Case  1  Network  Design   Abstract     The  company  in  this  case  is  a  small  consulting  firm  whose  specialty  is  providing  their   customers  with  Microsoft  Windows  and  Citrix  networked  business  solutions.     They  believed  their  internal  servers  are  secure  due  to  their  diligence  in  keeping  the   Operating  Systems  up  to  date  with  the  latest  service  packs,  hotfixes  and  patches.  Virus   signatures  and  scanning  software  is  also  kept  current.  Your  security  company  has  been   given  the  task  of  evaluating  the  security  of  the  network  perimeter  and  to  make   recommendations  for  securing  our  network  perimeter  and  Internet  connection.     Examination  of  the  perimeter  infrastructure  showed  the  network  to  be  virtually   defenseless.  There  is  no  Firewall  installed  and  very  little  filtering  of  inbound  or   outbound  Internet  traffic  on  either  the  router  at  the  corporate  office  or  the  router  at   the  branch  office.  The  Linux,  Help  Desk,  Mail  server  and  the  two  Active  Directory  servers   had  direct  network  links  to  both  the  internal  network  and  the  Internet  making  them   prime  targets  for  intruders.  Your  proposal  is  to  completely  redesign  the  network   perimeter  to  provide  a  layered  Defense  in  Depth.       Current  Network  design       The  original  perimeter  network  design  included  two  Cisco  routers  and  five  publicly   addressed  servers,  four  of  which  were  Windows  based  and  the  fifth,  RedHat  Linux.  As   stated,  the  network  did  not  have  a  Firewall  device  and  the  perimeter  routers  performed   extremely  limited  inbound  packet  filtering.  The  corporate  router  is  configured  with  a   serial  interface  for  connection  to  the  Internet,  an  Ethernet  interface  for  the  public   network,  and  an  Ethernet  interface  for  the  internal  (private)  network.  The  branch  office   router  had  a  serial  interface  to  the  Internet  and  an  Ethernet  interface  to  their  internal   network  (diagram  1).       The  branch  and  corporate  routers  were  connected  by  VPN  tunnel  over  the  Internet.  The   various  network  devices  at  the  corporate  office,  both  internal  and  external,  were   connected  via  three  casc ...

1. Case
1
Network
Design
Abstract
The
company
in
this
case
is
a
small
consulting
firm
whose
specialty
is
providing
their
customers
with
Microsoft
Windows
and
Citrix
networked

2. business
solutions.
They
believed
their
internal
servers
are
secure
due
to
their
diligence
in
keeping
the
Operating
Systems
up
to
date
with
the
latest
service
packs,
hotfixes
and
patches.
Virus
signatures
and

3. scanning
software
is
also
kept
current.
Your
security
company
has
been
given
the
task
of
evaluating
the
security
of
the
network
perimeter
and
to
make
recommendations
for
securing
our
network
perimeter
and
Internet
connection.

4. Examination
of
the
perimeter
infrastructure
showed
the
network
to
be
virtually
defenseless.
There
is
no
Firewall
installed
and
very
little
filtering
of
inbound
or
outbound
Internet
traffic
on
either
the
router

5. at
the
corporate
office
or
the
router
at
the
branch
office.
The
Linux,
Help
Desk,
Mail
server
and
the
two
Active
Directory
servers
had
direct
network
links
to
both
the
internal
network
and
the

6. Internet
making
them
prime
targets
for
intruders.
Your
proposal
is
to
completely
redesign
the
network
perimeter
to
provide
a
layered
Defense
in
Depth.
Current
Network
design

7. The
original
perimeter
network
design
included
two
Cisco
routers
and
five
publicly
addressed
servers,
four
of
which
were
Windows
based
and
the
fifth,
RedHat
Linux.
As
stated,
the
network
did
not
have
a
Firewall

8. device
and
the
perimeter
routers
performed
extremely
limited
inbound
packet
filtering.
The
corporate
router
is
configured
with
a
serial
interface
for
connection
to
the
Internet,
an
Ethernet
interface
for
the
public
network,
and

