The Network Plan and Security PlanningIACT424/924 Corporate Network Design and Implementation

Overview

Dimensioning the network Capacity Planning Redundancy

Accountability Ethics Regulations

Security Planning Security audits

Dimensioning the Network

In developing a network plan one of the primary stages is dimensioningTo dimension a network we need to decide For Voice networks

How many outgoing lines How many incoming lines How many internal calls

For data networks Capacity of cables Location of switches/routers Traffic distribution

Dimensioning the Network

The objective of network designers is to minimise the cost of installing and maintaining the network

Dimensioning the Network

These problems are complicated by the need to consider many factors such as Cable capacity End-to-end blocking probabilities Delay and reliability requirements

Dimensioning the Network

Mathematically we can say that The objective of designing and

maintaining a network is to: Minimise the cost of installation and

maintenance Whilst meeting some given performance

criteria

Dimensioning the Network

Or more specifically: Given

Node locations Edge locations Traffic requirements

between node pairs Cost of transmission

capacity Cost of node

installation Minimise

Total network costs

Determine Network topology Edge capacities Routing policy

Subject to Performance

constraints Capacity

constraints Reliability

constraints

Dimensioning the Network

These models generally end up being combinatorially explosive or NP complete

Dimensioning the Network

To simplify the problem of solving these models several assumptions are used Packet (data) arrival is independent of other

traffic (Poissonian arrival) Packet size is independent of other traffic

(exponential packet size)

In voice networks assumptions are made about Number of phone calls made per

customer/phone Length of calls

Working It Out

Modern network based applications don’t follow these assumptions Most applications have a real time

component These types of applications tend to

create a traffic stream that creates packets: At fixed time intervals (deterministic) Have a fixed size (deterministic)

Working It Out

This means that all the simplifying assumptions are no longer valid

Also potential savings can be achieved by installing excess capacity to meet future requirements

Issues

Privacy

Security

Responsibility - Accountability

These are inter-related and must NOT be considered in isolation from each other

Privacy

Personal Privacy We believe we have a right to privacy We expect governments, institutions,

corporations and individuals to respect our privacy

We expect that we have a right to examine any information held about ourselves – medical records, credit references etc Who holds what sort of data about you?

Privacy

Australian Federal Government debate over regulating corporate access to private details- will it destroy the telemarketing industry?

Government bodies are not allowed to collate their databases, but private organisations may, there is no law against it

Privacy

Governments are outsourcing their administrative functions to private groupsDo Governments need access to private data to enforce the law? National security Organised crime Drug trafficking Child pornography etc

Is that why governments don’t like people using the best encryption systems?

Security

Information technologies Tools that improve the quality and

efficiency of our work Repositories for critical and

proprietary corporate information

Improper access or the destruction of these resources will have serious consequences

Security – Three Aspects

Physical Security Ensure that the physical elements of the network are

protected. Includes routers, switches, servers, computer rooms, cabling frames etc

Network Security Ensure that access to the network is controlled and the

network protected from unauthorised access

Content Security Ensure the integrity and confidentiality of the contents

on the network, both stored and message traffic

Security Polices

A Security policy: Ensures corporate IT resources are

protected from destruction, alteration or unauthorized access

Ensures protections are accomplished in a manner consistent with business requirements

Security Polices

A high-level organisation-wide plan for protecting informationProvides the following information How the organisation approaches information security

issues Statements of intent Recovery priorities

Agreed conditions of use This agreement is a direct product of part of the security policy

Rights of users

Security Polices

Security Policies should cover Security of computer systems Security of resources Their operation Data stored within the system and data in

transit

Security Polices

Security policies are a form of risk analysis Seek to reduce the likelihood and effect of security

incidents Provide guidance on ANY activity that may affect

telecommunications security Who can make external data connections How new technology should be introduced

Should NOT contain technology specific details Changes may may the policy impractical

Why do we need a Security Policy

Cost Reduction Defending or losing assets Help prevent security incidents

Basis for organisational procedures What actions should be taken Who should be advised What are the underlying priorities Chain of command

Security Planning Checklists

There is no industry-standard information systems security planning checklist

IT technology is used by a huge number of industries, all of which have varying levels of information security requirements

One checklist can't be a standard for everyone

Top 10 List of Security Planning To-do Items.

1. Research the industry for which your company is in Identify if there are any security and auditing

regulations that are either imposed through legislation or an industry standards body

If so, obtain copies of those documents

2. Download the SANS institute top 20 security threats http://www.sans.org/top20.htm

Top 10 List of Security Planning To-do Items.

3. Download updated lists from all OS and application vendors your company uses that outline availability of

Current patches Hot fixes Service packs Etc

4. Reconcile the SANS top 20 security threats with whatever standards/regulations may be appropriate to your industry

Top 10 List of Security Planning To-do Items.

5. Identify all the resources in your environment Who uses them What's on them

Rank them in an order of criticality on a scale of 1 to 5

1 being least critical and 5 being most critical Ask the information stakeholders and management to

identify the information they use and to rank it from 1 - 5 on the same scale

Top 10 List of Security Planning To-do Items.

6. Perform a vulnerability analysis scan of your environment in the order identified in step 5

Take the results of that scan and reconcile it with the information obtained in steps 1 to 3

Top 10 List of Security Planning To-do Items.

7. Re-mediate the outstanding issues that exist in the order you developed in step 5

8. Identify areas of any regulatory or industry requirements identified in steps 1 and 4 that were not addressed in step 7

9. Re-mediate those outstanding issues10. Implement a plan to maintain the state that you

are now in You've gotten secure, now you must stay secure, and

that's a process that doesn't end