Level of Defenses in Network Security: A Case Study of Geetanjali Institute of Technical Studies, Dabok

Naveen Malkani#1, Bhavesh Jain*2, Kritika Soni*3, Kunal Singhvi*4

#1 Executive Director, Microsystems, Udaipur, India
director@micro-systems.org

*2, 3, 4 Department of Computer Science and Engineering, Geetanjali Institute of Technical Studies, Dabok
2sonikritika569@gmail.com, 3shaan01jain@gmail.com, 4kunal.singhvi.[email protected]

Abstract: A secured network is one which is free of unauthorized access, threats and hackers. This paper describes the different levels of network security. A brief overview of network security, its need, the different threats and the related protection techniques is presented. The paper presents a general overview of the most common network security threats and the steps which can be taken to protect an educational institution and to ensure that data travelling across the network is safe and secure. The objective of the paper is to highlight the loopholes in the existing network of the computer science department of Geetanjali Institute of Technical Studies. The paper presents the setup of an ideal network defense system in the institute.

Keywords: Network Security, IP Sec, VLANs, Firewalls, Antivirus Packages, MAC Filtering, Access Control Lists, Tokens, Security Policies, Intrusion Detection.

I. Introduction

The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and educational communications worldwide. The volume of traffic moving over the internet, as well as over education networks, is expanding exponentially every day. This vast network and its associated technologies have opened the door to an increasing number of security threats from which educational institutions must protect themselves. Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of its effectiveness, combined together. Network security refers to "all hardware and software functions, characteristics, features, operational procedures, accountability measures, access controls, and administrative and management policy required to provide an acceptable level of protection for hardware, software, and information in a network." [1]

A. Need of Network Security at Geetanjali Institute of Technical Studies

The institute has a difficult network environment to secure. Proprietary information must be protected and the network must be available 24x7, yet hundreds of untrusted student-owned computers must be given access. That is where the problem arises. The network administrator cannot control what students do, or have done, with their laptops and desktops, and that puts the entire network at risk.

As an educational organization, the administration strives to facilitate the open exchange of information. Students, faculty members and librarians all need access to the Internet. However, at the same time, the administrator has a responsibility to protect users from network threats and to keep the network up and running. A top security priority is to establish a private network to keep confidential information (student records, scholarships, administrative records, financial information etc.) safe from unauthorized users, hackers, and other threats.

II. Objective

The networks in the institution are isolated from each other. It is desired to have a single backbone network. The paper will discuss:

• Users in the college.
• The current network plan.
• Drawbacks in the existing network plan.
• Levels of defense in an ideal network system.
• The proposed network plan for the college.

Ridhima, Sheela Bhatt, Amandeep et al. (Eds.): ICOACCE 2010. © Geetanjali Institute of Technical Studies, Udaipur.

IV. Current Scenario

A. Users

The college has the departments of Computer Science, Electronics and Communication, Mechanical, Electrical, Automobile, Information Technology, MBA and MCA. Besides these departments, the internet facility is required by the accounts section, the administrative department and the director. All faculty members and students avail themselves of the internet facility.

B. Existing Network Plan

The network in Geetanjali Institute is divided into three different networks.

1) BLOCK-A
The Block-A network includes the Computer Science department, MCA department, IT department, Mechanical department and the administrative department. The network plan is shown in Fig. 1.

Fig 1: BLOCK-A NETWORK

2) BLOCK-B
The Block-B network includes the Electronics department, Electrical department and MBA department. The network plan is shown in the figure.

Figure: BLOCK-B Network

3) ACCOUNTS

Figure: ACCOUNT Network

C. Problems in Existing Network

In the college environment, a single unpatched or compromised end-terminal threatens the entire network. It can serve as a backdoor for intruders and a channel for worms and spyware, and it can infect the entire network. The institution tries hard to implement a consistent security policy that defines what is permitted and what is prohibited on student end-terminals, but a number of logistical problems prevent enforcement of such policies. The major ones include:

1) Wide Range of Operating Systems and Versions
The implementation and administration of a security policy that efficiently accommodates multiple OS platforms and versions is a tough job.
2) A Limited Time for Registering Devices
Students must have network access when classes begin, making it infeasible for the network administrator to implement uniform security measures on a device-by-device basis in the limited time available at the beginning of the semester.

3) Difficulty of Having to Physically Touch Each Device
Limited resources and personnel prohibit effective physical management of each device.

4) Three Separate Networks
There are three different existing networks in the college: the 'A' block, 'B' block and Office networks. It is more difficult to monitor the separate networks than to have a centralized network for the entire institution.

5) Mesh Network
There is no planning in the current network set-up. All the end-terminals and switches are arranged in a disorganized manner. The side effects of this topology are:

• More cabling is required.
• Detection of the point of fault is difficult.
• More effort is required in installing, modifying and maintaining the network devices.

6) No Load Balancing
There is no provision for switching to an alternate channel if the primary channel is blocked or damaged.

7) Server Location
The server is located outside the college premises. It is maintained by the host outside the college.

8) No Network Facility in Hostel
There is no internet facility for the students residing in the college hostel.

9) No Proxy Servers
There are no proxy servers, resulting in increased chances of entry of viruses and worms.

10) No Physical Security
There is no proper physical security for the server room and terminals.

V. Level of Defenses

We have an extensive choice of technologies, ranging from antivirus software packages to dedicated network security hardware such as firewalls and intrusion detection systems, to provide protection for all areas of the network. Further tools can be deployed that periodically detect security vulnerabilities in the network, providing ongoing, proactive security. With all these options currently available, it is possible to implement a security infrastructure that allows sufficient protection and quick access to information. A network requires multiple layers of protection to be truly secure.

Table: LEVEL OF DEFENSES

Security Level      | Applicable Security Measure
5. Network Level    | Access Control Lists; Intrusion Detection/Prevention Systems
4. Switch Level     | MAC Filtering
3. Server Level     | Security Policies; VLANs; Tokens
2. PC Level         | Antivirus Packages; IP Sec; Folder Guards
1. Physical Level   | Lock and Key; Protected Server Room

A. Physical Level Security

Physical security is an initial concern when designing a secure network. The easiest and best means of protecting important machines like servers is to secure them under lock and key. Next, make sure to use wiring that is least susceptible to eavesdropping and snooping. Copper wiring can be tapped with greater ease than other types of cable, and is thus more vulnerable.

• Install UPS (uninterruptible power supply) systems for mission-critical hardware.
• Deploy backup generator systems for mission-critical disaster recovery if feasible.
• Test and maintain UPS and/or generators based on the manufacturers' suggested preventative maintenance schedule.


• Monitor and alarm power-related parameters at the supply and device level.
• Use filtered power and install redundant power supplies on mission-critical devices.

B. PC Level Security

This level of defense includes technologies such as antivirus software packages, IP Sec, host firewalls, Folder Guards etc.

• Antivirus Packages:
Virus protection software is packaged with most computers and can counter most virus threats if the software is regularly updated and correctly maintained. The package includes a virus database that helps it to identify known viruses when they attempt to strike. To keep update and maintenance costs to a minimum, all the computers on a network should be protected by the same antivirus package. It is essential to update the antivirus package on a regular basis.

• IPSec:
IPSec is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network; it functions at layer 3 of the OSI model [2]. The two primary security protocols used by IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP). The AH protocol provides authentication for the data and the IP header of a packet using a one-way hash for packet authentication. AH does not offer any encryption services. The ESP protocol provides confidentiality (through the use of symmetric encryption algorithms like DES or 3DES), data origin authentication and connectionless integrity, an anti-replay service, and traffic flow confidentiality. The anti-replay service is based upon the receiver, meaning the service is effective only if the receiver checks the sequence number: when a hacker captures a copy of an authenticated packet and transmits it later to the intended destination, it can disrupt services, and the Sequence Number field is designed to foil this type of attack. For traffic flow confidentiality, tunnel mode has to be selected. In tunnel mode, the entire IP packet is encapsulated in the body of a new IP packet with a completely new IP header. It is most effective if implemented at a security gateway, so that the machines in the company network do not have to be aware of IPSec.

• Firewall:
A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it and denies or permits passage based on a set of rules [3]. The firewall creates a protective layer between the network and the outside world. In effect, the firewall replicates the network at the point of entry so that it can receive and transmit authorized data without significant delay. However, it has built-in filters that can disallow unauthorized or potentially dangerous material from entering the real system. It also logs an attempted intrusion and reports it to the network administrators.

• Folder Guards:
Folder Guard is a computer security software tool that lets you password-protect, hide, or restrict access to files and folders of your choice, and also restrict access to other Windows resources, such as the Control Panel, Start Menu, Desktop, and more. You can configure the protection so that only specific users are restricted, on both stand-alone and networked computers.

C. Server Level Security

This level of defense includes port blocking, service authentication, VLANs, tokens, and security policies etc.

• Security Policies:
Security policies are rules that are electronically programmed and stored within security equipment to control such areas as access privileges [4]. These are also written or verbal regulations by which an organization operates. The policies that are implemented should control who has access to which areas of the network and how unauthorized users are going to be prevented from entering restricted areas. The security policy management function should be assigned to people who are extremely trustworthy and have the technical competence required.

• VLANs:
A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN. It allows the network administrator to have total control over each port and user, plus whatever resources each port can access. VLANs can be created in accordance with the network resources a given user requires.
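The anti-replay service described under IPSec above works only if the receiver actually checks the sequence number. The following is an added example, not from the paper, that models that receiver-side check as a sliding window in the style of the ESP anti-replay window (RFC 4303); the packet stream, the window size and the function names are constructed for the demonstration.

```python
# Added example (not from the paper): a receiver-side ESP anti-replay check.
# A replayed copy of an authenticated packet passes the integrity check, so
# only the sequence-number window can reject it.

WINDOW = 64  # window size in packets (RFC 4303 default; minimum is 32)


class AntiReplayWindow:
    """Tracks which ESP sequence numbers have already been accepted."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'stale' for an arriving sequence number.
        Call this only after the packet's integrity check (ICV) has passed."""
        if seq == 0:
            return "stale"  # sequence number 0 is never valid on an ESP SA
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and mark it.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window:
            return "stale"   # too old to track: drop it
        if self.bitmap & (1 << offset):
            return "replay"  # already accepted once: a duplicate, drop it
        self.bitmap |= 1 << offset
        return "accept"      # late but legitimate (reordered) packet


def process_stream(seqs, checking: bool = True):
    """Feed a list of sequence numbers through a receiver; return the verdicts.
    With checking=False the receiver accepts everything, which is the situation
    the paper warns about: the service is effective only if the receiver checks."""
    win = AntiReplayWindow()
    return [win.check(s) if checking else "accept" for s in seqs]


# Constructed packet stream: 5 and 4 arrive out of order (legitimate), then an
# old copy of packet 3 is replayed, then 200 slides the window far ahead so a
# late copy of 2 falls outside it.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 200, 2]

if __name__ == "__main__":
    for s, verdict in zip(SAMPLE_SEQS, process_stream(SAMPLE_SEQS)):
        print(f"seq={s:>4} -> {verdict}")
```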
• Tokens:
A security token can be a physical device that an authorized user of computer resources is given to ease authentication. Tokens are used to prove one's identity electronically. Hardware tokens typically store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. The simplest security tokens do not need any connection to a computer. Other tokens connect to the computer using wireless techniques. The newest form of tokens are mobile devices which are communicated with over an out-of-band channel (like voice, SMS etc.). Disconnected tokens have neither a physical nor a logical connection to the client computer. They use a built-in screen to display the generated authentication data, which the user enters manually via the keyboard. Connected tokens are tokens that must be physically connected to the client computer. These tokens automatically transmit the authentication information to the client computer once the physical connection is made, eliminating the need for the user to enter it manually. [5]

D. Switch Level Security

This level of defense includes VLANs, MAC policies and MAC filtering.

• MAC Filtering:
MAC filtering refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of black lists and white lists. While it gives a wireless network some additional protection, MAC filtering can be circumvented by scanning for a valid MAC and then changing one's own MAC into a validated one, so it should not be relied on as the only control.

E. Router Level Security

This level of defense includes Access Control Lists.

• Access Control Lists:
An access control list is a list of conditions through which a router can control (permit or deny) a packet on the basis of source and destination address and protocol. Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any more access list statements. Because of this, the order of the statements within any access list is significant. Access lists can be applied as inbound or outbound access lists. Inbound access lists process packets as they enter a router's interface and before they are routed. Outbound access lists process packets as they exit a router's interface and after they are routed.

• Intrusion Detection/Prevention Systems:
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies or standard security practices. An Intrusion Detection System (IDS) is software that automates the intrusion detection process. An Intrusion Prevention System (IPS) is software that has all the capabilities of an IDS and can also attempt to stop possible incidents [6].

VI. Proposed Network

We have discussed techniques for preventing network security threats. Now we are in a position to design a strategy for a secure network. Network security must follow three fundamental precepts [7]. First, a secure network must have integrity, such that all of the information stored therein is always correct and protected against fortuitous data corruption as well as willful alteration. Next, to secure a network there must be confidentiality, or the ability to share information on the network with only those people for whom the viewing is intended. Finally, network security requires availability of information to its necessary recipients at the predetermined times without exception.

Additionally, certain preliminary steps must be taken in order to assess the need for and overall level of network security. First, an appraisal of the dependence on the information within the network must be performed to know the level of security necessary to protect that information. Next, measurements must be taken of any foreseeable weakness in the current network structure as well as in the design for future network security. In addition, it must be realized that security is a continuous task. Network security is not purchased once; instead it must be continually monitored and managed. Finally, network security should be an evolutionary process whereby its progression and subsequent protection occur in stages.
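The top-down, first-match processing described for access lists under E. Router Level Security above is easy to get wrong when statements are reordered. The following added example (written for this page, not taken from the paper or from any router vendor) models that evaluation and shows the same two statements giving opposite verdicts in different orders; the implicit "deny any" at the end of a list is standard Cisco ACL behaviour and is assumed here, and the subnets are hypothetical.

```python
# Added example (not from the paper): a model of router access-list evaluation.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" (any), "tcp", "udp" or "icmp"
    src: str                       # source network in CIDR notation
    dst: str                       # destination network in CIDR notation
    dst_port: Optional[int] = None # None means any destination port

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dport")


def evaluate(acl: List[Rule], pkt: Dict) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching statement decides.
    Returns (verdict, index of the matching statement), with index None when
    no statement matched and the implicit deny at the end of the list applied."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Hypothetical addressing (constructed, not from the paper):
# 10.1.0.0/16 = Block-A student subnet, 10.9.0.0/24 = server subnet,
# 10.9.0.10 = a records server that students may reach except for remote desktop.
CAREFUL_ACL = [
    Rule("deny",   "tcp", "10.1.0.0/16", "10.9.0.10/32", 3389),  # specific first
    Rule("permit", "ip",  "10.1.0.0/16", "10.9.0.0/24"),         # general after
]
# The same two statements reversed: the broad permit now shadows the deny.
CARELESS_ACL = list(reversed(CAREFUL_ACL))

SAMPLE_PKT = {"proto": "tcp", "src": "10.1.4.22", "dst": "10.9.0.10", "dport": 3389}


def compare_orders(pkt: Dict = SAMPLE_PKT) -> Dict[str, str]:
    """Verdict for the same packet under both statement orders."""
    return {"careful": evaluate(CAREFUL_ACL, pkt)[0],
            "careless": evaluate(CARELESS_ACL, pkt)[0]}


if __name__ == "__main__":
    print(compare_orders())  # {'careful': 'deny', 'careless': 'permit'}
```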


Features of the proposed plan

• Centralized Network
• Redundancy
• Multiple ISPs (Internet Service Providers)
• Network with Load Balancing

A. Centralized Network

We have discussed the mesh network in the college, so we propose a centralized network that can be implemented using UTMs (Unified Threat Management appliances). A centralized computer network is a system in which all the resources are stored and managed at one place. Centralization makes it easy for the system administrator to keep all those resources consistent and accurate, whereas in a distributed system all the sites containing the data and resources need to be managed separately. We can easily back up data that is stored at only one place. It is also much easier to protect the system from unauthorized access, because there is only one site on the network that needs protection.

B. Redundancy

Redundancy, in internetworking, is the duplication of connections, devices or services that can be used as a backup in events like the failure of the primary connection or service.

C. Multiple ISPs (Internet Service Providers)

A multiple-ISP solution addresses more than alternate pathways and disaster recovery. It can also provide a solution for network traffic jams or supply network isolation for specific applications.

D. Network with Load Balancing

Load balancing, a clustering technology, enhances the scalability and availability of mission-critical, TCP/IP-based services, such as web, terminal services, virtual private networking, and streaming media servers. Network Load Balancing distributes IP traffic across multiple cluster hosts. It also ensures high availability by detecting host failures and automatically redistributing traffic to the surviving hosts. The unique and fully distributed architecture of Network Load Balancing enables it to deliver very high performance and failover protection.

Fig 4: REDUNDANT NETWORK WITH LOAD BALANCING

VII. Conclusion

Networks must be secure in order to protect against threats to their integrity; otherwise the loss or misuse of information can be catastrophic. The paper set out to define the role of network security and to explain further how to achieve that role. The strategy for developing a secure network changes as new threats are created; therefore, it is an evolutionary process, constantly changing to meet new requirements. In conclusion, computers and software are now part of a world-wide network, making them more susceptible to threats and thus demanding network security.

REFERENCES

[1] Shaffer, Steven L., and Alan R. Simon, Network Security, Academic Press, 1994.
[2] Todd Lammle, Cisco Certified Network Associate Study Guide, 6th edition.
[3] Microsystems Networking and Security Solutions. URL: http://www.i2sc.org
[4] A Beginner's Guide to Network Security, Cisco Systems.
[5] Security Tokens, Wikipedia. URL: http://en.wikipedia.org/wiki/Security_token
[6] Alexander, Michael, The Underground Guide to Computer Security, Addison-Wesley Publishing Company, 1996.
[7] Guide to Intrusion Detection and Prevention Systems (IDPS), recommendation of the National Institute of Standards and Technology (Special Publication 800-94). URL: csrc.nist.gov
