The best network design to ensure the security of Corporation Tech's internal access while retaining public Web site availability consists of several layers of defense, in order to protect the corporation's data and provide accessibility to employees and the public. The private-public network edge is considered particularly vulnerable to intrusions, because the Internet is a publicly accessible network and falls under the management purview of multiple network operators.
For these reasons, the Internet is considered an untrusted network. So are wireless LANs, which, without the proper security measures in place, can be hijacked from outside the corporation when radio signals penetrate interior walls and spill outdoors. The network infrastructure is the first line of defense between the Internet and public-facing web servers. Firewalls provide the first line of defense in network security infrastructures. They accomplish this by comparing corporate policies about users' network access rights to the connection information surrounding each access attempt. User policies and connection information must match up, or the firewall does not grant access to network resources; this helps avert break-ins. Network firewalls also keep communications between internal network segments in check, so that internal employees cannot access network and data resources that corporate policy dictates are off-limits to them. By partitioning the corporate intranet with firewalls, departments within an organization are given additional defenses against threats originating from other departments.
In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that holds company data. A DMZ is an optional, more secure approach than a firewall alone, and it effectively acts as a proxy server as well. The Internet has shifted from implicit trust to pervasive distrust. In network security, no packet can be trusted; all packets must earn that trust through a network device's ability to inspect and enforce policy.
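The policy-matching behaviour described in the two paragraphs above (connection information checked against access policy, DMZ isolated from the private network, departments partitioned from each other, and nothing trusted unless a rule says so) can be shown as a small first-match rule evaluator. This is an added example written for this page, not part of the original essay and not a Cisco configuration; the subnet prefixes, zone names, the 203.0.113.0/24 documentation addresses and the rule set are all assumptions chosen for illustration, since the essay gives no subnet plan.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segment map for this example. The essay names a DMZ web server,
# department VLANs and a main server block but gives no prefixes, so every
# network below is an assumption.
ZONES = {
    "dmz":          ip_network("10.0.0.0/24"),       # public-facing web server lives here
    "vlan_hr":      ip_network("192.168.10.0/24"),   # HR department VLAN
    "vlan_finance": ip_network("192.168.20.0/24"),   # Finance department VLAN
    "servers":      ip_network("192.168.50.0/24"),   # DHCP/DNS/AD server segment
}


def zone_of(addr: str) -> str:
    """Map an address to a named segment; anything unknown is the untrusted Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# First-match policy. Anything not listed falls through to the default deny
# in evaluate(): a packet is not trusted until a rule grants it access.
POLICY = [
    Rule("internet", "dmz", 80, "allow"),           # public web site
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "servers", 53, "allow"),            # DMZ host may only resolve names inward
    Rule("vlan_hr", "servers", None, "allow"),      # departments reach the shared servers
    Rule("vlan_finance", "servers", None, "allow"),
    Rule("vlan_hr", "vlan_finance", None, "deny"),  # departments are isolated from each other
    Rule("vlan_finance", "vlan_hr", None, "deny"),
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one connection attempt; first matching rule wins."""
    s, d = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if rule.src_zone == s and rule.dst_zone == d and rule.dport in (None, dport):
            return rule.action
    return "deny"   # default deny: no rule granted trust


def decisions(attempts):
    """Evaluate a batch of (src, dst, dport) attempts and return one decision record each."""
    return [
        {"src": s, "dst": d, "dport": p, "src_zone": zone_of(s),
         "dst_zone": zone_of(d), "action": evaluate(s, d, p)}
        for s, d, p in attempts
    ]


if __name__ == "__main__":
    # Constructed connection attempts; 203.0.113.0/24 is a documentation range.
    sample = [
        ("203.0.113.5", "10.0.0.10", 443),      # Internet -> DMZ web server: allowed
        ("203.0.113.5", "192.168.50.1", 445),   # Internet -> internal server: denied
        ("10.0.0.10", "192.168.50.1", 53),      # DMZ -> DNS: allowed
        ("10.0.0.10", "192.168.50.1", 389),     # DMZ -> LDAP: denied, a compromised web host cannot reach AD
        ("192.168.10.4", "192.168.50.1", 445),  # HR -> file server: allowed
        ("192.168.20.7", "192.168.10.4", 445),  # Finance -> HR workstation: denied
    ]
    for rec in decisions(sample):
        print(f"{rec['src_zone']:>12} -> {rec['dst_zone']:<12} :{rec['dport']:<5} {rec['action']}")
```

The detail worth noticing is the last line of evaluate(): a connection that matches no rule is dropped, which is what "packets must earn trust" means in practice. The DMZ rule also shows why the web server sits in its own segment: even if it is compromised, the only path it has inward is DNS.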
Clear-text (unencrypted) services represent a great weakness in networks. Clear-text services transmit all information, including user names and passwords, in unencrypted form. Services such as File Transfer Protocol (FTP), email, Telnet and HTTP basic authentication all transmit communications in clear text. A hacker with a sniffer could easily capture user names and passwords from the network without anyone's knowledge and gain administrator access to the system.
Clear-text services should be avoided; instead, secure services that encrypt communications, such as Secure Shell (SSH) and Secure Sockets Layer (SSL), should be used. The use of routers and switches will allow for network segmentation and help defend against sniffing. Corporation Tech may want to have its own web or email server that is accessible to Internet users without going to the expense and complexity of building a DMZ or another network for the sole purpose of hosting these services.
At the same time, it may want to host its own server instead of outsourcing to an ISP (Internet Service Provider) or hosting company. Corporation Tech can use NAT (Network Address Translation) to direct inbound traffic that matches pre-defined protocols to a specific server on the internal or private LAN. This would allow Corporation Tech to present a single fixed public IP address to the Internet and use private IP addresses for the web and email servers on the LAN.

Network Diagram and Vulnerabilities

The network infrastructure uses the Class C network address 192.68.1.0. The main server, running on virtual machine software, was configured with the static IP address 192.168.50.1. This server provides DHCP, DNS and Active Directory. The web server is located outside the internal network, in the DMZ. The internal network is configured on separate VLANs to separate department traffic and manage data access. A Cisco internal firewall was installed and configured to manage the internal network on the LAN. A second Cisco firewall was implemented to manage remote traffic entering the LAN. This provides layered security to the network.
Several ports were identified as vulnerabilities in the Corporation Tech network because they allowed information to be transferred in clear text, and as such they have been closed. Additional ports that could be used for gaming, streaming and peer-to-peer file sharing have been blocked or closed to reduce unauthorized access to the network. All ports known to be used for malicious purposes have been closed as a matter of best practice. All standard ports that do not have specific applications requiring access have been closed.
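The port-closure policy just described, together with the NAT forwarding from the earlier paragraph (one fixed public address, inbound protocols directed to specific internal servers), can be expressed as a small audit: every listening service is either a known clear-text protocol (close it and name the encrypted replacement), an approved encrypted service (keep it), or something with no approved application (close it). This is an added example written for this page, not the essay's own work or any vendor tool; the allowlist, the NAT table, the 203.0.113.10 public address and the inventory of listening services are constructed for illustration. The port numbers in CLEAR_TEXT are the standard IANA assignments; the replacement recommendations are the editor's.

```python
from typing import Dict, List, Optional, Tuple

# Well-known clear-text services (standard IANA ports) and the encrypted
# replacement recommended for each. The replacement text is a recommendation
# added here, not something the essay specifies.
CLEAR_TEXT = {
    21:  ("FTP",           "SFTP over SSH (22)"),
    23:  ("Telnet",        "SSH (22)"),
    25:  ("SMTP (no TLS)", "SMTP submission with STARTTLS (587)"),
    80:  ("HTTP",          "HTTPS (443)"),
    110: ("POP3",          "POP3S (995)"),
    143: ("IMAP",          "IMAPS (993)"),
}

# Constructed allowlist: ports with a specific approved application.
# Following the essay's rule, everything outside this set is closed.
APPROVED = {22, 53, 443, 587, 993, 995}

# Constructed NAT table: one fixed public address, inbound port -> (internal host, port).
PUBLIC_IP = "203.0.113.10"          # documentation range, hypothetical
NAT_FORWARDS = {
    443: ("10.0.0.10", 443),        # DMZ web server, hypothetical address
    587: ("192.168.50.20", 587),    # internal mail server, hypothetical address
}


def classify(port: int) -> Tuple[str, str]:
    """Return (verdict, note) for one listening port."""
    if port in CLEAR_TEXT:
        name, replacement = CLEAR_TEXT[port]
        return "close", f"{name} sends credentials in clear text; use {replacement}"
    if port in APPROVED:
        return "keep", "approved encrypted service"
    return "close", "no approved application requires this port"


def audit(listening: List[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Audit (host, port) pairs and return one finding per pair."""
    findings = []
    for host, port in listening:
        verdict, note = classify(port)
        findings.append({"host": host, "port": port, "verdict": verdict, "note": note})
    return findings


def ports_to_close(listening: List[Tuple[str, int]]) -> List[int]:
    """Distinct ports the audit says to close, sorted for the change ticket."""
    return sorted({f["port"] for f in audit(listening) if f["verdict"] == "close"})


def nat_target(dst_ip: str, dport: int) -> Optional[Tuple[str, int]]:
    """Resolve an inbound packet to its internal destination, or None if it is dropped."""
    if dst_ip != PUBLIC_IP:
        return None
    return NAT_FORWARDS.get(dport)   # no forward entry means the packet goes nowhere


if __name__ == "__main__":
    # Constructed inventory of listening services on the hosts in this design.
    inventory = [
        ("10.0.0.10", 80), ("10.0.0.10", 443), ("10.0.0.10", 22),              # DMZ web server
        ("192.168.50.20", 25), ("192.168.50.20", 143),                         # mail server, clear text
        ("192.168.50.20", 587), ("192.168.50.20", 993),                        # mail server, encrypted
        ("192.168.10.4", 23), ("192.168.10.4", 6881),                          # workstation: Telnet, P2P
    ]
    for f in audit(inventory):
        print(f"{f['host']:<15} :{f['port']:<5} {f['verdict']:<5} {f['note']}")
    print("close:", ports_to_close(inventory))
    for port in (443, 587, 23):
        print(f"inbound {PUBLIC_IP}:{port} ->", nat_target(PUBLIC_IP, port))
```

Two caveats when applying this literally. A mail server that receives Internet mail still has to listen on 25, so in practice that port is kept with STARTTLS enforced rather than closed; the allowlist here follows the essay's rule as written. And the NAT table is itself the inbound allowlist: a port with no forward entry is unreachable from outside regardless of what listens internally, which is the second layer the essay's two-firewall design provides.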