Question
You are a newly hired civilian contractor for the U.S. Navy at a naval air station. Your position is a security engineer. This project has recently been consolidated to this location from several coastal areas. The team is a small department that focuses on unmanned naval surveillance vehicles.
You have been asked to perform the initial network design while you wait for your security clearance to get approved. You have to bear in mind the requirements that the Navy has for this project. There is a 2 terabyte UNIX DB2 database, which is used for craft designs, part lists, and experimental results; additionally, a smaller Oracle database running on Windows servers takes care of scheduling, administration, and personnel data.
The network will require 200 hosts in the design and development department, 20 in the personnel department, and 40 in the acquisition department. The acquisition department will need access to the secure internal network and external Department of Defense suppliers, whose networks are not considered secure. Both of these departments will need access to Windows laser printers and UNIX-based design plotters. The captain in charge of the project and his staff of 10 need a wireless virtual private network (VPN).
This work is considered top secret and outside of the requirements of the acquisition department; the network is considered a secure one that must meet the requirements of Common Criteria and Evaluation Assurance Level 4+ (EAL 4+). The internal, border, wireless, and default gateway duties are handled by a major equipment company. Data availability is important because the government has tens of millions of dollars already invested in this project.
In preparation for your network design project, discuss with your classmates ideas for addressing the security vulnerabilities in the network design. In your discussion, address the following:
What challenges will need to be addressed with the U.S. Navy project described in your scenario?
What types of vulnerabilities need to be addressed in the design?
Where might there be points of failure in the design?
What areas concern you about securing the network?
What steps would you recommend to overcome those concerns?
Explanation / Answer
Hi,
Below are the solutions to your questions:
1. What challenges will need to be addressed with the U.S. Navy project described in your scenario?
There are lots of challenges that need to be addressed in the above-mentioned project. A few of them include:
a. Anonymizing the network on the Internet: the biggest threat to the anonymity of the network is ongoing trends in law, policy, and technology, and these threaten it even more.
b. The network must be up and running in a way that handles as many users as possible.
c. The network must be protected from the transport of data. We need to use protocol-specific support software if you don't want the sites you visit to see your identifying information.
d. Also, we need to provide filtering of the websites to prevent the network from being hacked or attacked by viruses or any other form of vulnerability, which impose a threat on the network and leak sensitive information from the network database servers.
e. Also, since the project is a top secret one, some sort of software needs to be installed on the network so that visiting or surveilling web sites would not leave government IP addresses in the web logs, and for security during sting operations.
f. Traffic analysis needs to be addressed, as it can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests.
2. What types of vulnerabilities need to be addressed in the design?
The system is vulnerable to lots of threats:
a. Cyber threats, to prevent hacking of the network.
b. Network spoofing.
c. Wireless access points: wireless APs provide immediate connectivity to any user within proximity of the network. Wireless attacks by wardrivers (people in vehicles searching for unsecured Wi-Fi networks) are common and can cause significant damage.
d. Misconfigured firewall rulebases.
e. E-mail: e-mail is frequently used within businesses to send and receive data; however, it's often misused. Messages with confidential information can easily be forwarded to any external target.
3. Where might there be points of failure in the design?
There can be various loopholes in the network design:
a. Opening more firewall ports than necessary.
b. Failing to use SSL encryption where it counts.
c. Excessive security logging: although it's important to log events that occur on your network, it's also important not to go hog wild and perform excessive logging.
d. Make sure VLAN trunking in your network does not become a security risk in the network switching environment.
4. What areas concern you about securing the network?
5. What steps would you recommend to overcome those concerns?
Steps that need to be kept in mind to secure the network are:
a. Putting both the public (VLAN 46) and private (VLAN 102) VLANs on the same switch, behind the firewall, is not a good idea. The VLAN separation does not provide enough security for your private information, such as a corporate database. This is not recommended because the management of the switch is more easily compromised by having a public VLAN. In addition, this is not recommended because a simple misconfiguration or incorrect cabling could expose the management interface of the switch.
b. High-end switches can perform firewall functions without using an external firewall device.
c. Layer 3 interfaces between switches provide additional access control.
If one of your network users does not want his workstation to be tampered with, that user must control the physical access to that workstation, such as powering off the computer at the end of the day.
Hope that helps...HAPPY ANSWERING!!!
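As an added example (not part of the question or the posted answer), here is a small Python model of a default-deny zone policy for the scenario's departments, databases, printers/plotters and the untrusted DoD supplier networks; the zone names, ports and rules are constructed assumptions. The audit shows how one over-broad inbound rule from the supplier network, combined with the acquisition department's dual access, becomes a pivot path into the secure side.

```python
from collections import deque
from dataclasses import dataclass

# Zones are assumptions drawn from the scenario: the three departments, the
# captain's wireless VPN users, the two databases, shared printers/plotters,
# and the untrusted external DoD supplier networks.
ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset  # allowed TCP ports, or frozenset({ANY}) for an any-port rule

# Constructed rulebase expressing the scenario's stated needs; everything else is denied.
RULES = [
    Rule("design_dev", "db2_unix", frozenset({50000})),      # designs, part lists, results
    Rule("design_dev", "print_plot", frozenset({515, 9100})),
    Rule("acquisition", "print_plot", frozenset({515, 9100})),
    Rule("acquisition", "dod_suppliers", frozenset({443})),  # supplier web portals only
    Rule("personnel", "oracle_win", frozenset({1521})),      # scheduling/personnel data
    Rule("command_vpn", "oracle_win", frozenset({1521})),
    Rule("dod_suppliers", "acquisition", frozenset({ANY})),  # constructed over-broad rule
]

def is_allowed(src, dst, port, rules=RULES):
    """Default deny: pass only if a rule names the zone pair and the port (or any)."""
    return any(r.src == src and r.dst == dst and (ANY in r.ports or port in r.ports)
               for r in rules)

def reachable_from(start, rules=RULES):
    """Zones reachable from `start` by chaining allowed rules, ignoring ports.
    Exposes pivot paths such as suppliers -> acquisition -> printers."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r.src == zone and r.dst not in seen:
                seen.add(r.dst)
                queue.append(r.dst)
    return seen - {start}

def audit(rules=RULES):
    """Findings a design reviewer would raise on this rulebase."""
    findings = [f"any-port rule {r.src}->{r.dst}: more ports than necessary"
                for r in rules if ANY in r.ports]
    exposed = reachable_from("dod_suppliers", rules)
    findings += [f"untrusted supplier network can reach {z}" for z in sorted(exposed)]
    return findings
```

Removing the inbound supplier rule (or pinning it to a single port toward a dedicated acquisition DMZ) empties the reachability finding, which is the check to run on every rulebase change.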