Study Wireless Security Deployment - PKL

Wireless Security Deployments - PKL
2500
Revision A

Page ii
Student Name: AaronND Sawmadal Wireless Security Deployment – PKL
Contents
Executive summary v
1. Assumption statement 1
2. Vulnerabilities/Risk identified on PKL Autoparts Supply Network 1
2.1 Service Set Identifier (SSID) Broadcast 1
2.2 Lack of Firewall 1
2.3 Lack of VPN (Remote access) 2
2.4 Dictionary attack can be done to guess Wi-Fi password and traffic injections is
possibility because of WEP security Wi-Fi 2
2.5 Users De-authenticated from the Wi-Fi 2
2.6 Lack of Dynamic Host Configuration Protocol Spooping configuration (DHCP) 3
2.7 Lack Change Management Procedure 3
2.8 Lack network segmentations/ VLAN 3
2.9 Man in the middle attackedis possible 4
2.10 No DHCP relay configure 4
2.11 Lack Intrusion Detection/ Prevent system (IDS/IPS) 4
2.12 Lack of MAC address filter/block 4
2.13 Lack of subnetting 5
2.14 Lack of naming convention for all network assets 5
2.15 Lack of file and printer server 5
2.16 Lack of Domain Controller (DC) 5
2.17 Lack of Domain name server – DNS 6
2.18 Lack mail server identify 6
2.19 Waste of private IP addresses 91. 72.16.0.0/16) – possibility of broadcast storm
attack 6
2.20 No encryption of data on the network – mail or file server 7
2.21 No network audit tools or technique – to determine who does what on the
network 7
2.22 Lack of SQL server 7
2.23 No specific Phone system 7
2.24 Lack of Critical Infrastructure policy 8
2.25 Lack of Physical server protection 8
2.26 Lack of Incident Response Team 8
2.27 Lack backup/ Disaster Recovery Procedure 8
2.28 Lack Universal Power Supply (UPS) 9

Page iii
2.29 Lack Network Redundancy 9
2.30 Weak Wi-Fi security configure 9
2.31 Poor network diagram – this can lead unauthorised use circumventing the
network without network administrator being able to track 9
2.32 Lack of well-define encryption for file server 9
2.33 Software on the network not specify – Server OS and Work stations OS 10
3. Restructured PKL Network Topology 10
3.1 Physical Building location and number of users 10
3.2 Physical Network Topology 11
3.3 Subnetting of PKL Network 12
4. Hardware and Software Selection for the Network 14
5. Policies 14
5.1 Wireless - PDA/Smart Devices Policy 14
5.2 Overview 14
5.3 Purpose 15
5.4 Scope 15
5.5 General Requirements 15
5.6 Home Wireless Device Requirements 16
5.7 Compliance Measurement 16
5.8 Exceptions 16
5.9 Non-Compliance 16
5.10 Related Standards, Policies and Processes 16
6. Remote access Policy 16
6.1 Overview 16
6.2 Purpose 17
6.3 Scope 17
6.4 Remote Access Tools 17
6.5 Policy Compliance 18
6.6 Exceptions 18
7. Server Security Policy 18
7.1 Overview 18
7.2 Purpose 18
7.3 Scope 18
7.4 General Requirements 18
7.5 Resource Community 19

Page iv
7.6 Configuration Requirements 19
7.7 Monitoring 19
8. Password Protection Policy 20
8.1 Overview 20
8.2 Purpose 20
8.3 Scope 20
8.4 Password Creation 20
8.5 Guidelines 20
8.6 Consensus Policy Resource Community 21
8.7 Password Change 21
8.8 PasswordProtection 21
8.9 Application Development 22
8.10 Use of Passwords and Passphrases 22
8.11 Policy Compliance 22
8.12 Exceptions 22
9. References 23

Page v
Executive summary
This report provides solution on a network breach which occurred at PKL Autoparts Supplies.
PKL has four sites which are located in Hillarys, Melville, Alexander Heights, Kewdale and
Osborne Park as a warehouse. PKL has a turnover revenue of $100 million per year. As of the
result of the network breach the network administrator was removed from the office by police
and since then the network infrastructure has never function correctly resulting into huge loss
to PKL business and its partner companies. This consultant’s report encapsulates solutions to
address the problems faced by PKL and also provide policies to prevent future re-occurrence
of such breach. As an optimal solution; the four sites plus the warehouse (Osborne Park office)
have been put onto separate subnets to stop network broadcast storm. This will enable the future
network administrator to be able to triage the network problems and to provide troubleshooting
to the entire network. Furthermore, a Cisco ASA firewall has been put in place to detect and
prevent any intrusions in and out of the network. Alert system has been activated to notify the
IT Manager plus all members of the change management team in case there’s a future network
breach.

