Infrastructure and Security, Research Paper Example

For designing a network for the second building of the company requires a fit for purpose scalable network that will address future goals of the company. Currently we are assuming a head office building with one floor and in the future there may be three buildings, i.e. the network needs to be scalable and secure. We are proposing a three floor network proposal, as critical assets of the company are located at the ground floor and the company is located near river banks, there is a high probability of natural disasters i.e. floods etc. However, in case of configuring a wireless network, IEEE-802.11g compliant will be recommended for covering the distance of 250 meters. Figure 1.1 demonstrates the proposed network architecture for the organization.

Proposed Network Design

As the organization is planning to expand from one floor to three floors, the network design must meet the expansion requirements as well as compatibility issues with network devices. In fig 1.1, we have proposed a networked solution for the organization, starting from the Internet connectivity. It depends what will be the bandwidth requirements for the organization. If the organization is planning to open new offices after establishing the second and third floor, a high speed MPLS + Internet connectivity will be recommended. The MPLS servers as a high speed local area network between distant and remote offices of the organization. Whereas, Internet will provide access to websites and any other business processes that may require Internet access. Likewise, this connection will serve as a substantial cost saver for bandwidth along with high availability of data. Moreover, MPLS is highly reliable and provides end to end encryption this will server solid network security when exchanging information between remote offices. The router available that is operational at the organization has a built-in functionality of performing NAT (Network Address Translation). The NAT also serves as a baseline security control for any organization, as it hides all the private or local IP addresses that are configured within the organization. Apart from the firewall, an extra layer of security is added within the proposed network solution.  Likewise, a firewall filter data packets based on the rules defined, but the intrusion detection system will work in a different way comparatively. The intrusion detection system has two types up till now i.e. anomaly based intrusion detection system and signature based intrusion detection system. The anomaly based IDS notify the relevant stakeholders if any kind of anomaly or abnormal network behavior is detected. As a result, lot of false positives is generated and it is difficult to sort thousands of alerts that are generated on hourly basis. Whereas, signature based IDS can identify only those unknown patterns of behavior that are already defined within its database. The advantage of signature based IDS is low network performance overhead but at the same time there is one risks of any anomaly that cannot be identified due to its unavailability in the signature database. As per the network diagram, a DMZ is defined along with the existence of the screened subnet. If any hacker tries to penetrate within the network, the first level of breach will be limited to the server placed in the DMZ i.e. the proxy server. As the IDS are located there to detect any anomalies, the relevant stakeholders can be informed at an early stage. Moreover, the screened subnet will also become a massive challenge for the hacker, as the attack will be established with a single IP address and the screened subnet has two different subnets with different subnetting schemes configured i.e. one for internal network and one for the external networks. Moreover the switch distributed to the switches, that are internally located, is connected to the interior router, as shown in fig 1.1. Furthermore, the wireless access points are connected to the 32 port manageable switches.

There is a requirement of a powerful vulnerability assessment and management tool that will facilitate the network security team in crises situations. Moreover, there is one more challenge for the network administrators i.e. they are not able to find traces for the threat that has already penetrated into a distributed network environment. Likewise, distributed network is a merger of two or more networks and may be operational on a broad spectrum. Moreover, the existing network security controls are not capable to detect the worm, as the distributed network is connected to one or more networks; it is difficult to analyze specific anomalies and patterns of unknown activity on the distributed network. Furthermore, the combination of infinite data packets can construct a major impact on the network because they all have the same frequency and are associated with the same domain that is similar to the current scenario. For addressing this issue, powerful vulnerability detection and assessment tools are required for detecting threats on a distributed network. Tools supporting pattern detection for distributed network environment provides a network wide correlation analysis associated with instant parameters along with anomalous space extraction, instant amplitude and instant frequency. We will discuss tools that are available for vulnerability assessment and can be utilized by the network administrator for enabling instant amplitude and instant frequency so that transmission of data packets on the network can detect unknown activities or patterns on the network. Moreover, these tools will also facilitate to categorize data packets in to time and frequency domains distinctly. Furthermore, network administrators can also implement a methodology, subset of the current methodology, which is called as anomalous space extraction based on predictions of network traffic or transmission of data packets.

