Please change the words around so any fraud is not picked up

Please change the words around so any fraud is not picked up. I have highlighted the words that have to be changed in order to receive a clean paper. This should not take you that long. I need this asap. Thank you. Attached is the document. Please just change around the highlighted words.

cmit 495 security guidlines orignal.docx
Redundant Links
Implementing redundant links at the core layer ensures that network devices can find
alternate paths to send data in the event of a failure. When Layer 3 devices are placed
at the core layer, these redundant links can be used for load balancing in addition to
providing backup.
Security at the Network Edge
Many of the security risks that occur at the access layer of the network result from
poorly secured end devices. User error and carelessness account for a significant
number of network security breaches.
Three types of common security risks that occur at the access layer are as follows:
• Viruses
• Worms
• Trojan horses
Providing adequate security for end devices may not be in the scope of a network
design project. Nevertheless, the designer needs to understand the network impact of a
security incident, such as a worm or a Trojan, at an end device. The designer can then
better determine which network security measures to put in place to limit the effects on
the network.
Permitting network access to only known or authenticated devices limits the ability of
intruders to enter the network. It is important to apply wireless security measures that
follow recommended practices.
Today's networks are more likely to face an attack originating from the access layer of
the internal network than from external sources. Thus, the design of server farm
security is different from the older DMZ model. A layer of firewall features and intrusion
protection is required between the servers and the internal networks, and between the
servers and the external users. An additional security layer between the servers may
also be required.
The sensitivity of data stored on the servers and contained in the transactions traveling
the network determines the appropriate security policy for the design of the server
farm.
To achieve high availability, servers are redundantly connected to two separate switches
at the access layer. This redundancy provides a path from the server to the secondary
switch if the primary switch fails. Devices at the distribution and core layers of the
server farm network also provide redundancy and failover.
Because these servers will form the foundation of our network management and
security, we will want to create a separate management VLAN which is isolated from
the rest of the network by a firewall or access lists. The only traffic that we will allow in
the management network is either from the managed devices or protected by
encryption.
A design goal will be to keep management traffic off the production network, to
eliminate the possibility that it could be intercepted in transit. Ideally, we would
configure each device with a physical port on the management VLAN. If this is
encrypted via ssh or IPSEC. For traffic coming into a subnet, we will permit only
appropriate incoming packets, based on the policy of that subnet. Similarly, we will filter
outbound traffic to eliminate spoofing and minimize any malicious or illegitimate activities. Finally, we will want to filter traffic leaving each subnet to prevent spoofing.
The presence of incorrect source addresses could indicate either a misconfigured
machine, or one which was compromised and attempting to launch a DDOS or similar
attack.
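The per-subnet outbound filter described above can be modelled as follows. This is an added example, not part of the original document; the interface names, prefixes and packet records are constructed, and the `suspects` threshold is an assumption.

```python
import ipaddress
from collections import Counter

# Hypothetical policy: access-layer interface -> prefix assigned to that subnet.
SUBNET_POLICY = {
    "vlan10": ipaddress.ip_network("10.10.10.0/24"),
    "vlan20": ipaddress.ip_network("10.10.20.0/24"),
}

# Constructed sample records: (ingress interface, source IP, destination IP).
SAMPLE_PACKETS = [
    ("vlan10", "10.10.10.15", "192.0.2.80"),
    ("vlan10", "10.10.20.7", "192.0.2.80"),      # address from another subnet
    ("vlan20", "10.10.20.7", "198.51.100.5"),
    ("vlan20", "203.0.113.9", "198.51.100.5"),   # off-net source
    ("vlan20", "203.0.113.44", "198.51.100.5"),  # off-net source
    ("vlan30", "10.10.30.2", "192.0.2.80"),      # interface with no policy
]

def egress_filter(packets, policy):
    """Split packets into forwarded and dropped: a packet leaves its subnet
    only if its source address belongs to that subnet's prefix."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        net = policy.get(iface)
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            dropped.append((iface, src, dst, "malformed source"))
            continue
        if net is None:
            dropped.append((iface, src, dst, "no policy for interface"))
        elif src_ip not in net:
            dropped.append((iface, src, dst, "source outside subnet"))
        else:
            forwarded.append((iface, src, dst))
    return forwarded, dropped

def suspects(dropped, threshold=2):
    """Interfaces with repeated out-of-subnet sources: candidates for a
    misconfigured or compromised host worth investigating."""
    counts = Counter(i for i, _, _, why in dropped if why == "source outside subnet")
    return sorted(i for i, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS, SUBNET_POLICY)
    for rec in drop:
        print("DROP", rec)
    print("investigate:", suspects(drop))
```
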
We will use strong authentication provided by a one-time password server, such as RSA
Security’s ACE server. Encrypted communication protocols such as ssh will be used if any
(over the production network) communication is necessary. Logging to the syslog
servers located on the management network will meet our auditing requirements. As
most busy network admins may not be able to monitor every unused port, there are
many other techniques that can be used to enhance security. One technique is to
require the users to authenticate via RADIUS or LDAP before they are given access to
any resources. This technology is implemented in Cisco’s User Registration Tool
(URT). Cisco’s URT allows users to be assigned to different VLANs depending on the
credentials supplied.
Limiting the MAC addresses that are permitted to communicate on the ports is key to
layer 2 security. A flood of MAC addresses, or even a single new MAC address could
indicate an intruder, or ARP spoofing activities such as the sniff utility. Creating a static
MAC assignment ensures that frames for the designated Ethernet address are always
forwarded to the specified port, and it can prevent ARP spoofing attacks. To set a static
port on a Cisco switch, the following statement is used:
• set cam permanent aa-bb-cc-11-22-22 6/1
Another good idea is to limit the number of MAC addresses that can appear on each
port, either to one or an appropriate small number, or configure a timeout that prevents
a new MAC from appearing until a certain time period elapses. These features can be
configured with the set port security statement on a Cisco switch.
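How a per-port MAC limit and an aging timeout interact is easier to see when replayed over a sequence of frames. The model below is an added example, not part of the original document and not Cisco syntax; the class, its parameter names, the timeout value and the event list are constructed, and only the port 6/1 and MAC aa-bb-cc-11-22-22 come from the statement above.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Model of a switch port with a MAC limit and an aging timeout.
    Parameter names are hypothetical, not switch configuration keywords."""
    max_macs: int = 1
    age_seconds: int = 300
    learned: dict = field(default_factory=dict)  # mac -> last-seen time

    def frame(self, now, mac):
        # Forget addresses that have been silent for the whole timeout.
        self.learned = {m: t for m, t in self.learned.items()
                        if now - t < self.age_seconds}
        if mac in self.learned or len(self.learned) < self.max_macs:
            self.learned[mac] = now
            return "forward"
        return "violation"

# Constructed events: (seconds, port, source MAC).
EVENTS = [
    (0,   "6/1", "aa-bb-cc-11-22-22"),
    (10,  "6/1", "aa-bb-cc-11-22-22"),
    (20,  "6/1", "de-ad-be-ef-00-01"),  # second MAC on a one-MAC port
    (21,  "6/2", "00-00-5e-00-53-01"),
    (22,  "6/2", "00-00-5e-00-53-02"),
    (23,  "6/2", "00-00-5e-00-53-03"),  # exceeds the limit of two
    (400, "6/1", "de-ad-be-ef-00-01"),  # first MAC aged out, so this is allowed
]

def build_ports():
    """One-MAC limit on 6/1, two-MAC limit on 6/2."""
    return {"6/1": SecurePort(max_macs=1), "6/2": SecurePort(max_macs=2)}

def replay(events, ports):
    """Return the (time, port, mac) tuples that violate the port policy."""
    violations = []
    for now, port, mac in events:
        if ports[port].frame(now, mac) == "violation":
            violations.append((now, port, mac))
    return violations

if __name__ == "__main__":
    for v in replay(EVENTS, build_ports()):
        print("VIOLATION", v)
```

The last event shows the trade-off of a timeout: once the original address has been silent for the whole interval, a different device is accepted on the port, which a permanent static entry would not allow.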
Spanning-Tree Protocol (STP) is used by switches and bridges to establish their MAC
address forwarding tables, and establish a tree-like topology which forwards frames via
the fastest path and eliminates loops. Bridge Protocol Data Units (BPDUs) are exchanged by
switches to share information about the topology.
For optimum performance, we will want the root bridge of the spanning tree to be
located near the core of the network on the highest bandwidth links. The STP root guard
feature allows us to enforce the STP topology, and prevent the root bridge from
appearing on an edge segment, or on a lower bandwidth connection. Root guard will be
enabled on ports we do not want to see the root. If superior BPDUs are received from a
port with root guard enabled, the port will change from forwarding to listening state
until the superior BPDU announcements are stopped.
The spanning tree portfast command is typically configured on ports where end stations
are attached, and allows the port to immediately transition to the forwarding state, without
the delay caused by the STP calculation.
I also propose a private VLAN. If a hacker gains entry to our public server, they will
logically launch attacks against other hosts on the public segment. Private VLANs provide
a means to prevent hosts on the same subnet from communicating with each other,
while permitting required communication to their router and hosts on other networks.
A final strategy that could be considered is implementing security at the network level.
Strong encryption and authentication implemented at the network level would prevent all but the most determined attacker from compromising our hosts, even if he were able
to penetrate our perimeter defenses. IP security (IPSEC) is an enhancement to the IP
protocol documented in various RFCs by the IETF. IPSEC ensures that every packet
transmitted on the LAN is encrypted with strong encryption algorithms.