1. Assumption statement
The following assumptions are made in this document:
i. No Exchange server
ii. No Domain controller (DC)
iii. No SQL server
iv. No File server
v. No Phone system
vi. PKL infrastructure is a workgroup environment
vii. ISP – iinet will provide active internet connection for the network backbone
viii. Redundancy network link will be leased through AMCOM
2. Vulnerabilities/Risk identified on PKL Autoparts Supplies Network
Infrastructure
Vulnerability is a flawed or weakness when exploited or acted on can cause serious
consequences a network infrastructure. Below list the vulnerabilities identified and counter
measurements.
2.1 Service Set Identifier (SSID) Broadcast
SSID sent the network traffic in a plaintext and can be transmitted via broadcast beacon.
Sniffer/hackers use SSID as the primary back door to get into a wireless network.
Network administrator must develop some specific techniques of preventing unauthorised
access to the network.
i. Network administrator must endeavour to hide SSID from unauthorised users’
access.
ii. All users should authenticate via valid username and password – usually Active
Directory (AD) credential.
2.2 Lack of Firewall
This is the first line of defence for any network infrastructure. This controls incoming and
outgoing network traffic. Host based firewall - workstation and network based firewall – control
from the server. Network administrator can decide to use hardware based firewall or software
based firewall. Hardware option is very robust but expensive.
i. By default deny all (UDP/TCP) traffic through the network.
ii. Allow the specific traffic that are needed once approved by the change management
procedure.

iii. Use zonealarm / Microsoft Endpoint Security Point (software base firewall) – These
are both antivirus and firewall.
2.3 Lack of VPN (Remote access)
Remote access increase productivity within any company. This is very vital to every company
in the 21st century especially as there are more than 7.7 billion mobile users worldwide “7.7
Billion Mobile Devices Among 7.1 Billion World Population By The End Of 2014”; from
http://dazeinfo.com/2014/04/29/7-7-billion-mobile-devices-among-7-1-billion-world-
population-end-2014/ ).
Many of these mobile users will want to access the corporate network via their mobile devices.
Therefore specific techniques by which these users must communicate needs to be clearly
stipulated and approved by the change management procedure.
i. Implementation of a site-site remote access VPN will be necessary for PKL Auto
parts supplies
ii. All user will authenticate to the network using their AD credential.
iii. Only users that have been connected to the PKL internal network in 30 days will be
allowed to authenticate via VPN.
iv. Otherwise, users will be redirected to call PKL Service Desk for VPN reactivate
2.4 Dictionary attack can be done to guess Wi-Fi password and traffic injections is
possibility because of WEP security Wi-Fi
It is evident that the PKL network infrastructure was exposed to a dictionary attack – this is
when hacker or program use pre-defined wordlist until the password is found from a network
router. This is commonly used because not many people are aware of this techniques. Never set
password to “admin”, “admin01”,”password”; etc. The below articulate the strategies to
mitigate this attack:
i. All users should authenticate via valid username and password – usually Active
ii. Removed all default login admin username/password from the access point (AP)
iii. Disable all services that are not needed on the network in the AP.
iv. Enable SNMP monitoring on the AP to warn administrator once there’s an
unauthorised login attempt(s).
2.5 Users De-authenticated from the Wi-Fi
Due to the poor network encryption (WEP) on the wireless network users can easily be de-
authenticated from the network. This will be detrimental to the business.
i. Network must actively be monitored by the network using some type of network
monitor tools (i.e, Wireshark or net flow, etc.)

ii. Enable SNMP monitoring on the AP to warn administrator once there’s an
iii. Get an AP that is backward compatible with 802.11a/b/g network
iv. Enable WAP2 Enterprise on the network with AP that has 802.11N backward
compatible with older network card
v. Remove all the network cards that will not be compatible with 802.11N
2.6 Lack of Dynamic Host Configuration Protocol Spooping configuration (DHCP)
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers – if this
is configured and a DHCP offer is detected on an untrusted port, that port/s will be shut down.
In today’s wireless network within a corporate network it is very important to have DHCP
Snooping.
i. This technique as elaborated is a layer 2 techniques that ensure IP integrity on layer
2 switch domain is maintained.
ii. This prevents DHCP spoofing – that is when a hacker attempts to get a DHCP
requests from a DHCP server.
2.7 Lack Change Management Procedure
Change management procedure/process is very critical – this is a process that keep track of all
changes made in network and these changes are recorded in the change management database.
If PKL had one, when the administrator was removed, it would be easy to refer to the change
management database to know what the last made changes were. The change procedure would
be as follows:
i. Only IT manager or CTO can approve all changes
ii. Every change request must have a change requestor
iii. Once there change is made, there should be post incident review (PIR)
iv. Change management procedure will be supervised by the IT manager and Chief
Technical Officer (CTO).
2.8 Lack network segmentations/ VLAN
Network segmentations or VLAN trucking prevent broadcast traffic on the network. This is a
classic way of splitting a network into smaller chunks.
i. Split the network into different departmental level (HR, Admin, Commercial, etc)
ii. Enable all network files or resources vial users VLAN access

