Key Topics
- QUESTIONS:
- Network Addressing and Security
- A. Subneting
- B. Firewall Implementation
- C. Intrusion Detection System/Intrusion Protection System
- D. DMZ Implementation
- E. Physical Security Measure
- F. Additional Network Security Measures
- G. Personal Use of Device and Security Problem Resolution
- References
QUESTIONS:
A. Watch How to Subnet a Network Video provided in Content -> Project Instructions
Review the Network Address Template provided in Content -> Project Instructions -> Project Templates for Parts 2
Complete the subnet chart provided at the end of the document.
B. Select each of the firewall types to implement, describe network or host-based placement, and configuration details; and justify each of the decisions.
Students should be specific when discussing the models, types, and costs.
C. Select an IDS, IPS, or both for the network and justify your decision.
Students should be specific when discussing the models, types, and costs.
D. Define a DMZ implementation and justify the decision.
E. Select physical security measures for each of the new academic buildings and justify the decision.
Students should be specific when discussing the models, types, and costs.
F. Select additional network security measures to be implemented and justify the decision. They should include:
How you will protect against social engineering attacks, and justify your decision.
How you will protect against faculty or students willingly, or unwillingly introducing malware onto the network, and justify your decision.
What secure protocols you will require for faculty and students to use while accessing resources internal, or external to the network, and justify your decision.
G. Make explicit that Building will not be liable for any problems arising from personal use of devices in the two buildings.
Review the Network Address Template provided in Content -> Project Instructions -> Project Templates for Parts 2
Complete the subnet chart provided at the end of the document.
B. Select each of the firewall types to implement, describe network or host-based placement, and configuration details; and justify each of the decisions.
Students should be specific when discussing the models, types, and costs.
C. Select an IDS, IPS, or both for the network and justify your decision.
Students should be specific when discussing the models, types, and costs.
D. Define a DMZ implementation and justify the decision.
E. Select physical security measures for each of the new academic buildings and justify the decision.
Students should be specific when discussing the models, types, and costs.
F. Select additional network security measures to be implemented and justify the decision. They should include:
How you will protect against social engineering attacks, and justify your decision.
How you will protect against faculty or students willingly, or unwillingly introducing malware onto the network, and justify your decision.
What secure protocols you will require for faculty and students to use while accessing resources internal, or external to the network, and justify your decision.
G. Make explicit that Building will not be liable for any problems arising from personal use of devices in the two buildings.
Network Addressing and Security
A. Subneting
Business Requirements:
UMUC requires 8 subnets under its building. This is due to fact that there are 5 classrooms at floor first and floor second, one student computer lab, one office and one library. Each of the class room, office and student computer lab requires 25 IP addresses for systems, library requires 15 IP addresses for systems. Further, a wifi network having different class c address is required for UMUC.
Subnet Requirements:
The class C IP address 192.168.1.0 is allocated for UMUC which is required to create 8 subnets to distribute the masked IP addresses for the required systems in each of the subnet. The details of the IP addresses required for each of the subnet of building LAN of UMUC is as follows.
UMUC requires 8 subnets under its building. This is due to fact that there are 5 classrooms at floor first and floor second, one student computer lab, one office and one library. Each of the class room, office and student computer lab requires 25 IP addresses for systems, library requires 15 IP addresses for systems. Further, a wifi network having different class c address is required for UMUC.
Subnet Requirements:
The class C IP address 192.168.1.0 is allocated for UMUC which is required to create 8 subnets to distribute the masked IP addresses for the required systems in each of the subnet. The details of the IP addresses required for each of the subnet of building LAN of UMUC is as follows.
Proposed Subnet:
Justification
Above proposed subnet requirements with mentioned IP address ranges, subnet address/network address and broadcast address of subnets will achieve the requirements of UMUC building LAN for classrooms, Lab, office and library at first and second floor. The given IP address 192.168.1.0 is taken to create 8 different subnets and each of the subnet is assigned with network address and broadcast addresses. The 25 IP addresses from given range of IP addresses of each of the subnet are assigned to the systems. With above given 8 subnets the subnet mask is required to be used as 255.255.255.224. This subnet masks provides 30 usable IP addresses for the allocation to the systems (Desktops and server) and one IP reserved for broadcast and one (First) is for subnet or network address respectively [1].
