Assessment: Case Study Research Report
Assessment Title: Bolton Health Service – Secure Network Design
Assessment Length: 3000 words
Learning Outcomes:
LO1: Perform a risk assessment for a given network security scenario and design a defensive strategy to address the risks that you have identified.
LO2: Devise a firewall security policy and implement it using appropriate hardware and/or software.
Assignment Brief Introduction
The Internet has changed the approaches and attack vectors used by criminals in a massive way. The requirements for a criminal to geographically close to their target is no longer a requirement. Attackers can probe and gain access to any unprotected network from the comfort of their local internet café; no physical presence, no violence – simply following a logical processes and careful analysis of the information retrieved from a probed network is sufficient for the criminal to obtain sensitive data such as credit card and deeply personal details. Therefore the design and development of a secure network that provides a defence in depth strategy is paramount in today’s business environment.
Assignment Brief and Overview of Research Scope
You are required to design and document a secure network for a medium sized doctor’s office that includes the development of a shell script that includes all of the configuration elements for a Linux based iptables based firewall.
For this written assignment you are expected to research and develop two areas of network security. This assignment will provided you with a deep yet rounded understanding of the approaches required to protect networks from outside attack without restricting use for the authorised users of the network.
The assignment will consist of at least a minimum of three thousand words (excluding appendices, bibliography and contents page) and will require independent research covering the following two aspects of risk assessment for the design of a secure network that takes a defensive strategy to address the risks that you have identified and devise a firewall security policy and implement it using appropriate hardware and/or software.
1. Risk Assessment and Secure Network Design: Under take a risk assessment to determine services, protocols, connection directions, security classifications for data, access control, overall network security and Host and server security. Design the secure network contrasting technologies and techniques to define the best strategy to mitigate the attack vectors identified based upon the protocols and risk analysis. This will include a detailed network diagram outlining ingress and egress points and full topology diagram that provides a defence in depth strategy.
2. Devise the firewall policy: Provide detailed instructions for the configuration of the firewall and rational for the rules applied based upon the identified network services highlighted from the risk analysis as identified in part one. This must be submitted as a shell script with detailed information on each of the rules that have been identified and how this related to the information security strategy and the defence in depth strategy
For both areas you will need to consider and research contemporaneous security practices for network design and deployment. Furthermore you will need to provide comparisons and justify your approaches for the topological design, deployment of technologies and why you have chosen the strategies and technologies. It may well be worth researching to see if there are existing practices within the NHS for this sort of development.
Please use the papers provided in the Case Study lectures on Moodle 2 to help you understand the topic and how to write at the required academic level. This is a piece of applied research and should be documented as such.
Case Study area of research.
Bolton Health Service medium sized medical practice.
The assignment will consider the environment of a medium sized doctor’s office and surgical practice. There will be a number of assumptions that can be made in terms of the requirements of the services – such as internal servers and external connection requirements, protocols and services that are used will be standard ports for those services. For example, SSH prot 22, DNS port 53, SMTP port 25, http port 80 etc etc. There is also some specialist equipment for medical imaging – an example of one can be found here https://www.philips.co.uk/healthcare-product/HC781342/ingenia-30t-mr-system that contains some basic specifications. Assumptions can also be made about this equipment and how the data is stored and transmitted – assume a standard network protocol appropriate to the task is used.
Consider Information Security: This is a prerequisite exercise for the main element of the assignment brief. Understanding an organization’s data is the first step to securing their network. Data will have different confidentiality and reliability requirements depending on whether it is medical, personal or general. Use the titles of medical, personal and general as the classifications of the data and consider how each class is to be handled in the context of the access permissions for the various roles in the organization. For example a Doctor would need to see all medical and personal information where as a receptionist would only require to personal.
Planning The Network through risk analysis (1): Network security requires: 1) Identifying the services, protocols/ports, connections, software and hardware technologies used within the network, and 2) allocating services to virtual or physical computers, based on their Criticality/Sensitivity classification and role-based access control. This is all undertaken through the process of risk analysis.
In this case study of the doctors’ office you must complete research in order to undertake risk analysis to determine an appropriate design of a secure network for the required services including appropriate controls to securely protect the data. The first step would be to determine which network services are allowed to enter and leave the network, and in which directions connections normally originate and identify potential attack vectors that could be exploited based upon Application Level protocols and transport and addressing protocols. The second step considers which applications can be stored together on physical or virtual machines, based on access control (who can access what) and the Criticality classification. Based on the Criticality classification, you will then define the required controls for each service/host and technology used. The design and implementation of the network and technology needs will be based upon the risk analysis you have identified and based upon the services that are required for this busy doctor’s surgery and must to protect the organization’s data, hosts and LANs from unauthorised access from the Internet, inside and wireless networks.
Finally, you are required to develop a topological diagram that has a colour code the different systems according to their level of security. Please use the floor plan of the office to help with the topological diagram
Figure 1: Floor Plan for Bolton Health Service.
Devise the Firewall Policy – Network Security Research Element 2: If you are to protect the network, you must be able to define and develop the rules for the firewalls that are placed throughout the network. These rules must be written as a BASH script that can be used on the Linux based firewall. Additionally there MUST be a chapter in the main body of the research paper that discusses the rules you have implemented, why you have implemented them and why they are appropriate for the services and protocols you have identified from the risk assessment undertaken in research element 1. Understanding protocols is essential to recognizing attack traffic, attack vectors as well as how attacks can be manifested at different levels of the TCP/IP stack and programming a firewall is a key skill required for today’s security set. For example, you may need to consider which ports should remain open in and in which direction do connections normally occur? Sometimes this is not easily known, and some research will need to be taken.
This very technical exercise and each of the practical sessions that have taken place will help you with the development of the rules. It is expected that you will test your rules to ensure that they work.
Secondary Research Level HE6 – It is expected that the Reference List will contain between fifteen to twenty sources. As a MINIMUM the Reference List should include four refereed academic journals and four academic books.