white paper-network infrastructure security

Upload: rahul-sharma

Post on 04-Apr-2018


    7/29/2019 White Paper-Network Infrastructure Security

    Network Infrastructure Security 2012

    Network Infrastructure Security

    Presented By, Rahul Sharma,
    Associate Auditor,
    ANB Consulting Co. Pvt. Ltd.

    ANB Consulting Co.Pvt.Ltd. Page 1


    Table of Contents:-

    A) Introduction:- Network Infrastructure Security ........ 3
    B) Internal Network Security ........ 4
    i) Internal LAN Security ........ 4
    1.1 LAN Risks and Issues ........ 4
    1.1.1 Inappropriate Access to LAN Resources ........ 5
    1.1.2 Disclosure of Data ........ 5
    1.1.3 Unauthorized Modification of Data and Software ........ 5
    1.2 Good Practices to Avoid LAN Risks and Issues ........ 6
    ii) Network Connection Control ........ 6
    iii) Administrative Services ........ 7
    iv) Physical Access Control ........ 7
    C) External Network Security ........ 8
    i) Third Party Access to Internal Network ........ 8
    ii) User Authentication for External Connections ........ 8
    D) Network Devices Guidelines ........ 9
    i) Firewall ........ 9
    ii) LAN-Switches ........ 9
    iii) Network Intrusion Detection/Intrusion Prevention System ........ 10
    iv) Antivirus ........ 10
    v) Content Filters ........ 10
    vi) Web Proxy Servers ........ 11
    E) References ........ 11


    A) Introduction:- Network Infrastructure Security

    Network security consists of the provisions and policies adopted by the system administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. It covers a variety of computer networks, both public and private, that are used in everyday jobs for conducting transactions and communications among businesses, government agencies and individuals.

    Network infrastructure is an essential component in addressing potential threats to the overall information and communication technology security of a business. Every device or program that connects to the network becomes part of the communication network. Controls can be implemented through a terminal or through software. Lack of controls over the network will affect the CIA (Confidentiality, Integrity, and Availability) of an organization, which includes:

    Confidentiality:- Protection of secure data transmitted over the network from unauthorized users or parties. Unauthorized access to data stored on a server, made possible by weak controls, can affect the confidentiality of the data.

    Integrity:- Ensures that information is accurate and complete in storage. Information can be modified while transmitted between networks, which then provides wrong or inaccurate information to the actual users.

    Availability:- Availability of information to the authorized user in proper form. Monitoring, reviewing logs, and checking security incidents and system performance in a timely manner can be a preventive control to ensure availability of information over the network.

    Key Requirements for Network Infrastructure Security

    1. Network devices should be configured securely and accessed in a secure environment.
    2. Secure protocols should be used for networks.
    3. Securely configured firewalls and routers should be used.
    4. Remote access to internal networks should be securely managed.
    5. Anti-virus and anti-malware software should be installed on machines.
    6. Fire extinguishers for fire-sensitive areas like server rooms and security rooms.
    7. Implement physical security management like closed circuit television for entry areas and restricted zones.


    8. Security guards can help to maximize security.

    B) Internal Network Security

    i) Internal LAN Security:-

    A LAN provides the storage and retrieval of programs and data used by a group of users. LAN software also provides security for these programs and data, but only low-level security. Here are the risks associated with use of a LAN:-

    1. Inadequate LAN management and security policies.
    2. Unauthorized changes causing loss of data and integrity.
    3. Lack of training for proper LAN usage and security.
    4. Inadequate protection mechanisms in the workstation environment.
    5. Inadequate protection during transmission.

    1.1 LAN Risks and Issues:-

    Unauthorized LAN access results from an unauthorized individual gaining access to the LAN. A LAN provides file sharing, printer sharing, file storage sharing, etc. Because resources are shared rather than used by single individuals, there should be control over the resources and accountability for their use. Three common methods used to gain unauthorized access are password sharing, password guessing and password capturing. Password sharing is common in some organizations. It allows an unauthorized user to have the LAN access and privileges of a specific user. Sometimes the unavailability of a specific user affects part of an organization or department, and to counter this the user's password is given to others so that they can work in that user's place.


    Password guessing is generally not a means of unauthorized access. Password capturing, on the other hand, is a process in which a legitimate user unknowingly reveals the user's ID and password. A Trojan horse program that appears to the user as a legitimate login program is used to capture the password.

    Here are the vulnerabilities which lead to unauthorized access:-

    a) Lack of, or insufficient, identification and authorization scheme,
    b) Password sharing,
    c) Poor or easy-to-guess passwords,
    d) Single-user PCs that are not password protected at boot time,
    e) Unprotected modems,
    f) Lack of time-out for login time and logs of attempts,
    g) Poor physical controls of network devices,
    h) Lack of last successful login date/time and unsuccessful login attempt notifications and logs.
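    Vulnerabilities (f) and (h) above are both detectable from login records. As an added example, not part of the white paper, the following Python script reads constructed login-attempt lines in an assumed "timestamp user result source" format (real systems such as syslog or Windows event logs use their own formats), reports each user's last successful login, and flags a burst of failed attempts from one source, which is the pattern password guessing leaves behind.

```python
"""Review login attempts for the signs listed in 1.1 (f) and (h).

Added example, not from the white paper. Log format (an assumption):
    <ISO timestamp> <user> SUCCESS|FAIL <source address>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2012-03-01T08:55:10 alice SUCCESS 10.0.1.15
2012-03-01T09:02:41 bob FAIL 10.0.1.22
2012-03-01T09:02:45 bob FAIL 10.0.1.22
2012-03-01T09:02:49 bob FAIL 10.0.1.22
2012-03-01T09:02:53 bob FAIL 10.0.1.22
2012-03-01T09:02:57 bob FAIL 10.0.1.22
2012-03-01T09:03:30 bob SUCCESS 10.0.1.22
2012-03-01T09:10:00 carol FAIL 10.0.1.40
2012-03-01T17:45:00 carol SUCCESS 10.0.1.40
"""

FAIL_THRESHOLD = 5              # failures inside the window that raise an alert
WINDOW = timedelta(minutes=5)   # sliding window for counting failures


def parse_log(text):
    """Turn each non-empty line into (timestamp, user, result, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source))
    return events


def review_logins(text):
    """Return {'last_success': {user: ts}, 'alerts': [dict, ...]}."""
    last_success = {}
    failures = defaultdict(list)        # user -> timestamps of recent failures
    alerts = []
    for ts, user, result, source in parse_log(text):
        if result == "SUCCESS":
            last_success[user] = ts
            failures[user].clear()      # a success ends the failure run
            continue
        # keep only the failures that fall inside the sliding window
        recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
        failures[user] = recent
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"user": user, "source": source,
                           "failures": len(recent), "at": ts})
            failures[user].clear()      # report each burst once
    return {"last_success": last_success, "alerts": alerts}


def last_login_notice(report, user):
    """The notice a user should see at login, as vulnerability (h) asks for."""
    ts = report["last_success"].get(user)
    if ts is None:
        return f"{user}: no successful login on record"
    return f"{user}: last successful login {ts.isoformat()}"


if __name__ == "__main__":
    rep = review_logins(SAMPLE_LOG)
    for a in rep["alerts"]:
        print(f"ALERT {a['user']} from {a['source']}: {a['failures']} failures by {a['at']}")
    for u in sorted(rep["last_success"]):
        print(last_login_notice(rep, u))
```

    With the sample above, bob's five failures inside five minutes produce one alert, and carol's single failure does not; the threshold and window are the tuning knobs a reviewer would adjust to the organization's own baseline.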

    1.1.1 Inappropriate Access to LAN Resources:-

    Many resources are made available to many users rather than giving each user dedicated resources; file stores, applications and printers are easily available to users. To reduce the risk to these resources, permission is given only to those who are authorized to access them. Unauthorized access occurs when a user accesses a resource that the user is not permitted to use. It happens because the access rights given to users are not clear or not specified. So, to control the risk of inappropriate access to resources, an access control matrix has to be implemented in the organization.

    Here are the vulnerabilities which lead to unauthorized access to resources:-

    a) Use of system default permission settings that are too permissive to users,


    b) Improper use of administrative or LAN manager privileges,
    c) Data that is stored with an inadequate level of protection, or no protection assigned,
    d) Improper use of the privilege mechanism for users,
    e) PCs that utilize no access control on a file-level basis.

    1.1.2 Disclosure of Data:-

    As data is stored and processed through the LAN, it requires some level of confidentiality. Disclosure of LAN data or software occurs when the data or software is accessed, read and released to an individual who is not authorized for it. This is due to someone gaining access to information that is not encrypted, or to someone viewing monitors or printouts of the information.

    Here are the vulnerabilities which lead to unauthorized access to LAN data:-

    a) Improper access control settings,
    b) Sensitive data stored in unencrypted form,
    c) Application source code stored in unencrypted form,
    d) Monitors viewable in high-traffic areas,
    e) Printers placed in high-traffic areas.

    1.1.3 Unauthorized Modification of Data and Software:-

    Applications and data are shared through the LAN, so changes to them should be controlled. Unauthorized modification of data or software occurs when unauthorized changes are made to a file or program.

    If undetected data modifications are present for a long time, the modified data may spread through the LAN, possibly corrupting databases, spreadsheet calculations and other application data. This can damage the integrity of most application information.

    Unauthorized changes can be made to simple command programs, to utility programs used on multiuser systems, to major application programs, or to any other type of software. They can be made by an unauthorized outsider or by those who are authorized to make changes. These changes can divert information to other destinations, corrupt the data or harm the availability of the system or LAN services.


    Here are the vulnerabilities which lead to unauthorized modification of data and software:-

    a) Privilege mechanisms that allow unnecessary write permission,
    b) Lack of virus protection and detection tools,
    c) Undetected changes made to software, including the addition of code to create a Trojan horse program.

    1.2 Good Practices to Avoid LAN Risks and Issues

    The following are good practices to avoid LAN risks and issues:-

    a) First, virus protection is necessary to avoid virus or malware attacks, so antivirus should be installed on the main server and updated on a daily basis with new patches.
    b) An access control list should be maintained. It will provide limited access to users. Provision of access control lists for data shall be made in the system to protect data from unauthorized access.
    c) AD (Active Directory) on the domain controller should be managed by an authorized person, such as the IT manager, who can control the access of users in the system/application.
    d) The system should force users to use strong passwords with proper security requirements, and force users to change a temporary password at the time of first log-on. For transactions, as in a bank, e-tokens should be implemented so that only authorized users can pass the transactions.
    e) End-user systems shall be configured to lock out in case of inactivity. At the time of standby, the system should automatically lock.
    f) User activity logs should be maintained by the IT manager and reviewed on a regular basis.
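    The access control matrix required in 1.1.1 and the access control list in practice (b) above can be represented with the data structure below. This is an added example, not code from the white paper: the subjects, objects and rights are constructed, and the matrix denies anything that is not explicitly granted, which is the opposite of the permissive default setting listed as vulnerability (a) in 1.1.1. The holders_of() review is the check behind vulnerability (a) of 1.1.3, unnecessary write permission.

```python
"""Access control matrix with default deny (added example, not from the
white paper; all subjects, objects and rights are constructed)."""
from collections import defaultdict

READ, WRITE, EXECUTE = "read", "write", "execute"


class AccessControlMatrix:
    """Rows are subjects (users or groups), columns are objects (file shares,
    printers, applications); each cell is the set of rights granted.
    Nothing is granted by default, so an unlisted pair is denied."""

    def __init__(self):
        self._cells = defaultdict(dict)    # subject -> {object: set(rights)}
        self._groups = defaultdict(set)    # user -> set of group names

    def add_to_group(self, user, group):
        self._groups[user].add(group)

    def grant(self, subject, obj, *rights):
        self._cells[subject].setdefault(obj, set()).update(rights)

    def revoke(self, subject, obj, *rights):
        self._cells[subject].get(obj, set()).difference_update(rights)

    def rights_for(self, user, obj):
        """Effective rights: the user's own cell plus the cells of its groups."""
        effective = set(self._cells[user].get(obj, ()))
        for group in self._groups[user]:
            effective |= self._cells[group].get(obj, set())
        return effective

    def is_allowed(self, user, obj, right):
        return right in self.rights_for(user, obj)

    def holders_of(self, obj, right):
        """Every subject holding a given right on obj, for periodic review."""
        return sorted(s for s, row in self._cells.items() if right in row.get(obj, ()))


def build_sample_matrix():
    """Constructed sample: a finance share, a shared printer and a payroll app."""
    acm = AccessControlMatrix()
    acm.add_to_group("alice", "finance")
    acm.add_to_group("alice", "staff")
    acm.add_to_group("bob", "staff")
    acm.grant("finance", "finance-share", READ, WRITE)
    acm.grant("staff", "printer-1", WRITE)        # printing is a write to the queue
    acm.grant("staff", "finance-share", READ)     # deliberately too broad; tighten_sample() removes it
    acm.grant("alice", "payroll-app", EXECUTE)
    return acm


def tighten_sample(acm):
    """Remove the over-broad group grant found during review."""
    acm.revoke("staff", "finance-share", READ)
    return acm


if __name__ == "__main__":
    acm = build_sample_matrix()
    print("bob reads finance-share:", acm.is_allowed("bob", "finance-share", READ))
    print("writers of finance-share:", acm.holders_of("finance-share", WRITE))
    tighten_sample(acm)
    print("bob reads finance-share after review:", acm.is_allowed("bob", "finance-share", READ))
```

    Group membership is resolved at check time, so revoking a right from a group takes effect for every member at once, which is how a review of the matrix propagates without touching each user row.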

    ii) Network Connection Control


    For an organization it is recommended to maintain a policy that user access to the network is restricted through techniques such as limiting network access to certain times, allowing only one-way file transfer so that users are not able to upload malicious files to the network, and using VLANs (the concept of partitioning a physical network) to facilitate separation of network devices and hosts (workstations and servers), so that uniform filtering policies can be applied and organizational workstations can only access the network services they require for business purposes.

    Good filtering policies include:-

    a) A conspicuous rule is added to ensure that all workstations and servers cannot connect directly to the internet. Connection to the internet should take place through the use of a proxy server.
    b) Ensure that workstations are connected to the appropriate servers for proper functionality, such as print, application and e-mail servers.
    c) Ensure that all workstations within a network segment can connect, using the appropriate network ports, to the relevant proxy server.
    d) Ensure that all workstations connected to network segments that require authentication can connect to the systems hosting authentication services (such as Active Directory) in order to authenticate users.
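    As an added example (not from the white paper), the following Python policy evaluator encodes filtering policies (a) to (d) as an ordered, first-match rule list over constructed VLAN segments. The addresses, segment names and port numbers are assumptions for the demonstration; the point it shows is that the "conspicuous" internet deny rule sits after the single proxy allow and before a final catch-all, so a workstation reaching for the internet directly is refused while the same workstation reaches the proxy, the directory and its servers.

```python
"""Segment-level filtering policy for Network Connection Control.
Added example, not from the white paper; all segments, addresses and
ports below are constructed."""
import ipaddress

# Constructed network segments (assumption: one VLAN per role, RFC 1918 space).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/24"),   # print, application, e-mail
    "proxy":        ipaddress.ip_network("10.20.1.0/28"),
    "auth":         ipaddress.ip_network("10.20.2.0/28"),   # e.g. Active Directory
}

# Ordered, first-match rules: (source segment, destination segment, ports, action).
# "any" matches every segment, "internet" is any address outside SEGMENTS,
# and ports=None means any port. The port numbers are assumptions for the demo.
RULES = [
    ("workstations", "proxy",    {3128, 8080},        "allow"),  # (c) reach the proxy
    ("workstations", "auth",     {88, 389, 636, 445}, "allow"),  # (d) reach authentication
    ("workstations", "servers",  {9100, 25, 443},     "allow"),  # (b) print/mail/app servers
    ("proxy",        "internet", {80, 443},           "allow"),  # only the proxy goes out
    ("any",          "internet", None,                "deny"),   # (a) the conspicuous rule
    ("any",          "any",      None,                "deny"),   # default deny
]


def segment_of(addr):
    """Map an address to its segment name, or 'internet' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def evaluate(src, dst, port):
    """Return (action, index of the matching rule); the first match wins."""
    s, d = segment_of(src), segment_of(dst)
    for i, (rs, rd, ports, action) in enumerate(RULES):
        if rs not in ("any", s) or rd not in ("any", d):
            continue
        if ports is not None and port not in ports:
            continue
        return action, i
    return "deny", -1   # not reachable while the catch-all rule is last


def policy_report(flows):
    """Evaluate (src, dst, port) flows; returns (src, dst, port, action, rule) tuples."""
    return [(src, dst, port, *evaluate(src, dst, port)) for src, dst, port in flows]


if __name__ == "__main__":
    # Constructed flows; 203.0.113.10 is a documentation address standing in for the internet.
    sample = [
        ("10.10.5.7", "203.0.113.10", 443),   # workstation straight to the internet
        ("10.10.5.7", "10.20.1.2",    3128),  # workstation to proxy
        ("10.20.1.2", "203.0.113.10", 443),   # proxy to the internet
        ("10.10.5.7", "10.20.2.5",    389),   # workstation to directory (LDAP)
        ("10.10.5.7", "10.20.0.9",    22),    # workstation to a server on an unlisted port
    ]
    for src, dst, port, action, rule in policy_report(sample):
        print(f"{src:>12} -> {dst:<14} port {port:<5} {action:5} (rule {rule})")
```

    Because evaluation stops at the first match, the order of RULES is part of the policy: moving the internet deny above the proxy allow would cut the proxy off as well, which is the kind of mistake a rule-by-rule test like policy_report() catches before the change reaches a device.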

    iii) Administrative Services

    It is recommended that the availability of administrative services of organization systems and devices is restricted to authorized internal IP addresses. Authorized IP addresses could be given to higher authorities like IT managers and system, network and data administrators.

    iv) Physical Access Control


    For the security of servers, an access card system should be implemented outside the data center, so that only authorized personnel are allowed to access the servers. No visitors should be allowed in the data center without permission. The data center should have a visitors register; anyone other than an authorized user must make an entry in the register.

    C) External Network Security

    i) Third Party Access to Internal Network

    A policy is maintained in which access to organizational internal networks, such as the internet, VPNs, dial-up access or internal applications, is not granted to a third party unless higher authorities within the organization, such as the IT manager or HOD, determine that there is a legitimate need for such access. According to the need of the third party, access can be given for a timeframe sufficient to accomplish their approved task.

    ii) User Authentication for External Connections


    Sometimes users use applications, services and data through external connections. These external connections may become harmful for these services, applications and data, which will create problems for an organization. So, to allow users to use these connections, some policy should be maintained by the organization. Only those users should be permitted whose access has been identified and permitted by the authorized user.

    The strength of the user authentication mechanism depends upon the sensitivity of the information or data which the user accesses through the external connection. A few authentication mechanisms are given below:

    E-Tokens
    Cryptographic techniques
    Challenge-response protocol
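    One common form of the challenge-response protocol listed above, shown from both sides, as an added example that is not part of the white paper: the server issues a random nonce, the client returns an HMAC of that nonce under a secret it shares with the server, and the server recomputes and compares it. The user name and secret are constructed. The single-use nonce is what stops a captured response from being accepted a second time, which is the property that makes this stronger than sending a password across the external connection.

```python
"""HMAC-based challenge-response authentication, both sides of the exchange.
Added example, not from the white paper; the user and secret are constructed."""
import hashlib
import hmac
import secrets

# Server-side store of per-user shared secrets (constructed). In practice the
# secret lives in a token or an HSM and the server holds only what it needs to verify.
USER_SECRETS = {"alice": bytes.fromhex("00112233445566778899aabbccddeeff")}


class Server:
    def __init__(self, secrets_db):
        self._secrets = secrets_db
        self._pending = {}        # user -> outstanding challenge (single use)

    def issue_challenge(self, user):
        """Step 1: send a fresh random nonce to the client."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Step 3: recompute the expected MAC over the nonce we issued and compare
        in constant time. The nonce is consumed whether or not the check passes,
        so replaying a captured response fails."""
        nonce = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user, secret):
        self.user, self._secret = user, secret

    def respond(self, nonce):
        """Step 2: prove knowledge of the secret without transmitting it."""
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_exchange(server, client):
    """Full exchange; returns (authenticated, replay_accepted)."""
    nonce = server.issue_challenge(client.user)      # server -> client
    response = client.respond(nonce)                 # client -> server
    first = server.verify(client.user, response)
    replay = server.verify(client.user, response)    # same response sent again
    return first, replay


if __name__ == "__main__":
    srv = Server(USER_SECRETS)
    print("genuine client:", run_exchange(srv, Client("alice", USER_SECRETS["alice"])))
    print("wrong secret:  ", run_exchange(srv, Client("alice", b"not the shared secret")))
```

    The secret never crosses the link; an observer sees only the nonce and a MAC over it, and because the server forgets the nonce after one verification, the observed pair is worthless afterwards.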


    D) Network Devices Guidelines

    i) Firewall

    It is recommended that firewalls should be configured according to the security policies and measures for the network of the organization. A few best practices are given below:-

    a) Device management access only from authorized internal IP addresses.
    b) Changes in the firewall can be made only by authorized personnel like the IT manager.
    c) Ensure all passwords are in encrypted form when stored on the device.
    d) Ensure that passwords meet specific requirements:-
       1) Minimum of 8 characters
       2) Combination of lower case and upper case characters, numbers, symbols.
    e) No generic user ID shall be created for administrative purposes on the firewall.
    f) All firewall logs shall be stored on a logging server for storage and analysis purposes.

    Firewall configuration shall not be changed without permission of the proper authority, such as the IT manager. Testing of the firewall shall be performed and reviewed on a regular basis. All administrative changes shall be made through the central authentication server.

    ii) LAN-Switches

    The following good practice controls are to be adhered to at the layers of the data center:-

    a) Ensure that passwords meet specific requirements:-
       1) Minimum of 8 characters
       2) Combination of upper and lower case characters, numbers or symbols.


    b) Device management access only from authorized internal IP addresses.
    c) Ensure all passwords are in encrypted form when stored on the device.
    d) Ensure all unused switch ports are configured into a shutdown state.
    e) All switch logs shall be stored on a logging server for storage and analysis purposes.
    f) All network ports listed in the switch configuration are to be configured with a description of the device connected.
    g) All administrative configuration of the device is to be performed via a central authentication server.
    h) A VLAN should be implemented on the network switches to support administrative functions.
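    Several of the switch practices above (unused ports shut down, every port described, logs sent to a logging server, stored passwords encrypted) can be checked from the running configuration rather than by inspecting each port. Added example, not from the white paper: the configuration text is constructed, its "interface", "description", "shutdown", "logging host" and "service password-encryption" lines follow Cisco IOS syntax, and the rule that an active port with no switchport configuration counts as unused is an assumption of this script, not a statement of the paper.

```python
"""Audit an IOS-style switch configuration against the LAN-switch practices.
Added example, not from the white paper; the configuration is constructed."""
import re

# Constructed sample configuration (IOS-like syntax; not a real device).
SAMPLE_CONFIG = """\
hostname dc-access-01
service password-encryption
logging host 10.20.3.10
!
interface GigabitEthernet0/1
 description Uplink to dc-core-01
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Payroll server PAY-01
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 description Spare
!
"""


def parse_interfaces(config):
    """Return {interface name: set of its indented sub-commands}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return interfaces


def audit_switch(config):
    """Return a list of (where, finding) tuples; an empty list means clean."""
    findings = []
    global_lines = set(config.splitlines())
    if not re.search(r"^logging host \S+", config, re.M):
        findings.append(("global", "no logging host: logs are kept only on the switch"))
    if "service password-encryption" not in global_lines:
        findings.append(("global", "passwords are stored unencrypted"))
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue                          # disabled ports need no further checks
        described = any(c.startswith("description") for c in cmds)
        # Assumption: an active port with no switchport command is not in use.
        in_use = any(c.startswith("switchport") for c in cmds)
        if not described:
            findings.append((name, "active port without a description of the connected device"))
        if not in_use:
            findings.append((name, "unused port not in shutdown state"))
    return findings


if __name__ == "__main__":
    for where, what in audit_switch(SAMPLE_CONFIG) or [("-", "no findings")]:
        print(f"{where}: {what}")
```

    On the sample, GigabitEthernet0/3 is flagged for the missing description and GigabitEthernet0/5 as an unused port left up; the two global checks pass because the logging host and password-encryption lines are present. Running the same audit over every saved configuration turns practices (c) to (f) into a repeatable control rather than a one-time review.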

    iii) Network Intrusion Detection/Intrusion Prevention System

    If an organization hosts a web server or any other server, it has to implement a network intrusion detection or prevention system to discover unauthorized access to the computer network. The following good practices are required:-

    a) Device management access only from authorized internal IP addresses.
    b) All communication between the management console and the device is to be encrypted.
    c) The network interface used for monitoring and network traffic collection should not be configured with an IP address.
    d) Ensure that passwords meet specific requirements:-
       1) Minimum of 8 characters
       2) Combination of upper and lower case characters, numbers or symbols.


    e) Signatures must be updated on a daily basis.
    f) Devices are to be patched and maintained in response to operating system and product alerts issued by the respective vendor.
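    The password requirement repeated for firewalls, LAN switches and the IDS/IPS (minimum 8 characters, mixing upper case, lower case, numbers and symbols) as a checker, added here as an example and not part of the white paper. It returns every failed requirement rather than stopping at the first, and adds two checks beyond the paper's list that address the "easy to guess passwords" vulnerability in 1.1: a small constructed deny list of well-known weak choices and a test that the device hostname is not embedded in the password.

```python
"""Check a candidate device password against the requirement given for
firewalls, switches and IDS/IPS. Added example, not from the white paper."""
import string

MIN_LENGTH = 8

# Constructed deny list of well-known weak choices; a real deployment would
# use a much larger list of breached or vendor-default passwords.
WEAK_PASSWORDS = {"password", "password1", "admin123", "welcome1", "letmein", "qwerty123"}


def password_findings(password, hostname=None):
    """Return every requirement the candidate fails (empty list = acceptable)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        findings.append("no lower case letter")
    if not any(c.isupper() for c in password):
        findings.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no number")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbol")
    if password.lower() in WEAK_PASSWORDS:
        findings.append("on the weak password list")
    if hostname and hostname.lower() in password.lower():
        findings.append("contains the device hostname")
    return findings


def meets_policy(password, hostname=None):
    """True when the candidate satisfies every requirement."""
    return not password_findings(password, hostname)


if __name__ == "__main__":
    for candidate in ("password", "Abc1!", "Tr0ub4dor&3", "Fw-core-01!x"):
        problems = password_findings(candidate, hostname="fw-core-01")
        print(f"{candidate!r}: {'ok' if not problems else ', '.join(problems)}")
```

    Reporting all failures at once matters on network devices, where an administrator typically sets the password over a console session and wants to get it right on the first attempt rather than iterate through one rejection at a time.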

    iv) Antivirus

    It is the gateway monitor that checks for the existence of viruses or malware in incoming and outgoing web and e-mail traffic. Antivirus detects and prevents the action of malware or viruses such as adware, fraud tools and keyloggers. It should be updated on a daily basis with new patches and signatures to detect new viruses.

    v) Content Filters

    Content filtering is used for blocking or controlling material that is irrelevant to the users in an organization, and is especially used to restrict material delivered over the internet via e-mail, the web or other means. Content filtering software is used to determine what content will be made available and what content will be blocked. Content filtering may be used to block access to pornography, games, shopping, advertising, e-mail/chat or file transfers, or to websites that provide information about hatred/intolerance, weapons, drugs, gambling, etc.

    Some good practices for content filtering are given below:-

    a) The content filter should be patched and maintained according to vendor security advisories.
    b) Signatures of the content filter should be updated on a daily basis.
    c) A report on content filter activity should be checked and reviewed by a higher authority like the IT manager.

    vi) Web Proxy Servers


    A policy should be maintained for web proxy servers. Good practices are given below:-

    a) Allow proxy server management access only from authorized internal IP addresses.
    b) Each proxy should only be configured to permit the flow of traffic in a single direction.
    c) Proxies are patched and maintained in response to product alerts issued by the operating system and proxy software vendors.
    d) All proxies should force users to authenticate before access to the internet and other related services is permitted.

    E) References:-

    1) http://www.lanenforcer.cn/global/pdf/white_papers/Best_Practices_LAN_Security_and_NAC_rev1.pdf
    2) http://www.cgiar.org/www-archive/www.cgiar.org/pdf/iau/gpn_Network%20Infrastructure%20Security.pdf
    3) https://security.tennessee.edu/pdfs/SNIBP.pdf
    4) http://en.wikipedia.org/wiki/Network_security
    5) Policy:- RBI, Uninor.
