Table of Contents
Project Outline 3
Security Requirements 4
Perimeter Security 5
Client and Server Security 10
Database Security 10
Server Security 12
Wireless and Remote Access Security 15
Security Configuration Management 19
References 23

Project Outline
Tiger Tees is a medium sized business with 4 locations across the eastern United States. This company produces and sells t-shirts for school systems, both locally and across the country via the internet. The organization’s headquarters is located in Beckley, West Virginia, and employs 25 people. The departments include the warehouse, human resources, accounting, sales, and administration. The second location of Tiger Tees is located in Columbus, Georgia, and employs 10 people full time, and 4 persons part time. The third location is located in Washington, DC, and employs 15 people. The fourth location located in Richmond, Virginia is the smallest of all the locations employing 5 persons full time.
Tiger Tees is a fast growing company in dire need of a secure network that will ensure that the confidentiality, integrity, and availability of client information remain confidential. All transactions completed are sent to the organizational headquarters in Beckley, WV and processed there. In the past these orders and transactions have been completed by telephone and e-mail. A secure wide area network would streamline this process making the transactions more secure, and providing faster service to the customers.

Security Requirements The proposed network for this organization will be a virtual private network (VPN) that will connect each of the three remote locations directly to the headquarters in Beckley, WV. This network shall support credit card transactions, as well as the ordering of products that occur on location and via the company website. The Beckley office network will have multiple segments. The server segment will consist of a database server, human resource server, accounts payable/accounts receivable server, and an application server. The web/email server will be segmented from the other portions of the network using a DMZ. The servers will be secured in a locked server room to prevent physical access by unauthorized personnel. The internet facing portion of this network will be the greatest security concern due to outsider attacks. This segment will be protected by a router, a firewall, and an intrusion detection system. There will be a wireless access point on this network, and this is also a point of concern. Security will come from the settings on the wireless router. The server set identifier or SSID is an alphanumeric character that is used to identify wireless workstations attempting to connect to the network. The information sent across this wireless network will also be secured using Wired Equivalent Privacy or WEP (Microsoft, 2012). The office located in Columbus, Georgia, Washington, DC, and Richmond, VA, all have small networks that are connected to the virtual private network. All data that is stored from these locations is stored on the servers located in Beckley, WV. These networks are connected to the VPN using a router. An enterprise firewall working with a router secures the networks. Each of these networks also has an intrusion detection system in place (SANS, 2012).

