Proposal for Network Security

A vulnerability is defined as "a flaw or a weakness in a system's design, implementation, or operation and administration that could be exploited to violate the system's security policy" [18] by the Internet Engineering Security Taskforce. Due to the constantly evolving nature of security threats to the network, the team in charge of network security at University of Maryland University College (UMUC) conducts recurring Vulnerability Assessment tests to identify any risks that may have an impact on the network and to find solutions to keep it secure [11].


The OpenVAS Server will be set up as our preferred vulnerability scanner. OpenVAS Server works in a similar way to an Intrusion Detection System. The OpenVAS Server will perform diagnosis for the first phase of the vulnerability assessment; it will detect problems on the network and notify us but will not solve the problems, so we still need to address the identified issues after diagnosis.


Justification


The OpenVAS Server is an updated vulnerability scanner that can make a real difference in scanning and detecting network errors. Among other things, it provides a recommendation for the problems found in the system. OpenVAS also allows us to install additional plugins to customize our experience and its functionality, providing a wide range of possibilities and features for its users.


B. Security Policy


A network security policy is a written paper containing rules dictating how a particular institution or organization plans to protect its physical and technological assets such as computers and servers. Security policies keep changing since the requirements and circumstances, such as security threats to information systems, within which they operate keep evolving [5] [12].


Requirements


Having a Security Policy for our network at UMUC will allow us to control and monitor how our students, tutors, workers and everyone else accessing the network is retrieving relevant information and using resources available to the system. A security policy is necessary to assure network users of their personal safety since it spells out what personal information can be accessed by the Information technology department. Security policies also ensure legal liabilities for students, faculty, and staff because they are bound to follow a code of conduct they signed and agreed to abide by while using the network [14] [13].


Proposed Solution


We will develop a security policy for the university network to govern how the system is accessed and also to allocate different permissions to different people so that the network environment is safer for both the user and University of Maryland University College. Our network policy contains several documents:


Acceptable Use Policy (AUP) – Defines what the Staff members at UMUC are allowed to do and what they are restricted from doing with university property such as computers and the internet. A vital feature of our user policy is defining how we will monitor the activities and behaviors of the employees. The policy recommends monitoring everything including data that is considered personal such as passwords and dates of birth to prevent employees who are the primary network users from having loopholes that they can exploit as a security weakness in our system.


Procedure document – A detailed, in-depth, step-by-step document that states exactly what can be done on the network and how it can be done. It will give directions to students on how they can access learning materials on the system and what procedures they must follow to download essential documents from the network or upload their assignments for lecturers.


Baseline document – States the minimum level of security that a device such as a computer must adhere to on our network. This is important since sometimes we use the bring your own device (BYOD) policy to allow more students to access the UMUC network at their convenience [8].


Authorized access document – States that only users with authority are allowed to access specific resources on the system; these resources include term papers for other students or the grade awarding portal. One user might have the authority to access term papers, but the same user might not have the authority to access the grading system. For example, faculty are allowed to access and make changes to the grading system while a student is not allowed access to the same grading system, and only IT staff are permitted access to activity logs generated by the system while the faculty is not permitted to access activity logs.


Configuration and change policy document – States that only authorized IT personnel from the UMUC IT department can make any changes, such as installing or deleting software; any other person must get direct authority from the IT department to make any changes to the system. This protects assets from improper use and also prevents spammers.


A password policy document will detail specific length requirements such as mixed letters, numbers, and symbols for passcodes. It will also require authentication to confirm the legitimacy of the user information provided. This will be achieved by receiving a confirmation code by phone or email that you are required to input while signing up for an account, to ensure the users are the real bearers of the passcodes.


Other documents will include organizational security policy, human resource policy and codes of ethics policy; these policy documents are vital in protecting UMUC from liability and exposure.


Everybody at the university must sign the security policy. The lecturers will sign on employment while the students will sign on admission. This document will be binding, and anybody found in breach of this security policy is punishable by the disciplinary organs of the university [14].


Justification


The authorized access document in the security policy provides a framework under which the network at University of Maryland University College (UMUC) is protected from unauthorized access by people with malicious intentions who may want to compromise the information in the system or use it for purposes it wasn’t meant to be used for. The policy document will also provide a legal framework for prosecution of culprits in case they are found breaching it, since every member of the university community will sign papers that are relevant to them and promise to abide by its rules. For example, if a student is found trying to change grades, which are the sole authority of the faculty as per the security policy, he or she can be punished because they broke the security policy by accessing a section of the system that they are not authorized to access. Without the security policy it would be difficult to find a law the student breached [13].


C. Risk Management


Requirements


A Risk Management Plan is essential to our university network because it helps reduce the effect of threats or risks that could happen to the UMUC network. Such risks are natural disasters, which would include fire breakouts, and managerial errors such as wrong decisions made on the running of the system or the implementation of a new idea [4].


Proposed Solution


We will implement a risk management plan that outlines how we will deal with possible threats if they occur. In our risk management plan, we classify threats into three categories: internal threats, external threats, and natural disasters.


Justification


Our Risk Management Plan helps lay out a road to recovery when complications in the future of the university occur. By following the four strategies of mitigating risk (avoidance, reduction, transfer, and acceptance), any risks that might affect our network can be managed with ease.


D. Business Continuity Plan


Requirements


A Business Continuity Plan (BCP) is a mandatory document that will help UMUC have a plan in case something goes wrong and provide a route to recovery.


Proposed Solutions


We will carry out a Business Impact Analysis (BIA) and prioritize which resources are most critical to our system. We will then devise a Disaster Recovery Plan (DRP). The DRP will cover every possible disaster and develop a plan for each one in case it happens, to avoid being caught off guard and reduce the downtime as much as possible.


Justification


Our Business Continuity Plan will assist us to continue in case of a disaster or a disruption to the regular running of the network. It will save us time and money by pointing out the critical functions and resources of the network that might be affected most in case of an interruption. Our Business Continuity Plan helps make sure that the UMUC network can continue in times of disaster rather than stall until complete recovery.


E. Access Controls


Requirements


Access controls are crucial because they regulate access to only authorized people and prevent unauthorized people from accessing the network. There are two types of access: physical and logical.


Proposed Solution


We will implement two types of access controls. Physical access control means the building and rooms containing important network facilities such as computers and the servers can only be accessed by authorized Information Technology staff; any other person must have permission from the department. The doors in the server room will use biometric identification to assure total security. Logical access control will limit access to the network, its files and data by encrypting the data and also by the use of passwords. The four access controls implemented in our system are:


Mandatory access control, Rule-based access control, Role-based access control and Discretionary access control.


Justification


Implementing those access controls makes our physical and logical environment safer. They help regulate access to the system environment preventing unauthorized people who might have ulterior motives when trying to access the system. The integrity of data contained in the system is also assured.


II. Security Boundary Hosts, Devices and Software.


A. Physical security


Requirement


Barriers of physical nature like high walls and steel doors protect the vital network infrastructure from unauthorized access.


Proposed Solution


The university server facility will have a perimeter wall built around it to prevent access from all entry points; the only entry point will be the gate. Security lights will also be installed to provide light at night, while CCTV cameras will also be introduced. Finally, motion detectors will be installed in the computer room.


Justification


It is easier to monitor who gets in and out through the gate because people will be checked and their identity established through their ID cards; any unauthorized person will not be allowed past the gate. The CCTV cameras will monitor the facility on a 24hr basis to ensure everything that happens can be tracked. Motion detectors are the final physical security measure, and in case there is a break-in they will notify the security team of any unauthorized activity in the server room.


B. Mobile Device Security


Requirements


Mobile devices are a significant part of the University of Maryland University College; probably every single member of the university uses a mobile device to access the university network. Mobile phones, like other devices, are vulnerable to attacks and other forms of breaches that could lead to security problems for the network [7].


Proposed Solutions


In our security policy, mobile devices are only allowed to access a few elements of the system and not sensitive information on the system like the grading system. Mobile devices must also be registered to be able to access the university networks.


Justification


Registering mobile devices makes sure we are able to track the owner of a mobile device in case it is used for purposes other than the accepted purposes, while limiting their access to our network helps us easily control what they can do, since there are too many mobile devices at UMUC [7].


C. Perimeter Defenses


Requirements


The UMUC network is an essential resource to our university to achieve its purpose of offering quality education; the system contains vital information that is personal, such as student registration numbers and their official names. Perimeter defenses will ensure there is no breach of the system exposing this critical information to manipulation and also ensure the system is up at all times [3] [6].


Proposed Solutions


Proper defense systems will be implemented. An intrusion prevention and detection system will be installed; the system will also utilize a firewall. The pfSense XG-1541 1U HA firewall will act as the first perimeter defense measure. The firewall will work alongside inbuilt router firewalls to secure the system from breaches. Finally, we will create a DMZ, a proxy server and content filters using Windows Server 2012 [6].


Justification


The pfSense XG-1541 1U HA firewall will act as a barrier between our network and other non-trusted networks; it will also control access to the resources on our system through a positive control model. While the pfSense XG-1541 1U HA firewall will be the first defense, the DMZ is a second defense mechanism that will detect unwanted activities within the DMZ and prevent them from infiltrating the UMUC network systems. Content filters and a proxy server are crucial because they protect the network from within, so the users will not invite unwanted internet activities and malware such as Trojans, some without their knowledge or intention.


D. Network Defense Devices


Requirements


Switches, routers, computers, and servers are the main IT infrastructure on our network. When any of those are compromised or break down, the entire system is vulnerable to attacks and the information in the database is at risk of manipulation or deletion. That is why our primary requirement is to protect the system devices, to ensure the integrity of the data contained in the files and to minimize vulnerabilities [9].


Proposed Solutions


Our policy will demand that passwords follow a standard format. They will all contain at least two special characters, such as the hyphen or dollar sign, and at least one capitalized letter and one lowercase letter. Passwords must also be a minimum of 8 characters and a maximum of 12 characters. All the switches, routers, computers and other network devices will be placed in a safe and locked environment, with access granted only to authorized people who can be identified. Students will be recognized by their identity cards, while tutors will be identified by their tutor identities. The firmware on the routers will be regularly updated to improve security. We will also configure the DNS settings manually on all our routers and check them frequently to ensure they are not easy targets for hackers. The router settings will also be backed up at a central source so that they can be restored easily if someone wipes out the configurations. We will protect switches with firewalls to ensure they can’t be hacked, and traffic using the routers and switches will be encrypted by using SSH and SNMP encryption technology [16].


Justification


Encrypting traffic on the network ensures hackers cannot obtain our passwords by sniffing around our network when data is being transferred on the system; this makes us safer. The recommendations on passwords are meant to secure the passwords and make them crack-proof and hard to guess. Regular updating of the router firmware is meant to keep up with the latest technology and prevent easy hacking due to old and obsolete firmware.


E. Host Defenses


Requirements


Due to the many devices used on the UMUC network, a proper host defense is required to assure the integrity of the data and protect it from malware that can infect devices such as computers when they connect to external networks that are not safe, or when the user of a computer tries to connect to the system using an external network such as public WiFi.


Proposed Solutions


Malicious software can affect the functionality of computers and in turn run down the network, and should be prevented to assure network security. The proposed solution is to install antivirus software to help in detecting the malware and preventing it from infecting the system. We will continuously update the operating system and all relevant software on the network. An AdBlock program will be installed.


Justification


The antivirus software will help detect any files or programs that may contain malware of different forms such as Trojans, spyware, and worms and prevent them from affecting the system while an Adblock will help protect the computers from ads that may contain malware. Constant updating of the operating system leaves the system in good condition and no loopholes for malware to attack the system from.


III. Securing Data at Rest and in Transit


A. Public key infrastructure


Requirements


A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to securely exchange data over networks like the Internet and verify the identity of the other party [1]. A PKI includes several elements. The first element is a certificate authority, a trusted party that acts as a root of trust and authenticates the identities of the different communicating entities on the network. Another is a certificate database, which stores certificate requests and issues or revokes certificates [17].


Proposed Solutions


The United States’ Higher Education Root, abbreviated as USHER, is a trusted PKI system for institutions of learning. That is why we will implement it as the core of our system; it provides a trusted root for higher education institutions [17].


Justification


USHER offers greater authentication to information resources on our network, and it also provides protection to our digital assets from theft, manipulation, and unauthorized access. USHER will provide an environment for reliable communication between students and tutors, and between tutors and their colleagues.


B. Secure Protocol Implementation


Requirements


A security protocol is a network protocol that protects the integrity and security of data or information travelling over a medium or network such as the internet. Network security protocols provide secure data delivery between two parties on the network [10].


Proposed solution


UMUC's network shall implement Internet Protocol Security (IPSec) as our preferred security protocol. IPSec is a very complex set of protocols described in RFC2401 and RFC2411 and can run on both versions of the Internet Protocol, IP version 6 (IPv6) and the older IPv4, to protect the system. We will also implement a site-to-site virtual private network (VPN) that will have two software terminators for data encryption to enhance security.


Justification


Internet Protocol Security provides security to the network layer in a number of ways. IPSec controls access by allowing only authorized people to access specific resources; this is achieved through checking permission levels and policies. It also assures data integrity to give assurances that the data signal transferred from one client to the other on the network has not been tampered with or corrupted in the process of transmission. The VPN will provide encryption of data through its terminators where data will be sent in an encrypted format and decrypted at the other end to ensure data security during transit [10].


C. File Encryption


Requirements


With the day-to-day activities and communication between servers and client devices on the UMUC network, the amount of data generated and stored in files and folders is vast. It is essential to encrypt these files using a file encryption system to ensure that, in case of unauthorized access such as hacking, these files are still protected, since the person will not be able to understand the content of the files without decoding the encryption even if he got hold of the files [15].


Proposed Solutions


We will implement a reliable file encryption system, preferably the Encrypting File System (EFS), which is a component of the NTFS file system for Windows 2000. This system facilitates encryption and decryption of files containing data using an advanced cryptographic algorithm to protect data, and only a person with permission and the required cryptographic key can decrypt the data and access it. Another encryption method we will implement on the UMUC network is BitLocker full volume encryption, which will encrypt the entire hard drive, protecting the drive as a whole from unauthorized access unless you have the required permission.


Justification


EFS will facilitate encryption of files at several levels; at a shared folder level, only the owner with a special key will access the particular files, while BitLocker technology, on the other hand, will protect entire hard drives from unauthorized access.


D. Hashing


Requirements


Hashing is mapping data of arbitrary size to data of a fixed size. Hashing transforms strings of data into usually shorter fixed-length strings that represent the original data. All data in the UMUC system is handled carefully, but data that is considered personal and identifies end users explicitly requires more attention due to the sensitive nature of the individual data the network stores. That is why hashing is necessary: it helps protect personal data such as student admission numbers and names [2].


Proposed Solutions


We will implement the MD5 algorithm, which is the most popular data hashing tool today and produces 16-byte hash values that are expressed as 32-digit hexadecimal numbers, and also the SHA-1 online hash generator, which produces 20-byte hash values [2].


Justification


Hashing is an ideal way to store information like passwords; it is very difficult for someone to generate passwords stored in hash format even when they have the raw data. Hashing stores data in a secure form since the data is shortened and cannot be understood by just looking at it. Hashing also encrypts and decrypts digital signatures, authenticating message senders and receivers.
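An added example, not part of the original proposal: Python code that checks a password against the rules in the Network Defense Devices section and then stores it in hashed form, as the Hashing section describes for passwords. It derives the stored value with PBKDF2-HMAC-SHA256 and a per-user salt rather than a bare MD5 or SHA-1 digest, because an unsalted digest is identical for identical passwords; the function names, the iteration count, the salt size and the reading of "special character" as ASCII punctuation are assumptions.

```python
import hashlib
import hmac
import os
import string

# Password rules from the Network Defense Devices section of the proposal.
MIN_LENGTH, MAX_LENGTH, MIN_SPECIAL = 8, 12, 2
# Assumption: "special character" means any ASCII punctuation character.
SPECIAL_CHARS = set(string.punctuation)
# Assumptions: illustrative work factor and salt size, not values from the proposal.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def password_violations(password):
    """Return the policy rules the password breaks (empty list if compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if len(password) > MAX_LENGTH:
        violations.append("too_long")
    if sum(ch in SPECIAL_CHARS for ch in password) < MIN_SPECIAL:
        violations.append("needs_two_special")
    if not any(ch.isupper() for ch in password):
        violations.append("needs_uppercase")
    if not any(ch.islower() for ch in password):
        violations.append("needs_lowercase")
    return violations


def fixed_length_digests(data):
    """Hex digests of the two algorithms named in the Hashing section.

    MD5 always yields 16 bytes (32 hex digits) and SHA-1 20 bytes
    (40 hex digits), whatever the size of the input.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def _derive(password, salt):
    # Swapped-in technique: a salted, iterated key derivation function.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def store_password(password):
    """Enforce the policy, then return (salt, derived_key) for storage."""
    problems = password_violations(password)
    if problems:
        raise ValueError("policy violations: " + ", ".join(problems))
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    return salt, _derive(password, salt)


def verify_password(password, salt, stored_key):
    """Recompute the derived key and compare it in constant time."""
    return hmac.compare_digest(_derive(password, salt), stored_key)


if __name__ == "__main__":
    sample = "Umuc-2017$a"  # constructed sample password
    print(password_violations(sample))
    salt, key = store_password(sample)
    print(verify_password(sample, salt, key))
```

Two accounts that choose the same password end up with different stored values because each record has its own salt.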


E. Backup and Restore


Requirements


Data backup is the process of keeping identical copies of the data in the database stored in a different medium and preferably place for the purposes of recovery in the unlikely case of a complete system interrupt. In order to restore the system to its normal working state in case of a system interrupt we will have a backup policy where the IT department will back up data on a weekly basis and will test the backed up data on a quarterly basis to ensure it is not corrupted.


Proposed Solutions


We will use Cobian Backup software that will automatically back up data on the system once changes occur to the current set of data. This data will then be backed up manually on a weekly basis on external hard drives that will be located at a different location from the servers. The technology department at UMUC will periodically check the backed up data to assure its integrity and completeness.


Justification


By storing the external hard drives at a different location from the servers containing the original data, the UMUC IT department is taking precautions in case of a disaster that may destroy the IT infrastructure, such as a fire in the server room. Checking backup data regularly assures the security and integrity of the data stored in the backup system in case of an interruption.
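An added example, not part of the original proposal: one way the periodic check of backed-up data described above could be automated, by recording a SHA-256 manifest of the source files at backup time and comparing the backup copy against it. The function names, the choice of SHA-256 and the sample files in `demo()` are assumptions constructed for illustration; this is not a feature of Cobian Backup.

```python
import hashlib
import os
import tempfile


def file_sha256(path, chunk_size=65536):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest


def compare_backup(source_manifest, backup_root):
    """Report files that are missing, unexpected or altered in the backup."""
    backup = build_manifest(backup_root)
    return {
        "missing": sorted(set(source_manifest) - set(backup)),
        "unexpected": sorted(set(backup) - set(source_manifest)),
        "corrupted": sorted(
            path
            for path, digest in source_manifest.items()
            if path in backup and backup[path] != digest
        ),
    }


def demo():
    """Run the check on constructed sample files and return the report."""
    with tempfile.TemporaryDirectory() as source, \
            tempfile.TemporaryDirectory() as backup:
        # Constructed sample data standing in for files on the server.
        samples = {
            "grades.csv": b"student_id,grade\n1001,A\n1002,B\n",
            "roster.txt": b"1001 Sample Student\n1002 Another Student\n",
            "notes.txt": b"constructed sample file\n",
        }
        for name, data in samples.items():
            with open(os.path.join(source, name), "wb") as handle:
                handle.write(data)
        manifest = build_manifest(source)  # recorded at backup time

        # Backup drive: roster intact, one damaged byte in grades.csv,
        # and notes.txt never copied.
        with open(os.path.join(backup, "roster.txt"), "wb") as handle:
            handle.write(samples["roster.txt"])
        with open(os.path.join(backup, "grades.csv"), "wb") as handle:
            handle.write(samples["grades.csv"].replace(b"1002,B", b"1002,\x00"))
        return compare_backup(manifest, backup)


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest on a different medium from the backup drive means damage to the drive cannot also alter the reference digests.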


Works Cited


[1] M. Rouse, "What is PKI (public key infrastructure)? - Definition from WhatIs.com", SearchSecurity, 2017. [Online]. Available: http://searchsecurity.techtarget.com/definition/PKI. [Accessed: 07- Nov- 2017].


[2] S. Ltd., "What is The Difference Between Hashing and Encrypting", Securityinnovationeurope.com, 2017. [Online]. Available: https://www.securityinnovationeurope.com/blog/page/whats-the-difference-between-hashing-and-encrypting. [Accessed: 10- Nov- 2017].


[3] W. Western Illinois University, "Sensitive Data Handling Procedures - Administrative Services - Western Illinois University", Wiu.edu, 2017. [Online]. Available: http://www.wiu.edu/vpas/administrative_procedures_handbook/sensitiveData.php. [Accessed: 07- Nov- 2017].


[4] SolarWinds, "Risk Management in Network Security", Solarwindsmsp.com, 2017. [Online]. Available: https://www.solarwindsmsp.com/content/risk-management-in-network-security. [Accessed: 07- Nov- 2017].


[5] I. Tripwire, "Corporate Security Policies: Their Effect on Security, and the Real Reason to Have Them", The State of Security, 2017. [Online]. Available: https://www.tripwire.com/state-of-security/security-awareness/corporate-security-policies-their-effect-security/. [Accessed: 07- Nov- 2017].


[6] P. Certification, "Network Perimeter Security | Firewalls and Network Security | Pearson IT Certification", Pearsonitcertification.com, 2017. [Online]. Available: http://www.pearsonitcertification.com/articles/article.aspx?p=2833296. [Accessed: 05- Nov- 2017].


[7] P. Certification, "Configuring and Securing Mobile Devices | "Do I Know This Already?" Quiz | Pearson IT Certification", Pearsonitcertification.com, 2017. [Online]. Available: http://www.pearsonitcertification.com/articles/article.aspx?p=2833294. [Accessed: 06- Nov- 2017].


[8] E. Creely, "M5 BYOD security implications and how to overcome theme", Trilogytechnologies.com, 2017. [Online]. Available: https://trilogytechnologies.com/5-byod-security-implications/. [Accessed: 07- Nov- 2017].


[9] M. Mimoso and T. Spring, "Netgear Router Vulnerabilities Public Exploits", Threatpost | The first stop for security news, 2017. [Online]. Available: https://threatpost.com/disclosed-netgear-router-vulnerability-under-attack/114960/. [Accessed: 07- Nov- 2017].


[10] N. Lord, "Data Protection: Data In transit vs. Data At Rest", Digital Guardian, 2017. [Online]. Available: https://digitalguardian.com/blog/data-protection-data-in-transit-vs-data-at-rest. [Accessed: 03- Nov- 2017].


[11] Riskbasedsecurity, "Network Vulnerability Assessment", Riskbasedsecurity.com, 2017. [Online]. Available: https://www.riskbasedsecurity.com/penetration-tests/. [Accessed: 07- Nov- 2017].


[12] C. Paquet, "Security Policies > Network Security Concepts and Policies", Ciscopress.com, 2017. [Online]. Available: http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3. [Accessed: 07- Nov- 2017].


[13] Conceptdraw, "Network Security Devices", http://www.conceptdraw.com, 2017. [Online]. Available: http://www.conceptdraw.com/How-To-Guide/network-security-devices. [Accessed: 07- Nov- 2017].


[14] Harvard, "Harvard Research Data Security Policy (HRDSP)", Vpr.harvard.edu, 2017. [Online]. Available: https://vpr.harvard.edu/pages/harvard-research-data-security-policy. [Accessed: 07- Nov- 2017].


[15] J. SCHARR and H. CASEY, "How to Encrypt Files on Windows - Tutorial - Tom’s Guide", Tom's Guide, 2017. [Online]. Available: https://www.tomsguide.com/us/encrypt-files-windows,news-18314.html. [Accessed: 07- Nov- 2017].


[16] T. Republic, "Fundamentals: Five ways to secure your Cisco routers and switches", TechRepublic, 2017. [Online]. Available: https://www.techrepublic.com/blog/data-center/fundamentals-five-ways-to-secure-your-cisco-routers-and-switches/. [Accessed: 07- Nov- 2017].


[17] D. Anthony, M. Franklin and R. Brentrup, 2017. [Online]. Available: https://er.educause.edu/articles/2004/1/pki-a-technology-whose-time-has-come-in-higher-education. [Accessed: 07- Nov- 2017].


[18] Shirey, "Internet Security Glossary", Ietf.org, 2017. [Online]. Available: https://www.ietf.org/rfc/rfc2828.txt. [Accessed: 11- Nov- 2017].
