See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/232590969

Design and Implementation of System and Network Security for an Enterprise

with World Wide Branches

Article  in  Journal of Applied Sciences Research · October 2008

CITATIONS READS

9 34,946

3 authors, including:

Seifedine Kadry Smaili Khaled

Noroff University College Lebanese University
574 PUBLICATIONS   3,261 CITATIONS    26 PUBLICATIONS   126 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

the early detection of breast cancer by artificial intelligence View project

Preserved Disease-EVidence-Information (DEVI) for automated disease detection. View project

All content following this page was uploaded by Seifedine Kadry on 03 June 2014.

The user has requested enhancement of the downloaded file.

 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

DESIGN AND IMPLEMENTATION OF SYSTEM AND

NETWORK SECURITY FOR AN ENTERPRISE WITH
WORLDWIDE BRANCHES
Seifedine Kadry, Wassim Hassan
School of Engineering, LIU, Beirut, Lebanon
E-mail: skadry@gmail.com

ABSTRACT

The basic reasons we care about information systems security are that some of our information needs to
be protected against unauthorized disclosure for legal and competitive reasons; all of the information we
store and refer to must be protected against accidental or deliberate modification and must be available in
a timely fashion. We must also establish and maintain the authenticity (correct attribution) of documents
we create, send and receive. Finally, the if poor security practices allow damage to our systems, we may
be subject to criminal or civil legal proceedings; if our negligence allows third parties to be harmed via
our compromised systems, there may be even more severe legal problems.
Another issue that is emerging in e-commerce is that good security can finally be seen as part of the
market development strategy. Consumers have expressed widespread concerns over privacy and the
safety of their data; companies with strong security can leverage their investment to increase the pool of
willing buyers and to increase their market share. We no longer have to look at security purely as loss
avoidance: in today’s marketplace good security becomes a competitive advantage that can contribute
directly to revenue figures and the bottom line. Networks today run mission-critical business services that
need protection from both external and internal threats.
In this paper we proposed a secure design and implementation of a network and system using Windows
environment. Reviews of latest product with an application to an enterprise with worldwide branches are
given.

Keywords: Network design, LAN, WAN, Security, Encryption, VPN, IPSec, Active Directory.

1. INTRODUCTION employees, customers, products, research, and

financial status. Most of this information is now
Information security means protecting information collected, processed and stored on electronic
and information systems from unauthorized computers and transmitted across networks to
access, use, disclosure, disruption, modification, or other computers. Should confidential information
destruction. The terms information security, about businesses customers or finances or new
computer security and information assurance are product line fall into the hands of a competitor,
frequently used interchangeably. These fields are such a breach of security could lead to lost
interrelated and share the common goals of business, law suits or even bankruptcy of the
protecting the confidentiality, integrity and business. Protecting confidential information is a
availability of information; however, there are business requirement, and in many cases also an
some subtle differences between them. These ethical and legal requirement. For the individual,
differences lie primarily in the approach to the information security has a significant effect on
subject, the methodologies used, and the areas of Privacy, which is viewed very differently in
concentration. Information security is concerned different cultures.
with the confidentiality, integrity and availability The field of information security has grown and
of data regardless of the form the data may take: evolved significantly in recent years. As a career
electronic, print, or other forms [8]. choice there are many ways of gaining entry into
Governments, military, financial institutions, the field. It offers many areas for specialization
hospitals, and private businesses amass a great including Information Systems Auditing, Business
deal of confidential information about their

