Paper Example: Designing Compliance within the LAN-to-WAN Domain

The following pitch has been organized at the four states Financial Services Chief Information Officer’s (CIO) direction for addressing the concerns that relate to information haven in the domain for the Lan-to-WAN for the operation sites of Virginia, Florida, Arizona, as well as California (VFAC). The VFAC’s sites are located in the four states and must exchange information as well as access requests between the sites (Posey, 1). Due to the inherently subtle nature of financial information, the Chief Information Officer is concerned with various specific areas which include:

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Order now

They are protecting the privacy of data across the WAN. With the sites of VFAC distributed across the United States, data is expected to be conveyed across the Internet, and proper protection for that information is essential.

Filtering undesirable traffic for the network from the Internet. Besides performance hindrance, unwanted traffic in DDoS attacks, SPAM email form, and many others create crucial security concerns (Posey, 1).

Riddling the circulation to the cyberspace that does not obey the acceptable use policy (AUP) of the organization for the Web- internet misuse can form vulnerabilities, diminish productivity, affect network performance, and possibly create compliance concerns.

With a zone that permits access for unidentified users but belligerently controls the exchange of information with internal resources- the sites that face the public help in driving business as well as providing communication means with the current along with the potential clients. However, they can form noteworthy vulnerabilities if the precise controls are not instigated (Posey, 1).

Having an are that is designed to trap assailants to monitor assailants’ activities- a system of intrusion detection integrating a honeypot serves a vital role in combating as well as identifying threats to the data system.

Allowing ways of monitoring the trafficking for the network as a way of identifying as well as blocking unusual activity- the prevention system of intrusion is also perilous to information system security maintenance.

Hiding internal Internet Protocol address- hiding this address can provide advanced security by complicating the topology of the network as well as making attacks on particular resources more difficult.

Allowing the operating system as well as application patch management- patch management is decisive in preventing vulnerability as well as maintaining compliance.

To address these concerns, hardware along with software control combination is recommended, and each state will be constituted with a similar strategy.

Understanding the graphical depiction of the design that is proposed (Cisco, 1).

At the meeting core, the site’s security requirement will be an ASA referring to Cisco Adaptive Security Appliance. The ASA will accomplish several vital functions, and the first one is providing the site-to-site virtual private network (VPN) abilities to permit all the sites to be merged by encrypted VPN shafts across the Internet. However, this will help in ensuring that there is security in all WAN traffic and that no information that passes between the states will be exposed. Besides, the ASA provides the capacity for VPN for all users for VFAC, requiring access to the resources of VFCA while working remotely, for instance, telecommunicating, traveling, and many others.

In addition to the capabilities of VPN, the ASA offers stateful inspection as well as filtering of all outbound as well as inbound traffic (ArticSoft Technologies Limited, 1). Stateful inspection, as well as filtering, is the same as typical packet scrutiny along with clarifying expect that the packet state is considered to determine the inspection along with filtering level that may be required. For instance, after a novel connection is established and first packets inspected for validity establishment, innovative packets on a similar connection can be tracked in case they meet confident criteria. In this site-to-site case, the VPN networks between all four sites, performance will be provided.

The ASA also offers a system of Intrusion Prevention (IPS) module, along with the capabilities of the Intrusion Detection System (IDS). The module of IPS uses entrenched signature liberty to relate against anomalies as well as misappropriation in real-time to perceive unauthorized activity. When detected, the module of IPS can automatically dismiss the specific connection as well as block the host permanently. It can as well be constituted with a honeypot employing methods like configuring a distinct VLAN where in place of terminating connections as well as blocking multitudes, the ASA upholds a host statistics’ database to analyze for reprehensible activity. ASA uses such database for tracking suspicious activities as well as provide reports that are related to the intimidations for use in defining the suitable course of action moving forward.

To enforce a legislative acceptable use policy for the use of the Internet, each location will be constructed with a Web Security Appliance (WSA) of Cisco (Cisco, 1). The Web Security Appliance is a detected utilization that offers a secure web pathway to secure as well as control web traffic. While it offers the extensive capabilities of web security, the primary VFAC usage will be URL riddling with the analysis of dynamic content to mitigate liability, compliance, as well as productivity risks.

