Review the following summary points before proceeding to the “Review Questions” and “Exam Questions” sections at the end of this chapter to make sure you are comfortable with every concept. After completing the review, answer the review questions to verify your knowledge of the material covered in Part III.
The routing information is stored and updated in a logical memory table referred to as a routing table.
Now that you have read Chapters 11 through 16, it’s time to revisit the observations you made in Chapter 11. In the following section, complete the information requested and then compare this information to your original Chapter 11 assessments.
Identify: ______________________________________________
Protect: ______________________________________________
Detect: ______________________________________________
Respond: ______________________________________________
Recover: ______________________________________________
Identify: ______________________________________________
Protect: ______________________________________________
Detect: ______________________________________________
Respond: ______________________________________________
Recover: ______________________________________________
In this section, you will compare your observations to those of a working security specialist—in this case, Philip Craig, the founder of BlackByte Cyber Security—to improve your understanding of cybersecurity.
Getting the opportunity to design an overall computing environment may be one of the most challenging, frustrating, and rewarding endeavors in your career. It will challenge both your technical and interpersonal skills, keep you bound up in detail after detail, and most importantly force you to learn an immense amount about the whole process from start to end. Whatever the environment, remember some key points:
You have been tasked with making recommendations for equipping a new data network for a small, educational-content development company (fewer than 20 employees). The new company has outgrown its old network and computing equipment and wants to start out in the new facility with a network that meets their current needs.
Because their business is based on the creation of IP (intellectual property) in a market that is highly competitive, they have asked for equipment and configuration recommendations to establish the most secure physical networking environment they can afford.
In particular, the customer has asked that you provide comprehensive recommendations for implementing their server-related security policies and standards. Figure 17.1 provides an overview of the company’s electronic workflow structure.
The company’s major functions can be organized as follows:
With this scenario in mind, provide suggestions as to how you would implement their server functions and what security measures should be set in place to provide security for their corporate resources. Recommendations should include, but are not limited to, physically securing the server and server room, establishing policies to protect the company’s intellectual property and personal information, and establishing procedures for maintaining the company’s servers.
There are six major departments within the organization. Initially mapping them to a basic role profile that can be implemented by a number of domain controllers (Microsoft, Linux, etc.) is important.
The existing functions are initially provided by the scenario, so a role-based access program will provide sufficient operational (and security) access controls for them:
Building role-based access controls is a two-step process. The domain controllers can allow/disallow access to the application, and the application itself can discriminate among users and privileges. This multi-authentication approach is a good idea. With such a small company, however, there may not be a domain controller, so you’ll have to take that into consideration.
With 20 people or so in the company, a central server (and backup preferably off-site) will provide good functionality. Your initial role-based architecture might look like Figure 17.2 (with the capital letters representing the application function).
Usually, almost everyone in the company will need to access the Internet. In reality, giving access to online email, banking, and a few Internet-surfing liberties won’t be a burden to your network or your computing platforms. What it can do, however, is challenge productivity! To help prevent employee slacking, disallow excessive content streaming (music services, Amazon Prime video, and so on) that can disrupt your business.
Now that you generally have a role-based, electronically enabled user policy, you can determine how the application itself will provide the separation of roles and duties necessary to maintain the operational integrity of the software systems deployed. As an example, everyone in the timekeeping system would need to input their time but not be able to access or report anyone else’s. The “timekeeper,” however, would need to have access to those higher-level functions of the payroll software. What you’re trying to avoid is the warehouse being able to access the customer contact database.
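The two-step check described above, as an added example that is not from the book: a directory-level gate decides whether a role may open an application at all, and the application then decides what that role may do inside it. The role names, application names, action names and the `authorize` helper are assumptions made for illustration.

```python
from dataclasses import dataclass

# Step 1 (directory/domain level): which roles may open which application.
# Role and application names are assumed for illustration.
APP_ACCESS = {
    "timekeeping": {"warehouse", "administrative", "timekeeper"},
    "customer_contacts": {"administrative"},
}

# Step 2 (application level): what each role may do inside the application.
APP_PRIVILEGES = {
    "timekeeping": {
        "warehouse": {"enter_own_time"},
        "administrative": {"enter_own_time"},
        "timekeeper": {"enter_own_time", "view_any_time", "run_report"},
    },
    "customer_contacts": {"administrative": {"read", "update"}},
}

# Actions that are only valid on the caller's own record.
OWN_RECORD_ONLY = {"enter_own_time"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


def authorize(user, app, action, record_owner=None):
    """Return (allowed, reason); deny by default at either step."""
    if user.role not in APP_ACCESS.get(app, set()):
        return False, "step 1: role may not open application"
    granted = APP_PRIVILEGES.get(app, {}).get(user.role, set())
    if action not in granted:
        return False, "step 2: action not granted to role"
    if action in OWN_RECORD_ONLY and record_owner != user.name:
        return False, "step 2: action limited to own record"
    return True, "allowed"


if __name__ == "__main__":
    pat = User("pat", "warehouse")
    print(authorize(pat, "timekeeping", "enter_own_time", "pat"))
    print(authorize(pat, "customer_contacts", "read"))
```

Keeping both tables deny-by-default means a new application or role has no access until someone grants it explicitly.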
Proprietary information and intellectual property are main concerns in this scenario. The role-based access-control methodology will extend into these concerns. The objectives are to limit access to the information, keep it from leaving the company, and ensure that your employees understand that there are serious ramifications if they themselves compromise it. A good document management plan, policy, and procedures will provide a sound basis to protect this information. Some basic principles include keeping the company proprietary and intellectual information inside the system. Don’t let employees take it home on a thumb drive, don’t email it all over the company, and don’t let just anyone access it. Consider the loosely managed environment shown in Figure 17.3.
Just a simple “I’ll get this done tonight!” scenario will significantly compromise your files or data. In the worst case, data comes off the work computer, onto a removable device, to a laptop, to a home network (or computer if it has the larger screen you want to use), back onto the laptop, and back to the office computer. From a security perspective, this is a nightmare! From a file or data perspective, the sheep have left the pen! Remember, this is a worst case; it can be argued that the employee has malware/antivirus protection, the file is deleted (even wiped) on all devices, and further it is checked before it is put back on the network. Would everyone really take the time to do all of these tasks? Even with these protections, your files have left the premises. This is not what you want to have happen.
The potential solutions are abundantly more secure. As an example, you could implement the simple, cost-effective solution discussed here:
Assume that the employee needs to be off-site for some reason. You want to accomplish the following:
This means you need to extend the desktop in a secure fashion. As shown in Figure 17.4, we usually accomplish this with a simple VPN connection back into the office and extend the remote desktop (RDP) session to the employee’s workstation. This approach doesn’t provide absolute security. It is, however, a much stronger approach than the original and can offer accountability (logging) as well. Remote access is a very effective and productive method in current business practices, and it can be very secure as well.
There are other options for operating remotely. From GoToMyPC software to full-blown Citrix desktop virtualization, people are working remotely extensively. For a 20-person company, some simple solutions such as a properly configured VPN and RDP connections can offer ways to be productive remotely.
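The accountability that logging gives the VPN-plus-RDP design, as an added example that is not from the book: it reviews allowed RDP sessions and reports any that did not arrive through the VPN or that reached a workstation other than the user's own. The log format, address ranges, user names and the `review_rdp` helper are all constructed for illustration.

```python
import ipaddress
import re

# Assumed addressing and assignments (constructed for this example).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")        # addresses handed to VPN clients
VPN_USER = {"10.8.0.5": "alice", "10.8.0.6": "bob"}   # VPN address -> authenticated user
WORKSTATION = {"alice": "192.168.10.21", "bob": "192.168.10.22"}
RDP_PORT = 3389

# Constructed firewall log: timestamp, verdict, source -> destination.
SAMPLE_LOG = """\
2024-03-04T19:02:11 ALLOW 10.8.0.5:50112 -> 192.168.10.21:3389
2024-03-04T19:05:40 ALLOW 10.8.0.6:50377 -> 192.168.10.21:3389
2024-03-04T19:09:02 ALLOW 203.0.113.44:41820 -> 192.168.10.22:3389
2024-03-04T19:10:15 ALLOW 10.8.0.6:50391 -> 192.168.10.5:445
malformed line
"""

LINE_RE = re.compile(
    r"^(\S+) ALLOW (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def review_rdp(log_text):
    """Return (timestamp, source, destination, finding) per allowed RDP session."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) != RDP_PORT:
            continue  # not an allowed RDP connection, or not parseable
        ts, src, dst = m.group(1), m.group(2), m.group(3)
        try:
            inside_vpn = ipaddress.ip_address(src) in VPN_POOL
        except ValueError:
            continue  # octets out of range; treat as unparseable
        user = VPN_USER.get(src)
        if not inside_vpn:
            finding = "RDP from outside the VPN"
        elif user is None:
            finding = "VPN address with no known user"
        elif WORKSTATION.get(user) != dst:
            finding = f"{user} connected to a workstation that is not theirs"
        else:
            finding = f"ok: {user} to own workstation"
        results.append((ts, src, dst, finding))
    return results
```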
With the need for remote connectivity—and for that matter, any connectivity—and for keeping files and data (especially that which is proprietary) safe comes the need to discuss how to build a safe and secure environment for our electronic files and data. Keeping all of the company business within the physical walls (even virtual walls) of the company goes a long way toward securing that data. To do so, you can implement a simple communications policy that prohibits emailing files and data when unnecessary, especially internally. Email has become the de facto file repository.
Using email as a file cabinet is easy because attachments are surrounded by the context of the message containing the attachment. But now it sits on the email server—forever! Instead of allowing it to sit, you can file share to an individual on the network file server, and then email them the link to the file with instructions to “track changes” or “save a revision with your initials.” Now, you have an access record on the file server, and the data will remain on the servers. You can allow a working directory on a locally controlled office computer, but by practice and policy, you should always instruct employees to put the file back on the server and remove any local copies.
Most small networks like the size we’re talking about will tolerate simply opening and manipulating the file directly from the file server, so no local copy is necessary. Encryption techniques are extensive! Trying to address them here would consume a lot of space, so we’ll keep it simple. Use encryption when it makes sense. If you have highly proprietary documents, then encrypt them and add the public keys only to those documents that absolutely require it. Always use a master public key in addition to individual keys, as shown in Figure 17.5. This will ensure that the company owner always has access to any encrypted information. You can implement simple, electronic-auditing techniques to collect information on what files have whose key associated with them.
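One way to run the key audit described above, as an added example that is not from the book: it assumes the documents are OpenPGP-encrypted with GnuPG and that the text printed by `gpg --list-packets` has been collected for each file. The file names, key IDs, owner names and the `audit` helper are constructed for illustration.

```python
import re

# Constructed key IDs. The packet records the encryption subkey ID,
# so the owner table must be keyed by subkey ID, not primary key ID.
MASTER_KEY_ID = "AAAAAAAAAAAA0001"
KEY_OWNERS = {
    MASTER_KEY_ID: "company master key",
    "BBBBBBBBBBBB0002": "alice",
    "CCCCCCCCCCCC0003": "bob",
}
HIDDEN = "0000000000000000"  # recipient key ID withheld by the sender

KEYID_RE = re.compile(r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})\b", re.M)


def recipients(list_packets_output):
    """Key IDs a file is encrypted to, taken from `gpg --list-packets` text."""
    return [k.upper() for k in KEYID_RE.findall(list_packets_output)]


def audit(dumps):
    """Map each file to its known key holders and to any findings."""
    report = {}
    for path, text in dumps.items():
        ids = recipients(text)
        findings = []
        if MASTER_KEY_ID not in ids:
            findings.append("master key missing")
        if HIDDEN in ids:
            findings.append("hidden recipient")
        unknown = [k for k in ids if k not in KEY_OWNERS and k != HIDDEN]
        if unknown:
            findings.append("unknown key " + ",".join(unknown))
        holders = sorted(KEY_OWNERS[k] for k in ids if k in KEY_OWNERS)
        report[path] = {"holders": holders, "findings": findings}
    return report


def packet(keyid):
    """Build one constructed recipient packet in gpg's listing style."""
    return f":pubkey enc packet: version 3, algo 1, keyid {keyid}\n\tdata: [2047 bits]\n"


# Constructed listings for four files.
SAMPLE_DUMPS = {
    "course-outline.docx.gpg": packet(MASTER_KEY_ID) + packet("BBBBBBBBBBBB0002"),
    "pricing.xlsx.gpg": packet("CCCCCCCCCCCC0003"),
    "script-draft.docx.gpg": packet(MASTER_KEY_ID) + packet("DDDDDDDDDDDD0004"),
    "notes.txt.gpg": packet(MASTER_KEY_ID) + packet(HIDDEN),
}
```

A file reported with "master key missing" is one the company owner cannot open, which is the case the master-key rule exists to prevent.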
Now that you understand the basic architecture, you can start to focus on the different requirements for deployment. When you’re deploying your resources (that is, hardware, networks, monitors, storage arrays, and so on), there are many novel methods from which to choose nowadays. Let’s leverage a scaled approach. This means that the warehouse won’t get a 30-inch monitor, and the administrative folks won’t get dual screens. As the old saying goes, “the right tool for the right job.”
When it comes to personal computers and servers, there are some pretty simple principles to control costs and maintain capability. Only buy what you need for the job. As a small company, you wouldn’t want to hinder your employee performance with cheap or underpowered equipment. It is the same for very large companies. Can you imagine buying six thousand PCs all with CD-ROMs? How many times do you actually need a CD-ROM? Maybe buy one or two USB CD-RWs and fetch them from the cabinet when you need them. The same applies for other peripherals. The literal piles of equipment discarded at some companies, quite a bit of it with little actual use, can be amazing.
Let’s look at the small, cost-effective system shown in Figure 17.6. It should meet all of the needs listed in the scenario, but you may consider adjusting for your budget simply because you would like a more commercial approach. The actual networking equipment is not shown, but it is implied that there will, at a minimum, be an outward-facing firewall, a managed switch, unmanaged switches, and the router(s) needed for internal and external access.
It should be no surprise that this looks like almost any other computer network on the planet. After all, there’s only so much you can do with what you have. The difference is that you will implement the following:
The following questions test your knowledge of the material presented in Part III.
Answer: A The data link layer is involved in controlling how the data is packaged and moved between communication points. At this layer, the data is formatted into frames suited for transmission. Components at this level also add error detection and correction functions to the frames, as well as media access protocols and specific information about transmission to specific nodes on the same network segment.
Answer: C IPv6 addresses are typically written in the form of hexadecimal digits, separated by colons (2001:0db8:00a7:0051:4dc1:635b:0000:2ffe).
Answer: D Proxy servers act as intermediaries between network computers and the Internet.
Answer: C RAS (Remote Access System) servers allow clients to dial in to a computer from a remote site, even if they are not connected to a LAN.
Answer: A Packet sniffing attacks are normally conducted using a network analyzer tool referred to as a packet sniffer, to listen to network traffic looking for items such as passwords and usernames sent across the network in a plaintext mode, or sensitive information such as credit card or other financial information they can hijack.
Answer: B In a MAC duplicating or MAC cloning attack, the attacker updates their own MAC address with the target’s MAC address. This will cause the switch to forward traffic to both locations.
Answer: C Although WEP is a strong encryption method, serious attackers can crack it. This has led the wireless industry to create a stronger Wi-Fi Protected Access (WPA) standard. WPA adds improved data encryption, using Temporary Key Integrity Protocol (TKIP) and IEEE 802.1X Extensible Authentication Protocol (EAP) user authentication protocol to provide increased security.
Answer: D Daemon is a standard, default user/group that has privilege to execute daemon programs (background processes) that run without direction from the user.
Answer: B, D Managed switches typically offer DHCP snooping and Dynamic ARP Inspection (DAI) configuration options that are designed to thwart MITM attacks. DHCP snooping is used to filter and block ingress (incoming) DHCP server messages and builds an IP-to-MAC address database. DAI uses the DHCP snooping database to check and validate ARP requests to prevent ARP spoofing attacks.
Answer: A All security efforts begin at the physical access level. If an unauthorized person can gain physical access to the network servers, media, or connectivity devices, then there is no security.
Exam Questions
10000111.10001011.01001001.00110110
191.254.0.0
2001:0db8:00a7:0051:4dc1:635b:0000.2ffe:
13:A2:00:40:6B:8E:66
2001: 0db8:00a7:0051:4dc1:635b:0000:2ffe
).