2.9 Man in the middle attacked is possible
As a name goes, this is secret technique used by unauthorised access to secretly obtain data
from a network or to disrupt an entire network.
i. All users should authenticate via valid username and password – usually Active
ii. Disable all services that are not needed on the network in the AP.
iii. Enable SNMP monitoring on the AP to warn administrator once there’s an
2.10 No DHCP relay configure
Unfortunately, there was no DHCP relay configured on the network. This is used to forward
DHCP packets between clients and servers that are not physically located on the same physical
server.
i. Physically all the users within PKL network infrastructure are not located on the
same server.
ii. Configure DHCP relay between the five sites using Osborne Park is the main
routing.
iii. Use Spanning Tree protocol to complete the configuration – this will rebuild any
downtime except in the process of faulty hardware.
2.11 Lack Intrusion Detection/ Prevent system (IDS/IPS)
IDS is used to examine/monitor network packets as it transvers through the network hops by
matching the known signature of intrusions that have been identified by intrusion databases.
IPS works in similar manner but it prevents that traffic from passing through the network.
IDS/IPS can be divided into host based and network base. It is important to know that one must
understand the benefits and back draws of network/host based IDS/IPS before implementing it.
i. Cimtrak, as both IPS/IDS will be implemented in the PKL network. Cimtrak is a
host based IPS. However it can also function as an IDS. However, there is a debate
that Cimtrak is either an IPS/IDS because it performs both function.
2.12 Lack of MAC address filter/block
Mac address filtering is a line of defense that allow network administrator to define all the
physical address of each network device on the network within the AP. However, this is a just
a first line of defense; it has no security benefits and also difficult to maintain.
i. Implementation of WAP2 Enterprise and WAP 2 Personal should be considered in
PKL network.

2.13 Lack of subnetting
i. Subnetting – allows for IP packet to be delivered to the correct site as in the case of
PKL that has 5 different sites.
ii. Allows for packet to be forwarded to the corrected subnetwork
iii. Allows packet to be delivered to the correct host/workstations or server
iv. Allows the creation of VLAN that prevent network broadcast storm
v. PKLnetwork will be subnetting as follows Osborne Park - 172.16.1.0/25; Alexander
- 172.16.2.0/25; Melville -172.16.3.0/25;Hilary's - 172.16.4.0/25 and Kewdale -
172.16.5.0/25.
2.14 Lack of naming conventions for all network assets
PKL network was under serious network threat even before the administrator was removed.
The company had no Naming Conventions by which its hardware can be recognised on the
network.
i. Implementation of a unique naming standard of hardware should be followed in
PKL network
ii. Server/Router/Switches/Printers – PKL-site-prefix by the function of the server and
followed the numerical value. PKL-KD-DC01, PKL-KD-R01,PKL-KD-SW01,
PKL-KD-PR01
iii. Workstations- should be serial number followed by numerical following, i.e. PC-
S/N.
2.15 Lack of file and printer server
The lack of file and printer servers indicates that the network was also under intense breaches
as anyone could store their data local on the network and also print it in whatever function they
like. Data is one of the most critical resources any company can have and it must be prevented
at every level within the business.
i. Implementation of file server user windows integrity server
ii. Implementation of printer server hosted on the same server as the file server.
iii. Implementation of Distributed File System (DFS) to enable all site have replicated data.
2.16 Lack of Domain Controller (DC)
Domain Controller (DC) is a server that must respond to security authentication requests in and
out of the network infrastructure. DC can eventually be used as logging event, checking
permission; either accept or deny users login to the network resources.

i. Implementation of parent DC to be hosted in Osborne Park whilst other sites will
have child DC
ii. DC will allows successful implementation of DFS
2.17 Lack of Domain name server – DNS
This is what the computer use on the network to identify. “How Domain Name Servers Work”
from http://computer.howstuffworks.com/dns.htm
Figure 1
2.18 Lack mail server identify
Just at DC was absent from PKL network; there has also being no mail server in PKL network
infrastructure. What impact does this have? It means that users can decide the format of how
he/she will send their emails and not what the network administrator decides. The put the data
of the business at a very high risk of being captured by man in the man attack.
i. Implementation of Exchange server 2012 to be implementation
ii. Using Office365 Exchange as a backup solution to the Exchange server
iii. This can be hosted offshore to save cost
2.19 Waste of private IP addresses 91. 72.16.0.0/16) – possibility of broadcast storm
attack
i. To allow network broadcast storm attack - PKL network will be subnetting as
follows:
a. Osborne Park - 172.16.1.0/25
b. Alexander - 172.16.2.0/25
c. Melville -172.16.3.0/25
d. Hilary's - 172.16.4.0/25
e. Kewdale - 172.16.5.0/25

