Networks and Information Security Case study
Copyright © Edilson Arenas CQUniversity

Case Study 1 Bank (Golden Bank)

The Golden Bank (GB) is the largest financial institution operating in mainland Tivoli. GB has 28 branch offices around Tivoli and two remote branch offices in the islands of Greenland and Faroe. GB has three major facilities, all located in mainland Tivoli: Headquarters, Operations and Backup. The Headquarters facility is located in a downtown office that houses the administrative staff. The Operations facility is located in a warehouse near an industrial area on the outskirts of Tivoli. The Operations building, located 60 km from the headquarters, houses the back-office technical functions, the data centre and the GB IT staff. Finally, the Backup facility, located in the country area of Tivoli about 100 km from the headquarters, is used as a warm-site facility which can take over within minutes in the event that the Operations facility fails.

The 28 branch offices are very similar in size and staff, spread around Tivoli in small buildings that use relatively old and complex technology. Automated Teller Machines (ATM) at each branch use different SNA (Systems Network Architecture) protocols to talk to the mainframe computer at Operations. Currently, file servers still require IPX/SPX communication and some branches (not all) use TCP/IP to connect to the Internet. Additionally, each branch is connected to Operations through a Cisco 2600 series Multiservice Platform router, chosen for flexible LAN and WAN configurations and easy upgrading, and capable of handling the many protocols used at the internet and transport layers in branch office communications.

Apart from internal connections supporting the day-to-day activities of the organisation, GB also deals with a dozen (12) outside support vendors, including credit card processing, credit card authorisation etc., each in a different way. The lack of standards is a major issue in Tivoli.

WANs in GB

Figure 1 outlines the complex group of WANs Tivoli currently uses to support its operations. A mesh of three T3 leased lines connects the Headquarters, Operations and Backup buildings. These lines operate at 44.7 Mbps, providing redundancy between the major facilities. Branches connect to the major facilities most of the time via Frame Relay links. For each branch, there are two 56 kbps PVCs. One leads to the Operations facility and the other leads to the Backup facility. There are ISDN backup lines in case of Frame Relay failure. The two islands are connected to the Headquarters via 128 kbps fractional T1 digital leased lines. Similarly, the 12 vendors are connected to GB via a Frame Relay network at 56 kbps each. As shown in the diagram, GB uses two separate ISPs for Internet connection via T1 leased lines.

Figure 1 Golden BANK WAN

LANs in GB

Each branch office (including the two islands) is supported by 10Base-T Ethernet LANs, which GB expects to replace with more modern Ethernet. Each branch has an average of 20 employees including the bank tellers, customer service and branch managers. The Headquarters houses 80 administrative, finance, accounting and management staff, supported by 100BaseT Ethernet LANs. In the Operations facility, there are 20 engineers in charge of the technical support of the data centre, networking, maintenance and application development. The organisational and operational structure of the Backup facility is very similar to Operations.

Current ICT infrastructure

Branch (including the islands)

Hardware
- Staff equipped with Desktop PCs running Windows 8
- Two ATM machines
- 2 networked Laser Printers
- 2 network flat-bed scanners
- 1 NAS for local storage
- Cisco 2600 series Multiservice Platform routers
- 10BaseT Ethernet (2 subnets: administrative + management)

Software
- Microsoft Outlook installed on all staff workstations to access emails
- Accounting, finance software and Microsoft Office suite
- Anti-virus and software firewalls

Headquarters

Hardware
- Ten ATM Machines
- Staff equipped with Desktop PCs running Windows 8
- 10 networked Laser Printers
- 10 network flat-bed scanners
- Cisco 2600 series Multiservice Platform routers
- 100BaseT Ethernet (4 subnets: Finance + Accounting + Management + Administrative)

Software
- Microsoft Outlook installed on all staff workstations to access emails
- Specialised software (including Accounting, Finance, Decision Support, Executive and Management) and Microsoft Office suite
- Anti-virus and software firewalls

Operations
- Cisco 2600 series Multiservice Platform routers
- Operating system: Combination of Windows and Linux for servers
- Staff equipped with Desktop PCs running Windows 8

All operational servers including FTP, HTTP/HTTPS, SMTP/SMTPS, DHCP, DNS, Authentication, Telepresence, Domain Controllers, Database, SAN, Load Balancing and video are concentrated in this facility.

Backup

As mentioned, the Backup is a warm-site facility which can take over within minutes in the event that the Operations facility fails. Its infrastructure mirrors Operations’.

Problem Statement

GB business processes rely on a combination of systems including Internet, IPX/SPX, SNA and ICT related services, with a very complex ICT infrastructure in place that the GB board of directors sees as problematic for the sustainability and further growth of the GB business. They argue that the organisation is spending a great deal of money on the maintenance and integration of disparate and cumbersome systems, with little room to expand and improve its services.

The GB board of directors claim that there needs to be a change and re-provisioning of its ICT infrastructure to remain competitive. As part of this change, the transition to interoperability should be achieved in a smooth manner and leverage the latest advancements in secure network infrastructure to guarantee “zero” problems within the GB business processes. The bank is expected to expand its branch services to 30% in the next 3 years. They are also considering embracing the latest Cisco immersive telepresence system across the organisation, as well as staff remote access and mobile services (staff BYOD and Work-at-home (WAT) policies) that GB currently does not have.

In terms of security, the new system should safeguard the appropriate access and use of ICT resources, and ensure that unauthorised and malicious internal and external network attacks are properly blocked. Network redundancy is currently achieved with the mesh of three T3 leased lines connecting the Headquarters, Operations and Backup buildings; however, nothing has been done so far in terms of a security plan including a robust disaster recovery and business continuity plan.

Statement of Work

Your task is to design and implement a secured network infrastructure that ensures high availability, reliability, scalability, performance and security to support GB services. This requires 1) the design of the network; 2) the delivery of a comprehensive network security plan; and 3) Security technology implementation – proof of concept. The following is a description of what is required.

Network Design

1. Network design including LANs, VLANs, WANs and VPNs. In this design, the IP address allocation should use the CIDR format (x.y.z.t/n). Each group should have different ranges of public and private IP addresses. Discuss with your mentor the range of addresses you are planning to use.
2. Each LAN, WAN, VLAN and VPN should be justified in terms of traffic, reliability, performance, availability, scalability and security. To do this you need to make a number of assumptions (discuss this with your mentor / facilitator / teacher); however, assume that ATM machines, Operations and Backup facilities are to operate 24/7. Other facilities are to operate from 6:00am to 8:00pm daily. For this design, take into account the following:
   a. Traffic generated by the hosts: ATMs, clients, servers and backup devices
   b. Appropriateness of current WAN links
   c. Appropriateness of current WANs (Frame Relay)
   d. Appropriateness of current LANs
   e. VLANs requirements
   f. All networking devices including routers and switches at each site or location
   g. IP address allocation of each network and main network devices
   h. Sub-netting to separate traffic including IP address allocation
   i. Firewalls positioning and strategy: Dual firewall, Single firewall, stateful packet filter
   j. Proxies
   k. NAT/PAT
   l. DMZs
   m. Routing tables for all routers
   n. Firewalls Access Control Lists
   o. Diagram of the network topology and allocation of devices; and IP addresses for the main network devices

Network Security plan

The network security plan should contain at a minimum the following:

1. Introduction outlining the importance of the plan and its purpose
2. Scope outlining the areas of the organisation that the Plan applies to
3. Assumptions documenting any assumptions you have made in order to prepare the plan
4. Clear and concise statements about what the Security Plan is designed to achieve
5. Summary and analysis of the organisation’s risks, highlighting the current threats, challenges and vulnerabilities along with an assessment of the current security environment and treatments in place
6. Security policies to address all possible network attacks and vulnerabilities
7. Disaster recovery and Business continuity plans
8. Security Strategies and Recommended controls including security policies
9. Residual risks that remain after all possible (cost-effective) mitigation or treatment of risks. Your security plan should estimate, describe and rate these risks to guide the priorities for ongoing monitoring of risks.
10. Resources and cost requirements for implementing the recommendation

Security Technology Implementation

As part of the security technology implementation and in line with the recommended controls mentioned above in item 8, you need to provide at least the complete design of the following:

1. Data backup and recovery procedures. Note that there are NASs at the branches to back up the data generated locally; however, the vast majority of data is backed up to the File Server at the Operations facility through the network.
2. Secure staff remote access and mobile services (staff BYOD and Work-at-home (WAT))
3. A proper authentication system that takes care of highly secured roles and permissions to access, share, download and upload files and folders
4. Proper safeguards required to prevent spam emails
5. Hardening of application servers including FTP, HTTP/HTTPS, SMTP/SMTPS, DHCP, DNS, Authentication, Telepresence, Domain Controllers, Database, SAN, Load Balancing, video and any other specialised banking software
6. Network security including DMZs, firewalls, Proxies, IDSs, IPS, Cryptography etc.
7. Security Policies

GB Technology implementation – Proof of concept

As part of the project requirements, you will need to design, implement and test the Unified Threat Management system (Enterprise Firewall) using open software like Endian FW, Vyatta or any other system you are familiar with. The solution should address the firewall needs of GB, including the installation of the software, configuration of the ACLs, and development of test cases to check the complete functionality of the rules.
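
The proof of concept asks for test cases that check the complete functionality of the firewall rules. The following added example (not part of the original brief) models a first-match ACL with an implicit deny, runs a constructed test matrix against it and flags shadowed rules; all addresses, rules and function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None matches any port

# Assumed address plan: RFC 1918 ranges inside, RFC 5737 documentation ranges outside.
ANY, BRANCHES, OPS = "0.0.0.0/0", "10.20.0.0/16", "10.10.0.0/24"
ACL = [
    Rule("permit", ANY, "192.0.2.10/32", "tcp", 443),      # Internet -> HTTPS server in DMZ
    Rule("permit", BRANCHES, "10.10.0.53/32", "udp", 53),  # branches -> DNS at Operations
    Rule("deny", BRANCHES, OPS, "any", None),              # branches -> rest of Operations
    Rule("permit", BRANCHES, "10.10.0.21/32", "tcp", 21),  # mistake: placed after the deny
]
net = ipaddress.ip_network

def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.port in (None, inner.port))

def evaluate(acl, src_ip, dst_ip, proto, port):
    """First-match evaluation; a packet matching no rule is denied."""
    packet = Rule("", f"{src_ip}/32", f"{dst_ip}/32", proto, port)
    for rule in acl:
        if covers(rule, packet):
            return rule.action
    return "deny"

def shadowed(acl):
    """Indexes of rules that can never be the first match."""
    return [j for j, r in enumerate(acl) if any(covers(acl[i], r) for i in range(j))]

# Constructed test matrix: (src, dst, proto, port, expected action).
CASES = [
    ("203.0.113.7", "192.0.2.10", "tcp", 443, "permit"),
    ("203.0.113.7", "192.0.2.10", "tcp", 22, "deny"),
    ("203.0.113.7", "10.10.0.53", "udp", 53, "deny"),
    ("10.20.3.15", "10.10.0.53", "udp", 53, "permit"),
    ("10.20.3.15", "10.10.0.21", "tcp", 21, "permit"),     # fails until the rule order is fixed
]

def run_cases(acl, cases):
    """Return the cases whose actual action differs from the expected one."""
    return [c for c in cases if evaluate(acl, *c[:4]) != c[4]]
```

The same matrix can then be replayed against the real UTM from hosts in each zone, recording permitted and blocked connections as evidence for the report.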

For the proof of concept, it is mandatory that you include the documented results (procedures and screen dumps) of various network security attack tests (such as a Network Penetration Test) as part of your final project report. You may use your choice of security software/tools and operating systems (Windows, Linux, or Ubuntu) in a virtualized environment to build and simulate the security tests. To do this, students are advised to get a second-hand personal computer and give a physical demonstration at the end of the term.

Final Remark

It is important to note that the final output of your project is a comprehensive report comprising network design, network security plan and security technology implementation.
- Draft_security_plan (Assignment). This is a group assessment.
Submission of DRAFT Network Security Plan
Due: Week 4 – Friday 3 April 2015 (23:55pm)
- Project_plan (Assignment). This is a group assessment.
Submission of Project Plan
Due: Week 4 – Friday 3 April 2015 (23:55pm)
At a minimum, your group is required to submit the following project artefacts as part of this submission:
- a project charter outlining project scope, objectives and constraints, statement of work, project team members
- a RACI Matrix showing the roles and responsibilities of each team member
- a Project Plan that shows work breakdown structure (WBS) using GANTT chart; and,
- project risks and proposed mitigation plan
- Week7_presentation (Assignment). This is a group assessment and weighs 10% of the total course mark.
Due date: Week 7 – Friday 1 May 2015 (23:55pm)
This is an in-class group presentation due in Week 7. The local project mentor (Lecturer) will finalise the date, time and venue of the presentation.
As outlined in the course profile, in this group presentation you will:
- present the summary of your network security plan that you have produced
- identify and justify your selection of key threat or security challenge to the organisation
- explain what technologies you will implement to mitigate or address such threats and challenges
- describe how you will test the security technologies and what types of policy and/or procedure documents you intend to produce
Submission requirement: for marking purpose, you must submit (electronic upload) the PowerPoint presentation slides that you used for your presentation.
- Week11_presentation (Assignment). This is a plenary group presentation of the Project Report – due in Week 11 – Friday 29 May 2015 (23:55 pm). The local project mentor (Lecturer) will finalize the date, time and venue of the presentation.
- Final_project_report (Assignment). Due date: Week 12 – Friday 5 June 2015 (23:55 pm)
This is a group submission. You must submit a single ZIP that will contain the following two separate documents:
- Ancillary project documents formatted in a single Microsoft Word document. This weighs 5% of total assessment mark.
- Project report formatted in a single Microsoft Word document. This weighs 40% of total assessment mark.