
Network Security Proposal

Name

Date

Section 1: Analysis and Planning

A. Vulnerability Assessment

Requirements. Network security assessments are often limited to patch management and antiviral software, but these measures alone frequently leave networks vulnerable. It is critical, then, for administrators to perform vulnerability assessments to prevent a range of threats [2].

Proposed Solution. Using a dedicated vulnerability scanner will be necessary. These are devices which “frequently include port scanners,” which scan a specified set of ports on a given remote host, as well as serve to test the “service offered at each port” for known vulnerabilities [7]. Because these processes -- as with the Nessus Vulnerability Scanner, which is free and open-source -- stand to “connect with the ports and test them out in quick succession,” they stand to potentially “overwhelm” company systems, causing them to crash [7]. As a result, it will be necessary to mount such security scans no more often than once a month or quarter.

Justification. Security scans are critical to the maintenance of secure network infrastructure, and to identifying problems which cannot be discovered -- or prevented -- through alternative means. Though scans can pose certain threats to the systems upon which they are mounted (in the form of crashing), these efforts are nonetheless worthwhile.

B. Security Policy

Requirements. Though many institutions follow informal ‘best practices’ based in generalized norms, such measures are often deficient when it comes to addressing explicit network threats [20]. These deficiencies must be rectified through the establishment of a written network security policy upon which network use will be predicated.

Proposed Solution. A written network security policy will pertain to a range of factors, including (1) Computer acceptable use, including over “desktop, mobile, home PCs, and servers”; (2) Password protection, as pertains to “rules for choosing passwords,” as well as enforcement thereof; (3) Email, to cover appropriate use of email sent from company addresses or received at any given company email system; (4) Internet, pertaining to the specific choice of browser (and its configuration), as well as any restrictions on websites which can be visited by employees; (5) Mobile computing and portable storage, regarding the devices authorized for such use; (6) Remote access, which will outline policy pertaining to “who can access what information from which locations under what circumstances”; and (7) An incident response plan, which pertains to security incidents, who is “responsible for enforcing applicable local laws,” and “who speaks for the company” in the event of a network security failure or data breach [20].

Justification. No network security infrastructure is sound without the establishment and implementation of a robust -- and explicit -- network security policy. The terms and specific implementation of such policies will be considered in greater detail in the following sections.

C. Risk Management

Requirements. It will also be necessary to draft and implement an explicit network risk management plan. The purpose of such a plan is to establish policies by which “appropriate activities” are undertaken to mitigate risks associated with information resources, whether directly tied to “sensitive” areas, or with respect to “monitoring [undertaken] on an ongoing basis” [8].

Proposed Solution. This plan will be predicated upon establishing a list of centrally managed information and network resources whose ‘risk levels’ -- or ‘sensitivity’ to attack -- are of greatest concern. This will involve the analysis and listing of assets which are “acquired, managed, and retired,” to facilitate the maintenance of stated and explicit standards by which risk levels can be reduced [8]. Qualitative risk assessment must also be mounted to identify (1) Inherent risk, defined as “raw risk…[which] does not take into consideration mitigating controls,” as well as (2) Residual risk, which regards the “impact the risk [caused] by implementing mitigating controls,” in order to develop a robust “corrective action plan” for all circumstances [8].

Justification. Though network security policy may ‘encompass’ risk management procedures, the importance of risk mitigation highlights the necessity of establishing a discrete -- and explicit -- plan for the reduction of network risk based upon explicitly identified vulnerable resources.
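The inherent-versus-residual distinction above, carried into a small qualitative risk register that also produces the corrective action plan the text calls for. This is an added example written for this page, not code from the cited risk management plan [8]; the four-step rating scale, the tolerance threshold, the asset names and the control effectiveness figures are all constructed assumptions.

```python
"""Qualitative risk register: inherent vs. residual risk, and the corrective
action plan that falls out of it.

Added illustration for this proposal; not code from the cited risk management
plan [8]. The rating scale, tolerance threshold, asset names and control
effectiveness figures are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed four-step qualitative scale shared by likelihood and impact.
SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed tolerance: a residual score above this needs a corrective action.
RISK_TOLERANCE = 4


@dataclass
class Control:
    """A mitigating control and how many scale steps it removes from each axis."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Asset:
    """One centrally managed information or network resource in the register."""
    name: str
    likelihood: str          # chance of compromise with no controls in place
    impact: str              # consequence of compromise
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Raw risk: likelihood x impact, ignoring mitigating controls."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_risk(self) -> int:
        """Risk remaining once controls are applied; neither axis drops below 1."""
        lik = SCALE[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = SCALE[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def build_register() -> List[Asset]:
    """Constructed sample register; real entries come from the asset inventory."""
    patching = Control("monthly patching", likelihood_reduction=1)
    segmentation = Control("network segmentation", likelihood_reduction=1)
    backups = Control("encrypted off-site backups", impact_reduction=1)
    waf = Control("web application firewall", likelihood_reduction=1)
    return [
        Asset("customer-db", "high", "critical", [patching, segmentation, backups]),
        Asset("public-web", "high", "medium", [waf]),
        Asset("hr-laptops", "medium", "high"),
        Asset("legacy-print-server", "high", "low"),
    ]


def corrective_action_plan(assets: List[Asset],
                           tolerance: int = RISK_TOLERANCE) -> List[Tuple[str, int, int]]:
    """Assets whose residual risk still exceeds tolerance, worst first.

    Each entry is (asset, inherent, residual): the gap between the two shows how
    much the existing controls buy, and the residual is what still needs action.
    """
    over = [(a.name, a.inherent_risk(), a.residual_risk())
            for a in assets if a.residual_risk() > tolerance]
    return sorted(over, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    register = build_register()
    for a in register:
        print(f"{a.name:22} inherent={a.inherent_risk():2} residual={a.residual_risk():2}")
    print("corrective actions needed:", corrective_action_plan(register))
```

The point of keeping both scores per asset is that a control which removes a great deal of inherent risk (the database's segmentation and patching) still leaves a residual to track, while an asset with a modest inherent score but no controls at all (the laptops) is the one that actually lands on the corrective action list.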

D. Business Continuity Plan

Requirements. Network security attacks pose present threats to the continuity of organizational operations, meaning that threats to network integrity are just as grave as “traditional threats, such as severe weather or supply-chain disruptions” [1]. Because business continuity is so often the product of IT policy maintenance, it will be necessary to establish and implement an IT-focused network security plan which focuses explicitly upon business continuity [1].

Proposed Solution. This plan must identify all “critical IT processes, data, and locations” which support the organization’s IT and network-focused infrastructure for the maintenance of “revenue, customer information, trade secrets” and other pertinent information [1]. Once such elements have been identified, explicit plans will be established by which “secure work-arounds or redundancy” can be secured in the event of attack, so that stakeholders will be able to regain access to such critical systems rapidly [1]. Once established, these continuity-focused procedures will then be “thoroughly tested” in order to ensure their efficacy and feasibility.

Justification. Network security is only as robust as its capacity to be restored in the event of failure, and business continuity protections are critical to this effort. As with the previous considerations of network security, it will be necessary to establish areas of ‘concern,’ followed by testing of the capacity of network security to restore access after network or IT failure.

E. Access Controls

Requirements. Access to network resources is a major area of concern. Such controls, “also known as authorization,” maintain a ‘body’ of stakeholders who can access critical data, “and for what purpose,” so such procedures must be robust and mandatory, but also discretionary, to afford administrators a degree of flexibility in their ‘designation’ of authorized users [12].

Proposed Solution. A ‘common’ variant on network access control (NAC) will be employed. This involves procedures by which “endpoint devices” connected to the network are identified, after which a NAC server initiates “authentication and security assessment” processes, either directly by a “software agent” installed on the ‘endpoint’ device, or by an “external network-based scanning engine” [6]. If the device satisfies the security policy, as defined -- whether by password or by more robust software authentication -- then it will be granted access to network resources. However, “insecure endpoint devices” will be isolated in a “quarantined area” until they can be authenticated, or they will be excluded from network access altogether [6].

Justification. Without robust procedures in place to ensure that access is limited to authorized users, the system will expose itself unnecessarily to attack or theft of data, no matter how strong its other security measures. It is critical that such procedures be put into place.
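The admission logic described in the NAC paragraph (identify the endpoint, run the security assessment, then allow, quarantine or deny), as an added example written for this page rather than code from the cited NAC material [6]. The policy thresholds, the VLAN names and the endpoint posture records are constructed assumptions; a real deployment would collect the posture from the agent or scanning engine and push the VLAN assignment to the switch.

```python
"""NAC admission decision: identify the endpoint, check its posture against
policy, then allow it onto the production network, quarantine it for
remediation, or deny it.

Added illustration for this proposal; not code from the cited NAC material
[6]. The policy thresholds, VLAN names and endpoint records are constructed
assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed security policy the NAC server enforces before granting access.
POLICY: Dict = {
    "min_os_version": (10, 0),        # (major, minor)
    "max_signature_age_days": 7,      # anti-malware signatures must be this fresh
    "require_disk_encryption": True,
    "require_host_firewall": True,
}


@dataclass
class Posture:
    """What the agent (or the external scanning engine) reported for one endpoint."""
    device_id: str
    authenticated: bool       # identity proven (e.g. certificate or credentials)
    os_version: Tuple[int, int]
    signature_date: date
    disk_encrypted: bool
    firewall_enabled: bool
    source: str = "agent"     # "agent" or "scan": how the posture was collected


def policy_failures(p: Posture, policy: Dict = POLICY,
                    today: date = date(2017, 11, 9)) -> List[str]:
    """Return the checks this endpoint fails; an empty list means compliant."""
    failures = []
    if p.os_version < policy["min_os_version"]:
        failures.append("os_version")
    if (today - p.signature_date).days > policy["max_signature_age_days"]:
        failures.append("stale_signatures")
    if policy["require_disk_encryption"] and not p.disk_encrypted:
        failures.append("disk_encryption")
    if policy["require_host_firewall"] and not p.firewall_enabled:
        failures.append("host_firewall")
    return failures


def nac_decision(p: Posture, **kwargs) -> Tuple[str, str, List[str]]:
    """Decide (action, vlan, reasons) for an endpoint.

    Unauthenticated devices are excluded outright. Authenticated but
    non-compliant devices are placed in the quarantine VLAN, which should only
    reach remediation services (patch and signature servers). Compliant
    devices are admitted to the corporate VLAN.
    """
    if not p.authenticated:
        return ("deny", "none", ["authentication_failed"])
    failures = policy_failures(p, **kwargs)
    if failures:
        return ("quarantine", "vlan-quarantine", failures)
    return ("allow", "vlan-corp", [])


# Constructed endpoint reports as a NAC server might receive them.
SAMPLE_ENDPOINTS = [
    Posture("lt-0042", True, (10, 3), date(2017, 11, 8), True, True),
    Posture("lt-0117", True, (10, 1), date(2017, 10, 15), True, False, source="scan"),
    Posture("unknown-mac", False, (9, 2), date(2017, 11, 1), False, False),
]


def admission_report(endpoints: List[Posture] = SAMPLE_ENDPOINTS) -> Dict[str, Tuple[str, str, List[str]]]:
    """Run the decision for every endpoint, keyed by device id."""
    return {e.device_id: nac_decision(e) for e in endpoints}


if __name__ == "__main__":
    for dev, (action, vlan, reasons) in admission_report().items():
        print(f"{dev:12} -> {action:10} {vlan:15} {', '.join(reasons)}")
```

The decision returns every failed check rather than the first one, so the quarantine VLAN's remediation portal can tell the user exactly what to fix before the device is re-assessed.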

Section 2: Securing Boundary Devices, Hosts, and Software

A. Physical Security

Requirements. The maintenance of the physical security of network devices may be overlooked by network administrators and IT and data security personnel, because of the vast degree of focus which is often placed upon the creation and maintenance of “technology-oriented security countermeasures” [14]. That said, a host of devices are exposed to physical theft or attack, especially easily ‘removed’ devices such as “USB hard drives, laptops, tablets and smartphones” [14]. In this way, the necessity of implementing physical data security is shown.

Proposed Solution. Network security must establish a dedicated team responsible for “designing a physical security program,” to be tasked with a thorough consideration of physical threats, both to devices upon which critical data is kept and to the facilities (physical buildings) where they are maintained [14]. Though this policy might focus upon external criminal threats, and establish “multiple layers of security [through which] such actors have to go through” in order to prevent unauthorized access to a particular “asset,” it must also take into account the fact that such threats can be posed by internal actors -- employees -- as well [14]. To this end, denial must be implemented to counter all threats, whether external, internal, or arising through collusion between the two, through measures such as “locked doors and vaults,” physical intrusion detection systems such as “alarms,” and “cable locks” on protected computers and other systems [14].

Justification. Though such ‘countermeasures’ can be costly, they are necessary to mitigate the threat posed by actors seeking to compromise critical systems in a physical manner. Failure to mitigate this threat unnecessarily exposes network resources to intrusion risk.

B. Mobile Device Security

Requirements. Over the last several years, mobile devices have become integral to how people “accomplish tasks,” both at home and in their professional lives [4]. Though these devices have expanded in their capabilities and productive potential, such expansion has carried increased risk of their use as a “target for attackers,” especially through “malicious applications with hidden functionality” which secretly “harvest user data” or facilitate criminal access to systems [4].

Proposed Solutions. Data integrity must be maintained through the establishment of a robust mobile device security protocol, so as to mitigate weaknesses in “vendor-advertised controls” on mobile devices linked to an organizational intranet, or in the case of their loss or theft [4]. A structured approach to ensuring mobile data security must be implemented, through which all mobile devices used to connect to internal networks are logged and tested, in procedures comprising both “manual testing and automated reviews” of all employee-user mobile devices. These will focus upon testing (1) Network accessibility, i.e. the “availability of internal web servers, FTP servers, database servers, and other critical infrastructure” to the device, especially those which should be inaccessible to it [4]. This will be combined with (2) Policy configuration, by which mobile devices are tested to determine whether end users have “excessive rights or capabilities,” as through existing commercial tools, and through assessment in which testers attempt to “bypass or change policies,” especially those which pertain to “device password requirements, inactivity timeout durations,” and to the installation of unapproved software [4].

Justification. Mobile devices are network access points, the same as any other computer used to connect to the internal network, and are just as prone to criminal use (even if inadvertent), meaning that they must be tested for their security as rigorously as any other network asset.
C. Perimeter Defenses

Requirements. Though a robust firewall is deployed, network perimeter defenses stand to be compromised by a range of factors, including (1) Applications which traverse “through firewall policies,” (2) Mobile devices, (3) IP-enabled devices which are “internal to the network,” (4) External devices “allowed on the internal network temporarily,” (5) Wireless access points that are “unknowingly deployed,” and (6) Direct internet access from devices [5]. As a result, it will be necessary to improve internal perimeter defenses in order to mitigate these security threats.

Proposed Solutions. Perimeter defense can be improved through a range of protocols. These include (1) Passive monitoring tools, including the vulnerability assessment applications considered above, which can be useful in discovering “devices connected to the network” and the capabilities of such devices [5]. Scanners will be useful in analyzing the “configurations, patch levels, operating systems, and installed applications” of such devices, to discover “vulnerabilities that can be exploited by hackers” seeking to gain unauthorized network access, even with the presence of a firewall [5]. In addition, (2) Active monitoring of network activity must be sought, such as Anomaly Detection Software (ADS), employed to “look for patterns and events...like unwanted IP structures and unknown communication patterns,” in order to ‘better define’ the network perimeter in real time and to track and detect security threats as they occur [5]. Finally, perimeter defenses can be rendered more robust through the thorough management of (3) Logs, which must be evaluated “constantly and consistently”; though this might be partially automated, such logs must be “evaluated and cross-referenced” by IT specialists, especially through correlation, in order to identify patterns which are potentially indicative of threat [5].

Justification. Though network security at the ‘perimeter’ is often protected by a firewall alone, security policies must adopt passive and active monitoring of all network activity, to reduce the chance of threat or attack that might ‘bypass’ even the strongest of perimeter firewalls.
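The log evaluation and cross-referencing step above, run over a handful of perimeter firewall records: one detector flags a source that was denied on many distinct ports inside a short window, a second cross-references internal source addresses against the asset inventory to surface the “unknowingly deployed” devices the Requirements paragraph mentions, and a correlation pass raises the priority of a sweeping source that was later allowed through. This is an added example written for this page, not code from the cited IBM paper [5]; the log format, the addresses (RFC 5737 documentation ranges) and the inventory are all constructed.

```python
"""Log correlation over perimeter firewall records: detect a port sweep from a
single source, cross-reference internal sources against the asset inventory
to surface unknown devices, and raise the priority of a sweeping source that
was later allowed through.

Added illustration for this proposal; not code from the cited IBM paper [5].
The log format, addresses (RFC 5737 documentation ranges) and inventory are
constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed firewall log format: one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log, including one unparseable line to show it is skipped.
SAMPLE_LOG = """\
2017-11-09T10:00:01 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2017-11-09T10:00:03 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2017-11-09T10:00:05 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2017-11-09T10:00:06 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2017-11-09T10:00:09 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2017-11-09T10:00:12 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=8080 proto=tcp
2017-11-09T10:02:40 fw01 ALLOW src=203.0.113.7 dst=192.0.2.20 dport=443 proto=tcp
2017-11-09T10:03:00 fw01 DENY src=198.51.100.5 dst=192.0.2.10 dport=3389 proto=tcp
2017-11-09T10:04:15 fw01 ALLOW src=192.0.2.99 dst=192.0.2.10 dport=445 proto=tcp
2017-11-09T10:04:20 fw01 ALLOW src=192.0.2.30 dst=192.0.2.20 dport=443 proto=tcp
this line is not a firewall event and is skipped
"""

# Constructed asset inventory of sanctioned internal hosts.
KNOWN_INTERNAL = {"192.0.2.10", "192.0.2.20", "192.0.2.30"}
INTERNAL_PREFIX = "192.0.2."


def parse_log(text: str) -> List[Dict]:
    """Turn raw lines into event dicts; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def detect_port_sweeps(events: List[Dict], min_ports: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, int]]:
    """Sources denied on >= min_ports distinct ports within any sliding window."""
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied[e["src"]].append(e)
    alerts = []
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                alerts.append((src, len(ports)))
                break   # one alert per source is enough
    return alerts


def detect_unknown_internal(events: List[Dict], inventory=KNOWN_INTERNAL) -> List[str]:
    """Internal addresses acting as traffic sources that the inventory does not know."""
    return sorted({e["src"] for e in events
                   if e["src"].startswith(INTERNAL_PREFIX) and e["src"] not in inventory})


def correlate(events: List[Dict]) -> Dict[str, str]:
    """Cross-reference: a sweeping source that was ALLOWed anywhere after its
    first denial is a higher-priority finding than a sweep alone."""
    findings = {}
    for src, _ in detect_port_sweeps(events):
        first_deny = min(e["ts"] for e in events if e["src"] == src and e["action"] == "DENY")
        later_allow = any(e["action"] == "ALLOW" and e["src"] == src and e["ts"] > first_deny
                          for e in events)
        findings[src] = "sweep-then-allowed" if later_allow else "sweep-only"
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port sweeps:", detect_port_sweeps(evs))
    print("unknown internal devices:", detect_unknown_internal(evs))
    print("correlated findings:", correlate(evs))
```

Neither detector is interesting on its own; the value is in the cross-reference. A sweep followed by an accepted connection from the same source is exactly the pattern that a firewall, looking at each packet in isolation, will never raise.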

D. Network Defense Devices

Requirements. Firewalls are the most common means by which boundary protection is undertaken, typically through design which “[allows] good traffic in,” without permitting “bad traffic,” as through intrusion prevention and intrusion detection systems (IPS/IDS) employed across the network [12]. Network security can be maintained locally, and physically, through adopting network defense and boundary protection devices. Such devices aid in controlling the “flow of information into and out of the internal operational network,” and in “protecting it from malicious insiders, external entities with malicious intent,” or otherwise unauthorized access or the “disclosure of sensitive information” [16]. Though software perimeter defense was considered in the previous section, it must be complemented by the practice of “due diligence in ensuring physical security” of any site or asset upon which boundary protection devices are installed [16].

Proposed Solutions. Such systems are robust, especially in their capacity to detect network traffic anomalies, as are signature-based systems, which analyze actions undertaken on the network and “compare them to a database of signatures to determine if action should be taken,” as in the case of anti-virus software. This work proposes implementing Snort, an open-source “signature based [IPS/IDS],” to perform “protocol analysis as well as content matching,” with high efficacy in detecting and acting upon a wide range of malicious activity, including “buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts” [12].

Justification. Though this security system may apply any software-based network defense devices (as augmented by the physical security of these systems), Snort is the best solution, due to its open-source nature and support for both Windows and Linux operating systems.

E. Host Defenses

Requirements. Typical paths by which host security is maintained include IDS/IPS, as well as “firewalls and mandatory access control,” though such methods typically fail to account for “host flows,” or for vulnerabilities which may result from “minor modifications to host configurations” [17]. That said, such policies are frequently reactive in nature, and tend to “[respond] to vulnerabilities as adversaries identify them” [17]. To this end, it will be necessary to “proactively block remote adversaries” through superior host defenses [17].

Proposed Solutions. Antiviral software is one of the most commonly implemented host defenses, but it often fails to meet any standard of proactivity. That said, the most efficacious form of host defense is a robust host-based firewall complemented by IPS/IDS. Host-based firewalls can follow “coarse-grained rules,” such as those which define which network ports and associated services may be accessed, or “finer-grained” rules which enforce policy regarding “which hosts are allowed to connect with [which] services” [10]. It is also recommended that this organization enforce a type of host-based firewall, often called the “personal firewall,” which will “dynamically adapt to the user’s network use,” so that attackers cannot enter systems via a “previously unauthorized network path” without being detected [10].

Justification. Though robust network security might be maintained through perimeter defense and IPS/IDS, these systems leave the ‘host’ user open to attacker compromise. Personal firewalls offer a critical means by which this ‘final’ area of vulnerability can be corrected.
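The coarse-grained versus finer-grained distinction above, and the “personal firewall” that adapts to observed use, modelled as a small first-match rule evaluator. This is an added example written for this page, not code from the cited book [10]; the rule sets, the addresses and the learning behaviour are constructed assumptions, and a real host firewall (iptables, nftables, Windows Defender Firewall) would be the enforcement point for rules like these.

```python
"""Host-based firewall rule evaluation: coarse-grained (port only) rules versus
finer-grained (source host + service) rules, plus a 'personal firewall' that
learns the paths a host normally sees and flags a previously unauthorized one.

Added illustration for this proposal; not code from the cited book [10]. The
rule sets, addresses and behaviours are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Conn:
    """An inbound connection attempt as the host sees it."""
    src: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """First-match rule: any field left None is a wildcard."""
    action: str                       # "allow" or "deny"
    dport: Optional[int] = None
    src_net: Optional[str] = None     # CIDR, e.g. "10.0.5.0/24"
    proto: str = "tcp"

    def matches(self, c: Conn) -> bool:
        if self.proto != c.proto:
            return False
        if self.dport is not None and self.dport != c.dport:
            return False
        if self.src_net is not None and ip_address(c.src) not in ip_network(self.src_net):
            return False
        return True


def evaluate(rules: List[Rule], c: Conn, default: str = "deny") -> str:
    """Return the action of the first matching rule; default-deny otherwise."""
    for r in rules:
        if r.matches(c):
            return r.action
    return default


# Coarse-grained: which ports/services may be reached, from anywhere.
COARSE_RULES = [Rule("allow", dport=22), Rule("allow", dport=443)]

# Finer-grained: which hosts may reach which services (admin subnet only for SSH).
FINE_RULES = [
    Rule("allow", dport=22, src_net="10.0.5.0/24"),
    Rule("deny", dport=22),
    Rule("allow", dport=443),
]


class PersonalFirewall:
    """Adapts to observed use: a connection the static rules allow, but that
    arrives over a (source, port) path never seen during the learning period,
    is reported instead of silently admitted."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.known_paths: Set[Tuple[str, int]] = set()

    def decide(self, c: Conn, learning: bool = False) -> str:
        action = evaluate(self.rules, c)
        path = (c.src, c.dport)
        if action == "allow" and path not in self.known_paths:
            if learning:
                self.known_paths.add(path)
                return "allow"
            return "alert"      # allowed by policy, but a new path: needs confirmation
        return action


if __name__ == "__main__":
    ssh_from_internet = Conn("203.0.113.9", 22)
    ssh_from_admin = Conn("10.0.5.4", 22)
    print("coarse:", evaluate(COARSE_RULES, ssh_from_internet))   # allow
    print("fine:  ", evaluate(FINE_RULES, ssh_from_internet))     # deny
    pf = PersonalFirewall(FINE_RULES)
    pf.decide(ssh_from_admin, learning=True)
    print("known path:", pf.decide(ssh_from_admin))               # allow
    print("new path:  ", pf.decide(Conn("10.0.5.9", 22)))         # alert
```

The same SSH attempt from the internet is admitted by the coarse rule set and refused by the fine one; the personal firewall adds a third outcome, “alert”, for traffic that policy permits but that has never used this path before, which is the “previously unauthorized network path” case in the text.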

Section 3: Securing Data at Rest and In Transit

A. Public Key Infrastructure

Requirements. In order to maintain the security of e-mail, as well as intranets and extranets, in a manner by which “confidentiality, access control, data integrity, and accountability” are maintained, public key infrastructure (PKI), as facilitated through cryptography, has recently seen adoption [11]. These systems use algorithms in order to convert “intelligible plaintext” -- as in e-mail text -- into “unintelligible ciphertext,” and back again at the secured point of destination [11]. They help to ensure that secured data, if ‘intercepted,’ cannot be used by attackers.

Proposed Solutions. To implement a PKI function, it will be necessary to establish a means of (1) Issuing certificates, (2) Revoking certificates, and (3) Publishing ‘Certificate Revocation Lists’ through a “directory service, where access is facilitated by Lightweight Directory Access Protocol (LDAP).” Under this structure, the ‘certificate authority’ (CA) would provide user keys to each public key user [11]. The maintenance of trust between users and CAs is critical, and will be maintained through regular “audit of CA policies and procedures” and adherence thereto, to be employed at regular intervals [11]. ‘Transactions’ which employ PKI will be cross-certified in a hierarchical manner in order to ensure their authenticity, and “time-stamped” in order to further ensure their validity. This will necessitate the augmentation of the PKI with a “time-stamping service” [11]. Policies will be implemented by which keys are ‘backed up’ and available for restoration in the event of “disk crash or virus attack,” and updated yearly, in order to reduce network security and data risk exposure from keys that have been “unknowingly compromised” [11].

Justification. Robust public key cryptography will provide a critical means by which data can be secured in the network, thereby adding to its robustness and protecting it from attack.

B. Secure Protocol Implementation

Requirements. In wide-reaching network systems, the maintenance of security necessitates the periodic updating of systems, as through the patching of software. However, such efforts may expose systems to security flaws and potential “spoofing and replay attacks,” as through tampering with updates or in “replaying an old bitstream to downgrade the system,” thereby demanding that protocols be implemented to secure such activities [3]. Because current approaches to the standardization of security patching protocols are “ad hoc” in nature, it will be necessary to establish a stated and explicit methodology to govern such network-host update transactions [18].

Proposed Solutions. A policy of moving from “informal to formal specifications” will be implemented [18]. This will require moving from security and update protocols which employ “standard notation” to those which employ a “formal specification language” which makes use of “well-defined semantics,” and which can be analyzed using formal techniques, in order to verify that the “desired security properties” it seeks will be upheld in the event of potential attack [18]. Such ‘conversion’ and standardization of protocols will apply “code generation” methodologies, in order to automate this process and to mitigate the inherent risk of “human error in interpretation” of the often ‘subtle’ semantics of security protocol specifications [18]. Software such as Sn2Spi will be used in this effort; the resulting specification will be analyzed using any of the “formal techniques applicable to Spi Calculus,” and then implemented using Spi2Java (or similar) conversion software [18].

Justification. The standardization of security protocol elements is satisfied by this plan. It will be necessary to remove the ‘human’ coding element from this equation, to ensure all systems are limited in their exposure to security attacks which take advantage of critical security updates.

C. File Encryption

Requirements. Similar to PKI, file encryption involves maintaining the translation of data “into a secret code,” after which the security of files is maintained through the use of a “secret key or password” which enables their decryption [9]. At present, 128-bit cryptography has “emerged as the new digital standard” in such processes [9]. The requirements for algorithms used in such security processes are high, and are dictated by U.S. federal regulation [15].

Proposed Solutions. It will be necessary to implement a file encryption and decryption process which is “Advanced Encryption Standard [AES]-compatible,” as defined by the National Institute of Standards and Technology (NIST) [15]. Any algorithms for file encryption must meet NIST standards, especially regarding the use of Rivest–Shamir–Adleman (RSA) or “Elliptic Curve Cryptography [ECC]” algorithms [15]. In adhering to NIST standards and recommendations, all endpoints must be “authenticated” before any “exchange or derivation” of session keys, and public keys used to establish trust (as augmented through regular audit of security policy) must be “authenticated prior to use” [15]. Other modes of authentication include their transmission via “cryptographically signed message,” or manual verification through use of a “public key hash” [15]. Any cryptographic keys generated must be “seeded from an industry standard random number generator,” and stored in a “secure manner” which prevents their loss, theft, or compromise [15].

Justification. As with PKI, all file encryption must be coordinated in a thorough manner. Due to the range of NIST-advised requirements, organizations must adhere to all applicable law.

D. Hashing

Requirements. Another means by which data security is ensured is through hashing, which is used to index and retrieve database items, but has also seen much use in encryption algorithms. Critically, when employed in encryption, hash functions will not ensure “confidentiality,” as the NIST methods above do, but they will provide “verification that a message has not been altered” [19]. As a result, hashing is most useful in the storage of passwords and other ‘static’ sensitive material.

Proposed Solutions. In order to maintain the security of stored network authentication material (passwords) through the use of hash functions, three conditions must be satisfied. First, no hash value should be “usable to determine the original input” -- which would risk the security of any data, as with passwords. Second, no hashing algorithm should be “run on the same input and produce different hashes,” which would reduce the usability of this method. Finally, steps must be taken in order to avoid collision. This occurs during processes of computing the Message Digest 5 (MD5) or Secure Hash Algorithm (SHA), when “two different initialization vectors [produce] the same hash value,” thereby reducing the security advantages offered by this methodology [19]. In any case, hash functions represent a strong means by which the security of stored passwords can be maintained, provided that network administrators adhere to these practice recommendations.

Justification. This system must be reinforced by methods by which its ‘static’ elements, such as passwords, are maintained. Hash-based encryption methods offer an effective means by which this critical task can be performed, but they must not be used in file encryption processes.
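The three conditions above (the stored value must not reveal the input, the same input must always verify, and distinct inputs must not be made to collide), applied to password storage with a salted, iterated hash from the Python standard library. This is an added example written for this page, not code from the cited textbook [19]; the iteration count and the sample passwords are constructed assumptions. It also shows, beside the hardened form, why an unsalted single-pass MD5 digest of the kind the text warns about falls short: two users with the same password produce the same value, which links their accounts and lets one precomputed table serve for the whole database.

```python
"""Password storage with a salted, iterated hash, against the three conditions
in the text: the stored value must not reveal the input, the same input must
always verify, and distinct inputs must not collide in a way an attacker can
exploit. Also shows why an unsalted fast digest such as MD5 falls short.

Added illustration for this proposal; not code from the cited textbook [19].
Uses only the Python standard library (hashlib PBKDF2-HMAC-SHA256); the
iteration count and sample passwords are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000            # constructed; tune to ~100 ms on the auth server
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per password means two users with the same password get
    different records, so a leaked table cannot be cracked once for everyone.
    """
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def weak_unsalted_md5(password: str) -> str:
    """What not to do: unsalted and fast. Identical passwords produce identical
    values, and the digest can be matched against precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def needs_rehash(record: str) -> bool:
    """True if the stored record uses fewer iterations than current policy,
    so it should be re-hashed at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ despite same password:", alice != bob)
    print("both verify:", verify_password("correct horse battery staple", alice)
          and verify_password("correct horse battery staple", bob))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", alice))
    print("md5 records identical (linkable):",
          weak_unsalted_md5("correct horse battery staple")
          == weak_unsalted_md5("correct horse battery staple"))
```

The determinism condition is satisfied per record, not globally: the same password with the same stored salt always yields the same digest (which is what makes verification possible), while the random salt keeps two records for the same password from being equal. Storing the iteration count in the record lets the policy be raised later without invalidating existing logins.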

Works Cited

[1] Britton, C. “Cybersecurity Considerations for Your Business Continuity Planning.” 2017. Internet: https://www.rockdovesolutions.com/blog/cybersecurity-considerations-for-your-business-continuity-planning. [November 9, 2017].
[2] Carabott, E. “Why you need to run a vulnerability assessment.” 2011. Internet: https://techtalk.gfi.com/vulnerability-assessment/. [November 9, 2017].
[3] Devic, F., Torres, L., and Badrignans, B. “Secure protocol implementation for remote bitstream update preventing replay attacks on FPGA.” 2010. Internet: http://ieeexplore.ieee.org/document/5694243/. [November 10, 2017].
[4] Ernst and Young. “Mobile device security: Understanding vulnerabilities and managing risks.” 2012. Internet: http://www.ey.com/Publication/vwLUAssets/EY_Mobile_security_devices/$FILE/EY_Mobile%20security%20devices.pdf. [November 9, 2017].
[5] IBM. “Understanding IT Perimeter Security.” 2008. Internet: http://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf. [November 9, 2017].
[6] Joint Universities Computer Center Ltd. “Network Access Control.” 2016. Internet: https://ito.hkbu.edu.hk/pub/is_newsletter/professional/Issue_09_NAC/JUCC%20Newsletter-IT-9%20NAC.pdf. [November 9, 2017].
[7] Kak, A. “Port and Vulnerability Scanning, Packet Sniffing, Intrusion Detection, and Penetration Testing.” 2017. Internet: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture23.pdf. [November 9, 2017].
[8] Lamar Institute of Technology. “Information Technology Risk Management Plan.” 2012. Internet: http://www.lit.edu/depts/TechService/Docs/LIT%20Risk%20Management%20Plan%20ver%202.31.pdf. [November 9, 2017].
[9] Lantronix. “Encryption and its Importance to Device Networking.” 2016. Internet: https://www.lantronix.com/wp-content/uploads/pdf/Encryption-and-Device-Networking_WP.pdf. [November 9, 2017].
[10] Nazario, J. Defense and Detection Strategies against Internet Worms. Artech House, 2004.
[11] RSA Data Security. “Understanding Public Key Infrastructure.” 2014. Internet: ftp://ftp.rsa.com/pub/pdfs/understanding_pki.pdf. [November 10, 2017].
[12] Russell, D. and Gangemi, G.T. Computer Security Basics.
[13] Rice, B. “Automated Snort Signature Generation.” 2014. Internet: http://commons.lib.jmu.edu/cgi/viewcontent.cgi?article=1314&context=master201019. [November 10, 2017].
[14] SANS Institute. “Physical Security and Why it is Important.” 2016. Internet: https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120. [November 9, 2017].
[15] SANS Institute. “Acceptable Encryption Policy.” 2014. Internet: https://www.sans.org/security-resources/policies/general/pdf/acceptable-encryption-policy. [November 9, 2017].
[16] State of Georgia. “Network Security -- Boundary Protection.” Internet: https://gta.georgia.gov/psg/article/network-security-boundary-protection. [November 9, 2017].
[17] Talele, N., Teutsch, J., Jaeger, T., and Erbacher, R.F. “Using Security Policies to Automate Placement of Network Intrusion Prevention.” Internet: https://people.cs.uchicago.edu/~teutsch/papers/ESSOS_2013.pdf. [November 10, 2017].
[18] Tobler, B. “A structured approach to network security protocol implementation.” 2005. Internet: http://pubs.cs.uct.ac.za/archive/00000281/01/ben-tobler-2005-12-thesis.pdf. [November 10, 2017].
[19] Weaver, R., Weaver, D., and Farwood, D. Guide to Network Security and Countermeasures. Cengage, 2013.
[20] WatchGuard. “Producing Your Network Security Policy.” 2007. Internet: https://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf. [November 9, 2017].
