QUESTION 1. Using the concepts studied in this class, develop a secure LAN or WAN for a hypothetical organization.
Currently there is a tendency to switch from wired networks to wireless ones because of their numerous advantages. Among these advantages are the flexibility and scalability of wireless networks, the mobility of devices, the speed and simplicity of installation, and the lower cost of ownership compared to wired networks. However, convenience and ease of access create additional security threats for wireless networks. It is therefore reasonable to focus on the development of a secure wireless network, because this is a more pressing problem than the development of other types of network.
First of all, it is necessary to choose the type of wireless technology to be used for this network. Among the available wireless technologies there are wireless personal area networks (IEEE 802.15, of which Bluetooth is a part), wireless local area networks (IEEE 802.11, referred to as Wi-Fi) and wireless wide area networks (IEEE 802.16, referred to as WiMax). Bluetooth requires low power and operates over short distances, Wi-Fi requires moderate power and operates at medium range, and WiMax is a powerful technology which can operate over broad geographical regions. For organizational needs, Wi-Fi would be the most appropriate technology.
A WLAN creates Layer 1 security issues associated with the uncontrolled spread of the radio signal. It is recommended to use sector or panel wireless antennae and to avoid omnidirectional ones. Antennae should be located in the center of the organization's premises, and availability of the wireless signal outside the premises should be minimized. Horizontal polarization of access point antennae can be used to reduce interception risks. Wireless access points and routers should support power regulation, so that the signal can be adjusted to reach outside the premises as little as possible. The premises should be surveyed to determine the optimal signal spread, and wireless devices should be tuned accordingly. In addition, the security policy should include a ban on unauthorized devices, to avoid rogue access points and other security breaches.
At Layer 2, the problems of SSID and device identification should be addressed. The SSID of each access point and router should be changed so that it contains no meaningful pattern, and SSID broadcasting should be turned off. If acceptable, MAC address filtering should be turned on for all wireless access points and routers. If the network is used only for particular purposes, protocol filtering is also effective. All devices should support WPA2 encryption, and this mode of encryption should be turned on everywhere. WPA2 should be used in AES-based mode (CCMP) with RADIUS server authentication, and the encryption key should be a string of 64 hexadecimal digits (not a passphrase or other meaningful combination).
Furthermore, higher layer security solutions should be implemented. A wireless intrusion detection system should be deployed and properly tuned for the WLAN; if the organization also operates a wired network segment, a dedicated secure wireless gateway should be placed between the wired network and the WLAN. Multiple access points should be grouped in the same VLAN, which should be clearly separated from the wired segment. It is useful to purchase wireless devices with hardware firewall functions, and to filter network traffic according to organizational needs.
Besides hardware and software security measures, the corporate security policy should also be modified to guarantee compliance with the principles of security policy architecture. Security officers and employees should be trained to inform the IT department if they notice suspicious wireless activity, find new wireless devices or encounter a new wireless network. They should be trained not to share network keys or settings specific to their network devices. Furthermore, since the owners of wireless devices might be exposed to external threats, they should receive specific training in computer security and wireless security, and pass a corresponding certification.
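As an added example (not part of the essay), the following Python script checks access-point settings against the Layer 2 rules above and compares a wireless scan with the approved inventory to spot rogue access points. The organization name, SSID patterns, sample configurations, BSSIDs and the placeholder key are all constructed.

```python
import re

# Constructed policy inputs (assumptions, not from the essay): the organization's
# name and some vendor-default words that a "meaningful" SSID must not contain.
ORG_NAME = "exampleorg"
MEANINGFUL_SSID_PATTERNS = ("linksys", "netgear", "dlink", "default", ORG_NAME)
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")   # 64 hexadecimal digits, nothing else

def check_ap(cfg):
    """Return policy findings for one access point config dict ([] means compliant)."""
    findings = []
    ssid = cfg.get("ssid", "").lower()
    if any(p in ssid for p in MEANINGFUL_SSID_PATTERNS):
        findings.append("ssid contains a meaningful or vendor-default pattern")
    if cfg.get("ssid_broadcast", True):
        findings.append("ssid broadcast is enabled")
    if not cfg.get("mac_filter", False):
        findings.append("mac address filtering is disabled")
    if cfg.get("encryption") != "WPA2":
        findings.append("encryption mode is not WPA2")
    if cfg.get("cipher") != "CCMP":
        findings.append("cipher is not AES-based (CCMP)")
    if cfg.get("auth") != "RADIUS":
        findings.append("authentication is not backed by a RADIUS server")
    if not HEX_KEY_RE.match(cfg.get("key", "")):
        findings.append("key is not a string of 64 hexadecimal digits")
    return findings

def find_rogue_aps(scan, authorized_bssids, org_ssids):
    """Report every scanned BSSID missing from the approved inventory; one that
    advertises an organizational SSID is called out, as it may impersonate an AP."""
    approved = {b.lower() for b in authorized_bssids}
    report = []
    for bssid, ssid in scan:
        if bssid.lower() not in approved:
            kind = "rogue AP using an organizational SSID" if ssid in org_ssids else "rogue AP"
            report.append((bssid.lower(), kind))
    return report

# Constructed sample data: a weak and a hardened configuration plus a scan result.
WEAK_AP = {"ssid": "ExampleOrg-Office", "ssid_broadcast": True, "mac_filter": False,
           "encryption": "WPA", "cipher": "TKIP", "auth": "PSK", "key": "password123"}
HARDENED_AP = {"ssid": "x7q2-m9k4", "ssid_broadcast": False, "mac_filter": True,
               "encryption": "WPA2", "cipher": "CCMP", "auth": "RADIUS",
               "key": "a1" * 32}   # placeholder 64-hex-digit key, constructed
SCAN = [("00:00:5E:00:53:01", "x7q2-m9k4"), ("00:00:5e:00:53:02", "x7q2-m9k4"),
        ("00:00:5e:00:53:99", "Free-WiFi")]
AUTHORIZED = {"00:00:5e:00:53:01"}
```

check_ap(WEAK_AP) returns seven findings and check_ap(HARDENED_AP) returns an empty list; find_rogue_aps(SCAN, AUTHORIZED, {"x7q2-m9k4"}) reports the two unlisted BSSIDs.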
QUESTION 2: (33 POINTS): What security roles do the following play in a LAN/WAN environment: Hub, Router, Gateway, Client Server, Workstation, VLAN, LAN Media, Switch, Spread Spectrum, Modem, Multistation Access Unit, Bridge. Be specific and brief in your discussion. If there is no role played by any of these please state “NONE”.
Hub: NONE (hubs are used only in small networks, hinder performance in larger ones and pose a security threat).
Router: these devices transmit traffic between several different networks or between the segments of one network. Routers offer a variety of features for hardening the protection of the network: static routing, support for complex routing protocols with authentication, and access control lists for monitoring traffic and blocking unwanted traffic. Most routers allow administrators to configure and disable services which are not in use and would present a security threat if left on; examples of such services are proxy ARP, Cisco Discovery Protocol, the web server, the diagnostic server, the finger server, the TFTP server and other extraneous services. Routers also provide different channels for managing the device, which also affect security; these are Telnet, SSH and an SNMP-protected web interface. Cisco routers enhance security through authentication and centralized account management (using either RADIUS or TACACS).
Gateway: a gateway is the point of entry into another network. Devices acting as gateways are configured to act as firewalls or proxy servers, and are tuned according to the security requirements of the company. Routers can also act as gateways and perform the associated network security functions.
Client server: the client/server model describes how network transactions are organized and assigns different roles to client and server computers in the network. Today the client/server model is primarily based on TCP/IP and inherits all the security issues and controls associated with securing TCP/IP connections.
Workstation: this is the role of the typical network client, which does not commonly store network data; the security role of a workstation is focused on compliance with all requirements of the security policy, so workstations usually play a passive role in network security.
VLAN: a logically defined broadcast domain which allows different network segments to be united; VLAN functions include limiting the size of the domain, improving network performance and implementing security protection through secure authentication. Switches use VLAN functionality to avoid ARP poisoning attacks.
LAN Media: the selection of LAN media affects the choice of network topology and therefore changes the network policy and its limitations; for example, the choice between wired and wireless media determines the choice of security policy for hardware and software.
Switch: these devices commonly operate at Layer 2 and implement a number of technologies essential for network security policy, among them MAC address filtering, VLAN functionality, access control lists and port management; thus, switches protect network security and can be used for network authentication.
Spread spectrum: this concept is important for wireless network security; wireless standards such as Wi-Fi and WiMax define several spread-spectrum modes, and neighboring networks should select different ones to avoid overlap. The use of an uncommon spread spectrum can also be viewed as an additional security measure.
Modem: the most commonly used modems today are DSL and wireless modems. These devices commonly support encryption, MAC address filtering and several types of encrypted connection to an external gateway; some of them have embedded firewalls and can thus serve as a supplementary security control.
Multistation Access Unit: these devices are essentially hubs used to connect stations in a Token Ring network, relaying data packets so as to form the ring topology. MAUs can be used for security purposes as they might support routing rules and port management.
Bridge: these devices connect different LANs which use the same protocols; bridges provide several methods for enforcing elements of the network security policy: static address entries and Layer 2 filters based on MAC addresses. The use of bridges can help to confine an attack to a particular segment rather than the whole network.
QUESTION 3: (33 POINTS): List the hardware/software products available on the market that support Network/System security. Identify which layer(s) of the OSI model these products operate at. For example, locks and keys to doors operate at Layer 1, the physical layer, while logins and passwords operate at Layer 7, the application layer.
Layer 1 of the OSI model is related to the physical communication channels between end stations. The network security controls operating at this level are enclosures and locked perimeters, electronic access mechanisms which support detailed authorization and logging, surveillance systems (both video and audio), biometric authentication systems, various methods of electromagnetic shielding, cryptographic protection of data storage and various secured locks using PINs and passwords.
Layer 2 is the data link layer, which relates to logical data transmission between two connected stations. At this layer, there are network security controls such as the built-in authentication and encryption of wireless devices, MAC address filtering and the separation of different network security levels (which begins at Layer 2).
Layer 3 is the network layer, which focuses on the topology of the network and the paths for data transmission. At this level, it is reasonable to apply software for ARP and/or broadcast monitoring, apply controls on routing policies, and use firewalls with filtering and anti-spoofing capabilities. There is also a powerful security approach at this level, namely disconnecting all unused extraneous services.
Layer 4 is the transport layer, which handles the transmission of data, including its segmentation and reassembly. For this layer, common network security mechanisms include mechanisms for identifying transmission sessions, inspection of data transmission by firewalls, and rules assigned to specific protocols and protocol features, e.g. port management, ICMP type limitations, etc.
Layer 5 is the session layer; it deals with organizing data communications into logical flows. At this level, network security measures include the storage and exchange of encrypted passwords, account expiration management, account authorization mechanisms, verification of account credentials and session limitations based on expiration time. At this layer, the information used for identification should also be protected using cryptographic methods.
Layer 6 is the presentation layer: it receives data from the application layer and organizes it. At this layer, various cryptographic solutions are applied for data encryption, methods of separating user input from software control functions are implemented for security purposes, and software for controlling the input passed to library functions or applications can be applied. Finally, Layer 7 is the application layer, where high-level software operates; at this level, credentials (e.g. user names and passwords) are entered and checked, the higher levels of firewall systems operate, and intrusion detection systems also function at this level.
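As an added example of what the ARP monitoring software named under Layer 3 (and the ARP poisoning defence mentioned for VLANs in Question 2) actually checks, the following Python code is not from the essay: it parses a constructed log of ARP replies and raises alerts on the usual indicators of ARP poisoning. The log format, the addresses and the trusted gateway binding are assumptions.

```python
from collections import defaultdict

# Constructed sample of ARP replies, in the format a simple LAN monitor might
# log them ("<seq> reply <ip> is-at <mac>"). Not captured from a real network.
ARP_LOG = """\
1 reply 192.0.2.1 is-at 00:00:5e:00:53:01
2 reply 192.0.2.10 is-at 00:00:5e:00:53:10
3 reply 192.0.2.11 is-at 00:00:5e:00:53:11
4 reply 192.0.2.1 is-at 00:00:5e:00:53:ff
5 reply 192.0.2.10 is-at 00:00:5e:00:53:ff
6 reply 192.0.2.11 is-at 00:00:5e:00:53:11
"""

# Static bindings the administrator trusts (assumption: the gateway's MAC is known).
TRUSTED = {"192.0.2.1": "00:00:5e:00:53:01"}

def parse_arp_log(text):
    """Yield (seq, ip, mac) tuples from the constructed log format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "reply" and parts[3] == "is-at":
            yield int(parts[0]), parts[2], parts[4].lower()

def monitor_arp(text, trusted=TRUSTED):
    """Return alerts as (seq, kind, ip, mac) for three poisoning indicators:
    a reply contradicting a trusted static binding, an IP whose advertised MAC
    changes, and a single MAC claiming more than one IP address."""
    first_seen = {}               # ip -> MAC first advertised for it
    claims = defaultdict(set)     # mac -> IPs it has claimed
    alerts = []
    for seq, ip, mac in parse_arp_log(text):
        if ip in trusted and trusted[ip] != mac:
            alerts.append((seq, "trusted-binding-violation", ip, mac))
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append((seq, "binding-change", ip, mac))
        first_seen.setdefault(ip, mac)
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append((seq, "multi-ip-claim", ip, mac))
    return alerts
```

Running monitor_arp(ARP_LOG) on the sample yields three alerts, all pointing at the MAC ending in ff that claims both the gateway address and a host address.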