ii. Implementation of VLAN to segregate the network into separate departmental level.
2.20 No encryption of data on the network – mail or file server
Encryption is the unique technique that is used to secure the transfer of information between
network infrastructures and helps minimizes the chance of data to be intercepted by an
unauthorised person.
i. All workstation data will be encrypted using bit locker – a free available encryption
available from windows 7/8
ii. SSL for the email server and web server
iii. SSH for all switches and routers
2.21 No network audit tools or technique – to determine who does what on the network
Every network infrastructure administrator must decide to use a specific network auditing tool.
The network auditing tools is used in conjunction with vulnerability scanning as a best practice.
i. For the PKL network new design it has been suggested for them to move to GLI
LanGuard
ii. LanGuard is effective in network audit both hardware and software
iii. GFI LanGuard has a powerful reporting feature that can pick up security
vulnerability and alert the network administrator.
2.22 Lack of SQL server
PKL as a business that rely on inventory of stock it is very important for it to have reliable and
robust SQL server
i. There will be an SQL application server located at Osborne Park
ii. All the other four sites will host the instances of the database
iii. This will allow automatically replication cross all sites
iv. Logging will be enable on the SQL server
2.23 No specific Phone system
i. To save cost and to be effective as a consultant to PKL; it suggested that the phone
system will be hosted by their ISP (iinet)
ii. Backup phone system will be located on site from other provider – Telstra

2.24 Lack of Critical Infrastructure policy
In today’s network infrastructure is it important for every level of the network to have policy
that will safeguard how things will be done.
i. Refer to section 5 for all the network infrastructure policies
ii. Policies will be reviewed as change management deemed it fit
2.25 Lack of Physical server protection
i. All critical network equipment, servers, switches, routers, etc. will be located in a
Zellabox – sealed with a code
ii. Code will only been know the network administrator
iii. CCTV camera will be placed in all the server rooms
2.26 Lack of Incident Response Team
This team will be responsibility for respond disaster or recovery during or after business hours.
Functions will include but not limited to
i. Network disaster
ii. Terrorist or bomb attacks
iii. Internet or computer threats posed by users, whether authorised or unauthorised
iv. Member of this team will be on ad hoc basis with people from different department
every quarter
2.27 Lack backup/ Disaster Recovery Procedure
To prevent against data loss or breach of confidentiality – a backup procedure will be implement
which includes
i. Backup of all SQL server data will be stored in Osborne park
ii. Backup copy of the network resources including routers and switches configuration
will be stored to Data3 datacenter in Malaga
iii. All users files will be store H drive
iv. All H drives will be copy every 2 hours on an incremental basis
v. Shadow copy will enable on file server to enable recover files that are deleted within
less than 2 hours from their computer

2.28 Lack Universal Power Supply (UPS)
UPS is critical to all network infrastructure
i. All sites server rooms will have Double Conversion on-line UPS system – this is
10KVA power input that will automatically kick up once there’s a loss of power
from the main power supply within the offices
ii. UPS will have network monitor set to determine the reliability at all time
2.29 Lack Network Redundancy
This is process through which there is an alternative to network connectivity in the event
network devices or path are unavailable.
i. Second fiber line to each site has been purchased as solution
ii. All server all have RAID 5 except the SQL server built RAID 10 to allow data
clustering because the database is the mission critical to PKL business
2.30 Weak Wi-Fi security configure
i. Replace WEP encryption on PKL network to WAP 2 enterprise
ii. All users to authenticate with valid domain account
2.31 Poor network diagram – this can lead unauthorised use circumventing the
network without network administrator being able to track
i. A new network design has been designed as shown in section 3 Restructured PKL
Network Topology.
ii. This include logical connection of each port
2.32 Lack of well-define encryption for file server
This is the embodiment of security resources or communication on the network. Network
administrator need to specify that sort encryption network that is user to transmitted data or
traffic over the network.
iii. As a consultant to PKL, it cannot be over stated how important traffic/data
transmission between users in and out of the network needs to be encrypted as to
avoid interruption, interception and authorised modification of the data
iv. NTFS encryption as a native windows server will be activated
v. Implement of Distributed Authorising and Versioning (WebDAV) will be consider
on the PKL intranet for filer sharing and access
vi. Bit locker Drive encryption enables on all workstations using native hardware BIOs
settings (TPM).

