Monday, August 14, 2017

Executive Summary



The ever-changing world of information technology has its advantages and disadvantages.  One advantage is the ability to choose among numerous options when developing a strong system architecture that works well for everyone involved.  Whether employees are physically on site in the office or off site working from home or on the go, we can provide them with a fully functional system wherever the job takes them.  Since we have the ability to enhance our network with the technological devices available in today's world, why not start today?  First we will discuss the architecture options available: peer-to-peer, client-server, and web-based computing.  Then I will make a recommendation based on our findings.
“Peer-to-peer architecture treats the computers in a network as equals, with the ability to share files and other resources and to move them between computers.” (Englander, 2014)  This may seem like a great scenario since it is easy to send and share files with each other, but it can be extremely insecure and cause major damage if someone's device is infected with a virus.  In a client-server system, a workstation communicates with a server for specific services such as e-mail, databases, or files.  This system would provide security and protection when accessing files on the server from the computer, whereas peer-to-peer would not.
A web-based computing system is a computer communicating with a web server to perform tasks through services over the internet.  “The user of a Web-based system interacts with the system using a standard Web browser, enters data into the system by filling out Web-style forms, and accesses data using Web pages created by the system in a manner essentially identical to those used for the Internet.” (Englander, 2014)  This system depends on the network being online 100% of the time, which is not likely.  When it comes to security, web-based is not nearly as secure as the client-server system, but it is a bit more secure than the peer-to-peer system.
The client-server architecture is the most commonly used system across the region, as it is secure, efficient, and easy to maintain.  The main server would be the domain controller with a terabyte SATA hard drive installed, running Active Directory, which allows the server administrator to maintain user accounts, their security profiles, and the corresponding device profiles.  Assigning a security profile to each employee restricts access to files and servers they do not need to perform their job.  A firewall and anti-virus software would be set up on the domain controller server so that all of the shared files and their respective devices on the domain would be protected and monitored over HTTP and TCP/IP throughout the company.  Some file exclusions may be set up in the anti-virus software to ensure databases are not corrupted by the scans performed.  Managing updates and patches on multiple devices can be complicated at times, but if we implement network management software we can easily keep an eye on all devices, network performance, and any patches available.  This software can even assist in performing regular updates with scheduled tasks.
A protocol specification defines such communication features as data representation, signaling characteristics, message format, meanings of messages, identification and authentication, and error detection. Protocols in a client–server system assure that requests are understood and fulfilled and that responses are interpreted correctly.
There can even be a server set up for each function within the company, such as a web, file, database, e-mail, and application server.  A file sharing server would maintain all of the company's files and allow each computer/client access simultaneously.  Each and every employee would be able to use the same exact version of the software to access the files.  An external backup performed nightly would eliminate any data loss and downtime if something were to happen to the file server.  Another server could contain the company's database, and only certain employees within the company would have access to the database to ensure security.
In order for the client computers to communicate with the servers we would require networking equipment.  At the front line there is a secure router with a switch connected to it that maintains the MAC address of every device on the network and its associated static IP address.  This setup would allow the networking team to monitor the devices that access the network at any given point in time.  Each department would have its networking cables dropped through its cubicles and connected to a switch that communicates with the router.  Each computer, in turn, would be directly connected to the switch with Ethernet cables, and the switch communicates with the router and on down to the server.  Once a request has reached the server, the requested data takes the fastest route back to the computer.
Overall, client-server architecture is the most commonly used because it is easier to implement and maintain.  Once web-based computing becomes more feasible and secure, other companies may take the initiative to switch.  Luckily, if a company currently utilizes a client-server architecture, it will be quite easy to make the switch with minimal downtime when web-based becomes safer.



References
Englander, I. (2014). The Architecture of Computer Hardware, Systems Software, & Networking: An Information Technology Approach. Don Fowley.
Posey, B. (2000, May 26). Understanding the differences between client/server and peer-to-peer networks. Retrieved February 11, 2017, from Tech Republic: http://www.techrepublic.com/article/understanding-the-differences-between-client-server-and-peer-to-peer-networks/
Smith, D. (2003, January). Multi-tiered Architectures and Applications Servers. Retrieved February 11, 2017, from Tokyo PC: http://www.tokyopc.org/newsletter/2003/01/arch_n_app_servers.html

Thursday, August 10, 2017

Security Recommendation



When correcting security issues with regard to a web server, there are many parts to take into consideration: access control methods, physical access controls, risk assessment, and even environmental controls.  I will cover all of these in this recommendation to assist in resolving the security issues we have seen recently.
First off, we will discuss how to strengthen the current web access control method in place.  Each person who currently has full admin access rights will be given two accounts: one for daily work that does not require admin access and another specifically for tasks that do require full admin access.
Secondly, we need to take into consideration that physical access can be a problem, so we will need to secure our physical access controls to the server itself.  A web server hosted on a basic computer that anyone can access is definitely no way to host a server.  A dedicated web server stored in a server room protected by a key card access panel would be efficiently secured from possible physical access intrusions.
Thirdly, risk is far too real to ignore in today's world, so we will need to consider the possibilities if something more were to happen.  We should create a plan to have a backup system in place, evaluate our risks if the system were to go down, and determine how long it would take to bring it back online.
Last but not least, environmental controls may seem irrelevant but they are far from that.  If the server room is not properly cooled it could quickly overheat and become damaged.  Though we may have a proper system in place, we need to consider securing our HVAC and cooling system.  Purchasing a large UPS system to keep the server room cool in case of emergencies is the best option to protect the HVAC system.
References
Dulaney, E., & Easttom, C. (2014). CompTIA Security+ Study Guide, Sixth Edition. Indianapolis: John Wiley & Sons.
Retail Pro. (n.d.). Retrieved from http://www.retailpro.com/
Sales Force. (2016). Retrieved from Salesforce.com
TripWire. (2016). Retrieved from TripWire: http://www.tripwire.com/it-security-software/scm/file-integrity-monitoring/
Wireless attacks and its types. (n.d.). Retrieved December 11, 2016, from Exam Collection: http://www.examcollection.com/certification-training/security-plus-wireless-attacks-and-their-types.html

Network Security


TCP/IP Suite Architectural Layers
| Layer | Protocols | Responsibility |
|---|---|---|
| Application | HTTP, HTTP Secure, FTP, SMTP, Telnet, DNS, RDP, SNMP, & POP | Give applications access to specific services in order to exchange data. |
| Transport | TCP & UDP | Provides the application layer with session and datagram communications services (Dulaney & Easttom, 2014). |
| Internet | IP, ARP, & ICMP | Routes information, gives IP addresses, and packages data. |
| Network Access | All of the above | Communicates with network adapters to remove and place packets throughout the network. |
Encapsulation can be compared to an onion, as many different layers are involved.  This process lets the host-to-host protocol send data across the network; as the data passes through each layer, it obtains an additional header of information.  This process is extremely important to understand, as it can be helpful when troubleshooting data loss and possible vulnerabilities within the network.
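The layering described above, as an added example that is not part of the original post: an HTTP request is wrapped in a TCP, an IPv4, and an Ethernet header, then peeled back layer by layer with the hand-off fields checked. The addresses, ports, and MAC values are constructed, and the TCP checksum is left at zero to keep the sketch short.

```python
import socket
import struct

def checksum(header: bytes) -> int:
    # Internet checksum: one's-complement sum of the header's 16-bit words
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_segment(data: bytes, sport: int, dport: int) -> bytes:
    # Transport layer: 20-byte TCP header (offset 5 words, PSH+ACK); checksum left 0 here
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + data

def ip_packet(segment: bytes, src: str, dst: str) -> bytes:
    # Internet layer: 20-byte IPv4 header, TTL 64, protocol 6 (TCP)
    fields = [0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + segment

def ethernet_frame(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    # Network access layer: 14-byte Ethernet II header, EtherType 0x0800 (IPv4)
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet

def decapsulate(frame: bytes) -> dict:
    """Peel one header per layer, checking the field that hands off to the next layer."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("EtherType is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if ip[9] != 6:
        raise ValueError("IP protocol is not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "data": tcp[(tcp[12] >> 4) * 4:]}

# Constructed sample: an HTTP request travelling from a client to a web server
HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
FRAME = ethernet_frame(
    ip_packet(tcp_segment(HTTP, 50000, 80), "10.0.0.5", "192.0.2.10"),
    bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))

if __name__ == "__main__":
    print(len(HTTP), len(FRAME), decapsulate(FRAME))
```

Each layer adds a fixed header here (20 + 20 + 14 bytes), so a frame that is shorter than expected or fails a hand-off check points at the layer where data was lost or altered.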
There are encapsulation vulnerabilities that we all need to be aware of, as they can be easily exploited.  These are called inter-protocol exploitation, a type of vulnerability that takes advantage of two communication protocols.  The most commonly exploited protocols are SMTP, POP, and many more.
When designing a secure network, two technologies I would utilize are Virtual Local Area Networks (VLANs) and Demilitarized Zones (DMZs).  A VLAN is a segmentation that allows you to conceal portions of the network from other sections.  VLANs are used in a secure network because they can confine network traffic to a specific area within the network.  A DMZ is used to send data in three different directions in order to control the traffic.  This gives you the ability to hide servers from people you may not trust on the network.  The key to a DMZ is isolation, and that in itself is why it is used in the topology of a secure network.
There are three different types of firewalls: the packet filter firewall, the proxy firewall, and the stateful packet inspection firewall.  All of them secure the network by checking packets, but in different ways.  Each firewall differs in how it processes incoming and outgoing packets, and in how it allows or denies them.
For example, a packet filter firewall examines incoming packets on specific ports to ensure they contain the correct information for the address they are being sent to.  A proxy firewall, by contrast, only examines the data, such as packets, to decide whether it will be forwarded or blocked internally.  Lastly, the stateful packet inspection firewall uses memory and records to track packets and ensure each one is traveling the correct channels.
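The difference between a packet filter and stateful packet inspection, as an added example that is not part of the original post: the same constructed traffic is run through a stateless port rule and through a firewall that records outbound connections. The rule set, the `Packet` fields, and the simplified FIN/RST teardown are assumptions made for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")
WEB_PORTS = (80, 443)

def packet_filter(pkt):
    """Stateless packet filter: every packet is judged alone, on ports only."""
    if pkt.direction == "out":
        return pkt.dport in WEB_PORTS
    # Replies from web servers must get back in, so any inbound packet
    # whose source port is 80/443 is accepted.
    return pkt.sport in WEB_PORTS

class StatefulFirewall:
    """Stateful inspection: inbound packets must match a connection recorded on the way out."""
    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport not in WEB_PORTS:
                return False
            if "SYN" in pkt.flags:
                self.connections.add(key)  # remember the new connection
            return key in self.connections
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # same 4-tuple, reversed
        allowed = key in self.connections
        if allowed and {"FIN", "RST"} & set(pkt.flags):
            self.connections.discard(key)  # simplified teardown: forget on FIN/RST
        return allowed

# Constructed traffic; addresses are documentation ranges
TRAFFIC = [
    Packet("out", "10.0.0.5", 50000, "203.0.113.10", 443, ("SYN",)),
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 50000, ("SYN", "ACK")),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 50001, ("ACK",)),  # no matching connection
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 50000, ("FIN", "ACK")),
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 50000, ("ACK",)),  # arrives after close
]

def compare(traffic):
    # One (stateless verdict, stateful verdict) pair per packet, in order
    stateful = StatefulFirewall()
    return [(packet_filter(p), stateful.check(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, verdict in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt, verdict)
```

The third and fifth packets are where the two designs disagree: the port rule accepts them, while the connection table has no record that justifies them.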
The number one vulnerability within routers is their software, which can be extremely buggy, as the ISP sets them up improperly.  The best way to reduce this threat is to configure a router appropriately for your network usage immediately after it is installed.  The second router vulnerability that intrigues me is the weak default password that most people do not change.  The obvious way to reduce this issue is to change the password upon setup.
One of the vulnerabilities that affect switches is the finger service, which, if enabled, allows an attacker to collect credentials and then close the connection.  To reduce this risk, make sure this service is disabled at all times.  Switches also have small services that are enabled by default on older models.  These services allow the user to diagnose and troubleshoot possible issues, but hackers can take advantage of them by launching denial-of-service attacks.  This is another easy vulnerability to avoid if you make sure these services are disabled when not in use.
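One way to check a saved device configuration for the issues listed above, as an added example that is not part of the original post. It assumes Cisco IOS-style keywords (the platform of the hardening guide in the references); the sample configuration and the list of default passwords are constructed.

```python
import re

# IOS-style keywords that control the services named above
SERVICES = {
    "finger": ("service finger", "ip finger"),
    "tcp-small-servers": ("service tcp-small-servers",),
    "udp-small-servers": ("service udp-small-servers",),
}
# Constructed list of factory-style passwords; extend it from vendor documentation
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}

def service_state(lines, keywords):
    """Return 'enabled', 'disabled', or 'default' (no explicit line; last match wins)."""
    state = "default"
    for line in lines:
        for kw in keywords:
            if line == kw:
                state = "enabled"
            elif line == "no " + kw:
                state = "disabled"
    return state

def audit(config_text):
    """Return (item, finding) pairs for services and passwords that need attention."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]  # drop blanks and comments
    findings = []
    for name, keywords in SERVICES.items():
        state = service_state(lines, keywords)
        if state == "enabled":
            findings.append((name, "explicitly enabled"))
        elif state == "default":
            # Older models enable some services by default, so silence is not safety
            findings.append((name, "left at platform default"))
    for line in lines:
        m = re.fullmatch(r"enable password (?:0 )?(\S+)", line)
        if m and m.group(1).lower() in DEFAULT_PASSWORDS:
            findings.append(("enable password", "default password still set"))
    return findings

# Constructed sample configuration
SAMPLE = """\
hostname access-sw-01
!
no service tcp-small-servers
ip finger
enable password cisco
"""

if __name__ == "__main__":
    for item, finding in audit(SAMPLE):
        print(item, "-", finding)
```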
Intrusion Detection Systems
| Type | Description | How it is used |
|---|---|---|
| Behavior-Based | Checks for variations of behavior on the network. | Once a deviation in behavior is found it can quickly respond to them. |
| Signature-Based | Using attack signatures and audit trails it evaluates possible attacks. | If a known attack signature appears it can swiftly eliminate the threat. |
| Anomaly | Checks for anything out of the ordinary. | When something out of the ordinary shows, it can rapidly contain the threat. |
| Heuristic | Utilizes algorithms to examine all traffic that passes through the network. | If the algorithm demonstrates a possible threat it is contained. |




References
Cisco Router/Switch Common Security Vulnerabilities and Router/Switch Hardening. (n.d.). Retrieved 11 25, 2016, from OmniSecu: http://www.omnisecu.com/ccna-security/cisco-router-switch-security-vulnerabilities-and-hardening.php
Dulaney, E., & Easttom, C. (2014). CompTIA Security+ Study Guide, Sixth Edition. Indianapolis: John Wiley & Sons.
Horowitz, M. (n.d.). Router Bugs Flaws Hacks and Vulnerabilities. Retrieved 11 25, 2016, from Router Security: http://routersecurity.org/bugs.php
Inter-protocol Exploitation. (2008, 08 15). Retrieved 11 25, 2016, from Hakipedia: http://hakipedia.com/index.php/Inter-protocol_Exploitation

Binary Conversions

The conversion of numbers is common in mathematics and has been used for many generations.   During the creation of computers number co...