Kyle Lapato

ITSY 2401
Firewalls and Network Security

Project Part 3: Network Security Plan

Submitted to
Professor Melanie Teeters

South Campus

Submitted in Partial Fulfillment of the Requirements for

ITSY 2401
Spring 2019
by

Kyle LaPato

4/20/2019

Given the results from the various vulnerability scans, reports, and provided documentation, the network has a total of 7 hosts, one of which is the Web Server. There are also a number of general-purpose PCs and workstations in use on the network. The biggest and most common issue seen on each host is an outdated operating system. As operating systems age and go without updates, attackers discover new vulnerabilities and attack vectors for any system running older versions of system software. The majority of these security vulnerabilities can be solved by updating the operating systems on all of the machines. Upgrades to the operating systems will bring newer, more secure certificates and avoid the known security issues found in the older operating systems, provided the hardware permits the upgrades. There are also a number of open ports that are not being used on each host that should be closed in order to prevent unauthorized access to any of the machines. Any ports that could be used for streaming, peer-to-peer, or gaming should be closed as a matter of safe practice. Lastly, any traffic being transmitted on our network in clear text should be switched to encrypted methods to protect the confidentiality of the company’s data. The following ports should be blocked to minimize unauthorized clear text packet transfers:

- Port 21 - FTP

- Port 23 - Telnet

- Port 80 - Basic HTTP

- Port 110 - POP3
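
Whether these four ports are actually closed after remediation can be checked directly against scan output. The following is an added example, not part of the original plan; it assumes the scan results are saved in Nmap grepable (-oG) format, and the sample lines and 192.0.2.x addresses are constructed.

```python
import re

# Cleartext services the plan says to block (port -> protocol).
BLOCKED = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3"}

# Constructed sample in Nmap grepable (-oG) format; addresses are placeholders.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.11 ()\tPorts: 23/closed/tcp//telnet///, 443/open/tcp//https///
Host: 192.0.2.12 ()\tPorts: 110/open/tcp//pop3///, 3389/filtered/tcp//ms-wbt-server///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_open_tcp_ports(grepable):
    """Return {host: sorted list of open TCP ports} from -oG text."""
    hosts = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        # The Ports field ends at the next tab-separated field, if any.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            # Only "open" counts; closed and filtered ports are not findings.
            if fields[1] == "open" and fields[2] == "tcp":
                hosts.setdefault(m.group(1), set()).add(int(fields[0]))
    return {h: sorted(p) for h, p in hosts.items()}


def cleartext_findings(grepable):
    """Return [(host, port, service)] for open ports on the plan's block list."""
    findings = []
    for host, ports in sorted(parse_open_tcp_ports(grepable).items()):
        findings += [(host, p, BLOCKED[p]) for p in ports if p in BLOCKED]
    return findings


if __name__ == "__main__":
    for host, port, svc in cleartext_findings(SAMPLE_SCAN):
        print(f"{host}: tcp/{port} ({svc}) is open and should be closed or replaced")
```
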

The best design moving forward, one that ensures internal security for Corporation Tech while retaining the availability of the public web server, is a multi-layer approach in which no single weakness can cause another data leak. As a network management team, we will be implementing a network security plan to mitigate all known vulnerabilities. We’ll set up a secure site that can be accessed from the internal network and that will include intrusion detection and network protection systems. Hardening strategies will also be discussed, as well as the policies for both remote access and VPN use. In the interest of security, any user attempting to access the VPN will have to have their device registered with the IT department. By registering their device, the user consents to having the VPN installed onto their system as well as having their MAC addresses added to the list of allowed addresses on the MAC address filter. This updated network layout will help increase network security to match the company’s current needs.

The network team will protect the web server by keeping it isolated within the internal network, and anyone wanting to access the web server will have to tunnel through the VPN. This ensures that all traffic to the web server will be encrypted and protected by user accounts and passwords. An Intrusion Detection System (IDS) will be implemented and configured to send out alerts in the event that someone manages to break into the network. In a final attempt to keep data confidential, we’ll implement a shared infrastructure that distributes data among a multitude of machines in a data center, which will prevent a total loss of data if an attacker gains access to a single machine.

Multi-Layer Defense Strategy:

➢ WAN Domain

○ Encryption and VPN tunneling mandatory for remote connections

○ Configure network firewalls and routers to block Ping requests to reduce the chance of DoS / DDoS attacks

○ Mandatory scanning of all email attachments with anti-virus / anti-malware software and prompt removal of any identified threats

○ Implementation of multiple redundant internet connections to maximize server availability

➢ LAN to WAN Domain

○ Set up a perimeter firewall to filter both incoming and outgoing traffic as well as block off any unused ports to help mitigate the chance of unwanted network access

○ Implement an IDS to alert network administrators if a breach in the network is detected

○ Keep all networking hardware up-to-date with current OS patches and security updates

○ Set up a DMZ to house the Web Server to secure it from both outside attacks and in case the internal LAN becomes compromised

➢ LAN Domain

○ Secure server rooms under lock and key to prevent unauthorized access

○ Enforce WPA2 encryption on all wireless access points

○ Utilize network switching, firewall rules, and subnetting to section off different parts of the LAN to prevent the spread of potential viruses and protect the rest of the network in case of an intrusion

➢ Workstation Domain

○ Schedule regular scans with anti-virus / anti-malware programs on each workstation to ensure systems are healthy

○ Block off any sort of media streaming ports through the system firewall to prevent user distractions as well as mitigate network congestion

○ Encrypt storage devices on company equipment to prevent loss of sensitive data in the case said equipment is stolen

➢ User Domain

○ Instruct all employees regularly with basic security awareness training to help prevent network compromises from occurring from the inside

○ Audit all user activity to ensure no employees are leaking confidential data

○ Establish strict password and lockout policies to defend the network from brute force attacks, utilizing authorization tokens or other forms of two-step authentication

Remote Access Policies and Procedures

➢ Each user attempting to connect via remote access must have a unique username and password. This establishes accountability for anything a particular user may do while logged into the VPN. All network resources must be encrypted before they are accessed.

➢ All users must have a strong and unique password that is different from their local user login. This prevents the loss of both local and VPN accounts should one of the user’s accounts become compromised. Passwords will be changed every 3 months and must have a length longer than 8 characters and contain all of the following: a capital letter, a lowercase letter, a number, and a special character.

➢ All devices connected to either the VPN or the LAN must be pre-approved by the IT department and must follow the regular update policy in place to ensure that all devices connected to the network are up-to-date, healthy, and secure.
