SSL Authentication

Submitted By Kevinn
Words 999
Pages 4
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook). Strictly speaking, every version of SSL is now deprecated (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568) and the protocol actually negotiated today is its successor, TLS (Transport Layer Security); the name “SSL” survives in everyday use and in the term “SSL certificate,” and that is the sense in which it is used here.
SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers over plain HTTP is sent in clear text, leaving it open to both eavesdropping and tampering. An attacker who can intercept the traffic between a browser and a web server (on an open Wi-Fi network, at a compromised router, or anywhere else on the path) can read that information, reuse it, and even modify it in transit without either side noticing.
More specifically, SSL is a security protocol. A protocol describes which algorithms are used, in what order, and with which messages; in this case the SSL/TLS handshake lets the client and server agree on a protocol version and a cipher suite, lets the client verify the server’s identity, and establishes the session keys, after which the record layer uses those keys to encrypt and integrity-protect the data being transmitted.
SSL secures millions of people’s data on the Internet every day, especially during online transactions or when transmitting confidential information. Internet users have come to associate their online security with the lock icon that comes with an SSL-secured website, or the green address bar that browsers used to show for an extended validation (EV) certificate. (Chrome and Firefox removed the green EV bar in 2019, so today EV and ordinary certificates look the same in the address bar.) SSL-secured websites also begin with https rather than http. The lock means only that the connection is encrypted and that the certificate chains to a certificate authority the browser trusts for that hostname; it says nothing about whether the site itself is honest, and a phishing site can obtain a valid certificate just as easily as a legitimate one.
All browsers have the capability to interact with secured web servers using the SSL protocol. However, to establish a secure connection the server needs what is called an SSL Certificate, and the browser needs a store of trusted certificate authority (CA) certificates against which it can check that certificate.
SSL Certificates are built around a key pair: a public and a private key. The certificate itself contains only the public key, together with what is called the “subject,” which is the identity of the certificate/website owner, and the hostnames the certificate is valid for (today placed in the subjectAltName extension rather than in the CN); the CA then signs it. The private key never appears in the certificate and must stay on the server. During the handshake the server proves that it holds the private key matching the public key in the certificate, and that proof is what lets the browser set up an encrypted connection with a server it has actually authenticated. Anyone who obtains the private key can impersonate the site, so it must be protected with strict file permissions, kept out of backups and source repositories, and replaced (with the old certificate revoked) if it is ever exposed.
To get a certificate, you first generate the private key on your server and then create a Certificate Signing Request (CSR) with it. The CSR is a data file containing the public key and the subject, signed with the private key, that you send to the SSL Certificate issuer (called a
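As an added worked example (not part of the original essay), here are the key and CSR steps above done with the openssl command line, followed by the two checks a practitioner should run before sending the CSR anywhere: the file contains no private key, and the public key inside it is the one derived from the key on disk. The hostname www.example.com, the organisation name, the 2048-bit RSA key size and the file names are assumptions chosen for the example; it needs the openssl CLI, version 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example, not code from the original essay. Requires the openssl CLI
# (1.1.1 or newer for -addext). Hostname, organisation and key size are
# made up for the example.
set -eu

# make_csr DIR: write DIR/server.key (the private key, which stays on the
# server) and DIR/server.csr (what gets sent to the CA). Prints DIR.
make_csr() {
    dir="$1"
    mkdir -p "$dir"

    # 1. The private key comes first; the CSR is derived from it, not the
    #    other way round.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key"   # readable by the service account only

    # 2. The CSR carries the subject (the identity the CA will vouch for)
    #    and the public key, and is signed with the private key. Browsers
    #    match the hostname against subjectAltName, not CN, so set it.
    openssl req -new -key "$dir/server.key" \
        -subj "/C=US/O=Example Corp/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:example.com" \
        -out "$dir/server.csr" 2>/dev/null

    echo "$dir"
}

# csr_contains_private_key CSR: exit 0 only if private-key material is in
# the file. It must not be: the CSR leaves the host, the key never does.
csr_contains_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# csr_matches_key CSR KEY: exit 0 if the public key embedded in the CSR is
# exactly the one derived from KEY, i.e. the CSR really was generated from
# the private key we intend to deploy.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_cn CSR: print the CN from the subject (handles both the "CN = x" and
# the "/CN=x" output styles of different OpenSSL versions).
csr_cn() {
    openssl req -in "$1" -noout -subject 2>/dev/null \
        | sed 's/.*CN *= *//; s|[,/].*||'
}

# Stand-alone run: build a CSR in a temp dir and report the checks.
demo() {
    work=$(mktemp -d)
    make_csr "$work" >/dev/null
    echo "CSR subject CN: $(csr_cn "$work/server.csr")"
    # -verify checks the CSR's own signature, i.e. that the requester held
    # the private key matching the embedded public key.
    openssl req -in "$work/server.csr" -noout -verify 2>&1 \
        | sed 's/^/CSR self-signature: /'
    if csr_contains_private_key "$work/server.csr"; then
        echo "ERROR: private key material found in CSR"
    else
        echo "CSR contains no private key: ok"
    fi
    if csr_matches_key "$work/server.csr" "$work/server.key"; then
        echo "CSR public key matches server.key: ok"
    fi
    rm -rf "$work"
}
demo
```

The CSR is self-signed with the private key, which is why `openssl req -verify` can confirm that whoever produced it held that key; the CA's signature on the eventual certificate is a separate step that happens on the issuer's side. The public-key comparison is the check that catches the common mistake of regenerating a key and then deploying a certificate issued for the old one.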
