This is an archived course. Information may be out of date, some links are broken and email addresses have been removed.

02 Starting off.

* Please reply to the list with queries, doubts, objections. If you
  think I am going too fast, please let me know.
Security Requirements

This tutorial will consist of designing and implementing a security
infrastructure for a small company.
The basic concepts scale up to an enterprise or down to a single host.

We will use the standard netblock (IPv4 documentation subnet,
see RFC 3330) as the external subnet assigned to this organisation. The
company uses the domain name


For the purposes of this tutorial, we will consider a small company
with a /24[1] routable netblock[2] from their ISP. The company is dual-homed[3]
and announces routes to both of its ISPs. The business needs are not complex.
The company has a small website, but the primary uses of the Internet
connections are email, VPN[4] to their business partners and a limited
amount of web surfing. Some business partners insist on authenticating
packets, while others are satisfied with just ensuring that the data cannot be
read. The company uses a mixture of desktop operating systems internally,
primarily Windows 98 and Windows 2000 Professional for users and FreeBSD for
administrators, and it has also recently moved to wireless with
laptops running Windows XP for the sales team. The administrators have remote
access via ssh to their desktops.

Due to recent news about security incidents, company management has decided to
redo their network for security and manageability.

Staffing and requirements are:
The sales team is 75 people, each having a laptop running Windows XP.
Senior management is 10 people with Windows 2000 desktops.
There are 5 LAN administrators, and 2 people who handle the router and
servers, all using FreeBSD.
There are 3 people in HR and 2 people in the legal department using
Windows 2000 Professional.
There are 3 people in the helpdesk running Windows 98.
Each person in senior management has a secretary with a desktop running
Windows 98.
There are 8 teams of 25 people each working on software projects.
5 people from each team need to VPN out to various business partners.
Each team has one group leader who always has VPN rights. The
remaining members of the team VPN out as needed. All these users run
Windows 2000 Professional.

There is one dedicated networked printer shared between every two teams, for a
total of 4 networked printers.
The secretarial pool shares two printers via a Windows file share.
The remaining people share one networked printer.

The network consists of SNMP-capable switches with a single router at the edge.
This is a fairly simple setup.
Currently used systems are:
Edge router.
A web server.
A database server.
A mail server.
VPN clients.
Desktop systems.

The requirement is to formulate an economically feasible solution for security.


Starting off, we note that no budget has been formulated for this
exercise. No decisions have been made about which resources need to be
protected, or about the value of the data and hardware involved. There has
also been no decision on the amount of risk acceptable to management for these
resources. Hence, there has been no budget allocation for this exercise.

The first step is for management to decide what resources are required to be
protected and value those resources. A risk analysis must be performed to
decide on how much budget should be available to protect each unit.

There is no solution which will offer 100% security to any system.
A properly designed and hardened system will not always be sufficient.
The system must also be monitored and upgraded.

A firewall is one small component of a security solution. The security
solution must cost less than the resources it is protecting.

If the resources being protected are worth 100 USD, buying a 25000 USD
safe is not justifiable. If the resources are worth 100000 USD, the
25000 USD safe is justified.

Tokyo is still vulnerable to attack by giant lizards. The risk of that
happening is zero. Fort Knox, on the other hand, is a high value, high
risk target. The security budget for defending Fort Knox from a would-be
thief is necessarily much greater than that for protecting Tokyo
from a giant lizard.

The budget provided to the security group is necessarily a
function of the net worth of resources being protected, and the risk

Once this budgeting is done, management, administrators and users have to
get together and decide on acceptable usage policies (AUP) for the network.

This is where the actual work for securing the system starts.

Management must support the AUP. If there is no support from management, then
the policy is worthless.
Users must understand the justification for such policies. Policies cannot be
arbitrary. They must allow the users to do their work. They must be explicit
about what is allowed, and what is acceptable behaviour.
Administrators are responsible for enforcement of these policies. An
unenforceable policy is worthless. It is perfectly feasible to write a policy
which cannot be enforced at all.

Policies are the basic specifications of the security design.
A firewall is the implementation of the security policy on a
computing device.
Without clear, well defined policies, no administrator can implement a
security system. has good example of AUP statements.


1> Create an acceptable usage policy for this scenario.

[1] The /24 is the Classless Inter-Domain Routing (CIDR) notation for describing a
subnet of 256 IP addresses. To calculate the number of addresses in a subnet /n:
number of addresses = 2^(32-n).
[2] A routable netblock is one which will be carried by large ISPs globally.
This currently stands at a /24.
[3] A dual-homed system is one which is connected to two different networks.
In this case, it means that the company is using two different ISPs
simultaneously for access.
[4] A VPN is a Virtual Private Network. This is an encrypted IP tunnel riding
on top of a regular Internet connection.