It is essential to design a network for office maintaining sufficient security in order to prevent any loss or leakage of data and/or any third party intrusion.
Network security consists of protecting information and knowledge systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Most organizations follow the CIA information security triad:
• Confidentiality-Confidential information may be accessed by only designated persons , organizations, or processes.
• Integrity – Refers to protecting data from unauthorized alteration. It requires the use of cryptographic hashing algorithms such as SHA.
• Availability-Approved users must have access to essential services and data without interruption.
To ensure safe communications in both public and private networks, you must protect devices including routers, switches, servers, and hosts. A defense-in – depth approach to security is used by most organizations. A combination of networking devices and facilities that work together is required.
The basic requirements for designing a network:
• Modem
• Router
• Firewall
• Switch
• Cable
• Access point
• Ethernet hub
• Network security and management
Network Setup
The internet connection which comes from the local ISP (internet service provider) through a cable is connected to a router. The firewall filters the network traffic channeled through the cable. The cable is then connected to a switch which enables all the devices to connect to the internet.
There is no single security system or piece of technology today that can satisfy all network security requirements. Since there are a range of security systems and tools that need to be incorporated, it is vital that they all work together. When they are part of a system, security appliances are the most effective.
Security appliances are often stand-alone devices, sort of a router or firewall, a card which will be installed into a network device, or a module with its own processor and cached memory. Security appliances also can be software tools that are run on a network device.
Several security devices and services are implemented.
• VPN
• Firewall
• IDS and IPS technologies
• Security Patches
• Protection against malware
• Data encryption
• Add port security
VPN
VPN or Virtual Private network can improve your security level. once you are employing a VPN network, all of your network traffic is tunneled through the VPN server. This VPN server is found elsewhere within the world. Hence, you’ll hide your identity by using VPN software. If you’re employing a VPN, then nobody can track your browsing activity.
There are two ways in which VPN acts as network security:
1. Encryption
2. IP masking
Encryption- a VPN is formed to enable secure connections between two devices over the web . a part of this is often encrypting your information. It happens on your device before sending it to the VPN server, decrypting it there and forwarding it to its online destination.
IP-masking-IP address is the online home address. When VPN is used, it uses the server’s IP address and hides the home IP address preventing any intruder from monitoring or gaining access to the user’s network.
Firewall
A firewall is a system that imposes control on the access policy between networks. Firewalls track and manage the data traffic, depending on the security options that are set.
Firewall allows traffic from:
1. Any external address to the web server
2. FTP
3. SMTP
4. Internal IMAP server.
1. It denies all the incoming:
1. Traffic with network addresses matching internal registered IP-addresses. 2. ICMP echo request traffic
3. MS active directory queries
4. MS domain local broadcasts
5. Traffic to server from external addresses
6. Traffic to MS SQL server queries.
Some common firewalls that are implemented are listed below:
1. Network Layer Firewall
2. Transport Layer Firewall
3. Application Layer Firewall
4. Context Aware Application Firewall
5. Proxy Server
6. Reverse Proxy Server
7. Network Address Translation (NAT) Firewall
8. Host-based Firewall
IDS and IPS technologies
Intrusion detection system and intrusion prevention system are cost effective technologies for tracking and preventing fast paced evolving attacks. These are sensors which are manufactured in the form of various devices. It can detect single or multi-packets.
The steps followed by IPS for handling traffic:
1. Packet sent by hacker to the targeted device.
2. Packet received and evaluated by the IPS against the threats and policies set by the office. 3. Information sent to management console by IPS in the form of log message.
4. Finally, the packet is dropped by the IPS.
Protection against Malware
The most common malware is known as virus. Other malwares include Trojan horse, worm, spyware and adware. The malware protection can be installed in devices such as routers, IPS device etc as well as installed in computers and mobile phones as software which must be updated regularly. The anti-malware software needs to be configured to scan files and web pages automatically and block malicious content. Ensure regular scanning of devices.
Security Patches
A software patch is a series of modifications that are used to upgrade, address security vulnerabilities or enhance functionality, usability or performance in a computer program. It is also used as a synonym for fixing bugs.
The common implementations are:
1. Using only licensed tools in order to prevent third-party access.
2. Install the updates for all software whenever they are available.
3. Remove unsupported files from the device.
Data encryption
Encryption is the process of converting the data into a form where an unauthorized party cannot read it. Only a trusted, authorized person with the secret key or password can decrypt the information and access it in its original form. The encryption itself doesn’t prevent someone from intercepting the data. Encryption will only prevent the content from being displayed or accessed by an unauthorized user.
Software programs are used to encrypt files, folders, and even entire drives. Encrypting filing system (EFS) is a Windows feature which will encrypt data. EFS is directly linked to a selected user account. Only the user that encrypted the information are going to be able to access it after it has been encrypted using EFS.
There are two types of encryption:
1. Symmetric
2. Asymmetric
Symmetric encryption
Symmetric algorithms use an equivalent pre-shared key, also called a secret key, to encrypt and decrypt data. A pre-shared key is known by the sender and receiver before any encrypted communications can happen.
Symmetric encryption algorithms are commonly used with VPN traffic because they use less CPU resources than asymmetric encryption algorithms.
When using symmetric encryption algorithms, the longer the key, the longer it’ll deem someone to get the key. to make sure that the encryption is safe, use a minimum key length of 128 bits.
Asymmetric encryption
Asymmetric algorithms, also called public-key algorithms, are designed in order that the key that’s used for encryption is different from the key that’s used for decryption.
Asymmetric algorithms use a public key and a personal key. The complementary paired key’s required for decryption. Data encrypted with the general public key requires the private key to decrypt. Asymmetric algorithms achieve confidentiality, authentication, and integrity by using this process.
Because neither party features a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths greater than or adequate to 1,024 bits are often trusted while shorter key lengths are considered unreliable.
Add port security
Port Security is a capability in most switches that provides a tool permission to use that switch. It helps to control the number of MAC addresses and forwards only the packets from the MAC address that matches. Rests are restricted. When the switch flags a violation, it can automatically stop working by disabling that port to further network access. Port Security allows for the limiting of both the quantity and kind of devices that are allowed on the individual switch ports.
There are two ways to implement port security:
Dynamic locking – This process includes specifying the maximum number of MAC addresses in a port. This process enables the MAC addresses to be learned by another port.
Static locking – The MAC addresses can be specified manually. Dynamically locked addresses can be converted to statically locked addresses.
Lastly, although it does not fall under any technical requirement, to design a secure network, the physical security should also be considered. The employees should be provided with enough knowledge to differentiate between a malicious file and a non-malicious file. A strong security management should be appointed to maintain the organization’s network security and ensure all the technical requirements are being fulfilled on a regular basis.