Study Wireless Security Deployment - PKL

Wireless Security Deployments - PKL

2500

Revision A

Contents

Executive summary

1. Assumption statement

2. Vulnerabilities/Risk identified on PKL Autoparts Supply Network

2.1 Service Set Identifier (SSID) Broadcast

2.2 Lack of Firewall

2.3 Lack of VPN (Remote access)

2.4 Dictionary attack can be done to guess Wi-Fi password and traffic injections is possibility because of WEP security Wi-Fi

2.5 Users De-authenticated from the Wi-Fi

2.6 Lack of Dynamic Host Configuration Protocol Spooping configuration (DHCP)

2.7 Lack Change Management Procedure

2.8 Lack network segmentations/ VLAN

2.9 Man in the middle attacked is possible

2.10 No DHCP relay configure

2.11 Lack Intrusion Detection/ Prevent system (IDS/IPS)

2.12 Lack of MAC address filter/block

2.13 Lack of subnetting

2.14 Lack of naming convention for all network assets

2.15 Lack of file and printer server

2.16 Lack of Domain Controller (DC)

2.17 Lack of Domain name server – DNS

2.18 Lack mail server identify

2.19 Waste of private IP addresses 91. 72.16.0.0/16) – possibility of broadcast storm attack

2.20 No encryption of data on the network – mail or file server

2.21 No network audit tools or technique – to determine who does what on the network

2.22 Lack of SQL server

2.23 No specific Phone system

2.24 Lack of Critical Infrastructure policy

2.25 Lack of Physical server protection

2.26 Lack of Incident Response Team

2.27 Lack backup/ Disaster Recovery Procedure

Page ii

Student Name: Aaron ND Sawmadal Wireless Security Deployment – PKL

2.28 Lack Universal Power Supply (UPS)

2.29 Lack Network Redundancy

2.30 Weak Wi-Fi security configure

2.31 Poor network diagram – this can lead unauthorised use circumventing the network without network administrator being able to track

2.32 Lack of well-define encryption for file server

2.33 Software on the network not specify – Server OS and Work stations OS

3. Restructured PKL Network Topology

3.1 Physical Building location and number of users

3.2 Physical Network Topology

3.3 Subnetting of PKL Network

4. Hardware and Software Selection for the Network

5. Policies

5.1 Wireless - PDA/Smart Devices Policy

5.2 Overview

5.3 Purpose

5.4 Scope

5.5 General Requirements

5.6 Home Wireless Device Requirements

5.7 Compliance Measurement

5.8 Exceptions

5.9 Non-Compliance

5.10 Related Standards, Policies and Processes

6. Remote access Policy

6.1 Overview

6.2 Purpose

6.3 Scope

6.4 Remote Access Tools

6.5 Policy Compliance

6.6 Exceptions

6.7 Non-Compliance

7. Server Security Policy

7.1 Overview

7.2 Purpose

7.3 Scope


Page iii


7.5 Resource Community

7.6 Configuration Requirements

7.7 Monitoring

8. Password Protection Policy

8.1 Overview

8.2 Purpose

8.3 Scope

8.4 Password Creation

8.5 Guidelines

8.6 Consensus Policy Resource Community

8.7 Password Change

8.8 Password Protection

8.9 Application Development

8.10 Use of Passwords and Passphrases


8.12 Exceptions

8.13 Non-Compliance

9. References

Page iv


Executive summary

This report provides solution on a network breach which occurred at PKL Autoparts Supplies. PKL has four sites which are located in Hillarys, Melville, Alexander Heights, Kewdale and Osborne Park as a warehouse. PKL has a turnover revenue of $100 million per year. As of the result of the network breach the network administrator was removed from the office by police and since then the network infrastructure has never function correctly resulting into huge loss to PKL business and its partner companies. This consultant’s report encapsulates solutions to address the problems faced by PKL and also provide policies to prevent future re-occurrence of such breach. As an optimal solution; the four sites plus the warehouse (Osborne Park office) have been put onto separate subnets to stop network broadcast storm. This will enable the future network administrator to be able to triage the network problems and to provide troubleshooting to the entire network. Furthermore, a Cisco ASA firewall has been put in place to detect and prevent any intrusions in and out of the network. Alert system has been activated to notify the IT Manager plus all members of the change management team in case there’s a future network breach.

Page v


1. Assumption statement

The following assumptions are made in this document:

i. No Exchange serverii. No Domain controller (DC)iii. No SQL server iv. No File server v. No Phone system vi. PKL infrastructure is a workgroup environment vii. ISP – iinet will provide active internet connection for the network backboneviii. Redundancy network link will be leased through AMCOM

2. Vulnerabilities/Risk identified on PKL Autoparts Supplies Network Infrastructure

Vulnerability is a flawed or weakness when exploited or acted on can cause serious consequences a network infrastructure. Below list the vulnerabilities identified and counter measurements.

2.1 Service Set Identifier (SSID) Broadcast

SSID sent the network traffic in a plaintext and can be transmitted via broadcast beacon. Sniffer/hackers use SSID as the primary back door to get into a wireless network.

Network administrator must develop some specific techniques of preventing unauthorised access to the network.

i. Network administrator must endeavour to hide SSID from unauthorised users’ access.

ii. All users should authenticate via valid username and password – usually Active Directory (AD) credential.

2.2 Lack of Firewall

This is the first line of defence for any network infrastructure. This controls incoming and outgoing network traffic. Host based firewall - workstation and network based firewall – control from the server. Network administrator can decide to use hardware based firewall or software based firewall. Hardware option is very robust but expensive.

i. By default deny all (UDP/TCP) traffic through the network.

ii. Allow the specific traffic that are needed once approved by the change management procedure.

Page 1


iii. Use zonealarm / Microsoft Endpoint Security Point (software base firewall) – These are both antivirus and firewall.

2.3 Lack of VPN (Remote access)

Remote access increase productivity within any company. This is very vital to every company in the 21st century especially as there are more than 7.7 billion mobile users worldwide “7.7 Billion Mobile Devices Among 7.1 Billion World Population By The End Of 2014”; from http://dazeinfo.com/2014/04/29/7-7-billion-mobile-devices-among-7-1-billion-world-population-end-2014/ ).

Many of these mobile users will want to access the corporate network via their mobile devices. Therefore specific techniques by which these users must communicate needs to be clearly stipulated and approved by the change management procedure.

i. Implementation of a site-site remote access VPN will be necessary for PKL Auto parts supplies

ii. All user will authenticate to the network using their AD credential.

iii. Only users that have been connected to the PKL internal network in 30 days will be allowed to authenticate via VPN.

iv. Otherwise, users will be redirected to call PKL Service Desk for VPN reactivate

2.4 Dictionary attack can be done to guess Wi-Fi password and traffic injections is possibility because of WEP security Wi-Fi

It is evident that the PKL network infrastructure was exposed to a dictionary attack – this is when hacker or program use pre-defined wordlist until the password is found from a network router. This is commonly used because not many people are aware of this techniques. Never set password to “admin”, “admin01”,”password”; etc. The below articulate the strategies to mitigate this attack:

i. All users should authenticate via valid username and password – usually Active Directory(AD) credential.

ii. Removed all default login admin username/password from the access point (AP)

iii. Disable all services that are not needed on the network in the AP.

iv. Enable SNMP monitoring on the AP to warn administrator once there’s an unauthorised login attempt(s).

2.5 Users De-authenticated from the Wi-Fi

Due to the poor network encryption (WEP) on the wireless network users can easily be de-authenticated from the network. This will be detrimental to the business.

i. Network must actively be monitored by the network using some type of network monitor tools (i.e, Wireshark or net flow, etc.)

Page 2


http://dazeinfo.com/2014/04/29/7-7-billion-mobile-devices-among-7-1-billion-world-population-end-2014/

http://dazeinfo.com/2014/04/29/7-7-billion-mobile-devices-among-7-1-billion-world-population-end-2014/

ii. Enable SNMP monitoring on the AP to warn administrator once there’s an unauthorised login attempt(s).

iii. Get an AP that is backward compatible with 802.11a/b/g network

iv. Enable WAP2 Enterprise on the network with AP that has 802.11N backward compatible with older network card

v. Remove all the network cards that will not be compatible with 802.11N

2.6 Lack of Dynamic Host Configuration Protocol Spooping configuration (DHCP)

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers – if this is configured and a DHCP offer is detected on an untrusted port, that port/s will be shut down. In today’s wireless network within a corporate network it is very important to have DHCP Snooping.

i. This technique as elaborated is a layer 2 techniques that ensure IP integrity on layer 2 switch domain is maintained.

ii. This prevents DHCP spoofing – that is when a hacker attempts to get a DHCP requests from a DHCP server.

2.7 Lack Change Management Procedure

Change management procedure/process is very critical – this is a process that keep track of all changes made in network and these changes are recorded in the change management database. If PKL had one, when the administrator was removed, it would be easy to refer to the change management database to know what the last made changes were. The change procedure would be as follows:

i. Only IT manager or CTO can approve all changes

ii. Every change request must have a change requestor

iii. Once there change is made, there should be post incident review (PIR)

iv. Change management procedure will be supervised by the IT manager and Chief Technical Officer (CTO).

2.8 Lack network segmentations/ VLAN

Network segmentations or VLAN trucking prevent broadcast traffic on the network. This is a classic way of splitting a network into smaller chunks.

i. Split the network into different departmental level (HR, Admin, Commercial, etc)

ii. Enable all network files or resources vial users VLAN access

Page 3


2.9 Man in the middle attacked is possible

As a name goes, this is secret technique used by unauthorised access to secretly obtain data from a network or to disrupt an entire network.

i. All users should authenticate via valid username and password – usually Active Directory(AD) credential.

ii. Disable all services that are not needed on the network in the AP.

iii. Enable SNMP monitoring on the AP to warn administrator once there’s an unauthorisedlogin attempt(s).

2.10 No DHCP relay configure

Unfortunately, there was no DHCP relay configured on the network. This is used to forward DHCP packets between clients and servers that are not physically located on the same physical server.

i. Physically all the users within PKL network infrastructure are not located on the same server.

ii. Configure DHCP relay between the five sites using Osborne Park is the main routing.

iii. Use Spanning Tree protocol to complete the configuration – this will rebuild any downtime except in the process of faulty hardware.

2.11 Lack Intrusion Detection/ Prevent system (IDS/IPS)

IDS is used to examine/monitor network packets as it transvers through the network hops by matching the known signature of intrusions that have been identified by intrusion databases. IPS works in similar manner but it prevents that traffic from passing through the network.

IDS/IPS can be divided into host based and network base. It is important to know that one must understand the benefits and back draws of network/host based IDS/IPS before implementing it.

i. Cimtrak, as both IPS/IDS will be implemented in the PKL network. Cimtrak is a host based IPS. However it can also function as an IDS. However, there is a debate that Cimtrak is either an IPS/IDS because it performs both function.

2.12 Lack of MAC address filter/block

Mac address filtering is a line of defense that allow network administrator to define all the physical address of each network device on the network within the AP. However, this is a just a first line of defense; it has no security benefits and also difficult to maintain.

i. Implementation of WAP2 Enterprise and WAP 2 Personal should be considered in PKL network.

Page 4


2.13 Lack of subnetting

i. Subnetting – allows for IP packet to be delivered to the correct site as in the case of PKL that has 5 different sites.

ii. Allows for packet to be forwarded to the corrected subnetwork

iii. Allows packet to be delivered to the correct host/workstations or server

iv. Allows the creation of VLAN that prevent network broadcast storm

v. PKL network will be subnetting as follows Osborne Park - 172.16.1.0/25; Alexander - 172.16.2.0/25; Melville -172.16.3.0/25;Hilary's - 172.16.4.0/25 and Kewdale - 172.16.5.0/25.

2.14 Lack of naming conventions for all network assets

PKL network was under serious network threat even before the administrator was removed. The company had no Naming Conventions by which its hardware can be recognised on the network.

i. Implementation of a unique naming standard of hardware should be followed in PKL network

ii. Server/Router/Switches/Printers – PKL-site-prefix by the function of the server and followed the numerical value. PKL-KD-DC01, PKL-KD-R01,PKL-KD-SW01, PKL-KD-PR01

iii. Workstations- should be serial number followed by numerical following, i.e. PC-S/N.

2.15 Lack of file and printer server

The lack of file and printer servers indicates that the network was also under intense breaches as anyone could store their data local on the network and also print it in whatever function they like. Data is one of the most critical resources any company can have and it must be prevented at every level within the business.

i. Implementation of file server user windows integrity server

ii. Implementation of printer server hosted on the same server as the file server.

iii. Implementation of Distributed File System (DFS) to enable all site have replicated data.

2.16 Lack of Domain Controller (DC)

Domain Controller (DC) is a server that must respond to security authentication requests in and out of the network infrastructure. DC can eventually be used as logging event, checking permission; either accept or deny users login to the network resources.

Page 5


i. Implementation of parent DC to be hosted in Osborne Park whilst other sites will have child DC

ii. DC will allows successful implementation of DFS

2.17 Lack of Domain name server – DNS

This is what the computer use on the network to identify. “How Domain Name Servers Work” from http://computer.howstuffworks.com/dns.htm

Figure 1

2.18 Lack mail server identify

Just at DC was absent from PKL network; there has also being no mail server in PKL network infrastructure. What impact does this have? It means that users can decide the format of how he/she will send their emails and not what the network administrator decides. The put the data of the business at a very high risk of being captured by man in the man attack.

i. Implementation of Exchange server 2012 to be implementation ii. Using Office365 Exchange as a backup solution to the Exchange server iii. This can be hosted offshore to save cost

2.19 Waste of private IP addresses 91. 72.16.0.0/16) – possibility of broadcast storm attack

i. To allow network broadcast storm attack - PKL network will be subnetting as follows:

a. Osborne Park - 172.16.1.0/25

b. Alexander - 172.16.2.0/25

c. Melville -172.16.3.0/25

d. Hilary's - 172.16.4.0/25

e. Kewdale - 172.16.5.0/25

Page 6


http://computer.howstuffworks.com/dns.htm

ii. Implementation of VLAN to segregate the network into separate departmental level.

2.20 No encryption of data on the network – mail or file server

Encryption is the unique technique that is used to secure the transfer of information between network infrastructures and helps minimizes the chance of data to be intercepted by an unauthorised person.

i. All workstation data will be encrypted using bit locker – a free available encryption available from windows 7/8

ii. SSL for the email server and web server

iii. SSH for all switches and routers

2.21 No network audit tools or technique – to determine who does what on the network

Every network infrastructure administrator must decide to use a specific network auditing tool. The network auditing tools is used in conjunction with vulnerability scanning as a best practice.

i. For the PKL network new design it has been suggested for them to move to GLI LanGuard

ii. LanGuard is effective in network audit both hardware and software

iii. GFI LanGuard has a powerful reporting feature that can pick up security vulnerability and alert the network administrator.

2.22 Lack of SQL server

PKL as a business that rely on inventory of stock it is very important for it to have reliable and robust SQL server

i. There will be an SQL application server located at Osborne Park

ii. All the other four sites will host the instances of the database

iii. This will allow automatically replication cross all sites

iv. Logging will be enable on the SQL server

2.23 No specific Phone system

i. To save cost and to be effective as a consultant to PKL; it suggested that the phone system will be hosted by their ISP (iinet)

ii. Backup phone system will be located on site from other provider – Telstra

Page 7


2.24 Lack of Critical Infrastructure policy

In today’s network infrastructure is it important for every level of the network to have policy that will safeguard how things will be done.

i. Refer to section 5 for all the network infrastructure policies

ii. Policies will be reviewed as change management deemed it fit

2.25 Lack of Physical server protection

i. All critical network equipment, servers, switches, routers, etc. will be located in a Zellabox – sealed with a code

ii. Code will only been know the network administrator

iii. CCTV camera will be placed in all the server rooms

2.26 Lack of Incident Response Team

This team will be responsibility for respond disaster or recovery during or after business hours. Functions will include but not limited to

i. Network disaster

ii. Terrorist or bomb attacks

iii. Internet or computer threats posed by users, whether authorised or unauthorised

iv. Member of this team will be on ad hoc basis with people from different department every quarter

2.27 Lack backup/ Disaster Recovery Procedure

To prevent against data loss or breach of confidentiality – a backup procedure will be implement which includes

i. Backup of all SQL server data will be stored in Osborne park

ii. Backup copy of the network resources including routers and switches configuration will be stored to Data3 datacenter in Malaga

iii. All users files will be store H drive

iv. All H drives will be copy every 2 hours on an incremental basis

v. Shadow copy will enable on file server to enable recover files that are deleted within less than 2 hours from their computer

Page 8


2.28 Lack Universal Power Supply (UPS)

UPS is critical to all network infrastructure

i. All sites server rooms will have Double Conversion on-line UPS system – this is 10KVA power input that will automatically kick up once there’s a loss of power from the main power supply within the offices

ii. UPS will have network monitor set to determine the reliability at all time

2.29 Lack Network Redundancy

This is process through which there is an alternative to network connectivity in the event network devices or path are unavailable.

i. Second fiber line to each site has been purchased as solution

ii. All server all have RAID 5 except the SQL server built RAID 10 to allow data clustering because the database is the mission critical to PKL business

2.30 Weak Wi-Fi security configure

i. Replace WEP encryption on PKL network to WAP 2 enterprise

ii. All users to authenticate with valid domain account

2.31 Poor network diagram – this can lead unauthorised use circumventing the network without network administrator being able to track

i. A new network design has been designed as shown in section 3 Restructured PKL Network Topology.

ii. This include logical connection of each port

2.32 Lack of well-define encryption for file server

This is the embodiment of security resources or communication on the network. Network administrator need to specify that sort encryption network that is user to transmitted data or traffic over the network.

iii. As a consultant to PKL, it cannot be over stated how important traffic/data transmission between users in and out of the network needs to be encrypted as to avoid interruption, interception and authorised modification of the data

iv. NTFS encryption as a native windows server will be activated

v. Implement of Distributed Authorising and Versioning (WebDAV) will be consider on the PKL intranet for filer sharing and access

vi. Bit locker Drive encryption enables on all workstations using native hardware BIOs settings (TPM).

