Logical Diagram

Main Objective

To have a better security design for the company for a lower cost. Sensitive information must not be seen nor intercepted by unauthorized people. Improve companys security strength to reduce public doubts on company. To prevent or minimize web server downtime. Able to investigate any attack on any system real time, cause, source and able to mitigate it fast enough to reduce damage.

Wide Area Network(WAN) Connectivity

Connection
Although lease line are more secure but it is costly, we will be replacing lease line with Internet Protocol Security(IPsec) and Site to Site Virtual Private Network(VPN) on the connection to act as a private line, it is secure like lease line and cheaper than lease line.

Routers
- We have disabled telnet and enabled SSH for management to router from any location because telnet is not secure. - We recommend setting up security on the routers such as setting passwords on the console.

Wide Area Network(WAN) Connectivity

Mobile Users
Since most the of staff in Everest Pte Ltd are mobile in order to get business for the company, we will setup remote access VPN for mobile users to securely connect back to HQ to access the resources.

Equipment

New Equipment/Software Antivirus - Symantec endpoint protection 12.1.2 (Cost $54.18usd for one license a year.) Firewall appliances - Fortinet fortigate 100d (Cost $1,560.00usd) Snort Network Access Control Windows Server Update Service

Security

Antivirus
We have implemented Symantec endpoint protection to replace the freeware antivirus because Symantec endpoint protection will be able to protect against virus(Even against zero day attack) and it even has an intrusion prevention system to protect PCs and prevent data from being stolen or corrupted.

Firewall
We will be using the firewall feature which comes with Symantec endpoint protection along with Fortigate 100D physical firewall together with the built in firewall in Windows.

Security

Central Control
We have implemented central control by integrating Network access control(NAC) and Windows server update services(WSUS) to enhance the security deployment and push updates and patches to computers using windows server update services to keep computers up to date with the latest patch.

Web Server
We will implement redundancy and frequent backups on the webserver to reduce downtime, we will also implement Intrusion Prevention System(IPS) to prevent DoS attack and will have a monitoring service to notify Everest immediately if the server went down.

Security

Intrusion Prevention System(IPS) and Intrusion Detection System(IDS)

We will be installing Snort which is an IPS/IDS to prevent intrusion and DoS attacks. Snort is an Open Source IDS/IPS which fits the requirement to reduce the cost without compromising security.

Security administrator
We encourage Everest to hire a network security administrator to handle the security concerns and enforce policy among staffs as well as to send the staffs to accredited academy for basic security training.

Staffs

Enforce Staffs Security

- Rules and Regulations set to prevent unauthorized access. - Configure security policy to quarantine or allow depending on whether their laptops or PCs meet the requirements set. - Staffs should be informed not to download freeware using companys network. - Staffs should be enforced to use companys mail system for exchanging companys information and not personal mail as data might be leaked if the email is hacked. - Personal laptop should be protected with password to prevent information theft if laptop is lost or stolen. - Staffs should be caution of social engineering when working in public areas, such as caf or park.

Q&A

Q: What is Zero Day Virus/Exploit ? A: A zero-day (or zero-hour or day zero) attack or threat is an attack
that exploits a new vulnerability in a computer application during the first 24 hours of it's first appearances.

Q:What is IPsec ? A: IPsec is a commonly used protocol to secure Internet Protocol

versions 4(IPv4).y