Please re-write this for me Assignment 1: Defense in Depth Due Week 4 and worth 70 points Oftentimes, the process of implementing security opens one’s eyes to other forms of security they hadn’t thought of previously. Well, in this assignment you shoul

201133103assignment1
 

Please re-write this for me

Assignment 1: Defense in Depth 
Due Week 4 and worth 70 points

Don't use plagiarized sources. Get Your Custom Essay on
Please re-write this for me Assignment 1: Defense in Depth Due Week 4 and worth 70 points Oftentimes, the process of implementing security opens one’s eyes to other forms of security they hadn’t thought of previously. Well, in this assignment you shoul
Just from $13/Page
Order Essay

Oftentimes, the process of implementing security opens one’s eyes to other forms of security they hadn’t thought of previously. Well, in this assignment you should experience just that. This assignment focuses on a model of implementing security in layers which in many cases requires a network that is designed accordingly. In this assignment, you are to design a network to incorporate the following: 

Corporate Site (Chicago)

  • All servers exist here (Web server, file server, print server, mail server, ftp server)
  • Connection to the Internet (50mbps)
  • 300 employees who only need access to local corporate resources and the Internet

1 Remote Site (8 miles away)

  • 20 employees who need access to all resources at corporate  plus the Internet
  • Connection to the Internet (3mbps)

Write a four to five 4-5) page paper in which you:

  1. Using Microsoft Visio or its open source alternative, design a network diagram, particularly with defense in depth in mind which depicts:

    All network devices used (routers, switches, hubs, firewalls, VPNs, proxies, and / or others)
    The interconnections between network devices
    The end user (client) devices (desktops, laptops)
    The Internet cloud, generically, to represent your network’s interface to the Internet

Note: The graphically depicted solution is not included in the required page length.

  1. Describe the flow of data through your network, and explain how your network design provides multiple layers of security.
  2. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:

  • Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
  • Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
  • Include charts or diagrams created in Visio or an equivalent such as Dia. The completed diagrams / charts must be imported into the Word document before the paper is submitted.

The specific course learning outcomes associated with this assignment are:

  • Explain the essentials of Transmission Control Protocol / Internet Protocol (TCP / IP) behavior and applications used in IP networking.
  • Identify network security tools and discuss techniques for network protection.
  • Use technology and information resources to research issues in network security design.
  • Write clearly and concisely about Advanced Network Security Design topics using proper writing mechanics and technical style conventions.

** I can take care of the diagram, don’t worry about that, just keep the devices & numbers the same.  thanks

DEFENSE IN DEPTH
6

Introduction

The objective of this paper is to visually display a defense in depth model and explain features that will encourage an overall layered defense tactic to strategically mitigate against potential threats. The network is comprised of a corporate site in Chicago where all servers are located to include:

Web

server, file server, print server, mail server, and ftp server. This

connection

to the

Internet

has a speed of 50mbps with 300 employees that have access to the Internet, as well as local and corporate resources. There is also one remote site that is 8 miles away with 20 employees that need access to all resources at corporate as well as an Internet connection with the limitation of 3mbps. In this design all network devices will be utilized to include: routers, switches, hubs, firewalls, VPN’s, and proxies. Along with the devices being displayed the interconnections between these devices will be shown, the end user (client) devices (desktops, laptops), and the Internet cloud, which will generically be shown to represent the network’s interface to the Internet.
In addition to the design this discussion will review the flow of data throughout the network to reveal security features that create that in depth design to protect any organization with similar requirements. I will first review the network diagram with physical features, locations, and Internet speeds; then discuss in depth, security features from each of the seven network domains (user, workstation, Local Area network (LAN), LAN-to-Wide Area Network (WAN),

Remote Access

, WAN, and Systems/

Application

s) and how they will be incorporated throughout the design and infrastructure of the network.

The objective is to implement these features to enforce the confidentiality, integrity, availability, privacy, authenticity, authorization, non-repudiation, and accounting. (Stewart, J. M., 2011).

