CHAPTER TWO
2.1.0 POINT TO POINT LEASED LINE
A point-to-point leased line is a dedicated circuit, traditionally a pair (or pairs) of copper wire and today often fibre, connecting two end users through a network rented from a telecommunications provider. Unlike a dial-up connection, a leased line is always active and delivers guaranteed bandwidth. A point-to-point leased line is a cost-effective, resilient and private solution for connecting multiple offices or remote workers with guaranteed uptime and bandwidth. A leased line offers a number of significant advantages over a traditional dial-up connection:

Non-contention: the leased line is 100% dedicated to the company's exclusive use.
Security: a dedicated leased line is not shared with other customers. This is isolation, not encryption: the traffic still crosses the provider's equipment in the clear, so confidentiality on the line depends on encrypting at the endpoints (for example, IPsec between the two routers).
Reliability and resilience: a leased line is backed by Service Level Agreements and its performance is monitored by the service provider at all times.
Symmetric: upload and download speeds are the same.
Cost control: the monthly rental charge is fixed and does not vary with usage.
Permanence: the connection is always on.
2.2.0 POINT TO POINT PROTOCOL
The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network-protocol multiplexing, link configuration, link-quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation. PPP supports these functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities. In addition to IP, PPP supports other network protocols, including Novell's Internetwork Packet Exchange (IPX) and DECnet (James & Keith 2009). LCP also negotiates which authentication protocol (PAP or CHAP) a peer must complete before any NCP is allowed to open, which is where link-level access control on a leased line is enforced.
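As an added illustration of the framing and LCP negotiation described above (example code written for this edit, not part of the original report or of any vendor's software), the following Python parses a PPP frame in HDLC-like asynchronous framing, verifies the 16-bit FCS, and decodes the LCP option list including the Authentication-Protocol option. The sample Configure-Request is constructed inline and was not captured from a real link; all names are the example's own.

```python
import struct

# PPP framing constants (RFC 1661/1662)
PPP_FLAG = 0x7E
PPP_ESC = 0x7D
PPP_ADDR = 0xFF
PPP_CTRL = 0x03
PPP_GOODFCS16 = 0xF0B8   # running the FCS over data + appended FCS yields this constant

PROTO_IP = 0x0021
PROTO_IPCP = 0x8021
PROTO_LCP = 0xC021

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack"}
LCP_OPTIONS = {1: "MRU", 3: "Authentication-Protocol", 5: "Magic-Number",
               7: "Protocol-Field-Compression", 8: "Address-and-Control-Field-Compression"}
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}


def ppp_fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """Bit-wise CRC-16/X.25 as used for the PPP FCS (RFC 1662)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def escape(body: bytes) -> bytes:
    """Async (octet-stuffed) transparency: escape flag, escape and control octets."""
    out = bytearray()
    for byte in body:
        if byte in (PPP_FLAG, PPP_ESC) or byte < 0x20:
            out += bytes((PPP_ESC, byte ^ 0x20))
        else:
            out.append(byte)
    return bytes(out)


def unescape(data: bytes) -> bytes:
    out = bytearray()
    pending = False
    for byte in data:
        if pending:
            out.append(byte ^ 0x20)
            pending = False
        elif byte == PPP_ESC:
            pending = True
        else:
            out.append(byte)
    if pending:
        raise ValueError("frame ends inside an escape sequence")
    return bytes(out)


def build_frame(protocol: int, payload: bytes) -> bytes:
    body = bytes((PPP_ADDR, PPP_CTRL)) + struct.pack(">H", protocol) + payload
    fcs = ppp_fcs16(body) ^ 0xFFFF          # ones-complement the residue
    body += struct.pack("<H", fcs)           # FCS is sent least-significant octet first
    return bytes((PPP_FLAG,)) + escape(body) + bytes((PPP_FLAG,))


def parse_frame(frame: bytes):
    """Return (protocol, information field); reject framing or FCS errors."""
    if len(frame) < 2 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing flag octet")
    body = unescape(frame[1:-1])
    if len(body) < 6:
        raise ValueError("frame too short")
    if ppp_fcs16(body) != PPP_GOODFCS16:
        raise ValueError("bad FCS")
    if body[0] != PPP_ADDR or body[1] != PPP_CTRL:
        raise ValueError("unexpected address/control field")
    protocol = struct.unpack(">H", body[2:4])[0]
    return protocol, body[4:-2]


def parse_lcp(info: bytes) -> dict:
    """Parse an LCP packet header and its TLV option list, checking every length."""
    if len(info) < 4:
        raise ValueError("LCP packet too short")
    code, ident, length = struct.unpack(">BBH", info[:4])
    if length < 4 or length > len(info):
        raise ValueError("bad LCP length")
    options, pos = [], 4
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated option")
        otype, olen = info[pos], info[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("bad option length")
        options.append((otype, LCP_OPTIONS.get(otype, "?"), info[pos + 2:pos + olen]))
        pos += olen
    return {"code": code, "name": LCP_CODES.get(code, "?"), "id": ident, "options": options}


# Constructed sample: Configure-Request #1 asking for MRU 1500, CHAP (MD5) authentication
# and a magic number. Not captured from any real link.
SAMPLE_LCP = (b"\x01\x01\x00\x13"
              + b"\x01\x04\x05\xdc"           # MRU = 1500
              + b"\x03\x05\xc2\x23\x05"       # Authentication-Protocol = CHAP, algorithm 5 (MD5)
              + b"\x05\x06\xde\xad\xbe\xef")  # Magic-Number


def demo():
    frame = build_frame(PROTO_LCP, SAMPLE_LCP)
    protocol, info = parse_frame(frame)
    return protocol, parse_lcp(info)


if __name__ == "__main__":
    proto, lcp = demo()
    print(hex(proto), lcp)
```

The length checks in parse_lcp matter in practice: the option list is attacker-controlled data arriving before the peer has authenticated, so a parser that trusts the Length fields is the first thing on the link that can be broken.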
2.3.0 CSU/DSU DEVICE

A Channel Service Unit (CSU) is a device that connects a terminal to a digital line, while a Data Service Unit (DSU) is a device that performs protective and diagnostic functions for a telecommunications line. Typically the two devices are packaged together as a single unit, which can be thought of as a very high-powered and expensive modem. A CSU/DSU is required at both ends of a T1 or E1 connection. The units at both ends must be compatible (the cited source recommends the same manufacturer), their configurations must match (framing, line coding and clock source), and the routers at both ends must be configured to be in the same subnet (Robert et al 2005).

IT Security for ABC Broadcasting Corporation: Network Infrastructure, Network Security and Management Policies (page 11)

CHAPTER THREE

3.1.0 ANALYSING ABC CORP'S NETWORK CONFIGURATION SETUP

For ABC Broadcasting Corporation to survive it must treat network security as a critical function of its success. Appropriate measures are taken to tighten the security of ABC Corp's network infrastructure to prevent breaches of security and yet remain in line with the company's objectives, which aim for flexibility, scalability and affordable cost for consumers. Below is the analysis of ABC Corp's network infrastructure. The infrastructure is made up of three (3) layers:

1. The Outer Layer accommodates the Web server, FTP server and E-mail server. This layer is the general public layer and is enclosed in the External DMZ. Employees and the public, including clients and partners, have access to this layer.
2. The Middle Layer is more protected than the outer layer. It is strictly for employees, whether they connect from within, from a branch office or from a remote location. This layer is where most of the operational departments are found, e.g. Sales, Accounting, Broadcasting and Customer Relations. Access into this layer requires authentication.
3. The Inner Layer is the most protected of the three layers; hence it is referred to as the Core of the network. This layer is where the Research and Development, Human Relations and IT departments are located.

List of hardware used in setting up ABC's network:

1. Firewalls
2. Switches
3. Intrusion Detection Systems (IDS)
4. Routers
5. Leased Line Routers
6. Fibre Optic Cable
7. Workstations
8. Web server
9. Proxy server
10. FTP server
11. E-Mail server
12. VPN/AAA server
13. Active Directory server
14. CSU/DSU Modem
15. Departmental servers
16. Digital Transmission Satellite Dish
17. Digital Video Broadcasting (DVB) System
18. Clients/Subscribers
19. Printers
Note: All the routers used in this setup are Cisco 3800 series routers, and the core switches are Cisco Catalyst 4500 series switches. D-Link DES-3028 series switches are used as access switches. The boundary firewalls are Cisco PIX 500 series appliance firewalls. The IDS used is the Cisco Threat Defense IDS 4250 series. A Cisco VPN 3000 series concentrator is also used. All the servers in the External DMZ are Linux servers.

ABC Corp's network has been segmented into several Virtual Local Area Networks (VLANs). This VLAN architecture helps isolate uncontrolled broadcasting of packets (broadcast storms), which might otherwise jam the network and consequently shut down its functions. Secondly, the VLAN implementation ensures that information meant for one department is contained within that department, without unauthorised access from other departments. A VLAN separates broadcast domains only; traffic between VLANs is routed, so this containment holds only if the inter-VLAN routing point filters that traffic. Note also that VLAN 1 is the default and native VLAN on Cisco switches, so placing user traffic in it is discouraged. The IP address ranges for the VLANs are:

192.168.1.x/24 range (VLAN 1)
192.168.2.x/24 range (VLAN 2)
192.168.3.x/24 range (VLAN 3)
192.168.4.x/24 range (VLAN 4)
192.168.5.x/24 range (VLAN 5)

3.2.0 HEADQUARTERS AND BRANCH OFFICE VPN CONNECTION

The initiator (an employee or dealer) logs into the company's secured VPN interface on his computer by providing a user ID and a password or pass-phrase, depending on how the configuration has been set up. The login is authenticated by the VPN server at his own end, which is hosted either by the branch office or by an external ISP. Once the login requirements are fulfilled, access to the HQ is granted through a secured VPN tunnel that travels through the public Internet cloud. The packet then meets the HQ's router, and then the Boundary Firewall. At the router, Network Address Translation (NAT) is implemented, which masquerades ABC's internal IP addresses from the public.

The Boundary Firewall is a stateless hardware appliance firewall: it filters each transiting packet on its own, on the network-layer (and typically transport-layer) headers, without remembering earlier packets, before forwarding it to the Intrusion Detection System/switch. The IDS screens the frame against a set of laid-down security signatures. If the frame is found to contain malicious code, the IDS triggers an alarm and notifies the IT personnel and employees that an attack is about to take place or has already taken place; on its own an IDS only alerts, so actually blocking the traffic requires an inline IPS or a firewall rule acted on from the alert. If the frame is clean, it is allowed into the network. The level of access into the network depends on the person who logs in. The access is spelt out by the rules on Internal Firewall 1, which decide whether the frame may reach the VPN concentrator/AAA server.

Internal Firewall 1 is a stateful firewall: it keeps a table of established connections and admits a packet only if it belongs to a connection the policy permitted, rather than judging each packet in isolation. Where the appliance also inspects up to the application layer, that is an additional capability on top of state tracking. It ensures that the packet meets the policies set in the firewall before allowing it to travel further into the network.
The VPN concentrator/AAA server analyses the packet by decrypting it to reveal its content while processing Authentication, Authorization and Accounting (AAA). This is to ensure that the employee is an authenticated member of the organisation and has the authority to be on the network. The authorised packet then travels to the destination department for which the request was originally made. These departments include the Broadcasting, Accounting, Sales and Customer Relations departments. The Research and Development (R&D), Human Relations (HR) and Information Technology (IT) departments are situated in the network core, which is highly restricted: this inner layer is open only to the few employees who have the authority, as defined in the organisation's policies. The Active Directory server, which is controlled by the System Administrator from the IT department, oversees the access rules with respect to passwords, logins, printing, e-mailing and other security and instructional matters initiated by employees and non-employees.

3.3.0 HEADQUARTERS AND BRANCH OFFICE LEASED LINE CONNECTION

The second means of linking to ABC's HQ office is through a leased line. The leased line is used for the branch offices whose country shares a boundary with the HQ's country, e.g. Singapore and Thailand. This dedicated leased line is provided by a third-party leased-line provider. For an employee to access the HQ through the leased line, he initiates a connection from his office. The frame travels through Boundary Firewall 1, the router, the CSU/DSU modem, and then over the E1 fibre-optic leased line, which spans several kilometres, to the Headquarters' CSU/DSU modem, router and Boundary Firewall. The frame meets the External IDS and, if found clean, moves to Internal Firewall 1 and then to the AAA server, which authenticates the request. After the set rules are fulfilled, it is allowed into the internal network.

For ABC's customers, subscribers or dealers who wish to access ABC's network to enquire about broadcasting services and subscribe online, access is limited and routed to the Web, FTP and E-mail servers, which sit in the External DMZ and are regulated by the Boundary Firewall.

The main function of the Internal DMZ is to contain and confine the various departments within their regions and limits; it restricts them from accessing parts of the network to which they should not have access. The Internal DMZ is regulated by Internal Firewall 2.

Below is the overall network diagram of ABC Broadcasting Corp.