
  Chris Hasek, Marina Rhodes, Jade Olan, Jeanie Brown, Tina Barkley

This network security policy establishes minimum information security requirements
for all networks and equipment deployed in CMJJT. CMJJT operates perimeter firewalls and/or
gateways between the Internet and the CMJJT network to establish a secure environment for
CMJJT's computer and network resources. CMJJT perimeter firewalls are major components of
CMJJT network security planning. The CMJJT perimeter firewall policy directs how the
perimeter firewalls will sort Internet traffic to lessen the risks and losses associated with security
threats to CMJJT's network and information systems.

CMJJT's information technology priority is the maintenance of a safe and
secure computing environment. The assets at risk from targeted attacks against the network
include data/information, software and hardware. Services, including access to the Internet and
access to central servers, are also at risk. CMJJT firewall administrators designed the perimeter
firewall policy to make effective use of the security controls found within the perimeter
firewalls. CMJJT's network security design provides a multi-layer approach to network
security, with the perimeter firewall as the first line of protection. This
document provides additional measures to secure CMJJT's network.

CMJJT administration is responsible for executing and maintaining the
CMJJT network's perimeter firewalls. CMJJT is also responsible for actions relating to this
policy. The responsibility for information systems security on a day-to-day basis is every
employee's responsibility; however, specific guidance and direction for information systems
security is the responsibility of CMJJT. CMJJT's network and systems security teams will
manage the configuration of the CMJJT perimeter firewalls.

A firewall is a system that is designed to prevent unauthorized access to or from a
private network. A firewall can be implemented in hardware, software, or both. Firewalls are
frequently used to prevent unauthorized Internet users from accessing private networks that are
connected to the Internet. The CMJJT application-level firewall uses the following port rules:

- Internal AD/DNS NAT allows all traffic out.
- Firewall allows traffic from ports 80 & 443 into the web server.
- Firewall allows traffic from port 25 into SMTP.
- Firewall allows traffic from port 53 TCP/UDP into DNS.

The proxy server implemented by CMJJT acts as an application-level firewall for our networks.
Client computers must use the following LAN settings in order to access the Internet:

- Proxy address: 10.145.144.2
- Port: 8080

The CMJJT firewall is configured using industry best practices and standards including but not
limited to the following:

- All Internet traffic from inside to outside, and vice versa, must pass through the firewall
  implementation. Only network sessions using strong authentication and encryption will
  be permitted to pass from the Internet to inside through the firewall implementation.
- The firewall will be configured to deny all services not permitted and will be regularly
  audited and monitored to detect intrusions or misuse.
- The firewall will notify the firewall administrator(s) in near-real-time of anything needing immediate
  attention, such as a break-in into the network, little disk space available, or other related
  messages, so that immediate action can be taken. Any modification of the firewall
  will be conducted by a security administrator.
- Appropriate firewall documentation will be maintained on off-line storage at all times.
  This information will include the network diagram, including all IP addresses of all
  network and client devices, and all other configuration parameters such as
  packet filter rules. This documentation will be updated any time the firewall
  configuration is changed.
- Network security policy and maintenance procedures will be reviewed on a regular basis
  (every three months minimum) by the security administrator(s).
- The firewall implementation and configuration must be backed up daily, weekly, and
  monthly so that in case of system failure, data and configuration files can be recovered.


Packet Filtering: Also referred to as static packet filtering. Packet filtering controls access to a network
by analyzing the incoming and outgoing packets and letting them pass or stopping them based on
the IP address of the source and destination. Packet filtering is a technique used to implement
security firewalls.



Filter set 1 (traffic leaving the network)
- Filter 1 inspects traffic leaving the network:
  - ICMP traffic on port 1
  - TCP traffic on port 6
  - UDP traffic on port 17
- Filter 2 allows unmatched traffic leaving the network

Filter set 2 (traffic leaving the network)
- Filter 1 drops and logs traffic leaving the network from specified addresses
- Filter 2 inspects HTTP traffic on port 80 that's leaving the network
- Filter 3 inspects SMTP traffic on port 25 that's leaving the network
- Filter 4 inspects IMAP traffic on port 143 that's leaving the network
- Filter 5 inspects POP3 traffic on port 110 that's leaving the network
- Filter 6 drops any P2P traffic on any port that's leaving the network
- Filter 7 drops instant messenger traffic on any port that's leaving the network
- Filter 8 inspects ccp-ds-insp-traffic that's leaving the network
- Filter 9 inspects traffic leaving the network:
  - H.323
  - Skinny
  - SIP
- Filter 10 allows any unmatched traffic to leave the network

Filter set 3 (traffic entering the network)
- Filters 1 through 3 allow traffic coming into the network:
  - HTTP traffic on port 80
  - HTTPS traffic on port 443
  - DNS on port 53
  - SMTP on port 25
- Filter 4 drops any unmatched traffic coming into the network
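The inbound and outbound filter sets above are first-match, stateless rule lists: each packet is compared against the rules in order and the first match decides, with the last rule as the catch-all. The following Python model is an added example, not part of the CMJJT policy or any Cisco configuration; it encodes the inbound set (HTTP, HTTPS, DNS and SMTP allowed, everything else dropped) and the outbound "drop and log specified addresses / allow unmatched" rules. The addresses used are constructed: 192.0.2.0/24 (an RFC 5737 documentation range) stands in for the unlisted "specified addresses", and the sample packets are invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 for ICMP, which has none)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow", "drop" or "drop+log"
    proto: str = "any"               # "any" matches every protocol
    dport: Optional[int] = None      # None matches any destination port
    src_net: Optional[str] = None    # None matches any source address

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Static (stateless) first-match evaluation: the first matching rule decides.
    Every rule set must end with a catch-all so no packet falls off the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    raise ValueError("rule set has no catch-all rule")


# Inbound set from the policy: only the published services are reachable from outside.
INBOUND: List[Rule] = [
    Rule("allow http", "allow", "tcp", 80),
    Rule("allow https", "allow", "tcp", 443),
    Rule("allow dns/tcp", "allow", "tcp", 53),
    Rule("allow dns/udp", "allow", "udp", 53),
    Rule("allow smtp", "allow", "tcp", 25),
    Rule("drop unmatched inbound", "drop"),           # filter 4: default deny
]

# Outbound set: the policy names "specified addresses" without listing them;
# 192.0.2.0/24 is a constructed stand-in for that list.
BLOCKED_SOURCES = "192.0.2.0/24"
OUTBOUND: List[Rule] = [
    Rule("drop and log specified addresses", "drop+log", src_net=BLOCKED_SOURCES),
    Rule("allow unmatched outbound", "allow"),        # filter 10: default allow
]


def decide(direction: str, pkt: Packet) -> str:
    """Apply the inbound or outbound set and return the action for one packet."""
    rules = INBOUND if direction == "in" else OUTBOUND
    return evaluate(rules, pkt)[0]


if __name__ == "__main__":
    samples = [  # constructed sample packets
        ("in", Packet("198.51.100.7", "10.145.144.10", "tcp", 443)),
        ("in", Packet("198.51.100.7", "10.145.144.10", "tcp", 22)),
        ("out", Packet("192.0.2.9", "198.51.100.7", "tcp", 80)),
        ("out", Packet("10.145.144.20", "198.51.100.7", "udp", 53)),
    ]
    for direction, pkt in samples:
        print(direction, pkt, "->", evaluate(INBOUND if direction == "in" else OUTBOUND, pkt))
```

Because the evaluator is strictly first-match, the order of the rules is part of the policy: moving the catch-all above the service rules would silently cut off the published services, which is the kind of regression the policy's quarterly review and the off-line copy of the packet filter rules are meant to catch.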


Stateless Packet Filtering: A stateless firewall filter filters packets from a source to a
destination, or packets originating from, or destined for, the Routing Engine. Stateless firewall
filters applied to the interfaces protect the processes and resources. A stateless firewall filter can be
applied to an input or output interface, or to both. Every packet, including fragmented packets, is
evaluated against stateless firewall filters. The stateless packet filtering for CMJJT is configured
in the following way:

- Allow only local users to ping this machine
- Discard spoofed packets
- Log firewall, UDP, and TCP messages
- Allow firewall messages to be logged
- Log UDP-related messages
- Log UDP-related messages for ports 1024
- Log TCP-related messages with the flags: SYN, URG, FIN, PSH, Unk, ACK, and RST

Stateful Packet Filtering: A stateful firewall is any firewall that performs stateful packet
inspection (SPI) or stateful inspection. A stateful firewall keeps track of the network connections,
such as TCP streams and UDP communication, traveling across it. The firewall is programmed to
distinguish genuine packets for different types of connections. Only packets matching a known
connection state will be allowed by the firewall; others will be rejected. The stateful packet
filtering for CMJJT is configured in the following way:

- Scans incoming mail and rejects unacceptable mail
- Returns information back to the sender
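The sentence "only packets matching a known connection state will be allowed; others will be rejected" is the whole difference between the stateless filters above and a stateful firewall. The following Python connection table is an added example, not code from the CMJJT policy or from any firewall product: outbound flows from the inside network are recorded, return traffic is allowed only while a matching entry exists, TCP flows must begin with a SYN, and idle entries expire. The inside network (10.145.144.0/24, inferred from the proxy address), the published web server at 10.145.144.10, the external resolver 198.51.100.53, and the idle timeouts are all assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag; a new TCP connection must start with it


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFirewall:
    # Idle timeouts in seconds: constructed values, not taken from the policy.
    TIMEOUTS = {"tcp": 3600, "udp": 30}

    def __init__(self, inside_net: str, published: Set[Tuple[str, int]]):
        self.inside = ip_network(inside_net)
        self.published = published              # (proto, port) reachable from outside
        self.table: Dict[FlowKey, float] = {}   # flow -> time the last packet was seen

    def _expire(self, now: float) -> None:
        """Forget flows that have been idle longer than their protocol's timeout."""
        stale = [k for k, seen in self.table.items() if now - seen > self.TIMEOUTS[k[0]]]
        for k in stale:
            del self.table[k]

    def process(self, pkt: Packet, now: float) -> str:
        """Return "allow" or "drop" for one packet and update the connection table."""
        self._expire(now)
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FlowKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets belonging to a flow we already know, in either direction, are allowed.
        for k in (key, reverse):
            if k in self.table:
                self.table[k] = now
                return "allow"
        # Otherwise this is a new flow; a TCP flow may only start with a SYN.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"
        if ip_address(pkt.src) in self.inside:
            self.table[key] = now       # outbound: record it so replies can come back
            return "allow"
        if (pkt.proto, pkt.dport) in self.published:
            self.table[key] = now       # inbound to a published service
            return "allow"
        return "drop"                   # unsolicited inbound traffic


if __name__ == "__main__":
    fw = StatefulFirewall("10.145.144.0/24", {("tcp", 80), ("tcp", 443)})
    query = Packet("udp", "10.145.144.20", 40000, "198.51.100.53", 53)
    reply = Packet("udp", "198.51.100.53", 53, "10.145.144.20", 40000)
    print("query", fw.process(query, now=0))      # allow, flow recorded
    print("reply", fw.process(reply, now=5))      # allow, matches the recorded flow
    print("late reply", fw.process(reply, now=100))  # drop, entry expired
```

The same reply packet is allowed at five seconds and dropped at one hundred: nothing about the packet changed, only the firewall's memory of the conversation, which is exactly what a static packet filter lacks.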

Certificate Services: Accepts requests for new digital certificates over transports such as
remote procedure call (RPC) or HTTP. Certificate Services confirms each request against custom
or site-specific policies, sets optional properties for a certificate to be issued, and issues the
certificate. Certificate Services allows administrators to add entries to a certificate
revocation list (CRL) and to publish signed CRLs on a regular basis.

- CMJJT RSA#Microsoft Software Key Storage Provider
- Key Length: 4096
- Hash: sha512
- Standalone Server
- Cryptographic Service Provider: Microsoft RSA SChannel Cryptographic Provider
- Cert Name: cmjjtcert
- RESTART PG 7, REQUESTING A CERT (once we get the internet back~)

System Administrator: An individual or team responsible for maintaining a multi-user
computer system including a local-area network. The system administrator is sometimes called
the sys admin or the systems administrator.
Typical system administrator duties include:

- Adding and configuring new workstations
- Setting up user accounts
- Installing system-wide software
- Performing procedures to prevent the spread of viruses
- Allocating mass storage

The CMJJT system administrators are listed as follows:

- Chris Hasek
- Marina Rhodes
- Jeanie Brown
- Jade Olan
- Tina Barkley


Network Address Translation (NAT): The process where a network device, usually a
firewall, assigns a public address to a computer or group of computers inside a private network.
The main use of NAT is to limit the number of public IP addresses an organization or company
must use, for both economy and security purposes.
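The "group of computers" sharing one public address is the common case, usually called port address translation (PAT): the translator tells inside hosts apart by the public port it allocates per flow, and a packet arriving from the Internet is only forwarded inward if an inside host created the mapping first. The translator below is an added example, not code from the CMJJT policy or from any NAT device; the inside network 10.145.144.0/24, the public address 203.0.113.10 and the remote hosts in 198.51.100.0/24 (RFC 5737 documentation ranges) are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Inside = Tuple[str, int]                     # (private ip, private port)
OutKey = Tuple[str, str, int, str, int]      # (proto, inside ip, inside port, dst ip, dst port)
InKey = Tuple[str, int, str, int]            # (proto, public port, remote ip, remote port)


class PortAddressTranslator:
    """Many-to-one NAT (PAT): every inside host shares one public address and is
    distinguished by the public port the translator allocates to each flow."""

    def __init__(self, inside_net: str, public_ip: str,
                 first_port: int = 20000, last_port: int = 29999):
        self.inside = ip_network(inside_net)
        self.public_ip = public_ip
        # Stored descending so pop() hands out ports in ascending order.
        self.free_ports = list(range(last_port, first_port - 1, -1))
        self.outbound: Dict[OutKey, int] = {}     # inside flow -> public port
        self.inbound: Dict[InKey, Inside] = {}    # public port + remote -> inside host

    def translate_outbound(self, proto: str, src_ip: str, src_port: int,
                           dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Rewrite the source of a packet leaving the inside network.
        Returns the (public ip, public port) the packet now carries."""
        if ip_address(src_ip) not in self.inside:
            raise ValueError(f"{src_ip} is not an inside address")
        key: OutKey = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("public port pool exhausted")   # fail closed
            public_port = self.free_ports.pop()
            self.outbound[key] = public_port
            self.inbound[(proto, public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, proto: str, remote_ip: str, remote_port: int,
                          public_port: int) -> Optional[Inside]:
        """Reverse translation for a packet arriving at the public address.
        Returns None when no inside host initiated this flow, i.e. unsolicited traffic."""
        return self.inbound.get((proto, public_port, remote_ip, remote_port))


if __name__ == "__main__":
    nat = PortAddressTranslator("10.145.144.0/24", "203.0.113.10")
    # Two inside hosts use the same source port toward the same web server;
    # the public ports keep their flows apart.
    print(nat.translate_outbound("tcp", "10.145.144.20", 5000, "198.51.100.5", 80))
    print(nat.translate_outbound("tcp", "10.145.144.21", 5000, "198.51.100.5", 80))
    print(nat.translate_inbound("tcp", "198.51.100.5", 80, 20001))   # ('10.145.144.21', 5000)
    print(nat.translate_inbound("tcp", "198.51.100.5", 80, 20500))   # None: nobody asked for this
```

The `None` for an unmapped public port is where the "security purposes" in the definition come from: an inside host is unreachable from the Internet unless it opened the conversation itself. It is a side effect rather than a policy, which is why the perimeter filters and the stateful inspection are still needed on top of NAT.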

DMZ: In computer security, a DMZ, or demilitarized zone, is a physical or logical sub-network
that contains or exposes an organization's external services to a larger, untrusted network, usually
the Internet. The purpose of CMJJT's DMZ is to add an additional layer of security to our
organization's local area network (LAN); an external attacker only has access to the equipment in
the CMJJT DMZ, rather than any other part of the network.

Encryption: Encryption is the most valuable way to achieve data security. To read an
encrypted file, you must have access to a secret key or password that enables you to decrypt it.
CMJJT networks use MS-CHAP as their authentication protocol. MS-CHAP is the Microsoft
version of the Challenge-Handshake Authentication Protocol (CHAP). MS-CHAP is used to
authenticate the user's credentials. MS-CHAP provides an authenticator-controlled password
change mechanism and an authenticator-controlled authentication retry mechanism. MS-CHAP
defines failure codes returned in the Failure packet message field. Point-to-Point Protocol
(PPP) is used to establish a direct connection between the client and the VPN server, providing
encryption between the two networks using Microsoft Point-to-Point Encryption (MPPE). MPPE
uses 40, 56, and 128 bit session keys. These session keys are changed continuously as part of
CMJJT's security practices.


Authentication: The method of determining whether someone or something is who or what it
is declared to be. In private and public computer networks, including the Internet, authentication
is commonly done through the use of a username and password. Each user registers in the
beginning, or is registered by someone else, using an assigned or self-declared password. CMJJT
has implemented a Network Access Policy (NAS) server to handle remote user authorization.
When a user attempts to connect over VPN, the RADIUS server queries the user database on the NAS (Active
Directory) and verifies that the user attempting access is a member of the CMJJT\Domain Admins
group.

Proxy Server: A proxy server, also known as a proxy or application-level gateway, is a
computer that acts as a gateway between a local network and a larger-scale network such as the
Internet. Proxy servers provide increased performance and security. CMJJT has installed WinGate
proxy server software. WinGate is a multi-protocol proxy server, email server, and internal
gateway management system for Windows. The current version of WinGate is 6.6.4 (Oct. 14, 2009).

- Improved performance: Proxy servers can dramatically improve performance for groups
  of users, because the proxy saves the results of all requests for a certain amount of time.
- Request filtering: Proxy servers can also be used to filter requests. For example, a
  company might use a proxy server to prevent its employees from accessing a specific set
  of web sites.

Port Security: The port security for CMJJT is configured as follows:

- Redirect SMTP, POP3, and IMAP to the mail server
- Allow DNS traffic in and out of the DMZ
- Redirect HTTP and HTTPS traffic to the web server



Web Server: A computer or device that serves up Web pages; by installing server software on
a computer or device and connecting it to a network, it can become a Web server. Every Web
server has an IP address and a domain name; our domain is cmjjt.com. CMJJT administrators
published the cmjjt website on the cmjjt web server.

Mail Server: Serves as an electronic post office for email; email is exchanged across
networks between mail servers running specially designed software. The CMJJT mail server uses
MailEnable as the mail service and Mozilla Thunderbird as the client. CMJJT uses the following
protocols:

- IMAP on port 143
- SMTP on port 25

Virtual Private Network (VPN): Any connection between firewalls over public networks
will use encrypted Virtual Private Networks to ensure the privacy and integrity of the data
passing over the public network. CMJJT's VPNs use authenticated links to make sure that only
authorized users can connect to our network, and they use encryption to make sure that others
cannot intercept and cannot use data that travels over the Internet. All VPN connections must be
approved by CMJJT administrators. The CMJJT VPN IP address range is 172.18.0.101 to
172.18.0.120. The external router is configured to forward VPN traffic to the internal router,
which in turn is configured as a VPN server. The internal AD server is also a Certificate
Authority and is also used for authentication.




Contingency Plan: A brief overview of the contents of the CMJJT Contingency Plan
Tome (CMJJTCPT)

The Chief IT Administrator, the CEO, the CFO, the CIO and all of the major department
heads are responsible for securing the confidential data of the network, as defined by section 10-
573B of the CMJJTCPT. Each of these individuals is also responsible for storing that data at a
secure off-site facility, located in the eastern highlands, which is a cold site, as cited in Article
5.7T. Full backups of this data are to be made weekly onto optical discs, of Memorex quality or
better, with incremental backups every other day during the week. The full backups are to be
taken to the cold site and stored, while the incremental backups will back up to an onsite external
drive, which is to be maintained by the CIO. Once a month, a full backup of the external drive
should be made and the information stored onto optical discs, of Memorex quality or better, per
Article 93.4 of section 10-3A of the CMJJTCPT. All IT staff members are to be trained on how
to handle a potential disaster, and this training should take place every 6 months, using a third-
party disaster planning and reaction manual entitled What To Do In Case Of Everything, written
by Beatrice Fairweather. Every 3 months the IT Administrator and the CIO are to run checks on
the cold site to make sure that it could function properly should something occur, using section
98-575 to section 113-02 of the CMJJTCPT as a guide to proper cold site functionality.

Forensics: CMJJT has the right to perform forensic data gathering on any machines that it
owns. This includes both servers and internal client machines. CMJJT's in-house Forensics
Expert, Darwin Reynolds, is responsible for gathering and preserving forensic data. Should an
anomaly of any sort appear, the forensic data will be immediately sent to Joe and Son's
Computer Forensics Garage for analysis. The machine on which the anomaly occurred will be
taken off the network to be analyzed by our Second Best Forensics Expert, Dana Schelieg.
Should the machine be compromised and incapable of functioning per CMJJT standards, it will
then be considered a liability in our security scheme. The computer will be re-imaged, secured,
and 2 weeks later redeployed on the network. This task is to be done by Urrich Vonlichtenstien,
our Re-Imaging Specialist. More detailed documentation of this process is to be found in the
Forensics Stuff sub-chapter of the CMJJT Contingency Plan Tome.

All access to all servers must be monitored.

- Access and Administration logs will be preserved for no less than 18 months.
- Firewall logs will be preserved for one year.
- Router logs will be preserved for one year.
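The retention periods above are minimums, and the usual operational failure is a cleanup job that purges by a flat age rather than by log type. The Python helper below is an added example, not part of the CMJJT policy: it computes, per log type, the first date on which a record may be purged and lists which files of a constructed inventory have passed that date. It assumes retention is counted in calendar months from the date the log was written (the policy does not say), and treats any log type it does not know with the longest period, so a mislabelled log is kept rather than lost.

```python
import calendar
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Minimum retention from the policy: access/administration logs 18 months,
# firewall and router logs one year.
RETENTION_MONTHS: Dict[str, int] = {
    "access": 18,
    "administration": 18,
    "firewall": 12,
    "router": 12,
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps to the last day of the target month
    (31 Oct + 18 months lands on 30 Apr, not on an invalid 31 Apr)."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_deadline(log_type: str, created: date) -> date:
    """First day on which a log written on `created` may be purged.
    Unknown log types fall back to the longest period (fail safe)."""
    months = RETENTION_MONTHS.get(log_type, max(RETENTION_MONTHS.values()))
    return add_months(created, months)


def must_retain(log_type: str, created: date, today: date) -> bool:
    """True while the minimum retention period has not yet elapsed."""
    return today < retention_deadline(log_type, created)


def purge_candidates(entries: Iterable[Tuple[str, date, str]], today: date) -> List[str]:
    """entries are (log_type, created, path); returns the paths that may be purged today."""
    return [path for log_type, created, path in entries
            if not must_retain(log_type, created, today)]


if __name__ == "__main__":
    inventory = [  # constructed log inventory
        ("firewall", date(2009, 1, 15), "fw-2009-01.log"),
        ("router", date(2009, 1, 15), "rtr-2009-01.log"),
        ("access", date(2009, 1, 15), "access-2009-01.log"),
        ("syslog", date(2009, 1, 15), "misc-2009-01.log"),   # unknown type: kept 18 months
    ]
    print(purge_candidates(inventory, today=date(2010, 2, 1)))   # the firewall and router logs only
```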


Intrusion Detection/Prevention: Intrusion detection is
the act of detecting actions that attempt to compromise the confidentiality, integrity or
availability of a resource. More specifically, the goal of intrusion detection is to identify entities
attempting to subvert in-place security controls. Intrusion prevention is a preventive approach to
network security used to identify potential threats and respond to them quickly. An intrusion
prevention system (IPS) monitors network traffic and/or system activities for malicious or
unwanted behavior and can react, in real time, to block or prevent those activities. A network-
based IPS will operate in-line to monitor all network traffic for malicious code or attacks. An
intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the
system or network administrator. CMJJT is using a Network Intrusion Detection System (NIDS)
that is placed at strategic points within our network to monitor traffic to and from all devices on
CMJJT's network. For IDPS, IOS-S362-CLI.pkg and realm-cisco.pub.key were loaded onto a
flash drive formatted in FAT32. Tera Term Pro was then used to connect to the Cisco router and
load the contents of the flash drive into the running configuration of the Cisco router.