111
 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

Continuity Planning and Digital Forensics Science, networks. Integrity for data in transit is typically
to name a few. provided by using hashing techniques and message
authentication codes.
2. SECURITY SERVICES AND • Availability
PROCESSES From a security perspective, availability means
Security is fundamentally about protecting assets. that systems remain available for legitimate users.
Assets may be tangible items, such as a Web page The goal for many attackers with denial of service
or our customer database — or they may be less attacks is to crash an application or to make sure
tangible, such as our company’s reputation. that it is sufficiently overwhelmed so that other
Security is a path, not a destination. As we analyze users cannot access the application.
our infrastructure and applications, we identify
potential threats and understand that each threat
presents a degree of risk. Security is about risk Goals Efficiency, Scalability, Accessibility
management and implementing effective
countermeasures.
• Authentication
Authentication addresses the question: who are
you? It is the process of uniquely identifying the Results Privacy, Integrity, Authenticity
clients of our applications and services. These
might be end users, other services, processes, or
computers. In security parlance, authenticated
clients are referred to as principals.
• Authorization Processes Access control, AAA, Audit
Authorization addresses the question: what can
you do? It is the process that governs the resources
and operations that the authenticated client is
permitted to access. Resources include files,
databases, tables, rows, and so on, together with Tools FW, IDS, VPN, Encryption, AV
system-level resources such as registry keys and
configuration data. Operations include performing 3. WAN PROTECTION
transactions such as purchasing a product, All companies should protect its wide area
transferring money from one account to another, or network ‘WAN’ to make the connections between
increasing a customer’s credit rating. all their branches secure, and all sending data
• Auditing reach in safe hands as recipients. To let the
Effective auditing and logging is the key to non- external network of any company protected and
repudiation. Non-repudiation guarantees that a high level secured, the virtual private network
user cannot deny performing an operation or ‘VPN’ is a good solution to organize a secure
initiating a transaction. For example, in an e- access to the internal network remotely. Internet
Banking system, non-repudiation mechanisms are protocol security ‘IPSec’ is configured with VPN
required to make sure that a client cannot deny to have more security to the network. The
ordering to pay a bill from his account. encryption is a good process to support the
• Confidentiality communication to be secret by using a private key.
Confidentiality, also referred to as privacy, is the
process of making sure that data remains private 3.1 Virtual Private Network ‘VPN’
and confidential, and that it cannot be viewed by One of the most important solutions to viruses and
unauthorized users or eavesdroppers who monitor hackers threats is VPN [4] that makes the network
the flow of traffic across a network. Encryption is between companies and users secured; it is also
frequently used to enforce confidentiality. Access authenticated and encrypted for security. VPNs
control lists (ACLs) are another means of provide the ability for two offices to communicate
enforcing confidentiality. with each other in such a way that it looks like
• Integrity they're directly connected over a private leased
Integrity is the guarantee that data is protected line. Basically, a VPN is a private network that
from accidental or deliberate (malicious) uses a public network "usually the Internet" to
modification. Like privacy, integrity is a key connect remote sites or users together. Instead of
concern, particularly for data passed across using a dedicated, real world connection such as

112
 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

leased line, a VPN [11] uses "virtual" connections corporate LANs over shared service
routed through the Internet from the company's provider networks.
private network to the remote site or employee. There are two types of remote access VPNs:
Three types of tunneling or encryption protocols • Client Initiated. Remote users use clients
that Windows Servers use for secure to establish a secure tunnel through a
communication: L2F, L2TP and PPTP. shared network to the enterprise.
Layer 2 Forwarding ”L2F”: it creates network • NAS Initiated. Remote users dial into an
Access Server (NAS), initiated tunnels by ISP Network Access Server (NAS). The
forwarding Point-to-Point (PPTP) sessions from NAS establish a secure tunnel to the
one endpoint to another across a shared network enterprise private network that might
infrastructure. support multiple remote users initiated
Because L2F is not client-based, systems do not sessions.
need L2F client software of configuration.
However, this also means that communications ¾ Site-to-Site: The two common types of
between the users, systems and the ISP are site-to-site VPNs (also known as LAN-to-
completely unprotected. L2F can use LAN VPNs) are intranet and extranet.
authentication protocols such as RADIUS and Intranet VPNs connect corporate
TACACS+. However L2F does not support headquarters, remote offices, and branch
encryption. offices over a public infrastructure.
Layer 2 Tunneling Protocol “L2TP”: it is IETF Extranet VPNs link customers, suppliers,
standard tunneling protocol that tunnels PPP traffic partners, or communities of interest to a
over LANs or public networks. L2TP was corporate intranet over a public
developed to address the limitations of IPSec for infrastructure.
client to gateway and gateway to gateway 3.2 IPSec
configuration, without limiting multivendor
interoperability. In these configurations, all traffic IPSec [3] is defined as a set of standards that
from the client to a gateway, and all traffic verifies, authenticates, and encrypts data at the IP
between two gateways is encrypted. L2TP uses its packet level. It is used to provide data security for
own tunneling protocol, which runs over UDP port network transmissions. IPSec is a suite of
1701. Because of this, L2TP may be easier to pass protocols that allows secure, encrypted
through packet filtering devices than PPTP. L2TP communication between two computers over an
can support multiple sessions within the same unsecured network. It has two goals: to protect IP
tunnel. packets, and to provide a defense against network
Point-to-Point Transfer Protocol “PPTP”: it attacks.
provides a protected tunnel between PPTP enabled Depending on which protocol is used, the entire
client "personnel computer" and a PPTP enabled original packet can be encrypted, encapsulated, or
server. It is not a standard tunneling protocol. It both. IPSec consists of a number of protocols. The
employs Microsoft Point-to-Point Encryption two IPSec protocols: Authentication Header (AH)
(MPPE) for data encryption. Microsoft developed and Encapsulating Security Payload (ESP), see the
PPTP, which like L2TP, tunnels Layer 2 PPP table (table 1) below:
traffic over LANs or public networks. Microsoft
has also created MS-CHAP to provide stronger Protocol Requirement Usage
authentication than PAP and CHAP.
PPTP creates client-initiated tunnels by
AH The data and Use for data
encapsulating packets into IP datagrams for
the header integrity in
transmission over the Internet or other TCP/IP
need to be situations where
based networks. So L2TP is more secured than
protected from data is not secret
PPTP.
modification but must be
VPN services for network connectivity consist of
and authenticated —
authentication, data integrity, and encryption [11].
authenticated, for example,
The two basic VPN types are remote access and
but remain where access is
site-to-site:
readable. enforced by
¾ Remote Access: Remote access VPNs
IPSec to trusted
secure connections for remote users, such
computers only,
as mobile users or telecommuters, to
or where network

