In business organizations with multiple geographically separated branches, a wireless LAN extends the computer network to the end users or employees of the organization (Ahmad, Maynard & Park, 2014). Wireless networks are considered an efficient way to provide network connectivity without deploying fixed lines at the workplace.
As Fine Auto Parts Ltd has branches at different, geographically separated locations, a wireless network helps increase employee productivity by providing network access without tying employees to their desks for connectivity. In this context, the security of these networks is also important for the communication between the different branches at the different sites. Flaws in the security measures of the wireless network help intruders, such as the sacked IT administrator of the company and others, to get into the organization's network, exploit it and make it unserviceable.
This report analyses the present situation and installation to identify the different risks and to select countermeasures that mitigate those risks. It also discusses the selection of appropriate software and hardware to deploy the secured wireless network, and the development of user policies to make the network more resilient.
Fine Auto Parts Ltd is a supplier of automotive parts to dealers, mechanics and the mining industry. The company has an inventory at Osborne Park and stores at Hillarys, Alexander Heights, Kewdale and Melville. The turnover of the company is $50 million, with 150 employees. The following table shows the position of the stores with respect to the warehouse.
| Shop | Distance from Warehouse |
|---|---|
| Hillarys | 17 km |
| Alexander Heights | 14 km |
| Kewdale | 20 km |
| Melville | 25 km |
The IT administrator of the company was sacked due to her unethical behavior at the organization (accessing illicit material) after the third warning. After she was forcibly ejected from the office premises, the network of the organization became unserviceable. It is suspected that the sacked IT administrator is responsible for the failure of the network and its downtime. This failure resulted in an untraceable error in the inventory system. Due to this untraceable error, 60% of the delivered orders are wrong, leading to loss of reputation and huge restocking expenditure.
At present, the installed network configuration is as follows:
The stores are using 16 dBi omni-directional antennas on 16 meter towers. These antennas have 2 Watt injectors that connect to 200mW APs (Linksys WRT54G).
The APs in the store are a mix of Netgear WG602s and Cisco 1200 series APs.
Managerial APs are of Cisco 1200 series at 100mW.
Inventory AP is Netgear WG602 at 100mW with 6dBi antenna
Wireless cards are a mix of 802.11b and g cards from Netgear, Proxim and DLink
The wireless tills are Casio QT-6000s
SSID is Fine Auto Parts Ltd.
WEP Encryption for data security.
Only Antivirus protection.
No VPN, Firewall or other countermeasure to protect the network.
Running on 172.16.0.0/16 network
Fine Auto Parts Ltd uses Linksys WRT54G access points (200mW). Even though the Linksys WRT54G is hugely popular for its easy maintenance and efficiency, the access points can be easily exploited through configuration flaws and inconsistencies in the firmware. Some of these are discussed below.
Modification of the firmware: Unauthenticated intruders can modify the WRT54G firmware because of a design flaw in the “upgrade.cgi” handler of the access point. The authentication of the user is not verified until after the user's POST request has been processed. In this interval, an intruder can therefore install modified firmware on the access point using upgrade.cgi, or modify different permissions using “restore.cgi”. This needs proper administrator attention, as modified firmware may contain predefined settings set by the attacker.
Threat of DoS attack: The firmware of the access point also allows remote attackers to cause a denial of service (server hang and CPU exhaustion) using an HTTP POST request that has a negative Content-Length.
Lack of security for keys: The Linksys WRT54G access points store keys and passwords in clear text in the Config.bin file. This makes sensitive information about the network easily available to remote authenticated users via an HTTP request.
Lack of FTP session verification: The FTP server on the Linksys WRT54G access points does not verify user credentials, which may allow attackers to establish an FTP session by sending an arbitrary username and password and acquire sensitive business information.
Netgear WG602 APs
The Netgear WG602 wireless access point contains a hardcoded account with the username “superman” and password “21241036”, which allows remote attackers/intruders to modify the configuration of the access point. As the account is hardcoded, this username cannot be removed from the access point settings.
Cisco 1200 APs
Cisco 1200 access point (AP) devices propagate the contents of certain multicast data packets in clear text, which makes it easy for attackers sniffing the organization's wireless network to discover the controller MAC addresses and IP addresses of the targeted wireless LAN, as well as access point configuration details.
Threat of DoS attack: The Cisco 1200 access points allow intruders/attackers to cause a denial of service (radio-interface input-queue hang) via IAPP 0x3281 data packets. In addition, multiple TCP implementations with PAWS (Protection Against Wrapped Sequence Numbers) and the timestamps option enabled allow attackers to cause a DoS (connection loss) via a spoofed data packet with a large timer value. This large timer value causes the receiver to discard later data packets, as they appear to be too old compared to the previous one.
The WEP encryption technique relies upon a secret key distributed to all the communicating stations (access points and mobile stations/devices) in order to protect the payload of a transmitted data frame in every direction. Moreover, the RC4 PRNG algorithm used by WEP includes an integrity check vector (ICV) so that the integrity of the data packets can be checked (Ahmad, Maynard & Park, 2014). It uses only two keys to encrypt each bit of information sent over the network. The first is the user password, which is set up on the router and typed by the employees/users of Fine Auto Parts Ltd who would like to connect to the network. The second, used to encrypt the information, is a randomly generated key known as the Integrity Vector (IV).
As the WEP encryption technique uses short IV keys, there are only around 16 million possible combinations, which is not enough to go around. Because of the huge volume of information transferred, it is inevitable that a combination will eventually repeat. Once a repeat happens, it is easy to work out the content of the message or data packet being transferred, and hence it becomes easier to get into the network of Fine Auto Parts Ltd.
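The repeat described above can be quantified. The following Python sketch is an added example, not part of the original report: it computes how quickly the roughly 16 million IV values repeat, and shows that two frames encrypted under the same IV and key expose the XOR of their plaintexts. The key, IV, frame contents and frame rate are constructed, and the CRC-32 ICV that WEP appends is omitted.

```python
"""WEP IV reuse: how soon IVs repeat, and what a repeat exposes (added example)."""
import math

IV_SPACE = 2 ** 24  # 24-bit IV: 16,777,216 values ("around 16 million")


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Chance that at least two of `frames` randomly chosen IVs are equal."""
    if frames > space:
        return 1.0  # pigeonhole: a repeat is certain
    # log of the probability that all IVs are distinct (birthday bound)
    log_unique = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_unique)


def hours_until_counter_wraps(frames_per_second: float,
                              space: int = IV_SPACE) -> float:
    """Time for a sequential (counter) IV to use up the whole IV space."""
    return space / frames_per_second / 3600


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key; the IV is sent in clear.

    The same function decrypts, because XOR with the keystream is symmetric.
    """
    return xor(payload, rc4_keystream(iv + shared_key, len(payload)))


def reuse_leak(cipher_a: bytes, cipher_b: bytes) -> bytes:
    """XOR of two ciphertexts under the same IV and key: keystream cancels."""
    return xor(cipher_a, cipher_b)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit shared key
    iv = b"\x00\x00\x2a"                   # constructed IV, used twice
    p1 = b"ORDER 0001 QTY 12 BRAKE PADS"   # constructed frame payloads
    p2 = b"ORDER 0002 QTY 03 OIL FILTER"
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)

    print("P(repeat) after 4,823 random IVs:",
          round(collision_probability(4823), 3))
    print("Hours to exhaust a counter IV at 1,000 frames/s:",
          round(hours_until_counter_wraps(1000), 2))
    print("c1 XOR c2 equals p1 XOR p2:", reuse_leak(c1, c2) == xor(p1, p2))
```

With randomly chosen IVs the chance of a repeat passes 50% after fewer than 5,000 frames, which is why the report's recommendation to move off WEP to WPA2 does not depend on how strong the shared key is.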
Fine Auto Parts does not use any kind of firewall, intrusion detection system, intrusion prevention system or VPN within its organizational network. This is a cause of concern for the security of its network and may attract attackers (like the sacked IT administrator), leading to unauthenticated logins to the network, modification of the network settings and sniffing of the transmitted data packets.
Moreover, the company uses only an anti-virus as the means of protection for its computer network. Anti-virus programs do not integrate a strict and professional rule set for data packets or network access, a VPN client, or a bundled network security suite (Daya, 2013). Therefore it is not the best protection against network-oriented attacks for the organization's network.
In addition, the company has no data backup mechanism for its business information in case of an emergency or data loss caused by any kind of network or hacker attack. The effect of such an incident can be seen in the cleansing of the account passwords after the expulsion of the sacked IT administrator.
The QT-6000 tills used at the inventory and the stores use the WEP encryption technique to transmit and receive data to and from the PDA devices used by the employees during purchases and transactions. As WEP encryption is easy for hackers to crack because of its vulnerabilities, this becomes a source of concern for the organization (Ahmad, Maynard & Park, 2014).
The omni-directional antenna provides a maximum signal range of 1 km, which is too little for the current network scheme. In addition, omni-directional antennas can only transmit signals over a wide area, rather than directing the signals in a specified direction and area.
As the IT administrator was responsible for maintaining and running the whole network of the company, she is aware of the existing network schemes and access controls and can easily carry out different kinds of network attacks, such as MITM (Man in the Middle) or DoS attacks, that can severely affect the functionality of the business processes. It is also possible that the sacked IT administrator installed some kind of rogue software or spyware on different network devices that helps her to get access to the network and affect its data traffic.
Eavesdropping refers to the unauthorized monitoring of data communication between different parties (in this case between the warehouse and the different stores). It can be carried out on ordinary instant messaging, emails, online ordering services or other Internet services used by the organization. As eavesdropping does not affect the normal operation of network traffic and transmission, it is hard for the sender and the recipient to notice that the data has been monitored, stolen or defaced by someone outside the network.
Data interception attacks include Man in the Middle (MITM) attacks, accessing, intercepting or modifying HTTP cookies used by the equipment, sniffing the network traffic, and data leakage from the network.
As the network devices of Fine Auto Parts Ltd lack authentication credentials, there are no countermeasures other than antivirus, default usernames and passwords are in use, and the weak WEP protocol is the encryption standard for its data packets, it is easy for attackers to use these security flaws to get into the network (Daya, 2013). This kind of risk has a medium risk rating and a medium impact on the performance of the network.
Port redirection is another kind of network-based attack, in which the attacker sits between the sender and receiver in the network and alters the data traffic without being easily detected by either of them. In this scenario (the Fine Auto Parts organization) no countermeasures are in place except the antivirus program: there is no strong encryption technique for the data packets in the network, and the users (the sender and receiver) lack the awareness to determine whether the data has been modified along its transmission path. This kind of attack has a high risk rating as well as a higher impact on the network performance.
The Denial of Service (DoS) attack is a good example of data interruption in any organizational network. In this type of attack, the attackers use “zombie clients/systems” to prevent legitimate users (employees at the four branches and the warehouse) from accessing or using the services or assets inside the network (Ahmad, Maynard & Park, 2014). There are several ways to carry out a denial of service attack, such as flooding the targeted network with spoofed or fake data packets to cause immense congestion, or disrupting the communication between network devices or between users and a service. The incident in which the Fine Auto Parts store at Hillarys became unserviceable can be considered an example of a denial of service conducted upon a wireless network of the organization.
As identified and discussed above, there are several backdoors and vulnerabilities that can be easily exploited by attackers to get into the organizational network of Fine Auto Parts (Daya, 2013). Therefore, it is important for the organization to monitor its systems and network for potential unauthorized access and other network attacks. In order to secure the sensitive business information, the organization should perform routine checks so that it can create a reliable and safe network.
A secure organizational network requires an understanding of the different vulnerabilities and threats, multiple aligned layers of defense to mitigate those security risks, and periodic monitoring of network events to ensure the integrity of the data traffic inside the network consisting of the warehouse and the stores at the different locations. In this kind of scenario, networking devices and software need to be upgraded or replaced to mitigate the flaws that exist due to the back doors within the network. The following suggestions can be implemented to protect the network of Fine Auto Parts Ltd.
For both the access points it is found that, due to loopholes in the firmware used in these network devices, attackers can execute different administrative commands in the organization's network (Ahmad, Maynard & Park, 2014). It is therefore important for the organization to apply the patch provided by the company for the specific devices in order to resolve these firmware issues. These access points therefore do not require replacement, only a firmware upgrade.
The Cisco 1200 series access points have several vulnerabilities that may lead to denial of service attacks on the network of Fine Auto Parts Ltd through the backdoor entrances. Most importantly, the installed access points use the WEP encryption technique for data protection rather than WPA2. Therefore, in order to mitigate the risks due to the vulnerabilities of the access points, it is important to replace them with more secure devices such as Cisco Aironet 600 Series OfficeExtend Access Points.
The selected Cisco Aironet 600 access points support 802.11a, b, g and n wireless solutions. Additionally, the access point provides the WPA2 enterprise authentication and encryption standards and rogue access point detection, which will help the organization to detect any kind of unauthorized access by an attacker to the organization's network.
The selected Cisco 600 series access point will be deployed in every store at Hillarys, Alexander Heights, Kewdale and Melville, and at the warehouse at Osborne Park. The warehouse will have two access points and each store one access point, which sums up to 6 access points in total.
The cost of a Cisco 600 series access point is about $450 per access point, and implementing 6 would bring the total cost of purchase to around $2,750 for the organization.
As intrusion detection, prevention and protection systems are not used in the Fine Auto Parts network, the network is vulnerable to hackers and unwanted users. The lack of VPNs, firewalls and intrusion detection and prevention systems has helped the ex-IT administrator to get into the network of the company and to stop all the services from the warehouse to the stores.
After the analysis of the scenario, it is decided to implement preventive controls by purchasing hardware equipment for intrusion prevention and detection and firewalls. As the addition and replacement of hardware should be streamlined to reflect a single vendor for all the hardware equipment, Cisco is chosen. The Cisco SA540 UTM and the SA520 system were chosen for implementation in the network so that intrusions can be detected and prevented as soon as possible. Some of the Cisco SA500 UTM features are,
The company has to acquire a total of 5 Cisco SA500 UTM series appliances. One SA540 UTM will be implemented at the warehouse (Osborne Park) and 4 SA 520W UTMs at the 4 stores, one at each site. The cost will be 5*$650= $3150.
It is observed that Fine Auto Parts Ltd is not using any kind of backup server, which implies that there is no way for the company to recover business data after any kind of attack or accident, which will affect data accuracy and continuity. For any business organization it is important to protect its business data in order to grow and improve its business performance in the market as well as drive the business forward (Ahmad, Maynard & Park, 2014). The use of data backup mechanisms reduces the chances of data loss, limits the need for additional storage and increases the possibility of quick recovery of the data.
After analysis of the scenario, it is recommended to use an off-site or cloud data backup for the organizational data.
Cost: It is decided that currently the best data backup storage solution to suit the requirements of Fine Auto Parts would be at least 120GB. This storage must be expandable whenever required by the organization. The off-site storage company called “Intellect” is chosen as the most viable option for the organization to store and secure the business data.
In our investigation of the network of Fine Auto Parts we have observed that the company has not implemented authentication credentials for its staff and workers to track their activity. Authentication credentials for staff members and employees will control who has access to which web and network resources. This mitigates vulnerabilities compared with the present network security design, which enables any employee to access confidential or critical information.
In order to track the activities of the users and the valid use of the network resources, it is decided to use an authentication server, also called the RADIUS server. The present Cisco 541N access point supports RADIUS authentication and is an excellent access point for that reason. We decided that, in order to accomplish this task, an authentication server should be deployed (Daya, 2013). The most cost-effective option is to use the FreeRADIUS server, which is “a daemon for Unix and other Unix-like operating systems which enables the network administrator to set up a RADIUS protocol server, which can be utilized for authentication and accounting of different sorts of network access” by the staff of Fine Auto Parts Ltd.
“FreeRadius” will be helpful in reducing the vulnerabilities by prompting users to identify themselves using authentication credentials and by controlling access to illicit or improper materials.
Illegal sites often contain malicious programs such as Trojans, viruses or other malware, which may infect the whole network infrastructure of Fine Auto Parts Ltd. This concern becomes more obvious from the outage at one of the Fine Auto Parts stores: there could be rogue software installed by the ex-manager to obtain sensitive information or access. This is a risk if it is not mitigated quickly.
Since the antivirus database in Kryptonite’s systems was behind on its updates and the security infrastructure practically did not exist, it would be a wise idea to back up vital data, format the computer systems and reinstall the whole operating system, programs and security applications, to guarantee the prompt removal of rogue software/malware.
Passwords are a vital part of digital security (the security of the network resources and business data). A poorly chosen password may result in unauthorized access to, as well as misuse of, the resources of Fine Auto Parts Ltd. All users, including the employees at the four stores and suppliers with access to Fine Auto Parts resources through the network infrastructure, are responsible for taking the appropriate steps, as outlined below, to choose and secure their passwords.
This password policy covers all the employees and personnel who have access to the network or are in charge of maintaining a system (or responsible for any type of functionality that asks for a password) at any of the Fine Auto Parts stores or the warehouse, or a system that is connected to the servers holding the Fine Auto Parts business data.
The passwords must follow these guidelines: i) at least one lower case character, ii) at least one upper case character, iii) one numeric value, iv) “special” characters (such as @#$%^&*()_+'<>/ and others), v) most importantly, the password must consist of 10 characters with alphanumeric values.
In addition, the following guidelines will help the company to mitigate the security issues that may arise from weak passwords of the officials and the employees at the stores and the warehouse.
System-level passwords (such as the IT administrator, Windows administrator, different cloud-based application accounts, workstations and others) must be changed every two months to keep the network secure (Ahmad, Maynard & Park, 2014). The passwords of the systems used in the production units must be created and used in line with all the above-mentioned guidelines. Passwords used for official email, web-based applications and workstations must be changed at regular intervals. Moreover, the employees of the organization are advised not to disclose their passwords in written form or in any kind of email. In addition, they should not use any kind of easily guessable password hint such as “my surname”.
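The composition rules and the two-month rotation rule above can be enforced mechanically. The following Python checker is an added example, not part of the original report; it assumes that "10 characters" is a minimum length, that "two months" means 60 days, and that any ASCII punctuation counts as a "special" character. The account records are constructed.

```python
"""Checker for the password rules in this policy (added example)."""
from __future__ import annotations

import string
from datetime import date, timedelta

MIN_LENGTH = 10                        # assumption: "10 characters" is a minimum
SYSTEM_MAX_AGE = timedelta(days=60)    # assumption: "two months" taken as 60 days
SPECIALS = set(string.punctuation)     # superset of the characters the policy lists


def composition_violations(password: str) -> list[str]:
    """Return the composition rules that `password` breaks (empty list = OK).

    Intended to run when a password is set, before it is hashed and stored.
    """
    rules = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.islower() for c in password), "no lower case character"),
        (any(c.isupper() for c in password), "no upper case character"),
        (any(c.isdigit() for c in password), "no numeric character"),
        (any(c in SPECIALS for c in password), "no special character"),
    ]
    return [message for ok, message in rules if not ok]


def rotation_overdue(last_changed: date, today: date, system_level: bool) -> bool:
    """The policy fixes an interval only for system-level passwords."""
    return system_level and (today - last_changed) > SYSTEM_MAX_AGE


def audit_accounts(accounts: list[dict], today: date) -> dict[str, int]:
    """Map each system-level account past its rotation date to days overdue."""
    overdue = {}
    for account in accounts:
        changed = account["last_changed"]
        if rotation_overdue(changed, today, account["system_level"]):
            overdue[account["name"]] = (today - changed - SYSTEM_MAX_AGE).days
    return overdue


# Constructed account metadata (names and dates are illustrative only).
SAMPLE_ACCOUNTS = [
    {"name": "it-admin", "system_level": True, "last_changed": date(2024, 1, 5)},
    {"name": "win-admin", "system_level": True, "last_changed": date(2024, 3, 20)},
    {"name": "till-hillarys", "system_level": False, "last_changed": date(2023, 6, 1)},
]

if __name__ == "__main__":
    for candidate in ("password", "ALLUPPER123!", "Fine#Parts2024"):
        problems = composition_violations(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    print("Rotation overdue:", audit_accounts(SAMPLE_ACCOUNTS, date(2024, 4, 1)))
```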
The fair usage policy is applicable to all users and employees (working for the organization as permanent or contractual representatives, hired office workers, business partners and suppliers) who connect to the network through, or by registering from, the network peripherals. The organization’s Internet users are expected to be familiar with and to comply with this policy, and are also required to use sound judgment and exercise common sense while using Internet services.
The main objective of this policy is to set guidelines for the users of the network resources of Fine Auto Parts Ltd that will help in limiting and monitoring the use of the Internet by employees using any device within the Fine Auto Parts network (Daya, 2013). These standards are designed to ensure that the employees at the stores and at the warehouse use the Internet in a safe and professional manner, and not for their personal interest. In addition, these guidelines will help the company to avoid interruptions in its services due to the malpractice of any employee while using the Internet through the network infrastructure of Fine Auto Parts Ltd.
This policy will be used to determine the conditions that remote wireless devices must fulfill to interact with the Fine Auto Parts network. Only those remote wireless devices/gadgets that meet the guidelines specified in this policy, or are granted an exception by the IT Administration, are approved for connecting to the network of Fine Auto Parts Ltd.
Every employee at the four stores and at the warehouse, and every supplier who has access to the network of Fine Auto Parts Ltd, should abide by this policy to communicate through this network (Ahmad, Maynard & Park, 2014). This policy also extends to devices that provide wireless connectivity including, but not limited to, desktops, laptops and personal digital assistants (PDAs). This wireless communication policy covers any type of wireless device that is capable of transmitting packet data using the company's network.
The allowed devices should use a Fine Auto Parts approved authentication protocol to connect to the network and infrastructure.
Use Kryptonite Tuning Parts approved encryption standards.
Maintain a unique address for the device in use (MAC address) that can be registered and tracked whenever required.
Not interfere with wireless access deployments maintained by other business organizations supporting Fine Auto Parts Ltd.
Any employee or representative found to be violating this policy may be subject to disciplinary action, up to and including termination. A violation of this policy by any specialist or supplier may result in the termination of their agreement with the organization (Daya, 2013). Finally, it is suggested that the policy should be revised according to the security requirements of the organization so that top-level security can be provided to the network of Fine Auto Parts Ltd.
These policies are intended to set standards that will ensure the secure configuration of the servers and protect the business data stored on those servers from intrusion into, or security breaches of, the network of Fine Auto Parts Ltd.
The policy applies to all the servers used by Fine Auto Parts, whether at the warehouse or at the stores at the different locations.
In order to secure the servers from unauthorized access, all the servers should be configured without using default routes or routes outside of the Fine Auto Parts network.
All the servers should be powered from a reliable and uninterrupted source of power and, as a backup plan, another power source must always be ready to provide backup for at least minutes (Ahmad, Maynard & Park, 2014).
System-level or privileged access must be performed over secured channels, such as encrypted network connections between the two peers of the connection.
For the data stored on the servers, it is suggested to back it up twice a week. In addition, monthly full backups must be retained by the company for at least 1 year in order to ensure the availability of the business data after a security breach happens (Daya, 2013).
Conclusion
As information technology has developed over time, security breaches using different loopholes have also increased. Thus, in order to implement a proper security plan for an organization like Fine Auto Parts Ltd, it is important for the organization to encourage all its employees to contribute significantly to its implementation. It is critical for the top-level management of Fine Auto Parts Ltd to ensure the data security that its business depends on. This will help the company to have a better ROI on the investment made to acquire the resources and implement them in order to secure the network consisting of the four stores and a warehouse. In addition, it is important for the organization to track and monitor its employees' activities while they are using the network and resources of the organization.
In the different sections of this report we have discussed different guidelines and policies that must be implemented and maintained in order to provide a secured environment for the wireless communication between the warehouse and the stores at four different geographical locations. Acquiring and installing up-to-date equipment will also help in preventing unauthorized access to the organization's network and the theft of data or interruption of its services.
References
Ahmad, A., Maynard, S. B., & Park, S. (2014). Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), 357-370.
Anandhi, R., & Raj, V. N. (2016). Prevention Of DDoS Attacks On Distributed Cloud Servers By Port Lock Mechanism. ARPN J. Eng. Appl. Sci, 11(5), 3013-3019.
Briglauer, W., Frübing, S., & Vogelsang, I. (2014). The impact of alternative public policies on the deployment of new communications infrastructure–A survey. Review of Network Economics, 13(3), 227-270.
Burchill, W. S., Flynn, P. V., Majjigi, V. R., Wang, X., Song, K. B., Mujtaba, S. A., & Zhao, W. (2014). U.S. Patent No. 8,831,655. Washington, DC: U.S. Patent and Trademark Office.
Daya, B. (2013). Network security: History, importance, and future. University of Florida Department of Electrical and Computer Engineering, 13.
Faisal, M. A., Aung, Z., Williams, J. R., & Sanchez, A. (2015). Data-stream-based intrusion detection system for advanced metering infrastructure in smart grid: A feasibility study. IEEE Systems Journal, 9(1), 31-44.
Gibson, D., & Newstadt, K. (2014). U.S. Patent No. 8,776,168. Washington, DC: U.S. Patent and Trademark Office.
Harris, M., & P. Patten, K. (2014). Mobile device security considerations for small-and medium-sized enterprise business mobility. Information Management & Computer Security, 22(1), 97-114.
Kahate, A. (2013). Cryptography and network security. Tata McGraw-Hill Education.
Knapp, E. D., & Langill, J. T. (2014). Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress.
Li, X., & Xue, Y. (2014). A survey on server-side approaches to securing web applications. ACM Computing Surveys (CSUR), 46(4), 54.
Liao, H. J., Lin, C. H. R., Lin, Y. C., & Tung, K. Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), 16-24.
Low, K. X. (2015). Intrusion detection system.
Nadiammai, G. V., & Hemalatha, M. (2014). Effective approach toward Intrusion Detection System using data mining techniques. Egyptian Informatics Journal, 15(1), 37-50.
Ng, D. W. K., Lo, E. S., & Schober, R. (2014). Robust beamforming for secure communication in systems with wireless information and power transfer. IEEE Transactions on Wireless Communications, 13(8), 4599-4615.
Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53, 65-78.
Shapiro, C., & Varian, H. R. (2013). Information rules: a strategic guide to the network economy. Harvard Business Press.
Sivanathan, A., Sherratt, D., Gharakheili, H. H., Sivaraman, V., & Vishwanath, A. (2016). Low-Cost Flow-Based Security Solutions for Smart-Home IoT Devices. Proc. IEEE ANTS.
Uma, M., & Padmavathi, G. (2013). A Survey on Various Cyber Attacks and their Classification. IJ Network Security, 15(5), 390-396.
White, C. (2015). Data communications and computer networks: A business user’s approach. Cengage Learning.