XYZ Corporation has relocated to a new building that was wired and set up for a
Question
XYZ Corporation has relocated to a new building that was wired and set up for a local area network (LAN). The company implemented a client/server-based network in which all printers, folders, and other resources are shared, but everyone has access to everything and there is no security beyond the defaults that were in place when the system was set up.
You have been hired to secure XYZ's network and ensure that the company has the highest levels of security to protect against internal and external attacks. In an 8 to 10 page proposal, include the following items to provide a comprehensive secure environment:
1. A plan to provide secure access control methods for all user access.
2. A viable password policy, which includes complexity, duration, and history requirements.
3. A cryptography method to ensure vital data is encrypted.
4. A remote access plan to ensure that users who access the network remotely do so in a secure and efficient manner.
5. A thorough plan to protect the network from malware and various types of malicious attacks.
Your proposal should include all of the elements noted above with support, detail, and elaboration for each section.
Explanation / Answer
Secure Access Control Plan:
Access control is basically identifying a person doing a specific job, authenticating them by looking at their identification, then giving that person only the key to the door or computer that they need access to and nothing more. In the world of information security, one would look at this as granting an individual permission to get onto a network via a user-name and password, allowing them access to files, computers, or other hardware or software the person requires, and ensuring they have the right level of permission (i.e. read only) to do their job. So, how does one grant the right level of permission to an individual so that they can perform their duties? This is where access control models come into the picture.
Access control models have four flavors: Mandatory Access Control (MAC), Role Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule Based Access Control (RBAC or RB-RBAC). Let’s look at each of these and what they entail.
The Mandatory Access Control, or MAC, model gives only the owner and custodian management of the access controls. This means the end user has no control over any settings that provide any privileges to anyone. Now, there are two security models associated with MAC: Biba and Bell-LaPadula. The Biba model is focused on the integrity of information, whereas the Bell-LaPadula model is focused on the confidentiality of information. Biba is a setup where a user with low level clearance can read higher level information (called “read up”) and a user with high level clearance can write for lower levels of clearance (called “write down”). The Biba model is typically utilized in businesses where employees at lower levels can read higher level information and executives can write to inform the lower level employees.
Authorization and Access Control Technologies Architecture
The authorization and access control model used in Windows Server 2003 is based on the following concepts:
User-based authorization
Every application that a user starts runs in that user’s security context, not in the application’s security context. Applications can also run in a restricted security context, with fewer privileges and more limited access than their user’s security context.
Discretionary access to securable objects
The user who owns a securable object can control who has permission to use it and in what way. An object’s owner can give permission for different kinds of access to particular users or groups of users. Owners can also allow or deny other users access to individual properties of certain types of objects, as well as to the entire object.
Inheritance of permissions
You can control permissions for new objects created in a container object by setting inheritable permissions on the container. The permissions that you set on a container are also inherited by existing objects in the container as well as newly created objects.
Administrative privileges
You can control which users or groups have the right to perform various administrative functions or to take any action that affects systemwide resources. Domain administrators can use Group Policy to manage privileges on several computers at once or even on all computers joined to a domain.
Auditing of system events
The auditing feature detects attempts to circumvent protections on resources and creates an audit trail of administrative actions on the system. If another administrator changes the auditing policy so that failed logon attempts are no longer audited, the log shows this event too. You can also use Group Policy to centrally control who is allowed to manage security logs on computers joined to a domain, as well as to control such configuration options as log size and retention method.
Deployment Planning
This section covers the aspects of Cisco Secure ACS that influence its deployment in the network:
Databases: Databases supported and how they affect the deployment decision.
Authentication Protocols: Authentication protocols, including password types, and how they relate to each other.
Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine: How to decide which type will work best in a given environment.
Centralized Management: How to centrally manage a number of Cisco Secure ACS systems.
Logging: Types of log, how to configure them, and how to choose the correct storage format.
Performance and Scaling: Taking all the other aspects into consideration, how to decide the number of Cisco Secure ACS systems to deploy and where to deploy them.
Databases
The database is one of the most influential factors in making deployment decisions for Cisco Secure ACS. The size of the user base, the distribution of users throughout the network, access requirements, and the type of database employed all contribute to how Cisco Secure ACS is used. The type of database may influence the password type, which in turn limits the availability of authentication protocols. The database type may also dictate which form of Cisco Secure ACS can be used.
Local Database
The Cisco Secure ACS local database provides full feature support and the maximum speed for authentication. It may have regional scalability problems, which can be minimized using database replication. However, replication requires a primary/secondary relationship between Cisco Secure ACS systems. Replication keeps AAA servers synchronized by copying selected configuration items from a primary Cisco Secure ACS installation over the configuration of a secondary Cisco Secure ACS installation, completely replacing those configuration items on the secondary. This restricts maintenance of user accounts to the primary Cisco Secure ACS installation. Another drawback is that if an organization has an existing database for users, the organization must maintain both databases separately.
Windows Active Directory
In organizations in which a substantial Windows Active Directory (AD) user database already exists, Cisco Secure ACS can take advantage of the work already invested in building the database without any additional input. This eliminates the need for separate databases. When the NAS presents the username to Cisco Secure ACS, Cisco Secure ACS searches its database to locate a match. If Cisco Secure ACS does not find a match and is configured to check the Windows AD user database, the username and password are forwarded to Windows AD for authentication against the Windows AD user database. Upon match confirmation, the username (but not the password) is stored in the Cisco Secure ACS user database. Future authentication requests authenticate much faster because Cisco Secure ACS goes directly to the Windows AD user database for authentication. Group mapping allows greater flexibility of user privileges: Cisco Secure ACS assigns privileges from the user's group to the just-authenticated user. Domain Controller (DC) trust relationships extend the number of users available for authentication by Cisco Secure ACS. Timeouts may be a problem when using DC trust relationships because of the latency sometimes present in NT networking. Another problem is that authenticating against the Windows AD user database does not allow storage of third-party passwords (for example, Challenge Handshake Authentication Protocol [CHAP]).
Generic LDAP
Cisco Secure ACS supports authentication of users against records kept in a directory server using generic LDAP. Cisco Secure ACS interacts with the most popular directory servers, including Novell and Netscape. You can use Password Authentication Protocol (PAP) and clear text passwords when authenticating against the directory server. These services do not support CHAP or Microsoft CHAP (MS-CHAP). This may be an issue when trying to use network devices that are limited to one of these protocols (for example, Lightweight Extended Authentication Protocol [LEAP]). Group mappings are available, as with Windows 2000 Server or Windows Server 2003. A white paper on LDAP authentication can be accessed at http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080092566.shtml
Open Database Connectivity
Cisco Secure ACS supports authentication against a relational database that is compliant with Open Database Connectivity (ODBC). This enables use of existing user records. ODBC is a standardized application programming interface (API) that follows the specifications of the Structured Query Language (SQL) Access Group. The Windows ODBC feature enables you to create a Data Source Name (DSN), which specifies the database and other important parameters necessary for communicating with it. Cisco Secure ACS passes the user information to the relational database through the ODBC connection. The relational database must have a stored procedure that queries the appropriate tables and returns the result to Cisco Secure ACS. If the returned values indicate that the username and password provided are valid, Cisco Secure ACS grants the user access. Otherwise, Cisco Secure ACS denies the user access (see Figure 1). Because the ODBC feature allows password extraction, ODBC can authenticate clear text, PAP, CHAP, MS-CHAP, and ARA Protocol passwords. Note that the Cisco Secure ACS Solution Engine cannot use ODBC authentication, because the Solution Engine is a closed appliance and the required ODBC agent cannot be loaded.
Image Encryption Algorithms
To address data confidentiality, many approaches have been proposed so far using affine transformations, space-filling curves, the SCAN methodology, quad-tree structures, etc. No single encryption algorithm satisfies users for every application or treats all image types equally well. The papers [1, 5, 11, 13] classify these approaches into three major groups: transposition techniques (position permutation), substitution techniques (value transformation), and combinations of both.
Transposition techniques (position permutation): Some encryption methods apply transposition techniques to visual encryption. Transposition techniques rearrange the individual pixels of an image so that the original content is not visible. The chaos-based image encryption [15] proposed by Yen and Guo, and the method [16] proposed by Mitra et al., which uses random combinations of bit, pixel, and block permutations, fall into this class.
Substitution techniques (value transformation): Other encryption methods apply substitution techniques to visual encryption. Substitution maps each element of the original (plain) image to another element. The chaotic neural signal security system proposed by Yen and Guo [17], which changes the pixel values of the original image, falls into this class. This algorithm depends on a one-dimensional chaotic map to generate a pseudo-random key sequence.
Combination of both: Other approaches combine position permutation and value transformation. For example, the Space Filling Algorithm falls into this class: it uses space-filling curves for pixel permutation and large-period pseudo-random number generators for pixel value substitution. The work [18] proposed a method based on permutation of pixels and substitution of pixel values: the SCAN methodology is used for permutation, and a simple substitution rule, which adds confusion and diffusion properties, is used for value transformation.
3. Proposed Method
In this section a novel layer-based image encryption method is proposed that tries to take all encryption concerns into consideration. The concerns and facilities the authors address are the following:
Exploit the previous authors' experience to achieve lower correlation and higher entropy
Embed region-selective encryption
Embed block-independent encryption
Propose a new permutation algorithm called the PP algorithm and define the BBE measure
Provide different security levels according to block significance
Achieve both less processing time and more secure encryption
The proposed layer-based image encryption can be decomposed into four layers: segmentation, localization, permutation, and encryption. Each layer is described separately below.
3.1 Segmentation
This step divides the whole image into Nb non-overlapping blocks of variable size. Each block (region) is represented by a square matrix containing a specific number of pixels for each block size. This representative matrix is used for performing operations on regions; each region is considered separately for encryption. Different block sizes are considered for region segmentation; a block size is defined as Bs = 2^q, where the corresponding block consists of 2^q × 2^q pixels and 1 ≤ q ≤ 6. In this work four sizes are considered for the blocks of an image: 4×4, 8×8, 16×16, and 32×32. Input images are predefined as 512×512, and all four block sizes contribute equally (128×128 of 512×512) to the decomposition of the input image. So the system has four sets of blocks, comprising 32 blocks of 4×4, 16 blocks of 8×8, 8 blocks of 16×16, and 4 blocks of 32×32. The work [3] uses a random number of blocks, while here the system has a fixed number of blocks for each image, so that one of the four sizes is assigned to each block. Just as variable block size is more secure than fixed block size, having some large blocks reduces the encryption time.
3.2 Localization
An image file has distinct regions of different levels of importance. Recently researchers have exploited this feature of image files and developed a new approach referred to as partial or selective encryption. Selective encryption makes it possible to encrypt only some regions of the image. The concept of partial or selective image encryption finds use in applications such as internet banking transactions, military image databases and communications, and medical imaging systems [1]. The main advantage of selective encryption is the reduction of the overhead involved in data transmission over secure channels. Providing the same security level to the whole of the image data, which has varied significance, consumes more computational resources and seems unnecessary. First the image must be searched to extract features and identify its important regions; the work [1] just lets the user mark some regions as important, while the work [3] does this automatically using a Prewitt edge detector. In this paper, two ways are considered for identifying significant regions: first, automatically by the system, and second, manually by the user. The edge property of an image plays a critical role in its representation. An efficient encryption technique should be able to perturb edge shape and location to stand firm against various attacks. We decided to use the Prewitt edge detection technique as in [3], for three reasons: first, it is accurate; second, it is easily implemented; and third, it imposes low computational cost.
3.3 Permutation
Region permutation deals with interweaving the blocks of the image to build a newly transformed image. The perceivable information of an image depends heavily on the correlation among the image elements in a given arrangement. Decreasing the correlation among the image elements using certain permutation techniques can make it very hard to understand. Furthermore, dividing and shuffling the positions of image blocks makes it difficult to predict the value of any given pixel from the values of its neighbours; in other words, it confuses the relationship between the original image and the generated one. Various permutation algorithms are exploited by [1], including RC Permutation, Z Permutation, Random Sequence, and Chaotic Reordering. The work [19] has pointed out that all permutation-only image encryption schemes are vulnerable to attacks. As a conclusion, they suggested that permutations have to be combined with other encryption techniques to design strongly secured images. In this paper, a new simple and efficient algorithm is designed by the authors for the permutation of image blocks. We call it perspicacious permutation (PP) here, because this simple algorithm has a strategy that knows exactly where the current block should be placed. The algorithm calculates a measure value for each block and permutes blocks with the help of the Block Background Estimation (BBE) measure. BBE is the average pixel intensity value over all pixels of the block. The algorithm simply acts in such a way that it minimizes the correlation in the permuted image. For instance, if the BBE of the current block is 46, it will be swapped with the block whose BBE is as near as possible to 209 (255 - 46). Figure 4 shows how the PP algorithm affects the image.
3.4 Encryption
As mentioned before, in the second layer (localization) blocks are classified as insignificant or significant. A binary significance vector of size 1×Nb is generated, in which element '0' indicates that the corresponding block is insignificant and '1' indicates that it is significant. Two procedures are designed to treat blocks according to whether they are classified as insignificant or significant. Each insignificant block, which contains less important information, is encrypted using rescanning, a less complex methodology introduced in [5, 9, 12]. Each significant block, which has high potential to include critical information, is encrypted using one of the algorithms in the golden set.
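The two MAC security models named in the access control section above (Bell-LaPadula for confidentiality, Biba for integrity), as an added example that is not code from the original answer. It encodes each model's two rules as a decision function and evaluates a request against both at once, which is what a file server that labels data for both confidentiality and integrity would do. The level names, the sample subjects and objects, and the combined `decide` helper are assumptions made for illustration.

```python
"""Added example: policy decisions under Bell-LaPadula and Biba.
Level names and the sample subjects are constructed for illustration."""

# Ordered confidentiality lattice for Bell-LaPadula (higher = more sensitive)
CONF_LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# Ordered integrity lattice for Biba (higher = more trustworthy)
INTEG_LEVELS = {"untrusted": 0, "user": 1, "admin": 2, "system": 3}


def blp_allows(subject: str, obj: str, action: str) -> bool:
    """Bell-LaPadula: no read up (simple security property) and no write
    down (*-property). Read needs subject >= object, write needs
    subject <= object, so information never flows to a lower level."""
    s, o = CONF_LEVELS[subject], CONF_LEVELS[obj]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: str, obj: str, action: str) -> bool:
    """Biba: no read down (simple integrity) and no write up (*-integrity).
    Reading up and writing down are allowed, which is the behaviour the
    answer describes: a junior may read an executive memo, an executive may
    write a notice for staff. The rules mirror Bell-LaPadula because the
    threat is contamination by less trustworthy data rather than leakage."""
    s, o = INTEG_LEVELS[subject], INTEG_LEVELS[obj]
    if action == "read":
        return s <= o
    if action == "write":
        return s >= o
    raise ValueError(f"unknown action {action!r}")


def decide(subject: dict, obj: dict, action: str) -> dict:
    """Evaluate one request under both models. Subjects and objects carry a
    confidentiality label ('conf') and an integrity label ('integ'); a system
    enforcing both grants access only when both models agree (assumed helper)."""
    blp = blp_allows(subject["conf"], obj["conf"], action)
    biba = biba_allows(subject["integ"], obj["integ"], action)
    return {"blp": blp, "biba": biba, "granted": blp and biba}


if __name__ == "__main__":
    executive = {"conf": "secret", "integ": "admin"}
    intern = {"conf": "internal", "integ": "user"}
    board_memo = {"conf": "secret", "integ": "admin"}
    web_form = {"conf": "public", "integ": "untrusted"}
    # The executive may read the memo, but Biba stops them reading an
    # untrusted web form directly: that would contaminate admin-level work.
    print(decide(executive, board_memo, "read"))   # granted
    print(decide(executive, web_form, "read"))     # blp ok, biba denies
    print(decide(intern, board_memo, "read"))      # blp denies: read up
```

The point the combined check makes for a proposal like XYZ's is that the two models answer different questions and can disagree on the same request; a clearance scheme alone (BLP) says nothing about whether low-integrity input may reach high-integrity processes.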
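The discretionary access and inheritance of permissions described in the Windows authorization section above, as an added example that is not code from the original answer or from Microsoft. It models inheritable ACEs on a container, the canonical ordering Windows applies (explicit before inherited, deny before allow within each group), and the DACL walk that grants rights ACE by ACE and stops at the first decisive deny. The rights mask, share path, users and groups are constructed for illustration; the owner's implicit right to read and change the DACL is noted but not modelled.

```python
"""Added example: a Windows-style discretionary access check with inherited
permissions. Names, groups and the rights mask are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed rights mask (a small stand-in for the Windows access mask)
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass
class Ace:
    trustee: str               # user or group the ACE applies to
    allow: bool                # True = access-allowed, False = access-denied
    mask: int                  # rights covered by this ACE
    inheritable: bool = False  # set on a container: children receive a copy
    inherited: bool = False    # this copy came from an ancestor


@dataclass
class SecurableObject:
    name: str
    owner: str                 # owner may always change the DACL (not modelled)
    acl: List[Ace] = field(default_factory=list)   # explicit ACEs only
    parent: Optional["SecurableObject"] = None

    def effective_dacl(self) -> List[Ace]:
        """Canonical order: explicit ACEs, then ACEs inherited from the parent,
        then from the grandparent, and so on; within each group deny ACEs
        precede allow ACEs. Order matters because the walk below stops at the
        first decisive ACE: an explicit allow beats an inherited deny, and an
        explicit deny beats an explicit allow."""
        def canonical(aces: List[Ace]) -> List[Ace]:
            return sorted(aces, key=lambda a: a.allow)   # False (deny) first
        result = canonical([a for a in self.acl if not a.inherited])
        ancestor = self.parent
        while ancestor is not None:
            copies = [Ace(a.trustee, a.allow, a.mask, a.inheritable, inherited=True)
                      for a in ancestor.acl if a.inheritable]
            result += canonical(copies)
            ancestor = ancestor.parent
        return result


def access_check(obj: SecurableObject, user: str, groups: Set[str], requested: int) -> bool:
    """Walk the DACL the way the Windows access check does: a matching allow
    ACE satisfies some of the requested rights; a matching deny ACE that covers
    any still-unsatisfied right rejects; running out of ACEs with rights still
    unsatisfied also rejects (default deny)."""
    trustees = {user, "Everyone"} | set(groups)
    remaining = requested
    for ace in obj.effective_dacl():
        if ace.trustee not in trustees:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return remaining == 0


def build_share():
    """Constructed sample: a shared folder with inheritable permissions and one
    sensitive file inside it carrying an explicit deny for interns."""
    share = SecurableObject(r"\\fs\shared", owner="Administrator", acl=[
        Ace("Domain Users", allow=True, mask=READ | EXECUTE, inheritable=True),
        Ace("Finance", allow=True, mask=FULL, inheritable=True),
    ])
    payroll = SecurableObject(r"\\fs\shared\payroll.xlsx", owner="Administrator",
                              parent=share, acl=[Ace("Interns", allow=False, mask=READ)])
    return share, payroll


if __name__ == "__main__":
    share, payroll = build_share()
    print(access_check(share, "alice", {"Domain Users"}, READ))               # True
    print(access_check(share, "alice", {"Domain Users"}, WRITE))              # False
    print(access_check(payroll, "bob", {"Domain Users", "Finance"}, WRITE))   # True
    print(access_check(payroll, "carol", {"Domain Users", "Interns"}, READ))  # False
```

The last case is the one worth remembering when designing XYZ's folder structure: a deny ACE set directly on the file wins over the read permission carol inherits through Domain Users, but only because explicit ACEs are evaluated before inherited ones. A deny placed on the parent and an allow placed on the file would produce the opposite result.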
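The block permutation layer (3.3) of the image encryption section above, as an added example that is not code from the original answer or from the cited paper. It splits a grayscale image into square blocks, computes the BBE measure (mean intensity), swaps each block with the unpaired block whose BBE is nearest its complement 255 - BBE, and measures the effect on adjacent-pixel correlation. It then checks the caveat from [19] that the answer repeats: a permutation-only scheme leaves the pixel histogram untouched, so it must be combined with a substitution step. The 16×16 gradient test image, the 4×4 block size, and the greedy pairwise-swap pairing are my assumptions about the informal description, not the paper's exact procedure.

```python
"""Added example: BBE measure and perspicacious permutation (PP) of image
blocks, pure Python. Test image, block size and pairing rule are assumptions."""
from collections import Counter
from typing import Dict, List

Image = List[List[int]]   # rows of 8-bit grayscale values


def make_test_image(size: int = 16) -> Image:
    """Constructed input: a smooth diagonal gradient, so neighbouring pixels
    are almost identical and adjacent-pixel correlation starts near 1."""
    return [[((x + y) * 255) // (2 * (size - 1)) for x in range(size)] for y in range(size)]


def split_blocks(img: Image, bs: int) -> List[Image]:
    """Row-major list of bs x bs blocks (image side must be a multiple of bs)."""
    n = len(img) // bs
    return [[row[bx * bs:(bx + 1) * bs] for row in img[by * bs:(by + 1) * bs]]
            for by in range(n) for bx in range(n)]


def join_blocks(blocks: List[Image], bs: int, size: int) -> Image:
    """Inverse of split_blocks."""
    n = size // bs
    img = [[0] * size for _ in range(size)]
    for idx, block in enumerate(blocks):
        by, bx = divmod(idx, n)
        for r in range(bs):
            img[by * bs + r][bx * bs:(bx + 1) * bs] = block[r]
    return img


def bbe(block: Image) -> float:
    """Block Background Estimation: mean intensity over all pixels of the block."""
    flat = [p for row in block for p in row]
    return sum(flat) / len(flat)


def pp_permutation(blocks: List[Image]) -> List[int]:
    """Perspicacious Permutation: walk the blocks in order; each block not yet
    placed swaps with the unplaced block whose BBE is closest to 255 - its own
    BBE (a block with BBE 46 takes the slot of a block with BBE near 209).
    Pairwise swaps make the result an involution: applying it twice restores
    the original order, so decryption reuses the same permutation."""
    n = len(blocks)
    means = [bbe(b) for b in blocks]
    perm = list(range(n))
    placed = [False] * n
    for i in range(n):
        if placed[i]:
            continue
        target = 255 - means[i]
        candidates = [j for j in range(n) if not placed[j] and j != i]
        if not candidates:          # odd block count: last block stays put
            break
        j = min(candidates, key=lambda k: (abs(means[k] - target), k))
        perm[i], perm[j] = j, i
        placed[i] = placed[j] = True
    return perm


def apply_permutation(blocks: List[Image], perm: List[int]) -> List[Image]:
    return [blocks[perm[i]] for i in range(len(blocks))]


def adjacent_correlation(img: Image) -> float:
    """Pearson correlation between horizontally adjacent pixels, the quantity
    this layer is meant to drive down."""
    xs = [a for row in img for a in row[:-1]]
    ys = [b for row in img for b in row[1:]]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def histogram(img: Image) -> Dict[int, int]:
    return dict(Counter(p for row in img for p in row))


def permute_image(img: Image, bs: int):
    """Permutation-only scrambling of a whole image; returns (image, perm)."""
    blocks = split_blocks(img, bs)
    perm = pp_permutation(blocks)
    return join_blocks(apply_permutation(blocks, perm), bs, len(img)), perm


if __name__ == "__main__":
    plain = make_test_image()
    scrambled, perm = permute_image(plain, 4)
    print(round(adjacent_correlation(plain), 3), round(adjacent_correlation(scrambled), 3))
    # The caveat from [19]: first-order statistics survive a permutation.
    print(histogram(plain) == histogram(scrambled))   # True
```

The histogram equality is the practical lesson: the permutation lowers neighbour correlation, which is what the PP layer is for, but every pixel value is still present with its original frequency, so statistical and known-plaintext attacks remain possible until the substitution layer (3.4) changes the values themselves.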