Chris Hasek, Marina Rhodes, Jade Olan, Jeanie Brown, Tina Barkley
This network security policy establishes minimum information security requirements for all networks and equipment deployed in CMJJT. CMJJT operates perimeter firewalls and/or gateways between the Internet and the CMJJT network to establish a secure environment for CMJJT's computer and network resources. CMJJT perimeter firewalls are major components of the CMJJT network security planning. The CMJJT perimeter firewall policy directs how the perimeter firewalls will sort Internet traffic to lessen the risks and losses associated with security threats to CMJJT's network and information systems.
CMJJT's information technology priorities are the maintenance of a safe and secure computing environment. The assets at risk from targeted attacks against the network include data/information, software and hardware. Services, including access to the Internet and access to central servers, are also at risk. CMJJT firewall administrators designed the perimeter firewall policy to proficiently enable the security control system found within the perimeter firewalls. CMJJT's network security design provides a multi-layer approach to network security. This approach has a perimeter firewall as the first line of protection. This document provides additional measures to secure CMJJT's network.
A firewall is a system that is designed to prevent unauthorized access to or from a private network. A firewall can be implemented in hardware, software, or both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks that are connected to the Internet. The CMJJT application-level firewall is using ports:
The proxy server implemented by CMJJT acts as an application-level firewall for our networks. Client computers must use the following LAN settings in order to access the Internet:
The CMJJT firewall is configured using industry best practices and standards, including but not limited to the following:
- All Internet traffic from inside to outside, and vice versa, must pass through the firewall implementation. Only network sessions using strong authentication and encryption will be permitted to pass from the Internet to the inside through the firewall implementation.
- The firewall will be configured to deny all services not permitted and will be regularly audited and monitored to detect intrusions or misuse.
- The firewall will notify the firewall administrator(s) in near real time of anything needing immediate attention, such as a break-in into the network, little disk space available, or other related messages, so that immediate action can be taken. Any modification of the firewall will be conducted by a security administrator.
- Appropriate firewall documentation will be maintained on off-line storage at all times. This information will include the network diagram, including all IP addresses of all network and client devices, and all other configuration parameters such as packet filter rules. This documentation will be updated any time the firewall configuration is changed.
- Network security policy and maintenance procedures will be reviewed on a regular basis (every three months at minimum) by the security administrator(s).
- The firewall implementation and configuration must be backed up daily, weekly, and monthly so that in case of system failure, data and configuration files can be recovered.
Packet filtering, also referred to as static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and letting them pass or stopping them based on the IP address of the source and destination. Packet filtering is a technique used to implement security firewalls.
Filter 1 inspects traffic leaving the network:
- ICMP traffic on port 1
- TCP traffic on port 6
- UDP traffic on port 17
Filter 2 allows unmatched traffic leaving the network
Filter 1 drops and logs traffic leaving the network from specified addresses
Filter 2 inspects http traffic on port 80 that's leaving the network
Filter 3 inspects smtp traffic on port 25 that's leaving the network
Filter 4 inspects imap traffic on port 143 that's leaving the network
Filter 5 inspects pop3 traffic on port 110 that's leaving the network
Filter 6 drops any p2p traffic on any port that's leaving the network
Filter 7 drops instant messenger traffic on any port that's leaving the network
Filter 8 inspects ccp-ds-insp-traffic that's leaving the network
Filter 9 inspects traffic leaving the network:
- H323
- Skinny
- SIP
Filter 10 allows any unmatched traffic to leave the network
Filters 1 through 3 allow traffic coming into the network:
- http traffic on port 80
- https traffic on port 443
- dns on port 53
- smtp on port 25
Filter 4 drops any unmatched traffic coming into the network
A stateless firewall filter filters packets from a source to a destination, or packets originating from, or destined for, the Routing Engine. Stateless firewall filters applied to the interfaces protect the processes and resources. A stateless firewall filter can be applied to an input or output interface, or to both. Every packet, including fragmented packets, is evaluated against stateless firewall filters. The stateless packet filtering for CMJJT is configured in the following way:
- Allow only local users to ping this machine
- Discard spoofed packets
- Log firewall, UDP, and TCP messages
- Allow firewall messages to be logged
- Log UDP-related messages
- Log UDP-related messages for ports 1024
- Log TCP-related messages with the flags: SYN, URG, FIN, PSH, Unk, ACK, and RST
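The inbound filter list (Filters 1 through 4) and the stateless rules above, shown as a first-match packet filter. This is an added example, not CMJJT's own firewall configuration; the internal prefix 192.168.1.0/24 and the sample packets are constructed.

```python
"""Stateless (static) packet filter modelled on the CMJJT inbound filter list
and the "discard spoofed packets" rule.  Added example, not CMJJT's own
configuration; the internal prefix and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed internal address block

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # 0 for protocols without ports

# Ordered rule list, first match wins: (proto or None, dport or None, action).
# Filters 1-3 allow http, https, dns and smtp; Filter 4 drops anything else.
INBOUND_RULES = [
    ("tcp", 80, "allow"),
    ("tcp", 443, "allow"),
    (None, 53, "allow"),    # dns, udp or tcp
    ("tcp", 25, "allow"),
    (None, None, "drop"),   # Filter 4: unmatched traffic
]

def filter_inbound(pkt: Packet, log: list) -> str:
    """Verdict for a packet arriving on the external interface.  Only header
    fields are examined; no connection state is kept, so every packet is judged alone."""
    # "Discard spoofed packets": nothing from the Internet may claim an internal source.
    if ip_address(pkt.src) in INTERNAL_NET:
        log.append(f"SPOOF drop {pkt.proto} {pkt.src}->{pkt.dst}")
        return "drop"
    for proto, dport, action in INBOUND_RULES:
        if (proto is None or proto == pkt.proto) and (dport is None or dport == pkt.dport):
            if action == "drop":  # "Log firewall, UDP, and TCP messages"
                log.append(f"DEFAULT drop {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
            return action

SAMPLE_PACKETS = [  # constructed traffic seen on the external interface
    Packet("tcp", "203.0.113.5", "192.168.1.10", 443),  # https: allowed
    Packet("udp", "203.0.113.5", "192.168.1.2", 53),    # dns: allowed
    Packet("tcp", "203.0.113.5", "192.168.1.10", 22),   # ssh: not listed, dropped
    Packet("icmp", "203.0.113.5", "192.168.1.1"),       # external ping: dropped
    Packet("tcp", "192.168.1.44", "192.168.1.10", 80),  # spoofed internal source
]

def run(packets=SAMPLE_PACKETS):
    log = []
    return [filter_inbound(p, log) for p in packets], log
```

External pings fall through to the default drop because ICMP is not in the inbound list, which is how "allow only local users to ping this machine" is realised at the perimeter.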
A stateful firewall is any firewall that performs stateful packet inspection (SPI) or stateful inspection. A stateful firewall keeps track of the network connections, such as TCP streams and UDP communication, traveling across it. The firewall is programmed to distinguish genuine packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected. The stateful packet filtering for CMJJT is configured in the following way:
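The connection-state behaviour just described, as an added example (not CMJJT's firewall code): a TCP connection table is built from traffic the firewall sees, and only segments matching a known state pass. Addresses and ports are constructed.

```python
"""Stateful packet inspection in miniature: only segments that belong to a
connection the firewall already knows (or a SYN opening one from inside) pass.
Added example, not CMJJT's firewall; addresses are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    from_inside: bool  # True if the segment arrived on the internal interface

class StatefulFirewall:
    def __init__(self):
        self.table = {}  # (inside ip, inside port, outside ip, outside port) -> state

    @staticmethod
    def key(s):
        # Normalise so both directions of one connection share a table entry.
        return (s.src, s.sport, s.dst, s.dport) if s.from_inside else (s.dst, s.dport, s.src, s.sport)

    def inspect(self, s: Seg) -> str:
        k = self.key(s)
        state = self.table.get(k)
        if state is None:
            if s.from_inside and s.flags == {"SYN"}:  # only inside may open connections
                self.table[k] = "SYN_SENT"
                return "allow"
            return "reject"  # unsolicited: no known connection
        if state == "SYN_SENT":
            if not s.from_inside and s.flags == {"SYN", "ACK"}:
                self.table[k] = "ESTABLISHED"
                return "allow"
            return "reject"  # out of sequence for a half-open connection
        # ESTABLISHED: both directions pass; FIN or RST tears the entry down
        # (a real implementation keeps it a while longer, e.g. through TIME_WAIT).
        if s.flags & {"FIN", "RST"}:
            del self.table[k]
        return "allow"

def demo():
    fw = StatefulFirewall()  # constructed exchange: client inside, web server outside
    out = lambda f: Seg("192.168.1.10", 51000, "203.0.113.80", 443, frozenset(f), True)
    inn = lambda f: Seg("203.0.113.80", 443, "192.168.1.10", 51000, frozenset(f), False)
    return [
        fw.inspect(inn({"SYN"})),         # reject: nobody inside asked for this
        fw.inspect(out({"SYN"})),         # allow: new outbound connection
        fw.inspect(inn({"SYN", "ACK"})),  # allow: reply to a known connection
        fw.inspect(out({"ACK"})),         # allow: established
        fw.inspect(out({"FIN", "ACK"})),  # allow, and the entry is removed
        fw.inspect(inn({"ACK"})),         # reject: no connection state any more
    ]
```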
Certificate Services accepts requests for new digital certificates over transports such as remote procedure call (RPC) or HTTP. Certificate Services confirms each request against custom or site-specific policies, sets optional properties for a certificate to be issued, and issues the certificate. Certificate Services allows administrators to add entries to a certificate revocation list (CRL), and to publish signed CRLs on a regular basis.
Proxy servers can dramatically improve performance for groups of users, because a proxy server saves the results of all requests for a certain amount of time. Proxy servers can also be used to filter requests. For example, a company might use a proxy server to prevent its employees from accessing a specific set of web sites.
The port security for CMJJT is configured as follows:
- Redirect smtp, pop3, and imap to the mail server
- Allow dns traffic in and out of the DMZ
- Redirect http and https traffic to the web server
A web server is a computer or device that serves up web pages; by installing server software on a computer or device and connecting it to a network, it can become a web server. Every web server has an IP address and a domain name; our domain is cmjjt.com. CMJJT administrators published the cmjjt website on the cmjjt web server.
A mail server serves as an electronic post office for email; email is exchanged across networks between mail servers running specially designed software. The CMJJT mail server uses MailEnable as the mail service and Mozilla Thunderbird as the client. CMJJT uses the following protocols.
Any connection between firewalls over public networks will use encrypted Virtual Private Networks (VPNs) to ensure the privacy and integrity of the data passing over the public network. CMJJT's VPNs use authenticated links to make sure that only authorized users can connect to our network, and they use encryption to make sure that others cannot intercept or use data that travels over the Internet. All VPN connections must be approved by CMJJT administrators. The CMJJT VPN IP address range is 172.18.0.101 to 172.18.0.120. The external router is configured to forward VPN traffic to the internal router, which in turn is configured as a VPN server. The internal AD server is also a Certificate Authority and is also used for authentication.
A brief overview of the contents of the CMJJT Contingency Plan Tome (CMJJTCPT):
The Chief IT Administrator, the CEO, the CFO, the CIO and all of the major department heads are responsible for securing the confidential data of the network, as defined by section 10-573B of the CMJJTCPT. Each of these individuals is also responsible for storing that data at a secure off-site facility, located in the eastern highlands, which is a cold site, as cited in Article 5.7T. Full backups of this data are to be made weekly onto optical discs, of Memorex quality or better, with incremental backups every other day during the week. The full backups are to be taken to the cold site and stored, while the incremental backups will back up to an onsite external drive, which is to be maintained by the CIO. Once a month, a full backup of the external drive should be made and the information stored onto optical discs, of Memorex quality or better, per Article 93.4 of section 10-3A of the CMJJTCPT. All IT staff members are to be trained on how to handle a potential disaster, and this training should take place every 6 months, using a third-party disaster planning and reaction manual entitled What To Do In Case Of Everything, written by Beatrice Fairweather. Every 3 months the IT Administrator and the CIO are to run checks on the cold site to make sure that it could function properly should something occur, using section 98-575 to section 113-02 of the CMJJTCPT as a guide to proper cold site functionality.
CMJJT has the right to perform forensic data gathering on any machines that it owns. This includes both servers and internal client machines. CMJJT's in-house Forensics Expert, Darwin Reynolds, is responsible for gathering and preserving forensic data. Should an anomaly of any sort appear, the forensic data will be immediately sent to Joe and Son's Computer Forensics Garage for analysis. The machine on which the anomaly occurred will be taken off the network to be analyzed by our Second Best Forensics Expert, Dana Schelieg. Should the machine be compromised and incapable of functioning per CMJJT standards, it will then be considered a liability in our security scheme. The computer will be re-imaged, secured, and 2 weeks later redeployed on the network. This task is to be done by Urrich Vonlichtenstien, our Re-Imaging Specialist. More detailed documentation of this process is to be found in the Forensics Stuff sub-chapter in the CMJJT Contingency Plan Tome.
Intrusion Detection/Prevention: Intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. More specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls. Intrusion prevention is a preventive approach to network security used to identify potential threats and respond to them quickly. An intrusion prevention system (IPS) monitors network traffic and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS operates in-line to monitor all network traffic for malicious code or attacks. An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. CMJJT is using a Network Intrusion Detection System (NIDS) that is placed at strategic points within our network to monitor traffic to and from all devices on CMJJT's network. For IDPS, IOS-S362-CLI.pkg and realm-cisco.pub.key were loaded onto a flash drive formatted in FAT32. Tera Term Pro was then used to connect to the Cisco router and load the contents of the flash drive into the running configuration of the Cisco router.