1.0 Introduction
Network security entails the enforcement of protection on networks, their services and programs from unauthorized access. Securing a network encompasses policies, software, hardware and procedures designed to defend against both external and internal threats to the network (Perez, 2014). Multiple hardware and software layers can also be implemented as part of the network security strategy to help defend against intruder threats and prevent the spread of attacks in case of security breaches. Without a proper security infrastructure, every part of the network is highly vulnerable to unauthorized activities from intruders and security breaches.
Intruders range from relentless criminals and competitors to employees and careless users. As such, maintaining security over the network is one of the most crucial activities for the business.
2.0 Overview of network security fundamentals
2.1 Network security threats
2.1.1 Denial of Service attacks
These are a series of attacks in which the attacker aims to make a network resource or machine inaccessible to its intended users by permanently or temporarily disrupting the hosts that provide the service.
The attack is typically achieved by flooding the target resource or machine with superfluous requests, which overloads it and prevents it from serving legitimate requests from users (Perez, 2014). These attacks are most often characterized by very slow network performance, disconnection of wired or wireless internet connections, inability to access particular websites and an upsurge in the number of spam emails to the network users.
2.1.2 Network Phishing
This is an attempt by an intruder to obtain access to network user information like passwords and usernames for malicious purposes. The attacks are mainly conducted through techniques like website forgery, link manipulation and conversion of redirects.
In all these techniques, the intruder deceives the user into submitting their details by creating deceptive replicas of content, such as websites and links, that the user intends to use. The attacks most often target executives and high-profile members of the organization in order to obtain access to vital components of the organization.
2.1.3 Network spoofing
This is an attack conducted while data is in transit from hosts to client computers. The attacker basically tries to emulate a trusted host by first identifying its IP address, compromising it and then modifying messages in transmission, making them appear to be originating from the trusted host (Perez, 2014).
2.1.4 Viruses and malicious software
Viruses are computer programs created by hackers and can be injected into systems through user computers. Once in the network, they can collect organization information and transmit it back to the intruder, who can use it for malicious purposes. The programs can also be used to damage organization files and limit access to them by the target users.
2.2 Issues in network security
2.2.1 Security policies
These are a set of practices, procedures and rules dictating the sensitivity with which network information should be managed, distributed and protected. Usually, a security policy is a document that expresses the exact security levels the network should have and provides the techniques to accomplish them (Perez, 2014). For network security, the policies are often specific, each with its own area of coverage. There are dozens of them, but the application of each depends on the size of the organization, which dictates its network security requirements. In some organizations, a single document can cover all the security facets, while others may need multiple individually focused documents. Sample policies that the company should consider include information sensitivity, ethics, risk assessment procedures, emailing, passwords and acceptable usage policies.
2.2.2 Standards
These provide a description of industry best practices, design principles and concepts, as well as the frameworks for security implementations to attain the required level of access procedures and processes. They are basically strategic in nature, providing definitions of the system processes and parameters, and just like security policies, they also vary by industry. Sample security standards include COBIT and ISO 17799 (Perez, 2014).
3.0 Detailed Network Security Recommendations
3.1 Fundamentals of firewalls and VPNs
3.1.1 Firewalls
A firewall is a network security system that controls and regulates access to protected networks such as private corporate networks. This protection is particularly against external untrusted networks like the internet. For this reason, firewalls are implemented in such a way that all access requests from external networks must pass through them, thereby eliminating the need for individual protection of every host and server in the network. A firewall is typically located at the point where the network links with the external network. This location also allows it to provide authentication and security services for remote users, thereby facilitating the detection of unauthorized users attempting to access the network. For the firewall to be efficient, the company will first need to define the network security policy, which will define the resources to be protected and their vulnerabilities and threats.
Below is a diagram depicting the implementation of a firewall.
3.1.2 Virtual Private Networks
A Virtual Private Network is an extension of a private network encompassing links across shared networks like the internet (Seitz, 2016). The VPN utilizes the internet as the public communication framework while ensuring privacy within the network layer.
Technically, it encapsulates IP packets into other IP packets, after which it applies cryptographic techniques for encryption and authentication (Zhang, Zhang, Chu, & Li, 2004). It also uses other data encryption techniques to ensure authorized access to organization data. A VPN allows for remote access, where multiple computers can be connected to networks through the client-server architecture. Alternatively, this is achieved by a site-to-site network connection (Zhang, Zhang, Chu, & Li, 2004).
The client-server connection allows for access to the company intranet from any location, while site-to-site VPNs allow for sharing over cohesive virtual networks from where employees can access database servers, web servers and virtual drives. Remote access to the network is regulated by the SSL protocol, while communication is controlled by the RSVP protocol and the RSA technology (Mark & Lewis, 2006). This allows for the manual specification of encryption keys as well as hash algorithms for encryption, thus effectively protecting the network from hacker attacks, which is a key requirement for the VPN. The VPN also integrates the Transport Layer Security protocol over the entire network, thereby ensuring that network communication occurs over secure individual connections only.
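The encapsulation step described in this section, as an added example that is not taken from any VPN product: a whole inner IPv4 packet is wrapped in an outer packet between two gateways and protected by an HMAC-SHA256 tag. The tunnel layout (inner packet followed by a 32-byte tag), the addresses and the key are assumptions made for this sketch, and encryption is not shown because the Python standard library has no cipher.

```python
import hashlib
import hmac
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, length, id, flags, TTL, proto, csum, src, dst
IPIP = 4                    # IANA protocol number for IPv4-in-IPv4
TAG_LEN = 32                # HMAC-SHA256 tag appended by this example's tunnel layout

def checksum(header):
    """RFC 1071 ones'-complement sum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    """Build a 20-byte IPv4 header (no options) followed by payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload

def encapsulate(inner, gw_src, gw_dst, key):
    """Wrap a whole inner packet in an outer packet between the two gateways."""
    tag = hmac.new(key, inner, hashlib.sha256).digest()
    return ipv4(gw_src, gw_dst, IPIP, inner + tag)

def decapsulate(outer, key):
    """Verify the tag before releasing the inner packet to the private network."""
    if len(outer) < 20 + TAG_LEN or outer[9] != IPIP:
        raise ValueError("not a tunnel packet")
    inner, tag = outer[20:-TAG_LEN], outer[-TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return inner

if __name__ == "__main__":
    key = b"constructed-demo-key"  # sample key, constructed for this example
    inner = ipv4("192.168.1.5", "192.168.2.9", 6, b"payload")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1", key)
    # Only the gateway addresses are visible in the outer header.
    print(socket.inet_ntoa(outer[12:16]), "->", socket.inet_ntoa(outer[16:20]))
    print(decapsulate(outer, key) == inner)
```

On the shared network only the outer header's gateway addresses are routable fields; a packet modified in transit fails the tag check and is dropped before it reaches the private side.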
3.2 VPN and firewall solutions recommendation
For this implementation, the best VPN to opt for will be Express VPN. The VPN specifically provides a master console from where the administrator can manage the network security settings, monitor remote access and control the devices that can be accessed remotely. The master console is accessed through the devices it manages, and only via restricted user identifications, SSH keys and passwords over an internet browser. However, the key limitation of the console is the restricted access to storage devices and management tools. For the firewall, I recommend the Cisco FirePOWER System, which uses multiple techniques to detect security threats, including signature-based detection, network flow analysis, deep-packet inspection and DoS (Denial of Service) detection (Pascucci, 2016).
3.3 Recommendations for Implementation
In terms of implementation, the VPN is host firewall and router aware and will work efficiently with the existing firewalls, allowing VPN traffic to pass without any hindrance. The only requirement for this implementation will be a VPN appliance, preferably a server for the management of outgoing and incoming VPN traffic. The appliance will also initiate and manage VPN sessions as well as controlling their access to shared network resources (“VPN Security and implementation”, 2005). The implementation will also require the use of the client’s internet connection to connect to the vendor’s servers. In addition, the VPN client software will need to be installed on the users’ PCs for them to connect to the VPN. The software will not require much configuration, since most of the transmission will be done over the gateways already configured with the private IP addresses of all other VPN locations (Seitz, 2016).
For the firewall, effective implementation will first require an understanding of the security (VPN) parameter placement and the precautions for effective management. I would recommend the implementation of multiple firewalls at the points of connection of the intranets to the external network, which in this case will be the internet.
Below is a layout for the VPN and firewall implementation. All the network connectivity and remote support will be managed by the Hardware Management Console as illustrated in the diagram. The console will be connected to the client’s network, while the application proxy and the firewall will be between the networks. The console will be installed in a custom supplied rack when configured as an external console, or in the base frame of a DS8000 when configured as an internal console. The DS8000 is a family of storage devices that will be used in the implementation of the VPN network (Zhang, Zhang, Chu, & Li, 2004).
3.4 Security Practices
As the Chief Information Security Officer of the company, the first initiative I will put in place to enhance the security of the organization’s information systems is establishing knowledge of the network. This will involve recording all network addresses, encryption information, device names, their purposes in the network and the people responsible for their control, and creating inventories of all the devices as well as recovery tools. This will be vital in enhancing early detection of vulnerabilities and potential threats, giving room for corrective measures (Nash, 2016).
I will also take control of the entire system by ensuring that all the network connection points to the system are implemented with filters to restrict the use of protocols and ports not documented within the organization’s business needs. This will also involve the tuning of logs to keep track of the system’s activities (time stamps, dates, source and destination addresses for activities) and report generation on a daily basis (Dhillon, 1997). Besides, for additional security, I will ensure that all security tests are documented on secure offline servers for comparison in subsequent tests.
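One way to combine the device inventory and the documented protocol and port list from this section into a daily log report, as an added example that is not part of the original paper. The inventory entries, the allowed services, the log format and the log lines are all constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Hypothetical inventory: address -> (device name, purpose, owner).
INVENTORY = {
    "10.0.1.10": ("web01", "intranet web server", "it-ops"),
    "10.0.1.20": ("db01", "database server", "dba-team"),
    "10.0.2.15": ("ws-finance-3", "workstation", "finance"),
}
# Documented business needs: destination -> allowed (protocol, port) pairs.
DOCUMENTED = {"10.0.1.10": {("tcp", 443)}, "10.0.1.20": {("tcp", 5432)}}
# Constructed log lines: timestamp, source, destination, protocol, port.
SAMPLE_LOG = """\
2024-05-01T08:00:12 10.0.2.15 10.0.1.10 tcp 443
2024-05-01T08:03:40 10.0.2.15 10.0.1.20 tcp 5432
2024-05-01T09:17:05 10.0.2.15 10.0.1.10 tcp 23
2024-05-01T11:42:31 10.0.9.99 10.0.1.20 tcp 5432
2024-05-02T02:10:00 10.0.2.15 10.0.1.20 udp 161
not a log line
"""

def audit(log_text):
    """Return ({day: Counter of finding kinds}, [(day, line number, kind)])."""
    daily, findings = {}, []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            ts, src, dst, proto, port = line.split()
            day = datetime.fromisoformat(ts).date().isoformat()
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            rule = (proto.lower(), int(port))
        except ValueError:
            findings.append((None, n, "unparseable"))  # keep bad lines visible
            continue
        kinds = []
        if src not in INVENTORY:
            kinds.append("unknown-source")
        if rule not in DOCUMENTED.get(dst, set()):
            kinds.append("undocumented-service")
        for kind in kinds:
            findings.append((day, n, kind))
            daily.setdefault(day, Counter())[kind] += 1
    return daily, findings

if __name__ == "__main__":
    daily, findings = audit(SAMPLE_LOG)
    for day in sorted(daily):
        print(day, dict(daily[day]))
    print(findings)
```

Lines that cannot be parsed are reported instead of silently skipped, so a change in log format shows up in the daily report.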
Lastly, I will ensure that vulnerability scans are run on the system on a weekly or daily basis. The scans will encompass comparison of previous system states with the current one, evaluation of previously detected problems and their impacts on the system, as well as evaluation of the system’s source code for possible backdoors and malware. The final activity of the tests will be the deployment of firewalls to shield the system from common and unpredicted web attacks.
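The state comparison described above can be sketched as a diff between two scan snapshots, shown here as an added example that is not part of the original paper. The hosts, ports, service banners and the list of previously detected problems are constructed sample data, and the snapshot layout is an assumption.

```python
# Constructed snapshots from two scan runs: host -> {port: service banner}.
PREVIOUS = {
    "10.0.1.10": {443: "nginx 1.24", 22: "OpenSSH 9.3", 21: "vsftpd"},
    "10.0.1.20": {5432: "postgres 15", 23: "telnetd"},
}
CURRENT = {
    "10.0.1.10": {443: "nginx 1.24", 22: "OpenSSH 9.3", 8080: "unknown http"},
    "10.0.1.20": {5432: "postgres 16", 23: "telnetd"},
    "10.0.1.30": {3389: "rdp"},
}
# Problems recorded by the previous scan (hypothetical tracking list).
KNOWN_PROBLEMS = {("10.0.1.20", 23), ("10.0.1.10", 21)}

def flatten(snapshot):
    """Turn host -> {port: banner} into {(host, port): banner}."""
    return {(h, p): s for h, ports in snapshot.items() for p, s in ports.items()}

def compare(previous, current, known_problems):
    """Classify what changed between two scans and which problems persist."""
    prev, cur = flatten(previous), flatten(current)
    return {
        "new_hosts": sorted(set(current) - set(previous)),
        "opened": sorted(set(cur) - set(prev)),
        "closed": sorted(set(prev) - set(cur)),
        "changed": sorted(k for k in set(prev) & set(cur) if prev[k] != cur[k]),
        "unresolved": sorted(known_problems & set(cur)),
        "resolved": sorted(known_problems - set(cur)),
    }

if __name__ == "__main__":
    for section, items in compare(PREVIOUS, CURRENT, KNOWN_PROBLEMS).items():
        print(section, items)
```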
4.0 Summary
Securing the company’s network is the number one priority, and I highly recommend that this implementation be based on the firewall and VPN technologies. Specifically, Cisco FirePOWER and Express VPN are the options to consider given their capabilities and minimal implementation requirements. Express VPN will also facilitate remote access, which is a key requirement of the organization.