Security infrastructure design document

This document gives an overview of the security standards and implementations the company will adopt to reach its designated goals and meet its legal requirements.

Premises:
- the company is a small but growing organization with 50 employees in one small office;
- the company is an online retailer of the world's finest artisanal, hand-crafted widgets.

Requirements:
1) An external website permitting users to browse and purchase widgets
2) An internal intranet website for employees to use
3) Secure remote access for engineering employees
4) Reasonable, basic firewall rules
5) Wireless coverage in the office
6) Reasonably secure configurations for laptops

First, we will implement a firewall, or check whether the one the company already has is a good enterprise firewall and is updated with the latest patches and firmware. Then we will configure the basic firewall rules. Since we are starting from scratch, we apply the concept of implicit deny: any traffic that is not explicitly permitted is denied. As we implement the external website, the internal intranet and so on, we will create rules that allow only the traffic those implementations need.

We will implement, if the company does not already have them, enterprise switches with a feature called DHCP snooping. This lets us monitor DHCP traffic, track IP assignments and map them to the hosts connected to each switch port. It will be used to protect against IP spoofing and ARP poisoning attacks. IP spoofing means faking an IP address for deceptive purposes, while ARP (Address Resolution Protocol) poisoning means manipulating ARP to redirect traffic maliciously. We will use DHCP snooping, IP Source Guard and DAI (Dynamic ARP Inspection) to prevent and detect these types of attack. Furthermore, we will use an IDS/IPS (intrusion detection system and intrusion prevention system) to monitor and analyze network traffic.
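As an added example that is not part of the original document, the following nftables ruleset shows the implicit-deny policy described above with explicit allow rules for requirements 1 to 4 (external shop, intranet, engineering VPN over L2TP/IPsec, guest isolation); the interface names, VLAN numbers and addresses are constructed assumptions, not the company's real layout.

```nft
#!/usr/sbin/nft -f
# Added example, not the company's actual configuration. Constructed layout:
#   eth0     internet uplink
#   eth1.10  staff VLAN         10.0.10.0/24
#   eth1.20  engineering VLAN   10.0.20.0/24
#   eth1.30  guest Wi-Fi VLAN   10.0.30.0/24
#   eth1.40  server VLAN        (intranet 10.0.40.10, AD domain controller 10.0.40.5)
#   eth2     DMZ with the external shop web server 192.0.2.10
#   ppp*     L2TP/IPsec VPN clients (engineering only), terminated on this host
flush ruleset

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;    # implicit deny
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Requirement 3: IKE, NAT-T and ESP for the L2TP/IPsec VPN from the internet
        iifname "eth0" udp dport { 500, 4500 } accept
        iifname "eth0" meta l4proto esp accept
        # L2TP control channel is accepted only if it arrived inside the IPsec tunnel
        iifname "eth0" meta ipsec exists udp dport 1701 accept
        # Firewall management only from the engineering VLAN
        iifname "eth1.20" tcp dport 22 accept
        iifname "eth1.*" icmp type echo-request limit rate 10/second accept
        limit rate 5/second log prefix "fw-input-drop: "   # feed the IDS/SIEM
    }

    chain forward {
        type filter hook forward priority 0; policy drop;  # implicit deny
        ct state established,related accept
        ct state invalid drop
        # Requirement 1: the shop is reachable from anywhere, HTTPS only
        oifname "eth2" ip daddr 192.0.2.10 tcp dport 443 accept
        # Requirement 2: intranet for staff, engineering and VPN clients, never for guests
        iifname { "eth1.10", "eth1.20" } ip daddr 10.0.40.10 tcp dport 443 accept
        iifname "ppp*" ip daddr 10.0.40.10 tcp dport 443 accept
        # Active Directory: DNS, Kerberos, LDAP, SMB and NTP from the office VLANs to the DC
        iifname { "eth1.10", "eth1.20" } ip daddr 10.0.40.5 tcp dport { 53, 88, 389, 445 } accept
        iifname { "eth1.10", "eth1.20" } ip daddr 10.0.40.5 udp dport { 53, 88, 123 } accept
        # Guest VLAN gets the internet and nothing else
        iifname "eth1.30" oifname "eth0" accept
        # Office VLANs out to the internet (software updates, AV signatures)
        iifname { "eth1.10", "eth1.20", "eth1.40" } oifname "eth0" accept
        limit rate 5/second log prefix "fw-forward-drop: "
    }
}
```

Source NAT for outbound office traffic, the VPN client address pool and IPv6 are deliberately left out; they belong in a separate nat-hook chain and in the VPN server configuration. Anything not matched by an accept line above is logged and dropped by the chain policy, which is the implicit deny in practice.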
Second, we will set up the internal intranet website for employees and the internal network. We will use VLANs (Virtual Local Area Networks) to create separate local area networks, segregate traffic and enhance security; the guest network will be separated from the internal network to isolate potential threats. We will use Windows Active Directory for internal network authentication, with Kerberos issuing tickets for the allowed services and software. Internal machines will also require a YubiKey, so that to access the physical machine the user has to physically touch the key. This creates a secure multi-factor authentication environment. Thanks to Active Directory we will be able to give organizational units unique permissions on the folders and databases they need, based on the users' field of work. This will also help monitor, protect and account for the privacy of sensitive customer data.

Internal and external laptops will be required to have a TPM (Trusted Platform Module) integrated, which gives those devices more security as they have integrated cryptographic keys. In addition, external devices will have to use FDE (full disk encryption) to protect data in case they are stolen or lost. We will give external users access to the internal website and storage through a VPN using L2TP over IPsec, which is a very secure protocol. Remote access will be given only to the engineering employees organizational unit. Their laptops will have special configurations and policies, which all internal PCs will also have, such as:
- Strong password and multi-factor authentication
- FDE
- Enforced regular software updates and security patches
- Anti-virus, regularly updated
- Firewall (it is recommended to have both a host and a network firewall)
- Laptops will have the VPN configured and the service allowed; other PCs will not
- All unnecessary ports and services disabled
- Laptops and mobile devices, if used to connect to the company, will have remote wipe and a tracking system enabled
- Enforced regular data backups
- Mobile devices will have MDM (Mobile Device Management) and EMM (Enterprise Mobility Management) configured to allow the company to manage the devices remotely

Security and privacy policy

Recommended courses and quizzes will be given to employees once a year. Employees will be trained on the overall security and privacy policies, such as data classification and incident response procedures. For example, they will be trained to recognize phishing emails and other malware threats, to apply software updates regularly, and to use strong passwords.

In the office there will be some APs (access points) to provide Wi-Fi. WPS will be disabled. The APs will use a strong pre-shared key with WPA2 and AES encryption. This will give very secure Wi-Fi access in the office.

The company will have a NAS (Network Attached Storage) to regularly back up the internal database storage, the internal website and the external website, practically all data on the servers. The server will control and enforce policies on applications. It will implement Microsoft Defender 365 on the server and on the endpoints.

The internal website will implement RBAC (role-based access control) to assign permissions and limit access based on job roles and responsibilities. It will have encryption enabled to protect communication between the employees' browsers and the internal website, using the HTTPS protocol, which encrypts data and prevents unauthorized interception. Furthermore, session management, logging and monitoring will be implemented.
The external website will have stronger protections:
- Access control with multi-factor authentication
- Secure coding practices and the least privilege principle, to prevent common attacks such as SQL injection and XSS (cross-site scripting)
- Regular vulnerability scanning with specialized tools and software
- A WAF (Web Application Firewall), which will provide an additional layer of protection and prevent DDoS attacks, injection attempts and malicious file uploads
- SSL/TLS encryption to protect communication between the user and the website, with an SSL/TLS certificate installed to enable HTTPS
- Content Security Policy
- Regular patch management to update its components and plugins
- Regular security audits and penetration tests (these will also have to be done on the entire internal network and on the endpoint devices)

As the company will handle customer credit card payments, PCI DSS (Payment Card Industry Data Security Standard) must be followed, as it is a legal requirement. Many of its requirements are already covered by the implementations described so far. Other steps that can be taken are:
- Assign a unique ID to each person
- Restrict physical access to cardholder data
- Do not use vendor-supplied default passwords or security parameters, etc.

This document is a summary of the implementation that will be done, but it is not exhaustive. Many other implementations will emerge while integrating the ones suggested here, and they will also be modified as new technologies are discovered and old ones implemented.