Network Security Plan and Implementation Report for GB.
The banking sector is one area where computer networks and IT systems are used extensively. Banks rely on IT network capabilities to improve their business outcomes and to ensure efficiency in all their operations. In this report the network security implementation is analyzed for The Golden Bank (GB). Network security is explored both for security planning and for ensuring that robust and adequate security measures are implemented in GB's systems. The GB network is large and the bank faces many issues in maintaining and managing its IT network infrastructure. This is because the existing network in the HQ, operations and branch offices uses different protocols, which is viewed as a security challenge since some of the native protocols are more vulnerable to current attacks and viruses.
GB headquarters is based in Tivoli and has 80 employees. There are two remote branch offices, one at Greenland and the second at Faroe. The operations building is located 60 km from Tivoli and a warm backup storage site is located 100 km from Tivoli. In addition, there are 28 branch offices, all connecting to the operations office over frame relay or DSL links; all 28 branch offices are similar in size. GB also has 28 ATM machines which use SNA protocols to communicate with operations. Some file servers still run the legacy IPX/SPX protocols and others use TCP/IP. The HQ, operations office and warm backup site are connected by T3 leased lines, and HQ connects to Greenland and Faroe over T1 leased lines. The warm backup site is used for off-site data storage, which is done regularly to ensure protection. The bank also provides connectivity to outside vendors. The bank uses Cisco 2600 multiservice platform routers, has network attached storage (NAS), a combination of Windows and Linux servers, and desktops running the Windows 8 OS. Each branch office, the operations office, the remote offices and the warm backup site have a LAN running on 10Base-T Ethernet; the LAN in HQ runs on 100Base-T Ethernet. Frame relay networks are used by the branch offices and vendors to connect to the operations center.
Problems faced by GB: the GB network depends on IPX/SPX, SNA and frame relay networks, which the board feels is a bottleneck for further business growth. Further, GB is already spending a large amount of money on maintaining its existing IT network and infrastructure, with very little room for expansion. The bank also plans to expand its existing branch offices by 30%, in which case the network must be scalable and flexible enough to accommodate larger data volumes efficiently. GB also desires an efficient, high-performing WAN/LAN with zero problems during business operations.
The scope of this report is to explore traditional WAN-based solutions for managing all systems and LANs in GB through IP addressing, to plug vulnerabilities in its servers and network devices, and to protect the entire IT network infrastructure of GB from attacks and hackers. The security plans are explored and discussed for their importance in securing data and customer services in GB.
Security plans and security measures will be implemented across all areas of GB operations to:
The GB network consists of different networks, all of them connected through common routers and protocols. In order to secure the network in GB, the following general aspects are analyzed (Daya, 2008):
GB requires cost-effective, high-speed and reliable WAN links between its offices. The internet can be considered as a network carrier, but since it is an open public network, GB's packets on the internet are vulnerable to attacks. VPN connectivity between the operations center and the branch offices is considered instead of frame relay, because a VPN (Ferguson & Huston, 1998) can establish a more secure network than frame relay.
A WAN is essential for GB to connect all its sites, branch offices, ATMs and remote sites; a WAN has the ability to connect multiple LANs (Rouse, 2007). The sites of GB are distributed, but their database is centrally maintained and managed. At the same time, the data on remote servers is also secured by real-time backup at the warm backup site. In order to implement security measures at all LANs and WAN links, along with devices, servers and individual computers, the top-down network design approach (Oppenheimer, 2011) is considered. The top-down approach begins with the upper layers of the OSI model and moves down to the lower layers; in this approach the session layer and the transport layer are considered. The approach also takes into account GB's group structure and organization structure, along with user and service authentication principles, so that the required controls in the network are fulfilled.
The secured network for GB is designed to fulfill business goals that include:
The network must also fulfill future information needs (Wen, 2001) and technical goals, which are summarized as:
Performance, availability and scalability are handled by the redundancy provided by the T1 and T3 links between GB's offices and remote branches. Security is planned by establishing a firewall at the perimeter of the network and an IDS in the internal LAN. Security measures for user authentication and data encryption, and the establishment of VPNs for connecting branch offices, are considered in ensuring network security.
GB has one headquarters, two remote offices, an operations office, a warm site for off-site backup, and branches. Each office has a LAN with multiple users, routers for forwarding packets and firewalls for authentication. The main router is located at the operations site and the warm backup site; this is the Cisco Immersive TelePresence system, as it can manage multiple protocols. The WAN plan for GB is shown in figure 1 with routers, firewalls and the LAN at each location. All data passes through the main router at operations and is routed to the respective offices. For example, if a branch office sends a packet to HQ, it is routed through the main router.
Figure 1: The WAN plan for GB
Since the entire LAN and WAN for GB is a TCP/IP network, the routers use the RIP protocol (Hedrick, 1988) for routing packets from one LAN to another LAN or subnet. For correct routing, RIP must be enabled on all routers. In the figure, the network addresses must be included in routing and the interfaces participating in the WAN must be specified; this is done using the router rip and network commands. RIP version 2 is used to define the routing tables in the routers.
The network command is used to define the connected subnets on the routers. Subnets are included in routing updates because HQ has four subnets, namely Finance, Accounting, Management and Administrative users. In addition, each branch, the remote offices, the operations office, the warm backup site, the ATMs and the outside support vendors are also present. The RIP configuration must specify all the networks in each office and must also include the network devices. In the GB network, classful networks are also present in the form of outside support vendors; here classful network refers to IPs that use the GB network in addition to their existing IPs. Certain default routing updates are summarized at the network perimeter (Antoniou, 2007) to establish a DMZ.
RIP is used mainly to update routing tables automatically which is done as below:
Therefore RIP is used to define routing tables in routers in GB.
A network address in CIDR format is used for GB, as it is a private IP range. The private address 10.0.0.0 for GB is subnetted across its locations by taking 3 bits, as below:
Number of subnets = 8 (2^3)
Total number of hosts = 2^21 – 2 = 2097150
Subnet mask will be 255.254.0.0
The above scheme is defined to allow the network to expand in future. Table 1 shows the start and end IPs of each subnet along with its broadcast address.
Network Address | First Address/n | Last Address/n | Broadcast Address
10.0.0.0 | 10.0.0.1/11 | 10.31.255.254/11 | 10.31.255.255
10.32.0.0 | 10.32.0.1/11 | 10.63.255.254/11 | 10.63.255.255
10.64.0.0 | 10.64.0.1/11 | 10.95.255.254/11 | 10.95.255.255
10.96.0.0 | 10.96.0.1/11 | 10.127.255.254/11 | 10.127.255.255
10.128.0.0 | 10.128.0.1/11 | 10.159.255.254/11 | 10.159.255.255
10.160.0.0 | 10.160.0.1/11 | 10.243.255.254/11 | 10.191.255.255
Table 1: GB’s IP addressing scheme followed for their locations
In the above table, since HQ needs 80 IPs, its range starts at 10.160.1.1 and ends at 10.243.255.254.
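The following added example (not part of the report) computes the subnet plan described above, 10.0.0.0 split with 3 borrowed bits, using Python's ipaddress module and renders it in the columns of Table 1, so each stated row, the mask and the host count can be checked against the arithmetic; the function names are my own.

```python
# Added example (not from the report): derive the plan the report describes,
# 10.0.0.0 split with 3 borrowed bits into eight /11 networks, and produce the
# Table 1 columns so each row can be checked against the arithmetic.
import ipaddress

BASE = ipaddress.ip_network("10.0.0.0/8")   # GB's private address block
SUBNET_BITS = 3                             # 3 bits borrowed -> 8 subnets of /11


def subnet_plan(base=BASE, bits=SUBNET_BITS):
    """One row per subnet: network, mask, first/last usable host, broadcast."""
    rows = []
    for net in base.subnets(prefixlen_diff=bits):
        rows.append({
            "network": f"{net.network_address}/{net.prefixlen}",
            "mask": str(net.netmask),
            "first": str(net.network_address + 1),   # arithmetic, not a 2M-host enumeration
            "last": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
            "usable_hosts": net.num_addresses - 2,
        })
    return rows


def subnet_for(addr, plan):
    """Return the planned subnet row containing addr, or None if it is outside the plan."""
    ip = ipaddress.ip_address(addr)
    for row in plan:
        if ip in ipaddress.ip_network(row["network"]):
            return row
    return None


def check_row(row, first, last, broadcast):
    """Compare a claimed table row with the computed one; return the fields that differ."""
    claimed = {"first": first, "last": last, "broadcast": broadcast}
    return sorted(k for k, v in claimed.items() if row[k] != v)


def format_table(plan):
    """Render the plan in the same four columns as Table 1 (addresses with /n suffix)."""
    lines = ["Network Address | First Address/n | Last Address/n | Broadcast Address"]
    for r in plan:
        net, n = r["network"].split("/")
        lines.append(f"{net} | {r['first']}/{n} | {r['last']}/{n} | {r['broadcast']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(subnet_plan()))
```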
The router configuration steps are given below:
Router Network Address = 10.160.0.0/11
Password: gbwan
Router Configuration Steps
Router# configure terminal
Router(config)# hostname hq
hq(config)# interface FastEthernet0/1
! a /11 network uses the mask 255.224.0.0
hq(config-if)# ip address 10.160.0.1 255.224.0.0
hq(config-if)# no shutdown
!
operations# configure terminal
operations(config)# interface FastEthernet0/0.1
! on a subinterface the 802.1Q tag is set before an IP address can be assigned
operations(config-subif)# encapsulation dot1Q 2
operations(config-subif)# ip address 10.0.0.1 255.224.0.0
operations(config-subif)# no shutdown
VLAN Configuration for one branch
operations(config)# vlan 2
operations(config-vlan)# name branch1
Likewise all 28 branch offices are defined, along with the two remote offices at Faroe and Greenland. As each branch office, the remote offices and the operations office have servers, these must be defined on the router. Similarly, the warm backup site has network attached storage, which must be taken into account in the routing table.
The main objective is to plan WAN security for GB, given the increased threats and the bank's use of old and obsolete protocols and systems. The network security plan is made while ensuring there is no disruption to the existing network and business operations. The following aspects are considered in GB's security plan:
Data confidentiality, privacy and integrity are highly important in WAN security.
The above five aspects are highly important in order to have an effectively secured network system (Dowd, 1998). Physical security measures such as controlled user access through an authentication process, establishing access levels in the system, and encryption are implemented (Oppenheimer, 2011). User and access control measures will be implemented across all services, databases, servers and VPNs. The security aspects of the RIPv2 protocol are also examined (Davis, 2006). Two authentication methods are available with this protocol, namely plain-text and message digest 5 (MD5) (Khalid, et al., 2008). In routers plain-text is the default method, but they must be configured to use MD5, because with this method the password is not sent in clear text and the routing table is secured. Without it, if a hacker is able to gain access to the physical environment, the WAN can become unsecured (Parziale, et al., 2006). WAN authentication succeeds only when updates are received from a trusted source or router. Hence, authentication on routers prevents the entry of corrupt or malicious updates, or denial of service (DoS) attacks (Rivest, 1992). Therefore, the MD5 algorithm is used for authentication.
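As an added example (not part of the report and not any router's code), the RIPv2 keyed-MD5 authentication selected above, as specified in RFC 2082: the shared key never travels on the wire, the sender appends a digest over the update plus the key, and the receiver recomputes the digest and also rejects updates whose sequence number does not advance. The key, key ID and route entries are constructed samples.

```python
# Added example, not from the report: RIPv2 keyed-MD5 authentication as
# specified in RFC 2082, the method the report selects over plain-text.
# The shared key never appears on the wire; the sender appends an MD5 digest
# computed over the update plus the key, and the receiver recomputes it and
# also rejects non-increasing sequence numbers (replayed updates).
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH, AUTH_MD5, AUTH_TRAILER = 0xFFFF, 0x0003, 0x0001
HDR_LEN, ENTRY_LEN, DIGEST_LEN = 4, 20, 16


def _padded_key(key: bytes) -> bytes:
    """RFC 2082 uses a 16-octet key, zero-padded (or truncated) to that size."""
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def build_update(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """Build a RIPv2 response for (network, mask, metric) tuples with an MD5 trailer."""
    header = struct.pack("!BBH", 2, 2, 0)                 # command=response, version=2
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0,                   # AFI=IP, route tag=0
                    ipaddress.ip_address(net).packed,
                    ipaddress.ip_address(mask).packed,
                    b"\x00" * 4, metric)                  # next hop 0.0.0.0
        for net, mask, metric in routes)
    rip_len = HDR_LEN + ENTRY_LEN + len(body)             # offset of the trailer
    auth = struct.pack("!HHHBBIII", AFI_AUTH, AUTH_MD5, rip_len,
                       key_id, DIGEST_LEN, seq, 0, 0)
    unsigned = header + auth + body + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    digest = hashlib.md5(unsigned + _padded_key(key)).digest()
    return unsigned + digest


def verify_update(packet: bytes, key: bytes, last_seq: int):
    """Return (accepted, new_last_seq); reject bad framing, bad digest or replay."""
    if len(packet) < HDR_LEN + ENTRY_LEN + 4 + DIGEST_LEN:
        return False, last_seq
    afi, atype, rip_len, _kid, alen, seq, _, _ = struct.unpack(
        "!HHHBBIII", packet[HDR_LEN:HDR_LEN + ENTRY_LEN])
    if (afi, atype, alen) != (AFI_AUTH, AUTH_MD5, DIGEST_LEN):
        return False, last_seq
    if rip_len != len(packet) - 4 - DIGEST_LEN or \
            packet[rip_len:rip_len + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False, last_seq
    expected = hashlib.md5(packet[:-DIGEST_LEN] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, packet[-DIGEST_LEN:]):
        return False, last_seq                            # forged or tampered update
    if seq <= last_seq:
        return False, last_seq                            # replayed or stale update
    return True, seq
```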
From the above, the network security plan for the GB network will consist of:
In the WAN, firewalls are implemented at the perimeter of the network to prevent outside attacks and to control users' access to the internet. A general implementation of a firewall for GB is shown in figure 2. Firewalls are placed at the perimeter of the GB network and at different positions inside the network to block IP addresses that do not meet the criteria specified in the routing tables. Since the GB network uses the internet for VPNs, security measures such as port address translation (PAT) are implemented to stop attacks from outside.
Figure 2: An implementation of firewall
Further, the main Cisco router performs packet filtering, and an IDS is used in GB to enhance the security of data, since it provides an additional layer of security against attacks that pass through the perimeter firewall. The positioning of the IDS for GB is illustrated in figure 3.
Figure 3: Use of IDS along with firewall for network security
Network services in GB must be analyzed for their implications for users (Zwicky, 2001). For instance, if a user has access to the database server, that user's access to the web server and the file server must also be examined.
Security areas are classified as trusted and untrusted; for instance, the internet is an untrusted area. In the GB network, DMZ zones are defined to separate the fully secure and the insecure parts of the network. The DMZ will provide access to untrusted users, i.e., users gaining access from the internet. Normally web and mail servers fall in the DMZ. Database servers, authentication servers, file servers and storage systems fall in the protected zone for GB. Virtual LANs (VLANs) are implemented to protect the servers. The protocols used in GB for network management are ICMP, RCP, TCP/IP and SNMP, for monitoring availability, utilization and latency in the WAN (Leskiw, 2005). In addition, the other protocols used in configuring network security and consistency include WMI, HTTP, UDP, MD5 and RIP v2.
The next step is to define ACLs. For example:
In the ACL, Administration is not allowed to access Management and Accounting.
Using an extended list:
ip access-list extended vlan_administration
 ! the wildcard 0.31.255.255 ignores the low-order bits, so both entries match the whole 10.64.0.0/11 range;
 ! narrow the destination to the actual Management and Accounting subnets
 deny ip 10.8.0.0 0.7.255.255 10.64.0.2 0.31.255.255
 deny ip 10.8.0.0 0.7.255.255 10.64.0.3 0.31.255.255
 ! explicit permit: without it the implicit deny at the end of the list blocks all other traffic
 permit ip any any
interface FastEthernet0/0.2
 ! applied inbound on the Administration subinterface so that traffic leaving that VLAN is filtered
 ip access-group vlan_administration in
Faroe is not allowed to access the warm site:
ip access-list extended vlan_faroe
 deny ip 10.32.0.0 0.7.255.255 10.64.0.2 0.31.255.255
 permit ip 10.32.0.0 0.7.255.255 10.64.0.3 0.31.255.255
 permit ip any any
interface FastEthernet0/0.4
 ip access-group vlan_faroe in
The ACLs are configured for all sites in GB. The deny ip entries ensure that hosts belonging to Administration and Faroe are restricted according to the access conditions required by GB.
The next stage is testing. The network and system configurations are considered in testing (Thai, 2012). In addition, network penetration tests are carried out so that malicious traffic can be prevented from entering the network. The entire security technology is tested using a Universal Threat Management System (UTMS), and the software tool Endian FW is used to monitor network traffic and view malicious behaviour. Testing can also be done using the tool Cisco flow, which is also used for troubleshooting (Kunath, 2011). The final implementation for network security is illustrated in figure 4.
Figure 4: Network security implementation in GB
To test packet transfer from any user IP to another remote IP on the network, the ping command is used. The remote IP responds as shown in the screenshot in figure 5.
Figure 5: Ping command and response from staff IP
The network packet flow is illustrated in figure 6 for GB.
Figure 6: Network packet flow in GB
Intrusions are monitored from the packet flows using UTMS and the monitoring software.
Conclusions
In this report, the redesign of the GB enterprise network is explored to ensure network security and protect the bank's systems and infrastructure. The security solution is achieved through network planning, security planning and the implementation of a secured network to connect the offices with the enterprise network. The existing infrastructure of GB is examined for threats, attacks and performance impact on the network. The redesign is explored by considering different aspects of business and IT operations, and the implementation of a security policy and operating procedures is emphasized. The security solution is shown in figure 1, with the positioning of firewalls and routers and the connectivity between the different locations. The secured network is implemented using standard protocols with adequate scope for future expansion. The security implementation is demonstrated using UTMS and the Endian FW monitoring and network management software to test the designed network.
References
Antoniou, Stelios (2007). How to configure RIP Version 2.
Daya, B., (2008), Network Security: History, Importance, and Future. Florida, USA: University of Florida Department of Electrical and Computer Engineering.
Davis, David (2006). Cisco administration 101: Know the basics about RIPv2.
Dowd, P.W. (1998), Network security: it's time to take it seriously. Computer, 24-28.
FCC (2012), Cyber Security Planning Guide. Federal Communications Commission.
Ferguson, P. & G. Huston (1998), What is a VPN? Cisco Systems.
Hedrick, C. (1988). Routing Information Protocol, RFC 1058. Network Working Group, Rutgers University.
Khalid, S., T. Hatim, A. Elzoghabi and S. Mohammad (2008), Performance Evaluation of Secured Versus non-secured EIGRP Routing Protocol. Proceedings of SAM. pp.174-178.
Kunath, A. (2011), Enterprise Network Testing. Indianapolis: Cisco Press.
Leskiw, Aaron (2015), Techniques for Monitoring WAN Links.
Oppenheimer, Priscilla, (2011), Top-Down Network Design. 3rd ed. IN, USA: Cisco Systems Inc.
Parziale, Lydia, David T. Britt, Chuck Davis, Jason Forrester, Wei Liu, Carolyn Matthews and Nicholas Rosselot (2006). TCP/IP Tutorial and Technical Overview. 8th ed. USA: IBM Corporation.