Secure Network Design Software Company


Mike Slaugh
Company Overview
   Acme Dental Systems
   Makers of Dental Practice Management
   130 Employees
   $20,000,000 Annual Revenues
   Sales
       Local and Regional Reps
   Accounting
   Development
       In house
       Third Party
   Information Technology
   Human resources
   Training
   Support
Current Network Design
   Group                 Network Access Point
   Employees             Client Workstations
   Customers             Internet
   Vendors               802.11b wireless network
   Traveling Employees   Dial up server
   Remote Sales Agents   Dial up server
   Contractors           Dial up server
External Services
    Service                Used By
    HTTP                   Customers
    FTP                    Customers and Employees
    SMTP                   Customers and Employees
    Wireless Network       Vendors
    Remote Access Server   Employees and Contractors
Risk Assessment
   Risk consists of two factors
       Impact - A measure of the magnitude of loss or
        harm on the value of an asset
       Probability - The chances that an event will occur
        or that a specific loss value will be incurred
        should the event occur.
Potential Risks
Risk                   Probability   Impact
Disgruntled Employee   Low           High
Hacker                 Very Low      High
Spoofing               Low           Low
Scanning               High          Low
Misconfiguration       Medium        Varies
Packet Sniffing        Low           Low
Regulation Violation   Medium        High
Wireless               Medium        High
Virus                  Medium        High
Denial of Service      Low           High
Risk Assessment
   Firewall
       No separation between external and internal servers
       A compromised server can be used to compromise the network
Risk Assessment
   Sensitive Data
       Data not properly secured
       Access to data shares open to everyone
Risk Assessment
   Passwords
       Users chose weak passwords
Risk Assessment
   Wireless Network
       No Security Features
       Allows all to connect
Risk Assessment
   SMTP Server
       Routes mail from any source
       Can be used to send spam
Risk Assessment
   Intrusion Detection System
       Network Contained no IDS
Risk Assessment
   Application Product
       Contains private dental information for patients
       Submits information electronically to insurance clearing
       Proprietary database stored in flat files on server
       Supports user names and passwords, but does not force
        strong passwords.
       Pertains to the application product.
       X12 format for transmitting data electronically
       Databases sent in for maintenance must be protected
Security Requirements
   Information Security
       Sensitive information must be limited to appropriate users.
   System Security
       Systems should be hardened to not allow unauthorized access.
        Defense in depth is required.
   Physical Security
       Access to the server room and sensitive data room must be limited to
        appropriate individuals
   Product Security
       Product must be compliant with HIPAA
   Connectivity
       All existing means of connection to the network must remain.
   Intrusion Detection
       Intrusion detection systems must be installed
Proposed Network Design
   Domains of Trust
       External
       VPN
       Internal

   Choke Points
       Stateful Firewalls
       Router with ACL
Proposed Network Design
   External Domain
    of Trust
       HTTP Server
       FTP Server
       Wireless
       SMTP Server
       External DNS
       IDS
   Untrusted
Proposed Network Design
   VPN Domain of
       VPN Server
           IPSec
       Syslog Server
       IDS
   Trusted
Proposed Network Design
   External Domain
    of Trust
       HTTP Server
       FTP Server
       IDS
       External SMTP
       External DNS
Proposed Network Design
   Wireless Network
       WPA Security
       Accessed by
       Only allow access
        to External
        Domain of Trust
Proposed Network Design
   VPN Domain of
       IPSec VPN server
       Syslog Server
           All systems log
            data in the Syslog
           All system clocks
       IDS
Proposed Network Design
   VPN Domain of
       Site to Site VPN
           Contractors
       Remote VPN
        server (Software)
           Employees
Proposed Network Design
   Internal Domain of
   Internal DNS
   Internal SMTP
Physical Security
   ID Cards must be worn at all times
   Hand Geometry unit controls access to Server
       Discreet Duress Signal
   Sensitive Data room has minimum occupancy
       N Man Rule
Information Security
   Sensitive data on file shares restricted
   Access to “Everyone” group removed
   Users must have valid reason to access data on
   Implement Password Policy
       Letters (ABC)
       Number (123)
       Symbols (!@#)
   All computers will run Anti Virus software with
    current definitions.
Product Security
   Use commercial database engine
   Encrypted data transfer in X12 format
   Build support for strong passwords
   All add/change/delete activities should be
Email Security
   Internal and External SMTP Server
   External only routes incoming mail to the
    internal server
   Sender Policy Framework
       All Domains publish MX records
       Reverse MX record called SPF record
       Others will know valid senders for domain
   Secure Email and Digital Signatures
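The sender check that an SPF record makes possible for a receiving mail server, as an added example that is not part of the original slides. SPF policies are published as DNS TXT records; the policy string and addresses below are constructed samples from documentation ranges, and the function names are hypothetical. Mechanisms that need further DNS lookups are reported rather than resolved.

```python
import ipaddress

# Constructed sample policy for a placeholder domain (not from the slides).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        if "=" in term.split(":", 1)[0]:   # modifiers (redirect=, exp=) are skipped
            continue
        qualifier = "+"                    # "+" is the default when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        terms.append((qualifier, mechanism.lower(), value))
    return terms

def check_sender(record, sender_ip):
    """Evaluate terms left to right; the first matching term decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism not in ("ip4", "ip6"):
            return "needs-dns"             # a, mx, include, ... cannot be judged offline
        network = ipaddress.ip_network(value, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term

def weak_points(record):
    """List policy weaknesses a publisher should fix before relying on SPF."""
    alls = [q for q, m, _ in parse_spf(record) if m == "all"]
    if not alls:
        return ["no 'all' term: unlisted senders get neutral, not fail"]
    if alls[0] in "+?":
        return ["'all' does not reject: any host may send as this domain"]
    return []
```
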
Migration Strategy
   Phase 1 – Security Infrastructure
       Create Domains of Trust
       Move firewalls
       Upgrade wireless network
       Internal and External servers
Migration Strategy
   Phase 2 – Network Services
       Create VPN
       Implement Secure Email and Digital Signatures
       Implement Proper file permissions
       Anti-Virus Software
Migration Strategy
   Phase 3 – Post Implementation
       Install IDS
       Create Syslog Server
       Implement Physical and Information Security
   Define the two components of risk, and
    describe how they can be used to determine
    the level of risk.
   Compare and contrast Hardware and Software
    VPNs. Give a deployment example for each.
   Any Questions?
Current Network Design
Proposed Network Design
