Running head: Final
Final
Southern New Hampshire University
Milestone 1
Final
SNHUEnergy Inc. is a medium-sized oil and gas company that focuses on exploration
and drilling of oil-based products. The company wants to expand into transportation and
refinement of its discoveries. To accomplish this, SNHUEnergy needs to expand its
communication infrastructure within the next 12 to 18 months. The company will grow by 50%
each year for the next two years and expand to three regional offices in Memphis, Kansas City,
and Houston. Each location is a single building with multiple floors and different divisions such
as human resources, IT, accounting, operations, and payroll. The network infrastructure consists
of network routers, switches, and firewalls that connect all the users to the intranet and internet.
All connectivity across the network is Transmission Control Protocol/Internet Protocol (TCP/IP)
traffic, which is utilized by data, voice, and video applications across the organization.
The network infrastructure project must address network traffic needs and security
parameters that support a growing company. This means considering future communication
needs. This requires understanding the connectivity and traffic traversing the network internally and
externally, then developing a plan that gives end users access to the key
applications across the company. The project will also produce a detailed network architecture
appropriate for supporting growth and improved communication across the company. The
infrastructure should include routers, switches, and firewall equipment and utilize Transmission
Control Protocol/Internet Protocol (TCP/IP) traffic.
The first section provides an analysis of the current state of its network infrastructure.
This includes an assessment of the critical traffic patterns and how they affect the applications.
The current system certainly has some performance and security issues like latency, jitter and
packet loss. The second section provides an assessment of the recommended network
architecture to implement. This includes an assessment of communication needs and a detailed
look at the network architecture requirements. The third section provides planning and security
recommendations for implementing that new network architecture. This is where
recommendations are listed to deal with the performance and security issues in the current
network.
Current Network
This section provides an analysis of the current network, including applications, OSI model,
devices, traffic patterns, and performance and security issues.
Network Applications
Network applications are software that facilitates, enhances, or interacts with a computer
network and may perform tasks that supplement, enable, or replace end-user software [RAlnd].
SNHUEnergy has different types of network software that provide different services and tools.
These include:
Communications software: SNHUEnergy predominately uses email, Voice
over IP (VoIP) phone system, and videoconferencing for communicating across
its network. Communications software on a network may also include instant
message and teleconferencing.
Security software: SNHUEnergy is using firewall software and may also
be using antivirus, spam filtering, and data-access management applications.
Networking software: This is software that enables the computer network, which
includes a Network Operating System (NOS).
Shared network applications: These are applications that are stored on a central
server and are run from individual client devices. These may include payroll,
billing, accounting, HR, and operations management systems – all of which
could be pieces of an Enterprise Resource Planning (ERP) system. ERP software
integrates back office business processes and facilitates the flow of information so
business decisions may be data-driven.
[RAlnd]. The benefits of network applications as a replacement for desktop software include
centralized management and reduced end-user technical support problems [SNAnd].
OSI Model
The following correlates each network component with its OSI layer:
Firewall: can work at different OSI layers, including Layer 3 (Network), Layer 4
(Transport), and Layer 7 (Application). Network layer firewalls make their
decisions based on the source address, destination address, and ports in individual
IP packets—taking advantage of the addressing and routing capabilities of layer
3. Transport layer firewalls take advantage of packet transportation. Application
layer firewalls take advantage of application services afforded to programs
interacting with the network.
Router: functions at Layer 3, the Network Layer. This layer defines logical
addressing, routing (forwarding), and the routing protocols used to learn routes.
Switch: switching functions at Layer 2, the Data Link Layer. Layer 2 ensures the
initial connection is set up, divides output data into data frames, and handles
acknowledgments from a receiver. Some switches possess Layer 3 routing
properties.
Servers and workstations: both function at Layer 7, the Physical Layer. This
layer conveys the bit stream through the network at the electrical, optical, or
radio level. It provides the hardware means of sending and receiving data across a
network.
[FIRnd]. The following diagram shows SNHUEnergy’s current network architecture. Each
component is labeled with the corresponding OSI layer on that diagram.
Visual Representation
The following Visio diagrams show the logical network design of the Dallas and Memphis
networks.
Physical Network Devices
Devices and media are the physical elements of the network. This hardware comprises
visible network components such as the switch, end device, wireless access point, router, or
cabling. It also comprises network components that may not be visible, such as wireless media
transmitted through the air using invisible infrared waves or radio frequency. There are three
categories of physical network devices: end devices, intermediary devices, and network media.
End devices
End devices or hosts are the most familiar network devices to end users. These devices
are the interface between users and the underlying network [Exp]. Examples include:
Computers (workstations, laptops, file servers, web servers)
Network printers
VoIP phones
TelePresence endpoints
Security cameras
Mobile devices (smartphones, tablets, PDAs)
[Exp].
A host can also act as a client, server, or both. A client is the requesting program or user
in a client-server relationship and displays information obtained from the server [Exp]. The
server centrally manages and shares resources and communications to clients over a local
network or the Internet [Placeholder1]. Servers typically provide file, communication, access and
management services [Placeholder1].
A host device is the source or destination of a message transmitted across the network
[Exp]. Each host is distinguished by a MAC address and an IP address, both of which are used
by intermediary devices to accurately transmit data from source to destination [Exp].
Intermediary devices
Intermediary devices connect end devices and work behind the scenes to ensure that data
flows across the network. These devices can connect multiple individual networks to form an
internetwork [Exp]. Intermediary devices provide the following functions:
Regenerate and retransmit data signals;
Maintain information about which pathways exist through the network and
internetwork;
Notify other devices of errors and communication failures;
Direct data along alternate pathways when there is a link failure;
Classify and direct messages according to QoS priorities;
Permit or deny the flow of data, based on security settings.
[Exp]. Intermediary devices include network access devices, internetworking devices, and
security devices.
Network access devices.
Switch. Switches provide the linkage points and switching functions on an Ethernet
network [Cis07]. A switch transfers data only to the port that is connected to the destination
device [Netnd1]. It does so by learning the MAC address of all devices connected to it [Netnd1].
Data is transmitted via the switch by one of three methods:
Cut-through transmission: Forwards the packets as soon as they are
received. This method is prompt, but error checking is often overlooked.
Store and forward: The entire packet is received and checked before being
forwarded to its destination. This provides error checking, but this checking
method can slow processing and delivery.
Fragment Free: A greater part of the packet is examined so that the switch can
determine whether the packet has been caught up in a collision. After the
collision status is determined, the packet is forwarded. This combines the best of
cut-through transmission with store and forward’s error checking process.
[Netnd1].
Layer 2 switches forward network traffic based on MAC layer addresses, which is
called switching [Cis07]. A switch serves as a controller, enabling networked devices to efficiently talk
to each other [Whand5]. Layer 2 switches have three distinct functions:
Address learning: Layer 2 switches remember the source MAC address of
each frame received on an interface. This information is entered on a MAC
address table.
Forward/filter decisions: when a frame is received on an interface, the
switch looks at the destination MAC address and finds the exit interface in the
MAC address table.
Loop avoidance: if multiple connections between switches are created for
redundancy purposes, network loops can occur. Switches use the Spanning
Tree Protocol (STP) to stop network loops while permitting redundancy.
[Cis07]. Layer 3 switches can perform switching and routing functions [Laynd]. Layer 3
switches improve network routing performance for large local area networks (LANs), especially
for corporate intranets [Placeholder2].
Wireless Access Point. A Wireless Access Point (WAP) acts as a central transmitter and
receiver of wireless signals across a wireless local area network (WLAN), using wireless
standards like Wi-Fi or Bluetooth [Bra17]. WAPs feature radio transmitters and antennae,
facilitating connectivity between end devices and the Internet or network [Wirnd]. A WLAN
allows for mobility, meaning employees can work from anywhere there is wireless coverage.
Internetworking devices.
Router. The primary internetworking device is the router. A router determines the best
way for a packet to be forwarded to its destination—it routes the packet across networks
[Whand5]. They are used to connect dissimilar LANs on the same protocol and can limit the
flow of broadcasts [Netnd1]. Routers can act as the network’s gateway. A gateway is a device
used to connect multiple networks and passes packets from one network to another network,
which is necessary for Internet connection [Netnd1].
Routers process the logical addressing information in the Network header of a packet
[Netnd1]. In a TCP/IP network, that logical address is the IP address [Odond]. When a router
receives the data, it determines the destination address by reading the header of the packet,
searches its routing table to determine how to reach the destination, and then forwards the packet
to the next hop on the route [Netnd1]. This hop could be the destination or another router
[Netnd1]. There are two ways in which the router creates and updates a complete routing table:
Static Routing: the routing information is fed into the routing tables manually. A
manual update is required whenever the topology of a network that uses statically
configured routers changes. This method is time-consuming and prone to
errors—it is most feasible for networks with one or two routers at most.
Dynamic Routing: the routing table information is learned via dedicated routing
protocols. These protocols enable routers to share information about their
routing tables with other routers—this lets routers build their own routing tables.
This is far more practical for networks with three or more routers.
[Netnd1].
Security devices.
Firewall. The firewall is the primary security device on a network. A firewall is a
hardware or software system that prevents unauthorized access into or out of a network [Karnd].
All data entering or leaving the network passes through the firewall [Karnd]. The firewall examines
each data packet and blocks those that do not meet the specified security criteria [Karnd]. NIST
divides firewalls into three basic types:
Packet filters: the process of passing or blocking data packets at a network
interface based on source and destination addresses, ports, or protocols. This
is typically done with Layer 3 firewalls.
Stateful inspection: monitors the state of active connections and uses this
information to determine which network packets to allow through the
firewall. Also called dynamic packet filtering. This is typically done with
Layer 4 firewalls.
Proxies: combine stateful inspection technology with the ability to perform deep
application inspections as well as analyze Layer 7 protocols (e.g., HTTP and
FTP) and monitor traffic for additional signs of attack. The firewall acts as a
proxy by opening a separate connection to the server on a client’s behalf when
that client connects to the firewall. This is typically done with Layer 7 firewalls.
[Miknd1].
Network media
Communication across a network is carried on a medium, which provides the channel
over which a message travels from source to destination [Exp]. Modern networks primarily use
copper, fiber optic or wireless to transmit data [Odond]. The required signal encoding for
transmission is different for each media type. Copper wires encode data into electrical impulses
that match specific patterns; fiber optic transmissions use pulses of light; and wireless
transmission uses patterns of electromagnetic waves to depict different bit values [Exp].
Critical Traffic Patterns
The following identifies the critical traffic patterns used in the current network. These
traffic patterns are grouped into four categories: Service, Application, Network Management, and
Other.
Service
Packets 2198, 2202, 2204, 2205, 2206, 2207, 2218, 2220, 2222, 2223, 2224, 2226, 2227,
and 2228 are all using Real-time Transport Protocol (RTP). RTP is an application level protocol
that specifies how programs manage the real-time transmission of multimedia data over network
services [Marnd18]. RTP components include:
a sequence number: used to detect lost packets
payload identification: describes the specific media encoding in case it was
adapted to accommodate bandwidth
frame indication: marks the beginning and end of each frame
source identification: identifies the originator of the frame
intramedia synchronization: uses timestamps to detect varying delay
jitter within a single stream and compensate for it.
[Marnd18]. It is also dependent upon UDP as its transport protocol [Reand].
The Source IP (67.16.104.172) for these packets is an IP phone and the Destination IP
(10.0.6.73) indicates a device outside of SNHUEnergy’s network. The payload ID (ITU-T G.711
PCMU) indicates audio [Reand]. These packets appear to belong to the same phone call, as the sequence
numbers (Seq) are consecutive, going from 419 to 420. This also indicates no packet loss in this Wireshark
capture [Reand]. This does not mean that packet loss could not occur. The Wireshark capture
may be showing some delay in the call, albeit imperceptible.
Application
Packets 2197, 2203, 2210, 2217, 2221, and 2225 are using Transmission Control
Protocol (TCP). TCP determines how to break application data into packets; guarantees delivery
of packets in the same order in which they were sent, manages flow control; and handles
retransmission of dropped or garbled packets as well as acknowledgement of all packets that
arrive [Marnd17]. Acknowledgements are part of a TCP handshake, which enables two hosts to
establish a connection and exchange streams of data [Vannd]. Before the sending device and the
receiving device start exchanging data, both devices need to be synchronized using a three-way
TCP handshake [3wand].
Here is how the handshake should work between 10.0.8.73 and 10.0.8.42:
1. 10.0.8.73 sends a TCP segment with SYN = 1, ACK = 0, ISN (Initial
Sequence Number) = 2000;
2. 10.0.8.42 returns a TCP segment with SYN = 1, ACK = 1, ISN = 5000;
3. 10.0.8.73 sends a TCP segment to 10.0.8.42 that acknowledges receipt of
10.0.8.42’s ISN; and provides SYN = 0, ACK = 1, Sequence number =
2001.
[3wand]. After the handshake, the connection is open and the participant computers start
sending data using the agreed sequence and acknowledgement numbers [3wand].
Steps one and two of the handshake process are not shown in this Wireshark capture. Step
three is repeated in packets 2197, 2203, 2210, 2217, 2221, and 2225, perhaps in response to
segments from 10.0.8.42 not listed in this Wireshark capture. 10.0.8.73 intentionally sends duplicate ACKs.
These duplicates indicate that it has received packets out of sequence and there are possibly
packets being dropped [Int08].
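The two symptoms read out of the capture above, RTP sequence continuity (419, 420, ...) and repeated ACKs from 10.0.8.73, can be checked mechanically. The following script is an added example and not part of the report; its Packet records, frame numbers, addresses and timings are constructed to resemble the capture rather than copied from it.

```python
"""Check a set of packet summaries for RTP sequence gaps (lost audio packets),
RFC 3550 interarrival jitter, and duplicate-ACK runs from one TCP host
(out-of-order or dropped segments). All sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    number: int                   # capture frame number
    src: str
    dst: str
    proto: str                    # "RTP" or "TCP"
    seq: int                      # RTP sequence number or TCP sequence number
    ack: Optional[int] = None     # TCP acknowledgement number (None for RTP)
    flags: str = ""               # TCP flags as text: "SYN", "SYN,ACK", "ACK"
    rtp_ts: Optional[int] = None  # RTP timestamp (8 kHz clock for G.711 PCMU)
    arrival_ms: float = 0.0       # capture arrival time in milliseconds


def _rtp_stream(packets: List[Packet]) -> List[Packet]:
    return sorted((p for p in packets if p.proto == "RTP"), key=lambda p: p.number)


def rtp_sequence_gaps(packets: List[Packet]) -> List[Tuple[int, int]]:
    """Return (expected, observed) pairs wherever the RTP sequence number jumps.
    Consecutive numbers mean no loss; RTP sequence numbers are 16 bits, so
    65535 is legitimately followed by 0 and must not be reported as a gap."""
    gaps: List[Tuple[int, int]] = []
    last: Optional[int] = None
    for p in _rtp_stream(packets):
        if last is not None:
            expected = (last + 1) & 0xFFFF
            if p.seq != expected:
                gaps.append((expected, p.seq))
        last = p.seq
    return gaps


def rtp_jitter_ms(packets: List[Packet], clock_hz: int = 8000) -> float:
    """RFC 3550 interarrival jitter estimate, J += (|D| - J) / 16, converted to
    milliseconds. D compares arrival spacing with RTP timestamp spacing."""
    jitter = 0.0
    prev: Optional[Packet] = None
    for p in _rtp_stream(packets):
        if prev is not None:
            arrival_ticks = (p.arrival_ms - prev.arrival_ms) * clock_hz / 1000.0
            d = arrival_ticks - (p.rtp_ts - prev.rtp_ts)
            jitter += (abs(d) - jitter) / 16.0
        prev = p
    return jitter * 1000.0 / clock_hz


def duplicate_acks(packets: List[Packet]) -> Dict[Tuple[str, str, int], List[int]]:
    """Group pure ACK segments by (src, dst, ack number). A group with more than
    one frame is a duplicate-ACK run: the receiver keeps re-acknowledging the
    same byte because a later segment arrived ahead of a missing one."""
    runs: Dict[Tuple[str, str, int], List[int]] = {}
    for p in packets:
        if p.proto == "TCP" and p.flags == "ACK" and p.ack is not None:
            runs.setdefault((p.src, p.dst, p.ack), []).append(p.number)
    return {key: frames for key, frames in runs.items() if len(frames) > 1}


# Constructed sample resembling the report's capture (not the real trace).
SAMPLE: List[Packet] = [
    Packet(2197, "10.0.8.73", "10.0.8.42", "TCP", seq=2001, ack=5001, flags="ACK", arrival_ms=0.0),
    Packet(2198, "67.16.104.172", "10.0.6.73", "RTP", seq=419, rtp_ts=160000, arrival_ms=1.0),
    Packet(2202, "67.16.104.172", "10.0.6.73", "RTP", seq=420, rtp_ts=160160, arrival_ms=21.5),
    Packet(2203, "10.0.8.73", "10.0.8.42", "TCP", seq=2001, ack=5001, flags="ACK", arrival_ms=22.0),
    Packet(2204, "67.16.104.172", "10.0.6.73", "RTP", seq=421, rtp_ts=160320, arrival_ms=41.0),
    # sequence 422 never arrives: one 20 ms G.711 frame lost
    Packet(2205, "67.16.104.172", "10.0.6.73", "RTP", seq=423, rtp_ts=160640, arrival_ms=81.0),
    Packet(2210, "10.0.8.73", "10.0.8.42", "TCP", seq=2001, ack=5001, flags="ACK", arrival_ms=82.0),
]


def analyze(packets: List[Packet]) -> Dict[str, object]:
    return {
        "rtp_gaps": rtp_sequence_gaps(packets),
        "rtp_jitter_ms": round(rtp_jitter_ms(packets), 3),
        "duplicate_acks": duplicate_acks(packets),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE).items():
        print(f"{name}: {value}")
```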
Packets 2208, 2209, 2211, 2212, 2213, 2214, 2215, and 2216 use the MySQL protocol to
establish a connection between a MySQL client and a MySQL Server. 10.0.8.73 appears to be the
MySQL client requesting a query and 10.0.8.42 appears to be the MySQL Server that provides
the response.
Network Management
Packet 2219 is using the Secure Shell (SSH) protocol to remotely log in from 10.0.6.73 to
10.1.0.248 [SSH17]. SSH is used to:
Provide secure access for users and automated processes;
Provide Interactive and automated file transfers;
Issue remote commands;
Manage network infrastructure and mission-critical systems.
[SSH17]. The main benefit to SSH is that it provides several options for strong authentication
and it protects the communications security and integrity with strong encryption [SSH17].
SSH works within the client-server model. The connection is established by the SSH
client, which connects to the SSH server [SSH17]. IP 10.0.6.73 is the SSH client connecting to SSH
server 10.1.0.248. The SSH client drives the connection setup process and uses public key
infrastructure to verify the identity of the SSH server [SSH17]. Once setup is complete, the SSH
protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and
integrity of the data that is exchanged between client and server [SSH17].
Other Patterns
Source 127.0.0.1 to Destination 127.0.0.1 is using a loopback address, indicating the
localhost [Bra171]. This connection uses TCP. The loopback address is used to establish an IP
connection to the same end device [127nd]. TCP/IP checks each message before sending it onto
the physical network and automatically re-routes any message with a 127.0.0.1 destination back
to the receiving end of the TCP/IP stack [Bra171]. Using the loopback interface bypasses any
local network interface hardware [Whand7]. It is helpful when a server offering a requested
resource is running on the machine that made the request.
If any public switch, router, or gateway receives a packet with 127.0.0.1, it drops the
packet without logging the information [127nd]. Consequently, if a data packet is delivered
outside of the localhost, it will not accidentally arrive at a computer which will try to answer
it [127nd]. This helps ensure network security is maintained.
Patterns across the Infrastructure
The following describes common traffic patterns across the infrastructure in relation to
critical network applications, which include VoIP and Videoconferencing, MySQL, Email,
and Enterprise Resource Planning.
VoIP and Videoconferencing
The packets using RTP provide Voice over Internet Protocol (VoIP) services. VoIP
technology allows phone calls to be made over digital computer networks like the Internet [Br17].
VoIP converts analog voice signals into digital data packets and supports real-time, two-way
transmission of conversations using IP [Br17].
Here is the basic voice flow for VoIP:
1. The voice coder-decoder (codec) digitizes the analog signal from the phone
into pulse code modulation (PCM) signals;
2. PCM samples are passed to the compression algorithm;
3. The compression algorithm compresses the voice into a packet format for
transmission across the WAN;
4. The receiving end completes steps 1-3 in reverse order.
[Und06]. A router or gateway usually performs both the codec and compression functions
[Und06]. When a user in the Dallas office makes a call to a user in the Memphis office,
the Dallas user’s IP phone uses RTP and UDP to route through DALLAS_SW_1 then
through DALL-RTR_03 and MEMPHIS_RTR_002 to an IP phone on the Memphis
office.
Videoconferencing is a live, visual connection between two or more people situated in
separate locations for communication [Marnd19]. It can provide static images and text between
two locations as well as transmission of full-motion video images and high-quality audio
between multiple locations [Marnd19]. Videoconferencing also uses the RTP, TCP, and
UDP protocols. When a Memphis user needs to make a videoconference call outside the
company’s WAN, the videoconferencing device uses RTP, RCP, and UDP protocols to route
packets through MEMPHIS_RTR_002 and DALL_RTR_03 then through the firewall to its
final destination outside the network.
MySQL
MySQL is an open source database that runs on a server [PHPnd]. It uses standard SQL
and is typically used for developing various web-based software applications [PHPnd]. The
MySQL protocol is a stateful protocol with two phases: Connection Phase and Command Phase.
The Connection Phase performs three tasks:
Exchange the capabilities of client and server;
Setup SSL communication channel, if requested;
Authenticate the client against the server.
[Connd]. The Command Phase allows the client to make requests of the MySQL server [Clind].
MySQL protocols support features like transparent encryption using SSL, transparent
compression, a connection phase where capabilities and authentication data are exchanged, and a
command phase which accepts commands from the client and executes them [Clind].
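The Connection Phase described above begins with a greeting from the server that carries its capability flags (including whether an SSL channel can be requested) and the authentication plugin it proposes. The following parser is an added example, not the report's or MySQL's own code; the greeting bytes, version strings and scramble are constructed here with build_greeting(), and the capability bit values are those of the MySQL client/server protocol.

```python
"""Build and parse a MySQL server greeting (Protocol::HandshakeV10) and report
what the Connection Phase offers: capability flags, TLS availability
(CLIENT_SSL) and the proposed authentication plugin. Sample values are
constructed; nothing here is taken from the report's capture."""
import struct
from typing import Any, Dict, List

# Capability flag bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_greeting(server_version: bytes, capabilities: int, auth_plugin: bytes,
                   scramble: bytes, thread_id: int = 42, seq_id: int = 0) -> bytes:
    """Assemble a HandshakeV10 payload and prepend the 4-byte packet header
    (3-byte little-endian payload length + 1-byte sequence id)."""
    if len(scramble) != 20:
        raise ValueError("MySQL scrambles are 20 bytes")
    payload = bytearray()
    payload += b"\x0a"                            # protocol version 10
    payload += server_version + b"\x00"           # NUL-terminated version string
    payload += struct.pack("<I", thread_id)
    payload += scramble[:8] + b"\x00"             # auth-plugin-data-part-1 + filler
    payload += struct.pack("<H", capabilities & 0xFFFF)   # lower capability bits
    payload += b"\x21"                            # character set (utf8_general_ci)
    payload += struct.pack("<H", 0x0002)          # status flags: SERVER_STATUS_AUTOCOMMIT
    payload += struct.pack("<H", capabilities >> 16)      # upper capability bits
    payload += bytes([21]) if capabilities & CLIENT_PLUGIN_AUTH else b"\x00"  # auth data len
    payload += b"\x00" * 10                       # reserved
    if capabilities & CLIENT_SECURE_CONNECTION:
        payload += scramble[8:] + b"\x00"         # part-2: max(13, 21 - 8) bytes
    if capabilities & CLIENT_PLUGIN_AUTH:
        payload += auth_plugin + b"\x00"
    header = struct.pack("<I", len(payload))[:3] + bytes([seq_id])
    return header + bytes(payload)


def parse_greeting(packet: bytes) -> Dict[str, Any]:
    """Decode the greeting field by field; raises ValueError if malformed."""
    length = int.from_bytes(packet[0:3], "little")
    p = packet[4:4 + length]
    if len(p) != length or p[0] != 0x0A:
        raise ValueError("not a HandshakeV10 packet")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode("ascii")
    pos = end + 1
    thread_id, = struct.unpack_from("<I", p, pos)
    pos += 4
    scramble = bytes(p[pos:pos + 8])
    pos += 9                                      # 8 scramble bytes + filler
    cap_low, charset, status, cap_high = struct.unpack_from("<HBHH", p, pos)
    pos += 7
    capabilities = (cap_high << 16) | cap_low
    auth_len = p[pos]
    pos += 11                                     # length byte + 10 reserved bytes
    if capabilities & CLIENT_SECURE_CONNECTION:
        n = max(13, auth_len - 8)
        part2 = bytes(p[pos:pos + n])
        scramble += part2[:-1] if part2.endswith(b"\x00") else part2
        pos += n
    plugin = ""
    if capabilities & CLIENT_PLUGIN_AUTH:
        plugin = p[pos:p.index(b"\x00", pos)].decode("ascii")
    return {
        "server_version": version, "thread_id": thread_id, "charset": charset,
        "status": status, "capabilities": capabilities,
        "ssl_offered": bool(capabilities & CLIENT_SSL),
        "auth_plugin": plugin, "scramble": scramble,
    }


def assess(info: Dict[str, Any]) -> List[str]:
    """Flag Connection Phase properties a defender would want to know about."""
    findings: List[str] = []
    if not info["ssl_offered"]:
        findings.append("CLIENT_SSL is clear: the server offers no TLS, so credentials "
                        "and queries would cross the network in clear text")
    if info["auth_plugin"] == "mysql_native_password":
        findings.append("mysql_native_password proposed: SHA-1 based challenge-response; "
                        "caching_sha2_password is the stronger modern default")
    return findings
```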
Email
Email communication uses protocols to send and receive emails. There are two protocols
for sending emails to choose from: Internet Message Access Protocol (IMAP) and Post Office
Protocol 3 (POP3). IMAP stores emails on an Internet server and when a user accesses their
account, they are connected to the external server and data is transferred from the server to their
local machine [aHo17]. It allows a single account to be operated and managed by multiple users
[aHo17]. POP3 downloads messages from a mail service to a user’s local computer—all emails
are stored on the user’s local machine [aHo17]. This allows the user to disconnect from the
Internet and retain access to their messages [aHo17]. There is only one protocol for sending and
receiving emails: Simple Mail Transfer Protocol (SMTP); every email service uses some
variation of SMTP [aHo17]. When a user clicks the send button, the email client connects to the
email provider’s SMTP server using SMTP protocol [aHo17]. SNHUEnergy’s email server sits
at the Dallas Headquarters so all emails for Dallas and Memphis must go through the Dallas
network.
Enterprise Resource Planning (ERP) System
ERP software integrates back office business processes like payroll, billing, accounting,
HR, and operations management while facilitating the flow of information, so business decisions
may be data-driven [Marnd10]. An ERP may be made up of disparate software components that are
networked to create a single system. SNHUEnergy’s ERP is spread across several servers that
provide services for functional areas like payroll, accounting, HR, billing, and operations.
Payroll, accounting and HR servers are in Dallas. Billing and operations servers are at the
Memphis Office. ERPs use Electronic Data Interchange (EDI) and XML to exchange business
information between separate computer systems with a standard structured format [Wei07].
Performance Issues
The following lists the primary performance issues common with data networks as well
as those evidenced in the Wireshark capture.
Packet Loss
The primary performance issue in a data network is packet loss, which is the failure of
one or more transmitted packets to arrive at its destination [Marnd20]. SNHUEnergy’s network
is not immune from packet loss. The multiple ACKs sent by 10.0.8.73 indicate an underlying
problem: lost packets [Int08]. Packet loss creates errors, can cause severe mutilation of received
data, broken-up images, unintelligible speech and even the absence of a received signal
[Marnd20]. The loss of data creates a negative user experience.
Some of the causes of packet loss include:
Link congestion: when data travels through multiple devices and links, it may
come across a link at full capacity. The data must wait its turn but sometimes
the queues are full, and the data is discarded. This usually indicates a lack of
buffering when traffic bursts occur.
Device performance: even if the bandwidth is adequate, a network device may
not be able to keep up with the traffic. For example, traffic reaches a device, but
the device’s CPU or memory is maxed out and not able to handle incoming
traffic.
Software issues: bugs in software used on network devices can cause packet
loss. Specifically, the bugs can cause new features to not work well or can go
undetected and cause noticeable performance issues.
Faulty hardware or cabling: When traffic reports show the links are not over-utilized
and the hardware utilization is within specification, the next issue to investigate is a
malfunctioning physical component.
Bandwidth issues: Bandwidth is the size of the Internet pipe. It determines how
many data packets, and of what size, can move across a network at the same
time. This could mean there is not enough bandwidth, the bandwidth is not
optimized for the critical traffic patterns, or there is a bandwidth outage.
[Mik15].
Delay
Delay in packet arrival is the most common performance issue for VoIP and
videoconferencing. There is variable delay and fixed delay. Jitter is a variable delay where
packets do not arrive at regular intervals at the receiving station as expected [Und06]. This
inconsistent jitter can result in packet loss [Log16]. Latency is a fixed delay in the amount of time
it takes for speech to exit the speaker’s mouth and reach the listener’s ear—it sounds like an echo
[Man06]. High latency can also cause packet loss [Log16]. Delays can occur at any point during
transmission, including during serialization, queueing, propagation, processing, and handling
[Man06].
Bottlenecking
An additional performance issue in SNHUEnergy’s networks is bottlenecking. Internet
connections are increasingly becoming performance bottlenecks since bandwidth is not
controlled properly, particularly with the increase in video streaming [Rennd]. This is
exacerbated by centrally located ISP services and firewall boundaries [Rennd]. All
SNHUEnergy’s data traffic is going through a centrally located firewall and ISP connection,
which is in the Dallas office.
Security Issues
The following are security issues common with the critical network applications and
associated traffic patterns.
VoIP and videoconferencing vulnerabilities
Common threats to VoIP and videoconferencing across a network include the following:
Identity and service theft: service theft is done through phreaking or
eavesdropping. Phreaking is a type of hacking that uses services at the cost of the
company or steals services from the service provider. Hackers use eavesdropping
to steal credentials and other information to gain control over the service. These
can happen when SIP is left unencrypted. SIP controls authentication for VoIP
and videoconference.
Viruses and malware: IP phones and videoconferencing devices utilize
software, which is vulnerable to worms, viruses, and malware. Often this
software is run on user systems (computers, tablets) and can be exposed to
malicious code attacks.
DoS (Denial of Service): A DoS attack denies a network or device service or
connectivity. It is done by consuming the network’s bandwidth or overloading
the network or device’s internal resources. For example, DoS attacks for VoIP
are usually from flooding a target with unnecessary SIP call-signaling messages,
which degrades the service. When the target ceases operation, the attacker can
get remote control of administrative facilities in the network.
Packet injection: the attacker inserts some fraudulent packets at expected times
in the VoIP or video stream; the receiver accepts the fake packets and drops the
original packets following the RTP protocol. RTP, which both VoIP
and videoconferencing rely upon, is particularly susceptible to this
attack.
[MAd09].
MySQL vulnerabilities
Here are some common database security issues that may affect MySQL:
Failure to scrub SQL queries: this oversight is responsible for the SQL injection
attack, where attackers can submit a malformed query that can wreak havoc on
the system.
Inference: this is the ability to ascertain secure information through queries
of insecure and uncritical information.
PEBKAC and unnecessary privileges: an authenticated user who holds critical
privileges but practices poor password security can jeopardize the entire database.
Also, a user with more permissions than necessary endangers critical data.
Not separating the web server from the database server: web servers are
susceptible to attacks because they connect to outside the network. When a web
server holds the databases and is compromised, the database is compromised too.
Buffer overflows: this attack involves sending the database more data than it can
process so that the extra spills over into other parts of the program. This creates
an illegitimate access point for any number of functions.
Privilege escalation: various exploits of specific database implementations can
allow an attacker to escalate their privilege and gain access to functionality
reserved for trusted clients or administrators. This attack requires an intimate
knowledge of the database back-end.
[Topnd1].
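The first item in the list above, a query assembled from unscrubbed input, is easiest to understand next to the parameterized form that removes it. The following is an added example, not code from the report; an in-memory SQLite database stands in for the MySQL server (the construction defect is the same, with sqlite3 using "?" placeholders where MySQL connectors use "%s"), and the employee rows are constructed sample data.

```python
"""A query built by string formatting (the defect) beside a parameterized query
(the fix), run against a constructed in-memory employee table."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Create the sample table; rows are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, office TEXT)")
    conn.executemany(
        "INSERT INTO employee (name, office) VALUES (?, ?)",
        [("Alice", "Dallas"), ("Bob", "Memphis"), ("Carol", "Dallas")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The user-supplied value is spliced into the statement text, so the engine
    cannot tell data from SQL: a quote character in the input changes the
    query's logic, and a legitimate name such as O'Brien breaks the statement."""
    sql = "SELECT name, office FROM employee WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The statement text is fixed and the value is bound as a parameter; the
    engine treats it purely as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, office FROM employee WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "Alice"))     # [('Alice', 'Dallas')]
    print(lookup_safe(db, "O'Brien"))   # [] : apostrophe handled as data
```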
Email vulnerabilities
Common threats to Email communications across a network include:
SPAM: this junk email is dangerous because the volume of it affects
system availability and it often carries viruses, malicious code,
ransomware, and fraudulent solicitations for private information.
Phishing: the attacker uses psychological manipulation to bait recipients into
disclosing sensitive information that can be sold or exploited for malicious
purposes. These attackers often use an authentic-looking sender and a socially
engineered message that fools users who lack awareness of these types of scams.
Phishing emails can also contain malware attachments and ransomware.
Spoofing: an attacker masquerades as a legitimate source. A spoofed domain can
be used to send malicious emails to other people, causing great damage to
reputation. Spoofed emails are usually used to target employees as entry points
for malware and ransomware.
Business Email Compromise (BEC): a type of social engineering scam where
attackers compromise an executive’s email. The attacker then uses that email to
trick employees to do their bidding. For example, they will convince an
employee in accounting to transfer funds to an account controlled by the
scammer.
[Pam04].
ERP vulnerabilities
Almost all business processes are contained in the ERP system. Almost all the information a
cybercriminal, industrial spy, or competitor might want to steal is stored in the ERP. It is a
prime target with several vulnerabilities:
Unpatched software: not applying updates and patches immediately leads to
software vulnerabilities. ERP systems are particularly vulnerable since
complexity slows down discovery and application of patches.
Poor configuration: improperly setting up and configuring the ERP system.
This often opens the door for attackers when the system is set up without proper
security.
Outdated web interfaces: ERP is a slow-moving beast with little innovation,
making it a target for web-based attacks. SQL injection and web-based attacks
like XSS and XSRF are still popular against ERP systems, especially those with
older versions of web frameworks.
Inadequate access control: failure to properly manage access poses a threat to critical
business data. Sometimes companies fail to properly restrict privileges for
employees, thus ignoring the principle of least privilege, under which a user gets access
only when necessary.
Complex DoS attacks: this security breach shuts down operations and often
brings business to a screeching halt.
[Six17].
Future Network Architecture
This section focuses on requirements and recommendations for the future network
architecture.
Communication Needs
The following summarizes SNHUEnergy’s future communication needs such as
scalability, Quality of Service, and network security.
Scalability
SNHUEnergy wants a network architecture that will allow the company to grow for the
next ten years. Additionally, the company is expanding to new regional locations in Houston and
Kansas City. While the current total employee count is 120 (90 in Dallas and 30 in Memphis),
the company expects to grow by 50% each year over the next two years. In two years, SNHU
could have 240 employees using the company’s network. The new network architecture will
need to plan for scalability, so the network can grow with the company. Scalability is the
network’s capability to cope and perform under changes in workload without major
modifications [Marnd21]. If the network fails when quantity increases, it does not scale
[Marnd21].
The following are recommendations to scale a network effectively and easily:
Use expandable, modular equipment or clustered devices that can be easily
upgraded to increase capabilities. Device modules can be added to the existing
equipment to support new features and devices without requiring major
equipment upgrades. Some devices can be integrated in a cluster to act as one
device to simplify management and configuration.
Design a hierarchical network to include modules that can be added, upgraded,
and modified, as needed, without affecting other functional areas of the
network.
Create an IPv4 or IPv6 address strategy that is hierarchical, which eliminates the
need to re-address the network to support additional services and users.
Choose routers or multilayer switches to limit broadcasts and filter other
undesirable traffic from the network. Use Layer 3 devices to filter and
reduce traffic to the network core.
[Cis14].
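The addressing recommendation above is easiest to see with a worked plan. The following is an added example (not from the paper, and not from the Cisco design guide it cites) that assumes a private 10.0.0.0/8 carved into one /16 per regional site and one /22 per department; the site names, department names and prefix lengths are constructed values. It shows why a contiguous, hierarchical allocation lets each site advertise a single summary route toward the core and absorb new departments without re-addressing.

```python
"""Hierarchical IPv4 address plan that summarizes per site (added example).

Assumptions (not from the paper): a private 10.0.0.0/8 is carved so that each
regional site owns one contiguous /16 and each department owns one /22 inside
it. The site list and department list are constructed sample inputs.
"""
import ipaddress

COMPANY_BLOCK = ipaddress.ip_network("10.0.0.0/8")
SITES = ["Dallas", "Memphis", "Houston", "Kansas City"]            # constructed
DEPARTMENTS = ["HR", "IT", "Accounting", "Operations", "Payroll"]  # constructed


def build_plan(company_block, sites, departments, site_prefix=16, dept_prefix=22):
    """Allocate one contiguous block per site and one subnet per department
    inside that block. Contiguity is what makes a site summarizable."""
    site_blocks = company_block.subnets(new_prefix=site_prefix)
    plan = {}
    for site in sites:
        site_block = next(site_blocks)
        dept_subnets = site_block.subnets(new_prefix=dept_prefix)
        plan[site] = {
            "block": site_block,
            "departments": {dept: next(dept_subnets) for dept in departments},
        }
    return plan


def smallest_supernet(subnets):
    """Smallest single prefix that covers every subnet in the list; this is
    the route a site's distribution layer advertises toward the core."""
    subnets = list(subnets)
    candidate = subnets[0]
    while not all(net.subnet_of(candidate) for net in subnets):
        candidate = candidate.supernet()
    return candidate


def add_department(plan, site, name, dept_prefix=22):
    """Grow a site without re-addressing: take the next unused subnet from
    the site's own block, so the advertised summary keeps covering it."""
    entry = plan[site]
    used = set(entry["departments"].values())
    for candidate in entry["block"].subnets(new_prefix=dept_prefix):
        if candidate not in used:
            entry["departments"][name] = candidate
            return candidate
    raise ValueError(f"site block {entry['block']} is exhausted")


def core_routes(plan):
    """Summary routes the core must carry: one per site, regardless of how
    many department subnets exist. Returns {site: summary_prefix}."""
    return {site: smallest_supernet(entry["departments"].values())
            for site, entry in plan.items()}


def routes_are_disjoint(routes):
    """A valid plan never lets two sites' summaries overlap."""
    prefixes = list(routes.values())
    return not any(a.overlaps(b) for i, a in enumerate(prefixes)
                   for b in prefixes[i + 1:])


if __name__ == "__main__":
    plan = build_plan(COMPANY_BLOCK, SITES, DEPARTMENTS)
    for site, entry in plan.items():
        print(site, entry["block"],
              {d: str(n) for d, n in entry["departments"].items()})
    print("core routes:", core_routes(plan))
    add_department(plan, "Houston", "Refining")
    print("Houston after growth:", core_routes(plan)["Houston"])
```

The core ends up carrying four routes no matter how many departments each site adds; a flat plan that handed out subnets in arrival order would instead leak one route per subnet into the core.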
Quality of Service
There are some performance issues inherent to the current network architecture. Many of
these issues are related to bandwidth-intensive applications that stretch network capabilities and
resources. Quality of Service (QoS) techniques help to mitigate performance issues. QoS is an
industry-wide set of standards and mechanisms for ensuring high-quality performance for critical
applications [Wha03]. The goal is to provide preferential delivery service to those critical
applications by ensuring sufficient bandwidth, controlling latency and jitter, and reducing data
loss [Wha03]. QoS guarantees throughput for mission-critical applications, especially with User
Datagram Protocol (UDP) traffic, which is inherently unreliable [Wha03].
QoS functions through two mechanisms:
Admission control: determines which applications and users are entitled to
network resources. It specifies how, when, and by whom network resources on
a network segment can be used.
Traffic control: regulates data flows by classifying, scheduling, and
marking packets based on priority and by shaping traffic. It also segregates
traffic into service classes and controls delivery to the network.
[Wha03]. For QoS to work as expected, all network devices through which traffic passes must
support QoS – otherwise a network segment may use the standard first-come, first-served
method for dealing with traffic [Wha03].
Network Security
Cybercrime is growing at tremendous rates. There are constant reports of state-sponsored
hacking attacks, denial of service attacks, ransomware, and leaks by malicious insider
threatening entities in every industry [12B17]. Network security revolves around maintaining the
confidentiality, integrity, and availability of information resources. Confidentiality protects
information from unauthorized disclosure and safeguards privacy [Ros14]. Integrity prevents
unauthorized users from creating, modifying, or deleting information [Ros14]. Availability
ensures that authorized users have timely and reliable access to necessary information—this is
the high-availability need [Ros14].
High Availability
Outages in the enterprise network prevent SNHUEnergy from performing normal
activities, resulting in a loss of data, customers, revenue, and opportunities [Cis14]. High
availability is critical in avoiding outages. The standard of availability is 99.999% availability,
where 100% is never failing [Marnd22]. High availability depends on the reliability of
each network hardware and software component, redundancy choices, protocol attributes,
circuit and carrier options, and environmental and power features [Ami05]. To obtain
99.999% reliability, the network must employ high-end, enterprise-class equipment, which
provides such features as redundant power supplies and failover capabilities [Cis14].
A critical part of High-availability is to build redundancy into the network. There are four
key types of redundancy:
Workstation-to-router redundancy: There are several protocols, including
ARP, RDP, RIP, AppleTalk IPX, and HSRP, that provide ways for a workstation
to discover the address of a router on its network segment.
Server redundancy: Some mirroring or duplexing will be necessary for
mission-critical servers, which will require additional storage disks.
Route redundancy: This focuses on load balancing and minimizing network
downtime. Load balancing is keeping bandwidth consistent within the
access-distribution-core layers so that routing protocols converge much faster if multiple
equal-cost paths to a destination network exist. Network downtime is minimized
by using redundant, meshed network designs, which minimize the effect of link
failures. The options are full mesh, which provides complete redundancy and
good performance but is expensive, or partial mesh, which means not every
router has a link to every other router and is more scalable.
Media redundancy: This is important in mission-critical applications,
especially when using redundant links with switches. This redundancy may
result in a broadcast storm, where broadcasts continuously circle the network.
The Spanning-Tree Protocol algorithm prevents this looping by guaranteeing that
only one path is active between two network stations
[Ant01].
Network Architecture
SNHUEnergy needs an enterprise campus network to support its expanding network
needs over the next 10 years. This network should have an architecture that incorporates the
layers from the hierarchical method within the modules found in an enterprise campus network
architecture.
Hierarchical design layers.
The hierarchical model is a hub-and-spoke or mesh pattern combined with an architecture
methodology used to guide the placement and organization of modular boundaries in a network
[Den14]. This model provides several benefits, including scalability and flexibility, modularity
that groups common functionality, QoS features to reduce performance issues, consistent
configuration across the network, redundancy at the intermodule level, improved fault isolation,
cost savings and ease of understanding, and appropriate use of bandwidth [Ant01]. Typically,
hierarchical designs consist of three network layers with narrowly defined purposes within each
layer and along each layer edge: Access Layer, Distribution Layer, and Core Layer. Each layer
focuses on specific functions and can be implemented in routers or switches, represented by
physical media, or combined in a single device—depending on the needs of the network [Dia08].
Access Layer.
The Access Layer provides user access to local segments on the network as well as local
and remote workgroups [Ant01]. Access is granted only to authenticated users or devices to
maintain network integrity, and security is controlled at the port level using data link layer
information [Den14]. The layer uses microsegmentation to provide high bandwidth to
workgroups by dividing collision domains on Ethernet segments with the use of multiple LAN
switches [Ant01]. The layer provides Layer 2 or multilayer switching, broadcast suppression,
protocol filtering, network access, IP multicast, and QoS [Dia08]. This layer also has the
flexibility to add VPNs using IPsec or MPLS, identity and access language, and VLANs to
compartmentalize access [Dia08]. A wireless access point (AP) can be added to this layer to
expand access to the network via wireless media.
Distribution Layer.
The Distribution Layer provides policy-based connectivity from one local network to
another and incorporates QoS, security, traffic loading, and routing features [Den14]. It provides
forwarding policy and traffic aggregation functions as well as any media transitions that must
occur [Den14]. Filtering is used in this layer to keep unnecessary traffic from the core [Dia08].
Most control plane policy should be configured in this layer but blocking access to specific
services or forwarding plane filtering and policy should not be configured [Den14]. This layer
can also provide redundant connections for access devices [Den14]. Other functions of this layer
include departmental or workgroup access, broadcast/multicast domain definition, routing
between VLANs, redistribution between routing domains, and demarcation between static and
dynamic routing protocols [Ant01].
Core Layer.
The Core Layer is the backbone that provides high-speed transport to satisfy connectivity
and transport needs of the distribution layer devices [Den14]. Its primary function is to forward
traffic between different modules within the distribution layer [Den14]. Little or no control plane or
data plane policy should be configured in the core in a three-layer hierarchical design [Den14]. It
should have high reliability, redundancy, load balancing, fault tolerance, scalability, flexibility,
low latency and good manageability [Ant01]. A key consideration with this layer is to ensure
that from any end station to another end station across the backbone, there should be the same
number of router hops—this means the diameter is limited and consistent for predictable
performance and ease of troubleshooting [Ant01].
Enterprise Architecture
The Enterprise Architecture divides the network into functional components while
incorporating the core, distribution, and access layers [Cis14]. The functional components are
modules that each use the hierarchical layers as needed. These modules are: Enterprise Campus,
Data Center, Enterprise Edge, Service Provider Modules, and Remote Enterprise Modules.
Enterprise Campus.
The enterprise campus is a large site like corporate headquarters or a major office that
provides access to network services and resources to devices spread across one geographic
location [Bal10]. It can span a single floor as well as one or more buildings in an extended
geographic location [Bal10]. Regional offices, SOHOs, and mobile networks generally must
connect to the central campus for data and information [Dia08].
For SNHUEnergy, the Enterprise Campus in Dallas will include a Building Access
Layer, a Building Distribution Layer, and a Campus Core Layer. The Building Access Layer will
use Layer 2 switching with switch port security to control network access. Implementation of
VLANs and trunk links to the building distribution layer occurs at this layer [Cis14]. This layer
will include video-conferencing, IP phones, corporate computers, and end user devices. The
Building Distribution Layer will use multilayer switching with access lists to provide security
and will connect the Building Access Layer to the Campus Core Layer. The Campus Core Layer
will provide high-speed interconnectivity between the distribution layer modules, on-campus
server farms, and the Enterprise Distribution Edge.
Data center.
The Enterprise Data Center is a cohesive and adaptive network architecture that houses
computing systems and associated components [Bal10]. For the SNHUEnergy network, the data
center is a server farm located at the enterprise campus. It usually contains an internal email
server as well as servers that provide internal users with application, file, print, and Domain Name
System services [Dia08]. The server farm typically supports network management services,
network security, and scalability [Bal10]. The servers are connected to two Layer 3 switches to
enable full redundancy and load sharing. Those switches are cross-connected with the Campus
Core layer switches to ensure high availability. To ensure proper network security, the Server
Farm should use host- and network-based IDS and IPS, private VLANs, access control lists, and
secure passwords [Dia08].
Enterprise edge.
The Enterprise Edge aggregates connectivity from voice, video, and data services outside
the campus, using service providers and WAN technologies as needed [Bal10]. The
SNHUEnergy network will use at minimum an Internet connectivity module to connect to the
ISP, a Remote Access and VPN module to provide secure access to remote locations/workers, and a
module for WAN, MAN, and Site-to-Site VPN. These modules will connect to an Edge
Distribution module, which acts as a boundary between the Enterprise Campus and Edge and is
the last line of defense against external attack [Dia08]. The Edge Distribution has a structure like
the Building Distribution Layer and can take advantage of the features available to distribution
layers [Dia08].
The Internet Connectivity module provides internal users with connectivity to Internet
services like HTTP, FTP, SMTP, and DNS[Dia08]. It also provides Internet users with access to
information published on the enterprise’s public servers [Dia08]. This module accepts VPN traffic
from remote users/sites and forwards it to the Remote Access and VPN module, where VPN
termination takes place [Dia08]. Major network devices include SMTP mail servers (relay
between the Internet and the internal email server), DNS servers (the authoritative external DNS
server, which also relays internal DNS requests to the Internet), public servers (i.e., FTP and HTTP),
firewall routers (provide stateful filtering, network level protection, and forward VPN traffic),
and edge routers (provide basic filtering and multilayer connectivity to the Internet) [Dia08].
The Remote Access and VPN module terminates VPN traffic and dial-in connections
from external users [Dia08]. Additionally, it uses the Internet Connectivity module to initiate
VPN connections to remote sites [Dia08]. Major components include: dial-in access
concentrators (terminate dial-in connections and authenticate individual users); Adaptive
Security Appliances (ASA, terminate IPsec tunnels, authenticate individual remote users, and
provide firewall and intrusion prevention services); Firewalls (network-level protection and
stateful traffic filtering); and NIDS appliances (Layer 4 to 7 monitoring) [Dia08].
The WAN and MAN and Site-to-Site VPN module uses WAN technologies to route
traffic between remote sites and the main Campus [Dia08]. This module uses traditional media
(e.g., leased lines), circuit-switched data link technologies (e.g., Frame Relay and ATM), and
physical layer technologies (e.g., Synchronous Digital Hierarchy (SDH), cable, DSL, MPLS,
Metro Ethernet, wireless, and VPNs) [Dia08].
Service provider modules.
The Service Provider functional area is not implemented by SNHUEnergy. Rather, it is
controlled by the service provider, but it enables communication between networks by using a
variety of WAN technologies and Internet service providers (ISPs). There are three modules:
Internet Service Provider module (represents the connection to the Internet); PSTN module (represents the
dialup infrastructure for accessing the enterprise network using ISDN, analog, and cellular
technologies) [Dia08].
Remote Enterprise Modules.
There are two modules that support remote enterprise locations recommended for the
SNHUEnergy network: The Enterprise Branch and the Enterprise Teleworker.
Enterprise Branch/WAN.
The Branch/WAN, also called the remote site/office, contains the routers, switches, etc. that
interconnect headquarters to branch offices and remote locations/users [Bal10]. This extends the
enterprise by providing each location with a resilient architecture that has integrated security and
wireless mobility, and can support VoIP and video conferencing [Dia08]. It must be able to
connect to the central site to access company data, which is done via high-speed Internet access, VPN
connectivity to corporate intranets, telecommuting technologies for work-at-home employees,
videoconferencing, and PSTN voice and fax calls over managed IP networks [Dia08]. The
branch employs a simplified version of the Campus infrastructure.
The Enterprise Branch can provide security, switching, network analysis, caching, and
converged voice and video services into integrated services routers (ISRs) in the branch—new
services can be deployed without buying new routers [Bal10]. It also can provide secure access
to voice, mission-critical data, and video applications at anytime, anywhere [Bal10]. And it can
provide high levels of resilience in each branch through advanced routing, VPNs, redundant
WAN links, application [Bal10].
Enterprise Teleworker Module
The Enterprise Teleworker module provides users in geographically disparate locations
with secure access to central-site applications and network services [Dia08]. Solutions in this
module provide simple and safe access for teleworkers, anywhere and anytime. Productivity can
be increased by adding an IP phone at the teleworker’s location, thus providing cost-effective
access to a centralized IP communications system [Dia08].
Future Visual Representation
The first diagram shows the overview of the Enterprise Network Architecture design.
Each subsequent diagram provides more detail of specific modules.
Planning and Security
The following provides recommendations for mitigating performance and security issues, for
network management tools, the types of security devices to install, changes to existing devices,
and the challenges and risks of implementing the network recommended in the previous section.
Performance and Security Issues
The following provides best practices for mitigating the performance and security issues
discussed above.
Mitigate performance issues
The best practice for mitigating performance issues is to implement QoS techniques,
which include the following:
Classification and marking: Classification means identifying applications and
groupings of applications. In Cisco technology, this is performed by Access-lists
and NBAR. Marking means coloring/tagging identified groups as per
requirement. These requirements determine what priority is applied to the
marking.
Congestion Avoidance: Congestion avoidance techniques monitor network traffic
loads to anticipate/avoid congestion at common network bottlenecks before it
becomes an issue. These are designed to provide priority to designated traffic
under congestion while concurrently maximizing network throughput and
capacity utilization as well as minimizing packet loss and delay.
Policing and Shaping: Traffic policing propagates bursts. When the traffic rate
reaches a set maximum rate, excess traffic is dropped or remarked. This produces a
saw-tooth output rate with crests and troughs. Shaping retains excess packets in a
queue and then schedules the excess for later incremental transmission. This
provides a smooth packet output.
Queuing: A queue can be set up on a device’s interface to manage how packets are
queued to be sent through that interface. This technique is primarily used for
managing traffic congestion on interfaces. Queues determine the priority in which to
send packets when there is more data than can be sent immediately.
[QoS10].
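The difference between policing and shaping in the list above is clearest when both are run over the same burst. The following is an added example (not from the paper, and not any vendor's QoS implementation): it models each as a token bucket where the offered load is bytes per tick, and the rate, bucket depth and the two-tick burst are constructed values.

```python
"""Token-bucket policer versus shaper (added example).

Offered load is modelled as bytes per tick; `rate` is the contracted bytes per
tick and `burst` the bucket depth. All numbers are constructed sample values,
not figures from the paper.
"""


def police(offered, rate, burst):
    """Policer: excess traffic is dropped on the spot, so the output follows
    the input's bursts and collapses between them (the saw-tooth pattern)."""
    tokens = burst
    forwarded, dropped = [], []
    for load in offered:
        tokens = min(burst, tokens + rate)      # refill once per tick
        sent = min(load, tokens)
        tokens -= sent
        forwarded.append(sent)
        dropped.append(load - sent)             # no queue: excess is lost
    return {"forwarded": forwarded, "dropped": dropped}


def shape(offered, rate, burst):
    """Shaper: excess traffic waits in a queue and is released at the
    contracted rate, so the output is smooth at the cost of added delay."""
    tokens = burst
    backlog = 0
    forwarded, queued = [], []
    for load in offered:
        tokens = min(burst, tokens + rate)
        backlog += load                         # new arrivals join the queue
        sent = min(backlog, tokens)
        tokens -= sent
        backlog -= sent
        forwarded.append(sent)
        queued.append(backlog)                  # still waiting after this tick
    return {"forwarded": forwarded, "queued": queued}


OFFERED = [0, 400, 400, 0, 0, 0, 0, 0]   # constructed burst: 800 bytes in two ticks
RATE, BURST = 100, 200                   # constructed contract: 100 bytes/tick, 200 burst

if __name__ == "__main__":
    print("policer:", police(OFFERED, RATE, BURST))
    print("shaper: ", shape(OFFERED, RATE, BURST))
```

The policer delivers 300 of the 800 bytes and discards the rest within the burst; the shaper delivers all 800, but the tail of the burst leaves the interface five ticks after it arrived, which is the latency cost that makes shaping unsuitable for the voice and video traffic the paper is concerned with.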
Mitigate Packet Loss.
The first step in mitigating packet loss is to accurately measure its existence across the
enterprise network. There are two methods:
Pinging: ICMP pings are one of the most common methods to detect packet
loss. This involves sending one ping per second between hosts, then counting
how many times the request is lost. It is prone to inaccurate measures.
Sequencing: A program sequences each packet with a number and knows
exactly which numbers are expected at the receiving end. If there is a missing
number in the sequence, the packet is lost. This provides more precise monitoring in real
time and historically.
[Hownd2].
The next step is to apply techniques to overcome lost or out of order packets in real-time.
QoS can be used as well as the following:
Adaptive Forward Error Correction (FEC): packet-level FEC reconstitutes
lost packets at the far end of a link, avoiding delays common with multiple-round-
trip transmissions. This enables the network to easily recover from packet loss
due to any number of network layer issues, including queue overflows and
constrained bandwidth. FEC overhead can be dynamically adjusted in response to
changing link conditions for maximum effectiveness in environments with high
packet loss.
Real-time Packet Order Correction (POC): packets can be re-sequenced on the
far end of a link on the fly to avoid retransmissions that occur when packets
arrive out of order. This functionality provides the scalability needed to handle
high volume, high throughput data streams with minimal latency. It is performed
in real-time and across all IP traffic patterns, regardless of the transport protocol
used.
[Hownd2]. Many of these techniques can be implemented into the hierarchical layers and
enterprise modules within the network.
Mitigate Delay.
The common method for mitigating jitter is to use jitter buffers. This buffer temporarily
stores arriving packets to minimize delay variations [5Cu151]. If packets arrive too late, they are
discarded [5Cu151]. The primary method for mitigating latency is to prioritize traffic.
The prioritization techniques include network management, bandwidth reservation, Type of
Service, Class of Service, and Multi-Protocol Label Switching (MPLS) [5Cu151].
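A jitter buffer is easier to reason about with numbers in front of you. The following is an added example (not from the paper or its cited source) that schedules playout for a constructed trace of six voice packets sent 20 ms apart; the arrival times are invented so that one packet turns up 5 ms after its slot, which shows the trade-off the paper describes: a deeper buffer discards fewer late packets but makes every packet wait longer.

```python
"""Jitter buffer playout with late-packet discard (added example).

Constructed trace: six voice packets sent every 20 ms. Arrival times (ms)
are invented so that packet 4 arrives late and packet 5 overtakes it.
"""

INTERVAL_MS = 20
ARRIVALS = [(1, 100), (2, 121), (3, 138), (4, 195), (5, 181), (6, 205)]  # (seq, arrival_ms), constructed


def transit_jitter(packets, interval):
    """Change in one-way transit time between consecutive sequence numbers.
    Transit is measured against the sender's clock (seq * interval), so a
    steady delay gives zero and only variation shows up."""
    ordered = sorted(packets)                      # by sequence number
    base_seq = ordered[0][0]
    transit = [arrival - (seq - base_seq) * interval for seq, arrival in ordered]
    return [abs(b - a) for a, b in zip(transit, transit[1:])]


def jitter_buffer(packets, playout_delay, interval):
    """Schedule playout. The first packet sets the clock; packet n plays at
    first_arrival + playout_delay + (n - base_seq) * interval. A packet that
    arrives after its slot is discarded rather than played late."""
    base_seq, base_arrival = min(packets)          # earliest sequence number
    played, discarded = [], []
    for seq, arrival in sorted(packets, key=lambda p: p[1]):   # arrival order
        slot = base_arrival + playout_delay + (seq - base_seq) * interval
        if arrival > slot:
            discarded.append(seq)
        else:
            played.append((seq, slot, slot - arrival))        # (seq, play time, wait)
    return {
        "played": played,
        "discarded": discarded,
        "max_wait": max((wait for _, _, wait in played), default=0),
    }


if __name__ == "__main__":
    print("jitter (ms):", transit_jitter(ARRIVALS, INTERVAL_MS))
    for delay in (30, 40):
        result = jitter_buffer(ARRIVALS, playout_delay=delay, interval=INTERVAL_MS)
        print(f"buffer {delay} ms -> discarded {result['discarded']}, "
              f"max wait {result['max_wait']} ms")
```

With a 30 ms buffer packet 4 is dropped; with 40 ms it is played, but the earliest packets now sit in the buffer for over 40 ms, which is added end-to-end delay on every call.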
Mitigate Bottlenecking.
Besides QoS, virtual LANs can be used to prevent bottlenecking in an affordable way.
VLAN is a logical subnetwork that can group together multiple devices from different physical
LANs [Bra172]. Often client devices that communicate with each other the most frequently are
grouped together [Bra172]. They can also bring additional security benefits by allowing greater
control over which devices have local access to each other [Bra172].
Mitigate security issues
The top practice for network security is to implement a secure topology in the network
architecture. The core of a secure topology is the firewall, which protects one network from
another untrusted network through a pair of mechanisms, one blocks traffic and the other permits
traffic [Ant01]. The following are additional best practices for mitigating security issues:
Encrypt the data: encryption is essential to protecting sensitive data and to
help prevent data loss due to equipment loss or theft.
Use digital certificates: save the certificates to network devices and not on the
web server as is tradition. Obtain certificates from a trusted authority.
Implement DLP and auditing: use data loss prevention and auditing to
monitor, alert, identify, and block the flow of data in and out of the network.
Implement a removable media policy: restrict the use of removable media as
they facilitate security breaches coming into or leaving the network.
Secure websites: use SSL, scan the company website daily for malware, set the
Secure flag for all session cookies, and use SSL certificates with Extended
Validation.
Use spam filters on email servers: a trusted spam filter can remove unwanted
email before entering users’ inboxes and junk folders. Also, teach users how
to identify junk mail even if it is from a trusted source.
Network-based security hardware and software: use gateway antiviruses,
intrusion detection devices, honey pots, and monitoring along with firewalls
to screen for DoS attacks, viruses, unauthorized intrusion, port scans, and
other security breach attempts.
Maintain security patches: some antivirus programs update almost daily. It is
critical that software and hardware defenses are up to date with new antimalware
signatures and the latest patches.
Educate the users: an informed user is one who behaves more responsibly and
takes fewer risks with valuable data, especially email.
[KHe13].
Network Management Tool
One of the top network monitoring and analysis tools is GFI LanGuard. It is a network
security and vulnerability scanner that helps with patch management, network and software
audits, and vulnerability assessments [GFInd]. It can also integrate with multiple-third-party
security applications and provides an interactive dashboard and reporting [Feand]. The top
benefits of network monitoring include:
Staying ahead of network outages: Network outages can be caused by human
error, configuration issues, and environmental factors. Network monitoring can
prevent these outages from happening in the first place. It provides live network
performance data that helps identify potential causes of outages.
Fix issues faster: Network monitoring simplifies and speeds up problem-
solving. It helps quickly get to the bottom of the issue. Network automation tools
can help identify problems and fix them automatically, with no system admin
needed.
Get immediate ROI: IT departments often face heavy loads and increasingly
complex projects without the necessary time, staff or budget. Network
monitoring replaces the manual work of analyzing network performance, identifying
the source of an issue quickly and reducing troubleshooting time.
Identify security threats: Network monitoring can provide tier 1 security. The
primary benefit is the baseline that this monitoring provides. Performance can be
compared to the baseline to quickly spot something out of the ordinary. These
can be done through Intrusion Detection Systems (IDS) and Intrusion Prevention
Systems (IPS), which are reporting tools on vulnerabilities.
Justify equipment upgrades: Network monitoring provides a historic report on
how equipment has performed over time. That report can be used to recommend
equipment upgrades.
[Top17].
Security Devices
There are four types of security devices: active, passive, preventative, and Unified Threat
Management (UTM) devices.
Active devices
Active security devices focus on blocking unwanted traffic and include firewalls, proxy
servers, antivirus scanning devices, and content filtering devices (ConceptDraw Network
security Devices). The firewall is the primary security device for the network perimeter. The
best practice for firewalls is to use a Three-Part Firewall System which has three specialized
layers:
another router that acts as an outside packet filter between the isolation LAN and the
outside internetwork;
an isolation LAN that buffers between the corporate internetwork and the outside
world, also called the demilitarized zone (DMZ); and
a router that acts as an inside packet filter between the corporate internetwork and
the isolation LAN
[Ant01]. A Next-Generation Firewall (NGFW) expands the security capabilities of a
firewall. It can detect and block sophisticated attacks by enforcing security policies at the
application, port, and protocol level [Marnd26]. The NGFW integrates the three-part firewall
with an intrusion prevention system and application control [Marnd26]. And it brings additional
Web application context to the firewall’s decision-making process [Marnd26]. NGFW
combines first-gen firewall capabilities like packet filtering, network address translation (NAT),
URL blocking, and virtual private networks (VPNs) [Marnd26].
The proxy server sits between the internet and the network and provides user
authentication, web filtering, data loss prevention, and VPN concentration [Marnd25]. The
primary advantage is that its cache can serve all users and log its interactions for easier
troubleshooting [Marnd25]. The following are some types of proxies:
Forward proxies: these send requests of a client to a web server. Users access
this proxy by directly surfing to a web proxy address or via Internet settings
configuration. This proxy allows circumvention of firewalls and can increase
the privacy and security of a user. However, it can allow the download of illegal
materials (i.e., copyrighted materials).
Reverse proxies: transparently handle all requests for resources on destination
server without requiring an action from the requester. These proxies are used to
enable indirect access when websites do not allow direct connections as a security
measure. They also allow for load balancing between servers, streaming internal
content to Internet users, and disabling access to a site.
Transparent proxies: usually found near the exit of a network and
centralize network traffic. This proxy is often associated with the gateway
server and a firewall. It helps with monitoring and administering network
traffic.
[Marnd25].
Antivirus scanning devices scan the network for viruses and other harmful items
[Antnd]. Antivirus scanners rely on a virus database that needs to be updated over time [Antnd].
As more viruses and malware programs are developed, anti-virus software developers
incorporate them into the scanner [Antnd]. Without an updated database, this scanner is much
less likely to successfully quarantine newer viruses on the network [Antnd].
Content filtering devices screen and exclude from access or availability Web pages or e-
mail that are deemed objectionable [Mar11]. The filtering works by specifying character strings
that, when matched, indicate undesirable content to be screened out. Content filtering is divided into
web filtering, which screens websites or pages, and email filtering, which screens e-mail for spam or
other objectionable content.
Web filters screen incoming web pages to determine whether some or all of a page should not
be displayed to a user. These filters check the origin or content of a Web page against a set of
rules provided by the system administrator [Mar2005]. Some of these devices provide reporting
to see what kind of traffic is being filtered and the user who requested it [Mar2005]. The web
filter is usually part of a proxy server and firewall.
A popular spam filter is the Bayesian Filter. The Bayesian filter uses Bayesian logic to
evaluate the header and content of an incoming e-mail message and determine the probability
that it is spam [Mar05]. This filter can be fine-tuned over time to categorize email into “trusted”
and “suspected” groups—it improves over time in finding spam [Mar05].
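The Bayesian scoring described above is a naive Bayes text classifier. The following is an added example (not from the paper or its cited source) that trains one on a handful of constructed messages, scores new mail as a spam probability, and shows the "improves over time" property: feeding back one more labelled message moves a borderline score. The training messages are invented, not real mail.

```python
"""Naive Bayes spam filter, the kind of Bayesian scoring described above
(added example). The training messages are constructed, not real mail."""
import math
import re
from collections import Counter

TRAINING = [  # constructed sample messages
    ("spam", "free prize claim your money now click here"),
    ("spam", "urgent wire transfer required click link now"),
    ("spam", "cheap meds free shipping click now"),
    ("ham", "quarterly drilling report attached for review"),
    ("ham", "meeting moved to tuesday please confirm"),
    ("ham", "payroll schedule update for next month"),
]


def tokenize(text):
    """Lower-case word tokens; headers would be tokenized the same way."""
    return re.findall(r"[a-z']+", text.lower())


class BayesianFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing, so a word
    never seen in one class does not zero out that class's whole score."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def train(self, label, text):
        """Update counts; calling this on user feedback is the 'fine-tuning'."""
        tokens = tokenize(text)
        self.words[label].update(tokens)
        self.docs[label] += 1
        self.vocab.update(tokens)

    def _log_score(self, label, tokens):
        # log P(label) + sum log P(token | label), computed in log space to
        # avoid underflow on long messages
        total = sum(self.words[label].values())
        denom = total + self.alpha * len(self.vocab)
        score = math.log(self.docs[label] / sum(self.docs.values()))
        for tok in tokens:
            score += math.log((self.words[label][tok] + self.alpha) / denom)
        return score

    def spam_probability(self, text):
        """P(spam | message) via the two-class log-odds."""
        tokens = tokenize(text)
        log_spam = self._log_score("spam", tokens)
        log_ham = self._log_score("ham", tokens)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def build_filter(training=TRAINING):
    flt = BayesianFilter()
    for label, text in training:
        flt.train(label, text)
    return flt


if __name__ == "__main__":
    flt = build_filter()
    for msg in ("free money click now", "drilling report for review",
                "wire transfer request for payroll"):
        print(f"{flt.spam_probability(msg):.3f}  {msg}")
    flt.train("spam", "urgent payroll wire transfer request")   # user marks one as spam
    print(f"{flt.spam_probability('wire transfer request for payroll'):.3f}  after feedback")
```

The borderline message mixes spam words (wire, transfer) with ham words (payroll, for), so it scores near the middle until a user reports a similar message; that single feedback shifts the score well above one half, which is exactly why the paper recommends letting users flag mail rather than relying on the initial training alone.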
Passive devices
Passive security devices identify and report on unwanted traffic and include intrusion
detection appliances. Intrusion Detection and Prevention Systems (IDS/IPS) monitor communications, provide
an alert method for detected attacks, and can take some action to automatically stop the attack
[Sea15]. The Next-Generation IPS is available with the following features:
Network Awareness: knowledge of the devices existing on the network. This feature can
be configured to provide alerts when a device is functioning outside the norm.
Application Awareness: knowledge of the applications running on the network. This
feature can also be configured to provide alerts when an application is functioning outside the
norm. It also allows policies that control which applications are allowed and which are not, by
whom and to what level.
Identity Awareness: gathers identity information for devices and applications attached to
the network and for transmitted traffic.
Behavior Awareness: establishes and monitors the baseline behavior of network devices.
This information can be used to analyze usage patterns and determine those that are below or
above baseline behavior.
Automatic Tuning: the platform can dynamically tune itself based on the information
gathered, reducing the number of rule changes the network administrator must make.
[Sea15].
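To make the Behavior Awareness and Network Awareness features concrete, the following Python program is an added example (not code from the paper or from [Sea15]): it learns a per-device baseline of bytes sent per hour from a learning window, then flags later hours that fall above or below that baseline by more than k standard deviations, and separately flags a device that was never seen during learning. The device names, traffic figures and the k = 3 threshold are constructed or assumed values.

```python
"""Per-device traffic baseline with above/below deviation alerts (added example)."""
import statistics

# Constructed learning window: bytes sent per hour over seven normal hours.
LEARNING_WINDOW = {
    "printer-3f": [12_000, 11_500, 12_400, 11_900, 12_100, 11_800, 12_300],
    "hr-fileserver": [900_000, 950_000, 880_000, 910_000, 940_000, 930_000, 890_000],
}

# Constructed later observations: (device, hour, bytes sent).
OBSERVED = [
    ("printer-3f", "01:00", 11_700),
    ("printer-3f", "02:00", 2_000_000),   # a printer should not send 2 MB in an hour
    ("hr-fileserver", "02:00", 920_000),
    ("hr-fileserver", "03:00", 0),        # silent file server: outage or isolation
    ("laptop-unknown", "03:00", 50_000),  # device absent from the learning window
]


class BehaviorBaseline:
    def __init__(self, k=3.0):
        self.k = k            # alert when |z-score| exceeds k (assumed tuning value)
        self.baseline = {}    # device -> (mean, standard deviation)

    def learn(self, window):
        for device, values in window.items():
            mean = statistics.fmean(values)
            # Floor the deviation at 1% of the mean so a perfectly flat history does
            # not turn every tiny fluctuation into an alert.
            stdev = max(statistics.pstdev(values), 0.01 * mean)
            self.baseline[device] = (mean, stdev)

    def check(self, device, value):
        """None when within baseline; otherwise the kind of deviation."""
        if device not in self.baseline:
            return "unknown-device"
        mean, stdev = self.baseline[device]
        z = (value - mean) / stdev
        if z > self.k:
            return "above"
        if z < -self.k:
            return "below"
        return None

    def scan(self, observations):
        """Run every observation through check() and return only the alerts."""
        alerts = []
        for device, hour, value in observations:
            kind = self.check(device, value)
            if kind:
                alerts.append((device, hour, kind))
        return alerts


def run():
    b = BehaviorBaseline()
    b.learn(LEARNING_WINDOW)
    return b.scan(OBSERVED)


if __name__ == "__main__":
    for device, hour, kind in run():
        print(f"{hour} {device}: {kind}")
```

Both directions matter: traffic far above baseline can indicate data exfiltration or malware, while traffic far below baseline can indicate a failed device or one that has been cut off, which is why the feature reports usage "below or above" the baseline rather than only spikes.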
Preventative devices
Preventative security devices scan the network and identify potential security threats;
they include penetration testing devices [htt1]. Penetration testing is the evaluation of IT
infrastructure security through the safe exploitation of vulnerabilities [Whand3]. Such
assessments are useful in determining application flaws, improper configurations, and risky end-
user behavior as well as validating the efficacy of defensive mechanisms and user adherence to
security policies [Whand3]. There are three types of pen tests:
Comprehensive pen tests: this test mimics an attacker seeking to access
sensitive assets by exploiting security weaknesses existing across multiple
systems.
Application pen tests: this test evaluates both custom and standard applications,
including web apps, antivirus, embedded applications, and other system
applications.
Wireless pen tests: this test focuses on penetrating wireless services to provide
an assessment of specialized wireless solutions.
[Whand3].
Pen tests are usually performed using manual or automated technologies to systematically
compromise servers, endpoints, web applications, wireless networks, network devices, and other
points of access [Whand3]. Once a vulnerability has been exploited, testers attempt to use the
compromised system to launch subsequent exploits on other internal resources [Whand3]. Pen
tests allow administrators to effectively manage vulnerabilities, avoid the cost of network
downtime, meet regulatory requirements and avoid fines, and preserve corporate image and
customer loyalty [Whand3].
Unified Threat Management (UTM) devices
UTM devices provide a layered defense that integrates multiple technologies into one
strategy that protects against a wide variety of security challenges [Unind]. UTM may also
include more advanced features such as identity-based access control, load balancing, QoS, and
SSL and SSH inspection [Mar14]. UTM is especially useful against blended threats where a
combination of different types of malware and attacks simultaneously target separate parts of the
network [Whand10]. UTM provides a single point of defense in a single console, making it much
easier to deal with varied threats [Whand10].
Changes to Existing Devices
The network should take a combined feature approach, which means implementing a
UTM that integrates all the necessary security devices. UTM provides convenience in network
security management as well as a reduction in security incidents, improved security rollouts,
reduced infrastructure, software and labor costs, and minimized latency [Unind]. So, the
hardware-based UTM appliance may need to be installed in place of the firewall. The UTM
should include at minimum a Next-Generation Firewall, Next-Generation IPS, content
filtering tools, and an antivirus scanner device.
The UTM does create a single point of failure, so a second, software-defined perimeter
may be necessary to stop any attack that gets through the UTM [Whand10]. A software-defined
perimeter is a security framework designed to provide on-demand, dynamically provisioned
secure network segmentation. It dynamically creates one-to-one network connections between
the user and the accessed resources, while everything else is invisible, including the system
[JGa17].
Challenges
One of the biggest challenges of supporting multi-site offices is the complexity and cost
of onsite telecommunications systems [Lar16]. Another challenge is that the IT department must
remotely manage an intricate mix of storage and server resources, routers, and security-related
entities [Lar16]. SNHUEnergy’s network certainly has multiple server farms, routers, layer 3
switches, and similar equipment.
One of the best ways to meet the challenges of implementing a new network is to have a
project plan. The following is a waterfall method with five phases for implementing a new
network:
Phase 1 – Planning:
Establish a planning team. This should include developing a good team structure. The
model’s recommended planning team structure is shown in figure 8.
Identify the purpose, goals, and timelines for the impacted system.
Define functional and technical requirements. This includes identifying key stakeholders,
creating the business case for system replacement, and getting input from stakeholders and end
users to ensure that the system meets their needs.
Document the requirements in a Functional Requirements Document (FRD).
Phase 2 – Acquisition:
Create a budget that includes capital and operating costs for the VSAT remote sites.
Identify the method of procurement; procurement is typically done via sole sourcing or
bidding.
Assess purchasing options, which include vendor options and lease purchase options.
Phase 3 – Implementation:
Create an implementation plan.
Install the new/upgraded system.
Test the system to validate that it works and fix any deficiencies.
Train users on operating and maintaining the system.
Go live, which includes systems acceptance testing.
Phase 4 – Support and Maintenance:
1 Establish maintenance procedures; these should address hardware and software.
2 Establish support procedures; these should address hardware, software and users.
3 Establish operational standards, including standards for normal, backup, emergency and
regional operations.
Phase 5 – Refreshment:
System assessment; a full life cycle planning process includes continual reassessment of
the system. This includes assessing the ongoing operational suitability, operational stability,
potential failure, and cost analysis.
Technology/system refreshment. This can include incorporating technological
innovations or replacing outdated equipment.
[Eme111].
Overall Risk
SNHUEnergy can avoid security risks with regular patching and support services, despite
the price, time, or complexity of this venture. A patch is a small piece of software used to correct
a problem in an application [Tim17]. Security risks are increasing for complex IT environments
with products from multiple vendors in a heterogeneous environment, each of which provides
varying levels of support, maintenance, and security [JMand]. As such, the onus for security is
on the organization. Security leaks and hacks lead to lost revenue, a sullied reputation, and
dissatisfied customers; organizations cannot afford to bypass a rigorous software security and
maintenance program [JMand]. External threats are ongoing and ever increasing in
sophistication, thus requiring ongoing vigilance and maintenance [JMand].
A regular patching schedule is essential to business and compliance. Often companies
will engage in software patching and maintenance only as needed, that is, when there is
degradation in performance, functionality, or reliability [JMand]. This ad hoc approach often
fails to ensure protection against new and sophisticated threats. Timing for the patches and
updates depends heavily upon the software; some can be applied during regular business hours
and others are applied after hours or overnight [JMand]. Automation tools can simplify the
patching process. Most vendors of security devices provide automated tools and support for
patching and upgrades [JMand]. Automation can help a company maintain a rigorous patching
and upgrade schedule with a smaller IT staff [JMand].
A key component of the patch and update management program is the intake and vetting
of information on security issues and patch releases [JCh04]. At least one IT staff member
should keep up-to-date on such issues and releases [JCh04]. The program should also define the
patch cycle for standard patch releases and updates from the vendor as well as have a procedure
for handling critical updates and hotfixes [JCh04]. The program should include a patch testing
plan that is used in both the standard patch cycle and the critical patch cycle [JCh04]. Once a
patch or update has been verified, it is placed into a testing environment, where the appropriate
testing techniques are completed [JCh04]. All patches should also go through the organization’s
change management process to ensure no surprises for key stakeholders [JCh04]. Lastly, the
program should have procedures for patch installation and deployment [JCh04].
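The patch management program described above can be expressed as a fixed sequence of stages that every patch must pass through. The following Python program is an added example (not code from the paper or from [JCh04]): each patch record moves intake, vetted, tested, approved, deployed in that order, so neither the testing plan nor the change management step can be skipped, and critical patches and hotfixes follow the same stages on a shorter deadline. Patch identifiers, vendor names, dates and the 30-day and 3-day cycle lengths are constructed placeholders or assumed policy values.

```python
"""Patch lifecycle enforcing vetting, testing and change approval (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy values, not figures from the paper or its sources.
STANDARD_CYCLE_DAYS = 30   # regular vendor patch cycle
CRITICAL_CYCLE_DAYS = 3    # critical updates and hotfixes

STAGES = ("intake", "vetted", "tested", "approved", "deployed")


@dataclass
class Patch:
    patch_id: str
    vendor: str
    critical: bool
    received: date
    state: str = "intake"
    history: list = field(default_factory=list)   # (date, stage, note)

    @property
    def deadline(self):
        days = CRITICAL_CYCLE_DAYS if self.critical else STANDARD_CYCLE_DAYS
        return self.received + timedelta(days=days)

    def advance(self, to_stage, note, when):
        """Move exactly one stage forward; any other transition is rejected."""
        if self.state == "deployed":
            raise ValueError(f"{self.patch_id}: already deployed")
        expected = STAGES[STAGES.index(self.state) + 1]
        if to_stage != expected:
            raise ValueError(f"{self.patch_id}: {self.state} -> {to_stage} skips {expected}")
        self.history.append((when, to_stage, note))
        self.state = to_stage


def overdue(patches, today):
    """Ids of patches not yet deployed whose cycle deadline has passed."""
    return [p.patch_id for p in patches if p.state != "deployed" and today > p.deadline]


def run_cycle():
    """Walk constructed patches through the standard and critical cycles."""
    today = date(2018, 1, 10)
    standard = Patch("PATCH-PLACEHOLDER-1", "vendor-a", False, date(2017, 12, 18))
    critical = Patch("HOTFIX-PLACEHOLDER-2", "vendor-b", True, date(2018, 1, 8))
    stale = Patch("PATCH-PLACEHOLDER-3", "vendor-c", False, date(2017, 11, 20))

    # Standard cycle: every stage in order.
    standard.advance("vetted", "advisory reviewed by IT staff", date(2017, 12, 19))
    standard.advance("tested", "passed in the test environment", date(2017, 12, 22))
    standard.advance("approved", "change advisory board sign-off", date(2018, 1, 3))
    standard.advance("deployed", "rolled out after hours", date(2018, 1, 6))

    # Critical cycle: an attempt to jump straight to deployment is rejected, then
    # the patch goes through the same stages on an expedited timeline.
    critical.advance("vetted", "vendor critical advisory", date(2018, 1, 8))
    try:
        critical.advance("deployed", "emergency push", date(2018, 1, 8))
        skip_rejected = False
    except ValueError:
        skip_rejected = True
    critical.advance("tested", "smoke test on staging", date(2018, 1, 8))
    critical.advance("approved", "emergency change approval", date(2018, 1, 9))
    critical.advance("deployed", "deployed overnight", date(2018, 1, 9))

    late = overdue([standard, critical, stale], today)
    return standard, critical, stale, skip_rejected, late


if __name__ == "__main__":
    standard, critical, stale, skip_rejected, late = run_cycle()
    print("skip attempt rejected:", skip_rejected)
    print("overdue:", late)
    for when, stage, note in critical.history:
        print(f"{when} {critical.patch_id} -> {stage}: {note}")
```

The `history` list is the record a change management process needs, and `overdue()` is the report that tells the staff member responsible for intake which patches have fallen behind their cycle.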
References
12 Best Cyber Security Practices in 2017. (2017, February 22). Retrieved from Ekran System:
https://www.ekransystem.com/en/blog/best-cyber-security-practices
127.0.0.1 – What Are its Uses and Why is it Important? (n.d.). Retrieved from Tech-
FAQ: http://www.tech-faq.com/127-0-0-1.html
3 way handshake, TCP Three-way handshake, TCP Synchronization. (n.d.). Retrieved from
OmniSecu.com: http://www.omnisecu.com/tcpip/tcp-three-way-handshake.php
5 Curable Causes of Poor VoIP Call Quality. (2015, May 15). Retrieved from Voip-info.org:
https://www.voip-info.org/wiki/view/5+Curable+Causes+of+Poor+VoIP+Call+Quality
Adams, M., & Kwon, M. (2009). Vulnerabilities of the real-time transport (RTP) protocol for
voice over IP (VoIP) traffic. Retrieved from RIT:
http://scholarworks.rit.edu/cgi/viewcontent.cgi?article=1071&context=other
Allen, R. (n.d.). What Is Networking Software? Retrieved from
Techwalla: https://www.techwalla.com/articles/what-is-
networking-software
Anti-Virus Scanner. (n.d.). Retrieved from techopedia:
https://www.techopedia.com/definition/27417/anti-virus-scanner
Austin, S. N. (n.d.). Types of Network Software. Retrieved from
Techwalla: https://www.techwalla.com/articles/types-of-network-
software
Beal, V. (n.d.). TCP - Transmission Control Protocol. Retrieved from webopedia:
http://www.webopedia.com/TERM/T/TCP.html
Bhatia, M., Davidson, J., Kalidindi, S., Mukherjee, S., & Peters, J. (2006, October 20). VoIP:
An In-Depth Analysis. Retrieved from Cisco:
http://www.ciscopress.com/articles/article.asp?p=606583
Bruno, A., & Kim, J. (2001, November 16). Cisco Network Topologies and LAN Design.
Retrieved from Cisco: http://www.ciscopress.com/articles/article.asp?p=24101
Chan, J. (2004, January 31). Essentials of Patch Management Policy and Practice. Retrieved
from PatchManagement.org: http://www.patchmanagement.org/pmessentials.asp
Chapple, M. (n.d.). How Do Proxy Servers and Proxy Firewalls Differ? Retrieved from
TechTarget: http://searchsecurity.techtarget.com/answer/How-do-proxy-servers-and-
proxy-firewalls-differ
Cisco Layer 2 Switch Functions. (2007, November 18). Retrieved from debian
Admin: http://www.debianadmin.com/cisco-layer-2-switch-functions.html
Cisco Network Academy. (2014, April 17). Cisco Networking Academy's Introduction to Scaling
Networks. Retrieved from Cisco: http://www.ciscopress.com/articles/article.asp?
p=2189637&seqNum=4
Client/Server Protocol. (n.d.). Retrieved from MySQL: https://dev.mysql.com/doc/dev/mysql-
server/latest/PAGE_PROTOCOL.html
Cocca, P. (2004, September 20). Email Security Threats. Retrieved from SANS Institute:
https://www.sans.org/reading-room/whitepapers/email/email-security-threats-1540
Connection Phase. (n.d.). Retrieved from MySQL: https://dev.mysql.com/doc/dev/mysql-
server/latest/page_protocol_connection_phase.html
Donohue, D., & White, R. (2014, May 12). The Art of Network Architecture: Applying
Modularity. Retrieved from Cisco: http://www.ciscopress.com/articles/article.asp?
p=2201795
Emergency Communications System Life Cycle Planning Guide. (2011, August). Retrieved from
DHS:
https://www.dhs.gov/sites/default/files/publications/Emergency+Communications+Syste
m+Life+Cycle+Planning+Guide-+August+2011.pdf
Exploring the Modern Computer Network: Types, Functions, and Hardware. (2013, December
9). Retrieved from Cisco: http://www.ciscopress.com/articles/article.asp?
p=2158215&seqNum=6
Features. (n.d.). Retrieved from GFI Software:
https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/specifications
Firewalls. (n.d.). Retrieved from Firewall.cx: http://www.firewall.cx/networking-
topics/firewalls.html
Fisher, T. (2017, March 23). What is a Patch? Retrieved from
Lifewire: https://www.lifewire.com/what-is-a-patch-2625960
Garbis, J. (2017, November 1). What is a Software-Defined Perimeter? Retrieved from
Cyxtera: https://www.cyxtera.com/blog/what-is-a-software-defined-perimeter
Gattine, K. (n.d.). Types of firewalls: An introduction to firewalls. Retrieved from
TechTarget: http://searchnetworking.techtarget.com/tutorial/Introduction-to-firewalls-Types-of-firewalls
GFI LanGuard. (n.d.). Retrieved from sectools.org: http://sectools.org/tool/gfi/
Hess, K. (2013, March 4). 10 Security Best Practice Guidelines for Businesses. Retrieved from
ZDNet: http://www.zdnet.com/article/10-security-best-practice-guidelines-for-businesses/
Horton, A. (2017, August 6). What Protocols Send & Receive Email With The Mail Server?
Retrieved from servermania: https://blog.servermania.com/what-protocols-send-receive-
email-with-the-mail-server/
How to Properly Measure and Correct Packet Loss. (n.d.). Retrieved from Silver Peak:
https://www.silver-peak.com/sites/default/files/infoctr/silver-peak_wp_measuringloss.pdf
Hurley, M. (2015, April 28). 4 Causes of Packet Loss and How to Fix Them. Retrieved from
Annese: http://www.annese.com/blog/what-causes-packet-loss
InfoSec Guide: Mitigating Email Threats. (2017, January 30). Retrieved from Trend
Micro: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/infosec-guide-email-threats
Interpreting Packet Traces with Wireshark (Part 1 of n). (2008, December 26). Retrieved
from AppliedTrust: https://www.appliedtrust.com/blog/2008/12/interpreting-packet-traces-wireshark-part-1-n
Layer 3 versus Layer 2 Switch for VLANs. (n.d.). Retrieved from Meraki:
https://documentation.meraki.com/MS/Layer_3_Switching/Layer_3_versus_Layer_2_Sw
itch_for_VLANs
Madden, J. (n.d.). Avoiding Security Risks with Regular Patching and Support Services.
Retrieved from Ovum: https://www.oracle.com/us/assets/ovum-avoid-security-risks-
2235176.pdf
Millman, R. (n.d.). What's Slowing Down Your Network and How to Fix It. Retrieved from
ComputerWeekly.com: http://www.computerweekly.com/feature/Whats-slowing-down-
your-network-and-how-to-fix-it
Mitchell, B. (2017, June 9). Here's Why Your Network Might Need a Layer 3 Switch. Retrieved
from Lifewire: https://www.lifewire.com/layer-3-switch-817583
Mitchell, B. (2017, March 23). VoIP - Voice over Internet Protocol. Retrieved from
Lifewire: https://www.lifewire.com/voice-over-internet-protocol-816496
Mitchell, B. (2017, May 5). What is a Server in Computer Networking? Retrieved from Lifewire:
https://www.lifewire.com/servers-in-computer-networking-817380
Mitchell, B. (2017, August 12). What is a Virtual LAN (VLAN)? Retrieved from Lifewire:
https://www.lifewire.com/virtual-local-area-network-817357
Mitchell, B. (2017, February 24). What Is a Wireless Access Point? Retrieved from
Lifewire: https://www.lifewire.com/wireless-access-point-816545
Mitchell, B. (2017, June 9). What Purpose Does the 127.0.0.1 IP Address Serve? Retrieved from
Lifewire: https://www.lifewire.com/network-computer-special-ip-address-818385
Network Devices. (n.d.). Retrieved from Certiology:
http://www.certiology.com/computing/computer-networking/network-devices.html
Network Security Devices. (n.d.). Retrieved from ConceptDraw:
http://www.conceptdraw.com/How-To-Guide/network-security-devices
Nohling, L. (2016, September 20). Multi-Site Network Architecture: Handling Challenges
that Lie Ahead. Retrieved from Edge Water Networks:
https://www.edgewaternetworks.com/blog/multi-site-network-architecture-challenges-ahead
Odom, W. (n.d.). Cisco: CCENT/CCNA (ICND1 100-105) Official Cert Guide. Retrieved from
uCertify: http://www.ucertify.com/?action=cover
OSI (Open Source Interconnection) 7 Layer Model. (2012, July 13). Retrieved from
Cisco: https://learningnetwork.cisco.com/docs/DOC-15624
PHP MySQL Database. (n.d.). Retrieved from
w3schools.com:
https://www.w3schools.com/php/php_mysql_intro.asp
Preimesberger, C. (2017, January 30). Email Security Threats to Watch Out for in 2017.
Retrieved from eWeek: http://www.eweek.com/security/email-security-threats-to-watch-
out-for-in-2017
QoS Techniques. (2010, August 9). Retrieved from Start
networking: http://www.startnetworks.info/2010/08/qos-
techniques.html
Ranjbar, A., & Hutton, K. (2005, March 18). CCDP Self-Study: Designing High-Availability
Services. Retrieved from Cisco: http://www.ciscopress.com/articles/article.asp?
p=375501&seqNum=2
Real-time Transport Protocol (RTP). (n.d.). Retrieved from Wireshark:
https://wiki.wireshark.org/RTP?highlight=%28rtp%29
Rivenes, L. (2016, March 8). What are the Causes of Packet Loss? Retrieved from
Datapath.io: https://datapath.io/resources/blog/causes-of-packet-loss/
Rivenes, L. (2016, June 15). What is Bandwidth? Retrieved from Datapath.io:
https://datapath.io/resources/blog/what-is-bandwidth/
Rosenblatt, H. J. (2014). Systems Analysis and Design. Boston: CENGAGE Learning.
Rouse, M. (2005, September). Bayesian Filter. Retrieved from TechTarget:
http://whatis.techtarget.com/definition/Bayesian-filter
Rouse, M. (2005, September). Web Filter. Retrieved from
TechTarget:
http://searchsecurity.techtarget.com/definition/Web-filter
Rouse, M. (2011, January). Content Filtering (Information Filtering). Retrieved from
TechTarget: http://searchsecurity.techtarget.com/definition/content-filtering
Rouse, M. (2014, June). Unified Threat Management (UTM). Retrieved from TechTarget:
http://searchmidmarketsecurity.techtarget.com/definition/unified-threat-management
Rouse, M. (2015, January). Proxy Server. Retrieved from
TechTarget: http://whatis.techtarget.com/definition/proxy-
server
Rouse, M. (n.d.). Client. Retrieved from TechTarget:
http://searchenterprisedesktop.techtarget.com/definition/client
Rouse, M. (n.d.). Data Link Layer. Retrieved from TechTarget:
http://searchnetworking.techtarget.com/definition/Data-Link-layer
Rouse, M. (n.d.). ERP (Enterprise Resource Planning). Retrieved from
TechTarget: http://searcherp.techtarget.com/definition/ERP-enterprise-
resource-planning
Rouse, M. (n.d.). High Availability (HA). Retrieved from TechTarget:
http://searchdatacenter.techtarget.com/definition/high-availability
Rouse, M. (n.d.). Load Balancing. Retrieved from TechTarget:
http://searchnetworking.techtarget.com/definition/load-balancing
Rouse, M. (n.d.). Next-Generation Firewall (NGFW). Retrieved from TechTarget:
http://searchsecurity.techtarget.com/definition/next-generation-firewall-NGFW
Rouse, M. (n.d.). OSI Reference Model (Open Systems Interconnection). Retrieved from
TechTarget: http://searchnetworking.techtarget.com/definition/OSI
Rouse, M. (n.d.). Packet Filtering. Retrieved from TechTarget:
http://searchnetworking.techtarget.com/definition/packet-filtering
Rouse, M. (n.d.). Packet Loss. Retrieved from TechTarget:
http://searchnetworking.techtarget.com/definition/packet-loss
Rouse, M. (n.d.). Real-Time Transport Protocol (RTP). Retrieved from TechTarget:
http://searchnetworking.techtarget.com/definition/Real-Time-Transport-Protocol
Rouse, M. (n.d.). Scalability. Retrieved from TechTarget:
http://searchdatacenter.techtarget.com/definition/scalability
Rouse, M. (n.d.). Stateful Inspection. Retrieved from TechTarget:
http://searchnetworking.techtarget.com/definition/stateful-inspection
Rouse, M. (n.d.). TCP (Transmission Control Protocol). Retrieved from TechTarget:
http://searchnetworking.techtarget.com/definition/TCP
Rouse, M. (n.d.). Video Conferencing. Retrieved from TechTarget:
http://searchunifiedcommunications.techtarget.com/definition/video-conference
She, W., & Thuraisingham, B. (2007). Security for Enterprise Resource Planning Systems.
Retrieved from Taylor & Francis Group:
https://www.utdallas.edu/~bxt043000/Publications/Journal-Papers/DAS/J46_Security_for_Enterprise_Resource_Planning_Systems.pdf
Sivasubramanian, B., Frahim, E., & Froom, R. (2010, July 15). Analyzing the Cisco Enterprise
Campus Architecture. Retrieved from Cisco:
http://www.ciscopress.com/articles/article.asp?p=1608131
Six ERP Security Risks to Watch. (2017). Retrieved from Toolbox.com:
http://it.toolbox.com/blogs/inside-erp/six-erp-security-risks-to-watch-76217
SSH Protocol. (2017, August 29). Retrieved from SSH communications security:
https://www.ssh.com/ssh/protocol/
Stephens, J. (2011, June 1). The Network Layer: Understanding layer 3 of the OSI Model.
Retrieved from Computerworld:
https://www.computerworld.com/article/2469896/network-hardware-solutions/the-
network-layer--understanding-layer-3-of-the-osi-model.html
Teare, D. (2008, June 12). Structuring and Modularizing the Network with Cisco Enterprise
Architecture. Retrieved from Cisco: http://www.ciscopress.com/articles/article.asp?
p=1073230
Top 10 Database Security Issues to Avoid. (n.d.). Retrieved from we build databases:
https://webuilddatabases.com/database-articles/top-10-database-security-issues-to-avoid/
Top Benefits of Network Monitoring. (2017, August 30). Retrieved from helpsystems:
https://www.helpsystems.com/resources/articles/top-benefits-network-monitoring
Understanding Delay in Packet Voice Networks. (2006, February 2). Retrieved from Cisco:
https://www.cisco.com/c/en/us/support/docs/voice/voice-quality/5125-delay-details.html
Unified Threat Management Devices: Understanding UTM and its Vendors. (n.d.).
Retrieved from TechTarget:
http://searchsecurity.techtarget.com/essentialguide/Unified-threat-management-devices-Understanding-UTM-and-its-vendors
Unuth, N. (2017, June 13). Security Threats In VoIP. Retrieved from
Lifewire: https://www.lifewire.com/security-threats-in-voip-3426532
What is a localhost? (n.d.). Retrieved from What is
MyIPAdress?: http://whatismyipaddress.com/localhost
What Is a Network Switch vs. a Router? (n.d.). Retrieved from Cisco:
https://www.cisco.com/c/en/us/solutions/small-business/resource-center/connect-
employees-offices/network-switch-what.html
What is Penetration Testing? (n.d.). Retrieved from Core
Security:
https://www.coresecurity.com/content/penetration-testing
What Is QoS? (2003, March 28). Retrieved from TechNet: https://technet.microsoft.com/en-
us/library/cc757120(v=ws.10).aspx
What is Unified Threat Management (UTM)? (n.d.). Retrieved from Kaspersky
lab: https://usa.kaspersky.com/resource-center/definitions/utm
Wilkins, S. (2015, October 14). A Guide To Intrusion Detection And Intrusion Prevention
Systems (IDS/IPS). Retrieved from Toms IT Pro:
http://www.tomsitpro.com/articles/intrusion-detection-intrusion-prevention-systems-ids-
ips,2-959.html
Wireless Access Point (WAP). (n.d.). Retrieved from Techopedia:
https://www.techopedia.com/definition/13538/wireless-access-point-wap
Zorabedian, J. (2014, January 28). UTM and Next-Gen Firewalls: What's the difference?
Retrieved from Sophos News: https://news.sophos.com/en-us/2014/01/28/utm-and-next-
gen-firewalls-whats-the-difference-infographic/