Assignment 2 Computer Networking[1]

8/9/2019 Assignment 2 Computer Networking[1]

1/29

Task 1

1.1 Exponentially weight moving average (EWMA) of RTTThe formula for calculating RTT grid EWMA for each segment is

EWMAt = Yt + ( 1- ) EWMAt-1 for t = 1, 2, ..., n. Where

EWMA0 is the mean of historical data (target) Yt is the observation at time t n is the number of observations to be monitored including EWMA0 0 < 1 is a constant that determines the depth of memory of the EWMA.

As we do not have the values for segment zero, for the 1 segment calculation Ihave considered as 1. For the rest of the segments calculations I haveconsidered as 0.2 Using the above formula following are the results and graphfrom the RTT grid given

The EWMA for each segment is in the EWMA column.

1.2 Variance of RTTVariance for the RTT grid is calculated using formula

s2ewma = ( /(2- )) s2 Wheres is the standard deviation calculated from the RTT data.

is 0.2


2/29

Using the above formula the Variance of RTT for this RTT grid is given in thecolumn Variance for EWMA.

1.3 Time out intervalUsing the EWMA and Variance the time out interval is calculated as using the

following formula

UCL = EWMA0 + ksewma and LCL = EWMA0 - ksewma Where K is the factor set to aconstant 3

Using the above formula and the given RTT grid the UCL is 265 and LCL isnegative of 168.

Using these calculations the following EWMA graph is plotted

The results from the above graph indicates that 11, 17, 27 gives the time outresults

TASK 2

2.1 Network address translation router ( NAT Router )A small home office (SOHO) LAN has six workstations, which are connected

together via an Ethernet. This small network is connected to the internet bymeans of an NAT router i.e. network address translation router. The NAT router

Page 2


3/29

enables to obtain IP addresses for these six workstations. To be able tounderstand how let see how NAT router operates.

2.2 Operation of a NAT routerNAT is described in RFC 1631. The original intention of NAT was, like classlessinter domain routing (CIDR), to slow the depletion of available IP address space

by allowing many private IP addresses to be represented by some smallernumber of public IP addresses. Since that time, users have found NAT to be auseful tool for network migrations and mergers, server load sharing, and creating"virtual servers." NAT devices divide their world into the inside and the outside.Typically the inside is a private enterprise or ISP, and the outside is the publicInternet or an Internet-facing service provider. Additionally, a Cisco NAT deviceclassifies addresses as either local or global. A local address is an address that isseen by devices on the inside, and a global address is an address that is seen bydevices on the outside. Given these four terms, an address may be one of fourtypes:

Inside local (IL)Addresses assigned to inside devices. These addressesare not advertised to the outside.

Inside global (IG)Addresses by which inside devices are known to theoutside.

Outside global (OG)Addresses assigned to outside devices. Theseaddresses are not advertised to the inside.

Outside local (OL)Addresses by which outside devices are known to theinside.

In other words NAT translates traffic coming into the private network and leavingthe private network. Therefore NAT helps improve security on the network byreusing IP addresses.

Basic NAT router, (http://www.ciscopress.com/articles/article.asp?p=25273)

NAT Advantages and Disadvantages

NAT advantages:

Use of a single registered IP address for an entire networkLowers ISP support burdenTransparent to end systems in some cases

Page 3


4/29

Delays need for IPv4 replacementMask the true internal IP addresses of the internal network

NAT disadvantages:

Breaks end-to-end model

Enables end-to-end address conflictsIncreases local support burden and complexityCertain applications do not work properly in conjunctionIncreases the probability of mis-addressing

2.4 Obtaining IP addresses for the workstations in the Home officenetwork using NAT router

A NAT router can obtain IP addresses in several ways; these can be broadlyclassified in to three ways

1. Static

2. Dynamic3. Overloading

2.5 Static NAT

Static NAT (also called inbound mapping) is the first mode we're going to talkabout and also happens to be the most uncommon between smaller networks.Static NAT was mainly created to allow hosts on your private network to bedirecly accessible via the Internet using real public IP. Static NAT is alsoconsidered a bit dangerous because a misconfiguration to your firewall or otherNAT-enabled device can result in the full exposure of the machine on your privatenetwork to which the public IP Address maps, and we'll see the security risks lateron this page.

