SMITH AND JONES AUCTIONEERS NETWORK SECURITY
As technology evolves, most companies are shifting their business transactions online over the Internet. The increasing reliance on technology means that companies must work on securing all their online business transactions and critical business information. According to the British insurance firm Lloyds, businesses lose close to 400 billion dollars every year from cybercrime. Therefore, network security is today one of the most critical business decisions to make as we migrate our businesses online. This paper describes network security and cryptography best practices for an online auction firm, Smith and Jones Auctioneers.
Task 1: Risk Assessment
Smith and Jones Auctioneers’ principal business involves public online auctions across multiple cities. Therefore, the company holds various electronic information assets distributed across multiple sites. The most crucial information asset for Smith and Jones is its web server, which enables online auctions. The database that contains the products to be auctioned and their metadata, such as price and specifications, is also integral to the company’s operations. The database storing bidders’ information is also a critical asset since more than half of the bidders participate online. Their data should never be compromised; this ensures a good user experience. Smith and Jones employees’ database is also a valuable information asset. This data should not be accessible to the public, to protect the integrity of the company’s public auctions. All the company’s files containing information such as the network structure, system design, employee emails, and the internal organizational structure are critical information assets. The company’s financial data is also a valuable asset; owing to the nature of its business operations, this information should be secure and only accessible to the right personnel.
Risk assessment table
Asset | Threat | CIA | Likelihood | Impact | Risk |
Auction Products Database | System Failure, e.g., server failure, natural disasters | A | Low | High | Medium |
Auction Products Database | Malicious Attacks, e.g., DDoS, SQL & NoSQL Injections | I | Medium | Medium | Medium |
Auction Products Database | Human Interference, e.g., employee theft, accidental deletions | C | Medium | Low | Low |
Clients and Employees Database | System Failure, e.g., server failure, natural disasters | A | Low | Medium | Low |
Clients and Employees Database | Malicious Attacks, e.g., DDoS, SQL & NoSQL Injections | I | Medium | Medium | Medium |
Clients and Employees Database | Human Interference, e.g., employee theft, accidental deletions | C | Medium | Low | Low |
Company Web Services | System Failure, e.g., server failure, natural disasters | A | Low | Low | Very Low |
Company Web Services | Malicious Attacks, e.g., DDoS, MitM, Malware | I | Medium | Medium | Medium |
Company Web Services | Human Interference, e.g., employee theft, accidental deletions | C | Medium | Low | Low |
Company’s Financial Data | Human Interference, e.g., unauthorized access, accidental deletions | I | Low | Low | Very Low |
Company Internal Files | Human Interference, e.g., employee theft, accidental deletions | I | Low | Low | Very Low |
Task 2: Controlling the risks
The main risks to Smith and Jones Auctioneers are server failures and malicious attacks, which would affect its web processes and the databases containing product information and client data. Owing to the company’s online operations, the inability to control these risks could lead to substantial financial losses, loss of customers, and a bad reputation. The necessary steps to manage these risks are described below.
Server failures are caused by either internal or external threats. Internal threats include cases such as fires in the data center, power outages, hardware failures, and human errors. External threats include malicious attacks such as a distributed denial of service (DDoS), network infiltration, malware attacks, or natural disasters such as flooding and earthquakes (Vacca, n.d.). To control the risks associated with server failures, the company should implement preventive measures.
Network design and configuration are vital in preventing server failures from physical influences such as floods, power outages, and fires. The server rooms should have fire protection systems. These include fire detection sensors, automatic fire extinguishers, and the use of insulation material. Server rooms are prone to overheating; therefore, to prevent failure, there needs to be a robust ventilation and cooling system. The use of standby generators helps bridge supply gaps caused by power failures from the primary electricity grid, therefore mitigating server failures (Stallings, 2017).
High availability refers to the availability of an extra piece of every component in a computer system to cater for failure scenarios. High availability is achieved by creating redundancies for elements such as processors, memory, storage disks, and input and output units. High availability prevents server failures caused by faulty components. Also, it is advisable to implement a failover system consisting of a secondary standby server. This replication allows for business continuity when the primary server fails.
Malicious attacks that lead to server failures or loss of data integrity are more likely than physical failures. Therefore, to ensure smooth business operations, Smith and Jones should implement defense systems and high availability systems. To keep hackers and unauthorized users out of the company’s network, web server, and databases, there should be an Intrusion Detection System (IDS), multiple firewalls, and a demilitarized zone. Intrusion detection systems allow us to monitor our network and servers continuously. The detection systems prevent malware attacks based on global pattern recognition and statistical analysis of similar malware. An IDS can be configured to provide alerts when there is an automated software attack on our network or any unauthorized access to the network, allowing the network security team to take cautionary measures to mitigate possible attacks. An example of an intrusion detection system that can be used is a Cisco Next-Generation IPS.
Smith and Jones Auctioneers’ internal network should be completely isolated from the public Internet. To achieve this isolation, all the company’s infrastructure should be behind a firewall. However, since the auction takes place via the company’s website, we should isolate the webserver from the internal network into a demilitarized zone protected with another firewall. This setup allows secure public access to the website while eliminating any threats to the internal network containing the databases.
Access control and network segregation can also be used to prevent cyber-attacks. Network segregation means that network traffic is classified based on a given criterion. Smith and Jones can segregate their network based on location. This makes it easier to enforce security policies and assign access rights based on location. Since the company expects multiple users within its network, implementing a network access control can minimize the chances of a malicious attack. An example of an access control scheme is where administrators grant employees access to department-specific applications, while guests are only allowed access to public information.
The organization should use antivirus and antimalware applications to protect their network from malicious software such as viruses, Trojans, worms, and ransomware. An excellent antimalware application scans every file upon entry to the company’s network; it should also continuously track and monitor the file’s behavior for any suspicious activity.
Encryption and Algorithms
The company’s website and databases are central to its business operations. In addition to the risk controls above, encryption provides an extra layer of security to the databases and web server. Encryption algorithms transform plain text into ciphertext, which can only be accessed from a pair of keys generated at encryption. Database encryption can be achieved using either AES (the Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman), or 3DES (Triple Data Encryption). AES is a symmetric block cipher. It can be implemented with 128-, 192-, or 256-bit keys. RSA is an asymmetric algorithm that uses public and private key pairs; the public key is used in encryption while the private key is used in decryption. 3DES is also a block cipher; it uses 56-bit keys to encrypt three times. Of the three encryption methods, AES is much the fastest. The auction process involves multiple queries to the database, and therefore AES would be the best encryption method for Smith and Jones to achieve faster and more efficient business processes.
The web server handles sensitive information across multiple clients; to ensure security, the server should be encrypted using SSL (Secure Socket Layer). SSL enables secure HTTP (HTTPS) communication between clients and the server. This encrypted communication prevents man-in-the-middle attacks.
The company expects more than 500 connections over Wi-Fi at each of its sites. To ensure that clients’ information is encrypted and safe from malicious attacks, the Wi-Fi network should be encrypted using WPA2 (Wi-Fi Protected Access 2). WPA2 uses the Advanced Encryption Standard (AES); hence it’s the best Wi-Fi encryption standard.
Task 3: Setting up the VPN
A site-to-site VPN (virtual private network) is a connection between two or more networks. Site-to-site VPNs are used widely in corporations that want to connect their central office to their branch offices. For example, Smith and Jones Auctioneers would implement a site-to-site VPN to connect their new sites in Mexico and Manchester to the main office in Canada while peering with the other sixty locations. A site-to-site VPN can be implemented using the hub-and-spoke topology, the point-to-point topology, or the full mesh topology.
Hub-and-Spoke Topology
The hub-and-spoke VPN topology connects the central hub (office) to multiple remote sites known as spokes. The technology implements separate secure tunnels for communication between the central hub and each remote site (spoke). The hub-and-spoke topology models an intranet VPN that utilizes a third-party network or the Internet to connect the main office with branch offices (Deal, 2006). This topology provides all employees full access to their enterprise network from any of the remote offices. Most of the traffic is generated from the hosts at the spokes (remote offices), and in some instances, there is traffic generated from the hub to the spokes. The topology provides for failover in cases of failure. One can configure a backup hub to be used by all remote sites in case of failure of the primary tunnel.
Full Mesh Topology
A full mesh VPN topology is ideal for a network where all peers are in communication with each other. This topology allows every remote site to communicate with other sites via a unique and secure IPsec tunnel. Unlike the hub-and-spoke topology, all sites within the mesh topology are peers. The peer-to-peer relationship is advantageous since it reduces congestion at the VPN gateway and provides for redundancy. Failure at one node does not affect the topology; other sites can still communicate with each other directly or through other nodes (Deal, 2006).
I would recommend that Smith and Jones Auctioneers use the full mesh VPN topology, since this would allow peer-to-peer communication between its sixty sites, therefore enabling seamless auctions across any of the sites. The topology also provides for redundancy, thus enabling business continuity.
Figure: Site-to-site VPN, Mexico, Manchester, and Canada
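The trade-off between the two topologies can be worked through for sixty sites. The following is an added example, not part of the original paper: it counts the tunnels each topology needs and how many site pairs can still communicate after one site fails. The site names other than Canada, Mexico and Manchester are constructed, and a total of sixty sites with no backup hub is an assumption.

```python
from itertools import combinations

# "Canada", "Mexico" and "Manchester" come from the paper; the rest are constructed names.
SITES = ["Canada", "Mexico", "Manchester"] + [f"site-{i:02d}" for i in range(4, 61)]

def hub_and_spoke(sites, hub):
    """One tunnel from the hub to every other site."""
    return {frozenset((hub, s)) for s in sites if s != hub}

def full_mesh(sites):
    """One tunnel between every pair of sites: n*(n-1)/2 in total."""
    return {frozenset(pair) for pair in combinations(sites, 2)}

def connected_pairs(sites, tunnels, failed):
    """Pairs of surviving sites that can still reach each other once `failed` is down."""
    alive = set(sites) - {failed}
    neighbours = {s: set() for s in alive}
    for a, b in (tuple(t) for t in tunnels if failed not in t):
        neighbours[a].add(b)
        neighbours[b].add(a)
    pairs, seen = 0, set()
    for start in alive:
        if start in seen:
            continue
        component, stack = set(), [start]   # depth-first walk of one connected group
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(neighbours[node] - component)
        seen |= component
        pairs += len(component) * (len(component) - 1) // 2
    return pairs

if __name__ == "__main__":
    hub, mesh = hub_and_spoke(SITES, "Canada"), full_mesh(SITES)
    print("tunnels:", len(hub), "hub-and-spoke vs", len(mesh), "full mesh")
    print("pairs left after Canada fails:",
          connected_pairs(SITES, hub, "Canada"), "vs",
          connected_pairs(SITES, mesh, "Canada"))
```

The full mesh survives the loss of any single site, but each of its tunnels is a separate IPsec peering whose keys and configuration must be maintained.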
Firewall and firewall rules
Firewalls are network devices used to monitor inbound and outbound network traffic and make decisions on whether to permit or block packets based on a set of predefined rules. A firewall can either be hardware or software. They are vital in mitigating cyber-attacks by creating a barrier between the internal network and the public Internet. The standard firewall rules are as defined below.
Default policy
The default policy is the manufacturer’s default firewall configuration; it consists of rules to drop or accept specific traffic. An example would be to drop all traffic destined for port 22 and accept all traffic destined for port 80.
Incoming and Outgoing Traffic
These rules control inbound and outbound traffic based on criteria such as the source and destination IP addresses, the destination port number, and the traffic protocol.
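How such rules combine with a default policy can be shown with a small first-match evaluator. This is an added example, not part of the original paper: the addresses, the rule set and the `shadowed` check are constructed for illustration, and first-match ordering with a default policy of drop is an assumption.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network
ANY = "0.0.0.0/0"
WEB = "203.0.113.10/32"   # constructed address for the DMZ web server
LAN = "10.0.0.0/8"        # constructed internal network

@dataclass(frozen=True)
class Rule:
    action: str      # "accept" or "drop"
    direction: str   # "in" or "out"
    src: str         # source network (CIDR) or single address
    dst: str         # destination network (CIDR) or single address
    proto: str       # "tcp", "udp" or "any"
    dport: int       # destination port, 0 = any port

RULES = [
    Rule("drop",   "in",  ANY, ANY, "tcp", 22),    # the paper's example: drop port 22
    Rule("accept", "in",  ANY, WEB, "tcp", 80),    # the paper's example: accept port 80
    Rule("accept", "in",  ANY, WEB, "tcp", 443),   # HTTPS to the auction site
    Rule("accept", "in",  "198.51.100.0/24", WEB, "tcp", 22),  # never fires: rule 0 matches first
    Rule("accept", "out", LAN, ANY, "tcp", 443),   # internal hosts may use HTTPS
]
DEFAULT_POLICY = "drop"   # assumption: traffic that no rule matches is dropped

def covers(a, b):
    """True if everything rule b matches is also matched by rule a."""
    return (a.direction == b.direction
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport in (0, b.dport))

def decide(direction, src, dst, proto, dport, rules=RULES):
    """First matching rule wins; otherwise the default policy applies."""
    packet = Rule("", direction, src, dst, proto, dport)  # a packet is a one-host rule
    for rule in rules:
        if covers(rule, packet):
            return rule.action
    return DEFAULT_POLICY

def shadowed(rules=RULES):
    """Indexes of rules fully covered by an earlier rule, so they can never fire."""
    return [j for j, late in enumerate(rules)
            if any(covers(early, late) for early in rules[:j])]
```

Running `shadowed()` on a rule set before deployment flags entries such as rule 3, which reads as if it permits SSH from one network but has no effect because of rule order.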
Task 4: Maintaining Security
Network security is critical for any business’s success, especially a business that conducts most of its operations online, such as Smith and Jones Auctioneers. Human beings are the weakest link in network security; therefore, to ensure security standards are maintained at the firm, all employees should undergo training on network security. Employees are vulnerable to social engineering attacks and phishing schemes via their email addresses. All users of the company’s network should be enlightened on the need for strong passwords on all user accounts. They should also learn to be careful with suspicious emails and website links that could potentially contain malware. In addition to this, the company should implement strong network security policies such as access control, network segregation, and the use of antivirus applications to mitigate potential attacks.
The effectiveness of any information security system can be measured through various monitoring techniques. According to ISO/IEC 27004:2016, we can measure effectiveness by outlining a set of business objectives and evaluating the results after a given period.
Stallings, W., 2017. Network Security Essentials. Harlow, England: Pearson.
Deal, R., 2006. The Complete Cisco VPN Configuration Guide. Indianapolis, Ind.: Cisco Press.
Vacca, J., n.d. Cyber Security And IT Infrastructure Protection.