Perimeter Security
Network perimeter security requires both function and policy to secure the perimeter of the network. The perimeter of the network is the segment that is internet facing, and has data flowing in and out of the network. This perimeter must be protected against outsider threats and attacks. There are hardware applications that will be in place to ensure that the maximum amount of security is in place while still allowing for network usability.
The most commonly used security measure of this network is the firewall. This application firewall will work be checking IP packets that flow in and out of the network. When the firewall finds that an IP packet does not meet security policy, the IP packet is blocked. If all packets that pass through a firewall are examined it can create a bottleneck on the network slowing down performance drastically. Policy can help alleviate this bottleneck by using policy to determine which packets to inspect. Some examples of these rules are:
• All packets traveling from a public interface to a private interface shall be inspected.
• All packets traveling from a private interface to a public interface shall be inspected.
• Packets traveling from a private interface to a private interface shall not be inspected.
• Packets traveling from a public interface to a public interface shall not be inspected.
These firewall policy rules allow the firewall to inspect the packets that are the biggest threat to the network without inspecting internal traffic. There are also allow, deny policy that will be configured into the firewall.
• Traffic coming from a non-secure interface to a private interface is always denied.
• Traffic coming from a private interface to a non-secure interface is always denied.
• Traffic coming from a non-secure interface to a non-secure interface is always allowed.
• Traffic coming from a public interface to a non-secure interface is always allowed.
These policies and rules will ensure that only traffic deemed necessary to the everyday functions of the business will be allowed to access to the network. These policies also insure that the outgoing traffic is filtered as well ("SANS Information, Network, Computer Security Training, Research, Resources", 2011). This firewall will also contain a state based filter. A state based filter keeps a log of connection states as data travels across the network. When a connection from inside the network is made, the filter saves the connecting and receiving address until the connection is no longer active. When the IP addresses are saved packets flow easily to and from the destination without being subject to firewall policy. This makes secure data transfer move smoothly. This type of filtering also ensures that applications such as web browsers are not able to communicate with non-secure areas while they are idle ("Uninformed - vol 1 article 3", 2011).
The intrusion detection system (IDS) is another form of perimeter defense located on this network. This system provides another layer of redundancy to the perimeter security of the network. The intrusion detection system works by collecting information from the network, and analyzing the information for possible attacks. The IDS collects this information from a variety of places on the network. These include: user activity, system activity, system configurations, and network vulnerabilities, integrity of data, activity patterns, abnormal activity, and operating systems. The IDS takes the collected information and compares it to a library of known attacks. If an attack is detected on the system an alert is sent to the Network Administrator ("SANS Information, Network, Computer Security Training, Research, Resources", 2012).
A screened subnet firewall is also present on this information system. This firewall is used to create a DMZ. A screened subnet is a method used to segregate portions of a network when there is both public and private access to the network. The local intranet handles the private segments of the network while the subnet contains the web server and email server. When using this topology, inbound traffic is only allowed to move to the DMZ, while outbound traffic also flows through the DMZ. This means that all traffic that is SMTP, HTTP, or FTP will be routed to the DMZ (Pearson IT Certification, 2013).
Internet Security Protocol (IPsec) is a family of protocols used for securing communication by encrypting each data packet during communication between machines. There are protocols used in IPsec that establish mutual authentication at the start of a communication session so that cryptographic keys to be used in the session may be agreed upon. All traffic that occurs across the IP network is protected by used of IPsec. This protocol suite will be used to add another layer of security to the perimeter of the network (IPsec. 2009).
A proxy firewall is one of the most advanced firewalls on the market. A proxy firewall filters, logs, and caches all requests for control in an attempt to keep the network free from threats. These firewalls perform as a middleman between the client and the server, as opposed to traditional firewalls that only analyze passing traffic to decide whether or not it will be allowed to pass. A proxy firewall will establish a connection with the client and the server which means that the data in the connection stream is completely analyzed. Proxy firewalls are very secure, but there is a downside to these applications. These firewalls are very expensive, and this small sized business is not able to make this kind of investment (IPsec, n.d.).
Digital Signatures provide the network with authentication and non-repudiation while insuring the data integrity of the information system. A digital signature is a mathematical scheme used for authenticating a digital message, and verifying the sender of the message. This will be very important for this organization as financial transactions will be taking place on a regular basis. When money is taken for an order, and sent to the main office, each transaction will be signed with a digital signature, ensuring that the person taking the money is responsible for the money. A digital signature consists of three separate algorithms. The first algorithm is a key generation algorithm that randomly selects a key from a set of predefined keys. The algorithm then sends out the private key with the public key that corresponds with the private key. The second algorithm is a signing algorithm. When a message is sent and a private and public key are given, this algorithm produces a signature of the user sending the message. The third algorithm verifies that the each message contains a private key, a public key, and a signature. Once verification of these things is complete the algorithm decides whether to accept or reject the message ("What is an Electronic Signature? Electronic & Digital Signature FAQ", 2011).
Access lists provide a layer of perimeter security by controlling whether incoming traffic is forwarded into the network, or blocked at the network perimeter. The type of access control is able to allow one node access to a segment of a network while forbidding access to another segment. These lists should be configured in the outermost firewall router between the physical network and the internet.
Fail-safe equipment is that which in case of failure will not endanger properties or people. Fail-secure equipment is equipment that upon failure denies access to sensitive data, or access to the network. Fail-safe is obtained by redundancy of network equipment. The goal of a redundant topology is to eliminate network downtime and network vulnerabilities in the case of network hardware failure. The most redundant type of topology is the mesh topology. In this topology all nodes are interconnected to prevent downtime in the event of node failure. Networks should be designed with both primary and secondary or redundant firewalls to ensure that the network remains protected.

Client and Server Security
Database Security Network databases hold an organization’s most valuable information, and are therefore vulnerable to attack. To ensure the confidentiality, integrity, and availability of these database systems, the fundamentals of database security must be set in place. The fundamentals of securing a back end database include access control, encryption, configuration and architecture, and monitoring. Access control is at the forefront of securing a database. Users should be only granted access to the data that is needed for the individual to perform their job duties. This is the process of least privilege. The complete access of the database should be limited to the System Administrator. This full access will allow for maintenance, and authorizing and denying of access by users. All other users will be provided the access to read, write, and execute as their job requires. Access to the database can be issued using authentication that is different from the information system, but as a best practice an access management platform such as Active Directory should be incorporated into the system so that access and access logs can be maintained for all users. Databases that are used for highly sensitive data such as system backup, and disaster recovery should be highly restricted as this data is essential to the longevity of the organization. Typical information system users will have no need for the data that is stored in this database, and therefore should have no access to the database. Access to this database should only be granted to an individual such as the System Administrator, and only available through a single interface. Data encryption is the next layer of security to ensure the security of the network’s databases. Transparent Data Encryption or TDE encrypts data at both the table and table space layer. Data encrypted using TDE is encrypted in backup and when saved on a hard drive. This form of database encryption is fairly easy as the users of the database do not have to manage the encryption key. TDE is a key-based access control system, and uses a single key to encrypt all the columns in a table. A master key that is stored in a dictionary table, and only accessible to the System Administrator, is used for all the encrypted tables in the database ("Transparent Data Encryption", 2012). Architecture and database placement must also be considered when securing a database. The network webserver must be kept separate from the database. Using a DMZ to subnet the webserver is a good practice, and will keep the webserver segregated from the database. This type of architecture is more expensive, but will add additional layers of security to the database system. To add yet another layer of security to the database system, real time database monitoring must be set in place. This monitoring can be accomplished in two ways. The first way is to monitor normal network traffic on each server using software agents. The second way is to analyze SQL traffic on the network. Database monitoring may be used to identify vulnerabilities, or policy breaches within the database. Analyzing database activity over time helps to show normal database activity and anomalies in the system that could be an attack on the system itself. A database audit trail such as this will allow the System Administrator to monitor, and possibly terminate a user session that he or she finds to be suspicious (SANS, 2013).
Server Security Steps must be taken to secure both Windows and UNIX servers that are located on the network. To secure UNIX servers there are five best practices that should be followed in order to ensure that as much security as possible is in place. The first security best practice to implement on the UNIX server is: turn off all unused services. Disabling services that are not in use are that are not needed keeps those services from adding vulnerabilities to the server. UNIX systems contain applications that run in the background as opposed to being controlled by the user. These applications are known as Daemon. Some of these applications contain vulnerabilities, such as buffer overflows, that may be exploited if the application is enabled. Daemons often times start with the system boot up, and remain running until the system is shut down. IP filters or firewall rules will also add another layer of security to a UNIX server. Both of these practices will limit network traffic, which in turns provides greater security to the network. Access permissions in UNIX are also a good way to secure a server. Security can be set on a file in the database by using CHMOD command. These permissions include read, write, and execute. These permissions can be given to individual users or to entire work groups. Limiting access to only the files that are need by the user or group provides a layer of access control to the files and applications on a UNIX server. When securing a UNIX system it is also very important to use a strong password. All essential information about the user is stored in the etc/passwd file, and can be read by anyone using the workstation. With this in mind it is important to protect this file using the etc/shadow file to limit accesses to everyone accept the root user. This password security feature will only show the password as x (UNIX 2010). As Windows servers will be used on this network, they must also be secured. Physical security must be maintained on all servers. If an attacker can manage to obtain access to your server room, the damage or theft could be catastrophic to the organization. The BIOS and boot loader should also be protected by a strong password to prevent the system from being booted from an external hard drive. All drives on the server should use encryption. If a drive is stolen or accessed the encryption will ensure that the data is not compromised. Servers should also be kept from internet facing segments of the network. A DMZ that contains the networks web server and mail server will prevent outside attacks directly on a server. Security patches and updates must be kept up to date to ensure that all known vulnerabilities are patched as soon as possible. Antivirus software will also give the server an additional layer of security. This software should be updated through an update server, or manually with updates sent from the vendor. These virus updates will ensure that the latest virus definitions are used when the system is being scanned and protected. Services that are not needed on the Windows server should also be disabled. These services include: Windows Messenger, Fax Service, SMTP, task scheduler, telnet, and terminal services. The disabling of these services greatly reduces the vulnerabilities of the server. Unused software on the server should also be disabled or removed. Application such as Java and Flash will not be needed on the server as the network nodes contain these applications. File access should also be restricted when using a Windows server. This can be accomplished using New Technology File System (NTFS). Server file access should be limited to only the data that is needed to perform a user’s job functions. File auditing should be used to view a log file on who is attempting to read, write, or delete sensitive files on the database. This can be accomplished through the file properties. Finally when securing a Windows server, administrative permissions should only be used when absolutely necessary. When these types of permissions must be given to a user, ensure that an extremely strong password is used (Windows Server Security. (2013). Windows Active Directory will be used for authentication on this network. Active Directory will authenticate all users who attempt to access the network. This service assigns and enforces security policies for all nodes on the network. Active Directory is information about objects on the network. The objects gathered are separated into groups. These groups are security principles and resources. The objects that fall into the security principles are assigned a security identifier or SID. Each object on the network is identified by name and attributes. This name and attribute set is known as a schema. Once an object schema has been created it can only be made inactive as opposed to deletion. This authentication process will add an additional layer of security to this network (Microsoft, 2012).

