NetGamesRUs Week-3 Security Policies

NetGamesRUs.com

NetGamesRUs is a sample company.  It is a small organization with a midsize network and some specific needs.

Organization Overview

NetGamesRUs (NGRU) is an upstart gaming company in the world of massively multiplayer (MM) games. These games allow thousands of users from around the world to connect to the same server to take part in a game. MM games attract a devoted following that doesn’t take too kindly to downtime and is even less tolerant of game bugs or cheats that allow a certain player to gain an unfair advantage over others.

After finishing the beta phase for its first game, NGRU quickly realized that it had a hit on its hands. The buzz on the Internet was that this game could sell over 100,000 copies in its first month of release. During peak times, the company estimates that as many as 10,000 people can be logged on to its servers.

Unfortunately, NGRU designed the infrastructure for the game back when it thought it would be lucky to sell 10,000 copies in the first 3 months. As such, NGRU needs an improved design that allows a high rate of throughput. Security wasn’t top of mind during the game’s development, but after seeing a competitor’s customer database get hacked and the bad PR this caused, NGRU decided to hire a security professional, you, to come in and help improve its security in the 30 days leading up to the commercial release of the game.

NGRU has a staff of 30 in one location, mostly developers, some of whom work remotely. It has one dedicated IT staffer for both security and networking.

Current Design

The NGRU network is shown in Figure below.

The NRGU network is currently a flat internal network with a firewall between the internal network and the Internet. As you can see, all public services are in front of the firewall. This was done because NGRU didn’t spend the money on a three-interface firewall when it built out the network originally. All public servers, including the gaming servers, are UNIX based.

All internal systems are unprotected beyond application security. Each game developer has a UNIX box for development, e-mail, and other work-related tasks. They also have a Microsoft Windows box that they use for game testing because Windows is the dominant MM gaming platform.

Security Requirements

The following are the basic network-relevant decisions related to the security improvements NGRU wishes to make. Some of the requirements are found in the security policy; others are derived from the policy’s mandates.

Campus Security

The following are the security considerations in the campus network:

·         Internal employees are trusted, in addition to being a very small group. Policies were written to encourage strong password selection, antivirus, host patching, and basic hardening, but internal security is left intentionally weak.

·         All devices are stationary, so there is no wireless LAN (WLAN). Physical access to the building is basic lock and key.

·         No inbound access to the campus network should be allowed as a default. (Exceptions are noted in the following sections.)

Edge Security

The following are the security considerations in the edge network:

·         The public services (DNS, SMTP, HTTP) should be separated from the game servers, and both collections of hosts should be protected from attack.

·         The game servers listen on User Datagram Protocol (UDP) port 4432.

·         Remote workers should have a secure channel to access the internal network and the game servers.

·         The availability of the game servers is of paramount concern.

·         The customer database should be protected against direct attack from the Internet because it contains credit cards and other sensitive information.

Management

The following are the security considerations related to network management:

·         Devices on the edge network should be managed securely when possible. Systems on the internal network can be managed using any available method.

·         The game servers should not be managed over the same links that route the production traffic.

Q1: Outline NGRU's primary business needs to be protected. Develop security policies for NGRU using network Security Policies Best Practices to meet minimum primary business needs of NGRU's.

Q2: Put yourself in the shoes of a resourceful attacker. What damage could such a person with lots of free time and patience do to NGRU's organization business need?

Q3: The company president went to Washington to attend Homeland Security conference and just returned. He called you (Chief Security Officer) and ask you to revise your security policies to include a Terrorist Attack. More specific, he wants to minimize the loss, if such an attack occurs at one location or in town. What would you recommend and also, list your basis of recommendations.