There are many aspects to consider when designing an enterprise IT system. Choosing partners with the right technology and knowledge is essential for safe long-term operation. Over the past decades one company, Cisco, has excelled in the competition and currently supplies about 60% of enterprise IT networks. It is advisable to engage a supplier that offers all the necessary networking units and provides proper support and warranty for its products. Therefore, this proposal builds on the products currently available from Cisco, which avoids future compatibility and support issues.

2.    Link Between the Exeter and Edinburgh sites

The most common way to secure site-to-site connections over insecure channels is to create a VPN (Arif H. 2019). Firewalls should be used to filter the data traffic. Cisco ASA (Adaptive Security Appliances) 5500 Series devices are well suited to both tasks. These devices have an operating system and interface similar to routers, but add security features that provide a secure data connection.

Services these devices provide and the design requires:

• Zone-based firewalls (separate and manage zones at different trust levels)

• Dynamic and static Network Address Translation (NAT) to allow access between the inside network and the outside world

• Generic Routing Encapsulation (GRE) and Enhanced Interior Gateway Routing Protocol (EIGRP) support

• Open Shortest Path First (OSPF) areas interconnected within the network

• Creating a Virtual Private Network (VPN). Communication is protected by a five-stage process:

1. Specify “Interesting Traffic”

2. Internet Key Exchange Phase 1 (IKE Phase 1)

3. Internet Key Exchange Phase 2 (IKE Phase 2)

4. Secure data transfer

5. VPN teardown
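As an added example (not part of the original proposal or Cisco's documentation), the five stages above mapped onto a constructed Cisco ASA site-to-site IKEv2 configuration for the Exeter side of the tunnel; the subnets, the Edinburgh peer address 203.0.113.2, the object and map names, and the pre-shared key are all placeholders.

```cisco
! Added example (constructed, not from the proposal): Exeter ASA side of an
! IKEv2 site-to-site tunnel to Edinburgh. Addresses and key are placeholders.
object network EXETER_LAN
 subnet 10.1.0.0 255.255.0.0
object network EDINBURGH_LAN
 subnet 10.2.0.0 255.255.0.0
!
! Stage 1 - "interesting traffic": only LAN-to-LAN traffic enters the tunnel
access-list VPN_EXE_EDI extended permit ip object EXETER_LAN object EDINBURGH_LAN
! NAT exemption so site-to-site traffic is not rewritten by the dynamic NAT rule
nat (inside,outside) source static EXETER_LAN EXETER_LAN destination static EDINBURGH_LAN EDINBURGH_LAN no-proxy-arp route-lookup
!
! Stage 2 - IKE Phase 1: negotiates the IKEv2 SA and authenticates the peers
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Stage 3 - IKE Phase 2: negotiates the IPsec SA (ESP) that protects user data
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Peer authentication: pre-shared key (placeholder; use a long random value)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Stage 4 - secure data transfer: the crypto map binds interesting traffic,
! peer and proposal to the outside interface. Stage 5 (teardown) happens when
! the SA lifetime below expires or the tunnel is cleared by an administrator.
crypto map OUTSIDE_MAP 10 match address VPN_EXE_EDI
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside
```

The Edinburgh ASA mirrors this with the subnets and peer address swapped; tunnel state can then be checked with `show crypto ikev2 sa` (Phase 1) and `show crypto ipsec sa` (Phase 2).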

3.    Exeter HQ buildings

a. The security weaknesses/hazards

The first central question is whether the company's operation requires running its own servers. Since the company is located in multiple buildings, a central server is strongly recommended to avoid the problems caused by synchronising data stored in several places. The current trend is that running local servers is not economical, so more and more companies are opting for cloud-based data and file storage. This not only reduces the cost of day-to-day operation, but also places security in the hands of specialist companies. Our recommendation is to enter into an agreement with a reliable service provider capable of performing the required tasks. This can be any of the large providers, e.g. Amazon, IBM or Google, but Cisco also offers this service, and since the network devices will be sourced from them, they may be a good choice for a single global deal.

The second central issue is whether to use wired or wireless connections within the floors to connect the computers. Experience has shown that a large number of wireless devices in a small area gives fluctuating communication speed and is easier to attack. Therefore, a wired connection is recommended. Cabling can be run behind the false ceilings commonly used in office buildings or, if this is not possible, the cheapest option is to build a neat, closed cable trunking system that also allows the cables to be maintained. It is recommended to set up one wireless access point per floor so that wireless devices such as mobile phones and tablets can connect to the network.

In many cases, the misuse of IT systems is not carried out by external attackers, but by internal employees who gain access to colleagues' unlocked computers or obtain their passwords. To avoid this, it is advisable to install a card or biometric access system on each office door. Old keypad (PIN) door locks are outdated, and their codes are relatively easy to obtain by simply watching someone enter them, so they should be avoided.

As with any enterprise system, installing a security camera system is recommended. State-of-the-art cameras can communicate over the IT network, which simplifies deployment and eliminates the need for a dedicated cabling system. Cameras are not a complete security solution in themselves: experience has shown that while they have a preventive effect, they cannot stop crimes in real time, but the captured footage greatly assists investigation.

We have the following suggestions for the above floor plan.

• Because cloud-based servers will be used, one server room is sufficient. On this level neither server room has an entrance visible from the front desk, so both rooms should be given more general uses, e.g. storage of cleaning products and consumables.

• The Administration Staff room is the smallest and loses a lot of space to its three doors. It would be a good idea to swap rooms with the Managing Director; by closing off the two side doors, the usable space increases and no space is wasted on them.

We also have suggestions for the top floor plan.

• It is recommended to keep server room number 3. Its entrance is not directly accessible to visitors and is close to the technical staff.

• When ordering the new broadband connection, request that the new modem be placed in Server Room 3 (to be renumbered Server Room 1 in future).

• Although the current cable connection to the other building will be terminated, Server Room 3 is the closest point for installing an outdoor unit on the roof or a side wall.

• The Lawyers' offices are scattered across the two buildings. By splitting Office 1 in two, it would be possible to move Accountancy Office 3 to one half and Insurance Office 3 to the other. This would bring each department together in one building, which is much more reasonable in terms of network construction.

Changes to the 11th level of the new building.

• Server Room 4 is well located if local and building regulations allow the installation of an outdoor antenna on the side wall of the building, as this level is approximately the same height as the roof of the old building. This solution gives the shortest transmission distance. If the antenna cannot be placed on the side wall, it is advisable to move this server room to the unused storage room on the floor above, from where the rooftop antenna is more easily accessible.

• Accountancy Office 3 moves into one half of the split Lawyers' office in the old building. The lawyers from that half move into the space vacated here, bringing the Lawyers together in one building.

• Make sure the Fire Escape door can be opened from the outside only in the event of a fire or emergency. Unjustified opening from the inside should also trigger an audible signal at reception to avoid uncontrolled passage.

Proposed changes to the 12th floor of the new building.

• Server Room 4, which will become Server Room 2, will probably be moved upstairs into this unused storage room.

• Insurance Office 3 will also relocate to the Lawyers' office in the old building, and four people from the Lawyers' office will move here.

• The Fire Escape doors should be fitted with the same conditions as on the lower level.

b. Security weaknesses with their existing network arrangements

The highest data rate currently available in the UK is provided by a BTnet leased line connection. It is definitely advisable for a company of this kind to use such a service. The current Infinity 2 modem is not suitable for it, but a fully managed Cisco router can be requested from BT as part of the service. The maximum transmission speed of this service is up to 10 Gbps.

In the current network, the Internet is accessed through a server, which probably also acts as the firewall. Firewall functions should not be provided by software on a general-purpose server but by a dedicated device, such as a Cisco ASA 5000 router.

The current network also includes two Linksys N300 E1700 routers, which are designed for home use and are not suitable for business use. They are also already very slow, with a maximum speed of 300 Mbps. They need to be replaced with more appropriate and secure devices, such as Cisco's mid-range 550/560 Series Wireless Access Points, which provide 450 Mbps per radio and can also be joined into a cluster for greater coverage and speed.

The connection between the two buildings is described in section d.

The other existing Cisco switches can be reused in the new network after professional servicing and verification, thus reducing the investment cost.

The following schematic diagram illustrates how it is possible to solve the connection between the two buildings and the networks on each floor.

c. Reworked diagrams of the floor plans

Revised floor plan for 9th level.

Proposed draft for 10th level.

Planned changes to 11th Level.

Revised floor plan for 12th level.

d. Recommendations including any building/network design alterations and any additional network/system hardware or software

Some of the overall network architecture suggestions are already given in points b. and c. as solutions to the weak points. We do not intend to repeat them here, because it is more straightforward to offer a solution alongside each problem; this also avoids leaving questions unanswered. Therefore, at this point we propose only the solution for connecting the two Exeter buildings.

Due to the physical characteristics of the Exeter buildings, the simplest network connection can be achieved with a wireless solution. The most up-to-date wireless networks are based on the MESH system, whose most important advantages are that it is easily scalable and every device is directly connected to the other members of the network, so that in the event of a failure the connection can still be provided through other members of the network.

Cisco Aironet 1552 Mesh Access Point

Of the Cisco products, the AP 1500 series is the best choice for this wireless connection. From a technical point of view it is important for us that it supports several modes of operation, such as Root Bridge, Non-root Bridge and Workgroup Bridge; that is, the units can be used to establish a direct point-to-point connection.

Autonomous Deployment

Each of the two radio frequencies can cover a range of 75 meters in any mode, and the range that can be provided in any connection mode is up to 160 meters.

The height difference between the two buildings needs to be measured accurately, because the vertical beamwidth of the AP1500 series is 29° at 2.4 GHz and 15° at 5 GHz. If the angle between the two roofs exceeds 15°, two solutions are possible: either one of the access points is placed on the side wall of the taller building, or an AIR-ACC1530-PMK2 mounting kit is used, which allows tilting of up to 90° so that the two antennas face each other directly. Installing two or more pairs of antennas increases the reliability of data transmission and prevents loss of connection due to malfunction or damage; this is supported by MESH. (Cisco 2019)

AIR-ACC1530-PMK2= - Wall/Pole mount bracket with tilt mechanism, orderable as an add-on

4.    The Edinburgh branch

One of the key aspects of designing for a multi-site or expanding company is that its systems should be standardised and reproducible. The regulations of all countries concerned should be taken into account as far as possible. This avoids incompatibilities between different systems and allows employees to move easily between sites once they are used to one system. Based on the above, it is recommended that the criteria applied to the Exeter building levels also be applied at the Edinburgh office.

a. Recommendations and a design for a workable and secure network

The floor plan of the current building is shown above. Because every change must be reversible, only the most important changes should be made. The floor plan follows the standard layout of an office building and therefore does not require major changes.

There are some changes that you might want to make.

• It would be advisable to have two windows in the security room, one giving an outward view and one allowing visitors to be seen, thus avoiding inattention. On the front door side, it is advisable to set up an intercom system for communicating with employees or guests.

• It is advisable to move the Branch Manager's office door to face the Reception so that it can be visually monitored by the front desk and security staff.

• If the Inner Foyer double door is opaque, replace it with a larger, transparent sliding door so that all important entrances can be seen through it.

• A card access system must be installed on every room door to prevent unauthorised access. Not only visitors can cause problems, but also employees who want to carry out illegal activities in others' offices.

• The storage space next to the toilet is only recommended for storing non-essential consumables. Records containing sensitive information must be stored in the other storage room, adjacent to the Reception Area, if they are to be kept on site at all.

b. Any suitable “added temporary” fittings that might be required.

Because neither a major change nor a temporary change is recommended, the final changes should be made as soon as possible. Setting up temporary systems would only increase costs without any real benefit.

c. A reworked diagram to support your findings.

5.    Conclusion

The appendices received for the preparation of the plans revealed that the company has not paid sufficient attention to the secure construction and operation of its IT networks in the recent past, so changes are necessary. The above is a list of changes that are necessary and sufficient to operate the company at its current size. However, scalability was a design consideration: due to the modular nature of the recommended devices, they can be combined with newer devices and do not need to be replaced if the company grows as planned.

6.    References

 

Arif Hidayat (2019) ‘Analysis and Distance Access Design Far with Vpn Technology in Bmt Office. Mentari East Lampung’, IJISCS (International Journal of Information System and Computer Science), (2), p. 64. Available at: http://search.ebscohost.com/login.aspx?direct=true&db=edsdoj&AN=edsdoj.3e8d9de59b240d4bf77103e3841d8ed&site=eds-live&scope=site (Accessed: 1 January 2020).

Carugi, M. and De Clercq, J. (2004) ‘Virtual private network services: scenarios, requirements and architectural constructs from a standardization perspective’, IEEE Communications Magazine, 42(6), pp. 116–122. doi: 10.1109/MCOM.2004.1304246.

Cisco (2019) Cisco Small Business 550/560 Wireless Access Points Data Sheet. [Online]. Available at: https://www.cisco.com/c/en/us/products/collateral/wireless/small-business-500-series-wireless-access-points/data_sheet_c78-727995.html (Accessed: 19 December 2019).

Cisco (2019) Enterprise Mobility 8.1 Design Guide. [Online]. Available at: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/Chapter-8.html (Accessed: 18 December 2019).

Cisco (2019) Next-Generation Firewalls. [Online]. Available at: https://www.cisco.com/c/en_uk/products/security/firewalls/index.html (Accessed: 20 December 2019).

Ensign (2019) Point to Point (WiFi) Wireless. [Online]. Available at: https://www.ensign-net.co.uk/point-to-point-wireless.html (Accessed: 16 December 2019).

Statista (2019) Market share of enterprise network vendors worldwide from 2015 to 2019. [Online]. Available at: https://www.statista.com/statistics/540779/enterprise-network-market-share-by-vendor/ (Accessed: 16 December 2019).

7.    Attachment

The following pages provide full-size graphics of the plotted charts in landscape layout for easier viewing.