Assignment 1 – Defense in Depth
Logan W. Burroughs
CIS534
Professor – Moses Cowan
May 30, 2014
DEFENSE IN DEPTH
1
Introduction
The objective of this paper is to visually display a defense-in-depth model and explain the
features that support an overall layered defense strategy to mitigate potential threats. The
network is comprised of a corporate site in Chicago where all servers are located, including a
Web server, file server, print server, mail server, and FTP server. This site's connection to the
Internet has a speed of 50 Mbps, with 300 employees that have access to the Internet as well as
local and corporate resources. There is also one remote site, 8 miles away, with 20 employees who
need access to all resources at corporate as well as an Internet connection limited to 3 Mbps. In
this design all network device types will be utilized, including routers, switches, hubs,
firewalls, VPNs, and proxies. Along with the devices, the diagram shows the interconnections
between them, the end-user (client) devices (desktops, laptops), and an Internet cloud, which
generically represents the network's interface to the Internet.
In addition to the design, this discussion reviews the flow of data throughout the network to
reveal the security features that create a defense-in-depth design able to protect any
organization with similar requirements. I will first review the network diagram with its physical
features, locations, and Internet speeds; then discuss in depth the security features from each of
the seven network domains (User, Workstation, Local Area Network (LAN), LAN-to-Wide Area Network
(WAN), Remote Access, WAN, and Systems/Applications) and how they are incorporated throughout the
design and infrastructure of the network.
The objective is to implement these features to enforce confidentiality, integrity, availability,
privacy, authenticity, authorization, non-repudiation, and accounting (Stewart, J. M., 2011).
Network Design, Data Flow, and Security Features
The network design features the corporate headquarters site in Chicago. Within the Information
Technology (IT) department are a database server, an FTP server, an application server, a web
server, an email server, a print server, and 30 workstations. The database server utilizes
role-based access features as well as two-factor authentication for server and user access
(Common Access Card and username/password). The FTP server utilizes TCP and sits within the
internal network with additional firewall rules, routing policies that limit open ports, and
internal training on how to locate potential threats for the IT department to monitor. The Web
server must be held in the DMZ to allow the additional port access needed to serve the Internet.
The email and print servers are also located within the internal network.
Outside of the IT department, this organization has six departments on three floors, with 45
workstations and 5 printers per department. Each department is connected to corporate resources
via CAT5 cabling and a 48-port switch that allows 10 Gbps, housed in an Intermediary Distribution
Facility (IDF) on each floor. The 1st and 4th departments are on the bottom (1st) floor with one
IDF; the 3rd and 6th departments are on the top (3rd) floor, which houses another IDF; and the 2nd
and 5th departments are on the middle (2nd) floor, which interconnects both IDFs via a fiber
cable. Each IDF houses the cabling for the floor it is associated with, and the MDF can house
cabling as well as server racks, patch panels, routers, and switches. In this case, however, the
server racks, routers, and switches are in a separate locked room to limit access and secure the
servers (E., 2011, February 17).
All department switches connect to one router that in turn connects to two separate routers; one
router, protected by a firewall, connects the departments to the IT resources; the other router
leads to the De-Militarized Zone (DMZ) and out onto the network. The DMZ provides a space within
the network for components that need less restrictive settings. For instance, the Web server and
the Virtual Private Network (VPN) Gateway are in the DMZ along with firewalls and routers. The
firewalls and routers in the DMZ can be configured with specific open ports, whereas the routers
outside of the DMZ have only the necessary ports open. Continuing the network design, the Web
server within the DMZ has four routers surrounding it, with firewalls between the routers and
either a VPN Gateway or the Internet. One VPN Gateway connects to the internal network via a
router, and the other VPN Gateway leads to the Internet; remote access from the Internet then
passes through a firewall. Remote access is available via Virtual Machines (VMs) on personal
devices that use the VLAN to utilize the VPN. Within the DMZ, two of the routers surrounding the
Web server are protected by two firewalls on either side, with access to the Internet via a 3 Mbps
connection. This connection is through a cable Internet Service Provider (ISP) and is divided into
three connections from three different cable ISPs. The reason for three cable connections is that
if one connection is unavailable, due to weather for instance, the other providers can keep
service constant and lessen the chance of a single point of failure.
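The zone model above (departments, IT servers, DMZ, Internet) can be checked as a policy before any firewall is configured. The following Python is an added example, not code from the paper: the address ranges, zone names and rule set are constructed assumptions that mirror the design (Internet reaches only the DMZ on web and VPN ports, DMZ hosts cannot open connections inward, departments reach internal servers on listed ports only), with an implicit deny for everything else and an audit helper that lists what the Internet can reach in each zone.

```python
"""Zone-based firewall policy check, added as an illustration of the DMZ and
port-restriction design described above. The zones, address ranges and rule
set are constructed for this example and are not taken from the paper."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption): RFC 1918 space for internal zones,
# TEST-NET-1 (192.0.2.0/24) standing in for the DMZ's public range.
ZONES = {
    "departments": ip_network("10.1.0.0/16"),
    "it_servers": ip_network("10.2.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
    "internet": ip_network("0.0.0.0/0"),   # catch-all
}


def zone_of(addr: str) -> str:
    """Longest-prefix match of an address to a zone; anything unmatched is Internet."""
    ip = ip_address(addr)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp" or "udp"
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"


# Ordered rule set: first match wins, and anything unmatched is denied.
RULES: List[Rule] = [
    # Internet reaches only the DMZ, and only the web and VPN-gateway ports.
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "udp", 500, "allow"),    # IKE for the IPsec VPN gateway
    Rule("internet", "dmz", "udp", 4500, "allow"),   # IPsec NAT traversal
    # DMZ hosts may never open connections into the internal server segment.
    Rule("dmz", "it_servers", "tcp", None, "deny"),
    Rule("dmz", "it_servers", "udp", None, "deny"),
    # Departments reach internal services on explicitly listed ports only.
    Rule("departments", "it_servers", "tcp", 21, "allow"),    # FTP control channel
    Rule("departments", "it_servers", "tcp", 25, "allow"),    # mail (constructed choice)
    Rule("departments", "it_servers", "tcp", 445, "allow"),   # file/print sharing
    # Departments may browse the Internet.
    Rule("departments", "internet", "tcp", 80, "allow"),
    Rule("departments", "internet", "tcp", 443, "allow"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide a new flow: returns 'allow' or 'deny' (implicit deny when nothing matches)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto and rule.dport in (None, dport)):
            return rule.action
    return "deny"


def internet_exposed_ports(zone: str) -> List[str]:
    """Audit helper: every proto/port the Internet may reach in a zone.
    Expected to be empty for every zone except the DMZ."""
    exposed = [f"{r.proto}/{r.dport}" for r in RULES
               if r.src_zone == "internet" and r.dst_zone == zone and r.action == "allow"]
    return sorted(exposed)


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web
                 ("203.0.113.5", "10.2.0.5", "tcp", 445),     # Internet -> server segment
                 ("192.0.2.10", "10.2.0.5", "tcp", 3306),     # DMZ -> database
                 ("10.1.3.7", "10.2.0.5", "tcp", 21)]:        # department -> FTP
        print(flow, "->", evaluate(*flow))
    print("exposed in it_servers:", internet_exposed_ports("it_servers"))
```

The audit helper is the check a reviewer runs after every rule change: if `internet_exposed_ports` returns anything for the server segment, a rule has crossed the DMZ boundary the design relies on.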
This network design is set up to compartmentalize information based on the sensitivity levels,
risk tolerance levels, and threat susceptibility levels of specific resources. This portion of the
design secures the confidentiality of data. It extends to specific parts of domains; for instance,
the Remote Access domain will have a different data flow than the LAN and Workstation domains
within the corporate office and the remote site. The next stage in the design is to limit access
based on the principle of least privilege, which means creating a Role-Based Access Control list
for all employees in every department to ensure that each user has only the privileges necessary
for his or her duties. The next phase is to provide high availability through redundant
configurations of links and devices on the network path between the user and mission-critical
resources. This prevents a single point of failure and assures the user of continued service
through outages. Also supporting this are policies such as 'Separation of Duty', which states that
important tasks should be performed by two or more employees, and 'Job Rotation', which dictates
that employees in important positions should rotate (Stawowski, M., 2009, October).
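The least-privilege and Separation of Duty points above translate directly into an access-control model. The following Python is an added example, not from the paper: roles, permissions, users and the invoice workflow are constructed. Each user holds only the permissions of their assigned roles, a static separation-of-duty list refuses conflicting role pairs to one person, and the approval step enforces the paper's "two or more employees" requirement dynamically by rejecting self-approval.

```python
"""Role-based access control with separation of duty, added to illustrate the
least-privilege and 'Separation of Duty' points above. The roles, permissions,
users and invoices are constructed for this example, not taken from the paper."""
from collections import defaultdict
from typing import Dict, List, Set

# Each role carries only the permissions its duties need; a user gets the
# union of their roles and nothing else (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "db_reader": {"db:select"},
    "db_admin": {"db:select", "db:alter", "db:backup"},
    "payables_clerk": {"invoice:create"},
    "payables_approver": {"invoice:approve"},
    "helpdesk": {"user:reset_password"},
}

# Static separation of duty: role pairs one person may never hold together.
MUTUALLY_EXCLUSIVE: List[frozenset] = [
    frozenset({"payables_clerk", "payables_approver"}),
    frozenset({"db_admin", "helpdesk"}),
]


class AccessControl:
    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)

    def conflicts(self, user: str, role: str) -> bool:
        """True if granting `role` would violate a static separation-of-duty pair."""
        held = self.user_roles[user]
        return any(role in pair and (pair - {role}) & held for pair in MUTUALLY_EXCLUSIVE)

    def assign(self, user: str, role: str) -> bool:
        """Grant a role; refused (returns False) for unknown or conflicting roles."""
        if role not in ROLE_PERMISSIONS or self.conflicts(user, role):
            return False
        self.user_roles[user].add(role)
        return True

    def permissions(self, user: str) -> Set[str]:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles[user]))

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def approve_invoice(self, invoice: dict, approver: str) -> bool:
        """Dynamic separation of duty: approval needs the right permission and a
        different person from the one who created the invoice."""
        if not self.is_allowed(approver, "invoice:approve"):
            return False
        if invoice.get("created_by") == approver:
            return False
        invoice["approved_by"] = approver
        return True


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("alice", "db_reader")
    ac.assign("bob", "payables_clerk")
    ac.assign("carol", "payables_approver")
    print("bob may also approve:", ac.assign("bob", "payables_approver"))   # False
    invoice = {"id": 1, "created_by": "bob"}
    print("carol approves bob's invoice:", ac.approve_invoice(invoice, "carol"))
```

Keeping the exclusive-pair list separate from the role definitions is deliberate: an auditor can review the separation-of-duty constraints on their own without reading every permission grant.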
The objective is to eliminate single points of failure, and this holds throughout the data-flow
process as well. Data sent between networks, from an internal resource to a resource outside of
the network, begins at the network layer of the Transmission Control Protocol/Internet Protocol
(TCP/IP) stack. The network layer is where physical addresses (device address, logical network
address, and the source address) are used in message routing. This address is attached to the
packet (data) that will be sent. Next, the packet moves into the data link layer, which adds an
additional physical address (device address) and attempts to locate the destination device. If
the destination device is on a separate network, the source device locates the next physical
address in the path, which is a router. The router reviews the destination address at the network
layer and discards the data link physical address; noticing that the next link in the network path
is another router, it repackages the message at the data link layer, attaching its own physical
address as the source address and the next router's address as the destination. The next router
reassembles the packet at the data link layer and sends it to the destination address, where it
reaches the physical layer (Jois, S., 2013, January 21).
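The hop-by-hop re-encapsulation described above can be traced in a small model. The following Python is an added example, not from the paper or the cited video: the topology (a host, two routers and a destination host), IP addresses and MAC addresses are constructed. Each node does a longest-prefix route lookup, resolves the next hop to a link-layer address, and builds a fresh frame; the trace shows that the MAC pair changes at every hop while the IP source and destination stay the same, and that each router decrements the TTL so a looping packet is eventually dropped.

```python
"""Hop-by-hop forwarding model, added to illustrate the data-flow description
above: the network-layer (IP) source and destination stay fixed end to end,
while the data-link (MAC) addresses are stripped and rewritten at every router.
The topology, addresses and MACs are constructed for this example."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology: hostA -- r1 -- r2 -- hostB.
# "ifaces": connected network -> (own IP, own MAC)
# "routes": destination network -> (next-hop IP, or None if directly connected;
#                                   network of the outgoing interface)
NODES: Dict[str, dict] = {
    "hostA": {"ifaces": {"10.1.0.0/24": ("10.1.0.10", "aa:00:00:00:00:0a")},
              "routes": {"10.1.0.0/24": (None, "10.1.0.0/24"),
                         "0.0.0.0/0": ("10.1.0.1", "10.1.0.0/24")}},
    "r1": {"ifaces": {"10.1.0.0/24": ("10.1.0.1", "aa:00:00:00:01:01"),
                      "10.9.0.0/30": ("10.9.0.1", "aa:00:00:00:01:02")},
           "routes": {"10.1.0.0/24": (None, "10.1.0.0/24"),
                      "10.9.0.0/30": (None, "10.9.0.0/30"),
                      "10.3.0.0/24": ("10.9.0.2", "10.9.0.0/30")}},
    "r2": {"ifaces": {"10.9.0.0/30": ("10.9.0.2", "aa:00:00:00:02:01"),
                      "10.3.0.0/24": ("10.3.0.1", "aa:00:00:00:02:02")},
           "routes": {"10.9.0.0/30": (None, "10.9.0.0/30"),
                      "10.3.0.0/24": (None, "10.3.0.0/24"),
                      "10.1.0.0/24": ("10.9.0.1", "10.9.0.0/30")}},
    "hostB": {"ifaces": {"10.3.0.0/24": ("10.3.0.20", "aa:00:00:00:00:14")},
              "routes": {"10.3.0.0/24": (None, "10.3.0.0/24"),
                         "0.0.0.0/0": ("10.3.0.1", "10.3.0.0/24")}},
}


def owner_of_ip(ip: str) -> Optional[str]:
    """Which node holds this IP on one of its interfaces."""
    for name, node in NODES.items():
        if any(own_ip == ip for own_ip, _ in node["ifaces"].values()):
            return name
    return None


def resolve_mac(ip: str) -> str:
    """Stand-in for ARP: the MAC of the interface that owns `ip`."""
    for node in NODES.values():
        for own_ip, mac in node["ifaces"].values():
            if own_ip == ip:
                return mac
    raise LookupError(f"no interface owns {ip}")


def lookup_route(node: dict, dst_ip: str) -> Tuple[Optional[str], str]:
    """Longest-prefix match in the node's routing table."""
    best = None
    for net_str, entry in node["routes"].items():
        net = ip_network(net_str)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


def forward(src_node: str, packet: dict) -> List[Tuple[str, dict]]:
    """Carry `packet` from src_node to the node owning packet['dst'].
    Returns one (sending node, frame) per hop. The frame's MAC addresses are
    new at every hop; the IP header inside is unchanged except for the TTL,
    which each router decrements (the packet is dropped when TTL reaches 0)."""
    hops: List[Tuple[str, dict]] = []
    current = src_node
    while True:
        node = NODES[current]
        if current != src_node:          # a router forwarding, not the original sender
            packet = {**packet, "ttl": packet["ttl"] - 1}
            if packet["ttl"] <= 0:
                raise RuntimeError("TTL expired; packet dropped")
        next_hop, out_net = lookup_route(node, packet["dst"])
        target_ip = packet["dst"] if next_hop is None else next_hop
        _, out_mac = node["ifaces"][out_net]
        frame = {"src_mac": out_mac, "dst_mac": resolve_mac(target_ip), "packet": packet}
        hops.append((current, frame))
        current = owner_of_ip(target_ip)
        if current is None:
            raise LookupError(f"no node owns {target_ip}")
        if target_ip == packet["dst"]:   # delivered to the destination host
            return hops


if __name__ == "__main__":
    for sender, frame in forward("hostA", {"src": "10.1.0.10", "dst": "10.3.0.20", "ttl": 64}):
        p = frame["packet"]
        print(f"{sender:5} {frame['src_mac']} -> {frame['dst_mac']} | "
              f"{p['src']} -> {p['dst']} ttl={p['ttl']}")
```

From a defender's view the trace is also a reminder that a capture taken on one segment shows only that segment's MAC pair; attributing traffic across the routers in the design above has to rely on the unchanged IP header and on logs from each hop.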
Throughout this process the information must maintain confidentiality, integrity, and
authentication. This is accomplished by avoiding single points of failure, as previously
mentioned, and by protecting assets through dividing and conquering. This network utilizes
physical security measures including gates, security guards, cameras, access cards to enter
specific portions of the building, Uninterruptible Power Supplies (UPS), and servers with
encryption certificates available. Additional security features include the use of Internet
Protocol version 6 (IPv6) for applications, which offers encrypted transmission by default; the
use of an encrypted tunneling protocol, IPsec; and security policies such as an access policy,
accountability policy, authentication policy, privacy policy, computer-technology purchasing
guideline policy, and training policies and procedures. These are complemented by security
procedures, operations, a disaster recovery plan, and a plan to maintain the security posture
(Oppenheimer, P., 2010, October 04).
Conclusion
In conclusion, the materials discussed include the design of a network with a corporate site that
includes servers, a 50 Mbps connection to the Internet, and 300 employees that need access to
corporate resources and the Internet. In addition, the design includes one remote site with 20
employees with 3 Mbps Internet access who also require access to corporate resources and the
Internet. The paper reviewed the physical layout of the design, how data flows throughout the
network, and ways to ensure the confidentiality, integrity, and authentication of information via
physical security measures, cryptography, sound network design, and policies and procedures that
mitigate threats.
References
E. (2011, February 17). Physical Network Segmentation. Retrieved May 04, 2014, from
http://www.youtube.com/watch?v=cLNCYg5RorY
Jois, S. (2013, January 21). How Data Flow Between Network.wmv. Retrieved May 4, 2014,
from https://www.youtube.com/watch?v=SnFau2xFD4A
Oppenheimer, P. (2010, October 04). Developing Network Security Strategies. Retrieved May
04, 2014, from http://www.ciscopress.com/articles/article.asp?p=1626588
Stawowski, M. (2009, October). The Principles of Network Security Design. Retrieved May 04,
2014, from http://www.clico.pl/services/Principles_Network_Security_Design.pdf
Stewart, J. M. (2011). Network Security, Firewalls, and VPNs. Sudbury, MA: Jones & Bartlett
Learning.
Defense-in-Depth Design (network diagram; the image itself is not reproduced in this text version).
Elements shown: a Remote Site (8 miles away) with a 3 Mbps connection, Remote Access, and an
Off-site Internet link; the Corporate Site (Chicago) with a 50 Mbps connection; a DMZ containing a
Web Server, two VPN Gateways, routers, and firewalls; a Firewall IDS/IPS in front of the IT
Department (Database, FTP, Application, Web, Email, and Print Servers; Workstations x30); and
Depts 1-6, each with Workstations (x45), Printers (x5), and a 10 Gbps switch, connected through
routers and firewalls to the Internet.