Static NAT allows the mapping of public IP Addresses to hosts inside the internalnetwork. In simple english, this means you can have a computer on your privatenetwork that exists on the Internet with its own real IP.

The diagram below shows exactly how Static NAT works:

Page 4


5/29

Figure Source: http://www.firewall.cx/nat-static-part1.php

In this diagram we can see that we have our private network connected to theInternet via the router, which has been configured for Static NAT mode. In thismode each private host has a single public IP Address mapped to it, e.g privatehost 192.168.0.1 has the public IP Address 203.31.218.208 mapped to it.

Therefore any packets generated by 192.168.0.1 that need to be routed to theInternet will have their source IP field replaced with IP Address 203.31.218.208.

All IP translations take place within the router's memory and the whole process istotally transparent to both internal and external hosts. When hosts from theInternet try to contact the internal hosts, their packets will either be dropped orforwarded to the internal hosts depending on the router's & firewall configuration.

Implementation of Static NAT Example

Imagine the server (192.168.0.20) that needs to be secure, but also allow certain

customers to gain access to various services it offers for development purposes.At the same time, we need to give the customers access to a special databaselocated on our main file server (192.168.0.10):

Figure Source: http://www.firewall.cx/nat-static-part1.php

In this case, Static NAT, with a set of complex filters to make sure only authorisedIP Addresses get through, would do the job just fine.

Also, if you wanted a similar setup for the purpose of using only one service, e.g

http, then you it is suggested off using a different NAT mode simply because itoffers better security and is more restrictive.

Page 5
http://www.firewall.cx/nat-static-part1.phphttp://www.firewall.cx/nat-static-part1.phphttp://www.firewall.cx/nat-static-part1.phphttp://www.firewall.cx/nat-static-part1.php


6/29

Static NAT requires one public IP Address for each mapping to a private IPAddress. This means that we will not be able to map a public IP Address to morethan one private IP Address.

With this setup in mind, the Static NAT table of Firewall No.1 would look like this:

Firewall No.1 Static NAT TableExternal Public IP Address Mapped to Internal Private IP Address

203.31.218.2 Firewall No.1 Public Interface203.31.218.3 192.168.100.2 - Public WebServer in DMZ203.31.218.4 192.168.100.3 - Public MailServer in DMZ

203.31.218.5 192.168.200.2 - Firewall No.2 of Private Net.

Table Source: http://www.firewall.cx/nat-static-part1.php

As you can see, this table is a good summary of what is happening in the diagramabove. Each external IP Address is mapped to an internal private IP Address andif we want to restrict access to particular hosts then we can simply put an accesspolicy (packet filters) on Firewall No.1.

2.6 Dynamic NAT

Dynamic NAT is the second NAT mode we're going to talk about. Dynamic NAT,

just like Static NAT, is not that common in smaller networks but you'll find it usedwithin larger corporations with complex networks.

The way Dynamic NAT differentiates from Static NAT is that where Static NATprovides a one-to-one internal to public static IP mapping, Dynamic NAT does thesame but without making the mapping to the public IP static and usually uses agroup of available public IPs.

While looking at Static NAT for every private IP Address that needs access to theInternet we would require one static public IP Address. This public IP Address ismapped to our internal host's IP Address and it is then able to communicate withthe rest of the world.

With Dynamic NAT, we also map our internal IP Addresses to real public IPAddresses, but the mapping is not static, meaning that for each session ourinternal hosts communicate with the Internet, their public IP Addresses remainthe same, but are likely to change. These IPs are taken from a pool of public IPAddresses that have been reserved by our ISP for our public network.

With Dynamic NAT, translations don't exist in the NAT table until the routerreceives traffic that requires translation. Dynamic translations have a timeoutperiod after which they are purged from the translation table, thus making themavailable for other internal hosts.

