  1. #1
    Ridill

    Network Security final project

    So I have a final project due in a week that we have been working on, and I just had a few questions. I'll just be using this thread instead of posting a bunch of questions in the question thread, so thanks for any input on the subject. Anyway,


    We are laying out a network for a small real estate business. They have 2 kiosk computers, front desk and conference computers, CIO computer, CEO computer and 2 accounting computers. Then we have 6 real estate agent computers and 3 laptops.

    Now, is it more feasible to set up a VLAN for the computers and section them off like

    Accounting+CIO+CEO
    Real Estate Agents and Laptops
    The rest

    or should I set up a subnet for these instead? I made a thread a while back on subnetting and understand the basics of it, so I think I could accomplish that as well. But I have to wonder which is better, or do they work in tandem with each other?

    Also when it comes to servers, should I purchase separate servers for email, web and files? Or purchase 1 server and run virtual machines on it for each?

    One final question for now. When it comes to VLANs, will I need more than one switch? And when it comes to subnetting, will each subnetwork require its own router?

    Thanks.

  2. #2
    BG's most likeable Québécois


    For your VLAN separation, it's good so the boss can access accounting more easily if necessary.

    Also, for servers: 1 for email and 1 for web + file IMO (but 1 physical, the rest virtual on ESXi, which is cheaper).

    You can have 1 switch for all VLANs, np, but you will need to enable routing for the VLANs through the router (dot1q).

    And you only need 1 router, but you will need to create 1 sub-interface (inside the router) per VLAN.

  3. #3
    Ridill

    How about security-wise? I'll be asked about that since it's the foundation of the course. How secure is a VLAN compared to a subnet?

  4. #4
    Salvage Bans

    Hehe, I still remember the subnetting thread.

    VLAN vs. subnetting seems to be a quite common question (just google it), and I'd say it's more of a personal preference than "one is better than the other".
    For VLANs you'd need VLAN-capable switches/routers, which might be more expensive, but it's more flexible. You could for example put a single switch port into a different VLAN ID and separate the connected PC/network device from the rest of the devices connected to this switch. All traffic that goes to or from this single device would have to pass through a router or layer 3 switch and can be controlled that way.
    Subnets let you separate whole network segments from each other, and just as with VLANs you need a router to connect them to each other.

    Whether you need more than one switch/router for either of them completely depends on the size of the switch or router. One large 24- or 48-port switch could easily connect the whole network, and all decent firewall routers have at least 3-4 LAN ports.

    Concerning servers... Splitting roles up between several is in most cases better, but you'll also have to consider the size of the company. I mean, a 20-(wo)man company won't need 5 servers; that would be overkill.
    Virtualization... It's a big and popular topic, but you have to consider a few things with it, and also you can't virtualize everything. Also it can get quite pricey when you do it right, with redundant server layouts, support contracts for software and hardware with short reaction times, etc. You can also go "cheap and dirty" with everything in VMs on a single physical server, but always bear in mind: when this one pack of hardware fails, your whole network is screwed.

  5. #5
    BG's most likeable Québécois


    Quote Originally Posted by Meresgi:
    How about security-wise? I'll be asked about that since it's the foundation of the course. How secure is a VLAN compared to a subnet?
    IMO a VLAN is more secure.

    For a subnet you just need to enable a route to it and traffic can pass (of course firewall rules too).

    While for a VLAN you need to enable trunking, then make a route. So you can say you need 1 more step to access it.

  6. #6
    Ridill

    Thanks for the help guys, will post again if I run into a snag or need some input.

  7. #7
    Bockage
    Guest

    Using both subnets and VLANs will make it easier to administer a network and improve performance, but neither is really going to make your network significantly more secure. All either of those does is break up broadcast domains. Here are some basic things you can do to improve network security:


    • Develop a company security policy. This does a few things:
      • Train users about network security, so they're less likely to accidentally download trojans/worms/viruses/etc., or leave their computers unlocked while they go to lunch or use the bathroom.
      • Makes a plan for dealing with security breaches. You don't want admins to freak and have no idea what to do in the case of an attack.



    • Physically lock up all networking hardware. If a hacker has physical access to your network they can fuck your shit up.
    • Disable all unused ports. Again if a hacker has physical access to your network, you're fucked.
    • Company wide anti-virus software. Keeps stupid users from getting to malicious software.
    • Proxy web filtering. Also helps keep viruses away. Keeps the porn out too.
    • Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS). IDS will monitor the network and sound the alarm when a hacker tries to get in. IPS will also monitor the network and send out alarms, but the device will also try and stop the attack at the same time.
    • Upgrade and patch networking hardware often. Removes threats discovered by the vendor.
    • Turn off unnecessary services on networking hardware. If you don't need things like SSH, telnet, HTTP, finger, SNMP, CDP (Cisco only), etc., then turn them off. They all provide their own vulnerabilities.
    • Use static routes if your network is small enough to get away with it. If you have to use routing protocols, make sure they're only running on interfaces with another networking device at the end of them. You should never have a routing protocol going out on a network with only users, because someone using something like Wireshark can listen in on your routing protocols exchanging routing tables, and that will give them a map of your network.
    • Firewalls and access control lists are your friends. They kill evil packets before they can even enter your network.
    • Turn off ICMP echo replies. Your hardware won't respond to ping or tracert, so it's harder for hackers to even know you exist in the first place. This won't stop you from pinging outside your network though.
    • Backup critical hardware configurations. If someone gets in and deletes it for the lulz you won't be totally screwed.
    • This goes without saying, but change default passwords.

  8. #8
    BG's most likeable Québécois


    Quote Originally Posted by Bockage:
    Using both subnets and VLANs will make it easier to administer a network and improve performance, but neither is really going to make your network significantly more secure. [...]
    Or go to Facebook all day and catch a virus there with their friends' "Applications".

    Orz

  9. #9
    Ridill

    Quote Originally Posted by Bockage:
    Using both subnets and VLANs will make it easier to administer a network and improve performance, but neither is really going to make your network significantly more secure. [...]

    Awesome write-up, thanks. For the IDS/IDPS, how feasible is that from a small company's point of view? Should it be outsourced, since hiring another employee to know how to monitor the readouts and everything seems to be a huge burden? Is it true they have a ton of false positives, where there is a lot of data to sift through?

  10. #10
    Bockage
    Guest

    Quote Originally Posted by Meresgi:
    Awesome write-up, thanks. For the IDS/IDPS, how feasible is that from a small company's point of view? Should it be outsourced, since hiring another employee to know how to monitor the readouts and everything seems to be a huge burden? Is it true they have a ton of false positives, where there is a lot of data to sift through?
    I honestly don't know much more about IDS or IPS beyond what I posted earlier. I just know what they're supposed to theoretically do. Sorry.

  11. #11
    Ridill

    OK, here is my initial layout of the network; not sure if I'm correct on the whole VLAN and subnetting thing though.

    [network diagram attached in the original post]

    Going to go over it again tomorrow when I have some free time and see if I need to add more into it.

  12. #12
    BG's most likeable Québécois


    2 problems I see, unless I'm stupid again:

    1) The kiosk PCs on the left side need a switch so you can add a VLAN, and yeah.

    2) Um, 164.214 is not a private IP but a public IP; it will cost your company a lot to buy all those public IPs.

  13. #13
    Salvage Bans

    Other than what Rata already said:
    - Did you just split it up for the diagram or do you really want 2 firewalls and a router? oO Those 3 can easily be done with a decent firewall router like a Cisco ASA. Those have several Ethernet ports that can be set up with individual firewall and forwarding rules between the ports and towards the internet.
    - Don't make the subnets too narrow. Let's say the company grows after a year and they need a second front desk PC, what would you do? Better distribute the subnet ranges so you have a few spare IPs for each, just in case.
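    Three points raised so far fit together as one planning step: Rata's "1 sub-interface per VLAN (dot1q)" in post #2, the 164.214 block in post #12 being public space, and the headroom point just above. The following is an added example written for this page, not code from any poster: a short Python script that sizes one subnet per segment from today's device counts times a growth factor, refuses a supernet that is not RFC 1918, carves the blocks largest-first so they stay aligned, and emits the matching Cisco IOS-style 802.1Q sub-interfaces for a router-on-a-stick. The VLAN IDs, the 10.20.0.0/16 supernet, the 2x growth factor and the interface name are assumptions; the device counts come from the first post.

```python
import ipaddress
import math

# Constructed inventory from the machines listed in the first post.
# VLAN IDs are assumptions; the thread does not assign any.
SEGMENTS = {
    "management": (10, 4),  # 2 accounting PCs, CIO, CEO
    "agents":     (20, 9),  # 6 agent desktops + 3 laptops
    "office":     (30, 2),  # front desk, conference room
    "kiosks":     (40, 2),  # public kiosks, isolated in their own VLAN
    "servers":    (50, 3),  # email, web/file, backup
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prefix_for(hosts, growth=2.0):
    """Smallest subnet (largest prefix length) whose usable addresses cover
    today's hosts times the growth factor, plus one address for the gateway."""
    needed = math.ceil(hosts * growth) + 1
    for plen in range(30, 7, -1):
        if 2 ** (32 - plen) - 2 >= needed:
            return plen
    raise ValueError("segment too large for a single subnet")


def is_rfc1918(cidr):
    """True only for RFC 1918 space; the 164.214.0.0/24 from the thread fails."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def plan(segments, supernet="10.20.0.0/16", growth=2.0):
    """Carve one subnet per segment out of the supernet, largest block first so
    every allocation stays aligned.  Returns {name: (vlan_id, IPv4Network)}."""
    if not is_rfc1918(supernet):
        raise ValueError(f"{supernet} is public space; use RFC 1918 addresses internally")
    base = ipaddress.ip_network(supernet)
    order = sorted((prefix_for(hosts, growth), name) for name, (_, hosts) in segments.items())
    cursor = int(base.network_address)
    result = {}
    for plen, name in order:
        net = ipaddress.IPv4Network((cursor, plen))
        if not net.subnet_of(base):
            raise ValueError("supernet exhausted")
        result[name] = (segments[name][0], net)
        cursor += net.num_addresses
    return result


def render_router_on_a_stick(planned, parent="GigabitEthernet0/1"):
    """IOS-style config: one 802.1Q sub-interface per VLAN on a single trunk
    port, first usable address of each subnet as that VLAN's gateway."""
    out = [f"interface {parent}", " description trunk to core switch", " no ip address", "!"]
    for name, (vlan, net) in sorted(planned.items(), key=lambda kv: kv[1][0]):
        gateway = net.network_address + 1
        out += [
            f"interface {parent}.{vlan}",
            f" description {name} (VLAN {vlan}, {net.num_addresses - 2} usable)",
            f" encapsulation dot1Q {vlan}",
            f" ip address {gateway} {net.netmask}",
            "!",
        ]
    return "\n".join(out)


if __name__ == "__main__":
    allocation = plan(SEGMENTS)
    for name, (vlan, net) in allocation.items():
        print(f"{name:<11} VLAN {vlan:<3} {net}")
    print(render_router_on_a_stick(allocation))
```

    With the counts above, agents get a /27 (30 usable for 9 machines), management and servers a /28 each, and office and kiosks a /29 each, all inside 10.20.0.0/16. Inter-VLAN traffic then passes through the router's sub-interfaces, which is where the ACLs between, say, kiosks and management would go; the switch side needs the same VLAN IDs and a trunk port towards the router.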

  14. #14
    Ridill

    For the kiosks, I didn't want to add them to a VLAN as they are just publicly accessed terminals, though I guess it would be more secure to section them into their own VLAN, so yeah, I think I will do that.

    For the IP address, it was just given to us. The company has the IP address already, apparently, and was using all their computers on the same network, without a firewall or any protection :D

    For the firewall router, how secure is it compared to a regular hardware firewall? This is the one I was picking out for the project:

    http://www.cdw.com/shop/products/ZyX...613024.aspx#TS

    Based on its ability for VPN and VLAN support. The overall project has a budget of $45k, $30k of which is mine to use.

    In your opinion, Niya, would it be more secure to go with the ASA? I just wanted to create a system of defense in depth using multiple pieces of hardware in case one is compromised. Obviously the real-world application more than likely wouldn't be received well by the client.

    For the subnets, I see what you're saying; I'll go back through and add some more there.


    @ Rata, I was looking up ESXi to see what exactly it is. From what I can understand, it doesn't require an underlying operating system on the server? What speed/size would you recommend for a server to run that? I'll probably use it for the web/email/proxy and then use another server for the database and another for backup.

  15. #15
    BG's most likeable Québécois


    I still suggest you get a switch for the kiosks, because ATM you will use 2 router ports for 2 PCs instead of 1.

    And like Niya said, one of the most important parts in planning is expansion.

    Imagine the kiosks having to expand in 2 months. Unplugging them to put in a switch and maybe making them go down a while, etc.

  16. #16
    Salvage Bans

    Quote Originally Posted by Meresgi:
    For the firewall router, how secure is it compared to a regular hardware firewall?
    In your opinion, Niya, would it be more secure to go with the ASA? I just wanted to create a system of defense in depth using multiple pieces of hardware in case one is compromised. Obviously the real-world application more than likely wouldn't be received well by the client.
    There is no "hardware firewall". Each of those boxes has some kind of software running on it ^^ ZyXEL is a good manufacturer, and I don't really know how good or bad they are compared to Cisco. It's just that my boss likes Cisco firewalls because they have good performance for a decent price, and he's been in the IT business for 25+ years. Everyone has their favourite hardware and software companies, and I just happen to like Cisco ^^ (ok, and Mikrotik, but those are out of the question for your project ^^)
    If you want, look through their products ^^ http://www.cisco.com/cisco/web/solut...uritySolutions

    Quote Originally Posted by Meresgi:
    @ Rata, I was looking up ESXi to see what exactly it is. From what I can understand, it doesn't require an underlying operating system on the server? What speed/size would you recommend for a server to run that? I'll probably use it for the web/email/proxy and then use another server for the database and another for backup.
    ESXi is a so-called hypervisor, a minimalistic OS that manages the hardware and distributes the available resources to the VMs. So you don't need an OS below it.
    ESXi takes ~500MByte of RAM and a few GByte of disk space, the rest is available for the VMs. So it depends on the power your VMs need.
    But as mentioned before, running 3 servers on one ESXi is the "cheap and dirty" version. You'll have to think about a good backup strategy in that case, otherwise it can get really complicated in case the physical server dies.
    It might be enough for small environments. A well-planned virtualization environment can get really pricey. Just an example: one of our customers recently virtualized their servers, and just the licenses and support contracts for the VMware cluster were more expensive than the 3 dual-socket host machines with 192 GByte RAM each. So go figure...

  17. #17
    Ridill

    Well I meant hardware more in terms of a firewall that isn't running on your box, as more of a front line defense. :D

  18. #18
    Salvage Bans

    I know ^^ It's just that "hardware firewall" is a marketing term everyone uses, even though everyone should know that they don't exist xD Even our teachers in vocational school were mocking this ^^

  19. #19
    Ridill

    So I had another question to run by you guys. You'll notice I subnetted the laptops for the realtors; now, part of the overall thing is that the company wants the realtors to be able to connect with their laptops remotely. I'll utilize a VPN for this, but do the laptops need to be subnetted at all in your opinion? I did this just in case they were used in the office, as most people do use their laptops at times, but I'm not sure if that rationale is correct.