Network Design, Data Flow, and Security Features

The network design features the corporate headquarters site in Chicago that includes within the Information Technical (IT) department is a database server, an

FTP

server, application server, web server, email server, print server, and 30 workstations. The database server utilizes role-based access features as well as two-factor authentication for server and user access (Common Access Card and username/password). The FTP server utilizes the TCP protocols and is within the internal network with additional firewall rules, routing policies that limit open ports, and internal training on how to locate potential threats for the IT department to monitor. The Webserver must be held in the

DMZ

to allow additional port access to utilize the Internet. The email and print servers are also located within the internal network.
Outside of the

IT Department

, this organization has six departments that are on three floors that include45 workstations and 5 printers per department. Each department is interconnected to corporate resources via CAT5 cables and a 48 port switch connections, allows for

10Gbps

, and is housed in an Intermediary Distribution Facility (IDF) on each floor. The 1st and 4th department are on the bottom (1st) floor with one IDF, the 3rd and 6th department are on the top (3rd) floor that houses another IDF, and the 2nd and 5th department are on the middle (2nd) floor, which interconnects both IDF’s via a fiber cable. The IDF’s house cables on the floor it is associated with and the MDF can house cables as well as server racks, patch panels, routers, and switches. However, in this case the server racks, routers, and switches are in a separate locked room to limit access and secure the servers. (E., 2011, February 17).
All departments switches are connected to one router that connects to two separate routers; one router is protected via a firewall that connects the departments to the IT resources; the other router leads to the De-Militarized Zone (DMZ) and out onto the network. The DMZ provides a space within the network to have points of less secure features. For instance, the Web server and Virtual Private Network (VPN) Gateway is in the DMZ along with firewalls and routers. The firewalls and routers in the DMZ can be configured to have specific open ports versus the routers outside of the DMZ which may have only the necessary ports open. Continuing the network design, the Web server within the DMZ has four routers surrounding it with firewalls from the routers to a

VPN Gateway

or the Internet. One VPN Gateways connects to the internal network via a router and the other VPN Gateway leads to the Internet access then from the Internet via a firewall Remote access is available. Remote access is available via Virtual Machines (VM) on personal devices that use the VLAN to utilize the VPN. Within the DMZ two of the routers surrounding the Web server are protected via two firewalls on either side with access to the Internet via a 3 Mbps. This connection is through the cable Internet Service Provider(ISP) and divided into three connections by three different cable Internet Service Providers. The reason for three cable connections is if one connection is not available due to weather for instance, the other providers can provide constant service and lessons the chance of a single point of failure.

This network design is set up in such a manner to compartmentalize information based on the sensitivity levels, risk tolerance levels, and threat susceptibility levels of specific resources. This portion of the design secures the confidentiality of data. This includes specific parts of domains; for instance, the remote domain will have a different data flow of information than the LAN and workstation domains within the corporate office and the remote sites. The next stage in the design is to limit accessbased on the principle of least privilege which means creating a Role Based Access Control list for all employees in every department to ensure that each user has only the privilege necessary for his or her duties. The next phase is to provide high availability through the implementation of redundant configurations of links and devices on the network path between the user and mission critical resources. This prevents a single point of failure and provides the user with insurance of use throughout outages. Also, to encourage this policies such as ‘Separation of Duty’, which states important tasks should be performed by two or more employees and ‘Job Rotation,’ which dictates that employees in important positions should rotate. (Stawowski, M., 2009, October).

The objective is to eliminate single points of failure, this is true throughout the dataflow process as well. Data that is to be sent between networks from an internal resource to a resource outside of the network begins at the network layer of the Transmission Control Protocol/Internet Protocol. The network layer is where physical addresses (device address, logical network address, and the source address) are used in message routing. This address is attached to the packet (data) that will be sent. Next the packet will move into the data link layer which adds an additional physical address (device address) and attempts to locate the destination device. If the destination device is on a separate network the source device will locate the next physical address in the patch, which is a router. The router reviews the destination address at the network layer and eliminates the data link physical address, then notices that the next link in the network path is another router therefore, repackages the message at the data link layer and attaches its own physical address as the source address and the next routers address as the destination. The next router re-assembles that packet at the data link layer and sends it to the destination address where it reaches the physical layer. (Jois, S., 2013, January 21).

