Final Scenario 1. Prepare effective top level and technical security policies appropriate to a given scenario. 2. Evaluate the security measures in place in a networked computer system. 3. Assess information, with regard to evidential value and forensic safety. 4. Propose security measures appropriate to a given scenario and associated risks. Assessment Criteria and Indicative Weighting

Description Points

Task 1 contains: identification of services at each location, diagram of the design (services diagram, hardware diagram covering thus logical and physical design), identification and description of the services towards external providers and customers.

Task 2 contains: identification of aggregation and check-up points in the design, especially based on the diagrams.

Task 3 contains: the identification of the appropriate method(s) to secure the data or data flows in the identified aggregation points from task 2, based on the technologies and rules of design explained in class, during the semester.

Task 4 contains: a security policy and conflict voidance method for a system.

Task 5 contains: the design of a AAA system which solves permissions and creates forensics data.

Introduction

1. Background to the Scenario

The company lewisutech.org is a company which provides IT training and IT outsource consulting for partner companies (seen as clients). Currently, the company has a main headquarter in Romeoville, IL (100 employees). In 2021 the company will open a new smaller facility in Metropolis, IL (50 employees, 253 miles away from Romeoville). There need to be a decision made as to what type of connection will be made between these two locations. Due to the large demand in IT training, the lewisutech.org will expand in 2021 to a third location in Huntley, IL (25 employees, 57 miles away from Romeville and 414 miles away from Metropolis, IL). All three locations need connectivity to each other and access to the internet. All three must also have redundancy to each other and be able to use each other Internet connections if their connection to the Internet goes down.

In order to provide training and IT consultancy, lewisutech.org as a company must know deep details of the customer companies like their structure, detailed network plans and many other private data. The private data is always stored in secured data storage systems and, before the data is distributed to an employee of lewisutech.org, that person should fill in a form for requesting the data.

Moreover, lewisutech.org may on short term help any partner company by letting then have access to either devices or cloud services to the partner companies, providing them with instant-on services until they are able to build an on-site or cloud permanent service. All these services that lewisutech.org provides to the partner companies are on site at lewisutech.org.

2. Business and Technical Requirements

The inner working of lewiutech.org.

2.1. Currently Offered Services

lewisutech.org being a training and consultancy company and thus must maintain high quality of the services. Essentially, lewisutech.org has to be an example of a good, reliable and secure services as this has to serve as a model for the partner companies.

The services which lewisutech.org in Romeoville, IL offers to its customers are:

IT training offered either at the location of the customer or on the premises of lewisutech.org

IT consultancy offered usually at the location of the customer

Design and implementation of networked infrastructures

Purchasing of equipment, software, and licensing on behalf of the customers

Collocation of different services required by the customer on lewisutech.org servers and infrastructure, on a short-term basis, until the services can be started at the location of the customer. This service allows a customer to start a new service in the shortest possible time, even before its employees are fully trained and the necessary devices purchased

2.2. The Internal Organization

lewisutech.org is divided into the following departments in Romeoville IL:

Financial (10 employees)

HR (10 employees)

Purchasing / relationship to providers (20 employees)

Planning / relationship to customers (20 employees)

Engineers / trainers (40 employees) Besides the infrastructure required to support the business-related activities of lewisutech.org there is an on-site datacenter (supporting all the activities of lewisutech.org, both business-related and production) and an extensive lab (dedicated to testing, future implementations, prototyping, training, etc).

The current system / network diagram was designed for only one location, it is core collapsed and not entirely suited for scalability.

2.3. Expansion Requirements Wave 1 Metropolis, IL

It is necessary first to redesign the network in Romeoville, IL to allow it for expansion in a modular and scalable way while maintaining unchanged the locations of the devices. For this, networking devices and links may be added, removed, or relocated.

Because the expansion in Metropolis is only the first wave, it is necessary at this step to de-collapse the network core and strengthen its interconnections and security mechanisms as this will form the new enterprise edge.

The location in Metropolis, IL will provide the same functions as the one in Romeoville IL, scaled by a factor of . However, the systems should be designed in such a way that not only they will be redundant onsite but also between locations. Thus, the total failure of the datacenter in Metropolis, IL will not be felt by the customers as the one in Romeoville will take over all the tasks.

The datacenter in Romeoville, IL being larger, it cannot be entirely backed-up by Metropolis though it should provide the same services at some degradation of services but minimal if possible.

It is assumed that one service will never fail in two locations simultaneously. Moreover, during this first expansion wave it is necessary to introduce a new system for schedule appointments with partners. The system will be open towards the customers which can order and plan the resources for new services, from the list of services offered by lewisutech.org.

2.4. Expansion Requirements Wave 2 Huntley IL

Because the Huntley IL location does not allow for a full (even scaled-down) implementation of the systems, only the mission-critical systems should be implemented here. The business structure of the Huntley IL location is (scaled down version) of the one in Romeoville, IL.

3. Service Requirements

3.1. Generally Applied Design Rules

All the systems should obey the following design rules, with no exception:

Authentication, Authorization and Accounting (AAA) services for all the users and customers

Authorization should be designed based on a RBAC (Role Based Access Control)

Data path separation the principle of data segregation

Design should be modular, scalable, and as simple as possible

No single points of failure (in either cabling, devices, or services)

The data, control and management planes should be as separated as much as possible

The business should be able to perform 100% on mission critical systems with one location totally failed and gracefully degraded on non-critical systems

No two locations will totally fail simultaneously.

3.2. Particular Service Requirements

Access to the databases should be performed in a consistent way. Because lewisutech.org collaborates with multiple customers at a deep level of cooperation, it is necessary to avoid conflicts of interests or data bleeding over to other customers data.

Tasks

1. Design the network infrastructure and services at each location, according to the requirements 3.1 and 3.2. The design should be minimalistic (minimal number of devices to provide the services, though no single points of failure and all 3.1 requirements fulfilled). The output of the design is one (or more) diagrams and the associated text explanation.

2. Identify the points in which the proposed design should be secured, based on the security elements from this course or any others that you have experienced at Lewis or anywhere else.

3. Apply the proper security mechanisms to the previous points and explain their purpose and the way their job is achieved. Also, if they exist, present any disadvantages or insufficiencies your proposed solution might have (critical thinking).

4. For one database system of your choice (from the design in Task 1) write a security policy based on the users and data involved in the system. It is necessary to provide a mechanism for conflict of interest avoidance or information bleeding over into other partners information.

5. Specify a AAA (AAA / Authentication, Authorization, Accounting) solution for one of the systems in the design. Briefly explain how AAA should be solved for the other systems.

Deliverables

A single technical document, a diagram (possibly with Microsoft Visio) and a Packet Tracer buildout with at least the networking part working and the rest as a model if not work. Present the last week.