Azure Jane Lunatic (azurelunatic) wrote,
Azure Jane Lunatic
azurelunatic

Security rules given a specific network diagram

Group Members:
Sam (2)
Joan



Simple Business Structure:

1. Steps to secure each network service:

a) Ask all routers to packet filter.
b) Replace all hubs with switches, to reduce network traffic, and help make sure that each computer may only see traffic intended for it.
c) Have the Web Server residing in a demilitarized zone directly behind the router, and move the DNS Server and Proxy Server behind the firewall.


2. Points where packet filtering would be appropriate:

a) At each router.
b) At each firewall!
c) Rules:
i. Allow outbound traffic.
ii. Make the default rule to drop inbound traffic.
iii. Allow ssh access (port 22), to allow for remote administration.
iv. Allow tcp traffic on port 80 to the web servers.
v. Disallow traffic (inbound or outbound) on port 135, thus disabling most file-sharing, and cutting down on the worms and viruses spread happily throughout the network, and reducing the risk of transmitting any file-shared happy fun to others.
vi. Allow traffic on the local area network.
vii. Allow traffic to/from the DNS Server, port 53 on the LAN.
viii. Allow traffic to/from the Proxy Server on the LAN.
ix. Allow traffic to/from the Network Printer on the LAN.
x. Allow ping packets of types 0 and 8, for ping/acknowledgement, for administrative purposes.


Limited Corporate Structure:

1. Steps to secure each network service:

a) Ask all routers to packet filter.
b) Replace all hubs with switches, to reduce network traffic, and help make sure that each computer may only see traffic intended for it.
c) Have the Web Server and Mail Server residing in a demilitarized zone directly behind the router, and move the DNS Server and Proxy Server behind the firewall.
d) Remove the second, non-firewalled, uplink between #6 Switch and #13 Switch, as its presence defeats the entire purpose of having a firewall in the first place.
e) Have a backup domain controller in the Phoenix office, attached to #3 Workgroup Switch
f) Move the VPN/Firewall in front of the #3 workgroup switch in the Phoenix office.
g) Isolate the machines that have business talking to the #4 Accounting Application Server on their own little segment of the network with a bridge, to reduce the chances of any unauthorized access to the services.

2. Points where packet filtering would be appropriate:

d) At each router.
e) At each firewall!
f) Rules:
i. Allow outbound traffic.
ii. Make the default rule to drop inbound traffic.
iii. Allow ssh access (port 22), to allow for remote administration.
iv. Allow tcp traffic on port 80 to the Corporate Web Server.
v. Allow stmp traffic on port 110 to the mail server.
vi. Disallow traffic (inbound or outbound) on port 135, thus disabling most file-sharing, and cutting down on the worms and viruses spread happily throughout the network, and reducing the risk of transmitting any file-shared happy fun to others.
vii. Allow traffic on the local area network.
viii. Especially allow traffic on the local area network to the primary and backup domain controllers.
ix. Allow traffic to/from the DNS Server, port 53 on the LAN.
x. Allow traffic to/from the Proxy Server on the LAN.
xi. Allow ping packets of types 0 and 8, for ping/acknowledgement, for administrative purposes.
Subscribe
Comments for this post were disabled by the author