113
 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

intrusion network security. Traditionally, encrypting data for

detection, QoS, transmission across a network required that the
or firewall same encryption key, called a shared secret or a
filtering requires private key “figure 1”, be used at both ends of the
traffic inspection. data exchange [9].

ESP Only the data Use when data

needs to be must be kept
protected by secret, such as
encryption so it file sharing,
is unreadable, database traffic,
but the IP RADIUS
addressing can protocol data, or
be left internal Web
unprotected. applications that
have not been
adequately
secured by SSL. Figure 1: using public and private key for
encryption
Both The header and Use for the Asymmetric encryption classes usually use two
AH and data, highest security. separates keys for encryption and decryption. The
ESP respectively, However, there device receiving the data uses a private key to
need to be are very few decrypt data as it is received. Any remote device
protected while circumstances in wanting to send encrypted data to the receiver
data is which the packet must use a separate public key to encrypt the data
encrypted. must be so before it is sent. The following figure represents
strongly our design and implementation of two world wide
protected. When branches using VPN and IPSec technologies.
possible, use ESP
alone instead.

Table 1: IPsec Protocols

It is recommended that using L2TP/IPSec with
certificates for secure VPN authentication. By
using Internet Protocol security (IPSec)
authentication and encryption, data transfer
through an L2TP enabled VPN is a secure as
within a single LAN at a corporate network.
The VPN client and the VPN server must support
both L2TP and IPSec. Client support for L2TP is
built in to the Windows XP remote access client,
and the VPN server support for L2TP is built in to
the Windows Server 2003 family. L2TP server
support is installed when you install the Routing Figure 2: Proposed Security Design for WAN
and Remote Access Server Setup Wizard, L2TP is Topology
configured for five or 128 L2TP ports.
3.3 Encryption 4. LAN PROTECTION
Encryption is one of best processes of encoding a We have described previously our secure design
message or data through a mathematical key in a for external network between companies. In this
manner that hides its substance from anyone who part we explain our secure design for the internal
does not process the mathematical key. However, network of a branch and figure 3 below shows how
encryption has not always been applicable to our design of the local area network ‘LAN’ inside