2.33 Software on the network not specify – Server OS and Work stations OS
i. All servers will be Windows 2012 except;
ii. Web server will be apache using Linux
iii. Workstations OS – Windows 7 Enterprises
3. Restructured PKL Network Topology
A network infrastructure that lacks better physical and logical structure diagram there always
exist the possibility of continuous disruption to the network traffic that will subsequent lead to
loss of revenue.
3.1 Physical Building location and number of users
PKL has 150 staff. The assumption has been made that there are 30 staff at each of the offices
in the new diagram.
There are two wireless access point (AP) located at each office – AP1 for all staff and AP2 for
all managers. Authentication is only by AD credential – An extended SSID has been created
call PKL-Guest-Wifi – This is only for guest use. Only internet access is available, Facebook,
YouTube, or any other social networks spaces are blocked.
Alexander
Height
Osborne Park
warehouse
Hilary’s
1) Tills System
2) AP 1 – All Staff
3) AP 2 – Managers
Users – 30
Melville
1) Tills System
4) Users – 30
1) Tills system
2) Warehouse Inventory
database via wifi
3) AP1 – All staff
5) T1 – leased line (512Kbits)
6) Users – 30
1) Tills system
2) Inventory database
via wifi to Osborne
3) AP1 – All staff
5) Users – 30
Kewdale
1) Tills system
3) AP 2 - Manager
4) Users – 30

3.2 Physical Network Topology
Redundancy backbone fiber line
Main backbone fiber cable

3.3 Subnetting of PKL Network
Based on the subnet the new network administrator will draw up the logical network diagram
Subnetting
i. Osborne Park Network
172.16.1.0/25
Subnet mask: 255.255.255.128
First host – 172.16.1.1
Last host – 172.16.1.126
Router has two controller SSID (AP 1 & AP2)
AP 1 – All Staff – address scope .172.16.1.2 – 172.16.1.50
Router – 172.16.1.1
Juniper switch 172.16.1.2 (Access switch & caching)
Multi-scan printer – 172.16.1.126
Reserved: 172.16.1.51 - .100
AP 2 – Managers – 172.16.1.101 - 125
Domain control: OP-DC01
File/printer: OP-FS01
*** SQL: OP-SQL01 – main SQL server – all SQL server replicate here
ii. Alexander Height
172.16.2.0/25
Subnet mask: 255.255.255.128
First host – 172.16.2.1
Last host – 172.16.2.126
Router – 172.16.2.1
Reserved: 172.16.2.51 - .100
AP 2 – Managers – 172.16.2.101 - 125
Domain control: AH-DC01
File/printer: AH-FS01
SQL: AH-SQL01
iii. Melville
172.16.3.0/25
Subnet mask: 255.255.255.128
First host – 172.16.3.1
Last host – 172.16.3.126

Router – 172.16.2.1
Reserved: 172.16.3.51 - .100
AP 2 – Managers – 172.16.3.101 - 125
Domain control: AH-DC01
File/printer: MV-FS01
SQL: MV-SQL01
iv. Hilary’s
172.16.4.0/25
Subnet mask: 255.255.255.128
First host – 172.16.4.1
Last host – 172.16.4.126
Router – 172.16.4.1
Reserved: 172.16.4.51 - .100
AP 2 – Managers – 172.16.4.101 - 125
Domain control: HL-DC01
File/printer: HL-FS01
SQL: HL-SQL01
v. Kewdale
172.16.5.0/25
Subnet mask: 255.255.255.128
First host – 172.16.5.1
Last host – 172.16.5.126
Cisco Router – 172.16.5.1
Reserved: 172.16.4.51 - .100
AP 2 – Managers – 172.16.5.101 - 125
Domain control: KD-DC01
File/printer: KD-FS01
SQL: KD-SQL01

4. Hardware and Software Selection for the Network
Name Description Unit Cost Total Cost
Cisco UCS 220 Server –
Windows 2012 Server
built-in
UCS 220 for DC @ 5
sites
$7,048.00 x 5 $35240.00
Cisco 2911 Router Core Router @ 5 sites 2648.00 x 5 $13240.00
Access Cisco Switch Cisco 875 for Internet
Gateway @ 5 sites
385.00 x 5 $1925.00
Cisco ASA Fire ASA firewall for
Gateway IDS/IPS
$3,639.00 $3,639.00
Total $54,044.00
5. Policies
5.1 Wireless - PDA/Smart Devices Policy
Disclaimer: This policy was created by or for the PKL Autoparts Supply. All or parts of this
policy will be reviewed quarterly as to adhere to the overwhelming security challenges pose
by smart phones and other handheld devices in the corporate industry. There will be a prior by
the IT Change management approval before any change to this document can be initiated. If
you would like to contribute any change to this policy or updated version of this policy, please
send email to servvicedesk@pklautopartrs.com.au .
All Policies Update Status: Updated May 25, 2015
5.2 Overview
With the mass explosion of Smart Phones and Tablets, pervasive wireless connectivity is almost
a given at any organization. Insecure wireless configuration can provide an easy open door for
malicious threat actors.

