How to design a secure office network

An office network must be designed with sufficient security to prevent loss or leakage of data and to keep third parties out.

Network security consists of protecting information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Most organizations follow the CIA information security triad: 

• Confidentiality – Confidential information may be accessed only by designated persons, organizations, or processes.

• Integrity – Data is protected from unauthorized alteration. This requires cryptographic hashing algorithms such as SHA.

• Availability – Approved users must have access to essential services and data without interruption.
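The integrity principle above is usually put into practice with a hash manifest: record a SHA-256 digest of every protected file, then recompute and compare later. The Python example below is added here and is not code from the original article; the file paths and contents are constructed in memory so that it runs offline, and the manifest itself must be kept somewhere an attacker cannot write, otherwise a tampered file can simply be rehashed.

```python
import hashlib
import json

# Constructed sample "files": path -> contents. In a real deployment these
# would be read from disk; an in-memory dict keeps the example self-contained.
BASELINE_FILES = {
    "/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 fileserver\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Create a JSON manifest mapping each path to the SHA-256 of its contents.
    Store the result on read-only or separately controlled media."""
    digests = {path: sha256_hex(data) for path, data in files.items()}
    return json.dumps(digests, sort_keys=True)


def verify_manifest(manifest: str, files: dict) -> dict:
    """Compare current file contents against the manifest and report
    modified, missing and unexpected paths (each list sorted)."""
    expected = json.loads(manifest)
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, digest in expected.items():
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) != digest:
            report["modified"].append(path)
    for path in files:
        if path not in expected:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES)
    # Simulate an intruder weakening sshd, deleting hosts and dropping a new file.
    tampered = dict(BASELINE_FILES)
    tampered["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
    del tampered["/etc/hosts"]
    tampered["/tmp/.hidden"] = b"unexpected file"
    print(verify_manifest(manifest, tampered))
```

Run the check on a schedule and treat any non-empty list in the report as an integrity alert; a clean baseline returns three empty lists.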

To ensure safe communication over both public and private networks, you must protect the devices involved, including routers, switches, servers, and hosts. Most organizations use a defense-in-depth approach, in which a combination of networking devices and facilities work together so that no single control is relied on alone.

The basic requirements for designing a network: 

• Modem 

• Router 

• Firewall 

• Switch 

• Cable 

• Access point

• Ethernet hub 

• Network security and management  

Network Setup

The internet connection from the local ISP (internet service provider) arrives over a cable and is connected to a router. A firewall filters the traffic passing through that link. The filtered connection is then fed to a switch, which lets all the office devices reach the internet.

No single security system or piece of technology can satisfy all network security requirements. Since a range of security systems and tools must be deployed, it is vital that they work together; security appliances are most effective when they operate as part of a system.

Security appliances are often stand-alone devices such as a router or firewall, a card installed into a network device, or a module with its own processor and cache memory. Security appliances can also be software tools that run on a network device.

The following security devices and services are implemented:

• VPN

• Firewall

• IDS and IPS technologies

• Security patches

• Protection against malware

• Data encryption

• Port security

VPN

A VPN (Virtual Private Network) can improve your security level. Once you are using a VPN, all of your network traffic is tunneled through the VPN server, which may be located anywhere in the world. As a result, the VPN hides your identity from the sites you visit, and anyone watching the local network or the ISP link sees only encrypted traffic to the VPN server rather than your browsing activity.

There are two ways in which VPN acts as network security: 

1. Encryption 

2. IP masking 

Encryption – A VPN is built to provide a secure connection between two devices over the internet, and part of this is encrypting your data. The data is encrypted on your device before it is sent to the VPN server, which decrypts it and forwards it to its destination online.

IP masking – An IP address is your online home address. When a VPN is used, your traffic carries the VPN server's IP address instead of your home address, which prevents an intruder from monitoring or gaining access to the user's network through that address.

Firewall

A firewall is a system that enforces an access policy between networks. Firewalls track and manage data traffic according to the security options that are configured.

The firewall allows inbound traffic for:

1. Any external address to the web server

2. FTP

3. SMTP

4. The internal IMAP server

It denies all incoming:

1. Traffic whose source address matches an internal registered IP address (such packets arriving from outside are spoofed)

2. ICMP echo request traffic

3. MS Active Directory queries

4. MS domain local broadcasts

5. Traffic to servers from external addresses, other than the services allowed above

6. MS SQL Server queries
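The allow and deny lists above are an ordered packet-filtering policy: deny rules for spoofed and unwanted traffic are checked first, the permitted services next, and anything else falls through to a default deny. The Python model below is an added example, not the article's own configuration or any vendor's syntax. The address ranges are constructed (RFC 1918 space for the office, a documentation range for the outside), and the port mappings for the Microsoft services (LDAP 389/636 for Active Directory queries, NetBIOS 137/138 for domain broadcasts, 1433 for SQL Server) are assumptions to adjust for your own environment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed addressing for the example office.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WEB_SERVER = ipaddress.ip_address("192.168.100.10")
FTP_SERVER = ipaddress.ip_address("192.168.100.20")
MAIL_SERVER = ipaddress.ip_address("192.168.100.30")   # receives SMTP, serves IMAP


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[int] = None  # ICMP type; 8 is echo request

    @property
    def src_ip(self):
        return ipaddress.ip_address(self.src)

    @property
    def dst_ip(self):
        return ipaddress.ip_address(self.dst)


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


# Ordered rules: (action, name, predicate). First match wins.
# Port numbers for the Microsoft services are assumptions (see lead-in).
INBOUND_RULES: List[Tuple[str, str, Callable[[Packet], bool]]] = [
    ("deny",  "spoofed-internal-source", lambda p: is_internal(p.src_ip)),
    ("deny",  "icmp-echo-request",       lambda p: p.proto == "icmp" and p.icmp_type == 8),
    ("deny",  "ad-ldap-queries",         lambda p: p.dport in (389, 636)),
    ("deny",  "netbios-broadcast",       lambda p: p.proto == "udp" and p.dport in (137, 138)),
    ("deny",  "ms-sql",                  lambda p: p.proto == "tcp" and p.dport == 1433),
    ("allow", "web-from-anywhere",       lambda p: p.proto == "tcp" and p.dst_ip == WEB_SERVER and p.dport in (80, 443)),
    ("allow", "ftp",                     lambda p: p.proto == "tcp" and p.dst_ip == FTP_SERVER and p.dport == 21),
    ("allow", "smtp",                    lambda p: p.proto == "tcp" and p.dst_ip == MAIL_SERVER and p.dport == 25),
    ("allow", "imap-internal",           lambda p: p.proto == "tcp" and p.dst_ip == MAIL_SERVER and p.dport in (143, 993)),
]


def evaluate_inbound(pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule_name) for a packet arriving on the external interface."""
    for action, name, matches in INBOUND_RULES:
        if matches(pkt):
            return action, name
    # Anything not explicitly allowed, including other servers reached from
    # external addresses, is dropped here.
    return "deny", "default-deny"


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "192.168.100.10", dport=443),
        Packet("tcp", "10.1.2.3", "192.168.100.10", dport=443),      # internal source from outside
        Packet("icmp", "198.51.100.7", "192.168.100.10", icmp_type=8),
        Packet("tcp", "198.51.100.7", "192.168.100.40", dport=22),
    ]
    for s in samples:
        print(s.proto, s.src, "->", s.dst, s.dport, evaluate_inbound(s))
```

Keeping the anti-spoofing rule first matters: if the allow rules came first, a packet from outside claiming an internal source address would be accepted by the web-server rule before the spoof check ever ran.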

Some common firewall types that are implemented are listed below:

1. Network Layer Firewall 

2. Transport Layer Firewall  

3. Application Layer Firewall  

4. Context Aware Application Firewall  

5. Proxy Server  

6. Reverse Proxy Server 

7. Network Address Translation (NAT) Firewall  

8. Host-based Firewall

IDS and IPS technologies

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are cost-effective technologies for tracking and stopping rapidly evolving attacks. They are deployed as sensors in various device forms and can detect attacks contained in a single packet or spread across multiple packets.

The steps an IPS follows when handling traffic:

1. The packet is sent by the attacker to the targeted device.

2. The packet is received by the IPS and evaluated against the threats and policies set by the office.

3. The IPS sends information to the management console in the form of a log message.

4. Finally, the packet is dropped by the IPS.

An IDS performs the same detection and logging but only alerts; it does not drop the packet.
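The four steps above, with both a single-packet signature and a multi-packet policy so that the sensor catches each kind of attack the section mentions, as an added Python example rather than any product's rule syntax. The signature (a path-traversal pattern), the connection threshold, the addresses and the timestamps are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    ts: float = 0.0          # arrival time in seconds (constructed)


# Single-packet signatures: (id, description, pattern over the payload).
SIGNATURES = [
    ("SIG-001", "path traversal in HTTP request", re.compile(rb"\.\./")),
]
# Multi-packet policy: more than CONN_LIMIT packets from one source within WINDOW seconds.
CONN_LIMIT = 5
WINDOW = 10.0


class InlineIPS:
    def __init__(self) -> None:
        self.logs: List[str] = []               # messages for the management console
        self.recent = defaultdict(list)         # src -> timestamps inside the window

    def _evaluate(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        """Step 2: match the packet against signatures, then against the rate policy."""
        for sig_id, desc, pattern in SIGNATURES:
            if pattern.search(pkt.payload):
                return sig_id, desc
        window = [t for t in self.recent[pkt.src] if pkt.ts - t <= WINDOW]
        window.append(pkt.ts)
        self.recent[pkt.src] = window
        if len(window) > CONN_LIMIT:
            return "POL-001", f"more than {CONN_LIMIT} packets in {WINDOW:.0f}s"
        return None

    def process(self, pkt: Packet) -> str:
        """Steps 2 to 4: evaluate, log on a hit, then drop. Returns 'forward' or 'drop'."""
        hit = self._evaluate(pkt)
        if hit is None:
            return "forward"
        sig_id, desc = hit
        # Step 3: log message to the console before the packet is discarded.
        self.logs.append(f"[IPS] {sig_id} {desc} src={pkt.src} dst={pkt.dst}:{pkt.dport} action=drop")
        return "drop"                           # Step 4


if __name__ == "__main__":
    ips = InlineIPS()
    print(ips.process(Packet("198.51.100.7", "192.168.100.10", 80, b"GET /index.html HTTP/1.1\r\n", 1.0)))
    print(ips.process(Packet("198.51.100.7", "192.168.100.10", 80, b"GET /files/../../config HTTP/1.1\r\n", 2.0)))
    for line in ips.logs:
        print(line)
```

An IDS built on the same class would return "forward" in every case and keep only the log entries; the difference between the two technologies is whether the final step is taken.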

Protection against Malware 

The most common type of malware is the virus. Other types include Trojan horses, worms, spyware, and adware. Malware protection can be built into devices such as routers and IPS appliances, and installed as software on computers and mobile phones, where it must be updated regularly. Anti-malware software should be configured to scan files and web pages automatically and block malicious content. Ensure that devices are scanned regularly.

Security Patches 

A software patch is a set of changes that upgrades a program, addresses security vulnerabilities, or enhances its functionality, usability or performance. The term is also used as a synonym for fixing bugs.

The common implementations are: 

1. Use only licensed tools in order to prevent third-party access.

2. Install updates for all software as soon as they are available.

3. Remove unsupported software and files from the device.

Data encryption 

Encryption is the process of converting the data into a form where an unauthorized party cannot  read it. Only a trusted, authorized person with the secret key or password can decrypt the  information and access it in its original form. The encryption itself doesn’t prevent someone from  intercepting the data. Encryption will only prevent the content from being displayed or accessed  by an unauthorized user.

Software programs are used to encrypt files, folders, and even entire drives. Encrypting File System (EFS) is a Windows feature that encrypts data. EFS is tied directly to a selected user account: only the user who encrypted the information can access it once it has been encrypted with EFS.

There are two types of encryption: 

1. Symmetric 

2. Asymmetric 

Symmetric encryption 

Symmetric algorithms use the same pre-shared key, also called a secret key, to encrypt and decrypt data. The pre-shared key is known to both sender and receiver before any encrypted communication takes place.

Symmetric encryption algorithms are commonly used for VPN traffic because they use less CPU than asymmetric encryption algorithms.

With symmetric encryption algorithms, the longer the key, the longer it takes someone to recover it by brute force. To ensure that the encryption is safe, use a minimum key length of 128 bits.

Asymmetric encryption 

Asymmetric algorithms, also called public-key algorithms, are designed so that the key used for encryption is different from the key used for decryption.

Asymmetric algorithms use a public key and a private key; the complementary key of the pair is required for decryption. Data encrypted with the public key requires the private key to decrypt. Through this process asymmetric algorithms provide confidentiality, authentication, and integrity.

Because neither party has a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths between 512 and 4,096 bits. Key lengths greater than or equal to 1,024 bits are often trusted, while shorter key lengths are considered unreliable; current guidance for RSA treats 2,048 bits as the practical minimum.

Add port security 

Port security is a capability of most switches that controls which devices are permitted to send traffic through a given switch port. It limits the number of MAC addresses allowed on the port and forwards only frames whose source MAC address matches an allowed entry; all others are blocked. When the switch flags a violation, it can automatically disable the port, cutting off further network access. Port security therefore limits both the number and the kind of devices allowed on each individual switch port.

There are two ways to implement port security: 

Dynamic locking – The maximum number of MAC addresses allowed on a port is specified, and the switch learns source MAC addresses on that port until the limit is reached.

Static locking – The allowed MAC addresses are specified manually. Dynamically locked addresses can be converted to statically locked addresses.
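The two locking modes and the violation handling described above, modelled as a Python class so the behaviour can be traced frame by frame. This is an added example and not any switch vendor's implementation; the port names, MAC addresses and the two violation modes ("shutdown", which disables the port, and "restrict", which only drops the offending frame) are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Set


@dataclass
class SecurePort:
    name: str
    max_macs: int = 2                                # address limit for dynamic locking
    static: Set[str] = field(default_factory=set)    # statically locked addresses
    dynamic: Set[str] = field(default_factory=set)   # dynamically learned addresses
    violation_mode: str = "shutdown"                 # "shutdown" or "restrict" (constructed names)
    enabled: bool = True
    violations: int = 0

    def allowed(self) -> Set[str]:
        return self.static | self.dynamic

    def receive(self, src_mac: str) -> str:
        """Decide what the switch does with a frame from src_mac on this port.
        Returns 'forward', 'drop' or 'shutdown'."""
        src_mac = src_mac.lower()
        if not self.enabled:
            return "drop"                             # a disabled port passes nothing
        if src_mac in self.allowed():
            return "forward"
        if len(self.allowed()) < self.max_macs:
            self.dynamic.add(src_mac)                 # dynamic locking: learn up to the limit
            return "forward"
        self.violations += 1                          # unknown address beyond the limit
        if self.violation_mode == "shutdown":
            self.enabled = False
            return "shutdown"
        return "drop"

    def lock_static(self, mac: str) -> None:
        """Static locking: pin an address manually; a dynamically learned
        address given here is converted to a static entry."""
        mac = mac.lower()
        self.dynamic.discard(mac)
        self.static.add(mac)

    def reenable(self) -> None:
        """An administrator clears the disabled state after investigating the violation."""
        self.enabled = True


if __name__ == "__main__":
    port = SecurePort("Gi1/0/1", max_macs=2)
    for mac in ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"]:
        print(mac, "->", port.receive(mac))
    print("port enabled:", port.enabled, "violations:", port.violations)
```

A violation counter that climbs on a port that should only ever see one printer or one desktop is a useful alert source in its own right, separate from the port being disabled.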

Lastly, although it does not fall under any technical requirement, physical security should also be considered when designing a secure network. Employees should be given enough training to tell a malicious file from a harmless one. A strong security management team should be appointed to maintain the organization's network security and to check regularly that all the technical requirements are being fulfilled.