Successful information security management involves an amalgamation of prevention, detection and response in order to deploy a strong security defense. Security has become an encircling issue for designers and developers of the digital world. A system should also be able to counter incidents and raise proper procedures in case an information security incident occurs. Information security incident handling takes a stride forward in the information security management procedure. The aim is to provide a reference for the management, administration and other technical operational staff. If considering the enterprise government, focus on executing management actions is required to support the strategic goals of the organization. It has been calculated approximately half of the breaches to the security of the information systems are made by the internal staff or employee of the organization.

Security incident management facilitates the development of security incident handling and planning including preparation for detection and reply to information security issues. The standard of the incident management primarily relates to ensure the existence of processes rather than the contents of these procedures.  The security incident of different computing systems will have dissimilar effects and escort to different consequences, bureau, departments the organization need to tailor the security incident handling plan according to specific operational requirements.  In order to do so, the security staff must equip with tools for vulnerability detection and assessment. The internal and the external threats are controlled by utilizing hardware firewall on the global router at the root site. But by placing additional domain controllers on each and every site, that can be located in future, thus making the site independent, the risk of site link failure can be minimized. If the file server turns offline without any reason, the offline files are accessible to the other online sites. For this reason, the sites are made independent and do not require any extra file servers on site with every other site. For the additional servers, the company must form a huge network but for these types of networks there is no need for any other additional servers. Moreover, a switch is given at each site that helps to connect the hosts to the network if needed. For accessing any branch, separate routers are proposed that connects these three branches separately with each other on the network.

Security Policy and Acceptable Use for the Organization

Purpose

The purpose of the information security policy is to provide direction and support for all information security activities in accordance with business requirements and relevant laws and regulations.

Scope

This policy covers establishment of a complete Information Security Management System, including related documentation, implementation and regular monitoring, both through planned audits and through reporting of any security incidents. Adherence to the policy is mandatory for all permanent and contractual employees, consultants and other workers, including all personnel affiliated with third parties.

Policy

It is the policy of the organization to implement an Information Security framework within the scope of its geographically distributed BPO operations providing information processing services to various sectors including Mortgage, Title Insurance, Oil & Gas and Governmental sectors.

The organization aims that:

A management structure shall be established to initiate and control the implementation of information security within the Company.

Access to the Company’s information and associated processing facilities shall be controlled.

Information shall be classified to indicate the need, priority and degree of protection required.

All requirements related to Human Resource security shall be fulfilled at the recruitment stage, and, thereafter, all information security responsibilities as defined in the Company’s information security policies and procedures shall be monitored during an individual’s employment.

All staff shall be trained in security procedures and the correct use of information systems facilities.

Incidents affecting security shall be reported promptly through the defined management structure.

Business information and information processing facilities shall be protected from security threats and environmental hazards in a manner commensurate with the associated risks. Business information and information processing facilities supporting critical or sensitive business activities shall be housed in secure areas with appropriate entry controls.

Responsibilities and procedures shall be established for the management and operation of all information processing facilities.

Projections of future capacity shall be made and operational requirements of new systems shall be established, documented and tested prior to their acceptance and use.

Controls shall be established to prevent and detect viruses and other malicious software.

Routine procedures shall be established for taking back-up copies of information and system software, logging events and faults (e.g. all type of server logs, etc) and, where appropriate, monitoring the equipment installed for this purpose (e.g. camera recording and its audit logs, etc.).

Information within networks and passing over public networks shall be secured and protected from unauthorized access.

Procedures shall be established for the proper handling, storage and disposal of documents and computer media.

Controls shall be established to protect exchanges of information and software with other organizations including information transfer through FTP or CD’s.

Security shall be applied on operating system to restrict unauthorized access to computer resources.

All security control systems shall be monitored to detect deviation from access control policy.

All information systems and related facilities shall be regularly monitored to identify the deviations, violations and inconsistencies with defined information security policies and procedures.

Controls shall be established to mitigate the additional security risks associated with mobile computing and wireless networks.

Security requirements shall be identified and agreed prior to the processing of information system activities.

Business continuity plans shall be established to protect critical business processes from the effects of major failure or disasters.

All legal, regulatory, contractual requirements shall be identified and adhered by management.

Information systems shall be audited for compliance.

Effectiveness of implemented security controls shall be measured and shared with the stakeholders.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment