people.uwplatt.edupeople.uwplatt.edu/~yangq/CSSE411/csse411-materials/f13/... · Web viewServers,...


Network Components and Security Measures for Businesses

Adam Hess
Department of Computer Science

University of Wisconsin -- [email protected]

Abstract

Computer networks have become mainstream in business activities. Network administrators must be concerned with setting up a secure network in order to protect employee information, confidential business operations, and the infrastructure of a computer network. With the vast majority of Americans owning a computer or device that can access computer networks, the need for security controls is paramount. Wired local area networks (LAN) have been around since the invention of Ethernet in the mid-1970s; however, with the development of wireless local area networks (WLAN), the threats to computer systems have never been more prevalent. To prevent such threats to a business’s computer network, one must construct a safe and reliable network using the proper equipment and countermeasures.

Vulnerabilities in Local Area Networks

When Ethernet was developed to establish interconnections between computers and networks, it was an enormous breakthrough. The power of computing comes when computers can work in teams. As it is in the real world, when you are by yourself you are limited as to what you can accomplish, but when you are in a team you can share ideas and resources. With computers being able to communicate with each other and send information via interconnections, one can see that the possibilities are endless. Businesses could now allow multiple computers to share printers, storage, and information.

Once these opportunities were presented, network administrators needed a way to protect the information on the network and prevent uninvited guests from using the company’s resources. One can certainly discover several possible problems when it comes to sharing information over a computer network. For example, vulnerabilities include Ethernet ports, routers and switches, and even the cables themselves. Conceivably, someone could just simply walk into a business, plug their computer into the Ethernet port and be able to access the network. How can one address these concerns?

The answer is using security controls. The most basic way of protecting the hardware is to conceal it, which is an example of a physical security control. Servers, routers, switches, and any other important hardware are normally found inside a closet with a locked door that permits only certain personnel to enter. Ethernet cables could be hidden in walls, ceilings, or floors and just have a port accessible to the end user. Sometimes a deterrent security control, such as a sign on the closet door warning against unauthorized access, is used to deter intruders from entering. As one can see, you will need more than just an external physical means of protecting your network. When businesses began to realize the risks, software was developed to handle the situation. Using preventive security controls, such as firewalls, a business could potentially block unauthorized network connections while using detective security controls, such as an alarm, to sense and report an undesired event. Some software security controls include operating systems, database management systems, and network software, which are all internal to the network and can be protected even more so than the physical aspects of the network. [9]

Over the years, businesses have developed ways to construct secure and reliable networks by utilizing security controls. Although these security controls are effective, they are still vulnerable; however, they greatly reduce the risk of a security breach.

Vulnerabilities in Wireless Local Area Networks

Wired networks are still the norm for computer networks. Once the infrastructure is constructed and the hardware in place, it gets the company what it needs—interconnections between the computers allowing shared access to resources. Lately, however, with laptops, cell phones, and wireless devices, wireless access to the Internet and networks has become ubiquitous. Companies are now spending lots of time, effort, and resources to revamp their networks to accommodate wireless connections. It requires so much time and effort to create a stable and safe wireless network because the risk of intrusion into the network is significantly increased. With wired networks, there were physical security controls to keep the hardware and software from being accessed by everyday visitors. Once the network becomes wireless, it can be accessed from anywhere within a certain radius of the network access point, or hotspot. The wireless network leads into the wired network, so if one were to gain access through the wireless access point, then he or she could conceivably have access to the network and what it has to offer. When companies caught onto the risks of wireless networks, they had to develop ways to deal with the vulnerabilities. [5]

The critical exposures to these wireless networks are the access points, the authentication methods, and the system network management protocol. When software is bought from a vendor and set up for the first time, configurations are geared to ease-of-deployment and ease-of-use. This means that the security configurations are probably quite vulnerable to attack. The network administrator should modify these configurations and update them frequently to ensure protection. [3] A software approach to protecting the data on wireless networks is to use a cryptographic integrity check. Businesses can also set up a list of devices that are allowed to access the wireless network. For example, a MAC Address Access Control List (ACL) will limit access to the network by only allowing authorized wireless cards. A problem with this is that the packets containing the MAC addresses are sent in clear text, so an unauthorized user could potentially obtain these and gain access to the access point. Usually, the access point has the factory configuration for username and password, so the intruder could potentially change this configuration. [5]


Firewalls

A firewall can be a software or hardware-based network security system. The firewall’s job is to block ports (or doors) so that only the ports you want information to come in on are open. There are 65,536 ports that a network can use to communicate to the Internet or outside the network. Stateful firewalls control the incoming and outgoing network traffic and analyze the data to determine whether it should be allowed through. They do this by keeping memory of previous packets and holding several attributes of each connection in dynamic state tables. Firewalls can be configured; the network administrator can create a rule set that checks whether incoming and outgoing data may pass through.

Figure 1: Shows where a firewall can be located in a network. [1]
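The rule set and dynamic state table described above can be seen working together in the following sketch, which is an added example and not code from the original paper. The class names, the rule format, the idle timeout and all addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "S"         # TCP flags: "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" or "out", relative to the protected network
    dport: Optional[int]     # destination port; None matches any port
    peer: str = "0.0.0.0/0"  # outside address range the rule applies to

class StatefulFirewall:
    def __init__(self, inside, rules, idle_timeout=300):
        self.inside = ip_network(inside)
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.state = {}      # flow key -> time the flow was last seen

    def orient(self, pkt):
        """Return (direction, key); both directions of one flow share a key."""
        if ip_address(pkt.src) in self.inside:
            return "out", (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "in", (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt, now):
        # Forget connections that have been idle for too long.
        self.state = {k: t for k, t in self.state.items()
                      if now - t <= self.idle_timeout}
        direction, key = self.orient(pkt)
        if key in self.state:            # part of a connection we already allowed
            if "R" in pkt.flags:
                del self.state[key]      # a reset ends the connection
            else:
                self.state[key] = now
            return ("allow", "established")
        if pkt.flags != "S":             # only a SYN may open a new connection
            return ("deny", "no-state")
        peer = ip_address(key[2])        # the address outside the network
        for number, rule in enumerate(self.rules, 1):
            if rule.direction != direction:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if peer not in ip_network(rule.peer):
                continue
            if rule.action == "allow":
                self.state[key] = now    # remember it so replies pass
            return (rule.action, f"rule {number}")
        return ("deny", "default")       # nothing matched: default deny

# Constructed rule set: web browsing out, SSH in from one administrator address.
RULES = [
    Rule("allow", "out", 80),
    Rule("allow", "out", 443),
    Rule("allow", "in", 22, "203.0.113.10/32"),
]

if __name__ == "__main__":
    fw = StatefulFirewall("192.168.1.0/24", RULES)
    samples = [  # constructed packets
        Packet("192.168.1.20", 50000, "198.51.100.7", 443, "S"),
        Packet("198.51.100.7", 443, "192.168.1.20", 50000, "SA"),
        Packet("198.51.100.9", 40000, "192.168.1.20", 3389, "S"),
    ]
    for second, pkt in enumerate(samples):
        print(pkt, fw.filter(pkt, now=second))
```

The inbound rule for port 22 is the kind of single-port exception an administrator would add for remote access; every other unsolicited inbound packet falls through to the default deny.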

Having a firewall is crucial to securing a computer network. It can be as strict or lenient as the business pleases. For instance, say the network administrator wishes to access the server from home; he or she could open a specific port on the firewall to allow him or her into the server via the Internet. According to John Stewart, an operations manager for inQuo, Salt Lake City:

For a basic network setup, where the computers may only be performing Internet searches, e-mail, sharing files and printers internally, and would not need access to the network from outside, then a router with a built-in firewall may be just fine. For a business that may be accessing their network from outside, or hosting a Web or application server for clients on the outside, an additional firewall appliance is probably a good idea. [10]

Wi-Fi routers today have built-in firewalls, but they only protect you from a few threats like port scanners. These firewalls are termed hardware firewalls and come in two types, Network Address Translation (NAT) and Stateful Packet Inspection (SPI). Hardware firewalls only monitor incoming traffic from outside the network. The one thing the router’s firewall won’t do is protect you from yourself; it does not monitor access within the network, nor does it monitor the computer’s software accessing the Internet. Employees surf the web, run programs, and download files. These activities can endanger their computers with threats like worms and malware that can initiate communication with the Internet. This is where a software firewall is necessary. These firewalls will constantly scan for application activity that tries to send information to the Internet. If the company accepts credit cards as payment, it may need to check compliance standards set by the companies it is working with. In these cases where the business keeps private financial data or confidential client information, a typical firewall on a router won’t suffice. [10]

Attackers can exploit the absence of firewalls. When network components become less secure through configuration changes, or when exceptions made for specific and temporary business needs are left in place for longer than expected, hackers can penetrate the firewall through the electronic gaps these create. Once the attacker gains this access, he or she can intercept or alter data, redirect traffic on the network to a malicious system appearing to be a trusted one, or even hijack a compromised machine on the network. [2]

So how does a company “firm up” its firewall? According to Mathias Thurman, a security manager, “Today, application-based firewalls provide far more flexibility than was available before. The methods of inspecting traffic enable us to allow or deny traffic based on a variety of factors.” [11] Some firewalls offer what is called unified threat management (UTM), which allows the network administrator to exclude a number of appliances and management consoles. Active Directory, which is integrated into newer firewalls, allows network administrators to build application-specific rules based on individual needs. For example, if a business’s remote-access policy didn’t allow an employee to use a certain program, the network administrator could write a rule to enable the use of that program or restrict it to being used only during certain hours of the day. These newer firewalls can do more than just block sites or restrict access to certain sites; the network administrator can define what activities are permissible on some allowed sites. For example, if the business allowed its employees to use Skype, the firewall can be configured to disable file transfers via Skype. By writing rules and defining what actions are permitted, network administrators can keep the computer network safer and significantly reduce the risk that the company’s intellectual property will be exposed. [11]

Routers

Routers are the devices that make communication between networks possible. A router forwards packets and routes the information to a desired destination. A computer has an Internet Protocol (IP) address. Just like your house has a physical street address, the IP address will allow the right information to flow to the right computer. A typical business has more than one computer, so if one wanted multiple computers to connect to the Internet, a router is necessary. The Internet Service Provider (ISP) will give your business a single IP address; this poses a problem since your company uses several computers. A router will take this single IP address and in essence create its own internal network.

When devices are connected to the ports of a switch in the router, the router will assign each of them a unique IP address. If one of the devices requests access to the Internet, the data will go to the router and out to the World Wide Web under the single IP address the ISP gave your company. Then the router waits on the reply. When it gets a reply tagged with the IP address that it sent out, it looks at its table of addresses to see which port to send the information to. It will send the data through the port with the same network address as the IP address in the tag of the packets of data. After that, the data is sent to the switch, which then takes a look at the Media Access Control (MAC) address, which should also be in the tag, to see which port in the switch to forward the information to. Once the switch looks at its table of MAC addresses and finds the match, it sends the information to the specific port that computer is connected to. [10] Below, Figure 2 shows where the router is located in reference to the firewall and switches in the network.

Figure 2: An illustration of where the router is located in a network. [7]
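The path a reply takes through the router's address table and the switch's MAC table, as described above, is traced in the following added example, which is not code from the original paper. The class names, the address-to-MAC lookup table, the starting port number and all addresses are constructed for illustration, and storing the remote endpoint in the translation table is an assumption about how strictly the router matches replies.

```python
class NatRouter:
    """Port address translation: many private hosts share one ISP address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}    # (private ip, private port, remote ip, remote port) -> public port
        self.by_port = {}    # public port -> the same flow tuple

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the network; returns the packet as sent."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:     # first packet of this flow: new entry
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        flow = self.by_port.get(dst_port)
        if dst_ip != self.public_ip or flow is None:
            return None                  # nobody inside asked for this
        private_ip, private_port, remote_ip, remote_port = flow
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                  # not the host that was contacted
        return (src_ip, src_port, private_ip, private_port)


class Switch:
    """Forwards by destination MAC address using a learned table."""

    def __init__(self):
        self.mac_table = {}              # MAC address -> switch port number

    def learn(self, mac, port):
        self.mac_table[mac] = port

    def forward(self, dst_mac):
        # None means the MAC is unknown (a real switch would flood the frame).
        return self.mac_table.get(dst_mac)


def deliver_reply(nat, ip_to_mac, switch, reply):
    """Follow a reply from the Internet to a switch port; None means dropped."""
    translated = nat.inbound(*reply)
    if translated is None:
        return None
    return switch.forward(ip_to_mac[translated[2]])


if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")       # constructed ISP-assigned address
    ip_to_mac = {"192.168.1.10": "aa:aa:aa:00:00:10",
                 "192.168.1.11": "aa:aa:aa:00:00:11"}
    switch = Switch()
    switch.learn("aa:aa:aa:00:00:10", 1)
    switch.learn("aa:aa:aa:00:00:11", 2)
    # Two hosts use the same source port; the router keeps them apart.
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.7", 443))
    print(nat.outbound("192.168.1.11", 51000, "198.51.100.7", 443))
    print(deliver_reply(nat, ip_to_mac, switch,
                        ("198.51.100.7", 443, "203.0.113.5", 40001)))
```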

Consumer-focused Routers vs. Business Routers

Those are the basics of how a router works, but not all routers are created equal. The typical person who just needs a router for his or her household to connect a couple of computers to the Internet can purchase a consumer-focused router, which is normally under $100 in price. These routers typically come with a four-port Ethernet switch, one Wide Area Network port, wireless encryption, built-in firewall, and antenna arrays—in essence everything the consumer would need for his or her purposes of a household network. The consumer-focused router has some other features including virtual networks to give guests access to the network, Wi-Fi Protected Setup (WPS) and a security scheme like Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA).

A business router is more expensive for obvious reasons, with prices ranging anywhere from $700 to $2000 or more depending on what the device includes. They may have some of the features of consumer routers, like the switch, virtual networks, and traffic prioritization for Voice over IP (VoIP) applications. Business-class routers are built for security, flexible access to the network via remote access, and scalability. These more-secure protocols are often complex to set up and may require a dedicated server. When browsing the market for a business-level router, the higher-end ones will provide scalability if your business goals are to expand. Other advantages to having the more expensive routers include multiple WAN ports, a robust Virtual Private Network (VPN), Secure Sockets Layer (SSL) portal and tunnel VPNs.

Having multiple WAN ports allows the network to establish connections to multiple ISPs or to connect your business to a partner business or client on a dedicated line via a leased telephone line and not through the Internet. Another option is to have two or more connections to the same ISP for load balancing.

Security Configurations Overview

When designing a secure computer network for a business, the network administrator must ensure the use of standard secure configurations of the operating systems. The images should be hardened versions of the underlying operating system and the applications installed on the system, so that the setup of a new machine is efficient and fully secure. Hardened images normally disable unnecessary services, apply patches, construct host-based firewalls, and possibly close unused network ports. Be sure to restrict administrative privileges to the few users who have the knowledge and need to change configurations of the underlying operating system. Another idea for security is storing the master images on a secure server that is subject to integrity checks. This ensures that only authorized changes can be made. Using a secure medium to move the master image from the offline machine where it is stored to the destination machine keeps the master image off the network and cuts out the possibility of it being accessed via the network. When accessing the server from a remote location, only use secure channels; protocols such as Telnet do not actively support strong encryption. [3]

Keeping your system clean by utilizing file integrity checks on a frequent basis is a necessity. Using automated configuration monitoring systems to measure secure configurations like those compliant with Security Content Automation Protocol (SCAP) will gather configuration vulnerability information and examine changes made to the software, hardware, or network configurations. Another policy in configuration hygiene is installing configuration management tools like Active Directory Group Policy Objects for Microsoft Windows systems to regularly enforce and redeploy configuration settings to the systems. [3]
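A file integrity check of the kind described above can be sketched as follows; this is an added example, not code from the original paper or from any SCAP tool. It records a SHA-256 baseline of a directory, protects the baseline itself with an HMAC so that an altered baseline is detected, and reports what changed. The function names, the report format and the sample files are assumptions, and the key is assumed to be kept off the monitored machine.

```python
import hashlib
import hmac
import json
import os
import tempfile

def hash_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            digests[os.path.relpath(path, root)] = digest.hexdigest()
    return digests

def manifest_mac(files, key):
    """HMAC over a canonical encoding of the manifest."""
    canonical = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def make_baseline(root, key):
    """Record the known-good state; run this on the hardened master image."""
    files = hash_tree(root)
    return {"files": files, "mac": manifest_mac(files, key)}

def verify(root, baseline, key):
    """Compare the current files with the baseline and report differences."""
    report = {"baseline_ok": False, "added": [], "modified": [], "removed": []}
    expected = manifest_mac(baseline["files"], key)
    if not hmac.compare_digest(expected, baseline["mac"]):
        return report        # baseline was altered: do not trust its contents
    report["baseline_ok"] = True
    known, current = baseline["files"], hash_tree(root)
    report["added"] = sorted(set(current) - set(known))
    report["removed"] = sorted(set(known) - set(current))
    report["modified"] = sorted(
        path for path in known if path in current and known[path] != current[path]
    )
    return report

if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed; keep real keys offline
    with tempfile.TemporaryDirectory() as root:
        config = os.path.join(root, "sshd_config")   # constructed sample file
        with open(config, "w") as handle:
            handle.write("PermitRootLogin no\n")
        baseline = make_baseline(root, key)
        with open(config, "w") as handle:             # simulate an unauthorized edit
            handle.write("PermitRootLogin yes\n")
        print(verify(root, baseline, key))
```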

If your business utilizes mobile devices such as company cell phones, it may be necessary to implement a formal process and management framework to control the configuration settings of these devices. One of the biggest fears for companies that issue cell phones is an employee losing one and giving a complete stranger access to that employee’s email, database access, and other company privileges. Management infrastructures that deal with mobile devices provide a way to wipe a device clean if it is lost or stolen. This type of management also allows for approving or denying applications to be installed on the device. [3]

Some companies will find that diagramming the entities in a network is essential to meet the objectives defined in their security policies. Having a diagram will help organizations identify problems and understand the relationships between the entities. Figure 3 below shows a diagram representing a possible control system for a network. [3]

Figure 3: Shows an example of a control system for a network. [3]

According to SANS.org, “A control system is a device or set of devices that manage, command, direct, or regulate the behavior of other devices or systems.” This example displays the devices and software used to manage consistent configuration settings for the components on the network. The following items explain the relationships between the entities in the above diagram:

1) One shows the system images being applied to the computer systems.
2) Two shows the images being stored in a secure place, whether it is an offline machine or server. Three shows the images being validated by the configuration management system.
3) Four shows the configuration enforcement system scanning the network computers.
4) Five shows the file integrity system monitoring the systems.
5) Six shows a white-listing tool monitoring systems’ configurations.
6) Seven shows the SCAP scanner validating the configurations.
7) Eight, nine, and ten show the file integrity assessment system, white-listing tool, and SCAP scanner respectively sending abnormalities to the alerting system.
8) Finally, eleven and twelve show where management reports are addressed. [3]

Statistics Concerning Data Loss and Network Security

When thinking about how critical data security is in today’s world, one can only imagine what happens when some data is leaked. Top secret government files, personal financial records, or even medical documents all hold key information about us or our interests. So it’s not hard to understand why hackers want to get this information; they want to exploit the material and use it for their own gain. Several societies around the world would relish the opportunity to have their enemies’ secrets and use them against them. According to the Identity Theft Resource Center (ITRC), 447 breaches in the United States were documented, exposing 17,317,184 records just last year alone. So far in 2013, 48 percent of reported data breaches in the United States have been in the medical/healthcare industry. [4]

Network Security Challenges Faced by Universities

While corporations face threats to their network security, universities face some unique challenges that corporations do not. Each year, new students arrive at colleges and bring with them their laptops and other mobile devices. More often than not, these devices are not up to the security levels that would be acceptable. Many times the computers have little to no security like firewalls and anti-virus software. On top of that, the devices could be housing malware and other viruses. At Bridgewater State College in Massachusetts, the IT department is making it a goal to bring the students’ laptops up to a certain minimum level of health. Using a Network Access Control (NAC) can help protect information resources on the network. Three basic approaches to NAC exist: Infrastructure-Based, Endpoint Software-Based, and Network Security Appliance-Based. [8]

At Bridgewater State College, the university uses a Cisco Network Admission Control as the Infrastructure-Based NAC. Infrastructure-Based NAC focuses on upgrading a network to store integrated NAC functionality through a single vendor, in this case Cisco. The campus is also using an Endpoint Software-Based NAC by having a gateway that requires each user to type in his or her credentials and validates that the user’s computer has the latest copy of anti-virus software and a firewall enabled. Endpoint Software-Based NACs protect clients through scans and validating software. Bridgewater State College’s IT department has been pleased with the success of this approach; having spent over $75,000, they believe it was a great investment for providing the campus with the protection it needs. [8]

Network Security Appliance-Based NACs are for highly distributed budget-constrained environments. They offer ease of deployment and a cost savings over the infrastructure-based deployment, but at the cost of being less vigorous and offering fewer features. [8]


Conclusion

In summary, developing a secure computer network system has several areas that must be addressed. More and more companies are expanding their IT department because of the ubiquitous mobile device movement. When it comes to wireless security, one must use scrutiny when purchasing routers, access points, firewalls, and security software. Being a network administrator comes with a great responsibility of protecting the network from attacks and keeping the information from being leaked to unwelcome guests. In a world where nearly everything is kept in computer databases and servers, maintaining the distribution of this information and keeping it secure are very important.


References

[1] (2013, October 16). Retrieved October 20, 2013, from Wikipedia website: http://upload.wikimedia.org/wikipedia/commons/5/5b/Firewall.png

[2] Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches. (n.d.). Retrieved October 16, 2013, from SANS website: http://www.sans.org/critical-security-controls/control.php?id=10

[3] Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. (n.d.). Retrieved October 10, 2013, from SANS website: http://www.sans.org/critical-security-controls/control.php?id=3

[4] Data Breach Trends & Stats. (2013). Retrieved October 10, 2013, from http://www.indefenseofdata.com/data-breach-trends-stats

[5] Dhull, S. (2010). Study of Vulnerabilities in Wireless Local Area Networks (WLAN). International Journal of Education Administration, 2(4), 727-731. Retrieved from http://www.ripublication.com/ijea.htm

[6] Network and Computer Systems Administrators. (2012, March 19). Retrieved October 16, 2013, from Occupational Outlook Handbook website: http://www.bls.gov/ooh/computer-and-information-technology/network-and-computer-systems-administrators.htm

[7] Positioning Network Agent in the network. (n.d.). Retrieved October 25, 2013, from Websense website: http://www.websense.com/content/support/library/deployctr/v77/dic_ws_na_loc.aspx

[8] Powers, V. (2008, March). Keeping an Eye on the Network. University Business, 55-58. Retrieved from http://www.badgerlink.net/

[9] Purcell, J. E. (n.d.). Security Control Types and Operational Security. Retrieved October 10, 2013, from Risk website: http://risk1.net/Security-Control-Types-and-Operational-Security-James-E.-Purcell-pdf-e2182.html

[10] Stewart, J. (2011, June 6). June tech tips - firewalls, routers, and switches. The Enterprise. Retrieved from http://www.slenterprise.com/

[11] Thurman, M. (2011, March 7). Firming Up Firewall Protection. Security Manager's Journal, 24.