Above proposed subnet requirements with mentioned IP address ranges, subnet address/network address and broadcast address of subnets will achieve the requirements of UMUC building LAN for classrooms, Lab, office and library at first and second floor. The given IP address 192.168.1.0 is taken to create 8 different subnets and each of the subnet is assigned with network address and broadcast addresses. The 25 IP addresses from given range of IP addresses of each of the subnet are assigned to the systems. With above given 8 subnets the subnet mask is required to be used as 255.255.255.224. This subnet masks provides 30 usable IP addresses for the allocation to the systems (Desktops and server) and one IP reserved for broadcast and one (First) is for subnet or network address respectively [1].
B. Firewall Implementation
Technical Requirements
LAN resources of UMUC is required to be protected from unauthorized access, so that firewall must be configured with respect to need of the security scope of UMUC. The security threats are associated with internal users such as staffs, students and also from the external entities like hackers [2]. Hence, firewall is needed to be implemented to filter out all inward and outward network traffic of UMUC LAN of its building.
Proposed Network Security Hardware (Firewalls)
A firewall is also categorized with different categories with respect to its functional scopes. Following categories of firewalls are required to be implemented with the UMUC network to protect the network resources from the internal users and external intruders.
-Packet Filter Firewall : A packet filter firewall filters all the internal and external traffic to go outside from the UMUC network and comes into the UMUC network. The implementation of packet filter firewall is required to be taken between the point of connectivity of internal LAN and external network such as WAN or Internet.
-Application Gateway: An application gateway is known as proxy firewall. This is required to be implemented into each of the servers of the LAN of UMUC.
-Stateful Firewall: A stateful firewall is required to be implemented over the point of the UMUC LAN and external network such as WAN. This firewall provides handshaking for the TCP connection between the External server and host of the UMUC LAN.
Above mentioned 3 different categories of firewalls are very popular in the field of network security. A packet filter firewall is one of the best firewall suited for the security requirements of network of UMUC, so that it is selected to implement with the network of UMUC. The cost of this packet filter firewall is currently $ 300 to $350 from the manufacturer Cisco Inc.
LAN resources of UMUC is required to be protected from unauthorized access, so that firewall must be configured with respect to need of the security scope of UMUC. The security threats are associated with internal users such as staffs, students and also from the external entities like hackers [2]. Hence, firewall is needed to be implemented to filter out all inward and outward network traffic of UMUC LAN of its building.
Proposed Network Security Hardware (Firewalls)
A firewall is also categorized with different categories with respect to its functional scopes. Following categories of firewalls are required to be implemented with the UMUC network to protect the network resources from the internal users and external intruders.
-Packet Filter Firewall : A packet filter firewall filters all the internal and external traffic to go outside from the UMUC network and comes into the UMUC network. The implementation of packet filter firewall is required to be taken between the point of connectivity of internal LAN and external network such as WAN or Internet.
-Application Gateway: An application gateway is known as proxy firewall. This is required to be implemented into each of the servers of the LAN of UMUC.
-Stateful Firewall: A stateful firewall is required to be implemented over the point of the UMUC LAN and external network such as WAN. This firewall provides handshaking for the TCP connection between the External server and host of the UMUC LAN.
Above mentioned 3 different categories of firewalls are very popular in the field of network security. A packet filter firewall is one of the best firewall suited for the security requirements of network of UMUC, so that it is selected to implement with the network of UMUC. The cost of this packet filter firewall is currently $ 300 to $350 from the manufacturer Cisco Inc.
Justification
Cisco Inc. is a very popular manufacturer of various categories of networking and security devices. It filters the packets as per the defined rules so that the UMUC can implement the filtering rules as per the requirements of security. Further, the cost of Cisco packet filter firewall is also justifiable with respect to the functional security requirements of UMUC.
C. Intrusion Detection System/Intrusion Protection System
Technical Requirements:
The monitoring of network of UMUC to detect the intruder and then protect the network from malicious activities of intruder is one of the core security requirements [3]. Thus, an intrusion detection system/ intrusion protect the network.