The diagram below illustrates the way Dynamic NAT works:

Page 6
http://www.firewall.cx/nat-static-part1.phphttp://www.firewall.cx/nat-static-part1.php


7/29

Figure Source : http://www.firewall.cx/nat-dynamic-part1.php

The diagram above is our example network and shows our router, which isconfigured to perform Dynamic NAT for the network. We requested 4 public IPsfrom our ISP (203.31.218.210 to 203.31.218.213), which will be dynamicallymapped by our router to our internal hosts. In this particular session ourworkstation, with IP Address 192.168.0.1, sends a request to the Internet and isassigned the public IP address 203.31.218.210. This mapping between theworkstation's private and public IP Address will remain until the session finishes.

The router is configured with a special NAT timeout and, after this timeout isreached (no traffic sent/received during that time), the router will expire theparticular mapping and reuse it for a different internal host.

2.7 Overloading NAT

NAT Overload is the most common NAT method used throughout all networksthat connect to the Internet. This is because of the way it functions and thelimitations it can overcome, and we'll explore all of these in the next two pages.

This NAT mode is also know by other names, like NAPT (Network Address PortTranslation), IP Masquerading and NAT with PAT (Port Address Translation). Thedifferent names logically come from the way NAT Overload works, and you'llunderstand this by the time we're finished with the topic.

NAT Overload is a mix of Static & Dynamic NAT with a few enhancements thrownin (PAT- Port Address Translation) to make it work the way we need. By now you

understand how both Static & Dynamic NAT work so we won't get into the detailsagain. NAT Overload takes a Static or Dynamic IP Address that is bound to the

Page 7


8/29

public interface of the gateway (this could be a PC, router or firewall appliance)and allows all PCs within the private network to access the Internet.

The diagram below shows you how a single session is handled by a NAT Overloadenabled device:

The host on a private network, its IP Address is 192.168.0.1 and it's sending apacket to the Internet, more specifically to IP Address 200.0.0.1, which we'reassuming is a server. The Port, which is 23, tells us that it's trying to telnet to200.0.0.1, since this is the default port telnet uses.

As the original packet passes through the router, the Source IP Address field ischanged by the router from 192.168.0.1 to 203.31.218.100. However, notice thatthe ports are not changed.

The reason the Source IP Address is changed is obvious: The router's public IPAddress must be placed in the Source IP Address field of the packet so the serverwe're trying to telnet to knows where the request is coming from so it can thensend the reply. That takes care of making sure the packet from the server thatwe use TELNET to finds its way back to the router's public interface. From there,the router needs to know which host on the private network it must send the

reply to. Some might think that this example is pretty much the way a Static NATrouter would behave, and if you're thinking just that you're totally right! In orderto understand how a NAT Overload enabled router is different from Static NAT,we must add at least one more host in the private network, which we'll do rightnow. NAT Overload overcomes this limitation by using one public IP Address forall private hosts, but utilising the thousands of ports available in order to identifyeach private host's session.

2.8 Obtaining IP address for the internet interface using NAT router

A NAT router obtains the IP address for the internet interface by overlappingtechnique. When an internal network uses a set of registered IP addresses on

Page 8


9/29

internet, the NAT router maintains a lookup table of these IP addresses just sothe NAT router can intercept the registered IP address and replace then withregistered unique IP addresses. This is applicable to IP addresses both in internalnetwork and external network.

This means a NAT router translates internal addresses to registered uniqueaddresses and translates external registered addresses to addresses that are

unique to the internal network.For example lets say IP range 237.16.32.103 is a registered IP address used byan external network, the NAT router translates the addresses to a unique addressfor the internal network 237.16.32.10 to avoid any conflict as shown in the figurebelow

Therefore the NAT router obtains a unique IP address for the internet interface.

Obtaining IP address for internet interface, (How stuff works, 2000)

Therefore when ever a computer with unregistered IP addresses on the internalnetwork tries to communicate with Internet the NAT router translates all theunregistered IP address on the internal network to unique registered IP addressthereby obtaining a IP address for the internet interface.

