Q-3: A company, Vortex®, works mainly in currency exchange. The company has more than 10000 customers and 700 employees. The company has 25 servers of different types (database, web server, product activation server, etc.). Two servers are still unoccupied. The company employees utilize different operating systems such as Windows XP, Windows 8.1, Windows Server 2012, and Debian Linux. The client computers used in the working environment are a mix of computers provided by the company, employees’ BYOD (bring your own device) computers, and mobile devices. The clients are connected through both cable and Wi-Fi.
The internet connection comes from two different ISPs. A lot of time is spent on setting up local user accounts on every employee’s computer and on troubleshooting third-party applications installed by the employees. The company plans to move some of its applications to the cloud, and the company needs this issue to be considered.

It is required to:
1. Design a complete server security architecture for the company Vortex®. The design should produce secure servers and build a secure working environment from both inside and outside the company.
2. Develop a flowchart that describes the design aspects for the entire design process. You can use an IF-THEN approach.
Hints: You can consider different factors and keywords in your design like:
• The network design/topologies for the 25 servers. Dividing the servers into different network zones according to the sensitivity and functionality of the servers
• Protection of the servers from the networking perspective. Network-based firewalls, distributed firewalls, and host-based firewalls
• The installation and the hardening process of the server OSs, which needs a policy or a regulation document
• User/customer authentication to the servers (from inside the company and from outside the company as well)
• Server management plans by IT personnel
• Security techniques for the database servers that are connected to database security on the application layer
• Security awareness, training, and education for the employees
• Advice about using cloud computing by Vortex®

The question has a broad scope, and you have to do your best to bring in all the possible design aspects. You need to apply what you have learned from the lab assignments in the design of the server security architecture.

Answer

Interconnected computers bring a large number of possibilities to the company Vortex for collaboration, intercommunication, remote access, social networking, and file and printer sharing. Network communications in small to medium organizations are often impaired by malicious attacks that target network equipment and users to disrupt network traffic. The most common among those attacks are denial-of-service attacks and user or host compromise attacks.

In a denial-of-service attack, the attacker sends large amounts of bogus data traffic to the target computer with the intention of causing disruption while consuming large amounts of bandwidth, in the end rendering the computer unable to provide services to the intended legitimate users.
In a host compromise attack, the attacker exploits vulnerabilities in a host, thereby gaining control of it [2]. When these two attacks are combined, they can be used to cause a more destructive kind of attack called a distributed denial of service (DDoS) attack.

Network Security for Client-Server Architecture Using Wiretap Codes. Matthieu Bloch, Member, IEEE, Rajesh Narasimha, and Steven W. McLaughlin, Fellow, IEEE.

The number of DDoS attacks has been on the rise recently against many popular e-commerce and gaming websites, mostly targeting domain name servers. The most important solution that research has found for countering them is the design of secure servers and of detection and recovery schemes that use detection features like intrusion detection systems (IDS). Other methods include resistant schemes designed around built-in capabilities to survive and resist network attacks. All these measures have been proposed but have not solved the ever-increasing attacks, and hackers still launch successful attacks [2]. The solution therefore resides in the design of secure network architectures and other network schemes that are capable of avoiding and mitigating serious impacts of the attacks.

The reasons for the security architecture design include:
• Consumer trust and confidence
• Better business focus
• Better and secure information exchange
• Remote and secure access to internal workings and operations
• Improved business productivity
• Reduction in costs associated with loss of information

Components of the security architecture model

A successful security model will be in a position to put together a combination of policies and leading practices, user training and education, new technologies, and awareness programs. Four different layers are considered in the design of the server security architecture and are addressed in the architecture:
• Secure access
• Hardware and operating system
• Applications
• Human aspects

A number of programs like anti-virus, intrusion protection systems, and firewalls play an important role in protecting the company from attacks coming from within the organization or outside it. A holistic architecture will be implemented at Vortex® to get the most from the security mechanisms, and it will be inclusive of all the security elements.
This architecture is coordinated and structured to include the people, the network servers, and the end user computers, which work together to completely ensure security at Vortex®.

To align these components effectively, the security architecture will be driven by policy stating management’s performance expectations, how the architecture is to be implemented, and how the architecture will be enforced. This will enable the architecture to guide management so that decisions are aligned and consistent throughout the entire IT landscape. The architecture will also be strategic: it will be structured in a way that supports the organization’s business goals.

The IT department will be in a position to understand the design of the security architecture and its main components, how to assess the architecture’s effectiveness, and all the needed frameworks in order to maximize any audit efforts [3].

The following areas of concern will also form part of an effective and carefully planned security architecture and will be evaluated during audits of the security architecture:
• Guidance in the areas of incident response, baseline configuration, account creation and management, disaster recovery, and security monitoring.
• Identity management.
• Inclusion and exclusion of who and what is subject to the domain of the security architecture.
• Access and border control.
• Validation and adjustment of the architecture.
• Training.
• Education.

The logical network zoning or separation of the servers

The 25 servers will be positioned in a logical division of network servers in the Vortex company. This division is done to make the network more manageable, to reduce data theft, to reduce the attack surface, and for compliance. Each security zone will have a well-defined perimeter and strict protection of its boundaries because the systems that are in it are highly likely to be attacked.
For example, an end user computer will be given different security requirements in the architecture compared to the financial accountant that stores confidential financial reports in the restricted zone. The zones must all comply with the general security rules and guidelines:
• Each zone will only have one separate entry point as defined by the firewall
• All outbound and inbound traffic must be monitored at the system perimeter
• All systems and groups must be identified
• Only traffic that relates to Vortex® will be allowed to leave and enter the system perimeter

While this can be done smoothly, complexity must be limited by defining clear security requirements and defining a few or small network security zones.

The Goals:

The goal is to reduce the attack surface in a zone, which can be achieved by exposing a small number of services coupled with much stricter access control methods that provide limited access to only identified groups of users. This makes the zones safe in case of an attack: the attacker must compromise all the outer zones before accessing the inner zones where critical information is stored, which highly increases the availability of critical systems.

Network segmentation provides the following goals as part of a defense in depth:
• Minimal data breach
• Limits attack surfaces
• Divides the system into compartments
• Increases the availability of the system

The network zones and their attached trust levels

Zone            Trust level attached
Restricted      The highest trust
Management      Highest trust
Extranet        Medium
Enterprise      Medium
External DMZ    Low
Internet        Don’t trust

Restricted Zone

This is the place for all sensitive information, a breach of whose confidentiality, integrity, and availability has far-reaching consequences for the company’s reputation, competitiveness, and market share prices. The highest protection will be placed at this zone to detect and stop any attacks.
The critical systems at this level will include:
• Financial database
• User system databases
• Human resource database
• Intellectual property

Management zone

The management zone is the center of monitoring and control, such as performance servers, security management, and configuration management. Here some users have higher access privileges than other users, which makes systems in this zone a prime target for attackers.

Extranet Zone

This zone will house highly trusted connections with third-party business partners, which also extend to the enterprise zone. Information and data flowing between the internal network and the external network must be filtered and monitored so that only company information is allowed to leave or enter the zone at the perimeter.

Vortex® has no control over the systems in the external zone, which are outside its control.
This requires that all third parties adhere to risk assessments, so that their security position is understood before any connection is allowed to them.

External Demilitarized zone (DMZ)

The external DMZ is responsible for all devices that require internet connectivity. It provides access to systems that operate between the enterprise zone and the internet.

All traffic that passes the extranet and the enterprise zones is to be monitored. Under the extranet zone, hardening is performed on the systems to minimize attacks. These systems include:
• Email gateway
• External web servers
• Web proxy servers
• Remote service access
• FTP servers

Intranet zone

This zone is solely responsible for mediating between the restricted zone, the external zone, and the internal zone. Application servers will reside in this zone, and end users’ devices must authenticate to the restricted zone before being allowed access.

Enterprise zone

This is the platform for end user devices like computers, printers, mobile phones and tablets.
Their protection is important to reduce exposure of end user devices to the risks of malware.

Zone control and data access

Each zone is assigned a security level with a trust relationship that increases from the outer zones toward the innermost zone. Data must be prevented from flowing unnecessarily by deploying security controls between zones. This will be achieved by use of monitoring tools like intrusion detection and prevention systems, inspection firewalls, continuous access controls, and data loss prevention. Implementing security controls within a zone will enable easy detection of malicious activity across the systems within that zone (SecureArc, n.d.).

Training and education

Training is key and will be vital in establishing a secure architecture in support of the efficiency of system users. In some scenarios, some individuals may perceive security as a hindrance to the day-to-day duties of their jobs and may not have an understanding of the risks they face as a result of system use. This can be attributed to the numerous changes in security updates and security architectures due to emerging security threats.
Therefore, regular user training and education keeps security awareness visible in the minds of employees, keeping them updated on the value of the information in their hands, the current security best practices, and company management expectations.

Hardware and software technology

The hardware and software deployed at Vortex® to monitor and manage this security architecture will be the center of the security concerns. Other security mechanisms will be put in place to protect the physical hardware, like locks, man traps, biometric devices at door entries, etc. This architecture will not rely only on technology and disregard the individuals who use it. As technology changes and new solutions are put in place, the possibility is high that this will also have an impact on the architecture. Each change must also be evaluated to determine whether a related counter-change in the architecture needs to be performed.
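
The zoning goal stated earlier (an attacker must compromise the outer zones before reaching the inner ones) can be checked against a firewall rule list. The following is an added example, not part of the original answer: the numeric trust ranks, the rule list, and the service names are constructed assumptions layered on the answer's zone table.

```python
from collections import deque

# Trust ranks derived from the answer's zone table (higher = more trusted).
# Assumption: Management and Restricted share the top rank, since the
# table labels both of them "highest".
TRUST = {"Internet": 0, "External DMZ": 1, "Enterprise": 2,
         "Extranet": 2, "Management": 3, "Restricted": 3}

# Constructed sample rule list: (source zone, destination zone, service).
RULES = [
    ("Internet", "External DMZ", "https"),
    ("External DMZ", "Enterprise", "smtp-relay"),
    ("Enterprise", "Restricted", "sql"),
    ("Management", "Restricted", "ssh"),
    ("External DMZ", "Restricted", "sql"),  # misconfiguration: skips a layer
]

def layer_skips(rules):
    """Rules that let traffic climb more than one trust level at once."""
    return [r for r in rules if TRUST[r[1]] - TRUST[r[0]] > 1]

def hops_from(rules, start="Internet"):
    """Fewest zone boundaries crossed from `start` to each reachable zone."""
    graph = {}
    for src, dst, _service in rules:
        graph.setdefault(src, set()).add(dst)
    dist, queue = {start: 0}, deque([start])
    while queue:  # breadth-first search over the permitted flows
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist

def depth_shortfalls(rules):
    """Zones reachable in fewer hops than their trust rank: {zone: (hops, rank)}."""
    return {z: (h, TRUST[z]) for z, h in hops_from(rules).items() if h < TRUST[z]}

if __name__ == "__main__":
    for rule in layer_skips(RULES):
        print("layer skip:", rule)
    print("depth shortfalls:", depth_shortfalls(RULES))
```

Removing the last rule restores the intended depth: the Restricted zone is then three boundaries away from the Internet, matching its rank.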