					     Intranet Security

     Catherine Alexis
CMPT 585- Computer and Data Security
     Professor: Dr Stefan Robila

Table of Contents

    I. Abstract
   II. Definition
  III. Architecture (Fig 1)

Intranet Components
   IV. Introduction
    V. Security Within the Organization
           i. Physical Security
          ii. Domain Controller
         iii. Web Server
          iv. File Server
           v. Mail Server
          vi. Print Server
         vii. Application Server
        viii. Database Server
          ix. Security and Monitoring Server
           x. Workstations
          xi. Switches

Security Components of the Intranet

   VI. Security Against the Extranet
           i. Routers
          ii. Firewall
         iii. DMZ
          iv. NAT Connection

  VII. Conclusion

Montclair State University            2                  Fall2004


   I. Abstract
While much importance is given to protecting one’s data and confidential information
from outside one’s boundaries, little is said about the risks involved inside the
organization. Users inside an organization have direct physical access to confidential
information and are well aware of the resource access controls. Hence securing the
intranet from its trusted users becomes critical. Statistics show that 80% of all computer
fraud is committed by internal end users.

This paper briefly explains the definition and the architecture of the intranet and
discusses the physical security of the intranet components, as well as the security of the
organization’s data from both internal users and the outside world (Internet).

  II. Definition
The web defines intranet as a private network inside a company or organization, which
uses software like that used on the Internet, but is for internal use only, and is not
accessible to the public. Companies use Intranets to manage projects, provide employee
information, distribute and share data and information.

 III. Intranet Architecture

                             Fig 1 - Showing the Intranet Architecture


IV. Introduction
    Fig 1 shows the various components in the Intranet Architecture and how each
    component is connected to various other components in the network. The security of each
    component physically as well as the policies and practices that make these components
    secure from within the organization and the components that protect the Intranet from the
    outside world (Internet) are analyzed and discussed in detail in the rest of this paper.

V. Security within the Organization
    i. Physical security
      This security is easy to implement. The servers and network devices are protected in a
      safe room with security locks or swipe-card access, and only authorized personnel are
      allowed entry. Overall, the entire building is protected and guarded by a security
   ii. Domain Controller
      Domain Controller is a concept used in the Microsoft, UNIX, and Linux operating
      systems whereby a user may be granted access to a number of computer resources with
      the use of a unique user name and password combination. It also takes care of IP address
      assignment for workstations and servers. This server is protected by the following:
           o Creating a domain security policy and implementing it on the server. It means that
             only the administrator can access this server locally and remotely.
           o Installing antivirus software and definitions.
           o Installing security patches and service packs.
           o Disabling unwanted devices, such as USB and parallel port devices, on the server.

  iii. Web server
      The organization’s website is hosted on the web server. Internally it is protected from the
      users via folder rights. Only the administrator or the webmaster has the rights to change
      the contents of the website. It is protected from the external world by the firewall and the
      DMZ network via web filter techniques. Symantec, McAfee, Check Point, etc. can be
      used as web filter software to monitor and prevent hackers from destroying the web

  iv. File server
     All the users’ files are saved on this server. Usually it has three levels of security:
     personal (single-user access), group (department access) and public (access to all
     departments in the company). It is protected by antivirus software, through updated
     security patches, and by frequent backup. Access from outside the company is achieved
     through a Virtual Private Network and protected through the firewall and DMZ. As always, the
     system administrator has full access to this server for maintenance and backup.

   v. Mail server
     The users’ emails are stored in some encrypted format on the mail server. Only the
     administrator has the rights to access and perform maintenance on the mail server locally
     or remotely. The users have access only to their email folders. The mail server is
     protected from the outside through the firewall and DMZ network. The mail filter in the
     DMZ network filters spam and unwanted email attempts both from outside and from
     inside the organization. For example, if a user on the inside sends a resume or unwanted
     emails, or tries to visit pornographic websites, it is blocked by the mail filter. The
     mail filter also scans email for viruses, worms and Trojan horses, thus protecting the mail
     server and the user workstations.

 vi. Print Server
    This server networks all the printers within the organization. It monitors all activity and
    keeps a log. It is protected by regular antivirus software updates and security patch
    update. Only the administrator can access this system and do necessary changes.

vii. Application Server
    This server holds all of the application software needed by the users, for example
    Office, Visio, etc. The application software can be installed on the workstations by just
    mapping on to the application server. This provides for proper inventory and software
    license maintenance.

viii. Database Server
     The database server holds the database software and the database files. It is protected by
     antivirus software and database security updates.
             I) Internal security
             Every database has several levels of security access.
                           i. Administrator access rights- Can install database software and
                              maintain the database server.
                          ii. Programmer access rights- Limited to their programming needs.
                         iii. Data entry access rights- read and write access to the database
                         iv. User access rights- read only access
             II) External security
             External access takes place through the VPN and is protected by the firewall and
             DMZ network.

 ix. Security and Monitoring Server
    Monitors all the components of the Intranet. It does intelligent updates of antivirus
    software, security patches and service packs on all the servers and workstations. For
    example, if there is a service pack update from Microsoft, it is installed on this server and
    is then pushed to all other servers and workstations. It also gives a detailed report on the user
    activities on the workstations and administrative activities on the servers.

  x. Workstations
   The list below gives some suggestions for security measures that should generally be
   implemented on all workstations, whether new or existing. Further measures may be
   implemented as resources allow. This list only gives some starting points; it is not
   exhaustive. In addition, it only provides information on what to do, not how to do it.

   1. Password security is one of your best defenses. Use strong Administrator
      passwords, i.e. mix upper and lower case, numbers and special characters, and
      make them long; with Windows 2000 you can go longer than 14 characters, which
      can have its advantages.
   2. Default password and account policies are practically non-existent. Implement
      better user password and lockout policies — consider using passfilt or an
      alternative for password complexity, set a minimum password length and educate
      your users.
   3. Never make ordinary users members of Administrator groups.
   4. Check for copies of the SAM (Security Account Manager) that everyone can read
      and secure them (e.g. created by backup software.)
   5. Turn on auditing and review your logs regularly.
   6. If possible, implement the following registry key changes —
          Restrictions for Anonymous Users
          LAN Manager Authentication Level
          Send Unencrypted Password to SMB Servers
   7. Where time permits, review NTFS permissions and tighten file system security
      (particularly on WinNT; Win2000 is better.)
   8. Review Share permissions.
   9. Disable the default "Guest" username.
   10. Confirm that non-common passwords are on every user account. Consider non-
       common user names also.
   11. The Administrator Account cannot be disabled.
   12. Be careful with permissions. Do not use Guests, Everyone or other
       unauthenticated users. The Everyone group contains people you don't know.
       With Guests, if the account is enabled, users from other "trusted" domains can gain
       access. It is indeed better to set up permissions with "Domain Users" or even
       "Authenticated Users". Everyone is a wide-open special group that you have very
       little control over.
   13. Disable file/printer sharing for TCP/IP and use only printer and file server.
   14. When file sharing is necessary, restrict its scope and the time it is available. Turn it off when
       not necessary.
   15. Review Installation and Boot Process in Event Viewer
   16. Set Event Viewer Log Size and Wrap Setting
   17. Disable Unnecessary Services
   18. Set proper Paging File Sizing and Placement.
   19. Keep operating system security hot fixes up to date (but take care and back up
       before applying them.)

   20. Apply security patches to other major software, e.g. IIS, SQL Server, Exchange,
       antivirus, etc.
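
An added example, not part of the original paper: one way to check item 6 across many workstations is to collect `reg query` output from each machine and audit it offline. The registry value names are the ones commonly documented for those three settings; the pass conditions and the sample output are assumptions constructed for illustration.

```python
import re

# Registry value names behind the three settings in item 6. The pass
# conditions are an assumed baseline, not values given in the paper.
BASELINE = {
    "restrictanonymous": (r"control\lsa", lambda v: v >= 1,
                          "Restrictions for Anonymous Users"),
    "lmcompatibilitylevel": (r"control\lsa", lambda v: v >= 3,
                             "LAN Manager Authentication Level"),
    "enableplaintextpassword": (r"lanmanworkstation\parameters", lambda v: v == 0,
                                "Send Unencrypted Password to SMB Servers"),
}
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {(key, value_name): int} from `reg query` output, lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()          # start of a new key block
        elif key and (m := VALUE_RE.match(line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(text):
    """Return [(setting, status)]; status is 'ok', 'weak' or 'not set'."""
    values = parse_reg_query(text)
    findings = []
    for name, (suffix, passes, label) in BASELINE.items():
        hits = [v for (k, n), v in values.items()
                if n == name and k.endswith(suffix)]
        if not hits:
            status = "not set"                  # OS default applies; review by hand
        else:
            status = "ok" if passes(hits[0]) else "weak"
        findings.append((label, status))
    return findings


# Constructed sample of `reg query` output from one workstation.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0
    LmCompatibilityLevel    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for setting, status in audit(SAMPLE):
        print(f"{status:8} {setting}")
```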
  xi. Switches
     A network switch is a device that joins multiple computers together at a low-level
     network protocol layer. Technically, network switches operate at layer two (Data Link
     Layer) of the OSI model. Network switches look nearly identical to hubs, but a switch
     generally contains more "intelligence" (and a slightly higher price tag) than a hub. Unlike
     hubs, network switches are capable of inspecting the data packets as they are received,
     determining the source and destination device of each packet, and forwarding that packet
     appropriately. By delivering messages only to the connected device they were intended
     for, network switches conserve network bandwidth and offer generally better
     performance than hubs. Network switches offer differing port configurations, starting
     with four- and five-port models, and support 10 Mbps Ethernet, 100 Mbps Ethernet,
     1 GB Ethernet or all of these.

VI. Security Against The Extranet

   i. Routers
     A device that forwards data packets along networks. A router is connected to at least two
     networks, commonly two LANs or WANs or a LAN and its ISP’s network. Routers are
     located at gateways, the places where two or more networks connect. Routers use headers
     and forwarding tables to determine the best path for forwarding the packets, and they use
     protocols such as ICMP to communicate with each other and configure the best route
     between any two hosts. Very little filtering of data is done through routers.
     A router is often included as part of a network switch. Routing is a function associated
     with the Network layer (layer 3) in the standard model of network programming, the
     Open Systems Interconnection (OSI) model. A layer-3 switch is a switch that can
     perform routing functions. An edge router is a router that interfaces with an asynchronous
     transfer mode (ATM) network. A brouter is a network bridge combined with a router. For
     home and business computer users who have high-speed Internet connections such as
     cable, satellite, or DSL, a router can act as a hardware firewall. This is true even if the
     home or business has only one computer. Many engineers believe that the use of a router
     provides better protection against hacking than a software firewall, because no computer
     Internet Protocol addresses are directly exposed to the Internet. This makes port scans (a
     technique for exploring weaknesses) essentially impossible. In addition, a router does not
     consume computer resources as a software firewall does. Commercially manufactured
     routers are easy to install, reasonably priced, and available for hard-wired or wireless

  ii. Firewall
     The term "Firewall" originally meant, and still means, a fireproof wall intended to
     prevent the spread of fire from one room or area of a building to another. The Internet is a
     volatile and unsafe environment when viewed from a computer-security perspective;
     therefore "Firewall" is an excellent metaphor for network security. Some of the very
     famous commercial products available are the Check Point firewall, Cisco PIX firewall, Nokia
     firewall and Symantec firewall. A firewall can be configured by the administrator, using
     its security policy options, to block traffic such as FTP, HTTP, and TCP/IP ports and protocols,
     depending on the requirement. Some enterprise versions of the firewall provide
     options to filter and block Trojans, adware, spamware and spyware.

iii. DMZ Zone
    Short for demilitarized zone, a DMZ is a computer or a small subnetwork that sits between a
    trusted internal network, such as a corporate private LAN, and an untrusted external
    network, such as the public Internet. Typically, the DMZ contains devices accessible to
    Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and
    DNS servers. The term comes from military use, meaning a buffer area between two

iv. NAT Connection
   Network Address Translation (NAT) is a network standard that enables a local area
   network (LAN) to use one set of IP addresses for intranet traffic and a second set of
   addresses for external traffic (Extranet Traffic). All necessary IP address translations
   occur where the LAN interfaces with the broader Internet. NAT converts the packet
   headers (and in some cases the port numbers in the headers) for incoming and outgoing
   traffic and keeps track of each session. This does mean, however, that NAT overrides
   "Internet transparency", a practice in which packets remain intact throughout their
   transmission. NAT is also provided with Windows Internet Connection Sharing.
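
An added example, not part of the original paper: a small model of the translation table described above, with port translation and per-session tracking. The addresses, the starting external port and the rule that a reply must come from the exact remote endpoint are assumptions of this sketch, not details from the paper.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000  # first external port handed out (assumed)
    out_map: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    in_map: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source header of a packet leaving the LAN."""
        key = (src, dst)
        if key not in self.out_map:             # new session: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, dst)] = src      # remember how to translate back
        return (self.public_ip, self.out_map[key]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite the destination of a reply; None means the packet is dropped."""
        if dst[0] != self.public_ip:
            return None
        inside = self.in_map.get((dst[1], src))
        if inside is None:
            return None                         # no session: nothing to map to
        return src, inside


def demo():
    nat = Nat("203.0.113.10")
    web = ("198.51.100.7", 80)
    # Two workstations use the same source port toward the same server.
    a = nat.outbound(("192.168.1.20", 51000), web)
    b = nat.outbound(("192.168.1.21", 51000), web)
    reply = nat.inbound(web, a[0])                       # matches a session
    stray = nat.inbound(("198.51.100.99", 4444), a[0])   # matches none
    return a, b, reply, stray


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The outside server only ever sees 203.0.113.10, and a packet that matches no tracked session has no internal address to be translated to.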

  NAT accomplishes these key purposes:

         o It acts as a firewall by hiding internal IP addresses.

         o It enables an enterprise to use more internal IP addresses, since there is no
           possibility of conflict between its internal-only IP addresses and those used by
           other organizations. Essentially, an organization can present itself to the Internet
           with fewer IP addresses than used on its internal network, which conserves public
           IP addresses.

         o It allows an enterprise to bundle multiple ISDN/T1 connections into one Internet

VII. Conclusion

     The security features and policies described in this paper are some of the preventive
     measures that must be taken to protect an organization from the disaster of losing its
     valuable information. Apart from having all these policies and security features, it
     becomes necessary to educate the users about the value of the information, because
     security frauds often happen because of neglect and lack of knowledge on the user's part about
     the importance of securing information.

     By securing the Intranet the organization can
                o Minimize potential economic loss
                o Decrease potential exposures
                o Ensure organizational stability
                o Provide an orderly recovery
                o Minimize insurance premiums
                o Reduce reliance on certain key individuals
                o Protect the assets of the organization
                o Ensure safety of personnel
                o Minimize decision-making during a disastrous event
                o Minimize legal liability
