Secure Network Design for a Computer Manufacturer

1
Secure Network Designfor a Computer Manufacturer

• Thanawat Sorawatanakarn

May 2, 2005
2
Organizational Overview
BTEC

• Mid-sized computer manufacturer
• Located in San Antonio
• Primary products
• Desktop computers
• Notebook computers
• Max. capacity 20,000 computers/month
• Approximately 1,500 employees

3
Organizational Overview
BTEC

• Had shopping online last year
• Plan to open the sale office in CA

4
Current Network Design
BTEC
5
Current Network Design
BTEC

• Three-Interface Firewall
• Public servers are on the firewall
• All machines have anti-virus

6
Major Threats Vulnerabilities
BTEC

• Viruses, Worms, and Trojan horses
• Direct access
• Identity spoofing
• Man-in-the-Middle
• DoS

7
Legal Consideration
BTEC

• There is no single law in the US that provided a
  comprehensive treatment of data protection or
  privacy issues.
• Privacy Act of 1974
• Computer Matching and Privacy Act of 1988
• California Online Privacy Protection Act of 2003

8
California Online Privacy Protection Act of 2003
- Business Professions Code section 22575-22579

• Requires operators of commercial web sites or
  online services that collect personal information
  on California residents through a web site to
  conspicuously post a privacy policy on the site
  and to comply with its policy.

9
Security Consideration
BTEC

• Edge Network
• Separate e-commerce network from corporate
  network
• Customer database should be protected
• Need encryption to protect stored or transmitting
  customer information
• Provide secure remote access for sale office (CA)

10
Security Consideration
BTEC

• Campus Network
• No inbound access to campus network should be
  allowed as default
• Has strong password policy

11
Proposed Network Design
BTEC
12
Proposed Network Design
BTEC

• E-commerce Network
• Three-Tier Web design with 2 firewalls
• Separate application server and database server
• First firewall allow only HTTP SSL to the web
  server
• Permit web server to make requests of application
  server
• Deny any other web request
• Second firewall
• Permit application server to make requests of
  database server
• Deny any other web request
• Allow only traffic from internal management
  network

13
Proposed Network Design
BTEC

• Corporate Network
• Still use Three-Interface firewall design
• Firewall integrated with VPN gateway
• Allow everything out and nothing in with the
  following exceptions
• Traffic between external SMTP server and internal
  mail server is permitted.
• NetFlow and Syslog data is permitted from the
  router to management system.
• Return traffic is allowed when initiated from
  inside.
• Install anti-virus enterprise version on all
  hosts and servers
• Set auto-update software and virus definitions

14
Proposed Network Design
BTEC

• Remote site connection
• Site-to-Site IPsec VPN
• Encrypted with 3DES
• IPsec VPN software client with preshared key
• Corporate firewall will not allow non-IPsec
  traffic get through it.

15
Policies
BTEC

• Acceptable Use Policy
• Password Policy
• Privacy Policy

16
Password Policy
BTEC

• All user accounts must contain strong passwords
  as following characteristics
• Are at least eight alphanumeric characters long
• Contain both upper and lower case characters
• Contain at least one numeric
• Are not a word in any language, slang, dialect,
  jargon, etc.
• All passwords must be changed at least four
  months
• Passwords should never be written down

17
Privacy Policy
BTEC

• BTEC will take all appropriate steps to keep
  customer personal information confidential,
  including limiting access to customer information
  databases, communicating this policy statement to
  all employees and establishing and enforcing
  penalties for violating this statement.
• BTEC will not sell, rent or give away customer
  information to other companies for use in selling
  others' products or services.

18
Migration Steps
BTEC

• Request another Internet connection from the ISP
  and connect with new router on corporate network
  and set the basic ACL.
• Set and connect the stateful firewall for Web
  server.
• Move the Web server to connect to first firewall.
  Before move the Web Server, web master should
  post some maintenance notice on the website.
• Migrate data from application server to database
  server.

19
Migration Steps
BTEC

• Move application server to connect to the first
  firewall and move the database server to connect
  to the second firewall and configure follow the
  proposed design.
• Replace the firewall of corporate network with
  the one with integrated VPN Gateway and configure
  follow proposed design.
• Install and configure the VPN software at the
  sale office in California and try the VPN
  connection from the sale office.

20
Questions ?

• Why its better to separate e-commerce network
  from corporate network?
• For high availability
• Mitigate flood attack that will affect both
  network
• If the company has a plan to open a branch or
  sale office with fixed location, what kind of
  secure remote access to be use?
• Site-to-Site IPsec VPN

21
Thank You !