114
 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

the office works step by step and organized in a to disable media source for any install to avoid
way that allows secured and protected data having viruses problems and system's infection.
communication to occur between users through
4.2 WSUS
security servers control inside the office. Therefore
the system protection includes a special care for To keep office systems protected and updated, the
users, computers and information under main Windows Server Update Services 'WSUS' [5],
servers’ control such the Active Directory ‘AD’, which is configured in the Active Directory server,
Windows Server Update Services ‘WSUS’, the provides a capacity to download updates from
Symantec Update, Windows Right Management Microsoft or from another WSUS server within
Services ‘WRMS’, and SurfConrtol E-mail and user organization, and distributes these to its
Web Filtering ‘SCEF’. clients. WSUS provides a number of new features
including targeting of patches to specific groups of
In order to make the LAN safe during sending and
machines, support for more products (e.g. Office),
receiving messages, and during systems' job under
and improved reporting. WSUS is a service
administrator's control, there are many essential
administrator run inside his organization – on one
steps that keep the whole network process and
or more servers which he configures to serve
users' access avoiding infections' threats, using
software updates to one or more AU clients.
specific protection's servers:
Notice that AU client is an Automate Update
Client which is a Windows Automatic Update
software installed and running. The AU software
contacts a Windows Update server and receives
updates.
4.3 SurfControl E-mail and Web Filter
When the message gets inside the network, then
the Pix Firewall scans and filters it against viruses.
Therefore the SurfConftrol E-mail and Web Filter
server [10] gets the message and starts analyzing
and checking if it contains any spam or sex and
adult words and any unsecured attachments, if the
message is clean and clear, then the message
Figure 3: Proposed Security Design for LAN continues on to reach the exchange server which
Topology provides a reliable messaging system that also
protects against spam and viruses and finally the
4.1 Active Directory
server distributes messages to all users in the
Active Directory 'AD' [1] server is a common office.
repository for information about objects that reside
SurfControl E-mail Filter is a part of the
on the network, such as users and groups,
SurfControl Enterprise Protection Suite, a unified
computers and printers, and applications and files.
threat management solution that also employs
Administrators put all users in the office under
advanced Web and endpoint threat protection, to
control and give them permissions through the
provide comprehensive protection against today's
Active Directory 'AD' server's configuration which
known, emerging and internal threats that
stores data about user, computers and network
increasingly exploit multiple threat points.
resources such as shared files, and printers, and
lets only authorized users to access the AD. SurfControl Web Filter a best-in-class security
solution that protects the enterprise against known,
The Group Policy Object 'GPO' is configured in
emerging, and costumer specific threats before
the Active Directory and gives various permissions
they reach the network. It provides the strongest
to all users depending on each user's job level. The
combination of protection, flexibility and
GPO lets the administrator gives permission for
scalability of any Web content security solution on
users such as password policies to define its
the market. Also applying Web usage policies
complexity and its length and age, and it can
couldn't be easier.
remove the run command from the start menu to
restrict modifying the windows' system, also the 4.4 Symantec Antivirus
most important policy is that it can restrict CD-
The Symantec antivirus server [6] monitors,
ROM and floppy access to locally logged on, and
configures and updates each computer on the

115
 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

office's LAN network, also helping users to make system protection using particular protected
their files better fortified against risks and viruses. servers --- Active Directory 'AD', Windows Server
Then the Symantec Antivirus main purpose is to Update Services 'WSUS', Symantec, and
protect files on your network and client computers SurfControl for web and mail filter.
from viruses and others risks, such as spyware and
adware. 6. RESULT AND DISCUSSION
Each client on the network can be monitored, There are some special cases illustrate how the
configured, and updated from a single computer by network can be protected and high level secured
installing Symantec administrator tool that is against hackers and viruses, actually during an
called the Symantec System Center to verify which email coming from the external to the internal
computers in the network are protected and network, and during the web browser access. Also
working properly. The administrator can install keeping the inside company’s system sheltered
and upgrade Symantec Antivirus clients and during sending messages between users, also avoid
servers from the Symantec System Center. systems be infected by prohibit using device may
include viruses such as CD, floppy or USB.
4.5 WRMS
When a user needs to send a file to the other users 6.1 Case 1: Incoming E-mail
internally then the Windows Rights Management If the incoming e-mail includes any kind of threats
Services 'WRMS' [7] server adds more security that cause problems to the network and systems,
and protection to information. Depending on the then the Mail Filter server helps to protect and
importance of the file the user wants to send like avoid system’s infection by making a decision on
customer data or financial reports, WRMS helps whether or not an e-mail is infected or not. If an e-
the user by letting him/her give specific mail doesn’t contain spam or/and viruses then the
permissions in which every recipient has specific Exchange server permits the passage of this email
jobs to do with that document, like read, save and to recipients. If infected, the e-mail gets isolated or
print, or delete. So the sending file is protected by discarded see figure 4.
RMS. WRMS is information protection
technology that works with RMS-enabled
applications to help safeguard digital information
from unauthorized user.
4.6 MOM
By delivering operational knowledge and subject
expertise directly from the application developers,
MOM [2] helps simplify identification of issues,
reorganize the process for determining the root
cause of the problem, and facilitates quick
resolution to restore services and to prevent
potential IT problems. So MOM allows user to
monitor and generate reports on the total uptime of
SQL Server and other service level exception. It
manages all servers from centralize management
(monitoring).
5. APPLICATION
This session discusses how these concepts come
together into practical use in the banking system, Figure 4: SurfControl Protection
with an applied focus on the network
"communication" between the main office of the
bank and its all branches. It also shows the actual 6.2 Case 2: Spoofing Data
practices of these concepts in the bank system,
which are through the virtual private network Data can be secured and protected against any
"VPN" using a secure tunnel protocol and makes outer theft and tampering, especially when data is
the virtual connection between user and company being sent between branches, through the VPN
connected through remote access or site to site connection using Internet security protocol ‘IPSec’
types within the external network, and the internal tunneling with the data encryption using data

116
 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

encryption standard ‘DES’. Pre-shared keys are the such as CD-ROM, Floppy and USB that may
simplest authentication method to implement and include viruses ‘see figure 7’.
permit two branches communicate with each other
in private, and their private key should exist the
same and never given out “see figure 5.

