Allen & Bose Insurance Services Firewall Security Project

Business Requirement and proposed Solution Report

CIS 343

July 10, 2013

Dr.

Table of Contents

Executive Summary 3
Introduction/Background and History 4
Issues faced and specific needs to be solved by installing upgrades 5
Projects Assumptions and Constraints 7
Business Requirement ….………………………..………………………………………..8
Definition of Terms ….……………………………..……………………………………..9
Project Scope...……………………………………..……………………………………10
References…………………………………………..……………………………………13

Executive Summary

The objective of this paper is to educate both the senior management of Allen & Bose Insurance Inc. on the network security threats that exist with our current network design. The enclosed report presents an analysis on Allen & Bose Insurance Services current security posture and highlights the issues we have face over the past year as well as industry best practices and recommended updates we should make to our network security design that will protect the organization from the myriad of security threats that are out there.

Introduction/Background and History

Allen & Bose Insurance Services has become a dynamic and intricate player in the automotive and home insurance market. The company has grown from 25 employees in one office to over 225 employees in 3 offices. In the early days the computer systems that were used were on a close network of networked computing systems and the systems were freely accessible because security was not a major concern. As the company began to grow and the closed network was connected to multiple local and remote networks via the internet; network intrusions from both internal and external users have become increasingly frequency an on more than a few occasion has limited or halt the business ability to function effectively. Its original network design consist of a 15 workstations connected to a shared storage server and 3 shared printer on a closed network. Through the years, Allen & Bose Insurance Service’s has grownin size to nearly 200 employees with over 200 workstations, 1 Cisco 2800 routers, 9 Cisco 2950 switches 2 shared storage server, 25 shared printers and as well as 3 remote access sites all connected via the internet. It the past all employee had access to the entire network because multiple task were performed by the same employees. With the increase in personnel there are now distinct roles that the two created (Sales and Accounting departments have to perform. The sales department and the accounting department only need to have access to the servers and printers assigned to their department. The remote sites need to have the ability to access their prospective department and an executive department needs access to all parts of the network. Customers also need to have access to our web server so that they can sign up and paid online.

Issues faced and specific needs to be solved

I am aware that implementing network security is something that no one really likes to do because it’s one of those business costs that you don’t see the Return on Investment upfront. Unfortunately the current network security is the same one that was used since the company was formed. It utilizes the Norton 360 Software on it host machines as the only source of protections. While this was ok during the early days of the organization the current security approach leave the network wide open to attacks and is unable to efficiently handle the threats associated with the current network structure. If left unchanged there could be no or limited returns on investment. . In the past year we’ve had attached that have varied from: computer virus, worm, denial of service, Trojan horse, port scanning and many others. Criminal have been stealing our personal and business information for their own use, vandalizing our web site and corrupting data on hard drive as well as degrading or disrupting our service. Figure 1 below highlights some of the common ways we were attacked and the vulnerable points of our networks
[pic]
Figure 1

To combat these issues we should update our security posture by adding in Trunks and VLAN to our switches that will restrict user to their appropriate resources as well as prevent access from unauthorized personnel. We should a Proxy Server that will restrict all external host requests to a single local machine and validate before allowing them access to our network as well as restrict authorized user from accessing unauthorized Web addresses. We should to add access-lists to our router that will restrict unauthorized user from accessing our internal network and restrict authorize personnel to appropriate resources. We should also use NAT on our router interface so that we can hide our IP scheme from the external network so that it makes targeting us a little harder for hackers. We should add a Boarder Firewall to our existing network as well as update all host firewall software so that we are able to protect our network from most attacks and quickly ID when we have been attacked. We should set up a DMZ on the outside of our internal network and place our Web mail servers in it to restrict external host from access to our internal network. We should set up a Bastion Host to be used to protect our internal host from attacks.

Assumptions and Constraints

The following is a brief summary of, Assumptions Constraints and Risk associated with the upgrade of the organization network.

Assumptions;

➢ The project will be completed within the budgetary constraint ➢ IT Personnel will have to be trained on the new equipment

Constraints;

➢ The cost of the equipment need to upgrade the network.

➢ Project must be completed within six months

➢ The senior management belief that the changes to the network are necessary.

