Riordan is a global plastics manufacturing company with three branches in the United States and one in China. The Riordan network is divided into four locations: San Jose, CA; Pontiac, MI; Albany, GA; and Hangzhou, China. The corporate headquarters in San Jose and the China branch are connected by a 51.8 Mbps Ka band (K-above) WAN satellite connection operating in the 26.5-40 GHz range with AES end-to-end encryption. The only downfall of using Ka band is its susceptibility to weather (Sala, Zennaro, Sokol, Miao, Spousta, & Chan, 2013), which could cause problems with communications between China and the office in San Jose. The other branches of Riordan are connected with T2 leased lines from the local ISPs in the respective cities; the San Jose branch has a T3, or 45 Mbps, link to the other two branches. The leased lines give Riordan an unshared link to the internet and to the other branches. Unshared simply means the T2, the equivalent of 4 T1s or 6 Mbps, is not shared with other customers (U-Verse Official Site, 2015).
Riordan's corporate office is divided into several departments (Marketing, Finance, and Corp) and houses the main Research and Development department of the organization. Riordan will not make drastic changes to the network, just upgrades to the LAN at the respective branches. The 100BaseT backbone can support 100 Mbps to the departments, and the 1 Gbps fiber backbone in the R&D department can handle the information traversing in and out of that department. Upgrading the hardware in the corporate office will be completed during the down hours of the San Jose branch so work will not be interrupted. The 24-port hub will be taken off the network and replaced with a switch supporting the NAS and the three servers. Replacing the hub will separate the collision domains and help the flow of traffic to and from the server area. The Riordan network is designed to receive data over the satellite link from China, using 512 AES end-to-end encryption to protect the link.
The network server and the Exchange server will be moved to a demilitarized zone (DMZ) off the firewall so customers can have access to the Riordan web server and contact employees via email (Rouse, 2015). All other servers will remain behind the firewall to protect the organization's work information. The R&D server will stay on the R&D backbone because it needs to remain accessible only to that department. This could be done using VLANs off of the gateway switch; company policy says that the information on the R&D WIN server must remain on a separate connection. The firewall will limit attackers' access to the Riordan network, but to further protect the network and its users, all the Windows-based computers will run a third-party malware program to defend against the different types of malware that could cripple the LAN. The OS X-based machines on the network will not need the third-party protection, but they will be scanned from time to time.
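The segmentation described above can be written down as a default-deny rule set and checked automatically whenever a rule is added. The following is an added example, not part of the Riordan design itself; the zone names, host names, and port numbers are assumptions chosen for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str          # zone the traffic comes from
    dst: str          # zone the traffic goes to
    host: str         # destination server
    ports: frozenset  # allowed destination TCP ports

# Constructed rule set: zone names, host names and ports are assumptions.
# Anything not matched by a rule is denied (default deny).
RULES = [
    Rule("wan", "dmz", "web", frozenset({80, 443})),
    Rule("wan", "dmz", "exchange", frozenset({25})),
    Rule("lan", "dmz", "web", frozenset({80, 443})),
    Rule("lan", "dmz", "exchange", frozenset({25, 443})),
    Rule("rnd", "rnd", "rnd-server", frozenset({445})),
]

def is_allowed(rules, src, dst, host, port):
    """Return True only if an explicit rule permits the flow."""
    return any(r.src == src and r.dst == dst and r.host == host
               and port in r.ports for r in rules)

def lint(rules):
    """Flag rules that break the two constraints stated in the design."""
    findings = []
    for r in rules:
        if r.src == "wan" and r.dst != "dmz":
            findings.append(f"{r.src}->{r.dst}/{r.host}: WAN may only reach the DMZ")
        if r.dst == "rnd" and r.src != "rnd":
            findings.append(f"{r.src}->{r.dst}/{r.host}: R&D server is R&D-only")
    return findings

if __name__ == "__main__":
    # A later change that would quietly open the R&D server to the office LAN.
    proposed = RULES + [Rule("lan", "rnd", "rnd-server", frozenset({445}))]
    print(is_allowed(RULES, "wan", "dmz", "web", 443))
    print(is_allowed(RULES, "wan", "lan", "file-server", 445))
    print(lint(RULES))
    print(lint(proposed))
```

Running the lint step before a firewall or VLAN change is applied catches a rule that would break the R&D isolation policy even when the rule looks harmless on its own.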
The San Jose branch will maintain a Windows Server Update Services (WSUS) home to scan the Windows machines once a week and push patches and group policies as needed to those systems (Microsoft.com, 2015). Riordan keeps the server room and the satellite base on a separate power source and environmental control. Both the server room and the satellite base maintain several uninterruptible power supplies (UPS) to allow both areas to maintain a consistent temperature, and in case of a loss of power the UPS will maintain the equipment for up to 8 hours (Klinder, 2015). Riordan will use a third-party data center as a disaster recovery site; the company will work with an organization in Arizona that has been contracted to back up information from the three Riordan locations in the United States. The China branch of Riordan replicates to the San Jose branch, so all the information from all branches will be saved to the data center. The issue with using a third-party data center is whether its security is tough enough to keep attackers from electronically or physically getting to corporate information. IT representatives visited and inspected the data center to ensure it was in compliance with the Riordan information security policies.
The Riordan China branch is a duplicate of the San Jose branch, so the same network upgrades that are being done to the San Jose branch will be done to the China branch. The thought is to keep both branches as close to duplicates of each other as possible, so research done on both sides of the world can be studied or improved on at each branch. This branch was opened in China so that Riordan will remain a leader in research and development in the plastics industry. The entire research and development department in China replicates to the San Jose branch for redundancy. Since the Asian networks are attacked regularly, policies on the firewalls will be stricter leading out to the WAN on the T3 going to the Chinese ISP. The China branch of Riordan is held to the same physical security standards as the San Jose branch: the perimeter of the compound is surrounded by a 10 ft barbed wire fence with guarded entry to the compound. Each employee has a color-coded badge allowing the employee into the areas that employee is authorized to enter (Infosec Institute, 2015).
The front of the building has a mantrap access control point that gives one employee access into the building at a time, preventing tailgate entry by unauthorized personnel (Clark, 2012).
The Albany branch of Riordan is a small expansion branch that produces plastic bottle products. The LAN at this branch supports 20 computers, a NAS, and an HP BL 460 P blade server; the cabling on the network supports 100 Mbps. The Cisco 2900 integrated services router can handle multiple protocols and is also capable of supporting IDS to monitor the network for any unauthorized access attempts (CISCO.com, 2015). The two Cisco 3560 switches support 10/100 Ethernet as well as Power over Ethernet (PoE) to provide power to devices like VoIP phones if necessary (CISCO.com, 2015).
This branch's network will not get many upgrades; the manufacturing floor will receive connections to the robotic machinery to help protect the machinery from electronic attacks. Computerized machinery is susceptible to distributed denial of service (DDoS) attacks; the firewall facing the WAN will stop these types of attacks, and the IDS is in place to detect any anomalies that might get past the firewall (Beal, 2015). The WSUS located at the corporate office will keep the 20 Windows OS computers up to date with the organization's group policies, while regular Windows updates also protect the users. Adding the upgrades to the manufacturing floor will take approximately a week, most of which will be spent running CAT5e cable from the machinery to a patch panel connected to the Cisco 3560 switch.
The Riordan Pontiac, MI, branch was originally the main office in 1992, when Dr. Riordan purchased a fan manufacturing plant. The network in this branch supports 45 client computers all running a Windows 7 OS, four networked printers, a NAS storage device, and an HP BL 460 P blade server. The T2 line in this branch also works as a connection to the corporate branch in San Jose as well as the link to the internet. The leased line will allow corporate to push group policies and patches to the 45 client computers on the LAN. The main security concern at this branch is electronic attacks. The firewall will stop most attacks, but the 2900 series router can support an IPS as a second line of defense against anomaly-based attacks, while the firewall defends against signature-based attacks. Anti-malware will protect the users, along with patches and the group policies from corporate. Using the layered approach to network security gives the organization a better chance of defending against all types of attacks (Banathy, Panozzo, Gordy, & Senese, 2013).
The server rooms in all branches have been equipped with a separate power source and environmental control units, as well as UPS for backup power in case of power outages to the main office. As at the corporate office and the office in China, ID badges are used to gain access to the parking lot as well as the building itself. Upgrades to the network are minimal. Monitoring the systems on the production floor is important because downtime due to denial of service attacks is the concern of the organization's IT department.
Corporate wanted to go with a wireless solution on the manufacturing floor, but the IA team advised against it due to the increased risk of a man-in-the-middle attack. Although it is possible for someone to carry out a man-in-the-middle attack on a wired network, it is more difficult because the attacker must gain access to the wires on the network. An attack on a wireless network is also difficult, but the chances are greater that it will be successful because the attacker does not have to be physically attached to the network. The wired solution was the overwhelming winner when this was explained to the executives of Riordan.
Banathy, A., Panozzo, G., Gordy, A., & Senese, J. (2013, July). A Layered Approach to Network Security. Retrieved from http://www.industrial-ip.org/en/knowledge-center/solutions/security-and-compliance/a-layered-approach-to-network-security
Beal, V. (2015, March). DDoS