The unique IP addresses on the internal network are called inside globaladdresses. The outside local addresses i.e. addresses on the external networkare called outside global addresses.

All computers on the LAN communicate with the means of the inside globaladdresses.

When one of the computers on these LANs tries to communicate with anexternal network a packet is sent to the NAT router.

The NAT router checks the look up table to check if destination IP is alreadyavailable, if it is, NAT translates the packet and creates an entry in thetranslation table.

If not, then the NAT router drops the packet.

Instead the NAT router translates the packet using an inside global address.

The computer now on the external network sends this packet to its owninside global address. The source address on the packet is an outsideglobal address. The destination address is an inside global address.

The NAT router looks up address translation table to determine if thedestination address is already available, this address will already bemapped to a computer on the LAN

The NAT router translates the inside global address of the packet to the

inside local address, and sends it to the destination computer

Page 9


10/29

Task 3

3.1 Hypertext transfer protocol (HTTP)

HTTP is a request/response standard between a client and the server, here theclient is the end user and the server is the web site. The end user is also calleduser agent. The server is called the origin server as it stores files and images.HTTP uses TCP (transmission control protocol)/IP (internet protocol) as its majorprotocols; these are the most popular applications of HTTP on the internet.

When a HTTP end user starts a request, HTTP establishes a TCP connection toparticular port on the host server. The HTTP server receiving the request from

end user waits for message the end user is sending, based upon the messagesent the HTTP server send back a status line, such as HTTP/1.1 200 OK therebydisplaying the requested information from the host server. These resources canalso be identified using Uniform resource locators (URLs) using the HTTP toretrieve these resources.

3.2 HTTP persistent connection

HTTP persistent connection is also called as HTTP keeps alive.

HTTP keep alive connection uses one TCP connection to send and receive severalHTTP requests and responses instead of using a new TCP connection for every

single request/response pair. The nature of a TCP connection is a stream basedprotocol, to be able to reuse an already existing connection, HTTP should have away to indicate the end of the previous response and the beginning of the nextone. In order to be able to do this all responses on the TCP connection shouldhave a self defined message length and self demarcation.

The self demarcation process can be achieved by setting content length headeror by having an encoded entity when transfer large chunk of messages orresponses. Each chunk of message or response should be start with specific sizeand end with a special last chunk.

3.3 Advantages of HTTP persistent connections

1. Persistent connections reduce lag to large extents as the end user does notrequire a new TCP connection after the first request has been initiated.

2. The server will maintain a persistent connection inspite of an errorresponse from the server.

3. Long lasting connections

4. Less network trafficking due to fewer TCP connections to the host server.

5. This type of connection signals the closing down on the connection bothbetween the client and the server.

3.4 HTTP Pipelining

Page 10


11/29

Pipelining

This allows client to make multiple request without waiting for each response.This gives the better utilization for the connection. The server processed requestconcurrently. This sends the response in the order request complete. This wouldminimize waiting time. But it cant be possible to identify responses with arequest in http. In HTTP/1.0, end of recourse implicitly defined by end of

transmutation.HTTP pipelining is a process that in which several HTTP requests are written on asingle socket instead of waiting for relevant responses. The requester then waitsfor the responses to arrive in the order which they have requested responses.However requires both the client and server to support it. HTTP pipelining is onlysupported by HTTP/1.1. Depending upon bandwidth limitations and networklatencies significant delays can be expected. Pipelining requires non failingservers in case the client requires the server to pipeline.

3.5 Advantages of HTTP pipelining

1. Pipelining reduces the number of TCP/IP packets.

2. Due to this the traffic on the network reduces, thereby improving the speedand accessibility of the network.

3. This also improves page loading time, thereby reducing the waiting timesespecially on high latency connections.

HTTP/1.1 caching:

Caching is stores the information (or) data temporarily storing for responses. Thisis mainly useful for reduces the responses time and network load also. And savemoney by avoiding access to internet.