9. an
Ethernet
interface
for
the
internal
(private)
network.
The
branch
office
router
had
a
serial
interface
to
the
Internet
and
an
Ethernet
interface
to
their
internal
network
(diagram
1).
The

10. branch
and
corporate
routers
were
connected
by
VPN
tunnel
over
the
Internet.
The
various
network
devices
at
the
corporate
office,
both
internal
and
external,
were
connected
via
three
cascaded
switches.
Each
of
the
external

11. (public)
servers
had
a
direct
link
to
the
internal
network
and
represented
a
significant
danger
if
they
were
compromised.
The
branch
office
network
consisted
of
four
PCs
on
a
hub
connected
to
the

12. router.
A
brief
description
of
each
network
device
follows.
Routers
Corporate
Router
The
Cisco
router

13. at
the
corporate
office
provided
Network
Address
Translation
(NAT)
for
outbound
Internet
connections.
The
five
public
servers
were
assigned
static
NAT
addresses.
All
other
traffic
is
given
the
public
address
of
the
serial
interface

14. by
the
NAT
“overload”
feature
of
the
Cisco
Internetwork
Operating
System
(IOS).
The
router
also
acted
as
one
end
of
a
point-­‐to-­‐point
VPN
tunnel
to
the
branch
office
router.
This
provided
secure
access

15. to
the
corporate
Microsoft
Active
Directory
servers
and
other
network
resources.
The
serial
interface
had
an
inbound
access
list
to
block
port
1433
(SQL
Server)
traffic
to
a
single
internal
server.
All
other
traffic,

16. inbound
and
outbound
is
permitted.
Branch
Office
Router
The
Branch
office
router
is
configured
to
provide
NAT
for
outgoing
Internet
traffic,
in
addition
to
a
VPN
tunnel

17. to
the
corporate
router.
An
inbound
access
list
is
applied
to
the
serial
interface
making
it
somewhat
more
secure.
The
access
list
is
designed
to
block
packets
with
spoofed
private
network
addresses.
No
other

18. security
measures
were
in
place.
Public
Servers
Help
Desk
Server.
This
is
a
Windows
2003
server
providing
web
based
Help
Desk
services

19. to
clients
and
staff.
It
runs
Microsoft
Internet
Information
Server
(IIS)
and
Microsoft
SQL
to
support
the
Help
Desk
application.
There
were
two
network
interfaces
installed,
one
connected
to
the
public
network,
the

20. other
connected
to
the
private
network.
The
patch
levels
and
virus
signatures
on
this
server
were
kept
up
to
date.
Mail
Server
The
second
server
is
also
Windows

21. 2003
based.
It
acts
as
a
mail
server
using
Microsoft
Exchange
and
provides
file
and
print
services
to
the
internal
network
through
a
second
network
interface.
Mail
sent
to
this
server
is
forwarded
to

22. the
internal
Exchange
mail
server,
storing
it
if
the
internal
server
is
unavailable.
This
server
also
acted
as
a
public
NFuse
front
end
to
the
internal
Citrix
server.
Linux
Server

23. The
Linux
server
runs
the
Redhat
9.2
operating
system
and
Apache
web
server
software.
This
server
has
a
total
of
five
network
interfaces.
One
public,
one
private,
and
three
others
used

24. to
provide
routing
and
Internet
gateway
services
to
other
companies
in
our
building
for
a
monthly
fee.
There
is
a
minimal
host
firewall
in
place,
allowing
the
three
companies
to
access
the
Internet,
but

25. preventing
them
from
accessing
the
other
networks
in
the
building.
All
Internet
traffic
inbound
or
outbound
is
permitted
to
their
networks
with
no
additional
filtering.
Our
service
agreement
with
these
clients
does
not

26. require
us
to
provide
any
additional
type
of
security
services.
The
Linux
machine
also
acts
as
a
web
server
providing
portal
access
to
our
internal
servers.
Clients
and
staff
can
access
each
portal
service