Proposed Network Security Hardware
UMUC network IDS/IPS is selected as HIDS (Host Based Intrusion Detection System). This HIDS protects the network of UMUC from the intruders to enter into the network and launch the malicious activities such DOS (Denial of Service Attack) etc.
Justification
IDS/IPS is a network security tool available for both local and enterprise use. This is a network defense tool that protects the network from malicious activities occurs in the legitimate network where it is implemented. HIDS is open source intrusion detection system and intrusion protection system. This protects the network from following categories of network attacks.
-Denial of Service Attack (DOS Attack)
-Distributed Denial of Service Attack (DDOS)
-Internet hackers and cyber criminals attacks.
-Network Malicious activities
This HIDS is open source tool so that it is freely available to download and implement with the network to provide the intrusion detection and prevention.
The monitoring of network of UMUC to detect the intruder and then protect the network from malicious activities of intruder is one of the core security requirements [3]. Thus, an intrusion detection system/ intrusion protect the network.
Proposed Network Security Hardware
UMUC network IDS/IPS is selected as HIDS (Host Based Intrusion Detection System). This HIDS protects the network of UMUC from the intruders to enter into the network and launch the malicious activities such DOS (Denial of Service Attack) etc.
Justification
IDS/IPS is a network security tool available for both local and enterprise use. This is a network defense tool that protects the network from malicious activities occurs in the legitimate network where it is implemented. HIDS is open source intrusion detection system and intrusion protection system. This protects the network from following categories of network attacks.
-Denial of Service Attack (DOS Attack)
-Distributed Denial of Service Attack (DDOS)
-Internet hackers and cyber criminals attacks.
-Network Malicious activities
This HIDS is open source tool so that it is freely available to download and implement with the network to provide the intrusion detection and prevention.
Place Order For A Top Grade Assignment Now
We have some amazing discount offers running for the students
Place Your OrderD. DMZ Implementation
Technical Requirements:
Demilitarized Zone or DMZ is security framework that provides very high level of security to the network and network resources [4]. The network of UMUC and its some resources require the DMZ security to be implemented to provide high level of security to them.
Proposed DMZ
Firewalls such as stateful or packet filtering are used to create the DMZ. Hence, the DMZ is based on the firewall implementation. Cisco Firewalls are selected to create the DMZ to the network and network resources of UMUC. In a DMZ more than one firewall are used to provide different levels of the security to the network and network resources. Cisco firewall is selected to implement to create the DMZ for the servers of the network of UMUC. The cost of Cisco firewall is $240 to $300.
Justification
Host of UMUC network also access the Internet to access the external world servers and web resources. Similarly, different users groups such as student, staffs, teacher etc have their own server to access the resources. To protect the resource of a user group from another one DMZ is required to be implemented. This DMZ provides the high level of security during the access of the resources of server so that unauthorized disclosure of sensitive and private information related to a user group is protected from another user group. Therefore, DMZ must be implemented with each of the server configured under the subnet of user group to protect the network resources from internal user groups and also from the external users.
Demilitarized Zone or DMZ is security framework that provides very high level of security to the network and network resources [4]. The network of UMUC and its some resources require the DMZ security to be implemented to provide high level of security to them.
Proposed DMZ
Firewalls such as stateful or packet filtering are used to create the DMZ. Hence, the DMZ is based on the firewall implementation. Cisco Firewalls are selected to create the DMZ to the network and network resources of UMUC. In a DMZ more than one firewall are used to provide different levels of the security to the network and network resources. Cisco firewall is selected to implement to create the DMZ for the servers of the network of UMUC. The cost of Cisco firewall is $240 to $300.
Justification
Host of UMUC network also access the Internet to access the external world servers and web resources. Similarly, different users groups such as student, staffs, teacher etc have their own server to access the resources. To protect the resource of a user group from another one DMZ is required to be implemented. This DMZ provides the high level of security during the access of the resources of server so that unauthorized disclosure of sensitive and private information related to a user group is protected from another user group. Therefore, DMZ must be implemented with each of the server configured under the subnet of user group to protect the network resources from internal user groups and also from the external users.
