Network Design project


Network Design Project 

Robert Wahlstedt 

Professor Irving 

Liberty University 

CSCI 601 D02 

December 10, 2019 


When coming up with a security policy, it is important to realize what we wish to protect and how similar organizations have suffered attacks in the past. In the health care field, there are attacks from denial of service, malware, man in the middle attacks, rootkit injections, and misconfiguration of devices. 

Denial of service is the over-requesting of services so that it deprives others of the opportunity to use the devices and they cannot accomplish their goals. The area most exposed in this fictitious network is the EMR edge web server. Defending against a DOS attack could be done using a third-party service such as Amazon's Cloudflare. DOS attacks are not as technical but could merely be seen as an act of vandalism. In a DOS attack, resources are exhausted to the point of failure or severe degradation. Types of locally exhausted resources include filling up the process table, filling up the file system, and sending outbound traffic that fills up the communication links (Skoudis & Liston, 2006). There are many types of DOS attacks, most notably the amplification attack, in which a remote internet server pings a large group of internet hosts. When these devices respond back affirmatively, the attacker makes it appear as though the victim's server is the one that sent out the requests by changing the source IP address field. This is a version of the smaller SYN-ACK attack in which a single host queries. To defend against these attacks, it is important to make sure that there is some flexibility in the bandwidth of the connection to the ISP. Also, there is a firewall that protects the organization from unsolicited traffic. The IPS located at each network segment acts as a barrier in case of internal rogue devices. 

Worms, viruses, and Trojan horses are three different types of malware. Worms are propagated through a network automatically, sometimes through remote desktop protocol sessions. To prevent the spreading of worms, there is an IPS between each network segment which not only uses templates of predefined acceptable behaviors which are whitelisted, but also uses behavioral heuristics. Also, Packet Fence is a network access control which, in order to protect the network as a whole, allows a possibly compromised host access only to the internet to download certain things such as Microsoft updates or McAfee antivirus signatures. Notice that a compromised host does not necessarily mean an infected one; it could also mean there is room for improvement in the computer's cyber security hygiene. To protect against viruses, which rely on the human touch for transmission, this fictitious organization uses the McAfee antimalware solution to protect the endpoints. Should there be an outbreak, there is a direct connection between the antivirus server and the server the SIEM is running on. By reviewing the logs for alerts related to viruses, the system administrator hopes to find the sources of malware entering the organization and design security policies to safeguard it. Sometimes these human-transferred viruses are Trojan horses, introduced when the users forget about the computer acceptable use policies. Sometimes a user looks at an occasional cat picture when they are on break or bored during a shift. To prevent such incidents the users do not have administrator rights, and patching is done through a System Configuration Manager using PowerShell Desired State Configuration, which is reported on using a Puppet server. These services are hosted by Microsoft in their Azure platform. There is a change log for each device which is recorded in UVDesk. 
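The log review described above, as an added example that is not part of the paper: constructed antivirus alert lines in an assumed key=value export format (not real McAfee output; hosts, users and threat names are invented) are parsed and summarized the way a SIEM review would, counting entry vectors, spotting repeat offenders, and flagging the same threat hitting several hosts within minutes, which is the signature of a worm spreading rather than a one-off infection.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alert lines (assumed format, invented values). One deliberately
# malformed line is included so the parser's error handling is exercised.
SAMPLE_ALERTS = """\
2019-12-01T08:02:11 host=WS-ER-04 user=jdoe threat=Trojan.Generic action=quarantined source=email
2019-12-01T08:05:42 host=WS-ER-04 user=jdoe threat=Trojan.Generic action=quarantined source=email
2019-12-01T09:13:07 host=WS-ICU-02 user=msmith threat=PUP.Toolbar action=deleted source=web
2019-12-01T09:14:30 host=WS-ICU-02 user=msmith threat=Worm.RDP action=blocked source=network
2019-12-01T09:14:55 host=WS-ICU-03 user=SYSTEM threat=Worm.RDP action=blocked source=network
2019-12-01T09:15:20 host=WS-ICU-05 user=SYSTEM threat=Worm.RDP action=blocked source=network
2019-12-01T10:40:00 host=WS-LAB-01 user=kwong threat=Trojan.Downloader action=quarantined source=removable
garbage line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")   # timestamp, then the rest of the line
KV_RE = re.compile(r"(\w+)=(\S+)")        # key=value pairs without spaces in values


def parse_alerts(text):
    """Parse alert lines into dicts with a datetime 'time'; malformed lines are skipped."""
    alerts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        try:
            when = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # edge case: a line that does not start with a timestamp
        fields = dict(KV_RE.findall(m.group(2)))
        if {"host", "threat", "source"}.issubset(fields):
            alerts.append({"time": when, **fields})
    return alerts


def entry_vectors(alerts):
    """Count alerts per source; 'network' means lateral spread, the others are entry points."""
    return Counter(a["source"] for a in alerts)


def repeat_offenders(alerts):
    """(user, host) pairs that keep triggering alerts: where training or a rebuild goes first."""
    return Counter((a.get("user", "?"), a["host"]) for a in alerts if a["source"] != "network")


def outbreaks(alerts, window=timedelta(minutes=5), min_hosts=3):
    """Same threat on >= min_hosts distinct hosts inside one window: a worm, not an isolated hit."""
    by_threat = {}
    for alert in sorted(alerts, key=lambda x: x["time"]):
        by_threat.setdefault(alert["threat"], []).append(alert)
    found = {}
    for threat, events in by_threat.items():
        for i, first in enumerate(events):
            hosts = {e["host"] for e in events[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                found[threat] = sorted(hosts)
                break
    return found


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("entry vectors:", entry_vectors(parsed))
    print("repeat offenders:", repeat_offenders(parsed).most_common(3))
    print("outbreaks:", outbreaks(parsed))
```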

There are opportunities for man-in-the-middle attacks using the Avaya VOIP solution given the necessary placement of the edge server in relation to the outside world. To prevent these attacks, the system administrator recognized that the risk of patient voice messages leaving the facility through SIP MITM attacks is too great, so they decided to disallow voice messages from leaving the facility. The phones also require a PIN for authentication which changes every 180 days. The administrator thought about making the interval shorter but was worried that the PINs would be written down too close to the telephone and that a malicious actor would be able to photograph the common phone extensions and the PINs with the camera of his cell phone. The managed switches are also managed by the Microsoft server software environment, offering not only OSI level 3 filtering but level 2 filtering as well. Also related to MITM attacks are password relay attacks. These occur when a user records messages that are being transmitted over, sometimes, older versions of server message block which do not provide end-to-end encryption. To prevent these attacks, the system administrator decided to install Windows 10 as often as possible. He decommissioned a badge-making machine whose software required Windows 7 to run in Windows XP mode. This cost the company some money in replacing the badges, but it is worth it to protect the privacy of the patients. As a critical care hospital, the hospital is dependent upon donations and grants; otherwise the hospital would have to close. In order to secure donations, it is essential that the hospital maintain the confidentiality of patient records. There are some richer donors who see other hospitals that have had breaches as irresponsible, and therefore the donor is unwilling to trust them with their financial information. 

Until recently, the hospital used AIX systems which were impossible to install a rootkit on; however, time marches on and Windows servers were procured from Techsoup. The system administrator thinks that there are two phases in the rootkit attack which could be improved upon. The first is prevention, keeping the rootkit out in the first place. Since a Cisco Meraki unit is being used as the firewall, the system administrator uses the OpenDNS platform, also produced by Cisco. This product quickly scans each website a user connects to, keeping the organization in as good a security posture as possible. The second part that could be improved upon is detection once a system has a rootkit infection. Therefore the network administrator chose to use a network access control server instead of simply relying on the network access control that is built into the endpoint protection that McAfee offers. Packet Fence isolates suspected devices based on their compliance, and the Untangle virtualized appliances spread throughout the organization serve as its IPS. In addition, the hospital bought cyber security insurance through Malwarebytes, which offers to get organizations up and running after a malware attack. Even with these measures, the system administrator is not entirely confident in the system but feels like he is doing the best he can to prevent rootkit injections. 

The staffing at the rural hospital is particularly worrying because only 2.5 FTE work on the information technology system. For this reason, an emphasis on backup and recovery software for both the SAN and the workstations is a high priority, using Zmanda to back up to the private cloud hosted at the hospital. For the same reason, the system administrators are relying on vendor support and have purchased enterprise support agreements whenever possible. A few years ago, the hospital, in an effort to save costs, hired a couple of undergraduate student interns to set up the firewall and the Cisco wireless access points. They did a good job; however, it took a while for the students to figure out exactly how to configure the firewall VPN rules. Since then the hospital not only backs up the software and data but also the configurations as much as possible. Also, the hospital configured its switches to have certain levels of security, and this is tied to LDAP credentials in Active Directory. The administrators have user accounts without administrative access which they try to use when doing day-to-day work such as checking email. 

The hospital is using Cisco 2950 switches which they configured for security. These are gigabit switches. Secured ports allow for the limitation of what ports a user is allowed to access. For example, when a guest comes into their network, they cannot access any of the internal workstations; they simply go out through the firewall to the internet. Port security enables a dedicated amount of bandwidth to be reserved for each client as the minimum amount that it would allow. To prevent ARP poisoning the Cisco switches are pre-configured to use private VLANs (ARP Poisoning, 2019). The ARP tables are maliciously set to static routes. 

The Cisco VPN auto-provisions using Cisco's cloud server to broker secure connections. This enables cryptographic key exchanges to occur in Cisco's infrastructure and not on infrastructure belonging to the hospital. IPsec is primarily used. The VPN authenticates to a Windows server which acts as a TACACS+ server; TACACS+ is a proprietary Cisco protocol introduced in 1999 as a new version which does not work with previous technologies because of a new set of network communication primitives. TACACS+ uses Transmission Control Protocol port 49 to communicate through the SSL VPN. RADIUS is different because, while TACACS+ handles both authentication and authorization, RADIUS just supplies the initial authentication but does not repeatedly check to make sure that the user still has permission to access the resource they are trying to access. This is similar to the port security described in the paragraph above. 

The Meraki firewall provides some nice features to the security environment. First, it is a turnkey solution that leaves smaller potential for error in installation and management. It utilizes Cisco's cloud platform, so it is always up to date and can be centrally managed in the cloud. There is a technical support contract so the vendor can access the firewall. It is scalable with no centralized controller, and the network still functions even if management is interrupted. Lastly, it is HIPAA compliant. The firewall gathers a fingerprint on each user and works with the SIEM to provide high availability for applications. For cloud management there is two-factor authentication. 

The wireless is also managed by the Cisco firewall using AC mode for multiple signals operating at one time. In academia there has been a discussion since Gregory Raleigh proposed multipath wireless signals, coupled with a 1970s paper about how to avoid crosstalk in multipath propagation. This led heavily to the wireless that we know today as 802.11n and 802.11ac. Because of all these discussions, the Wi-Fi Alliance broke away from their parent organization, the IEEE, to better focus on wireless technologies. In 1993 Arogyaswami Paulraj and Thomas Kailath proposed an SDMA-based inverse multiplexing technique. Our CSCI 601 class discussed electromagnetic interference as a form of attack and what impact it has on the business infrastructure. While initially it might not seem, given the laptop docking stations, that a hospital has a need for Wi-Fi, there are many other devices which could use the connection. This includes the PDA or tablet devices which connect to the internet to access information. At the hospital, we do not expect the medical providers to have all of the information stored away in their brain, particularly given the fact that the hospital sees a wide variety of patients with a variety of problems. The community is known for its agricultural economy, so there might be a farming accident from operating the massive equipment that farmers sometimes use. In addition to the PDA devices, there is a guest Wi-Fi signal which is segregated from the staff Wi-Fi. This allows patients an opportunity for their Fitbit or other health tracking devices to communicate with their carrier. 

The hospital uses multiple internet service provider companies and uses the routing protocol multiprotocol label switching for reliability purposes. Because the setting is a rural hospital, the hospital uses satellite as well as cable internet. Because it is too far away from an ASM, dial-up internet cannot be used. Packet switching breaks down network traffic into packets before they are transported. These packets can travel any path on the network to their destination. This is similar to how in my home city of Spokane there are many roads that lead from the library to the downtown core of the city. One could take Washington as a north-south street or they could take Ash as a north-south street. It doesn't matter. MPLS was introduced in 1999 to enable multiple types of layer 3 protocols to travel through a connection-oriented layer 2 protocol (Dean, 2010). Because IP is a layer 3 protocol and MPLS supports IP, MPLS is known as layer three and a half. MPLS addresses concerns about an IP network because in the IP network a router must interpret the IP datagram's header to determine where to forward the packet next (Dean, 2010). In MPLS, only the first router has to figure out where to send the packet, and the tagging leaves little ambiguity about who the intended recipient is. MPLS is reliable (Dean, 2010). 
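The difference the paragraph describes, hop-by-hop IP lookups versus a single classification at the ingress followed by label swapping, worked through as an added example that is not from the paper. The four-router topology (PE1, P1, P2, PE2), the prefixes and the label values are constructed for illustration; it counts how many routers must parse the IP header in each scheme.

```python
import ipaddress

# Constructed topology (assumption, not the hospital's actual design):
#   ingress PE1 -> P1 -> P2 -> egress PE2, with the hospital prefixes behind PE2.
RIB = {  # per-router IP routing tables: prefix -> next hop (None = directly attached)
    "PE1": {"10.20.0.0/16": "P1"},
    "P1":  {"10.20.0.0/16": "P2"},
    "P2":  {"10.20.0.0/16": "PE2"},
    "PE2": {"10.20.0.0/16": None, "10.20.5.0/24": None},
}
FEC_TABLE = {  # ingress PE1 only: forwarding equivalence class -> label pushed
    "10.20.0.0/16": 100,   # general hospital subnet, one LSP
    "10.20.5.0/24": 200,   # more specific prefix carried on its own LSP
}
LFIB = {  # label forwarding base: (router, incoming label) -> (outgoing label, next hop)
    ("P1", 100): (101, "P2"),
    ("P1", 200): (201, "P2"),
    ("P2", 101): (None, "PE2"),   # None = pop the label (penultimate hop popping)
    ("P2", 201): (None, "PE2"),
}


def longest_prefix_match(dst, table):
    """Classic IP lookup: the most specific prefix containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def forward_ip(dst):
    """Hop-by-hop IP forwarding: every router parses the header and does its own LPM."""
    router, path, lookups = "PE1", ["PE1"], 0
    while True:
        net = longest_prefix_match(dst, RIB[router])
        lookups += 1
        if net is None:
            return {"path": path, "ip_lookups": lookups, "delivered": False}
        next_hop = RIB[router][str(net)]
        if next_hop is None:
            return {"path": path, "ip_lookups": lookups, "delivered": True}
        router = next_hop
        path.append(router)


def forward_mpls(dst):
    """MPLS: ingress classifies once, transit routers only swap labels, egress routes the popped packet."""
    path, labels, lookups = ["PE1"], [], 1          # the single IP lookup at the ingress
    fec = longest_prefix_match(dst, FEC_TABLE)
    if fec is None:                                  # no LSP: would fall back to IP routing
        return {"path": path, "labels": labels, "ip_lookups": lookups, "delivered": False}
    label, router = FEC_TABLE[str(fec)], "P1"
    while label is not None:                         # label swap only, no header parsing
        labels.append(label)
        path.append(router)
        label, router = LFIB[(router, label)]
    path.append(router)                              # egress receives a plain IP packet
    lookups += 1
    delivered = longest_prefix_match(dst, RIB[router]) is not None
    return {"path": path, "labels": labels, "ip_lookups": lookups, "delivered": delivered}


if __name__ == "__main__":
    print("IP  :", forward_ip("10.20.5.7"))
    print("MPLS:", forward_mpls("10.20.5.7"))
```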

The main threat to beacon security such as Apple's iBeacon is that people tend not to think about security until it is too late. I imagine that credit card companies went through a similar time when they assumed that there would be no way to use RFID to gain credit card information. According to Tripwire, credit card skimming is when fraudsters use a device to collect the radio frequencies transmitted. These devices use a small quantity of radiation and bounce it off people to see if they would have any success in getting the radiation to bounce back in such a way as to reveal that the person has a credit card. I have a wallet which is made out of a synthetic material which is able to block the radiation from reaching the credit card stored inside. This might frustrate the attacker because very few people walk around with only cash in their pockets. Since around 2005 phishing attacks have been a strong vector in data security breaches. 

Today with these devices, a data breach could be even easier than phishing. Places where skimming can occur include public transportation, crowded retail stores, and gas pumps, where there is proximity and people are searching for things in their pockets. Examples of the types of data which could be stolen include the credit card number, the expiration date, and the card holder's name. As for the PIN, unfortunately too many people choose the year they were born or some other easily accessible information. This is assuming that the retailer even verifies the credit card number. Many of these stolen credentials are used to buy goods which could be exchanged or resold for cash. 

Although we have not discovered many flaws in the application of patient wristbands, I imagine that it would be a matter of time until someone is the unfortunate victim of an attack. To come up with security controls, it is important to see how the RFID 2 implementation is thwarted for security. Several generic types of attack are power analysis, which is intended to steal information or gain access, eavesdropping, and replay attacks. During these attacks, the attacker must know the protocol and tags for the attack to work. There is also the man-in-the-middle or sniffing attack, which has the purpose of taking down the system. In this attack, the hacker listens for communication between a tag and the reader and manipulates the information, sometimes providing false information while pretending to be a normal part of the RFID system. There is also denial of service, which is also looking to take down the system. These attacks are usually physical, such as jamming the system with noisy interference to block the radio signals or even removing or disabling the RFID tags. Other attacks include cloning and spoofing, where an attacker clones the data from a pre-existing tag and spoofing is then used with the clone to gain access to a system. There are also viruses, which might be a future attack (Smiley, 2018). While RFID tags do not currently have enough processing power to store a virus, perhaps in the future they might have one which could infect the computer at the point of sale. 

In a hospital setting, it could be commonplace for two people who know each other to switch armbands. I am envisioning a psychiatric hospital which encourages its patients to interact with each other, and certain medications may be deemed more desirable than others; however, they may not be appropriate medically. For example, the medication Ritalin is a Schedule 2 controlled substance. 

To prevent these attacks, RFID cards should be placed next to each other, the wallet should be placed in the front pocket where it can more easily be observed, when using the card in a store make sure no one is standing near you, and use cash as more of a currency, using a credit card only in an emergency. 

Patients should get other forms of identification checked. For example, the administering nurse could have photographs of the patients taken at admission and verify these each time the patient has medication administered to him or her. 

Currently there are working groups on RFID who seek to come up with the next generation of beacons. Unfortunately, many companies might be reluctant to buy these devices because of the extreme cost of replacing cards. It might seem that the lower the level of technology and the simpler the design, the better the output would be. Upon searching The Online Etymology Dictionary, we find the following definition: 

1721, "composite nature, quality or state of being composed of interconnected parts," from complex (adj.) + -ity. Meaning "intricacy" is from 1790. Meaning "a complex condition" is from 1794. 

Beyond the network design I would recommend designing a good security policy. We need to have a comprehensive document which we can supply to all network users. It is difficult implementing a secure network when the users of the network do not understand what they are protecting. By seeing how the general documents supplied by HIPAA apply to a small rural hospital like the fictitious example given here, we need to ask questions such as: what resources are confidential, what resources are precious and hard to replace, and what are we trying to protect against? What should happen if unauthorized access is taken against confidential data? What should we do if we experience a malicious attack on network resources? What other regulatory issues affect this policy? When we have a good security policy, we know that it could be implemented both behaviorally and technically. We know that there are tools or sanctions which could enforce it across the organization. It needs to define the responsibilities of users, administrators, and management towards reaching our goals. 

As network administrators we have a responsibility to document changes and incidents on the network. While a SIEM is a good first step, we need to define and document the responsibilities behind checking it daily. 

Biblical principles relating to network security occur when the Lord spoke to Job out of the storm. He said: 

 

“Who is this that obscures my plans 

    with words without knowledge? 

 

Brace yourself like a man; 

    I will question you, 

    and you shall answer me. 

 

“Where were you when I laid the earth’s foundation? 

    Tell me, if you understand. 

 

Who marked off its dimensions? Surely you know! 

    Who stretched a measuring line across it? 

 

On what were its footings set, 

    or who laid its cornerstone— 

 

while the morning stars sang together 

    and all the angels shouted for joy? 

Cyber security is not a technical problem; it is a behavioral one. Today technology influences everyone and could draw some into addictive behavior. This is evident in the trust which we put into service providers. Since the first digital alteration, humans have been hungry for relationships on their terms. It has been reported that when a person pulls down to refresh their email application, there is a rush of adrenaline like using a slot machine. We long to shape our identities and be recognized. How soon should we give certain types of technology to children? Mary Aiken reports that there were adults who screened the internet for content they found objectionable in attempts to build filters which prevent children from accessing this content. These adults were so overwhelmed by the ideas produced by terrorists, such as the beheadings and violence, that they began to experience PTSD (Aiken, 2016). 

It is important to some that Mark Zuckerberg, who dropped out of college, was majoring in consumer electronics, which is a dual major between computer science and psychology. Mark Zuckerberg said that there is a lot of work to be done, saying "Our society needs more heroes who are scientists, researchers, and engineers. We need to celebrate and reward the people who cure diseases, expand our understanding of humanity and work to improve people's lives" (Grove, 2013). 

 

Another element that is atypical offline but typical online is trolling and the lack of regard for authorities (Aiken, 2016). While it might not be someone with whom we agree on everything they say, it is essential that we are respectful of the ideals they represent. Should we fail, we might put an imbalance in the system such that others who rely on the figurehead struggle to find their own identity. Because of the nature of the online connection, we forget who we are as a child of God. That is an element that God finds so meaningful and so compelling that he personally came to earth as Jesus and lay in a manger full of hay and animal excrement. 

We need to make an outlet for children who have an aptitude for technology so that, rather than standing by and letting these children be heavily influenced by hormonal imbalances, we can redirect these interests into building technology. It is a lot harder creating than destroying. By focusing on the infrastructure that leads to crashes, we can eliminate the ambulances and the destroyed lives that come as a result of a collision. In the United States, computer intrusion is a felony. In many aspects of criminal justice, there is work release, which looks to create a diversion from crime to an ethical working mindset. 

May the Prince of Peace and Hope of Glory be with you. We are lucky to be alive in a time such as this. For these are the moments that God wants to work through and in us. Our reactions reveal the peace of Christ, who we truly are. I hope that we can solve this problem before it is too late. This is who we were meant to be. 

 

 

References: 

 

Aiken, M. (2016). The cyber effect a pioneering cyber-psychologist explains how human behavior changes online. New York, NY: Spiegel & Grau. 

ARP Poisoning. (2019, May 31). Retrieved from https://networklessons.com/switching/arp-poisoning. 

BibleGateway. (n.d.). Retrieved December 8, 2019, from https://www.biblegateway.com/passage/?search=Job+38&version=NIV. 

Cisco VPN Solutions and Highly Secure Connectivity. (2016, April 28). Retrieved from https://www.cisco.com/c/en/us/products/security/router-security/vpn-solutions.html. 

Dean, T. (2010). Network guide to networks. Australia: Course Technology, Cengage. 

Grove, J. V. (2013, February 20). Mark Zuckerberg co-sponsors $33M prize to extend human life. Retrieved from https://www.cnet.com/news/mark-zuckerberg-co-sponsors-33m-prize-to-extend-human-life/. 

Skoudis, E., & Liston, T. (2006). Counter hack reloaded: a step-by-step guide to computer attacks and effective defenses. Upper Saddle River, NJ: Prentice Hall. 

Smiley, S. (2018, March 27). 7 Types of Security Attacks on RFID Systems. Retrieved from https://blog.atlasrfidstore.com/7-types-security-attacks-rfid-systems. 