Page 9


2.33 Software on the network not specify – Server OS and Work stations OS

i. All servers will be Windows 2012 except;

ii. Web server will be apache using Linux

iii. Workstations OS – Windows 7 Enterprises

3. Restructured PKL Network Topology

A network infrastructure that lacks better physical and logical structure diagram there always exist the possibility of continuous disruption to the network traffic that will subsequent lead to loss of revenue.

3.1 Physical Building location and number of users

PKL has 150 staff. The assumption has been made that there are 30 staff at each of the offices in the new diagram.

There are two wireless access point (AP) located at each office – AP1 for all staff and AP2 for all managers. Authentication is only by AD credential – An extended SSID has been created call PKL-Guest-Wifi – This is only for guest use. Only internet access is available, Facebook, YouTube, or any other social networks spaces are blocked.

Page 10


3.2 Physical Network Topology

Page 11

Redundancy backbone fiber line


3.3 Subnetting of PKL Network

Based on the subnet the new network administrator will draw up the logical network diagram

Subnetting

i. Osborne Park Network

172.16.1.0/25Subnet mask: 255.255.255.128First host – 172.16.1.1 Last host – 172.16.1.126

Router has two controller SSID (AP 1 & AP2) AP 1 – All Staff – address scope .172.16.1.2 – 172.16.1.50Router – 172.16.1.1 Juniper switch 172.16.1.2 (Access switch & caching) Multi-scan printer – 172.16.1.126Reserved: 172.16.1.51 - .100AP 2 – Managers – 172.16.1.101 - 125

Domain control: OP-DC01File/printer: OP-FS01 *** SQL: OP-SQL01 – main SQL server – all SQL server replicate here

ii. Alexander Height

172.16.2.0/25Subnet mask: 255.255.255.128First host – 172.16.2.1 Last host – 172.16.2.126

Router has two controller SSID (AP 1 & AP2) AP 1 – All Staff – address scope .172.16.1.2 – 172.16.1.50Router – 172.16.2.1 Juniper switch 172.16.2.2 (Access switch & caching) Multi-scan printer – 172.16.2.126Reserved: 172.16.2.51 - .100AP 2 – Managers – 172.16.2.101 - 125

Domain control: AH-DC01 File/printer: AH-FS01 SQL: AH-SQL01

Page 12


iii. Melville

172.16.3.0/25Subnet mask: 255.255.255.128First host – 172.16.3.1 Last host – 172.16.3.126Router has two controller SSID (AP 1 & AP2) AP 1 – All Staff – address scope .172.16.3.2 – 172.16.3.50Router – 172.16.2.1 Juniper switch 172.16.3.2 (Access switch & caching) Multi-scan printer – 172.16.3.126Reserved: 172.16.3.51 - .100AP 2 – Managers – 172.16.3.101 - 125

Domain control: AH-DC01File/printer: MV-FS01 SQL: MV-SQL01

iv. Hilary’s

172.16.4.0/25Subnet mask: 255.255.255.128First host – 172.16.4.1 Last host – 172.16.4.126Router has two controller SSID (AP 1 & AP2) AP 1 – All Staff – address scope .172.16.4.3 – 172.16.4.50Router – 172.16.4.1 Juniper switch 172.16.4.2 (Access switch & caching) Multi-scan printer – 172.16.4.126Reserved: 172.16.4.51 - .100AP 2 – Managers – 172.16.4.101 - 125

Domain control: HL-DC01File/printer: HL-FS01 SQL: HL-SQL01

v. Kewdale

172.16.5.0/25Subnet mask: 255.255.255.128First host – 172.16.5.1 Last host – 172.16.5.126Router has two controller SSID (AP 1 & AP2) AP 1 – All Staff – address scope .172.16.4.2 – 172.16.4.50Cisco Router – 172.16.5.1 Juniper switch 172.16.5.2 (Access switch & caching) Multi-scan printer – 172.16.4.126Reserved: 172.16.4.51 - .100AP 2 – Managers – 172.16.5.101 - 125