5.3 Purpose
The purpose of this policy is to secure and protect the information assets owned by PKL
Autoparts Supply. PKL Autoparts Supply provides computer devices, networks, and other
electronic information systems to meet missions, goals, and initiatives. PKL Autoparts Supply
grants access to these resources as a privilege and must manage them responsibly to maintain
the confidentiality, integrity, and availability of all information assets.
This policy specifies the conditions that wireless infrastructure devices must satisfy to connect
to PKL Autoparts Supply network. Only those wireless infrastructure devices that meet the
standards specified in this policy or are granted an exception by the Information Security
Department are approved for connectivity to a PKL Autoparts Supply network.
5.4 Scope
All employees, contractors, consultants, temporary and other workers at PKLAutoparts Supply,
including all personnel affiliated with third parties that maintain a wireless infrastructure device
on behalf of PKL Autoparts Supply must adhere to this policy. This policy applies to all wireless
infrastructure devices that connect to a PKL Autoparts Supply network or reside on a PKL
Autoparts Supply site that provide wireless connectivity to endpoint devices including, but not
limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless
communication device capable of transmitting packet data.
5.5 General Requirements
All wireless infrastructure devices that reside at a PKL Autoparts Supply site and connect to a
PKL Autoparts Supply network, or provide access to information classified as PKL Autoparts
Supply Confidential, or above must:
 Abide by the standards specified in the Wireless Communication Standard.
 Be installed, supported, and maintained by an approved support team.
 Use PKL Autoparts Supply approved authentication protocols and infrastructure.
 Use PKL Autoparts Supply approved encryption protocols.
 Maintain a hardware address (MAC address) that can be registered and tracked.
 Not interfere with wireless access deployments maintained by other support
organizations.
a. Lab and Isolated Wireless Device Requirements
All lab wireless infrastructure devices that provide access to PKL Autoparts Supply
Confidential or above, must adhere to section 4.1 above. Lab and isolated wireless devices that
do not provide general network connectivity to the PKL Autoparts Supply network must:

 Not interfere with wireless access deployments maintained by other support
organizations.
 No bring your own device (BYOD) policy is allowed on PKL wireless network to
connect using corporate account
 Any BYOD should be connected to the Guest Wi-Fi
5.6 Home Wireless Device Requirements
i. Wireless infrastructure devices that provide direct access to the PKL
Autoparts Supply corporate network, must conform to the Home Wireless
Device Requirements as detailed in the Wireless Communication Standard.
ii. Wireless infrastructure devices that fail to conform to the Home Wireless
Device Requirements must be installed in a manner that prohibits direct
access to the PKL Autoparts Supply corporate network. Access to the PKL
Autoparts Supply corporate network through this device must use standard
remote access authentication.
5.7 Compliance Measurement
The Change Management team will verify compliance to this policy through various methods,
including but not limited to, periodic walk-throughs, video monitoring, business tool reports,
internal and external audits, and feedback to the policy owner.
5.8 Exceptions
Any exception to the policy must be approved by the Change Management team in advance.
5.9 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
5.10 Related Standards, Policies and Processes
 Lab Security Policy
 Wireless Communication Standard
6. Remote access Policy
6.1 Overview
Remote desktop software, also known as remote access tools, provide a way for computer users
and support staff alike to share screens, access work computer systems from home, and vice

versa. Examples of such software include LogMeIn, GoToMyPC, VNC (Virtual Network
Computing), VPN, and Windows Remote Desktop (RDP). While these tools can save
significant time and money by eliminating travel and enabling collaboration, they also provide
a back door into the PKL Autoparts Supply network that can be used for theft of, unauthorized
access to, or destruction of assets. As a result, only approved, monitored, and properly
controlled remote access tools may be used on PKL Autoparts Supply computer systems.
6.2 Purpose
This policy defines the requirements for remote access tools used at PKL Autoparts Supply
6.3 Scope
This policy applies to all remote access where either end of the communication terminates at a
PKL Autoparts Supply computer asset. All remote access tools used to communicate between
PKL Autoparts Supply assets and other systems must comply with the following policy
requirements.
6.4 Remote Access Tools
PKL Autoparts Supply provides mechanisms to collaborate between internal users, with
external partners, and from non-PKL Autoparts Supply systems. The approved software can
be found on http://apps.pkl.com.au. This is a self-serf portal, direct line managers must approve
before installation option will be available to the user. Because proper configuration is
important for secure use of these tools, mandatory configuration procedures are provided for
each of the approved tools.
The approved software list may change at any time, but the following requirements will be used
for selecting approved products:
i. All remote access tools or systems that allow communication to PKL Autoparts Supply
resources from the Internet or external partner systems must require multi-factor
authentication. Examples include authentication tokens and smart cards that require an
additional PIN or password.
ii. The authentication database source must be Active Directory or LDAP, and the
authentication protocol must involve a challenge-response protocol that is not
susceptible to replay attacks. The remote access tool must mutually authenticate both
ends of the session.
iii. Remote access tools must support the PKL Autoparts Supply application layer proxy
rather than direct connections through the perimeter firewall(s).
iv. Remote access tools must support strong, end-to-end encryption of the remote access
communication channels as specified in the PKL Autoparts Supply network encryption
protocols policy.
v. All PKL Autoparts Supply antivirus, data loss prevention, and other security systems
must not be disabled, interfered with, or circumvented in any way.
All remote access tools must be purchased through the standard PKL Autoparts Supply
procurement process, and the information technology group must approve the purchase.