The following are the catching point locations

1. At the client2. The server3. An Intermediate (proxy)

Client catching or client control of catching

Client can change the response of catching by using catching control headerdirectives the request. The following request are used in client catching

1. Max-age: Max time in seconds an invalidate response it acceptable value ofzero.

2. Max state:3. Mini-fresh: Minimum freshness which is required

3.6 Advantages of client caching

1. Reduces network traffic as it store data in cache of a local computer.

2. Reduces user response time.3. Reduces server loads.

Page 11


12/29

3.7 Internet protocols used to retrieve mails

There are several internet protocols used to retrieve e-mails from mail servers,three of these are

1. Internet message access protocol2. Post office protocol

3. Simple mail access protocol

3.8 Internet Message Access Protocol

Internet Message Access Protocol also known as IMAP, allows an e-mal client toaccess e-mail on a remote server by means of an internet protocol operating onport 143.

The latest version of IMAP is IMAP4 named by RFC 3501 supports both online andoffline modes of operation.

In IMAP the e-mail client leaves messages on the server until the user deletesthem. IMAP allows several users to access the same mailbox at the same time.Local copies of these messages are stored in an e-mail store by means of atemporary cache.

IMAP sends all e-mail messages to a server; this server then stores all messagesin the recipients mailbox. The recipient then retrieves these messages by meansof an e-mail client or a web browser that uses one of the several e-mail retrievalprotocols.

3.9 Post Office ProtocolPost Office Protocol also known as POP is an application layer internet protocolused to retrieve e-mails from a remote server. POP can be used when on atemporary internet network. For example when using a dial up connection POPallows the end user to retrieve e-mails when connected to the internet. Whenoffline these e-mails could still be accessed and edited. All mail messagesretrieved are stored locally on end users computer, all message retrieved arethen deleted from the server and then disconnect from the server.

3.10 Simple Mail Access Protocol

Simple Mail Access Protocol as known as SMAP is a simpler and efficientalternative to IMAP, SMAP is an application layer internet protocol used toretrieve e-mails stored on a server. The SMAP connection enables the outgoingmessages to be sent out only once, the copies of these e-mails are then storedon the server itself. SMAP is still in development stages therefore when the e-mailservers do not support SMAP the server can always down grade to IMAP just tosupport the e-mail retrieval service.

Differences between IMAP, POP and SMAP

IMAP

Page 12


13/29

Retrieves e-mail messages from both online and offline servers.

E-mail messages can be downloaded to a local PC, the messages will

remain on the server till the end user deletes them.

Allows multiple clients to access same mailbox

Suitable only for permanent internet connection

Used in large networks such as college campuses. With IMAP, messages can be retrieved as fast the server can deliver.

Can transmit small coded attachments

Multiple mailboxes can be created and edited on the server.

Supports for server side folders

Due to its searching mechanism it slows down the server speeds

POP

Retrieves e-mail messages from online servers only E-mail messages can only be retrieved when network is connected,

messages can be connected to a local PC, once downloaded to the local PC,

and messages will be automatically deleted from the server.

Allows only one mail client to access one mailbox

Suitable only for dial up internet connections

Can be used only in small networks.

With POP, messages can either be downloaded from the web or can be

accessed when connected to

Can transmit only very small attachments

Only allows offline message stores.

Does not support server side folders.

10.Does not slow down the server searching speeds as the server itself is

connect to a slow speed network.

SMAP

Retrieves e-mail messages from both online and offline servers

E-mail messages can be downloaded to a local PC, copies of thesemassages will still be available on the server.

Allows multiple clients to access same mailbox.

Suitable for both permanent and dial up internet connections.

Can be used for both large and small networks where the server can

support.

With SMAP, copies of messages can be downloaded and messages can also

be accessed online.

Can transmit very large raw and decoded attachments.

Page 13


14/29

Unicode folders are maintained on the server.

Supports large server side folders, which are a maintained in a hierarchical

manner.

Does not slow down server speeds.

