TDC 477
Spring '09

 

TDC477: Network Security

Assignment #3: Network Security Architecture and Configuration for an Enterprise Network

 

Due: 11:59pm, May 28, 2009

 

Problem 1. In this part of the assignment, you are asked to design the network security architecture using firewall and IPSec devices. You should define the policy rules for each device based on the security policy given below. Your solution should include three things: (1) the security devices you will use, (2) the network diagram that shows the topology and the security device locations, and (3) the policy rules for each device. (85 points)

Network and Security Policy Description

You are hired to design and configure a network security system for a company that has a headquarters and remote offices. The company has the following network services: WWW, FTP, Mail, NFS, DNS, and Print server. The company headquarters (HQ) has the following departments that offer network services to employees and external users:

- Accounting Department
  o Highly secure area that allows only for printer sharing and Internet browsing.
  o No data transfer out is allowed by any program.

- R&D Department
  o Employees in this department can use FTP for download only.
  o They can also receive limited multicast for groups SDR and 224.4.4.*, but can establish/initiate any multicast session to communicate with other external groups.
  o Employees in this department can use Internet browsing, printer sharing (with Accounting), and send/receive email.

- Customer Service Department
  o Employees in this department can use Internet browsing, Skype, and FTP (download and upload).
  o They have their own separate printing server (no printer sharing).
  o Employees in this department can also use email services to send and receive messages.

 

General Company Policy

- The company has a cluster of web servers to offer web access to external customers.

- The Accounting and Customer Service departments share database services to store financial records and customer data respectively. All incoming and outgoing database traffic must be secured to guarantee confidentiality, integrity and authentication.

- All outgoing/incoming emails require inspection to make sure that they do not contain viruses and that information sent out is not sensitive.

- Employees from all departments can share the Web-based documents (Document Sharing Server) that are for internal use only.

- Employees can access the web-based shared documents (Document Sharing Server) from home via the Internet, but with confidentiality.

- Only authorized traffic is permitted.

 

You are asked to use any design architecture, configuration, resource partitioning and security devices to provide the maximum security you can to this network. Budget is certainly an issue for this agency! You must also ensure that the policy is adequately enforced, and you can add to it whatever you think appropriate to make it more secure.

 

To submit your solution, (1) define the network subnets and security device locations, (2) review this policy and add whatever is necessary to make the Company network more secure, and (3) for each firewall, define the firewall filtering rules, and for each IPSec device, define the IPSec protection rules to implement the security policy.

 

HINT: Use the concept of defense-in-depth to enhance network security using screening routers, firewalls, proxies, crypto systems, etc. You should also not allow any firewall/IPSec rule conflicts to be created in your policy implementation.

 

Write firewall rules for each firewall using the following rule format:

 

Interface | Protocol | IP Source | IP Dest | Port Src | Port Dest | Action

Interface: the name of the interface on the firewall (e.g.,  port1, port3)

Protocol: ICMP, IP, IPX, UDP, TCP or ANY

IP Source/Destination: E.g., IP(WWW) means IP of WWW or ANY

Port Source/Destination: E.g., WWW, TELNET or 80, 23

Action: Permit, Deny, Authenticate, Scan

 

Write IPSec rules for each IPSec device using the following rule format:

 

Source Address | Destination Address | Transform | Tunnel-endpoint (for tunnel mode)

 

IPSec transforms: AH integrity/authentication, and ESP integrity/authentication/encryption for both transport and tunnel modes.

 

REMEMBER: Avoid intra- and inter-policy conflicts in the firewall and IPSec policies as discussed in class.
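As an added illustration (not part of the original assignment or its solution), the sketch below checks a single firewall's ordered rule list for pairwise intra-policy anomalies, using the shadowing, generalization, redundancy and correlation definitions from the Al-Shaer and Hamed papers cited in Problem 2. The sample rules, addresses and function names are constructed; inter-firewall anomalies, irrelevance, and the redundancy case where an earlier rule is a subset of a later rule with the same action are not covered.

```python
from ipaddress import ip_network

ANY = "ANY"
FIELDS = ("proto", "src", "dst", "sport", "dport")  # page's columns minus Interface

def field_rel(a, b, is_ip):
    """How field a relates to field b: 'eq', 'sub' (a inside b), 'sup', 'dis'."""
    if a == b:
        return "eq"
    if a == ANY:
        return "sup"
    if b == ANY:
        return "sub"
    if is_ip:
        na, nb = ip_network(a), ip_network(b)
        if na.subnet_of(nb):
            return "sub"
        if nb.subnet_of(na):
            return "sup"
    return "dis"

def classify(rx, ry):
    """Anomaly between rule rx and a later rule ry, or None."""
    rels = {field_rel(rx[f], ry[f], f in ("src", "dst")) for f in FIELDS}
    same = rx["action"] == ry["action"]
    if "dis" in rels:
        return None                      # no packet matches both rules
    if rels <= {"eq", "sup"}:            # rx covers everything ry matches
        return "redundancy" if same else "shadowing"
    if rels <= {"eq", "sub"}:            # ry covers everything rx matches
        return None if same else "generalization"
    return None if same else "correlation"   # partial overlap

def find_anomalies(policy):
    """Check every ordered pair; rule numbers in the result are 1-based."""
    rules = [dict(zip(FIELDS + ("action",), r)) for r in policy]
    return [(i + 1, j + 1, kind)
            for i, rx in enumerate(rules) for j, ry in enumerate(rules)
            if i < j and (kind := classify(rx, ry))]

# Constructed sample policy (addresses and ports are illustrative).
SAMPLE = [
    ("TCP", "10.1.1.0/24", ANY, ANY, 21, "Deny"),
    ("TCP", "10.1.0.0/16", ANY, ANY, 21, "Permit"),
    ("TCP", "10.1.1.5/32", ANY, ANY, 21, "Permit"),
    ("UDP", "10.1.1.0/24", ANY, ANY, 53, "Permit"),
    ("UDP", ANY, "10.2.0.53/32", ANY, 53, "Deny"),
]

if __name__ == "__main__":
    for i, j, kind in find_anomalies(SAMPLE):
        print(f"R{i} and R{j}: {kind}")
```

Generalization is usually only a warning (a specific exception placed before a broader rule is a common, intentional pattern), whereas shadowing means the later rule never takes effect.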

 

Problem 2. In the following given network and firewall configuration, identify all firewall policy anomalies in single or multiple firewalls. (15 points) Check the following references to answer this question.

- Ehab Al-Shaer and Hazem Hamed, "Taxonomy of Conflicts in Network Security Policies", IEEE Communications Magazine, Vol. 44, No. 3, March 2006

- Ehab Al-Shaer and Hazem Hamed, "Discovery of Policy Anomalies in Distributed Firewalls", In Proceedings of IEEE INFOCOM'04, March 2004

 

 

The answer should be in a table as follows:

Rules | Anomaly type | Explanation
e.g. fw1.R1 and fw2.R2 | Spurious | Because traffic x allowed by R1 is not allowed great then one

Submission Procedure:

  • Submit your assignment through DLWEB as a SINGLE MS Word document
  • No grading review of any assignment will be done after the final exam
  • This assignment is due 11:59pm, 28 May, 2009.