6.5 Policy Compliance
5.1 Compliance Measurement
The Change Management team will verify compliance to this policy through various methods,
including but not limited to, periodic walk-throughs, video monitoring, business tool reports,
6.6 Exceptions
Any exception to the policy must be approved by the Change Management Team in advance.
6.7 Non-Compliance
7. Server Security Policy
7.1 Overview
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors.
Consistent Server installation policies, ownership and configuration management are all about
doing the basics well.
7.2 Purpose
The purpose of this policy is to establish standards for the base configuration of internal server
equipment that is owned and/or operated by PKL Autoparts Supply. Effective implementation
of this policy will minimize unauthorized access to PKL Autoparts Supply proprietary
information and technology
7.3 Scope
All employees, contractors, consultants, temporary and other workers at Cisco and its
Subsidiaries must adhere to this policy. This policy applies to server equipment that is owned,
operated, or leased by Cisco or registered under a Cisco owned internal network domain.
Specifies requirements for equipment on the internal Cisco network. For secure configuration
of equipment external to Cisco on the DMZ, see the Internet DMZ Equipment
Policy
7.4 General Requirements
All internal servers deployed at PKL Autoparts Supply must be owned by an operational group
that is responsible for system administration. Approved server configuration guides must be

established and maintained by each operational group, based on business needs and approved
by InfoSec. Operational groups should monitor configuration compliance and implement an
exception policy tailored to their environment. Each operational group must establish a process
for changing the configuration guides, which includes review and approval by PKLAuto supply
7.5 Resource Community
Servers must be registered within the corporate enterprise management system. At a minimum,
the following information is required to positively identify the point of contact:
i. Server contact(s) and location, and a backup contact
Hardware and Operating System/Version
ii. Main functions and applications, if applicable
iii. Information in the corporate enterprise management system must be kept up to date.
iv. Configuration changes for production servers must follow the appropriate change
management procedures
v. For security, compliance, and maintenance purposes, authorized personnel may
monitor and audit equipment, systems, processes, and network traffic per the Audit
Policy.
7.6 Configuration Requirements
Operating System configuration should be in accordance with approved Change management
team guidelines.
i. Services and applications that will not be used must be disabled where practical
ii. Access to services should be logged and/or protected through access
iii. Control methods such as a web application firewall, if possible.
iv. The most recent security patches must be installed on the system as soon as practical,
the only exception being when immediate application would interfere with business
requirements.
v. Trust relationships between systems are a security risk, and their use should be
avoided.
vi. Do not use a trust relationship when some other method of communication is
sufficient.
vii. Always use standard security principles of least required access to perform a
function.
viii. Do not use root when a non-privileged account will do.
ix. If a methodology for secure channel connection is available (i.e., technically
feasible), privileged access must be performed over secure channels, (e.g., encrypted
network connections using SSH or IPSec).
x. Servers should be physically located in an access controlled environment. 4.2.9
Servers are specifically prohibited from operating from uncontrolled cubicle areas.
7.7 Monitoring
All security related events on critical or sensitive systems must be logged and audit trails
saved as follows:
i. All security related logs will be kept online for a minimum of 1 week.
ii. Daily incremental tape backups will be retained for at least 1 month.

iii. Weekly full tape backups of logs will be retained for at least 1 month.
iv. Monthly full backups will be retained for a minimum of 2 years.
v. Security related events will be reported to Change Management team, who will
review logs and report incidents to IT management. Corrective measures will be
prescribed as needed. Security related events include, but are not limited to:
vi.
a. Port scan attacks
b. Evidence of unauthorized access to privileged accounts
c. Anomalous occurrences that are not related to specific applications on the host
8. Password Protection Policy
8.1 Overview
Passwords are an important aspect of computer security. A poorly chosen password may result
in unauthorized access and/or exploitation of PKL Autoparts Supply's resources. All users,
including contractors and vendors with access to PKL Autoparts Supply systems, are
responsible for taking the appropriate steps, as outlined below, to select and secure their
passwords.
8.2 Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the
protection of those passwords, and the frequency of change.
8.3 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or
any form of access that supports or requires a password) on any system that resides at any PKL
Autoparts Supply facility, has access to the PKL Autoparts Supply network, or stores any non-
public PKL Autoparts Supply information.
8.4 Password Creation
All user-level and system-level passwords must conform to the Password Construction
8.5 Guidelines
Users must not use the same password for PKL Autoparts Supply accounts as for other non-
PKL Autoparts Supply access (for example, personal ISP account, option trading, benefits, and
so on).
Where possible, users must not use the same password for various PKL Autoparts Supply
access needs.
User accounts that have system-level privileges granted through group memberships or
programs such as sudo must have a unique password from all other accounts held by that user
to access system-level privileges.

