be utilized on all hosts on the network, as an added assure of security. After all, it is entirely possible for malicious software to be introduced to the domain from within the private network by an employee, either intentionally or unintentionally, and host based anti-mallard software will be the only way to mitigate against this.The combination of a network based firewall and 'AS, and host based anti-mallard software provides redundant, multilayered protection from malicious software. Summary This proposal has outlined a comprehensive, multi-tiered approach to network security and described detailed measures which can be taken to implement access intro, effective password policy, encryption, remote access and protection from external mallard threats.