Page 13


Domain control: KD-DC01File/printer: KD-FS01 SQL: KD-SQL01

4. Hardware and Software Selection for the Network

Name Description Unit Cost Total Cost

Cisco UCS 220 Server – Windows 2012 Server built-in

UCS 220 for DC @ 5 sites

$7,048.00 x 5 $35240.00

Cisco 2911 Router Core Router @ 5 sites 2648.00 x 5 $13240.00

Access Cisco Switch Cisco 875 for Internet Gateway @ 5 sites

385.00 x 5 $1925.00

Cisco ASA Fire ASA firewall for Gateway IDS/IPS

$3,639.00 $3,639.00

Total $54,044.00

5. Policies

5.1 Wireless - PDA/Smart Devices Policy

Disclaimer: This policy was created by or for the PKL Autoparts Supply. All or parts of this policy will be reviewed quarterly as to adhere to the overwhelming security challenges pose by smart phones and other handheld devices in the corporate industry. There will be a prior by the IT Change management approval before any change to this document can be initiated. If you would like to contribute any change to this policy or updated version of this policy, please send email to [email protected] .

All Policies Update Status: Updated May 25, 2015

Page 14


mailto:[email protected]

5.2 Overview

With the mass explosion of Smart Phones and Tablets, pervasive wireless connectivity is almost a given at any organization. Insecure wireless configuration can provide an easy open door for malicious threat actors.

5.3 Purpose

The purpose of this policy is to secure and protect the information assets owned by PKL Autoparts Supply. PKL Autoparts Supply provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. PKL Autoparts Supply grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.

This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to PKL Autoparts Supply network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by the Information Security Department are approved for connectivity to a PKL Autoparts Supply network.

5.4 Scope

All employees, contractors, consultants, temporary and other workers at PKL Autoparts Supply, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of PKL Autoparts Supply must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to a PKL Autoparts Supply network or reside on a PKL Autoparts Supply site that provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data.


All wireless infrastructure devices that reside at a PKL Autoparts Supply site and connect to a PKL Autoparts Supply network, or provide access to information classified as PKL Autoparts Supply Confidential, or above must:

Abide by the standards specified in the Wireless Communication Standard. Be installed, supported, and maintained by an approved support team. Use PKL Autoparts Supply approved authentication protocols and infrastructure. Use PKL Autoparts Supply approved encryption protocols. Maintain a hardware address (MAC address) that can be registered and tracked. Not interfere with wireless access deployments maintained by other support

organizations.

a. Lab and Isolated Wireless Device Requirements

Page 15


All lab wireless infrastructure devices that provide access to PKL Autoparts Supply Confidential or above, must adhere to section 4.1 above. Lab and isolated wireless devices that do not provide general network connectivity to the PKL Autoparts Supply network must:

Not interfere with wireless access deployments maintained by other support organizations.

No bring your own device (BYOD) policy is allowed on PKL wireless network to connect using corporate account

Any BYOD should be connected to the Guest Wi-Fi

5.6 Home Wireless Device Requirements

i. Wireless infrastructure devices that provide direct access to the PKL Autoparts Supply corporate network, must conform to the Home Wireless Device Requirements as detailed in the Wireless Communication Standard.

ii. Wireless infrastructure devices that fail to conform to the Home Wireless Device Requirements must be installed in a manner that prohibits direct access to the PKL Autoparts Supply corporate network. Access to the PKL Autoparts Supply corporate network through this device must use standard remote access authentication.

5.7 Compliance Measurement

The Change Management team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.8 Exceptions

Any exception to the policy must be approved by the Change Management team in advance.

5.9 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.10 Related Standards, Policies and Processes

Lab Security Policy Wireless Communication Standard

Page 16


6. Remote access Policy

6.1 Overview

Remote desktop software, also known as remote access tools, provide a way for computer users and support staff alike to share screens, access work computer systems from home, and vice versa. Examples of such software include LogMeIn, GoToMyPC, VNC (Virtual Network Computing), VPN, and Windows Remote Desktop (RDP). While these tools can save significant time and money by eliminating travel and enabling collaboration, they also provide a back door into the PKL Autoparts Supply network that can be used for theft of, unauthorized access to, or destruction of assets. As a result, only approved, monitored, and properly controlled remote access tools may be used on PKL Autoparts Supply computer systems.

