Gpusey_Assignment2
Gp823@mynsu.nova.edu
Dr. Yair Levy
ISEC-615 Winter 2020
Due Date: June 14, 2020
Hardware Components of Office Network
Below is an office network diagram that includes several basic components. A description of each component and their individual function is also included below.
A router delivers IP packets (information) between physically separate networks. The router receives packets and uses the IP address in each packet to determine where to forward it so that it reaches its destination. In the network diagram above, the router routes packets between two Local Area Networks (LANs), LAN 1 and LAN 2. Additionally, the router can route packets to networks external to this office network, in this example via the internet (WAN).
A firewall is a device or software. It is a barrier between the internal private network and the internet. The purpose of a firewall is to protect the internal network from unauthorized access flowing inbound from the internet. Firewall rules are also established to determine what traffic, outbound from the network, can leave the network. The firewall distinguishes between authorized and unauthorized traffic using rules, an Access Control List (ACL), to filter the traffic. This component of the network provides the internal network with protection from external threats.
A switch provides wired network access for devices. The switch has several ports that allow for physical connection to devices on the network using cables (Cat5). In the diagram included above, Switch1 connects a printer, a server and three desktop PCs. These are referred to as endpoints. Switch1 allows information to be passed between each of the devices that are connected to it.
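The ACL filtering described above can be shown as a first-match rule list with a default deny, plus a check for rules that an earlier rule hides. This is an added example, not part of the original paper; the addressing (10.0.1.0/24 for LAN 1, 10.0.2.0/24 for LAN 2, a mail server at 10.0.1.10, 203.0.113.0/24 as a blocked site) and all function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "inbound" or "outbound"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination port; None matches any port

# Constructed sample ACL (assumed addressing, see lead-in).
ACL = [
    Rule("deny",  "outbound", "10.0.0.0/16", "203.0.113.0/24", None),
    Rule("allow", "outbound", "10.0.0.0/16", "0.0.0.0/0", 443),
    Rule("allow", "outbound", "10.0.0.0/16", "0.0.0.0/0", 53),
    Rule("allow", "inbound",  "0.0.0.0/0", "10.0.1.10/32", 25),
]

def evaluate(acl, direction, src_ip, dst_ip, dport):
    """First matching rule wins; traffic matching no rule is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, rule in enumerate(acl):
        if (rule.direction == direction
                and src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.dport in (None, dport)):
            return rule.action, index
    return "deny", None

def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.direction == later.direction
                    and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                hidden.append(j)
                break
    return hidden

if __name__ == "__main__":
    print(evaluate(ACL, "outbound", "10.0.1.20", "203.0.113.5", 443))
    print(evaluate(ACL, "inbound", "198.51.100.7", "10.0.2.15", 3389))
    print(shadowed_rules(ACL))
```

Rule order matters: if a broad allow were placed above the deny for the blocked site, `shadowed_rules` would report the deny as unreachable.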
Endpoints are devices, also called nodes, that are connected to the network, physically or wirelessly. They send and receive packets on the network. In the office network diagram above, examples of endpoints are the desktop PCs, the printer and server. Endpoints can be wired or wireless.
Office Network Security
In order to secure the organizational assets, the network depicted in the diagram in the previous section is itself protected both physically (physical security) and logically (cybersecurity).
Physical
In order to protect the organization from damage or theft, the physical components of the network are stored in buildings that are physically protected. Steps are taken to prevent, detect and recover from intrusion. While the building does not have physical perimeter barriers, the building is equipped with closed-circuit television (CCTV) cameras at each entrance. Employees can enter most entrances using a card reader, while visitors can only enter the building from a single manned entrance, where each guest is photographed along with an ID presented by the guest. The photo and the ID are logged. Employees are trained to be aware of piggybacking and tailgating. Physical network components are stored in areas (data center, network closets) that are locked and monitored with CCTV. All servers are secured inside cabinets. Authorized access is permitted via card reader for a designated few employees. Hardware checkout policies also exist for this organization.
Cyber
At the edge of the network, web content filters are used to prevent authorized users from accessing restricted websites and websites that are known to be malicious. Also at the edge, email filters and anti-phishing software are used to protect against spam and phishing attempts. Network mapping software is used to provide documentation of the network components so that appropriate security is implemented for all components and to detect unknown systems. Unused ports are disabled. Firewall rules disallow access to a variety of internet sites, including those that are known to be malicious or are used for gaming. The firewall rules ensure that internet sites that are needed for normal business operations are accessible. Intrusion Detection Software is installed inside of the firewall to detect unauthorized attempts to reach the office network. The office network is monitored for deviation from network baselines, which include normal traffic patterns and server loads, in order to detect intrusion. Network segmentation is also implemented to make it easier to detect suspicious network traffic. Highly sensitive data and servers are monitored in order to detect insider attacks from authorized network users. Software is kept current with the latest patches. Complex password policies are required (password length of 8 with mixed characters and symbols). Role-based security is in place and logs are analyzed in order to detect privilege escalation. In order to prevent backdoors, developers are not allowed to bypass network security during software testing or to hardcode passwords. Vendor default accounts and passwords are not in use. User education and training cover social engineering attacks, such as phishing, and password protection (for example, do not write down passwords). Additionally, the organization contracts with a third party to do vulnerability scanning.
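Two of the detective controls above, monitoring for deviation from a traffic baseline and using network mapping to find unknown systems, are sketched below. This is an added example, not part of the original paper; the traffic figures, MAC addresses (from the documentation range), the 3-standard-deviation threshold and the function names are all assumptions.

```python
from statistics import mean, stdev

# Constructed baseline: outbound megabytes per hour for each segment in normal operation.
BASELINE = {
    "LAN 1": [410, 395, 402, 420, 388, 405, 415, 398],
    "LAN 2": [120, 131, 118, 125, 122, 129, 117, 126],
}
# Constructed inventory produced by network mapping (MAC address -> documented system).
INVENTORY = {
    "00:00:5e:00:53:01": "Server",
    "00:00:5e:00:53:02": "Printer",
    "00:00:5e:00:53:03": "Desktop PC 1",
}

def deviations(baseline, observed, threshold=3.0):
    """Map each segment that departs from its baseline to its z-score.

    A segment with no usable baseline is reported with None so it is reviewed
    rather than silently skipped.
    """
    flagged = {}
    for segment, value in observed.items():
        history = baseline.get(segment, [])
        if len(history) < 2:
            flagged[segment] = None
            continue
        mu, sigma = mean(history), stdev(history)
        if sigma == 0:
            if value != mu:
                flagged[segment] = float("inf")
            continue
        z = (value - mu) / sigma
        if abs(z) > threshold:
            flagged[segment] = round(z, 1)
    return flagged

def unknown_systems(inventory, discovered_macs):
    """MAC addresses seen on the network that the documented inventory lacks."""
    known = {mac.lower() for mac in inventory}
    return sorted({mac.lower() for mac in discovered_macs} - known)

if __name__ == "__main__":
    observed = {"LAN 1": 412, "LAN 2": 640, "Guest": 55}   # constructed hour of traffic
    print(deviations(BASELINE, observed))
    print(unknown_systems(INVENTORY, ["00:00:5E:00:53:02", "00:00:5e:00:53:7f"]))
```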
Hardware Components of Cloud-based Hosting Services
Cloud-based hosting services allow an organization to outsource components of its network resources in order to reduce expenses. This can include computing resources that perform data processing for complex and time-consuming algorithms, application software, application servers or data storage. Below is a diagram of the components of a cloud-based hosting service. There are 5 characteristics that define a cloud-based service. A cloud-based service must have an on-demand self-service model. It needs to have broad network access, which means that the resources being hosted and the services provided must be delivered through a network, such as the internet, that supports multiple platforms (workstations and mobile devices). It must also provide resource pooling, which means users are sharing resources. It has to have rapid elasticity (on-demand scaling). Lastly, it must allow for measured service (the ability to control and optimize resources).
The cloud-based hosting service depicted in the above diagram provides Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The IaaS model provides customers with infrastructure. This can include storage, processing, virtualized environments and network. This allows cloud customers to avoid the expense of procuring hardware, real estate to house hardware and networking equipment. The PaaS model provides customers with everything provided in the IaaS model in addition to configuration, setup and management of the cloud environment. The SaaS model provides customers with a software application environment that the customer’s users can access via the internet or their local area network. There are two types of SaaS. The first is simple multi-tenancy, where each customer has dedicated resources. In contrast, in the second type, fine-grain multi-tenancy, customers share resources; however, each customer’s data is separated from other customers’ data. Another type of cloud-based model is Security as a Service (SECaaS). This model provides customers with services that include intrusion protection, antivirus, authentication, security event management and penetration testing.
Cloud-based Hosting Services Security
A Cloud Access Security Broker (CASB) is used to ensure that the traffic and access to the cloud service is aligned with organizational policies and procedures.
The risk of security breaches is reduced in cloud-based hosting services. Cloud-based services accomplish this in part through managing authentication and by providing users with access to only the resources they need. Information confidentiality and integrity are ensured by separating each customer’s data from one another. There are procedures for user access requests as well as for more major needs such as handling catastrophes and data breaches. Security monitoring against network baselines and contracts with third parties for vulnerability testing are used. Cloud-based services also adhere to the Sarbanes-Oxley Act.
Conclusion
In conclusion, an organization’s network has both physical components and logical components. Both types of components need to be secured using physical security and cybersecurity. Cloud-based hosting services provide an organization with alternatives to address its network infrastructure, networking security, storage and application needs, at a lower cost.
Certification of Authorship of Assignment