The document discusses network issues and improvements for two companies that are merging their networks. It identifies out of date networking devices, operating systems, and security issues such as open ports and inactive user accounts. It provides recommendations to upgrade outdated components, implement network segmentation, establish security policies around passwords and accounts, and designate security leadership roles to oversee the merged network.

C700 – Performance Assessment

Joshua Farrow

College of Information Technology, Western Governors University

Ron Mendell

September 8, 2022

Contents
Company A’s Network Problems........................................................................................4
Zenmap and OpenVAS........................................................................................................7
Company B’s Network Problems....................................................................................8
Correcting Problems and Improvement.........................................................................10
Merged Network Topology.................................................................................................1
OSI Model and TCP/IP Protocol Stack Layers...................................................................2
Justification of Merged Network Topology........................................................................2
Secure Network Design Principles......................................................................................1
Secure Hardware / Software Components...........................................................................2
Regulatory Compliance Requirement..................................................................................2
Integration Problems............................................................................................................3
Managing or Mitigating Integration Problems................................................................3
References............................................................................................................................5

Company A’s Network Problems

First, starting with the organizational chart, it is recommended to add a Compliance and Risk Management department. If the merger is going to move the position of IT director to Chief Information Officer (CIO), it would also make sense to create a Chief Information Security Officer (CISO) role. If money does not permit another C-level position, the recommendation would be to create a Corporate Information Systems Manager (CISM) position underneath the CIO. This would provide the company with resources capable of directing corporate security policy and standards.

The current structure does not provide much in the way of a Security Operations Center, and this merger will give the best opportunity to establish one. The recommendation is to incorporate the Help Desk and Network Operations Center into an overarching Security Operations Center. Assuming that the CISM route above is chosen, this position would be placed within the SOC, with a Security Administrator position also added to this area. It is also recommended to provide cross-training to the networking and security teams so that they are each familiar with the basics of the other’s department. The help desk technicians should also receive basic-level security training to ensure that the main, front-line defense is trained appropriately on security matters.

Moving on to the components that make up the network, several issues need to be remediated immediately:

Networking Devices:

1) Cisco 2960 switches were retired and reached end-of-life (EOL) on October 31, 2019 (Cisco Systems, Inc., 2016). Recommend upgrading to a newer model of the same or different brand.
2) Cisco 2811 routers were retired and reached EOL on November 1, 2016 (Cisco Systems, Inc., n.d.). Recommend upgrading to a newer model of the same or different brand.
3) Cisco PIX 515E firewalls were retired and reached EOL on May 25, 2007 (Cisco Systems, Inc., n.d.). Recommend upgrading to a newer model of the same or different brand.

Operating Systems:

1) Microsoft Windows Server 2008 reached EOL on January 14, 2020 (Microsoft, Inc., 2022). Recommend upgrading to a currently supported server operating system.
2) Microsoft Windows 7 reached EOL on January 14, 2020 (Microsoft, Inc., n.d.). Recommend upgrading to a currently supported desktop operating system.

Finally, several policy issues need to be addressed:

1) Open common ports on several workstations utilized for remote desktop capability.
   a. It needs to be determined whether any software-based firewall (e.g., Windows Firewall) is being utilized to explicitly list which sources can access these devices remotely.
2) Inactive user accounts are not being removed.
   a. Inactive accounts pose a security threat by giving former employees or attackers an opportunity to take advantage of them. Inactive accounts need to be disabled and deleted after a specified time.
3) Full access privileges are granted to non-administrative user accounts.
   a. Allowing non-administrative user accounts to have full-access privileges opens the door for malicious events, whether done purposefully or accidentally.
4) Regular password changes are not enforced.
   a. Password retirement and refreshing should occur regularly. This ensures password reuse is avoided, and any credentials an attacker may have stolen will eventually be made unusable.
5) Network segmentation needs to be implemented to virtually separate different components. Segmenting servers, printers, and workstations on their respective VLANs is recommended.
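As an added example (not part of the assessment), the account-hygiene checks from items 2 through 4 above expressed as a small audit routine in Python. The thresholds (90 days to disable, 180 days to delete, 90-day password age), the account records and the field names are all assumptions for this example; a real deployment would feed it records exported from the domain controller.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds. These numbers are assumed for the example; the
# assessment only says accounts should be disabled and deleted "after a specified time".
INACTIVE_DISABLE_DAYS = 90    # no logon for this long -> disable
INACTIVE_DELETE_DAYS = 180    # no logon for this long -> delete
MAX_PASSWORD_AGE_DAYS = 90    # password older than this -> force a change


@dataclass
class Account:
    name: str
    last_logon: Optional[date]   # None means the account has never logged on
    password_last_set: date
    enabled: bool
    is_admin_role: bool          # the account is *meant* to hold admin rights
    has_full_access: bool        # the account *actually* holds full/admin rights


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the policy findings for one account (empty list = compliant)."""
    findings: List[str] = []

    # Item 2: inactive accounts. An account that never logged on is measured
    # from the date its password was set, the closest thing to a creation date here.
    idle_days = (today - (acct.last_logon or acct.password_last_set)).days
    if idle_days >= INACTIVE_DELETE_DAYS:
        findings.append("delete-inactive")
    elif idle_days >= INACTIVE_DISABLE_DAYS and acct.enabled:
        findings.append("disable-inactive")

    # Item 4: password age, so that stolen credentials eventually become unusable.
    if (today - acct.password_last_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-expired")

    # Item 3: full privileges on an account that is not an administrative role.
    if acct.has_full_access and not acct.is_admin_role:
        findings.append("excess-privilege")

    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map account name -> findings, listing only accounts with at least one finding."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        found = audit_account(acct, today)
        if found:
            report[acct.name] = found
    return report


# Constructed sample directory export; names and dates are invented for this example.
SAMPLE_ACCOUNTS = [
    Account("jdoe", date(2022, 9, 1), date(2022, 7, 15), True, False, False),
    Account("former.employee", date(2022, 1, 10), date(2021, 12, 1), True, False, False),
    Account("contractor", date(2022, 5, 20), date(2022, 5, 20), True, False, True),
    Account("svc_backup", date(2022, 9, 7), date(2022, 8, 1), True, True, True),
]
AS_OF = date(2022, 9, 8)  # the assessment's date, used as "today"


if __name__ == "__main__":
    for name, found in audit(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{name}: {', '.join(found)}")
```

The disable step is skipped for an account that is already disabled, but the delete step is not, so an account that was disabled at 90 days is still surfaced for deletion at 180; this keeps the two-stage lifecycle from item 2 visible in the report.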

Zenmap and OpenVAS

Company B’s Network Problems

Figure 1

Company B’s current topology can be seen above in Figure 1. The WinXP, Win7, and Ubuntu18 machines appear in a DMZ, with all core servers placed behind the OPNsense firewall. It did not appear that any of the “DMZ” machines were able to reach the servers behind the firewall. This seems to be due to a missing route on the router in front of the firewall. Due to this, an external scan of the “DMZ” was chosen as the preferred scanning method. From this scan, two significant security impacts were found on Company B’s network:
1) The use of an unsupported Windows XP machine (discovered via OpenVAS).
2) The use of an open Telnet port (discovered via Nmap).

Impact of Windows XP Machine

Official support for Windows XP ended on April 8, 2014 (Microsoft Inc., n.d.). Besides an emergency patch release for XP SP3 in 2017 regarding the WannaCry exploit (Horowitz, 2017), there has been no other support for Windows XP. Due to this, it has been highly recommended that organizations upgrade all existing XP machines to Windows 10. Continuing to utilize Windows XP in the merged environment will bring significant risk, since the operating system's vulnerabilities can no longer be mitigated through vendor updates.

Impact of Open Telnet Port

The Nmap scan results revealed that Telnet was in use via the OPNsense firewall. Upon further examination, it was determined that the firewall currently port-forwards all Telnet traffic to 192.168.25.4 (see Figure 2 below), which corresponds to the Windows 2008 R2 server. A connection was established from the external Kali machine to this server, and utilizing the admin credentials allowed a remote console on the server to be accessed.

Figure 2
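As an added example (not part of the assessment or its scan output), a Python parser for Nmap's grepable (-oG) format that turns a scan into the two kinds of finding reported above: an exposed cleartext or remote-console service, and a host whose OS guess is past end-of-life. The sample output is constructed for this example (host names and the Linux host are invented; only 192.168.25.4 is an address the assessment names), and the list of risky ports with their remediation notes is an assumption.

```python
from typing import Dict, List, Tuple

# Services that should not be reachable from outside the perimeter. The port list and
# the remediation text are assumptions for this example, not from the assessment.
RISKY_SERVICES = {
    23: "telnet (cleartext remote console) - replace with SSH",
    3389: "rdp (remote desktop) - move behind the VPN and restrict source addresses",
    21: "ftp (cleartext credentials) - replace with SFTP",
}

# Substrings of Nmap's OS guess that mean the host is past vendor support,
# matching the end-of-life systems called out in the assessment.
EOL_OS_MARKERS = ("Windows XP", "Windows 7", "Windows Server 2008")

# Constructed sample of Nmap's grepable (-oG) output; not real scan output.
SAMPLE_GREPABLE = (
    "# Nmap 7.92 scan initiated (constructed sample, not real scan output)\n"
    "Host: 192.168.25.4 (win2008r2)\tStatus: Up\n"
    "Host: 192.168.25.4 (win2008r2)\tPorts: 23/open/tcp//telnet///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///"
    "\tOS: Microsoft Windows Server 2008 R2\n"
    "Host: 192.168.25.10 (winxp)\tStatus: Up\n"
    "Host: 192.168.25.10 (winxp)\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP SP3\n"
    "Host: 192.168.25.12 (ubuntu18)\tStatus: Up\n"
    "Host: 192.168.25.12 (ubuntu18)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tOS: Linux 4.15\n"
    "# Nmap done\n"
)

Port = Tuple[int, str, str]  # (port number, state, service name)


def parse_grepable(text: str) -> Dict[str, dict]:
    """Parse -oG output into {ip: {"ports": [(port, state, service), ...], "os": str}}.

    Grepable output is tab-separated 'Key: value' fields; each port entry is
    port/state/protocol/owner/service/rpcinfo/version separated by slashes.
    """
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and the trailing summary
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"ports": [], "os": ""})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for spec in field[len("Ports:"):].split(","):
                    parts = spec.strip().split("/")
                    if len(parts) >= 5 and parts[0].isdigit():
                        entry["ports"].append((int(parts[0]), parts[1], parts[4]))
            elif field.startswith("OS:"):
                entry["os"] = field[len("OS:"):].strip()
    return hosts


def findings(hosts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Flag exposed risky services and end-of-life operating systems per host."""
    report: Dict[str, List[str]] = {}
    for ip, info in hosts.items():
        flagged = []
        for port, state, service in info["ports"]:
            if state == "open" and port in RISKY_SERVICES:
                flagged.append(f"{port}/{service}: {RISKY_SERVICES[port]}")
        if any(marker in info["os"] for marker in EOL_OS_MARKERS):
            flagged.append(f"os: {info['os']} is past end-of-life")
        if flagged:
            report[ip] = flagged
    return report


if __name__ == "__main__":
    for ip, flagged in findings(parse_grepable(SAMPLE_GREPABLE)).items():
        print(ip)
        for item in flagged:
            print("  -", item)
```

Only ports in the "open" state are counted, so a filtered port that a firewall is already blocking does not produce a false finding; the OS check is a substring match on Nmap's guess, which is good enough to triage but should be confirmed with an authenticated scan such as the OpenVAS result the assessment relied on for the XP host.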

Correcting Problems and Improvement

Windows XP Machine

The simplest way to remediate this problem would be to replace it with a Windows 10 machine. Care would need to be taken to ensure that any software running on the device is upgraded accordingly. This would only be important if the machine were hosting software that had the potential to negatively impact the company should it be made unavailable. Otherwise, simply replacing the machine will suffice. If the device is not needed, the suggestion would be to eliminate it. This solution will ensure that all machines on the network are capable of being upgraded and supported by official channels.

Open Telnet Port

It is best practice to replace Telnet connections with the SSH protocol. This ensures that all data is encrypted, including any passwords passed to the machine. Suppose there is software that is dependent on the Telnet protocol. In that case, it is recommended to find a replacement, especially if the device hosting the connection will be publicly accessible in any way. This solution ensures that only encrypted tunneling options exist within the network.

Merged Network Topology

[Figure: merged network topology diagram]

OSI Model and TCP/IP Protocol Stack Layers

Components               OSI Layer   TCP/IP Layer
Layer 3 Switch           3           2
Firewall                 3           2
Workstations / Desktops  7           4
Laptops                  7           4
Printer                  7           4
Servers                  7           4

Justification of Merged Network Topology

Components Retained

Switches. It was determined that the current switches (4 x Cisco 2960 48-port, 3 x Cisco 2960 24-port) were far past their end-of-life date and needed to be replaced. Four 48-port, full-POE, and four 24-port, full-POE FortiSwitches were chosen to replace the Cisco switches. These are layer-3 switches and thus incorporate the capability for routing. The reason for selecting Fortinet switches was purely due to personal preference. As it stands, any current model and brand would create a more robust security posture than what the Cisco 2960s were previously providing. The FortiSwitches have been paired up with a three-year, 24x7 FortiCare warranty.

Firewall. It was determined that the current firewall (Cisco PIX 515E) was already far past its end-of-life date. A FortiGate 80F was chosen to replace the Cisco firewall. Due to its features and capabilities, the 80F will provide substantially better security performance than the PIX 515E. The FortiGate has been paired up with a three-year, 24x7 FortiCare warranty.

Servers. Both Windows 2008 R2 servers have been upgraded to Windows Server 2016. This ensures that none of the servers are without official Windows support.

Components Removed

Border Router. The decision was made to remove the border router, as the new FortiGate 80F will be able to fill this role without issue. It includes two SFP ports if a fiber connection is needed. It will also be able to facilitate a DMZ, as well as an internal LAN. Both network zones will be physically segregated by interfaces, as well as logically, via firewall policy on the 80F. The 80F will also act as a VPN headend for employees to access specific resources on the company network.

Components Added

DMZ Switch. A DMZ switch was added to the topology to allow for future scalability of the DMZ. The switch will not play a substantial part in the network’s security but will provide better functionality in the future, should more resources be needed within the DMZ.

Cost Breakdown of Additions/Upgrades

Item                           Description                            Qty   Price        Totals
FortiSwitch 224D-FPOE          FortiSwitch - 24 Port - Full POE       4     $ 1,229.99   $ 4,919.96
FortiCare - 3 Yrs              FortiCare for 224D-FPOEs               4     $ 459.99     $ 1,839.96
FortiSwitch 248E-FPOE          FortiSwitch - 48 Port - Full POE       4     $ 2,365.99   $ 9,463.96
FortiCare - 3 Yrs              FortiCare for 248E-FPOEs               4     $ 999.99     $ 3,999.96
FortiGate 61F                  FortiGate 61F w/ 3 year FortiCare      1     $ 3,561.99   $ 3,561.99
Windows 10 Upgrade License     Laptop and Workstation O/S Upgrades    15    $ 277.99     $ 4,169.85
Windows Server 2016 License    Upgrade for Windows 2008 R2 Servers    2     $ 883.00     $ 1,766.00
Dell Precision 3260 Compact    Windows XP Replacement                 1     $ 1,081.99   $ 1,081.99
                                                                            Total Cost   $ 30,803.67

Budgeted      $ 35,000.00
Total Cost    $ 30,803.67
Over/Under    $ 4,196.33

Secure Network Design Principles

Network Segmentation

The merged network will include network segmentation physically and virtually. Physical segmentation will be accomplished by segregating the DMZ on a separate physical interface on the FortiGate 80F. This ensures that traffic between the DMZ and all other interfaces can be adequately controlled via firewall policy.

Logical segmentation will be achieved by separating similar hardware groups into different VLANs. As shown in the topology diagram, three VLANs have been created: users, printers, and servers. Security policy will be applied to the FortiSwitches to filter which traffic is allowed to pass between VLANs.
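As an added example (not part of the assessment, and not FortiSwitch configuration), a Python model of the inter-VLAN filtering described above: the three VLAN names come from the assessment, while the subnets, the rule list, the permitted ports and the sample flows are assumptions made for this example. It shows the first-match, default-deny evaluation that switch ACLs or firewall policies would perform, and why a printer or server never gets to initiate traffic into the users VLAN.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed VLAN plan. The three VLAN names come from the assessment;
# the subnets are assumed for this example.
VLANS = {
    "users": ipaddress.ip_network("10.10.10.0/24"),
    "printers": ipaddress.ip_network("10.10.20.0/24"),
    "servers": ipaddress.ip_network("10.10.30.0/24"),
}

# Inter-VLAN rules: (source VLAN, destination VLAN, allowed TCP ports; None = any port).
# Evaluated top to bottom, first match wins, and anything unmatched is denied.
# The port selections are assumptions for this example.
Rule = Tuple[str, str, Optional[Set[int]]]
RULES: List[Rule] = [
    ("users", "printers", {9100, 631}),          # raw/IPP printing only
    ("users", "servers", {88, 389, 445, 636}),   # Kerberos, LDAP(S), SMB shares
    ("users", "users", None),                    # traffic inside a VLAN is not filtered here
    ("printers", "printers", None),
    ("servers", "servers", None),
    # No rule lets printers or servers initiate traffic into the users VLAN, and
    # nothing lets printers reach servers: those flows fall through to the default deny.
]


def vlan_of(ip: str) -> Optional[str]:
    """Name of the VLAN whose subnet contains ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Decide a TCP flow and report which rule decided it ("default-deny" if none matched)."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False, "default-deny (address outside the VLAN plan)"
    for index, (rule_src, rule_dst, ports) in enumerate(RULES, start=1):
        if rule_src == src and rule_dst == dst and (ports is None or dst_port in ports):
            return True, f"rule {index}: {rule_src} -> {rule_dst}"
    return False, "default-deny"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return evaluate(src_ip, dst_ip, dst_port)[0]


if __name__ == "__main__":
    # Constructed sample flows exercising each VLAN boundary.
    for flow in [("10.10.10.25", "10.10.20.5", 9100),    # user prints
                 ("10.10.10.25", "10.10.20.5", 445),     # user to printer SMB
                 ("10.10.20.5", "10.10.30.10", 445),     # printer to server
                 ("10.10.10.25", "10.10.30.10", 3389),   # user RDP to server
                 ("10.10.30.10", "10.10.10.25", 445),    # server to user
                 ("192.168.25.4", "10.10.30.10", 445)]:  # address not in the plan
        allowed, why = evaluate(*flow)
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {'ALLOW' if allowed else 'DENY '}  ({why})")
```

Because there is no catch-all permit, any flow the rule list does not name (a printer opening a connection to a server, a server reaching into the users VLAN, a host outside the plan) is denied and labelled as such, which is the behaviour the switch ACLs need to reproduce for the segmentation to mean anything.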

Defense-in-Depth

Initially, six PCs had remote access open to the public internet. This created a significant security hole by allowing an attacker direct access to the corporate network. The need for employees to remotely access their workstations still exists, so a VPN has been created to enable employees to connect to the corporate network in a much safer and more secure manner. The VPN is facilitated by the FortiGate 80F and requires the use of the FortiClient VPN software on any device the employee wants to use to connect to the VPN. Should an attacker attempt to break into the network, they would first need to be able to sign in to the VPN as an authorized employee. Any attacks they perform would then need to get past the network and operating system firewalls on the workstations and servers. Since all the machines are now on current operating systems, the attacker would have to find an unpatched machine to take over. The chances of this occurring have dropped significantly with the new network design.

Secure Hardware / Software Components

Hardware Component

FortiGate 80F Firewall. The new FortiGate 80F firewall provides security in the form of firewall policies, an intrusion protection system, web filtering, SSL certificate inspection, and antivirus. Being set up as a border device, the firewall will be the first line of defense against attacks, so it must have multiple capabilities to defend the network adequately.

Software Component

Windows Server 2016. As a current operating system, Windows Server 2016 has a built-in, host-based firewall (Windows Advanced Firewall) and built-in antivirus software (Windows Defender). This gives the organization a much more robust security posture as it relates to the various servers utilized in the environment. This will reduce the number of attack vectors on the server and contributes to defense-in-depth.

Regulatory Compliance Requirement

With the merger of Company B, the organization will be required to comply with the Gramm-Leach-Bliley Act (GLBA). The merged network topology specifically complies with requirement 16 CFR 314.4(c)(1), which states:

    Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:
    (i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and
    (ii) Limit authorized users' access only to customer information that they need to perform their duties and functions or, in the case of customers, access their data. (Federal Trade Commission, 2002)


This is accomplished in several ways. First, access to the internal network from external connections is facilitated by the firewall. Any external access requires a corresponding policy to be in place for access to be granted. The only type of data that is publicly accessible is that which a firewall policy has defined. Secondly, only authorized, intra-VLAN network traffic is allowed due to network segmentation. This is accomplished via ACLs on the FortiSwitches, which can dictate what source subnets and IP addresses can access specific destination VLANs and hosts. Third, using a domain controller ensures that role-based access controls are implemented. The domain controller will utilize some form of the LDAP protocol, allowing limited resource access to only those users who require it. This provides a least-privilege security principle as well.

Integration Problems

The current Windows Server 2012 server will reach end-of-life on October 13, 2026 (Microsoft, Inc., n.d.). This is when the final security update extension expires. Therefore, this operating system will be obsolete within four years. Once this occurs, the server will no longer receive security updates and may end up causing adverse effects on the network, thereby creating a network problem.

At present, there is no policy provided for employee security training. Even with all the new additions to the network, the users remain the best protection for the environment. With no user education planned, a widening security threat will emerge as employees become relaxed in their view of security.

Managing or Mitigating Integration Problems

The simplest way to mitigate the expiration of the 2012 server would be to create an operating system migration schedule for it and implement this within a year from the end-of-life date. Adequate funding should also be set aside for purchasing the new operating system. This would ensure that the server is migrated to the most current operating system and that plenty of time is provided to mitigate any adverse issues. It would also offer plenty of time to test out the new operating system on a test machine to ensure no negative impacts on the environment from migrating to the latest operating system.

Some sort of employee training program must be implemented. This can come from daily security tip emails, required compliance training, or educational videos. NINJIO is one recommendation for accomplishing this, as they specialize in providing cybersecurity awareness training to organizations and their employees. Regardless of the method used, an option must be determined and made routine. This will ensure that cybersecurity best practices remain fresh in employees’ minds and provide education for new scams and attacks that are becoming more widely used by attackers.


References

Cisco Systems, Inc. (2016, November 2). End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 2960 and 3750 Series Switches Accessories. Retrieved from Cisco: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/eos-eol-notice-c51-738149.html

Cisco Systems, Inc. (n.d.). Cisco 2811 Integrated Services Router - Retirement Notification. Retrieved from Cisco: https://www.cisco.com/c/en/us/obsolete/routers/cisco-2811-integrated-services-router.html

Cisco Systems, Inc. (n.d.). Cisco PIX 515 Firewall - Retirement Notification. Retrieved from Cisco: https://www.cisco.com/c/en/us/obsolete/security/cisco-pix-515-firewall.html

Federal Trade Commission. (2002, May 23). PART 314 - STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION. Retrieved from Code of Federal Regulations: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(c)(1)

Horowitz, M. (2017, May 14). Patching Windows XP against WannaCry ransomware. Retrieved from ComputerWorld: https://www.computerworld.com/article/3196289/patching-windows-xp-against-wannacry-ransomware.html

Microsoft Inc. (n.d.). Windows XP. Retrieved from Microsoft Docs: https://docs.microsoft.com/en-us/lifecycle/products/windows-xp

Microsoft, Inc. (2022, February 7). Extended Security Updates for Windows Server Overview. Retrieved from Microsoft Docs: https://docs.microsoft.com/en-us/windows-server/get-started/extended-security-updates-overview

Microsoft, Inc. (n.d.). Windows 7 support ended on January 14, 2020. Retrieved from Microsoft Support: https://support.microsoft.com/en-us/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962

Microsoft, Inc. (n.d.). Windows Server 2012. Retrieved from Microsoft Learn: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2012