E. Physical Security Measure
Technical Requirements:
Physical security measure is also a core requirement of the network and network devices of the UMUC network. The physical security measures provides the security against the fire, flood, theft, intentional damage to the information system hardware and other entities involved in the network of UMUC. SO that physical security majors must be implemented to the UMUC network to protect assets related with network.
Proposed Network Security Hardware
The hardware devices such as locks, CCTV surveillances, fire extinguishers etc are selected to secure the network devices in network perimeter of the UMUC in its building. Locks are ).o,munyt4rev3wcf ,luym,opipiiphysically taken while office is closed. The CCTV monitoring by installing CCTV cameras to all important areas of building must be done. A centralized monitoring through the display devices also be configured to monitor the ongoing surrounding the network perimeter of building inside and outside.
Justification
Physical source of damage is either intentional or non intentional. Non intentional damages such as earthquake, fire, flood etc devastate whole the things in a minute so that there are need to employ the avoiding such areas where these natural disasters occurrence frequencies are high. Further, fire extinguisher, waterproofing system etc protect the network hardware and other assets from some of these natural disasters. Hence, these systems highly recommended to the UMUC.CCTV surveillance hardware implementation and monitoring through this device ensures the avoidance of theft of devices installed for the information system and network of UMUC building.
Physical security measure is also a core requirement of the network and network devices of the UMUC network. The physical security measures provides the security against the fire, flood, theft, intentional damage to the information system hardware and other entities involved in the network of UMUC. SO that physical security majors must be implemented to the UMUC network to protect assets related with network.
Proposed Network Security Hardware
The hardware devices such as locks, CCTV surveillances, fire extinguishers etc are selected to secure the network devices in network perimeter of the UMUC in its building. Locks are ).o,munyt4rev3wcf ,luym,opipiiphysically taken while office is closed. The CCTV monitoring by installing CCTV cameras to all important areas of building must be done. A centralized monitoring through the display devices also be configured to monitor the ongoing surrounding the network perimeter of building inside and outside.
Justification
Physical source of damage is either intentional or non intentional. Non intentional damages such as earthquake, fire, flood etc devastate whole the things in a minute so that there are need to employ the avoiding such areas where these natural disasters occurrence frequencies are high. Further, fire extinguisher, waterproofing system etc protect the network hardware and other assets from some of these natural disasters. Hence, these systems highly recommended to the UMUC.CCTV surveillance hardware implementation and monitoring through this device ensures the avoidance of theft of devices installed for the information system and network of UMUC building.
F. Additional Network Security Measures
Technical Requirements:
Above all security systems are not complete to provide the defense in depth to the network of UMUC. So that, there are need of some of security tools such as network traffic analysis tool, antivirus and antimalware tools and authentication and authorization security measures.
Proposed Network Security System
UMUC network requires to implement the wireshark network traffic monitoring tool to analyze the network activity to detect malicious activity going into the network. Antivirus such as Norton security package is needed to be installed on each host and server of the network. To authenticate each of the user and then authorize to access the network resource of the UMUC network authentication security tool such as Radius and Kerberos servers must e installed with the network.
Justification
Social engineering attacks is launched through the guessed password and by analyzing the frequencies of authentication credentials or anything personally related with the user [5]. Hence, a password policy is selected to implement to provide the strong password for each of the user of UMUC.
Wireshark is very common network traffic analysis software package. This enables the network administrator to detect each event that undergoes with the network. Wireshark provides the network defense against the malicious activities going with the network traffic. Antivirus utility protects the network software resources such as various network device drivers, operating system and application software of host and server machines from virus and bugs. Authentication security measures such as Radius and Kerberos ensures the network resource to be accessed y only genuine users.
Therefore, these all mentioned additional securities measures through the tools and software packages must be deployed with the UMUC building network.
Above all security systems are not complete to provide the defense in depth to the network of UMUC. So that, there are need of some of security tools such as network traffic analysis tool, antivirus and antimalware tools and authentication and authorization security measures.
Proposed Network Security System
UMUC network requires to implement the wireshark network traffic monitoring tool to analyze the network activity to detect malicious activity going into the network. Antivirus such as Norton security package is needed to be installed on each host and server of the network. To authenticate each of the user and then authorize to access the network resource of the UMUC network authentication security tool such as Radius and Kerberos servers must e installed with the network.
