ZXY Corporation's decision to use a client-server based network in its Local Area Network (LAN) is a well-informed one. Client-server environments are designed so that end users, or clients, can access resources such as files or other services from a server, which is a central computer. The central computer runs the Windows 2000 or Windows NT operating system, which creates the network. A network name must be chosen so that the server can be set as the domain controller. The domain controller provides security to the network by granting logon permissions to the clients that share trust information. The server uses the Dynamic Host Configuration Protocol (DHCP) to lease an IP address to each client. This makes it possible for computers to execute or process functions independently, which helps to reduce traffic in the network. Conversely, the server is responsible for updating and reporting services. The strong network created provides a flexible environment where clients can also mix and match additional software, hardware, and operating systems. Interestingly, the characteristics that make the client-server based network popular also make it prone to security challenges such as misuse, sabotage, and fraud. As such, to achieve a secure system, ZXY Corporation needs an access control method for all users, a viable password policy, data encryption methods, a reliable remote access plan and overall security measures to protect the network from external attacks.
Creating a Secure Access Control Method for all Users
One of the primary requirements of ZXY Corporation is to have a secure network. Currently, all users can access all folders, printers and other resources in the network without limitation. Therefore, network access control methods must be employed to regulate who can rightfully view which resources in the computing environment (Mallard, 2010). These measures will help to protect the assets of the corporation and to keep track of who accessed what and at what time. However, while implementing these tools the administrator must consider three items: the object, which includes files or hardware settings; the subject, which involves the authority to process functions such as opening files; and the operation, which is the right given to an end user so that he or she can delete or modify an object.
There are four major access control models that prevent malicious individuals from accessing vital resources or functions within the network. First, there is mandatory access control, in which the owner of the files does not have the authority to dictate who accesses them. The rules on how these files are accessed are determined by the configuration done by the administrator and by the operating system. Second is the discretionary access control model, which is the least restrictive and can lead to a security breach if misused, because it gives users the mandate to change permissions or control objects. Third, the administrator should consider rule-based access control (Mallard, 2010). In this model, when the user tries to access a file or a program, the system first checks the roles and the rules that are assigned under his or her jurisdiction. Last is role-based access control, which is the most realistic and recommendable approach. In this model, the administrator determines the role that the end user will be undertaking and what they can or cannot do depending on their position in the organization.
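The role-based model described above, as an added Python example that is not part of the original essay: access is denied unless one of the user's roles grants the requested operation on the object, and every decision is recorded so that "who accessed what and when" can be answered later. The role names, user names and resources are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed roles and resources; not ZXY Corporation's real layout.
# Each permission is an (object, operation) pair.
ROLE_PERMISSIONS = {
    "accounting": {("finance_share", "read"), ("finance_share", "modify"),
                   ("floor2_printer", "print")},
    "sales": {("sales_share", "read"), ("floor2_printer", "print")},
    "helpdesk": {("sales_share", "read"), ("finance_share", "read")},
}
USER_ROLES = {"alice": {"accounting"}, "bob": {"sales", "helpdesk"}}

AUDIT_LOG = []  # one record per decision: subject, object, operation, time, outcome


def is_allowed(user, obj, operation, now=None):
    """Deny by default: allow only if a role held by the user grants the pair."""
    roles = USER_ROLES.get(user, set())  # unknown users hold no roles
    granted = any((obj, operation) in ROLE_PERMISSIONS.get(role, set())
                  for role in roles)
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "subject": user,
        "object": obj,
        "operation": operation,
        "roles": sorted(roles),
        "allowed": granted,
    })
    return granted


def denied_attempts(user=None):
    """Audit query: refused requests, optionally filtered to one subject."""
    return [entry for entry in AUDIT_LOG
            if not entry["allowed"] and (user is None or entry["subject"] == user)]
```

Because permissions hang off roles rather than users, moving an employee between departments is a one-line change to the user's role set, and the audit log keeps refused requests as well as granted ones.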
Viable Password Policy
One of the major challenges faced by information technology departments is getting users to create secure passwords that enhance the safety of the network. One of the proposed solutions for ZXY Corporation is a password policy that will be adopted by all users. Advances in technology have led to the creation of programs or tools that compare lists of words or character combinations against a targeted password and generate a probable match (Manes, 2016). Therefore, creating a viable password policy will help to focus on the lifecycle of a password, addressing factors such as how passwords are chosen. It will also enforce password history, minimum and maximum password age, and the complexity requirements or techniques users should apply to prevent their passwords from being hacked.
Choice of Password and their History
When passwords are created or chosen, users are supposed to adhere to some set requirements. For instance, there should be a systematic way of controlling how passwords are reused. This will help to stop users from alternating between several passwords, which may cause a security breach. In fact, Windows Server 2008 R2 can track old passwords and prevent users from recycling them.
Minimum and Maximum Password Duration
In a client-server based network, there should be a control on how long users keep their passwords and how frequently they change them. This prevents users from changing their password several times in a row to wipe out the history and reinstate the old password. Therefore, it is paramount to set the minimum and maximum time a password must be kept. For instance, the system can be set so that users can only change the password after seven days, which prevents reinstating a compromised password (Manes, 2016). If the user cannot develop a new password, the administrator can make the change on their behalf. Conversely, there should be a maximum period for which the user may keep a password; this will make sure users change them occasionally to enhance network security. For instance, this can be achieved by setting passwords to expire after 150 days.
One of the ways of halting hackers is creating strong passwords that are difficult for them to guess. In fact, long passwords are more difficult for them to crack than short ones. Password strength can also be enhanced by employing the popular 8 + 4 rule. It entails that the password should have at least one lowercase, one uppercase, one numerical and one special character. To impose these rules, the administrator must enable the “Passwords must meet complexity requirements” policy.
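The password rules from the sections above combined into one check, as an added Python example that is not code from the original essay and not how Windows Server implements them. The seven-day minimum age, 150-day expiry and the four character classes come from the text; the history depth of 5, the minimum length of 8 and the use of PBKDF2 for the stored history are assumptions.

```python
import hashlib
import hmac
import os
import string
from datetime import timedelta

MIN_AGE = timedelta(days=7)    # from the text: no change within seven days
MAX_AGE = timedelta(days=150)  # from the text: expiry after 150 days
HISTORY_DEPTH = 5              # assumed; the text gives no number
MIN_LENGTH = 8                 # assumed reading of the "8" in the 8 + 4 rule

def _digest(password, salt):
    # The history holds salted PBKDF2 digests, never plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_errors(password):
    checks = {
        "needs a lowercase letter": any(c.islower() for c in password),
        "needs an uppercase letter": any(c.isupper() for c in password),
        "needs a digit": any(c.isdigit() for c in password),
        "needs a special character": any(c in string.punctuation for c in password),
        f"needs at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
    }
    return [message for message, ok in checks.items() if not ok]

class Account:
    def __init__(self, password, now):
        self.history = []  # (salt, digest) pairs, newest last
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        entry = (salt, _digest(password, salt))
        self.history = (self.history + [entry])[-HISTORY_DEPTH:]
        self.changed_at = now

    def is_expired(self, now):
        return now - self.changed_at > MAX_AGE

    def change_password(self, new, now):
        """Return the policy violations; an empty list means the change was applied."""
        errors = complexity_errors(new)
        if now - self.changed_at < MIN_AGE:
            errors.append("minimum password age not reached")
        if any(hmac.compare_digest(_digest(new, s), d) for s, d in self.history):
            errors.append("password was used recently")
        if not errors:
            self._store(new, now)
        return errors
```

The minimum age is what gives the history its value: without it, a user could change the password `HISTORY_DEPTH` times in a few minutes and return to the original.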
Cryptography Method to Ensure Data is Encrypted
Scientifically, cryptography is the use of mathematics to secure data through encryption and decryption processes. It enables users to store or transmit sensitive data over insecure networks or the internet. The technology will be very significant to ZXY Corporation because its local area network will support a remote access plan for roaming users who will access the system via the internet. The technology ensures that the information is hidden from, and not accessible to, an unintended user. Those who can see the encrypted data must run the decryption process before it becomes readable.
One of the recommendable methods for the corporation is public key cryptography. The technology uses a pair of keys, the public key and the private key, which are used for the encryption and decryption processes respectively. The public key is circulated to all users while the private key is kept secret. Those who have the public key can encrypt information, but they cannot read it. Once it is encrypted, the only user who has the authority to decrypt it is the one who has the private key. The advantage of this cryptography method is that only those users who have access to the security arrangement can share information securely. Therefore, once the user encrypts the information they must share the private key with the end user intended to receive the information.
Remote Access Plan
A remote access plan defines how users will be able to connect to the local area network while they are roaming or in a fixed position away from the office. This connection can be made in a number of ways, such as wireless bridges, dial-in and secure internet connections. One of the most recommendable for ZXY Corporation is the use of a virtual private network (VPN). It will create a competitive business environment by enhancing effective communication and remote access to information by the employees. The VPN creates an end-to-end secure network through the use of advanced encryption and tunneling. The downloadable features used include IP-based network access restrictions (NARs), which set conditions a user must meet before accessing the network, and ACLs, which define the rights allowed or denied for a particular user. The VPN also makes it possible to set maximum sessions or apply an idle timeout so that users must log in afresh, which prevents user accounts from staying open for extended periods and becoming vulnerable to a security breach.
The VPN is usually vulnerable to attackers because it offers remote access, which allows transmission of information over public shared networks. Therefore, some defense mechanisms must be applied, such as authentication (Cisco Secure Access Control Server Deployment Guide, 2007). Two-factor authentication is the most recommendable; it involves a secret password that is known only by the user and an authentication certificate or token that generates a password that is supposed to be used only once. Once users log in, they must generate the token that will be used in the next login process. Moreover, authorization allows the user to access resources over the VPN only if they pass the authentication process. For instance, Microsoft Active Directory is an authorization system which controls access and enables better VPN management. Furthermore, one of the notable features of the VPN is that it enables auditing through the detection of and response to incidents. For example, in case of malicious activity, the information that can be retrieved includes information about the user, system location, date and time, authentication success or failure, authorization success or failure and privileged access.
Protection of the Network from Malware and Malicious attacks
When people hear about security, they think about protecting the software. However, the security plan of ZXY Corporation must be organized at all levels, so all the servers must be located in access-controlled environments where only authorized individuals are allowed to run or supervise them (Vennapoosa, 2007). This kind of control will stop individuals who may try to gain physical access to the servers and damage them or switch off power with the intention of sabotaging the virtual private network.
To protect the network from malware attacks, endpoint security programs such as firewalls and anti-virus software must be employed. Firewalls work as a barrier between the computer, the user and anyone who may want to invade the network. Logically, firewalls translate incoming requests by decoding them into packets and responding to them. Due to this, they are able to filter incoming and outgoing packets, control internet connections and alert users in case of suspected attacks. Anti-virus software also acts as endpoint security (Vennapoosa, 2007). It searches for computer viruses in removable disk drives and other peripheral devices; recommendable anti-virus products include Kaspersky, BitDefender, and F-Secure. Lastly, the system administrator may consider the use of an anti-spyware program such as CounterSpy or SpySweeper to protect the VPN from programs that collect data on user accounts without the users' knowledge. Such programs may get into the system through viruses or during the installation of new applications.
Through a thorough evaluation of the most viable security plan that would deliver the best VPN for ZXY Corporation, it is apparent that a diverse and robust set of security tools will have to be incorporated. Users must have a secure access control method and a viable password policy that controls duration and requirements and enhances complexity, to prevent hackers from generating a likely password using a password-cracking tool. The VPN should also be made secure through endpoint security programs such as firewalls and antiviruses. Furthermore, its remote access plan will have to be supported by two-factor authentication technology in which, in addition to the user's secret password, a one-time key is generated for every login process. As a result, ZXY Corporation will have a secure network that will increase its business value through guaranteed integrity and privacy of corporate information.
- Cisco Secure Access Control Server Deployment Guide. (2007). Cisco, 31-35.
- Mallard, S. (2010). Access control methods. Bright Hub.
- Manes, C. (2016). What makes a good password? TechTalk.
- Vennapoosa, C. (2007). Client-Server Security. Exforsys.