Firewall and Networking Tarleton State University Network Security Plan HW Final Project: Network Security Plan

Scenario

You have been working as a technology associate in the information systems department at Corporation Techs for three months now. You have conducted a network survey and developed a basic network design intended to provide security for private network resources and publicly exposed

Your manager specified that all information transferred between the sales team in the field and the organizational servers must be protected against snooping. The manager also wants the secured reporting site to be available only through the organization’s private network so that an outsourced network-based intrusion detection system (NIDS) service can log all connections.

Tasks
You need to recommend a network design and identify hardening strategies intended to meet the requirements. To do so, you must:

Access the PCAP and other scan data for this project.
Conduct research and determine the best network design to meet the stated requirements.
Research hardening strategies and identify recommended mitigation strategies for identified vulnerabilities.
Identify mechanisms for secure network access by remote users, both in terms of secure Web access as well as reporting access conducted using the private network.
Develop a network security plan including network realignment, hardening practices, and policies for remote resource access.
Identify expectations from recommended changes and provide justification for each recommendation in simple language so that primary stakeholders are able to understand it.
Create a professional report detailing the information above, presented as a recommendation for a network security realignment project for Corporation Techs. Include persuasive justification and measurable expectations as part of this recommendation.

Network Design
Antwain Mergerson
Professor Teeters
Firewalls & Network Security
10/25/2017
Network Survey
Identifying the hosts within Corporation Tech’s network
By analyzing the PCAP data in NetWitness Investigator, we can identify the hosts within Corporation Techs’ network. From the analysis, the following seven machines were determined to be running within that network:

A Debian 6.0 (Squeeze) Linux server, kernel 2.6
172.30.0.1

A Windows Server 2003 with NetBIOS name BASE-LAB
172.30.0.2

A Linux server – Debian 6.0
172.30.0.200

A Windows XP PC with NetBIOS name VULNXP
172.30.0.3

An Ubuntu 10.04 server
172.30.0.4

A Windows Server 2003 with NetBIOS name BASE-LAB-TG01
172.30.0.8

An Ubuntu 10.04 server
172.30.0.9

Protocols in use within Corporation Techs’ network
The Nessus scan report can be used to identify the protocols and services running on each of the machines.

From the scan of the Debian 6.0 Linux server with IP 172.30.0.1, one can tell that the server had the following open ports: ICMP port 0, TCP port 111, TCP port 22, TCP port 23, TCP port 40674 and UDP port 60517. ICMP port 0 is most common on Linux operating systems, and it can be used to determine the timestamp of a machine within the network. The server is also listening on TCP port 22, which is the SSH port; having port 22 open is a clear indicator that the server is running an SSH server. The server also had Telnet port 23 open, meaning that the organization’s users have probably been connecting to the server via Telnet. The server also had UDP port 60517 and TCP port 40674 open, and these are known to be used by the ONC RPC service.

The BASE-LAB server (Windows Server 2003) with IP 172.30.0.2 was noted to have the following open ports: TCP ports 1025, 1241, 135, 139, 3389, 445, 6051, 8000, 8089, 8834 and 1994 (spontaneous), and UDP port 137. TCP port 1994 was initially noted to be open but was immediately closed, hence no information about what service was running on it could be determined. TCP ports 1241, 8089 and 8834 were used on the server to listen for and serve SSL requests. The server also had HTTP and HTTPS services, and these were listening on ports 8000 and 8089. The Windows server was also running a remote RPC service, which was listening on port 1025. Server BASE-LAB was also set to listen for and answer NetBIOS requests sent to UDP port 137 and TCP port 445. There was also an SMB service running on the Windows server, listening on port 139; the server mainly used the SMB service for shared access to files or printers. The Windows server BASE-LAB also had port 3389 open, which makes it clear that a Remote Desktop server was running on the machine.

The Debian 6.0 (Squeeze) Linux server that was assigned IP 172.30.0.200 had six open ports. These were ICMP port 0, which could be used to determine the timestamp of the server; TCP port 111, TCP port 40674 and UDP port 60517, which were run by the ONC RPC service and allowed Remote Procedure Calls to be made to the server; an SSH server listening on the default SSH port 22; and a Telnet server listening on the default port 23.

The Windows XP PC (VULNXP) with IP address 172.30.0.3 had several open ports. By looking at the open ports, we can tell the type of services that were being run on the PC. These were TCP ports 1025, 135, 139, 3389 and 445, and UDP ports 1027, 123 and 137. Port 3389 indicates that the PC could be accessed remotely via Remote Desktop and that the machine was probably running a Remote Desktop server. TCP port 135 was used as a messenger port on the machine. Ports 135 and 139 were used for NetBIOS and SMB/Samba, respectively. Port 445 on the PC could be used for remote command execution. The machine also ran an LSASS service and an RPC service. The PC also had a service and port listening for file/print sharing, and a CIFS server running.

The Ubuntu 10.04 server that was assigned the IP address 172.30.0.4 had several open ports. Based on the ports open on the server, we can safely say that the server acted as the web server within the network. The server had the following open ports: TCP port 21, run by the FTP server; port 22, run by the SSH server; port 3306, which shows that an SQL server was running; and TCP ports 80 and 443, which indicated that the server was used to service HTTP and HTTPS requests. There was also an mDNS service running on the server, as evidenced by the open port 5353.

There was also a Windows Server 2003 with the NetBIOS name BASE-LAB-TG01 that was discovered to be running within the network, and this was assigned the IP address 172.30.0.8. The server had these open ports: ICMP port 0 and TCP ports 1031, 1241, 135, 1994, 21, 3389, 445, 69, 8000, 8089 and 8834. TCP ports 1031 and 135 were used for the DCE/RPC service. Port 445 indicated that there was a CIFS service running on the server. Port 3389, as previously seen on other servers, indicated that the server was running a Remote Desktop server. Ports 8000, 8089 and 8834 indicated that HTTP and HTTPS servers were configured and set to run on the server. The open port 69 also indicated that the server ran a TFTP server and listened for any requests sent to it.

Finally, another Ubuntu 10.04 server was noted to exist within the Corporation’s network, and this was assigned the IP 172.30.0.9. This Ubuntu server had the least number of open ports: TCP port 22, which is the default SSH port; mDNS port 5353, used for the mDNS protocol; and ICMP port 0, which could be used to determine the timestamp of the server.
Development of the Network Security Plan
From the PCAP file, the NetWitness Investigator results and the Nessus scan report, we can note that the Corporation Techs network consisted of only seven devices which were hooked up to the company’s network. Based on the number and types of open ports found on each of the machines, we can say that each of the devices had been set up and mandated to run specific tasks within the network.
Based on the Nessus scan report, it is easy to conclude that the Corporation’s network contained several loopholes which could easily be attacked and used to steal the company’s data. It can be noted that all the servers had a remote service which allowed TCP timestamps to be used to determine the exact time that had been set on each of the devices. In any network, having such a feature enabled on hosts can be risky, since an attacker might use such information to bypass any time-based authentication measures which might have been deployed on one’s system.
It can also be noted that all the servers seemed to have self-signed SSL certificates or certificates from an unknown certificate authority, and some had expired as well. Having SSL certificates that are not signed by known certificate authorities installed on publicly accessible hosts/devices might end up having dire consequences for any organization, since an attacker could easily initiate a man-in-the-middle attack on the host/device and end up compromising the system. Therefore, it is prudent for any organization to ensure that they either generate and deploy proper SSL certificates for their publicly accessible systems or consider purchasing SSL certificates from reputable SSL vendors.
Most of the servers that ran or serviced HTTP/HTTPS requests were also noted to be outdated. Having outdated servers, such as Apache on the Ubuntu 10.04 server (IP 172.30.0.4), might end up putting the organization in jeopardy, since these might be susceptible to attackers while also causing remote users or website users to experience degraded service. It is also important to disable features such as WebDAV on a site if they are not regularly used or needed, since this will go a long way in minimizing the chances of falling victim to a man-in-the-middle attack. Another important feature that one can disable is the debugging functions which were noted to have been enabled on the web servers. Having the debugging feature on the web servers was a security risk for the organization, since attackers could easily perform TRACE and TRACK attacks on the servers.
It was noted that some of the servers had weak root passwords or network share passwords that could easily be bypassed by using null session attacks on the respective devices. The organization is advised to ensure that they use strong passwords on all their networked devices and that all network shares are also password protected, as this will go a long way in slowing down or deterring attackers.
Most of the servers that had Remote Desktop servers running also seemed to be running outdated security protocols that could be susceptible to man-in-the-middle attacks. Therefore, the organization must ensure that all the Remote Desktop servers, and indeed all devices, are updated and patched to ensure that they are using the latest security measures.
Proposed network design which will help secure the network
When creating a network design for any business, one needs to have a clear understanding of how the network will flow. It is also crucial for the network engineers to have a clear idea of how the network traffic will be managed and moved from one point to the other and, if possible, how it can be scaled to support future needs. One should create a network design so that users’ resources can be incorporated within the same building.
Based on the IP addresses which have been assigned to each of the host machines within the Corporation Techs network, we can tell that they are using a /24 subnet. A /24 subnet means that the network in question is capable of supporting 254 hosts. Having a /24 subnet for such a network seems to be quite a waste of IP addresses, since from our analysis there were only seven live hosts detected. The following proposed network design aims at depicting how the network should be segmented in order to add an extra layer of security to the Corporation Techs network.
Before we begin to segment the network, we first need to understand the role of each of the devices that exist within the network. To do this, we can easily denote the role of each device by looking at its open ports.
From the open ports on each of the devices, we can tell that there were three devices acting as web servers, namely the BASE-LAB server with IP 172.30.0.2, the Ubuntu 10.04 Linux server with IP 172.30.0.4 and the Windows Server 2003 BASE-LAB-TG01 with IP 172.30.0.8.
Based on the above, we can easily say the indicated servers are outward facing on the network and will each require a public IP so that outside users or visitors can still access the organization’s websites.
We can also see that there are three servers which have port 22 open on the network. These are the Ubuntu 10.04 server with IP 172.30.0.9, the Debian 6.0 (Squeeze) Linux server that was assigned IP 172.30.0.200 and the Debian 6.0 Linux server with IP 172.30.0.1. From this, we can then dedicate only one server to have a public IP with its port 22 open to the world. Therefore, since the Ubuntu 10.04 Linux server with IP 172.30.0.4 has port 22 and the HTTP ports open, we can dedicate it to be the only server to have a public IP with SSH exposed.
Based on the devices that have Remote Desktop enabled, we can decide to have only one of the Windows devices with a public IP, so that it is easier for the organization’s administrators to work remotely. With this in mind, we can select either the Windows Server 2003 BASE-LAB-TG01 with IP 172.30.0.8 or the BASE-LAB server with IP 172.30.0.2 to have port 3389 accessible from outside.
It will also be prudent to introduce a Cisco router to the network. Having a Cisco router in the network will help us control how traffic flows within the network itself and how it flows outside. The router will also enable us to do port mapping on some of the devices, meaning that we can have many private IPs NATted to a single public IP. The router will also help us implement Access Control Lists (ACLs) on the network. The access control lists will dictate which services can be accessed from outside, hence adding an extra layer to our network, since not all the ports will be accessible from outside the corporation’s network.
Based on the above, we can then conclude that the network will need to have only three servers
and one router which will be assigned public IPs.
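The role-and-exposure reasoning of the design section, as an added Python example that is not part of the student’s report: it classifies each surveyed host by its open ports and derives which hosts and ports the router may expose through NAT and ACLs, applying the rules stated above (every web server in the DMZ, one SSH host, one Windows RDP host, everything else private). The port inventory is transcribed from the survey above; the `INTERNAL_ONLY` mapping is an assumption drawn from the services the report says should stay inside.

```python
from collections import defaultdict

# Open TCP ports per host, transcribed from the survey above (UDP/ICMP omitted).
INVENTORY = {
    "172.30.0.1":   {"os": "Debian 6.0",          "tcp": {22, 23, 111, 40674}},
    "172.30.0.2":   {"os": "Windows Server 2003", "tcp": {135, 139, 445, 1025, 1241, 3389, 6051, 8000, 8089, 8834}},
    "172.30.0.200": {"os": "Debian 6.0",          "tcp": {22, 23, 111, 40674}},
    "172.30.0.3":   {"os": "Windows XP",          "tcp": {135, 139, 445, 1025, 3389}},
    "172.30.0.4":   {"os": "Ubuntu 10.04",        "tcp": {21, 22, 80, 443, 3306}},
    "172.30.0.8":   {"os": "Windows Server 2003", "tcp": {21, 69, 135, 445, 1031, 1241, 1994, 3389, 8000, 8089, 8834}},
    "172.30.0.9":   {"os": "Ubuntu 10.04",        "tcp": {22}},
}

WEB_PORTS = {80, 443, 8000, 8089, 8834}   # any of these marks a web server
SSH_PORT, RDP_PORT = 22, 3389

# Assumed list of services that stay private regardless of role: plaintext
# logins, file sharing, RPC endpoints and the database behind the web server.
INTERNAL_ONLY = {21: "ftp", 23: "telnet", 69: "tftp", 111: "rpcbind", 135: "dce-rpc",
                 139: "netbios-ssn", 445: "smb", 1025: "rpc", 1031: "rpc", 3306: "mysql"}

def roles(tcp_ports):
    """Roles a host plays, judged only from its open TCP ports."""
    found = set()
    if tcp_ports & WEB_PORTS:
        found.add("web")
    if SSH_PORT in tcp_ports:
        found.add("ssh")
    if RDP_PORT in tcp_ports:
        found.add("rdp")
    return found

def exposure_plan(inventory):
    """Map host -> TCP ports the router may NAT/permit from outside.

    Design rules: every web server sits in the DMZ with its web ports reachable;
    exactly one host (a web server that already runs SSH) exposes port 22;
    exactly one Windows web server exposes RDP; nothing else is reachable.
    """
    plan = defaultdict(set)
    web_hosts = sorted(h for h, d in inventory.items() if "web" in roles(d["tcp"]))
    for h in web_hosts:
        plan[h] |= inventory[h]["tcp"] & WEB_PORTS
    ssh_hosts = [h for h in web_hosts if SSH_PORT in inventory[h]["tcp"]]
    if ssh_hosts:
        plan[ssh_hosts[0]].add(SSH_PORT)
    rdp_hosts = [h for h in web_hosts
                 if RDP_PORT in inventory[h]["tcp"] and inventory[h]["os"].startswith("Windows")]
    if rdp_hosts:
        plan[rdp_hosts[0]].add(RDP_PORT)
    return dict(plan)

def internal_only_findings(inventory):
    """Open services that must never be reachable from outside, per host."""
    return {h: {p: INTERNAL_ONLY[p] for p in sorted(d["tcp"]) if p in INTERNAL_ONLY}
            for h, d in inventory.items()}

if __name__ == "__main__":
    for host, ports in exposure_plan(INVENTORY).items():
        print(f"{host}: public IP, permit inbound TCP {sorted(ports)}")
    for host, svcs in internal_only_findings(INVENTORY).items():
        if svcs:
            print(f"{host}: keep private -> {svcs}")
```

The plan yields three public hosts, which together with the router gives the four public IPs the subnetting section sizes for.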
Subnetting
To assign the IPs, we will need to subnet the network so that we can easily manage it while also ensuring that the cost of purchasing the IP addresses is lowered. To do the subnetting we will be using the following chart.
2^8 = 256
2^7 = 128
2^6 = 64
2^5 = 32
2^4 = 16
2^3 = 8
2^2 = 4
2^1 = 2
We will also need the following chart to determine the number of hosts that will exist within the Class C subnet that we will also be using.
Prefix  Addresses  Hosts  Netmask          Amount of a Class C
/30     4          2      255.255.255.252  1/64
/29     8          6      255.255.255.248  1/32
/28     16         14     255.255.255.240  1/16
/27     32         30     255.255.255.224  1/8
/26     64         62     255.255.255.192  1/4
/25     128        126    255.255.255.128  1/2
/24     256        254    255.255.255.0    1
/23     512        510    255.255.254.0    2
/22     1024       1022   255.255.252.0    4
/21     2048       2046   255.255.248.0    8
/20     4096       4094   255.255.240.0    16
/19     8192       8190   255.255.224.0    32
/18     16384      16382  255.255.192.0    64
/17     32768      32766  255.255.128.0    128
/16     65536      65534  255.255.0.0      256
From the number of hosts (four) that we have identified as needing public IPs, we can easily tell that our network should use a /29 network, since the network will have 8 IP addresses. However, only six IP addresses will be usable, and this will range from IP 172.30.0.1 to 172.30.0.8. The /29 network will use the netmask 255.255.255.248.
The three servers fall under our DMZ network and will each have one public IP and no private IP. This way, the devices within the network will still be secure even if any of the servers is compromised.
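The subnet sizing above, as an added Python example that is not part of the report: it rebuilds the chart with the standard-library ipaddress module, picks the smallest block whose usable-host count covers the four public hosts, and lists the assignable addresses of a concrete /29. The block 172.30.0.0/29 is assumed only for illustration; the real public range would come from the ISP.

```python
import ipaddress
from fractions import Fraction

def chart_row(prefix):
    """One chart row: (addresses, usable hosts, netmask, fraction of a Class C)."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    addresses = net.num_addresses          # 2^(32 - prefix), as in the power chart
    hosts = max(addresses - 2, 0)          # minus the network and broadcast address
    return addresses, hosts, str(net.netmask), Fraction(addresses, 256)

def subnet_chart(first=30, last=16):
    """The chart above, keyed by prefix, from /30 down to /16."""
    return {f"/{p}": chart_row(p) for p in range(first, last - 1, -1)}

def smallest_prefix_for(host_count):
    """Longest prefix (smallest block) whose usable-host count covers host_count."""
    for prefix in range(30, 0, -1):
        if chart_row(prefix)[1] >= host_count:
            return prefix
    raise ValueError("too many hosts for a single IPv4 block")

def usable_range(cidr):
    """First and last assignable address in a block, plus how many there are."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects a non-aligned block
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)

def fits(cidr, needed):
    """Does a concrete block leave room for every host that needs a public IP?"""
    return usable_range(cidr)[2] >= needed

if __name__ == "__main__":
    for prefix, (addrs, hosts, mask, frac) in subnet_chart().items():
        print(f"{prefix:>4} {addrs:>6} {hosts:>6} {mask:<16} {frac}")
    p = smallest_prefix_for(4)   # three DMZ servers plus the router
    print(f"4 public hosts -> /{p}, netmask {chart_row(p)[2]}")
    # Assumed illustrative block; the ISP assigns the real one.
    print("172.30.0.0/29 usable:", usable_range("172.30.0.0/29"))
```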
Below is a diagram depicting how the network will be:
Conclusion
It is important to conduct network and system analysis tests regularly, since they show which services run within one’s network. Such tests are also crucial since they point out which applications might need to be updated or stopped altogether, as they might pose a security risk to the organization. Finally, it is prudent for the Corporation’s information systems department to ensure that all the servers and users’ machines are updated and patched, while also ensuring that they change and use strong passwords for all their servers and personal computers.
Semester Project: Corporation Techs
The overall task for Final Project: Network Security Plan is to recommend a network design and a
security plan that meet specific requirements for Corporation Techs.
Project: Network Design and Plan
Purpose
This project provides you an opportunity to solve a comprehensive problem in firewall and VPN
implementation at various levels. You will play the role of an employee participating in the network
security update planning process in a specific business situation.
Required Source Information and Tools
The following tools and resources will be needed to complete this project:
- A Web browser and access to the Internet to perform research for the project
- Access to the NetWitness Investigator application
- Packet trace files, vulnerability scans, and associated reports (provided by your instructor)
  - general_comm.pcap
  - encrypted_comm.pcap
  - nmap_scan.xml
  - topology_fisheye_chart.pdf
  - nessus_report.html
Learning Objectives and Outcomes
- You will be able to apply core competencies learned throughout the course to a single project.
- You will be able to analyze and apply knowledge of firewalls, VPNs, network diagrams, and defense measures.
- You will be able to demonstrate logical reasoning and decision-making skills.
Deliverables
The project is divided into two smaller assignments and one major assignment. Details for each deliverable can be found in this document. Refer to the Course Calendar for submission dates.
- Project Part 1: Network Survey
- Project Part 2: Network Design
- Final Project: Network Security Plan
Project Part 1: Network Survey
Introduction
Network defenses rely first on understanding the current configuration of hosts, services, and
protocols in use within the organization. Before it is possible to plan to change anything, you must first
understand what is present and where it is located within the network. The initial phase of any network
security realignment process involves identifying existing resources.
Scenario
You have been working as a technology associate in the information systems department at
Corporation Techs. The Corporation Techs’ management is concerned that they are losing business
to a competitor whose bids are too accurately just under the bids offered by Corporation Techs––by
an exact amount. A security firm was contracted to conduct a review of Corporation Techs’ systems,
identifying unauthorized access to the Web server as a potential source of compromise due to the
shared reporting and public Web site functions. The packet trace and vulnerability scans gathered
during this review are available for your use.
The Web server provides public access to the organization’s static Web site for contact information,
while sales team members in the field transfer contract and bid documents using a site secured with a
logon and password. Corporation Techs has budgeted for new networking hardware but does not
want to add additional servers due to cooling issues. Your manager has asked you to create a security
plan that will prevent unauthorized access, while making sure that both public and secured Web
access remain available.
Tasks
The data and information you need to complete this part of the project are provided to you. (See the
Required Source Information and Tools section at the beginning of this document.) In this part of the
project, you need to conduct a survey of the existing hosts, services, and protocols within Corporation
Techs’ network. Specifically, you need to:
1. Access the PCAP data using NetWitness Investigator.
2. Identify hosts within the Corporation Techs’ network.
3. Identify protocols in use within the Corporation Techs’ network.
4. Develop a list of hosts and services provided by each.
5. Create a professional report detailing the information above as the initial document for development of the network security plan.
Write the network survey results as detailed in the instructions above.
Evaluation Criteria and Rubrics
Evaluation Parameters                                                                                           Percentage Weight
Did the student demonstrate an understanding of the competencies covered to date?                               30
Did the student include all hosts identified within the provided packet trace?                                  30
Did the student include all services and protocols identified within the provided packet trace and align them   30
with the proper host?
Did the student create a professional, well-developed draft with proper grammar, spelling, and punctuation?     10
Total                                                                                                           100%
Project Part 2: Network Design
Introduction
As discussed so far in this course, the configuration of a network …