Wireless and Remote Access Security

Symmetrical key encryption is a group of algorithms that use the same keys for plain text and ciphertext encryption. These keys are known by both the sender and receiver of the data, and are used to share a private link of communication. Symmetric key can use either block or stream ciphers to encrypt data. When using the stream cipher method the digits of the message are encrypted one message at a time. This is accomplished by adding a bit from a key stream to a plain text bit. There are two different stream ciphers, synchronous or asynchronous. With synchronous stream ciphers the key stream only depends on a single key. Asynchronous stream ciphers use the key stream along with ciphertext. When symmetrical key encryption uses block ciphers, the entire box of plain text bits are encrypted at a single time, and uses the same key. Each of these types of ciphers has different uses that best suits the way that data is encrypted. Block ciphers are often used for encrypting data that is being sent over the internet or public facing intranets, while stream ciphers are small and very fast, and are most commonly used for encryption on mobile devices (Microsoft, 2013). Public key encryption is a cryptographic algorithm both a public key and a private key to decipher encrypted data. Each key used to decipher the data is mathematically connected. The public key is used in encrypting plain text and verifying the digital signature, while the private key is used to decrypt the ciphertext and to verify the digital signature. The public keys used for encryption are mathematical equations that have no efficient solution, and make it impossible to determine the correct private key. When data is encrypted using public key encryption, the message must be processed with the private key which in turn produces a digital signature. This digital signature can then be verified by processing the value of the digital signature with the signer’s public key ("How PGP works", 1999). There are many uses for public key cryptography, and is used in applications and system software. These uses include: https protocol, SSH, PDF files, encrypted files and email, and many more. There are pros and cons of both symmetrical and public key encryption. Public key has a definite advantage of symmetrical as there is no common key to be agreed upon. Another advantage public key has over symmetrical is that public is able to guarantee integrity and authentication, whereas symmetrical encryption can guarantee privacy only. Symmetrical key encryption is much faster than public key, and is more of a cost effective form of encryption. Lastly symmetrical key requires less computation to encrypt data than the large computation required by public key ("Symmetric key encryption algorithms and hash function cryptography united", 2011). After researching the above security encryption algorithms, I will implement public key encryption for the virtual private network of this organization. When encryption occurs on a VPN, the sending node encrypts the data before placing it on the network, and the receiving node decrypts the data that is received. There are protocols that must be used for this encryption to take place. The encryption algorithm can use either the IPsec protocol, or the Generic Routing Encapsulation protocol (GRE). IPsec is more commonly used, and uses two sub-protocols to encrypt data. Encapsulated Security protocol gives the data a symmetric key, while the Authentication protocol hides parts of the data header until the message is decrypted. GRE is a framework for sending data over the internet. IPsec can be used in two ways, transport mode or tunnel mode. Transport mode encrypts data as it travels between devices. Tunnel mode builds a tunnel from one network to another. When a data message is sent across a VPN both the sending node and receiving node have their own personal private key that only that machine knows. Both machines have access to the public key. The sending computer places the encrypted message on the network, and the receiving machine uses the public key along with the private key to decrypt the message. This type of data encryption adds a layer of security to the network as all data that moves across a VPN, and cannot be decrypted without both the public and private keys. This is imperative if the confidentiality of the data is to be upheld. Securing the wireless access point in this network is paramount. For this security the IEEE 802.11 standard will be used. There are two types of authentication that this standard defines, open system authentication, and shared key authentication. Open system is used when no authentication is necessary to access the WAP. Shared key authentication requires that both the sender and receiver of data are aware of the shared secret. Shared key uses the following processes:
• The initiating machine sends a frame containing ID information and authentication request.
• The WAP responds to the initiating machine with a challenge question.
• The initiating machine replies to the WAP using WEP encryption and an encryption key that corresponds with the shared key.
• If the text matches, access is granted by the wireless node.
A high level of encryption on this network will ensure that all data moving across the network is inaccessible to only those who have been granted access. While authentication procedures will ensure that only those with the proper security keys can access the WAP. Hardware configuration is also important when attempting to secure a wireless access point. The remote administration feature should be disabled on wireless routers to prevent changes to the settings of the hardware. Broadcasting should also be disabled on the wireless router. This makes the network much harder for outsiders to find the network. Mac filtering should be enabled to allow or block access to devices located on the network. When MAC filtering is enabled every device must have a MAC address. These will prove to be essential in adding layers of security to this organization’s network.