Justification
Social engineering attacks is launched through the guessed password and by analyzing the frequencies of authentication credentials or anything personally related with the user [5]. Hence, a password policy is selected to implement to provide the strong password for each of the user of UMUC.
Wireshark is very common network traffic analysis software package. This enables the network administrator to detect each event that undergoes with the network. Wireshark provides the network defense against the malicious activities going with the network traffic. Antivirus utility protects the network software resources such as various network device drivers, operating system and application software of host and server machines from virus and bugs. Authentication security measures such as Radius and Kerberos ensures the network resource to be accessed y only genuine users.
Therefore, these all mentioned additional securities measures through the tools and software packages must be deployed with the UMUC building network.
G. Personal Use of Device and Security Problem Resolution
Technical Requirements:
Personal use of devices such as Laptop, Ipad, Smart Phones etc may creates the problems such as unauthorized access of sensitive and other relevant information of the network. So, that a system should be implemented to prevent and control the accessibility of information from network resources through users personal devices.
Proposed System to Avoid Problems for use of Personal Device
The personal device use reduces the cost of computing hardware to UMUC, so that use of personal device such as Laptop, Ipad etc must be allowed. A system such as BOYD (Bring Your Own Device) is to be implemented in the administration system of IT and network. This BYOD system provides the wireless network of UMUC building to connect own devices through wifi access point.
Justification
Personal device use provides the problem, but BOYD implementation it is assured that the user of personal device can not do malicious and other unwanted activity as its identity is recorded through the network system. Access in BOYD system requires the registration of physical and MAC address of the devices. Therefore, control over the personal devices is easily taken by network administrator and accessibility is managed.
Personal device use is much beneficial for UMUC as the computing hardware maintenance and management burden goes onto the owner of the device. Thus, the cost is heavily reduced and also staffing is reduced.
Personal use of devices such as Laptop, Ipad, Smart Phones etc may creates the problems such as unauthorized access of sensitive and other relevant information of the network. So, that a system should be implemented to prevent and control the accessibility of information from network resources through users personal devices.
Proposed System to Avoid Problems for use of Personal Device
The personal device use reduces the cost of computing hardware to UMUC, so that use of personal device such as Laptop, Ipad etc must be allowed. A system such as BOYD (Bring Your Own Device) is to be implemented in the administration system of IT and network. This BYOD system provides the wireless network of UMUC building to connect own devices through wifi access point.
Justification
Personal device use provides the problem, but BOYD implementation it is assured that the user of personal device can not do malicious and other unwanted activity as its identity is recorded through the network system. Access in BOYD system requires the registration of physical and MAC address of the devices. Therefore, control over the personal devices is easily taken by network administrator and accessibility is managed.
Personal device use is much beneficial for UMUC as the computing hardware maintenance and management burden goes onto the owner of the device. Thus, the cost is heavily reduced and also staffing is reduced.
References
[1] G. Held, The ABCs of IP addressing. Boca Raton, Fla.: Auerbach Publications, 2002.
[2] "Firewall for ‘always on’ connections", Computer Fraud & Security, vol. 2000, no. 12, p. 5, 2000.
[3] J. Chenoweth, "Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management", Journal of Information Privacy and Security, vol. 1, no. 1, pp. 43-44, 2005.
[4] I. Dubrawsky and C. Baumrucker, Designing and building enterprise DMZs. Rockland, MA: Syngress, 2006.
[5] F. Mouton, L. Leenen and H. Venter, "Social engineering attack examples, templates and scenarios", Computers & Security, vol. 59, pp. 186-209, 2016.
[2] "Firewall for ‘always on’ connections", Computer Fraud & Security, vol. 2000, no. 12, p. 5, 2000.
[3] J. Chenoweth, "Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management", Journal of Information Privacy and Security, vol. 1, no. 1, pp. 43-44, 2005.
[4] I. Dubrawsky and C. Baumrucker, Designing and building enterprise DMZs. Rockland, MA: Syngress, 2006.
[5] F. Mouton, L. Leenen and H. Venter, "Social engineering attack examples, templates and scenarios", Computers & Security, vol. 59, pp. 186-209, 2016.