Deploying Security Facilities
December 21, 2007
Prepared by: Group 1
Table of Contents
Group 1 – Final Project, Phase 2 2
Most organizations (whether financial institutions, manufacturing plants, or
government agencies) have come to depend very heavily on a solid IT
infrastructure. TwoHands is no different in this respect. A firm IT foundation
greatly enables the business to succeed. This report is composed of a series of
recommendations based on the previously completed vulnerability analysis of the
TwoHands corporate infrastructure.
The investment required for these upgrades will more than pay for itself by
increasing the efficiency of the business, improving the customer's ability to
easily place an order, simplifying communication with business partners, and
securing the valuable intellectual property developing within the organization's research
In short, this initial overhead investment will improve the business functions of
TwoHands and reduce the technology maintenance requirements greatly. We
feel that these recommendations will help the business to operate more
smoothly, reduce the technology hindrance placed upon employees, and
consolidate current network appliances and infrastructure devices. Operations
employees will be able to perform their jobs with fewer technology hurdles, IT
employees will face a lighter workload due to reduced helpdesk call volumes, and
executives will appreciate the inexpensive implementation strategy.
In summary, our solution addresses the security and infrastructure concerns of
the TwoHands corporation using a comprehensive but conservatively priced
A firewall is one of the first and most basic forms of network security. Despite
the fact that firewalls have been around for a very long time, and their basic task
has not changed much, they are still invaluable to ensuring the security of data
on the TwoHands network. The type of firewall that will be implemented using
the Cisco ASA appliance is a packet filtering gateway. This common
implementation essentially places the firewall at the edge of the network where
all remote traffic comes in. Placing the firewall in this location ensures that each
packet into and out of the TwoHands systems is evaluated against defined
criteria and determined to be permissible or not.
The firewall, in its simplest form, is a collection of rules that all forms of
network traffic must abide by. The two most fundamental rules are "permit all" and
"deny all." Deny all will be implemented within the TwoHands network to ensure
that the only traffic on the network is that which meets rigidly defined criteria.
For example, the R&D section of the TwoHands network is one of the most
critical to keep secured. This means that most services and ports will not be
available in this portion of the LAN. The network administrator will want to block
incoming port 80 (HTTP) connections, to prevent the intentional or inadvertent
operation of a web server. Therefore, no rule will be created explicitly stating
that port 80 packets are approved, and it will fall under the blanket of deny all.
A service that will be permitted might be ICMP for network diagnostics. However,
ICMP can be used maliciously to knock a server offline, and so the network
infrastructure should also be configured to throttle this type of traffic if it arrives
in bulk. Additional exceptions for each area may be made by network staff on a
case-by-case basis, but in general unless a service is critical to business
operations it should be disallowed. The R&D area, in particular, should be very
strictly locked down to prevent compromising trade secrets.
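To make the "deny all" reasoning above concrete, here is an added example in Python; it is not part of the report and not Cisco ASA configuration. It is a miniature packet filter in which the only traffic that passes is traffic matched by an explicit permit rule, so a connection to port 80 in the R&D segment is dropped simply because no rule mentions it, while ICMP is permitted for diagnostics but throttled by a token bucket when it arrives in bulk. The subnet, rule set, rate and sample packets are all constructed.

```python
"""Added example, not part of the report and not ASA configuration: a minimal
model of the "deny all" packet filter described above, with an ICMP token
bucket so diagnostics pass but bulk ICMP is throttled. Subnet, rules, rate and
packets are all constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for ICMP
    ts: float             # arrival time in seconds


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # protocol name or "any"
    dst_net: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.dst) in self.dst_net
                and (self.dport is None or self.dport == p.dport))


class TokenBucket:
    """Admits `rate` packets per second with bursts of up to `burst` packets."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PacketFilter:
    def __init__(self, rules: List[Rule], icmp_rate: float, icmp_burst: int):
        self.rules = rules
        self.icmp_bucket = TokenBucket(icmp_rate, icmp_burst)
        self.log: List[str] = []

    def evaluate(self, p: Packet) -> str:
        # First matching rule wins; anything no rule mentions falls under "deny all".
        verdict = next((r.action for r in self.rules if r.matches(p)), "deny")
        # ICMP is permitted for diagnostics but throttled when it arrives in bulk.
        if verdict == "permit" and p.proto == "icmp" and not self.icmp_bucket.allow(p.ts):
            self.log.append(f"{p.ts:.3f} throttle icmp from {p.src}")
            return "deny"
        if verdict == "deny":
            self.log.append(f"{p.ts:.3f} deny {p.proto} {p.src}->{p.dst} port {p.dport}")
        return verdict


RND_NET = ip_network("10.20.0.0/24")  # constructed R&D subnet


def rnd_filter() -> PacketFilter:
    rules = [
        Rule("permit", "icmp", RND_NET),
        Rule("permit", "tcp", RND_NET, dport=22),  # administrative SSH only
        # Deliberately no rule for port 80: a web server in R&D is unreachable.
    ]
    return PacketFilter(rules, icmp_rate=5.0, icmp_burst=10)


def demo() -> dict:
    """Run constructed traffic through the R&D filter and summarise the verdicts."""
    f = rnd_filter()
    out = {
        "http": f.evaluate(Packet("203.0.113.9", "10.20.0.15", "tcp", 80, 0.0)),
        "ssh": f.evaluate(Packet("203.0.113.9", "10.20.0.15", "tcp", 22, 0.1)),
    }
    # 30 pings within 30 ms: the burst of 10 is admitted, the remaining 20 throttled.
    pings = [Packet("203.0.113.9", "10.20.0.15", "icmp", None, 1.0 + i * 0.001) for i in range(30)]
    verdicts = [f.evaluate(p) for p in pings]
    out["icmp_permitted"] = verdicts.count("permit")
    out["icmp_denied"] = verdicts.count("deny")
    out["log_entries"] = len(f.log)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the log entries is the one the report makes later about investigation: every dropped or throttled packet leaves a record, so an unexpected burst of denials against the R&D subnet can be reviewed rather than silently discarded.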
As stated, the Cisco ASA 5500 is a multifunctional network appliance. Included in
this device is a Cisco PIX-like firewall implementation that will allow for advanced
configuration of firewall preferences. The firewall, coupled with a well-designed
network infrastructure that includes appropriate VLAN designations and well-
placed network hardware, will provide a secure frontline for TwoHands.
The key to a successful firewall implementation is a well-defined network security
policy. This includes stating what specific job roles and areas are and aren’t
permitted to do. This assignment of permissions can then be converted into a
firewall configuration that grants only the access necessary for the network to be
fully functional. User permissions should be assigned in a least-amount-
necessary fashion, giving employees only the access, services, and protocols that
are required in order to complete their jobs.
A well-defined security policy should also be reviewed yearly. If it is found that
an excessive number of exceptions and spontaneous modifications are being
made to allow for successful completion of necessary tasks, then it is likely time
to review the policy driving these changes. It may need to be updated to fit with
the current vision and needs of the company.
The use of an integrated appliance for all security functions drastically lowers the
associated costs with operating a secure facility. TwoHands will save thousands
of dollars in hardware by not having to separately operate a NIDS, firewall, and
VPN concentrator autonomously. Additionally, the firewall system provides
enough peace of mind that it would be a worthwhile investment even at a much
higher price. The need for a firewall within a corporate environment is essentially
nonnegotiable, and the benefit is immeasurable. This piece of the ASA appliance
is a must-have, regardless of cost.
Maintenance & Management:
Maintenance of the firewall should follow a regular schedule. As most functions
of network security are being supplied through a single appliance, firmware
patches and similar updates will be processed as a large group. Individual
updates should be handled with the routine patch schedule, which will likely be
one evening each month during nonpeak operating hours.
In order to prevent exposure of vital network assets, it is best that if the firewall
is down (due to upgrade, repair, or even unexpectedly) the network is taken
offline entirely. While simply taking the system offline is not desirable, it is the
lesser of two evils in a situation where financial assets and other pieces of data
are at risk.
Additionally, as modifications or specific exceptions are made to the security
policy by the network administration team, there may be a need to add
additional rules to the firewall’s filters. These will be handled on a case-by-case
basis but should not result in any downtime as these changes can be made while
the device is still "hot." Lastly, the Cisco appliance will be set up with a
redundant unit in order to prevent unexpected downtime due to hardware failure
or similar occurrences.
Site-to-site VPN will be useful for TwoHands if it wishes to connect branch
offices. Through the use of VPN routers, two sites can effectively be combined
into a single network despite the distance between them. The Cisco ASA 5500
series of routers can be used to perform these tasks. These routers have IPsec
(Internet Protocol Security) and SSL (Secure Sockets Layer) built in for security
purposes. Any sensitive data traveling over the internet must be encrypted to
ensure that the data remains confidential. The 5500s have a variety of network
settings. For connecting multiple sites at LAN speed, there is a full-network VPN
setting. This technology can easily allow the factory, warehouse, headquarters
and research to be linked together.
The secure communication channel used by the VPN router allows data to travel
between the four sites without concern. Each connection must be set up using
a shared key so that the routers can talk to each other. Each connection that is
set up, such as headquarters to factory or research to warehouse, should have
its own key. Four secure connections would need to be established: HQ to
factory, HQ to research, HQ to warehouse and warehouse to factory. The router
at HQ is used to forward traffic to and from research. With four different
communication keys, one compromised key would not compromise the security of
the entire network. For security reasons, these keys should also be changed
occasionally. After a key is changed, any previous information with regard to
the key will be useless.
The VPN routers have other uses as well that TwoHands can take advantage of.
They have built-in protocols for media streaming. This means that TwoHands can
connect to a business partner to hold a conference or meeting of some variety
without giving that company access to TwoHands' network infrastructure.
Streaming media is becoming more important, as it is getting cheaper and more
efficient. For example, before streaming media, heads of companies would have
to fly to different locations to hold meetings if they were based far from each
other. This consumes time and money that could be better spent on other
things. With streaming media, companies can communicate more quickly than
ever before. Best of all, this data can also be sent using the routers' built-in
encryption schemes, so any potentially sensitive information will only be
received by the parties participating in the session. Each business
partner that wishes to be part of a communication session will need keys
beforehand to set up the secure channel. These keys, like the others, should be
changed occasionally to prevent the disclosure of sensitive information.
Another useful feature of VPN is that it can allow remote access to a network.
This can be useful for employees who cannot be in the office for whatever
reason. Cisco claims that, when properly configured, these routers can allow
remote access to users through a web browser on any computer. This can mitigate
problems related to client software that the machines would otherwise need to
run. These connections contain all of the security mechanisms of the others as
well. Also, instead of using a previously set up shared key, they function using
public key encryption. This allows temporary connections to be set up more
The diagram below represents the TwoHands network after deployment of the
Cisco ASA 5500 router. This diagram shows the many different possibilities of
connecting to the network. For example, an Account Manager needing to access
the network from home or on a business trip can connect securely with the VPN.
Another scenario is communications between business partners. If a supply
partner needs access to the network at TwoHands they can connect securely
through the “tunnel” that the VPN creates over the internet. Using a properly
configured Cisco ASA 5500 can ensure the following:
• Confidentiality - Make sure it is hard for anyone but the intended receiver to
understand what data has been communicated. Keeping passwords and
other sensitive data private is crucial.
• Integrity - Guarantee that the data does not get changed along the way.
This is important for tasks that require exact amounts and precision.
• Authenticity - Sign your data so that others can see that it is really you
who sent it. This is helpful in trusting the documents being used.
• Replay protection - Ensure that a transaction can be carried out only once
unless there is authorization to repeat it.
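The per-link keys described for the site-to-site tunnels and the integrity, authenticity and replay-protection properties listed above can be shown in a few dozen lines. The following is an added example, not code from the report or from the ASA product: each link has its own key, every message carries a sequence number and an HMAC-SHA256 tag, and the receiver keeps a sliding window of accepted sequence numbers (the same idea as IPsec ESP anti-replay), so a replayed, altered, or wrong-link message is rejected. Confidentiality is left out only because the Python standard library has no block cipher; the site names, keys and messages are constructed.

```python
"""Added example, not part of the report: a toy model of per-link VPN keys and
of the integrity, authenticity and replay-protection properties listed above.
Each site-to-site link has its own key; every message carries a sequence number
and an HMAC-SHA256 tag, and the receiver tracks accepted sequence numbers in a
sliding window (as IPsec ESP anti-replay does) so a replayed message is
rejected. Confidentiality is omitted because the standard library has no AES.
Site names, keys and messages are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 digest size


class Tunnel:
    """One direction of one site-to-site link, keyed independently of all others."""
    WINDOW = 64

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit k set <=> sequence number (highest - k) was accepted

    def _tag(self, seq: int, payload: bytes) -> bytes:
        return hmac.new(self.key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        self.send_seq += 1
        return struct.pack(">Q", self.send_seq) + payload + self._tag(self.send_seq, payload)

    def open(self, msg: bytes) -> Optional[bytes]:
        """Return the payload if the tag verifies and the sequence number is fresh."""
        if len(msg) < 8 + TAG_LEN:
            return None
        seq = struct.unpack(">Q", msg[:8])[0]
        payload, tag = msg[8:-TAG_LEN], msg[-TAG_LEN:]
        if seq == 0 or not hmac.compare_digest(tag, self._tag(seq, payload)):
            return None  # forged, corrupted, or sealed under another link's key
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= self.WINDOW or (self.seen >> offset) & 1:
                return None  # replayed, or too old to track
            self.seen |= 1 << offset
        return payload


def demo() -> dict:
    # Constructed per-link keys: the HQ-factory and HQ-warehouse links never share one.
    keys = {"hq-factory": os.urandom(32), "hq-warehouse": os.urandom(32)}
    hq_to_factory = Tunnel(keys["hq-factory"])   # sending side at HQ
    factory = Tunnel(keys["hq-factory"])         # receiving side at the factory
    warehouse = Tunnel(keys["hq-warehouse"])     # receiving side on the other link
    m1 = hq_to_factory.seal(b"order 4711: 200 units")
    m2 = hq_to_factory.seal(b"order 4712: 50 units")
    out = {}
    out["out_of_order"] = (factory.open(m2), factory.open(m1))  # both fresh, both accepted
    out["replay"] = factory.open(m1)                            # already seen: rejected
    tampered = m1[:8] + b"order 4711: 900 units" + m1[-TAG_LEN:]
    out["tampered"] = factory.open(tampered)                    # tag mismatch: rejected
    out["wrong_link"] = warehouse.open(m2)                      # other link's key: rejected
    return out


if __name__ == "__main__":
    print(demo())
```

The "wrong_link" case is the property the report wants from separate keys: a message sealed for the HQ-factory link is meaningless on the HQ-warehouse link, so losing one key exposes one link. Re-keying a link, as the report recommends, is a matter of creating a fresh Tunnel pair, which also resets the replay window.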
The Cisco ASA 5500 Series of routers can lower the total cost of network
management significantly. It takes many different security solutions and tightly
integrates them into one appliance. The built-in firewall and VPN capabilities
make this a great choice for an expanding business like TwoHands.
Company Savings with VPN Connectivity
1. VPN lowers costs by eliminating the need for expensive long-distance leased
lines. With VPNs, an organization needs only a relatively short dedicated
connection to the service provider. This connection could be a local leased line,
which is significantly less costly than a long-distance line.
2. VPNs reduce costs by decreasing the need for long-distance telephone
charges for remote access. To provide remote access service, VPN clients need
only call into the nearest service provider's access point. In some cases this may
require a long-distance call, but in many cases a local call will work.
3. VPNs may lower costs through offloading of the support burden. With VPNs,
the service provider rather than the organization must support dial-up access, for
example. Service providers can in theory charge much less for their support than
it costs a company internally, because the public provider's cost is shared
amongst potentially thousands of customers.
Compared to leased lines, Internet-based VPNs offer greater global reach, given
that Internet access points are accessible in many places where dedicated lines
are not available. The ability to share files and printers also reduces the money
dedicated to upkeep and hardware and decreases data redundancy.
TwoHands will benefit with a higher output in productivity and seamless
integration of user and the company intranet.
The staff in charge that manages IT and network security will handle the
maintenance of the VPN configurations and settings. Staff must always be
alerted to any threats or malfunctions that occur with the VPN connection.
Having redundant ASA 5500 routers will help the company get instantly back
online if a problem occurs with the appliance currently in operation during the
There are a few key points to regard before deployment of any VPN solution.
The following must be maintained on a regular basis due to the constantly
increasing and evolving network security demands:
There must be an efficient way of adding and removing users from the system. It is
best to have an automated approach so that there is not a single point of contact
the user must reach if there are questions about using the VPN solution. In
general, the VPN solution will be maintained on the infrastructure end. User-related
calls should be few and far between, and will likely be of a technical
support nature (e.g., "I am unable to connect to the VPN, the network, or other
resources"). Therefore, these types of calls will be handled in the routine way that
all help desk calls are. Infrastructure-related calls (e.g., "Remote Site A cannot
access HQ network resources") will be handled by a network engineer or
administrator, as they are more critical to business operations and will also
require greater access to hardware and configuration changes in order to
The burden of constantly changing passwords to gain access to the network
needs constant attention. This is critical because only users with permission to
access the system should be on the network. A password management system
should ideally include a single sign-on solution to simplify the user experience.
This means that a user has one ID and password that are propagated
throughout the network whenever changes are made, allowing the use of the
same set of credentials for checking e-mail, signing into the VPN, logging into a
workstation, or other tasks that utilize network resources.
The system should also include an expiration period that depends on the
criticality of the user role. For example, a team lead in research and design might
need to change their password once each month, while an employee with a less
vital role may only need a new password every six months.
TwoHands must be prepared to handle the hardware and software maintenance
of the VPN platform itself. As the system is composed of a single in-line
appliance, there will likely be an upgrade schedule, or pathway, that sets a
definite date for the device to be retired and replaced with an improved model.
The normal rotation schedule for this type of hardware is three to five years,
depending on industry trends, availability of funds within the IT budget, desire for
expansion, and overall performance needs. Therefore, TwoHands should
schedule replacement of this appliance to take place a minimum of three years
and a maximum of five years from implementation. The exact time within this
range should be decided by the chief network architect based on the
Overall, the company will greatly benefit from the use of the Cisco ASA 5500. Its
multiple uses and high level of efficiency will make for a more productive and
well-established company network. Maintenance is an ongoing process that is
very important to the performance of the VPN. While a Virtual Private Network is
a great way to keep a network secure, it cannot be the only method
implemented. The internet is a wild place; many security measures need to be
taken. Once all factors are considered and actions are taken to handle any
emergencies dealing with the VPN, TwoHands should deploy the Cisco ASA 5500
Intrusion Detection Systems
Intrusion Detection Systems are critical in minimizing risks and the likelihood of a
successful cyber attack against TwoHands’ Information Systems. If an attacker
breaks into the systems, they can access and manipulate any data on the
systems. Through IDS, one can examine and monitor intrusions and prevent
similar attacks from occurring in the future. Intrusion Detection Systems can
assist in decreasing the probability of significant security problems and possible
financial loss for TwoHands. Intrusion Detection Systems identify and respond
to successful intrusions, and then take action to mitigate the damage. IDS will
aid in protecting TwoHands' accounting, payroll, purchasing, and other important
information systems on the company's network. TwoHands wants to protect its
accounting systems because this is where it stores information on the
amount of money it has at the end of each day and records all of its
money transactions. The company's payroll systems are also important because
they maintain records on personnel data and assist in distributing paychecks and
pay stubs. Purchasing systems are quite crucial to TwoHands' business because
they are used to determine which products to produce and how much of each product.
Another important system that needs to be protected is their Research and
Development systems because this is where all the information on their new and
improved products is stored. To protect these information systems and prevent
any future intrusions, three types of Intrusion Detection Systems will be
implemented. The three Intrusion Detection systems are: Network-based, Host-
based, and Application-based.
Network-based Intrusion Detection System
A Network-based Intrusion Detection System inspects network traffic for
malicious packets. NIDS monitors incoming and outgoing packets to try to find
any suspicious or anomalous behavior. The packets are usually gathered by
packet sniffing with the network interface set to promiscuous mode, capturing all
traffic in real time as it passes through the network. NIDS also tries to detect
malicious activity such as denial of service attacks and port scans.
Based on TwoHands' network topology, the Network-based Intrusion Detection
System would be installed where the Accounting, Payroll, Purchasing and Research
servers connect to the internet. The reason for installing NIDS at these particular
locations is that this is where incoming and outgoing traffic passes through
the company's network, so it is the place to make sure that only trusted users have
access. Signature-based intrusion detection would be used to analyze the audit
data and compare the packets on the network to a signature database of known
malicious threats. There are three kinds of signature that the system will look for: port
signatures, string signatures, and header signatures. These determine whether
there was any indication of an intrusion attempt on the network. If the intrusion
detection does find something suspicious, an alarm will be triggered and the
event will be logged so it can be investigated further. Below is a cost
and benefit analysis of installing NIDS on TwoHands' information systems:
Cost and Benefits of NIDS
Costs:
• The cost of implementing the detection system at each server.
• NIDS is not effective in detecting trusted insider attacks.
• If NIDS is used to scan both incoming and outgoing traffic, it will slow down the network.
• Signature-based IDS are unable to detect unknown attacks.
• Signature database has to be
Benefits:
• Effective in detecting attacks from the outside.
• Detects abnormal behavior.
• Great for known attacks.
• It is easy to evaluate the alerts, since the activity is logged.
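What the three signature kinds look like in practice, and why the logged alert matters for the later investigation step, is easier to see in code. The following is an added example in Python, not code from the report or from any NIDS product: a small signature engine runs port, string and header signatures over constructed packet records, adds a stateful check for the port scans the report mentions, and records an alert for each hit. The packets, addresses, signature ids and the scan threshold are all made up.

```python
"""Added example, not part of the report: a small signature-based NIDS pass over
constructed packet records, showing the three signature kinds named above (port,
string, header) plus a stateful port-scan check, with alerts recorded for later
investigation. Packets, addresses, signature ids and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset          # TCP flags present, e.g. {"SYN"}
    payload: bytes = b""


@dataclass
class Signature:
    sid: int
    name: str
    kind: str                 # "port", "string" or "header"
    test: Callable[[Packet], bool]


SIGNATURES = [
    # Port signature: telnet into the R&D segment is never a permitted service.
    Signature(1001, "telnet to R&D host", "port",
              lambda p: p.dst.startswith("10.20.0.") and p.dport == 23),
    # String signature: the classic SQL tautology in request content.
    Signature(1002, "sql injection tautology", "string",
              lambda p: b"' or '1'='1" in p.payload.lower()),
    # Header signature: SYN and FIN set together never occurs in legitimate TCP.
    Signature(1003, "syn+fin probe", "header",
              lambda p: {"SYN", "FIN"} <= p.flags),
]


@dataclass
class Alert:
    sid: int
    name: str
    src: str
    dst: str
    dport: int


class NIDS:
    SCAN_THRESHOLD = 5        # distinct ports from one source before alerting

    def __init__(self, signatures: List[Signature] = SIGNATURES):
        self.signatures = signatures
        self.ports_by_src: Dict[str, Set[int]] = defaultdict(set)
        self.alerts: List[Alert] = []

    def inspect(self, p: Packet) -> List[Alert]:
        found = [Alert(s.sid, s.name, p.src, p.dst, p.dport)
                 for s in self.signatures if s.test(p)]
        # Stateful check: one source touching many distinct ports looks like a scan.
        ports = self.ports_by_src[p.src]
        if p.dport not in ports:
            ports.add(p.dport)
            if len(ports) == self.SCAN_THRESHOLD:
                found.append(Alert(2001, "port scan", p.src, p.dst, p.dport))
        self.alerts.extend(found)   # the log the investigator reads afterwards
        return found


def demo() -> List[int]:
    """Feed constructed traffic through the engine; return the alert ids raised."""
    nids = NIDS()
    packets = [
        Packet("198.51.100.7", "10.20.0.15", 23, frozenset({"SYN"})),
        Packet("198.51.100.7", "10.10.0.5", 80, frozenset({"ACK", "PSH"}), b"user=x' OR '1'='1"),
        Packet("198.51.100.7", "10.10.0.5", 443, frozenset({"SYN", "FIN"})),
        Packet("192.0.2.4", "10.10.0.5", 443, frozenset({"SYN"})),       # ordinary client
    ] + [Packet("198.51.100.7", "10.10.0.5", port, frozenset({"SYN"})) for port in (21, 22, 25)]
    for p in packets:
        nids.inspect(p)
    return [a.sid for a in nids.alerts]


if __name__ == "__main__":
    for a in NIDS().inspect(Packet("198.51.100.7", "10.20.0.15", 23, frozenset({"SYN"}))):
        print(a)
    print(demo())
```

The limitation in the cost column above is visible here too: every signature is a fixed test, so traffic that matches none of them passes without comment, which is why the report pairs NIDS with the anomaly-based host and application systems.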
Host-based Intrusion Detection System
A Host-based Intrusion Detection System monitors and analyzes suspicious
activity on a particular host. HIDS does this by going through the stored
information in the operating-system audit trails, system logs, and so forth. HIDS
will also record each user's activity on a host and create an audit trail for each. It
will examine the audit trails from time to time to look for any anomalies. It will
look at each session within a user's audit trail to identify whether or not the
session is typical of the user. To do this the Intrusion Detection System will
look at CPU time, the number of files used, and the number of commands used.
HIDS can detect which programs access certain resources or files. It is also
capable of detecting any modification to files or programs by potential
attackers. Usually, HIDS will use a database of system objects that it ought to
monitor. If the Host-based Intrusion Detection System finds anything unusual, it
will report it in its logs.
In terms of TwoHands' information systems, the Host-based Intrusion Detection
System would be installed on the computers in Human Resources (payroll
systems), the accounting systems, purchasing systems, and the research and
development systems. HIDS would be installed on these systems because they
are where the company's most valuable information is held, and a HIDS will
make sure that only authorized users have access to this information. The Host-based
Intrusion Detection System will be anomaly-based, detecting intrusions and
misuse by looking for abnormal behavior of a user. The anomaly-based system
will keep a profile of activities that are considered normal, so it will be able to tell
when an activity is atypical. Here is a cost and benefit analysis of installing HIDS:
Cost and Benefits of HIDS
Costs:
• Initial cost of implementing HIDS on TwoHands computers.
• Vulnerable to attacks, such as denial of service.
• Consumes processing time, storage and memory.
• It is difficult to analyze alerts with anomaly-based IDS because they are not detailed.
• Anomaly-based IDS are more prone to false positives.
Benefits:
• Effective in detecting internal attacks (disgruntled employees).
• Great for detecting new or unknown attacks.
• Works along with NIDS, so anything that NIDS misses, HIDS might detect.
Application-based Intrusion Detection System
An Application-based Intrusion Detection System monitors specific applications or
services. It detects any suspicious activity at the application level and any
packets that are directly communicating with applications. AIDS can detect and
track malicious attacks, such as SQL injections, just by analyzing application logs.
AIDS looks at the interactions between users and application programs and
data. The Application-based Intrusion Detection System analyzes an application's
transaction log files for any anomalies. Within TwoHands' information systems,
the Application-based Intrusion Detection System would be implemented on each
computer in Accounting, Human Resources (Payroll), Research, and Purchasing.
The AIDS would focus on certain applications on these computers. For example,
on the Human Resources computers, AIDS would monitor the applications that
handle the payroll systems, to make sure that no one has altered the amount of
money being distributed to employees. The IDS would be anomaly-based.
Below is a cost and benefit analysis of implementing AIDS:
Cost and Benefits of AIDS
Costs:
• Initial costs of installing AIDS.
• Vulnerable to attack.
• Consumes a significant amount of application and host resources.
Benefits:
• Useful in discovering vulnerabilities at the application level.
• Can work with encrypted data, using application-based encryption and decryption.
• Can track unauthorized activity by an individual user.
Overall Cost and Benefit of Using IDS
Intrusion Detection Systems are very helpful in examining intrusions and
preventing them from happening again, which makes them very beneficial. One
of the many benefits of IDS is that they can detect many types of malicious
behavior that can jeopardize the security and integrity of a computer system.
Intrusion Detection Systems will help to protect the company's assets by
protecting its information systems. The biggest cost with IDS is the initial
amount to install the systems. But it will be well worth it, since it is important to
protect the company's information systems, which would be far more costly if they were
compromised. Using all three intrusion detection systems (NIDS, AIDS, and HIDS)
in conjunction with other security mechanisms, such as firewalls, is a sure-fire
way of securing one's computer systems from potential attackers. Having just a
firewall is not the best way to secure your information, because firewalls cannot
identify any of the attack signatures or analyze any anomalies in the traffic
that they monitor or in log files. Intrusion Detection Systems are capable of
examining and interpreting the contents of log files from firewalls, routers,
servers, and other kinds of network devices. If an IDS finds anything suspicious, it
activates an alert and can take preventative actions, such as shutting down
specific servers or attempting to trace back the activity to identify an attacker. This
makes IDS a valuable system to have as a part of a company's risk management
Intrusion Detection Post-Deployment Plan
Deployment of an intrusion detection system is only the first step. A plan for
managing the system post-deployment is imperative to ensure it works
effectively and efficiently for TwoHands Corporation. The plan includes
monitoring, incident response, and management and maintenance of the IDS
after the system has been installed on TwoHands' network.
Important information about users of the network should be recorded, in order
to effectively monitor an intrusion detection system. It is essential to determine
what kind of information is being sent through the network, who is sending this
information, and where it is going. Monitoring packets can help an IDS determine
whether or not there is suspicious activity on the network. In addition to
monitoring packets on the network, audit information regarding host access
should be recorded in order to produce an anomaly-based intrusion detection
system. Suspicious activity regarding a host can be determined by irregular
behavior of a user. Also, a similar technique can be used to monitor applications.
Audit data is important to protect applications from intrusions that may alter
Should there be a detection of an intrusion on TwoHands’ network, hosts, or
applications, it is imperative to have an incident response plan in place to handle
the intrusion and mitigate the damage that it may cause. There are a number of
steps that should be followed to ensure that the incident is resolved and will not
occur again in the future. These include the following:
1. Respond to the activity. This step includes the mitigation plan. It is
important for this plan to mention who should be notified if an attack or
intrusion is detected by one of the IDS. The hardware has real-time
system monitoring with an alert system should any unusual activity be
detected by it. If there is anomalous activity on the network, the system
will respond in one of two ways. If it is a critical alert, a message will be
sent to the primary lead via a pager or cell phone that notifies him of the
issue. If the primary lead does not respond, the message will then be sent
to a secondary lead or the individual who is designated on-call. If it is a
minor concern, the alert will be added to the alert queue and dealt with at
a later time. After notifying the proper individuals about critical issues, a
quick-fix should be determined to minimize the damages that the intruder
may cause to the data he gained access to during the intrusion.
2. Investigation of the incident. After the initial response to the intrusion, a
full-scale investigation of the incident should be completed by the
intrusion detection specialist. Initially, time should be spent gathering
information on the intrusion. Information, such as the port number the
intruder used to access the network, should be recorded in order to
determine a solution for the vulnerability the intruder was able to utilize
for his intrusion. It is crucial to determine the cause of the vulnerability
during this step. A thorough investigation of the intrusion should be
conducted in order to prevent a future exploit of the vulnerability. After
the cause is investigated and determined, it is important to diagnose the
problem. Formulating a plan to eliminate the vulnerability on TwoHands’
network is essential to protect it from a future intrusion. Upon the
completion of analyzing the information gathered about the intrusion, a
report should be written that details the nature of the attack and the
information gathered during the investigation. This report will be useful in
the future if an intrusion of the same nature occurs again. Information
technology professionals can use the report to help determine the cause
of a similar attack. Creating records of past intrusions can aid the
company in determining other vulnerabilities and it can also help
determine the solution during or after a future intrusion.
3. Rectify the problem. This step is extremely important if an intrusion
exploits a vulnerability on the system and is then expected to be prevented
in the future. Money spent on an intrusion detection system would be
wasted if vulnerabilities identified by the system were left as they are
instead of being eliminated. In order to prevent a future intrusion,
operating system security patches should be installed on the network,
hosts, and applications. Signatures used by the IDS should be updated to
reflect the newly determined vulnerability. Any open ports that are not
being used should be closed and access should be restricted to prevent an
Proper incident response can save TwoHands Corporation a significant amount of
money and can help prevent the loss of assets in the form of electronic data. An
intrusion detection system is only as effective as its incident response plan.
Without an effective plan, the IDS would be useless to the company. Although
intrusions could be detected, the inability to handle these intrusions could lead to
catastrophic damages monetarily for TwoHands.
Management and Maintenance
Management and maintenance of an IDS are as important as having a strong
incident response plan. In order to have an effective IDS, the system should be
managed by a professional who specializes in IDS management. An IT Intrusion
Detection Specialist will be hired to manage and maintain the IDS. This individual
will be responsible for managing and maintaining the system, as well as
investigating incidents and rectifying issues.
The IT Intrusion Detection Specialist will be responsible for ensuring that the
signatures are up-to-date with the latest known vulnerabilities. He will also be
responsible for making sure that updates to the system are completed in a timely
manner in order to prevent the exploitation of known vulnerabilities. Scanning
and vulnerability testing are essential for a successful IDS. It is important that
the network, hosts, and applications be scanned and tested daily by a third party
to determine vulnerabilities.
In addition to ensuring that the software that manages the IDS is up-to-date, it
is important that the hardware be tested daily to ensure its functionality.
Hardware should be maintained and replaced when it no longer can perform the
tasks of the IDS effectively. Thorough research on new technologies that may
increase security within TwoHands’ network should be completed often to ensure
the most effective detection is taking place.
Authentication is essential for everyday users, let alone businesses. Most
businesses have information in their databases that they don’t want customers or
even competitors to know or find out about. For this reason we are implementing
an authentication program that hides the user’s ID and password from
the outside world. The main program used is Kerberos, which acts as an
intermediary. User IDs and passwords are checked by Kerberos, which makes
sure the user is who they say they are and grants access to the
database/server if the User ID and Password match what is on file.
Another strength of Kerberos is that it can be directly
implemented into the company.
We will be using Kerberos version 5, which is a protocol for authentication of
users and services (collectively called principals). Each principal has a
symmetric (secret) key (the users’ keys are hashed passwords and the service
keys are random bit-strings). All keys are known by the Key Distribution Center
(KDC). Keys are used to decrypt short messages from the KDC, and knowledge of a
key proves identity. Kerberos does not send passwords over the network; that
would be too risky. Rather, session keys are sent, encrypted under user and
For individuals unfamiliar with the Kerberos protocol, the benefits of deploying it
in their network may not be clear or needed. However, all administrators are
familiar with the problems Kerberos was designed to mitigate.
• Password sniffing
• Password filename/database stealing
• The high level of effort necessary to maintain a large number of account
A properly deployed Kerberos Infrastructure will help us address these problems.
It will make our enterprise more secure. The use of Kerberos will prevent
plaintext passwords from being transmitted over the network. The Kerberos
system will also centralize your username and password information which will
make it easier to maintain and manage this data. Kerberos will also prevent you
from having to store password information locally on a machine, whether it is a
workstation or server, thereby reducing the likelihood that a single machine
compromise will result in additional compromises.
To summarize, in a large enterprise, the benefits of Kerberos will translate into
reduced administration costs through easier account and password management
and through improved network security. In a smaller environment, scalable
authentication infrastructure and improved network security are the clear
benefits (Kerberos Infrastructure HOWTO).
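The exchange described above (principals, per-principal secret keys held by the KDC, a session key returned encrypted under the user key and under the service key, no password on the wire) as an added, constructed Python model; this is not code from the report or from any Kerberos implementation. The realm, principal names and the HMAC-based cipher are assumptions standing in for a real Kerberos encryption type.

```python
import hashlib
import hmac
import json
import os

# Toy stand-in for a Kerberos encryption type: HMAC-SHA256 keystream plus HMAC tag.
def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def encrypt(key, data):
    pt, nonce = json.dumps(data).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: ticket or reply cannot be read")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(realm, name, password):
    # "Users' keys are hashed passwords": a string-to-key step salted with realm and name
    return hashlib.sha256((realm + name + password).encode()).digest()

class KDC:
    def __init__(self, realm):
        self.realm, self.keys = realm, {}   # every principal's key lives here only

    def add_user(self, name, password):
        self.keys[name] = user_key(self.realm, name, password)

    def add_service(self, name):
        self.keys[name] = os.urandom(32)    # "service keys are random bit-strings"
        return self.keys[name]              # installed on the service host (its keytab)

    def as_exchange(self, client, service):
        # The request names the principals; no password is sent. The KDC answers with a
        # fresh session key twice: once under the user's key, once under the service's.
        session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": client, "session": session})
        reply = encrypt(self.keys[client], {"service": service, "session": session})
        return reply, ticket

def client_login(kdc, name, password, service):
    reply, ticket = kdc.as_exchange(name, service)
    session = decrypt(user_key(kdc.realm, name, password), reply)["session"]
    return session, ticket            # wrong password -> ValueError, nothing learned

def service_verify(service_key, ticket, claimed_session):
    t = decrypt(service_key, ticket)  # only the service's own key opens the ticket
    return t["client"] if hmac.compare_digest(t["session"], claimed_session) else None
```

A client holding a wrong password, or a client trying to read the ticket with its own key, gets only an integrity failure, which is the property the report relies on.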
The diagram below is what the TwoHands network will look like after deployment
of the Kerberos software.
As you can see, there are several parts to the Authentication system. The only
way to gain access to the server would be to go though Kerberos through the
KDC. From there you will be sent to the Trusted Realm if and only if your User ID
and Password check out. Since Kerberos can be accessed anywhere over the
internet, the Trusted Realm can also be easily reached anywhere over the
The initial cost to use Kerberos might be steep but in the long run it will save our
company a lot of money and heartaches for several reasons.
• Kerberos is a secure authentication protocol that is almost impossible to
• Kerberos does not send any personal information out over the internet; it
instead creates session keys which are sent in place of passwords
(encrypted with the user/service keys).
• Kerberos saves a lot of labor as well. Since Kerberos is automated, we
don’t have to hire anybody to watch over it.
Due to the fact that Kerberos operates as an application on a Linux or Unix
platform, the initial cost of establishing a Kerberos realm is not very significant.
However, it is important to ensure that a powerful enough server is chosen to
operate this critical service, and that the application is properly configured to
function within the network. An estimated $10,000 should be allotted for the
initial server installation and configuration to ensure that it is configured
correctly, fully functional, and maintainable.
The Kerberos system and its features are largely automated. Any anticipated
downtimes would be as a result of hardware failure or scheduled updates. Due to
the critical nature of the system in our network environment, any hardware
failure would be considered a “red” flag and would take priority in the repair
queue. These occurrences should be minimal, and will hopefully allow the
Kerberos service to meet the five nines network goal (99.999% uptime) at
TwoHands. The application, and the host operating system that it runs on, will
follow a routine patch schedule (typically once per month, during evening hours)
to ensure they are resistant to new security vulnerabilities and compatible with
emerging software and hardware.
Cost of Implementation
The table below illustrates the estimated cost for implementation of the four
security tools previously mentioned including labor. Monitoring and maintenance
will be handled using full time equivalents (FTE). Two FTEs will be employed for
application management (One for firewall and IDS, one for VPN management
and network administration). ½ FTE will be hired for Kerberos management and
½ FTE will be hired for patch and change management. The total cost reflects
the cost for implementation plus the first year of monitoring and maintenance.
Item                              Cost (USD, first year)
Hardware Costs                    28,000
   Cisco ASA 5500                 4,000
   VPN Licenses                   10,000
   Kerberos server                10,000
   Redundancy hardware            4,000
Monitoring and Maintenance        $140,000
   FTE for firewall, IDS          45,000
   FTE for VPN, Network Admin     45,000
   ½ FTE for Kerberos             22,500
   ½ FTE for patch/change mgmt    22,500
Misc. Costs                       5,000
Total Cost                        $185,000
Security is essential on today’s networks. Companies are at risk from a number of
different malicious attacks. Without the proper mechanisms to secure their
networks, they are putting assets, money, and private information at the
fingertips of hackers. The plan developed for the TwoHands Corporation utilizes
a variety of tools for securing the company’s network. Installing firewall, VPN,
IDS, and authentication tools on the network is the minimum amount of effective
security for a company wishing to move its business online. The plan was
developed to be cost effective and to utilize the most up-to-date technologies.
Integrating these security tools into TwoHands’ network will offer the company
the ability to use the Internet to increase income for the company without the
risk of losing money due to security breaches.
Division of Labor
• Jonathon Ben – Wrote section on firewalls
• Chris Hinnerschietz – Wrote section on VPN
• Jimmy Mesta – Wrote section on VPN
• Ashley McCully – Wrote section on Intrusion Detection System
• Chris Pierce – Wrote section on Authentication
• Brad Shively – Wrote section on firewalls
• Shanieke Walters – Wrote section on Intrusion Detection System
Bradley, Tony. “Introduction to Intrusion Detection Systems.” About.com. The
New York Times Company. <http://netsecurity.about.com/cs/hackertools/
Gong, Fengmin. “Deciphering Detection Techniques: Part II Anomaly-Based
Intrusion Detection.” Network Associates. March 2003. McAfee.
“Kerberos Infrastructure HOWTO”. Retrieved: December 4, 2007 Website:
Shimonski, Robert J. “What you need to know about Intrusion Detection
System.” Windows Security. 18 November 2002.
Wikimedia Foundation. “Host-based Intrusion Detection System.” Wikipedia. 30
October 2007. <http://en.wikipedia.org/wiki/Host-
Wikimedia Foundation. “Intrusion Detection System.” Wikipedia. 1 December
Wikimedia Foundation. “Network Intrusion Detection System.” Wikipedia. 3