Project Title:
Design and implementation of IT infrastructure in a fictitious company and ISMS audit on the organization's IT assets.
PRESENTED BY
EROMOSELE CHRISTIAN MAT. NUMBER 922161
FACHHOCHSCHULE, UNIVERSITY OF APPLIED SCIENCES, Grenzstraße 5, 24149 Kiel, Germany
Table of Contents

ACKNOWLEDGEMENT  i
ABSTRACT  ii
INTRODUCTION  iii
1. Virtualization, IOS Modes and Cabling  1
  1.1. Graphical Network Simulator (GNS 3)  1
  1.2. VirtualBox  1
  1.3. Usefulness of Virtualization  2
  1.4. Network Media  2
  1.5. Types of cables  2
    1.5.1. Shielded Twisted-Pair cable (STP)  2
    1.5.2. Unshielded Twisted-Pair cables (UTP)  3
    1.5.3. Coaxial Cables  7
    1.5.4. Optical Fiber Optics Cable  8
  1.6. Configuration Methods  9
    1.6.1. Command-line Interface (CLI)  9
    1.6.2. Cisco Security Device Manager (SDM)  9
  1.7. Techniques for accessing Command Line Interface (CLI)  11
2. LAN Switching  12
  2.1. Command modes of the IOS  12
  2.2. Comparison of switches to hubs and bridges  13
  2.3. Virtual local area network and Trunks  14
  2.4. Spanning Tree Protocol  16
  2.5. Host-to-host Packet Delivery within and outside the Network  18
3. Routing  22
  3.1. Dynamic Host Configuration Protocol (DHCP) Server  22
  3.2. Access Control Lists (ACLs)  23
  3.3. Enhanced Interior Gateway Routing Protocol (EIGRP)  26
  3.4. Comparing EIGRP to other Routing protocols  27
  3.5. Network Address Translation (NAT)  29
  3.6. RADIUS Server  30
4. Firewalls  33
  4.1. Advantages of a Firewall  33
  4.2. Firewall Technologies  33
    4.2.1. Stateless Packet Filters  33
    4.2.2. Stateful Packet Filters  36
    4.2.3. Application Layer Gateway (ALGs)  37
5. IT Security standard (ISO 27001)  39
  5.1. Why Employ ISO 27001?  40
  5.2. ISO 27001 Audit certification process  40
  5.3. Performing IS audit on the IT assets with reference to ISO-27001  42
  5.4. ISMS Security Policy  42
  5.5. ISMS Scope  44
  5.6. ISMS Audit Work Plan  45
  5.7. Audit Questionnaire  45
  5.8. Audit Evidence  47
  5.9. Risk Assessment / Risk treatment Options (Control)  48
  5.10. Management approval to operate and implement the Controls  50
  5.11. Statement of Applicability (SOA)  50
6. Conclusion  53
References  55
Appendix  59
ACKNOWLEDGEMENT

I would like to thank Professor Nils Gruschka for approving this topic and for supervising my project work. My thanks also go to Mr. Stefan Rieber for the knowledge imparted to me in performing IT audits. I also want to thank some of my friends for their reviews and for adding valuable comments and suggestions to improve the quality of this paper.
ABSTRACT

This paper is on the planning and design of IT infrastructures. It discusses the configuration of network components such as Cisco routers, switches and RADIUS servers, and deals with firewall technologies. The protocols implemented on the routers are the Enhanced Interior Gateway Routing Protocol (EIGRP), Network Address Translation (NAT) and Access Control Lists (ACLs). Virtual Local Area Networks (VLANs) are created to segment the various administrative tasks, and the Spanning Tree Protocol (STP) is configured on the switches to ensure redundancy and a loop-free topology. For authentication and restriction of access to the network devices, a RADIUS server was configured to grant administrative privileges on the routers. Finally, an Information Security Management System (ISMS) audit was performed on the organization's IT assets.
INTRODUCTION

IT infrastructures are sets of information technology components comprising hardware (data centers, routers etc.), software (e.g. Enterprise Resource Planning (ERP) systems) and network security devices such as firewalls, which an organization uses to deliver IT services to its customers. These IT components are used to monitor and support IT services within or outside the organization [4].

The software used in the realization of this project includes the Graphical Network Simulator (GNS3), which emulates the network [1], and VirtualBox, a cross-platform virtualization application that runs on any common host operating system. It is a powerful tool with the ability to run several virtual computers at the same time [2]. Various configuration methods were outlined: the command line interface, which is used to enter commands into the Internetwork Operating System [12], the Security Device Manager (SDM), which is a web-based management tool [8] [9, p. 4-124], and the command line configuration modes [17].

It is essential to discuss the network communication media, as a good knowledge of cable design and implementation is vital when connecting similar and dissimilar devices to the network using a straight-through or a crossover cable. Selection criteria such as speed and cost were also outlined [3, p. 1-146] [5, p. 8, 20]. Before purchasing any network cable, ensure it satisfies the requirements of the U.S. National Electrical Code (NEC) [5, p. 20].

A comparison was made between hubs, bridges and switches. Switches are the best choice in practice: their functional advantages are high port density and low price, so hubs and bridges are not even considered [3, p. 2-23]. VLANs were created in the Local Area Network (LAN) in accordance with the 802.1Q standard, which enables you to apply access and security policies to groups of users, thereby enhancing network flexibility [11, p. 2-3].

The Spanning Tree Protocol was also described, since it is enabled by default on Cisco switches, together with how it ensures a loop-free topology and provides redundancy in case of failover [15]. Furthermore, host-to-host packet delivery within the same network and outside the internal network was described in detail. The Dynamic Host Configuration Protocol (DHCP) was configured on the Cisco router to hand out IP addresses, subnet masks etc. to clients; its mechanism and process of handing out IP addresses were described [9, p. 4, 1–139]. Access Control Lists (ACLs) were configured on the routers to provide filtering, since the firewall does not operate within the LAN. This enhances the security of the organization's infrastructure and offers a unique way to control traffic on the network [19]. In order to enable the routers to communicate with each other, the Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing (EIGRP) protocols, which are widely used in large enterprise networks, were also configured. They have the advantages of both distance vector and link state routing protocols [11, p. 5-1] [20]. The distinctions and similarities between all the routing protocols were described [14].
Network Address Translation (NAT) was also configured to enable hosts assigned private IPv4 addresses to communicate over the internet. It conserves Internet Protocol version 4 (IPv4) addresses and simplifies management tasks, as defined in RFC 1631 [18, p. 7-3]. The NAT types and the terms associated with them were also explained. A Remote Authentication Dial-In User Service (RADIUS) server was also enabled for network authentication and accounting, to restrict unauthorized access to the network devices (routers) [23]. Its authentication steps and its similarities to TACACS servers were outlined, as these are the principal protocols used to administer Authentication, Authorization and Accounting (AAA) on network devices [25].

The various firewall technologies and rule sets, with their merits and demerits, were also covered. To protect the network from intrusion attempts, a firewall is employed to filter incoming and outgoing traffic based on a predefined set of rules called firewall policies; these policies were also described [26], as was the importance of employing a firewall, since it is a reliable gateway for connecting a private network to the internet [28].

An Information Security Management System (ISMS) conforming to ISO 27001 was established on the organization's IT assets to ensure the confidentiality, integrity and availability of information in the organization. The mandatory ISMS requirements for an audit were analyzed step by step. An ISMS is applicable to all businesses regardless of sector, and its flexibility makes it unique, as the organization can choose whichever controls are applicable to its business [52]. ISO/IEC 27002 is employed to select suitable information security controls within the ISMS; it serves as a code of practice and guideline rather than a certification standard, since it gives greater detail than its antecedent [49]. You may decide to implement other controls, as ISO 27001 is flexible [38] [39].

Finally, a Statement of Applicability was developed to attest to compliance of the applied controls. This paper is intended to be a network kit in the hands of network administrators and others who are interested in learning about networking. It is divided into two parts. Part 1 describes the software used in this project and its features, the media types and the various configuration modes. It focuses on how the various protocols implemented in this project work in theory, and describes the various firewall technologies and how filter rules for access rights are designed. An Information Security Management System (ISMS) audit was performed on the organization's IT assets, and the steps in establishing and performing the ISMS were covered. Part 2 is the appendix, outlining the basic configuration commands used in the course of this project and the criteria for selecting the risk treatment.
1. Virtualization, IOS Modes and Cabling

1.1. Graphical Network Simulator (GNS 3)

Graphical Network Simulator (GNS3) is open source software that helps in emulating networks using the Cisco Internetwork Operating System (IOS). GNS3 enables you to run a Cisco IOS in a virtual environment and serves as a graphical user interface to Dynamips [1].

Features

GNS3 relies on the following programs to emulate the operating systems as they work in real networks:

Dynamips: This is the program responsible for the emulation of Cisco IOS.
Dynagen: Found in the bottom pane, i.e. below the work area, as the GNS3 console. It runs on top of Dynamips to provide its users with a friendly text-based interface.
Qemu: Runs open source machine emulation of devices such as the Cisco ASA and PIX firewall.
VirtualBox: Able to run desktop and server operating systems [1].
1.2. VirtualBox

VirtualBox is an application which runs across various platforms regardless of the operating system, such as Windows, Linux and Mac operating systems. VirtualBox expands the capabilities of your computer by enabling you to run several operating systems simultaneously, but it has some practical limitations which depend on your host, such as disk space and memory (RAM) [2].

Features

These are some of the features of VirtualBox:

Portability: VirtualBox runs on both 32-bit and 64-bit host operating systems. It requires a host operating system to be installed on, and it runs alongside the other existing applications on that host. VirtualBox is functionally identical on all its host environments, and the same image and file formats are created and used. This enables you to run virtual machines created on one host on another with a different operating system. Furthermore, virtual machines can be imported and exported effortlessly using the Open Virtualization Format (OVF) [2].

No hardware virtualization required: It does not need the additional built-in features that exist in newer hardware, such as Intel VT-x or AMD-V, which other virtualization programs require [2].

Guest Additions and shared folders: VirtualBox Guest Additions are software packages that can be installed in the supported guest systems to improve their performance and provide additional integration. Installing the Guest Additions automatically supports adjustment of video resolutions, accelerated 3D graphics etc. It also supports shared folders, which allow you to access folders and files on your host operating system from the virtual environment [2].
Great hardware support: VirtualBox supports these features and many others not described here:

1. USB device support: VirtualBox has a virtual USB controller which enables you to connect arbitrary USB devices to your virtual machines without having to install a driver on the host to enable this functionality [2].

2. Full ACPI support: The Advanced Configuration and Power Interface (ACPI) feature is supported by VirtualBox. This enables cloning of Personal Computer (PC) images from real machines into VirtualBox. It also supports mobile systems running on batteries by enabling energy savings and notifying the user of the remaining power [2].
1.3. Usefulness of Virtualization
Running multiple operating systems: VirtualBox has the ability to run multiple operating systems at the same time [2].

Testing and disaster recovery: Upon installation of a virtual machine, its virtual hard disks are regarded as a container that can be duplicated, backed up and transported between hosts. With the snapshots feature in VirtualBox, you can save a certain state of the virtual machine and revert to it in the future in case of any failure [2].

Infrastructure consolidation: Virtualization reduces both hardware and electricity costs. Instead of running many physical computers, you can install many virtual machines on powerful hosts and balance the load between them, thereby avoiding a lot of wasted hardware resources and electricity [2].
1.4. Network Media

Network media such as cables or wireless media transmit signals from one device to the other in a LAN [3, p. 1-146], and the selection is based on the application, requirements, cost, speed etc. [5, p. 8]. In order to ensure good communication between devices and to mitigate the problems of poor network design, it is vital to be familiar with the various cable types of an Ethernet LAN. The cables that support Ethernet implementations are derived from the Electronic Industries Alliance and Telecommunications Industry Association (EIA/TIA) standards body [3, p. 1-163].
1.5. Types of cables

Four distinct types of cabling are in use for today's networking. They are:

1. Shielded twisted pair cables (STP)
2. Unshielded twisted pair cables (UTP)
3. Coaxial cables
4. Fiber optics (FO) [5, p. 8].

Twisted-pair cables: They are the cheapest and most widely used cables today. Twisted-pair cables are not only cheaper than other media; their implementation is simpler and the tools required to implement them are less expensive. UTP and STP are the two types of twisted-pair cables [5, p. 8].

1.5.1. Shielded Twisted-Pair cable (STP)
An STP cable consists of two pairs of wires which provide a signal path and a return path. The wires are twisted in a spiral manner, normally with eight twists per meter. Figure 1 below shows a typical STP cable. Although it is more expensive than UTP to install, it has this merit:
Figure 1 shows a typical STP cable [5, p. 13].
It reduces the problem of noise, making it less susceptible to electromagnetic interference (EMI) than unshielded cables [5, p. 11, 12]. Note: simply installing STP does not render the cabling immune to EMI or reduce cable emissions. Some other conditions need to be met to ensure proper shielding, e.g.:

All components used in the link must be shielded, as no UTP patch cord is allowed.
The shield must fully protect the whole link and enclose the pairs, as any gap in the shield could lead to EMI leakage [5, p. 13].
1.5.2. Unshielded Twisted-Pair cables (UTP)

UTP has been in use for telephone systems and became typical with the development of Ethernet over twisted-pair cabling and the 10BASE-T standard. UTP is less expensive and more straightforward to install than STP, and its bandwidth capacity is continuously improved by cable manufacturers [5, p. 9]. UTP consists of four pairs of wires, and each individual UTP wire is covered with an insulating material to eliminate electrical interference [6]. UTP cables are connected using RJ-45 connectors with eight (8) pins. UTP has the advantage that it is able to cancel interference, because the twisting of the pairs controls signal degradation from EMI and radio frequency interference (RFI). UTP used in networking has an impedance of 100 ohms, as opposed to the cables used in telephone wiring; this differentiates the two [3, p. 1-169] [6] [7]. See figure 2 below for a typical UTP cable.
Figure 2 Showing a typical UTP cable [3, p. 1-169] [7]
From figure 2 above, UTP has an outer jacket made of a non-conducting material enclosing the four twisted pairs of wires. Each wire is insulated with a material of good dielectric properties, which enables good signal propagation [5, p. 10] [7]. For UTP links, a maximum distance of 328 feet (100 m) is recommended. UTP has gained a lot of ground due to its ease of installation and its low cost. The external diameter is approximately 0.17 inches, i.e. 0.43 cm. Its small size makes it easy to install, and its support for most networking architectures has made it dominant [3, p. 1-169] [5, p. 11].

Categories of unshielded twisted pair (UTP) cables

These are the various categories of UTP. The ANSI/TIA-568-C standard (American National Standards Institute / Telecommunications Industry Association) aids network engineers in choosing the right standard for their application [5, p. 11].
Category 1: Supports frequencies of less than 1 MHz and is commonly used for analogue voice telephone communication; it is not suitable for transmitting data. It is not defined in ANSI/TIA-568-C.

Category 2: Also not defined by ANSI/TIA-568-C, it is only capable of transmitting data at up to 4 Mb/s. It was often used in the installation of Apple LocalTalk networks.

Category 3: Recognized by ANSI/TIA-568-C, and used in 10BASE-T networks and digital and analogue telephone systems. It can transmit data at up to 10 Mb/s and more.

Category 4: Also not defined by ANSI/TIA-568-C; it is used in Token Ring networks and can transmit data at up to 16 Mb/s and more. The development of Category 5 replaced Token Ring LANs, since it provides higher bandwidth for a small increase in price.

Category 5: Included in ANSI/TIA-568-C for informative purposes only. It is capable of transmitting data at up to 100 Mb/s. The applications it supports are 100BASE-TX, FDDI over copper, ATM over IP etc. Category 5 cable is often cited as Class D in ISO/IEC 11801 Ed. 2.2.

Category 5e: Often referred to as enhanced Category 5, it was introduced by TIA/EIA-568-A-5 and is used in networks running at speeds up to 1000 Mb/s (1 Gb/s). Additional performance criteria and tighter transmission tests make it superior to Category 5. The same applications as for Category 5 are applicable here. It is recognized by ANSI/TIA-568-C.

Category 6: Officially included in ANSI/TIA/EIA-568-B in June 2002. It consists of four pairs of 24-gauge copper wires, which can transmit data at speeds up to 1000 Mb/s. This cabling category is available as both STP and UTP and is cited as Class E in ISO/IEC 11801 Ed. 2.2.

Category 6a: Also a cable type recognized by ANSI/TIA-568-C. It was officially accepted in February 2008 in the publication ANSI/TIA/EIA-568-B.2-10. It is used in networks running at speeds up to 10 Gbps [3, p. 1-169] [5, p. 11] [7]. This cabling category is available as both STP and UTP.
Of the various categories discussed, Category 5, 5e and 6 are the most commonly used cables today [3, p. 1-169]. There are other categories not covered in this paper, such as Category 7 and 7a, as they are presently not accepted by ANSI/TIA-568-C [5, p. 12].

Unshielded twisted-pair implementation

For implementing UTP in a LAN, the EIA/TIA defines three different implementation types, Straight-through, Crossover and Rollover, and specifies which one to choose when implementing a LAN [6] [7]. Table 1 shows the TIA/EIA standards for connecting UTP cables.

Table 1 TIA/EIA standard for connecting UTP cables [3, p. 1-173]
Pin number   T568A color     T568B color     Pin label
1            Green/white     White/orange    TX+
2            Green           Orange          TX-
3            Orange/white    Green/white     RX+
4            Blue            Blue            NC
5            Blue/white      Blue/white      NC
6            Orange          Green           RX-
7            Brown/white     Brown/white     NC
8            Brown           Brown           NC
Straight-through cable: A straight-through cable is a network cable type used in connecting dissimilar devices; the wires on both ends of the cable are in the same order. They are used in connecting devices like switches to routers, switches to PCs, servers to PCs etc. Figure 3 below shows the connection type and the devices it connects [6] [7].
Figure 3 UTP implementation of Straight through [7]
A straight-through cable has either T568A or T568B at each end, and both ends are crimped in the same way. Note: if both connectors (RJ-45) are held together in the same direction, the colored wires on the pins should be the same at both ends of the cable [7].

Crossover cables: A crossover cable is used in connecting similar devices, such as a switch to a switch, a hub to a switch, a hub to a hub and a router to a router [3, p. 1-173]. The RJ-45 connection between the source device and the destination device is cross-connected, i.e. not in the same order as in straight-through cables. See figure 4 below on how it is implemented; here some wires at the cable ends are crossed [6] [7].
Figure 4 UTP Implementation of Crossover [7]
A crossover cable has T568A at one end and T568B at the other end (both ends must be crimped differently). Note: when both connectors (RJ-45) are held in the same direction, you should notice that some wires on one end of the cable are matched to a different wire at the other end [7].

Rollover cables: These are cables used to connect to the console port of a router or a switch. The rollover implementation is entirely different from the previous UTP implementations. Here the eight pin wires of the rollover cable are connected as follows: pin 1 connects to pin 8, pin 2 connects to pin 7, and it continues in this fashion until all pins are crossed [6].

1.5.3. Coaxial Cables

Coaxial cables are also referred to as coax cables. They have a single copper conductor situated at the center. A plastic layer provides insulation between the center conductor and a braided metal shield. The metal shield helps in blocking interference from outside. Coaxial cable has some drawbacks, such as being very difficult to install; its advantages include a greater distance covered compared to twisted-pair cables. The specification for coaxial cable is also included in ANSI/TIA-568-C.4. Figure 5 below shows a typical example of a coaxial cable. They appear in different forms, but the basic architecture is the same [5, p. 19] [55].
Figure 5 shows a typical coaxial cable with a plastic layer housing the metal conductor [5, p. 19]
Coaxial cables are of two types:

Thick coaxial cable: Often referred to as thicknet, it has an additional protective plastic layer that keeps moisture away from the conductor situated at the center. Its specification is 10BASE5, where the 5 refers to the maximum distance it covers, which is 500 m. This coverage is the fundamental reason why thick coaxial cable is chosen when connecting devices over longer lengths in a business environment.

Thin coaxial cable: Also referred to as thinnet and mostly used in business networks, e.g. linear bus networks. The specification for thinnet is 10BASE2, where the 2 refers to the maximum distance of 200 m [55]. They are mostly used for closed-circuit TV, and in broadband and cable television (CATV) applications [5, p. 19].
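The three UTP implementations of section 1.5.2 (straight-through, crossover and rollover) follow directly from the Table 1 pin assignments, and the practical way to verify a wiring before trusting it is to trace every conductor from one RJ-45 to the other. The following Python script is an added example and not code from the paper: it encodes the Table 1 T568A/T568B colors and pin labels exactly as given there, derives the three mappings, and classifies any traced mapping by checking that the transmit pair lands on the far end's receive pair. The helper names (pin_map, classify, differing_pins) and the deliberately miswired cable in the usage section are my own constructions.

```python
"""UTP cable wiring model built from Table 1 (T568A / T568B pin assignments).

Added example, not code from the paper: it encodes the Table 1 pinouts, derives
the straight-through, crossover and rollover implementations of section 1.5.2,
and checks each one by tracing every conductor from one RJ-45 to the other.
"""

# Table 1 data: pin number -> wire color for each TIA/EIA wiring standard.
T568A = {1: "Green/white", 2: "Green", 3: "Orange/white", 4: "Blue",
         5: "Blue/white", 6: "Orange", 7: "Brown/white", 8: "Brown"}
T568B = {1: "White/orange", 2: "Orange", 3: "Green/white", 4: "Blue",
         5: "Blue/White", 6: "Green", 7: "Brown/White", 8: "Brown"}
STANDARDS = {"T568A": T568A, "T568B": T568B}

# Table 1 pin labels for a 10/100BASE-T port: TX pair on pins 1/2, RX pair on 3/6.
PIN_LABEL = {1: "TX+", 2: "TX-", 3: "RX+", 4: "NC", 5: "NC", 6: "RX-", 7: "NC", 8: "NC"}


def normalise(color):
    """Table 1 writes the same striped wire as 'Orange/white' and 'White/orange';
    sort the two parts so both spellings compare equal."""
    return "/".join(sorted(color.lower().split("/")))


def pin_map(end_a, end_b):
    """Trace each conductor by its color and return {pin at end A: pin at end B}.
    A conductor keeps its color along the cable, so it lands on whichever pin
    carries that color in the far end's standard."""
    far = {normalise(c): pin for pin, c in STANDARDS[end_b].items()}
    return {pin: far[normalise(c)] for pin, c in STANDARDS[end_a].items()}


def straight_through(standard="T568B"):
    """Same standard crimped at both ends: every wire in the same order."""
    return pin_map(standard, standard)


def crossover():
    """T568A at one end and T568B at the other."""
    return pin_map("T568A", "T568B")


def rollover():
    """Console cable: pin 1 to pin 8, pin 2 to pin 7, and so on."""
    return {pin: 9 - pin for pin in range(1, 9)}


def signal_paths(mapping):
    """{label at end A: label at end B} for the pins that carry a signal."""
    return {PIN_LABEL[a]: PIN_LABEL[b] for a, b in mapping.items() if PIN_LABEL[a] != "NC"}


def classify(mapping):
    """Name the implementation a traced cable corresponds to, or 'unknown' (miswire)."""
    if all(a == b for a, b in mapping.items()):
        return "straight-through"
    if all(a + b == 9 for a, b in mapping.items()):
        return "rollover"
    # A usable crossover must land the transmit pair on the far end's receive pair.
    if signal_paths(mapping) == {"TX+": "RX+", "TX-": "RX-", "RX+": "TX+", "RX-": "TX-"}:
        return "crossover"
    return "unknown"


def differing_pins(mapping):
    """Pins whose conductor arrives on a different pin number at the far end, i.e.
    the wires that look 'swapped' when both connectors are held the same way."""
    return sorted(a for a, b in mapping.items() if a != b)


if __name__ == "__main__":
    # Constructed miswire for illustration: only one wire of each pair crossed.
    miswired = dict(straight_through())
    miswired.update({1: 3, 3: 1})
    for name, cable in (("straight-through", straight_through()),
                        ("crossover", crossover()),
                        ("rollover", rollover()),
                        ("miswired", miswired)):
        print(f"{name:16s} -> {classify(cable):16s} differing pins: {differing_pins(cable)}")
```

Running the script prints, for each cable, its classification and the pins whose conductor arrives on a different pin number at the far end: an empty list for the straight-through cable, pins 1, 2, 3 and 6 for the crossover, and all eight pins for the rollover. The constructed miswire, which crosses only pins 1 and 3, is reported as unknown because its TX- conductor never reaches the far end's RX- pin, which is the kind of fault a cable tester flags as a miswire.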
1.5.4. Optical Fiber Optics Cable

Optical fiber is a medium that carries information and is made up of silica-based glass or plastic. It consists of a central part (the core) surrounded by a cladding, and these are the components that guide the light. The light travels down the fiber by internal reflection at the boundary between the core and the cladding. The major reasons why it is used are transmission over long distances and a higher data rate than other forms of communication [3, p. 1-170] [7]. Fibers are also used in place of metal wires because signals travel along them with less loss and with greater immunity to EMI [7]. It provides a cabling distance of approximately up to 1800 feet [3, p. 1-170].

Types of fiber optics

Single-mode fiber optic cable (SMF): Available in just one size; the core size is 9 micrometers and the cladding size is 125 micrometers. They are commonly used by telephone companies for transcontinental links, but they are not deployed in horizontal cabling such as connecting computers to a switch. Figure 6 illustrates the diameters and components of single-mode fiber. The coating or buffer in figure 6 has nothing to do with the light signal in the fiber; its goal is to shield the glass from scratches and dampness [7]. The light in this cable type travels down the fiber and does not rebound from the surrounding cladding as it moves down the link [5, p. 17] [3, p. 1-170].

Multimode fiber optic cable (MMF): MMF cable is applied in networking applications, e.g. 10BASE-FL, ATM, Gigabit Ethernet etc., which need fiber optics for both backbone and horizontal cabling. Multimode fiber, as the name implies, permits a section of the light pulse to spread through the cable [5, p. 18]. It is available in various sizes; the typical core size is 50 or 62.5 micrometers and the cladding size is 125 micrometers [3, p. 1-170].

See figure 6 for a single-mode diagram. Fibers are used to connect servers in a LAN environment, and both fiber types can be used because the distance is relatively small [3, p. 1-170].
Figure 6 Single Mode Optic Fiber [7]
The difference between single-mode fiber (SMF) and multimode fiber (MMF) is that SMF can carry light over a longer distance and at a higher bit rate. Therefore MMF is for shorter-distance implementations and is less expensive [7]. Note: fiber has a drawback in that it can easily be broken or scratched like glass, and if this happens it destroys the fiber. Another useful tip is to always keep the fiber dry [7].
1.6. Configuration Methods
The command-line interface (CLI) and the Cisco Security Device Manager (Cisco SDM) are the two ways in which Cisco devices can be configured.
1.6.1. Command-line Interface (CLI)
The CLI is used to enter parameters into the Cisco IOS. Both routers and switches use the same CLI. Commands are either typed or pasted within the configuration mode, and the parameters entered are parsed as soon as the enter key is pressed. If there are no syntax errors, the commands are executed and stored in the running configuration, but they are not saved to NVRAM until the administrator or user initiates this with the “copy running-config startup-config” command. This is the most transparent way to configure a router or switch, as it exposes the real configuration process, unlike SDM, which hides it [11, p. 1-4]. The CLI has command-line help functions such as context-sensitive help, a command history buffer and console error message facilities. To gain access to the CLI from the initial configuration dialog (setup mode), type “no” and press enter; the router or switch then reports whether its interfaces are up or down [13] [3, p. 2-48]. See the example below:

    System Configuration Dialog
    Continue with configuration dialog? [yes/no]: No
    Press RETURN to get started!
    Enter
    *Mar 1 00:00:05.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
    *Mar 1 00:00:06.811: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
    Router#

1.6.2. Cisco Security Device Manager (SDM)
Cisco SDM is a web-based application for the management of Cisco IOS devices. It was developed to configure LAN, WAN and security features on a router quickly and easily with the aid of smart wizards, without requiring further knowledge of the CLI. It is supported on a number of Cisco routers and associated Cisco IOS software versions [8] [9, p. 4-124]. Some of the features of Cisco SDM are:
Easy configuration and built-in application intelligence: Cisco SDM enables administrators to easily administer and implement routing, switching, security and quality-of-service (QoS) on Cisco routers. Figure 7 below shows what the Cisco SDM graphical user interface looks like and how it enables users, even unskilled ones, to monitor and configure Cisco devices without using the command-line interface, with the help of the built-in user assistance [8] [9, p. 4-125].
Figure 7 Cisco SDM configuration overview [8] [62]
It also enables administrators to configure and monitor routers from a remote location using Secure Sockets Layer (SSL), Secure Shell (SSHv2) or the Telnet protocol over the internet. For instance, when deployed at a branch office, it lets you configure and monitor the router from the corporate office, reducing the need for experienced network administrators on site [8].
Monitoring and troubleshooting: From the GUI (monitoring mode), Cisco SDM provides a quick status overview of router information and performance, such as whether an interface is up or down, CPU and memory usage etc. For wireless models it also provides real-time 802.11 a/b/g interface statistics. Cisco SDM provides thorough diagnostics and troubleshooting of WAN and VPN connections. VPN icons give a pass or fail status for monitoring the VPN as well as likely reasons for VPN failure. Furthermore, it provides the recovery actions recommended by the Cisco Technical Assistance Center (TAC) [8].
Cisco router security management: The GUI-based device management tool helps administrators efficiently manage Cisco IOS software security features such as Network Address Translation (NAT), access control lists (ACLs), firewall and Intrusion Prevention System (IPS), as seen in figure 7 above. The Cisco SDM smart wizard understands the routing and security features and guides the user to a final configuration that has been examined and approved by the Cisco TAC from end to end [8].
1.7. Techniques for accessing the Command Line Interface (CLI)
The CLI can be accessed through a console connection, Telnet or Secure Shell (SSH). Before one can access the CLI, a device (computer) must be connected to the console port of the switch or router [9, p. 4-113]. If the network device is configured to support Telnet or encrypted SSH, access is also possible through a remote Telnet or SSH session. The SSH or Telnet client must have network connectivity to the switch or router [17]. Note: an “enable secret password” or “enable password” must be configured to restrict access to privileged EXEC mode and thereby secure the device. Telnet ports on the router are known as virtual terminal lines (vty), which enable different users to administer the device at the same time [9, p. 4-113].
Secure Shell (SSH) versus Telnet access: Telnet is the most conventional way of accessing a network device, but it is insecure: the communication is in clear text and not encrypted, so the data streams can be captured and analyzed by an attacker, using Wireshark for example. SSH is the secure successor of Telnet and provides the same type of access. SSH exists in version one and version two (SSHv1 and SSHv2). SSHv2 is usually used because it uses stronger encryption algorithms. When SSH is enabled, an RSA (Rivest, Shamir and Adleman) key pair must be generated and, in addition, an IP domain name must be defined and assigned to the router [9, p. 4-119].
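The controls named in this section (a hashed enable secret, an IP domain name so that RSA keys can be generated, SSH version 2, and vty lines that do not accept Telnet) can be checked mechanically against a saved running-config. The following is an added example, not code from the thesis or from Cisco: the two configurations are constructed samples (the secret hash is a placeholder), and the checks are one interpretation of the section's requirements.

```python
"""Audit a Cisco IOS running-config for the remote-access controls discussed above.

Added example (not code from the thesis or from Cisco): the two configurations
below are constructed samples, and the checks are one interpretation of the
section's requirements: an enable secret must exist, an IP domain name must be
defined (needed before RSA keys can be generated), SSH version 2 must be
enforced, and the vty lines must not accept Telnet.
"""
import re

# Constructed sample with several weaknesses on purpose (not a real device config).
WEAK_CONFIG = """\
hostname R1
enable password cisco123
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# Constructed hardened counterpart; the secret hash is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname R1
ip domain-name example.test
enable secret 5 $1$PLACEHOLDER$NOTAREALHASH
ip ssh version 2
username admin secret PLACEHOLDER
!
line vty 0 4
 login local
 transport input ssh
!
end
"""


def vty_blocks(config):
    """Return the indented commands under each 'line vty' stanza as a list of lists."""
    lines = config.splitlines()
    blocks, i = [], 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            i += 1
            block = []
            while i < len(lines) and lines[i].startswith(" "):
                block.append(lines[i].strip())
                i += 1
            blocks.append(block)
        else:
            i += 1
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret': privileged EXEC is not protected by a hashed secret")
    if re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' present: plaintext or reversible password")
    if not re.search(r"^ip domain-name ", config, re.M):
        findings.append("no 'ip domain-name': RSA keys for SSH cannot be generated")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("SSH version 2 not enforced")
    blocks = vty_blocks(config)
    if not blocks:
        findings.append("no vty lines configured")
    for block in blocks:
        transports = [c for c in block if c.startswith("transport input")]
        if not transports:
            findings.append("vty: no 'transport input' statement (Telnet may be allowed by default)")
        for t in transports:
            if "telnet" in t.split() or t == "transport input all":
                findings.append(f"vty: Telnet permitted ({t})")
        if not any(c.startswith("login") for c in block):
            findings.append("vty: no login authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run against the weak sample, `audit` reports five findings (missing enable secret, an enable password, no domain name, no SSHv2, Telnet allowed on the vty lines); the hardened sample produces none. The same function can be pointed at the output of `show running-config` saved to a file during an audit.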
2. LAN Switching
2.1. Command modes of the IOS
It is essential to understand the different prompts when configuring the IOS, as this enables you to perform the right operation within the configuration mode [13]. The IOS uses a hierarchy of commands in its configuration mode structure, and each mode is distinguished from the others by a specific prompt. Each configuration mode provides a set of Cisco IOS commands associated with a type of operation on the device. As a security feature, the Cisco IOS software separates these executive (EXEC) sessions into three distinct classes [11, p. 1-4] [3, p. 2-47].
User EXEC mode: This mode is denoted by the greater-than symbol (>). It is the first mode you are placed in when you log directly into the CLI, and it offers a limited subset of commands. It enables you to execute basic tests and to list information about the device. To have full access to all commands one must enter privileged EXEC mode by typing “enable” or “en” [11, p. 1-4] [12].
Privileged EXEC mode: This mode is designated by the hash symbol (#). It grants access to all available commands on the device, and it can be password-protected so that administrative rights are granted only to authorized users. In this project this is implemented using a RADIUS server for authentication. This mode is mainly used for troubleshooting and for viewing the running configuration [11, p. 1-4] [3, p. 2-47]. From this mode, one enters global configuration mode by typing “configure terminal”, or “conf t” for short.
Global configuration mode: Represented by the “router(config)#” prompt. This is the primary configuration mode, and all commands entered in the CLI from this mode modify the whole device. See figure 8 for how to navigate from one configuration mode to another [11, p. 1-4].
Figure 8 Overview of Cisco IOS configuration Modes [11, p. 1-5]
2.2. Comparison of switches to hubs and bridges
Network hub: A hub is a network appliance that connects multiple computers together. It operates on layer one (the physical layer) of the Open Systems Interconnection (OSI) model and is similar to a repeater. When a hub receives a signal from a device on the network, it boosts the signal and retransmits it. Attaching a hub to a network extends the network segment so that data can be communicated over a wider range. A hub differs from a repeater in that it has multiple ports to connect multiple network devices. Hubs have no intelligence: they do not inspect the data passing through them and are not aware of the source or destination of a frame. Since a hub is a physical layer device, its mode of operation is to receive incoming bits, boost the electrical signal and transmit these bits to all devices connected to it [3, p. 2-6, 7]. Hubs have some limitations: they can only extend an Ethernet LAN and cannot terminate it; there is also a bandwidth constraint, because although each device has its own cable to the hub, all devices compete for the same bandwidth; the transmitted signal is sent to all connected devices, which makes the network vulnerable to attacks; and a hub uses half-duplex communication, which results in collisions when signals are sent at the same time. See figure 9 below for how a collision happens when both devices try to communicate at the same time [3, p. 2-6, 7].
Figure 9 shows a collision of frame between user 1 and user 2 [3, p. 2-7]
Network bridges: A network bridge is a device used for connecting networks together. Bridges are typically used to segment a LAN into smaller segments, as this reduces both traffic and collisions. They differ from switches in that they have fewer ports for LAN connectivity [3, p. 2-15]. Some of the most important characteristics of bridges are: they help reduce network traffic; they buffer frames between two or more segments; they operate on layer 2 of the OSI model; they are more intelligent than hubs because they can analyze frames, forward or drop frames sent to specific addresses, and maintain a MAC address table; and, most importantly, they create more collision domains, which enables users to communicate concurrently. This clearly distinguishes bridges from hubs, as a bridge delivers frames to a specific address, which enhances security. Bridges have features similar to switches, as both operate on layer 2 of the OSI model, but switches perform more advanced functions: they are faster and support different port speeds, unlike bridges [3, p. 2-15, 16, 20].
Network switches: A switch is a networking device that operates at the data link layer or the network layer of the OSI model. It forwards frames by using its MAC address table, which it builds from the source addresses of incoming frames and the port through which each frame entered the switch [3, p. 2-22].
Switches are similar to bridges and hubs in that they connect devices together, but with the greater capability of eliminating the collisions that occur with hubs. Unlike bridges, switches support improved functionality that makes them better, such as:
High port density: Unlike bridges with just two ports, switches have 24 and 48 ports and operate at speeds of 10 and 100 Mb/s respectively.
Large frame buffers: The capability to buffer received frames and to drop them only when there is congestion in the network [3, p. 2-18, 19].
With these capabilities, switched networks are the most prevalent type of LAN used today. The per-port price of switches has dropped so far that hubs and bridges are not even considered when deciding what to purchase [3, p. 2-23].
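The practical difference between a hub and a switch is visible in which ports each frame leaves from. The following simulation is an added example (not code from the thesis): a hub repeats every frame to every other port, whereas a switch learns the source MAC of each frame on its ingress port and, once it knows the destination, delivers the frame to that port only. The MAC addresses, port numbers and frames are constructed.

```python
"""Hub versus switch frame delivery, as an added illustration of the comparison
above (example code, not from the thesis). The frames, MAC addresses and port
numbers are constructed; the dotted MAC notation follows the text."""

BROADCAST = "ffff.ffff.ffff"


class Hub:
    """Layer 1 device: repeats every frame out of every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def deliver(self, ingress, src, dst):
        return [p for p in self.ports if p != ingress]


class Switch:
    """Layer 2 device: learns the source MAC of each frame on its ingress port and
    forwards by the MAC address table; unknown unicast and broadcast are flooded."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port on which it was last seen

    def deliver(self, ingress, src, dst):
        self.mac_table[src] = ingress  # learning step
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == ingress else [out]  # filter if already on that segment
        return [p for p in self.ports if p != ingress]  # flood


def run(device, frames):
    """Feed constructed frames (ingress_port, src_mac, dst_mac); return the egress ports of each."""
    return [device.deliver(*frame) for frame in frames]


# Constructed traffic: the host on port 1 broadcasts (e.g. an ARP request), the host
# on port 2 answers, then the two exchange unicast frames and a third host joins in.
FRAMES = [
    (1, "0000.0c11.1111", BROADCAST),
    (2, "0000.0c22.2222", "0000.0c11.1111"),
    (1, "0000.0c11.1111", "0000.0c22.2222"),
    (3, "0000.0c33.3333", "0000.0c22.2222"),
]

if __name__ == "__main__":
    print("hub:   ", run(Hub([1, 2, 3, 4]), FRAMES))
    print("switch:", run(Switch([1, 2, 3, 4]), FRAMES))
```

On the hub the unicast reply from port 2 is also delivered to ports 3 and 4, which is the exposure the text refers to; on the switch only the broadcast is flooded, and every later unicast frame reaches one port.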
2.3. Virtual local area networks and Trunks
A VLAN is a logical broadcast domain that can span multiple LAN segments. It is a group of end stations with a common set of requirements, irrespective of their physical location. A VLAN has the same features as a physical LAN except that it allows end stations to be grouped even when they are not located on the same network. VLANs also enable port grouping on a switch so that unicast, multicast and broadcast flooding can be limited. Note: a VLAN floods only to the ports associated with that VLAN, whereas ports in different VLANs are not flooded, and this enhances the overall performance of the network. VLANs can exist on a single switch or span multiple switches, as in this project. Figure 10 shows how VLANs can span multiple switches. Note: identical VLANs on different switches can exchange packets [11, p. 2-3, 6] [14].
Figure 10 VLANs spanning across switches regardless of their physical position [11, p. 2-6]
Some benefits of VLANs are:
They enable you to apply access and security policies to groups of users.
They allow for segmentation.
They create network flexibility.
However, for VLANs to communicate across a router, devices on the VLANs need to forward network traffic from one VLAN to another through the router interface; this is referred to as inter-VLAN routing. By default, a network device on one VLAN can never communicate with a device on a different VLAN, within or across a router. To permit this kind of communication, inter-VLAN routing is used. This communication takes place at layer 3 devices (routers or layer 3 switches). In this project, the router-on-a-stick configuration method was used to route packets between different VLANs with a single physical interface. This physical interface has several virtual interfaces (sub-interfaces) bound to it, each with its own IP address, which enable logical routing. See figure 11 for an example of a router-on-a-stick implementation with just one interface enabling communication between hosts on different VLANs [11, p. 2-3, 84, 86].
Figure 11 Inter-VLAN routing using the router-on-a-stick method [11, p. 2-84]
VLANs are arranged into various ranges in accordance with the IEEE 802.1Q standard. The key configuration difference is that extended-range VLANs can only be configured manually, while the other ranges can be propagated to other switches by using the VLAN Trunking Protocol (VTP). Table 2 describes the various ranges of VLANs [14].
Table 2 VLAN ranges [14]
VLANs      | Range    | Utilization                                                           | Replicated by VTP
0, 4095    | Reserved | Reserved for system use only; cannot be seen or used.                 | ----
1          | Normal   | Cisco default. This VLAN can be used but cannot be deleted.           | Yes
2-1001     | Normal   | For Ethernet VLANs. These VLANs can be created, modified and deleted. | Yes
1002-1005  | Normal   | Cisco default for FDDI and Token Ring. They also cannot be deleted.   | Yes
1006-4094  | Extended | For Ethernet VLANs only.                                              | No
Trunks: A trunk is a direct connection between one or more switch interfaces or with a similar networking device such as a router. An IEEE 802.1Q trunk enables inter-switch communication for multiple VLANs across the whole network. For a VLAN to span many switches, a trunk is required to link the switches together. Figure 12 shows trunk interfaces carrying different VLANs [11, p. 2-3, 15]. A switch interface is configured either as an access port or as a trunk port:
Access port: An access port has just one VLAN configured on its interface and can carry traffic for only that VLAN.
Trunk port: A trunk port can have multiple VLANs configured on its interface and carries traffic for all of them. Figure 12 shows how 802.1Q trunk ports are used in a network.
Figure 12 Trunk ports used in a network [11, p. 2-15, 17]
Traffic for several VLANs is delivered over a trunk port and kept separate by the IEEE 802.1Q encapsulation (tagging) technique. A 4-byte tag field is inserted into the frame header and carries the identity of the specific VLAN to which the frame belongs. This enables frames for different VLANs to pass through the same port while maintaining traffic segmentation between VLANs [11, p. 2-17] [15]. An Ethernet interface can be configured as a trunking or non-trunking port, or to negotiate trunking with the interface at the other end. Note: there is one native VLAN, VLAN 1 by default, whose frames are sent untagged; all other VLANs are tagged with their VLAN identifier (VLAN ID). It is the switch's duty to examine the 4-byte tag field to determine where to send the frame [11, p. 2-17, 18].
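The tag layout described above can be made concrete by building and parsing frames. The following is an added example, not code from the thesis: it inserts the 4-byte 802.1Q tag (the 0x8100 tag protocol identifier followed by priority, drop-eligible and 12-bit VLAN ID fields) after the source MAC, treats an untagged frame as belonging to the native VLAN 1 as the text states, and classifies a VLAN ID into the ranges of Table 2. The MAC addresses and payloads are constructed.

```python
"""Build and parse Ethernet frames with and without the IEEE 802.1Q tag described above.

Added example, not code from the thesis: the frames are constructed byte strings,
the MAC addresses are made up, and the native VLAN is taken to be VLAN 1 as the
text states."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a 4-byte 802.1Q tag
NATIVE_VLAN = 1          # untagged frames on a trunk belong to the native VLAN


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(".", ""))


def bytes_to_mac(b):
    h = b.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Return a frame; when vlan_id is given, insert the 802.1Q tag after the source MAC."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
        tci = (pcp & 0x7) << 13 | vlan_id   # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the fields a switch needs to pick the VLAN of a frame received on a trunk."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = bytes_to_mac(frame[0:6]), bytes_to_mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "tagged": True, "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "tagged": False, "vlan": NATIVE_VLAN,
            "pcp": 0, "ethertype": ethertype, "payload": frame[14:]}


def vlan_range(vid):
    """Classify a VLAN ID into the ranges of Table 2."""
    if vid in (0, 4095):
        return "reserved"
    if vid == 1:
        return "normal (default)"
    if 2 <= vid <= 1001:
        return "normal"
    if 1002 <= vid <= 1005:
        return "normal (FDDI/Token Ring defaults)"
    if 1006 <= vid <= 4094:
        return "extended"
    raise ValueError("VLAN ID out of range")


if __name__ == "__main__":
    ip_payload = b"\x45" + b"\x00" * 19   # constructed stand-in for an IPv4 header
    tagged = build_frame("0000.0c22.2222", "0000.0c11.1111", 0x0800, ip_payload, vlan_id=10)
    print(parse_frame(tagged))
    untagged = build_frame("0000.0c22.2222", "0000.0c11.1111", 0x0800, ip_payload)
    print(parse_frame(untagged))
```

A tagged frame is exactly four bytes longer than the same frame untagged, and the parser restores the original EtherType from the bytes following the tag. Rejecting IDs 0 and 4095 at build time mirrors the reserved row of Table 2.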
2.4. Spanning Tree Protocol
The Spanning Tree Protocol (STP) operates on the data link layer (layer 2) of the OSI model. It runs on both switches and bridges, and its specification, IEEE 802.1D, describes the algorithm that creates a loop-free logical topology while still allowing redundant links. Redundant links are vital for failover [15]. Many networks include redundant devices to mitigate single points of failure. Although this redundancy eliminates some potential network issues, it can introduce other network problems, such as:
Broadcast storm: Without a loop-avoidance mechanism in place, each switch or bridge floods broadcasts ceaselessly.
Multiple frame transmission: Numerous copies of a unicast frame may be delivered to the target device, which results in errors.
MAC database instability: This results from multiple copies of the same frame being received on different ports of the switch, which corrupts the forwarding of data [11, p. 2-44, 50].
Layer 2 LAN protocols lack a mechanism that can recognize and eliminate endless loops, whereas some layer 3 protocols implement a time-to-live (TTL) mechanism to limit the forwarding of packets. To remove these problems, the Spanning Tree Protocol was developed to eliminate any undesired loop while still providing path redundancy [11, p. 2-44, 50]. STP resolves loops in the following ways:
It enables layer 2 devices to exchange messages with each other and to discover the physical loops in the network.
It forces certain ports into standby mode so that they do not listen to, forward or flood data frames. In this case only one path to each network segment is active at any point in time.
If a connectivity problem arises on any path within the network, STP automatically renegotiates connectivity by activating the idle path that was previously forced into the standby state [11, p. 2-55].
Spanning tree operation: STP implements an algorithm referred to as the spanning tree algorithm. It selects a reference point, referred to as the root bridge, and determines the available paths to it. If multiple paths exist, STP selects the best path and blocks the others, producing a loop-free logical topology; if the redundant path is needed, STP automatically activates it. This is achieved in the three steps below [11, p. 2-56].
Elect a root bridge: STP chooses one bridge in the network as the root bridge. On the root bridge all ports are designated ports and are always in the forwarding state. Ports in the forwarding state can send and receive data frames.
Select the root port on each non-root bridge: STP selects one root port on each non-root bridge, which is the port on the lowest-cost path from that bridge to the root bridge. Root ports are always in the forwarding state.
Select the designated port on each segment: STP selects a designated port on each segment, on the switch that has the lowest-cost path to the root bridge. Designated ports are always in the forwarding state, while non-designated ports are always in the blocking state. A port in the blocking state still receives traffic but cannot forward it. This is necessary to prevent loops in the network. See figure 13 for the STP operation as described in my project [11, p. 2-56].
Figure 13 STP root bridge, designated and non-designated ports [11, p. 2-68]
When running STP, switches and bridges exchange information at regular intervals (every 2 seconds by default). This information is exchanged using a frame known as a bridge protocol data unit (BPDU), and part of the data it carries is the bridge ID (BID). The BID consists of a 2-byte priority value and the 6-byte bridge MAC address. The default priority, in conformity with IEEE 802.1D, is 32768 or 0x8000. In figure 13, switch A is the root bridge because it has the lowest BID (MAC 0000.0CDD.AAB5) [11, p. 2-57].
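The three steps above (root bridge by lowest BID, root port by lowest path cost, designated port per segment) can be carried out on a small topology. The following is an added example, not code from the thesis or an IEEE implementation: switch A's MAC 0000.0CDD.AAB5 is taken from the text, while the other MACs, port numbers and link costs (19, the 802.1D value for FastEthernet) are constructed. Path costs are found with Dijkstra's algorithm from the root, with ties broken by the lower BID as STP does.

```python
"""Root bridge election, root port and designated port selection for the STP
steps described above. Added example, not code from the thesis or an IEEE
implementation: switch A's MAC 0000.0CDD.AAB5 is taken from the text, the other
MACs, port numbers and link costs are constructed (cost 19 = 802.1D FastEthernet)."""
import heapq

DEFAULT_PRIORITY = 0x8000  # 32768, the IEEE 802.1D default


def bridge_id(priority, mac):
    """BID = 2-byte priority followed by the 6-byte MAC; the lowest BID wins."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


def elect_root(bridges):
    """bridges: {name: (priority, mac)}; returns the name of the root bridge."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def root_path(bridges, links):
    """links: (bridge_a, port_a, bridge_b, port_b, cost). Dijkstra from the root;
    returns {bridge: (root path cost, root port)} with ties broken by the sender's BID."""
    root = elect_root(bridges)
    adj = {n: [] for n in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pb, cost))   # reaching b from a: b uses port pb toward a
        adj[b].append((a, pa, cost))
    best = {root: (0, -1, None)}       # bridge -> (cost, sender BID, root port)
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > best[u][0]:
            continue
        for v, port_on_v, cost in adj[u]:
            cand = (d + cost, bridge_id(*bridges[u]), port_on_v)
            if v not in best or cand < best[v]:
                best[v] = cand
                heapq.heappush(heap, (d + cost, v))
    return {n: (c, port) for n, (c, _, port) in best.items()}


def port_roles(bridges, links):
    """Return {(bridge, port): 'designated' | 'root' | 'blocking'} for every link end."""
    path = root_path(bridges, links)
    roles = {}
    for a, pa, b, pb, cost in links:
        # the designated bridge on a segment has the lower (root path cost, BID)
        key_a = (path[a][0], bridge_id(*bridges[a]))
        key_b = (path[b][0], bridge_id(*bridges[b]))
        des, des_port, other, other_port = (a, pa, b, pb) if key_a < key_b else (b, pb, a, pa)
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = "root" if path[other][1] == other_port else "blocking"
    return roles


# Constructed triangle topology; A has the lowest MAC and therefore the lowest BID.
BRIDGES = {
    "A": (DEFAULT_PRIORITY, "0000.0cdd.aab5"),
    "B": (DEFAULT_PRIORITY, "0000.0cee.1111"),
    "C": (DEFAULT_PRIORITY, "0000.0cff.2222"),
}
LINKS = [("A", 1, "B", 1, 19), ("A", 2, "C", 1, 19), ("B", 2, "C", 2, 19)]

if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    for (bridge, port), role in sorted(port_roles(BRIDGES, LINKS).items()):
        print(f"{bridge} port {port}: {role}")
```

In the triangle, both of A's ports are designated, B and C each use their port 1 as root port, and on the B-C segment B wins the designated role by lower BID, so C's port 2 blocks; that single blocked port is what removes the loop. Lowering a bridge's priority field changes the election regardless of MAC, which is why the priority is an administrative setting rather than left at the default.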
2.5. Host-to-host packet delivery within and outside the network
A) Host-to-host communication within the same network: Host-to-host communication requires a layer 2 device that provides an interface to the physical media [3, p. 1-119]. The Address Resolution Protocol (ARP) table keeps the latest bindings of IP addresses to MAC addresses. When a node wants to send a packet to another node in the same network, it looks in the ARP table for an entry; if there is one, the device uses it, and if not, it uses ARP to obtain it. Note: the entries in the ARP table expire after 300 seconds by default if there is no communication between the nodes; if the node wants to communicate again, the entry is learned again. This timeout can be changed by configuration. The steps for host-to-host communication are as follows; see figure 14 below for a representation of this communication.
Step 1: Node A with the layer 3 address 192.168.3.1 wants to send packets to Node B with the layer 3 address 192.168.3.2 and needs a reliable connection, so the application uses the transport layer service and the Transmission Control Protocol (TCP) is chosen, as UDP is unreliable. TCP starts the session by passing a TCP header with the synchronization (SYN) bit set, addressed to Node B's IPv4 address.
Step 2: The TCP SYN segment is encapsulated in an IPv4 packet with the source and destination IP addresses received from TCP. Layer 2 must map the IP address of Node B to its MAC address, and it does this by requesting a mapping from ARP. The ARP table is checked and, assuming the two nodes have never exchanged data before, no entry is found. Layer 2 holds the packet until ARP provides the mapping.
Step 3: ARP builds an ARP request and instructs layer 2 to send it to the broadcast address. The ARP request is encapsulated in a layer 2 frame that uses the broadcast address given by ARP as the destination MAC address and Node A's own address as the source MAC address.
Step 4: Node B receives the frame sent to the broadcast address and strips the encapsulation; the remaining ARP request is passed to ARP and the ARP table is updated. ARP sends a response, instructing layer 2 to send a reply to Node A with the MAC address 0800.0222.2222. This is encapsulated in a layer 2 frame using the MAC address given by ARP (Node A) as the destination and Node B's address as the source MAC address. When Node A receives it, it strips the encapsulation and ARP updates its table with the IP and MAC address of Node B.
Step 5: Node A (layer 2) can now send the pending layer 2 frame, initiating the three-way handshake (TCP SYN). See figure 14 below for the process within the same network.
Figure 14 Communication between hosts and the data transmission channel within the same network [3, p. 1-125 to 1-136]
Step 6: At Node B with IP address 192.168.3.2, the frame is moved up the stack in the OSI model, where the encapsulation is stripped off and the remaining protocol data unit (PDU) is passed to TCP. In response to the SYN, TCP passes a SYN ACK down the OSI model to be encapsulated and sent to 192.168.3.1 (Node A).
Step 7: At Node A (192.168.3.1) the frame is moved up the OSI model, where the encapsulation is stripped off and the SYN ACK is passed to TCP. Now Node A has to notify Node B that the SYN ACK has arrived, so an ACK is sent to Node B. The three-way handshake is now established, and TCP informs Node B that the session has been set up. Both nodes can now transmit data over the channel, relying on TCP for error detection and reliable transfer. When host B receives a frame with application data, it is moved up the OSI model, the encapsulation is removed and the data is delivered to the right application, as shown in figure 14 above [3, p. 1-125 to 1-136].
B) Host-to-host communication outside the same network: The preceding transmission within the same network was possible because ARP was able to map the MAC address to the IP address of the destination end device. However, when the nodes are not on the same network, the transmitting node has to send the data to the default gateway, which routes the data along the right path. The default gateway is the router interface attached to the local network; it has a layer 3 address that matches the network address of the nodes, and the hosts are configured with the address of the gateway [3, p. 1-138]. In this scenario we assume that a routing protocol has been configured to route packets to their destinations, so that the next-hop router to which the packet is to be forwarded is known. This is done by using a route that maps the destination network address to the next hop and then forwarding the packet to that next-hop address. See figure 15 below, which shows the process of packet delivery outside the same network.
Figure 15 Packet delivery outside the same network [9, p. 4-90 to 4-100]
Step 1: In network 1, the mapping between the layer 3 and layer 2 address of the default gateway is looked up; if the mapping is not found, ARP holds the packet while it obtains the mapping, and the router replies with its MAC address.
Step 2: Host A then assembles its packet with its own IP address and the destination IP address of host B, and frames it with its own MAC address as the source and the MAC address of its router as the destination.
Step 3: The packet arrives at router 1. The layer 3 device (router) notices that the destination IP address differs from its own, de-encapsulates the packet, looks up its routing table and finds the route towards the destination network. The router re-encapsulates the packet with its own layer 2 source MAC address and the destination MAC address of router 2 in network 2, and sends it to that destination MAC address (router 2).
Step 4: The packet arrives at router 2. The router de-encapsulates the packet and discovers that it is to be sent on to another destination; it re-encapsulates the packet with the source MAC address of router 2's interface in network 3 and the destination MAC address of host B, and the packet is delivered to host B [9, p. 4-90 to 4-100] [16].
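Both scenarios in this section hinge on one decision at the sending host: resolve the destination's MAC address directly when it lies on the local network, otherwise resolve the default gateway's MAC and address the frame to it, consulting the ARP cache first and issuing a broadcast ARP request only on a miss or after the 300-second expiry. The following is an added example, not code from the thesis: the addresses 192.168.3.1, 192.168.3.2 and the MAC 0800.0222.2222 come from the text, while the gateway address and MAC, Node A's MAC and the remote host are constructed.

```python
"""Same-network versus default-gateway delivery with an ARP cache, following
the steps in 2.5. Added example, not code from the thesis: the addresses
192.168.3.1, 192.168.3.2 and the MAC 0800.0222.2222 come from the text; the
gateway, its MAC, Node A's MAC and the remote host are constructed."""
import ipaddress

ARP_TIMEOUT = 300  # seconds; the default expiry stated in the text
BROADCAST_MAC = "ffff.ffff.ffff"


class ArpCache:
    def __init__(self, timeout=ARP_TIMEOUT):
        self.timeout = timeout
        self.entries = {}  # ip -> (mac, time learned)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)

    def lookup(self, ip, now):
        """Return the cached MAC, or None if absent or older than the timeout."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned = entry
        if now - learned >= self.timeout:
            del self.entries[ip]
            return None
        return mac


class Host:
    def __init__(self, ip, prefix_len, mac, gateway):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
        self.mac = mac
        self.gateway = ipaddress.ip_address(gateway)
        self.arp = ArpCache()

    def next_hop(self, dst_ip):
        """Resolve the destination itself when it is on the local network, else the gateway."""
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.iface.network else self.gateway

    def frame_for(self, dst_ip, now, resolver):
        """Return the layer 2/3 addressing of the frame that carries a packet to dst_ip.
        resolver(ip) -> mac stands in for the ARP request/reply exchange on the wire."""
        hop = self.next_hop(dst_ip)
        events = []
        mac = self.arp.lookup(hop, now)
        if mac is None:
            events.append(f"ARP request to {BROADCAST_MAC}: who has {hop}?")
            mac = resolver(str(hop))
            self.arp.learn(hop, mac, now)
        return {"dst_mac": mac, "src_mac": self.mac, "dst_ip": dst_ip, "events": events}


# Constructed neighbours on Node A's segment: Node B and the default gateway.
NEIGHBOURS = {"192.168.3.2": "0800.0222.2222", "192.168.3.254": "0800.0aaa.0001"}


def node_a():
    return Host("192.168.3.1", 24, "0800.0111.1111", "192.168.3.254")


if __name__ == "__main__":
    a = node_a()
    for dst, t in (("192.168.3.2", 0), ("192.168.3.2", 100), ("192.168.3.2", 400), ("10.0.0.5", 401)):
        print(t, dst, a.frame_for(dst, t, NEIGHBOURS.__getitem__))
```

The first frame to Node B triggers an ARP request, the second (100 s later) is served from the cache, the third (400 s later) triggers a new request because the entry has expired, and the frame for 10.0.0.5 is addressed at layer 2 to the gateway while keeping the remote host as its layer 3 destination.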
3. Routing
3.1. Dynamic Host Configuration Protocol (DHCP) Server
The DHCP service allows devices in the network to obtain an IP address automatically from the DHCP server. The server assigns the IP address, subnet mask and Domain Name Service (DNS) server [3, p. 1-78]. DHCP supports the following three mechanisms for IP address allocation:
Automatic allocation: The IP address is allocated permanently to the client.
Dynamic allocation: The IP address is allocated to the host for a finite, configurable time (until the client requests renewal).
Manual allocation: The IP address is assigned manually by the administrator, and the DHCP server is used to deliver the assigned address to the client [9, p. 4-138].
The process of obtaining an IP address: A DHCP server processes a client's request based on its bindings for that client. A DHCP server can receive the following messages from a client:
DHCPDISCOVER: This request occurs when a client boots for the first time and sends a DHCPDISCOVER message on its local physical subnet. The message is an all-subnets broadcast, as the client does not yet know which subnet it belongs to or its own IP address; the source IP address 0.0.0.0 (null) and the all-subnets broadcast destination address 255.255.255.255 are used to communicate with the server over TCP/IP.
DHCPOFFER: The DHCP server receives the DHCPDISCOVER request and replies with a DHCPOFFER message that contains an IP address selected from its IP pool. The DHCPOFFER message can also include the subnet mask and default gateway.
DHCPREQUEST: After acknowledging the DHCPOFFER, the client expresses its acceptance of the offer and sends a broadcast at layer 2 and layer 3, because the client is not sure whether it can successfully use the address or whether the same IP address has been offered to another DHCP client. Note: this is termed a request because the client can decline the offer and request another IP address.
DHCPACK: When the DHCP server receives the DHCPREQUEST message, it replies with a unicast DHCPACK message, completing the process of assigning the IP address [9, p. 4-139].
See figure 16 below, which shows how clients request an IP address and how the entire process is laid out.
Figure 16 The DHCP IP allocation process [9, p. 4-139]
In this project, the cisco router was used as the DHCP server as it provides DHCP server support features.
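The four-message exchange above can be traced end to end with a small server model that keeps bindings per client MAC, as the text describes. The following is an added example, not code from the thesis or Cisco IOS: the pool, subnet parameters and client MACs are constructed; the DHCPOFFER is sent to the broadcast address here (assumption, since the client has no address yet), the DHCPACK is unicast to the assigned address as the text states, and a DHCPNAK reply for a request that does not match the server's offer is included although the text describes only the four messages.

```python
"""Simulate the DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK exchange from 3.1.

Added example, not code from the thesis or Cisco IOS: the pool, subnet
parameters and client MACs are constructed, and a DHCPNAK reply for a request
that does not match the server's offer is included even though the text
describes only the four messages above."""
import ipaddress

UNSPECIFIED = "0.0.0.0"           # the client has no address yet
LIMITED_BROADCAST = "255.255.255.255"
BROADCAST_MAC = "ffff.ffff.ffff"


def message(kind, src_ip, dst_ip, src_mac, dst_mac, **fields):
    return {"type": kind, "src_ip": src_ip, "dst_ip": dst_ip,
            "src_mac": src_mac, "dst_mac": dst_mac, **fields}


class DhcpServer:
    def __init__(self, ip, mac, pool_first, pool_last, mask, gateway, dns, lease=86400):
        self.ip, self.mac = ip, mac
        first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
        self.free = [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)]
        self.offered = {}    # client MAC -> address offered but not yet acknowledged
        self.bindings = {}   # client MAC -> address in use (the server's bindings)
        self.params = {"mask": mask, "gateway": gateway, "dns": dns, "lease": lease}

    def handle(self, m):
        client = m["src_mac"]
        if m["type"] == "DHCPDISCOVER":
            addr = self.bindings.get(client) or self.offered.get(client)
            if addr is None:
                if not self.free:
                    return None   # pool exhausted: no offer is made
                addr = self.free.pop(0)
                self.offered[client] = addr
            return message("DHCPOFFER", self.ip, LIMITED_BROADCAST, self.mac, BROADCAST_MAC,
                           yiaddr=addr, server=self.ip, **self.params)
        if m["type"] == "DHCPREQUEST":
            if m.get("server") != self.ip:
                return None   # the client accepted another server's offer
            expected = self.bindings.get(client) or self.offered.get(client)
            if m.get("requested") != expected:
                return message("DHCPNAK", self.ip, LIMITED_BROADCAST, self.mac, BROADCAST_MAC)
            self.bindings[client] = expected
            self.offered.pop(client, None)
            # the acknowledgement is unicast to the address just assigned
            return message("DHCPACK", self.ip, expected, self.mac, client,
                           yiaddr=expected, server=self.ip, **self.params)
        return None


def dora(client_mac, server):
    """Run the four-step exchange for one client; return (assigned address, transcript)."""
    transcript = []
    discover = message("DHCPDISCOVER", UNSPECIFIED, LIMITED_BROADCAST, client_mac, BROADCAST_MAC)
    transcript.append(discover)
    offer = server.handle(discover)
    if offer is None:
        return None, transcript
    transcript.append(offer)
    # the request is still broadcast: the client may not use the address until acknowledged
    request = message("DHCPREQUEST", UNSPECIFIED, LIMITED_BROADCAST, client_mac, BROADCAST_MAC,
                      requested=offer["yiaddr"], server=offer["server"])
    transcript.append(request)
    ack = server.handle(request)
    transcript.append(ack)
    assigned = ack["yiaddr"] if ack["type"] == "DHCPACK" else None
    return assigned, transcript


def demo_server():
    """Constructed server: a router acting as DHCP server for 192.168.10.0/24 with a two-address pool."""
    return DhcpServer("192.168.10.1", "0000.0c00.0001", "192.168.10.100", "192.168.10.101",
                      "255.255.255.0", "192.168.10.1", "192.168.10.1")


if __name__ == "__main__":
    srv = demo_server()
    addr, log = dora("0800.0111.1111", srv)
    for m in log:
        print(f"{m['type']:<13} {m['src_ip']:>15} -> {m['dst_ip']:<15} {m['src_mac']} -> {m['dst_mac']}")
    print("assigned:", addr)
```

A deliberately tiny pool shows the failure mode: the third client receives no offer, while a client that already holds a binding gets the same address back when it rediscovers.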
3.2. Access Control Lists (ACLs)
Within a LAN, where a firewall is often not implemented, network devices such as routers can provide packet-filtering capabilities using ACLs. ACLs provide good management of access policies for device administration; they enhance the security of the organization's infrastructure and provide a precise way to control traffic on the network [18, p. 6-4] [19]. By default IP traffic is routed in and out of the router interfaces, so ACLs restrict access by examining packets based on criteria such as destination address, source address, protocol and port numbers, and either permitting or denying the traffic. Masks are used alongside the IP addresses; they are written in reverse form, e.g. 0.0.0.255, are referred to as inverse masks or wildcard masks, and specify which bits of the IP address must match [18, p. 6-4] [19].
ACL applications: ACL applications fall into two categories, filtering and classification.
Filtering: Packet filtering, also called static packet filtering, provides an ordered set of rules for filtering traffic on the network by analyzing incoming and outgoing packets and allowing or denying them based on the stated rules. Note: when a packet is discarded, the router notifies the sender that the destination is unreachable in response to a ping, and returns an administratively prohibited response (!A * !A) to a “traceroute” command.
Classification: IP ACLs organize and differentiate traffic, which enables special handling for the traffic defined in the ACL. For example, they are used with Network Address Translation (NAT) to determine which addresses are to be translated, to identify routes redistributed from one routing protocol to another, and to identify the type of traffic that is to be encrypted across a virtual private network (VPN) [18, p. 6-4].
Access control list operation: An ACL is a router configuration script that controls whether a packet is permitted or denied according to criteria defined on the packet header. ACLs operate in two ways:
Inbound ACLs: Incoming packets are examined as they enter an interface, before they are routed to the outbound interface. Inbound ACLs are efficient because they save the routing lookup if the packet is going to be denied anyway. If the inbound ACL permits a packet, it is then routed.
Outbound ACLs: Incoming packets are not examined as they enter the interface but as they exit it, i.e. on the outbound interface. This happens in two stages. First, when a packet enters an interface, the router checks its routing table to see whether it can be routed; if not, the router drops the packet. Second, the router checks whether the destination interface is bound to an ACL and, if not, sends the packet. If the interface is bound to an ACL, the packet is tested against the ACL statements, and if it is not permitted it is dropped. See figure 17 below for a graphical illustration of the ACL process [18, p. 6-8, 9].
Figure 17 outbound access control process [18, p. 6-8].
ACL statements are processed in order from the top. If a packet matches the criteria of a statement (its packet header matches), the packet is permitted or denied according to that statement and all remaining statements are ignored. If the packet does not match a statement, it is tested against the next one, and this continues until the list of statements is exhausted. Finally, an implicit “deny any any” statement applies to every packet that matched no statement. Because of this implicit statement, an ACL should have at least one permit statement to avoid all packets being dropped [18, p. 6-8].
Types of ACLs: ACLs can be grouped into two distinct classes:
Standard ACLs: This type of ACL is straightforward, as it filters packets based only on the source address. The result is that the packet is denied or permitted based on the source network, subnet or host IP address. Protocols used here are TCP and UDP. Extended ACLs: Here both the source and destination addresses of the packet are checked, which gives more control than standard ACLs: the administrator can deny or permit specific protocols and port numbers [18, p. 6-8].
There are also two techniques by which an ACL can be identified:
Numbered ACLs: Use only numbers for identification, which is a major drawback, as a number does not convey what the ACL is for. Named ACLs: Use descriptive alphanumeric names for identification. Their major advantage is that an administrator can edit them and choose whatever name suits the purpose. See table 3 below for the number ranges of the various IP access lists [18, p. 6-11]. Table 3 showing some protocol ACL numbers [18, p. 6-13]
Protocol: Ranges
Standard IP: 1-99
Extended IP: 100-199
Standard IP (Expanded): 1300-1999
Extended IP (Expanded): 2000-2699
AppleTalk: 600-699
Regardless of the ACL type used, an administrator can configure ACLs on a router only within three rules: one ACL per interface, per direction and per protocol. Some configuration guidelines for ACLs are as follows:
Extended ACLs should be placed as close as possible to the source of the traffic to be denied; that way, unwanted traffic is filtered as it enters the network infrastructure. Since standard ACLs filter packets based on the source address and do not specify a destination address, they should be placed as close to the destination interface as possible [18, p. 6-8, 12, 16].
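As an added illustration (not code from the report or from [18]), the following Python simulates the first-match evaluation described above for a standard and an extended ACL, with Cisco wildcard masks and the implicit deny. The entries, addresses and the IOS equivalents quoted in the comments are constructed for this example.

```python
"""Added example (not from the report): first-match evaluation of Cisco-style
standard and extended ACL statements, including wildcard masks and the implicit
'deny any any' that ends every ACL."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class AclEntry:
    action: str                          # "permit" or "deny"
    proto: str = "ip"                    # "ip" matches any protocol; standard ACLs use this
    src: str = "0.0.0.0"                 # source address to compare against
    src_wild: str = "255.255.255.255"    # wildcard: 0 bits must match, 1 bits are ignored
    dst: str = "0.0.0.0"                 # extended ACLs only
    dst_wild: str = "255.255.255.255"
    dst_port: Optional[int] = None       # extended ACLs only; None means any port


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard semantics: every bit that is 0 in the wildcard must be equal."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


def evaluate_acl(acl: List[AclEntry], proto: str, src: str, dst: str,
                 dst_port: Optional[int] = None) -> str:
    """Return the action of the first statement the packet matches.

    Statements after the first match are never consulted, so order matters, and a
    packet that matches nothing hits the implicit 'deny any any' at the end.
    """
    for entry in acl:
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if not wildcard_match(src, entry.src, entry.src_wild):
            continue
        if not wildcard_match(dst, entry.dst, entry.dst_wild):
            continue
        if entry.dst_port is not None and entry.dst_port != dst_port:
            continue
        return entry.action
    return "deny"   # implicit deny any any: an ACL without a permit drops everything


# Constructed sample, standard ACL 10: block one host, permit the rest of 192.168.1.0/24.
# IOS equivalent: access-list 10 deny 192.168.1.11 0.0.0.0
#                 access-list 10 permit 192.168.1.0 0.0.0.255
STANDARD_ACL_10 = [
    AclEntry("deny", src="192.168.1.11", src_wild="0.0.0.0"),
    AclEntry("permit", src="192.168.1.0", src_wild="0.0.0.255"),
]

# Constructed sample, extended ACL 110: the LAN may reach only the SMTP server on tcp/25.
# IOS equivalent: access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.17 eq 25
EXTENDED_ACL_110 = [
    AclEntry("permit", proto="tcp", src="192.168.1.0", src_wild="0.0.0.255",
             dst="192.168.2.17", dst_wild="0.0.0.0", dst_port=25),
]


def order_matters() -> bool:
    """Same two statements reversed: the /24 permit now matches 192.168.1.11 first,
    so the host-specific deny is never reached. Returns True to show the difference."""
    reversed_acl = list(reversed(STANDARD_ACL_10))
    return (evaluate_acl(STANDARD_ACL_10, "tcp", "192.168.1.11", "10.0.0.1", 80) == "deny"
            and evaluate_acl(reversed_acl, "tcp", "192.168.1.11", "10.0.0.1", 80) == "permit")


if __name__ == "__main__":
    print(evaluate_acl(STANDARD_ACL_10, "udp", "192.168.1.50", "10.0.0.1", 53))      # permit
    print(evaluate_acl(EXTENDED_ACL_110, "tcp", "192.168.1.50", "192.168.2.17", 80))  # deny
    print(order_matters())                                                             # True
```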
3.3. Enhanced Interior Gateway Routing Protocol (EIGRP) EIGRP is a Cisco proprietary routing protocol designed to address the flaws of both distance vector and link state routing protocols. It is widely used in large enterprise networks, as it combines the advantages of both classes [11, p. 5-1] [20]. EIGRP Features: EIGRP behaves similarly to a link state routing protocol in that it uses “Hello” messages to establish neighbor relationships and sends partial updates only when changes occur. However, its design is based on the key distance vector principle of learning about other networks from directly connected neighbors. It is therefore regarded as an advanced distance vector or hybrid routing protocol, with the following features [11, p. 5-4]. Rapid convergence: EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve fast convergence. The computational engine that runs DUAL resides at the core of the routing protocol; it guarantees loop freedom and backup paths throughout the network. A router running EIGRP stores all available backup routes. When a route fails, it switches immediately to the best remaining path; if none exists, it queries its neighbors to learn about an alternate route. Reduced bandwidth usage: EIGRP describes its updates as partial and bounded. Partial means that, instead of sending its entire routing table, it sends only the incremental changes when a route changes; bounded means that updates are sent only to the routers that are affected. By sending only the information needed, and only to the routers affected, EIGRP reduces the bandwidth that would otherwise be required to send large updates. Multiple network layer support: It supports several network layer protocols, such as IP version 4 (IPv4), IPv6 and AppleTalk. Classless routing: EIGRP advertises the subnet mask for each destination network.
This allows EIGRP to support discontiguous networks and variable length subnet masks. Easy summarization: This feature allows route summaries to be created anywhere in the network, unlike OSPF, which configures route summarization only at specific points in the network [11, p. 5-4, 5] [20]. Each EIGRP router maintains an EIGRP neighbor table listing the directly connected routers with which it has an adjacency; from the routes they advertise it chooses the best route and updates its routing table. To determine the best route (successor) and the backup route (feasible successor), EIGRP uses these two quantities:
Advertised distance: This is the EIGRP metric for an EIGRP neighbor to reach a given network. It is also called the reported distance. Feasible distance: This is the advertised distance for a specific network learned from a neighbor plus the EIGRP metric to reach that neighbor. It is the metric for reaching the remote network.
The router computes the feasible distance via every neighbor, selects the lowest and places it in its routing table. This feasible distance becomes the EIGRP metric for reaching the designated network, and the best route becomes the successor. Figure 18 shows how the paths are calculated from the advertised distances (in the IP EIGRP topology table). Router B chooses router A as the successor for the 192.168.1.0/24 network, and router C as the feasible successor, to be used when the successor’s link is no longer available [11, p. 5-6].
Figure 18 EIGRP path calculations on router C in choosing the best route [11, p. 5-7]
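An added example, not from the report or from [11]: the successor and feasible successor selection described above, computed over a constructed topology table for 192.168.1.0/24 with three neighbours (A, B and D), including what happens when the successor is lost.

```python
"""Added example (not from the report): EIGRP successor / feasible successor
selection using the report's two quantities, advertised distance (AD) and
feasible distance (FD = metric to the neighbour + AD). Metric values are
constructed and kept small; real EIGRP composite metrics are much larger."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TopologyEntry:
    neighbor: str
    link_metric: int            # this router's metric to reach the neighbour
    advertised_distance: int    # the neighbour's own metric to the destination (reported distance)

    @property
    def feasible_distance(self) -> int:
        return self.link_metric + self.advertised_distance


def select_paths(entries: List[TopologyEntry]) -> Tuple[Optional[TopologyEntry], List[TopologyEntry]]:
    """Successor: the entry with the lowest FD. Feasible successors: the other
    entries whose AD is strictly below the successor's FD (DUAL's feasibility
    condition, which is what guarantees the backup path cannot loop back through
    this router). Entries failing the condition stay in the topology table but
    cannot be promoted without a query."""
    if not entries:
        return None, []
    successor = min(entries, key=lambda e: e.feasible_distance)
    fd = successor.feasible_distance
    feasible = [e for e in entries if e is not successor and e.advertised_distance < fd]
    feasible.sort(key=lambda e: e.feasible_distance)
    return successor, feasible


def failover(entries: List[TopologyEntry], failed_neighbor: str) -> Tuple[Optional[TopologyEntry], bool]:
    """Simulate losing one neighbour. Returns (successor afterwards, queried):
    queried is True when no feasible successor existed, i.e. the router would
    have to send DUAL queries to its neighbours to learn an alternate route."""
    successor, feasible = select_paths(entries)
    if successor is None or successor.neighbor != failed_neighbor:
        return successor, False                 # the active path is unaffected
    remaining = [e for e in entries if e.neighbor != failed_neighbor]
    new_successor, _ = select_paths(remaining)
    return new_successor, not feasible          # no feasible successor: DUAL must query


# Constructed topology table on router C for 192.168.1.0/24 via three neighbours.
TOPOLOGY_C = [
    TopologyEntry("A", link_metric=10, advertised_distance=20),  # FD 30: successor
    TopologyEntry("B", link_metric=15, advertised_distance=25),  # FD 40, AD 25 < 30: feasible successor
    TopologyEntry("D", link_metric=5, advertised_distance=35),   # FD 40, AD 35 >= 30: not feasible
]


if __name__ == "__main__":
    successor, feasible = select_paths(TOPOLOGY_C)
    print("successor", successor.neighbor, "FD", successor.feasible_distance)
    print("feasible successors", [e.neighbor for e in feasible])
    print("after losing A:", failover(TOPOLOGY_C, "A"))
```

Note that B and D have the same feasible distance, yet only B qualifies as a backup: the feasibility condition is on the advertised distance, not the total.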
3.4. Comparing EIGRP to other routing protocols In order to describe this extensively, we first group the routing protocols into classes: Distance Vector, e.g. Routing Information Protocol (RIPv1 and RIPv2); Advanced Distance Vector, e.g. EIGRP; and Link State, e.g. Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS). Please refer to table 4 below for a comparison of these protocols.
Distance vector: Determines routes in a network by direction and distance (a metric such as hop count in the case of RIP). It periodically sends complete updates to all connected devices, which in large networks results in high traffic on the links, and it has no complete map of the network topology; its view of the network is based on the information obtained from its neighbors. All a distance vector router knows is which interface to send packets out of to reach a network. Link state: It uses the Shortest Path First (SPF) algorithm and builds a conceptual topology of the entire network or, in some cases, of the area in which the router is situated. A link state router runs the shortest path algorithm over this topology to select the best path to the desired destination. Unlike distance vector, it does not send complete updates periodically; rather, it uses event-triggered updates containing only the specific change. Hello messages are exchanged between directly connected neighbors, whereas an advanced distance vector router exchanges information only with its successor. Advanced distance vector: This combines the advantages of the distance vector and link state algorithms [11, p. 3-10].
Table 4 Showing similarities and differences between these protocols [21]
Features: RIP (Version 1 and 2); OSPF; EIGRP
Uses subnet: RIP: Ver1: No, classful; Ver2: Yes, classless. OSPF: Yes, classless. EIGRP: Yes, classless.
Protocol used: RIP: Distance vector, open. OSPF: Link state, open. EIGRP: Hybrid, proprietary.
Administrative distance: RIP: 120. OSPF: 110. EIGRP: 90.
Metric utilized: RIP: Hop count. OSPF: Cost. EIGRP: Reliability, load and delay.
Topology type: RIP: Flat topology. OSPF: Yes, uses areas. EIGRP: No.
Tables maintained: RIP: Routing table. OSPF: Routing, neighbor and topology tables. EIGRP: Routing, neighbor and topology tables too.
Max hop count: RIP: 15 maximum. OSPF: No limit. EIGRP: 255 (default 100).
Convergence: RIP: Slow. OSPF: Fast. EIGRP: Fast.
Load balancing: RIP: 6 equal-cost paths. OSPF: 6 equal-cost paths. EIGRP: 6 equal/unequal-cost paths.
Algorithm used: RIP: Bellman-Ford. OSPF: Dijkstra SPF. EIGRP: DUAL.
Neighbor discovery: RIP: Ver1: No; Ver2: Yes. OSPF: Discovers neighbors. EIGRP: Discovers neighbors.
Addresses used: RIP: Ver1: Broadcast; Ver2: Multicast 224.0.0.9. OSPF: Multicast 224.0.0.5 and 224.0.0.6. EIGRP: Multicast 224.0.0.10.
Type of updates: RIP: Sends its entire routing information in every update. OSPF: Sends triggered updates on partial changes to neighbors. EIGRP: Sends partial updates to the affected routers only.
Time for discovering neighbors: RIP: Every 30 seconds. OSPF: Every 10 seconds by default. EIGRP: Every 5 seconds, and 60 seconds on WANs.
Commands for configuration:
RIP (version 1): R(config)#router rip; R(config-router)#ver 1; R(config-router)#network 196.165.1.0 (Note: the zeroes after the network address 196.165.1.0 signify that the host bits are unchanged, as this is the network address of a class C network.) For version 2: R(config-router)#ver 2, which takes you into version 2 config mode.
OSPF: R(config)#router ospf 10; R(config-router)#network 196.165.1.0 0.0.0.255
EIGRP: R(config)#router eigrp 10; R(config-router)#network 196.165.1.0; R(config-router)#no auto-summary (this is done to avoid unnecessary route summarization).
Commands for troubleshooting: RIP: #show ip route, #debug ip rip, #show ip protocol, etc. OSPF: #show ip route, #show ip protocol, #show ip ospf neighbor, #show ip ospf interface. EIGRP: #show ip route, #show ip eigrp neighbor, #show ip eigrp topology.
3.5. Network Address Translation (NAT) NAT and Port Address Translation (PAT) are techniques used to conserve IPv4 addresses [18, p. 7-3]. Networks are often administered using private IPv4 addresses, as defined in RFC 1631, which gives organizations flexibility in network design. Private IPv4 addresses are not routed over the internet, and there are not enough public IPv4 addresses for everyone. In order for a client on an internal network to communicate with an external network over the internet, these private IPv4 addresses need to be translated, and the mechanism for this is NAT [9, p. 5-36, 37]. Forms of Network Address Translation:
Static NAT: Manually configured by an administrator to map a private IPv4 address to a public IPv4 address on a one-to-one basis. Dynamic NAT: Dynamically maps unregistered (private) IPv4 addresses to registered (public) IPv4 addresses, again one to one. NAT Overload (PAT): A kind of dynamic NAT in which the source port is used together with the IPv4 address to identify a particular user’s workstation. This makes it possible for up to 65,536 clients to be mapped to a single outside address (a many-to-one relationship), hence the term NAT overload [18, p. 7-6] [22].
NAT operates on layer 3 devices: it connects two networks and translates the inside local addresses (private IPv4 addresses) of the internal network into inside global addresses (public IPv4 addresses) before packets are routed. NAT can be configured to present just a single address to outside networks, hiding the internal network addresses and thus providing some additional security by keeping the internal hosts anonymous. Here are some terms defined by Cisco in reference to the NAT process [18, p. 7-5].
Inside local addresses: These are the IPv4 addresses assigned to hosts within the internal network, either configured manually or obtained via DHCP. Refer to figure 19 for these terms and the internal workings of NAT. In this figure, IPv4 address 192.165.0.13 is assigned to the host. Inside global addresses: These are legitimate IPv4 addresses assigned by a service provider or Network Interface Card (NIC) that represent the inside local address to the outside world. In figure 19 below, IPv4 address 209.165.200.225 is used, and for PAT a port number is appended to the IPv4 address, e.g. 209.165.200.225:980. This is the address that appears to the outside network, as shown in figure 19 below. Outside local addresses: These are the IPv4 addresses of hosts in the outside network as seen from the inside network. In some scenarios these addresses are identical to the outside global addresses. Outside global addresses: These are the IPv4 addresses assigned to hosts on an outside network by their administrator [18, p. 7-5] [22].
Figure 19 NAT translation process [18, p. 7-10] [22]
Besides filtering, ACLs are also used to define which traffic is subject to NAT [19]. In figure 19 above, host A (192.168.0.13) wants to communicate with host B (209.165.200.1). The packet arrives at the router, which checks its tables to see whether a static, dynamic or PAT translation is configured for it; if not, it drops the packet, and if so, it replaces the inside local address (192.168.0.13) with the inside global address (209.165.200.225), as seen in the NAT table, and forwards the packet. Note: Host B replies to this inside global address. When the reply arrives at the router, it looks up the NAT table and translates the address back to 192.168.0.13 [18, p. 7-10, 11].
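Added example (not from the report or from [18] and [22]): a small NAT table that follows the figure 19 walk-through, using the figure's addresses (host A 192.168.0.13, inside global 209.165.200.225, host B 209.165.200.1). The second internal host, the static entry and all port numbers are constructed.

```python
"""Added example (not from the report): a minimal NAT table combining static
one-to-one entries with PAT (NAT overload), following the figure 19 walk-through.
Outbound packets have their inside local address (and, for PAT, their source port)
rewritten to the inside global address; replies are looked up in the table and
translated back; inbound packets with no table entry are dropped."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global                # single public address used for PAT
        self.next_port = first_port
        self.static: Dict[str, str] = {}                  # inside local -> inside global (one to one)
        self.static_rev: Dict[str, str] = {}
        self.pat_out: Dict[Tuple[str, int], int] = {}     # (inside local, port) -> global port
        self.pat_in: Dict[int, Tuple[str, int]] = {}      # global port -> (inside local, port)

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global
        self.static_rev[inside_global] = inside_local

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: a static mapping wins; otherwise allocate (or reuse) a PAT port."""
        if pkt.src_ip in self.static:
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.pat_out:
            if self.next_port > 65535:
                raise RuntimeError("PAT port pool exhausted")   # the many-to-one limit
            self.pat_out[key] = self.next_port
            self.pat_in[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.inside_global, src_port=self.pat_out[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination back; None means no entry, so drop."""
        if pkt.dst_ip in self.static_rev:
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip != self.inside_global or pkt.dst_port not in self.pat_in:
            return None
        local_ip, local_port = self.pat_in[pkt.dst_port]
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)

    def table(self) -> List[Tuple[str, str]]:
        """The NAT table as figure 19 shows it: inside local -> inside global."""
        rows = [(local, glob) for local, glob in self.static.items()]
        rows += [(f"{ip}:{port}", f"{self.inside_global}:{gport}")
                 for (ip, port), gport in self.pat_out.items()]
        return rows


if __name__ == "__main__":
    nat = NatRouter("209.165.200.225")
    out = nat.translate_outbound(Packet("192.168.0.13", 51000, "209.165.200.1", 80))
    print(out)                                                  # src becomes 209.165.200.225:1024
    print(nat.translate_inbound(Packet("209.165.200.1", 80, "209.165.200.225", 1024)))
    print(nat.translate_inbound(Packet("203.0.113.9", 4444, "209.165.200.225", 5000)))  # None
```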
3.6. RADIUS Server The Remote Authentication Dial-In User Service (RADIUS) server is an access control server used for authentication and accounting. It uses a client/server architecture and the User Datagram Protocol (UDP), so it is regarded as a connectionless service. Network issues such as retransmission, server availability and timeouts are managed by the RADIUS-enabled devices and not by the transport layer protocol (UDP). Communication between the client and the RADIUS server is based on a shared secret, which is never sent over the network. The password is encrypted to remove the possibility of attackers snooping it [23]. The RADIUS client is typically a Network Attached Storage (NAS) and runs on both UNIX and Windows systems. Users submit requests to the RADIUS server; upon receiving a request, it authenticates the user and returns all the parameters required to gain access to the system. It also supports authentication mechanisms such as Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP) or Challenge-Handshake Authentication Protocol (CHAP), UNIX login, etc. [23]. Users are authenticated with the following steps using the RADIUS server. Step 1: The user initiates a Password Authentication Protocol (PAP) connection. Step 2: Once the connection is up, the server prompts the user for a username and password. Step 3: The server confirms the request and compares the decrypted username and password with the data previously created in the RADIUS server directory. Step 4: If the details entered by the user are correct, the server responds with an access accept message; if they are wrong, it sends an access reject message, which usually includes possible reasons for the rejection [23] [24] [28]. See figure 20 for a diagram of these steps and of how RADIUS differs from the Terminal Access Controller Access Control System (TACACS), which does not combine any of the AAA facilities.
Figure 20 shows how a RADIUS and a TACACS server handle access requests [25].
In the RADIUS server, authentication and authorization are integrated. The accounting part of RADIUS enables data to be sent at the beginning and end of sessions, which helps in monitoring bytes, packets, time, etc. This function also enables ISPs to use accounting software together with RADIUS access control to meet billing requirements [23]. Protocol differences between a RADIUS server and TACACS+: RADIUS and TACACS+ are the principal protocols used to administer Authentication, Authorization and Accounting (AAA) on network devices. See table 5 below for some major differences. Table 5 showing RADIUS and TACACS+ server differences [25].
RADIUS server: The server performs authentication and authorization together. TACACS+ server: Performs the three AAA operations separately.
RADIUS server: Encrypts just the password, not the username. TACACS+ server: Encrypts both the username and the password.
RADIUS server: Has no command logging for administrators. TACACS+ server: Has command logging for administrators.
RADIUS server: Connectionless protocol; UDP ports 1645/1646 or 1812/1813. TACACS+ server: Connection-oriented protocol; TCP port 49.
RADIUS server: Designed for subscriber AAA purposes. TACACS+ server: Designed for administrator AAA purposes.
RADIUS server: Requires every device on the network to carry its own authorization configuration. TACACS+ server: Serves as central management for all network devices in the organization.
Giving a broader view of table 5, RADIUS was developed to authenticate and log dial-up remote users and has no command logging feature, as it records only the start and end of a session. This implies that if multiple administrators are logged into a device at once, the server cannot tell which administrator entered a specific command. The TACACS+ protocol was designed to solve these problems; its goal is to provide a means for managing multiple network devices and administrators from a centralized management service [25].
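Added example, not part of the report or of [23]: the way a RADIUS client protects the password described above, as specified in RFC 2865 (the User-Password attribute), which also makes concrete the table 5 point that only the password, not the username, is hidden. The shared secret, authenticator and credentials are constructed values.

```python
"""Added example (not from the report): how a RADIUS client hides the password in
an Access-Request, as specified in RFC 2865 section 5.2 (User-Password). Only the
password is protected, using the shared secret and the Request Authenticator; the
User-Name attribute travels in clear text."""
import hashlib
import os
import struct
from typing import Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password with NULs to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block); for the first block the 'previous block'
    is the 16-octet Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))             # ceiling division, at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                                      # chaining: next key depends on the ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    authenticator = authenticator or os.urandom(16)      # must be unpredictable per request
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


if __name__ == "__main__":
    # Constructed values: the secret, authenticator and credentials are not real.
    pkt = build_access_request(7, b"alice", b"s3cret!", b"testing123", bytes(range(16)))
    print(pkt.hex())                     # "alice" is visible in the hex, "s3cret!" is not
```

Because this hiding is an MD5 keystream keyed only by the shared secret, it protects the password alone; where the client-to-server path is untrusted, RADIUS is carried over IPsec or RadSec (RADIUS over TLS, RFC 6614).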
4. Firewalls A firewall is a reliable gateway used to connect a private network to the internet [28]. Firewalls are designed to restrict access to and from a protected network, thereby preventing attacks from entering the internal network. A firewall is usually deployed at the point where the internal network connects to the outside network (internet) [27, p. 19].
4.1. Advantages of a Firewall
Logs internet activities: Because the firewall is the point through which traffic enters and leaves the network, it provides a good place to log information about the network devices as well as misuse [27, p. 21]. A firewall maximizes your exposure: This is only relevant for internal use. It is used to segregate different sessions in the internal network, which restricts a network hitch in one segment from spreading to the other network segments [27, p. 21]. A firewall enforces security policy: It permits only the traffic allowed by the specified rules, thereby enforcing the network security policy; unwanted services are dropped or rejected. Various rules can be specified, such as denying users from certain IP addresses or permitting access to specific ports; see table 6 for how rules are specified [27, p. 21] [28].
4.2. Firewall Technologies There are numerous forms of firewall, such as stateless packet filters, stateful inspection filters and application layer gateways (ALGs) [18, p. 6-4]. Firewalls operate on layers 3, 4 and 7 of the OSI model. Packet filtering or screening routers, both stateless (simple) and stateful, filter on IP addresses, Internet Control Message Protocol (ICMP) packets, and TCP and UDP ports. Firewalls on layer 7 of the OSI model are referred to as bastion hosts, application gateways or proxy servers, and their aim is to filter the services provided by the application [28]. 4.2.1. Stateless Packet Filters These are sometimes referred to as simple packet filters. This kind of filtering router was the first class of firewall developed. They filter packets based on the following criteria:
Source IP address and destination IP address; TCP/UDP source and destination port.
They are used to deny connections to and from a specific host or network, or to specific ports. They are fast, as packets are simply accepted or rejected. See table 6 below for how such a policy is drafted. These rules are applied to the router/firewall interfaces, either inbound or outbound depending on the flow of traffic [28].
Packet Filter Drawbacks:
They are insecure, as the content of a packet is not examined, only its header, so any attached content passes through and packet senders are not authenticated. Some staff may request certain applications and rights, such as internet access, and new rules then have to be defined, which makes the filter cumbersome to manage [28].
Packet filtering policy: To protect the network from attacks from outside networks, firewalls are implemented to filter both incoming and outgoing traffic based on specified rules. These rules are referred to as firewall policies [26]. See figure 21 for a fictitious organization and table 6 for how its policy set is created.
Figure 21 shows the fictitious organization to which the policy filter rules of table 6 are applied [30] [31].
In configuring a firewall router, you can specify rules covering all ports and hosts, or specific ports and hosts [28]. Note: Firewall policy and implementations differ entirely from one organization to another [27, p. 140], but they could be defined in the following format, which allows new rules to be added and old ones deleted. IP addresses should be used instead of hostnames when developing a filter set, as hostnames could be exploited: an attacker can manipulate the hostname-to-address translation [27, p. 116].
Table 6 Stateless packet filtering policy examples [27, p.127] [28]
Rule A: Source address 192.168.1.11; source port >1023; destination address *; destination port *; type TCP; action Allow. Comment: Access to the Internet (W3).
Rule B: Source address *; source port *; destination address 192.168.2.18; destination port 80; type TCP; action Allow. Comment: Permitting internal access to the public web server.
Rule C: Source address *; source port *; destination address 192.168.2.17; destination port 25; type TCP; action Allow. Comment: Allow internal users access to the SMTP server.
Rule D: Source address 192.168.1.12; source port >1023; destination address *; destination port *; type TCP; action Allow. Comment: Access to the Internet (W3).
Rule E: Source address 192.168.1.11; source port *; destination address *; destination port *; type TCP; action Deny. Comment: Block both host access.
Rule F: Source address 192.168.1.12; source port 1258; destination address 192.165.4.15; destination port *; type TCP; action Allow. Comment: Allow both hosts access.
Rule G: Source address *; source port *; destination address *; destination port *; type *; action Deny. Comment: Deny every other access.
Refer to figure 21 for how the stateless packet filtering of the fictitious organization was planned in table 6 above. Rule A: Permit the user with IP address 192.168.1.11 access to the Internet (WWW) from source ports greater than 1023. Rule B: All internal users are allowed access to the public web server. Rule C: All internal users are granted access to the Simple Mail Transfer Protocol (SMTP) server. Rule D: Allow the user with IP address 192.168.1.12 and a source port greater than 1023 access to the internet. Rule E: Block host 192.168.1.11, on any port, from accessing the outside network. Rule F: Allow communication in both directions between 192.168.1.12 and 192.165.4.15. Rule G: All other communication is blocked by the explicit deny-all statement [28] [30]. Rule E: block communication between the host with IP address 192.168.1.11 and the host with IP address 192.165.4.15. Note: The asterisk (*) used here means any address or port. Packet filtering is very fast and is regarded as an important component of a firewall [28].
Actions performed by firewall routers in conformity with the filter rules: A packet passing through a firewall experiences one of these results:
Accepted: The packet is permitted to be routed through the firewall to its destination, in conformity with the security policy of the organization. Dropped: The packet is not routed through the firewall, as it is not permitted by the defined rules, and no reason is given why it was dropped. Rejected: The packet is likewise not routed, but the sender is notified of the possible reason why it was not routed [26] [27, p. 71].
4.2.2. Stateful Packet Filters These are also referred to as stateful packet inspection. It runs on UNIX and Windows operating systems. As the name implies, it inspects the packets arriving in the network, governed by the security rules specified by the network administrator. Stateful packet inspection was introduced to eliminate some of the drawbacks of stateless packet filters. Here the headers from the various layers of the OSI model are examined and the information is entered into a dynamic state table in which information about the connections is saved. See table 7 for these established connection states [28]. Note: The stored information is then used to analyze subsequent packets, determining whether they belong to the same connection, are invalid, or start a new connection in the network. However, this technology is not as effective as an application level gateway firewall, as only the headers are inspected and not the entire packet [26] [28]. Table 7 shows an example of the established connection states of a stateful firewall [56, p. 22-10]
Connection 1: source IP address 192.168.1.12, source port 2010; destination IP address 192.168.2.17, destination port 25; connection state Established
Connection 2: source IP address 192.168.1.12, source port 2010; destination IP address 192.168.2.18, destination port 80; connection state Established
Connection 3: source IP address 192.168.1.11, source port 1456; destination IP address 192.168.2.17, destination port 25; connection state Established
Connection 4: source IP address 192.168.1.11, source port 1456; destination IP address 192.168.2.18, destination port 80; connection state Established
The stateful firewall enforces the defined TCP traffic rules by building a table of outbound TCP connections and restricting incoming traffic to the higher ports, permitting only traffic that matches an established connection in the table, as shown in table 7. This connection state table uses the same scenario as figure 21 above, showing the network traffic permitted between the hosts on the internal network and the servers. A stateless packet filter does not behave this way: it permits inbound TCP traffic to the higher port numbers regardless of whether a connection exists, as can be seen in table 6 above. This creates a vulnerability which attackers can exploit [56, p. 22-10].
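Added example (not from the report or from [27], [28] or [56]) serving both 4.2.1 and 4.2.2: table 6 as a stateless rule set and table 7 as a stateful connection table, so the difference described above can be run. The inbound stateless rule R and the outside address 203.0.113.9 are constructed for the example.

```python
"""Added example (not from the report): the stateless policy of table 6 and the
connection state table of table 7, side by side. A stateless filter evaluates its
rules on every packet in isolation; the stateful filter records each permitted
outbound connection and admits an inbound packet only if it belongs to one.
The inbound stateless rule R is constructed to show the point made in the text:
a stateless filter has to open the high ports to let replies in at all."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PUBLIC_WEB = "192.168.2.18"     # servers from figure 21 / table 6
SMTP = "192.168.2.17"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


def matches(value: str, spec: str) -> bool:
    """'*' matches anything, '>N' matches numeric values above N, otherwise exact match."""
    if spec == "*":
        return True
    if spec.startswith(">"):
        return value.isdigit() and int(value) > int(spec[1:])
    return value == spec


# (rule, source address, source port, destination address, destination port, type, action)
Rule = Tuple[str, str, str, str, str, str, str]
TABLE6_OUTBOUND: List[Rule] = [
    ("A", "192.168.1.11", ">1023", "*", "*", "TCP", "Allow"),
    ("B", "*", "*", PUBLIC_WEB, "80", "TCP", "Allow"),
    ("C", "*", "*", SMTP, "25", "TCP", "Allow"),
    ("D", "192.168.1.12", ">1023", "*", "*", "TCP", "Allow"),
    ("E", "192.168.1.11", "*", "*", "*", "TCP", "Deny"),
    ("F", "192.168.1.12", "1258", "192.165.4.15", "*", "TCP", "Allow"),
    ("G", "*", "*", "*", "*", "*", "Deny"),
]
# Constructed: what a stateless filter needs on the inbound side so that replies
# reach the clients' high ports. It cannot tell a reply from an unsolicited packet.
STATELESS_INBOUND: List[Rule] = [
    ("R", "*", "*", "*", ">1023", "TCP", "Allow"),
    ("G", "*", "*", "*", "*", "*", "Deny"),
]


def stateless_filter(rules: List[Rule], pkt: Pkt) -> Tuple[str, str]:
    """The first matching rule decides; returns (rule name, action)."""
    for name, s, sp, d, dp, t, action in rules:
        if (matches(pkt.src, s) and matches(str(pkt.sport), sp) and matches(pkt.dst, d)
                and matches(str(pkt.dport), dp) and matches(pkt.proto, t)):
            return name, action
    return "implicit", "Deny"


class StatefulFilter:
    """Keeps a table 7 style connection table for permitted outbound TCP connections."""

    def __init__(self, outbound_rules: List[Rule]):
        self.rules = outbound_rules
        self.connections: Dict[Tuple[str, int, str, int], str] = {}

    def outbound(self, pkt: Pkt) -> str:
        _, action = stateless_filter(self.rules, pkt)
        if action == "Allow" and pkt.proto == "TCP":
            self.connections[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "Established"
        return action

    def inbound(self, pkt: Pkt) -> str:
        """Allowed only if the packet is the reverse of an established connection."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "Allow" if key in self.connections else "Deny"

    def table(self) -> List[Tuple[int, str, int, str, int, str]]:
        return [(n, *key, state) for n, (key, state) in enumerate(self.connections.items(), 1)]


if __name__ == "__main__":
    fw = StatefulFilter(TABLE6_OUTBOUND)
    fw.outbound(Pkt("192.168.1.12", 2010, SMTP, 25))           # connection 1 of table 7
    unsolicited = Pkt("203.0.113.9", 3333, "192.168.1.12", 2010)
    print("stateless:", stateless_filter(STATELESS_INBOUND, unsolicited))   # ('R', 'Allow')
    print("stateful: ", fw.inbound(unsolicited))                            # Deny
```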
4.2.3. Application Layer Gateway (ALG) An ALG operates on layer 7 of the OSI model and is sometimes referred to as a bastion host or proxy server. This firewall is built by installing a proxy host with the proxy application on it, placed between the packet filtering router and the internal network (web infrastructure) [27, p. 74] [28]. The application level gateway appears to the public or external network as the end application. Since it acts as an intermediary system, it analyzes specific applications and protocols [26] [29]. In actuality, the ALG carries out a deep inspection of each incoming packet, analyzing and modifying it and thereby preventing malicious packets from entering the network; it then sends a new request to the web infrastructure (the application server), as seen in figure 22 below, and the server responds in the same fashion to the ALG, which then permits or rejects packets [28] [29]. Figure 22 shows how an ALG is deployed.
Figure 22 shows the deployment of an application level gateway filter [29]
If the installed host does not run a proxy service for a specific application, requests for that application will not be routed through the firewall to and from the Internet, thereby blocking services not running on the firewall. Examples of application proxies supported by most application firewall vendors are FTP, SMTP, HTTP and Telnet [28]. In figure 22 above, HTTP is used, as its proxy can filter commands such as POST, PUT and DELETE as well as deny connections to particular uniform resource locators (URLs), e.g. .de or .com sites [28] [29].
Functions of application level gateways: As described earlier, they run a proxy that copies and forwards packets across the gateway, intercepting incoming and outgoing packets.
They allow users to make use of dynamic TCP/UDP ports for data transmission alongside the well-known ports used by the server application. Without ALGs, these ports are blocked and an administrator would have to open a large number of ports in the firewall (because only a limited number of ports are allowed); this can make the firewall vulnerable to attacks. They carry out thorough packet inspection in a given network, identifying application-specific commands and providing good security control over them [29].
Drawbacks of application level gateways: Despite the merits described above, and although it was developed to overcome the shortfalls of packet filtering, the ALG has some disadvantages which limit its usefulness:
It introduces a large delay in inspecting packets and delivering them to the right application, as it acts as an intermediary system. It does not support many applications, such as e-mail service (SMTP) and the web. If the applications used in the network depend on IP addressing, it is not advisable to use an ALG [29].
Given the differences between firewall technologies, careful attention should be paid when designing and planning a firewall deployment in order to choose the right one. You can also build your own firewall, which is not discussed in this paper.
5. IT Security Standard (ISO 27001) ISO 27001 is a widely accepted standard that describes the requirements for an Information Security Management System (ISMS). Since organizations differ from one another, an ISMS is usually tailored to the organization’s particular security demands. ISO 27001 was the first release of the ISO 27000 family and was published in October 2005. It was revised in October 2013 to reflect current information security (IS) challenges; ISO 27001:2013 is the most recent version [32], and its focus is on measuring and evaluating how an ISMS performs [33]. The goal of ISO 27001 is to provide requirements for establishing, operating, maintaining and continually improving an ISMS [33]. ISO 27001 ensures confidentiality, integrity and availability of information in an organization. It covers 11 domains, 39 control objectives and 134 controls. An organization may choose additional controls applicable to its business. See table 8 for the domains covered by ISO 27001 and their purposes [38] [39]. Table 8 ISO 27001 domains, objectives, controls and their goals [39].
Domain: number of objectives, number of controls. Purpose.
Security policy: 1 objective, 2 controls. Purpose: Offers management support for information security in conformity with business needs and laws.
Organization of IS: 2 objectives, 11 controls. Purpose: Manages IS within the organization and the IT facilities used by external parties.
Asset management: 2 objectives, 5 controls. Purpose: Ensures organizational assets are adequately protected.
Human resources security: 3 objectives, 6 controls. Purpose: Ensures employees and third party users understand their various roles, to reduce risk and misuse of facilities.
Physical and environmental security: 2 objectives, 13 controls. Purpose: To prevent damage and unauthorized physical access to the organization’s facilities and premises.
Communication and operational management: 10 objectives, 33 controls. Purpose: Ensures the accurate and reliable operation of information processing facilities, information protection in networks, integrity of software and availability of processing facilities.
Access control: 7 objectives, 25 controls. Purpose: Ensures authorized access to information systems and networked services, and information security when using mobile computing.
System development and maintenance: 6 objectives, 16 controls. Purpose: Ensures the security of information systems, preventing errors or misuse of information in applications, and ensures system files are secured.
Information security and incident management: 2 objectives, 5 controls. Purpose: Pointing out information security events and gaps related to information systems, and fostering a communication medium that allows timely action to be taken.
Business continuity management: 1 objective, 5 controls. Purpose: Ensures protection of critical business processes from failures or disasters of information systems, and their timely reinstatement.
Compliance: 3 objectives, 10 controls. Purpose: Ensures compliance with organizational security policies and avoidance of breaches of law.
Total: 39 objectives, 134 controls.
ISO/IEC 17799:2005 provides a standard for implementing the control domains of ISO 27001 [39].
5.1. Why Employ ISO 27001? Most organizations adopt various security controls. Having an ISMS in place aligns those controls with the organization’s business needs; without one, the controls are not aligned with business needs. The ISO 27001 standard provides these advantages:
Confidence: It establishes trust among customers and business associates that your organization handles security challenges adequately, which adds to the organization’s credibility. Competency: Risk treatment is always carried out within the ISMS, establishing a technique for accepting various levels of risk and making the process efficient. Endless improvement: The strategic Plan-Do-Check-Act cycle makes it possible to improve your organization continuously and helps it meet its security demands in the right proportion [32].
5.2. ISO 27001 Audit Certification Process The generic audit process of ISO 27001 is as follows: Step 1: The audit process begins when an organization decides to be certified in order to gain the trust of customers. Step 2: It is vital to point out here that it is management’s duty to organize the IS process and assign responsibilities for the task itself [33]. Figure 23 below describes the logical flow of the ISO 27001 audit activities [33]. Here management plays an important role in establishing, monitoring, reviewing and improving the ISMS. This includes ensuring that the appropriate resources are available for the ISMS and that all employees involved in the ISMS process have the right training and competency to carry out their tasks [35].
Figure 23 showing the activities involved in the audit certification process [33]
Step 3: At this stage the organization policy is developed and published (delivered). It is capable of functioning independently, and it can as well be supported with various auxiliary policies or form part of the security manual used by the organization [33] [35]. The output here could be a standalone document or can be included in the general security manual used by the organization [35].
Step 4: This is the most crucial part of the ISMS. At this level, the scope of the ISMS is defined by the auditors to determine the area of audit in the organization [33] [34]. Proper attention is paid to IS risks in the organization that are not covered within the scope of the ISMS. The deliverable (output) here is the agreed ISMS audit scope or engagement letter [34].
Step 5: At this phase, the risk assessment process is carried out to evaluate the organization's threats to assets, vulnerabilities, risks and the severity that the loss of confidentiality, integrity and availability can have on the organization [33].
Step 6: At this level, rules are defined to address the identified risks and vulnerabilities. The output here is the agreed risk methodology document, which describes ways of accepting all levels of risk associated with the organization [33].
Step 7: The methodology agreed upon in step 6 is the basis for this stage. At this level, risks are assessed and evaluated, and the options for the treatment of risks are stated, e.g. whether they are to be accepted or avoided [33].
Step 8: This part encompasses the proper selection of controls with reference to those stated in ISO 27002, with a Statement of Applicability (SOA) for each control implemented [33].
Note: This certification process is executed and performed by a suitable third party (auditor), and to maintain the certificate the organization will have to continuously adapt and vigorously execute the PDCA cycle in order to review and monitor the state of the ISMS [33].
5.3. Performing IS audit on the IT assets with reference to ISO-27001
In order for your organization to meet its goals, there is a need to perform routine audit checks to ensure policies and operations conform to the standard, with management playing a role in the Plan-Do-Check-Act (PDCA) cycle [35].
Aims and objectives: In carrying out the audit activities as they relate to this project, here are some identified purposes emphasized by the management:
- To determine security gaps in the organization.
- To examine if the organization has processes in place complying with the ISMS.
- To know the risk and vulnerability level in the organization.
Figure 24 below depicts the project topology, showing how the Information security audit is performed and applied in the corporate office alone.
5.4. ISMS Security Policy
A policy is defined as a document that precisely describes specific conditions or rules that must be adhered to. This entails the rules and regulations needed to use network facilities [37]. Here is the security policy developed by the management to indicate support for the ongoing audit process for the purpose of this project.
Security Policy: This is the security policy for the corporate office. The protection of the organization's assets is principal to the success of the organization [35]. This security policy document gives an overview of the organization's security policies and the standards that must be adhered to [37].
1) Data Center: Controls to restrict unauthorized persons from various areas in the organization are defined. The rooms housing the information processing facilities have to be locked [36].
Disaster recovery plans against natural and man-made disasters should be implemented; measures such as fire suppressors in case of a fire outbreak and protection against civil unrest are defined [36] [60]. Backups and recovery options are defined to enable recovery of the organization's infrastructure; they are to be tested regularly to ensure data can be recovered in case of disaster [36].
2) Operating systems (End Users): Guidelines for generating strong passwords are defined. Encryption keys used by employees are defined to prevent unauthorized disclosure and fraud. A clean desk policy is defined to ensure sensitive and important information about employees, customers and vendors is protected in locked areas. Personal computers containing organization information must be protected with a locking case or locked in a drawer. Storage devices such as USB drives and CD-ROMs should also be protected and locked up [59]. Security requirements for unattended devices are also defined to ensure users log off when sessions are finished [36]. Disaster recovery plans are defined by the management to recover IT systems and applications from an accidental or natural disaster, denoting the responsible head to be contacted in case of disaster; equipment replacement plans are also defined [60]. A secure disposal process is defined to ensure sensitive and personal data are erased fully from removable or fixed storage media before disposing of them. Employee privilege rights are defined to ensure access control rights are reviewed so that rights are appropriate for the business and security requirements [36].
3) Network and Communication services: The physical security standard for the protection of network cables is defined [36]. Technical requirements for wireless infrastructure devices are defined in order for employees to be able to connect to the corporate network [58].
Proper cooling rooms equipped with air conditioning, dust avoidance and sufficient electricity needed to power the devices are defined, as well as standby backup power [36]. Standards for the security configuration of routers and switches are defined: local user authentication accounts should not be configured on the router, and both routers and switches must use a RADIUS server for user authentication. The password configured on a router must be encrypted using the enable secret [57]. Auto configuration, telnet and discovery protocols should be disabled. A banner must be configured on all routers and switches to notify individuals of unauthorized access. Secure Shell version 2 (SSHv2) should be used as the management protocol [57]. Suitable access control systems such as security locks, surveillance cameras and intruder detection mechanisms should be in place, with rules defined to restrict unauthorized access [36].
4) Service desk (Help Desk): Operational hours for the help desk are defined since it is the central point for technical, hardware and software questions, maintenance and consultation. The appropriate contacts to send requests to are also stated, as they respond to queries and implement solutions in a
timely manner, and rules that will enable it to sustain departmental relationships with employees and IT staff [40] [41].
5) Business Applications: Application software to be used, such as ERP, is defined. Application updates according to vendor specifications are defined, and no unauthorized modification of software is allowed [36].
Note: Non-compliance by any employee will be subject to disciplinary action, which could lead to the termination of his employment [60]. This policy is endorsed by the organization management and will be reviewed by the management review team per annum.
Signature: ……………………..
Date: 29/08/2014
This ISMS Policy is defined and it’s expected to be strictly adhered to in the organization operations [35].
5.5. ISMS Scope
This part covers the assets to audit, and it places emphasis on the area in which you want to apply the ISMS in your organization [35]. In determining the scope of the ISMS, information sources include gathering details about the organization and previous ISMS audit reports carried out [34]. This step is regarded as the most vital in the audit process as it has a huge impact on the implementation, which includes cost and effort [47]. Here are some documents needed to guide the auditor through the ISMS process. They are:
- Information security policy developed by the management
- The information security aims and objectives
- Roles associated with IS defined by the management are also taken into consideration
- Corresponding list of areas such as assets, locations and technologies used by the organization that will be covered by the ISMS [35].
The scope of the ISMS should conform to business needs. The deliverable here is the document showing the assets that need to be audited for your ISMS [35].
Assets to Audit: The assets to audit in this fictitious organization (corporate office) are as follows:
1. End User Services (operating system)
2. Network and Communication services
3. Data center services
4. Service Desk (Help Desk)
5. Business applications (ERP systems)
These scopes mentioned are then documented and remain a standalone document amongst the other sets of documents that you need to develop [35]. The primary deliverable here is an agreed ISMS scope of the assets to audit [34].
5.6. ISMS Audit Work Plan
This encompasses the planning and preparation phase. Since the scope has been determined, a detailed schedule of the time required to complete the entire audit process is required. This process involves planning, fieldwork and meeting the responsible personnel in charge of each asset identified in the scope of the ISMS. The success of the audit depends on this plan. At this point, all responsible managers in charge of the assets identified in the ISMS scope are met, and their work duties and documents are reviewed to ensure they are adhering to the policies laid down by the management. See table 9 for the audit checklist or work plan [34].
Table 9 showing the audit work plan (schedule) [36]
Stakeholder | Requirements | No. of visits | Start Date | End Date
Data Center Manager | Site visit and access control documents are to be reviewed. This ensures only authorized persons are granted access. | 1 | 01.09.14 | 01.09.14
System Administrator (End User systems) | Site visit with relevant documents and policy reviewed. | 2 | 02.09.2014 | 03.09.2014
Network and comm. administrator | Documents and site visit; various network components and configurations to be analyzed. | 4 | 04.09.2014 | 09.09.2014
Service Desk (Help Desk) | Documents to be provided, accompanied by a site visit. | 1 | 10.09.2014 | 10.09.2014
Business Application analyst (ERP) | Site visit with necessary documents to be reviewed. | 3 | 11.09.2014 | 13.09.2014
This work plan can be modified during the audit process if new areas of concern come to light [34]. This ensures a balance between the scopes of the audit, timeframes and meeting the required staff days to gather enough information [42].
5.7. Audit Questionnaire
This part covers the fieldwork phase, where audit evidence is documented by the auditor through a systematic audit questionnaire. Here managers and stakeholders are interviewed, system configurations are analyzed and documents are reviewed, and afterwards audit tests are performed to verify the evidence gathered [34]. Table 10 shows an audit questionnaire with dates to meet the responsible asset owners.
Table 10 showing the audit questionnaire and scheduling [34] [36] [46].
Information Security Management System Questionnaire for the Corporate Office
Information Security Policy Tests
Reference No. | Start date | End Date | Sections (Audit Areas) | Audit Questionnaires (Objectives) | Results (Yes / Partial / No) | Findings
1 | 01.09.14 | 01.09.14 | Data center Manager | Are controls to restrict unauthorized access in place? Are backups and recovery options in place in case of disasters and failures etc.? Are the rooms properly equipped with the right cooling and dust avoidance? | | *
2 | 02.09.14 | 03.09.14 | Systems Administrator | Are there malware protections and antivirus checks on computers? Are access rights defined for various job functions? Are security controls in place for user identification? Are password lengths compliant and is the clear desk policy adopted? | | *
3 | 04.09.14 | 09.09.14 | Network and communication administrator | Are the physical links that deliver the desired data to the recipient protected from interception and damage? Are network access points secured to avoid unauthorized access? Are supporting utilities like backup power (UPS) in place in case of failure? Are networks rightly managed against threats? Are the right configurations specified in the policy being used? Are secure log-ons to switches and workstations defined? | | *
4 | 10.09.14 | 10.09.14 | Service Desk | Are all service requests, information demands and incidents reported in a timely manner and attended to? | | *
5 | 11.09.14 | 13.09.14 | ERP | Are applications properly integrated and up to date? | | *
5.8. Audit Evidence
This process involves identifying the threats and vulnerabilities associated with the assets. The technical compliance test is performed to ensure that the results gathered from the various stakeholders managing the organization's assets are in accordance with the organization's security policies [34]. These identified risks are classified in conformity with their severity and vulnerability and also the impact that loss of confidentiality, integrity and availability can have on the assets listed [35]. Below are the threats associated with the organization's assets.
Data Center Services:
- No good fire protector and detector in place.
- No adequate security policy to protect against unauthorized access.
- Backups not in place.
- Insufficient cooling system, which can lead to system malfunction [34] [36].
End User Services:
- Unused ports remain accessible, which can lead to viruses and destructive programs on the operating system.
- Individuals and work groups can access whatever task they want in the organization [34] [36].
- Information is left displayed on monitors and screens (thereby not complying with the clear desk and screen policy) [50].
Network and Communication (IT hardware):
- Backups not in place in case of failures (e.g. router and RADIUS server).
- Telnet configuration used instead of Secure Shell version 2 (SSHv2).
- Switch ports are not secured [57].
Service Desk:
- Reoccurring problems are not addressed.
- Users are unaware of the procedures to report incidents, and no proper information flow exists.
- Decrease in customer satisfaction, which can erode the company's reputation [36] [59].
Business applications:
- Outdated and unsupported software, which can lead to crashes and integration issues.
- Delayed updates, which can lead to software vulnerabilities.
- Appropriate skills required for managing the ERP systems are lacking [43].
This document is referred to as the audit evidence; it is filed and reviewed in relation to the risks and control objectives. This phase is often referred to as the analysis phase in the generic audit process [34].
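The technical compliance test described above, and the router and switch requirements of the security policy in section 5.4, can be worked through with a small script. The following is an added example, not part of the project's own audit material: it reads a constructed Cisco IOS running-config excerpt (a sample written for this illustration, not a configuration from the project), checks it against the policy requirements (no local user accounts, RADIUS authentication, enable secret, telnet, CDP and auto configuration disabled, banner, SSHv2), and reports the failed requirements as audit findings. The requirement labels and function names are my own wording, not Cisco or ISO identifiers.

```python
import re

# Constructed sample running-config excerpt (not taken from the project).
# It deliberately meets some policy requirements and misses others so that
# the audit produces both "Yes" and "No" results.
SAMPLE_CONFIG = """\
hostname corp-rtr1
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue
username admin privilege 15 password 0 admin
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.5 key CONSTRUCTED-KEY
ip ssh version 2
cdp run
service config
banner motd ^C Unauthorized access is prohibited ^C
line vty 0 4
 transport input telnet ssh
 login authentication default
"""


def parse_config(text):
    """Return the stripped, non-empty, non-comment lines of a running-config."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def has_line(lines, pattern):
    """True when any config line matches the regular expression."""
    rx = re.compile(pattern)
    return any(rx.search(line) for line in lines)


# One entry per requirement of the section 5.4 router/switch policy:
# (requirement text, predicate that is True when the config complies).
# The requirement labels are my own wording, not Cisco or ISO identifiers.
CHECKS = [
    ("No local user authentication accounts configured",
     lambda ls: not has_line(ls, r"^username \S+")),
    ("Login authentication uses a RADIUS server",
     lambda ls: has_line(ls, r"^aaa authentication login \S+ group radius")),
    ("Enable password stored with 'enable secret' only",
     lambda ls: has_line(ls, r"^enable secret ")
     and not has_line(ls, r"^enable password ")),
    ("Telnet disabled on VTY lines (transport input ssh only)",
     lambda ls: has_line(ls, r"^transport input ssh$")
     and not has_line(ls, r"^transport input .*telnet")),
    ("Discovery protocol (CDP) disabled",
     lambda ls: has_line(ls, r"^no cdp run$")
     and not has_line(ls, r"^cdp run$")),
    ("Auto configuration (service config) disabled",
     lambda ls: not has_line(ls, r"^service config$")),
    ("Unauthorized-access banner configured",
     lambda ls: has_line(ls, r"^banner (motd|login) ")),
    ("SSH version 2 enforced",
     lambda ls: has_line(ls, r"^ip ssh version 2$")),
]


def audit_config(text):
    """Evaluate every policy check; returns [(requirement, 'Yes' | 'No'), ...]
    in the style of the Results column of the audit questionnaire."""
    lines = parse_config(text)
    return [(req, "Yes" if check(lines) else "No") for req, check in CHECKS]


def findings(text):
    """Return the requirements the config fails: the audit evidence."""
    return [req for req, result in audit_config(text) if result == "No"]


if __name__ == "__main__":
    for req, result in audit_config(SAMPLE_CONFIG):
        print(f"{result:<4}{req}")
    print("Findings:", findings(SAMPLE_CONFIG))
```

Run against the sample, the script reports four findings (local user account present, telnet still allowed on the VTY lines, CDP running, auto configuration enabled), which is exactly the form of evidence listed under Network and Communication above; the same checks run over the real running-config of each router and switch in scope give the auditor a repeatable result instead of a manual reading of the configuration.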
5.9. Risk Assessment / Risk treatment Options (Control)
This phase covers steps 5, 6 and 7 of the ISO 27001 audit certification process described above. Table 11 provides a risk assessment plan with risk treatment options included. Here the nature of the threats and vulnerabilities associated with the assets is identified and evaluated. This makes it possible to analyze the impact of risk and hence come up with appropriate controls to administer them [35] [42] [44]. At this phase the level of threat is compared with the risk assessment criteria developed, and necessary actions are taken to resolve the risks that need treatment and those that don't [44].
Note: The risk treatment document is sometimes part of the Risk Assessment document, as it is in this paper, or it can be a standalone document [35].
Table 11 Showing Risk Assessment Report and Risk Treatment Plan [34] [35]
No | Assets | Threats (Risks) | Potential Impacts | Risk Value | Risk Treatment
1 | Operating Systems (End Users) | Users can access whatever they desire and unused ports can lead to system infection. Unattended devices are not protected and there is no secure log-on procedure. | Confidentiality derailed. Loss of revenue and various malware and virus attacks. | High | Reduce
2 | Help Desk | Reoccurring problems not addressed. | Loss of reputation and decrease in customer satisfaction. | Medium | Transfer (outsource)
3 | Data Centers | No security access policy to protect against unauthorized users; backups and fire protector not in place. | Business will fail (in case of any disaster). | High | Reduce
4 | Network and communication services | Right configurations are not used, such as telnet for remotely managing the router, access to communication facilities by anyone, ports not used on the switches not secured and no unique authentication defined. | Loss of revenue and compromise of network and communication facilities. | Medium | Reduce
5 | ERP Application | Employees have no good training, leading to erroneous systems and human processing errors. | Non-availability of applications leading to loss of revenue. | Medium | Transfer (outsource)
The risk treatment options offer measures to treat risks, which include avoiding, accepting and transferring risks. These measures can be implemented outside the scope of the ISMS in the organization [45]. See appendix 8.0 on how the risk estimation methodology is defined and appendix 8 (A) on how the risk treatment options are defined [35].
Risk Assessment matrix: The risk assessment matrix is a unique tool which allows an overall view of the risks evaluated in terms of likelihood and the consequences of the risks [48]. It is usually placed on a scale of 1-5 of potential loss impact against likelihood [47]. The risk assessment matrix is easy to develop as the information required to design it can be extracted from the risk assessment plan [48]. Refer to appendix 8 (B) on the criteria for selecting and designing the risk assessment matrix. Refer to the key table below, which explains the risk categories and ranges in the risk evaluation matrix.
Table 12 Showing Risk Evaluation Matrix [47]
Likelihood \ Risk Impact | Insignificant (with minor problem) 1 | Minor (Small disruption) 2 | Moderate (Time and cost required) 3 | Major (Operational damage) 4 | Catastrophic (Business is at risk) 5
Very low 1 | 1 | 2 | 3 | 4 | 5
Low 2 | 2 | 4 | 6 | 8 | 10
Medium 3 | 3 | 6 | 9 | 12 | 15
High 4 | 4 | 8 | 12 | 16 | 20
Very High 5 | 5 | 10 | 15 | 20 | 25
Key to table 12 [47]
Risk Category | Description and Ranges
Low Risk | Low Risk (Risk acceptance): observation only and risks accepted. <= 5
Medium Risk | Medium Risk (Action required). > 5 and < 20
High Risk | Critical Risk (Swift action required). >= 20
* (numbered star) | Associated risk, with numbers to identify them; see table 11 in section 5.9 above. E.g. star 1 refers to the risk associated with the Operating Systems, etc.
Designing a risk matrix is considered the second step in the risk management process, while the first step is completing the risk assessment form to determine the associated risks. This enables you to respond to the most critical risk [48].
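The scoring behind table 12 and its key can be reproduced in code. The following is an added example and not part of the project's own documents: it computes the likelihood x impact values of the 5x5 matrix, applies the ranges from the key (<= 5 low, > 5 and < 20 medium, >= 20 critical), and places numbered risks in the matrix the way the stars do. The likelihood and impact ratings given to the five assets of table 11 are my own constructed assumptions, chosen so that the resulting categories match the High/Medium values the paper reports, since the paper states only those resulting values.

```python
LIKELIHOOD = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Constructed likelihood/impact ratings for the five assets of table 11.
# The paper states only the resulting High/Medium value of each risk, so
# these numbers are assumptions chosen to reproduce those values.
ASSET_RATINGS = {
    1: ("Operating Systems (End Users)", 4, 5),
    2: ("Help Desk", 3, 3),
    3: ("Data Centers", 4, 5),
    4: ("Network and communication services", 3, 4),
    5: ("ERP Application", 2, 4),
}


def risk_score(likelihood, impact):
    """Risk value = likelihood x impact on the 1-5 scales of table 12."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def risk_category(score):
    """Ranges from the key to table 12."""
    if score <= 5:
        return "Low Risk (Risk acceptance)"
    if score < 20:
        return "Medium Risk (Action required)"
    return "Critical Risk (Swift action required)"


def build_matrix():
    """The 5x5 risk evaluation matrix: rows are likelihood 1-5, columns impact 1-5."""
    return [[risk_score(lk, im) for im in range(1, 6)] for lk in range(1, 6)]


def place_risks(ratings=ASSET_RATINGS):
    """Map every numbered risk to its cell, score and category (the 'star n'
    markers of table 12)."""
    placed = {}
    for number, (asset, likelihood, impact) in ratings.items():
        score = risk_score(likelihood, impact)
        placed[number] = {
            "asset": asset,
            "cell": (LIKELIHOOD[likelihood], IMPACT[impact]),
            "score": score,
            "category": risk_category(score),
        }
    return placed


def render_matrix(ratings=ASSET_RATINGS):
    """Plain-text rendering of table 12 with '*n' markers in occupied cells."""
    marks = {}
    for number, (_, likelihood, impact) in ratings.items():
        marks.setdefault((likelihood, impact), []).append(str(number))
    width = 16
    rows = ["Likelihood \\ Impact".ljust(22)
            + "".join(f"{IMPACT[im]} ({im})".rjust(width) for im in range(1, 6))]
    for lk in range(1, 6):
        cells = []
        for im in range(1, 6):
            text = str(risk_score(lk, im))
            if (lk, im) in marks:
                text += " *" + ",".join(marks[(lk, im)])
            cells.append(text.rjust(width))
        rows.append(f"{LIKELIHOOD[lk]} ({lk})".ljust(22) + "".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_matrix())
    for number, info in place_risks().items():
        print(f"*{number} {info['asset']}: {info['score']} -> {info['category']}")
```

With the constructed ratings, risks 1 and 3 both land in the High/Catastrophic cell (score 20, critical) and risks 2, 4 and 5 fall in the medium band, which is the distribution of risk values in table 11; changing a rating moves the star and, if it crosses 5 or 20, its category and the required action.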
5.10. Management approval to operate and implement the Controls
After carefully identifying and evaluating the risks, the necessary actions for implementing the controls are approved by the management, as suggested by the auditor. The end result here is a signed risk treatment plan [35] [45]. This includes procedures, money, information systems and personnel with the right skills for the risk treatment activities. Here the cost of managing the threats is compared to the expected benefits for the organization [45].
Sign: …………………………………… Date: 21/09/2014 Auditor: Eromosele Christian
Sign: ……………………………….. Date: 21/09/2014 Management: xxxxxxxxxxxxx
5.11. Statement of Applicability (SOA)
The SOA is also known as the Compliance Checklist. It identifies and documents the controls chosen for your organization. These controls are selected from Annex A of ISO/IEC 27001 and from ISO/IEC 27002 (ISO/IEC 17799), which elaborates on the controls described in ISO/IEC 27001. In practice both are used. Some of these controls can as well be defined by your organization [35] [49] [50] or taken from other frameworks such as COBIT [33]. See table 13 below; it consists of the controls selected from Annex A of ISO/IEC 27001 and denotes whether each is applicable and implemented, with a reference describing where the organizational procedure for using the control is situated [35].
Table 13 Compliance Checklist based on ISO/IEC 27001 (27002) Annex A [49] [50]
ID Clause | Asset | Domain | Compliance Statement (Description) | Applicability (Yes / No) | Reference
A.10, A.11: A.10.1.3, A.10.7.1, A.11.2.4, A.11.3.1, A.11.3.3, A.11.5.1 | Operating Systems (End Users) | Communication and operational management; Access control | -Roles and duties are defined to reduce unauthorized access. -Procedures for removable media and unused ports are defined. -User rights are reviewed by the management at specific intervals. -Selection of passwords is controlled by the management to ensure good security practice. -Clear screen and desk policy implemented. -Operating systems are protected by secure log-on procedures. | Yes | Company Security policy
Control defined by the organization | Help Desk | - | -The service desk roles and performance are defined, with rules that will enable it to sustain departmental relationships [41]. -Operational hours for the help desk are defined since it is the central point for technical questions, consultation and network connection requests [40]. | Yes | Company Security policy
Clause 9, Clause 10: A.9.1.1 and A.9.1.2, A.9.1.4, A.10.5.1 | Data Centers | Physical and Environmental Control; Communication and Operational Management | -Security controls are implemented to protect areas that house the information processing facilities and prevent unauthorized access. -Processing facilities are protected against damage from fire and civil unrest. -Backups are implemented and tested to meet the agreed backup policy. | Yes | Company Security policy
A.9, A.10: A.9.1.3, A.9.2.3, A.10.6.1 | Network and communication services | Physical and Environmental Security; Communication and operation management | -Physical security for offices and information processing facilities is applied against unauthorized access. -Networking cables are protected from damage and obstruction. -Networks are managed properly to maintain security and protect them from threats, such as unused ports on switches being blocked. | Yes | Company Security policy
Control defined by the organization | ERP Application | - | -Best practices are defined for application software implementation and integration. -Applications are updated according to vendor specifications [36]. | Yes | Company Security policy
The SOA document is sometimes included in the Risk Assessment document, but because of its length it is usually developed on its own as a standalone document [35]. This is the output of the risk assessment/treatment plan if ISO-27001 compliance is achieved. It relates the controls back to the original risks they are intended to mitigate.
After all necessary controls have been applied, the certification step is the next if you want to have your ISMS certified. Here, you make a detailed review of the corporate office audit process and the management review, and the PDCA process is rigorously carried out. The documents needed here are:
- Documents developed in all the various audit steps
- Documents showing management reviews of the process, internal audits, and the PDCA evidence and activities embarked upon as a result of the reviews by the management.
Then the external auditor will analyze these documents to determine their content, together with the records and evidence provided to him [35]. As shown in figure 23 above, when this audit step is passed you are then certified.
6. Conclusion
This paper presents the prevailing techniques for implementing and deploying networking configuration commands on network devices using various forms of CLI, such as the console and telnet, and the Cisco SDM. The SDM reduces the cost of ownership of Cisco routers by relying on Cisco SDM-generated configurations that are approved by the Cisco TAC. This reduces the instances of configuration errors [8]. This paper also emphasizes the plans and methodology required to perform the ISMS audit, as IS remains vital in ensuring business continuity, reducing business damage through the management of IS risks and thereby increasing business opportunities. An ISMS provides any organization with a manual to help close security gaps and mitigate risks, enabling companies to be certified [39]. This means that a certification body has confirmed that an organization has successfully implemented IS compliant with ISO 27001 [52] [54]. This increases revenue and customer confidence and provides a systematic way to plan and administer business continuity principles [39]. In planning and drafting the ISMS, these documents are vital. You should purchase copies of the ISO/IEC standards, namely:
1. The management system standard: ISO/IEC 27001, and
2. The code of practice standard: ISO/IEC 27002 (ISO/IEC 17799).
They can be found and purchased via these links respectively: http://webstore.ansi.org and http://www.iso.ch [35].
Furthermore, techniques to secure the network from inside and outside were also suggested [52]. Here are some suggestions to adhere to in order to protect against attacks and ensure network efficiency.
1. To enhance the security of your network against intrusion and malware, I would suggest you purchase Integrated and Aggregated Service Routers, which allow deep inspection of network traffic, as security concerns are increasing and the traditional firewall alone cannot deal with them [51].
2. VLANs should be implemented across your organization to ensure segmentation of duties and increase security, which can affect network productivity [11, p. 2-4, 6].
3. Network administrators should use SSHv2 to remotely access network devices and not telnet, as traffic can be captured while using telnet.
4. To meet the demand for authentication and access control in your organization, you need the Cisco Secure Access Control System, as it serves as central management of access policies for device administration, both wireless and wired, with these advantages: it allows integrated monitoring, reporting and troubleshooting components which are accessible through a web-based graphical user interface; it supports the two major authentication protocols, RADIUS servers for network access control and TACACS servers for network device access control, and runs multiple databases at the same time [53].
Careful attention should be paid to host-to-host packet delivery within and outside the network, as understanding it is vital to administer and troubleshoot the network efficiently. DHCP is a boon to network administrators, as it overcomes the manual configuration problems in large enterprises by handing over the IP address, subnet mask etc. to each host in the organization [3, p. 4137]. To avoid spanning tree priority values which are always the same, since they come by default in some networking devices such as Cisco's, you should always change the default configuration settings from the default root bridge ID, such as 32768, to your desired numbers to suit your network design [61]. A firewall is the most effective way to connect a network to the Internet and protect it [27, p. 20]. A firewall is also used to divide your network into different parts when these parts have distinct security needs [27, p. 20]. Building your own firewall is the best practice in theory. However, it requires a lot of time and expertise; I would therefore suggest you choose the right commercial firewall vendor that suits your organization to ensure the right security is implemented [27, p. 24]. Always ensure IP addresses are used in specifying filtering rules and not hostnames or network names, as hostnames could be exploited by an attacker manipulating the hostname-to-address translation [27, p. 116]. Access Control Lists (ACLs) should be employed alongside other network security solutions to enforce network security, since most corporate computer crimes are perpetrated by internal users. Named access lists should be implemented, as the names are also incorporated in the log table [27, p. 117]. Content filtering servers should also be implemented to inspect the content of every packet so that harmful ones, when discovered, can be discarded. This enhances the security of the organization [28].
References
[1] M. Fuszner, http://www.csd.uoc.gr/~hy435/material/GNS3-0.5-tutorial.pdf. Retrieved 12/5/2014.
[2] https://www.virtualbox.org/manual/ch01.html#idp53219184. Retrieved 13/5/2014.
[3] Interconnecting Cisco Networking Devices Part 1, Volume 1, Version 1.1. Cisco Systems Inc., 2010.
[4] S. Laan, "IT Infrastructure Architecture – Infrastructure building blocks and concepts", Lulu Press Inc., second edition, 2013.
[5] A. Oliviero, B. Woodward, "Cabling: The complete guide to Copper and Fiber-Optic Networking", John Wiley and Sons Publishing Inc., Indianapolis, Indiana, 2014.
[6] http://www.semsim.com/ccna/ccna-study-guide.asp?ain=58. Retrieved 17/05/2014.
[7] A. Sequeira, http://www.ciscopress.com/articles/article.asp?p=2092245&seqNum=3. Retrieved 18/05/2014.
[8] Cisco Router and Security Device Manager, http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/router-security-device-manager/product_data_sheet0900aecd800fd118.html. Retrieved 02/08/2014.
[9] Interconnecting Cisco Networking Devices Part 1, Volume 2, Version 1.1. Cisco Systems Inc., 2010.
[10] Cisco Router and Security Device Manager Quick Start Guide, CA 95134-1706 USA, http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/software/quick/guide/SDMq7.html. Retrieved 02/08/2014.
[11] Interconnecting Cisco Networking Devices Part 2, Volume 1, Version 1.1. Cisco Systems Inc., 2010.
[12] Using Cisco IOS Software, http://www.cisco.com/c/en/us/td/docs/ios/12_2/termserv/configuration/guide/ftersv_c/tcfusing.pdf. Retrieved 03/08/2014.
[13] T. Lammle, "CCNA INTRO: Introduction to Cisco Networking Technologies Study Guide Exam", Wiley Publishing Inc., Indianapolis, Indiana, 2006.
[14] http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/122SX/configuration/guide/book/vlans.html. Retrieved 05/08/2014.
[15] http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/AccessTrunk.html. Retrieved 08/08/2014.
[16] http://www.highteck.net/EN/Network/OSI_Network_Layer.html. Retrieved 10/08/2014.
[17] http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/122_55_se/configuration/guide/scg_2960/swcli.html#wp1046063. Retrieved 10/08/2014.
[18] Interconnecting Cisco Networking Devices Part 2, Volume 2, Version 1.1. Cisco Systems Inc., 2010.
[19] www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html. Retrieved 11/08/2014.
[20] http://www.cisco.com/c/en/us/products/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/index.html. Retrieved 12/8/2014.
[21] https://learningnetwork.cisco4.com/docs/DOC-13902. Retrieved 12/8/2014.
[22] http://kl2217.wordpress.com/2009/06/24/nat-pat/. Retrieved 13/8/2014.
[23] How Does RADIUS Work? Document ID: 12433. http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html. Retrieved 13/8/2014.
[24] http://www.multitech.com/en_US/documents/collateral/manuals/s000030c.pdf. Retrieved 13/8/2014.
[25] http://www.tacacs.net/docs/TACACS+Advantages.pdf. Retrieved 15/8/2014.
[26] http://cs.brown.edu/cgc/net.secbook/se01/handouts/Ch06-Firewalls.pdf. Retrieved 16/8/2014.
[27] E. Zwicky, S. Cooper and B. Chapman, "Building Internet Firewalls", second edition, June 2000.
[28] D. Chadwick, "Network Firewall Technologies", IS Institute, University of Salford, England.
[29] http://ipv6.com/articles/gateways/Application-Level-Gateway.htm. Retrieved 17/08/2014.
[30] https://www.cs.columbia.edu/~smb/classes/f06/l15.pdf. Retrieved 18/08/2014.
[31] http://www.watchguard.com/help/configurationexamples/snat_web_server_configuration_example_(en-US).pdf. Retrieved 18/08/2014.
[32] http://www.neupart.com/resources/iso-27001.aspx. Retrieved 23/08/2014.
[33] http://www.27000.org/iso-27001.htm. Retrieved 23/08/2014.
[34] ISO 27001 security, "ISMS Auditing Guideline", http://www.docucu.com/view/676ed5439fa72845d0359b042ea252ed/ISMS-Auditing-Guideline.doc. Retrieved 25/08/2014.
[35] ISMS Implementation Guide, http://www.atsec.com/downloads/documents/ISMS-Implementation-Guide-and-Examples.pdf. Retrieved 26/08/2014.
[36] V. Thiagarajan, "Information Security Management", SANS Audit Check List, 3rd May 2006.
[37] http://www.sans.org/security-resources/policies. Retrieved 28/08/2014.
[38] D. Vasile, http://www.pentest.ro/iso-27001-domains-control-objectives-and-controls/. Retrieved 29/9/2014.
[39] ISO 27001:2005 – A standard for securing an organization's information assets, http://site.ul.com/asiaonthemark/as-en/2006-Issue17/page6.htm. Retrieved 29/08/2014.
[40] http://legacy.earlham.edu/ecs/html/policies/hdsla.html. Retrieved 29/08/2014.
[41] http://www.techproresearch.com/downloads/help-desk-policy/. Retrieved 29/08/2014.
[42] FCA Essential Practices for Information Technology, http://www.fca.gov/download/itmanual/itsystemsdevelopment.pdf. Retrieved 4/09/2014.
[43] http://www.erp-common-sense.com/ERP-problems.html. Retrieved 04/09/2014.
[44] https://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/rm-process/risk-assessment. Retrieved 04/09/2014.
[45] https://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment. Retrieved 05/09/2014.
[46] T. Humphreys and A. Plate, "Are you ready for the ISMS Audit on ISO/IEC 27001?", BSI British Standards Institution, London W4 4AL, 2005.
[47] I. Phoenix, SecuraStar Information Security, "ISO 27001 Information Security Management System (ISMS)", http://phoenix.issa.org/wp-content/uploads/2012/12/2013-Q1-SecuraStar_ISO_27001.pdf. Retrieved 08/09/2014.
[48] http://www.brighthubpm.com/risk-management/88566-tool-for-assessing-project-risk/. Retrieved 10/09/2014.
[49] http://www.iso27001security.com/html/27002.html. Retrieved 17/09/2014.
[50] Statpro, "Statement of Applicability for ISO 27001:2005", http://www.statpro.com/wp-content/docs/iso/StatPro-Statement-of%20Applicability-v05.pdf. Retrieved 17/09/2014.
[51] http://www.cisco.com/c/en/us/products/security/router-security/index.html. Retrieved 19/09/2014. [52] http://www.irca.org/en-gb/registration/schemes/information-security/.Retrieved 19/09/2014.
57
[53] http://www.cisco.com/c/en/us/products/security/secure-access-controlsystem/index.html?referring_site=bodynav. Retrieved 19/09/2014. [54] http://www.iso27001standard.com/what-is-iso-27001/. Retrieved 19/09/2014. [55] http://www.bridgecable.com/learning_center.htm. Retrieved 22/09/2014. [56] http://mercury.webster.edu/aleshunas/COSC%205130/Chapter-22.pdf. Retrieved 23/09/2014. [57] SANS, “Consensus Policy Resource Community” “Router and Switch Security Policy” http://www.sans.org/security-resources/policies/network-security/pdf/router-and-switchsecurity-policy. Retrieved 24/09/2014 [58] SANS, “Consensus Policy Resource Community” “Router and Switch Security Policy” http://www.sans.org/security-resources/policies/network-security/pdf/wireless-communicationstandard. Retrieved 24/09/2014. [59] SANS, “Consensus Policy Resource Community” “Router and Switch Security Policy” http://www.sans.org/security-resources/policies/general/pdf/clean-desk-policy. Retrieved 24/09/2014. [60] SANS, “Consensus Policy Resource Community” “Router and Switch Security Policy” http://www.sans.org/security-resources/policies/general/pdf/disaster-recovery-plan-policy. Retrieved 24/09/2014. [61] S. Hogg, “Core networking and security” http://www.networkworld.com/article/2223757/cisco-subnet/9-common-spanning-treemistakes.html. Retrieved 24/09/2014. [62] D. Mitchell, http://www.trustedreviews.com/Cisco-877W-Integrated-Services-RouterEXCLUSIVE-review-screenshots-page-3. 27/10/2014.
Appendix

This part of the project consists of the network device configurations. The labs were performed in GNS3 and Packet Tracer and consist of scenario 1 and scenario 2, through which the project objectives are fulfilled.

Scenario 1 (performed in GNS3). Figure 24 below describes the implementation of NAT, DHCP, a loopback address (Internet), EIGRP, interface configuration, ACLs and default routes.
Figure 24, Project topology for NAT, DHCP, Loopback address (Internet), EIGRP, Interfaces configuration, ACLs
1. Connecting GNS3 to the Internet

In order for your devices to connect to the internet, you need to set up a loopback adapter. These are the steps required.

Step 1: Click the Start button, right-click Computer and click Device Manager. In the dialog box, right-click your computer name (PC) and click "Add legacy hardware"; a welcome wizard appears. Select the second option, "Install the hardware that I manually select from a list (Advanced)", as shown in figure 25.
Figure 25 showing the manual selection of hardware
Click next. From the list, select network adapters as shown in figure 26 below and click on next.
Figure 26 showing the hardware to be installed
From the dialog box that appears, select Microsoft, and in the right pane select Microsoft Loopback Adapter; click Next and then Finish. Restart your computer for the change to take effect.

Step 2: Open the Network and Sharing Center window, click "Change adapter settings" and select the adapter with the internet connection, as shown in figure 27 below. Right-click the adapter, click Properties and, in the dialog box that appears, click the Sharing tab.
Figure 27 shows how to share internet connection with the loopback adapter created
Select the network adapter you wish to share your internet connection with (Microsoft Loopback Adapter), check both boxes as shown in figure 27 above and click OK. Note down the IP address assigned to your loopback adapter, as you will need it to configure the router interface connecting to the cloud.

Step 3: Go to GNS3, drag and drop the cloud image, right-click the cloud and select NIO Ethernet as shown in figure 28 below. From the list, select the loopback adapter you created, click Add and finally click OK.
Figure 28 shows how GNS3 is connected to the loopback address created
Now GNS3 is fully connected to the internet through the loopback adapter on your host.

Configuring the router interfaces and the default route: Configure each interface of the routers with an IP address and subnet mask and enter "no shutdown" to make the interface active. These commands should be entered on router2 and router3 with their own IP addresses and subnet masks respectively, as shown in figure 24 above.

A) Router1 configuration of interfaces and IP addresses. For interface fa0/0:
Router#conf t
Router(config)#int fa0/0
Router(config-if)#ip add 192.168.0.1 255.255.255.0
Router(config-if)#no shutdown

B) Configure the second interface (fa0/1) on router1, connecting to the cloud (Internet):
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fa0/1
Router(config-if)#ip add 192.168.137.2 255.255.255.0
Router(config-if)#no shutdown
C) Configuring a default route on all the routers, in order to send packets when no other route is reachable:
router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.137.1

To ensure that the configured interfaces are active, type the command "show ip int brief" to display the configured interfaces, as shown in figure 29 below.
Figure 29 shows the interfaces are up and running
2. Enhanced Interior Gateway Routing Protocol Implementation

EIGRP is configured on all three routers. Step one involves enabling the routing process with the autonomous system number 10 in router configuration mode; this number remains the same on all the routers. The second part is to configure the network commands for the networks involved in scenario one.
Router#conf t
Router(config)#router eigrp ?
  Autonomous system number
router1(config)#router eigrp 10
router1(config-router)#network 192.168.0.0
router1(config-router)#network 192.168.1.0
router1(config-router)#network 192.168.2.0
router1(config-router)#no auto-summary

The "no auto-summary" command disables automatic route summarization, which is enabled by default and can cause network issues through the routes it advertises. These commands should be replicated on the other two routers for them to be able to communicate with each other.

3. Configuring the Router as a DHCP Server for a Specific Network

From global configuration mode, enter the excluded-address command to restrict your DHCP server from handing out the IP addresses within a certain range. Create a DHCP pool, give it a unique name and specify the network you want it to hand out, the subnet mask, the default router and the DNS server.
router1#conf t
router1(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.10
router1(config)#ip dhcp pool Corporate_Office
router1(dhcp-config)#network 192.168.0.0 /24
router1(dhcp-config)#dns-server 4.2.2.2 8.8.8.8
router1(dhcp-config)#default-router 192.168.0.1

Using the command "ipconfig /all" on the client shows that it has been assigned a DHCP address, as in figure 30 below.
Figure 30 shows the client assigned with a DHCP address
4. Network Address Translation Implementation

These steps involve defining the NAT inside and outside interfaces, creating a standard access list and defining the networks that you wish to translate.
Router1(config)#int fa0/0
Router1(config-if)#ip nat inside
*Mar 1 03:30:43.099: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
Router1(config)#int fa0/1
Router1(config-if)#ip nat outside
Router1(config)#ip access-list standard Client_NAT
Router1(config-std-nacl)#permit 192.168.0.0 0.0.0.255
Router1(config-std-nacl)#permit 192.168.1.0 0.0.0.255
Router1(config-std-nacl)#permit 192.168.2.0 0.0.0.255
Router1(config-std-nacl)#exit

Here NAT overload is defined on the interface connected to the internet service provider (ISP):
Router1(config)#ip nat inside source list Client_NAT interface fastEthernet0/1 overload
Router1(config)#exit
Figure 31 shows the output of the command "show ip nat translations" when network packets are sent to the internet and match the ACL defined.
Figure 31 showing the NAT address translation from the pings performed
5. Access Control List Implementation

ACLs are implemented in this project using extended named ACLs. Note: Extended ACLs should be placed as close to the source as possible to avoid unnecessary processing time and bandwidth utilization, while standard ACLs should be placed as close to the destination as possible so as not to deny more traffic than intended.

(A) Task 1: Block access from the RADIUS server with IP address 192.168.0.3 to the host (PC_4) with IP address 192.168.2.3. See figure 24 above.

Implementation instruction: The extended named ACL is created using the command "ip access-list extended RADSERVER_PC4" from global configuration mode, followed by the traffic to be denied, thereafter permitting all other networks with the command "permit ip any any" to avoid the implicit deny statement.
router2#conf t
router2(config)#ip access-list extended RADSERVER_PC4
router2(config-ext-nacl)#deny ip 192.168.0.3 0.0.0.0 192.168.2.2 0.0.0.0
router2(config-ext-nacl)#permit ip any any
router2(config-ext-nacl)#exit
router2(config)#int fa0/0
router2(config-if)#ip access-group RADSERVER_PC4 in

Here the interface the ACL is to be applied to is defined with "ip access-group RADSERVER_PC4 in". Note: "in" here means the inside interface.
router2(config-if)#do copy run start

Figure 32 shows the result of a ping from the RADIUS server to the destination host (PC_4) with IP address 192.168.2.2.
Figure 32 shows a ping result of a destination unreachable from PC_4 to the radius server
To verify that the ACL applied is effective after the pings, type the command "show access-list" on the router where the ACL was configured. Here you can see that access is being restricted, with thirty-six (36) matches, as shown in figure 33 below.
Figure 33 showing ACLs matching the denied packet
(B) Task 2: Block the host named WinXP with IP address 192.168.2.2 from reaching the RADIUS server with IP address 192.168.0.3 on HTTP, HTTPS and DNS, using an extended named access list.

Implementation instruction: Here the extended named ACL is created using the command "ip access-list extended XP2_HTTP_HTTPS_DNS_ONRADSERVER" from global configuration mode, followed by the ports to be denied, and lastly permitting all other traffic with the command "permit ip any any".
router3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router3(config)#ip access-list extended XP2_HTTP_HTTPS_DNS_ONRADSERVER
router3(config-ext-nacl)#deny tcp 192.168.2.2 0.0.0.0 192.168.0.3 0.0.0.0 eq 80
router3(config-ext-nacl)#deny tcp 192.168.2.2 0.0.0.0 192.168.0.3 0.0.0.0 eq 443
router3(config-ext-nacl)#deny tcp 192.168.2.2 0.0.0.0 192.168.0.3 0.0.0.0 eq 53
router3(config-ext-nacl)#permit tcp any any
router3(config-ext-nacl)#permit ip any any
router3(config-ext-nacl)#exit
router3(config)#int fa0/0
router3(config-if)#ip access-group XP2_HTTP_HTTPS_DNS_ONRADSERVER in

The interface the ACL is applied to is defined using the command "ip access-group XP2_HTTP_HTTPS_DNS_ONRADSERVER in". Note: "in" here means the inside interface.
router3(config-if)#do copy run start

To test the port restrictions in GNS3 and ensure they filter packets as configured, telnet from PC_4 with IP address 192.168.2.2 to the destination host (RADIUS server) with IP address 192.168.0.3, with the port number included, e.g. "telnet 192.168.0.3 80", as shown in figure 34, which displays the restriction of the ports from the telnet connections:
Figure 34 showing Ports restriction from the telnet sessions initiated
To verify that the ACL applied is working correctly, telnet to the destination host (RADIUS server) using the command "telnet 192.168.0.3 80" etc., then type the command "show access-list" on the router where the ACL was configured to display the matches, as shown in figure 35 below.
Figure 35 showing the various matches of restrictions to the DNS, HTTP and HTTPs ports
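Before an ACL is applied to an interface, it is worth checking what each entry actually matches. The following Python model is an added example (not part of the project's configurations): it encodes the two ACLs from Task 1 and Task 2 with Cisco wildcard-mask matching and first-match semantics, counts hits per entry like "show access-list", and shows that the Task 2 list only covers DNS over TCP 53, so a UDP/53 query from WinXP falls through to "permit ip any any". The packets are constructed sample traffic.

```python
"""Evaluate Cisco-style named extended ACLs offline.

Added example: models RADSERVER_PC4 (router2) and
XP2_HTTP_HTTPS_DNS_ONRADSERVER (router3) with wildcard-mask matching and
first-match semantics. Packets below are constructed sample traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol, else exact match
    src: str                    # "address wildcard" or "any"
    dst: str
    port: Optional[int] = None  # "eq <port>" on the destination, if given


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    return ace.port is None or ace.port == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; the implicit deny at the end has index None."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


def match_counts(acl: List[Ace], packets: List[Packet]) -> Dict[int, int]:
    """Per-entry hit counters, like the "(N matches)" column of show access-list."""
    counts = {idx: 0 for idx in range(len(acl))}
    for pkt in packets:
        _, idx = evaluate(acl, pkt)
        if idx is not None:
            counts[idx] += 1
    return counts


# Task 1 (router2): deny RADIUS server -> PC_4, permit everything else
RADSERVER_PC4 = [
    Ace("deny", "ip", "192.168.0.3 0.0.0.0", "192.168.2.2 0.0.0.0"),
    Ace("permit", "ip", "any", "any"),
]

# Task 2 (router3): deny WinXP -> RADIUS server on TCP 80, 443 and 53
XP2_HTTP_HTTPS_DNS_ONRADSERVER = [
    Ace("deny", "tcp", "192.168.2.2 0.0.0.0", "192.168.0.3 0.0.0.0", 80),
    Ace("deny", "tcp", "192.168.2.2 0.0.0.0", "192.168.0.3 0.0.0.0", 443),
    Ace("deny", "tcp", "192.168.2.2 0.0.0.0", "192.168.0.3 0.0.0.0", 53),
    Ace("permit", "tcp", "any", "any"),
    Ace("permit", "ip", "any", "any"),
]


def task2_dns_coverage() -> Dict[str, str]:
    """DNS normally runs over UDP 53; Task 2 lists only TCP 53, so a UDP query
    from WinXP to the RADIUS server is passed by "permit ip any any"."""
    tcp_dns = Packet("tcp", "192.168.2.2", "192.168.0.3", 53)
    udp_dns = Packet("udp", "192.168.2.2", "192.168.0.3", 53)
    return {
        "tcp53": evaluate(XP2_HTTP_HTTPS_DNS_ONRADSERVER, tcp_dns)[0],
        "udp53": evaluate(XP2_HTTP_HTTPS_DNS_ONRADSERVER, udp_dns)[0],
    }


if __name__ == "__main__":
    pings = [Packet("icmp", "192.168.0.3", "192.168.2.2")] * 36
    print("Task 1 counters:", match_counts(RADSERVER_PC4, pings))
    print("Task 2 DNS coverage:", task2_dns_coverage())
```

Running the block reproduces the 36 matches on the deny entry from figure 33 and prints the TCP/UDP coverage of the DNS entry in Task 2.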
From figure 35 above, you can see that after the first "show access-list" command there was no match on any of the restricted ports, but after subsequent telnet attempts from PC-4 to the RADIUS server on the defined ports, matches were evident.

6. Configuring the NAS for Authentication (Using the RADIUS Server)

Go to router1, the network device on which you want to configure authentication; in this project, router1 is the NAS device, as seen in figure 24 above. You start by entering the AAA new-model command, then define the authentication method you want, either the RADIUS or the TACACS server, followed by a local authentication method in case the RADIUS server fails, to ensure access to the NAS device is still granted. Lastly, tell the NAS device where the server is located using its IP address together with a secret key of your choice.
router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#aaa new-model
router1(config)#aaa authentication login default group radius none
router1(config)#radius-server host 192.168.0.3 key cisco
router1(config)#do copy run start

Scenario 2: Covers VLANs, Inter-VLAN routing, STP, OSPF and the DHCP configuration used to assign IP addresses to the different VLAN subnets. Figure 36 below shows the implementation performed in Cisco Packet Tracer.
Figure 36 shows the topology for VLANs, Inter-VLAN routing, STP, OSPF and DHCP for the subnets
7. Open Shortest Path First routing protocol (OSPF) Implementation

Implementing OSPF on the routers: First, from global configuration mode, enter the "router ospf 1" command, where 1 is the OSPF process number; this number is kept the same on the other routers too. Secondly, you need to define the router-id in IP address format in order for the neighbor relationship to be formed; routers with the same router-id can never form a relationship with each other. If it is not configured manually, the highest IP address among the interfaces is taken, and if a higher IP address is added later the router-id changes. Finally, specify the interfaces you wish to advertise, using the wildcard mask to match them. Note: OSPF does not advertise the network the way EIGRP does.

Implementing OSPF on router 0:
Router0#conf t
Router0(config)#router ospf 1
Router0(config-router)#router-id 11.11.11.11
Router0(config-router)#network 192.168.0.1 0.0.0.255 area 0
Router0(config-router)#do copy run start

Implementing OSPF on router 1:
Router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router ospf 1
Router1(config-router)#router-id 22.22.22.22
Router1(config-router)#network 192.168.0.2 0.0.0.255 area 0
Router1(config-router)#network 192.168.1.1 0.0.0.255 area 0
00:55:08: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on FastEthernet0/0 from LOADING to FULL, Loading Done
Router1(config-router)#

Implementing OSPF on router 2:
Router2#conf t
Router2(config)#router ospf 1
Router2(config-router)#router-id 33.33.33.33
Router2(config-router)#network 192.168.1.2 0.0.0.255 area 0
Router2(config-router)#
01:10:26: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.22 on Serial2/0 from LOADING to FULL, Loading Done
Router(config-router)#network 192.168.2.1 0.0.0.255 area 0
Router(config-router)#

Virtual Local Area Network (VLAN) Creation

In the corporate office, create VLAN 50 (IT Management), VLAN 10 (Sales) and VLAN 20 (Accounting) and enable Inter-VLAN routing between them.

VLAN creation on switch 1:
Switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#vlan 10
Switch1(config-vlan)#name Sales
Switch1(config-vlan)#exit
Switch1(config)#vlan 20
Switch1(config-vlan)#name Accounting
Switch1(config-vlan)#exit
Switch1(config)#vlan 50
Switch1(config-vlan)#name IT-Management
Switch1(config-vlan)#exit
Switch1(config)#do copy run start
These commands should be replicated on switch 2 and switch 3, or VLAN Trunking Protocol (VTP) can be used to propagate the VLAN configuration to the other switches.

Trunk Port Creation

Trunk ports are configured to carry all the VLANs in the network and deliver frames to the right destination; the VLANs that are allowed to pass through each trunk are also defined.

(1) Creating trunk ports for switch1 and specifying the VLANs that can pass through them:
Switch1#conf t
Switch1(config)#interface range fa0/1 - 3
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#switchport trunk allowed vlan 1,10,20,50,1002-1005

(2) Creating trunk ports for switch2 and specifying the VLANs that can pass through them:
Switch2(config)#int fa0/1
Switch2(config-if)#switchport mode trunk
Switch2(config-if)#switchport trunk allowed vlan 1,10,20,50,1001-1005
Switch2(config)#int fa0/5
Switch2(config-if)#switchport mode trunk
Switch2(config-if)#switchport trunk allowed vlan 1,10,20,50,1001-1005

(3) Creating trunk ports for switch3 and specifying the VLANs that can pass through them:
Switch3#conf t
Switch3(config)#int fa0/1
Switch3(config-if)#switchport mode trunk
Switch3(config-if)#switchport trunk allowed vlan 1,10,20,50,1001-1005
Switch3(config-if)#exit
Switch3(config)#int fa0/5
Switch3(config-if)#switchport mode trunk
Switch3(config-if)#switchport trunk allowed vlan 1,10,20,50,1001-1005
Switch3(config-if)#exit
Switch3(config)#int fa0/4
Switch3(config-if)#switchport mode trunk
Switch3(config-if)#switchport trunk allowed vlan 1,10,20,50,1001-1005

Assigning Ports to VLANs

VLAN membership allocation simply means configuring the ports connected to the computers as access ports, each carrying only a specific VLAN.
(1) For switch2: The interfaces on switch2 connected to the PCs are configured for their respective VLAN access.
Switch2#conf t
Switch2(config)#int fa0/2
Switch2(config-if)#switchport mode access
Switch2(config-if)#switchport access vlan 10
Switch2(config-if)#exit
Switch2(config)#int fa0/3
Switch2(config-if)#switchport mode access
Switch2(config-if)#switchport access vlan 20
Switch2(config-if)#exit
Switch2(config)#int fa0/4
Switch2(config-if)#switchport mode access
Switch2(config-if)#switchport access vlan 50
Switch2(config-if)#

(2) For switch3: The interfaces on switch3 connected to the PCs are configured for their respective VLAN access.
switch3#conf t
switch3(config)#int fa0/2
switch3(config-if)#switchport mode access
switch3(config-if)#switchport access vlan 10
switch3(config-if)#exit
switch3(config)#int fa0/3
switch3(config-if)#switchport mode access
switch3(config-if)#switchport access vlan 20

Configuring Inter-VLAN Routing

This involves enabling VLAN sub-interfaces for Inter-VLAN routing on the router, thereby making its link to the switch an 802.1Q trunk. By default, VLANs on separate networks can never communicate; these commands enable the different VLANs to communicate.
Router0#conf t
Router0(config)#int fa0/0.10
Router0(config-subif)#encapsulation dot1q 10
Router0(config-subif)#ip address 192.168.7.1 255.255.255.0
Router0(config-subif)#description Sales vlan
Router0(config-subif)#no shutdown
Router0(config-subif)#exit
Router0(config)#int fa0/0.50
Router0(config-subif)#encapsulation dot1q 50
Router0(config-subif)#ip address 192.168.6.1 255.255.255.0
Router0(config-subif)#description IT-Management VLAN
Router0(config-subif)#no shutdown
Router0(config-subif)#exit
Router0(config)#int fa0/0.20
Router0(config-subif)#encapsulation dot1q 20
Router0(config-subif)#ip address 192.168.8.1 255.255.255.0
Router0(config-subif)#description Accounting Vlan
Router0(config-subif)#exit
Router0(config)#do copy run start

To ensure the commands entered into the router are configured correctly, use the command "show ip interface brief", which displays the sub-interfaces that are up and running, as shown in figure 37.
Figure 37 shows the sub-interfaces created for Inter-VLAN routing
Configuring the DHCP Server for the Different VLANs

First, this involves defining the addresses you do not want the DHCP server to hand out from the various subnets; secondly, creating a DHCP pool for each VLAN in the network and defining the VLAN network you wish to hand out, the default router and the DNS server. See the topology in figure 36 above.
Router0#conf t
Router0(config)#ip dhcp excluded-address 192.168.10.0 192.168.10.10
Router0(config)#ip dhcp excluded-address 192.168.20.0 192.168.20.10
Router0(config)#ip dhcp excluded-address 192.168.50.0 192.168.50.10
Router0(config)#ip dhcp pool Sales_Vlan10
Router0(dhcp-config)#network 192.168.10.0 255.255.255.0
Router0(dhcp-config)#default-router 192.168.10.1
Router0(dhcp-config)#dns-server 4.2.2.2 8.8.8.8
Router0(dhcp-config)#exit
Router0(config)#ip dhcp pool Accounting_Vlan20
Router0(dhcp-config)#network 192.168.20.0 255.255.255.0
Router0(dhcp-config)#default-router 192.168.20.1
Router0(dhcp-config)#dns-server 4.2.2.2 8.8.8.8
Router0(dhcp-config)#exit
Router0(config)#ip dhcp pool ITManagement_Vlan50
Router0(dhcp-config)#network 192.168.50.0 255.255.255.0
Router0(dhcp-config)#default-router 192.168.50.1
Router0(dhcp-config)#dns-server 4.2.2.2
Router0(dhcp-config)#

7. Spanning Tree Protocol Configuration

STP is enabled by default on Cisco switches. First, the default priority can be changed to select the root bridge (32768 is the default priority on Cisco switches; adding the VLAN ID of VLAN 1 makes it 32769). Secondly, with the command "spanning-tree vlan 1 root primary" you can specify the switch you want to be your root bridge. Thirdly, you can specify the switch you want to be your secondary root bridge using the command "spanning-tree vlan 1 root secondary". Lastly, you can turn off spanning tree for the VLAN using the command "no spanning-tree vlan 1".
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#spanning-tree vlan 1 priority 4096
Switch(config)#spanning-tree vlan 1 root primary
Switch(config)#spanning-tree vlan 1 root secondary
Switch(config)#no spanning-tree vlan 1

8. Risk Assessment Criteria

ISO 27001 does not prescribe a risk assessment method; therefore there are no specific criteria for classifying risks, and any methodology can be used [47]. Risk assessment is the process of identifying risks, investigating threats to assets, their impact on the assets, and the vulnerability of information systems and network facilities [35]. Choosing the methodology is one of the most vital parts of the ISMS process.
To meet the standard of ISO/IEC 27001, a document that enables you to assess the risk to the identified information assets needs to be defined, and a decision has to be made about which risks are to be accepted. Risks that are intolerable need to be reduced or outsourced. The management of residual risks is also considered in the policies and controls [35].
The risks are evaluated based on confidentiality, integrity and availability. Table 14 below provides a matrix that defines the risk assessment method and gives guidance on when and how the levels of confidentiality, integrity and availability are to be used [35].

Table 14 showing the CIA value table of how risk assessment is defined and used [35].

Impact of Loss: Low / Medium / High

Confidentiality: Making sure information is only accessible to authorized employees.
Low: Any unauthorized disclosure could result in a mere disruption of the organizational operations, assets and individuals involved.
Medium: Any unauthorized disclosure could result in a serious disruption of the organizational operations, assets and individuals involved.
High: Any unauthorized disclosure could result in a severe disruption and a catastrophic effect on the organizational operations, assets and individuals involved.

Integrity: Ensuring the completeness and precision of information and processing techniques.
Low: Any unauthorized modification of information could result in a mere disruption of the organizational operations, assets and individuals involved.
Medium: Any unauthorized modification of information could result in a serious disruption of the organizational operations, assets and individuals involved.
High: Any unauthorized modification of information could result in a severe disruption and a catastrophic effect on the organizational operations, assets and individuals involved.

Availability: Making sure that assets are readily available to employees when needed.
Low: Any disruption of authorized access to and use of information systems could result in a mere disruption of the organizational operations, assets and individuals involved.
Medium: Any disruption of authorized access to and use of information systems could result in a serious disruption of the organizational operations, assets and individuals involved.
High: Any disruption of authorized access to and use of information systems could result in a severe disruption and a catastrophic effect on the organizational operations, assets and individuals involved.
This document describes how your organization will evaluate its risks, including the degree of assurance needed, which gives a guideline for evaluating the risk treatment options and the criteria for accepting risk. In assigning these values to risks, the following criteria must be adhered to:
The importance of the asset that is being protected;
How often the threat occurs (frequency); and
The impact of loss it might have on the organization [35].
Refer to part A, section 5.9 for how this is implemented in the organization and for the subsequent steps needed to define this document, such as the assets and risks associated with the controls defined and needed to eradicate the risks [35].

A) Criteria for Risk Treatment Options:

The criteria for risk treatment have to be agreed by management in line with the organization's objectives, the managers' view and the risk management process itself [44]. To manage the risks identified, one or all of the following actions, as the case may be, must be employed.
Risk Transfer: This involves purchasing insurance against a particular risk, or outsourcing it.
Risk Acceptance: The risks are accepted because they are minor, or because the actions needed to implement the controls are impractical or extremely expensive.
Risk Reduction: Here controls are used to bring the level of risk down to a satisfactory level [35].

Note: In reducing the risks, the right controls should be selected and employed. These controls could include the controls or security policy defined by your organization, or controls already defined in the ISO/IEC 27001 or ISO/IEC 27002 (ISO/IEC 17799) standard. Please refer to Annex A of ISO/IEC 27001 or to ISO/IEC 27002 (ISO/IEC 17799), which elaborates on the controls described in ISO/IEC 27001, when selecting the treatment (control) options you want to employ in your organization [35] [49] [50]. See section 5.11 in part A for how the controls selected from Annex A of ISO/IEC 27001 / 27002 are described when implemented.

Note: This document (risk treatment options) is sometimes part of the risk assessment document, as it is in this paper, or it can be a standalone document [35].

Criteria for Risk Assessment Matrix

The risk assessment is calculated and rated as the likelihood of occurrence multiplied by the potential loss impact (consequences) [47]; that is, Risk = Potential Loss Impact x Likelihood [47]. The risks identified are plotted in the assessment matrix against likelihood and impact, which gives an overall view of the risks to be handled with urgency [48].

B) Criteria for placing risks on the risk assessment matrix: Risks are assigned to a cell of the matrix based on these two criteria:
Likelihood: The probability of occurrence of a risk, described on a scale of 1 - 5 as follows.
1. Very low: Risk rarely occurs, < 5%
2. Low: Unlikely to occur, >= 5% and < 30%; occurs only in exceptional situations
3. Medium: Moderate occurrence, >= 30% and < 70%
4. High: Risk likely to occur, >= 70% and < 95%
5. Very high: Almost certain, >= 95%

Potential Impact: The severity or extent of damage of a risk, describing the various impacts it can have on the organization on a scale of 1 - 5. They are:
1. Insignificant: No noticeable business impact
2. Minor: Minor business impact
3. Moderate: Business is interrupted, leading to a loss of confidence and a loss of, for example, 20,000 USD
4. Major: Business is disrupted, leading to a loss of confidence and a loss of up to 100,000 USD
5. Catastrophic: Several business effects; business is terminated, leading to a loss of up to 1 million USD or more and to reputational damage [48].
With these criteria defined, you can successfully assign risks in your organization in a matrix form to give an overall view of it at a glance.
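The following Python block is an added example (not part of the project): it encodes the likelihood bands and impact levels defined above, computes Risk = Potential Loss Impact x Likelihood for each identified risk and places the risks in the 5 x 5 matrix, so the register can be ranked for urgency. The risk register entries, asset names and probabilities are constructed sample data.

```python
"""Risk scoring and placement on the risk assessment matrix.

Added example: applies the 1..5 likelihood bands (by probability) and the
1..5 impact levels from the criteria above. SAMPLE_RISKS is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (lower bound in %, level, label): Very low < 5, Low 5-30, Medium 30-70,
# High 70-95, Very high >= 95; checked from the top band downwards.
LIKELIHOOD_BANDS = [
    (95.0, 5, "Very high"),
    (70.0, 4, "High"),
    (30.0, 3, "Medium"),
    (5.0, 2, "Low"),
    (0.0, 1, "Very low"),
]
IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                 4: "Major", 5: "Catastrophic"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability_pct: float   # estimated frequency of occurrence, in percent
    impact: int              # 1..5 potential impact, as judged by the assessor


def likelihood_level(probability_pct: float) -> int:
    """Map a probability in percent onto the 1..5 likelihood scale."""
    if not 0.0 <= probability_pct <= 100.0:
        raise ValueError("probability must be in 0..100 percent")
    for lower, level, _label in LIKELIHOOD_BANDS:
        if probability_pct >= lower:
            return level
    raise AssertionError("bands cover the whole 0..100 range")


def likelihood_label(level: int) -> str:
    return next(label for _, lvl, label in LIKELIHOOD_BANDS if lvl == level)


def risk_score(risk: Risk) -> int:
    """Risk = Potential Loss Impact x Likelihood, giving a value from 1 to 25."""
    if risk.impact not in IMPACT_LABELS:
        raise ValueError("impact level must be 1..5")
    return risk.impact * likelihood_level(risk.probability_pct)


def build_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Cell (likelihood, impact) -> descriptions of the risks placed there."""
    matrix: Dict[Tuple[int, int], List[str]] = {
        (lik, imp): [] for lik in range(1, 6) for imp in range(1, 6)
    }
    for risk in risks:
        cell = (likelihood_level(risk.probability_pct), risk.impact)
        matrix[cell].append(f"{risk.asset}: {risk.threat}")
    return matrix


def prioritised(risks: List[Risk]) -> List[Tuple[int, Risk]]:
    """Highest score first: the risks that need treatment most urgently."""
    scored = [(risk_score(risk), risk) for risk in risks]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def render_matrix(matrix: Dict[Tuple[int, int], List[str]]) -> str:
    """Text grid: rows are likelihood 5..1, columns impact 1..5, cells count risks."""
    rows = ["L\\I  " + "  ".join(f"{imp:>2}" for imp in range(1, 6))]
    for lik in range(5, 0, -1):
        cells = "  ".join(f"{len(matrix[(lik, imp)]):>2}" for imp in range(1, 6))
        rows.append(f"{lik:>3}  {cells}")
    return "\n".join(rows)


# Constructed sample register for the fictitious company (not from the project)
SAMPLE_RISKS = [
    Risk("RADIUS server", "unauthorised disclosure of credentials", 12.0, 5),
    Risk("Core switches", "STP misconfiguration causing an outage", 45.0, 3),
    Risk("Help-desk PCs", "malware from removable media", 80.0, 2),
    Risk("Backup tapes", "loss in transit", 3.0, 4),
]

if __name__ == "__main__":
    for score, risk in prioritised(SAMPLE_RISKS):
        print(score, likelihood_label(likelihood_level(risk.probability_pct)),
              IMPACT_LABELS[risk.impact], risk.asset)
    print(render_matrix(build_matrix(SAMPLE_RISKS)))
```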