This technical paper provides a plan that ABC Corporation could employ to protect the company network infrastructure. ABC Corporation has just installed a new router on the network, and since malicious users often attack network infrastructure through the router, the proposal provides a security plan that gives the organizational network adequate protection. To implement an effective security plan for ABC Corporation, Access Control Lists (ACLs) are used for the company network security. The paper uses a standard ACL and an extended ACL to provide adequate security for the company router. Installing these ACLs will provide essential security for the company router and network infrastructure.
Network Plan for ABC Corp
Scenario
ABC Corporation has recently installed new routers on the network and intends to design appropriate network security to prevent malicious and unwanted activity. Since many malicious attacks occur in the contemporary IT environment, it is critical for ABC Corporation to protect the newly installed router from attack. The paper creates access control lists (ACLs) to serve as the security devices for the company network.
The fundamental objective of this paper is to create access control lists (ACLs) that keep unwanted traffic off the network. The paper creates the ACLs, justifies their use, and describes their implementation as the new security features. Additionally, the paper specifies the type of each access control list created and its application. The ACLs will also prevent all traffic that is not part of the internal network from travelling out of the Ethernet interface, and will prevent host 172.16.5.35 from getting access to the Internet. The paper will also prevent outside traffic from reaching (pinging) the Telnet and FTP services. The paper further prevents access to the 172.16.3.0 segment because it houses all the sales information. Fig 1 shows the network infrastructure of ABC Corporation. The company has installed a server, a router, a PC and a cloud connection for the organizational network infrastructure. With all these network devices in place, the organization can communicate effectively. Despite the benefits that ABC Corporation derives from this network infrastructure, the company has not yet provided adequate security devices to protect it, and without them malicious users can get access to the network and steal valuable information. Thus, the paper uses Access Control Lists to prevent attacks on the network infrastructure of ABC Corporation.
Fig 1: Network of ABC Corporation without ACL
Access Control List (ACL)
Malicious users often attempt to gain access to the management console of an organizational network device in order to alter the network configuration and use the network to their advantage. To prevent unwanted traffic from gaining access to the network, it is critical to control access to the network devices. Access Control Lists have become an attractive way to protect and secure the network. ACLs protect routers from the various risks that malicious users pose. Typically, an ACL is used as infrastructure protection that denies access from external sources. An ACL is a network security filtering mechanism used to control which routing packets or updates are permitted. ACLs are used by network administrators to filter network traffic and to provide extra security for the network infrastructure; they are also used to protect the ingress point of the network. Typically, "ACLs deny access from external sources to all infrastructure addresses, such as router interfaces. At the same time, the ACLs permit routine transit traffic to flow uninterrupted and anti-spoof filtering." (Cisco, 2010, p. 1).
Within organizational network operations, the vast majority of traffic passes through a router on its way to its ultimate destination. One of the major features of an ACL is to deny or allow packets based on filtering rules. The packet-filtering device applies rules that permit or deny IP addresses or other traffic, and the ACL is used to define these rules.
Network Security Devices for ABC Corporation using ACL
An ACL is used as the network security device for ABC Corporation. To give a better understanding of the ACL types available for protecting the ABC network infrastructure, the paper describes the different types of ACL.
Standard access-list
This type of ACL is used for source-based filtering and identifies the networks to be controlled by their network IP address. A standard access list is an effective way to control which IP addresses are permitted into the network and which are denied.
Extended access list
An extended access list is used to create filters based on port number, source address, protocol, destination address and other fields used for packet-based filtering.
Edge filtering ACLs
Edge filtering combines standard and extended access lists by creating explicit filters for traffic destined to the infrastructure address space. This type of ACL stops malicious traffic from entering the network infrastructure and the router interfaces, while permitting legitimate traffic to enter the network uninterrupted. Infrastructure edge filtering erects barriers that block unwanted IP traffic at the network ingress port. Based on these advantages, the paper uses edge filtering ACLs to protect ABC Corporation.
Standard Access-List Security Devices for ABC Corporation
In using edge filtering ACLs to protect ABC Corporation, the paper uses both standard access lists and extended access lists. The two ACLs provide basic network security by restricting IP traffic based on the configured filters.
The following commands are used to create the standard access list for the network security of ABC Corporation.
ip access-list standard acl_permit
 remark Source addresses permitted into the ABC Corporation network
 permit 172.16.3.0 0.0.0.255
 permit 172.16.5.0 0.0.0.255
 permit host 172.16.3.1
 permit host 172.16.3.254
 permit host 172.16.5.254
 permit host 172.16.0.254
 permit host 172.16.5.35
access-list 110 remark Extended entries: denied sources, then Telnet, FTP and ICMP echo from any source
access-list 110 deny ip 172.16.0.0 0.0.255.255 any
access-list 110 deny ip host 172.16.5.35 any
access-list 110 deny tcp any any eq telnet
access-list 110 deny tcp any any eq ftp
access-list 110 deny icmp any any echo
Description of Each Purpose
Based on the ACL commands listed above, the paper has created a standard access list for the ABC Corporation network devices. In the standard access list, the paper lists all the IP host addresses that will be allowed onto the network. From the standard access list created, the following IP addresses are allowed into the ABC Corporation network devices:
IP 172.16.3.1/16
IP 172.16.3.254/16
IP 172.16.5.254/16
The major reason for allowing the above-named IP addresses in the standard access control list is that they are the only IP addresses allowed by the organization, and they are used by ABC Corporation for business purposes. For example, the 172.16.3.0 segment houses all the sales information of the company, so it is critical to permit this segment in the standard ACL. Moreover, 172.16.3.1/16 is the address of the company server, and the server is critical to the proper functioning of the company network, so this address must be allowed into the company network infrastructure. Three other IPs are configured on the company network router: 172.16.3.254/16, 172.16.5.254/16 and 172.16.0.254/16. It is critical to permit all of these addresses in the standard ACL because of the router's importance to the proper functioning of the organizational network infrastructure. A network router is a device that forwards and routes data along the network; it ensures that information goes to the appropriate destination and does not take the wrong route. The router of ABC Corporation joins different networks together. For example, it joins the following networks:
172.16.3.1/16
172.16.3.254/16
172.16.5.254/16
172.16.0.254/16
172.16.5.35/16
There are various reasons to allow the above-named segments into the network. First, 172.16.5.35/16 is the IP of the personal computer (PC) of ABC Corporation, and employees of ABC Corporation communicate via email and Ethernet using this PC within the organization. To enable effective communication within the organization, it is critical to permit 172.16.5.35/16 into the company network. Moreover, 172.16.3.1/16 is the IP of the company server. A server is a computer that manages network resources. The server of ABC Corporation allows employees to exchange files on the network, manages multiple printers so that employees can print hard copies, and allows ABC Corporation to store data in its database. Given the importance of the server to ABC Corporation, the ACL permits 172.16.3.1/16 into the company network.
More importantly, the ACL permits segment 172.16.0.0 into the network perimeter of the ABC network infrastructure. The 172.16.0.0 segment is the cloud computing connection. ABC Corporation uses cloud computing to deliver software and other information over the network; cloud computing makes applications and data available over the company network and allows the company to deliver better service. Given the importance of cloud computing to ABC Corporation, the ACL allows 172.16.0.0 into the company network (National Institute of Standards and Technology, 2011; Techtarget, 2009).
To enhance the company network security infrastructure, the following IP addresses are not allowed to gain access to the network of ABC Corporation:
172.16.0.254/16
172.16.5.35/16
Additionally, the paper configures the ABC Corporation network to prevent Telnet and FTP from being reached by ping from the outside network.
The paper further creates extended access lists for ABC Corporation to protect the company network infrastructure.
Extended Access Lists for ABC Corporation
The major objective of creating extended ACLs for ABC Corporation is to check the source address, protocol, destination and port numbers of packets on the organizational network. Extended ACLs give a greater range of control over the ABC Corporation network devices and provide an additional security solution. One benefit of extended ACLs is that they provide more precise traffic-filtering control for the network of ABC Corporation.
The paper creates extended access control lists for ABC Corporation using port numbers.
Extended Access Control Lists for ABC Corporation using Port Numbers
access-list 101 remark Source address and wildcard mask, any destination, TCP destination port
access-list 101 permit tcp 172.16.3.0 0.0.0.255 any eq 20
access-list 101 permit tcp 172.16.5.0 0.0.0.255 any eq 21
access-list 101 permit tcp host 172.16.3.1 any eq 22
access-list 101 permit tcp host 172.16.3.254 any eq 25
access-list 101 permit tcp host 172.16.5.254 any eq 35
access-list 101 permit tcp host 172.16.0.254 any eq 18
access-list 101 permit tcp host 172.16.5.35 any eq 19
access-list 101 permit tcp 172.16.0.0 0.0.255.255 any eq 39
access-list 101 deny tcp host 172.16.0.254 any eq 26
access-list 101 deny tcp host 172.16.5.35 any eq 23
The next step is the configuration of the ACL on the ABC Corporation router. Configuring the extended access control list is critical to protecting the network infrastructure of ABC Corporation.
Configuration of Extended Access Control Lists for ABC Corporation using Port Numbers
The following commands are used to configure the extended access control list for the ABC Corporation network infrastructure:
R1(config)#access-list 101 remark Source address and wildcard mask, any destination, TCP destination port
R1(config)#access-list 101 permit tcp 172.16.3.0 0.0.0.255 any eq 20
R1(config)#access-list 101 permit tcp 172.16.5.0 0.0.0.255 any eq 21
R1(config)#access-list 101 permit tcp host 172.16.3.1 any eq 22
R1(config)#access-list 101 permit tcp host 172.16.3.254 any eq 25
R1(config)#access-list 101 permit tcp host 172.16.5.254 any eq 35
R1(config)#access-list 101 permit tcp host 172.16.0.254 any eq 18
R1(config)#access-list 101 permit tcp host 172.16.5.35 any eq 19
R1(config)#access-list 101 permit tcp 172.16.0.0 0.0.255.255 any eq 39
R1(config)#access-list 101 deny tcp host 172.16.0.254 any eq 26
R1(config)#access-list 101 deny tcp host 172.16.5.35 any eq 23
Based on the ACL configuration for ABC Corporation, the paper redraws the network diagram.
Fig 2: Re-create of ACL Diagram for ABC Corporation
With the ACL commands in place, the paper redraws the diagram and creates the filtering rules for the router to follow. As shown in Fig 2, the router will block host 172.16.5.35 from getting access to the Internet. When host 172.16.5.35 attempts to reach the Internet, the ACL will prevent it from doing so. This is important because a malicious user may try to reach the Internet using this device. With the ACL filtering rules in place, host 172.16.5.35 will not be able to get Internet access through the ABC Corporation router.
A further filtering rule implemented in Fig 2 is that the router will deny all other traffic access to 172.16.3.0. The router will serve as a guard that prevents other networks from reaching 172.16.3.0. When a packet arrives at the network router, the router extracts the relevant information from the packet and, based on the filtering rules, decides whether to pass the packet into the network or deny it. Based on the filtering rules created, the router will deny other network traffic access to 172.16.3.0.
More importantly, the router will not allow outside traffic to reach Telnet and FTP. This is important for security because Telnet does not encrypt the data it carries across the network, so an eavesdropper can readily extract information from the session if outside traffic is allowed onto the network. Moreover, there is no authentication that would ensure the communication is not intercepted while it is being carried over the network. Given these shortcomings of Telnet, it is critical that ABC Corporation does not allow outside networks to reach Telnet.
Additionally, part of the filtering rules is to prevent outside networks from reaching the File Transfer Protocol (FTP). FTP is a standard network protocol used to transfer files over the network. While FTP has security features such as authentication, security loopholes remain because of the sophisticated methods malicious users use to tamper with the protocol. The FTP design does not include protection against sophisticated attackers, so FTP is exposed to a series of vulnerabilities such as spoofing attacks, bounce attacks, port stealing, brute-force attacks and packet-capture sniffing. Based on these security vulnerabilities of Telnet and FTP, the ACL will not allow outside networks to reach Telnet and FTP.
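The filtering behaviour described in this paper (deny or permit a packet by the first matching rule, implicit deny at the end, source and destination matched through wildcard masks, the host 172.16.5.35 and Telnet/FTP restrictions shown in Fig 2) can be checked without a router. The following Python simulator is an added example, not code from the paper; it models my reading of the requirements as two ACLs, one applied outbound toward the Internet and one inbound from the Internet, and every packet, the outside addresses 203.0.113.5 and 198.51.100.7, and the ACL names are constructed test data, not values from the paper.

```python
# Added example (not from the paper): a small simulator of Cisco-style ACL
# evaluation used to check what the ABC Corporation filtering rules do to
# sample packets. The two-ACL policy below is my reading of the paper's
# requirements; all packets and outside addresses are constructed test data.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def cidr_to_wildcard(prefix: str) -> Tuple[int, int]:
    """Return (network, wildcard) as integers for 'a.b.c.d/n'.

    Cisco ACLs take a wildcard mask, the bitwise inverse of the subnet mask:
    172.16.3.0/24 -> 0.0.0.255, 172.16.0.0/16 -> 0.0.255.255, and a /32 host
    is wildcard 0.0.0.0, which IOS abbreviates as 'host'.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return int(net.network_address), int(net.netmask) ^ MASK32


def wildcard_match(addr: str, network: int, wildcard: int) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must match exactly."""
    care = wildcard ^ MASK32
    return (int(ipaddress.ip_address(addr)) & care) == (network & care)


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # CIDR prefix, or "any"
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def hits(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for prefix, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            net, wc = cidr_to_wildcard("0.0.0.0/0" if prefix == "any" else prefix)
            if not wildcard_match(addr, net, wc):
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for index, rule in enumerate(acl):
        if rule.hits(pkt):
            return rule.action, index
    return "deny", None


def to_ios(name: str, acl: List[Rule]) -> str:
    """Render the rules in valid IOS named-ACL syntax (address plus wildcard)."""
    lines = [f"ip access-list extended {name}"]
    for r in acl:
        parts = [r.action, r.proto]
        for prefix in (r.src, r.dst):
            if prefix == "any":
                parts.append("any")
            elif prefix.endswith("/32"):
                parts.append(f"host {prefix[:-3]}")
            else:
                net, wc = cidr_to_wildcard(prefix)
                parts.append(f"{ipaddress.ip_address(net)} {ipaddress.ip_address(wc)}")
        if r.dport is not None:
            parts.append(f"eq {r.dport}")
        lines.append(" " + " ".join(parts))
    return "\n".join(lines)


# My two-ACL reading of the paper's requirements (not the paper's own commands).
# Order matters: the host-specific deny must come before the broad permit.
OUTBOUND = [
    Rule("deny", "ip", "172.16.5.35/32", "any"),    # host 172.16.5.35 gets no Internet
    Rule("permit", "ip", "172.16.0.0/16", "any"),   # other internal hosts may go out
    # implicit deny: packets not sourced from the internal network never leave
]
INBOUND = [
    Rule("deny", "tcp", "any", "any", 23),          # no Telnet from outside
    Rule("deny", "tcp", "any", "any", 21),          # no FTP from outside
    Rule("deny", "ip", "any", "172.16.3.0/24"),     # sales segment unreachable from outside
    Rule("permit", "ip", "any", "172.16.0.0/16"),
]

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "pc_to_internet": (OUTBOUND, Packet("tcp", "172.16.5.35", "203.0.113.5", 80)),
    "lan_to_internet": (OUTBOUND, Packet("tcp", "172.16.3.10", "203.0.113.5", 443)),
    "spoofed_source": (OUTBOUND, Packet("tcp", "10.9.9.9", "203.0.113.5", 80)),
    "outside_telnet": (INBOUND, Packet("tcp", "198.51.100.7", "172.16.5.20", 23)),
    "outside_ftp": (INBOUND, Packet("tcp", "198.51.100.7", "172.16.5.20", 21)),
    "outside_to_sales": (INBOUND, Packet("tcp", "198.51.100.7", "172.16.3.50", 443)),
    "outside_to_lan_https": (INBOUND, Packet("tcp", "198.51.100.7", "172.16.5.20", 443)),
}


def run_samples() -> dict:
    """Map each sample name to (action, index of the matching entry or None)."""
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in SAMPLES.items()}
```

Running `run_samples()` shows the PC at 172.16.5.35 and the spoofed 10.9.9.9 source both denied on the way out (the latter by the implicit deny, with no entry index), Telnet, FTP and the sales segment denied on the way in, and ordinary traffic permitted. Reversing the two outbound entries makes `evaluate` permit 172.16.5.35, which is why the host-specific deny must precede the broad permit in a first-match list. `to_ios` prints each rule with the address-and-wildcard form a Cisco router accepts (for example `permit ip 172.16.0.0 0.0.255.255 any`); on a real device the list still does nothing until it is bound to an interface with `ip access-group`, which the paper's command listing does not include.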