Network design proposal
Introduction
Any organization that has its operation on many interconnected computers remains exposed to attacks from both external and internal sources. To address the issue, a computer that operates over a network requires several measures that target to minimize possible attack. The term network security is used to describe the process of bringing together the physical and software based preventive measures to prevent the underlying network infrastructure from attacks such as modification of data, misuse of infrastructure, unauthorized access and another form of attacks.
The problem statement
Analysis of security needs
The university environment provides different security threats. Data that is stored by the university is highly sensitive and will attract a lot of interest from many people both internally and externally. University intellectual property rights on different products by the students and by staff members need to be protected from industry players who might want to benefit from the knowledge without compensating the University.
Examination management is also a critical section of any university. The credibility of the university programs is judged based on how reliable the examination processing and examination management are. Students might attempt to gain access to the exam management systems with intentions of altering Grade or even gain access to the set exam papers. The success of such attacks affects the quality of the programs offered by the university which in return will affect the public trust with the institution.
Finance management system is another critical area of the university. Finance records are critical and can easily be subjected to attack by different interested parties. Alterations or deletion of finance record may result in loss of University money and important data.
Most of the university operations are on the universities ERP platform that is network based. Attacks such as denial of service might bring all the activities of the university to a stop.
Overview of security threats
Unauthorized access into computer and computer networks
Unauthorized access is defined as the illegal gain of access to a computer or computer network using another person’s account information or by any other method. Dictionary attacks and Brute-force attacks can be used to generate the right combinations of and passwords allowing an attacker to gain access to a computer networks or system illegally. This form of attacks exploits ignorance from users which include the tendency to use predictable passwords, password interception and disclosure of password information to seemingly trustworthy people.
Monetary gains do not motivate most of these attacks, but people might take them up as intellectual challenges. Students are keen to test different security system hence this might be a major challenge to the university system security team. Access to protected information such as student exams, University staff data, and other sensitive financial information is disastrous to the university.
Potential solutions: the most common approaches to dealing with these kind of attacks are passwords, firewalls, and antivirus.
Passwords
It is important for the users who have access to the computers and computer networks to ensure they have passwords. Computer passwords will prevent unauthorized users from accessing the computer. The passwords used should not be easily predictable and should use a combination of different characters.
Alerts should also be created to notify the system administrators of any attempt to gain access by an authorized person
The systems implemented should force a change of password after a given period preferably every three months
Firewalls
It includes implementation of Hardware and software firewalls. The university should configure the physical devices such as the network routes to provide security.
Software firewalls should be installed on computers to protect them from unauthorized incoming or outgoing data.
Installation of antivirus software will also help in protection from malware that target to capture keystrokes to obtain sensitive data such as passwords and the associated user names (Pounder, 2001).
The computer will also require frequent updates to provide protection against any new threats that might come up.
Interceptions of communication
Data packets that are in transit are susceptible to being intercepted, read, and altered. Attackers monitor data streams from a particular source to gather sensitive information that can be used against the university. The act is commonly referred to as eavesdropping or sniffing. Tools such as packet analyzer and packet sniffers can actively be used to capture data. The most common point of data interception is network management points and concentration points such as the routers switches and other network communication gadgets ("Protecting practices from data theft", 2013).
The process of detecting interception should, however, be able to distinguish between lawful and unlawful interceptions. The government can intercept internet traffic as a matter of national public interest. This is provided for in different legal frameworks which allow law enforcement agencies through court orders to intercept data in matters of public interest.
Dangers of interception: unlawful interception of data can invade individual people privacy through exposing their private data and also make the university loose revenue if profit-making institutions access the different intellectual property rights. At time, the intercepted document might become unavailable, and unusable if the intruder tampers with the data
Solution: to protect the data from interception, data that is in transit should always be encrypted. Transmitting plaintext data increases data venerability.
Creation of virtual private networks will also allow secure access of the university resources in a cost effective and secure network.
Implantation of the IPSec, WebVPN, and MACSec framework will also ensure secure transmission of sensitive university data over the unprotected networks. The IPSec framework offers access control, data origin authentication, connectionless integrity, protection against replays, encryption, and limited traffic flow confidentiality at the IP layer.
The MACSec standards’ allow identification of unauthorized LAN connections defining a secure infrastructure that provides data confidentiality, integrity, and authentic origin.
The WebVPN provides secure remote access of through the secure socket Layer to allow easy access to university resources in a secure web-enabled application.
