Detailed Specifications and Justification
In the sections above I explained how to configure the network of Wharf Traders Limited and the services offered by the various servers within it.
In this section I explain in more detail the specific information behind, and the justification for, the choices made in those sections.
1. Type of Data flow in network of Wharf Traders Limited
The network is fully secured by two firewalls that create a DMZ (Demilitarised Zone). In this zone I have hosted the servers that require a secure flow of data: WT-CF-Com, which hosts file sharing via SFTP with its clients, and WT-IA-Com, which hosts the Apache web service, together with SQL on the WT-DB server, for secure hosting of the web application used by clients. LAMP is considered to be very secure in itself.
I have hosted only one service per server in the DMZ perimeter, as it is essential for security that if one is compromised the others are not. In addition, the firewalls creating the DMZ are of two types, proxy and packet, so they can filter at both the IP layer and the application layer of the OSI model, creating a very effectively secured environment together with the host firewalls, such as iptables, on the servers.
Also, data transmitted within the network is protected by IPsec, which encrypts the information.
Also, the LDAP service used on the servers communicates with Kerberos to authenticate users, with the server generating and granting tickets for secure communication. Additional Access Control Lists are deployed on the switches to further secure the authentication process.
2. Authentication Authorisation and Access Control in network of Wharf Traders Limited
As mentioned above, certificates will be generated by the server so that authentication can be done internally and with clients; however, the root server itself needs a certificate, which must be obtained from a Certification Authority such as Verisign.
Other measures, such as Kerberos and ACLs, are also used for authenticating users.
Access Control is achieved by passwords and permission policies.
3. Planning of Users and Group in network of Wharf Traders Limited
Planning users and groups is essential, because over time it becomes difficult to manage users if groups are not created, and policy cannot be applied effectively. Hence, groups are created from users who have a similar role in the organisation. This lets us apply group policy, including permissions, to each group separately, which gives fine-grained access control for managing the network and its resources.
4. Methodology and Advisability for encryption of data in Storage and Transit in network of Wharf Traders Limited
Internally, the deployed IPsec encrypts data in transit and provides security. In storage, EFS is used to encrypt files, and NFS is used to mount files to create shared folders that can be accessed only with suitable permissions.
Over the Internet, SSL (Secure Sockets Layer), which uses symmetric encryption, is used for data encryption, and SFTP (Secure File Transfer Protocol) is used to transfer files from the WT-CF-Com servers.
5. Integration and Configuration of other services in network of Wharf Traders Limited
I have used email via Exchange and SharePoint intranet services via IIS to provide email and other internal communication services to the users of Wharf Traders Limited.
Also, for web access I have configured LAMP, which is used for file transfers and Internet access for staff and for hosting the application used by clients.
6. Restoration in case of failure in network of Wharf Traders Limited
The sections above described the backup procedures for mission-critical servers. If those procedures are followed, then the critical data can be retrieved and restored easily via the restore option in Windows, which takes backup tape files (.bkp) for restoration and can be used to restore any lost data. Otherwise, in case of server failure, a full restoration can be retrieved from off-site storage and applied to a new server.
However, the reason for the secondary domain controller was precisely this: to give the network redundancy in case of primary server failure.
On Linux systems, backups can be scheduled with crontab; cron jobs can be set to run daily, weekly and monthly to take differential and full backups.
Use a shell script to create a cron file to take the backup, as mentioned below.
Files are stored in TAR format, which is used for restoration as well.
Now save this file, then run crontab -e from the backupadmin account to open the crontab and type:
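# Per-user crontab (crontab -e): no user field, jobs run as backupadmin.
# Daily at 02:01, weekly on Sunday at 01:13, monthly on the 1st at 03:40.
01 2 * * * /etc/confidential/cron.everyday
13 1 * * 0 /etc/confidential/cron.everyweek
40 3 1 * * /etc/cron/cron.everymonth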
This will back up the files daily, weekly and monthly.
This is just a sample file and needs to be changed according to the requirements of the network, as backups can significantly slow down the network and hence should always be run when there is little traffic on the network.
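As an added example (not the report's own script), here is a minimal full and differential backup in TAR format that cron entries like those above could call, with a checksum check before restoration. It assumes GNU tar and sha256sum; the function names and the archive layout are hypothetical.

```shell
#!/bin/sh
# Added example: full and differential tar backups (GNU tar assumed).
# Function names and file layout are hypothetical, not from the report.
set -eu
umask 077   # archives and snapshot files readable by the backup account only

# full_backup SRC DEST: level-0 archive plus the snapshot later runs compare against.
full_backup() {
    src=$1; dest=$2
    mkdir -p "$dest"
    rm -f "$dest/full.snar"            # no snapshot present forces a level-0 dump
    tar --create --gzip --file="$dest/full.tar.gz" \
        --listed-incremental="$dest/full.snar" \
        -C "$(dirname "$src")" "$(basename "$src")"
    (cd "$dest" && sha256sum full.tar.gz > full.tar.gz.sha256)
}

# differential_backup SRC DEST NAME: everything changed since the last FULL backup.
# tar rewrites the snapshot it is given, so it works on a copy and full.snar stays at level 0.
differential_backup() {
    src=$1; dest=$2; name=$3
    [ -f "$dest/full.snar" ] || { echo "no full backup in $dest" >&2; return 1; }
    cp "$dest/full.snar" "$dest/$name.snar"
    tar --create --gzip --file="$dest/$name.tar.gz" \
        --listed-incremental="$dest/$name.snar" \
        -C "$(dirname "$src")" "$(basename "$src")"
    rm -f "$dest/$name.snar"
    (cd "$dest" && sha256sum "$name.tar.gz" > "$name.tar.gz.sha256")
}

# restore_backup DEST TARGET NAME...: check each archive's checksum, then extract
# in the order given (the full archive first, then the differential).
restore_backup() {
    dest=$1; target=$2; shift 2
    mkdir -p "$target"
    for name in "$@"; do
        (cd "$dest" && sha256sum -c "$name.tar.gz.sha256" >/dev/null) || return 1
        tar --extract --gzip --file="$dest/$name.tar.gz" \
            --listed-incremental=/dev/null -C "$target"
    done
}
```

A checksum stored beside its archive only detects corruption; copying the .sha256 files to a separate host lets them also detect changes made on a compromised backup server.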
7. Audit methods in network of Wharf Traders Limited
Auditing is very important for the network, as it helps in troubleshooting the cause of any failure and in investigating any compromise of the network servers.
I have suggested above that log files should be backed up and stored on another server as well, so that if a system is compromised the log files can still be retrieved.