Belmont State Bank's current computer system is virtually wide open to attack from external or internal sources because of its password requirements. That is the first thing that jumped out when reading the scenario. A four-digit numeric password is probably the easiest type of password there is to crack, and if not the easiest, it is certainly one of the easiest. It would probably take less than one minute for even an inexperienced hacker to crack a four (4) digit numeric password. Belmont State Bank should require at least a 6 to 8 character password containing upper-case and lower-case letters, at least 1 number, and at least 1 special character. (Vanin, 2012)
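The gap between the current four-digit password and the recommended policy can be put in numbers. The following is an added example, not part of the original case write-up; the guess rate is an assumed figure for comparison only, and the 8-character minimum takes the upper end of the recommended range.

```python
import string

# Character classes of which the recommended policy requires at least one each.
REQUIRED_CLASSES = {
    "upper-case letter": string.ascii_uppercase,
    "lower-case letter": string.ascii_lowercase,
    "number": string.digits,
    "special character": string.punctuation,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def policy_violations(password, min_length=8):
    """Return the reasons a password fails the policy (empty list = pass)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in REQUIRED_CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    return problems


def worst_case_seconds(space, guesses_per_second):
    """Time to try every candidate at an assumed guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    rate = 1000.0  # assumption: guesses per second, for comparison only
    pin_space = keyspace(10, 4)  # the bank's current four-digit password
    alphabet = sum(len(chars) for chars in REQUIRED_CLASSES.values())
    strong_space = keyspace(alphabet, 8)
    print(f"4-digit numeric: {pin_space:,} candidates, "
          f"{worst_case_seconds(pin_space, rate):.0f} s to exhaust")
    print(f"8-char mixed:    {strong_space:,} candidates, "
          f"{worst_case_seconds(strong_space, rate) / 31_536_000:,.0f} years")
    for candidate in ("1234", "Belm0nt!Bank"):  # constructed samples
        print(candidate, policy_violations(candidate) or "meets policy")
```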
The next concern is the dial-up network, which causes significant alarm where the security of the networks is concerned. There are severe limitations to the security of dial-up networking. With today’s security processes, it can take hours over dial-up to download the updates provided by AV vendors. It is much more difficult to have an effective firewall in place because dial-up services are very unlikely to be routed through a router. A dial-up connection is generally exposed to the world once the connection to the Internet is complete. Finally, if a dial-up device is infected, the infection is usually much more difficult to detect and clean than on a broadband device. (Morales, 2006)
The potential problems of multi-vendor networks come into play with the Bank’s use of a variety of client computers and ATMs in service. Is there really a problem with security when including a variety of vendors’ equipment, computers, servers, routers, etc., in the network? There may not be a problem, but it must be considered in any risk assessment. The following questions need to be considered when choosing between multi-vendor and single-vendor networks:
1. How important is having a single vendor to your organization?
2. Is the IT budget an issue?
3. What is the current life-span of the current network equipment?
4. Is the decision long-term or short-term?
5. Will training be required?
6. Is compatibility a deciding factor?
These are just some of the considerations that must be addressed during the risk assessment for the Bank’s network security. (Kobuszewski, 2012)
The assessments of the previous considerations are just the beginning of a thorough risk assessment. This brings us to the point of developing a Control Spreadsheet and defining the assets and threats in a more concise manner. To be sure that the data communication network and microcomputer workstations have the necessary controls and that these controls offer adequate protection, the following spreadsheet was developed for Belmont State Bank to give us a base point from which we can outline the possible threats to the Bank’s network.
Figure 1: Belmont State Bank Control Spreadsheet
Circuits: Locally operated circuits; Internet access circuits
Network software: Server software and configuration settings
Client software: Operating systems and configuration settings
Organizational data: Client database
Mission-critical applications: Server software for web servers; Server software for transaction server
Figure 2: Types of assets
Identify Bank Threats – A threat to the data communication network is any potential adverse occurrence that can do harm, interrupt the systems using the network, or cause a monetary loss to the organization. While threats may be listed in generic terms (e.g., theft of data, destruction of data), it is better to be specific and use actual data from the organization being assessed (e.g., theft of customer credit card numbers, destruction of the inventory database).
Once the threats are identified they can be ranked according to their probability of occurrence and the likely cost if the threat occurs.
There is always a risk associated with this kind of configuration. The risk assessment plan will have the following steps:
System characteristics: the first step is to determine the scope of the effort to be made.
Threat identification: the next step is to identify the threats that are associated with the system and also the sources of those threats. The threats in this case can be hacking, cracking, blackmailing, fraud, theft, etc.
Vulnerability identification: this is the next step after threat identification. In it, a checklist is made of the vulnerabilities that the threat sources could exploit. In this case, the vulnerabilities can include a former employee who still has the passwords and can access the system, flaws in the system, and remote user login permissions.
Control analysis: in this step, the various control measures that are planned or implemented are analyzed.
Impact analysis: the next step is to assess the impact the risk would have on the system if it occurs.
Risk determination: analyze the impact of the risk associated with the identified threats.
Control recommendations: the control mechanisms that will be applied, such as halting remote login and changing the passwords on a timely basis.
Documentation: the documentation that will highlight the above findings.
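The steps above, together with the earlier point about ranking threats by probability of occurrence and likely cost, can be carried through a small risk register. This is an added example, not the bank's control spreadsheet: the assets, threats, vulnerabilities, and controls are taken from the text, while every probability, dollar amount, control-effect figure, and the tolerance threshold is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: float     # estimated chance of occurrence per year (0-1)
    cost: float            # estimated loss in dollars if the threat occurs
    control: str
    control_effect: float  # fraction of the exposure the control removes (0-1)

    @property
    def exposure(self):
        """Impact analysis: probability of occurrence times likely cost."""
        return self.probability * self.cost

    @property
    def residual(self):
        """Exposure that remains after the planned control is applied."""
        return self.exposure * (1.0 - self.control_effect)


# Constructed register: names come from the text, all numbers are illustrative.
REGISTER = [
    Risk("Client database", "theft", "former employee still has passwords",
         0.30, 500_000, "changing passwords on a timely basis", 0.80),
    Risk("Transaction server", "hacking", "remote user login permissions",
         0.20, 900_000, "halting remote login", 0.90),
    Risk("Internet access circuits", "cracking", "four-digit numeric passwords",
         0.60, 200_000, "longer mixed-character passwords", 0.70),
    Risk("Client software", "fraud", "flaws in configuration settings",
         0.10, 100_000, "none planned", 0.0),
]


def rank(register):
    """Risk determination: order by exposure, highest first."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)


def needs_more_controls(register, tolerance):
    """Control analysis: risks whose residual exposure still exceeds tolerance."""
    return [r for r in rank(register) if r.residual > tolerance]


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.asset:26} {r.threat:9} exposure ${r.exposure:>9,.0f} "
              f"residual ${r.residual:>8,.0f}  ({r.control})")
    print([r.asset for r in needs_more_controls(REGISTER, tolerance=25_000)])
```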
Kobuszewski, F. (2012, February 27). Multi-Vendor versus Single-Vendor Data Centers. Retrieved October 21, 2012, from Switch IT Up: http://www.networkworld.com/community/blog/multi-vendor-versus-single-vendor-data-centers
Morales, C. (2006, November 2). Security Limitations of Dialup. Retrieved October 21, 2012, from DDoS and Security Reports: The Arbor Networks Security Blog: http://ddos.arbornetworks.com/2006/11/security-limitations-of-dialup/
Vanin, S. (2012, May 10). The guide to password security (and why you should care). Retrieved October 21, 2012, from c|net: http://howto.cnet.com/8301-11310_39-57431102-285/the-guide-to-password-security-and-why-you-should-care/
Mini-Case 1: Computer Dynamics – Chapter 12
Computer Dynamics needs to have the three tiers of access, distribution and core applied to its network design. The application of these concepts will allow scalability to achieve a 3 – 5 year expansion goal. Application of the 3-tier concept will also increase bandwidth for the three (3) buildings and allow connectivity between all branches.
Since Computer Dynamics has 300 computers already in their network and endures heavy traffic to the point of being overloaded, it is assumed that they suffer from collisions and the lack of separate collision domains. This can be attributed to the Hub Topology which is their current mode of operation. The transition to a Switched Topology will place all computers in their own respective collision domains.
This will support the access layer or access tier concept and will increase the speed of the LAN traffic. Each end node will have a 10/100 network connection with full duplex connectivity. Each floor in the buildings would have a Cisco 3560 switch installed with an SFP Gigabit fiber connection to the distribution switch at the MDF or Main Distribution Frame of each building.
The MDF of each building will have a Cisco 6509 Catalyst switch with layer 3 routing capability. The switch will be configured with separate VLANs for each of the floors. This will break each floor into separate broadcast domains, increasing the overall bandwidth in the network. Each floor of each building will have a separate IP network scheme and the core/distribution switch will route and switch the gigabit uplinks for each floor.
It is assumed that each floor has approximately an equal number of clients. Therefore, the Cisco 6500 switch will provide the distribution and core functionality of the three tiers. The 6500 switch will be configured with static routes for the two networks in each building. Each uplink to the edge switches will have UDLD enabled and have trunks statically configured for each switch. (Cisco)
The IP address plan and a sample network diagram for building #1 are shown below. It is also assumed that each building will utilize the same basic plan for the network configuration. Each building will have its own IP address plan.
Figure 1: IP address plan
Figure 2: Proposed network diagram
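One way to derive a per-floor address plan of the kind described above, as an added example that is not the author's plan. The 10.10.0.0/16 supernet, the VLAN numbering, the growth factor, and the reading of "two networks in each building" as two floors with about 50 clients each (300 computers across three buildings) are all assumptions. Each building receives one summarizable block, so a single static route per building is enough at the core.

```python
import ipaddress
import math


def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix length whose usable addresses cover `hosts`."""
    # Usable addresses exclude the network and broadcast addresses.
    return 32 - (hosts + 1).bit_length()


def build_plan(supernet, buildings, floors, hosts_per_floor, growth=2.0):
    """One summarizable block per building, one subnet and VLAN per floor."""
    net = ipaddress.ip_network(supernet)
    # Size each floor for growth, plus one address for the floor's gateway.
    floor_prefix = prefix_for_hosts(math.ceil(hosts_per_floor * growth) + 1)
    # A building block holds `floors` subnets, rounded up to a power of two.
    building_prefix = floor_prefix - (floors - 1).bit_length()
    blocks = net.subnets(new_prefix=building_prefix)
    plan = []
    for b in range(1, buildings + 1):
        block = next(blocks)
        subnets = block.subnets(new_prefix=floor_prefix)
        for f in range(1, floors + 1):
            subnet = next(subnets)
            plan.append({
                "building": b,
                "floor": f,
                "vlan": b * 100 + f * 10,   # hypothetical numbering scheme
                "summary": str(block),      # one static route per building
                "subnet": str(subnet),
                "gateway": str(subnet.network_address + 1),
            })
    return plan


if __name__ == "__main__":
    # Constructed inputs: 3 buildings, 2 floors each, about 50 clients per floor.
    for row in build_plan("10.10.0.0/16", 3, 2, 50):
        print("Bldg {building} floor {floor}: VLAN {vlan:<4} {subnet:<16} "
              "gw {gateway:<12} (summary {summary})".format(**row))
```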
Since the buildings are adjacent and the distance between each MDF is not more than 700 feet, multi-mode fiber will be run between the buildings. The second and third buildings will have an equipment structure similar to that of the first building. The 6500 Catalyst switches will have 10 Gbps cards installed with redundant links between them. This will give the buildings a backup set of fiber in case of GBIC (laser) failure and assure that the cores will be able to talk at the 10 Gbps rate between buildings. (Optics) Static routing between buildings will ensure that traffic will not be disrupted at the core. Hot Standby Router Protocol will also be enabled on each switch to ensure routing in the event of a core switch going down.
In the future, a new office will be located 3 miles from their existing location and a T-1 circuit will be installed in building one to terminate to the new office. A Cisco 2800 router will terminate the T-1 at the new office, and a WAN module in the 6500 Core switch will terminate the other end of the T-1, allowing the core switch to effectively route to the new office. RIP routing will be employed to route between the core switches in all buildings as well as additional locations in the future. Additional T-1 cards can be installed for additional remote locations. Using the 6500 chassis gives us flexibility and room for expansion, since line cards can be purchased and added on the fly. Therefore, we could purchase an RSS series protection switching between locations to provide reliable switchover for line protection and redundancy applications. (Dataprobe)
Cisco. (n.d.). Switches. Retrieved October 21, 2012, from Cisco.com: http://www.cisco.com/en/US/products/hw/switches/index.html?POSITION=SEM&COUNTRY_SITE=us&CAMPAIGN=HN&CREATIVE=Network+Systems+-+Brand_Switches&REFERRING_SITE=Google&KEYWORD=cisco+switches_B|mkwid_s34pgdBcJ_15869791875_0v0xx7y7d0
Dataprobe. (n.d.). Automatic and Remote Controlled A/B Switches. Retrieved October 21, 2012, from Dataprobe.com: