Introduction
Wally World is a large retail chain in the Midwest United States. The company has a single corporate campus and 25 regional distribution centres that support 3,000 retail locations. The company has invested heavily in e-Commerce. Point of sale systems at the retail locations help maintain a dynamic inventory. A WAN-based intranet has been configured using IPSec so that each retail location connects to its nearest regional distribution centre over an encrypted VPN link.
Wally World's enterprise network mainly consists of a core backbone, two data centres, the corporate campus, the regional distribution centres, and an Internet Edge with a DMZ. There are seven departments on the corporate campus: Finance, Human Resources, Operations, Sales, Technology, Marketing, and the Corporate Executive Office. The company has provided appropriate computing equipment to all of its employees. Network administrators and other selected staff have the option of accessing the company's network remotely by means of encrypted laptops and two-factor authentication. The network security measures covered in the following sections are:
- Implementing VLAN segments and separating workstations, servers, and printers onto different VLANs
- Protecting against spoofing attacks
- Deploying secure network switches
- Implementing firewalls between VLANs to protect against VLAN attacks
- Implementing port security to protect against MAC layer attacks
Point of Sale Systems (POS)
A point of sale system is a computerized network run by a main server or computer that links the various checkout terminals. The point of sale system and the inventory software work together, so that inventory is controlled at the cash register. The POS system keeps track of every sale and therefore always keeps the inventory records up to date. These software programs make it easier for a manager to make merchandising and ordering decisions. In the case of Wally World, point of sale systems at the retail locations help managers with inventory maintenance and restocking decisions. However, for security reasons these point of sale systems are not directly connected to the internet.
Virtual Private Networks (VPNs)
Organizations like Wally World that have various regional offices traditionally connect them by means of dedicated lines, for efficiency and for the security of sensitive information while data packets are in transit. For example, regional offices may use asynchronous transfer mode (ATM) lines or frame relay as an end-to-end networking solution. However, this method is expensive. As an alternative, most organizations deploy Virtual Private Networks (VPNs), which cost considerably less than the other methods. VPNs provide secure digital communication between two networks over a shared carrier network instead of dedicated circuits, and so create a Wide Area Network (WAN) out of existing Local Area Networks (LANs). VPNs carry traffic as datagrams over IP, so that a data packet reaches its intended destination through a secure channel. Most organizations use VPN software; however, some use hardware VPNs to further secure the system. Hardware VPN solutions include those from Nortel, Checkpoint, and IBM, and a software-based solution is FreeS/WAN.
Internet Protocol Security (IPSec)
Wally World uses a software-based solution and implements the standardized Internet Protocol Security (IPSec). Such a VPN connection, whether hardware or software, acts as a special router that routes information over an IP connection from one office to another. IPSec also supports connecting remote hosts and networks to each other, using a secure path across a common carrier network such as the internet. IPSec can be implemented network-to-network, i.e. from one LAN/WAN to another LAN/WAN, or host-to-host, i.e. from one computer or workstation to another. Wally World implements it network-to-network: a WAN-based intranet in which each retail location is connected to the nearest regional distribution centre.
Implementation of VLAN Segments
In a Virtual Local Area Network, or VLAN, a number of workstations communicate with each other as though they were on a single isolated LAN. When one workstation sends data packets, they are received by all other workstations in the VLAN. This is, however, also the behaviour of a traditional LAN, in which workstations are connected to each other via repeaters or a router. Repeaters and hubs are usually the cause of delay in such networks; if they are replaced with routers the delay is removed, but data are still sent to every user on the network.
A VLAN gives the network manager the option to segment a LAN into several broadcast domains. Workstations therefore do not need to be physically connected to each other or located in one place: workstations on different floors or in different buildings can be joined into one local area network using a router and a switch. Similarly, the different departments on Wally World's corporate campus are segmented into different VLAN domains, and the workstations within each department are connected together. The logical view of the different VLANs of Wally World is as follows:
Workstations, servers, and printers can now easily be segregated using switches, routers, and bridging software. The bridging software defines which machines (printers, servers, or workstations) belong to each broadcast domain.
Port Security to Protect Against MAC Layer Attacks
In a MAC layer attack, the attacker feeds the switch a large number of Ethernet frames, each carrying a different source MAC address. The attacker's aim is to exhaust the limited memory that the switch sets aside for its MAC address table. The effect of a MAC layer attack varies with the switch implementation, but the attacker's purpose is always the same: forcing legitimate MAC addresses out of the MAC address table. Once the table has been overrun, the switch is left in a vulnerable state and the malicious user can capture confidential information.
To prevent MAC layer attacks, network operators and vendors have introduced various features and equipment. Port security is one of the more successful of these features. With port security, switch ports are configured to limit the number of MAC addresses that may connect through a port to end stations or user machines. In addition to the traditional MAC address table, the switch maintains a second, smaller table of secure MAC addresses. Different operating systems and programs provide features to protect the ports on a switch. Ports fall into two main classes, trusted and untrusted; secure MAC addresses are associated with the trusted ports, while all others fall into the untrusted class.
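To make the mechanism concrete, here is an added example (constructed for this page, not any vendor's code): a toy learning switch with a bounded MAC table, run once without and once with a per-port limit on secure MAC addresses, showing why an overrun table lets the attacker's port receive other hosts' unicast traffic. The port numbers, table capacity and MAC addresses are constructed values.

```python
from collections import OrderedDict

class Switch:
    """Toy learning switch with a bounded MAC address (CAM) table.
    Constructed model, not any vendor's implementation: when the table is
    full the oldest entry is evicted, and a frame whose destination MAC is
    unknown is flooded out of every port except the one it arrived on."""

    def __init__(self, ports, capacity, port_security=None):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = OrderedDict()                   # MAC -> port, oldest first
        self.port_security = port_security or {}   # port -> max secure MACs
        self.secure_macs = {p: set() for p in self.port_security}

    def _learn(self, src, port):
        limit = self.port_security.get(port)
        if limit is not None:
            # port security: only `limit` source MACs may ever use this port;
            # a frame from any further MAC is a violation and is dropped
            known = self.secure_macs[port]
            if src not in known:
                if len(known) >= limit:
                    return False
                known.add(src)
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)           # evict the oldest entry
        self.cam[src] = port
        return True

    def handle_frame(self, src, dst, in_port):
        """Return the egress port list for a frame, or [] if it is dropped."""
        if not self._learn(src, in_port):
            return []
        if dst in self.cam:
            return [self.cam[dst]]
        return [p for p in self.ports if p != in_port]   # unknown unicast: flood

def mac_flood_demo(secure_attacker_port):
    """Attacker on port 3 sends frames from 20 constructed fake MACs; return
    the ports that then receive a frame from host B (port 2) to host A (port 1)."""
    sec = {3: 1} if secure_attacker_port else None
    sw = Switch(ports=[1, 2, 3], capacity=8, port_security=sec)
    sw.handle_frame("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", 1)   # learn host A
    sw.handle_frame("bb:bb:bb:bb:bb:02", "ff:ff:ff:ff:ff:ff", 2)   # learn host B
    for i in range(20):
        sw.handle_frame("de:ad:be:ef:00:%02x" % i, "ff:ff:ff:ff:ff:ff", 3)
    return sw.handle_frame("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", 2)
```

Without port security the flood evicts host A, so the B-to-A frame is flooded and reaches the attacker's port 3; with a limit of one MAC on port 3 the table keeps A and the frame is delivered only to port 1.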
Firewalls between VLANs to protect against VLAN attacks
A VLAN attack, or VLAN hopping, is a security exploit in which the network resources of a virtual LAN are attacked: an attacker or a host on one VLAN tries to gain access to the traffic of other VLANs. There are two main methods by which a host attacks these network resources, double tagging and switch spoofing. Both can be mitigated by configuring the switch ports.
All traffic of the VLANs is carried by the trunks between switches. If an attacker or host manages to get its port into trunk mode, it can access the traffic of all VLANs, and an attacker can also retrieve the password credentials of users and network administrators. Most organizations have to configure their Cisco Catalyst switch ports explicitly to avoid switch spoofing attacks, because these ports are in auto mode by default, i.e. they become trunk ports automatically if they receive any DTP frames. In a firewall-enabled VLAN, the switch forwards data packets to the firewall, which classifies them on the basis of their VLAN tags in combination with IP address, protocol, and ports. The firewall thus ensures the security of the data packets.
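The double-tagging path and the DTP default described above, as an added example (constructed for this page, not code from the cited sources): it builds raw 802.1Q frames, parses the stacked tags a switch would see, and shows where the same double-tagged frame ends up with the default configuration, with tagged frames refused on access ports, and with an unused native VLAN on the trunk. The VLAN numbers, MAC addresses and the simplified two-switch model are assumptions.

```python
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800

def build_frame(vlan_ids, payload=b"constructed payload"):
    """Build a raw Ethernet frame carrying zero or more stacked 802.1Q tags."""
    dst = bytes.fromhex("aaaaaaaaaa01")          # constructed victim host MAC
    src = bytes.fromhex("deadbeef0001")          # constructed sending NIC MAC
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + payload

def parse_vlan_tags(frame):
    """Return the VLAN IDs stacked on a frame, outermost first. A second 0x8100
    header right behind the first is the on-the-wire signature of double tagging."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tags, off = [], 14
    while ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        tags.append(tci & 0x0FFF)                # VLAN ID is the low 12 bits of the TCI
        off += 4
    return tags

def hop_outcome(frame, access_vlan, trunk_native, drop_tagged_on_access):
    """VLAN the frame lands in after crossing two switches joined by a trunk, or
    None if dropped. Switch 1 takes it on an access port and forwards it over the
    trunk (native-VLAN traffic goes untagged); switch 2 classifies on ingress."""
    tags = parse_vlan_tags(frame)
    if tags:
        if drop_tagged_on_access or tags[0] != access_vlan:
            return None                          # tagged frame refused on the access port
        tags = tags[1:]                          # outer tag == port VLAN: stripped, inner survives
    wire = tags if access_vlan == trunk_native else [access_vlan] + tags
    return wire[0] if wire else trunk_native     # switch 2: untagged -> native, else first tag

def dtp_result(mode, peer_sends_dtp):
    """Port state after DTP negotiation: a port left in dynamic auto (the default)
    becomes a trunk when a host sends DTP frames; a static access port does not."""
    if mode in ("access", "trunk"):
        return mode
    return "trunk" if peer_sends_dtp else "access"   # dynamic auto / dynamic desirable
```

On Cisco IOS the hardened access-port branch corresponds to `switchport mode access` with `switchport nonegotiate`, and the trunk fix to `switchport trunk native vlan <unused VLAN>`.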
Internet Edge and DMZ
The internet edge is the part of the network infrastructure that connects the system to the internet and acts as the gateway to the rest of cyberspace. A Demilitarized Zone, or DMZ, is a logical or physical subnetwork that exposes the organization's external-facing services to a larger untrusted network, i.e. the internet. The main purpose of a DMZ is to add a layer of security to the organization's local area network: an attacker can gain access only to the DMZ and not to the rest of the network. A network architecture that contains a DMZ can be built with either a single or a dual firewall. In the dual firewall configuration, a fast packet-filtering router is placed at the front end, the internet edge, which improves the performance of the public servers, and a second firewall is placed at the back end to provide more protection. A dual firewall provides more security than a single firewall.
Routing and Switching Infrastructure
It is highly important for Wally World to deploy switches and routers efficiently, as each regional distribution centre and each corporate campus department is connected through VLANs. The enterprise network depends heavily on the correct configuration of routers and switch ports; if they are not configured properly, the various networks could be at risk of attack. By means of VLANs, Wally World's employees will easily be able to communicate over a single network: they need no routing protocol to communicate, and they will not receive broadcast messages from outside their VLAN. However, as discussed earlier, the physical LAN is segregated into VLANs using routers, and the distribution of the LANs is done through multiple switches. This segregation will not only improve the efficiency of the network but also increase the security of the data packets, as it will be easier to restrict ports through configuration.
[Figure: Graphical Representation of Secure Routing and Switching Infrastructure Topology. Labels recoverable from the figure: Trusted Zone; Regional Distribution Centers.]