Task 4

4.1 Integrated service (IntServ) and its effect on internet connection

Integrated service guarantees Quality of service (QoS) on a network by specifyingcertain elements on the network thereby enabling fine grained quality of service.

This is very helpful while transmitting high quality media and big packets ofinformation such as sound and video, IntServ makes sure the network connectionis not lost during such transmission process therefore making sure best qualitymedia is received by the end user without any interruption.

To guarantee such Quality of Service, all routers involved in the network shouldbe enabled for IntServ; therefore every application that needs fine grained QoSneeds to a make individual reservation to guarantee fine gained QoS.

The applications reservation can be described by the use of flow spec, this flowspec in two set of operations determines what does the traffic look like anddetermines what type of guarantee is required based on the traffic.

These two operations are called TSPEC (traffic specification) and RSPEC (requestspecification).

The underlying mechanism to send the fine grained QoS is determined byResource reservation protocol commonly known as RSVP in networking.

Lets us now see what activities TSPEC, RSPEC and RSVP individually perform toprovide an integrated service.

TSPEC Imagine there is a token bucket which collects token till the bucket is fullat a constant speed. Each token identifies a packet of information, all packets ofinformation having token can be sent across on a network and the ones that donot hold the token will not be transmitted and therefore no received.

Therefore the speed at which these tokens arrive in the bucket determines thespeed of the traffic flow, whereas the depth of the bucket itself determines thelimitations of speed of the traffic.

Therefore using token bucket algorithm TSPEC determines the speed at which thepackets of information arrive in the network and the modulations of traffic

RSPEC - helps specify the requirements of the flow. This is nothing but the settingone can specify on their network client which determines the how the speed of

Page 14


15/29


16/29

DiffServ enables assigns each packet of information to a certain class by meansof classify and mark mechanism. These packets of information once assigned toa class with the means of pre Hop behaviour transmits the packet of informationbased on its class.

Therefore differentiated service on a network can be obtained by classification

and marking of packets of information which are then transmitted by Pre-Hopbehaviour through the router.

4.3 Difficulties of implementing IntServ

IntServ depends heavily on RESV and the flow specs these RESVs contain.However this process is based on the PATH messages created every 30 secondsat the back of QoS transmission which spread through the entire network.

When the network involved is small, these messages and RESVs aremanageable, however when the networks grow larger in size more pathmessages are created and more RESVs are created, therefore leading to lot ofconfusion, therefore it becomes very difficult to keep a track of reservations themultiple flow specs will create.

Therefore the whole integrated service architecture becomes confusing.

This will mean in order to manage the reservations a multiple level approach willbe needed to be applied. This means every single user reservations will need tobe managed individually. Which again means a small network is created for every

user within a large network

Task 5

5.1 Security Clauses and Control Objectives of ISO standard 17799

ISO standard 17799: 2005 code of Practice for Information SecurityManagement

In 2005, the International Organization for Standardization [jointly with theInternational Electromechanical Commission (ISO/IEC)] published the secondedition of their international standard. The standards full title is ISO standard17799: 2005 for Information Security Management. This standard establishes thebaseline requirements to form an INFOSEC program in any size or type oforganization, both public and private sector.

Eleven Security CLAUSES

ISO 17799 provides a set of clauses considered to be good starting point forimplementing on INFOSE program. The recommended controls are typicallybased on legislative requirements or common practice within the INFOSEC

Page 16


17/29

community. The standard itself contains 11 security control clauses. Thefollowing are the eleven security clauses

1. Organization of assets and resources.

2. Security policy.

3. Personnel security.

4. Physical and environmental security.

5. Asset management.

6. Information security incident management

7. Communications and operations management.

8. Business continuity management.

9. Systems development and maintenance.

10. Compliance

11. Access control.

The eleventh clauses are the new edition of ISO/IEC 17799. In this totalprescribed 39 main security categories. Each security category provides it ownstatement what to be achieved. Due to the Human Firewall Councils definition,the term INFOSEC program now has some meaning and is starting to gain

acceptance within the business community. However, it is prudent to keep inmind that an INFOSEC program may not always fit neatly into the categoriesdescribed by the Human Firewall Council. This structure may work well for largecorporations, but small and medium-sized organizations will likely have tocombine functionality across these categories to produce an integrated andholistic INFOSEC program.

