Network Security Plan Essay

INTRO (Purpose and Intent)
The Corporation Tech IT Network Security Plan establishes guidelines for the practices used on a day-to-day basis to provide a secure and reliable computing environment. These methods are used to protect the mission, operation, and reputation of Corporation Tech and its information systems. The security policies, standards, and procedures established for Corporation Tech are intended to comply with the regulations and policies set down by the State of Florida, Corporation Tech, and the Federal Information Security Management Act (FISMA).

SCOPE
These standards and procedures apply to all information systems and assets under the control of Corporation Tech, including all computers connecting to the Corporation Tech network and all Corporation Tech employees, contractors, and any other individuals who use and/or administer those systems and computers, particularly those involved with information system management.

STANDARD CONDITIONS
Corporation Tech IT will manage risk by identifying, evaluating, controlling, and mitigating vulnerabilities that are a potential threat to the data and information systems under its control. User accounts and passwords are implemented to maintain individual accountability for network resource usage. Any user who obtains an account and password for accessing a Corporation Tech provided resource is required to keep these credentials confidential. Users of these systems may only use the accounts and passwords that they have been assigned and authorized to use, and they are prohibited from using the network to access these systems through any other means. This plan likewise prohibits the sharing of personal user accounts or passwords for accessing Corporation Tech or Internet computing resources.
In the interest of maintaining account security, passwords will be changed on a regular schedule or any time the integrity of the account is in question. Corporation Tech IT network or computing resources may not be used for personal commercial purposes, for personal profit, or to violate the laws and regulations of the United States or any other nation, or the laws and regulations of any state, city, province or other local jurisdiction in any material way. Use of Corporation Tech resources for any illegal activity may result in loss of network access privileges, official reprimand, suspension or dismissal. Corporation Tech will cooperate with any legitimate law enforcement agency or request in the investigation and prosecution of any alleged wrongful activity. Corporation Tech's network or Internet facilities will not be used to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user. Corporation Tech owned networking and communications equipment may only be moved by Network and Computing Support staff or authorized agents. Reconfiguration of network equipment or software, except by designated individuals within IT, is strictly prohibited. Before connecting any server, network communication or monitoring device to the Corporation Tech Network, approval must be obtained from Data Center Communications.
Attachment of any of the following devices to the Corporation Tech network, other than those provided or approved by Network and Computing Support, is strictly prohibited:

STATEMENT OF PROCEDURES
The procedures for conducting a risk assessment and for the control and mitigation of risks to the Corporation Tech Information Systems include:

NETWORK CONTROL
Corporation Tech IT has software and systems in place that have the ability to monitor and record network, Internet and computer usage. This includes monitoring and security systems that are capable of recording network traffic, including traffic to Internet sites, chat rooms, newsgroups and e-mail communications, file servers, telnet sessions and file transfers into and out of our internal networks. This capability is necessary in order to maintain the health of Corporation Tech network operations and diagnose network related problems. Corporation Tech IT reserves the right to perform network monitoring at any time. The information collected may be used by technicians and management to assess network utilization and trends, and may also be provided to upper management or other authorities as evidence as part of any investigation of alleged policy violations. Corporation Tech IT reserves the right to perform periodic port scans, segment sweeps, and vulnerability scans on all network segments. Network operations, functions, and resources which are not required as part of the normal and approved job duties or projects at Corporation Tech may be bandwidth limited or blocked by network control devices in order to protect the integrity and availability of the overall system. Corporation Tech IT may suspend network access to any location or system that disrupts normal network operations or to systems that violate Corporation Tech policy.
In this event, an attempt will be made to contact the responsible party to resolve the problem.

DHCP SERVICES
Corporation Tech IT provides centralized and redundant DHCP and DNS services for Corporation Tech. Due to the nature of these services, and because of the potential disruption of service and possible security breaches resulting from incorrect installation of additional systems, attachment of unauthorized DHCP or DNS servers is prohibited. These guidelines must be followed when requesting or using any DHCP or DNS services:
• Systems requiring an IP address must support DHCP and be capable of obtaining DHCP address information from one of the centrally administered DHCP servers.
• Using DHCP, devices requesting an IP address will be assigned a dynamic pool address from the subnet to which the device is attached. Devices with dynamically assigned IP addresses may have their address change.
• Static IP addresses needed for server class machines or specialized clients must be requested from the Data Center Communications Team via a Help Desk ticket.

DNS SERVICES
User workstations which have been assigned a dynamic pool IP address will have an associated DNS name assigned by the network. Any DNS name or domain that is to be associated with the Corporation Tech network must be requested from and/or registered through Web Services. DNS names ending in corptech.com are made available upon request to Corporation Tech approved organizations. Requests for assignment of DNS names must be for valid Corporation Tech related purposes. DNS names for domains other than corptech.com, and which are to be hosted by Corporation Tech systems, must be requested from Web Services. Any charges for initial or ongoing registration of the requested name will be the responsibility of the requestor. DNS names not in the corptech.com domain will be handled on a case by case basis. Corporation Tech IT will work with any user requesting a name to identify an appropriate and available name; however, Corporation Tech IT has final approval for all DNS name assignments.

WIRELESS NETWORK SERVICES
Because wireless networks can be used to provide access to the same resources and services as wired network devices, the same basic procedures that are used in a wired network environment can also be applied in a wireless network environment. However, due to the nature of wireless networks, additional security and control mechanisms are needed in order to maintain the security, operation and inter-operability of both traditional and wireless systems. Wireless routers are not allowed on the Corporation Tech network until they have been approved by Corporation Tech IT. Use of the Corporation Tech Wireless network is limited to individuals who have a Corporation Tech account, except in locations where the guest network is available. The Corporation Tech Guest Network is segregated from the internal servers and resources used by authenticated users to keep the network secure. The Corporation Tech Guest Network is only available in approved areas, and requires a request to be expanded into any other areas. Users of the Corporation Tech Guest Network must provide a valid cell phone number in order to authenticate.

Destruction and Removal of Information and Devices
Restricted information must be disposed of in such a manner as to ensure it cannot be retrieved and recovered by unauthorized persons. When donating, selling, transferring, surplusing or disposing of computer systems or removable media (such as DVDs), the proper steps to make data unreadable on those media will be taken. Acceptable procedures are detailed in ISSP-009, "Media Removal."

NETWORK ACCESS
Anyone who uses the Corporation Tech computing environment must have appropriate status (e.g. management, employee, staff, or authorized third party) and must be properly authenticated when required. Access will be provided to vendors and/or other Corporation Tech partners through the sponsored VIP account process, as described on http://www.corptech.com/it/services/vip.aspx. VIP accounts are reviewed and renewed at six month intervals to determine whether access is still needed. When an employee leaves the organization, accounts will be disabled once TERM status is updated, and individual departments must approve re-activation of account access.

USER COMPUTERS
Users are responsible for the security and integrity of Corporation Tech data stored on their workstation, which includes controlling physical and network access to the equipment. Users may not run or otherwise configure software or hardware that may allow access by unauthorized users. Anti-virus software must be installed on all workstations that connect to the Corporation Tech Network. Corporation Tech computers may not be used to copy, distribute, share, download, or upload any copyrighted material without the permission of the copyright owner.

PHYSICAL ACCESS
Access to the Corporation Tech IT Data Center will be limited to those responsible for operation and maintenance. Access by non-IT personnel is not permitted unless they are escorted by an authorized IT staff member. Computer installations should provide reasonable security measures to protect the computer system against natural disasters, accidents, loss or fluctuation of electrical power, and sabotage.
Networking and computing hardware is placed in secure and appropriately cooled areas for data integrity and security.

NETWORK HARDWARE
Network hardware will be housed behind a locked door to protect physical access to switches and other network equipment. Access is only allowed through card access or with a checked-out key. All switches and network hardware are password protected at a minimum via a local account set up on the device itself; these passwords are changed periodically as administrators leave the organization. The subnets allowed to authenticate to switch management will be restricted, to create tighter control of back-end administration. Privileged level access timeouts are implemented on Console and VTY lines, so that any idle sessions will be terminated automatically. All switches are time synced using NTP, so that incidents may be tracked and correlated to the proper timeframe.

SERVER ENVIRONMENT
All servers are subject to a security audit and evaluation before they are placed into production. Administrative access to servers must be password protected and use two-factor authentication whenever possible. Servers should be physically located in an access-controlled environment. All internal servers deployed at Corporation Tech must be owned by an operational group that is responsible for system administration. Servers must be registered with the IT department. At a minimum, the following information is required to positively identify the point of contact:
Services and applications that will not be used must be disabled where practical. Access to services should be logged and/or protected through access-control methods to the extent possible. The latest security patches must be installed on the system when practical. Do not use administrator or root access when a non-privileged account can be used.
Privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).

EXCEPTIONS
All requests for exceptions to these standards and procedures will be handled by request, and will follow these guidelines:
• Must be submitted in writing to and approved by the CIO or the appropriate authority.
• Will be reviewed on a case by case basis.

NETWORK SECURITY
The Corporation Tech network design is built around three principles: Defense-in-Depth, Compartmentalization of Information and the Principle of Least Privilege. Our first step was to look at what we are protecting, which is ultimately our business and client data and information. To ensure a sound architecture we started the design of our network with scalability in mind. It is important that our design is flexible enough to meet future needs. The threats we know about and face today may not be the ones we encounter tomorrow. While developing security requirements for our IT system resources, we will determine whether they are mission-critical or data-sensitive resources. This will allow us to determine where data confidentiality and integrity are the most important requirements, or where the top priority is continuity of operation (availability).

DEFENSE-IN-DEPTH
Network safeguards provide the first protection barrier of IT system resources against threats originating outside the network. These threats can be intruders or malicious code. Our network design provides layered defenses. This means the security layers complement each other; what one misses the other catches. This will be accomplished by placing security defenses in different places throughout our IT system, and by not using two of the same type of safeguard.
Although this may increase the complexity of our security system and may potentially make management and maintenance more difficult and costly, we believe the protection of the IT system resources should be based on this layered approach. With defense-in-depth in mind, the first layer of our network security program starts with our network perimeter security. The principal network security defenses are firewalls, intrusion detection and prevention systems (IPS/IDS), VPN defenses and content inspection systems like anti-virus, anti-malware, anti-spam and URL filtering. The traditional first line of defense against attacks is typically the firewall, which is configured to allow/deny traffic by source/destination IP, port or protocol. It is very straightforward: either traffic is allowed or it is blocked. With the advent of Next Generation firewalls, which can include application control, identity awareness and other features such as IPS, web filtering, and advanced malware detection, all of these features can be managed by one device.

COMPARTMENTALIZATION OF INFORMATION
Corporation Tech will have IT system resources with different sensitivity levels or different risk tolerance levels and threat susceptibilities. These resources should be located in different security zones. The idea is to hide the data or information and make it available only to those systems where it is necessary for conducting system tasks. Examples of this are:
• E-mail, Web and DNS servers are located in the DMZ behind the perimeter firewall.
• Database servers such as SQL servers are located in the Database Zone, behind the internal firewall/IPS.
• Intranet servers, file servers and user workstations are in the LAN zone behind the internal firewall.
• The Internet is located in the Internet zone, behind the perimeter firewall.
Principle of Least Privilege
Corporation Tech administrators and users will have the minimum privileges necessary for proper functioning within the organization. This principle applies also to data and services made available to external users. An extension of this principle is the "Need-To-Know" principle, which says that users and administrators of the Corporation Tech IT system have access only to the information relevant to their role and the duties performed. Other areas of security that we will address for our network services availability are the single point of failure principle, and the separation of duty and job rotation principles. The network paths between users and mission-critical IT system resources, all the links, devices (networking and security) and the servers will be deployed in redundant configurations. The purpose of the separation of duty and job rotation principles is to limit an employee's ability to neglect and break the IT system's security policy. Separation of duty dictates that important tasks/functions should be performed by two or more employees. Job rotation states that there should be rotation of employees in important positions.

NETWORK HARDENING
For each layer of security, we will ensure the devices are running the most up-to-date software and operating systems, and that they are configured properly.

SECURITY ZONES
Intrusion Prevention (IPS) devices are responsible for detecting and blocking penetrations and attacks conducted by intruders and malicious software. We recommend an IPS be installed in the network path between potential threat sources and sensitive IT system resources. Attacks through encrypted SSL sessions are a potential vulnerability, so we recommend decrypting the sessions before they reach the IPS device in order to inspect unencrypted packets.
The IPS will be properly tuned and monitored to catch attackers that have slipped past the first defense (firewall/router). Internal networks will not have direct access to the Internet, so a Trojan delivered to a user's workstation through a phishing attack would not allow the intruder to connect to the external network. Internet services are available for internal users only through company email and HTTP Proxy servers.

ENABLE SECURE NETWORK ACCESS
We will install a VPN that is designed to allow encrypted communication to the network from the outside, utilizing two-factor authentication to ensure the identity of the users making the request. This is external-facing to the network and allows users to tunnel into our LAN from outside once the appropriate measures are taken to secure access.

SEGMENTED DMZ
There will be a front-end firewall for the external traffic and a back-end firewall for the internal traffic. Firewall rules will be optimized and tightened on all publicly available systems to allow traffic to only the necessary ports and services living in the DMZ. Firewall rules have been created to only allow the specific source IP addresses and ports to the particular servers, and proxies have been added in the network from which administrators are allowed access to the devices. Systems in different VLANs (with layer 3 switches) have been configured to help isolate and respond to incidents if a machine in the DMZ is compromised. Authentication within the LAN is required before access to the DMZ is even attempted. This prevents allowing complete control of these systems at any given time.

DEVICE INTEGRITY
All software and hardware will be purchased only from the manufacturer or from resellers who are authorized and certified by the equipment manufacturer. Unused physical interfaces on network devices will be shut down.
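The zone layout given under COMPARTMENTALIZATION OF INFORMATION and the default-deny, source-pinned rules described under SEGMENTED DMZ can be expressed as a small policy model that a reviewer can run before the rules are typed into a firewall. The following is an added example, not the essay's own code or any firewall vendor's ruleset; the subnets, host addresses and rules are constructed assumptions that follow the essay's placements (mail/web/DNS in the DMZ, SQL in the Database zone, intranet/file servers and workstations in the LAN, everything else in the Internet zone).

```python
"""Default-deny, zone-based access policy for the four security zones in the plan.

Added example, not the essay's own code. The subnet-to-zone map and the rules
are constructed assumptions that follow the essay's zone placements.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption): one RFC 1918 subnet per internal zone.
ZONES = {
    "DMZ": ip_network("10.10.0.0/24"),
    "DB": ip_network("10.20.0.0/24"),
    "LAN": ip_network("10.30.0.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the internal subnets is Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    proto: str = "tcp"
    src_host: Optional[str] = None  # pin the rule to one source host (least privilege)
    dst_host: Optional[str] = None  # pin the rule to one destination host


# Constructed rule set (assumption). Only the flows the plan calls for are listed;
# there is no LAN -> Internet rule, so workstations can only reach the web via the proxy.
POLICY = [
    Rule("INTERNET", "DMZ", 25, dst_host="10.10.0.10"),                     # inbound mail to the relay
    Rule("INTERNET", "DMZ", 443, dst_host="10.10.0.20"),                    # public web server
    Rule("INTERNET", "DMZ", 53, proto="udp", dst_host="10.10.0.25"),        # authoritative DNS
    Rule("DMZ", "DB", 1433, src_host="10.10.0.20", dst_host="10.20.0.10"),  # web app -> SQL only
    Rule("LAN", "DMZ", 3128, dst_host="10.10.0.40"),                        # users browse via the HTTP proxy
    Rule("LAN", "DMZ", 25, dst_host="10.10.0.10"),                          # users send mail via the relay
    Rule("LAN", "DB", 1433, src_host="10.30.0.5"),                          # one admin workstation may reach SQL
    Rule("DMZ", "INTERNET", 443, src_host="10.10.0.40"),                    # only the proxy fetches web content
]


def evaluate(src: str, dst: str, dport: int, proto: str = "tcp") -> bool:
    """Default deny: a flow is allowed only if some rule explicitly permits it."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.dport, rule.proto) != (src_zone, dst_zone, dport, proto):
            continue
        if rule.src_host is not None and rule.src_host != src:
            continue
        if rule.dst_host is not None and rule.dst_host != dst:
            continue
        return True
    return False


def explain(src: str, dst: str, dport: int, proto: str = "tcp") -> str:
    """Human-readable verdict with both zones named, for rule reviews."""
    verdict = "ALLOW" if evaluate(src, dst, dport, proto) else "DENY"
    return f"{verdict} {zone_of(src)}:{src} -> {zone_of(dst)}:{dst} {proto}/{dport}"


if __name__ == "__main__":
    for flow in [
        ("203.0.113.7", "10.10.0.20", 443),   # Internet -> public web server
        ("203.0.113.7", "10.30.0.5", 445),    # Internet -> LAN workstation (no path)
        ("10.10.0.20", "10.20.0.10", 1433),   # web app -> SQL
        ("10.10.0.10", "10.20.0.10", 1433),   # compromised mail relay -> SQL (pinned out)
        ("10.30.0.77", "198.51.100.1", 443),  # workstation -> Internet directly (no path)
        ("10.30.0.77", "10.10.0.40", 3128),   # workstation -> proxy
    ]:
        print(explain(*flow))
```

The value of the model is in the flows it denies: a compromised mail relay in the DMZ cannot reach the database zone because the SQL rule is pinned to the web server's address, and a workstation cannot reach the Internet except through the proxy, which is exactly the phishing-Trojan case the SECURITY ZONES section describes.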
Access lists that allow only those protocols, ports and IP addresses that are required by network users and services will be implemented. Everything else is denied. Network device configuration files are protected from unauthorized disclosure. Steps have been taken to avoid plaintext passwords in the configuration files. This has been accomplished by using encryption and/or a salted hash with iteration to protect the confidentiality of passwords in configuration files. Passwords/keys are changed immediately if a network device configuration file is transmitted in the clear (or is otherwise exposed) while containing non-encrypted passwords/keys. Secure protocols will be used when transmitting network device configuration files. All unneeded services on network devices must be shut down. Log files will be reviewed regularly to gain an in-depth understanding of normal network behavior. Any irregularity will be reported and investigated.

SECURE MANAGEMENT
Only secure protocol standards (SSHv2; IKEv2/IPsec; TLS v1.0+) will be used when performing remote administration of network devices. Default usernames and/or passwords are not used. The network device security policy should specify password length and complexity requirements. Review the network infrastructure security policy. This policy identifies who is allowed to log in to network infrastructure devices and who is allowed to configure network devices, and defines a plan for updating network device firmware at scheduled intervals.

PORT VULNERABILITIES
Port 25 – Is used for SMTP (Simple Mail Transfer Protocol). It uses both tcp and udp protocols. This port is used for email routing between mail servers and is susceptible to many well-known Trojans. We are keeping this port in a closed state.
Port 80 – Is used for web traffic, Hyper Text Transfer Protocol (HTTP). It uses both tcp and udp protocols. Port 80 udp is also used by some games, like Alien vs. Predator. The Code Red and Nimda worms also propagate via TCP port 80 (HTTP). Also, a number of trojans/backdoors use these ports. We are keeping this port in a closed state.
Port 139 – Is used for NetBIOS. NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (the Internet Protocol), instead of just the local network, meaning your shared resources are available over the whole Internet for reading and deletion unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. We will keep this port in an open state but will turn off file and print sharing capabilities.
Port 1900 – Is used for SSDP, UPnP. UPnP discovery/SSDP is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. It is vulnerable to denial of service and buffer overflow attacks. Microsoft SSDP enables discovery of UPnP devices. We are keeping this port in a closed state.
Port 2869 – Is IANA registered for: ICSLAP. It uses both tcp and udp protocols and is used for Microsoft Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), SSDP Discovery Service, Microsoft Universal Plug and Play (UPnP), and Microsoft Event Notification. We will leave this port in an open state.
Port 5357 – Is used by Microsoft Network Discovery, and should be filtered for public networks. It uses both tcp and udp protocols. It is also IANA registered for: Web Services for Devices (WSD) – a network plug-and-play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702. We will close this port and reroute traffic to HTTPS (TCP port 5358).
Port 6839 – This port is not associated with any particular service and should be closed unless it is associated and used.
Port 7435 – This port is not associated with any particular service and should be closed unless it is associated and used.
Ports 9100, 9101 and 9102 – These TCP ports are used for printing. Port numbers 9101 and 9102 are for parallel ports 2 and 3 on the three-port HP Jetdirect external print servers. They are used for network-connected print devices. These ports should remain open to allow print services. There are no listed vulnerabilities associated with these ports.
Port 9220 – This port is for raw scanning to peripherals with IEEE 1284.4 specifications. On three-port HP Jetdirects, the scan ports are 9290, 9291, and 9292. It is used for network-connected print devices. This port should remain open to allow print services. There are no listed vulnerabilities associated with this port.
Port 9500 – TCP Port 9500 may use a defined protocol to communicate depending on the application. In our case we are using port 9500 to reach the ISM Server. The ISM Server is used for exchanging backup and recovery information between storage devices. This port should remain open while services are in use. There are no listed vulnerabilities associated with this port.
Port 62078 – This port is used by iPhone while syncing. It is the port used by UPnP for multimedia file sharing, and is also used for synchronizing iTunes files between devices. Port 62078 has a known vulnerability in that a service named lockdownd sits and listens on the iPhone on port 62078. By connecting to this port and speaking the correct protocol, it is possible to spawn a number of different services on an iPhone or iPad. This port should be blacklisted or closed when the service is not required on the device.
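The port decisions listed above are only useful if they are periodically compared with what hosts actually expose, in the spirit of the plan's "everything else is denied" access-list rule. The following audit is an added example, not the essay's own code: the port dispositions are transcribed from the list above, treating each "closed" decision as "must not be listening on an audited host" (this example's interpretation), the ss(8)-style listener lines are a constructed sample, and the column layout the parser expects is an assumption about that tool's output.

```python
"""Listening-port audit against the PORT VULNERABILITIES decisions in the plan.

Added example, not the essay's own code. Port dispositions come from the essay's
list; the sample listener lines and the expected column layout are assumptions.
"""
import re
from typing import Dict, List, Tuple

# (proto, port) -> (disposition, note). Ports the plan gives as "both tcp and udp"
# appear twice. Anything not listed falls under "everything else is denied".
PLAN: Dict[Tuple[str, int], Tuple[str, str]] = {}


def _plan(ports, protos, disposition, note):
    for port in ports:
        for proto in protos:
            PLAN[(proto, port)] = (disposition, note)


_plan([25], ["tcp", "udp"], "closed", "SMTP: closed per plan")
_plan([80], ["tcp", "udp"], "closed", "HTTP: closed per plan")
_plan([139], ["tcp"], "conditional", "NetBIOS: open only with File and Print Sharing turned off")
_plan([1900], ["tcp", "udp"], "closed", "SSDP/UPnP: closed per plan")
_plan([2869], ["tcp", "udp"], "open", "ICSLAP: open per plan")
_plan([5357], ["tcp", "udp"], "closed", "WSD over HTTP: closed, traffic rerouted to 5358")
_plan([5358], ["tcp"], "open", "WSD over HTTPS: open per plan")
_plan([6839, 7435], ["tcp", "udp"], "closed", "no associated service: closed")
_plan([9100, 9101, 9102], ["tcp"], "open", "Jetdirect printing: open per plan")
_plan([9220, 9290, 9291, 9292], ["tcp"], "open", "Jetdirect raw scanning: open per plan")
_plan([9500], ["tcp"], "open", "ISM server: open while in use")
_plan([62078], ["tcp"], "closed", "iPhone lockdownd sync: closed when not required")

# Constructed sample of listener lines (assumption about the tool's layout).
SAMPLE_LISTENERS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*         users:(("ssdpd",pid=412,fd=7))
tcp   LISTEN 0      128    0.0.0.0:9100        0.0.0.0:*         users:(("jetdirect",pid=1200,fd=3))
tcp   LISTEN 0      128    0.0.0.0:139         0.0.0.0:*         users:(("smbd",pid=900,fd=10))
tcp   LISTEN 0      128    0.0.0.0:5357        0.0.0.0:*         users:(("wsdd",pid=777,fd=4))
tcp   LISTEN 0      128    [::]:5358           [::]:*            users:(("wsdd",pid=777,fd=5))
tcp   LISTEN 0      128    127.0.0.1:631       127.0.0.1:*       users:(("cupsd",pid=300,fd=6))
tcp   LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*         users:(("unknown",pid=4242,fd=3))
"""

LISTENER_RE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
VERDICTS = {"closed": "CLOSE", "open": "OK", "conditional": "OK-CONDITIONAL"}


def parse_listeners(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, local address, port, process) for each listener line."""
    out = []
    for line in text.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return out


def audit(text: str) -> List[Tuple[str, int, str, str]]:
    """Compare each network-facing listener with the plan; returns (proto, port, verdict, detail)."""
    results = []
    for proto, addr, port, proc in parse_listeners(text):
        if addr in LOOPBACK:
            continue  # loopback-only listeners are not exposed to the network
        entry = PLAN.get((proto, port))
        if entry is None:
            results.append((proto, port, "UNPLANNED", f"{proc}: not in the port plan, default is closed"))
        else:
            results.append((proto, port, VERDICTS[entry[0]], f"{proc}: {entry[1]}"))
    return results


if __name__ == "__main__":
    for proto, port, verdict, detail in audit(SAMPLE_LISTENERS):
        print(f"{verdict:15} {proto}/{port:<6} {detail}")
```

Loopback-only listeners are skipped because they are not reachable from the network, and an "OK-CONDITIONAL" result (port 139 here) is a prompt to verify the condition the plan attaches, not a pass.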
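The NETWORK HARDWARE and DEVICE INTEGRITY / SECURE MANAGEMENT controls above (no plaintext passwords in configuration files, SSHv2-only remote management, management restricted to an admin subnet, idle timeouts on console and VTY lines, NTP for incident correlation, unneeded services disabled) can be checked mechanically against a device configuration before it goes into production. The following lint is an added example, not the essay's own code or any vendor's tool: the IOS-style configuration syntax is an assumption (the essay names no vendor), both configurations are constructed samples, and the PBKDF2 helper shows the "salted hash with iteration" the plan calls for, applied to credentials the organization stores itself.

```python
"""Configuration lint for the network-device controls in the plan, plus a
salted, iterated password hash for credentials the organization stores itself.

Added example, not the essay's own code. IOS-style syntax is an assumption and
both sample configurations are constructed.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

BAD_CONFIG = """\
hostname core-sw1
enable password letmein
username admin password 0 Summ3r2019
ip http server
line con 0
line vty 0 4
 transport input telnet ssh
"""

GOOD_CONFIG = """\
hostname core-sw1
service password-encryption
enable secret 9 $9$EXAMPLE-NOT-A-REAL-HASH
username admin secret 9 $9$EXAMPLE-NOT-A-REAL-HASH
no ip http server
ip ssh version 2
ntp server 10.30.0.2
access-list 10 permit 10.30.0.0 0.0.0.255
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
 access-class 10 in
"""


def _line_blocks(config: str) -> Dict[str, List[str]]:
    """Collect the indented sub-commands under each 'line con/vty ...' block."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def lint_config(config: str) -> List[str]:
    """Return one finding per control the configuration violates (empty list = clean)."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("enable password "):
            findings.append("enable password is plaintext; use 'enable secret'")
        if re.match(r"username \S+ password (0 |7 )?\S+", line):  # type 7 is reversible
            findings.append(f"user {line.split()[1]}: plaintext or reversibly encoded password")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("SSH version 2 not enforced")
    if not re.search(r"^ntp server ", config, re.M):
        findings.append("no NTP server; incident timestamps cannot be correlated")
    if re.search(r"^ip http server", config, re.M):
        findings.append("unneeded HTTP management service enabled")
    for name, subs in _line_blocks(config).items():
        timeouts = [s for s in subs if s.startswith("exec-timeout")]
        if not timeouts or any(re.fullmatch(r"exec-timeout 0( 0)?", t) for t in timeouts):
            findings.append(f"{name}: idle sessions never time out")
        if name.startswith("line vty"):
            if any(s.startswith("transport input") and "telnet" in s for s in subs):
                findings.append(f"{name}: telnet (cleartext) management allowed")
            if not any(s.startswith("access-class") for s in subs):
                findings.append(f"{name}: management not restricted to an admin subnet")
    return findings


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(f"{label}: {lint_config(cfg) or ['no findings']}")
    record = hash_secret("correct horse battery staple")
    print(record, verify_secret("correct horse battery staple", record))
```

Run the lint on every configuration before it is pushed and again on each exported backup, since the plan treats a configuration file that leaves the device with plaintext credentials as a compromise requiring a password change.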