27. by
providing
their
name
and
password.
Credentials
are
passed
to
the
internal
Active
Directory
server
for
validation
using
LDAP.
Active
Directory
Servers
The
Primary
and
Secondary
Active

28. Directory
Servers
had
two
interfaces
each,
one
connected
to
the
internal
network
and
the
other
to
the
Internet.
The
reason
for
the
dual
attachment
is
to
provide
Active
Directory
services
to
the
PCs
in

29. the
branch
office
over
the
VPN.
Without
the
internal
interface,
the
branch
office
is
unable
to
browse
the
corporate
network.
Vulnerability
Assessment
The
network
does
not
have
a

30. Firewall
installed
for
protection
against
outside
probes
or
attacks.
This
is
a
critical
weakness
because
even
the
most
well
patched,
up
to
date
operating
system
is
vulnerable
to
a
determined
attack.
The
same
is

31. true
of
web
services
and
other
applications.
Compromised
resources
on
our
network
could
be
used
to
unknowingly
participate
in
a
Distributed
Denial
of
Service
(DDOS)
attack
launched
against
another
network.

32. There
is
insufficient
filtering
on
the
routers.
As
with
the
lack
of
firewall,
this
leaves
the
network
wide
open
to
attack
and
exploitation.
Logs
are
not
kept
of

33. the
types
or
frequency
of
Internet
traffic.
Without
logs
there
is
no
way
to
determine
if
the
network
is
being
probed
or
attacked.
Each
of
the
public
servers
also
had
links
to

34. the
company’s
internal
network.
If
any
of
these
machines
were
compromised,
they
could
act
as
gateways
to
the
rest
of
the
company’s
data
and
servers.
The
Linux
server
is
built
and

35. is
maintained
by
one
of
the
consulting
engineers.
Patches,
bugfixes
and
other
administrative
tasks
were
performed
whenever
his
schedule
allowed.
There
is
no
one
else
in
the
company
familiar
enough
with
Linux
to
assume

36. this
responsibility.
There
are
no
written
policies
concerning
the
frequency
or
responsibility
for
maintaining
the
security
levels
of
hardware
and
software.
Wireless and Remote connectivity Challenge – Sanford
University
Sanford University is a medium-sized university in the outskirts

37. of Philadelphia. Formed
in 1966, it has grown steadily through the incorporation of
additional colleges and
further education providers, but retains an emphasis on
engineering, science and
technology.
Today, it numbers around 15,000 students and 2,000 staff.
As part of a five-year strategic plan, the university’s “Open
Kingdom” project aims to
create a consistent user experience across the campus, including
the provision of
wireless network access. This last issue became critical in the
summer of 2012, when
the Students body insisted on wireless access for all residential
buildings before starting
negotiations on 2013 rents.
“We’d traditionally viewed wired as good enough for
everybody,” says John Patrick.
network and data center manager for the University. “What
became very clear was that
wired wasn’t good enough for our students. Wired wasn’t their
typical network
experience. They expect the same experience on campus as they
have at home.
Students wanted to do their computing anywhere, anyhow, on
the go, inside the
campus, outside the campus. They didn’t want to be a slave to
the cable.”
Patrick and his team needed a solution in place before the
January 2013 deadline.
The solution needs to provide wireless access coverage in the 7

38. buildings across
campus, four of them residential, and for the solution to provide
a robust remote access
system (VPN) for faculty and staff.
The solution should not discriminate between devices; students
would be free to use
smartphones, games consoles or tablets on the network, for
work or play. However, the
network needed to differentiate between staff, students,
conference visitors and guests,
granting the appropriate access to services. Ultimately, with
thousands of users bringing
their own devices onto the network, it needed to maintain the
security of the university’s
systems.
Sanford University layout
Residential buildings - 6 stories with 25 rooms per floor
Classroom / conference building - 4 stories and 40 classrooms
per floor. Auditorium
and Cafeteria located on ground floor.
Classroom / Admissions / Library building - 7 stories with 20
offices or classrooms per
floor.
Data center on campus - provides IT services to the entire
campus.