Achieving such alignment requires leadership, management, andteamwork. The CIO is without question a key player in integrating all theelements of an INFOSEC program into the businesss operational mindset.However, the CIO depends on other management staff to fulfil critical securityfunctions.

5.2 ISO 17799

As per International Standards Organization, ISO 17799 provides guidelines for

Initiating information security in an organisation

Implementing information security in an organisation

Maintaining information security in an organisation and

Improving information security management in an organisation

5.3 Objectives of clauses

Page 17


18/29

1) System PolicyObjective: System policy looks at providing management direction andsupport for information security.

2) Organizing Information SecurityObjectives:

a) Managing information security within the organization

b) Makes sure information is securely maintained and processing facilitieswith respect to external parties.

3) Asset ManagementObjectives:

a) Appropriate protection of organizational assets by achieving andmaintaining them.

b) Makes sure all organisational information receives an appropriate level ofprotection.

4) Human Resources SecurityObjectives:

a) Makes sure that all employees, all contractors and relevant third parties areall suitable for the jobs they are considered for, understand theirresponsibilities in order to reduce the risk of abuse of any organisationalproperty

b) Make sure that all the above parties are aware of IS threats and theirresponsibilities in maintaining the risks as low as possible, and make sureall these parties are able to support the organization's security policies

c) Make sure all persons enter and leave the organization in an orderly and

controlled manner.5) Physical and Environmental Security

Objectives:

a) Preventing unauthorized persons from having physical access, anyinterference and any damage to organization's information and premises.

b) Prevent loss, theft and damage of assets

c) Make sure any interruptions to the organizational activities are prevented.

6) Communications and Operations ManagementObjectives:

a) Makes sure all information processing facilities and their operations aresecure

b) Make sure information security and service delivery along with 3rd partyagreements are maintained at an appropriate level

c) Minimize the risk of systems failures

d) Protect the integrity of information and software

e) Makes sure the integrity of information, its availability and its processingfacilities are all maintained properly.

f) Ensure the protection of information in networks and of the supportinginfrastructure

g) Preventing unauthorized parties from disclosing, modifying, removing ordestroying of assets.

Page 18


19/29

h) Preventing unauthorized disruption of any business activities.

i) Maintain the security of information and/or software exchanged internallyand externally.

j) Ensure the security of e-commerce services

k) Detecting any unauthorized information processing activities

7) Access ControlObjectives:

a) Providing controlled access to information

b) Makes sure all users have authorised access

c) Preventing unauthorized access to information systems

d) Preventing unauthorized user access thereby preventing information frombeing compromised and preventing processing facilities from beingcompromised

e) Preventing unauthorized access to networked services

f) Preventing unauthorized access to operating systems

g) Preventing unauthorized access to information within application systems

h) Makes sure information security with respect to mobile computing and telenetworking facilities are maintained properly.

8) Information Systems Acquisition, Development and MaintenanceObjectives:

a) Makes sure security is an integral part of information systems

b) Preventing loss, errors or unauthorized modifications of information withinapplications

c) Protects the confidentiality, integrity or authenticity of information via

cryptographyd) Makes sure all system files are kept securely

e) Maintains the security of application system information and software

f) Reducing/managing risks that result from exploitation of publishedvulnerabilities

9) Information Security Incident ManagementObjectives:

a) Ensure that security information is communicated in a manner allowingcorrective action to be taken in a timely fashion

b) Ensure a consistent and effective approach is applied to the managementof IS issues

10) Business Continuity ManagementObjectives:

a) Prevents any interruptions to business activities and to protect criticalprocesses from the effects of major failures/disasters

b) Makes sure all business activities are resumed as soon as possible bykeeping down time as low as possible.

