deonnahardaway

Telecommunications and Networking

Updated: May 9, 2021

In this project I assumed the role of a network consultant for SNHUEnergy. My job was to evaluate the current network architecture for SNHUEnergy and to recommend changes. The major concerns for the company were network infrastructure scalability for future growth, network management, communication and connectivity between remote offices, and network security.



SNHUEnergy Inc. is an oil and gas production company that is looking to expand operations. The main objective is to add a division for oil and gas transportation and to add “two additional regional offices in Kansas City and Houston.” With currently 120 employees, and an expected growth of 50 percent every year going forward, scalability in their network infrastructure is a big concern. SNHUEnergy Inc. would like a plan on how to capitalize on their existing technology.


This section of the report will focus on analyzing the current telecommunications and networking technologies. It is necessary to complete a systems analysis of the existing equipment and of the way the company functions in terms of communications strategies before any recommendations can be made for changing the network.


Currently the SNHUEnergy Inc. Dallas Office uses applications for Email, Payroll, Accounting, and Human Resources with servers that support each function. The SNHUEnergy Inc. Memphis Office uses applications for Billing and Operations and also houses servers for each application. The type of Applications being used and the type of work being done tell a lot about the network requirements for the company. Simply observing that they carry out Billing in one location and Accounting in another tells us that the two locations need a shared source of information. It is unlikely that they can carry out work in one location without the information from servers in the other location. The type of information being processed and shared between servers, for example Human Resource files full of private information, tells us they also need a high level of network security.


First we need to understand SNHUEnergy’s Physical Network Diagram and how it pertains to the Open Systems Interconnection (OSI) Model. Below are the 7 layers of the OSI Model and the SNHUEnergy network details that match up with each layer:

  • Application – The Application Layer provides Users with the ability to interact with software Applications. (Pandey & Thiyari, 2020) The Applications being used by SNHUEnergy are for Email, Payroll, Accounting, and Human Resources (HR) in the Dallas Office. In Memphis the software Applications being used are for Billing and Operations. (IT 640 Final Project Guidelines, 2021)

  • Presentation – The Presentation Layer translates data from the Application Layer to a format that can be transmitted over the network. (Pandey & Thiyari, 2020) So, for example, the Presentation Layer converts data entered into the Billing Application into information that can be sent to a customer’s email so they can view their bill.

  • Session – The Session Layer establishes a connection between two processes. (Pandey & Thiyari, 2020) Using the example above, the Session Layer would begin a connection between the SNHUEnergy Billing Application and the customer’s Email Application.

  • Transport – The Transport Layer is responsible for making sure there are no errors or interrupts in the connection when data is being transferred. This means using Transmission Control Protocol (TCP). A connection is established between two hosts and an acknowledgement is sent to tell the sender if the data was received or not received. (Shaw, 2020) For example, the Billing information is transmitted to the customer email and an acknowledgement is sent back to the address that the Billing information came from.

  • Network – This layer has to do with packet routing and logical addressing. The Routers shown in the network diagram for the Dallas and Memphis offices are a part of the Network Layer.

  • Data Link – “The Data Link Layer is responsible for the node to node delivery of the message.” (Pandey & Thiyari, 2020) The packets are sent through the Switch and the Switch sends them to the correct host machine after reading the sending and destination Media Access Control (MAC) Addresses. The SNHUEnergy diagrams show that the Dallas office utilizes two Switches for this purpose and the Memphis Office uses one.

  • Physical – The Physical Layer is part of the Hardware Layers and incorporates the physical wires seen in the SNHUEnergy diagrams. These wires connect Routers, Switches, Firewalls, and other hardware and allow them to communicate by “transmitting individual bits from one node to the next”. (Pandey & Thiyari, 2020) This also includes the connection from the LAN to the Internet Service Provider (ISP).


The Logical Network Design Diagrams for the Dallas office and the Memphis office tell us a lot about how the current network is functioning. Both Networks use a Star Topology and are supplied with service through a Leased Line provided by an ISP. There are a few differences in their network configurations and included hardware:


Dallas Office – Firewall, one Router, two Switches

Memphis Office – Router, one Switch


A Firewall protects the Local Area Network (LAN) from being accessed by devices that are not authorized by the network. For example, Firewalls provide security from hackers that may try to steal information. The Firewall is placed between the public Internet and the Router in the Dallas office. “A router has intelligence in that it is able to read IP addresses and direct network traffic (packets) to the correct location.” (Routers, switches, firewalls, etc., 2021) The Router is a hardware device that creates a LAN and offers a level of privacy from the Wide Area Network (WAN) for users within that small network. A Switch is used to connect all devices within the LAN to the Router so they are provided with connectivity and communication for data transfer (for example sending emails), or data sharing (for example connecting to a shared server). A Switch is also a hardware device with ports that allow physical connections to computers, servers, and even phone systems.

The Memphis office differs from the Dallas office in that it also has a Router but does not have a Firewall or access to the public internet listed on the diagram. Instead, the Memphis networking diagram lists a direct connection to the Dallas office. This leads me to believe that they are utilizing Ethernet over Multi-protocol Label Switching (EoMPLS) to communicate directly with the Dallas office via a Secure Socket Shell (SSH) tunnel.


SNHUEnergy’s two office locations have completely different purposes that are also interconnected in a lot of ways. Having the need to communicate and share information between the offices constantly requires that the network be up and running continuously. If the Dallas Office needs to process Payroll by accessing information from the Operations Server at the Memphis office, but the network goes down for the day, Employees could experience a delay in getting their paychecks.

The Memphis Office’s network diagram only includes a single Router and a single switch, compared to the Dallas Office’s two Switches. Currently this configuration makes sense because the Dallas Office has 90 employees, whereas the Memphis Office only has 30. However, scalability will be an issue with the Company’s projected 50 percent growth every year. The current network would not support the additional computers, servers and telephones necessary to add employees to the Memphis Office.

The other issue I see with SNHUEnergy’s current network configuration is that only the Dallas Office’s network diagram shows a firewall between the internet and the LAN. The diagram for the Memphis Office, instead, shows a direct connection to the Dallas Office, leaving out the Firewall and the Internet connections. The Memphis Office houses Billing Application Servers. This means they process a lot of data that needs to be secured, such as credit card information, personal customer information, and bank account information. The Memphis Office needs network security just as much as the Dallas Office. As previously stated, they may be connecting to the Dallas Office through an SSH tunnel, but they have internet connectivity and therefore should also include a Firewall. “The benefits of MPLS are scalability, performance, better bandwidth utilization, reduced network congestion and a better end-user experience. MPLS itself does not provide encryption, but it is a virtual private network and, as such, is partitioned off from the public Internet. Therefore, MPLS is considered a secure transport mode.” (Weinberg, 2018) This could affect future scalability in that the same SSH tunnel cannot be used for multiple remote offices. Different connections will have to be established for new locations.


SNHUEnergy will be expanding from two to four office locations and expanding the number of employees over the next two years. This section of the report will serve as a network analysis of their current network structure and will point out any potential problems moving forward with expansion of the network.


According to the project scenario, SNHU Energy is using three main physical network devices (Network Security Best Practices, 2021):

  • Firewalls – “One of the first lines of defense in a network, a firewall isolates one network from another. Firewalls either can be standalone systems or included in other devices, such as routers or servers. You can find both hardware and software firewall solutions; some firewalls are available as appliances that serve as the primary device separating two networks.”

  • Routers – “Routers help transmit packets to their destinations by charting a path through the sea of interconnected network devices. They remove the packets from the incoming frames, analyze them individually and assign IP addresses. Routers normally work at the Network layer of the OSI model.”

  • Switches – “Switches generally have a more intelligent role than hubs. Strands of LANs, are usually connected using switches. Mainly working at the Data Link layer, they read the packet headers and process the packets appropriately. Generally, switches can read the hardware addresses of incoming packets to transmit them to the appropriate destination.”

Referencing the Logical Network Design we can see that there is one Firewall, separating the Local Area Network (LAN) from the Wide Area Network (WAN). After the Firewall resides the Router for the entire LAN. The Network is then segmented into two main parts by two separate switches. I can tell by the addressing used that the Sub-Network (Subnet) is further segmented into Virtual Local Area Networks (VLANs), three per Switch, making a total of six VLANs. For this to work, the Switch has to be a Layer 3 Switch, which utilizes routing, instead of just a Layer 2 Switch. A Layer 3 Switch uses routing to support multiple VLANs so you don’t have to use a separate router for each. Usually, the Router would handle the Layer 3 processes, but in large corporate networks, Switches need routing capabilities also. “Layer 2 switches work well when there is low to medium traffic in VLANs. But these switches would hang when traffic increased. So, it became necessary to augment layer 2’s functionality.” (Rathnam, 2018) This will work well for SNHUEnergy for network scalability moving forward.


According to the Logical Network diagram, 6 Subnets have been set up. “In this case, the subnets use a subnet mask of /24, which means that the prefix part of the addresses is 24 bits (3 octets) long.” The “/24” is known as the Classless Inter-Domain Routing (CIDR) shorthand, and it tells us that the subnet mask for the network is 255.255.255.0 and is a Class C network. By default, this Class C network can have only 254 usable IP addresses. (Mitchell, 2020) The Subnets are defined by the first three octets; 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6. The last octet defines the hosts in the network. This is important information when we are trying to determine critical traffic patterns between VLANs and between devices on the network.

The Wireshark Capture shows us several critical traffic patterns and different protocols being used by SNHUEnergy employees. We can see various addresses from the subnets specified above that are communicating across the network. Here is a breakdown of the main traffic patterns from the Wireshark capture:

  • SQL - SQL stands for Structured Query Language and is used to run queries for data analysis. The Wireshark capture shows us that employees are making query requests for data from the SQL server using MySQL protocol. “The MySQL protocol is used between MySQL Clients and a MySQL Server. It is implemented by:

    • Connectors (Connector/C, Connector/J, and so forth)

    • MySQL Proxy

    • Communication between master and slave replication servers” (MySQL Internals Manual, 2021)

  • RTP – “A protocol is designed to handle real-time traffic (like audio and video) of the Internet, is known as Real Time Transport Protocol (RTP). RTP must be used with UDP. It does not have any delivery mechanism like multicasting or port numbers.” (Real Time Transport Protocol (RTP), 2020) The Info column on the Wireshark capture shows us that the payload type corresponding to the RTP protocol is PCMU, which denotes that audio data is being transferred. (Schulzrinne, 2003) This, in turn, shows us that Applications using Voice over Internet Protocol (VoIP) are a critical traffic pattern for SNHUEnergy Employees.


  • SSH – SSH is Secure Socket Shell. “SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.” (Loshin & Cobb, 2021) So, this tells us that the devices on the network are being accessed remotely by IT professionals. They can use SSH to run systems checks, to transfer data, and run updates on computers at remote offices, among other things. “This is accomplished by generating a unique public key pair for each host in the communication; a single session requires two public key pairs: one public key pair to authenticate the remote machine to the local machine and a second public key pair to authenticate the local machine to the remote machine.” (Loshin & Cobb, 2021) Using SSH, tunnels can be created between remote LANs so information can be securely passed between the SNHUEnergy offices. This is especially important when it comes to querying personal or secure information from servers in a different office. Human Resources (HR) and Payroll may need to pull information from other offices. You would not want that information passing directly over the WAN. The same concerns would be directed towards company Email, as a lot of emails will hold secure information.


  • TCP – We also see that Transmission Control Protocol (TCP) is being used. “TCP (Transmission Control Protocol) is a standard that defines how to establish and maintain a network conversation through which application programs can exchange data.” (Lutkevich, 2021) We know that TCP/IP is being used by SNHUEnergy as described in the project scenario. On the Wireshark capture we see TCP in action. TCP, unlike UDP, is made to provide error-free data transmission. It sends and receives data packets from the transport layer and sends an acknowledgement (ACK on the Wireshark capture) when the information is transmitted successfully. We can see TCP protocol sending an acknowledgement from SQL and from SSH data transmissions.
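The breakdown above can be reproduced from a Wireshark CSV export. The following is an added example, not part of the original report: it maps each packet to one of the six /24 subnets and counts traffic per subnet pair and protocol. The capture rows are constructed, and the host addresses and the subnet each service sits in are assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# The six /24 subnets named in the report (10.0.1 through 10.0.6).
SUBNETS = [ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(1, 7)]

# Constructed rows in the column layout of Wireshark's CSV export.
# Host addresses and service placement are assumptions, not capture data.
SAMPLE_CSV = '''\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","10.0.3.15","10.0.1.20","MySQL","120","Request Query"
"2","0.002","10.0.1.20","10.0.3.15","TCP","66","3306 > 50112 [ACK]"
"3","0.010","10.0.4.31","10.0.5.42","RTP","214","PT=ITU-T G.711 PCMU"
"4","0.030","10.0.4.31","10.0.5.42","RTP","214","PT=ITU-T G.711 PCMU"
"5","0.050","10.0.6.7","10.0.1.20","SSH","118","Encrypted packet"
"6","0.051","10.0.3.15","10.0.3.16","TCP","66","445 > 50200 [ACK]"
"7","0.060","10.0.3.15","198.51.100.9","TCP","74","50300 > 443 [SYN]"
'''


def subnet_of(addr):
    """Return the report subnet that contains addr, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for net in SUBNETS:
        if ip in net:
            return str(net)
    return "external"


def traffic_matrix(csv_text):
    """Count packets per (source subnet, destination subnet, protocol)."""
    matrix = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (subnet_of(row["Source"]),
               subnet_of(row["Destination"]),
               row["Protocol"])
        matrix[key] += 1
    return matrix


def cross_subnet(matrix):
    """Flows that leave their own subnet: the ones inter-VLAN rules must cover."""
    return {k: v for k, v in matrix.items() if k[0] != k[1]}


def database_flows_to_check(matrix):
    """Cross-subnet flows Wireshark labelled MySQL.

    These are candidates to check for TLS or a tunnel, because the
    queries carry the HR, Payroll and Billing data the report is
    concerned about.
    """
    return {k: v for k, v in cross_subnet(matrix).items() if k[2] == "MySQL"}


if __name__ == "__main__":
    matrix = traffic_matrix(SAMPLE_CSV)
    for (src, dst, proto), packets in sorted(cross_subnet(matrix).items()):
        print(f"{src:>14} -> {dst:<14} {proto:<6} {packets} packet(s)")
    print("Database flows to check:", database_flows_to_check(matrix))
```
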


The project scenario states that “The total employee count is 120 across the organization, but this will grow by 50% each year for the next two years.” This means after two years SNHUEnergy is projected to have 270 employees. If each employee has one computer on the network, plus all of the other devices that require a network address, SNHUEnergy will quickly outgrow their Class C network. “Class C addresses are most common and used in small business and home networks. These support up to 256 hosts on each of 2 million networks.” (Lynn, 2013) The network will need to be re-configured into a Class B Network to support the growing company.

The other potential issue I see goes back to the idea of network segmentation with VLANs. SNHUEnergy is going to have four different offices. These offices are divided into departments that need to communicate and share data easily. For example, the HR department will have its own servers, employee computers, and phones. It would make more sense to configure the Switch ports to create a VLAN for HR and all of the devices they communicate with in order to simplify the network. Currently, it would be more complicated for HR employees in Dallas to access HR servers in the additional offices being added in Kansas City or Houston. Also, if all company computers for 270 employees are on the same VLAN, everyone will be able to see everyone else’s broadcast traffic. The traffic on this VLAN will be significantly larger than other VLANs on the network. Smaller broadcast domains equal less traffic congestion on the network.

Standard cybersecurity practices should be emphasized at every company. Employees should be told to choose a secure password, use two-step logins, limit the personal information shared online (avoiding social engineering), and never write down passwords or other sensitive information at their workstation. These are mostly Application Layer issues that deal very closely with User interaction with the network and applications. There are, however, specific security issues to discuss that have to do with the Applications and protocols being used by SNHUEnergy according to their critical traffic patterns. Here are some security issues that could arise on the network and how they pertain to layers of the OSI Model:

  • SSH Security – Since accessing the network devices remotely using SSH protocols requires security keys that are stored together on a central device, a security breach at this point would provide someone with malicious intent access to the entire network. This would include employee computers, company server farms, and even access to other private devices like cellphones that may be connected to the SNHUEnergy Wireless Access Points (WAP). Strict key management is essential to whole network security. (Loshin & Cobb, 2021) There are other considerations when it comes to SSH security. Configuring a Virtual Private Network (VPN) may be a better option for SNHUEnergy. “Unlike with a VPN, you must configure each application to use the SSH tunnel’s proxy. With a VPN, you’re assured that all traffic will be sent through the VPN – but you don’t have this assurance with an SSH tunnel.” (Hoffman, 2015) Employees would connect to the VPN from their devices before accessing anything from the company network. This would protect information and devices from hackers as it travels from office to office, because remote locations would be all on the same virtual network.

  • SQL Security – Good security practices need to start at the Application Layer “which presents potential intruders with the biggest attack surface”. (Application Layer Security and the OSI Model, 2016) Along with choosing secure passwords and making sure they are not stored in plain text, the main security issue with SQL servers is access. Access should be limited, and only granted at levels that restrict use to only what is needed. “Do not grant more privileges than necessary. Never grant privileges to all hosts.” (MySQL Internals Manual, 2021)

  • VLAN Security – VLANs are Virtual Local Area Networks, and they can help with security at the Data Link Layer. They provide segmentation of the network, so if one area is compromised by a security threat, the other areas are not also affected. We can tell by the Network Diagram that the subnet is segmented into VLANs and grouped by device type. For example, instead of segmenting the network by department, all Servers are grouped into one VLAN, and all corporate computers are grouped into another VLAN. This could cause a security issue: if the VLAN for the servers is compromised, all company data is at risk instead of just HR information or just payroll information. “Treating each segment as a separate network creates a great deal of additional work, since the attacker must compromise each segment individually; this approach also dramatically increases the attacker’s exposure to being discovered.” (Network Security Best Practices, 2021)

  • Firewalls – As stated before, Firewalls provide protection between networks. In this network there is one physical Firewall device that separates the LAN from the WAN/Internet. This is good, but it is not the best practice for an enterprise level company. “All modern switches and routers have firewall capabilities. These capabilities just need to be turned on and properly configured.” (Network Security Best Practices, 2021) The Router and both Switches in the diagram are probably equipped with a firewall that should be activated to further protect each segment of the network from outside attacks. Firewalls are helpful at the Network Layer and at the Transport Layer.
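The two rules quoted under SQL Security can be checked mechanically against the output of MySQL's `SHOW GRANTS`. The following is an added example, not part of the original report: it audits grant statements for all-host accounts, `ALL PRIVILEGES`, global scope and `WITH GRANT OPTION`. The account names, hosts and schemas in the sample are constructed.

```python
import re

# Matches the statement form printed by SHOW GRANTS, with either
# backtick or single-quote identifier quoting.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`'\"](?P<user>[^`'\"]*)[`'\"]@[`'\"](?P<host>[^`'\"]*)[`'\"]"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)

# Constructed sample: account names, hosts and schemas are illustrative.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO `billing_app`@`%` WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO `hr_report`@`10.0.2.15`",
    "GRANT SELECT ON `hr`.`employees` TO `hr_report`@`10.0.2.15`",
    "GRANT SELECT, INSERT ON `billing`.* TO `billing_svc`@`10.0.5.%`",
]


def audit_grants(statements):
    """Return {account: [finding, ...]} for grants that break the two rules."""
    findings = {}
    for stmt in statements:
        m = GRANT_RE.match(stmt.strip().rstrip(";"))
        if not m:
            continue  # not a GRANT line (for example a comment or header)
        account = f"{m['user']}@{m['host']}"
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        issues = findings.setdefault(account, [])

        # "Never grant privileges to all hosts."
        if m["host"] in ("%", ""):
            issues.append("any-host")

        # "Do not grant more privileges than necessary."
        if privs & {"ALL", "ALL PRIVILEGES"}:
            issues.append("all-privileges")
        # USAGE on *.* means "no privileges", so it is not a global grant.
        if m["scope"] == "*.*" and privs != {"USAGE"}:
            issues.append("global-scope")
        if "WITH GRANT OPTION" in m["rest"].upper():
            issues.append("grant-option")
    return findings


def risky_accounts(statements):
    """Accounts with at least one finding, sorted for stable output."""
    return sorted(a for a, f in audit_grants(statements).items() if f)


if __name__ == "__main__":
    for account, issues in audit_grants(SAMPLE_GRANTS).items():
        print(f"{account:<24} {', '.join(issues) or 'ok'}")
```
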



SNHU Energy is set for rapid expansion over the next two years, adding two new remote office locations and up to 120 additional employees. In the previous milestone the current network architecture was identified, as well as potential issues with scalability. Moving forward SNHUEnergy needs to focus on security and the scalability of their network. In some aspects, this will mean completely altering their current processes, and in other aspects only slight changes are necessary. This milestone will outline the essential networking changes that need to be made for the future of the company.

It is time for SNHU Energy to adopt a new network architecture for continued communication between multiple locations. As previously stated, the Subnet Mask used on the current network diagram shows that SNHUEnergy is using a Class C network. This type of network has limited usable IP addresses and is better suited for smaller companies and private home networks. SNHUEnergy runs the risk of reaching capacity very quickly. If they want to continue communication between all offices and departments, they want to create a network that will scale with them for the next ten years. This means they will need to switch to a Class B network. “Class B networks are defined as being between 128.0.0.0 and 191.255.255.255. In modern CIDR notation, a class B network would have the subnet mask /16, there would be a total of 16,384 possible networks and 65,536 possible individual host IP addresses per network.” (Hawthorne, 2019) The mask for a Class B network is 255.255.0.0.

Using the Class B network model, SNHU Energy will be able to connect all of the offices, employees and hardware they need going forward. This plan currently includes offices in Dallas, Memphis, Kansas City and Houston. The best practice should be to allow room for even more expansion in the network plan, since this is a projected ten-year model.

Aside from scalability, SNHU Energy had some major issues with network security and remote connectivity. There are three key areas of improvement that need to be incorporated into the new network plan.

Firewalls

Firewalls are essential for network security in any Local Area Network (LAN). “A firewall can be a router with access control lists (ACLs), a dedicated hardware box, or software running on a PC or UNIX system.” (Meeting Security Goals with Firewall Topologies, 2021) Whatever configuration is used, they all serve to stop unauthorized data packets from entering the secure network environment that could corrupt the system. In the current Network Diagram, SNHUEnergy has one firewall deployed between the Wide Area Network (WAN) and the Router at one office location. The growing network will need to utilize additional firewalls to create a more secure network. It is now recommended that firewalls be deployed (Cisco White Papers: Deploying firewalls throughout your organization, 2006):

  • Where the private corporate network meets the public internet

  • Throughout the enterprise network in key internal locations

  • At the WAN edge of branch office locations

SNHUEnergy should not only utilize router firewalls at every office location, but also firewalls at Switch locations that segment the LAN. This will provide further protection within the network. Internal firewalls can provide added security in the event that a cybersecurity attack makes it past the perimeter firewall. Utilizing Layer 3 Switches that are equipped with Firewalls will protect each VLAN in the Subnet.


VPN tunnels instead of SSH

Sending packets of data across the open internet is not secure. SNHUEnergy will be sending personal data from the HR and Payroll Departments from one remote office to another. This data needs to be protected from outside access by a process that provides encryption for confidentiality and integrity of the data transfer. Currently SNHUEnergy is using Secure Socket Shell (SSH) to create remote access tunnels for network administration. Instead of using SSH, the recommended way for SNHUEnergy to utilize secure tunnelling is to use Internet Protocol security (IPsec) for securing packets sent through site-to-site Virtual Private Network (VPN) tunnels. “VPN is a technology that allows for two geographically separate networks to connect and share data across insecure networks like the Internet.” (Halbach, 2018) The VPN tunnels can not only connect each of the four offices moving forward, but employees travelling for work or working remotely from home can connect to the VPN to access or transfer company data. Internet Protocol resides in the Network Layer of the OSI Model. “IPsec are protocols that define the cryptographic algorithms used to encrypt, decrypt and authenticate packets, as well as the protocols needed for secure key exchange and key management.” (Loshin, 2018)


Network Segmentation

Currently SNHUEnergy’s network is segmented by Virtual Local Area Networks (VLANs) by device type. For example, Servers are on their own VLAN and all Employee Computers are on a different VLAN. Several changes are needed to the network to provide better security, functionality and management of the network. Key arguments for changing the VLAN configuration are (Lorenzen, 2018):

  • IT employees will have an easier time managing the network by segmenting the network by department instead of by device type. This would mean creating separate VLANs for Email, Payroll, Accounting, HR, Billing, and Operations.

  • Segmenting the network in this way controls access across departments, and permissions can be set up according to security needs. This means that the HR employees at the Dallas office will be able to easily share information with the HR department in Kansas City and in Houston because they will be in the same VLAN.

  • VLANs can each have firewall and security features, so, for example, if one area is breached, all the servers will not be compromised, just the server for the department on that VLAN.

  • Businesses can set up a Guest VLAN to provide a Wireless Access Point to visiting customers or vendors without allowing access to the secured internal network. This creates another level of security beyond the firewall.

The changes recommended for network architecture are visually represented in the suggested Network Diagrams below.


This diagram is a visual representation for the solutions outlined in this report. It shows the Subnet segmented into VLANs that are logically grouped by department. The VLANs are labelled with Class B network addresses. The diagram also shows the addition of External Firewalls for both Office locations, and the addition of internal Firewalls at the Switches. Lastly, the SSH tunnel has been converted into a VPN tunnel in which data packets are protected by IPsec protocols. This diagram can be used as a template for all additional offices that will be added in the next two years. The plan is scalable and the same aspects of network segmentation and security will be used at every location added to provide continuity within the company.
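The addressing and segmentation described above can be sketched as a generated plan. The following is an added example, not part of the original report: it carves one /16 into a block per office and a /24 per department VLAN, then applies a default-deny rule that only permits traffic within one department. The 172.16.0.0/16 block, the /20 per office and the policy itself are assumptions, since the report does not list the addresses on its diagram.

```python
import ipaddress

# Assumption: a private /16 inside the Class B range. The report does not
# state which addresses its diagram uses.
SUPERNET = ipaddress.ip_network("172.16.0.0/16")
SITES = ["Dallas", "Memphis", "Kansas City", "Houston"]
# Department VLANs recommended in the report, plus the Guest VLAN.
DEPARTMENTS = ["Email", "Payroll", "Accounting", "HR",
               "Billing", "Operations", "Guest"]


def build_plan():
    """One /20 block per office, one /24 per department inside it."""
    plan = {}
    site_blocks = SUPERNET.subnets(new_prefix=20)
    for site, block in zip(SITES, site_blocks):
        for dept, net in zip(DEPARTMENTS, block.subnets(new_prefix=24)):
            plan[(site, dept)] = net
    return plan


def spare_site_blocks():
    """Office-sized blocks left in the /16 for future expansion."""
    return len(list(SUPERNET.subnets(new_prefix=20))) - len(SITES)


def has_overlap(plan):
    """True if any two VLAN subnets in the plan overlap."""
    nets = list(plan.values())
    return any(a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


def projected_headcount(current, growth, years):
    """Compound growth, as in the scenario: 120 staff, 50% per year."""
    for _ in range(years):
        current = round(current * (1 + growth))
    return current


def usable_hosts(net):
    """Host addresses in a subnet, excluding network and broadcast."""
    return net.num_addresses - 2


def staff_capacity(plan):
    """Total usable addresses across all non-Guest VLANs."""
    return sum(usable_hosts(n) for (_, d), n in plan.items() if d != "Guest")


def locate(plan, addr):
    """Return (site, department) for an address, or None if unplanned."""
    ip = ipaddress.ip_address(addr)
    for key, net in plan.items():
        if ip in net:
            return key
    return None


def allowed(plan, src, dst):
    """Default deny: permit only traffic that stays within one department.

    Guest addresses never reach internal VLANs; their internet access is
    outside what this sketch models.
    """
    s, d = locate(plan, src), locate(plan, dst)
    if s is None or d is None:
        return False
    if "Guest" in (s[1], d[1]):
        return False
    return s[1] == d[1]


if __name__ == "__main__":
    plan = build_plan()
    for (site, dept), net in plan.items():
        print(f"{site:<12} {dept:<11} {net}")
    print("Spare office blocks:", spare_site_blocks())
```
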




As mentioned previously, SNHUEnergy should be using VPN tunnels instead of SSH tunnels to securely communicate between remote office LANs. This section of the report will describe what technology is necessary for creating and securing VPN tunnels as well as the network and infrastructure.


Software as a Service has been around for a while, but with the increased adoption of Cloud Computing, Network as a Service (NaaS) is becoming a popular option for businesses. “Network as a Service (NaaS) is an emerging model for organizations to consume network infrastructure through flexible operating expense (OpEx) subscriptions, inclusive of hardware, software, management tools, licenses, and lifecycle services.” (What's driving the trend toward NaaS?, 2021) NaaS allows IT professionals to control and secure the company’s network virtually instead of having to be on-site. Combining a NaaS with a Cloud Computing platform would decrease downtime from network equipment malfunctions. It can also mitigate security issues by centralizing data into one location that can be securely accessed by VPN tunneling and that also offers redundancy for data backup and recovery.

If SNHUEnergy migrates their data to a Cloud Computing platform, they will eliminate the inconvenience of having their data spread out across the country. For example, the central office may need access to the payroll server that physically exists in a remote office and even in a different state. If there is a storm and the electricity goes out at that office, the server cannot be accessed by anyone else in the company. If the company as a whole uses Cloud Storage, any employee can securely access any data from any location without network inconsistencies. It would be as simple as logging into the Virtual Network. Other benefits of Cloud Computing that will benefit SNHUEnergy include (Basu, 2021):

  • Cost. With Cloud Computing you only pay for what you use. Purchasing more data storage or more application access can be done with the click of a mouse. There is also no need to pay for a team of IT employees on site. The service will have its own professionals available to maintain the cloud.

  • Flexibility. Instead of investing in a complicated server infrastructure, SNHUEnergy could scale up in data storage by simply paying for more storage. There would be no need to purchase more servers and more equipment when it’s time to expand operations. Setting up a new remote office will be as easy as plugging in a computer and logging into a virtual desktop on the cloud computing platform.


The recommended Cloud Computing tool is Microsoft (MS) Azure. MS Azure is a cloud computing platform that offers secure site to site VPN gateways. After migrating company data to MS Azure, the remote offices can use these VPN gateways to securely access the data that will be encrypted for transfer. “More than 95 percent of Fortune 500 companies trust their business on Azure today, and many of them take advantage of Azure hybrid capabilities to fuel innovation and deliver great business outcomes.” (Microsoft Azure: The only consistent, comprehensive hybrid cloud, September ) The main reason these companies trust MS Azure with their data is the high level of security offered. “Azure offers the broadest built-in security and management capabilities to ensure that Linux and Windows resources across cloud and on-premises are monitored, backed up, secure, and resilient in a unified way.” (Microsoft Azure: The only consistent, comprehensive hybrid cloud, September )

Microsoft Azure can be paired with a company that provides NaaS like Perimeter 81. Perimeter 81 has an integration option for Microsoft Azure. The two will work seamlessly together to provide data storage and manage a secure network architecture. “Essentially, IT logs into their NaaS panel via a web browser and begins setting up their organization’s network: Deploying gateways in specific regions near their offices, branches, and remote employees then running encrypted tunnels between them and resources in the cloud or local environment.” (Network as a Service (NaaS): Unified, Empowered Networking for IT, 2021)


MS Azure VPN Gateways are secure by design. “Gateways are the entryway to these parts of the network, and traffic is encrypted between user devices and the gateways or resources these devices are trying to access.” (Network as a Service (NaaS): Unified, Empowered Networking for IT, 2021) Perimeter 81 adds to the security by offering many network security features including (Reduce your network’s attack surface with Zero Trust Network Access, 2021):

  • Multi-Factor Authentication. Authenticates employee logins and provides secure access to the protected network.

  • Automatic WIFI Security. WIFI connections are automatically routed through the secure server.

  • DNS Filtering. Malicious websites and connections are denied access, even if employees click on them.

  • Zero-Trust Access. All internal and external connections to the network must be verified.

NaaS is a great alternative to relying on a physical network for data transfer between remote locations and across the WAN, but it will still be important to physically secure the LAN at each office location. The addition of firewalls, as previously discussed, will help to secure each segment of the LAN. This is especially important when offering WAPs that employees can join from company and personal devices. Keeping the insecurities of the WAN separate from the workspace is imperative.


If the current routers and switches are outdated and do not come equipped with firewalls, they will need to be upgraded. External firewalls that separate the LAN from the WAN are important, but it is also necessary to offer a second level of protection by integrating internal firewalls. These should be set up at each VLAN.
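The internal firewalls recommended above only add protection if their rules are ordered correctly. The following is an added example, not part of the original report: it assumes first-match rule evaluation with a default deny, and the VLAN names, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN plan (assumption; the report gives no addressing).
VLANS = {
    "hr_servers": ipaddress.ip_network("10.10.10.0/24"),
    "accounting": ipaddress.ip_network("10.10.20.0/24"),
    "staff_wifi": ipaddress.ip_network("10.10.30.0/24"),  # WAP: company and personal devices
}
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None     # None matches every destination port

WIFI_BLOCK = Rule("deny", VLANS["staff_wifi"], VLANS["hr_servers"])
WIFI_WEB = Rule("allow", VLANS["staff_wifi"], ANY, 443)
ACCT_HR = Rule("allow", VLANS["accounting"], VLANS["hr_servers"], 443)

GOOD_POLICY = [ACCT_HR, WIFI_BLOCK, WIFI_WEB]   # specific deny before broad allow
BAD_POLICY = [ACCT_HR, WIFI_WEB, WIFI_BLOCK]    # same rules, wrong order

def decide(policy, src_ip, dst_ip, port):
    """First matching rule wins; traffic that matches nothing is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "deny"

def exposed_ports(policy, src_vlan, dst_vlan, ports=(22, 443, 1433, 3389)):
    """Ports on which src_vlan can reach dst_vlan. Rules are written per VLAN,
    so the first host of each VLAN stands in for the whole segment."""
    src = next(VLANS[src_vlan].hosts())
    dst = next(VLANS[dst_vlan].hosts())
    return [p for p in ports if decide(policy, src, dst, p) == "allow"]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, "wifi->hr:", exposed_ports(policy, "staff_wifi", "hr_servers"))
```

Running the same audit against each office's rule set before deployment shows whether the WAP segment can reach a server VLAN on any port.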

No equipment changes will be needed to set up MS Azure and Perimeter 81 services. SNHUEnergy will essentially be migrating to a Software-Defined Network (SDN). “Software-defined networking (SDN) is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network.” (Software-Defined Networking (SDN), 2021) SNHUEnergy will simply purchase a subscription to these services and train employees on the use of these services.


SNHUEnergy is growing rapidly and changes need to occur. With those changes come a few challenges. Adopting new technology will not be easy for employees. SNHUEnergy will need not only a plan for training current employees on MS Azure Cloud Computing practices but also a curriculum for training incoming employees. Thankfully Microsoft, as well as many third-party technology companies, have trainings available. The Microsoft Partner Network offers online and in-person trainings for businesses looking to begin cloud computing with MS Azure. They have classes on everything from Azure Fundamentals to configuring and deploying virtual machines. (Partner Network, 2021)


One positive that came out of the recent COVID-19 pandemic was the advancement of remote work and remote learning as an established practice. Moving forward, a lot of companies are going to continue having employees work remotely to save money on facility costs. “Some companies plan to remain 100% remote post-pandemic, while others -- including companies like Reddit and Microsoft -- will take a hybrid approach, giving workers more flexibility about where they work.” (Vasal, 2021) This means that the business of Cloud Computing and virtual networks for remote connectivity is only going to expand in the future. This not only connects remote workers but creates new ways for international and global companies to connect their offices without worrying about secure connections. One of the biggest security risks is the use of devices on unsecured networks. By utilizing an SDN that is controlled through VaaS in a centralized and consistent way, SNHUEnergy will control the security of the entire network virtually, eliminating the risks that come with network inconsistencies at each office or remote location.

Another reason that adoption of these technologies is low risk is the financial investment. MS Azure and Perimeter 81 are subscription services that offer superior data and network security. They can be cancelled or scaled back to save money at any time. Security can scale with the company, adding extra security features with the click of a mouse. If SNHUEnergy purchases servers and infrastructure to build a server farm for the anticipated growth and that growth doesn’t happen, they have wasted a lot of money on that investment. Securing a network and hiring a team of employees to monitor security is also very expensive. These services are included with the subscription services, usually with services accessible 24 hours a day, 7 days a week if a security emergency should arise.

SNHUEnergy Inc. currently has a standard network infrastructure that is sufficient for their current needs. However, with the projected growth of the company, scalability is an issue moving forward. With the suggested network and infrastructure changes, SNHUEnergy will be able to scale up for the next ten years with no issues.






References

Application Layer Security and the OSI Model. (2016, October 11). Retrieved from Finjan Cybersecurity: https://blog.finjan.com/application-layer-security-and-the-osi-model/

Basu, C. (2021). The Advantages of Cloud Computing for Business. Retrieved from Chron: https://smallbusiness.chron.com/advantages-cloud-computing-business-21914.html

(2006). Cisco White Papers: Deploying firewalls throughout your organization. Cisco.

Halbach, B. (2018, October 26). Security Risks – Business to Business VPNs. Retrieved from 3keylogic: https://www.3keylogic.com/2018/10/18/306/

Hawthorne, M. (2019, August 16). Class B Network. Retrieved from Technipages: https://www.technipages.com/definition/class-b-network#:~:text=Class%20B%20networks%20are%20defined,host%20IP%20addresses%20per%20network.

Hoffman, C. (2015, June 9). VPN vs. SSH Tunnel: Which is more secure? Retrieved from How-To-Geek: https://www.howtogeek.com/118145/vpn-vs.-ssh-tunnel-which-is-more-secure/

IT 640 Final Project Guidelines. (2021, March). SNHU. SNHU.

Lorenzen, M. (2018, June 20). The Importance of Using VLANs to Segment Network Traffic. Retrieved from LinkedIn: https://www.linkedin.com/pulse/importance-using-vlans-segment-network-traffic-mike

Loshin, P. (2018, May). IPsec (Internet Protocol Security). Retrieved from TechTarget: https://searchsecurity.techtarget.com/definition/IPsec-Internet-Protocol-Security

Loshin, P., & Cobb, M. (2021). Secure Shell (SSH). Retrieved from TechTarget: https://searchsecurity.techtarget.com/definition/Secure-Shell

Lutkevich, B. (2021). TCP (Transmission Control Protocol). Retrieved from TechTarget: https://searchnetworking.techtarget.com/definition/TCP#:~:text=TCP%20(Transmission%20Control%20Protocol)%20is,of%20data%20to%20each%20other.

Lynn, S. (2013, December 27). The ABC's of IP Addresses. Retrieved from PCMag: https://www.pcmag.com/news/the-abcs-of-ip-addresses

Meeting Security Goals with Firewall Topologies. (2021, February 19). Retrieved from Cisco Certified Expert: https://www.ccexpert.us/network-design-2/meeting-security-goals-with-firewall-topologies.html

Microsoft Azure: The only consistent, comprehensive hybrid cloud. (2018, September 25). Retrieved from Microsoft: https://azure.microsoft.com/en-us/blog/microsoft-azure-the-only-consistent-comprehensive-hybrid-cloud/

Mitchell, B. (2020, November 17). 255.255.255.0 subnet mask networks. Retrieved from Lifewire: https://www.lifewire.com/255-255-255-0-ip-networking-818371

MySQL Internals Manual. (2021). Oracle.

Network as a Service (NaaS): Unified, Empowered Networking for IT. (2021). Retrieved from Perimeter 81: https://www.perimeter81.com/resources/network-as-a-service?accountid=2597329217&utm_source=google&utm_medium=cpc&utm_campaign=12791319574&utm_adgroup=125090651710&utm_feeditem=&utm_target=kwd-918527774853&utm_phylocation=9028634&utm_matchtype=b&utm_networ

Network Security Best Practices. (2021). Retrieved from Netwrix: https://www.netwrix.com/network_security_best_practices.html

Pandey, H., & Thiyari, K. (2020, February 4). Layers of the OSI model. Retrieved from GeeksforGeeks.org: https://www.geeksforgeeks.org/layers-of-osi-model/

Partner Network. (2021). Retrieved from Microsoft: https://partner.microsoft.com/en-US/azureskills

Rathnam, L. (2018, October 5). What is a layer 3 switch and why would your network need it? Retrieved from TechGenix: https://techgenix.com/layer-3-switch/

Real Time Transport Protocol (RTP). (2020, June 24). Retrieved from GeeksforGeeks: https://www.geeksforgeeks.org/real-time-transport-protocol-rtp/

Reduce your network’s attack surface with Zero Trust Network Access. (2021). Retrieved from Perimeter 81: https://www.perimeter81.com/zero-trust-network-access

Routers, switches, firewalls, etc. (2021). Retrieved from thenetworkengineer.com: https://thenetworkengineer.com/hardware/routers-switches-firewalls-etc/

Schulzrinne, H. (2003). RTP Profile for Audio and Video Conferences with Minimal Control. Internet Standard.

Shaw, K. (2020, October 4). The OSI model explained and easily remember its 7 layers. Retrieved from networkworld.com: https://www.networkworld.com/article/3239677/the-osi-model-explained-and-how-to-easily-remember-its-7-layers.html

Software-Defined Networking (SDN). (2021). Retrieved from VMWare: https://www.vmware.com/topics/glossary/content/software-defined-networking

Vasal, K. (2021, March 11). The pandemic forced a massive remote-work experiment. Now comes the hard part. Retrieved from CNN Business: https://www.cnn.com/2021/03/09/success/remote-work-covid-pandemic-one-year-later/index.html

Weinberg, N. (2018, March 16). What is MPLS: What do you need to know about multi-protocol label switching. Retrieved from networkworld.com: https://www.networkworld.com/article/2297171/network-security-mpls-explained.html

What's driving the trend toward NaaS? (2021). Retrieved from Cisco: https://www.cisco.com/c/en/us/solutions/enterprise-networks/network-as-service-naas.html


