
Level Of Defenses In Network Security

Level of Defenses In Network Security - A Case Study Of Geetanjali Institute of Technical Studies, Dabok

Naveen Malkani #1, Bhavesh Jain *2, Kritika Soni *3, Kunal Singhvi *4

1 Executive Director, Microsystems, Udaipur, India
director@micro-systems.org

2, 3, 4 Department Of Computer Science and Engineering, Geetanjali Institute of Technical Studies, Dabok
sonikritika569@gmail.com, 3 shaan01jain@gmail.com, 4 kunal.singhvi.1987@gmail.com

Ridhima, Sheela Bhatt, Amandeep et al. (Eds.): ICOACCE 2010, Geetanjali Institute Of Technical Studies, Udaipur.

Abstract

A secured network is one which is free of unauthorized access, threats and hackers. This paper describes the different levels of network security. A brief overview of network security, its need, different threats and related protection techniques is presented. The paper presents a general overview of the most common network security threats and the steps which can be taken to protect an educational institution and to ensure that data travelling across the network is safe and secure. The objective of the paper is to highlight the loopholes in the existing network of the computer science department of Geetanjali Institute of Technical Studies. The paper presents the setup of an ideal network defense system in the institute.

Keywords: Network Security, IP Sec, VLANs, Firewalls, Antivirus Packages, MAC Filtering, Access Control Lists, Tokens, Security Policies, Intrusion Detection.

I. Introduction

The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and educational communications worldwide. The volume of traffic moving over the Internet, as well as over education networks, is expanding exponentially every day. This vast network and its associated technologies have opened the door to an increasing number of security threats from which educational institutions must protect themselves. Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of its effectiveness, combined together. Network security refers to all hardware and software functions, characteristics, features, operational procedures, accountability measures, access controls, and administrative and management policy required to provide an acceptable level of protection for hardware, software, and information in a network. [1]

A. Need of Network Security at Geetanjali Institute of Technical Studies

The institute has a difficult network environment to secure. Proprietary information must be protected and the network must be available 24x7, yet hundreds of untrusted student-owned computers must be given access. That is where the problem arises. The network administrator cannot control what students do, or have done, with their laptops and desktops, and that puts the entire network at risk. As an educational organization, the administration strives to facilitate the open exchange of information. Students, faculty members and librarians all need access to the Internet. However, at the same time, the administrator has a responsibility to protect users from network threats and keep the network up and running. A top security priority is to establish a private network to keep confidential information (student records, scholarships, administrative records, financial information etc.) safe from unauthorized users, hackers, and other threats.

II. Objective

Networks in the institution are isolated from each other. It is desired to have a single backbone network. The paper will discuss:

- Users in college.
- Current network plan.
- Drawbacks in the existing network plan.
- Level of defenses in an ideal network system.
- Proposed network plan for the college.


IV. Current Scenario

A. Users

The college has the following departments: Computer Science, Electronics and Communication, Mechanical, Electrical, Automobile, Information Technology, MBA and MCA. Besides these departments, the internet facility is required by the accounts section, the administrative department and the director. All faculty members and students are availing the internet facility.

B. Existing Network Plan

The network in Geetanjali Institute is divided into three different networks.

1) BLOCK-A
The block-A network includes the Computer Science department, MCA department, IT department, Mechanical department and the administrative department. The network plan is shown in the figure.
Fig 1: BLOCK-A NETWORK

2) BLOCK-B
The block-B network includes the Electronics department, Electrical department and MBA department. The network plan is shown in the figure.
Figure: BLOCK-B Network

3) ACCOUNTS
Figure: ACCOUNT Network

C. Problems in Existing Network

In the college environment, a single unpatched or compromised end-terminal threatens the entire network. It can serve as a backdoor for intruders and a channel for worms and spyware, and it can infect the entire network. The institution tries hard to implement a consistent security policy that defines what is permitted and what is prohibited on student end-terminals, but a number of logistical problems prohibit enforcement of such policies. The major ones include:

1) Wide Range of Operating Systems and Versions
Implementation and administration of a security policy that efficiently accommodates multiple OS platforms and versions is a tough job.

2) A Limited Time for Registering Devices
Students must have network access when classes begin, making it unfeasible for the network administrator to implement uniform security measures on a device-by-device basis in the limited time available at the beginning of the semester.

3) Difficulty of Having to Physically Touch Each Device
Limited resources and personnel prohibit effective physical management of each device.

4) Three Separate Networks
There are three different existing networks in the college: the A block, B block and Office networks. It is more difficult to monitor the separate networks than to have a centralized network for the entire institution.

5) Mesh Network
There is no planning in the current network set-up. All the end-terminals and switches are arranged in a disorganized manner. The side effects of this topology are:
- More cabling is required.
- Detection of the point of fault is difficult.
- More effort is required in installing, modifying and maintaining the network devices.

6) No Load Balancing
There is no provision for switching to the alternate channel if the primary channel is blocked or damaged.

7) Server Location
The server is located outside the college premises. It is maintained by the host outside the college.

8) No Network Facility in Hostel
There is no internet facility for the students residing in the college hostel.

9) No Proxy Servers
There are no proxy servers, resulting in increased chances of entry of viruses and worms.

10) No Physical Security
There is no proper physical security for the server room and terminals.

V. Level of Defenses

We have an extensive choice of technologies, ranging from antivirus software packages to dedicated network security hardware, such as firewalls and intrusion detection systems, to provide protection for all areas of the network. Further tools can be deployed that periodically detect security vulnerabilities in the network, providing ongoing, proactive security. With all these options currently available, it is possible to implement a security infrastructure that allows sufficient protection together with quick access to information. A network requires multiple layers of protection to be truly secure.

Table: LEVEL OF DEFENSES

Security Level        Applicable Security Measure
5. Network Level      Access Control Lists; Intrusion Detection/Prevention Systems
4. Switch Level       MAC Filtering
3. Server Level       Security Policies; VLANs; Tokens
2. PC Level           Antivirus Packages; IP Sec; Folder Guards
1. Physical Level     Lock and Key Protected Server Room

A. Physical Level Security

Physical security is an initial concern when designing a secure network. The easiest and best means of protecting important machines like servers is to secure them under lock and key. Next, make sure to use wiring that is least susceptible to eavesdropping and snooping. Copper wiring can be tapped with greater ease than other types of cables, and is thus more vulnerable.

Install UPS (uninterruptible power supply) systems for mission-critical hardware. Deploy backup generator systems for mission-critical disaster recovery if feasible. Test and maintain UPS and/or generators based on the manufacturers' suggested preventative maintenance schedule. Monitor and alarm power-related parameters at the supply and device level. Use filtered power and install redundant power supplies on mission-critical devices.

B. PC Level Security

This level of defense includes technologies such as Antivirus Software Packages, IP Sec, host Firewalls, Folder Guards etc.

Antivirus Packages:

Virus protection software is packaged with most computers and can counter most virus threats if the software is regularly updated and correctly maintained. The package includes a virus database that helps it to identify known viruses when they attempt to strike. To keep update and maintenance costs to a minimum, all the computers on a network should be protected by the same antivirus package. It is essential to update the antivirus package on a regular basis.

IPSec:

It is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network and functions at layer 3 of the OSI model [2]. The two primary security protocols used by IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP). The AH protocol provides authentication for the data and the IP header of a packet using a one-way hash for packet authentication. AH does not offer any encryption services. The ESP protocol provides confidentiality (through the use of symmetric encryption algorithms like DES or 3DES), data origin authentication and connectionless integrity, an anti-replay service (it is based upon the receiver, meaning the service is effective only if the receiver checks the sequence number; when an attacker captures a copy of an authenticated packet and transmits it later to the intended destination, it can disrupt services, and the Sequence Number field is designed to foil this type of attack), and traffic flow confidentiality (for this, tunnel mode has to be selected; in tunnel mode, the entire IP packet is encapsulated in the body of a new IP packet with a completely new IP header, which is most effective if implemented at a security gateway, so that machines in the company network do not have to be aware of IPSec).

Firewall:

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules [3]. The firewall creates a protective layer between the network and the outside world. In effect, the firewall replicates the network at the point of entry so that it can receive and transmit authorized data without significant delay. However, it has built-in filters that can disallow unauthorized or potentially dangerous material from entering the real system. It also logs any attempted intrusion and reports it to the network administrators.

Folder Guards:

Folder Guard is a computer security software tool that lets you password-protect, hide, or restrict access to files and folders of your choice, and also restrict access to other Windows resources, such as Control Panel, Start Menu, Desktop, and more. You can configure the protection so that only specific users would be restricted, on both stand-alone and networked computers.

C. Server Level Security

This level of defense includes Port Blocking, Service Authentication, VLANs, Tokens, and Security Policies etc.

Security Policies:

Security policies are rules that are electronically programmed and stored within security equipment to control such areas as access privileges [4]. These are also written or verbal regulations by which an organization operates. The policies that are implemented should control who has access to which areas of the network and how unauthorized users are going to be prevented from entering restricted areas. The security policy management function should be assigned to people who are extremely trustworthy and have the technical competence required.

VLANs:

A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN. It allows the network administrator to have total control over each port and user, plus whatever resources each port can access. VLANs can be created in accordance with the network resources a given user requires.
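The IPSec paragraph above stresses that the ESP anti-replay service only works if the receiver actually checks the Sequence Number. The following Python receiver is an added example, not code from the paper, showing the sliding-window check in the style of RFC 4303: a packet is classified against the window first, its integrity value is verified next, and only then is the window updated, so a forged packet cannot move the window. The HMAC-based integrity value, the window size of 64 and the sample packets are assumptions of this example.

```python
"""ESP-style anti-replay window (added example; constructed data, not the paper's)."""
import hashlib
import hmac
import struct

WINDOW_SIZE = 64  # RFC 4303 requires at least 32; 64 is a common default


class AntiReplayWindow:
    """Bit i of `bitmap` is set when sequence number (top - i) has been accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # receipt bits for top, top-1, ..., top-size+1

    def check(self, seq):
        """Classify `seq` without changing state; returns (accepted, reason)."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            return True, "right of window"
        offset = self.top - seq
        if offset >= self.size:
            return False, "left of window"
        if self.bitmap & (1 << offset):
            return False, "replay (already received)"
        return True, "inside window, new"

    def update(self, seq):
        """Record `seq`; call only after the integrity check has passed."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def compute_icv(key, seq, payload):
    """Simplified integrity check value: HMAC-SHA256 over seq||payload, truncated to 96 bits.
    Constructed stand-in for ESP's ICV; extended sequence numbers are not modelled."""
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()[:12]


def receive(window, key, packets):
    """Process (seq, payload, icv) tuples in arrival order; returns a verdict per packet."""
    verdicts = []
    for seq, payload, icv in packets:
        ok, reason = window.check(seq)
        if not ok:
            verdicts.append((seq, "DROP: " + reason))
            continue
        if not hmac.compare_digest(compute_icv(key, seq, payload), icv):
            verdicts.append((seq, "DROP: bad ICV"))   # window is NOT updated
            continue
        window.update(seq)
        verdicts.append((seq, "ACCEPT"))
    return verdicts


def demo():
    """Constructed arrival sequence: in order, a replay, out of order, a forgery, a jump."""
    key = b"constructed-sample-key-not-for-real-use"
    window = AntiReplayWindow()
    mk = lambda seq, data: (seq, data, compute_icv(key, seq, data))
    p1, p2, p3, p5 = mk(1, b"a"), mk(2, b"b"), mk(3, b"c"), mk(5, b"e")
    forged = (6, b"forged", b"\x00" * 12)   # right of window but wrong ICV
    far = mk(200, b"jump")                  # slides the window far to the right
    return receive(window, key, [p1, p2, p5, p2, p3, forged, far, p5])


if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```

Checking the window before the integrity check is an optimisation (replays are dropped before the HMAC is computed); updating it only after the check is what keeps the service sound.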


Tokens:

A security token can be a physical device that an authorized user of computer resources is given to ease authentication. They are used to prove one's identity electronically. Hardware tokens typically store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. The simplest security tokens do not need any connection to a computer. Other tokens connect to the computer using wireless techniques. A newer form of token is the mobile device, which communicates over an out-of-band channel (like voice, SMS etc.). Disconnected tokens have neither a physical nor a logical connection to the client computer. They use a built-in screen to display the generated authentication data, which the user enters manually via the keyboard. Connected tokens are tokens that must be physically connected to the client computer. These tokens automatically transmit the authentication information to the client computer once the physical connection is made, eliminating the need for the user to manually enter the authentication information. [5]

D. Switch Level Security

This level of defense includes VLANs, MAC policies and MAC filtering.

MAC Filtering:

MAC filtering refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of black lists and white lists. While giving a wireless network some additional protection, MAC filtering can be circumvented by sniffing a valid MAC address and then changing one's own MAC address to the validated one.

E. Router Level Security

This level of defense includes Access Control Lists.

Access Control Lists:

An access list is a list of conditions through which the router can control (permit or deny) packets on the basis of source and destination address and protocol. Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not compared against any more access list statements. Because of this, the order of the statements within any access list is significant. Access lists can be applied as inbound or outbound access lists. Inbound access lists process packets as they enter a router's interface and before they are routed. Outbound access lists process packets as they exit a router's interface and after they are routed.

Intrusion Detection/Prevention Systems:

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies or standard security practices. An Intrusion Detection System (IDS) is software that automates the intrusion detection process. An Intrusion Prevention System (IPS) is software that has all the capabilities of an IDS and can also attempt to stop possible incidents [6].

VI. Proposed Network

We have discussed techniques for preventing network security threats. Now we are in a position to design a strategy for designing a secure network. Network security must follow three fundamental precepts [7]. First, a secure network must have integrity, such that all of the information stored therein is always correct and protected against fortuitous data corruption as well as willful alterations. Next, to secure a network there must be confidentiality, or the ability to share information on the network with only those people for whom the viewing is intended. Finally, network security requires availability of information to its necessary recipients at the predetermined times without exception.

Additionally, certain preliminary steps must be taken in order to assess the need for and overall level of network security. First, an appraisal of the dependence on the information within the network must be performed to know the level of security necessary to protect that information. Next, measurements must be taken of any foreseeable weakness in the current network structure as well as the design for future network security. In addition, it must be realized that security is a continuous task. Network security is not purchased once; instead it must be continually monitored and managed. Finally, network security should be an evolutionary process whereby its progression and subsequent protection occur in stages.
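The Tokens paragraph in section C describes a disconnected token that shows a code on its screen for the user to type in. The following Python example is added here and is not part of the paper; it implements that exchange with the HOTP event-based one-time password of RFC 4226, which is one common algorithm for such tokens but is not named by the paper. The shared secret is the RFC 4226 test-vector secret (public, constructed data), and the look-ahead window of 5 counters is an assumption of this example.

```python
"""Disconnected-token one-time passwords (HOTP, RFC 4226) as an added example."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """The disconnected device: press the button, read the code off the screen."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1                          # each press consumes one counter value
        return code


class TokenServer:
    """Server side: accepts a code only once and only within a small look-ahead window,
    so a code that was already used, or an old one, is rejected. The window also
    resynchronises the counter when the user pressed the button without logging in."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0                            # next counter value expected
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1                # consume this and any skipped counters
                return True
        return False


def demo():
    """Constructed session: a valid login, a replayed code, a drifted token that resyncs."""
    secret = b"12345678901234567890"               # RFC 4226 test secret (public)
    token, server = HardwareToken(secret), TokenServer(secret)
    first = token.press()
    results = [server.verify(first), server.verify(first)]   # second use is a replay
    token.press()                                  # pressed but never submitted
    results.append(server.verify(token.press()))   # still inside look-ahead: accepted
    return first, results, server.counter


if __name__ == "__main__":
    print(demo())
```

The server never stores the codes themselves, only the shared secret and the next expected counter; the look-ahead bounds how far a lost or unused press may drift before the token must be re-enrolled.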
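Because the paper's own network is monitored, not just filtered, the two router-level measures of section E fit together: the access list decides each packet on its first matching statement (with the router's implicit deny at the end), and the intrusion-detection logic analyses the resulting denial log for signs of an incident. The following Python example is added here and is not code from the paper; the addresses, access-list statements, sample packets and the simple "many denied ports from one source" detection rule are all constructed assumptions of this example.

```python
"""Ordered access list with first-match semantics plus a detection rule over its
denial log (added example; all addresses and rules are constructed sample data)."""
import ipaddress
from collections import defaultdict

# Statement order matters: the first matching statement decides.
# Fields: action, protocol ("any"/"tcp"/"udp"), source net, destination net, dest port
INBOUND_ACL = [
    ("permit", "tcp", "10.1.0.0/16", "10.1.50.10/32", 443),    # students -> web portal
    ("permit", "udp", "10.1.0.0/16", "10.1.50.53/32", 53),     # students -> DNS
    ("deny",   "any", "10.1.0.0/16", "10.1.50.0/24", "any"),   # students -> other servers
    ("permit", "any", "10.1.0.0/16", "0.0.0.0/0", "any"),      # students -> Internet
    # implicit "deny any any" follows, as on a router
]

SAMPLE_PACKETS = [  # constructed; dst 203.0.113.5 is a documentation-range address
    {"src": "10.1.7.20", "dst": "10.1.50.10", "proto": "tcp", "dport": 443},
    {"src": "10.1.7.20", "dst": "10.1.50.53", "proto": "udp", "dport": 53},
    {"src": "10.1.7.20", "dst": "203.0.113.5", "proto": "tcp", "dport": 80},
    {"src": "10.1.7.99", "dst": "10.1.50.20", "proto": "tcp", "dport": 22},
    {"src": "10.1.7.99", "dst": "10.1.50.20", "proto": "tcp", "dport": 3389},
    {"src": "10.1.7.99", "dst": "10.1.50.20", "proto": "tcp", "dport": 445},
    {"src": "192.168.9.5", "dst": "10.1.50.10", "proto": "tcp", "dport": 443},
]


def evaluate_acl(acl, packet):
    """Top-down, first match wins. Returns (action, index); index None = implicit deny."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for i, (action, proto, s_net, d_net, port) in enumerate(acl):
        if proto != "any" and proto != packet["proto"]:
            continue
        if src not in ipaddress.ip_network(s_net):
            continue
        if dst not in ipaddress.ip_network(d_net):
            continue
        if port != "any" and port != packet.get("dport"):
            continue
        return action, i          # later statements are never consulted
    return "deny", None


def filter_inbound(acl, packets):
    """Apply the list as packets enter the interface; returns (forwarded, deny_log)."""
    forwarded, deny_log = [], []
    for p in packets:
        action, idx = evaluate_acl(acl, p)
        if action == "permit":
            forwarded.append(p)
        else:
            deny_log.append({"src": p["src"], "dst": p["dst"],
                             "dport": p.get("dport"), "rule": idx})
    return forwarded, deny_log


def detect_probing(deny_log, threshold=3):
    """IDS rule: one source denied on >= threshold distinct ports of one host is
    reported as probable probing of a restricted server. Returns a list of alerts."""
    seen = defaultdict(set)
    for e in deny_log:
        seen[(e["src"], e["dst"])].add(e["dport"])
    return [{"src": s, "dst": d, "ports": sorted(x for x in p if x is not None)}
            for (s, d), p in seen.items() if len(p) >= threshold]


def demo():
    forwarded, deny_log = filter_inbound(INBOUND_ACL, SAMPLE_PACKETS)
    return forwarded, deny_log, detect_probing(deny_log)


if __name__ == "__main__":
    fwd, denied, alerts = demo()
    print(len(fwd), "forwarded,", len(denied), "denied")
    for a in alerts:
        print("ALERT", a)
```

Swapping the broad "permit to Internet" statement above the "deny to servers" statement would silently permit the three denied packets, which is the ordering hazard the paragraph on access lists describes; an IPS would additionally act on the alert, for instance by inserting a temporary deny for the source.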


Features of the proposed plan:
- Centralized Network
- Redundancy
- Multiple ISPs (Internet Service Provider)
- Network with Load Balancing

A. Centralized Network

We have discussed the mesh network in the college, so we are going to propose a centralized network that can be implemented using UTMs (Unified Threat Management). A centralized computer network is a system in which all the resources are stored and managed at one place. Centralization makes it easy for the system administrator to keep all the resources consistent and in accurate form, while in a distributed system all the sites containing the data and resources need to be managed separately. We can easily back up the data that is stored only at one place. It is also very easy to protect the system from unauthorized access, because there is only one site on the network that needs protection.

B. Redundancy

Redundancy, in internetworking, is the duplication of connections, devices or services that can be used as a backup in events like a primary connection or service failure.

C. Multiple ISPs (Internet Service Provider)

A multiple-ISP solution addresses more than alternate pathways and disaster recovery. It can also provide a solution for network traffic jams or supply network isolation for specific applications.

D. Network with Load Balancing

Load Balancing, a clustering technology, enhances the scalability and availability of mission-critical, TCP/IP-based services, such as Web, Terminal Services, virtual private networking, and streaming media servers. Network Load Balancing distributes IP traffic across multiple cluster hosts. It also ensures high availability by detecting host failures and automatically redistributing traffic to the surviving hosts. The unique and fully distributed architecture of Network Load Balancing enables it to deliver very high performance and failover protection.

Fig 4: REDUNDANT NETWORK WITH LOAD BALANCING

VII. Conclusion

Networks must be secure in order to protect against threats to their integrity; otherwise the loss or misuse of information can be catastrophic. The paper set upon defining the role of network security and hoped to explain further how to achieve that role. The changing strategy for developing a secure network coincides with the creation of new threats; therefore, it is an evolutionary process constantly changing to meet new requirements. In conclusion, computers and software are now part of a world-wide network, making them more susceptible to threats and thus demanding network security.

REFERENCES

[1] Shaffer, Steven L., and Alan R. Simon, Network Security, Academic Press, 1994.
[2] Cisco Certified Network Associate, Study Guide, Todd Lammle, 6th edition.
[3] Microsystems Networking and Security Solutions. URL: http://www.i2sc.org
[4] A Beginner's Guide to Network Security, Cisco Systems.
[5] Security Tokens, Wikipedia. URL: http://en.wikipedia.org/wiki/Security_token
[6] Alexander, Michael, The Underground Guide to Computer Security, Addison-Wesley Publishing Company, 1996.
[7] Guide To Intrusion Detection And Prevention Systems (IDPS), recommendation of the National Institute of Standards and Technology (Special Publication 800-94). URL: csrc.nist.gov
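The load-balancing paragraph above describes two behaviours: traffic is distributed across the cluster hosts, and when a host fails its traffic is redistributed to the surviving hosts. The following Python example is added here and is not code from the paper or from any load-balancing product; it models a health-checked cluster with rendezvous hashing, a choice made for this example because it moves only the failed host's flows and leaves every other client on its existing host. Host names, client addresses and the simulated health probe are constructed.

```python
"""Health-checked load balancer with failover (added example; constructed data)."""
import hashlib


def _score(client_ip: str, host: str) -> int:
    """Rendezvous hashing: each (client, host) pair gets a score; the client goes to the
    live host with the highest score. Removing a host only moves that host's clients."""
    return int(hashlib.sha256(f"{client_ip}|{host}".encode()).hexdigest(), 16)


class LoadBalancer:
    def __init__(self, hosts):
        self.hosts = sorted(hosts)
        self.down = set()

    def health_check(self, probe):
        """probe(host) -> True if the host answers. Returns the state changes found."""
        changes = []
        for h in self.hosts:
            alive = probe(h)
            if alive and h in self.down:
                self.down.discard(h)
                changes.append((h, "up"))
            elif not alive and h not in self.down:
                self.down.add(h)
                changes.append((h, "down"))
        return changes

    def live_hosts(self):
        return [h for h in self.hosts if h not in self.down]

    def select(self, client_ip: str) -> str:
        live = self.live_hosts()
        if not live:
            raise RuntimeError("no healthy hosts: service unavailable")
        return max(live, key=lambda h: _score(client_ip, h))


def distribute(lb, clients):
    """Map every client flow to the host that will serve it right now."""
    return {c: lb.select(c) for c in clients}


def demo():
    """Constructed scenario: normal operation, one host fails, the host recovers."""
    lb = LoadBalancer(["web1", "web2", "web3"])
    clients = [f"10.1.7.{i}" for i in range(1, 13)]
    before = distribute(lb, clients)
    lb.health_check(lambda h: h != "web2")    # web2 stops answering the probe
    during = distribute(lb, clients)
    lb.health_check(lambda h: True)           # web2 is back
    after = distribute(lb, clients)
    return before, during, after


if __name__ == "__main__":
    before, during, after = demo()
    moved = [c for c in before if before[c] != during[c]]
    print("flows moved while web2 was down:", moved)
```

The same selection logic applies one level up to the multiple-ISP design in section C: the "hosts" become upstream links, and the health probe becomes a reachability test through each link.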
