Designing Compliance Within the LAN to WAN Domain

In order to ensure compliance within the LAN-to-WAN domain it is vital to have protective and security layers. Firewalls, intrusion detection systems, virus scanners, and other protective software would provide assurance that the security policies for the organization are implemented and adhered. Having multiple locations, there will be huge amounts of data that is transmitted between the four locations and this should not be interfered with in order to ensure that employees are able to perform their duties. Therefore, the security solutions implemented should also have a public key to encrypt and decrypt the data. Securing the four locations and allowing for data transmission will require an innovative and secure layout at all locations. Compliance within the four locations will ensure that the facilities are secure and they are operating within the laid-out security policy.
Proposed Solution
The firewall will act as the first layer of protection and filtering for all the network traffic and data being transmitted at any of the four locations. Firewalls will have certain parameters defined within them that are used to analyze all the traffic that passes through the network (Kaur, Kaur, & Gupta, 2016). Having a properly configured firewall will ensure that any undesirable network traffic is filtered out and not allowed to reach the LAN. All the rules and policies of the organization will be configured into the firewall in order to also protect against network traffic leaving the organization that does not adhere to the laid-out policy. This will guard against employees sending or transmitting data without following the correct procedures, which will ensure that all the data sent out from the organization is properly encrypted. In order to properly configure the firewall, there is need to first identify the network components and evaluate the risks that are posed by these components. The router will also have the capability of blocking the internal IP addresses and ensures that any external network node will only see the public IP address that is configured on the router.
All the data transmitted by a node within the LAN will be first scanned by the firewall in order to ensure that it meets the AUP for the organization before the data can be transmitted (Budka, Deshpande, & Thottan, 2014). This will guard against an internal attacker being able to corrupt or infect other computers within the network or WAN. All the endpoints within the organization are uniquely identified by the firewall and when they are transmitting data, the firewall will check to ensure that the data is not infected and it should be transmitted. Once the data has been transmitted the receiving location firewall will check to see that the data has not been interfered with during transmission. Only after the data has passed the analysis test will it be allowed to enter the LAN to the required endpoint.
Any unwanted network traffic from the WAN will be blocked from entering to the LAN and directed to the DMZ zone. DMZ stands for demilitarized zone, which is basically a physical subnetwork that will contain and expose the organization's external facing services to an untrusted network like the internet. A DMZ will add an additional layer of security to the organization's LAN in that an external network node will only be able to access what is placed in the DMZ (Nagendra, Yegneswaran, & Porras, 2017). By using a DMZ, the organization is able to trap attackers and monitor their activities in order to determine what their intentions are for the attacks. Any untrusted outside traffic will be directed to the DMZ where it will access certain organization services. The applications that are placed within the DMZ will then access the trusted internal network and prevent the outsider from directly getting to the internal network.
A public key infrastructure (PKI) is a set of policies, roles, and procedures that are required to create, manage, distribute, store, use and revoke digital certificates, and to also manage public-key encryption. A PKI will facilitate for the secure transmission of information between a range of network devices and network activities. When transmitting information between the four locations it will be necessary for the data to be encrypted to ensure that even if an intruder manages to intercept the data they will not be able to read it without the required decryption key (Basin et al., 2014). This will protect the privacy of the information and ensure confidentiality of the data being transmitted. Using the PKI will also ensure that all the data transmitted from any of the facilities is secure and safe and they it is not possible for the data to be corrupted during transmission.
It is vital to ensure that the operating system and system components are regularly updated in order to have the up-to-date security features installed at all times. Updating of the operating system should be carried out when there is little or no data transmission taking place to ensure that there will be no loss of data or failure in transmission. For this reason, all operating system updates should only be scheduled for night time at all the locations. Some updates will take time to install and this might require the systems to be taken down. Therefore, it would be necessary to take the system down for some time in order to conduct the update. Taking down the system is not the recommended action, but there might be times when it is necessary. After the system has been updated it is vital to check and confirm that all services are running as expected and that the system is working as expected. If there are backup systems, then the main system can be taken down and leave the backup systems running to facilitate continuation of services. Once the system has been updated the backup systems can then be taken down and also updated. Major system updates will demand for the system to be taken down for a couple of hours and it is necessary to inform all the employees of the timelines for the update. This will give the employees ample time to plan and know in advance that the system will not be available at a certain time.


References
Basin, D., Cremers, C., Kim, T. H.-J., Perrig, A., Sasse, R., & Szalachowski, P. (2014). ARPKI: attack resilient public-key infrastructure. Paper presented at the Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security.
Budka, K. C., Deshpande, J. G., & Thottan, M. (2014). Network Security Communication Networks for Smart Grids (pp. 209-225): Springer.
Kaur, K., Kaur, S., & Gupta, V. (2016). Software defined networking based routing firewall. Paper presented at the Computational Techniques in Information and Communication Technologies (ICCTICT), 2016 International Conference on.
Nagendra, V., Yegneswaran, V., & Porras, P. (2017). Securing Ultra-High-Bandwidth Science DMZ Networks with Coordinated Situational Awareness. Paper presented at the Proceedings of the 16th ACM Workshop on Hot Topics in Networks.