Throughout this process the information must maintain confidentiality, integrity, and authentication. This is completed via avoiding a single point of failure, previously mentioned and protecting assets by dividing and conquering. This network utilizes physical securities to include: gates, security guards, and cameras, access cards to enter specific portions of the building, Uninterrupted Power Supplies (UPS), and servers with encryption certificates available. Additional security features include the use of Internet Protocol version 6 (IPv6) for applications that offers default encryption transmissions, the use of an encryption tunneling protocol, IPSec, security policies such as an access policy, accountability policy, authentication policy, private policy, computer-technology purchasing guideline policy, training policies and procedures. In addition to security procedures, operations, disaster recovery plan and a plan to maintain the security. (Oppenheimer, P., 2010, October 04).

Conclusion

In conclusion, materials discussed includethe design of a network with a corporate site that includes: servers, a 50 mbps connection to the Internet, and 300 employees that need access to corporate resources and the Internet. In addition, the design includes one remote site with 20 employees with a 3 mbps Internet access and require access to corporate resources and the Internet as well. A review of the physical layout of the design as well as how data flows throughout the network and ways to ensure the confidentiality, integrity, and authentication of information via physical security measures, utilizing cryptography, ensure network design, and implementing a policies and procedures to mitigate against threats.

References

E. (2011, February 17). Physical Network Segmentation. Retrieved May 04, 2014, from http://www.youtube.com/watch?v=cLNCYg5RorY

Jois, S. (2013, January 21). How Data Flow Between Network.wmv. Retrieved May 4, 2014, from https://www.youtube.com/watch?v=SnFau2xFD4A

Oppenheimer, P. (2010, October 04). Developing Network Security Strategies. Retrieved May 04, 2014, from http://www.ciscopress.com/articles/article.asp?p=1626588

Stawowski, M. (2009, October). The Principles of Network Security Design. Retrieved May 04, 2014, from http://www.clico.pl/services/Principles_Network_Security_Design

Stewart, J. M. (2011). Network Security,

Firewal

ls, and VPNs . Sudbury, MA: JONES &

BARTLETT LEARNING.

Defense-in-Depth Design:

Dept 1

Dept 2

Dept 3

Dept 4

Dept 5

Dept 6

Workstation

s

(X45)

Print

er

(x5)

Workstations
(X45)
Printer
(x5)
Workstations
(X45)
Printer
(x5)
Workstations
(X45)
Printer
(x5)
Workstations
(X45)
Printer
(x5)
Workstations
(X45)
Printer
(x5)

Switch

10Gbps
Switch
10Gbps
Switch
10Gbps
Switch
10Gbps
Switch
10Gbps
Switch
10Gbps
IT Department
VPN Gateway

Off-site

Workstations
(X45)
Printer
(x5)
IT Department

Database

Server

FTP
Server
Application
Server
Web
Server

Email

Server
Print
Server
Workstation

(x30)

Database
Server
FTP
Server
Application
Server
Web
Server
Email
Server
Print
Server
Internet
VPN Gateway
Remote Access
Internet
Firewal
Firewal
Firewal
Firewal
Firewal
Firewal
Web
Server
DMZ
Firewal

Firewall IDS/IPS

Corporate Site (Chicago)

Remote Site

(8 miles away)

(50mbps)

connection

(3mbps)

connection

Router

Router

RouterRouter

RouterRouter
RouterRouter

_1464589415.vsd





text



Laptop




Calculator

Calculate the price of your paper

Total price:$26
Our features

We've got everything to become your favourite writing service

Need a better grade?
We've got you covered.

Order your paper