The company’s site has a high-level security plan under which the main applications, network, and server data or resources will be secured from any threat. The plan will be applied in the following main areas to protect the main assets:
- Servers holding financial data
- Analytical application server for the company bond and stock
- Application servers for market tracking
- Methods and sites for online trading
- Servers holding human resource data
- The company internet data
- The company data transmission system
- The company email server
- All servers holding different data
General Security Architecture
The company network will focus on providing a high level of security to the system. This will be achieved by developing the right security architecture. The system will involve the installation of a firewall connecting the company’s LAN to the company WAN and the internet. This will be followed by routers, which will be connected to the Cisco IPS and the Cisco ASR Edge Router. The routers are then connected to the web server, which is protected by McAfee antivirus. In addition, the routers are connected to two distribution layer switches, which have an access control system and the TACLANE-Micro Encryptor. The switches in this layer are then connected to the access layer, which distributes the signal further to terminals and servers that are installed with McAfee products.
Twelve Specific Security Policies
The company will adopt a number of specific security policies to ensure that all concerned individuals employ the right measures to prevent network security loopholes from developing. These policies are provided below:
- A security response procedure should be defined to help users report any malicious act they notice before IT personnel detect it, and to help them know and be prepared for the measures to be taken and the impact of any security response procedure
- All of the company’s critical internal servers must have a host IDS to assist in preventing local attacks
- The company should ensure that file system integrity checks are carried out
- The use of the company mail must be consistent with the company’s policies and procedures for compliance, safety, and ethical conduct, and with proper business practices and applicable laws.
- A system monitoring technique should be employed to identify any attempt to interfere with the network or any loophole that would facilitate an attack.
- Each user should use a unique and strong password which cannot be cracked. Passwords will not be shared, and users will be required to lock their accounts while away from their workstations
- Every device in the network must have antivirus and antispyware software installed, which will be updated on a daily basis
- Users’ system access should be limited based on individual operation level by providing different system access rights
- Data used in all company departments should be backed up regularly to prevent total loss of data in case of an attack
- All data transmitted through the company’s network system should be encrypted
- The company will frequently designate network security audit personnel to check the company’s compliance with the set security policies
- Employees should be prohibited from accessing the network through unsecured wireless communication mechanisms
Details and Rationale for Each Policy
Every device in the network must have antivirus and antispyware software installed, which will be updated on a daily basis
In this case, the company’s servers and all other computers will be installed with McAfee antivirus and antispyware to prevent them from being infected by viruses, Trojans, or spyware, whether from individual users’ online activities or from external input or storage devices. Such an infection would interfere with the functionality of the servers and computers, compromising data integrity, confidentiality, or accessibility.
Each user should use a unique and strong password which cannot be cracked. Passwords will not be shared, and users will be required to lock their accounts while away from their workstations.
Company users should use a standard password of not less than eight characters. The password should not be associated with anything that can be linked to the user, for instance a family member’s name, the name of a hobby, the user’s favorite celebrity, a date of birth, or an important known event in the user’s life. The password should comprise letters, both capital and small, numbers, and special characters. This is meant to ensure that each user has a strong password that can hardly be hacked. Users should always lock their machines to prevent others from using their accounts to perform malicious activities or to access information that they could not otherwise access due to rights restrictions.
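The password rules above written as a checker, as an added example that is not part of the original plan. The function names, the character-substitution table and the sample profile are assumptions made for illustration, and the check goes slightly beyond the text by also catching personal terms disguised with common character substitutions.

```python
import re
import string
from datetime import date

# Common substitutions undone before comparing against personal terms (assumed table).
LEET = str.maketrans("013457@$!", "oleastasi")

def date_variants(d):
    """Digit strings a birth date or life-event date is commonly typed as."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd, dd + mm + yy, mm + dd + yy}

def check_password(password, personal_terms=(), personal_dates=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "capital letter": str.isupper,
        "small letter": str.islower,
        "number": str.isdigit,
        "special character": lambda c: c in string.punctuation,
    }
    for name, has_class in classes.items():
        if not any(has_class(c) for c in password):
            problems.append(f"missing a {name}")
    lowered = password.lower()
    # Undo substitutions, then drop separators so "M@-ry" still reads as "mary".
    letters_only = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    for term in personal_terms:
        for word in re.findall(r"[a-z]{3,}", term.lower()):
            if word in lowered or word in letters_only:
                problems.append(f"contains personal term '{word}'")
    digits_only = re.sub(r"\D", "", password)
    for d in personal_dates:
        if any(v in digits_only for v in date_variants(d)):
            problems.append(f"contains personal date {d.isoformat()}")
    return problems

# Constructed sample profile: family name, hobby, favorite celebrity, date of birth.
TERMS = ["Mary Okafor", "chess", "Serena Williams"]
DATES = [date(1990, 4, 12)]

if __name__ == "__main__":
    for candidate in ["short1!", "Ch3ss!Mary", "Tr1ckle#12041990", "Vq7#nLw2&xT"]:
        print(candidate, "->", check_password(candidate, TERMS, DATES) or "OK")
```

A password such as `Ch3ss!Mary` satisfies the length and character-class rules yet is still rejected because it is built from the user's hobby and a family name.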
Users’ system access should be limited based on individual operation level by providing different system access rights
Each user should be restricted in the information they can access, based on the individual’s operation level in the company. These rights prevent junior workers from accessing sensitive information or data that they are not supposed to access, for security purposes. They also control inappropriate data updates made for malicious purposes. Junior workers can be used by competitors to get data or certain information from the company, and thus their access is normally limited.
Data used in all company departments should be backed up regularly to prevent total loss of data in case of an attack
Normally, it is hard to establish a 100% efficient system. Systems are normally impacted by one problem or another. Thus the company should ensure 100% data redundancy to save the company from any form of data loss in case of a security attack. The best secondary storage should involve saving the backup away from the original system, possibly in a separate building, to ensure 100% restoration.
All data transmitted through the company’s network system should be encrypted
Hackers normally take advantage of data in transit while trying to hack a network system. This is normally done through interception. If this data is not encrypted and the hackers succeed in their interception, the company’s data could be interfered with, blocked from reaching its destination, or used to weaken the company’s competitiveness. However, if data is encrypted it would be impossible to decrypt the actual meaning of the data, thus preserving data integrity and confidentiality. This would also save the company from any malicious act that could be conducted using the company’s data.
The company will frequently designate network security audit personnel to check the company’s compliance with the set security policies
The system audit ensures availability, confidentiality and integrity of resources and information. It also allows the investigation of probable security incidents to guarantee conformance to the security policies of the company. It also ensures effective monitoring of system and user activity to guarantee that it is suitable. The audit is expected to identify all the loopholes that would increase system vulnerability. Therefore, it is very effective for the company’s security implementation.
A system monitoring technique should be employed to identify any attempt to interfere with the network or any loophole that would facilitate an attack.
System monitoring gives the system administrator an opportunity to identify any loopholes and other system weaknesses. This ensures that the company has recognized its system vulnerabilities before attackers take advantage of them. Thus, system security monitoring protects the company from successful attacks.
The use of the company mail must be consistent with the company’s policies and procedures for compliance, safety, and ethical conduct, and with proper business practices and applicable laws.
The email policy is in place to guarantee proper utilization of the company’s email system and to ensure that users are aware of what they can and cannot do with the company’s email. It protects the company from being ruined through the passing of important information to unauthorized individuals in the company. Email can easily facilitate the leakage of company data to outsiders, and that is why its use must be limited to company-based activities as guided by procedures.
The company should ensure that file system integrity checks are carried out
File system integrity depends on a set of internal tables that keep track of the inodes in use and the available blocks. When these internal tables are not properly synchronized with the data on disk, inconsistencies result and the file system needs to be repaired. The check prevents abrupt termination of the file system and thus helps ensure effective file system operations.
All of the company’s critical internal servers must have a host IDS to assist in preventing local attacks
Host-based intrusion detection identifies intrusion in a single host system. In this regard, it prevents that particular host from being impacted by the intrusion. This will ensure that no form of intrusion gets into the company system via the hosts.
A security response procedure should be defined to help users report any malicious act they notice before IT personnel detect it, and to help them know and be prepared for the measures to be taken and the impact of any security response procedure.
The response procedure is provided to eliminate a chaotic situation in the company in case the company managers need to fix any identified security problem based on its actual location and magnitude.
Employees should be prohibited from accessing the network through unsecured wireless communication mechanisms.
An unsecured wireless network is likely to cause havoc by permitting viruses, Trojans, and malware, among other things, into the company’s network. Thus, this needs to be prevented since it can result in compromise of data confidentiality, availability and integrity.
High availability secure design for the locations
The four possible forms of attack in an organization include malware infiltration, denial of service attacks, intruder threats, and reconnaissance attacks. To eliminate malware infiltration, the company will need to install antimalware or antispyware, which can be provided by McAfee’s products, on the servers and other terminal devices. Installing a data protection solution and endpoint protection prevents all possible malware in the company.
Denial of service attacks are based on the concept that by overloading a target’s resources, the system will eventually crash. This can easily happen in web server applications, among other WAN connections. To prevent this, the company will need to install a firewall. A web application firewall will be very efficient in countering denial of service attacks.
Intruder threats can be prevented by a number of measures. One measure is enhancing data encryption, especially for all data transmitted via the network. This will be done by installing the TACLANE-Micro Encryptor. Other measures include enhanced file system integrity checks, system monitoring, and the employment of security policies. The installation of Cisco IOS IPS will assist in the detection of IP attacks.
A reconnaissance attack is an attack in which the attacker engages with the targeted system to gain more information about the system’s vulnerabilities. To prevent this, the company needs to enforce strong security policies, which can be supplemented by installing the Cisco Access Control System and Cisco IOS IPS at the router point where the company’s local system connects with the WAN.
Security Devices and their Specific Roles
| Device | Description and Role |
|---|---|
| Cisco IOS IPS | It is an inline deep-packet inspection feature that effectively mitigates different forms of network attacks. It integrates the threat control framework and the Cisco IOS flexible packet matching feature. It offers the network intelligence to accurately identify, classify, and stop or block malicious traffic in real time. |
| Cisco ASR Router | This router will be placed at the edge of the company’s network, linking the company network to the internet service provider. It will manage services that include firewall and VPN. It will provide the company with deep packet inspection and also offer encrypted, secure WAN connectivity and WAN aggregation. |
| Cisco Access Control System | It is a highly sophisticated policy platform offering TACACS+ and RADIUS services. It supports the increasingly complex policies required to address current demands for access control management and compliance. It offers central management of access policies for device administration and for wireless, wired 802.1X, and remote VPN network access scenarios. It offers standards-compliant authentication, authorization, and accounting services to the company’s wireless and VPN users. |
| TACLANE-Micro Encryptor | It is a high-assurance IP encryptor that is crypto modernization compliant. It is optimized for strategic and tactical environments. It will be used to encrypt all data transmitted from the New York company to other locations. It will enhance HAIPE-to-HAIPE remote keying and the compatibility of the IPv6/IPv4 dual stack and Ethernet. |
| McAfee ePolicy Orchestrator server | It offers host-based security to safeguard against data loss, denial of service, malware, reconnaissance, intrusion, and exploitation. It allows virus scanning at all levels, data loss prevention, and integrated host intrusion prevention. |
High Level Security Diagram