D482 Secure Network Design

School: Western Governors University
Course: D482
Subject: Information Systems
Date: Apr 3, 2024
Pages: 16
Uploaded by HeyyyJordo
Jordan McCready
Student ID#: 010287766
D482 Secure Network Design
DHN1 Task 1: Network Merger and Implementation Plan

A. Network Security / Infrastructure Problems

Company A

Network Security:

1. Company A Risk Analysis, Table D. Risk Identification, Risk #1: Open ports 21-90, 3389. Ports 21 (FTP), 23 (Telnet), and 80 (HTTP) carry credentials and data in cleartext and should be closed; their functions should move to SSH/SFTP on port 22 and HTTPS on port 443. Port 3389 (RDP) should not be reachable from outside the network; remote desktop access belongs behind the VPN.

2. Company A Risk Analysis, Table D. Risk Identification, Risk #2 and Risk #5: All users utilize eight-character passwords / Regular password changes are not enforced. Eight-character passwords can be cracked offline in hours to days depending on their complexity, and once an account is compromised it stays compromised if no maximum password lifetime is enforced. Company A needs to document and enforce a password policy requiring a length of 10-24 characters and a minimum number of character types (uppercase, lowercase, digit, symbol). In addition, the plan sets a maximum password lifetime of roughly 60 days. (NIST SP 800-63B no longer recommends forced periodic rotation on its own; pairing the policy with screening against known-breached passwords and multi-factor authentication gives more protection than expiry alone.)

Infrastructure:

Company A has many end-of-life components in use, which no longer receive security updates or technical support.

1. Security updates and technical support for Windows 7 ended on January 14, 2020 (Microsoft).
2. Security updates and technical support for Windows Server 2012/R2 ended on October 10, 2023. This affects the Application server, File Server, and DMZ FTP and external Web Server (Microsoft).
3. Cisco 7600 series routers reached their end-of-support date on July 31, 2021 (Cisco).
4. Cisco Catalyst 3750-X series switches reached their end-of-support date on October 31, 2021 (Cisco).

Company B

Network Security:

1. Insecure open ports: 20, 21, 23, 80. Ports 20/21 (FTP), 23 (Telnet), and 80 (HTTP) carry credentials and data in cleartext and should be closed; their functions should move to SSH/SFTP on port 22 and HTTPS on port 443.

2. All users have local administrative privileges. This is a major concern and violates the principle of least privilege. A regular end user with local administrative rights can install software, disable endpoint protection, and change system settings, so a single phished or careless user can do significant damage to the network and cause an inadvertent insider incident. Best practice is to remove local administrator rights through group policy and grant users only the rights they need to perform their jobs.

Infrastructure:

Similar to Company A, Company B has many end-of-life components in use, which no longer receive security updates or technical support.

1. Security updates and technical support for Windows XP ended on April 8, 2014 (Microsoft).
2. Security updates and technical support for Windows 7 ended on January 14, 2020 (Microsoft).
3. Security updates for macOS 11 Big Sur ended in late 2023.
B. Vulnerabilities: Impact, Risk, Likelihood

Company A

Vulnerability 1: Company A does not enforce a password policy; all users utilize eight-character passwords and regular password changes are not required. Eight-character passwords can be cracked in a relatively short time depending on their complexity, and once an account is compromised it can remain compromised because no maximum password lifetime is enforced.

Impact: High. If a privileged user's account is compromised, attackers gain a dangerous degree of control over the company's resources. Because Company A stores financial data, this gives the attacker a wealth of information and can cause significant damage to the owners of that data.

Risk: High. This vulnerability can give attackers access to resources whose loss would be detrimental to Company A. A breach would damage Company A's reputation, and customers may seek services elsewhere.

Likelihood: High. The likelihood of user accounts being compromised is high when no password policy is enforced. Computing power has grown enormously; with commodity GPUs an attacker can try billions of guesses per second against a stolen database of fast, unsalted hashes, so the time needed to crack simple eight-character passwords is small compared with the value of the financial data those accounts reach.
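As an added example that is not part of the original paper, the following Ruby script checks candidate passwords against the policy proposed above (10-24 characters, several character classes) and estimates how long exhaustive guessing takes for eight- versus twelve-character passwords. The class threshold (3 of 4) and the guess rate of 10 billion per second are assumed values for illustration, not figures from the paper.

```ruby
# Added example, not from the original paper: a checker for the proposed password
# policy (10-24 characters, several character classes) plus a keyspace estimate
# showing why eight characters is too short. MIN_CLASSES and the guess rate used
# below are assumed values for illustration, not benchmarks.

MIN_LEN     = 10
MAX_LEN     = 24
MIN_CLASSES = 3   # assumed threshold: at least 3 of the 4 classes below

CLASSES = {
  lower:  /[a-z]/,
  upper:  /[A-Z]/,
  digit:  /[0-9]/,
  symbol: /[^A-Za-z0-9]/
}.freeze

# Alphabet size of each class (33 printable ASCII symbols).
CLASS_SIZES = { lower: 26, upper: 26, digit: 10, symbol: 33 }.freeze

# Character classes actually present in a password.
def classes_present(password)
  CLASSES.select { |_, re| password.match?(re) }.keys
end

# Policy violations for a candidate password; an empty array means it is accepted.
def password_policy_violations(password)
  violations = []
  violations << "too short (#{password.length} < #{MIN_LEN})" if password.length < MIN_LEN
  violations << "too long (#{password.length} > #{MAX_LEN})"  if password.length > MAX_LEN
  present = classes_present(password)
  if present.size < MIN_CLASSES
    violations << "only #{present.size} character class(es), policy requires #{MIN_CLASSES}"
  end
  violations
end

# Number of candidates needed to exhaust every password of the given length
# drawn from the given classes (worst case for the attacker).
def keyspace(length, classes)
  alphabet = classes.sum { |c| CLASS_SIZES.fetch(c) }
  alphabet**length
end

# Seconds to exhaust that keyspace at an assumed offline guess rate.
def seconds_to_exhaust(length, classes, guesses_per_second)
  keyspace(length, classes).fdiv(guesses_per_second)
end

if __FILE__ == $PROGRAM_NAME
  %w[password P@ssw0rd Summer2024 Winter-Merger-2024].each do |pw|
    v = password_policy_violations(pw)
    puts "#{pw.ljust(20)} #{v.empty? ? 'accepted' : v.join('; ')}"
  end
  rate = 1e10 # assumed: GPU cracking of a fast, unsalted hash
  [8, 10, 12].each do |len|
    secs = seconds_to_exhaust(len, %i[lower upper digit], rate)
    puts "#{len} chars, 62-symbol alphabet: #{(secs / 86_400).round(1)} days to exhaust"
  end
end
```

At the assumed rate, every eight-character alphanumeric password falls in under a day, while twelve characters from the same alphabet takes on the order of ten thousand years, which is the practical reason the proposal raises the minimum length rather than only adding complexity rules.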
Vulnerability 2: Company A has many end-of-life components in use, which no longer receive security updates or technical support: Windows 7, Windows Server 2012/R2, Cisco 7600 series routers, and Cisco Catalyst 3750-X series switches.

Impact: High. Using end-of-life components can have a major impact. These components may provide functions critical to meeting customers' needs. Every vulnerability disclosed after the end-of-support date stays unpatched, and if an attacker exploits one, the component and every service it provides can be taken offline. End-of-life components also become costly to maintain, because they need compensating protection such as isolation and extra monitoring.

Risk: High. Depending on end-of-life components is a high risk. The functional requirements of the organization and its customers cannot be met if these components can no longer be used, and with no security updates or technical support they are one exploit away from causing serious harm to the organization.

Likelihood: Moderate. The likelihood of end-of-life components causing problems is moderate. Although updates and support are no longer provided, compensating controls and knowledgeable staff reduce the chance that issues arise. There is a limit to what can be done, however, because security measures must be balanced against keeping these components available for business needs.
Company B

Vulnerability 1: Systems using Distributed Ruby (dRuby/DRb) do not restrict which hosts may execute system commands or Ruby scripts through the service.

Impact: High. DRb forwards method calls from any connected client to the server's front object, so a service that does not restrict its hosts lets an attacker run commands that read credentials, delete critical files, or install a backdoor. The possible outcomes of this vulnerability would have a major impact on the organization.

Risk: High. The risk is high because of the commands an attacker could execute through the service. This emphasizes the need for administrators to put security controls in place to mitigate the vulnerability.

Likelihood: Low. The likelihood of attackers executing system commands or Ruby scripts is low provided administrators of the DRb systems put controls in place (an access control list, and binding the service to a trusted interface rather than all interfaces) so that only trusted hosts can reach it.

Vulnerability 2: Similar to Company A, Company B has many end-of-life components in use, which no longer receive security updates or technical support: Windows XP, Windows 7, and macOS 11 Big Sur.
Impact: High. Using end-of-life components can have a major impact. These components may provide functions critical to meeting customers' needs. Every vulnerability disclosed after the end-of-support date stays unpatched, and if an attacker exploits one, the component and every service it provides can be taken offline. End-of-life components also become costly to maintain, because they need compensating protection such as isolation and extra monitoring.

Risk: High. Depending on end-of-life components is a high risk. The functional requirements of the organization and its customers cannot be met if these components can no longer be used, and with no security updates or technical support they are one exploit away from causing serious harm to the organization.

Likelihood: Moderate. The likelihood of end-of-life components causing problems is moderate. Although updates and support are no longer provided, compensating controls and knowledgeable staff reduce the chance that issues arise. There is a limit to what can be done, however, because security measures must be balanced against keeping these components available for business needs.
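The host restriction that Company B's Vulnerability 1 above calls for, shown as an added example rather than anything from the paper or from the companies' systems. It uses the ACL class that ships with Ruby's drb library; the loopback address and the 10.10.0.0/16 admin subnet are assumed values for illustration.

```ruby
require 'drb/acl'

# Added example, not from the paper: the host restriction a dRuby (DRb) service
# should carry, built with the ACL class bundled with drb. Without an installed
# ACL, DRb accepts any TCP peer, and a client can invoke the front object's
# public methods (Object#instance_eval included), which is the unrestricted
# command execution described above. Address ranges are assumed for illustration.

# Default-deny: only loopback and an assumed admin subnet may connect.
TRUSTED_ACL = ACL.new(%w[
  deny  all
  allow 127.0.0.1
  allow 10.10.0.0/16
])

# A peer address in the shape Socket#peeraddr returns: [family, port, host, ip].
def peer(ip, port = 44_444)
  ["AF_INET", port, ip, ip]
end

# true when the ACL admits a connection from the given IP.
def admitted?(acl, ip)
  acl.allow_addr?(peer(ip))
end

# An ACL with no rules (what a service effectively has before DRb.install_acl
# is called) admits every peer; this is the exposed configuration.
def open_to_all?(ip)
  ACL.new.allow_addr?(peer(ip))
end

if __FILE__ == $PROGRAM_NAME
  # To enforce it on a real service, install the ACL before starting DRb and
  # bind to a specific interface rather than 0.0.0.0:
  #   DRb.install_acl(TRUSTED_ACL)
  #   DRb.start_service('druby://127.0.0.1:8787', front_object)
  %w[127.0.0.1 10.10.5.7 10.11.0.1 203.0.113.9].each do |ip|
    puts "#{ip.ljust(12)} no ACL: #{open_to_all?(ip)}  default-deny ACL: #{admitted?(TRUSTED_ACL, ip)}"
  end
end
```

The ACL only decides who may connect. An admitted client can still call any public method of the front object, so the service should also expose a small, purpose-built front object rather than a general Ruby object, and should listen only on the interface the trusted hosts use.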
C. Network Topology Diagram
D. OSI / TCP/IP Components

Component                 OSI layer                  TCP/IP layer
Cabling                   Layer 1 - Physical         Layer 1 - Network Access
Wireless Access Points    Layer 2 - Data Link        Layer 1 - Network Access
Switches                  Layer 2 - Data Link        Layer 1 - Network Access
Routers                   Layer 3 - Network          Layer 2 - Internet
VPN                       Layer 3 - Network          Layer 2 - Internet
Firewalls                 Layer 7 - Application      Layer 4 - Application
Desktops                  Layer 7 - Application      Layer 4 - Application
Laptops                   Layer 7 - Application      Layer 4 - Application
Printers                  Layer 7 - Application      Layer 4 - Application
Servers                   Layer 7 - Application      Layer 4 - Application

Note: the firewall and VPN rows give the highest layer each device operates at. Packet-filtering firewalls work at OSI layers 3 and 4 and only next-generation firewalls (such as the Fortinet units proposed in section E) inspect up to layer 7; IPsec VPNs operate at layer 3, while SSL/TLS VPNs sit above the transport layer.
E. Rationale For Components In Newly Merged Network Topology Diagram

The first action to take is to replace the end-of-life components in use: the hosts running Windows XP, Windows 7, and macOS 11 Big Sur, the servers running Windows Server 2012/R2, the Cisco 7600 series routers, and the Cisco Catalyst 3750-X series switches. All hosts will be upgraded to Windows 11, totaling $12,000. Updated Cisco stacked switches will be implemented, totaling $6,000. Two additional Fortinet firewalls will be purchased as well, totaling $4,000. The addition of two VPN routers will require remote users to authenticate before reaching the network, a first step toward a zero trust environment (full zero trust also requires multi-factor authentication and per-resource authorization rather than network-level access alone). These VPN routers will cost $7,500. AWS VPC cloud-based servers will run about $1,600 per month and will replace the end-of-life Windows Server 2012/R2 systems. This also gives the merged company a cloud infrastructure environment with scalability and redundancy. All in all, the first-year total of these added components comes to $48,700.

Component            Quantity   Price                      Total
VPN Routers          2          $3,750                     $7,500
Fortinet Firewalls   2          $2,000                     $4,000
Windows 11           30         $400                       $12,000
Cisco Switches       6          $1,000                     $6,000
AWS VPC Servers      4          $1,600/mo (all four)       $19,200/yr
Total (first year)                                         $48,700
F. Secure Network Design Principles

1. One secure network design principle used in the proposed network topology diagram is defense in depth. The VPNs, firewalls, DMZ, and VLANs provide multiple layers of security that an attacker must get through to reach sensitive components of the network. An attacker may exploit a vulnerability in one layer, but the likelihood of the attacker moving laterally across the network decreases with every additional layer (Stewart, 2021).

2. Another secure network design principle used in the proposed network topology diagram is network segmentation. With the continued use of a DMZ and VLANs, the network is divided into zones based on the sensitivity and function of each part. The DMZ lets external users reach the web servers while isolating them from the internal network. VLANs partition the switches into separate subnetworks, which are more organized, manageable, and secure (Stewart, 2021). Segmentation only restricts traffic when a firewall or router ACL filters what passes between the VLANs; a VLAN alone is a logical boundary, not an access control.
G. Regulatory Compliance

1. One regulatory compliance requirement relevant to the newly merged company is PCI DSS Requirement 1, installing and maintaining a firewall configuration to protect cardholder data (Stewart, 2021). This requirement applies because the company operates in the financial industry and serves customers with various financial products. In the proposed merged network topology diagram, it is met with multiple firewalls: at the boundary between the two companies' networks, around the DMZ, and in front of the VPC where the companies' cloud-based servers reside.

2. Another regulatory compliance requirement relevant to the newly merged company is the GDPR requirement to control access to personal data through access controls (Article 32, security of processing) (Stewart, 2021). This requirement applies because the company stores customer financial data. In the proposed merged network topology diagram, it is met with VLANs that isolate data based on its sensitivity. Access controls are also in place through enforced security policies and procedures (for example, the password policy) and management of user privileges via group policies.
H. Emerging Threats

1. One emerging threat applicable to the merged organization is artificial intelligence. Artificial intelligence allows computers to replicate human problem-solving and decision-making. Specifically, AI-powered botnets can detect vulnerabilities in a network, evade detection by network tools, and exploit the vulnerabilities they find (Krishna, 2023). This threat is relevant to any network, and depending on the vulnerabilities exploited it can affect any component of the CIA triad. Mitigation starts with the basics that an automated attacker is scanning for: closing the insecure ports and retiring the end-of-life systems identified in section A, patching promptly, and monitoring for scanning and unusual outbound traffic, while staying up to date on current cybersecurity guidance so that best practices are applied as the threat evolves.

2. Another emerging threat applicable to the merged organization is quantum computing. Quantum computing is an evolving technology that uses quantum mechanics to solve certain problems far faster than classical computers. Quantum computers are still in their infancy, but the threat lies in making current public-key encryption algorithms obsolete (NIST, 2023): a sufficiently large quantum computer running Shor's algorithm would break RSA and elliptic-curve cryptography, which protect the key exchange and signatures in TLS and VPN tunnels, while symmetric algorithms such as AES-256 remain adequate. This would strip the confidentiality component of the CIA triad from the financial data stored by the merged organization. Cybersecurity leaders are planning ahead with new encryption standards; in August 2023 NIST published draft standards for its selected post-quantum algorithms (Kyber/ML-KEM for key establishment, Dilithium and SPHINCS+ for signatures) (NIST, 2023). One way to manage this risk is to inventory where public-key cryptography is used in the merged network and its vendors' products, so the organization can migrate as governing bodies finalize guidance for a quantum computing era.
I. Summary

To adhere to the interests expressed by executives, zero trust principles, regulatory requirements, and the provided budget, the following items have been proposed:

- AWS VPC cloud-based servers will replace the end-of-life Windows Server 2012/R2 systems. This also gives the merged company a cloud infrastructure environment with scalability and redundancy. The merged company can transition from a hybrid environment to a cloud environment over time as current on-premise infrastructure reaches end of life.
- The addition of two VPN routers will require remote users to authenticate before reaching the network, a first step toward a zero trust environment.
- Two additional Fortinet firewalls will be purchased to further secure the network.
- All end-of-life components will be replaced to mitigate current infrastructure vulnerabilities and provide enhanced security capabilities.

Implementing the proposed changes will help ensure that the merged company is compliant with applicable regulatory requirements, including GDPR and PCI DSS. The plan stays under the $50,000 budget, with a first-year total of $48,700 (including twelve months of AWS). The merged company will migrate business processes to the cloud while also maintaining processes on-premise, allowing it to take part in the digital transformation trend and work toward being a workplace of the future.
J. Sources

Cisco. "Cisco Catalyst 3750-X Series Switches." Cisco, www.cisco.com/c/en/us/support/switches/catalyst-3750-x-series-switches/series.html.
Cisco. "Cisco 7600 Series Routers." Cisco, www.cisco.com/c/en/us/obsolete/routers/cisco-7600-series-routers.html.
Krishna, S. Rama. "The Dark Side Unleashed: The Threat of AI-Powered Botnets." LinkedIn, 1 June 2023, www.linkedin.com/pulse/dark-side-unleashed-threat-ai-powered-botnets-dr-s-rama-krishna.
Microsoft. "End of Support for Previous Versions of Windows." Microsoft, www.microsoft.com/en-us/windows/end-of-support.
Microsoft. "Windows Server 2012/R2 Reaches End of Support." Azure Updates, 13 Oct. 2023, azure.microsoft.com/en-us/updates/windows-server-2012r2-reaches-end-of-support/. Accessed 5 Feb. 2024.
Microsoft. "Windows XP - Microsoft Lifecycle." Microsoft Learn, learn.microsoft.com/en-us/lifecycle/products/windows-xp.
NIST. "NIST to Standardize Encryption Algorithms That Can Resist Attack by Quantum Computers." NIST, 24 Aug. 2023, www.nist.gov/news-events/news/2023/08/nist-standardize-encryption-algorithms-can-resist-attack-quantum-computers.
Stewart, James Michael. CompTIA Security+ Review Guide: Exam SY0-601. John Wiley & Sons, 2021. ProQuest Ebook Central, https://ebookcentral.proquest.com/lib/westerngovernors-ebooks/detail.action?docID=6453439.