Security Configuration Management

Implementing a secure configuration management plan requires planning. Secure configuration management can be defined as the maintenance and technical applications of security policy on an information systems applications, hardware, and network devices. To achieve proper security configuration of a network, a configuration management plan must be developed and implemented. This plan will include the processes, tools to be used, and name the person who is to head the project.
Configuration Identification (CI) is the step in developing a secure configuration management plan. The CIs that are identified on the system will be implemented, measured, and maintained over the lifespan of the application. Certain networking devices must comply with the Federal Information Security Management Act (FISMA). The CI’s on this organization’s information system are as follows:
CI Manufacturer Description Location Inventory Date Last Update
Workstations Compaq
Compaq
Compaq Deskpro
Deskpro
Deskpro Office 1
Front Desk
HR 08 Nov. 2013
08 Nov. 2013
08 Nov. 2013 01 Nov. 2013
01 Nov. 2013
01 Nov. 2013
Laptops Dell
Dell Inspiron
Inspiron Office 2
Office 3 08 Nov. 2013
08 Nov. 2013 01 Nov. 2013
01 Nov. 2013
Database Server Compaq Proliant Server Room 08 Nov. 2013 01 Nov. 2013
Routers Cisco Catalyst Server Room 08 Nov. 2013 01 Nov. 2013
Switches 3Com
3Com OfficeConnect
OfficeConnect Server Room
Server Room 08 Nov. 2013
08 Nov. 2013 01 Nov. 2013
01 Nov. 2013
Web Server Juniper SPC1500 Server Room 08 Nov. 2013 01 Nov. 2013
Email Server Juniper SPC1500 Server Room 08 Nov. 2013 01 Nov. 2013
DHCP Server Dell PowerEdge Server Room 08 Nov. 2013 01 Nov. 2013
Web Proxy Server Intel R2308 Server Room 08 Nov. 2013 01 Nov. 2013
IDS Juniper IDP75 Server Room 08 Nov. 2013 01 Nov. 2013
VPN Server Pro Safe SSL Server Room 08 Nov. 2013 01 Nov. 2013
Firewalls Barracuda
Barracuda
FortiNet
Dell
Dell BWFV
66085
FortiWeb
SonicWall
Sonic Wall Server Room
Server Room
Server Room
Server Room
Server Room 08 Nov. 2013
08 Nov. 2013
08 Nov. 2013
08 Nov. 2013
08 Nov. 2013 01 Nov. 2013
01 Nov. 2013
01 Nov. 2013
01 Nov. 2013
01 Nov. 2013
WAP EdgeMarc 15 Quad T1 Office 1 08 Nov. 2013 08 Nov. 2013