Where Simple Network Management Protocol (SNMP) is used, the community strings must be
defined as something other than the standard defaults of public and private.
8.6 Consensus Policy Resource Community
System and must be different from the passwords used to log in interactively. SNMP
community strings must meet password construction guidelines.
8.7 Password Change
All system-level passwords (for example, root, enable, NT admin, application administration
accounts, and so on) must be changed on at least a quarterly basis.
i. All user-level passwords (for example, email, web, desktop computer, and so on)
must be changed at least every three months. The recommended change interval is
every four months.
ii. Password cracking or guessing may be performed on a periodic or random basis by
the Change management team or its delegates. If a password is guessed or cracked
during one of these scans, the user will be required to change it to be in compliance
with the Password Construction Guidelines.
8.8 Password Protection
Passwords must not be shared with anyone. All passwords are to be treated as sensitive,
Confidential PKL Autoparts Supply information. Corporate Information Security recognizes
that legacy applications do not support proxy systems in place. Please refer to the technical
reference for additional details.
i. Passwords must not be inserted into email messages, Alliance cases or other forms
of electronic communication.
ii. Passwords must not be revealed over the phone to anyone.
iii. Do not reveal a password on questionnaires or security forms.
iv. Do not hint at the format of a password (for example, "my family name").
v. Do not share PKL Autoparts Supply passwords with anyone, including
administrative assistants, secretaries, managers, co-workers while on vacation, and
family members.
vi. Do not write passwords down and store them anywhere in your office. Do not store
passwords in a file on a computer system or mobile devices (phone, tablet) without
encryption.
vii. Do not use the "Remember Password" feature of applications (for example, web
browsers).

viii. Any user suspecting that his/her password may have been compromised must report
the incident and change all passwords.
8.9 Application Development
Application developers must ensure that their programs contain the following security
precautions:
i. Applications must support authentication of individual users, not groups.
ii. Applications must not store passwords in clear text or in any easily reversible form.
iii. Applications must not transmit passwords in clear text over the network.
iv. Applications must provide for some sort of role management, such that one user can
take over the functions of another without having to know the other's password.
8.10 Use of Passwords and Passphrases
Passphrases are generally used for public/private key authentication. A public/private key
system defines a mathematical relationship between the public key that is known by all, and the
private key, that is known only to the user. Without the passphrase to "unlock" the private key,
the user cannot gain access.
Passphrases are not the same as passwords. A passphrase is a longer version of a password and
is, therefore, more secure. A passphrase is typically composed of multiple words. Because of
this, a passphrase is more secure against "dictionary attacks."
A good passphrase is relatively long and contains a combination of upper and lowercase letters
and numeric and punctuation characters. An example of a good passphrase:
"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"
All of the rules above that apply to passwords apply to passphrases.
8.11 Policy Compliance
The Change management team will verify compliance to this policy through various methods,
including but not limited to, periodic walk-through, video monitoring, business tool reports,
8.12 Exceptions
Any exception to the policy must be approved by the Change management Team in advance.
8.13 Non-Compliance

9. References
Datacentre
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-
os/security/configuration/guide/sec_nx-os-cfg/sec_dhcpsnoop.html
Cisco learning portal
https://learningnetwork.cisco.com/thread/67229
ASA Firewall
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmo
te.html
Workstation security
https://www.sans.org/security-resources/policies/server-security#workstation-security-for-
hipaa-policy
Policies
www.sans.org
Cimtrak
https://www.cimcor.com/cimtrak-vs-
idsips?keyword=ids%20ips%20software&matchtype=b&creative=57777838497&source=Sea
rchNetwork&gclid=CLeS-aX-78UCFQIrvQoddiIANg
Why You Shouldn’t Use MAC Address Filtering On Your Wi-Fi Router?;
http://www.howtogeek.com/204458/why-you-shouldn%E2%80%99t-use-mac-address-
filtering-on-your-wi-fi-router/
How Domain Name Servers Work
http://computer.howstuffworks.com/dns.htm
GFI LanGuard
http://www.gfi.com/sites/LanGuard/Website/land/adv/network-auditing-
sm?adv=13755&loc=6&kwd=9&gclid=CPXGp5-788UCFdgnvQod57gA1A

Study Wireless Security Deployment - PKL

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Study Wireless Security Deployment - PKL

Similar to Study Wireless Security Deployment - PKL (20)

Study Wireless Security Deployment - PKL