Wharf Traders

Introduction

Wharf Traders is moving to a new location and is looking for a network setup; I am providing this document for their new office location.

I have suggested the detailed specifications that are required in order to create and achieve security and protection of the data, which is sensitive in nature.

I have proposed 3 Windows Server 2008 servers and 3 Linux servers (Ubuntu and CentOS) as backend servers for the network. I have also acknowledged that users will have XP or Vista client machines.

In this manual I have detailed, step by step, the services and configuration that need to be enabled in the network, along with other details mentioned further on in the Detailed Specification and Justification section of the manual.

Aim of the Proposed Manual

The sole aim of this manual is to guide the system administrator of Wharf Traders through the configuration and setup of the network as specified.

Expected Audience of the Proposed Manual

This is a very sensitive document: the manual contains information about the network that could expose it to threats if released carelessly.

It holds confidential information and is meant only for use by the system administrator when planning the Wharf Traders Limited network.

1. Planning of Users and Groups for Wharf Trader Network

Wharf Traders comprises four main departments (also known as divisions), namely:

  • Corporate Finance
  • Investment Advice
  • Research
  • Back Office

As per the requirements, the confidential data flows are identified here: the Investment Advice department requires secure communication with the market makers over an application that is to run on a secure server, and the Corporate Finance department requires the same.

DATA FLOW:

Corporate Finance Department: Clients, Lawyers and Accountants.

Investment Advice Department: Market Makers (Brokers etc.).

Remember: Classifying the nature of the data is very important in order to create successful groups and their plan, which is referred to in the next section; it is advisable to read the data flow before reading and implementing anything further.

Groups will have users based on their designation in the company, such as:

1. Chief Executive of Wharf Traders (CEO)

Corporate Finance Department:

As this department has special requirements, such as the secure and confidential transfer and storage of top-secret data, which is highly sensitive in nature and liable to prosecution under UK law, special care is taken in creating groups and identifying their roles along with users.

  1. Managing Director of Corporate Finance (CF)
  2. Project Supervisor
  3. Project Team
  4. Project Coordinators
  5. IT Administrators

Investment Advice Department:

As this department has special requirements, such as the secure and confidential transfer and storage of secret data, which is highly sensitive in nature and liable to prosecution under UK law, special care is taken in creating groups and identifying their roles along with users. The data is hosted on a separate server, and it is acknowledged that the hosted service is provided to clients such as market makers via AIM to Wharf and then to its clients.

  1. Managing Director of Investment Advice (IA)
  2. Investment Advisors Supervisors
  3. Investment Advice Team
  4. Market facilitators Team
  5. Coordinators

Research Department:

Research does not hold sensitive data of its own, but as it provides information to departments such as Corporate Finance and Investment Advice on potential clients, prospects, and progress on the listing of current clients, its information ultimately becomes sensitive in nature.

  1. Managing Director of Research (RE)
  2. Investment Advice Support Supervisors
  3. Investment Advice Support Team
  4. Corporate Finance Support Supervisors
  5. Corporate Finance Support Team

Back Office:

Back Office is responsible for all the clerical work of the company and hence also does the printing and accounting, from creating invoices for clients and sending them by post to printing documents and posting them as news posts, and various other activities.

  1. Managing Director of Back Office (BO)
  2. Back Office Supervisors
  3. Back Office Team
  4. Personal Assistant to Chief Executive (CEO)

Remember: This information will additionally follow the Bell-LaPadula information model to produce effective users and groups and eventually enforce policy based on it.

In simple terms, the Bell-LaPadula model consists of two rules:

  1. No read up
  2. No write down

More information is given in the Detailed Specification and Justification; refer to it when in doubt.

Creation of groups is based on the plan above and is described in Section 5 of this manual.

2. Data Flow and Classification of Data in Wharf Traders

IPsec

Data classification is an essential part of user and group planning, as it supports and acknowledges the daily operations and functions of Wharf Traders in terms of storing and transferring data over the network internally, and externally over the Internet.

Classification helps to identify the following:

  1. Criticality of data
  2. Sensitivity of data
  3. How much to protect, control and secure any particular data

Hence, keeping these things in mind, below is the proposed classification of data, based on the UK data classification.

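As an added illustration, not part of the original manual, the Python reference monitor below applies the two Bell-LaPadula rules from Section 1 to the Wharf Traders groups and the CF/IA folders, using a compartment per department so that CF and IA data stay separate; the clearance levels, compartments and group/folder names assigned here are assumptions for illustration.

```python
"""Bell-LaPadula check for the Wharf Traders label scheme (added example, constructed)."""
from dataclasses import dataclass

# Ordered lattice of classification levels, lowest first.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # department compartments, e.g. {"CF"} or {"IA"}

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND a superset of compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


# Assumed clearances for the groups of Section 1 (constructed for illustration).
SUBJECTS = {
    "CEO":            Label("TOP SECRET",   frozenset({"CF", "IA"})),
    "CF_MD":          Label("TOP SECRET",   frozenset({"CF"})),
    "CF_ProjectTeam": Label("TOP SECRET",   frozenset({"CF"})),
    "IA_MD":          Label("SECRET",       frozenset({"IA"})),
    "IA_Team":        Label("SECRET",       frozenset({"IA"})),
    "RE_CF_Support":  Label("CONFIDENTIAL", frozenset({"CF"})),
    "RE_IA_Support":  Label("CONFIDENTIAL", frozenset({"IA"})),
    "BO_Team":        Label("UNCLASSIFIED"),
}

# Assumed labels for the shared folders of Section 4 (constructed for illustration).
OBJECTS = {
    "CF_share":       Label("TOP SECRET",   frozenset({"CF"})),
    "IA_share":       Label("SECRET",       frozenset({"IA"})),
    "RE_CF_briefing": Label("CONFIDENTIAL", frozenset({"CF"})),
    "BO_invoices":    Label("UNCLASSIFIED"),
}


def can_read(subject: str, obj: str) -> bool:
    """Simple security property ("no read up"): the subject's label must dominate the object's."""
    return SUBJECTS[subject].dominates(OBJECTS[obj])


def can_write(subject: str, obj: str) -> bool:
    """*-property ("no write down"): the object's label must dominate the subject's."""
    return OBJECTS[obj].dominates(SUBJECTS[subject])


def access_matrix() -> dict:
    """Return {(subject, object): "rw" | "r" | "w" | "-"} for every pair, for policy review."""
    out = {}
    for s in SUBJECTS:
        for o in OBJECTS:
            mode = ("r" if can_read(s, o) else "") + ("w" if can_write(s, o) else "")
            out[(s, o)] = mode or "-"
    return out


if __name__ == "__main__":
    for (s, o), mode in sorted(access_matrix().items()):
        print(f"{s:16} {o:16} {mode}")
```

Note that the lattice alone still lets Back Office "write up" into CF_share (a blind write); the manual's rule that Back Office has no rights on these folders comes from the discretionary NFS/NTFS permissions of Section 4 layered on top of the model.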
Data Flow

As per the specification, the above-mentioned technologies are used for securing the data and overall communication. Data flow in Wharf Traders Limited can be divided into three categories:

  1. Internal data flow within the organisation
  2. External data flow for the Corporate Finance Department
  3. External data flow for the Investment Advice Department

1) Internal Data Flow within the organisation

As shown in network diagram 1 of this manual below, data flows in the network from the servers to the clients/workstations of the different departments. Below is the list of methods used to protect this communication:

a) Access Control Lists on switches

I. Server Farm

II. Main backbone switch

This practice allows control of the data flow from the various departments, permitting only the IP addresses that are provided in the list.

b) IPsec

IPsec is used mainly for encryption; this protocol safeguards the data against any sniffing on the network. By using this technology internally, individual departments cannot intercept each other's data.

It is essentially required, as the Corporate Finance and Investment Advice departments hold confidential data that will be transferred over the internal network.

2) External Data Flow for the Corporate Finance Department and Investment Advice Department

Corporate Finance and Investment Advice need to send confidential information, which is rated top secret and confidential respectively under the classification above; hence the use of SSH, SFTP, IPsec and firewalls will prevent interception of data in an unauthorised way.

a) SSH and SFTP are used on the Linux servers; their implementation and configuration are described in the sections of this manual below.

Firewalls are used, as shown in network diagram 1, to create a demilitarized zone that will control the flow of data in the two ways mentioned below:

b) External Firewall: This firewall does packet filtering on the basis of IP packets and, if configured well, can block packets on top of the server's own firewall, providing additional security at the packet layer. It works at the network layer of the OSI model.

c) Internal Firewall: This firewall will be a proxy firewall and will filter the data based on protocols and applications. It works at layer 7 of the OSI model.

3. Network and Server Cataloguing within Wharf Trader

The network of Wharf Traders comprises the following network equipment:

  1. Switches
  2. Firewalls
  3. Servers
  4. Backup Servers
  5. Client Workstations

Remember: Please refer to the Detailed Specification and Justification for further information related to these details and in case of any doubt.

3.1 Network Cataloguing

The Wharf Traders network domain contains the following set of servers, including their services, as shown in diagram 1:

Windows Servers:

  1. Primary Domain Controller - WT-DC1
  2. Secondary Domain Controller - WT-DC2
  3. Member Server/File Server - WT-SRV1
  4. Member Backup Server/File Server - WT-SRV2

Linux Servers:

  5. Corporate Department Server - Linux-Corporate - WT-CF-Com
  6. Investment Department Server - Linux-Investment - WT-IA-Com
  7. Database Server - Linux-Wharf (WT-DB)
  8. Backup Server - Linux-Backup (WT-BKP)

The network of Wharf Traders comprises the following:

  1. Main Layer 3 network backbone switch
  2. Server switch - Server VLAN
  3. Corporate Finance Department switch - CF Switch VLAN
  4. Investment Advice switch - IA Switch VLAN
  5. Research - RE Switch VLAN
  6. Back Office - BO Switch VLAN
  7. Main network router after the firewall

Remember: Refer to the Justification section of this manual for the reasoning behind any item in this section.

Role Definition for the Above-Mentioned Servers:

4. Network Server Configurations

To configure the servers properly, there are certain steps and procedures to follow, according to the planning done above, where the roles are specifically declared in Tables 3.1 and 3.2.

Remember: This is only a step-by-step procedure without detailed information; if, in case of uncertainty, such detailed information is required, please refer to the Detailed Specification and Justification section of this manual.

Active Directory within the domain controller is essential for providing the authentication and authorisation process. Users from each department will be assigned security identifiers (SID and UID) to access the IT resources.

Windows Server Configuration

4.1 Configuring the Primary Domain Controller

  1. Set up the Primary Domain Controller. Initial configuration and setup should be done on the Primary Domain Controller as mentioned in Figure 3.1.
  2. Promote the Primary Domain Controller; there are a few configuration points to keep in mind:
    • Fully Qualified Domain Name (FQDN) of the forest root domain: WHARF.COM
    • NetBIOS name/default name of the domain: WT
    • Options -> Additional Domain Controller: leave the checkbox next to DNS Server selected
    • Use of a complex password is essential, with a combination of uppercase and lowercase characters, numbers and special characters, at least 8 characters long.
    • DNS delegation is selected manually: Yes (for the email exchange services configured in 4.10)
  3. Log on as the Domain Administrator (Network Administrator)
  4. Verify the domain zone for the Primary Domain Controller

4.2 Configuring the Secondary Domain Controller

The function of a Secondary Domain Controller within the same domain is to increase the redundancy and reliability of network services and resources. Deploying a supplementary domain controller helps significantly to provide fault tolerance and load balancing within the domain.

  1. Set up the Secondary Domain Controller. Initial configuration and setup should be done on the domain controller as mentioned in Figure 3.1.
  2. Join the Secondary Domain Controller to the WHARF.COM domain
  3. Install the DNS service on the Secondary Domain Controller
  4. Promote the Secondary Domain Controller; there are a few configuration points to keep in mind:
    • Effective configuration: add this domain controller to the same forest as above.
    • Network recommendation: the name of the domain will be WHARF.COM
    • Configure this Secondary Domain Controller as a Global Catalogue server for the domain (replication of WT-DC1)
    • A DNS delegation is required for the Exchange server (as configured in 4.10).
    • Install from media: replicate the data over the network from the current domain controller.
  5. Log on as a Domain Administrator and not as the local administrator.
  6. Verify the domain zone for the Secondary Domain Controller

4.3 File Services Configuration on Windows Server 2008

  1. Set up the Member Server WT-SVR1. Initial configuration and setup must be done on the domain controller as mentioned in Figure 3.2.
  2. Join the Member Server to the WHARF.COM domain
  3. Configure the Member Server WT-SVR1 as a File Server
  4. Verify in the Server Manager console that the File Services role has been added

4.4 DHCP Services Configuration on Windows Server 2008

  1. Configure the Member Server WT-SVR1 as a DHCP Server
  2. Verify in the Server Manager console that the DHCP service has been added
  3. There are a few minor configuration points to keep in mind:
    • Create a new scope (a different IP address range for every department) based on the settings mentioned in Figure 3.2.
    • Create new reservations so that a DHCP client (workstation) from a given department is always assigned the same IP address.

Remember: Always log on as the Domain Administrator (Network Administrator) when accessing this Member Server WT-SVR1 and not as the local administrator, otherwise the domain won't be visible.

4.5 Network File System (NFS) Services Configuration on WT-SVR1

Begin the installation of Network File System (NFS) on WT-SVR1:

  1. Configure NFS authentication and create two NFS shared folders (CF and IA)
  2. Assign permissions to the folders (e.g. read-only, write-only, and execute (read and write) permissions)
  3. From the Corporate server WT-CF-Com and the Investment server WT-IA-Com, mount the NFS shared folders created above
  4. An SSH server is required on the Windows server to secure data transfer as required by the specification provided (e.g. archiving backups, transferring audit logs to another server, etc.)

Linux Server Configuration (Ubuntu Server Version 9)

This server setup is to facilitate the secure transfer of data between the Corporate Finance department and its clients, which comprise new clients, their advisors and their lawyers respectively.

4.6 Corporate Server WT-CF-Com Configuration - Ubuntu Version 9

  1. Set up the Corporate Server WT-CF-Com; the initial configuration must be done as mentioned in Figure 3.2.
  2. Once the Corporate Server WT-CF-Com (Ubuntu V9) is installed, there are a few configuration points to keep in mind:
    • Change the root password to a strong password, as mentioned for Windows: a complex password with a similar combination of letters (upper and lower case), numeric characters and special characters, as described below
    • Create a less privileged user, e.g. wtadmin; this user will have access to the root account via the sudo utility as required
    • Ensure a strong password policy:
      1. Password complexity: at least e.g. a-z, A-Z, !#~% etc.
      2. Maximum age of a password before it expires
      3. Minimum length of a password needs to be at least 8 characters
    • Make certain that the OpenSSH server is installed to provide secure remote access
    • Disable Telnet and FTP traffic and allow SSH and SFTP by amending the iptables rules and changing the Telnet port.
    • Turn on the iptables firewall
    • Remember: Be careful not to alter any other configuration option in the file. Always save the file before quitting.
    • Make certain that the 'PermitRootLogin' value is set to 'no' in the SSH configuration file.
    • The SSH server needs to be restarted for the changes to take effect.

4.7 Investment Server WT-IA-Com Configuration - Ubuntu Version 9

  1. Set up the Investment Server WT-IA-Com with the settings mentioned in Figure 3.2.
  2. Once the Investment Server WT-IA-Com (Ubuntu V9) is installed, there are a few configuration points to keep in mind:
    • Change the root password to a strong password, as mentioned for Windows: a complex password with a similar combination of letters (upper and lower case), numeric characters and special characters, as described below
    • Create a less privileged user, e.g. wtadmin; this user will have access to the root account via the sudo utility as required
    • Ensure a strong password policy:
      1. Password complexity: at least e.g. a-z, A-Z, !#~% etc.
      2. Maximum age of a password before it expires
      3. Minimum length of a password needs to be at least 8 characters
    • Make certain that the OpenSSH server is installed to provide secure remote access
    • Disable Telnet and FTP traffic and allow SSH and SFTP by amending the iptables rules and changing the Telnet port.
    • Turn on the iptables firewall
    • Remember: Be careful not to alter any other configuration option in the file. Always save the file before quitting.
    • Make certain that the 'PermitRootLogin' value is set to 'no' in the SSH configuration file.
    • The SSH server needs to be restarted for the changes to take effect.
  3. The LAMP services that need to be configured on this server are described in section 4.9 below.

4.8 Configuration of the Linux Database Server - CentOS Server

  1. Set up the Database Server WT-DB with the settings mentioned in Figure 3.2.
  2. Once the Database Server WT-DB (CentOS) is installed, there are a few configuration points to keep in mind:
    • Change the root password to a strong password, as mentioned for Windows: a complex password with a similar combination of letters (upper and lower case), numeric characters and special characters, as described below
    • Create a less privileged user, e.g. wtadmin; this user will have access to the root account via the sudo utility as required
    • Ensure a strong password policy:
      1. Password complexity: at least e.g. a-z, A-Z, !#~% etc.
      2. Maximum age of a password before it expires
      3. Minimum length of a password needs to be at least 8 characters
    • Make certain that the OpenSSH server is installed to provide secure remote access
    • Disable Telnet and FTP traffic and allow SSH and SFTP by amending the iptables rules and changing the Telnet port.
    • Turn on the iptables firewall
    • Remember: Be careful not to alter any other configuration option in the file. Always save the file before quitting.
    • Make certain that the 'PermitRootLogin' value is set to 'no' in the SSH configuration file /etc/ssh/sshd_config.
    • The SSH server needs to be restarted for the changes to take effect: /etc/init.d/ssh restart (on CentOS the service is named sshd, so the script is /etc/init.d/sshd).
  3. Install the GNOME and X terminal distribution packages to get a graphical user interface on this server

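The following Python check is an added example, not part of the manual: it reads an sshd_config and reports which of the SSH points from sections 4.6 to 4.8 (and the SSH hardening list in 6.6) are not met. The two sample configuration texts are constructed, and the set of directives checked and the assumed sshd defaults are assumptions for illustration.

```python
"""Audit an sshd_config against the SSH hardening points of this manual (added example)."""
import re
import sys

# Directives this manual calls for, and the values that satisfy them (assumption).
REQUIRED = {
    "permitrootlogin": {"no"},          # no direct root login
    "protocol": {"2"},                  # SSH version 2 only
    "pubkeyauthentication": {"yes"},    # key-based authentication...
    "passwordauthentication": {"no"},   # ...and nothing else
    "x11forwarding": {"no"},            # no GUI forwarding on a DMZ host
}
# What sshd assumes when a directive is absent (OpenSSH 5.x era defaults; assumption).
DEFAULTS = {
    "permitrootlogin": "yes",
    "protocol": "2,1",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "clientaliveinterval": "0",
}


def parse_sshd_config(text: str) -> dict:
    """Map each directive (lower-cased) to its first effective value.

    sshd honours the first occurrence of a directive and ignores comment and
    blank lines; directives inside a Match block apply only conditionally, so
    everything after the first Match is skipped here."""
    conf = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        conf.setdefault(key, value)
    return conf


def audit(text: str) -> list:
    """Return (directive, found, expected) for every failing point; [] means compliant."""
    conf = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED.items():
        found = conf.get(key, DEFAULTS[key]).lower()
        if found not in allowed:
            findings.append((key, found, "/".join(sorted(allowed))))
    # Idle-session timeout ("logout interval" in 6.6): must be set and positive.
    interval = conf.get("clientaliveinterval", DEFAULTS["clientaliveinterval"])
    if not interval.isdigit() or int(interval) <= 0:
        findings.append(("clientaliveinterval", interval, ">0"))
    return findings


# Constructed sample: a distribution default before hardening...
SAMPLE_BEFORE = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""
# ...and the same file after applying 4.6 and 6.6 (group names are assumptions).
SAMPLE_AFTER = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
# only domain groups may log in
AllowGroups wtadmin cfstaff
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        problems = audit(fh.read())
    for key, found, expected in problems:
        print(f"{key}: found '{found}', expected {expected}")
    sys.exit(1 if problems else 0)
```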
4.9 LAMP Services Configuration on Linux Ubuntu and Centos Servers

In order to communicate securely over the Internet, the Linux servers require the LAMP services to be installed, that is Linux, Apache, MySQL and PHP.

As these services will be running in the DMZ (demilitarised zone), only one service per server should run, in order to create a secure environment according to best practice.

Hence, Apache will run on the Linux Investment server running the Ubuntu operating system, and MySQL will run on the Linux Database server running the CentOS operating system.

  1. Create the root certificate as described in section 6.5 of this manual and in the ssh folder. Enable SSL on this server
  2. Install the Apache server from the distribution package
  3. Create a directory in root and also create a user with privileges for the Apache server.
  4. Never run Apache as root. Alter the httpd.conf file to accept connections only on port 80.
  5. Change the port for SSL
  6. Alter the hosts.allow/hosts.deny files to allow connections only from particular IPs, i.e. from the firewall and not directly
  7. Save the configuration and restart the service
  8. Verify that Apache is running under the low-privilege user and not the root user.
  9. Configure iptables and restart the Apache service once again.

Configuration for WT-DB

  1. Download the LAMP distribution package and install MySQL
  2. Create a privileged user with access to the database and to the web server configured above.
  3. Change the iptables rules to accept connections only from IE:2 (Interface 2) of WT-IA-Com, so that traffic is permitted only via that server, and divert external traffic from there as well. Restart iptables

Verify that MySQL is running in a lower-privilege mode and not as root.

Refer to the Backup section of manual for backup procedures which is essential.

4.10 IIS and Email Services Configuration on the Windows WT-DC1 Server

  1. From the add/remove roles and services dialog, select and install IIS and the Exchange email service
  2. Download and configure Microsoft SharePoint on this server, to be used for internal communication purposes.
  3. For the email services, create two virtual connectors, enable SMTP on port 25 and the other protocols, along with reverse DNS, and alter the firewalls (Windows, internal (proxy) and external) to allow these protocols.
  4. In the SMTP virtual connectors, define load balancing (matrix) on both, with the first connector as primary and the second as secondary, with loads of 70 and 30 respectively.
  5. Amend the MX records and create the full Exchange name mail.wharftrader.com and the reverse com.wharftrader.mail.
  6. Restart the virtual connectors for the changes to take effect.
  7. Restart the DNS, SMTP, IIS and Exchange services for all these changes to take effect

5. Creating Groups and Users as Planned in Section 1 of the Manual within the active directory of WT-DC1 (Primary Domain Controller)

The objective of implementing Active Directory is to control (restrict) and smooth the usage of resources within the Wharf Traders network. The formation of groups helps to create fine control in the Windows environment so that authorisation and authentication can be maintained.

Two of the departments, Corporate Finance with its team groups and Investment Advice with its team, serve as the example of managing members and memberships within the domain and Active Directory to fine-tune control over access, authentication and permissions to specific resources. Similarly, the other groups need to be created in order to achieve fine-grained control over the network and the users' usage of the other network resources.

Only certain types of permission will be available to Research on the folders, for example CF and IA as created in section 4, so that it cannot have full rights on either of them. Note that Back Office won't have any rights on these folders and hence cannot access them.

Follow the steps mentioned below to create users and groups as specified in Section 1, Planning of Users and Groups.

Create groups and users by following these steps:

  1. Create the Global Groups as mentioned in Section 1.
  2. Allocate users to their relevant Global Groups.
  3. For specific uses, allocate Domain Local Groups from the Global Groups.

Following Section 1, begin the creation of Global Groups:

1) Create Global Groups:

  • Launch "Active Directory Users and Computers"
  • In the domain WHARF.COM, go to New and choose Group from the menu
  • For Group Scope choose Global, and for Group Type choose Security
  • Enter the group name and choose OK to complete the process.

2) To complete the rest of the groups as mentioned in Section 1 of this manual, and others as required, follow the same steps again.

Following Section 1, begin the creation of users:

1) Create Users:

  • Launch "Active Directory Users and Computers"
  • In the domain WHARF.COM, click New -> User.
  • To create an individual user, fill in the name of the user (e.g. Mary) etc. and click OK to continue.
  • Set the user's password option to "User must change password at next logon".

2) To complete the account setup for the other users mentioned in Section 1, or others as required, follow these steps again.

Assign Users to Groups

1) To add users to Global Groups:

  • Launch "Active Directory Users and Computers".
  • In the domain (WHARF.COM), choose the group and choose Properties.
  • In Members choose Add, then choose Advanced and Find Now. Click OK to complete the process.

2) To add users to their respective groups from Section 1 of this manual, and others as required, follow the same steps again.

6. Authentication, Authorisation and Access Control Methods in Wharf Trader Network and Storage Security

6.1 IP Sec Implementation

The IP security (IPsec) method is used to ensure that the transfer of sensitive data across the internal network is done safely and securely. This approach is mainly aimed at protecting the data in transit from unwanted interference and capture.

Follow these steps to set up IPsec:

1) To communicate with the server, make the client systems comply with IPsec. Make the minor changes mentioned below to accomplish this:

  • Always respond with IPsec and do not allow unsecured connections
  • Do not allow any inbound pass-through
  • Do not accept connections from IP addresses that do not comply with IPsec
  • Use only a pre-shared key as the authentication method
  • Choose tunnel mode as the IPsec mode setting
  • Choose only the IP address of WT-SVR1.

For user authentication and account information with Windows AD, LDAP is used for account information, whereas Kerberos is used for user authentication.

6.2 Lightweight Directory Access Protocol Installation and configuration on Linux Ubuntu Server V9

  1. Install LDAP and its libraries, using the su command to get root privilege.
  2. Use the IP address of WT-DC1, which hosts Active Directory for Windows. Use the base DN DC=WHARF,DC=Com
  3. Choose LDAP version 3 and amend the details in the nsswitch configuration file for LDAP
  4. To view users via LDAP, install the LDAP utilities and test the user accounts that are present in Active Directory

6.3 Install and Configure Kerberos on the Linux Ubuntu Server

  1. Install Kerberos and configure the krb5 configuration file
  2. Default realm: WHARF.com
  3. Provide the IP address along with the port of the KDC (Key Distribution Center)
  4. Specify WHARF.com.
  5. Configure the ticket-granting time, encryption methods etc. for added security
  6. Modify the /etc/pam.d/common-session file
  7. Add another session entry here and restrict root access
  8. Add the above-mentioned session entry to create the user's home directory at session start
  9. Systems need to have their time synchronised in order to get authenticated, within a 5-minute window.
  10. To do this, install ntpdate as root via the su command

6.5 Authenticating via Certification Authority

A certification authority is essential because, when any system needs to connect, it will query for a ticket by matching the username provided by LDAP and sending the password in encrypted form along with the key provided by the server, in place of a certificate, to secure the transfer of data. By doing so it creates the certificates to be used on the network, and hence does not require an external CA; the server can issue its own root CA.

Follow these steps to create the root CA:

  1. openssl genrsa -des3 -out WHARF.key 1999
  2. It will ask for a passphrase (password).
  3. openssl req -new -x509 -days 360 -key WHARF.key -out WHARF.crt
  4. It will ask for information such as company name, address etc.
  5. The certificate for your organisation is then produced; to view the certificate, type openssl x509 -in WHARF.crt -text -noout.

6.6 Configuration of SSH and SFTP

  1. Only permit domain-authenticated users and groups to access WT-CF and WT-IA respectively
  2. Make certain that SSH is running on the server and check that iptables is configured accordingly.
  3. Transfer one copy of the sshd configuration file to the other server and make the file read-only to prevent editing.
  4. Security configurations to note when configuring SSH:
  • Set the logout/idle interval, etc., for when the system is not in use
  • Do not allow direct login to the root account
  • Delete unnecessary accounts and details, and modify the defaults.
  • Only use SSH version 2
  • Only use PKI-based authentication with complex passwords
  • Monitor and log every access; change iptables to accept only limited connections and ports, and also alter hosts.allow/hosts.deny
  • Only allow users access to their own directory and not any other, locking down access with, for example, SELinux

5) Create folder sharing to allow the users who are within the Wharf Traders network.

  • Only allow users access based on permissions.
  • Only allow root to alter permissions on the folders.
  • Only allow specific file formats to be stored and shared, and delete, using a daily cron job, any file that does not match the specification.
  • Write a script in shell/perl to run from cron at a specific time when there is less load on the server, to delete any files that are not required (make sure this is done with a script which runs before the daily backup is done); command: crontab -e

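A Python version of the daily cleanup job described in item 5 above, added here as an example and not the manual's own script: it lists every file on a share whose format is not permitted and deletes them only when run with --delete, so a dry run can be reviewed first. The share path, the permitted extensions and the crontab entry are assumptions.

```python
"""Daily cleanup of files whose format is not permitted on a share (added example)."""
import os
import sys
from pathlib import Path

# Formats permitted on the CF and IA shares (assumption for illustration).
ALLOWED_SUFFIXES = {".pdf", ".doc", ".xls", ".txt"}


def disallowed_files(share: Path, allowed=ALLOWED_SUFFIXES) -> list:
    """Return every path under `share` that does not match the permitted formats.

    os.walk runs with followlinks=False and symlinks are reported as disallowed
    themselves, so a link planted inside the share can never steer the job at
    files outside it (a symlink named report.pdf is still removed as a link)."""
    bad = []
    for root, _dirs, files in os.walk(share, followlinks=False):
        for name in files:
            path = Path(root) / name
            if path.is_symlink() or path.suffix.lower() not in allowed:
                bad.append(path)
    return sorted(bad)


def purge(share: Path, dry_run: bool = True) -> list:
    """Delete the disallowed files (only when dry_run is False) and return the list."""
    victims = disallowed_files(share)
    if not dry_run:
        for path in victims:
            path.unlink()   # unlink removes a link itself, never its target
    return victims


if __name__ == "__main__":
    # Assumed crontab entry (crontab -e), scheduled before the daily backup runs:
    #   30 1 * * * /usr/bin/python3 /usr/local/sbin/purge_share.py /srv/shares/CF --delete
    args = [a for a in sys.argv[1:] if a != "--delete"]
    share = Path(args[0] if args else "/srv/shares/CF")
    delete = "--delete" in sys.argv
    for path in purge(share, dry_run=not delete):
        print(("deleted " if delete else "would delete ") + str(path))
```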
6.7 IPTABLES: Other measures to enable include iptables, which is the firewall of Linux systems; it provides much better control than the Windows firewall, as any specific IP address, protocol and port number can be blocked or allowed.

Its status can be checked with the command service iptables status (on CentOS; start, stop and restart work the same way), or by listing the active rules with iptables -L -n.

6.8 SELINUX: SELinux is an extension to Linux access control and provides additional security by confining each process in its own compartment, so that whenever an application is compromised it can only compromise the process within that compartment and not the whole system. Every compartment has only one process. Install and enable it to achieve an extra layer of security over the servers in the DMZ.

6.9 Configuring the Encrypting File System

EFS only encrypts data when it is actually stored on the system, not while data is in transit over the network or an external link.

  • Enable EFS via the local policy on the server, and choose "Encrypt the contents" for the user folder
  • NTFS is recommended, as setting up user permissions in the same way as in the steps above protects against unauthorised access to the files and folders.

7. Backup and Restoration

On the server, backups can be done easily with the built-in backup tool, which provides an excellent solution for backup and recovery, or else with additional third-party solutions such as Norton Ghost or Symantec Backup.

7.1 Windows Server

It is essential and good practice to keep backups, so that in the event of failure the restoration can be done from backup. Ideally all mission-critical systems should be configured for regular backup on a daily basis.

1) Backup of mission-critical systems

  • Files essential to a successful restore are the system files, policies, mail server configuration including MX records, and the users and groups in Active Directory.
  • Logs are helpful later on in identifying the cause of a failure, and hence it is essential to back up the logon, system, user, security and other logs.
  • Back up all data including the department folders hosted on the server, in case of any deletion or drive failure.

2) Configure the backup schedule as mentioned below, depending on the criticality and amount of data.

  • Daily backup - Incremental
  • Weekly backup - Incremental
  • Monthly backup - Full

3) Backups should be stored in a proper environment, with one copy of the backup at an offsite location, to comply with BCM (Business Continuity Management).

4) One monthly backup copy is proposed to be sent to the offsite location to satisfy BCM (Business Continuity Management) in the event of a disaster.

5) Restoration of files should be done once a month to verify that the data is written properly, and always change the media after a certain time limit, i.e. every 6 months.

7.2 Linux Ubuntu and CentOS Servers

It is easy to back up on Linux with the tar and cron utilities.

Tar is used to archive and compress files on Unix systems, and cron is used as a scheduler to run any script or command at a specified time. The mount command can be used to attach the backup media, and tar to restore from these archive files. Scheduling of backups should be done in a similar way to the Windows server.

  1. Using a shell script, back up all required files, including system files and logs
  2. Make sure that the transfer of files via SSH is enabled and that no line in iptables is blocking the functioning of SSH.
  3. Please refer to the Detailed Specification to see a sample file.
  4. Restoration of files should be done once a month to verify that the data is written properly, and always change the media after a certain time limit, i.e. every 6 months.

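An added Python example (not the sample file from the Detailed Specification) of the backup scheme above: the daily run writes an incremental tar.gz of only the files changed since the previous run, the monthly run writes a full archive, and a check before the monthly test restore rejects archives whose members could escape the restore directory. The source paths, destination, state file and crontab entries are assumptions.

```python
"""Incremental/full tar backups for the schedule in 7.1, in the tar format of 7.2 (added example)."""
import json
import sys
import tarfile
import time
from pathlib import Path


def backup(sources, dest_dir: Path, state_file: Path, full: bool = False) -> Path:
    """Write dest_dir/wt-<full|incr>-<UTC timestamp>.tar.gz and return its path.

    An incremental run keeps only files modified after the start time that the
    previous run recorded in state_file; a full run keeps everything. Every run
    records its own start time so the next incremental continues from there."""
    since = 0.0
    if not full and state_file.exists():
        since = json.loads(state_file.read_text())["last_run"]
    started = time.time()
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(started))
    archive = dest_dir / f"wt-{'full' if full else 'incr'}-{stamp}.tar.gz"

    def newer(info: tarfile.TarInfo):
        # Directories are always kept so the tree structure survives; files only if changed.
        if info.isdir() or info.mtime > since:
            return info
        return None

    with tarfile.open(archive, "w:gz") as tar:
        for src in sources:
            # Store paths relative, never absolute, so a restore cannot silently overwrite /.
            tar.add(str(src), arcname=str(src).lstrip("/"), filter=newer)
    state_file.write_text(json.dumps({"last_run": started, "archive": str(archive)}))
    return archive


def list_files(archive: Path) -> list:
    """Sorted names of the regular files stored in the archive."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def safe_to_restore(archive: Path) -> bool:
    """Check before the monthly test restore (7.1 step 5): no member may be
    absolute, contain '..', or be a link pointing outside the archive tree."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                return False
            if (m.issym() or m.islnk()) and (
                    m.linkname.startswith("/") or ".." in Path(m.linkname).parts):
                return False
    return True


if __name__ == "__main__":
    # Assumed crontab entries (crontab -e):
    #   0 2 2-31 * * /usr/bin/python3 /usr/local/sbin/wt_backup.py          (daily incremental)
    #   0 2 1    * * /usr/bin/python3 /usr/local/sbin/wt_backup.py --full   (monthly full)
    sources = [Path("/etc"), Path("/var/log"), Path("/srv/shares")]   # assumed paths
    dest, state = Path("/backup"), Path("/backup/wt-backup-state.json")
    made = backup(sources, dest, state, full="--full" in sys.argv)
    print(made, "files:", len(list_files(made)), "safe:", safe_to_restore(made))
```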
8. Auditing Servers in Wharf Trader Network

8.1 System Auditing for Windows Servers

  1. Enable the auditing policy on the system.
  2. Ensure that the policy is linked to the Organisational Unit containing the client machines (such as RE_Workstations) and that they have received it.
  3. Ensure that old log entries are not overwritten when the log is full.
  4. Ensure the logs are stored and backed up to the selected location at the times proposed in the backup section of this manual.

8.2 System Auditing for Linux Ubuntu and CentOS Servers

  1. Install and configure the auditing utility.
  2. Use it to monitor critical files such as the password files, to watch the file system and to audit system calls.
  3. Ensure that old log entries are not overwritten when the log is full.
  4. Ensure the logs are stored and backed up to the selected location at the times proposed in the backup section of this manual.
  5. Keep logs on more than one server and at the offsite location, so that if one system is compromised and its logs are altered to cover footprints, the logs are still available from another system that whoever exploited the server does not know about.

Remember: Check logs regularly using a Perl or shell script that filters for specific entries, and enable emailing of the filtered logs to the system administrator via a cron job, as in the sample script in the Detail Specifications section of this manual.
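As an added example, not from the manual, the following script covers steps 1 and 2 of section 8.2 with auditd watch rules for the password and group files (plus sudoers) and the file-system syscalls, and the "Remember" note above with a shell filter over a constructed auth log. The rule keys, sample log lines and mail recipient are assumptions.

```shell
#!/bin/sh
# Added example, not from the manual: auditd watch rules for the files that
# section 8.2 names, and the log-filter step from the "Remember" note.
# Rule keys, the sample log and the report recipient are assumptions.

# Rules in auditd's /etc/audit/rules.d syntax: watch the password and group
# files for writes and attribute changes, and audit permission, ownership
# and mount system calls across the file system (64-bit syscall table).
audit_rules() {
    cat <<'EOF'
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/sudoers -p wa -k sudoers_changes
-a always,exit -F arch=b64 -S chmod -S fchmod -S chown -S fchown -k perm_mod
-a always,exit -F arch=b64 -S mount -k fs_mount
EOF
}

# Filter an auth log for failed SSH logins and print "count address" per
# source address, highest count first: the "filtering specific logs" step.
failed_logins() {
    grep 'sshd.*Failed password' "$1" |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Cron-friendly wrapper: mail the summary to the administrator (assumes a
# working local MTA and the mail command).
report_failed_logins() {
    failed_logins "$1" | mail -s "Failed SSH logins on $(hostname)" root
}

# Constructed sample log lines for demonstration (not a real log).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar  1 02:14:01 wt-db sshd[1021]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Mar  1 02:14:05 wt-db sshd[1021]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Mar  1 02:15:11 wt-db sshd[1030]: Accepted publickey for backupadmin from 10.0.0.5 port 51022 ssh2
Mar  1 02:16:40 wt-db sshd[1044]: Failed password for root from 198.51.100.7 port 3301 ssh2
EOF

# Install the rules (as root) with:
#   audit_rules > /etc/audit/rules.d/wharf.rules && augenrules --load
failed_logins "$SAMPLE_LOG"
```

On the sample log the filter reports two failures from 192.0.2.10 and one from 198.51.100.7; the successful login is not listed.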

9. Group Policy Setting and Management

9.1 Windows Servers

Policies are dynamic: they can and will need to change over time, so it is up to the administrator to keep control of them and review them regularly. Follow the steps below when this is required:

  1. Launch Group Policy Management.
  2. Choose a name for the GPO, such as Managing Directors, CEO etc.
  3. Choose Policies and Preferences and configure the following items:
  4. Control of access to user activity,
  5. Control of software installation, update and removal,
  6. Control of user data management and roaming profiles,
  7. Construct policies on the basis of groups as required; for example, Managing Directors should have privileges over the data of Supervisors and Teams, Teams should have privileges over the data of Team Coordinators, and Team Coordinators should have privileges within a limited domain where they can interact with other Team Coordinators.
  8. After assigning the appropriate privileges, choose 'Group Policy Management' and construct the GPO within this domain.
  9. Verify in 'Active Directory Users and Computers' that it is visible and enforced.
  10. Configure policies:

    1. Account Policies: password, lockout, Kerberos policy etc.
    2. Software Policies: to restrict the running of unauthorised software.
    3. Local Policies: auditing, user rights management, security etc.
    4. Mail Policies: content filtering, email encryption, spam blocking etc.

9.2 Configuration of Firewall Policy

Using a firewall provides an extra layer of security. Using an application-based (proxy) firewall together with a packet-filtering firewall creates the Demilitarised Zone shown in the network diagram earlier in this manual.

1) Construct the firewall policy as required using the steps below:

  • Permit only Internet services via ports 80 and 443, in and out
  • Permit only SSH via port 22, in and out
  • Permit only IPsec via ports 500, 50 and 51, in and out
  • Permit only DNS via UDP port 53, in and out
  • Permit only DHCP via ports 67 and 68, in and out
  • Permit only SMTP via port 25, in and out
  • Permit only Remote Procedure Call services via port 135, in and out, etc.
  • Enable logging on the firewall.
  • Use Access Control Lists on the switches for extra protection and for authenticating users internally and externally.

2) Allocate the policy to the client systems in the Organisational Units as described in the section above.
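As an added example, not part of the manual, here is an iptables ruleset for a Linux host that implements the port list in step 1 above. The IPT variable is an assumption for dry runs; note that ESP and AH (50 and 51) are IP protocol numbers rather than ports, so they are matched with -p instead of --dport.

```shell
#!/bin/sh
# Added example, not part of the manual: an iptables ruleset for the port
# list in section 9.2 on a Linux host. IPT defaults to the iptables command;
# set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

firewall_policy() {
    # Default deny in every direction; everything below is an explicit permit.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections that were already permitted.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # TCP services from the policy: HTTP/HTTPS, SSH, SMTP and RPC (135).
    # RPC should normally be confined to the internal interface.
    for port in 80 443 22 25 135; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # UDP services: DNS and DHCP (server and client ports).
    for port in 53 67 68; do
        $IPT -A INPUT -p udp --dport "$port" -j ACCEPT
        $IPT -A OUTPUT -p udp --dport "$port" -j ACCEPT
    done
    # IPsec: IKE on UDP 500, then ESP and AH, which are IP protocols 50 and
    # 51 rather than port numbers, so they are matched with -p.
    $IPT -A INPUT -p udp --dport 500 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 500 -j ACCEPT
    for proto in esp ah; do
        $IPT -A INPUT -p "$proto" -j ACCEPT
        $IPT -A OUTPUT -p "$proto" -j ACCEPT
    done
    # Log what the default DROP discards, rate limited to keep the log usable.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Number of -A rules the policy adds; useful for checking a dry run.
rule_count() {
    (IPT=echo; firewall_policy) | grep -c '^-A'
}
```

Run a dry run with IPT=echo first and compare its output against the policy table before applying it as root.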

Default Policies for Windows

  1. Password-specific policies: expiration, lockout, maximum tries etc.
  2. Exchange-specific policies: FIFO (First In First Out), email notification of service faults etc.

10. Patch Management Service

10.1 Windows Server

Using Windows Server Update Services (WSUS), updates can be deployed centrally in organisations such as Wharf Traders. The aim is to download updates once and deploy them to the workstations centrally rather than manually on every system.

  1. Download and install WSUS on one of the Windows servers.
  2. Download updates and schedule them to install at a time when there is little traffic on the network (e.g. midnight).
  3. Only deploy updates once they have been thoroughly tested in a virtual environment.
  4. Set a restore point before deployment and roll back to it if problems occur.
  5. Keep audit logs to track changes and to troubleshoot if problems occur.
  6. Permit only the Administrator to deploy the installed updates.

10.2 Linux Server

Using Ubuntu's update management, the same approach can be used in organisations such as Wharf Traders. The aim is to download updates once and deploy them to the workstations centrally rather than manually on every system.

  1. Install the Ubuntu update management service on one of the Ubuntu servers.
  2. Download updates and schedule them to install at a time when there is little traffic on the network (e.g. midnight).
  3. Only deploy updates once they have been thoroughly tested in a virtual environment.
  4. Set a restore point before deployment and roll back to it if problems occur.
  5. Keep audit logs to track changes and to troubleshoot if problems occur.
  6. Permit only the Administrator to deploy the installed updates.

11. Detail Specifications and Justification

In the sections above I explained how to configure the network of Wharf Traders Limited and the services offered by the various servers within it.

In this section I explain in more detail the specific information behind, and the justification for, the sections above.

11.1 Type of Data Flow in the Network of Wharf Traders Limited

The network is fully secured by two firewalls that create a DMZ (Demilitarised Zone). In this zone I have hosted the servers that require a secure flow of data: WT-CF-Com, hosting file sharing with clients via SFTP, and WT-IA-Com, hosting Apache web services, with SQL on the WT-DB server, for secure hosting of the web application used by clients. LAMP is considered to be very secure in itself.

I have hosted only one service per server in the DMZ, as it is essential for security that if one is compromised the others are not. The firewalls creating the DMZ are of two types, proxy and packet filtering, so they can filter at both the IP layer and the application layer of the OSI model, creating a very secure environment together with host firewalls such as iptables on the servers.

Also, the transmission of data within the network is protected by IPsec, which encrypts the information.

Also, the LDAP used on the servers works with Kerberos to authenticate users by generating and granting tickets via the server for secure communication. Additional Access Control Lists are deployed on the switches to further secure the authentication process.

11.2 Authentication, Authorisation and Access Control in the Network of Wharf Traders Limited

As mentioned above, certificates will be generated by the server so that authentication can be done internally and with clients; however, the root server itself needs a certificate, which must be obtained from a Certification Authority such as Verisign.

Also, other measures such as Kerberos are used for authenticating users, along with ACLs etc.

Access control is achieved by passwords and permission policies.

11.3 Planning of Users and Groups in the Network of Wharf Traders Limited

Planning of users and groups is essential, as over time it becomes difficult to manage users if groups are not created, and policy cannot be applied effectively. Hence, groups are created from users having a similar role in the organisation; group policy, including permissions, can then be applied to each group, giving fine-grained access control over the network and its resources.

11.4 Methodology and Advisability of Encrypting Data in Storage and in Transit in the Network of Wharf Traders Limited

Internally, the deployed IPsec encrypts data in transit and provides security. For storage, EFS is used to encrypt files, and NFS is used to mount files to create shared folders that can be accessed only with suitable permissions.

Over the Internet, SSL (Secure Sockets Layer) is used for data encryption, which uses symmetric encryption, and SFTP (Secure File Transfer Protocol) is used to transfer files from the WT-CF-Com servers.

11.5 Integration and Configuration of Other Services in the Network of Wharf Traders Limited

I have used email via Exchange and SharePoint intranet services via IIS to provide email and other internal communication services to the users of Wharf Traders Limited.

Also, for web access I have configured LAMP, which is used for file transfers and internet access for staff and for hosting the application used by clients.

11.6 Restoration in Case of Failure in the Network of Wharf Traders Limited

As mentioned in the sections above on the backup procedures for the mission-critical servers, if those procedures are followed the critical data can be retrieved and restored easily via the restore option in Windows, which takes the backup tape files (.bkp) and can restore any lost data. Otherwise, in case of server failure, a full restoration can be retrieved from the offsite storage and used on a new server.

The reason for the secondary domain controller was only to give the network redundancy in case of primary server failure.

On Linux systems backups are done using crontab, and cron jobs can be set to run daily, weekly and monthly to take differential and full backups.

Use a shell script to create the cron file to take backups as shown below.

Files are stored in TAR format, which is also used for restoration.

Now save this file and, from the backupadmin account, open the crontab with crontab -e and type:

# minute hour day-of-month month day-of-week user command
# (six-field form as in /etc/crontab; a per-user crontab opened with crontab -e
# has no user column, so there the sixth field must be the command itself)
01 2 * * * backup /etc/confidential/cron.everyday
13 1 * * 0 backup /etc/confidential/cron.everyweek
# day-of-month 1 so the full backup runs once a month, not every day
40 3 1 * * backup /etc/cron/cron.everymonth

This will back up the files daily, weekly and monthly.

This is just a sample file to help, and it needs to be changed according to the requirements of the network, as backups can significantly slow down the network and hence should always be run when there is little traffic.
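The backup script that the cron entries above (and step 1 of section 7.2) would call, as an added example that is not the manual's own sample file: a tar backup with GNU tar's incremental snapshot for the daily and weekly runs, a full archive monthly, and the monthly restore test from step 4 of section 7.2. BACKUP_ROOT and SOURCES are assumed paths.

```shell
#!/bin/sh
# Added example, not the manual's own script: the tar backup that the cron
# entries above (and step 1 of section 7.2) would call. BACKUP_ROOT and
# SOURCES are assumed paths; adjust them to the network.
# Usage: backup.sh daily|weekly|monthly
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/wt}"   # assumed destination
SOURCES="${SOURCES:-/etc /home /var/log}"        # system files, users, logs

# monthly: full backup, starting a new incremental chain.
# daily/weekly: GNU tar's snapshot file makes the archive hold only what
# changed since the previous run. Prints the path of the archive written.
run_backup() {
    kind="$1"
    snapshot="$BACKUP_ROOT/snapshot.snar"
    archive="$BACKUP_ROOT/$kind-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$BACKUP_ROOT"
    case "$kind" in
        monthly) rm -f "$snapshot" ;;
        daily|weekly) ;;
        *) echo "usage: $0 daily|weekly|monthly" >&2; return 2 ;;
    esac
    # $SOURCES is unquoted on purpose: it is a space-separated list of paths.
    tar --create --gzip --listed-incremental="$snapshot" \
        --file="$archive" $SOURCES
    # A checksum beside the archive makes corruption or tampering detectable.
    sha256sum "$archive" > "$archive.sha256"
    echo "$archive"
}

# Monthly restore test (7.1 step 5, 7.2 step 4): verify the checksum, then
# extract into a scratch directory to prove the archive is readable.
verify_backup() {
    archive="$1"
    sha256sum -c --quiet "$archive.sha256" || return 1
    scratch=$(mktemp -d)
    tar --extract --gzip --file="$archive" -C "$scratch"
    rm -rf "$scratch"
}

# Run only when invoked with a schedule argument, e.g. from the cron entries.
case "${1:-}" in
    daily|weekly|monthly) run_backup "$1" ;;
esac
```

Point each cron entry at this script with the matching argument, and keep the snapshot file with the archives, since the incremental archives are only restorable together with the full backup that started their chain.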

11.7 Audit Methods in the Network of Wharf Traders Limited

Auditing is very important for the network, as it helps in troubleshooting the cause of any failure and in identifying any compromise of the network servers.

I have suggested above that log files should be backed up and stored on another server as well, so that if a system is compromised the log files can still be retrieved.