Configuration Control is the next step in creating a CMP. Configuration control consists of a monitoring system that is mainly used for change detection. There are several tasks associated with configuration control ("Configuration Control", 2013). These include: preparing, analyzing, authorizing proposals, evaluating, and initiating changes to an information system. There are four processes that are encompassed within configuration control. The first process consists of identifying and documenting a need for change in the information system. This need of change must be submitted in a document known as a change request. The second process deals with analyzing and assessing the change requests forming a change proposal. The third phase of configuration control requires analyzing the gathered information, and either accepting or rejecting the change proposal. Finally the fourth phase is the verification and implementation of the change ("Configuration Control", 2013).
Configuration Status Accounting (CSA) is the next process when creating a CMP. CSA is the process of recording and reporting the status of the Configuration Items that have been listed. The history of application lifecycles development is tracked by this process. When a CSA report is created it will contain data such as: any CI that has had a baseline logged, the date the CI was base lined, specifications of the CI, history of the baseline changes, open change requests, configuration audits that have identified deficiencies, and the statuses of approved changes.
Configuration Assessment is the process of monitoring and auditing of network devices. This process creates detailed logs of hardware systems to be compared with previous and existing baselines. This process ensures that the adequate security is in place on the network. This process is often used by government agencies to audit and manage weapons systems and complex systems (Configuration Control, 2013).
Configuration Remediation is the process of changing items that are found to be in need of change to meet policy or compliance regulations. These changes are identified using the above stated analysis. When a configuration change is approved a remediation may be very simple or very complex.
There are other areas of concern when trying to configure an information system in a secure fashion. These concerns are the physical operating system, guest operating systems, applications, databases, infrastructure, and network devices. To ensure that the above are secured there are configuration controls that may be applied in order for compliance to be reached. Networks must be configured into subnets to prevent critical portions of the network from being visible to intruders. Ports and services can be made less visible by closing ports, and making portions of the network unavailable to unauthorized users. Controlling access rights to software and hardware applications to prevent unauthorized users from changing configurations must also be done (SANS, 2012).

References
CONFIGURATION CONTROL. (2013, March 15). Retrieved November 9, 2013, from http://www.navair.navy.mil/nawctsd/Resources/Library/Acqguide/ch5cm.htm encryption - What common products use Public-key cryptography? - Information Security Stack Exchange. (2013). Retrieved October 31, 2013, from http://security.stackexchange.com/questions/1418/what-common-products-use-public-key-cryptography
IPsec. (2011). Retrieved from http://technet.microsoft.com/en-us/network/bb531150.aspx
SANS (2013, October 23). SANS Institute: Reading Room - Application and Database Security. Retrieved October 27, 2013, from http://www.sans.org/reading-room/whitepapers/application
SANS | Retrieved from www.sans.org/reading-room/whitepapers/detection/understanding-intrusion-detection-systems-337
Symmetric-key-encryption-algorithms-and-hash-function-cryptography-united
Transparent Data Encryption. (2012). Retrieved October 27, 2013, from http://docs.oracle.com/cd/B19306_01/network.102/b14268/asotrans.htm
Understanding IDS | Retrieved from www.sans.org/reading-room/whitepapers/detection/understanding-intrusion-detection-systems-337

Understanding the Concepts of Security Topologies | CompTIA Security+ Exam: Devices, Media, and Topology Security | Pearson IT Certification. (2012). Retrieved from http://www.pearsonitcertification.com/articles/article.aspx?p=31562&seqNum=4
Uninformed - vol 1 article 3. (2011). Retrieved from http://uninformed.org/index.cgi?v=1&a=3&p=14

UNIX (2010). Unix System Security. Retrieved October 27, 2013, from http://www.washington.edu/R870/Security.html
What are the disadvantages of proxy-based firewalls? (2012). Retrieved October 20, 2013, from http://searchsecurity.techtarget.com/answer/What-are-the-disadvantages-of-proxy-based-firewalls

What is an Electronic Signature? Electronic & Digital Signature FAQ. (n.d.). Retrieved from http://www.arx.com/digital-signatures-faq

Windows Server Security. (2013). Retrieved October 27, 2013, from http://technet.microsoft.com/en-us/windowsserver/ff843381
How PGP works. (1999). Retrieved November 1, 2013, from http://www.pgpi.org/doc/pgpintro/