➢ For the project to stay within budget ➢ Any deviations from the originally approved plan must be approved by the CEO ➢ Need to train IT personnel on new technology

The following risks have been identified as possibly affecting the project during its progression:

• Hidden cost in construction of the Data storage rooms • Return on our investment • Security of the stored data

Business Requirements:

In the past year we’ve had network issues that have hamper our productivity. The attacks have varied from: computer viruses, worms, denial of services, Trojan horses, port scanning and many others. Criminal have stolen some of our personal and business information, vandalizing our web site and corrupting data on hard drives. This project will address these issues by updating the first, second, and third floors of the current building, with the appropriate equipment needed to harden the organizations security posture. Below Diagram 1 shows our current security posture that included a router provided by the service provided and a single 24 port switch for the 15 users using Norton 360 host base software for protection.

[pic]
Diagram 1

Throughout this paper I will be using terms which you may or may not be familiar with so I have included a Definition of Terms table below that should give you a brief understanding of the terms used.

Definition of Terms

Proxy Server: a proxy server is a computer system or router that breaks the connection between sender and receiver. Functioning as a relay between client and server, proxy servers help prevent an attacker from invading a private network.

Packet Filtering: Packet filtering is the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols.

Virtual Private Network: A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.

Adaptive Security Appliance (ASA): The Adaptive Security Appliance is a unified security device that combines firewall, network antivirus, intrusion prevention, and virtual private network (VPN) capabilities, provides proactive threat defense that stops attacks before they spread through the network.

Secure Sockets Layer (SSL): Secure Sockets Layer, a protocol used for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data − a public key known to everyone and a private or secret key known only to the recipient of the message.

Internet Protocol Security (IPsec): IPsec is a technology protocol suite for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet of a communication session

Project Scope

To combat these issues we will need to upgrade our current security posture by installing a Data closet on the second floor which will be our Access Point to the outside network. In the data closet we will be installing a service rack with the follow equipment a Cisco 2811 series router to serve as the organizations internet gateways, a Cisco ASA 5500 series firewall that will provided high-performance packet filtering security services, including application-aware firewall, SSL and IPsec encryption for VPN clients, IPS with, antivirus, antispam, antiphishing, and web filtering services, A Cisco Proxy Server Cache Engine 505 that will reduce WAN bandwidth usage and accelerate network performance, Secure WIFI Access Point. (See Diagram 2 below)

[pic]
Diagram 2

On the first and third floor we will be adding in some Cisco 2950 switches and Secure WIFI access point. See Diagram 3 and 4 below.

[pic]

Diagram 3

Diagram 4

To accomplish this we will need to expand our network from one floor to three floors. During this process we will continue to use the existing network and will switch over all users once the new network is up and has been validated as operational by our IT Team. Customizations of the building three floors will be limited to 3 corner offices being remodeled to accommodate the Data rooms needed to secure the new equipment.

The new architecture will be upgraded to 2811 CISCO routers, 2950 CISCO switches, Cisco 5500 ASA and a Cisco Proxy Server Cache Engine 505. By using the same vendor we can ensure that we will have system compatibility as well as only on vendor to contact for support. Inspections will be conducted by the Fire Marshall to ensure that the new Data rooms and all new cabling is up to code prior to installing network equipment. Testing of network devices to include servers, routers, switches, and storage devices will be conducted prior to the implementation phase. Funding for the project funding will limited to $70,000 which includes purchase and installation of all equipment and the modification needed for the data rooms as well as vendor training conducted by CISCO Certified trainers which will ensure that all our IT personnel are fully trained on the newly installed equipment.

We will finish up the project by updating our security policies and standards and providing the IT team and all employees with applicable user training.

Reference

Green, S. (2006). Security Policies and Procedures. Upper Saddle River, NJ: Prentic Hall.

Whitman, A., Mattord, H., & Green, A., (2011). The Guide to Firewalls and VPNs, Course Technology, Boston, MA, Cengage

Chapman, B., & Zwicky, E. (1995). Building internet firewalls. (Ex: 1st ed.). Retrieved from http://docstore.mik.ua/orelly/networking/firewall/index.htm
Anderson, R. J. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed.). Indianapolis, IN, Wiley Publishing, Inc.
-----------------------
100+

25X

UKN+

UKN

UKN

3X