6.2 Purpose

This policy defines the requirements for remote access tools used at PKL Autoparts Supply

6.3 Scope

This policy applies to all remote access where either end of the communication terminates at a PKL Autoparts Supply computer asset. All remote access tools used to communicate between PKL Autoparts Supply assets and other systems must comply with the following policy requirements.

6.4 Remote Access Tools

PKL Autoparts Supply provides mechanisms to collaborate between internal users, with external partners, and from non-PKL Autoparts Supply systems. The approved software can be found on http://apps.pkl.com.au. This is a self-serf portal, direct line managers must approve before installation option will be available to the user. Because proper configuration is important for secure use of these tools, mandatory configuration procedures are provided for each of the approved tools.

The approved software list may change at any time, but the following requirements will be used for selecting approved products:

i. All remote access tools or systems that allow communication to PKL Autoparts Supply resources from the Internet or external partner systems must require multi-factor authentication. Examples include authentication tokens and smart cards that require an additional PIN or password.

ii. The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.

iii. Remote access tools must support the PKL Autoparts Supply application layer proxy rather than direct connections through the perimeter firewall(s).

iv. Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the PKL Autoparts Supply network encryption protocols policy.

Page 17


http://apps.pkl.com.au/

v. All PKL Autoparts Supply antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.

All remote access tools must be purchased through the standard PKL Autoparts Supply procurement process, and the information technology group must approve the purchase.


5.1 Compliance MeasurementThe Change Management team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

6.6 Exceptions

Any exception to the policy must be approved by the Change Management Team in advance.

6.7 Non-Compliance


7. Server Security Policy

7.1 Overview

Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent Server installation policies, ownership and configuration management are all about doing the basics well.

7.2 Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by PKL Autoparts Supply. Effective implementation of this policy will minimize unauthorized access to PKL Autoparts Supply proprietary information and technology

7.3 Scope

All employees, contractors, consultants, temporary and other workers at Cisco and its Subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by Cisco or registered under a Cisco owned internal network domain.

Page 18


Specifies requirements for equipment on the internal Cisco network. For secure configuration of equipment external to Cisco on the DMZ, see the Internet DMZ Equipment Policy


All internal servers deployed at PKL Autoparts Supply must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by PKL Auto supply

7.5 Resource Community

Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:

i. Server contact(s) and location, and a backup contact Hardware and Operating System/Version

ii. Main functions and applications, if applicable iii. Information in the corporate enterprise management system must be kept up to

date.iv. Configuration changes for production servers must follow the appropriate change

management proceduresv. For security, compliance, and maintenance purposes, authorized personnel may

monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

7.6 Configuration Requirements

Operating System configuration should be in accordance with approved Change management team guidelines.

i. Services and applications that will not be used must be disabled where practicalii. Access to services should be logged and/or protected through accessiii. Control methods such as a web application firewall, if possible.iv. The most recent security patches must be installed on the system as soon as

practical, the only exception being when immediate application would interfere with business requirements.

v. Trust relationships between systems are a security risk, and their use should be avoided.

vi. Do not use a trust relationship when some other method of communication is sufficient.

vii. Always use standard security principles of least required access to perform a function.

viii. Do not use root when a non-privileged account will do. ix. If a methodology for secure channel connection is available (i.e., technically

feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec).

Page 19


x. Servers should be physically located in an access controlled environment. 4.2.9 Servers are specifically prohibited from operating from uncontrolled cubicle areas.

7.7 Monitoring

All security related events on critical or sensitive systems must be logged and audit trails saved as follows:

i. All security related logs will be kept online for a minimum of 1 week. ii. Daily incremental tape backups will be retained for at least 1 month. iii. Weekly full tape backups of logs will be retained for at least 1 month. iv. Monthly full backups will be retained for a minimum of 2 years. v. Security related events will be reported to Change Management team, who will

review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security related events include, but are not limited to:

vi.a. Port scan attacks b. Evidence of unauthorized access to privileged accounts c. Anomalous occurrences that are not related to specific applications on the host

8. Password Protection Policy

8.1 Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of PKL Autoparts Supply's resources. All users, including contractors and vendors with access to PKL Autoparts Supply systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

8.2 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

8.3 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any PKL Autoparts Supply facility, has access to the PKL Autoparts Supply network, or stores any non-public PKL Autoparts Supply information.

8.4 Password Creation

All user-level and system-level passwords must conform to the Password Construction

Page 20


8.5 Guidelines

Users must not use the same password for PKL Autoparts Supply accounts as for other non- PKL Autoparts Supply access (for example, personal ISP account, option trading, benefits, and so on).

Where possible, users must not use the same password for various PKL Autoparts Supply access needs.

