Abstract A secured network is one which is free of unauthorized access, threats and hackers. This paper describes the different levels of network security. A brief overview of the Network Security, its need, different threats and related protection techniques are presented. The paper presents a general overview of the most common network security threat measures and the steps which can be taken to protect an educational institution and to ensure that data travelling across the network is safe and secure. The objective of the paper is to highlight the loopholes in the existing network of computer science department of Geetanjali Institute of Technical Studies. The paper presents the setup of an Ideal Network Defense System in the institute.
Keywords Network Security, IP Sec, VLANs, Firewalls, Antivirus Packages, MAC Filtering, Access Control Lists, Tokens, Security Policies, Intrusion Detection, UTM.
I. INTRODUCTION
The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and educational communications worldwide. The volume of traffic moving over the internet, as well as over educational networks, is expanding exponentially every day. This vast network and its associated technologies have opened the door to an increasing number of security threats against which educational institutions must protect themselves. Network security consists of the provisions made in the underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and its network-accessible resources from unauthorized access, and consistent, continuous monitoring and measurement of their effectiveness, all combined together. Network Security refers to “all hardware and software functions, characteristics, features, operational procedures, accountability measures, access controls, and administrative and management policy required to provide an acceptable level of protection for hardware, software, and information in a network.” [1]
A. Need of Network Security at Geetanjali Institute Of Technical Studies
The institute has a difficult network environment to secure. Proprietary information must be protected and the network must be available 24x7, yet hundreds of untrusted student-owned computers must be given access. That is where the problems arise. The network administrator cannot control what students do, or have done, with their laptops and desktops, and that puts the entire network at risk.
As an educational organization, the administration strives to facilitate the open exchange of information. Students, faculty members and librarians all need access to Internet. However, at the same time, the administrator has a responsibility to protect users from network threats, and keep the network up and running. A top security priority is to establish a private network to keep confidential information (student records, scholarships, administrative records, financial information etc.) safe from unauthorized users, hackers, and other threats.
II. OBJECTIVE
Networks in the institution are isolated from each other. It is desired to have a single backbone network. The paper will discuss:
· Users in college.
· Current network plan.
· Drawbacks in the existing network plan.
· Level of defenses in an ideal network system.
· Proposed network plan for the college.
III. CURRENT SCENARIO: USERS
B. The college has the following departments:
Computer Science, Electronics and Communication, Mechanical, Electrical, Automobile, Information Technology, MBA and MCA. Besides these departments, the accounts section and the administrative department also require the internet facility. All faculty members and students use the internet facility.
IV. EXISTING NETWORK PLAN
The network in Geetanjali Institute is divided into three different networks.
C. Block-A
The block-A network includes the Computer Science, MCA, IT and Mechanical departments and the administrative department. The network plan is shown in Fig. 1.
Fig 1: BLOCK-A NETWORK
D. Block-B
Figure: BLOCK-B Network
E. Accounts
Figure: ACCOUNT Network
V. PROBLEMS IN EXISTING NETWORK
In the college environment, a single unpatched or compromised end-terminal threatens the entire network. It can serve as a backdoor for intruders and a channel for worms and spyware, and it can infect the entire network. The institution tries hard to implement a consistent security policy that defines what is permitted and what is prohibited on student end-terminals, but a number of logistical problems prohibit enforcement of such policies. The major ones include:
A. Wide Range of Operating Systems and Versions
Implementing and administering a security policy that efficiently accommodates multiple OS platforms and versions is a tough job.
B. A Limited Time for Registering Devices
Students must have network access when classes begin, making it unfeasible for the network administrator to implement uniform security measures on a device-by-device basis in the limited time available at the beginning of the semester.
C. Difficulty of having to physically touch each device
Limited resources and personnel prohibit effective physical management of each device.
D. Three Separate Networks
There are three separate existing networks in the college: the ‘A’ block network, the ‘B’ block network and the network of the accounts department. It is more difficult to monitor three separate networks than a single centralized network for the entire institution.
E. Mesh Network
There is no planning in the current network set-up. All the end-terminals and switches are arranged in a disorganized manner. The side effects of this network are:
· More amount of cabling is required.
· Detection of point of fault is difficult.
· More effort is required in installing, modifying and maintaining the network devices.
No Load Balancing
There is no provision for switching to an alternate channel if the primary channel is blocked or damaged.
F. Server Location
The server is located outside the college premises and is maintained by a host outside the college.
G. No Network Facility in Hostel
There is no internet facility for the students residing in the college hostel.
H. No Proxy Servers
There are no proxy servers, resulting in an increased chance of viruses and worms entering the network. Hence the features a proxy provides, such as firewalling and filtering, connection sharing and caching, are not available.
I. No Physical Security
There is no proper physical security for server room and terminals.
VI. LEVEL OF DEFENSES
We have an extensive choice of technologies, ranging from antivirus software packages to dedicated network security hardware such as firewalls and intrusion detection systems, to provide protection for all areas of the network. Further tools can be deployed that periodically detect security vulnerabilities in the network, providing ongoing, proactive security. With all these options currently available, it is possible to implement a security infrastructure that allows sufficient protection together with quick access to information. A network requires multiple layers of protection to be truly secure.
Table 1: LEVEL OF DEFENSES

| Level | Security Level | Applicable Security Measures |
|-------|----------------|------------------------------|
| 5 | Network Level | Access Control Lists, Intrusion Detection/Prevention Systems |
| 4 | Switch Level | MAC Filtering |
| 3 | Server Level | Security Policies, VLANs, Tokens |
| 2 | PC Level | Antivirus Packages, IPSec, Folder Guards |
| 1 | Physical Level | Lock and Key Protected Server Room |
VII. PHYSICAL LEVEL SECURITY
Physical security is an initial concern when designing a secure network. The easiest and best means of protecting important machines like servers is to secure them under lock and key. Next, make sure to use wiring that is not susceptible to eavesdropping and snooping. Copper wiring can be tapped with greater ease than other types of cable, and is thus more vulnerable.
· Install UPS (uninterruptible power supply) systems for mission-critical hardware.
· Deploy backup generator systems for mission-critical disaster recovery if feasible.
· Test and maintain UPS or generators based on the manufacturers' suggested preventative maintenance schedule.
· Monitor and alarm power-related parameters at the supply and device level.
· Use filtered power and install redundant power supplies on mission-critical devices.
VIII. PC LEVEL SECURITY
This level of defense includes technologies such as Antivirus Software Packages, IPSec, host Firewalls, Folder Guards etc.
A. Antivirus Packages:
Virus protection software is packaged with most computers and can counter most virus threats if the software is regularly updated and correctly maintained. The package includes a virus database that helps it to identify known viruses when they attempt to strike. To keep update and maintenance costs to a minimum, all the computers on a network should be protected by the same antivirus package. It is essential to update the antivirus package on a regular basis.
B. IPSec:
IPSec is an industry-wide standard suite of protocols and algorithms that allows secure data transmission over an IP-based network; it functions at layer 3 of the OSI model [2]. The two primary security protocols used by IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication for the data and the IP header of a packet using a one-way hash; it does not offer any encryption services. ESP provides:
· Confidentiality, through the use of symmetric encryption algorithms such as DES or 3DES.
· Data origin authentication and connectionless integrity.
· Anti-replay service. This service is receiver-based, meaning it is effective only if the receiver checks the Sequence Number field. An attacker who captures a copy of an authenticated packet and retransmits it later to the intended destination can disrupt services; the Sequence Number field is designed to foil this type of attack.
· Traffic flow confidentiality, for which tunnel mode must be selected. In tunnel mode the entire IP packet is encapsulated in the body of a new IP packet with a completely new IP header. This is most effective when implemented at a security gateway, so that the machines inside the network do not need to be aware of IPSec.
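As an added illustration (not part of the original paper), the following Python code models the receiver-side anti-replay check described above: the receiver remembers the highest sequence number accepted and a bitmap of the numbers just below it, so a retransmitted copy of an already-accepted packet is rejected. The window size, the class name and the sequence-number trace are assumptions made for this example; real IPSec implementations follow the same idea with a 32- or 64-bit window.

```python
"""Receiver-side anti-replay window in the style used by IPSec AH/ESP.

Added example, not from the paper. The default window size (64) and the
sample sequence-number trace are constructed for illustration.
"""


class AntiReplayWindow:
    """Tracks which sequence numbers have already been accepted.

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (highest - i) has been accepted.
    A packet is accepted once; a duplicate or a packet older than the
    window is rejected.
    """

    def __init__(self, size: int = 64) -> None:
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new; False if replayed or too old."""
        if seq == 0:
            return False  # sequence number 0 is never valid in AH/ESP
        if seq > self.highest:
            # Newer than anything seen: slide the window forward by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything previously seen fell out of range
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than the left edge of the window
        if self.bitmap & (1 << offset):
            return False  # already accepted once: this is a replay
        self.bitmap |= 1 << offset
        return True


def replay_trace(seqs, size: int = 64):
    """Feed a sequence-number trace through one window; return accept/reject flags."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order packets, one replay (2), a late arrival (4)
    # that is still inside the window, a second replay of 4, then a jump.
    print(replay_trace([1, 2, 3, 2, 5, 4, 4, 100, 40, 36, 37]))
```

The late packet 4 is accepted because it is within the window and has not been seen; the copy of packet 2 and the second copy of packet 4 are rejected as replays. After the jump to 100, packet 36 is rejected only because it is outside the 64-entry window, which is the accepted trade-off between memory and tolerance for reordering.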
C. Firewall:
A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it and denies or permits passage based on a set of rules [3]. The firewall creates a protective layer between the network and the outside world. In effect, the firewall replicates the network at the point of entry so that it can receive and transmit authorized data without significant delay. However, it has built-in filters that can disallow unauthorized or potentially dangerous material from entering the real system. It also logs attempted intrusions and reports them to the network administrators.
D. Folder Guards:
Folder Guard is a computer security software tool that lets you password-protect, hide, or restrict access to files and folders of your choice, and also restrict access to other Windows resources, such as Control Panel, Start Menu, Desktop, and more. You can configure the protection so that only specific users would be restricted, on both stand-alone and networked computers.
IX. SERVER LEVEL SECURITY
This level of defense includes Port Blocking, Service Authentication, VLANs, Tokens, and Security Policies etc.
A. Security Policies:
Security policies are rules that are electronically programmed and stored within security equipment to control such areas as access privileges [4]. These are also written or verbal regulations by which an organization operates. The policies that are implemented should control who has access to which areas of the network and how unauthorized users are going to be prevented from entering restricted areas. The security policy management function should be assigned to people who are extremely trustworthy and have the technical competence required.
B. VLANs:
A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN. It allows the network administrator to have total control over each port and user, plus whatever resources each port can access. VLANs can be created in accordance with the network resources a given user requires.
C. Tokens:
A security token can be a physical device that an authorized user of computer resources is given to ease authentication. Tokens are used to prove one’s identity electronically. Hardware tokens typically store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. The simplest security tokens do not need any connection to a computer. Other tokens connect to the computer using wireless techniques. A newer form of token is the mobile device, which communicates over an out-of-band channel (such as voice or SMS). Disconnected tokens have neither a physical nor a logical connection to the client computer. They use a built-in screen to display the generated authentication data, which the user enters manually via the keyboard. Connected tokens are tokens that must be physically connected to the client computer. These tokens automatically transmit the authentication information to the client computer once the physical connection is made, eliminating the need for the user to enter it manually. [5]
X. SWITCH LEVEL SECURITY
This level of defense includes VLANs, MAC policies and MAC filtering.
D. MAC Filtering:
MAC filtering refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While it gives a wireless network some additional protection, MAC filtering can be circumvented by scanning for a valid MAC and then changing one's own MAC to the validated one.
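As an added example (not part of the paper), the Python code below implements the whitelist/blacklist decision described above. Two practical details matter for a defender: MAC addresses arrive in several textual notations and must be normalised before comparison, and a permitted address whose locally-administered (U/L) bit is set is worth a second look, since vendor-assigned addresses have that bit clear while randomised or manually changed ones often set it. The class name, the "allow-review" outcome and the sample addresses are assumptions made for this example.

```python
"""MAC address allow-list / deny-list check for a switch port or wireless AP.

Added example, not from the paper. Sample addresses are constructed.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the canonical 'aa:bb:cc:dd:ee:ff' form for any common notation.

    Accepts 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'aabbccddeeff' and the
    colon form; raises ValueError for anything that is not 48 bits of hex.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (value 0x02 in the first octet) is set.

    Universally administered (vendor-assigned) addresses have this bit clear;
    randomised or spoofed addresses frequently have it set.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


class MacFilter:
    """Whitelist with blacklist override; addresses on neither list are denied."""

    def __init__(self, allowed, denied=()):
        self.allowed = {normalize_mac(m) for m in allowed}
        self.denied = {normalize_mac(m) for m in denied}

    def decide(self, mac: str) -> str:
        """Return 'deny', 'allow' or 'allow-review' for a connecting station."""
        try:
            m = normalize_mac(mac)
        except ValueError:
            return "deny"  # malformed input is never trusted
        if m in self.denied or m not in self.allowed:
            return "deny"
        # The list permits it, but a locally administered address on a
        # whitelist deserves review, given that MAC filtering can be bypassed
        # by cloning a valid address.
        return "allow-review" if is_locally_administered(m) else "allow"


if __name__ == "__main__":
    # Constructed sample lists.
    f = MacFilter(["00-1A-2B-3C-4D-5E", "02:00:00:00:00:01"])
    for station in ("00:1a:2b:3c:4d:5e", "0200.0000.0001", "00:11:22:33:44:55", "bogus"):
        print(station, "->", f.decide(station))
```

The review flag is a heuristic, not proof of spoofing: modern phones randomise their Wi-Fi MAC for privacy and legitimately set the same bit, so the flag should feed a log or an alert rather than a hard block.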
XI. ROUTER LEVEL SECURITY
This level of defense includes Access Control Lists.
A. Access Control Lists:
An access control list is a list of conditions through which a router can control (permit or deny) packets on the basis of source and destination address and protocol. Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any further access list statements. Because of this, the order of the statements within any access list is significant. Access lists can be applied as inbound or outbound access lists. Inbound access lists process packets as they enter a router's interface and before they are routed. Outbound access lists process packets as they exit a router's interface and after they are routed.
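The top-down, first-match evaluation described above (the same logic a rule-based firewall from section VIII.C applies) is shown in the added Python example below, which is not from the paper. It evaluates constructed packets against a small inbound list and includes a check for the classic ordering mistake: a broad permit placed before a narrower deny makes the deny unreachable. The rule syntax, the `Packet`/`Rule` names and the addresses are assumptions for this example; real router ACL syntax differs between vendors.

```python
"""First-match access control list evaluation, as a router or packet filter does it.

Added example, not from the paper. Rule syntax, names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # protocol name or "any"
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, int]:
    """Walk the list top-down; the first matching rule decides.

    Returns (action, index of the matching rule); index -1 means no statement
    matched and the implicit deny at the end of the list applied.
    """
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


def unreachable_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules shadowed by an earlier catch-all statement.

    Only the simple case is detected: an earlier rule with 'any' source and
    destination, no port restriction, and the same or 'any' protocol.
    """
    dead = []
    for i, rule in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.src == "any" and earlier.dst == "any" and earlier.dport is None
                    and earlier.proto in ("any", rule.proto)):
                dead.append(i)
                break
    return dead


# Constructed inbound list: allow HTTPS to the server subnet from anywhere,
# block everything else from the student VLAN, permit the rest of campus.
INBOUND_ACL = [
    Rule("permit", "tcp", "any", "10.0.10.0/24", dport=443),
    Rule("deny", "any", "10.0.20.0/24", "any"),
    Rule("permit", "any", "10.0.0.0/16", "any"),
]

# Same intent, wrong order: the broad permit shadows the deny.
MISORDERED_ACL = [
    Rule("permit", "any", "any", "any"),
    Rule("deny", "any", "10.0.20.0/24", "any"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.20.5", "10.0.10.3", "tcp", 443),
                Packet("10.0.20.5", "10.0.10.3", "tcp", 22),
                Packet("192.168.1.1", "10.0.10.3", "tcp", 80)):
        print(pkt, "->", evaluate(INBOUND_ACL, pkt))
    print("shadowed rules in MISORDERED_ACL:", unreachable_rules(MISORDERED_ACL))
```

The implicit deny at the end of the list is why a packet from 192.168.1.1 is dropped even though no statement mentions it; forgetting that implicit deny, or placing a permit-any above specific denies, are the two ordering errors this evaluator makes visible.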
B. Intrusion Detection/Prevention Systems:
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies or standard security practices. An Intrusion Detection System (IDS) is software that automates the intrusion detection process. An Intrusion Prevention System (IPS) is software that has all the capabilities of an IDS and can also attempt to stop possible incidents [6].
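One concrete piece of the "analyzing events for signs of possible incidents" that an IDS automates is shown below as an added example (not from the paper): a detector that reads firewall deny records and raises an alert when one source probes many ports on a single host, or the same port on many hosts, within a short window. The log line format, the thresholds and the sample records are constructed for this example; a real deployment would adapt the regular expression to the firewall's actual log format.

```python
"""Port-scan detection over firewall deny logs, a small slice of what an IDS does.

Added example, not from the paper. The log format, thresholds and the
SAMPLE_LOG records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed deny record, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["dport"] = int(d["dport"])
    return d


def detect_scans(lines, window_s: int = 60, port_threshold: int = 10, host_threshold: int = 10):
    """Alert on a source hitting >= port_threshold ports on one host (vertical scan)
    or >= host_threshold hosts on one port (horizontal sweep) inside a trailing window.

    Each (source, kind, target) combination alerts once. Returns a list of alert dicts.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts, seen = [], set()
    recent = defaultdict(list)          # src -> [(ts, dst, dport), ...] inside the window
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"], e["dport"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.pop(0)                     # expire records older than the window
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for _, dst, dport in q:
            ports_per_host[dst].add(dport)
            hosts_per_port[dport].add(dst)
        for dst, ports in ports_per_host.items():
            key = (e["src"], "vertical", dst)
            if len(ports) >= port_threshold and key not in seen:
                seen.add(key)
                alerts.append({"src": e["src"], "kind": "vertical", "target": dst,
                               "count": len(ports), "at": e["ts"].isoformat()})
        for dport, hosts in hosts_per_port.items():
            key = (e["src"], "horizontal", dport)
            if len(hosts) >= host_threshold and key not in seen:
                seen.add(key)
                alerts.append({"src": e["src"], "kind": "horizontal", "target": dport,
                               "count": len(hosts), "at": e["ts"].isoformat()})
    return alerts


# Constructed sample: one station touches 12 ports on a server within 12 seconds;
# another station is denied twice, five minutes apart; one line is malformed.
SAMPLE_LOG = [
    f"2024-03-01T09:00:{i:02d} DENY src=10.0.20.5 dst=10.0.10.3 proto=tcp dport={20 + i}"
    for i in range(12)
] + [
    "2024-03-01T09:00:30 DENY src=10.0.30.7 dst=10.0.10.3 proto=tcp dport=3389",
    "2024-03-01T09:05:00 DENY src=10.0.30.7 dst=10.0.10.3 proto=tcp dport=3389",
    "not a firewall record; the parser must skip this",
]

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The thresholds are the tuning knobs: too low and a misconfigured printer driver retrying across ports becomes an alert, too high and a slow scan stays under the window. An IPS built on the same logic would add a step that pushes a temporary block for the offending source to the firewall.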
XII. PROPOSED NETWORK
We have discussed techniques for preventing network security threats. Now we are in a position to devise a strategy for designing a secure network. Network security must follow three fundamental precepts [7]. First, a secure network must have integrity, such that all of the information stored therein is always correct and protected against accidental data corruption as well as willful alteration. Next, to secure a network there must be confidentiality, or the ability to share information on the network only with those people for whom it is intended. Finally, network security requires availability of information to its necessary recipients at the predetermined times without exception.
Additionally, certain preliminary steps must be taken in order to assess the need for, and overall level of, network security. First, an appraisal of the dependency on the information within the network must be performed to determine the level of security necessary to protect that information. Next, measurements must be taken of any foreseeable weakness in the current network structure as well as in the design for future network security. In addition, it must be realized that security is a continuous task: network security is not purchased once; instead it must be continually monitored and managed. Finally, network security should be an evolutionary process whereby its progression and subsequent protection occur in stages.
XIII. FEATURES OF THE PROPOSED PLAN
· Centralized Network
· Redundancy
· Multiple ISPs (Internet Service Providers)
· Network with Load Balancing
A. CENTRALIZED NETWORK
We have discussed the mesh network in the college, so we propose a centralized network that can be implemented using UTMs (Unified Threat Management appliances).
A centralized computer network is one in which all the resources are stored and managed at one place. Centralization makes it easy for the system administrator to keep all those resources consistent and accurate, whereas in a distributed system every site containing data and resources needs to be managed separately. Data stored at only one place can easily be backed up. It is also much easier to protect the system from unauthorized access, because there is only one site on the network that needs protection.
B. REDUNDANCY
Redundancy, in internetworking, is the duplication of connections, devices or services so that they can be used as a backup in events such as the failure of the primary connection or service.
C. MULTIPLE ISPs
A multiple-ISP solution addresses more than alternate pathways and disaster recovery. It can also provide a solution for network traffic jams or supply network isolation for specific applications.
D. NETWORK WITH LOAD BALANCING
Load balancing, a clustering technology, enhances the scalability and availability of mission-critical, TCP/IP-based services such as Web, Terminal Services, virtual private networking, and streaming media servers. Network Load Balancing distributes IP traffic across multiple cluster hosts. It also ensures high availability by detecting host failures and automatically redistributing traffic to the surviving hosts. The fully distributed architecture of Network Load Balancing enables it to deliver very high performance and failover protection.
Fig 4: REDUNDANT NETWORK WITH LOAD BALANCING
XIV. CONCLUSION
Networks must be secured in order to protect against threats to their integrity; otherwise the loss or misuse of information can be catastrophic. This paper set out to define the role of network security and to explain how that role can be achieved. The strategy for developing a secure network changes as new threats are created; therefore it is an evolutionary process, constantly changing to meet new requirements. In conclusion, computers and software are now part of a world-wide network, making them more susceptible to threats and thus demanding network security.