Scenario
“Life Academy” is a well-established higher education institute with two branches
island-wide. Modern high-tech labs, free Wi-Fi zones and experienced staff have made
the campus popular among students. Life Academy is planning to open a new branch in
the near future. Some senior staff members can access their office logins and do their
work while they are at home. All data records (student details, marks, grades,
payments, staff details) are maintained in a centralized database, and there are
separate logins for students and staff. Students can download course materials and
upload their assignments through the website.
Table of Contents
List of figures
1. Introduction
1.1. Life Academy
2. Task 03
2.1. Cryptography
2.1.1. Cryptography Methods
2.2. Online Transactions
2.2.1. Security of Online Transaction Systems
2.2.2. HTTP and HTTPS
2.2.3. SSL and TLS
3. Task 04
3.1. Physical Security
3.1.1. Physical Security Definition
3.1.2. Risk Analysis
3.2. How Life Academy Avoids Physical Threats
3.2.1. How to avoid those threats
4. Task 05
4.1. Security Policy
4.1.2. Security Policy for Life Academy
5. Task 06
5.1. What is Access Control
5.2. Tools and Techniques of Access Monitoring and Control
5.2.1. Router Based Monitoring Techniques
5.2.2. Non-Router Based Monitoring Techniques
5.2.3. Access Control Tools
5.1.2. Monitoring and Access Control in Life Academy
Recommendations
List of figures
Figure 1 Cryptography Diagram
Figure 2 Example for Cryptography
Figure 3 Life Academy student’s payment website
Figure 4 Online transaction diagram
Figure 5 Physical Threats of Life Academy
Figure 6 Facial Recognition System
Figure 7 Mechanism of Facial Recognition System
Figure 8 ESSL iFace 302 System
Figure 9 Setup plan of ESSL iFace 302 System
Figure 10 Simple Network Management Protocol (SNMP)
Figure 11 NetFlow
Figure 12 Remote Monitoring (RMON)
Figure 13 Active Monitoring
Figure 14 Passive Monitoring
Figure 15 Bradford Networks’ Network Sentry
Figure 16 Bradford Networks Sentry options
Figure 17 Usual network architecture employed in Life Academy
Figure 18 Proposed network architecture
1. Introduction
Defining computer security is not trivial. The difficulty lies in developing a
definition that is broad enough to be valid regardless of the system being described,
yet specific enough to describe what security really is. In a general sense, security
is freedom from risk or danger. In the context of computer technology, security is
the prevention of, or protection against:
 Access to information by unauthorized recipients.
 Intentional but unauthorized destruction or alteration of that information.
The primary mission of an information security program is to ensure that systems and
their contents remain unchanged. Organizations spend hundreds of millions of dollars
or rupees and countless person-hours to keep and maintain their information systems.
If threats to information and systems did not exist, these resources could be used to
improve the systems that hold the information. However, attacks on information
systems are a daily occurrence, and the need for information security grows along
with the sophistication of those attacks.
The development of security has a military origin. The US government has been a main
force behind security research and technology because it holds information on national
defence and intelligence. Encryption was first used to protect data stored in computer
memory and on backup media, and unclassified data became protected by data
encryption as well. Today most households in developed countries have at least one
computer, document sharing and theft are far more common, and computers are
interconnected, so the same concerns apply to everyone.
This assignment gives a clear overview of computer security needs and develops a sound
approach to the selection of appropriate security controls. It describes implementation
methods for security controls, methods for auditing the security of specific systems,
and, by comparison, the benefits of diverse computer security
1.1. Life Academy
Life Academy was established in the year 2000, opening its doors to 500 students at
its institute in Ohio. Presently it offers both undergraduate and postgraduate
degrees and serves over 3000 students, including international students from many
countries around the world. More than 8000 alumni have graduated from its faculties:
Business, Computing, Engineering and Medicine. It takes great pride in producing
graduates who make meaningful contributions to their communities and professions.
2. Task 03
2.1. Cryptography
Cryptography is the practice of keeping data and communications protected. It is a
subject area at the centre of information and communication technologies and combines
mathematics, computer science and engineering. Individuals and organizations around
the world depend on the ability to ensure that data and communication systems are
secure and trustworthy. Information security allows users to use services, confirm
the identities of other users and organizations, and authenticate the origin of
software and other data.
For instance, every time an online transaction takes place, such as a purchase or a
bank transfer, the parties authenticate their identities to one another, confirm
authorization to access valuable services and products, and exchange data over an
encrypted channel. This is made possible by secret keys and passwords, communication
protocols, and encryption schemes built on mathematical problems believed to be too
hard for existing computers to solve. These mechanisms protect us from threats such
as malware, fraud and identity theft. Keeping up with the next generation of
cryptographic technologies and threats is critical to staying secure.
2.1.1. Cryptography Methods
 Secret Key Cryptography (Symmetric): uses a single key for both encryption
and decryption.
 Public Key Cryptography (Asymmetric): uses one key for encryption and
another for decryption.
 Hash Functions: use a one-way mathematical transformation; there is no key
and no way to recover the input.
 Secret Key Cryptography (Symmetric Cryptography)
With secret key cryptography, one key is used for both encryption and decryption.
The sender uses the key to encrypt the plaintext and sends the ciphertext to the
receiver. The receiver applies the same key to decrypt the message and recover the
plaintext. Because a single key is used for both operations, the key must be shared
in advance over a secure channel and kept secret by both parties. Secret key
algorithms are usually classified as either stream ciphers or block ciphers. Stream
ciphers operate on one bit (or byte) at a time and use some form of feedback or
counter so that the keystream is constantly changing; reusing the same key and nonce
for two messages leaks the XOR of their plaintexts. A block cipher encrypts one
fixed-size block of data at a time, using the same key on each block; a mode of
operation (CBC, CTR, GCM) is needed for messages longer than one block, and the
naive ECB mode leaks repeated blocks.
Secret key cryptography has many algorithms, including:
 Data Encryption Standard (DES): DES is a block cipher using a 56-bit key
that operates on 64-bit blocks. DES has a complex set of rules and
transformations that were designed specifically to yield fast hardware
implementations and slow software implementations. Its 56-bit key is far too
short for modern hardware, and single DES is no longer considered secure.
 Advanced Encryption Standard (AES): the underlying Rijndael design allows
variable block and key lengths of 128, 192 or 256 bits; the AES standard fixes
the block length at 128 bits and allows key lengths of 128, 192 or 256 bits.
 CAST: CAST is named for its developers, Carlisle Adams and Stafford
Tavares, and is available internationally.
 International Data Encryption Algorithm (IDEA): a 64-bit block cipher
using a 128-bit key. Also available internationally.
 Rivest Ciphers: named for Ron Rivest. The series includes RC2, RC3,
RC4 and RC5 (RC4 is a stream cipher, the others are block ciphers).
 Blowfish: optimized for 32-bit processors with large data caches, it is
significantly faster than DES on a Pentium/PowerPC-class machine. Key
lengths can vary from 32 to 448 bits.
 Twofish: a 128-bit block cipher using 128-, 192- or 256-bit keys. Designed
to be highly secure and highly flexible, well suited to large microprocessors,
8-bit smart card microprocessors and dedicated hardware.
 Camellia: a 128-bit block size, support for 128-, 192- and 256-bit key lengths,
and suitability for both software and hardware implementations on common
32-bit processors as well as 8-bit processors.
 GPRS (General Packet Radio Service): GSM mobile phone systems use
GPRS for data applications, and GPRS uses a number of encryption methods
offering different levels of data protection. GEA/0 offers no encryption at all.
GEA/1 and GEA/2 are proprietary stream ciphers employing a 64-bit key and
a 96-bit or 128-bit state.
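The stream-cipher behaviour described above, as an added example that is not part of the original report: a keystream-XOR cipher built from HMAC-SHA256 in counter mode (standard library only, so no AES implementation is needed), with an encrypt-then-MAC tag and a function that shows what goes wrong when the same key and nonce are reused. The construction, the 16-byte nonce, the key derivation for the MAC and the sample messages are this example's own assumptions; use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 in production.

```python
"""Toy stream cipher (added example, not from the report): keystream from
HMAC-SHA256 in counter mode, XORed with the plaintext, then authenticated
with a second HMAC (encrypt-then-MAC).  Illustrates symmetric-key properties
and the nonce-reuse failure mode; not for production use."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # assumption: 128-bit random nonce per message
TAG_LEN = 32     # HMAC-SHA256 output


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = HMAC(key, nonce || i); the counter makes every block differ."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings (truncates to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def mac_key(key: bytes) -> bytes:
    """Derive a separate MAC key so the same key is never used for two purposes."""
    return hashlib.sha256(b"mac" + key).digest()


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag.  The tag covers nonce and ciphertext."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(mac_key(key), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Verify the tag in constant time BEFORE decrypting; raise on any tampering."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key(key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message tampered or wrong key")
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Failure mode: same key and nonce => same keystream, so C1 XOR C2 == P1 XOR P2.
    An eavesdropper who knows (or guesses) one plaintext recovers the other."""
    c1 = encrypt(key, nonce, p1)[NONCE_LEN:NONCE_LEN + len(p1)]
    c2 = encrypt(key, nonce, p2)[NONCE_LEN:NONCE_LEN + len(p2)]
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    msg = b"grade update: student 1042 -> A"          # constructed sample message
    sealed = encrypt(key, secrets.token_bytes(NONCE_LEN), msg)
    print(decrypt(key, sealed) == msg)                  # True
    corrupted = bytearray(sealed)
    corrupted[NONCE_LEN] ^= 0x01                        # flip one ciphertext bit
    try:
        decrypt(key, bytes(corrupted))
    except ValueError as err:
        print("rejected:", err)
    p1, p2 = b"pay 100", b"pay 900"
    print(nonce_reuse_leak(key, b"\x00" * NONCE_LEN, p1, p2) == xor_bytes(p1, p2))  # True
```

The order in `decrypt` matters: checking the tag before touching the ciphertext is what stops an attacker from using decryption errors as an oracle, and a random nonce per message is what keeps `nonce_reuse_leak` from applying.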
 Public Key Cryptography (Asymmetric)
Asymmetric cryptography (public-key cryptography) uses a pair of keys, one public
and one private, such that a message encrypted with one can only be decrypted with
the other. A user generates the key pair and keeps the private key secret; a
certificate authority can then vouch for the binding between the public key and the
user's identity. Any other user who needs to send an encrypted message can obtain the
intended recipient's public key from a public directory, use it to encrypt the
message, and send the ciphertext to the recipient, who decrypts it with the private
key. The same pair supports digital signatures in the other direction: the owner
signs with the private key and anyone can verify with the public key.
Public key (asymmetric) cryptography has several algorithms, including:
 RSA: RSA is used in hundreds of software products and can be used for
key transport, digital signatures, or encryption of small blocks of data. RSA uses a
variable-size encryption block and a variable-size key. The key pair is derived
from a very large number n that is the product of two prime numbers chosen
according to special rules; these primes may be a hundred or more digits in
length each, yielding an n with roughly twice as many digits as the primes. In
practice RSA is always used with padding (OAEP for encryption, PSS for
signatures); textbook RSA without padding is malleable.
 Diffie-Hellman: Diffie and Hellman devised the first published public-key
method. D-H is used for secret-key exchange only, and not for authentication or
digital signatures; on its own it is open to man-in-the-middle attacks, so the
exchanged values must be authenticated by other means.
 Digital Signature Algorithm (DSA): provides digital signature capability for
the authentication of messages.
 Elliptic Curve Cryptography (ECC): public-key algorithms based on elliptic
curves. ECC can offer levels of security comparable to RSA and other PKC
methods with much smaller keys. It was designed for applications with
limited computing capacity and/or memory, such as smart cards.
 Cramer-Shoup: a public-key cryptosystem proposed by R. Cramer and V.
Shoup of IBM in 1998.
 Hash Functions
Hash functions, also called message digests and one-way encryption, are
algorithms that, in some sense, use no key. Instead, a fixed-length hash value is
computed from the plaintext in a way that makes it infeasible to recover either the
contents or the length of the plaintext. Hash function algorithms are typically
used to provide a digital fingerprint of a file's contents, often used to ensure that
the file has not been modified by an intruder or malware. Hash algorithms are also
commonly employed by operating systems to protect stored passwords; for that use the
hash must be salted and deliberately slow (PBKDF2, bcrypt, scrypt or Argon2), since a
plain fast hash of a password is easily brute-forced. Hash functions, therefore,
provide a measure of the integrity of a file. Hash algorithm families include:
 Message Digest (MD) algorithms: a series of byte-oriented algorithms that
produce a 128-bit hash value from an arbitrary-length message: MD2, MD4
and MD5. All three are broken (practical collisions exist for MD4 and MD5)
and should not be used for security purposes.
 Secure Hash Algorithm (SHA): three families. SHA-1 (160-bit output;
collisions have been demonstrated, so it is deprecated for signatures), SHA-2
(SHA-224/256/384/512) and SHA-3 (Keccak).
 RIPEMD: RIPEMD-160 was optimized for 32-bit processors to replace the
then-current 128-bit hash functions. Other versions include RIPEMD-128,
RIPEMD-256 and RIPEMD-320.
 Whirlpool: Whirlpool operates on messages less than 2^256 bits in length, and
produces a message digest of 512 bits.
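The two everyday uses just described, file fingerprinting and password storage, as an added example that is not code from the original report, using only Python's standard library. The iteration count, the storage format, the sample file snapshot and the manifest are assumptions of the example.

```python
"""Added example (not from the report): SHA-256 fingerprints checked against a
manifest, and salted, slow PBKDF2 password storage with constant-time verify."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash costs ~100 ms on your hardware


def fingerprint(data: bytes) -> str:
    """Digital fingerprint of a file's contents: one changed bit changes the whole digest."""
    return hashlib.sha256(data).hexdigest()


def verify_manifest(files: dict, manifest: dict) -> list:
    """Compare a {name: bytes} snapshot with {name: expected_sha256_hex}; return the
    names whose content no longer matches (altered by an intruder, malware or error).
    A file missing from the manifest is reported too, since it has no known-good value."""
    return sorted(name for name, data in files.items()
                  if fingerprint(data) != manifest.get(name))


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.  The random salt defeats
    precomputed tables; the iteration count slows brute force of a leaked table."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so response timing does not reveal how many leading bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # constructed sample snapshot of course files and the manifest taken when they were published
    files = {"lecture1.pdf": b"lecture 1 slides", "grades.csv": b"1042,A"}
    manifest = {name: fingerprint(data) for name, data in files.items()}
    files["grades.csv"] = b"1042,A+"                      # someone edited a grade
    print("modified:", verify_manifest(files, manifest))  # ['grades.csv']
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record), verify_password("wrong", record))
```

Note that two users with the same password get different records because the salt differs, which is exactly why a leaked table cannot be attacked with one precomputed dictionary.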
2.2. Online Transactions
OLTP (online transaction processing) is a class of software systems capable of
supporting transaction-oriented applications on the Internet. Typically, online
transaction processing systems are used for order entry, financial transactions,
customer relationship management (CRM) and retail sales. Such systems have a large
number of users who conduct short transactions. Database queries are normally
simple, require sub-second response times and return relatively few records.
Life Academy allows students (customers) to make their payments (registration
fees, lab fees, school tax credits and more) online through the university website.
Institutional benefits include better cash flow, no more bounced cheques, reduction
of errors (little human intervention) and lower transaction costs. As with any
information processing system, security and reliability are considerations. Online
transaction systems are generally more exposed to direct attack and abuse than their
offline counterparts: a payment must be posted atomically, must not be replayed or
double-submitted, and must not be alterable by a student through crafted input. When
organizations choose to rely on online transaction processing, as with any other
technology, operations can be severely disrupted by reliability problems. In addition,
some systems require offline maintenance, which further affects the cost-benefit
analysis.
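The integrity properties a fee-payment system like Life Academy's needs from its OLTP database, as an added example that is not part of the original report, shown with SQLite from Python's standard library: the payment row and the balance update commit or roll back together, a replayed receipt is rejected, and student input reaches the query only as a bound parameter. The schema, table names, receipt format and sample rows are constructed for the example.

```python
"""Added example (not from the report): atomic, idempotent, injection-safe
posting of a student fee payment in SQLite."""
import sqlite3


def open_ledger() -> sqlite3.Connection:
    """In-memory ledger with constructed sample students (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")          # enforce student_id references
    conn.executescript("""
        CREATE TABLE students (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            balance_due INTEGER NOT NULL
        );
        CREATE TABLE payments (
            receipt_id TEXT PRIMARY KEY,                 -- gateway receipt: unique => replay-safe
            student_id INTEGER NOT NULL REFERENCES students(id),
            amount INTEGER NOT NULL CHECK (amount > 0)   -- no negative 'payments'
        );
        INSERT INTO students VALUES (1042, 'A. Perera', 50000);
        INSERT INTO students VALUES (1043, 'N. Silva', 12000);
    """)
    return conn


def post_payment(conn: sqlite3.Connection, receipt_id, student_id, amount) -> bool:
    """Record a payment and reduce the balance in ONE transaction.
    Returns False, leaving the database untouched, on a duplicate receipt
    (replay or double submit), unknown student, or non-positive amount."""
    try:
        with conn:   # BEGIN ... COMMIT, or ROLLBACK if an exception escapes the block
            conn.execute(
                "INSERT INTO payments (receipt_id, student_id, amount) VALUES (?, ?, ?)",
                (receipt_id, student_id, amount))          # bound parameters, never string-built
            cur = conn.execute(
                "UPDATE students SET balance_due = balance_due - ? WHERE id = ?",
                (amount, student_id))
            if cur.rowcount != 1:                          # defence in depth next to the FK
                raise sqlite3.IntegrityError("unknown student")
        return True
    except sqlite3.IntegrityError:
        return False


def balance(conn: sqlite3.Connection, student_id) -> int:
    row = conn.execute("SELECT balance_due FROM students WHERE id = ?", (student_id,)).fetchone()
    return row[0] if row else -1


if __name__ == "__main__":
    conn = open_ledger()
    print(post_payment(conn, "RCPT-0001", 1042, 20000), balance(conn, 1042))   # True 30000
    print(post_payment(conn, "RCPT-0001", 1042, 20000), balance(conn, 1042))   # False 30000 (replay)
    print(post_payment(conn, "RCPT-0002", "1042 OR 1=1", 100))                # False: just a string
    print(conn.execute("SELECT COUNT(*) FROM payments").fetchone()[0])         # 1
```

The replay check comes from the primary key on `receipt_id` rather than from application logic, so two concurrent submissions of the same receipt cannot both succeed; the `with conn:` block guarantees that a failure after the insert never leaves a payment recorded without the matching balance change.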
2.2.1. Security of Online Transaction Systems
Before sending any personal or financial details online, you need to know that you
are communicating with a secure site. Secure sites make sure all details you send
are encrypted as they travel across the Web. The https address prefix and your
browser's padlock icon are two signs that you are on a secure site.
HTTPS
HTTPS stands for Hypertext Transfer Protocol over TLS (formerly SSL, Secure Sockets
Layer). It is the protocol used by web servers to exchange and deliver web content
securely. The data transferred is encrypted so that it cannot be read by anyone
except the intended recipient, and the server is authenticated by its certificate.
HTTPS is used by any website that collects sensitive customer data such as banking
or purchase details. If you are making a transaction online, you should make sure it
is done over HTTPS so that the data stays protected. (Rouse, 2006)
Security alerts and the SSL certificate
Secure sites have an SSL/TLS certificate. A certificate does two things. First, it
acts like a passport or birth certificate: it binds the server's public key to its
domain name under the signature of a certificate authority. Second, it enables
encryption, since the key in the certificate is used to set up the session keys. If a
site does not have a certificate, the address will start with http instead of https,
and your browser will not show a lock icon. If it has a certificate, you can inspect
it by clicking the browser's lock. A padlock only means that the connection to that
domain is encrypted and that the domain is the one shown in the address bar; it says
nothing about whether the site itself is honest.
Encryption in Secure Electronic Transaction
Secure Electronic Transaction (SET) is a protocol, developed by Visa and MasterCard,
for securing credit card transactions over insecure networks, specifically the
Internet. SET is a set of standards and rules that allow users to carry out financial
dealings through the existing payment system over an insecure network in a protected
and trustworthy manner. SET provides several security services, namely
confidentiality, data integrity and authentication, for electronic transactions over
the Internet. Each is necessary for a successful transaction: confidentiality protects
sensitive data from unauthorized users, data integrity ensures that the details are
transferred without any modification by an intruder, and authentication assures both
sender and receiver that the transaction is valid and genuine. SET's distinctive
mechanism is the dual signature: the customer signs a hash of both the order
information and the payment information once, so the merchant sees the order but not
the card details, the bank sees the payment but not the order, and each can verify the
same signature. In practice SET was never widely adopted, and card payments on the
web rely on HTTPS to the merchant or payment gateway instead.
How SET works
The customer opens a Visa or MasterCard account with an issuing bank. The customer
receives a digital certificate. This electronic document functions as a credit card
for online purchases or other transactions. It contains a public key with an expiry
date and has been digitally signed by the bank to guarantee its validity. Merchants
also receive certificates from the bank. These certificates contain the merchant's
public key and the bank's public key. The customer places an order over a web page or
by phone. The customer's browser receives and verifies from the merchant's certificate
that the merchant is valid. The browser sends the order information. This message is
encrypted with the merchant's public key; the payment information is encrypted with
the bank's public key; and the dual signature ties the two together so that the
payment can only be used with this specific order. The merchant verifies the customer
by checking the digital signature on the customer's certificate. This may be done by
referring the certificate to the bank or to a third-party verifier. The merchant
forwards the order message to the bank. This includes the bank's public key, the
customer's payment details (which the merchant cannot read), and the merchant's
certificate. The bank verifies the merchant and the message. The bank checks the
digital signature on the certificate against the message and verifies the payment
section of the message. The bank digitally signs and sends an authorization to the
merchant, who can then complete the order.
Figure 1 Online transaction diagram
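Textbook RSA and the SET dual signature, as an added example serving both the public-key algorithm list in 2.1.1 and the SET flow above; it is not code from the original report or from the SET specification. The tiny primes, the exponent and the messages are assumptions chosen so the arithmetic is visible; byte-by-byte RSA without padding is used only so the toy keys can carry text.

```python
"""Added example (not from the report): textbook RSA on tiny primes, then the
SET dual signature: one signature over H(order) || H(payment) that the merchant
verifies without seeing the card data and the bank verifies without seeing
the order.  Key sizes and the absence of padding make this a teaching toy."""
import hashlib

# Toy parameters (assumption): primes small enough to check by hand.
# Real RSA uses 2048-bit or larger moduli with OAEP/PSS padding.
TOY_PRIMES = {"merchant": (61, 53), "bank": (89, 97), "customer": (107, 109)}
E = 17  # public exponent; coprime to (p-1)(q-1) for all three pairs above


def make_keypair(p, q, e=E):
    """Return (public, private) = ((n, e), (n, d)) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pub, m):
    """c = m^e mod n: anyone holding the public key can encrypt for its owner."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n: only the private-key holder can decrypt."""
    n, d = priv
    return pow(c, d, n)


def digest(data, n):
    """SHA-256 reduced mod n so it fits the toy modulus (real RSA pads instead)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """Signature = H(data)^d mod n, computed with the signer's private key."""
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data, sig):
    """Anyone checks sig^e mod n == H(data) with the signer's public key."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def rsa_bytes(key, op, data):
    """Apply encrypt/decrypt to each byte (every byte < n).  Toy only: this is
    ECB without padding and would leak repeated bytes in real use."""
    return [op(key, b) for b in data]


def customer_purchase(order, payment, cust_priv, merchant_pub, bank_pub):
    """Customer side of SET: one dual signature over H(order) || H(payment);
    the order is encrypted for the merchant, the payment for the bank."""
    h_order, h_pay = hashlib.sha256(order).digest(), hashlib.sha256(payment).digest()
    dual_sig = sign(cust_priv, h_order + h_pay)
    return {
        "to_merchant": {"order_ct": rsa_bytes(merchant_pub, encrypt, order),
                        "h_pay": h_pay, "dual_sig": dual_sig},
        "to_bank": {"payment_ct": rsa_bytes(bank_pub, encrypt, payment),
                    "h_order": h_order, "dual_sig": dual_sig},
    }


def merchant_verify(msg, merchant_priv, cust_pub):
    """Merchant recovers the order, never sees the card data, and checks that the
    signature covers this order together with the (hashed) payment."""
    order = bytes(rsa_bytes(merchant_priv, decrypt, msg["order_ct"]))
    h_order = hashlib.sha256(order).digest()
    return order if verify(cust_pub, h_order + msg["h_pay"], msg["dual_sig"]) else None


def bank_verify(msg, bank_priv, cust_pub):
    """Bank recovers the payment, never sees the order, and verifies the same signature."""
    payment = bytes(rsa_bytes(bank_priv, decrypt, msg["payment_ct"]))
    h_pay = hashlib.sha256(payment).digest()
    return payment if verify(cust_pub, msg["h_order"] + h_pay, msg["dual_sig"]) else None


if __name__ == "__main__":
    keys = {who: make_keypair(*pq) for who, pq in TOY_PRIMES.items()}
    order, payment = b"order 7781: lab fee, 3500", b"card 4111-....-1111 exp 12/29"  # constructed
    msgs = customer_purchase(order, payment, keys["customer"][1], keys["merchant"][0], keys["bank"][0])
    print(merchant_verify(msgs["to_merchant"], keys["merchant"][1], keys["customer"][0]))
    print(bank_verify(msgs["to_bank"], keys["bank"][1], keys["customer"][0]))
```

The merchant's message carries only `h_pay`, never the card number, yet because the hash of the payment is inside the signed data the merchant can still confirm that this order and this payment were authorized together; changing either half in transit makes the one shared signature fail for whichever party receives the altered half.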
2.2.2. HTTP and HTTPS
 HTTP
HTTP (Hypertext Transfer Protocol) is the communications protocol used to connect to
web servers on the Internet or on a local network (intranet). Its primary function is
to establish a connection with the server and deliver HTML pages back to the user's
browser. It is also used to download files from the server, either to the browser
or to any other requesting application that uses HTTP. HTTP is the underlying
protocol of the World Wide Web: it defines how messages are formatted and
transmitted, and what actions web servers and browsers should take in response to
various commands. For instance, when you enter a URL (Uniform Resource Locator) in
your browser, this actually sends an HTTP command to the web server directing it to
fetch and transmit the requested web page. Plain HTTP carries everything in
cleartext, so anyone on the network path can read or modify it.
 HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried inside a TLS connection.
Before any request is sent, the browser and server perform a TLS handshake in which
the server presents its certificate, the browser verifies it against its trusted
certificate authorities and the host name, and the two sides agree on session keys.
Every request and response is then encrypted and integrity-protected, so an
eavesdropper sees which host was contacted but not the paths, cookies, form fields
or content.
Difference between HTTP and HTTPS
Most web addresses start with “HTTP”, which stands for Hypertext Transfer Protocol.
It is the protocol that allows you to communicate with websites. “HTTPS” stands for
Hypertext Transfer Protocol Secure. It signifies that information transferred between
the user and a website is encrypted and cannot be read by someone who wants to
eavesdrop when the user types a credit card number, a password, or any other private
information. The point is to encourage the user to check for HTTPS before giving
financial information. Not all websites use HTTPS, but when you click a link to make
a purchase, many of them will direct you to an HTTPS site. SSL/TLS encryption is a
technology that protects websites and makes it simple to establish trust by means of
a certificate that enables encryption of sensitive information during online
transactions. Verified information about the certificate owner is checked by a
certificate authority when the certificate is issued. Just because a website uses
TLS, however, the encryption does not protect Internet users from phishing and other
scams: a phishing site can hold a perfectly valid certificate for its own domain.
When visiting websites that accept financial details online, it is good practice to
make sure the online firm is legitimate, has a good reputation for customer service
and uses TLS encryption in its dealings.
2.2.3. SSL and TLS
 SSL
SSL (Secure Sockets Layer) is the original security technology for establishing an
encrypted link between a server and a client, typically a web server (website) and a
browser, or a mail server and a mail client. SSL allows sensitive details such as
credit card numbers, social security numbers and login credentials to be transmitted
safely. Without it, data sent between browsers and web servers is sent in plain
text, leaving you vulnerable to eavesdropping. If an attacker is able to intercept
the data being sent between a browser and a web server, they can view and use that
information.
 TLS
TLS (Transport Layer Security) is a protocol that provides communication security
between client and server applications that communicate with one another over the
Internet. It provides privacy, integrity and authentication for the data transmitted
between different endpoints on the Internet. TLS is the successor to SSL.
Difference between SSL and TLS
TLS and SSL are protocols that provide data encryption and authentication between
applications and servers in scenarios where that data is being sent across an
insecure network, such as checking email. The terms SSL and TLS are often used
interchangeably or in conjunction with one another (TLS/SSL), but one is in fact the
predecessor of the other: SSL 3.0 served as the foundation for TLS 1.0 which, as a
result, is sometimes referred to as SSL 3.1. It used to be held that TLS 1.0 was only
marginally safer than SSL 3.0, its predecessor. SSL 3.0 is now broken and formally
deprecated (RFC 7568), and TLS 1.0 and 1.1 have been deprecated as well (RFC 8996);
current deployments should offer TLS 1.2 and TLS 1.3 only. Sites that still allow
SSL 3.0 for web hosting are placing their “secure websites” at risk; organizations
that keep SSL 3.0 enabled for other protocols should take steps to remove that
support at the earliest maintenance window.
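TLS client configuration as an added example (not part of the original report), covering what sections 2.2.2 and 2.2.3 say a client should insist on: a weak Python `ssl` context beside a hardened one, and an audit function that reports why the weak one is unsafe. Host names and ports are placeholders; `connect_checked` is included to show use but nothing here opens a network connection.

```python
"""Added example (not from the report): weak vs hardened TLS client contexts in
Python's standard `ssl` module, plus an audit that explains the difference."""
import socket
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What 'just make it work' code often does: accept any certificate for any
    name (so any man-in-the-middle is accepted) and allow obsolete protocols."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # re-enable deprecated TLS 1.0
    except ValueError:
        pass                            # build without TLS 1.0 support: cannot lower it
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server chain against the system trust store, match the host
    name, and refuse SSL 3.0 / TLS 1.0 / TLS 1.1 (deprecated by RFC 7568 and RFC 8996)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context is unsafe for a banking-style client; [] if none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def connect_checked(host: str, port: int = 443) -> dict:
    """Usage (not run here): open a verified TLS connection to a placeholder host
    and report what was negotiated, e.g. connect_checked("payments.example.edu")."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "subject": tls.getpeercert()["subject"]}


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))   # []
```

The same three checks apply on the server side of Life Academy's website: a certificate from a trusted authority for the exact host name, TLS 1.2 as the floor, and no fallback to SSL 3.0 or TLS 1.0 for clients that ask for it.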
3. Task 04
3.1. Physical Security
3.1.1. Physical Security Definition
Physical security means measures designed to ensure the physical protection of IT
assets such as facilities, equipment, personnel, resources and other property from
damage and unauthorized physical access. Physical security measures are taken in
order to protect these assets from physical damage including theft, vandalism, fire
and natural disasters.
Physical security is especially important for IT assets, as their proper operation
requires that the hardware assets and infrastructure they run on be kept away from
anything that could compromise their operation. This includes tampering by
unauthorized personnel and unexpected events such as emergencies and natural
disasters. (Shinder, 2007)
3.1.2. Risk Analysis
Security risk analysis (risk assessment) is essential to the security of any
organization. It is fundamental in ensuring that controls and expenditure are fully
commensurate with the risks to which the organization is exposed. Security in any
system should be proportionate to its risks. The process of determining which
security controls are appropriate and cost-effective is quite often a complex and
sometimes subjective matter. One of the primary functions of security risk analysis
is to put this process onto a more objective basis: identify the assets, the threats
to each, the likelihood and impact of each threat, and the controls that reduce the
residual risk to an acceptable level at a cost lower than the expected loss.
3.2. How Life Academy Avoids Physical Threats
Most organizations would like to have a secure IT environment, but very often this
need comes into conflict with other priorities. Organizations often find the task of
keeping business operations aligned with the security process highly challenging.
When economic conditions look difficult, it is easy to turn security into a budget
item that keeps being pushed back. The physical security threats facing an
organization such as Life Academy are shown below.
Figure 2 Physical Threats of Life Academy
3.2.1. How to avoid those threats
 Build on the right spot: be sure the building is some distance from the head
office (10 miles is typical) and at least 100 feet from the main road. Avoid bad
neighbours such as airports, chemical facilities and power plants, and bad ground
such as earthquake fault lines and areas prone to hurricanes and flooding. Scrap the
university sign on the building.
 Have redundant utilities: the institute needs two sources for utilities such as
electricity, water, voice and data. Trace electricity sources back to two separate
substations and water back to two different main lines. Lines should be underground
and should come into different areas of the building, with water separate from the
other utilities. Use the institute's anticipated power usage as leverage for getting
the electricity company to supply the building's special needs.
 Windows: if the institute building must have windows, limit them to the break
rooms or administrative area, and use shatter-resistant laminated glass.
 Use landscaping for protection: mounds, trees and rocks can conceal the building
from passing cars, obscure security devices such as fences, and help keep vehicles
from getting too close.
 Keep a 100-foot buffer zone around the site: where landscaping does not
protect the institute building from vehicles, use crash-proof barriers instead.
Bollard planters are less conspicuous and more attractive than other devices.
 Use crash barriers at vehicle access points: control entry to the parking lot and
loading dock with a staffed guard station that operates retractable bollards. Use a
raised gate and a green light as visible cues that the bollards are down and the
driver can proceed. Where more security is needed, leave the barriers up by default
and lower them only when someone has permission to pass.
 Limit access points: control entry to the institute building by having one
main entrance.
 Make fire doors exit only: for exits required by fire codes, install doors that
have no handles on the outside. When any of these doors is opened, a loud alarm
should sound and trigger a response from the security command post.
 Use plenty of security cameras: cameras should be installed around the
perimeter of the institute building, at all entrances and exits, and at every access
point inside the building. A combination of motion-detection devices, low-light
cameras, pan-tilt-zoom cameras and standard fixed cameras is best.
 Protect the building's machinery: secure the mechanical area of the institute
building, which houses environmental systems, computer hardware and power supplies.
If generators are outside, use a metal cage or concrete walls to secure the area.
 Plan for safe air handling: make sure the heating and air-conditioning systems
can be set to recirculate air rather than drawing in air from outside. This could
help protect people and equipment if there were some kind of biological or chemical
release, or heavy smoke spreading from a nearby fire.
 Ensure nothing can hide in the walls or ceilings: in secure areas of the
institute, make sure internal walls run from the slab ceiling all the way to the
subflooring where wiring is typically housed. Also make sure drop-down ceilings do
not provide hidden access paths over the walls.
 Use two-factor authentication: biometric identification is becoming standard
for access to some areas of the institute building, with hand geometry or fingerprint
scanners currently considered less invasive than retinal scanning. In other areas the
institute may be able to get away with less expensive access cards, but a card alone
is a single factor; pair it with a PIN or a biometric where the area is sensitive.
 Set up visitor rest rooms: make sure to include bathrooms for use by visitors
and delivery people who do not have access to the secure areas of the building.
 Prohibit food in the computer labs: provide a common area where people can eat
without getting food on computer equipment.
 Guard the exits: not only for the main facility but for the more sensitive areas
of the facility as well. It will help keep track of who was where and when.
4. Task 05
4.1. Security Policy
A security policy is a formal statement of the rules through which people are given access to an organization’s technology, systems and information assets. The security policy describes the business and security goals and objectives that management expects to be met.
A security policy is the essential foundation on which an effective and comprehensive security program can be developed. This essential component of the overall security architecture, however, is often overlooked. A security policy is the primary way in which management’s expectations for security are translated into specific and measurable goals and objectives. It is essential to take a top-down approach based on a well-stated policy in order to develop a provable security plan.
An Information Technology (IT) Security Policy defines the rules and procedures for all individuals accessing and using an institution’s IT assets and resources. An effective IT Security Policy is a model of the institution’s culture, in which rules and procedures are driven by its employees’ approach to their information and work. Therefore, an effective IT security policy is a unique document for each institution, shaped by how the institution views and values its information and the resulting availability it demands of that information. Many firms will find an IT security policy unsuitable because it fails to consider how the institution’s people really use and share information among themselves and with the public. The IT Security Policy is a living document that is continually updated to adapt to evolving business and information technology needs. (Shimonski, 2008)
The functions here are based on the following aims.
 Ensure the availability of data and processing resources.
 Provide assurance of the confidentiality and integrity of customer data, and allow for the compartmentalization of risk for customers and the institution.
 Ensure the integrity of data processing activities and protect them from unauthorized use.
 Ensure the privacy of the customer’s and your own processed data, and prevent unauthorized disclosure or access.
 Ensure the integrity of the customer’s and your own processed data, and prevent unauthorized and undetected modification, substitution, and destruction of that data.
The aim of the security policy is to translate, clarify and communicate management’s position on security as defined in high-level security principles. The security policies act as a bridge between these management objectives and the specific security requirements.
4.1.2. Security Policy for the Life Academy
Facial Recognition System
Face recognition is a challenging problem in the field of image analysis and computer vision. The security of information is becoming very important and difficult. Security cameras are now common at military bases, offices, universities, banks and any location with a security system. Face recognition is a biometric technique used to identify or verify a person from a digital image. Facial recognition systems are used for security. A facial recognition system should be able to automatically detect a face in an image. This involves extracting its features and then recognizing it, regardless of expression, illumination, skin color, ageing, transformations (translation and scaling of the image) and pose, which is a difficult task.
Facial recognition is one of the active research areas in pattern recognition and computer vision because of its diverse practical applications in biometrics, information security, access control, law enforcement, smart cards and surveillance systems.
Figure 3 Facial Recognition System
How a Facial Recognition System Works
Facial recognition analyzes the features of an individual’s face in an image captured by a digital video camera. It measures the facial structure, including the distances between the eyes, nose, mouth, and jaw edges. These measurements are stored in a database and used for comparison when a user stands before the camera. This biometric has been widely, and perhaps wildly, touted as a fantastic system for recognizing potential threats (terrorists, hackers, or any other criminal) but so far has not seen broad acceptance in high-level usage. It is projected that biometric facial recognition systems will soon overtake fingerprint biometrics as the most popular form of user authentication.
The following four-stage process explains the way biometric systems work:
Capture: a physical or behavioral sample is captured by the system during enrolment.
Extraction: unique data is extracted from the sample and a template is created.
Comparison: the template is then compared with a new sample.
Matching: the system then decides whether the features extracted from the new sample match the template or not.
When the user faces the camera, standing about half a metre from the device, the system locates the user’s face and performs matching against the claimed identity or the facial database. The user may need to move and retry the verification depending on his facial pose. The system usually comes to a decision in less than 5 seconds.
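As an added illustration that is not part of the original assignment, the following Python sketch runs the four stages above (capture, extraction, comparison, matching) as a 1:N identification against a small gallery, and its error_rates helper shows the false-match versus false-non-match trade-off that choosing the decision threshold involves. The feature vectors, user ids and the 0.90 threshold are constructed values, not data from any real face recognition product.

```python
"""Added example (not from the assignment): the four stages of the biometric
process described above, run as a 1:N identification against a small gallery
with an explicit decision threshold. Samples are constructed, not real faces."""
import math
import random
from typing import Dict, List, Optional, Tuple

FEATURES = 32        # measurements per template (landmark distances, constructed)
THRESHOLD = 0.90     # cosine similarity required to declare a match (constructed)
GALLERY_LIMIT = 500  # one-to-many capacity the text quotes for the iFace 302


def capture(person: int, session: int = 0, jitter: float = 0.0) -> List[float]:
    """Stage 1, capture: simulate a raw sample.  The same person id gives the
    same underlying face; jitter models pose and lighting changes per session."""
    face = random.Random(person)
    noise = random.Random(person * 7919 + session)
    return [face.uniform(20.0, 80.0) + noise.gauss(0.0, jitter) for _ in range(FEATURES)]


def extract(sample: List[float]) -> List[float]:
    """Stage 2, extraction: centre and unit-normalise the measurements so the
    template does not depend on how large the face appears in the frame."""
    mean = sum(sample) / len(sample)
    centred = [x - mean for x in sample]
    norm = math.sqrt(sum(c * c for c in centred)) or 1.0
    return [c / norm for c in centred]


def compare(template: List[float], probe: List[float]) -> float:
    """Stage 3, comparison: cosine similarity, 1.0 for identical templates."""
    return sum(a * b for a, b in zip(template, probe))


class FaceGallery:
    """Enrolled templates keyed by user id; identify() is stage 4, matching."""

    def __init__(self, limit: int = GALLERY_LIMIT) -> None:
        self.limit = limit
        self.templates: Dict[str, List[float]] = {}

    def enrol(self, user_id: str, sample: List[float]) -> None:
        if user_id not in self.templates and len(self.templates) >= self.limit:
            raise ValueError("gallery is full")
        self.templates[user_id] = extract(sample)

    def identify(self, sample: List[float],
                 threshold: float = THRESHOLD) -> Tuple[Optional[str], float]:
        """1:N matching: best-scoring enrolled user if above threshold, else None."""
        probe = extract(sample)
        best_id: Optional[str] = None
        best_score = -1.0
        for user_id, template in self.templates.items():
            score = compare(template, probe)
            if score > best_score:
                best_id, best_score = user_id, score
        return (best_id, best_score) if best_score >= threshold else (None, best_score)

    def verify(self, user_id: str, sample: List[float],
               threshold: float = THRESHOLD) -> bool:
        """1:1 verification against a claimed identity."""
        template = self.templates.get(user_id)
        return template is not None and compare(template, extract(sample)) >= threshold


def error_rates(gallery: FaceGallery, genuine: List[Tuple[str, List[float]]],
                impostors: List[List[float]], threshold: float) -> Tuple[float, float]:
    """Measure the threshold trade-off: (false non-match rate, false match rate)."""
    fnm = sum(not gallery.verify(uid, s, threshold) for uid, s in genuine)
    fm = sum(gallery.identify(s, threshold)[0] is not None for s in impostors)
    return fnm / len(genuine), fm / len(impostors)


def demo_gallery() -> FaceGallery:
    """Three constructed students enrolled from a clean first capture."""
    gallery = FaceGallery()
    for person in (1, 2, 3):
        gallery.enrol(f"S00{person}", capture(person))
    return gallery
```

Lowering the threshold reduces false rejections of genuine students at the price of a higher false-match rate, which is why the threshold belongs in the security policy rather than being left at a vendor default.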
Figure 4 Mechanism of Facial Recognition System
ESSL iFace 302 System
Figure 5 ESSL iFace 302 System
With the iFace 302, users can identify or verify themselves by face, fingerprint, ID card or PIN/password. The TFT (Thin Film Transistor) color touch screen of the iFace 302 provides ease of use and a rich user experience. The iFace 302 uses state-of-the-art 3D (three-dimensional) imaging technology while also providing hygienic, 100% touch-free biometric authentication. The iFace 302 can perform one-to-many matching against up to 500 faces and 3000 fingerprints.
When users look straight into the camera, it captures the relative position, scale, size, and shape of the user’s eyes, nose, cheekbones, and jaw. These parameters are then used to build a biometric template, which is subsequently used to verify or identify each user.
Figure 6 Setup plan of ESSL iFace 302 System
Benefits of Using a Facial Recognition System
 Accurate Identification: While conventional security systems rely on passwords, personal smart cards or personal identification numbers (PINs), Life Academy can achieve a high level of accuracy with biometric systems. If Life Academy installs the system properly, it can use biological features like fingerprints and iris scans, which provide unique and accurate identification.
 Easy and Safe to Use: The best thing about using biometrics for identification is that the latest systems are built to be easy and safe to use. Biometric technology gives accurate results with minimal invasiveness, as a simple scan or a photograph is usually all that is needed. The software and hardware are easy to use, and the institution can have them installed without extensive training.
 Time Saving: Biometric identification is very fast, which is another advantage over conventional security systems. A person can be identified or rejected in a matter of seconds. For business owners who understand the value of time management, the use of this system can only benefit the bottom line by increasing productivity and reducing costs through the elimination of fraud and waste.
 User-Friendly Technology: Owners can have biometric systems installed fairly easily, and after that they work reliably and consistently. The institution will need only a minimal amount of training to get the system operational, and there is no need for expensive password administrators. If the institution uses high-quality systems, its maintenance costs are also reduced, minimizing the cost of running a sophisticated system.
 Security: Biometric features cannot be guessed or stolen, so they will be a long-lasting security solution for the Life Academy institute. The problem with strong password systems is that they are often a sequence of numbers, letters and symbols, which makes them hard to remember on a regular basis. The problem with tokens is that they can easily be stolen or lost. Both these conventional methods carry the risk of credentials being shared. As a result, you can never be truly sure who the actual user is. That will not be the case with biometric features, and you will not have to deal with the problem of sharing, copying, or fraud.
 Convenience: It is designed to be a convenient security solution because people do not have to remember passwords or carry extra badges, documents, or identification cards. Students and employees forget passwords, and identification cards get lost, which can be a great problem with conventional security systems.
5. Task 06
5.1. What is Access Control
Access Control means measures and procedures that restrict or detect access to critical information assets. This can be achieved through software, biometric devices, or physical access control of a managed area.
The term Access Control System in fact refers to systems formally known as point monitoring and access control systems, because they not only control electronic locks on doors, control access to elevators (lifts) and so on, but also monitor alarms. These range from small panel-based alarm systems that also control card readers on gates, to large PC-based point monitoring and access control systems.
Most of these are powerful systems. Even the smallest of the major systems used in large universities is usually capable of meeting the needs of very large organizations simply by unlocking features in the software or upgrading the server to a slightly more powerful one. Some universities have made the mistake of purchasing less expensive access control systems because they appear to do the same things as the more costly leading brands, and because they seem adequate for the university’s present and foreseeable needs.
5.2. Tools and Techniques of Access Monitoring and Control
 Router Based: Monitoring features that are built into the routers themselves and do not require extra installation of hardware or software are referred to as router-based methods.
 Non-Router Based: Non-router-based techniques require extra hardware and software to be installed, and achieve greater flexibility.
5.2.1. Router Based Monitoring Techniques
Router-based monitoring techniques are hard-coded into the routers and therefore offer little flexibility. A short description of the most commonly used monitoring techniques is given below.
 Simple Network Management Protocol (SNMP).
 sFlow / NetFlow.
Simple Network Management Protocol (SNMP)
Figure 7 Simple Network Management Protocol (SNMP)
SNMP stands for Simple Network Management Protocol. It is a way for servers to share information about their current state, and also a channel through which an administrator can modify pre-defined values. While the protocol itself is quite simple, the structure of the systems that implement SNMP can be very complex.
SNMP is a protocol that operates at the application layer of the networking stack (the protocol stack is an implementation of a computer networking protocol suite). The protocol was designed as a way of collecting information from very different systems in a consistent format. Although it can be used with a diverse array of systems, the method of querying information and the paths to the relevant information are standardized.
 NetFlow
NetFlow is a networking protocol that was created by Cisco Systems for logging and recording the flow of traffic received and sent within a network. NetFlow was created in cooperation with Enterasys Switches. It provides network traffic statistics by gathering relevant data from enabled routers and switches. NetFlow may also be called Cisco IOS NetFlow.
Figure 8 NetFlow
 Remote Monitoring (RMON)
Remote monitoring and control refers to a field of industrial automation that is entering a new era with the development of wireless sensing devices. Initially limited to SCADA (supervisory control and data acquisition) technology, remote monitoring and control refers to the measurement of disparate devices from a network operations center or control room, and the ability to change the operation of those devices from that central office.
Figure 9 Remote Monitoring (RMON)
5.2.2. Non-Router Based Monitoring Techniques
Non-router-based techniques, although still limited in their capabilities, offer more flexibility than router-based techniques. These methods are classified as active, passive, or a combination of both.
 Active Monitoring
 Passive Monitoring
 Combinational Monitoring
Active Monitoring
Active monitoring is the method of collecting measurements between two endpoints in a network. Availability, packet delay, routes, jitter and bandwidth are the parameters measured by active monitoring. Intruding into the network to inspect its behaviour is the problem with active monitoring: the injected test traffic alters the normal traffic, which calls the validity of the network measurements into question.
Figure 10 Active Monitoring
Passive Monitoring
Passive monitoring is less of a test and more of an observational study. Instead of injecting artificial traffic into the network, passive monitoring involves monitoring traffic that is already on the network. This can be done with special probes designed to capture network data, or with built-in capabilities on switches or other network devices. Passive network monitoring can gather large volumes of data, from which a broad range of information can be derived. For instance, TCP (Transmission Control Protocol) headers contain information that can be used to derive network topology and to identify the services and operating systems running on networked devices.
Figure 11 Passive Monitoring
Combinational Monitoring
Passive and active monitoring schemes each have drawbacks of their own; to overcome them, a combination of passive and active monitoring has been developed. Combinational monitoring brings together the best features of both active and passive monitoring. It comprises two techniques: Watching Resources from the Edge of the Network (WREN) and Self-Configuring Network Monitor (SCNM).
Watching Resources from the Edge of the Network (WREN): This technique uses a combination of active and passive monitoring, monitoring actively when traffic is light and passively during periods of heavy traffic. It monitors traffic at both the source and destination end hosts, which allows for more accurate measurements. WREN uses packet traces from existing application traffic to measure the available bandwidth.
Self-Configuring Network Monitor (SCNM): SCNM is a monitoring tool that uses a combination of passive and active measurements to gather information at layer 3 ingress and egress routers and at other important points within the network being monitored. The SCNM environment consists of both hardware and software components.
5.2.3. Access Control Tools
Bradford Networks’ Network Sentry/NAC
Bradford Networks is one of the long-standing NAC vendors; the firm’s latest solution is Network Sentry/NAC. Bradford Networks’ important advantages are the available integrations with most other systems. The Network Sentry/NAC product has a strong footing in the education sector.
Figure 12 Bradford Networks’ Network Sentry
Network Infrastructure Visibility: Knowing the makeup of the constantly changing network (hubs, routers, switches, and wireless access points) is key to making sure it is well protected. Network Sentry/NAC provides real-time visibility of the entire network infrastructure, ensuring that the operator can detect and prevent any changes that would introduce risk.
Endpoint Compliance: The average number of devices per user is increasing. This trend also increases the attack surface of your network. Verifying the integrity of wired and wireless devices before they connect to your network lowers the risk of vulnerabilities and the spread of exploits and malware. Network Sentry, using an agentless, dissolvable-agent, or persistent-agent approach, validates the endpoint’s configuration as it tries to join the network. If the configuration is not compliant (for instance, a missing patch or out-of-date antivirus), connections can be blocked or users can be warned until the endpoints are remediated.
Device Profiling, Fingerprinting and Recognition: With the proliferation of personal and mobile computing devices in organizations, the variety and ownership of devices is difficult to manage. Network Sentry/NAC helps to identify and categorize each type of device on your network, determine whether it is corporate-issued or employee-owned, and identify the user on the device to enable role-based network access policies.
Network Provisioning: Segmenting a network and categorizing data are two sound practices for data protection. Network Sentry/NAC, with role-based access control policies, ensures that the right users on the right devices gain access to the right set of network segments. Users on corporate-issued devices, because those are centrally managed by IT, may have more access than users on personally owned devices.
Guest Management and Self-Registration: Managing the onboarding of visitors’ and employees’ laptops, tablet PCs and smartphones onto your network can be a labor-intensive and error-prone affair.
Smooth Connect: Configuring an endpoint such as a tablet computer, laptop or smartphone for wireless access can be a challenging affair. Even with well-documented steps for end users, the process can be error-prone, frustrating the end user and the staff who take the help-desk calls. Network Sentry’s Smooth Connect feature allows the institution to quickly and safely connect personal or corporate-issued wireless devices to the network.
Flexible licensing options for wired and wireless networks.
Figure 13 Bradford Networks Sentry options
5.1.2 Monitor and Access Control in Life Academy
Computer laboratories at the Life Academy are used in three common situations: practical demonstrations, individual work by students on projects, and conducting examinations. Depending on the specific use case in each situation, different access permissions are required, a different network setup is required, access to online information should be authorized, and in most situations such adjustments should be made by the lecturer, without any network administration knowledge or equipment access. Ideally, the solution would be fully automated and run as part of an integrated information and control system.
Network architecture
Generally, universities employ a network design similar to the one shown in Figure 14. On the left is the network block with all computer laboratories; on the right is the publicly accessible servers block. In some cases, L3 switches are used. In order to conserve the allocated public IP address space and protect against direct external attacks, the laboratories are generally behind a small router/firewall that uses NAT/PAT (network address translation/port address translation), which then joins them to the Life Academy’s network. Possibly, the university isolates the laboratories in separate VLANs (virtual LANs), if it has support for this in the existing network and in the router/firewall at the head of the labs.
Figure 14 Usual network architecture employed in Life Academy
There are a few issues with the usual networking design, which conflict with some of the use cases required.
 If VLANs (virtual LANs) are not used in Life Academy, computers from different laboratories can communicate with one another, so there is no isolation of one computer laboratory from another. This matters when computer examinations are held in one laboratory while the other laboratory is open for all students to use: a student in the open laboratory can communicate with and assist another student taking an examination or practical in the other laboratory.
 During some special lectures, for instance a course on computer network architecture or a system services course, the students in one laboratory can run a DHCP (Dynamic Host Configuration Protocol) server, create loops in the network, or open other services that conflict with the rest of the infrastructure.
 The management system or e-testing system does not know the exact IP addresses of the users accessing it from the computer laboratories, which may be essential when there are examinations and scheduled times.
Best Network Architecture
Figure 15 Proposed network architecture
This architecture is based on the following premises.
1. The network is split into two blocks:
 An inside, privately addressed computer laboratories block, with a separate VLAN (virtual LAN) and IP range for each computer laboratory (colored lines).
 An outside, publicly addressed servers block (black lines).
2. The Linux-based laboratories firewall has the following responsibilities:
 It is the fixed router between the different parts of the computer laboratories block.
 NAT/PAT (network address translation and port address translation) hiding the inside network from the public Internet.
 Hosting a custom software solution for switching access on or off to the various network destinations chosen by lecturers.
 A Domain Name System (DNS) server for resolving the names of servers present in the inside block, so that all computers in the laboratories get only an internal IP address for them.
3. Computer laboratories exist only in the inside block; each laboratory is in a separate VLAN.
4. Certain servers can exist in both blocks. The reasons are:
 Computers in the laboratories should be able to access such servers even if Internet access is disabled.
 The servers should know the address of each laboratory computer that is accessing them.
5. Access from the inside block to the outside block is only possible via the Linux-based laboratories firewall.
 Computer labs firewall
The firewall is a central point of IT security; a Linux-based server running the ClearOS distribution is used in the firewall role. It is installed on a virtual server, with multiple virtual interfaces connected to the different parts of the network and the respective VLANs. This allows easier management of the NAT and routing rules needed to realize the described use-case scenarios, by modifying the iptables rules. While such configurations can be prepared and loaded manually by the administrator, a special application called Zone Alarm-Firewall can be used to present an easy-to-use web interface accessible to all lecturers. With this application, lecturers can add or remove specific rules in the routing tables without any system administration skills or Linux knowledge.
 Zone Alarm Firewall control application
Zone Alarm-Firewall is a Tapestry5-based Java web application for use at the Faculty of Computer Engineering in Skopje. This application is intended to be used by lecturers, enabling them to control and block network traffic in the computer laboratories.
 Access to various services and auditing
The DNS server in the laboratories’ firewall resolves the names of all services that have a presence in the inside block, so that requests to resolve such servers result in a private IP address from the inside block. All servers are attached via trunk links, so that they have a presence and an IP address in every computer laboratory VLAN in the inside block. In that way it is ensured that:
 Access to any protected service from within the computer laboratories in the inside block will be served by the service running on an internal IP address, and will be logged by the relevant service as an access from the internal IP address of the actual laboratory computer, without hiding behind the NAT/PAT public address.
 Access to inside services will not be routed through the firewall, and so will always be allowed.
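The following Python model is an added example, not code from the assignment or from the Zone Alarm-Firewall application: it turns a lecturer’s per-laboratory switches into an ordered iptables FORWARD policy that follows the architecture above (one VLAN per lab with cross-lab isolation, Internet on/off with selected public servers still reachable, a default-drop chain) and evaluates a packet against that policy before it is loaded, with a split-horizon resolve() for the dual-homed servers. All subnets, addresses, the interface name and the server names are constructed.

```python
"""Added example, not part of the original assignment: a model of the Linux
laboratories firewall policy described above (one VLAN per lab, lab isolation,
lecturer-controlled Internet switch, split DNS for dual-homed servers).  All
addresses, interface and server names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed topology.  Inside block: one private /24 per laboratory.
LABS: Dict[str, str] = {"lab1": "10.10.1.0/24", "lab2": "10.10.2.0/24"}
# Dual-homed servers: (inside-block address, public servers-block address).
DUAL_HOMED: Dict[str, Tuple[str, str]] = {
    "lms": ("10.10.0.10", "203.0.113.10"),
    "etest": ("10.10.0.11", "203.0.113.11"),
}
INTERNET = ipaddress.ip_network("0.0.0.0/0")
WAN_IF = "eth0"  # constructed name of the firewall's outside interface


@dataclass
class LabState:
    """What a lecturer can switch for one laboratory from the web application."""
    internet: bool = True                                   # general Internet on/off
    allowed_public: Set[str] = field(default_factory=set)  # reachable even when off


@dataclass
class Rule:
    """One FORWARD rule; LOG is non-terminating, like the iptables target."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str
    comment: str

    def render(self) -> str:
        return (f'iptables -A FORWARD -s {self.src} -d {self.dst} '
                f'-m comment --comment "{self.comment}" -j {self.target}')


def build_policy(states: Dict[str, LabState]) -> List[Rule]:
    """Translate per-lab switches into an ordered rule list (first match wins)."""
    rules: List[Rule] = []
    for lab, subnet in LABS.items():
        src = ipaddress.ip_network(subnet)
        st = states[lab]
        # Labs sit in separate VLANs, so inter-lab traffic must cross the
        # firewall: log it for the audit trail and drop it (exam isolation).
        for other, osubnet in LABS.items():
            if other != lab:
                dst = ipaddress.ip_network(osubnet)
                rules.append(Rule(src, dst, "LOG", f"{lab} cross-lab"))
                rules.append(Rule(src, dst, "DROP", f"{lab} cross-lab"))
        # Servers the lecturer switched on stay reachable on their public
        # address even while general Internet access is off.
        for name in sorted(st.allowed_public):
            pub = ipaddress.ip_network(DUAL_HOMED[name][1] + "/32")
            rules.append(Rule(src, pub, "ACCEPT", f"{lab} -> {name}"))
        rules.append(Rule(src, INTERNET, "ACCEPT" if st.internet else "DROP",
                          f"{lab} internet {'on' if st.internet else 'off'}"))
    return rules


def render_script(rules: List[Rule]) -> List[str]:
    """iptables commands in load order: default DROP, replies allowed, then NAT."""
    return (["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
            + [r.render() for r in rules]
            + [f"iptables -t nat -A POSTROUTING -s {s} -o {WAN_IF} -j MASQUERADE"
               for s in LABS.values()])


def decide(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, bool]:
    """Walk the chain as the kernel would: return (verdict, was_logged)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    logged = False
    for r in rules:
        if src in r.src and dst in r.dst:
            if r.target == "LOG":
                logged = True
                continue
            return r.target, logged
    return "DROP", logged  # chain policy


def resolve(name: str, from_inside: bool) -> Optional[str]:
    """Split-horizon DNS: lab computers get the inside address, so inside
    traffic never crosses the firewall and servers log the real lab IP."""
    entry = DUAL_HOMED.get(name)
    if entry is None:
        return None
    return entry[0] if from_inside else entry[1]


def demo_states() -> Dict[str, LabState]:
    """lab1 is in exam mode (Internet off, e-testing server allowed); lab2 is open."""
    return {"lab1": LabState(internet=False, allowed_public={"etest"}),
            "lab2": LabState()}
```

Running decide() over a few representative packets before loading the rendered script is a cheap way to confirm that an exam-mode change did not open cross-lab traffic or close the e-testing server.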
 Monitoring application
Now we discuss how Life Academy monitors its access control system applications. A simple application can be used to help monitor student activity while they are doing assignments, exams and practicals. The application is a web-based JSP (Java Server Pages) application, so it requires a Java web application server to run (FCSE uses Apache Tomcat). It is up to the web administrator what kind of access security to employ, and to what extent. In general, access by the public should be prevented.
Recommendations
Here are a few future recommendations that can be used to guide IT security matters in industrial control system environments.
Security policies should be developed for the administrative systems network and its individual devices, and they should be reviewed periodically to incorporate the current threat environment, system functionality, and the required level of security. Blocking access to resources and services is usually implemented on the network by the use of perimeter devices with access control lists, such as proxy servers or firewalls. It can be enabled on the host via host-based firewalls and antivirus software. Detection of malicious activity can be network-based or host-based and normally requires regular monitoring of log files by knowledgeable administrators. IDS are the common means of identifying problems on a network, though they can be deployed on individual hosts as well. Auditing and event logs should be enabled on individual hosts when feasible. In many cases, a vulnerability may have to remain because removing it may result in an inoperable or ineffective system. Mitigation allows administrators to control access to the vulnerability in such a way that it cannot be exploited. Enabling technical workarounds, installing filters, or running services, devices and applications with specific configurations can often achieve this. The resolution of core security problems almost always requires updating, upgrading, or patching the vulnerable software or removing the vulnerable application. The software flaw can reside in any of the three layers (networking, operating system, or application). When available, the mitigation should be provided by the vendor or developer for administrators to apply.
Literature review for prompt engineering of ChatGPT.pptx
LokerXu2
 

Recently uploaded (20)

一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
 
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
Prediction of Electrical Energy Efficiency Using Information on Consumer's Ac...
 
AN INTRODUCTION OF AI & SEARCHING TECHIQUES
AN INTRODUCTION OF AI & SEARCHING TECHIQUESAN INTRODUCTION OF AI & SEARCHING TECHIQUES
AN INTRODUCTION OF AI & SEARCHING TECHIQUES
 
Northrop Grumman - Aerospace Structures Overvi.pdf
Northrop Grumman - Aerospace Structures Overvi.pdfNorthrop Grumman - Aerospace Structures Overvi.pdf
Northrop Grumman - Aerospace Structures Overvi.pdf
 
3rd International Conference on Artificial Intelligence Advances (AIAD 2024)
3rd International Conference on Artificial Intelligence Advances (AIAD 2024)3rd International Conference on Artificial Intelligence Advances (AIAD 2024)
3rd International Conference on Artificial Intelligence Advances (AIAD 2024)
 
Lateral load-resisting systems in buildings.pptx
Lateral load-resisting systems in buildings.pptxLateral load-resisting systems in buildings.pptx
Lateral load-resisting systems in buildings.pptx
 
Call Girls Goa (india) ☎️ +91-7426014248 Goa Call Girl
Call Girls Goa (india) ☎️ +91-7426014248 Goa Call GirlCall Girls Goa (india) ☎️ +91-7426014248 Goa Call Girl
Call Girls Goa (india) ☎️ +91-7426014248 Goa Call Girl
 
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
 
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
 
一比一原版(psu学位证书)美国匹兹堡州立大学毕业证如何办理
一比一原版(psu学位证书)美国匹兹堡州立大学毕业证如何办理一比一原版(psu学位证书)美国匹兹堡州立大学毕业证如何办理
一比一原版(psu学位证书)美国匹兹堡州立大学毕业证如何办理
 
Ericsson LTE Throughput Troubleshooting Techniques.ppt
Ericsson LTE Throughput Troubleshooting Techniques.pptEricsson LTE Throughput Troubleshooting Techniques.ppt
Ericsson LTE Throughput Troubleshooting Techniques.ppt
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
Determination of Equivalent Circuit parameters and performance characteristic...
Determination of Equivalent Circuit parameters and performance characteristic...Determination of Equivalent Circuit parameters and performance characteristic...
Determination of Equivalent Circuit parameters and performance characteristic...
 
Particle Swarm Optimization–Long Short-Term Memory based Channel Estimation w...
Particle Swarm Optimization–Long Short-Term Memory based Channel Estimation w...Particle Swarm Optimization–Long Short-Term Memory based Channel Estimation w...
Particle Swarm Optimization–Long Short-Term Memory based Channel Estimation w...
 
Butterfly Valves Manufacturer (LBF Series).pdf
Butterfly Valves Manufacturer (LBF Series).pdfButterfly Valves Manufacturer (LBF Series).pdf
Butterfly Valves Manufacturer (LBF Series).pdf
 
Sachpazis_Consolidation Settlement Calculation Program-The Python Code and th...
Sachpazis_Consolidation Settlement Calculation Program-The Python Code and th...Sachpazis_Consolidation Settlement Calculation Program-The Python Code and th...
Sachpazis_Consolidation Settlement Calculation Program-The Python Code and th...
 
Impartiality as per ISO /IEC 17025:2017 Standard
Impartiality as per ISO /IEC 17025:2017 StandardImpartiality as per ISO /IEC 17025:2017 Standard
Impartiality as per ISO /IEC 17025:2017 Standard
 
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...
 
FULL STACK PROGRAMMING - Both Front End and Back End
FULL STACK PROGRAMMING - Both Front End and Back EndFULL STACK PROGRAMMING - Both Front End and Back End
FULL STACK PROGRAMMING - Both Front End and Back End
 
Literature review for prompt engineering of ChatGPT.pptx
Literature review for prompt engineering of ChatGPT.pptxLiterature review for prompt engineering of ChatGPT.pptx
Literature review for prompt engineering of ChatGPT.pptx
 

Computer Security for institution

3.1. Physical Security ... 15
3.1.1. Physical Security Definition ... 15
3.1.2. Risk Analysis ... 15
3.2. How Life Academy Avoid Their Physical Threats ... 16
3.2.1. How to avoid those threats ... 18
4. Task 05 ... 20
4.1. Security Policy ... 20
4.1.2. Security Policy for the Life Academy ... 22
5. Task 06 ... 26
5.1. What is Access Control ... 26
5.2. Tools and Techniques of Access Monitoring and Control ... 27
5.2.1. Router Based Monitoring Techniques ... 28
5.2.2. Non-Router Based Monitoring Techniques ... 31
5.2.3. Access Control Tools ... 35
5.1.2. Monitor and Access Control in Life Academy ... 38
Recommendations ... 44

List of figures
Figure 1 Cryptography Diagram
Figure 2 Example for Cryptographic
Figure 3 Life Academy student's payment website
Figure 4 Online transaction diagram ... 12
Figure 5 Physical Threats of Life Academy ... 17
Figure 6 Facial Recognition System ... 22
Figure 7 Mechanism of Facial Recognition System ... 24
Figure 8 ESSL iFace 302 System ... 24
Figure 9 Setup plan of ESSL iFace 302 System ... 25
Figure 10 Simple Network Monitoring Protocol (SNMP) ... 28
Figure 11 Netflow ... 29
Figure 12 Remote Monitoring (RMON) ... 31
Figure 13 Active Monitoring ... 32
Figure 14 Passive Monitoring ... 33
Figure 15 Bradford Networks' Network Sentry ... 35
Figure 16 Bradford Networks Sentry options ... 38
Figure 17 Usual network architecture employed in Life Academy ... 39
Figure 18 Proposed network architecture ... 40
1. Introduction

Defining computer security is not trivial. The difficulty lies in producing a definition that is broad enough to be valid regardless of the system being described, yet specific enough to say what security really is. In a general sense, security is freedom from risk or danger. In the context of computer technology, security is the prevention of, or protection against:

- access to information by unauthorized recipients;
- intentional but unauthorized destruction or alteration of that information.

The primary mission of an information security program is to ensure that systems and their contents remain unchanged. Organizations spend hundreds of millions of dollars or rupees and countless person-hours to keep and maintain their information systems. If threats to information and systems did not exist, these resources could be used to improve the systems that hold the information. However, attacks on information systems are a daily occurrence, and the need for information security grows along with the sophistication of such attacks.

The development of security has a military origin. The US government has been a major force behind security research and technology because it holds information on national defense and intelligence. Encryption was used to protect data stored in computer memory and on backup media, and unclassified data became protected by data encryption. Today, most homes in developed countries have at least one computer, document sharing and theft are far more common, and computers are interconnected.

This assignment gives a clear overview of computer security needs and develops a sound approach to the choice of appropriate security controls. It provides a descriptive implementation method for security controls for auditing the security of specific systems, and it discusses the benefits of various computer security
1.1. Life Academy

Life Academy was established in the year 2000, when it opened its doors to 500 students at the Life Academy institute in Ohio. Today it offers both undergraduate and postgraduate degrees and serves over 3000 students, including international students from many countries around the world. More than 8000 alumni have graduated from its faculties: Business, Computer, Engineering and Medical. The Academy takes great pride in producing graduates who make meaningful contributions to their communities and professions.
2. Task 03

2.1. Cryptographic

Cryptography is devoted to keeping data and communications secure. It is a field at the core of information and communication technologies that combines mathematics, computer science and engineering. Individuals and organizations around the world depend on the ability to ensure that data and communication systems are secure and trustworthy. Information security allows users to use services, confirm the identities of other users and organizations, and authenticate the origin of software and other data. For instance, every time an online transaction takes place, such as a purchase or a bank transfer, users authenticate their identity to one another, confirm their permission to access valuable services and products, and exchange data over a secure encryption system. This scheme is enabled by secret passwords, communication protocols, and encryption systems built on mathematical puzzles believed to be too difficult for existing computers to solve. These systems protect us from security threats such as viruses, fraud and identity theft. Staying at the cutting edge of the next generation of cryptographic technologies and threats is critical to keeping ourselves safe.
2.1.1. Cryptography Methods

- Secret Key Cryptography (Symmetric): uses a single key for both encryption and decryption.
- Public Key Cryptography (Asymmetric): uses one key for encryption and another for decryption.
- Hash Functions: use a mathematical transformation to irreversibly "encrypt" information.

Secret Key Cryptography (Symmetric Cryptography)

With secret key cryptography, a single key is used for both encryption and decryption. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext, because one key is used for both operations. Secret key cryptography schemes are usually classified as either stream ciphers or block ciphers. Stream ciphers operate on a single bit at a time and use some form of feedback mechanism so that the key is constantly changing. A block cipher is so called because it encrypts one block of data at a time, using the same key on each block.
Secret key cryptography has several algorithms, including:

- Data Encryption Standard (DES): DES is a block cipher employing a 56-bit key that operates on 64-bit blocks. DES has a complex set of rules and transformations that were designed specifically to yield fast hardware implementations and slow software implementations.
- Advanced Encryption Standard (AES): The algorithm can use a variable block length and key length; the latest specification allowed any combination of key lengths of 128, 192 or 256 bits and blocks of length 128, 192 or 256 bits.
- CAST: CAST is named for its developers, Carlisle Adams and Stafford Tavares, and is available internationally.
- International Data Encryption Algorithm (IDEA): A 64-bit SKC block cipher using a 128-bit key. Also available internationally.
- Rivest Ciphers: Named for Ron Rivest. The series of algorithms includes RC2, RC3, RC4 and RC5.
- Blowfish: Optimized for 32-bit processors with large data caches, it is significantly faster than DES on a Pentium/PowerPC-class machine. Key lengths can vary from 32 to 448 bits.
- Twofish: A 128-bit block cipher using 128-, 192- or 256-bit keys. Designed to be highly secure and highly flexible, well suited for large microprocessors, 8-bit smart card microprocessors and dedicated hardware.
- Camellia: A 128-bit block size, support for 128-, 192- and 256-bit key lengths, and suitability for both software and hardware implementations on common 32-bit processors as well as 8-bit processors.
- GPRS (General Packet Radio Service): GSM mobile phone systems use GPRS for data applications, and GPRS uses a number of encryption methods offering different levels of data protection. GEA/0 offers no encryption at all. GEA/1 and GEA/2 are proprietary stream ciphers employing a 64-bit key and a 96-bit or 128-bit state.

Public Key Cryptography (Asymmetric)
Asymmetric cryptography (public-key cryptography) is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely. A network user receives a public and private key pair from a certificate authority. Any other user who wants to send an encrypted message can get the intended recipient's public key from a public directory. They use this key to encrypt the message, and they send it to the recipient.

Public key (asymmetric) cryptography has several algorithms, including:

- RSA: RSA is used in hundreds of software products and can be used for key exchange, digital signatures, or encryption of small blocks of data. RSA uses a variable-size encryption block and a variable-size key. The key pair is derived from a very large number that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors.
- Diffie-Hellman: Diffie and Hellman came up with their own algorithm. D-H is used for secret-key exchange only, and not for authentication or digital signatures.
- Digital Signature Algorithm (DSA): This provides digital signature capability for the authentication of messages.
- Elliptic Curve Cryptography (ECC): A PKC algorithm based upon elliptic curves. ECC can offer levels of security with small keys comparable to RSA and other PKC methods. It was designed for applications with limited computing capacity and/or memory, such as smartcards.
- Cramer-Shoup: A public-key cryptosystem proposed by R. Cramer and V. Shoup of IBM in 1998.
Hash Functions

Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed from the plaintext in a way that makes it impossible for either the contents or the length of the plaintext to be recovered. Hash function algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder, hacker or virus. Hash algorithms are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file.

Hash algorithm varieties include:

- Message Digest (MD) algorithms: A series of byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message: MD2, MD4 and MD5.
- Secure Hash Algorithm (SHA): SHA has three different algorithms: SHA-1, SHA-2 and SHA-3.
- RIPEMD: Optimized for 32-bit processors to replace the then-current 128-bit hash functions. Other versions include RIPEMD-256, RIPEMD-320 and RIPEMD-128.
- Whirlpool: Whirlpool operates on messages less than 2^256 bits in length and produces a message digest of 512 bits.
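As an added example (not part of the assignment), the three uses of hash functions listed above written with Python's standard library: a SHA-256 fingerprint of a file's contents, an integrity check that catches a one-character change, and salted PBKDF2 password storage, which is how "encrypting passwords" with a hash function is done in practice. The sample submission text is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample "file" contents (not from the page): an uploaded assignment
# and the same file with a single character changed by an intruder.
ORIGINAL = b"Life Academy - Assignment 3 submission\nStudent: S0001\nGrade: B\n"
TAMPERED = b"Life Academy - Assignment 3 submission\nStudent: S0001\nGrade: A\n"


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Digital fingerprint of the data: a fixed-length, one-way digest as hex."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it with the one recorded earlier.

    compare_digest runs in constant time, so the comparison's duration does not
    reveal how many leading characters of the digest matched.
    """
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Store a password as salt + slow PBKDF2-HMAC-SHA256 digest, never as plaintext.

    The random salt makes identical passwords hash differently and defeats
    precomputed tables; the iteration count makes every guess expensive.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    recorded = fingerprint(ORIGINAL)
    print("recorded fingerprint:", recorded)
    print("original intact:", verify_integrity(ORIGINAL, recorded))
    print("tampered copy detected:", not verify_integrity(TAMPERED, recorded))
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("guess", stored))
```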
2.2. Online Transactions

OLTP (online transaction processing) is a class of software programs capable of supporting transaction-oriented applications on the Internet. Typically, online transaction processing systems are used for order entry, financial transactions, customer relationship management (CRM) and retail sales. Such systems have a large number of users who conduct short transactions. Database queries are usually simple, require sub-second response times and return relatively few records. Life Academy allows students (customers) to make their payments (registration fees, lab fees, school tax credits and more) online through the university website. Benefits for the institute include improved efficiency, no more bounced checks, fewer errors (little human intervention) and lower transaction costs. As with any information processing system, security and reliability are considerations. Online transaction systems are generally more exposed to direct attack and abuse than their offline counterparts. When organizations choose to rely on online transaction processing, as with any other technology, operations can be severely affected by reliability problems. In addition, some systems require offline maintenance, which further affects the cost-benefit analysis.

2.2.1. Securing the Online Transaction System

Before sending any personal or financial details online, you need to know that you are communicating with a secure site. Secure sites make sure that all details you send are encrypted as they travel across the Web. The https address prefix and your browser's security icon are two signs that you are on a secure site.

HTTPS

HTTPS stands for Hypertext Transfer Protocol over SSL (Secure Socket Layer). It is a TCP/IP protocol used by Web servers to transfer and display Web content securely. The transferred data is encrypted so that it cannot be read by anyone except the recipient. HTTPS is used by any Web site that gathers sensitive customer data such as banking or purchasing details. If you are making a transaction online, you should make sure that it is done over HTTPS so that the data stays protected. (Rouse, 2006)

Security alerts and the SSL certificate

Secure sites have an SSL certificate. A Secure Socket Layer certificate does two things. First, it acts like a passport or birth certificate: it identifies the site. Second, it enables encryption. If a site does not have an SSL certificate, the address will start with http instead of https, and your browser will not show a lock icon. If it has an SSL certificate, you can view it by clicking the browser's lock.
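Added example, not from the assignment: the browser-side checks described above (is the link encrypted, is the certificate valid and issued for this host) expressed as Python ssl client configuration, with the weak setting beside the corrected one and a small audit function that flags the weak settings. The minimum-version check also covers the later point that obsolete SSL versions should be refused; building and auditing the contexts needs no network access.

```python
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """The insecure 'before': the link is encrypted, but nobody checks who is on the other end.

    Without certificate verification anyone who intercepts the connection can present
    any certificate and read the traffic, so the promise behind the lock icon is lost.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, self-signed or forged
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: verified certificate chain, hostname match, TLS 1.2 or newer only.

    Use it as ctx.wrap_socket(sock, server_hostname="payments.example") so the
    certificate is checked against the name the user actually typed.
    """
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0 / TLS 1.0 / TLS 1.1 explicitly
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} still permits obsolete SSL/TLS"
        )
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(f"{name}: {audit_context(ctx) or ['no findings']}")
```

On interpreters whose default minimum is already TLS 1.2 the weak context produces only the two certificate findings; on older builds the version finding appears as well.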
Encryption in Secure Electronic Transaction

Secure Electronic Transaction (SET) is a standard protocol for securing credit card transactions over insecure networks, specifically the Internet. SET is a set of rules and regulations that allow users to carry out financial transactions through the existing payment system over an insecure network (the Internet) in a much more secure and trustworthy manner. SET is an application that provides several security services, namely confidentiality, data integrity and authenticity, for all electronic transactions over the Internet. SET is fundamental to successful electronic transactions over the network: confidentiality is necessary to hide sensitive data from unauthorized users, data integrity is necessary to ensure that all details are transferred without any modification by an intruder, and authentication is required to assure both the sender and the receiver that the performed transaction is valid and genuine.

How SET works

The customer opens a Visa or MasterCard bank account. The issuer of a credit card is some kind of bank. The customer receives a digital certificate. This electronic document functions as a credit card for online purchases or other transactions. It contains a public key with an expiration date. It has been digitally signed by the bank to ensure its validity. Third-party merchants also receive certificates from the bank. These certificates contain the merchant's public key and the bank's public key. The customer places an order over a Web page or by phone. The customer's browser receives the merchant's certificate and confirms from it that the merchant is valid. The browser sends the order details. This message contains the order information, encrypted with the merchant's public key; the payment information, encrypted with the bank's public key; and information that ensures the payment can only be used with this particular order. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier. The merchant forwards the order message to the bank. This includes the bank's public key, the customer's payment details (which the merchant cannot read), and the merchant's certificate. The bank verifies the merchant and the message. The bank checks the digital signature on the certificate against the message and verifies the payment part of the message. The bank digitally signs and sends authorization to the merchant, who can then complete the order.

Figure 1 Online transaction diagram
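Added example, not part of the assignment or of the SET specification itself: the linkage step described above ("information that ensures the payment can only be used with this particular order") is SET's dual signature, a single customer signature over the hashes of both halves of the message. The merchant receives only the order plus a digest of the payment, the bank only the payment plus a digest of the order, and each verifies the same signature without seeing the other half. Because Python's standard library has no RSA, an HMAC under a key the verifier also holds stands in for the customer's certificate-based signature (an assumption of this example), and the public-key encryption of each half is left to the transport; all order and card values are constructed.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Stand-in for the customer's private signing key (assumption: in SET this is an
# RSA key whose public half is in the customer's certificate; HMAC is used here
# only because the standard library has no RSA).
CUSTOMER_SIGNING_KEY = b"constructed-customer-key-for-the-example"

# Constructed sample order and payment halves (not real data).
ORDER_INFO = b"order=LA-0001;item=lab fee;amount=150.00"
PAYMENT_INFO = b"card=TESTCARD-0000;exp=12/29;amount=150.00"

Message = Dict[str, bytes]


def digest(data: bytes) -> bytes:
    """Message digest of one half; SHA-256 here, the construction does not depend on the hash."""
    return hashlib.sha256(data).digest()


def dual_signature(order_info: bytes, payment_info: bytes, signing_key: bytes) -> bytes:
    """DS = Sign( H( H(OI) || H(PI) ) ): one signature that binds this order to this payment."""
    linkage = digest(digest(order_info) + digest(payment_info))
    return hmac.new(signing_key, linkage, "sha256").digest()


def customer_prepare(order_info: bytes, payment_info: bytes, signing_key: bytes) -> Tuple[Message, Message]:
    """Split what the customer sends: the merchant never gets payment_info, the bank never gets order_info."""
    ds = dual_signature(order_info, payment_info, signing_key)
    to_merchant = {"order_info": order_info, "payment_digest": digest(payment_info), "dual_signature": ds}
    to_bank = {"payment_info": payment_info, "order_digest": digest(order_info), "dual_signature": ds}
    return to_merchant, to_bank


def merchant_verify(msg: Message, verify_key: bytes) -> bool:
    """Merchant rebuilds H(H(OI) || PIMD) from its half and checks the signature over it."""
    linkage = digest(digest(msg["order_info"]) + msg["payment_digest"])
    expected = hmac.new(verify_key, linkage, "sha256").digest()
    return hmac.compare_digest(expected, msg["dual_signature"])


def bank_verify(msg: Message, verify_key: bytes) -> bool:
    """Bank rebuilds H(OIMD || H(PI)) from its half and checks the very same signature."""
    linkage = digest(msg["order_digest"] + digest(msg["payment_info"]))
    expected = hmac.new(verify_key, linkage, "sha256").digest()
    return hmac.compare_digest(expected, msg["dual_signature"])


def demo() -> Dict[str, bool]:
    """Run the honest flow and two substitution attempts; returns what each party concluded."""
    to_merchant, to_bank = customer_prepare(ORDER_INFO, PAYMENT_INFO, CUSTOMER_SIGNING_KEY)
    # A merchant trying to attach the customer's payment to a larger order.
    swapped_order = dict(to_merchant, order_info=b"order=LA-0002;item=tuition;amount=4000.00")
    # Payment details altered in transit to the bank.
    altered_payment = dict(to_bank, payment_info=b"card=TESTCARD-0000;exp=12/29;amount=4000.00")
    return {
        "merchant_accepts_genuine": merchant_verify(to_merchant, CUSTOMER_SIGNING_KEY),
        "bank_accepts_genuine": bank_verify(to_bank, CUSTOMER_SIGNING_KEY),
        "merchant_sees_card": "payment_info" in to_merchant,
        "bank_sees_order": "order_info" in to_bank,
        "merchant_accepts_swapped_order": merchant_verify(swapped_order, CUSTOMER_SIGNING_KEY),
        "bank_accepts_altered_payment": bank_verify(altered_payment, CUSTOMER_SIGNING_KEY),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```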
2.2.2. HTTP and HTTPS

HTTP

HTTP (Hypertext Transfer Protocol) is the communications protocol used to connect to Web servers on the Internet or on a local network (intranet). Its primary function is to establish a connection with the server and deliver HTML pages back to the user's browser. It is also used to download files from the server, either to the browser or to any other requesting application that uses HTTP.

HTTPS

HTTP (Hypertext Transfer Protocol) is the underlying protocol used by the World Wide Web (WWW). HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For instance, when you enter a URL (Uniform Resource Locator) in your browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page.

Difference between HTTP and HTTPS

Most web addresses start with "HTTP", which stands for "Hyper Text Transfer Protocol". It is the protocol that allows you to communicate with web sites. "HTTPS" stands for "Hyper Text Transfer Protocol Secure". It means that information transferred between the user and a web site is encrypted and cannot be intercepted by someone who might want to eavesdrop while the user types a credit card number, a password, or any other private information. The point of the e-mail is to encourage the user to check for "HTTPS" before giving out financial information. Most web sites are not HTTPS, but when you click a link to make a purchase, many of them will direct you to an HTTPS site. According to a provider of Internet infrastructure services, SSL encryption is a technology that protects Web sites and makes it simple to build trust by means of an SSL certificate that enables encryption of sensitive information during online transactions. Authenticated information about the certificate owner and a certificate authority confirms the identity of the certificate owner when the certificate is issued. Just because a website uses SSL encryption does not protect Internet users from phishing and other scams. When visiting websites that accept financial details online, it is good practice to make sure the online firm is legitimate, has a good reputation for customer service and uses SSL encryption in its transactions.

2.2.3. SSL and TLS

SSL

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client. SSL allows sensitive information such as credit card numbers, social security numbers and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text, leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server, they can view and use that information.

TLS

TLS (Transport Layer Security) is a protocol that provides communication security between client/server applications that communicate with one another over the Internet. It provides privacy, integrity and protection for the data transmitted between different products on the Internet. TLS is the successor to SSL.

Difference between SSL and TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where data is sent across an insecure network, such as checking e-mail. The terms SSL and TLS are often used interchangeably or in conjunction with one another (TLS/SSL), but one is in fact the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. It used to be believed that TLS v1.0 was marginally safer than SSL v3.0, its predecessor. SSL v3.0 no longer holds up as an effective security protocol. Sites that still allow its use for web hosting are placing their "secure web sites" at risk; organizations that allow SSL v3 to survive for other protocols should take steps to remove that support at the soonest software update window.

3. Task 04

3.1. Physical Security

3.1.1. Physical Security Definition

Physical security means measures designed to ensure the physical protection of IT assets such as facilities, equipment, personnel, resources and other property from damage and unauthorized physical access. Physical security measures are taken in order to protect these assets from physical threats including theft, vandalism, fire and natural disasters. Physical security is particularly important for IT resources, as their proper operation demands that the hardware assets and infrastructure they run on be kept away from anything that could interfere with their operation. This includes tampering by unauthorized personnel and unexpected events such as emergencies and natural disasters. (Shinder, 2007)

3.1.2. Risk Analysis
Security risk analysis (risk assessment) is fundamental to the security of any organisation. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organisation is exposed. Security in any system should be proportionate to its risks. The process of determining which security controls are appropriate and cost-effective is quite often a complex and sometimes subjective matter. One of the primary functions of security risk analysis is to put this process onto a more objective basis.

3.2. How Life Academy Avoids Physical Threats
Most organisations would like to have a secure IT environment, but very often this need comes into conflict with other priorities. Organisations often find the task of keeping business activities aligned with the security plan highly challenging. When the economic outlook looks uncertain, it is easy to turn security into a budget item that keeps being pushed back. The security threats facing the organisation are shown below.
Figure 2: Physical threats to Life Academy
3.2.1. How to avoid those threats
- Build on the proper site: make sure the building is some distance from the head office (10 miles is typical) and at least 100 feet from the main road. Keep away from airports, chemical facilities, power plants, fault lines and areas prone to tsunamis, hurricanes and flooding, and leave the university sign off the building.
- Have redundant utilities: the institute needs two sources for utilities such as electricity, water, voice and data. Trace electricity back to two separate substations and water back to two different main lines. Lines should run underground and enter different areas of the building, with water separated from the other utilities. Use the institute's anticipated power usage as leverage to get the electricity company to meet the building's special needs.
- Windows: if the building must have windows, limit them to the break rooms or administrative areas, and use shatter-resistant laminated glass.
- Use landscaping for protection: mounds, trees and rocks can hide the building from passing cars, obscure security devices such as fences, and help keep vehicles from getting too close.
- Keep a 100-foot buffer zone around the site: where landscaping does not protect the building from vehicles, use crash-proof barriers instead. Bollard planters are less conspicuous and more attractive than other devices.
- Use crash barriers at vehicle access points: control entry to the parking lot and loading dock with a staffed guard point that operates retractable bollards. Use a raised gate and a green light as visible cues that the bollards are down and the driver can go forward. Where more security is needed, leave the barriers up by default and lower them only when someone has clearance to pass.
- Limit entry points: control entry to the building by establishing one main entrance.
- Make fire doors exit only: for exits required by fire codes, install doors that have no handles on the outside. When any of these doors is opened, a loud alarm should sound and trigger a response from the security command centre.
- Use plenty of security cameras: cameras should be installed around the perimeter, at all entrances and exits, and at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is best.
- Protect the building's machinery: secure the mechanical area of the building, which houses environmental systems, computer hardware and power supplies. If generators are outside, use metal cages or concrete walls to protect the area.
- Plan for safe air handling: make sure the heating and air-conditioning systems can be set to recirculate air rather than draw it in from outside. This could help protect people and equipment if there were a biological or chemical release, or heavy smoke spreading from a nearby fire.
- Ensure nothing can hide in the walls or ceilings: in secure areas, make sure internal walls run from the slab ceiling all the way down to the subflooring where wiring is typically housed. Also make sure drop-down ceilings do not provide hidden access paths.
- Use two-factor authentication: biometric identification is becoming standard for access to some areas of the building, with hand-geometry or fingerprint scanners currently considered less invasive than retinal scanning. In other areas the institute may be able to get away with less expensive access cards.
- Set up visitor rest rooms: include bathrooms for use by visitors and delivery people who do not have access to the secure areas of the building.
- Keep food out of the computer labs: provide a common area where people can eat without getting food on computer equipment.
- Guard the exits: not only for the main facility but for the more sensitive areas within it as well. This helps keep track of who was where, and when.

4. Task 05

4.1. Security Policy
A security policy is a formal statement of the rules by which people are given access to an organisation's technology, systems and information assets. The security policy describes the business and security goals and objectives that management expects. It is the essential foundation on which an acceptable and comprehensive security programme can be developed. This essential component of the overall security architecture is, however, often overlooked. A security policy is the first step by which management's expectations for security are translated into specific and measurable goals and objectives. It is essential to take a top-down approach based on a well-stated policy in order to develop a provable security plan.

An Information Technology (IT) security policy defines the rules and procedures for all individuals accessing and using an institution's IT assets and resources. An effective IT security policy is a model of the institution's culture, in which rules and procedures are driven by its employees' approach to their information and work. Therefore an acceptable IT security policy is a unique document for each institution, reflecting how it views and values its information and the availability it expects of that information. Many organisations will find a generic IT security policy unsuitable because it does not consider how the institution's people really use and share information among themselves and with the public. The IT security policy is a living document that is continually updated to keep pace with evolving business and information technology needs. (Shimonski, 2008)

The functions here are based upon the following aims.
- Ensure the availability of data and processing resources.
- Provide assurance for the confidentiality and integrity of customer data and allow for the compartmentalisation of risk for customers and the organisation.
- Ensure the integrity of data processing operations and protect them from unauthorised use.
- Ensure the privacy of the customer's and the institution's processed data, and prevent unauthorised disclosure or access.
- Ensure the integrity of the customer's and the institution's processed data, and prevent the unauthorised and undetected modification, substitution or destruction of that data.

The aim of the security policy is to translate, clarify and communicate management's position on security as defined in high-level security principles. Security policies act as a bridge between these management objectives and specific security requirements.

4.1.2. Security Policy for the Life Academy Facial Recognition System
Face recognition presents a challenging problem in the field of image analysis and computer vision. Information security is becoming very important and very hard. Security cameras are now common in military bases, offices, universities, banks and any location with a security system. Face recognition is a biometric method used to identify or verify a person from a digital image. Facial recognition systems are used for security. A facial recognition system should be able to detect a face in an image automatically. This involves extracting its features and then recognising it regardless of expression, lighting, skin colour, ageing, transformation (translation and scaling of the image) and pose, which is a difficult task. Facial recognition is one of the active research areas in pattern recognition and computer vision because of its many practical applications in biometrics, information security, access control, law enforcement, smart cards and surveillance systems.

Figure 3: Facial Recognition System
How the Facial Recognition System Works
Facial recognition analyses the features of an individual's face in an image captured by a digital video camera. It measures the facial structure, including the distances between the eyes, nose, mouth and jaw edges. These measurements are stored in a database and used for comparison when a user stands in front of the camera. This biometric has been widely, and perhaps wildly, touted as a fantastic system for recognising potential threats (terrorists, hackers or other offenders), but so far it has not seen broad acceptance in high-level usage. It is projected that biometric facial recognition will soon overtake fingerprint biometrics as the most popular form of user authentication. The following multi-stage process describes how biometric systems work:

Capture: a physical or behavioural sample is captured by the system during enrolment.
Extraction: data is extracted from the sample and a template is created.
Comparison: the template is then compared with a new sample.
Matching: the system then decides whether the features extracted from the new sample match or not.

When the user faces the camera, standing a short distance (roughly half a metre) from the device, the system locates the user's face and performs matches against the claimed identity or against the facial database. The user may need to move and retry the verification depending on their facial posture. The system normally reaches a decision in less than 5 seconds.
Figure 4: Mechanism of the Facial Recognition System

ESSL iFace 302 System

Figure 5: ESSL iFace 302 System

With the iFace 302, users can identify or verify themselves by face, fingerprint, ID card or PIN/password. The TFT (Thin Film Transistor) colour touch screen of the iFace 302 provides ease of use and a rich user experience. The iFace 302 uses state-of-the-art 3D (three-dimensional) imaging technology while also providing hygienic, 100% touch-free biometric authentication. The iFace 302 can perform one-to-many matching against up to 500 faces and 3000 fingerprints. When users look straight into the camera, it captures the relative position, scale, size and shape of the user's eyes, nose, cheekbones and jaw. These parameters are then used to build a biometric template, which is later used to verify or identify each user.

Figure 6: Setup plan of the ESSL iFace 302 System

Benefits of Using the Facial Recognition System
- Accurate identification: while conventional security systems rely on passwords, individual smart cards or personal identification numbers (PINs), Life Academy can achieve a high level of accuracy with biometric systems. If Life Academy installs the system properly, it can use biological features such as fingerprints and iris scans, which give unique and accurate identification.
- Easy and safe to use: the best thing about using biometrics for identification is that current systems are designed to be easy and safe to use. Biometric technology gives accurate results with minimal invasiveness, as a simple scan or a photograph is normally all that is needed. The software and hardware can be used easily, and the institute can have them installed without the need for extensive training.
- Time saving: biometric identification is extremely fast, which is another advantage over conventional security systems. A person can be identified or rejected in a matter of seconds. For owners who know the value of time management, the use of this system can only benefit the bottom line through increased productivity and reduced costs, by eliminating fraud and waste.
- User-friendly technology: owners can have biometric systems installed quite easily, and after that they do their job reliably and consistently. The institute will need only a minimal amount of training to get the system operational, and there is no need for expensive password administrators. If the institute uses high-quality systems, its maintenance costs are also reduced, minimising the cost of maintaining an advanced system.
- Security: biometric traits cannot be guessed or stolen, so they will be a long-lasting security solution for the Life Academy institute. The problem with strong password systems is that they are often a string of numbers, letters and symbols that is hard to remember on a regular basis. The problem with tokens is that they can easily be stolen or lost; both of these conventional methods carry the risk of things being shared. As a result, you can never be truly certain who the correct user is. That will not be the case with biometric features, and there is no problem of sharing, copying or fraud.
- Convenience: it is bound to be a convenient security solution because people do not have to remember passwords or carry additional badges, documents or identification cards. Students or employees forget passwords, and identification cards get lost, which can be a great problem with conventional security systems.

5. Task 06

5.1. What is Access Control
Access control means measures and procedures that restrict or detect access to critical information assets. This can be achieved through software, biometric devices or physical access to a controlled area. The term Access Control System actually refers to systems formally known as point monitoring and access control systems, because they not only control electronic locks on doors, control access on lifts (elevators) and so on, but also monitor alarms. These range from small panel-based alarm systems that also manage card readers on gates to large PC-based point monitoring and access control systems. Most of these are powerful systems. Even the smallest of the main systems used in big universities is normally capable of meeting the needs of most large organisations, simply by unlocking features in the software or upgrading the server to a slightly more powerful one. Some universities have made the mistake of buying less expensive access control systems because they appear to do the same things as the more costly leading brands and because they are powerful enough for the university's present and future needs.

5.2. Tools and Techniques of Access Monitoring and Control
- Router based: monitoring functions that are built into the routers themselves and do not require additional installation of hardware or software are referred to as router-based techniques.
- Non-router based: non-router-based techniques require additional hardware and software to be installed and provide greater flexibility.
5.2.1. Router-Based Monitoring Techniques
Router-based monitoring techniques are hard-coded into the routers and therefore offer little flexibility. A short description of the most commonly used monitoring techniques is given below.
- Simple Network Management Protocol (SNMP).
- sFlow / NetFlow.

Simple Network Management Protocol (SNMP)

Figure 7: Simple Network Management Protocol (SNMP)

SNMP stands for Simple Network Management Protocol. It is a way for servers to share information about their current state, and also a channel through which an administrator can modify pre-defined values. While the protocol itself is fairly simple, the structure of the programs that implement SNMP can be very complex. SNMP operates at the application layer of the networking stack (the protocol stack is an implementation of a computer networking protocol suite). The protocol was created as a way of gathering information from very different systems in a consistent manner. Although it can be used with a diverse array of systems, the method of querying information and the paths to the relevant information are standardised.

- NetFlow
NetFlow is a networking protocol created by Cisco Systems for logging and recording the flow of traffic received and sent within a network. NetFlow was created in cooperation with Enterasys Switches. It provides network traffic statistics by gathering relevant data from enabled routers and switches. NetFlow may also be called Cisco IOS NetFlow.

Figure 8: NetFlow
- Remote Monitoring (RMON)
Remote monitoring and control refers to a field of industrial automation that is entering a new era with the advance of wireless sensing devices. Initially limited to SCADA (supervisory control and data acquisition) technology, remote monitoring and control now refers to the measurement of disparate devices from a network operations centre or control centre, and the ability to change the operation of those devices from that central location.

Figure 9: Remote Monitoring (RMON)

5.2.2. Non-Router-Based Monitoring Techniques
Although non-router-based techniques are still limited in their capabilities, they offer more flexibility than the router-based techniques. These methods are classified as either active or passive.
- Active monitoring
- Passive monitoring
- Combinational monitoring

Active Monitoring
Active monitoring refers to the way measurements are collected between two endpoints in a network. Availability, packet delay, routes, jitter and bandwidth are the parameters measured by active monitoring. The problem with active monitoring is that it injects probe traffic into the network in order to inspect its behaviour, so the normal traffic pattern is disturbed, which calls the validity of the measurements into question.

Figure 10: Active Monitoring
Passive Monitoring
Passive monitoring is less of an experiment and more of an observational study. Instead of injecting artificial traffic into the network, passive monitoring involves observing traffic that is already on the network. This can be done with special probes designed to capture network data or with built-in capabilities on switches or other network devices. Passive network monitoring can gather large volumes of data, from which a broad range of information can be derived. For instance, TCP (Transmission Control Protocol) headers contain information that can be used to derive the network topology and to identify the services and operating systems running on networked devices.

Figure 11: Passive Monitoring
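To make the passive-monitoring claim above concrete, the following Python example, added here and not taken from the report, parses raw IPv4/TCP headers from a constructed capture and derives the kind of information the paragraph mentions: which hosts are present, which services are being contacted (destination ports that receive a SYN), how many connection attempts each source makes, and a rough guess at each host's initial TTL, which is a common passive hint about its operating system family. The capture bytes are built by the example itself, with zero checksums and placeholder identifiers; the addresses, port numbers and function names are the example's own assumptions.

```python
import struct
from collections import Counter

TCP_SYN = 0x02
TCP_ACK = 0x10
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"     # 20-byte TCP header without options


def build_packet(src, dst, sport, dport, flags, ttl=64, window=65535, payload=b""):
    """Constructed sample datagram: IPv4 + TCP, checksums left at zero."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack(TCP_FMT, sport, dport, 1000, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """Decode the fields a passive probe reads from an IPv4/TCP packet."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, _seq, _ack, off_res, flags, window, _tcsum, _urg = \
        struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    data_off = (off_res >> 4) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "flags": flags, "ttl": ttl,
        "window": window,
        # a pure SYN (no ACK) marks a new connection attempt towards dport
        "syn": bool(flags & TCP_SYN) and not flags & TCP_ACK,
        "payload_len": total_len - ihl - data_off,
    }


def guess_initial_ttl(ttl):
    """Heuristic: hosts start at 64, 128 or 255; each router hop subtracts one."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    return None


def summarize(packets):
    """Passive view of a capture: hosts, contacted services, SYNs per source."""
    services, syn_by_src, hosts, ttl_by_src = Counter(), Counter(), set(), {}
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        hosts.update((p["src"], p["dst"]))
        if p["syn"]:
            services[(p["dst"], p["dport"])] += 1
            syn_by_src[p["src"]] += 1
        ttl_by_src.setdefault(p["src"], guess_initial_ttl(p["ttl"]))
    return {"hosts": sorted(hosts), "services": services,
            "syn_by_src": syn_by_src, "initial_ttl_by_src": ttl_by_src}


# Constructed capture: a lab PC opening HTTPS to an inside server (three-way
# handshake plus a data segment) and a second PC probing two more ports.
SAMPLE_CAPTURE = [
    build_packet("10.10.1.20", "10.0.0.5", 51000, 443, TCP_SYN, ttl=64),
    build_packet("10.0.0.5", "10.10.1.20", 443, 51000, TCP_SYN | TCP_ACK, ttl=63),
    build_packet("10.10.1.20", "10.0.0.5", 51000, 443, TCP_ACK, ttl=64, payload=b"GET / "),
    build_packet("10.10.1.21", "10.0.0.5", 40000, 80, TCP_SYN, ttl=127),
    build_packet("10.10.1.21", "10.0.0.5", 40001, 22, TCP_SYN, ttl=127),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Nothing here touches the wire; a real probe would feed the same parser from a packet socket or a pcap file. The SYN counter per source is the usual starting point for spotting a host that is enumerating services, and the TTL guess is only a hint, since a hop count is never known exactly from a single packet.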
Combinational Monitoring
Passive and active monitoring schemes each have drawbacks of their own; to overcome this, the combination of passive and active monitoring was developed. Combinational monitoring brings together the best features of both active and passive monitoring. It consists of two techniques: Watching Resources from the Edge of the Network (WREN) and Self-Configuring Network Monitor (SCNM).

Watching Resources from the Edge of the Network (WREN): this technique combines active and passive monitoring by monitoring actively when traffic is light and passively during periods of heavy traffic. It monitors traffic at both the source and the destination end host, which allows more accurate measurements. WREN uses packet traces from current application traffic to measure the available bandwidth.

Self-Configuring Network Monitor (SCNM): SCNM is a monitoring tool that uses a combination of passive and active measurements to gather information at layer 3 ingress and egress routers and at other important points within the network being monitored. The SCNM environment consists of both hardware and software components.
5.2.3. Access Control Tools

Bradford Networks' Network Sentry/NAC
Bradford Networks is one of the long-established NAC vendors; the company's latest solution is Network Sentry/NAC. Bradford Networks' important advantage is the available integration with most other systems. The Network Sentry/NAC product has a strong footing in the education sector.

Figure 12: Bradford Networks' Network Sentry
- Visibility of network infrastructure: knowing the makeup of the constantly changing network (hubs, routers, switches and wireless access points) is fundamental to making sure it is well protected. Network Sentry/NAC provides real-time visibility of the dynamic network infrastructure, so that administrators can detect and prevent any change that would introduce risk.
- Endpoint compliance: the average number of devices per user is increasing. This trend also increases the attack surface of the network. Confirming the integrity of wired and wireless devices before they connect to the network lowers the risk of vulnerabilities and the spread of exploits and malware. Network Sentry, working agentless, with a dissolvable agent or with a persistent agent, validates the endpoint's profile as it tries to join the network. If the profile is not compliant, for example a patch is missing or the antivirus is out of date, the connection can be blocked or the user warned until the endpoint is remediated.
- Device profiling, fingerprinting and recognition: with the proliferation of personal and mobile computing devices in organisations, the variety and ownership of devices are difficult to manage. Network Sentry/NAC helps to identify and categorise each type of device on the network, determine whether it is corporate-issued or employee-owned, and identify the user on the device in order to enforce role-based network access policies.
- Network provisioning: segmenting the network and classifying data are two sound practices for data protection. Network Sentry/NAC, with role-based access control policies, ensures that the right users on the right devices gain access to the right set of network segments. Users on corporate-issued devices, because those devices are centrally managed by IT, may be given more access than users on personally owned devices.
- Guest management and self-registration: managing the onboarding of visitors' and employees' laptops, tablets and smartphones onto the network can be a labour-intensive and error-prone affair.
- Smooth Connect: configuring an endpoint such as a tablet, laptop or smartphone for wireless access can be a challenging affair. Even with well-documented steps for end users, the process can be error prone, frustrating the end user and the staff who take the help-desk calls. Network Sentry's Smooth Connect feature allows the organisation to quickly and safely connect personal or corporate-issued wireless devices to the network.
- Flexible licensing options for wired and wireless networks.
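The endpoint-compliance and network-provisioning points above describe a decision a NAC makes at connection time: check the device's posture, then assign segments by role and by whether the device is corporate-issued. The following Python example, added here and not Bradford Networks' code or the report's, models that admission decision for a campus like Life Academy's. The roles, segment names, the 7-day antivirus age limit and the idea of a "remediation" VLAN are the example's own assumptions.

```python
from dataclasses import dataclass

# Assumed policy data: segments a role may reach, and the segments that only
# centrally managed (corporate-issued) devices may reach.
SEGMENTS_BY_ROLE = {
    "staff":   ["staff-vlan", "student-records-db"],
    "student": ["student-vlan", "lms"],
    "guest":   ["internet-only"],
}
PRIVILEGED_SEGMENTS = {"student-records-db"}
AV_MAX_AGE_DAYS = 7          # antivirus signatures older than this are "out of date"


@dataclass
class Endpoint:
    """Posture and identity facts the NAC has learned about a connecting device."""
    mac: str
    user_role: str           # "staff", "student" or "guest"
    corporate_issued: bool   # managed by IT, or personally owned
    patched: bool            # required patches present
    av_signatures_age_days: int


def compliance_findings(ep: Endpoint) -> list:
    """Posture checks; an empty list means the endpoint is compliant."""
    findings = []
    if not ep.patched:
        findings.append("missing-patches")
    if ep.av_signatures_age_days > AV_MAX_AGE_DAYS:
        findings.append("stale-antivirus")
    return findings


def admission_decision(ep: Endpoint) -> dict:
    """Decide what the device may reach; non-compliant devices only see remediation."""
    findings = compliance_findings(ep)
    if findings:
        return {"action": "quarantine", "segments": ["remediation"], "reasons": findings}
    segments = list(SEGMENTS_BY_ROLE.get(ep.user_role, SEGMENTS_BY_ROLE["guest"]))
    if not ep.corporate_issued:
        # personally owned devices never get the privileged segments
        segments = [s for s in segments if s not in PRIVILEGED_SEGMENTS]
    return {"action": "admit", "segments": segments, "reasons": []}


def audit_line(ep: Endpoint) -> str:
    """One log line per decision, so the choice can be reviewed later."""
    d = admission_decision(ep)
    return (f"nac mac={ep.mac} role={ep.user_role} corporate={ep.corporate_issued} "
            f"action={d['action']} segments={','.join(d['segments'])} "
            f"reasons={','.join(d['reasons']) or '-'}")


if __name__ == "__main__":
    # Constructed sample endpoints.
    for ep in (
        Endpoint("00:11:22:33:44:01", "staff", True, True, 2),
        Endpoint("00:11:22:33:44:02", "staff", False, True, 2),
        Endpoint("00:11:22:33:44:03", "student", False, False, 30),
    ):
        print(audit_line(ep))
```

The two rules worth noting are the order (posture is checked before any role lookup, so a compromised staff laptop cannot reach the records database by virtue of its owner's role) and the explicit log line, which is what an administrator reads when a user asks why they landed in the remediation VLAN.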
Figure 13: Bradford Networks Sentry options

5.1.2 Monitoring and Access Control in Life Academy
Computer laboratories at the Life Academy are used in three different situations: practical demonstrations, individual work by students on projects, and holding examinations. Depending on the particular use-case, different access permissions are required, a different network setup is required, access to online information must be authorised, and in most cases such adjustments should be made by the lecturer, without any network administration knowledge or equipment access. Ideally, the solution would be fully automated and run as part of an integrated information and control system.
Network architecture
Generally, universities employ a network design similar to the one shown in the figure below. On the left is the network block with all the computer laboratories; on the right is the publicly accessible servers block. Sometimes L3 switches are used. In order to save assigned public IP address space and to protect against direct external attacks, the laboratories are generally behind a small router/firewall that uses NAT/PAT (network address translation / port address translation), which then integrates them into Life Academy's network. The university may also isolate the laboratories in separate VLANs (virtual LANs), if the underlying network and the router/firewall at the head of the lab support this.

Figure 14: Usual network architecture employed in Life Academy

There are a few issues with the usual network design which prevent some of the required use-cases.
- If VLANs are not used in Life Academy, computers from different laboratories can communicate with one another, so there is no isolation of one computer laboratory from another. This matters when holding computer examinations in one laboratory while the other laboratory is open for all students to use: a student in the open laboratory can communicate with and assist another student taking an examination or practical in the other laboratory.
- During some specialised lectures, for instance a course on computer network architecture or a system services course, the students in one laboratory can run a DHCP (Dynamic Host Configuration Protocol) server, create loops in the network, or start other services that conflict with the rest of the infrastructure.
- The management system or e-testing system does not know the actual IP addresses of the users entering it from the computer laboratories, which may be essential when there are examinations and scheduled times.

Best Network Architecture

Figure 15: Proposed network architecture

This architecture is based on the following premises.
1. The network is split into two blocks:
   - an inside, privately addressed computer laboratories block, with a separate VLAN (virtual LAN) and IP range for each computer laboratory (coloured lines);
   - an outside, publicly addressed servers block (black lines).
2. The laboratories firewall, which is based on Linux, has the following responsibilities:
   - it is a fixed router between the different parts of the computer laboratories block;
   - NAT/PAT hides the inside network from the public Internet;
   - it hosts a custom software solution for switching on or off access to different network destinations chosen by lecturers;
   - a Domain Name System (DNS) server resolves the names of the servers present in the inside block, so that all computers in the laboratories get only an inside IP address for them.
3. Computer laboratories exist only in the inside block; each laboratory is in a separate VLAN.
4. Certain servers can exist in both blocks; the reasons are:
   - computers in the laboratories should be able to access such servers even if Internet access is disabled;
   - the servers should know the address of each laboratory computer that accesses them.
5. Access from the inside block to the outside block is routed only through the Linux-based laboratories firewall.
- Computer labs firewall
The firewall is a central point of IT security. A Linux-based server is used for the role of the firewall, running the ClearOS distribution. It is installed on a virtual server, with several virtual interfaces connected to the different parts of the network and the respective VLANs. This allows easier management of the NAT and routing rules needed to realise the described use-case scenarios, by modifying the iptables rules. Although such configurations can be prepared and loaded manually by the administrator, a dedicated application called Zone Alarm-Firewall can be used to present an easy-to-use web interface accessible to all the lecturers. With this application, lecturers can add or remove specific rules in the routing tables without any system administration skills or Linux knowledge.

- Zone Alarm Firewall control application
Zone Alarm-Firewall is a Tapestry5-based Java web application for use at the Faculty of Computer Engineering in Skopje. This application is intended for use by lecturers, enabling them to control and block network traffic in the computer laboratories.

- Access to various services

Auditing
The DNS server in the laboratories' firewall resolves the names of all services that have a presence in the inside block, so that a request to resolve such a server results in a private IP address from the inside block. All servers are connected via trunk links, so that they have a presence and an IP address in every computer laboratory VLAN in the inside block. In that way it is guaranteed that:
- access to any protected service from within the computer laboratories in the inside block is served by the service running on an inside IP address and is logged by that service as access from the inside IP address of the specific laboratory computer, without hiding behind the NAT/PAT public address;
- access to inside services is not routed through the firewall, so it runs at full speed.

- Monitoring application
This section describes how Life Academy monitors its access control system applications. A simple application can be used to assist with monitoring student activity during assignments, exams and practicals. The tool is a web-based JSP (Java Server Pages) application, so it requires a Java web application server to run (FCSE uses Apache Tomcat). It is up to the web administrator what kind of access security to employ, and to what extent. In general, access by the public should be prevented.

Recommendations
Here are a few recommendations that can be used to drive future IT security efforts in industrial control system environments. Security policies should be developed for the administrative systems network and its individual devices, and they should be reviewed periodically to take account of the current threat environment, system functionality and the required level of security.

Blocking access to resources and services is usually implemented on the network by the use of perimeter devices with access control lists, such as proxy servers or firewalls. It can be enabled on the host via host-based firewalls and antivirus software. Detection of malicious activity can be network- or host-based and normally requires regular monitoring of log files by knowledgeable administrators. IDS are the common means of identifying problems on a network, though they can be deployed on individual hosts as well. Auditing and event logs should be enabled on individual hosts where feasible.

In many cases a vulnerability may have to remain, because eliminating it could result in an inoperable or ineffective system. Mitigation allows administrators to control access to the vulnerability in such a way that it cannot be exploited. Applying technical workarounds, installing filters, or running services, devices and applications with specific configurations can often achieve this. The resolution of core security problems almost always requires updating, upgrading or patching the vulnerable software or removing the vulnerable application. The software weakness can reside in any of the three layers (networking, operating system or application). When available, the mitigation should be provided by the vendor or developer for administrators to apply.
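The firewall description above and the architecture premises before it (one VLAN per lab, NAT/PAT towards the public block, an inside DNS server, and a lecturer-controlled switch for Internet access) translate into a small, regular set of iptables rules. The following Python example is added here; it is not the report's Zone Alarm-Firewall application nor ClearOS code. It generates that rule set for an assumed layout of two labs on 802.1Q sub-interfaces vlan101 and vlan102, with eth0 facing the public block, and lets the caller name the labs that are in exam mode and must lose Internet access. Interface names, subnets and function names are the example's own assumptions; the output is a list of iptables command strings that an administrator would review before loading.

```python
from ipaddress import ip_network

# Assumed lab layout (not from the report): one sub-interface and /24 per lab.
LABS = {
    "lab1": ("vlan101", ip_network("10.10.1.0/24")),
    "lab2": ("vlan102", ip_network("10.10.2.0/24")),
}
WAN_IF = "eth0"   # interface towards the publicly addressed block


def base_rules():
    """Rules that hold regardless of what lecturers choose."""
    return [
        "iptables -P FORWARD DROP",   # default deny for anything routed
        # replies to connections the labs opened are always allowed back
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def lab_rules(lab, internet_allowed):
    """Per-lab rules: inside DNS, lab-to-lab isolation, Internet on or off."""
    ifname, net = LABS[lab]
    rules = [
        # the firewall's own DNS answers lab queries with inside addresses
        f"iptables -A INPUT -i {ifname} -s {net} -p udp --dport 53 -j ACCEPT",
    ]
    # Explicit isolation between labs (the DROP policy already denies this;
    # the explicit rule documents the intent and can be given a LOG target).
    for other, (_, other_net) in LABS.items():
        if other != lab:
            rules.append(f"iptables -A FORWARD -i {ifname} -d {other_net} -j DROP")
    if internet_allowed:
        rules.append(f"iptables -A FORWARD -i {ifname} -s {net} -o {WAN_IF} -j ACCEPT")
        # NAT/PAT: the lab leaves through the firewall's public address
        rules.append(f"iptables -t nat -A POSTROUTING -s {net} -o {WAN_IF} -j MASQUERADE")
    else:
        rules.append(f"iptables -A FORWARD -i {ifname} -o {WAN_IF} -j DROP")
    return rules


def build_script(exam_labs):
    """Whole rule list: labs in exam_labs lose Internet access, the rest keep it."""
    rules = base_rules()
    for lab in LABS:
        rules += lab_rules(lab, internet_allowed=lab not in exam_labs)
    return rules


def internet_allowed(rules, lab):
    """Audit helper: does this rule list let the lab reach the WAN interface?"""
    ifname = LABS[lab][0]
    return any(f"-i {ifname}" in r and f"-o {WAN_IF} -j ACCEPT" in r for r in rules)


if __name__ == "__main__":
    print("\n".join(build_script(exam_labs={"lab1"})))
```

Servers that have a presence on every lab VLAN through the trunk links are reached without passing this firewall at all, which is why no rule for them appears here; only traffic leaving the inside block is subject to the lecturer's on/off switch.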