Research Paper Undergraduate 1,920 words

Creating a Secure Network

Last reviewed: November 25, 2017

Network Security
This report responds to the scenario provided as the basis for this assignment: a security firm has been awarded a contract with a local government agency, and as part of that contract the author is asked to provide a number of deliverables. These include an information flow diagram, a list of the equipment required to make up the network security infrastructure, a maintenance plan to keep the network running optimally, a list of at least four security measures that could be developed, two physical security vendors that could be used, and an account of how human resources should figure into all of the above. While there are multiple ways to approach a network security plan, some options and paths are more essential than others.
Analysis
The network information flow diagram that was asked for as part of this assignment is shown in the appendix. Something that should be clear from that diagram is that there is not just a single barrier, software or physical, when it comes to the network. The network actually has three zones: the exterior zone, the most secure zone and, in between, a middle zone. The need for the middle zone comes from the fact that just because some devices are allowed past the external firewall does not mean that they should get full access to anything and everything beyond that first firewall. Users outside the network who have permission to access the intranet will have the credentials to get through both the external and internal firewalls. The virtual private network (VPN) that is nestled in between the two firewalls is just one way for external users to get through. For example, if a worker is at a hotel and is connected to the internet, they can reach the intranet and the rest of the internal network by connecting to the VPN. Conversely, users that are behind both firewalls are able to use the internet, cloud services and so forth so long as they stay within the network security policies. For example, an authorized computer would be given access to the services and information to which it is entitled per the network and user setup. Unauthorized computers, on the other hand, are restricted or blocked from accessing anything important. In short, information flows back and forth across the network based on what information and what services are allowed to be accessed. The proper configuration and arrangement of these services, of course, would be up to the network architects and administrators (gov.uk, 2017).
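The three-zone rule described above can be checked mechanically against a firewall ruleset. The following is an added example, not part of the original report; the zone address ranges, rule names and rule format are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): anything outside these ranges is exterior.
ZONES = {
    "middle": ipaddress.ip_network("192.0.2.0/24"),   # VPN gateway lives here
    "internal": ipaddress.ip_network("10.0.0.0/8"),   # intranet, most secure zone
}

def zones_touched(cidr):
    """Return every zone a CIDR can reach, including 'exterior' if it leaks out."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("exterior")
    return hit

# Constructed sample ruleset, evaluated top to bottom by the firewall.
RULES = [
    {"name": "vpn-in", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "action": "allow"},
    {"name": "vpn-to-intra", "src": "192.0.2.10/32", "dst": "10.0.0.0/8", "action": "allow"},
    {"name": "web-out", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "action": "allow"},
    {"name": "vendor-rdp", "src": "203.0.113.0/24", "dst": "10.20.0.5/32", "action": "allow"},
    {"name": "default", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "deny"},
]

def audit(rules):
    """Flag allow rules that let the exterior reach the internal zone directly.

    Conservative: rule shadowing is ignored, so every allow rule is inspected.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zones_touched(rule["src"]), zones_touched(rule["dst"])
        if "exterior" in src and "internal" in dst:
            findings.append((rule["name"], "exterior reaches internal without the middle zone"))
    last = rules[-1] if rules else None
    if not last or (last["action"], last["src"], last["dst"]) != ("deny", "0.0.0.0/0", "0.0.0.0/0"):
        findings.append(("<end>", "ruleset does not end in a default deny"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(RULES):
        print(f"{name}: {problem}")
```

Outbound browsing from the internal zone and VPN traffic that terminates in the middle zone pass the audit; only the rule that skips the middle zone is reported.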
Network security devices fall into about four general types: active devices, passive devices, preventative devices and Unified Threat Management (UTM) devices. Active devices would include firewalls, antivirus scanning devices, content filtering devices and other devices that block surplus traffic on the network. Passive devices would include intrusion detection appliances. These are devices that identify and report on traffic that is unwanted or undesirable. Preventative devices would include penetration testing devices and vulnerability assessment devices, otherwise known as appliances. Those devices scan the networks and help identify potential or verified security problems. The last type would be the aforementioned UTM devices. These would include firewalls, content filtering, web caching and other sorts of all-in-one security devices. One specific device that would be useful in the case of the local government agency that is the subject of this brief report would be a Cisco ASA 5515-X Firewall Edition Security Appliance. The device has Gigabit Ethernet, is rack-mountable and has six ports. It costs a little over two thousand dollars. A comparable device would be a WatchGuard Firebox M500. Like the Cisco device, it serves as a physical firewall that can protect the network of the local government agency in question. The device has onboard support for gateways, web content filtering, intrusion prevention and other features that are presented and discussed on the network information flow diagram elsewhere in this report. Like the Cisco device, the WatchGuard offering is also in the price range of several thousand dollars, coming in at about $2500 (ITCS, 2017).
Other devices that would be necessary would include end-user computer workstations. Two of the common brands that could be used to meet this need are Dell and Lenovo. The latter is what used to be the computer division of IBM. Cost per workstation would range from $500 to $2000 per unit, depending on the computing power that is needed. The major things that would drive the price would include the processors in the computers, the amount of RAM, the type and size of hard drive and so forth. Something else that would be necessary is the proper network and patch cabling. To keep things as “future-proof” as possible, using Category 7 networking cabling would be best. If existing infrastructure is present and it is at least Category 6, that can be workable for now. However, anything older should be ripped out and re-run so that the network has the speed it needs. Doing otherwise would create bottlenecks or other network slowness that is easy to avoid with the right network infrastructure. It is also important to have the right wireless network infrastructure. The use of VPNs and other encryption is a must, as is using 802.11ac wireless (or at least 802.11n). The benefit of using the right networking technology and workstations is clear. Infrastructure or equipment that cannot keep up with modern computing demands will lead to wasted time and motion. It will cost more money up front to buy that equipment. However, it will be a money-saver in the long run (Brown, 2012).
The proper maintenance plan for a network and its components is a must. One thing that will have to be managed very well is the updating of network servers and workstations with the latest security updates. A good real-world example of how failing to apply updates immediately can become a huge problem is Heartbleed, the fairly recent vulnerability in OpenSSL, a widely used implementation of Secure Sockets Layer (SSL). Not patching and repairing that problem right away when it was spotted and addressed by the appropriate vendors could have led to information being compromised. When each operating system or other update comes out, it should be applied to the primary systems in the network. It should also be pushed out to the workstations right away. End users should not have the option to bypass the updates. They should only be given enough time to save their work and should then let the update proceed. However, such updates should not be done during normal office hours. Network security personnel should keep a watchful eye on the metrics and statistics of the updates to make sure that all computers are receiving them as they should be. The proper systems, software suites, personnel and payroll hours should be allotted to keep up with the maintenance program. No computers should be allowed to fall behind the update schedule. If there are computers that are not updated, the reason should be investigated (Mays, 2017).
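The two requirements in the maintenance plan above, installing updates outside office hours and letting no computer fall behind, can be expressed as a small report. This is an added example, not part of the original report; the office hours, grace period, host names and inventory format are constructed assumptions.

```python
from datetime import datetime, timedelta

OFFICE_OPEN, OFFICE_CLOSE = 8, 18   # assumed office hours, Monday to Friday
GRACE = timedelta(days=2)           # assumed time allowed between release and install

def next_window(now):
    """First whole hour at or after `now` that falls outside office hours."""
    t = now.replace(minute=0, second=0, microsecond=0)
    if t < now:
        t += timedelta(hours=1)
    while t.weekday() < 5 and OFFICE_OPEN <= t.hour < OFFICE_CLOSE:
        t += timedelta(hours=1)
    return t

def behind_schedule(inventory, released, now):
    """Hosts still lacking the update released at `released` once the grace period ends."""
    if now < released + GRACE:
        return []
    late = []
    for host, info in sorted(inventory.items()):
        installed = info["last_update"]
        if installed is None or installed < released:
            reason = "never reported" if installed is None else "missing latest update"
            if info["last_seen"] < released:
                reason += ", offline since before release"
            late.append((host, reason))
    return late

def compliance(inventory, released, now):
    """Return (fraction of hosts up to date, list of hosts to investigate)."""
    late = behind_schedule(inventory, released, now)
    rate = 1 - len(late) / len(inventory) if inventory else 1.0
    return rate, late

# Constructed sample: update released Monday 20 Nov 2017, report run Friday 24 Nov.
RELEASED = datetime(2017, 11, 20, 9, 0)
NOW = datetime(2017, 11, 24, 10, 30)
INVENTORY = {
    "ws-01": {"last_update": datetime(2017, 11, 20, 19, 0), "last_seen": datetime(2017, 11, 24, 9, 0)},
    "ws-02": {"last_update": datetime(2017, 11, 6, 19, 0), "last_seen": datetime(2017, 11, 24, 9, 0)},
    "ws-03": {"last_update": None, "last_seen": datetime(2017, 11, 24, 9, 0)},
    "srv-db": {"last_update": datetime(2017, 11, 6, 19, 0), "last_seen": datetime(2017, 11, 17, 9, 0)},
}

if __name__ == "__main__":
    rate, late = compliance(INVENTORY, RELEASED, NOW)
    print(f"compliance {rate:.0%}, next install window {next_window(NOW)}")
    for host, reason in late:
        print(f"investigate {host}: {reason}")
```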
The physical network security measures that should apply to the local government and its network are fairly basic. First, the server room should be locked up and secured. Only people with a need to be in the room should be given any access whatsoever. Just as with the maintenance of the computers themselves, it should be routinely and constantly tracked to make sure that the room is indeed locked. It should be controlled by badge and/or other access, the door should never be propped or left open and so forth. Beyond that, the interior of the room as well as the area right outside the door should be under constant camera surveillance that is actually monitored and watched at all hours of the day. The servers that are in the server room should be rack-mounted. They should not be units that can simply be picked up and carried away. A fourth and final option that can be used in terms of physical security is to disable USB and other drives on computers. Except for people that need this access, leaving them enabled is just a security exploit waiting to happen. For example, any government agency that deals with private information such as Social Security numbers and so forth should have write access disabled on any optical media drive as well as any USB drives. Vendors that sell rackmount devices and infrastructure would include CyberPower, APC and the aforementioned WatchGuard. The aforementioned network firewalls and switches are often sold in rackmount varieties of standard widths. For example, 19 inches is a common width. There are a number of security vendors and options, self-use and external, that could be used to secure the network room (Shinder, 2007).
When it comes to network security, it is important to have strong integration between information technology and human resources. This partnership should be used to grant or rescind access in a timely fashion. For example, if the human resources department knows that someone is fired, they should immediately contact the information technology people so as to have the person’s access disabled. Conversely, if a person is hired, the IT, human resources and hiring departments can work together to provision the proper access to the network. There would also be the need to track and assign the proper equipment. This would include workstations, badges or keys for the doors and so forth (Zielinski, 2014).
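One way to verify that the HR and IT partnership described above is actually rescinding access is to reconcile the HR roster against the account and badge records. This is an added example, not part of the original report; the CSV columns, usernames and dates are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (assumed formats): HR roster and IT account list.
HR_CSV = """employee_id,status,end_date
1001,active,
1002,terminated,2017-11-10
1003,terminated,2017-11-20
"""
ACCOUNTS_CSV = """username,employee_id,enabled,last_login,badge_active
asmith,1001,yes,2017-11-24,yes
bjones,1002,yes,2017-11-15,no
cwu,1003,no,2017-11-19,yes
svc-scan,,yes,2017-11-24,no
"""

def reconcile(hr_csv, accounts_csv):
    """Return (username, problem) pairs where IT records disagree with HR."""
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user, person = acct["username"], hr.get(acct["employee_id"])
        if person is None:
            # No owner on the roster: nobody will ask for this account to be removed.
            if acct["enabled"] == "yes":
                findings.append((user, "enabled account with no HR record"))
            continue
        if person["status"] != "terminated":
            continue
        ended = date.fromisoformat(person["end_date"])
        if acct["enabled"] == "yes":
            findings.append((user, "network access still enabled after termination"))
        if acct["badge_active"] == "yes":
            findings.append((user, "door badge still active after termination"))
        if date.fromisoformat(acct["last_login"]) > ended:
            findings.append((user, "login recorded after termination date"))
    return findings

if __name__ == "__main__":
    for user, problem in reconcile(HR_CSV, ACCOUNTS_CSV):
        print(f"{user}: {problem}")
```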
Conclusion
Creating and maintaining a network system, in general terms, is not all that hard. However, that system has to be configured and put together in the right way so that access is given, blocked and filtered in the right way. Both the physical and virtual configuration of the network are important. Doing it right leads to a well-functioning office. Doing it wrong leads to chaos and an inability to get work done.
References
Brown, M. (2012). Who makes the best 802.11ac router? We review the only 5 models available today. PCWorld. Retrieved 25 November 2017, from https://www.pcworld.com/article/262148/who_makes_the_best_802_11ac_router_we_review_the_only_5_models_available_today.html
Concept Draw. (2017). Network Security Devices. http://www.conceptdraw.com. Retrieved 25 November 2017, from http://www.conceptdraw.com/How-To-Guide/network-security-devices
Gov.UK. (2017). [Withdrawn] Browser Security Guidance: Google Chrome - GOV.UK. Gov.uk. Retrieved 25 November 2017, from https://www.gov.uk/government/publications/browser-security-guidance-google-chrome/browser-security-guidance-google-chrome
ITCS. (2017). Cisco ASA vs WatchGuard XTM | IT Central Station. Itcentralstation.com. Retrieved 25 November 2017, from https://www.itcentralstation.com/products/comparisons/cisco-asa_vs_watchguard-xtm
Mays, J. (2017). Update and Patch OpenSSL for Heartbleed Vulnerability | Liquid Web Knowledge Base. Liquid Web Knowledge Base. Retrieved 25 November 2017, from https://www.liquidweb.com/kb/update-and-patch-openssl-for-heartbleed-vulnerability/
Shinder, D. (2017). 10 physical security measures every organization should take. TechRepublic. Retrieved 25 November 2017, from https://www.techrepublic.com/blog/10-things/10-physical-security-measures-every-organization-should-take/
Zielinski, D. (2014). Integrating HR Systems Can Deliver Rich Rewards. SHRM. Retrieved 25 November 2017, from https://www.shrm.org/hr-today/news/hr-magazine/pages/0514-hr-systems-integration.aspx
Appendix – Information Flow Diagram

The above diagram is modeled after the diagram found at the following link:
https://www.gov.uk/government/publications/browser-security-guidance-google-chrome/browser-security-guidance-google-chrome

Cite This Paper
PaperDue. (2017). Creating a Secure Network. PaperDue. https://www.paperdue.com/essay/creating-secure-network-2166574