Also, each site will integrate an extranet to offer a public-facing location for genuine users to request as well as access certain data. All information printed to the extranet is expected to be approved with the policies for VFAC and will be sustained by unidirectional cross-site publishing (Cisco, 1). As a result, this will make sure that the information may be printed only from approved internal materials to the extranet. Furthermore, it will provide hinder broadcast from the resources of an extranet to internal resources to cub exploitation or corruption. Any data that needs extranet transmission will be submitted through the web form that is suitable to the application, for example, document upload, email, and data entry, as well as transmitted to an enthusiastic application server for corroboration as well as processing.

Additionally, all the resources for the network will exist behind an Integrated Service Router (IRS) for CISCO providing traditional routing as well as firewall capabilities (Cisco, 1). As with wholly, routers, address translation of network (NAT) will be utilized in facilitating traffic routing. Additionally, NAT has another advantage of concealing the topology of the internal network by hiding all interior IP addresses effectively from the outside.

To ensure that all connections in the domain for LAN-to-Wan are secured, the (PKI) Public Key Infrastructure will be leveraged. The PKI offers means for non-repudiation, integrity, access control, confidentiality, as well as authentication. To accomplish this, it incorporates encryption algorithms, digital signatures, and certificates, message hashing along with private and public key pairs. Digital certificates are inimitable identifiers that are used for authentication and identification and can be supplied to resources or users like servers as well as applications. These certificates are self-signed as well as self-generated; nevertheless, the third-party certificate use authority permits for wider acceptance as well as certificates’ greater credibility (ArticSoft Technologies Limited, 1). Digital signatures, together with a digital certificate are essential for non-repudiation to authenticate along with encrypting transactions like email messages.

Encryption algorithms are vital for encrypting information by the use of digital signatures and public, along with private primary pairs that are associated with the certificates (ArticSoft Technologies Limited, 1). Message hashing is essential when utilized with or deprived of encryption to ensure the integrity of data using digital signatures for the creation of message digest employed to authenticate the data message. Private as well as public primary pairs are useful for signing, decrypting, encrypting, and authenticating information plus are related to digital signatures and certificates. While these factors are essential to different security controls in the information systems environment for the VFAC, this proposals scope will concentrate on digital certificates used to support the controls of security in the domain of LAN-to-WAN.

The proposed resolution will comprise a certificate issued by Iden Trust as well as mounted on all appliances and servers and for use with valid applications. These credentials will be used for supporting the site-to-site connection and encryption for VPN, offer substantiation of the traffic between diplomacies, as well as offer ways of encrypting as well as authenticating data that is used in certain applications.

Additionally, the patch management system of Ivanti Shavlik and a server of SPLUNK will be used to each site (ArticSoft Technologies Limited, 1). Shavlik offers automated scanning as well as all server’s patching, operating system, clients, as well as applications together with third-party as well as custom packaged application apprises. Fortunately, this solution will address reporting, remediation, vulnerability scanning, compliance, and supportability. SPLUNK will to use for aggregating logs as well as reports for the devices to anchor analysis, reporting, and audit as a comprehensive audit scheme part.

As the security officer of the information system in VFAC, I believe the laid approach in this proposal discourses the areas of concern that are revealed explicitly by the CIO and provides a comprehensive tactic to security on the whole LAN-to-WAN domain. It is also dependable on information security’s best practices with the financial amenities industry.

Sources

ArticSoft Technologies Limited. 2018. An Introduction to PKI (Public Key Infrastructure). https://www.articsoftpgp.com/public_key_infrastructure.htm

Cisco. 2020. Cisco Web Security Appliance Data Sheet. https://www.cisco.com/c/en/us/products/collateral/security/content-security-management-appliance/datasheet-c78-729630.html

Posey, B. 2005. A beginner's guide to Public Key Infrastructure. TechRepublic. https://www.techrepublic.com/article/a-beginners-guide-to-public-key-infrastructure/