Wednesday, July 17, 2019

Network Security Plan Essay

INTRODUCTION (Purpose and Intent)
The Corporation Tech IT Network Security Plan establishes guidelines for the IT practices used on a day-to-day basis to provide a secure and robust computing environment. These practices are employed in order to protect the mission, operation, and reputation of the Corporation Tech System and its information systems. The system security policies, standards, and procedures that have been established for the Corporation Tech System are intended to comply with the regulations and policies set down by the State of Florida, Corporation Tech, and the Federal Information Security Management Act (FISMA).

SCOPE
These standards and procedures apply to all information systems and resources under the control of Corporation Tech, including all computers connecting to the Corporation Tech network, and to all Corporation Tech System employees, contractors, and any other individuals who use and/or administer those systems and computers, particularly those involved with information system management.

STANDARD PROVISIONS
Corporation Tech IT will manage risk by identifying, evaluating, controlling, and mitigating vulnerabilities that are a potential threat to the data and information systems under its control. User accounts and passwords are implemented to maintain individual accountability for network resource usage. Any user who obtains an account and password for accessing a Corporation Tech provided resource is required to keep these credentials confidential. Users of these systems may only use the accounts and passwords which they have been assigned and authorized to use, and are prohibited from using the network to access these systems through any other means. This plan also prohibits the sharing of personal user accounts or passwords for accessing Corporation Tech or Internet computing resources. In the interest of maintaining account security, passwords will be changed on a regular schedule or any time the integrity of the account is in question. Corporation Tech IT network or computing resources may not be used for personal commercial purposes, for personal gain, or to violate the laws and regulations of the United States or any other nation, or the laws and regulations of any state, city, province or other local jurisdiction in any material way. Use of Corporation Tech resources for any illegal activity may result in loss of network access privileges, official reprimand, suspension or dismissal. Corporation Tech will cooperate with any legitimate law enforcement agency or inquiry in the investigation and prosecution of any alleged wrongful activity. Corporation Tech's network or Internet facilities may not be used to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user.

Corporation Tech owned networking and communications equipment may only be moved by Network and Computing Support staff or authorized agents. Reconfiguration of network hardware or software, except by designated individuals within IT, is strictly prohibited. Prior to connecting any server, network communication or monitoring device to the Corporation Tech Network, approval must be obtained from Data Center Communications. Attachment of any of the following devices to the Corporation Tech network, other than those provided or approved by Network and Computing Support, is strictly prohibited:
a. DHCP servers.
b. DNS servers.
c. NAT routers.
d. Network gateways.
e. Packet capturing or network monitoring devices.
f. Any device that disrupts or negatively impacts network operations.

STATEMENT OF PROCEDURES
The procedures for conducting a risk assessment and for the control and mitigation of risks to the Corporation Tech Information Systems include the following.

NETWORK CONTROL
Corporation Tech IT has software and systems in place that have the ability to monitor and record network, Internet and computer system usage. This includes monitoring and security systems that are capable of recording network traffic, including traffic to World Wide Web sites, chat rooms, newsgroups and e-mail messages, file servers, telnet sessions and file transfers into and out of our internal networks. This capability is necessary in order to maintain the health of Corporation Tech network operations and to diagnose network related problems. Corporation Tech IT reserves the right to perform network monitoring at any time. The information collected may be used by technicians and management to assess network utilization and trends, and may also be provided to upper management or other authorities as evidence as part of any investigation of alleged policy violations.

Corporation Tech IT reserves the right to perform periodic port scans, segment sweeps, and vulnerability scans on all network segments. Network operations, functions, and resources which are not required as part of the normal and approved job duties or projects at Corporation Tech may be bandwidth limited or blocked by network control devices in order to protect the integrity and availability of the overall system. Corporation Tech IT may suspend network access to any location or system that disrupts normal network operations, or to systems that violate Corporation Tech policy. In this event, an attempt will be made to contact the responsible individual to resolve the problem.

DHCP SERVICES
Corporation Tech IT provides centralized and redundant DHCP and DNS services for Corporation Tech. Due to the nature of these services, and because of the potential disruption of service and possible security breaches resulting from the incorrect setup of additional systems, attachment of unauthorized DHCP or DNS servers is prohibited. The following guidelines must be followed when requesting or using any DHCP or DNS services. Systems requiring an IP address must support DHCP and be capable of obtaining DHCP address information from one of the centrally administered Corporation Tech DHCP servers. Using DHCP, devices requesting an IP address will be assigned a dynamic pool address from the subnet to which the device is attached. Devices with dynamically assigned IP addresses may have their address change. Static IP addresses needed for server class machines or specialized clients must be requested from the Data Center Communications Team via a Service Desk ticket.

DNS SERVICES
User workstations which have been assigned a dynamic pool IP address will have an associated DNS name assigned by the network. Any DNS name or domain name that is to be associated with the Corporation Tech network must be requested from and/or registered through Web Services. DNS names ending in corptech.com are made available upon request for Corporation Tech approved services. Requests for assignment of DNS names must be for valid Corporation Tech related purposes. DNS names for domains other than corptech.com which are to be hosted by Corporation Tech systems must be requested from Web Services. Any charges for initial or ongoing registration of the requested name are the responsibility of the requestor. DNS names not in the corptech.com domain will be handled on a case by case basis. Corporation Tech IT will work with any user requesting a domain name to identify an appropriate and available name; however, Corporation Tech IT has final approval for all DNS name assignments.

WIRELESS NETWORK SERVICES
Because wireless networks can be used to provide access to the same resources and services as wired network systems, the same basic procedures that are used in a wired network environment can also be used in a wireless network environment. However, due to the nature of wireless networks, additional security and control mechanisms are needed in order to maintain the security, operation and inter-operability of both traditional and wireless systems. Wireless routers are not permitted on the Corporation Tech network unless they have been approved by Corporation Tech IT. Access to the Corporation Tech wireless network is limited to individuals who have a Corporation Tech account, except in locations where the guest network is available. The Corporation Tech Guest Network is segregated from the internal servers and resources used by authenticated users in order to keep the network secure. The Corporation Tech Guest Network is only available in approved areas, and a request is required to extend it into any other area. Users of the Corporation Tech Guest Network are required to provide a valid cell phone number in order to authenticate.

Destruction and Disposal of Information and Devices
Sensitive information must be disposed of in such a manner as to ensure it cannot be retrieved and recovered by unauthorized persons. When donating, selling, transferring, surplusing or disposing of computers or removable media (such as DVDs), the proper procedures to make the data on those media unreadable will be taken. Acceptable procedures are listed in ISSP-009, Media Disposal.

NETWORK ACCESS
Anyone who uses the Corporation Tech computing environment must have an appropriate status (e.g. management, employee, staff, or authorized third party) and must be properly authenticated when required. Access will be provided to vendors and/or other Corporation Tech partners through the sponsored VIP account process, as described at http://www.corptech.com/it/services/vip.aspx. VIP accounts are reviewed and renewed at six month intervals to see if access is still needed. When an employee leaves the organization, accounts will be disabled once TERM status is updated, and individual departments must approve re-activation of account access.

USER COMPUTING DEVICES
Users are responsible for the security and integrity of Corporation Tech information stored on their workstation, which includes controlling physical and network access to the equipment. Users may not run or otherwise configure software or hardware that may allow access by unauthorized users. Anti-virus software must be installed on all workstations that connect to the Corporation Tech Network. Corporation Tech computers may not be used to copy, distribute, share, download, or upload any copyrighted material without the permission of the copyright owner.

PHYSICAL ACCESS
Access to the Corporation Tech IT Data Center should be restricted to those responsible for operation and maintenance. Access by non-IT personnel is not permitted unless they are escorted by an authorized IT staff member. Computer installations should provide reasonable security measures to protect the computer system against natural disasters, accidents, loss or fluctuation of electrical power, and sabotage. Networking and computing hardware are placed in secure and appropriately cooled areas for data integrity and security.

NETWORK HARDWARE
Network hardware is housed behind a locked door to protect physical access to switches and other network hardware. Access is only allowed through card access or with a checked-out key. All switches and network hardware are password protected, at a minimum via a local account set up on the device itself; these passwords are changed periodically and whenever staff who know them leave the organization. The subnets allowed to authenticate to switch management will be restricted, to create tighter control of back-end administration. Exec-level access timeouts are implemented on console and VTY lines, so that any idle sessions are terminated automatically. All switches are time-synced using NTP, so that incidents can be tracked and correlated to the proper timeframe.

SERVER ENVIRONMENTS
All servers are subject to a security audit and evaluation before they are placed into production. Administrative access to servers must be password protected and use two-factor authentication whenever possible. Servers should be physically located in an access-controlled environment. All internal servers deployed at Corporation Tech must be owned by an operational group that is responsible for system administration. Servers must be registered with the IT department. At a minimum, the following information is required to positively identify the point of contact:
a. Server owner contact(s) and location.
b. Hardware and operating system/version.
c. Main functions and applications.
d. MAC address (if not a virtual server).
Services and applications that will not be used must be disabled where practical. Access to services should be logged and/or protected through access-control methods to the extent possible. The most recent security patches must be installed on the system as soon as practical. Do not use administrator or root access when a non-privileged account can be used.
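As an added example (not part of the original plan), the following Python script audits a Cisco IOS-style running configuration against the NETWORK HARDWARE controls above and the device rules stated later under DEVICE INTEGRITY and SECURE MANAGEMENT: no plaintext or reversible (type 7) credentials in the configuration file, exec timeouts on console and VTY lines, management reachable only from the subnets in an access-class, SSHv2-only remote management, NTP configured, and unused physical interfaces shut down. The two configurations embedded in it, the hostname, the management subnet and the NTP addresses are constructed for illustration, and the script assumes IOS command syntax.

```python
"""Audit an IOS-style running config against the plan's switch hardening rules.
Added example; the configs below are constructed, not taken from a real device."""
import re

# Constructed sample that violates most of the rules (assumption: IOS syntax).
WEAK_CONFIG = """\
hostname sw-core-1
enable password letmein
username admin password 7 0822455D0A16
line con 0
 password cisco
line vty 0 4
 password cisco
 transport input telnet ssh
interface GigabitEthernet1/0/1
 description uplink to fw-inside
 switchport mode trunk
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
 shutdown
"""

# Constructed sample that satisfies the rules (hash strings are placeholders).
HARDENED_CONFIG = """\
hostname sw-core-1
service password-encryption
enable secret 9 $9$abcdefghijklmn$constructed-scrypt-hash
username admin secret 9 $9$opqrstuvwxyzab$constructed-scrypt-hash
ip access-list standard MGMT-SUBNETS
 permit 10.10.250.0 0.0.0.255
ip ssh version 2
ntp server 10.10.0.10
ntp server 10.10.0.11
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 10 0
 access-class MGMT-SUBNETS in
 transport input ssh
interface GigabitEthernet1/0/1
 description uplink to fw-inside
 switchport mode trunk
interface GigabitEthernet1/0/2
 shutdown
"""

PHYSICAL_IF = re.compile(r"^interface (Gigabit|TenGigabit|Fast)?Ethernet\S+$")


def parse_sections(config):
    """Split the config into (header, [indented sub-commands]) blocks.
    A top-level command with no sub-commands gets an empty body."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of findings; an empty list means the config passes every check."""
    findings = []
    sections = parse_sections(config)
    top = {header for header, _ in sections}
    if "ip ssh version 2" not in top:
        findings.append("SSHv2 not enforced ('ip ssh version 2' missing)")
    if not any(header.startswith("ntp server") for header in top):
        findings.append("no NTP server configured; log timestamps cannot be correlated")
    for header, body in sections:
        for cmd in [header] + body:
            # 'enable password', 'username X password' and line passwords are stored
            # in plaintext or as reversible type 7; only 'secret' forms are hashed.
            if re.match(r"(enable|username \S+) password\b", cmd) or (
                header.startswith("line") and cmd.startswith("password ")
            ):
                findings.append(f"plaintext or reversible (type 7) credential: '{cmd}'")
            elif re.search(r"\bsecret 5 ", cmd):
                findings.append(f"type 5 (MD5) hash, prefer type 8 PBKDF2 or type 9 scrypt: '{cmd}'")
        if header.startswith("line"):
            timeout = next((c for c in body if c.startswith("exec-timeout")), None)
            # 'exec-timeout 0 0' disables the timeout entirely, same as leaving it out.
            if timeout is None or timeout.split()[1:3] == ["0", "0"]:
                findings.append(f"{header}: idle sessions never time out")
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: remote management not restricted to SSH")
            if not any(c.startswith("access-class") and c.endswith(" in") for c in body):
                findings.append(f"{header}: no access-class limiting management subnets")
        # A physical interface with no sub-commands at all is unused and not shut down.
        if PHYSICAL_IF.match(header) and not body:
            findings.append(f"{header}: unused interface not shut down")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it against a saved `show running-config`; the weak sample yields eleven findings and the hardened sample none. Note that `exec-timeout 0 0` is treated as a failure, since it disables the timeout rather than setting one, and that a type 5 (MD5) secret is reported because the plan asks for a salted, iterated hash.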
Privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPsec).

EXCEPTIONS
All requests for exceptions to these standards and procedures will be handled by request and will follow these guidelines: they must be submitted in writing to, and approved by, the CIO or a person with the proper authority, and they will be reviewed on a case by case basis.

NETWORK SECURITY
The Corporation Tech network design is built around three principles: Defense-in-Depth, Compartmentalization of Information and the Principle of Least Privilege. Our first step was to look at what we are protecting, which is ultimately our business and our clients' data and information. To ensure a sound architecture we started the design of our network with scalability in mind. It is important that our design is flexible enough to meet future needs; the threats we know about and face today may not be the ones we face tomorrow. While developing security requirements for our IT system resources, we will determine whether they are mission-critical or data-sensitive resources. This will allow us to determine where data confidentiality and integrity are the most important requirements, and where the priority is continuity of operation (availability).

DEFENSE-IN-DEPTH
Network safeguards form the first protection barrier for IT system resources against threats originating outside the network. These threats can be in the form of intruders or malicious code. Our network design offers layered protection. What this means is that the security layers complement each other: what one misses, the other catches. This will be accomplished by locating security defenses in different places throughout our IT system, as well as by not using two of the same types of safeguards. Although this may increase the complexity of our security system and can potentially make management and maintenance more difficult and costly, we believe the safety of the IT system resources should be based on this layered protection. With defense-in-depth in mind, the first layer of our network security plan starts with our network perimeter security.

The principal network security defenses are firewalls, intrusion detection and prevention systems (IDS/IPS), VPN protections and content inspection systems such as anti-virus, anti-malware, anti-spam and URL filtering. The traditional first line of defense against attacks is typically the firewall, which is configured to allow or deny traffic by source/destination IP, port or protocol. It is very straightforward: traffic is either allowed or it is blocked. With the advent of next generation firewalls, which can include application control, identity awareness and other capabilities such as IPS, web filtering and advanced malware detection, all of these features can be controlled by one device.

COMPARTMENTALIZATION OF INFORMATION
Corporation Tech will have IT system resources with different sensitivity levels, different risk tolerance levels and different threat susceptibilities. These resources should be located in different security partitions. The idea is to hide the data or information and make it available only to those systems where it is necessary for conducting system tasks. Examples of this are: e-mail, web and DNS servers are located in the demilitarized zone (DMZ) behind the perimeter firewall; database servers such as SQL servers are located in the Database Zone, behind the internal firewall/IPS; intranet servers, file servers and user workstations are in the LAN zone, behind the internal firewall; and the Internet is located in the Internet zone, on the far side of the perimeter firewall.

Principle of Least Privilege
Corporation Tech administrators and users will have the minimal privileges necessary for their role within the organization. This rule also applies to data and services made available to external users. An extension of this rule is the Need-To-Know principle, which says that users and administrators of the Corporation Tech IT system have access only to the information relevant to their role and the duties they perform. Other points of security that we will address in our network services availability are the single point of failure principle and the separation of duty and job rotation rules. The network paths between users and mission-critical IT system resources, all the links, the devices (networking and security) as well as the servers, will be deployed in redundant variants. The goal of the separation of duty and job rotation rules is to limit an employee's ability to neglect or break the IT system's security policy. Separation of duty dictates that important tasks/functions should be performed by two or more employees. Job rotation states that there should be rotation of employees in important positions.

NETWORK HARDENING
For each layer of security, we will ensure the devices are running the most current software and operating systems, and that the devices are configured properly.

SECURITY ZONES
Intrusion Prevention (IPS) devices are responsible for detecting and blocking penetrations and attacks conducted by intruders and malicious applications. We propose that an IPS be installed in the network path between potential threat sources and sensitive IT system resources. Attacks carried inside encrypted SSL/TLS sessions are a blind spot for the IPS, so we recommend decrypting those sessions before they reach the IPS device so that it can inspect the plaintext packets. The IPS will be properly tuned and monitored to catch attackers that have slipped past the first defense (firewall/router). Internal networks will not have direct access to the Internet, so a trojan sent to a user's workstation through a phishing attack would not allow the intruder to connect back to the external network directly. Internet services are available to internal users only through the company e-mail and HTTP proxy servers. Proxy-aware malware can still tunnel out through the proxy, so the proxy must require authentication and its logs must be monitored.

ENABLE SECURE NETWORK ACCESS
We will install a VPN that is configured to allow encrypted communication to our network from the outside, utilizing two-factor authentication to ensure the identity of the users making the request. This is external-facing to our network and allows users to tunnel into our LAN from the outside once the appropriate measures are taken to secure access.

SEGMENTED DMZ
There will be a front-end firewall for the external traffic and a back-end firewall for the internal traffic. Firewall rules will be optimized and tightened on all publicly available systems to allow traffic only to the necessary ports and services living within the DMZ. Firewall rules have been created to allow only specific source IP addresses and ports to reach the specific servers, and proxies have been added to the network from which administrators are allowed access to the systems. Systems within different VLANs (on layer 3 switches) have been configured to help isolate and respond to incidents if a server in the DMZ is compromised. Authentication on the LAN is required before access to the DMZ is even attempted. This prevents anyone from obtaining complete control over these systems at any given time.

DEVICE INTEGRITY
All hardware and software will be purchased only from the manufacturer or from resellers who are authorized and certified by the equipment manufacturer.
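As an added example rather than Corporation Tech's actual rule base, here is a small Python model of the zone design in the COMPARTMENTALIZATION OF INFORMATION and SEGMENTED DMZ sections above: four zones, a default-deny front-end firewall facing the Internet, a default-deny back-end firewall in front of the LAN and Database zones, and a check that a flow must be explicitly permitted by every firewall it crosses. The subnets, the host names (web, mail, dns, proxy, sql, intranet, jump) and the port numbers are assumptions chosen for illustration.

```python
"""Zoned two-firewall model of the plan's network design. Added example; the
addressing, host names and rules are constructed, not the company's own."""
import ipaddress
from collections import namedtuple

# Constructed zone addressing (assumption). Anything outside these is INTERNET.
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "DB": ipaddress.ip_network("10.20.0.0/24"),
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed named hosts referenced by the rules (assumption).
HOSTS = {
    "web": "192.0.2.10",       # DMZ web server
    "mail": "192.0.2.20",      # DMZ mail relay
    "dns": "192.0.2.30",       # DMZ DNS server
    "proxy": "192.0.2.40",     # DMZ HTTP proxy used by LAN clients
    "sql": "10.20.0.10",       # database server in the Database zone
    "intranet": "10.10.5.10",  # intranet application server in the LAN
    "jump": "10.10.250.5",     # admin host from which DMZ/DB administration is allowed
}

Rule = namedtuple("Rule", "src dst proto port")
Decision = namedtuple("Decision", "allowed firewall")

# Front-end firewall: only published DMZ services inbound, only the relays outbound.
FRONT_END = [
    Rule("INTERNET", "web", "tcp", 80), Rule("INTERNET", "web", "tcp", 443),
    Rule("INTERNET", "mail", "tcp", 25), Rule("INTERNET", "dns", "udp", 53),
    Rule("proxy", "INTERNET", "tcp", 80), Rule("proxy", "INTERNET", "tcp", 443),
    Rule("mail", "INTERNET", "tcp", 25), Rule("dns", "INTERNET", "udp", 53),
]
# Back-end firewall: the LAN reaches the Internet only via the proxy and mail relay,
# DMZ servers reach only the one database port they need, admin SSH only from the jump host.
BACK_END = [
    Rule("LAN", "proxy", "tcp", 3128), Rule("LAN", "mail", "tcp", 587),
    Rule("web", "sql", "tcp", 1433), Rule("intranet", "sql", "tcp", 1433),
    Rule("jump", "DMZ", "tcp", 22), Rule("jump", "DB", "tcp", 22),
]
FIREWALLS = {"front-end": FRONT_END, "back-end": BACK_END}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def matches(spec, ip):
    """A rule endpoint is either a named host or a whole zone."""
    return ip == HOSTS[spec] if spec in HOSTS else zone_of(ip) == spec


def firewalls_on_path(src_zone, dst_zone):
    """Firewalls a flow crosses, in traversal order. Intra-zone traffic crosses none
    (VLAN isolation inside a zone is not modelled here)."""
    if src_zone == dst_zone:
        return []
    hops = []
    if src_zone in ("LAN", "DB"):
        hops.append("back-end")
    if "INTERNET" in (src_zone, dst_zone):
        hops.append("front-end")
    if dst_zone in ("LAN", "DB") and "back-end" not in hops:
        hops.append("back-end")
    return hops


def evaluate(src_ip, dst_ip, proto, port):
    """Default deny: the flow must be explicitly permitted by every firewall on its path.
    Returns which firewall dropped it, or None when allowed."""
    for fw in firewalls_on_path(zone_of(src_ip), zone_of(dst_ip)):
        permitted = any(
            matches(r.src, src_ip) and matches(r.dst, dst_ip)
            and r.proto == proto and r.port == port
            for r in FIREWALLS[fw]
        )
        if not permitted:
            return Decision(False, fw)
    return Decision(True, None)


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", HOSTS["web"], "tcp", 443),      # public web: allowed by the front-end
        ("203.0.113.7", HOSTS["sql"], "tcp", 1433),     # Internet straight to the database: denied
        ("10.10.7.42", "203.0.113.7", "tcp", 443),      # workstation direct to Internet: denied
        ("10.10.7.42", HOSTS["proxy"], "tcp", 3128),    # workstation to proxy: allowed
        (HOSTS["web"], HOSTS["intranet"], "tcp", 445),  # compromised DMZ host pivoting to LAN: denied
    ]
    for check in checks:
        print(check, evaluate(*check))
```

Running it shows the properties the design claims: a workstation's direct connection to the Internet is dropped at the back-end firewall while the same client reaching the proxy is allowed, the web server in the DMZ can reach only the SQL port on the database server and nothing in the LAN, and the database server itself cannot open connections outward. Stateful handling of return traffic is deliberately left out; a real rule base would add it.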
Unused physical interfaces on network devices will be shut down. Access lists that allow only those protocols, ports and IP addresses that are required by network users and services are implemented; everything else is denied. Network device configuration files are protected from unauthorized disclosure. Steps have been taken to avoid plaintext passwords in the configuration files. This has been accomplished by using encryption and/or a salted, iterated hash to protect the confidentiality of passwords in configuration files. Passwords/keys will be changed immediately if a network device configuration file is transmitted in the clear (or is otherwise exposed) while containing non-encrypted passwords/keys. Secure protocols will be used when transmitting network device configuration files. All unneeded services on network devices must be shut down. Log files will be reviewed regularly to gain an in-depth understanding of normal network behavior. Any irregularity will be reported and investigated.

SECURE MANAGEMENT
Only secure protocol standards (SSHv2, IKEv2/IPsec, and TLS 1.2 or later; TLS 1.0 and 1.1 are deprecated and should be disabled) will be used when performing remote management of network devices. Default usernames and/or passwords will not be used. The network infrastructure security policy should define password length and complexity requirements. Review the network infrastructure security policy: it identifies who is allowed to log in to network infrastructure devices and who is allowed to configure them, and defines a plan for updating network device firmware at scheduled intervals.

PORT VULNERABILITIES
Port 25 is used for SMTP (Simple Mail Transfer Protocol). SMTP runs over TCP (UDP 25 is IANA-assigned but not used in practice). This port is used for e-mail routing between mail servers and is used by a number of known trojans. We are keeping this port in a closed state.

Port 80 is used for web traffic, Hyper Text Transfer Protocol (HTTP). HTTP runs over TCP; UDP port 80 is IANA-assigned and is also used by some games, such as Alien vs Predator. The Code Red and Nimda worms propagated via TCP port 80 (HTTP), and a number of trojans/backdoors use this port. We are keeping this port in a closed state (the DMZ web servers are the exception, and are covered by the firewall rules above).

Port 139 is used for NetBIOS. NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows; current versions also carry SMB directly over TCP port 445, which should be treated the same way. By default, when File and Print Sharing is enabled it binds to every interface, including TCP/IP, rather than just the local network, meaning shared resources can be reachable from the entire Internet for reading and deletion unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or to block ports 135-139 completely. We will leave this port in an open state but will turn off file and print sharing capabilities.

Port 1900 is used for SSDP, the UPnP discovery service. It runs by default on Windows XP, where it historically created an immediately exploitable security vulnerability for any network-connected system: the service was vulnerable to denial of service and buffer overflow attacks. Microsoft SSDP enables discovery of UPnP devices. We are keeping this port in a closed state.

Port 2869 is IANA registered for ICSLAP. It uses both TCP and UDP and is used for Microsoft Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), the SSDP Discovery Service, Microsoft Universal Plug and Play (UPnP), and Microsoft event notification. We will leave this port in an open state.

Port 5357 is used by Microsoft Network Discovery and should be filtered on public networks. It uses both TCP and UDP. It is also IANA registered for Web Services for Devices (WSD), a network plug-and-play feature that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702. We will close this port and redirect traffic to HTTPS (TCP port 5358).

Port 6839 is not associated with any particular service and should be closed unless it is associated with a service and used. Port 7435 is likewise not associated with any particular service and should be closed unless it is associated with a service and used.

Ports 9100, 9101 and 9102 are TCP ports used for raw printing. Port numbers 9101 and 9102 are for parallel ports 2 and 3 on three-port HP JetDirect external print servers. They are used for network-connected print devices and should remain open to allow print services. There are no listed vulnerabilities associated with these ports, but raw printing on port 9100 is unauthenticated, so reachability should be limited to the print subnet.

Port 9220 is used for raw scanning to peripherals with IEEE 1284.4 specifications. On three-port HP JetDirects the scan ports are 9290, 9291 and 9292. It is used for network-connected print devices. This port should remain open to allow print services. There are no listed vulnerabilities associated with this port.

TCP port 9500 may use a defined protocol to communicate, depending on the application. In our case we are using port 9500 to access the ISM Server. The ISM Server is used for exchanging backup and retrieval information between storage devices. This port should remain open while the service is in use. There are no listed vulnerabilities associated with this port.

Port 62078 is used by the iPhone while syncing. The port is used by UPnP for multimedia file sharing, and also for synchronization of iTunes files between devices. Port 62078 has a known weakness in that a service named lockdownd listens on the iPhone on port 62078. By connecting to this port and speaking the correct protocol, it is possible to spawn a number of different services on an iPhone or iPad. This port should be blocked or closed when the service is not required on the device.
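To turn the port-by-port decisions above into something checkable, here is an added Python example (not part of the original plan) that parses `ss -lntu` style listening-socket output and reports every network-reachable socket the policy says must be closed, every port the plan does not mention (treated like ports 6839 and 7435: close unless justified), and port 139, which is permitted only on the condition that File and Print Sharing is off. The socket listing is constructed for a hypothetical workstation; loopback-only listeners are skipped because they are not reachable from the network.

```python
"""Check a host's listening sockets against the plan's per-port decisions.
Added example; the `ss -lntu` output below is constructed, not from a real host."""

# Port decisions taken from the PORT VULNERABILITIES section. "closed" must not be
# reachable from the network, "open" is permitted.
POLICY = {
    25: ("closed", "SMTP; mail relays live in the DMZ"),
    80: ("closed", "HTTP; web servers live in the DMZ"),
    139: ("open", "NetBIOS session service"),
    1900: ("closed", "SSDP/UPnP discovery"),
    2869: ("open", "ICSLAP"),
    5357: ("closed", "WSD over HTTP; clients should use HTTPS on 5358"),
    5358: ("open", "WSD over HTTPS"),
    6839: ("closed", "no associated service"),
    7435: ("closed", "no associated service"),
    9100: ("open", "raw printing"), 9101: ("open", "raw printing"), 9102: ("open", "raw printing"),
    9220: ("open", "raw scanning"), 9290: ("open", "raw scanning"),
    9291: ("open", "raw scanning"), 9292: ("open", "raw scanning"),
    9500: ("open", "ISM Server backup traffic"),
    62078: ("closed", "iPhone lockdownd"),
}
# Open ports whose condition cannot be proven from the socket table alone.
CONDITIONAL = {
    139: "allowed only with File and Print Sharing disabled; verify no shares exist and TCP 445 is not listening",
}

# Constructed `ss -lntu` output for a hypothetical workstation.
SAMPLE_SS = """\
Netid State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN  0      0      0.0.0.0:1900        0.0.0.0:*
tcp   LISTEN  0      128    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN  0      128    0.0.0.0:139         0.0.0.0:*
tcp   LISTEN  0      128    *:5357              *:*
tcp   LISTEN  0      128    0.0.0.0:9100        0.0.0.0:*
tcp   LISTEN  0      128    [::]:62078          [::]:*
tcp   LISTEN  0      128    0.0.0.0:4444        0.0.0.0:*
"""


def parse_ss(output):
    """Yield (proto, address, port) for each socket line, skipping the header.
    Handles IPv4, IPv6 in brackets, and the '*' wildcard address."""
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        yield proto, addr.strip("[]"), int(port)


def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def check_listeners(output):
    """Return findings as (port, proto, severity, message) for every network-reachable
    socket that the policy closes, conditions, or does not mention at all."""
    findings = []
    for proto, addr, port in parse_ss(output):
        if is_loopback(addr):
            continue  # bound to loopback only: not reachable from the network
        state, note = POLICY.get(port, ("unknown", "no associated service in this plan"))
        if state == "closed":
            findings.append((port, proto, "violation", f"must be closed: {note}"))
        elif state == "unknown":
            findings.append((port, proto, "violation",
                             f"unexpected listener on {addr}: close unless justified"))
        elif port in CONDITIONAL:
            findings.append((port, proto, "verify", CONDITIONAL[port]))
    return findings


if __name__ == "__main__":
    for port, proto, severity, message in check_listeners(SAMPLE_SS):
        print(f"{severity:9} {port}/{proto}: {message}")
```

On the sample listing this reports the SSDP listener on 1900/udp, WSD on 5357/tcp and lockdownd on 62078/tcp as violations, flags the unexplained listener on 4444/tcp, asks for verification of the 139/tcp NetBIOS listener, and says nothing about 25/tcp because it is bound to 127.0.0.1 only or about 9100/tcp because printing is permitted. Feed it the real output of `ss -lntu` (or a parsed `netstat -an` on Windows, which needs a different parser) to audit an actual host.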