Malicious software attacks
Malicious software’s can be executed remotely or internally to delete or modify data. The software can also be used to give control of a computer to the creator of the malware. Malware includes viruses, Trojans, adware, spyware worms and many other attacks.
Damages of malware: malware can be very dangerous to the universities data. They can delete, modify data and give access to the malware creator. Malwares are used to steal information from the databases and even cause sabotage to the operation and services provided by a system.
Solution: use of antivirus that is well updated can be used to detect and delete suspicious programs. Users of the university should be trained on the need to keep the security systems in good shape.
Network disruptions
Network disruptions that interfere with services delivered can be experienced. Most disruptive attacks target to exploit weaknesses and vulnerabilities in the different network component such as computer operating systems, routers, and name servers.
Routing attacks: attacks that target the router lead to unauthentic information provided to the neighboring routers. Routers depend on the information provided by the neighbors to build a network topology. The resulting topologies are used to determine the best path for transmission of data. The attack can misrepresent a router as the best route so as to intercept, block and modify data that is in transit.
Denial of service attack: the attack will flood the network with artificially generated messages and strain the capacity making it difficult for the genuine data to be transmitted or processed.
Dangers associated: the university heavily depends on its website to deliver service. Attacks that targets to disrupt the network will lead to poor service delivery by the University.
Solution: DNS server attacks can be addressed through the use of the latest DNS software that has appropriate patches that prevent attacks from known loopholes. Deployment of the DNS Security protocol that is based on server authentication will reduce threats that result from DNS cache poisoning
Malicious misrepresentations
Dangers of network disruption: users might download viruses and other malware from the university sites that are masquerading as trusted sources. Data confidentialities is interfered with as unauthorized data might be released to the wrong people.
Solution: implementation of virtual private network and IPSec will provide a secure communication platform. Use of digital certificates also is used to ensure that data sources are authentic to protect the university website users.
Natural disasters and unintentional events
Natural disasters, such a storms, flood, Earthquakes, and fires can result in severe loss of institutional data. Human errors and poor management can also lead to system faults that will cause loss of university data.
Dangers of natural disasters and unintentional events: natural disasters can result in the destruction of network infrastructure and even the data servers. Hardware failure and poorly designed software will lead to the creation of weak points that can be exploited by the attackers. Hardware failures will also result in denial of services.
Solution: Providing backup and storing data in the cloud platforms will reduce the possibilities of loss of data in case of natural calamities. Migration of the data to cloud platform will also minimize the need for the university to invest in backup hardware.
Users
Users are critical to the success of the security systems implemented. Data integrity will depend on the integrity of the users.
Dangers associated with users: even if the system has the capability of protecting the data in transit and during storage the users can provide network weak points. Sharing of login information with unauthorized users poses a significant risk to the entire security system. The authorized users might also disclose university data to the unauthorized users. Such acts put the university data integrity and confidentiality at risk.
Solution: university staff working with the system will require training on the importance or securing the university network. In the training, the importance of passwords and how to protect their passwords will be emphasized. All system activities will be associated with a login ID, and users will be held responsible for any issues arising from their accounts. This way user will be keen not to release their login details to unauthorized people. Sharing of information and data in the University will be guided by the university data exchange policies.
Security devices Procurement and implementation
Implementation of the plan will be guided by the universities best procurement policies. The university procurement officer will, however, consult the ICT officers for technical guidance on the best product to be acquired.
Once devices and software from specific vendors have been acquired, the device vendor or the partner will be requested to provide installation support and offer training to the universities technical department.
In the procurement of the network devices, device compatibility with the existing technologies should be considered. This will reduce the need to purchase new devices due to the incompatibility issues.
.
Conclusion
I propose the formation of a technical team to oversee the implementation of the security policy, in this team, the heads of department should be included as they will be responsible for systems security. Chairpersons of the Departments and the ICT department will be tasked with ensuring that all the policy guidelines are followed.
References
Huang, Y., Feamster, N., Lakhina, A., & Xu,J. (2007). Diagnosing network disruptions with network-wide analysis. ACM SIGMETRICS Performance Evaluation Review, 35(1), 61. http://dx.doi.org/10.1145/1269899.1254890
Pounder, C. (2001). The European Union Proposal for Policy Towards Network and Information Security. Computers & Security, 20(7), 573-576. http://dx.doi.org/10.1016/s0167- 4048(01)00705-2
Protecting practices from data theft. (2013). BDJ, 214(6), 314-314. http://dx.doi.org/10.1038/sj.bdj.2013.307
