SEC 410 – Individual Research Project

Individual Research Project

Consultant for expanding a global eCommerce corporation

Brendon Feole


Overall Strategy

            If someone swears to be as uncooperative as possible, then I’d need to have a talk with them and see why they are swearing to be uncooperative. I want them to have the same quality of life at work as they did under the other management. Plus, working with them may prove beneficial across the board, not just within the IT department. It’s unusual for someone to swear to be uncooperative for no reason; perhaps something happened that can be resolved. In the worst-case scenario, the networks can be mapped and the devices accessed without their help. However, documentation is often incomplete, and when people leave the company, they take that knowledge with them. Getting these people on board by their own choice would be a high priority. We would also need to identify precisely what hardware is at each site, and the employees already there would be able to speed that process along.

            The security policy for the company can be documented separately for each system it applies to. For example, the network security policy, employee best practices for information security, and physical building security are, for the most part, separate issues. For each of those there is a generally accepted secure way to set things up, since they have been addressed at many companies before. However, before a security policy can be defined, the company’s requirements in terms of networking equipment and configuration, employee access and equipment needs, and the physical layout of the building(s) have to be identified. For example, depending on the sensitivity of the information at a location, it may not be acceptable for an employee to bring their own equipment into the building at all. We must first identify these kinds of requirements before we can proceed with security protocols.

Network Audit

           PRTG (or a similar program) can be installed to audit all the devices it can find on the network. After PRTG is installed, new devices appear under the ‘devices’ tab once it runs its automatic network scan. Keep in mind that it can only detect devices reachable from the network segment you are on. So, for example, if your VLAN can only reach devices on VLANs 10 and 20 and you want to see what is on VLAN 30, you would need to physically connect the computer running PRTG to VLAN 30 (the IP address, subnet mask, and gateway for VLAN 30 can be set manually on that computer). The discovery works similarly to nmap (a command-line Linux program) (Paessler, 2019).

            It wouldn’t be terribly hard to find which devices are connected to what on the network, as they generally have to be reachable in some manner to work at all. PRTG can find a lot of devices automatically and quickly, and tools like nmap could be used to find additional devices manually. Logging in to the devices to get their configurations would require the login information, which I don’t have (assuming I can’t get it from the person or persons who already know it). However, many modern firewalls offer password recovery provided you have physical access to the equipment. For example, the Cisco Firepower 2100 series has a password reset procedure via the console port (Cisco, 2019).
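The end product of the discovery step is a list of hosts that has to be reconciled with whatever documentation exists. The following Python script is an added example (not part of the original paper or of PRTG/nmap) that parses `nmap -oX` XML output and diffs it against a documented inventory, reporting hosts that are on the wire but undocumented, hosts that are documented but not seen, and hosts whose MAC address no longer matches the records. The XML, the addresses and the inventory are constructed sample data for one hypothetical VLAN.

```python
"""Reconcile nmap discovery results with a documented asset inventory.

Added example, not from the original paper. The XML below is constructed
sample data in the layout nmap produces with -oX; the inventory is a
hypothetical asset list for one VLAN.
"""
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for a ping sweep of a /28 on "VLAN 30".
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 10.30.0.0/28">
  <host><status state="up"/>
    <address addr="10.30.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="Cisco"/>
    <hostnames><hostname name="gw-vlan30" type="PTR"/></hostnames>
  </host>
  <host><status state="up"/>
    <address addr="10.30.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:05" addrtype="mac" vendor="Dell"/>
    <hostnames><hostname name="fileserver-paris" type="PTR"/></hostnames>
  </host>
  <host><status state="up"/>
    <address addr="10.30.0.9" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:09" addrtype="mac"/>
    <hostnames/>
  </host>
  <host><status state="down"/>
    <address addr="10.30.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical documented inventory: ip -> (hostname, mac). The printer on
# .7 is documented but was not up during the scan.
KNOWN_INVENTORY = {
    "10.30.0.1": ("gw-vlan30", "00:11:22:33:44:01"),
    "10.30.0.5": ("fileserver-paris", "00:11:22:33:44:05"),
    "10.30.0.7": ("printer-2f", "00:11:22:33:44:07"),
}


def parse_nmap_hosts(xml_text):
    """Return {ip: {"mac", "vendor", "hostname"}} for every host nmap saw as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap lists down hosts too; they are not on the wire
        ip = mac = vendor = name = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
                vendor = addr.get("vendor")
        hn = host.find("hostnames/hostname")  # None when <hostnames/> is empty
        if hn is not None:
            name = hn.get("name")
        if ip:
            hosts[ip] = {"mac": mac, "vendor": vendor, "hostname": name}
    return hosts


def reconcile(discovered, inventory):
    """Classify hosts into undocumented (seen, not in inventory), missing
    (documented, not seen) and mismatched (seen with a different MAC)."""
    undocumented = sorted(ip for ip in discovered if ip not in inventory)
    missing = sorted(ip for ip in inventory if ip not in discovered)
    mismatched = sorted(
        ip for ip, info in discovered.items()
        if ip in inventory and info["mac"]
        and info["mac"].upper() != inventory[ip][1].upper()
    )
    return {"undocumented": undocumented, "missing": missing, "mismatched": mismatched}


if __name__ == "__main__":
    found = parse_nmap_hosts(SAMPLE_NMAP_XML)
    for kind, ips in reconcile(found, KNOWN_INVENTORY).items():
        print(f"{kind}: {ips}")
```

Run per VLAN (after moving the scanning machine, as described above) and feed the same inventory each time; the undocumented list is where the interviews with existing staff should start, since those are the devices nobody wrote down.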

           Additionally, tools like PRTG could be used to identify which areas of the network are using what kind of bandwidth, and a tool like SmokePing could provide a very in-depth analysis of the network to see whether any part of it is dropping packets for even a second. Spikes in network latency can be very difficult to identify without a tool like SmokePing because they can be brief and then return to normal. That is disruptive to employees yet hard to detect with regular monitoring and mapping tools (Oetiker, 2014).
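To show why a SmokePing-style probe catches what an averaged graph hides, here is an added Python example (not from the original paper or from SmokePing itself) that keeps every ping of each probe cycle, summarises a cycle by its median, loss and worst RTT, and flags cycles with any loss or an outlier far above the baseline. The probe data is constructed: four cycles of ten pings each, with a short outage in cycle 1 and a brief spike in cycle 2.

```python
"""Per-cycle loss and spike detection from raw ping samples.

Added example, not from the original paper. Sample data is constructed:
each cycle holds 10 round-trip times in milliseconds, None = no reply.
"""
from statistics import median, mean

# Constructed probe cycles. Cycle 1 loses 2 of 10 packets; cycle 2 has two
# packets at ~100 ms while the rest are normal; cycles 0 and 3 are clean.
CYCLES = [
    [12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0],
    [12.0, 12.0, None, None, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0],
    [12.0, 12.0, 12.0, 95.0, 110.0, 12.0, 12.0, 12.0, 12.0, 12.0],
    [12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0],
]


def summarize_cycle(samples):
    """Median RTT, worst RTT and loss percentage for one probe cycle."""
    replies = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(replies)) / len(samples)
    if not replies:
        return {"median": None, "max": None, "loss_pct": loss_pct}
    return {"median": median(replies), "max": max(replies), "loss_pct": loss_pct}


def flag_cycles(cycles, spread_factor=3.0):
    """Return [(cycle_index, reason)] for cycles with any packet loss, or with a
    worst-case RTT more than spread_factor times the baseline median."""
    summaries = [summarize_cycle(c) for c in cycles]
    # Baseline = median of the per-cycle medians, so single bad cycles don't skew it.
    baseline = median(s["median"] for s in summaries if s["median"] is not None)
    flagged = []
    for i, s in enumerate(summaries):
        if s["loss_pct"] > 0:
            flagged.append((i, f"loss {s['loss_pct']:.0f}%"))
        elif s["max"] is not None and s["max"] > spread_factor * baseline:
            flagged.append((i, f"spike {s['max']:.0f} ms vs baseline {baseline:.0f} ms"))
    return flagged


def coarse_average(cycles):
    """What a monitor that stores one average per interval would report: the
    outage and the spike vanish into a slightly higher mean."""
    return mean(s for c in cycles for s in c if s is not None)


if __name__ == "__main__":
    print("flagged cycles:", flag_cycles(CYCLES))
    print(f"coarse average: {coarse_average(CYCLES):.1f} ms")
```

The coarse average over the same data comes out under 17 ms with no loss figure at all, which is exactly the "looks fine on the graph, users complain anyway" situation the paragraph describes; the per-cycle view flags both bad cycles.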

Security for Integrating Two Corporate Environments

            On the network side of things, we will need to set up an IPsec VPN tunnel between the Paris location and the New York and London locations (assuming Paris needs to connect to both). That way, employees can access files at any of the locations, and IT administrators can easily reach equipment at the Paris offices remotely if needed. Files can be shared securely because the connection between the offices is encrypted. It will be important to identify which subnets can access which resources on the other sites. For example, sales at one site may want to access the sales information at the other sites, and IT staff may want to access everything. It’s important to provide access only where it’s needed, to reduce mistakes and limit exposure: the fewer entrances a fortress has, the easier it is to defend.
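The "only where it's needed" rule above is easiest to get right when the inter-site policy is written down as explicit allow rules with a default deny, and then reviewed for rules that are broader than necessary. The Python below is an added example (not from the original paper and not FortiGate configuration): it models the site subnets and a small inter-site rule set, evaluates sample flows against them, and lists the rules that allow every port so they can be justified or narrowed. The subnets, rule names and ports are hypothetical.

```python
"""Least-privilege inter-site access model: explicit allows, default deny.

Added example, not from the original paper. Subnets and rules are
hypothetical; the real firewall policy would express the same intent.
"""
import ipaddress

# Hypothetical per-site, per-department subnets (constructed for the example).
SITES = {
    "paris_sales":     ipaddress.ip_network("10.30.10.0/24"),
    "paris_it":        ipaddress.ip_network("10.30.1.0/24"),
    "newyork_sales":   ipaddress.ip_network("10.10.10.0/24"),
    "newyork_servers": ipaddress.ip_network("10.10.50.0/24"),
    "london_sales":    ipaddress.ip_network("10.20.10.0/24"),
}

# Rule = (source group, destination group, allowed TCP/UDP ports or "any", note).
# Anything that matches no rule is dropped; there is no implicit "allow all".
RULES = [
    ("paris_sales", "newyork_sales", {445}, "Paris sales -> NY sales share"),
    ("paris_sales", "london_sales",  {445}, "Paris sales -> London sales share"),
    ("paris_it",    "newyork_servers", "any", "Paris IT admin reach to NY servers"),
]


def is_allowed(src_ip, dst_ip, port, rules=RULES, sites=SITES):
    """True if some rule permits src_ip -> dst_ip on port; False otherwise (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for src_group, dst_group, ports, _note in rules:
        if src in sites[src_group] and dst in sites[dst_group]:
            if ports == "any" or port in ports:
                return True
    return False


def broad_rules(rules=RULES):
    """Notes of rules that allow every port: each needs a written justification
    or should be narrowed to the management ports actually used."""
    return [note for _s, _d, ports, note in rules if ports == "any"]


def evaluate(flows):
    """Evaluate a list of (src, dst, port) flows; returns list of (flow, allowed)."""
    return [(flow, is_allowed(*flow)) for flow in flows]


if __name__ == "__main__":
    # Constructed sample flows: two legitimate, two that should be dropped.
    for flow, ok in evaluate([
        ("10.30.10.5", "10.10.10.7", 445),   # Paris sales to NY sales share
        ("10.30.10.5", "10.10.50.7", 445),   # Paris sales straight to NY servers
        ("10.30.1.9",  "10.10.50.7", 22),    # Paris IT to NY servers
        ("10.30.10.5", "10.10.10.7", 3389),  # Paris sales RDP to NY sales
    ]):
        print(flow, "ALLOW" if ok else "DENY")
    print("rules to review:", broad_rules())
```

The tunnel itself is only the transport; the rule table is where the "fewer entrances" principle lives, and the `broad_rules()` check is the kind of thing to rerun whenever a rule is added.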

            Business continuity and disaster recovery will need to be explored. We can bring in an outside expert to evaluate cost vs. benefit and find the best price point for being prepared for security or disaster problems such as attacks, power outages, fires, etc. If Paris already has such a plan, it would be good to review it, since new systems, employees, and network configuration may introduce new problems.

            Training employees on the new procedures could be done with a combination of short video lectures and regular testing. Regular exposure in smaller doses keeps skills sharper than one big presentation a year. IT staff could create security documentation specific to each department (some of it would cover more than one department), and emails and quizzes could be sent out automatically on a monthly basis.


Intrusion Detection System

           FortiGate firewalls can come with the FortiGuard service as a subscription; bundles or individual services can be purchased. They offer a variety of services to make sure that security is maintained. For mobile devices, there is the Mobile Security Service. Files with active content (programs or scripts that may run upon being received, like an exe file or a bash script) can be stripped of that content if the firewall policy marks it as not allowed. AntiSpam can greatly assist in removing and controlling phishing attacks via email and in preventing a lot of junk that decreases productivity.

          Antivirus on the firewall can stop threats before they even reach a computer; definition updates are performed automatically, hourly. Intrusion prevention (the NGFW service) can identify suspicious activity using a variety of metrics such as port, protocol, IP addresses, and applications. Patterns can be identified to find attacks and intrusions that would otherwise go unnoticed: all the individual parts may look fine, but as a whole they can indicate an attack or security problem. Web filtering also prevents problems before they begin by only allowing access to certain websites and preventing certain applications from traversing the network.
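The "individual parts look fine, the whole does not" idea is easy to see with a small correlation rule over firewall logs. The Python below is an added example (not from the original paper and not FortiGate's own detection logic): it parses constructed connection-log lines in a simplified key=value format, groups them by source and destination, and raises an alert when one source touches many distinct destination ports on one host inside a short window, whether or not each individual connection was accepted. In the sample, the two accepted connections to 80 and 443 are unremarkable on their own; it is the ten ports in six seconds that matter.

```python
"""Port-sweep correlation over firewall connection logs.

Added example, not from the original paper. The log format below is a
simplified, constructed key=value layout, not FortiGate syslog; the
addresses and timestamps are sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: normal internal traffic, then one external source probing
# ten ports on the same server in six seconds (two of them are open).
SAMPLE_LOG = """\
2019-08-11T10:00:01 action=accept src=10.10.10.23 dst=10.10.50.4 dport=443 proto=tcp
2019-08-11T10:00:02 action=accept src=10.10.10.23 dst=10.10.50.4 dport=443 proto=tcp
2019-08-11T10:00:05 action=deny src=203.0.113.7 dst=10.10.50.4 dport=21 proto=tcp
2019-08-11T10:00:06 action=deny src=203.0.113.7 dst=10.10.50.4 dport=22 proto=tcp
2019-08-11T10:00:06 action=deny src=203.0.113.7 dst=10.10.50.4 dport=23 proto=tcp
2019-08-11T10:00:07 action=accept src=203.0.113.7 dst=10.10.50.4 dport=80 proto=tcp
2019-08-11T10:00:07 action=deny src=203.0.113.7 dst=10.10.50.4 dport=139 proto=tcp
2019-08-11T10:00:08 action=accept src=203.0.113.7 dst=10.10.50.4 dport=443 proto=tcp
2019-08-11T10:00:08 action=deny src=203.0.113.7 dst=10.10.50.4 dport=445 proto=tcp
2019-08-11T10:00:09 action=deny src=203.0.113.7 dst=10.10.50.4 dport=3389 proto=tcp
2019-08-11T10:00:10 action=deny src=203.0.113.7 dst=10.10.50.4 dport=8080 proto=tcp
2019-08-11T10:00:11 action=deny src=203.0.113.7 dst=10.10.50.4 dport=8443 proto=tcp
2019-08-11T10:05:00 action=accept src=10.10.10.44 dst=10.10.50.4 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"],
        })
    return events


def detect_port_sweeps(events, window=timedelta(seconds=60), min_ports=8):
    """Alert on (src, dst) pairs that reach >= min_ports distinct ports inside
    any `window`; accepts and denies both count, since the pattern is the point."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        for end in range(len(evs)):          # sliding window over time
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["dport"] for e in evs[start:end + 1]}))
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best})
    return alerts


if __name__ == "__main__":
    for a in detect_port_sweeps(parse_log(SAMPLE_LOG)):
        print(f"port sweep: {a['src']} -> {a['dst']} ({a['distinct_ports']} ports)")
```

A rule that only looked at accepted traffic, or only at denied traffic, would see two harmless web hits or a handful of blocked attempts; correlating by source and destination over time is what turns them into one event worth a ticket.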

          FortiDeceptor is a service that creates a honeypot network – a fake network – that looks enticing to criminals, so they are likely to attack and break into it first. This causes attackers to reveal themselves and serves as an effective early warning system: attacks can be stopped before any real damage is done.

          FortiGate also has very comprehensive 24/7 support, and they really know what they are doing. They offer a security rating service to perform regular audits and identify potential avenues of intrusion (Fortigate, 2019).


Web/Vulnerability Scanners

          A lot of companies don’t focus much on web design and security. This can be dangerous to the bottom line of a company. For one, customers want to use services from a company that is professional and organized. Secondly, a well-maintained site can also be very secure, which is important for obvious reasons. A common avenue of attack is simply the login for the website. Sometimes the FTP login does not automatically lock out after a certain number of failed attempts, so nothing prevents a brute-force attack.

          Nikto is a Linux program that can comprehensively test website security. It can check for SSL and HTTP issues, outdated server components, and open server ports (similar to nmap), guess default login credentials, guess subdomains, and report unusual headers. If the FTP subdomain is guessed, a brute-force attack on the FTP server could be started. There are also tools for WordPress and other content management systems (the software that runs the website) to lock down avenues of attack like this and even report suspicious activity via email (Kali, 2014).
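The missing lockout mentioned above is a small piece of logic, and it is worth seeing what "lock out after N failures" actually has to track. The Python class below is an added example (not from the original paper, and not the lockout code of any FTP server or CMS): it counts failures per (account, source address) inside a sliding window, locks that pair for a fixed period once the threshold is hit, refuses even a correct password while the lock is active, and resets the count on a successful login. The clock is passed in as a number of seconds so the sequence is reproducible offline; the usernames and addresses are constructed.

```python
"""Failed-login lockout with a sliding window and a timed lock.

Added example, not from the original paper. Time is an explicit argument
(seconds) so the behaviour can be replayed deterministically.
"""
from collections import defaultdict, deque


class LoginLockout:
    """Lock an (account, source) pair after max_failures failures within
    window_s seconds; the lock lasts lock_s seconds."""

    def __init__(self, max_failures=5, window_s=300, lock_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lock_s = lock_s
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                    # lock expired: clean up and allow
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Add a failure; returns True if this failure triggered a lock."""
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lock_s
            recent.clear()
            return True
        return False

    def record_success(self, key):
        self.failures[key].clear()


def attempt_login(lockout, username, source_ip, password_ok, now):
    """Return 'locked', 'ok' or 'failed'. The lock is checked BEFORE the
    password is evaluated, so a locked account gives no signal about the
    password's correctness."""
    key = (username, source_ip)
    if lockout.is_locked(key, now):
        return "locked"
    if password_ok:
        lockout.record_success(key)
        return "ok"
    lockout.record_failure(key, now)
    return "failed"


def simulate():
    """Constructed sequence: five bad passwords in eight seconds, then the
    correct password while locked, then the correct password after expiry."""
    lo = LoginLockout(max_failures=5, window_s=300, lock_s=900)
    results = [attempt_login(lo, "ftpuser", "203.0.113.7", False, t) for t in (0, 2, 4, 6, 8)]
    results.append(attempt_login(lo, "ftpuser", "203.0.113.7", True, 10))         # still locked
    results.append(attempt_login(lo, "ftpuser", "203.0.113.7", True, 8 + 900 + 1))  # lock expired
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying on the (account, source) pair means one noisy address cannot lock a legitimate user out from everywhere, but it also means attempts spread across many source addresses are not caught by this counter alone; a second, per-account counter with a higher threshold, or the reporting features the paragraph mentions, covers that gap.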

          RedSeal can assist with network vulnerability assessments and ongoing management. They can tailor an evaluation based on the type of business, the number of employees, the kinds of equipment, and the overall priorities of the business. A network scanner can be placed onsite to run scheduled evaluations, and they can assist with configuring the firewall so that the scanner can reach all the devices on the network (Redseal, 2018).


Network Firewall Recommendation

           Depending on the overall bandwidth throughput, which can be monitored precisely with tools like Cacti or PRTG, we can see which model we will need. Additionally, there are different models depending on how much of that traffic requires IPS scanning. Typically, the configurations are fairly interchangeable, so upgrading would not be a disaster: a configuration can be copied from a lower model to a higher model if they are running the same firmware version, and in the worst case a FortiGate technician could assist. Ideally, though, it is best to have gear that is a step above what is needed, for peace of mind and to accommodate the unusually high activity that will occur every so often; typically, one model higher is not that much more expensive. Bandwidth graphs can also be analyzed for averages over time and for spikes of high traffic.

          There are other factors, such as how many VPNs can be in use at once (people working from home or outside the office), or IPsec VPN tunnel traffic (how much direct office-to-office bandwidth can be handled between two firewalls over the encrypted connection). Also, a business like this will typically want separate internet connections on each firewall so that if one goes down, the company is still online; so the firewall will need a dual-WAN internet connection.

          Without seeing the metrics on the network resources the offices already use, the FortiGate 100F seems like the best place to start.
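Once the bandwidth graphs exist, the sizing decision described in this section reduces to a few numbers: the long-run average, a high percentile, and the peak, compared with the throughput a model is rated for after applying a headroom factor for "one step higher than needed". The Python below is an added example (not from the original paper) that does that calculation over constructed five-minute throughput samples and picks the smallest model whose rating clears the required figure. The model names and their ratings are placeholders, not Fortinet datasheet values; substitute the real IPS-throughput figures for the models under consideration.

```python
"""Firewall sizing from throughput samples: average, p95, peak, headroom.

Added example, not from the original paper. The sample list is constructed
(Mbit/s per 5-minute interval) and the model ratings are placeholders.
"""
import math
from statistics import mean

# Constructed throughput samples in Mbit/s (a short business-day excerpt).
SAMPLES_MBPS = [40, 45, 50, 48, 52, 60, 55, 70, 65, 80,
                75, 90, 85, 120, 95, 70, 60, 55, 50, 45]

# PLACEHOLDER ratings: throughput with IPS enabled, in Mbit/s. Replace with
# the datasheet figures for the real candidate models.
MODELS = {"model-A": 100, "model-B": 250, "model-C": 600}


def percentile(values, p):
    """Nearest-rank percentile: the value below which p% of samples fall."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def pick_model(required_mbps, models):
    """Smallest model whose rating meets the requirement, or None if none does."""
    for name, rated in sorted(models.items(), key=lambda kv: kv[1]):
        if rated >= required_mbps:
            return name
    return None


def sizing_summary(samples, models=MODELS, headroom=1.5):
    """Average, p95 and peak of the samples, the peak with headroom applied,
    and the model that clears it. Sizing on the peak (not the average) is
    what keeps the box from saturating during the spikes the graphs show."""
    peak = max(samples)
    required = peak * headroom
    return {
        "average": mean(samples),
        "p95": percentile(samples, 95),
        "peak": peak,
        "required_with_headroom": required,
        "recommended": pick_model(required, models),
    }


if __name__ == "__main__":
    for k, v in sizing_summary(SAMPLES_MBPS).items():
        print(f"{k}: {v}")
```

The same function can be run per site on the IPS-inspected share of traffic only, since that is the figure the different models are actually differentiated on, and rerun on the VPN tunnel throughput for the office-to-office links.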


Conclusions

            If employees can be brought to our side and the assessment can be completed, we can identify whether any internal upgrades need to be made to the infrastructure of the Paris location. It may be in the best interest of the company to upgrade all locations’ firewalls to the same 100F or a similar model for consistency and ease of use; it’s easy to get sites communicating securely if it’s all the same brand. It does appear as though the locations have similar needs, so the same model will probably be fine as well. The FortiGates around that level have fiber-optic support both internally and externally, which will help future-proof the networks.

            Additionally, FortiGate can assist with PCI compliance where needed, and the sales/billing team can talk with a lawyer to make sure we know ahead of time what level we need to meet (the IT team can assist with this communication). Evaluations will need to include VoIP support, as the settings will need to change to ensure priority depending on how many calls may occur at a time. As for cost, the 100F with 3 years of antivirus/IPS and other FortiGuard options plus FortiGate support costs around $5000 per firewall. Internal network cabling may also need to be evaluated if it’s limiting the bandwidth internally.

           There are many quality-of-service and security changes that can be implemented; however, we really need to do the onsite evaluations, testing, mapping, and graphing so that we can make the right choices about what would provide the most security and allow for the most productivity. FortiGate products can allow for this, and while they are built to handle a variety of highly customized options, they are not inherently difficult to use, and FortiGate technicians can assist with specialized configurations when needed (typically over the phone, working with someone onsite).


Bibliography

Cisco. (2019, January 16). Password Recovery Procedure for Firepower 2100 series. Retrieved August 11, 2019, from https://www.cisco.com/c/en/us/support/docs/security/firepower-2100-series/213257-password-recovery-procedure-for-fp2100-s.html

Paessler. (2019, February 15). How does the PRTG auto-discovery help in 3 steps. Retrieved August 11, 2019, from https://www.paessler.com/support/how-to/auto-discovery

Oetiker, T. (2014, March 15). About SmokePing. Retrieved from https://oss.oetiker.ch/smokeping/

Fortigate. (2019, July 16). FortiGuard Security Subscriptions: Security Intelligence Service. Retrieved from https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions.html

Kali. (2014, February 18). Nikto. Retrieved from https://tools.kali.org/information-gathering/nikto

Redseal. (2018, June 8). Network Vulnerability Management Program: Vulnerability Prioritization, Assessment, and Remediation Solution. Retrieved from https://www.redseal.net/solutions/vulnerability-management/