Figure 7: Active Directory Policy

6.5 Case 5: Encrypted File

Figure 5: VPN with IPSec Encryption Technique
The Windows Rights Management Services
‘WRMS’ helps protect information from
6.3 Case 3: Web Browsing unauthorized use in the network. Figure 8 shows
that user 1 “the sender” sends a file internally to
ISA server secures the network through firewall, user 2 and user 3 by giving each one special
and accelerates the web access during cashing limitation using the built in “Restrict Permission
“HTTP” which users request like HTTP protocol. as”. Then the user 1’s computer will be configured
At the same time, the web filter checks the web for WRMS with contacting the WRMS server, and
content with high level of protection against any so the protected file contacts the WRMS server for
unknown web browser that may cause specific license. Finally the RMS organizations help the
threats before reaching the network ‘see figure 6’. sender to protect and prevent his file --- from
Then the Web Filter replies to HTTP request by intentionally getting into the wrong hand “user 4”.
allow or disallow depending on the web clearance.

Figure 6: Web Filter Protection

6.4 Case 4: Active Directory

To avoid the infection and malfunction that viruses
and hackers cause to systems in the internal
network ‘LAN’, the Active Directory contains
Group Policy Object ‘GPO’ which are controlled
by the administrators who provide permissions to
all users in the office. One of the most important Figure 8: File Protected by WRMS Server
permissions which is used against systems’ threats
is the policy of security options for ‘disable the
media source’ for any install and access locally

117
 Journal of Theoretical and Applied Information Technology

©2005 - 2008 JATIT. All rights reserved.

www.jatit.org

7. CONCLUSION Managing Windows Server Update

Services. Syngress, 2006.
This article proposed a secure design for network
and system in windows environment using the [6]. Shimonski Robert J., Configuring
latest technology. The security of networks always Symantec Antivirus: enterprise edition.
faces new potential threats as hackers and viruses Lavoisier, 2003.
advance. The design shows how the network can
[7]. Shinder D., How the Windows Rights
be more secure by encrypting the sending data
Management Service can Enhance the
using internet protocol security between user and
Security of your Documents. Published:
server. The purpose of network security is to
Sep 23, 2003 Updated: Apr 06, 2005
provide availability, integrity, and confidentiality.
Section: Articles. Windows 2003 Security.
Thus, the main objective of VPN is to prevent www.windowsecurity.com
outsiders (hackers) from interfering with messages
[8]. Stallings W., Cryptography and Network
sent among hosts in the network, and to protect the
Security, 4/E Prentice Hall, 2006.
privacy and integrity of messages going through
untrusted networks. The active directory manages [9]. Stinson D., Cryptography Theory and
all network resources such as servers, shared files, Practice, Third Edition last modified
and printers, through authorization access January 19, CRC Press, 2006.
resources. In addition to Active Directory, the
[10]. SurfControl Instant Message Filter,
main protection's servers such as WRMS, and
Administrator's Guide Version 4.5 printed
WSUS, and Symantec make the internal network
June 30, 2004. www.surfcontrol.com
'LAN' protected and secured against threats and
viruses. [11]. SÜHEYLA K ZIN, Performance
parameters of wireless virtual private
After applying our proposed design and these
network. Master Thesis, Middle East
concepts to an enterprise with worldwide branches,
University. 2006.
they proved efficient and highly reliable as
network security mechanism. Therefore, all the
mechanisms thoroughly discussed in this project
proved to work well together and provide the
needed security in any professional setting.
REFRENCES

[1]. Allen R. and Alistair G, Active directory.

O'Reilly 2003.
[2]. Fox C., Essential Microsoft Operations
Manager. O'reily, 2006.
[3]. Munasinghe K. S. and Shahrestani S. A.,
“Evaluation of an IPSec VPN over a
Wireless Infrastructure,” in Proceedings of
the Australian Telecommunication
Networks and Applications Conference
(ATNAC 2004), pp. 315-320, December
2004a.
[4]. Munasinghe K. S. and Shahrestani S. A.,
“Analysis of Multiple Virtual Private
Network Tunnels over Wireless LANs,” in
Proceedings of the 3rdInternational
Business Information Management
Conference (IBIMA 2004), pp. 206-211,
December 2004b.
[5]. Piltzecker T., Williams D., Snedaker S.,
Todd C., Vigil K.. How to Cheat at

118

V i e w p u b l i c a t i o n s t a t s