User accounts that have system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user to access system-level privileges.

Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults of public and private.

8.6 Consensus Policy Resource Community

System and must be different from the passwords used to log in interactively. SNMP community strings must meet password construction guidelines.

8.7 Password Change

All system-level passwords (for example, root, enable, NT admin, application administration accounts, and so on) must be changed on at least a quarterly basis.

i. All user-level passwords (for example, email, web, desktop computer, and so on) must be changed at least every three months. The recommended change interval is every four months.

ii. Password cracking or guessing may be performed on a periodic or random basis by the Change management team or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to be in compliance with the Password Construction Guidelines.

8.8 Password Protection

Passwords must not be shared with anyone. All passwords are to be treated as sensitive,

Confidential PKL Autoparts Supply information. Corporate Information Security recognizes that legacy applications do not support proxy systems in place. Please refer to the technical reference for additional details.

i. Passwords must not be inserted into email messages, Alliance cases or other forms of electronic communication.

ii. Passwords must not be revealed over the phone to anyone.

iii. Do not reveal a password on questionnaires or security forms.

Page 21


iv. Do not hint at the format of a password (for example, "my family name").

v. Do not share PKL Autoparts Supply passwords with anyone, including administrative assistants, secretaries, managers, co-workers while on vacation, and family members.

vi. Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.

vii. Do not use the "Remember Password" feature of applications (for example, web browsers).

viii. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

8.9 Application Development

Application developers must ensure that their programs contain the following security precautions:

i. Applications must support authentication of individual users, not groups.ii. Applications must not store passwords in clear text or in any easily reversible

form. iii. Applications must not transmit passwords in clear text over the network.iv. Applications must provide for some sort of role management, such that one user

can take over the functions of another without having to know the other's password.

8.10 Use of Passwords and Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks." A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning" All of the rules above that apply to passwords apply to passphrases.

Page 22



The Change management team will verify compliance to this policy through various methods, including but not limited to, periodic walk-through, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

8.12 Exceptions

Any exception to the policy must be approved by the Change management Team in advance.

8.13 Non-Compliance


9. References

Datacentrehttp://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html

Cisco learning portalhttps://learningnetwork.cisco.com/thread/67229

ASA Firewall http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmote.html

Workstation securityhttps://www.sans.org/security-resources/policies/server-security#workstation-security-for-hipaa-policy

Policies www.sans.org

Cimtrak https://www.cimcor.com/cimtrak-vs-idsips?keyword=ids%20ips%20software&matchtype=b&creative=57777838497&source=SearchNetwork&gclid=CLeS-aX-78UCFQIrvQoddiIANg

Why You Shouldn’t Use MAC Address Filtering On Your Wi-Fi Router?; http://www.howtogeek.com/204458/why-you-shouldn%E2%80%99t-use-mac-address-filtering-on-your-wi-fi-router/

Page 23


http://www.howtogeek.com/204458/why-you-shouldn%E2%80%99t-use-mac-address-filtering-on-your-wi-fi-router/

http://www.howtogeek.com/204458/why-you-shouldn%E2%80%99t-use-mac-address-filtering-on-your-wi-fi-router/

https://www.cimcor.com/cimtrak-vs-idsips?keyword=ids%20ips%20software&matchtype=b&creative=57777838497&source=SearchNetwork&gclid=CLeS-aX-78UCFQIrvQoddiIANg



http://www.sans.org/

https://www.sans.org/security-resources/policies/server-security#workstation-security-for-hipaa-policy

https://www.sans.org/security-resources/policies/server-security#workstation-security-for-hipaa-policy

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmote.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmote.html

https://learningnetwork.cisco.com/thread/67229

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html

How Domain Name Servers Workhttp://computer.howstuffworks.com/dns.htm

GFI LanGuard http://www.gfi.com/sites/LanGuard/Website/land/adv/network-auditing-sm?adv=13755&loc=6&kwd=9&gclid=CPXGp5-788UCFdgnvQod57gA1A

Page 24


http://www.gfi.com/sites/LanGuard/Website/land/adv/network-auditing-sm?adv=13755&loc=6&kwd=9&gclid=CPXGp5-788UCFdgnvQod57gA1A

http://www.gfi.com/sites/LanGuard/Website/land/adv/network-auditing-sm?adv=13755&loc=6&kwd=9&gclid=CPXGp5-788UCFdgnvQod57gA1A

http://computer.howstuffworks.com/dns.htm

Study Wireless Security Deployment - PKL

Documents

Transcript of Study Wireless Security Deployment - PKL