PART 1 - Different WAN technologies and their comparisons
Integrated Services Digital Network (ISDN) is a group of ITU (CCITT) standards that provide video, data transmission and voice services over a digital telephone network (301 book). ISDN connections provide full- or half-duplex digital communication between two points over dial-up telephone wire. Half duplex means that signals carried by the communication channel travel in only one direction at a time; full duplex means that signals travel in both directions simultaneously. Digital means that data is received in the form of ON/OFF states. Compared with an analog connection, a digital connection incurs fewer errors. ISDN services are purchased at different speeds such as 64 Kbps, 128 Kbps, 256 Kbps and 512 Kbps. The most common ISDN service is 128 Kbps. It carries both data and voice and supports a dozen simultaneous users with a good response rate (Dash, 1999).
Figure Integrated Services Digital Network (ISDN)
Source: (ICOM, 1996-2000).
ISDN basic rate provides two 64 Kbps channels, called bearer or B channels, which carry data between the two callers, and a 16 Kbps channel, called the D or data channel, which carries control signals such as ringing the telephone. The D channel initiates calls digitally. 128 Kbps service is now available in many geographic areas and connection charges are billed monthly. ISDN service is installed by your telephone company and requires a telephone connection. This connection is called the U-loop; it consists of two copper wires with a maximum length of 5.5 km between your premises and the central telephone office. The U-loop connects to a device called the NT1 (network termination 1), which serves several purposes. First, it connects the two twisted wire pairs used by the telephone company to the four-wire connector found in telephones and much other telecommunication equipment. It also acts as a translator between the telephone company and the local network, and it can provide power to a telephone or fax if necessary. ISDN technology is also called digital subscriber line (Dash, 1999).
Digital Subscriber Line (DSL) uses the telephone line at high speed. Downstream, towards the user, the speed is up to 52 Mbps; from the user's side, known as upstream, it is 2.3 Mbps. ADSL (Asynchronous Digital Subscriber Line) is a common form of DSL. It offers speeds similar to leased T1 lines and can support simultaneous voice and data communications.
DSL allows users to use the phone and the Internet at the same time. For DSL service we need a DSL modem that connects to the telephone line and the computer (Dash, 1999).
Figure Digital Subscriber Line
Source: (Specall, 2008).
This device acts as a modulator: it translates the digital signal of the computer onto the telephone line towards a central hub called the DSLAM (Digital Subscriber Line Access Multiplexer) (Kayne, 2003-2010).
Frame Relay provides a digital data communication service within a network cloud. A network cloud means any network you do not maintain. In a frame relay network the telecommunication carrier maintains the connections between your sites. Generally a frame relay network covers a large geographical area, such as a whole state. To create a Frame Relay network, each building must connect to a site in your Frame Relay network cloud that is maintained by your telecommunication provider. These connections can use any WAN technology, such as T1 lines.
Figure: Frame Relay
Source: (Real Time, 1998-2010).
Frame relay can be purchased at different speeds such as 56 Kbps, 128 Kbps and 1.544 Mbps. A frame relay network operates by sending information over a circuit, which is a path established for the duration of the connection. The circuit is either a PVC (permanent virtual circuit) or an SVC (switched virtual circuit). A permanent virtual circuit is defined at configuration time from one point on the WAN to every other point. A switched virtual circuit is defined when the connection is initiated, like a phone call. The advantage of Frame Relay is that it requires few components to install and maintain, and it is easy to expand. Frame relay is faster than ISDN and commonly available (Dash, 1999).
Asynchronous Transfer Mode (ATM) is a high-bandwidth technology developed by the ITU Telecommunication Standards Sector (ITU-TSS). The ATM Forum is responsible for ATM implementation and characteristics. ATM can be layered on physical technologies such as Fiber Distributed Data Interface (FDDI) and SONET. ATM uses fixed-length 53-byte cells; every ATM cell has the same length. Another distinguishing feature of ATM is asynchronous delivery, meaning that transmission does not occur periodically but at irregular intervals (Berg, 1998).
Figure Asynchronous Transfer Mode
Source: (Quest, 2010).
A technique used in ATM is called label multiplexing: time slots are allocated on demand (book end). ATM is a powerful but expensive network for carrying video, voice and data in a large organization. ATM is both a LAN and a WAN technology, and it is frequently deployed for WANs. ATM speeds range from 1.54 Mbps to 622 Mbps. ATM has the potential to carry high volumes of voice, video and data. An advantage of ATM compared with FDDI is its higher speed (Berg, 1998).
Technology Considerations for the Lawyers' Firm:
Internet Protocol Virtual Private Network (IP VPN) is a networking technology that connects more than one location and remote users. IP VPN has replaced Frame Relay, ATM and TDM-based VPN services (Global Communication Group, 200-2009). A VPN is a private network that uses the resources of other networks to connect remote sites and users (Astro, 2008). IP VPN is the collection of technologies that ensure privacy over a shared IP network. Privacy is achieved in many ways; for data privacy the most common forms are encryption or partitioning of customers' data. For IP VPNs, encryption is closely associated with IP security (IPSec). IPSec is a well-developed standard integrated into the IP protocol. IPSec encryption has two variants: the Data Encryption Standard (DES), which uses a 56-bit key, and Triple DES (3DES), which applies the 56-bit key three times for stronger security. Partitioning of data traffic in IP VPNs is associated with MPLS (Multi Protocol Label Switching). MPLS separates the data traffic of one customer from another on a shared network. Partitioning of data traffic is the same privacy method used in frame relay networking. IP VPNs use an IP network; data traffic that uses an ATM or frame relay network is classified as a VPN, not an IP VPN (Steven Harris, 2002).
Many technologies and terms are often associated with IP VPNs, such as encryption, RADIUS, firewalls, authentication, tunnelling, IPSec, extranets, MPLS and L2TP. Some of these technologies, functions and protocols may or may not be part of an IP VPN implementation. 48% of medium and large businesses use IP VPNs. The main reason companies use IP VPNs is remote access. IP VPNs are efficient for transporting IP-based applications. There are several reasons to deploy an IP VPN, and security is at the top of the list: an IP VPN uses the Internet in a secure way (Steven Harris, 2002).
Figure Reason for IP VPN deployment
Source: (Harris, 2002).
Benefits of IP VPN
MPLS uses RFs to provide a secure environment, using a unique RD that identifies each customer's traffic.
IP VPN is a truly MPLS-based service built over a fiber optic network; it is available all year round.
You can now access your business anywhere and at any time.
Global Crossing offers various billing options which help with your budgets and costs. By using your existing equipment you can save cost.
Ease of Management:
You can add sites within your network without reconfiguring your routers.
IP VPN provides high bandwidth with speeds of 155 Mbps (Global Crossing, 2009).
PART 2 SECURITY WEAKNESSES / RISKS AND RECOMMENDATIONS:
Wide Area Network technology was developed to be simple and easy to install and configure, but it is also easy to attack. The lawyers' firm has two offices: the main head office in Manchester and a branch office in Glasgow. Below we discuss some security vulnerabilities between these offices and give suggestions and solutions for these threats.
The Environment / Challenge:
In this network system multiple or separate applications are supported, for example:
Web-based applications (email, file transfer etc.)
Phone calls between HQ and the branch office
Some of the applications above may run over the WAN or the Internet, including voice, inventory control and video. All these applications must be isolated from the networking, the server and each other. However, an efficient infrastructure runs and combines all applications on a single server, which is also good from a cost perspective. In the given scenario we have two offices, the head office based in Manchester and the branch office based in Glasgow. As a law firm it handles legal and sensitive documents, so security is our highest priority.
The first threat to securing sensitive documents and legal data is criminal break-in to the network via the existing wireless equipment. For our system we must identify and understand the security holes, entry points and weaknesses in the network. A major risk for the WAN is inventory readers and barcode scanners. Many companies claim to secure these devices with cloaking and masking, but WEP key cracking shows that cloaking can slow hackers down without stopping them from breaking the key. Another common threat to our internal network is an outsider. Outsider attacks steal user names and passwords to access internal resources. They can crash operating systems, routing devices, email, DNS etc.; all of these are affected by outsiders. Some threats to the computer system are:
Misuse of computers
Attacks on the network
Disasters such as flood, fire etc.
Theft of hardware (Irving, 2003).
Security Suggestions and Recommendations:
First of all, define wireless and physical security policies; these should address techniques such as manual procedures, firewalls, routers, limiting user access and regular backup of data (Irving, 2003). The purpose of these policies is to protect sensitive, valuable documents, hardware and software.
Policies for physical access:
Restricting access to server rooms and equipment:
Servers, gateways, routers, switches, bridges and other equipment should be restricted from unauthorized users.
Install approved equipment:
Install only equipment that is approved and reliable.
AAA (Authentication, Authorization and Accounting):
Access control is a way to control who can access the network server, what services they are allowed to use and when they may access them. An Authentication, Authorization and Accounting (AAA) server provides the primary framework by which you can set up access control on a router or access server. In a modular way AAA provides the following services (Cisco, 1992-2010).
Figure Typical AAA Network Configuration
Source: (Cisco, 1992-2010).
Authentication: This identifies users; it includes login and password, challenge and response, the security protocols you select and encryption. Authentication is the way in which a user is identified prior to accessing the network and its services. To configure AAA authentication, define a named list of authentication methods (Cisco System Inc, 1992-2010).
Fig Authentication process
Source: (Cisco , 2008).
Authorization: It provides a method for remote access control, including one-time or per-service authorization, support for user groups, and IP, IPX and Telnet. AAA authorization assembles a set of attributes that describe what the user is authorized to do and how; these attributes are compared with a database for the given user (Cisco, 1992-2010).
Accounting: It provides a method of collecting and sending security information, which is used for auditing, reporting and billing: start and stop times, commands executed, number of packets and bytes. Accounting enables you to track the services users are accessing as well as how much network resource they are consuming. While accounting is activated, the network access server reports to the RADIUS security server. AAA uses the RADIUS, Kerberos and TACACS+ protocols (Cisco System Inc, 1992-2010).
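The kind of report the accounting data above makes possible, as an added example that is not from the essay or from Cisco: it aggregates per-user session time, bytes and packets from RADIUS-style Start/Stop records and flags two things an auditor wants to see, sessions that never reported a Stop and Stop records whose reported session time disagrees with the timestamps. The log lines are constructed for this example.

```python
"""Per-user usage report from AAA accounting records (added example).

The records below are constructed for this example; their field names
follow RADIUS accounting attributes (Start/Stop, session time, octets,
packets) but no real NAS produced them.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: alice has two finished sessions, bob's never stopped.
ACCOUNTING_LOG = """\
Acct-Status-Type=Start User-Name=alice Acct-Session-Id=0001 Timestamp=2010-05-01T09:00:00
Acct-Status-Type=Start User-Name=bob Acct-Session-Id=0002 Timestamp=2010-05-01T09:05:00
Acct-Status-Type=Stop User-Name=alice Acct-Session-Id=0001 Timestamp=2010-05-01T10:30:00 Acct-Session-Time=5400 Acct-Input-Octets=1048576 Acct-Output-Octets=20971520 Acct-Input-Packets=900 Acct-Output-Packets=15000
Acct-Status-Type=Start User-Name=alice Acct-Session-Id=0003 Timestamp=2010-05-01T11:00:00
Acct-Status-Type=Stop User-Name=alice Acct-Session-Id=0003 Timestamp=2010-05-01T11:10:00 Acct-Session-Time=900 Acct-Input-Octets=2048 Acct-Output-Octets=4096 Acct-Input-Packets=20 Acct-Output-Packets=30
"""

def parse_records(text):
    """Turn each 'attr=value ...' line into a dict."""
    return [dict(pair.split("=", 1) for pair in line.split())
            for line in text.splitlines() if line.strip()]

def usage_report(text, slack_seconds=60):
    """Aggregate per-user totals from Stop records and flag two audit findings:
    sessions that started but never stopped, and Stop records whose reported
    Acct-Session-Time disagrees with the Start/Stop timestamps."""
    starts = {}                                   # session id -> Start record
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes": 0, "packets": 0})
    mismatched = []
    for rec in parse_records(text):
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            starts[sid] = rec
            continue
        if rec["Acct-Status-Type"] != "Stop":
            continue                              # Interim-Update etc. ignored here
        start = starts.pop(sid, None)
        reported = int(rec["Acct-Session-Time"])
        if start is not None:
            elapsed = (datetime.fromisoformat(rec["Timestamp"])
                       - datetime.fromisoformat(start["Timestamp"])).total_seconds()
            if abs(elapsed - reported) > slack_seconds:
                mismatched.append(sid)            # NAS clock drift, or a tampered record
        t = totals[rec["User-Name"]]
        t["sessions"] += 1
        t["seconds"] += reported
        t["bytes"] += int(rec["Acct-Input-Octets"]) + int(rec["Acct-Output-Octets"])
        t["packets"] += int(rec["Acct-Input-Packets"]) + int(rec["Acct-Output-Packets"])
    return dict(totals), sorted(starts), mismatched
```

On the constructed log the report shows alice's two sessions, lists bob's session 0002 as still open, and flags session 0003 because its timestamps span 600 seconds while the record claims 900.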
Benefits of AAA:
It increases control and flexibility
Standard methods of authentication (RADIUS, TACACS+ and Kerberos) (Cisco, 1992-2010).
Why AAA Services Are Needed:
AAA secures users' access to the network and gives the ability to dynamically define user profiles that gain access to network resources, right back to legacy dial access. AAA provides the primary framework for network administrators to set up access control on network entry points or access servers; usually it is a function of the access server or router. Authentication identifies the user, authorization determines what a user can do, and accounting monitors network usage. AAA information is stored in an external database such as TACACS+ or RADIUS; it can also be stored locally at the access server or router (Cisco, 1992-2001).
Dedicated offices must be kept separate from other systems, with no gateway other than HQ. All our external gateways and network interfaces should be protected by a firewall. The design, management and implementation of the firewall is the responsibility of HQ. Change management logs should be maintained by the HQ office. The firewall should be updated, and threats to HQ reviewed, so that it protects against those threats.
Implementation of Antivirus:
It is the lawyers' firm's policy to protect workstations, file servers and peripherals from virus infections. Antivirus software must be installed on every computer and kept up to date. Both the HQ and the branch office should install antivirus on all servers and gateways. Emails and files should be scanned before they are opened.
Intrusion Detection Software:
This is security management for the network. The system collects and analyzes information from various areas of the network to identify threats, including intrusion as well as misuse. Data may be misused within the organization. Intrusion detection uses scanning; this technique assesses the security of the network. For the lawyers' firm I suggest installing equipment and applications which protect documents and also track intrusion attempts.
Another step for network security is to conduct wireless vulnerability assessments. Assessments will be efficient if the following steps are performed:
Properly detect existing threats and locate them
Compare reports generated at different times
Automatically scan all vulnerabilities and enable zero-day and attack protection.
Map your wireless threats in the context of relevant regulations and compliance (Stallings, 2006).
PART 3 PREVENTION FROM VIRUSES AND MALICIOUS SOFTWARE:
Malicious Software: Malicious software is a computer program that takes partial or full control of your computer system and then does whatever the hacker or cracker wants. Malicious software may be a virus, spyware, adware or worm; all of them can damage data. The damage may take the form of changed login details that give full access to the system. The authorized user does not know, and the hacker's attack gains access to confidential data. Most malware requires the user to initiate an operation. Some malware damages data and some just views confidential data. It is installed when the user clicks OK on a popup, and it can be installed on any operating system. Since the release of the Agobot malware it has had a hundred variants. The latest version of Agobot has the ability to perform denial of service attacks, steal passwords and account details, and then propagate on the network using diverse exploits, using polymorphism to avoid detection (Rhee, 2003).
Antivirus Software: Antivirus is a computer program. Its purpose is to detect and remove programs that infect system files. Protecting every machine from viruses is difficult but not impossible; good antivirus and anti-malware products are available from many companies, for example Kaspersky, Panda and McAfee. All these products use different approaches to detect and remove viruses from the system. Antivirus software uses static and dynamic methods. It consists of two components (Rhee, 2003):
Definition files: These files hold information about the types of viruses, the footprints and specifications of the various viruses, and how to remove them. The definition file has its own database to keep information about known viruses.
The engine: The engine accesses the definition file database to run a virus scan; it can clean files and notify the appropriate user accounts. Both components must be kept up to date to get accurate results (Rhee, 2003).
Below are some security recommendations on how to secure the computer system and confidential legal data.
Use a reliable antivirus product on the system
All patches should be downloaded and installed
Sessions must be locked when the user is not using them
Configure the system to automatically download and install updates
Don't save passwords in browsers
Don't leave sensitive data on USB sticks or other soft copies, because it can be damaged by a virus
Don't write user names and passwords on paper.
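The two components described above, as an added example that is not from the essay or from any antivirus vendor: a small definition file holding three kinds of footprint (a fixed byte sequence, a byte regex with a variable gap, and a whole-file hash), and an engine that loads it and scans files against it. The definitions and sample files are constructed for this example and are not real malware patterns.

```python
"""Signature engine over a definition file, as described above (added example).

The definition file and the sample files are constructed for this example;
the patterns are not real malware footprints.
"""
import hashlib
import re

WORM_SAMPLE = b"CONSTRUCTED-WORM-SAMPLE-NOT-REAL"   # stands in for a known bad file

# Constructed definition file: one signature per line, three footprint methods.
DEFINITIONS_FILE = f"""\
# name           method  pattern                                 action
Demo.Dropper.A   hex     4d5a9000deadbeef                        quarantine
Demo.Macro.B     regex   AutoOpen\\(\\).{{0,40}}Shell\\(           clean
Demo.Worm.C      sha256  {hashlib.sha256(WORM_SAMPLE).hexdigest()}  quarantine
"""

def load_definitions(text):
    """Parse the definition file into (name, method, matcher, action) tuples."""
    defs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, method, pattern, action = line.split()
        if method == "hex":
            matcher = bytes.fromhex(pattern)                   # fixed byte footprint
        elif method == "regex":
            matcher = re.compile(pattern.encode(), re.DOTALL)  # footprint with a variable gap
        elif method == "sha256":
            matcher = pattern                                  # whole-file hash
        else:
            raise ValueError(f"unknown method {method!r} in signature {name}")
        defs.append((name, method, matcher, action))
    return defs

def scan_file(data, defs):
    """Return (signature name, action) for the first matching definition, else None."""
    digest = hashlib.sha256(data).hexdigest()
    for name, method, matcher, action in defs:
        if (method == "hex" and matcher in data
                or method == "regex" and matcher.search(data)
                or method == "sha256" and matcher == digest):
            return name, action
    return None

# Constructed sample files: three should be flagged, one is a near miss.
SAMPLE_FILES = {
    "invoice.exe": b"MZ\x90\x00\xde\xad\xbe\xef" + b"\x00" * 64,
    "memo.doc": b"Sub AutoOpen()\r\n    Shell(\"x\")\r\nEnd Sub\r\n",
    "update.bin": WORM_SAMPLE,
    "notes.txt": b"AutoOpen is a word; Shell() is another; neither is the footprint.",
}
```

The hash signature only catches the exact file it was taken from, which is why the text stresses keeping both the definitions and the engine up to date.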
PART 4 SECURING NETWORK SWITCHES BY USING 802.1X
The IEEE 802.11 working group passed the 802.1X standard in 2001. It was passed to improve security in the original 802.11 standards. 802.1X was designed to provide key management, strong authentication and access control. 802.1X is based on an existing authentication protocol known as EAP (Extensible Authentication Protocol). EAP is an extension of the Point-to-Point Protocol. 802.1X is not tied to a specific network scheme but gives a basis for defining the authentication of a user to the network. 802.1X maps EAP onto the physical medium, whether Ethernet or wireless LAN. It has the ability to support multiple authentication techniques such as token cards, one-time passwords and Kerberos (Craiger, 2002).
Mechanics of 802.1X:
There are three main components of 802.1X authentication.
Figure IEEE 802.1x components
Source: (Cisco, 2008).
The authentication server is typically a RADIUS (Remote Authentication Dial In User Service) server, although RADIUS is not specifically required by the standard (Craiger, 2002).
Authentication process of 802.1X:
Figure Authentication process of 802.1x
Source: (Craiger, 2002).
Authentication occurs as follows:
The client sends an authentication request to the AP.
The AP asks the client to provide its identity; it blocks other traffic such as HTTP and POP3 packets until the AP has verified the client's identity with the authentication server.
The client sends its identity to the authentication server.
The authentication server verifies the client's identity using the appropriate algorithm. If the user is identified, an accept message is sent to the AP; if not, a reject message is sent to the AP.
When the client is accepted by the authentication server, the AP transitions the client's port to the authorized state (Craiger, 2002).
Using 802.1X in the Lawyers' Firm:
In the lawyers' firm we use switches that support the 802.1X protocol, and they should connect to the server room. As we know, 802.1X transports authentication information using the Extensible Authentication Protocol. 802.1X uses standard technology to control network access. There are many departments in the lawyers' firm, such as technical, accountancy, the lawyers' office and the security office; 802.1X is the right solution between these departments and the server room.
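The exchange above modelled end to end, as an added example that is not from the essay or from Craiger: a supplicant, an authenticator port and an authentication server, where the port drops every non-EAP frame until the server returns an accept. The verification algorithm is an assumption for this example (an HMAC-SHA256 challenge/response against a server-side user table, standing in for whichever EAP method is deployed); user names and secrets are constructed.

```python
"""Port-based access control following the 802.1X steps above (added example).

The verification algorithm is an assumption for this example: an HMAC-SHA256
challenge/response checked against a server-side user table, standing in for
whichever EAP method is deployed.  User names and secrets are constructed.
"""
import hashlib
import hmac
import os

class AuthenticationServer:
    """RADIUS-like server: owns the user table and checks responses."""
    def __init__(self, users):
        self.users = users                     # identity -> shared secret (constructed)

    def challenge(self):
        return os.urandom(16)                  # fresh nonce per authentication attempt

    def verify(self, identity, challenge, response):
        secret = self.users.get(identity)
        if secret is None:
            return "REJECT"                    # unknown identity
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return "ACCEPT" if hmac.compare_digest(expected, response) else "REJECT"

class Supplicant:
    """The client: proves knowledge of its secret without sending it."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class AuthenticatorPort:
    """Switch/AP port: passes only EAP frames until the server says ACCEPT."""
    def __init__(self, server):
        self.server, self.authorized = server, False

    def forward(self, frame):
        """True if the frame is forwarded, False if dropped on this port."""
        if frame["proto"] == "EAPOL":
            return True                        # authentication traffic always passes
        return self.authorized                 # HTTP, POP3, ... blocked until authorized

    def authenticate(self, client):
        identity = client.identity                                  # steps 1-3
        challenge = self.server.challenge()                         # relayed to the server
        response = client.respond(challenge)
        verdict = self.server.verify(identity, challenge, response) # step 4
        self.authorized = verdict == "ACCEPT"                       # step 5: port state
        return verdict

USERS = {"alice": b"constructed-secret-for-alice"}   # constructed user table
```

A rejected or unknown supplicant leaves the port in the unauthorized state, so its HTTP and POP3 frames keep being dropped.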