11) ComplianceObjectives:

a) Avoid the breach of any law, regulatory or contractual obligation and of anysecurity requirement.

Page 19


20/29

b) Makes sure systems comply with internal security policies/standards

c) Maximize the effectiveness of and minimize associated interference fromand to the systems audit process

5.4 Clauses and types of businesses

All clauses cannot be implemented in all types of businesses, therefore let us nowsee what clauses are applicable to which type of business and also outline whatwill be required to enable an organization to meet the objectives

Clause 1

System Policy

Objective: System policy looks at providing management direction andsupport for information security

Applicable to: This clause can be applicable to any business trying toimplement Information security.

This shows managements commitment to information security and high

set of rules that are to be followed for protecting the assets.To do to meet objectives:

To formulate information security policy document which outlinethe security policies suitable for the organisation

This document should contain a clear definition of informationsecurity that is to be achieved in the organisation, its scope andobjectives.

Managements support statement for the above.

Basic frame work for setting the objectives and controls

References pointing to all documentation supporting the policies.

All these policies have to be reviewed by the management fromtime to time based on changing business objectives

Clause 2

Organizing Information Security

Objectives:

a) Managing information security within the organization

b) Makes sure information is securely maintained and processingfacilities with respect to external parties.

Page 20


21/29

Applicable to: gsks Scientific labs where new experiments are carriedout on a day to day basis to invent and improve medication available forvarious diseases.

To do to meet objectives:

From a science lab perspective once the Information securitypolicies are set, top management in gsk need to be review and

revisit the security policies on a time to time basis, this will help tomanage and maintain the security of all important informationwithin the lab without and infringement. Thereby making sureimportant to information related to the drugs is not leaked tomedia or to potential competition in the same market.

To make sure the security of information is maintained securely allinformation i.e. observations and test results should be carefullydocumented and archived (both hard and soft copies). Onlyauthorized persons working on the research should be given accessto this data, the applications on which the data is stored and to

research facilities it self. There by ensuring secure processingfacilities.

Clause 3

Asset ManagementObjectives:

a) Appropriate protection of organizational assets by achieving andmaintaining them.

b) Makes sure all organisational information receives an appropriatelevel of protection.

Applicable to: First great western trains.


First great western can protect all its assets by purchasing all theirtrains and related stock from a single supplier, gain exclusivity forthe design and the materials used on their trains and maintain allthe train lines, networks and stations by first great westernemployed staff and systems in order to maintain high security ofinformation (which could itself be an asset and) and also to protect

the assets owned by First great western. Thereby achieving theobjectives of asset management.

Clause 4

Human Resources SecurityObjectives:

a) Makes sure that all employees, all contractors and relevant thirdparties are all suitable for the jobs they are considered for,understand their responsibilities in order to reduce the risk ofabuse of any organisational property

b) Make sure that all the above parties are aware of IS threats and

their responsibilities in maintaining the risks as low as possible, andmake sure all these parties are able to support the organization's

Page 21


22/29

security policies

c) Make sure all persons enter and leave the organization in anorderly and controlled manner.

Applicable to: Heathrow airport

To do to meet objectives: The HR department in Heathrow airport should carry our thorough

background checks on all staff being employed to work in airportpremises, this is to ensure that people with unsuitable backgroundsare not employed as staff.

All staff employed should be thoroughly made aware of the securitypolicies, their job responsibilities and their role in maintain the IS ofthe company during the induction process.

The HR should get all employed staff to sign a statement which willabide the employee to follow and to commit to companies IS.

All staff should be made aware of their working premises to makesure they are aware risks that are involved and put practices/preset operations standards in place for the relevant staff to mitigatethe risks when faced with them. This can be done when training thestaff during the induction process or during day to day trainingprocess.

All the staff that work inside an airport should be given a magneticphoto ID card. All staff should carry these IDs with them at alltimes, especially while entering and leaving the airport security.These cards should be swiped all the clocking machine every time

they enter or leave the premises thereby making sure all staffactivities in sensitive areas are logged. This should be monitoredby management on a regular basis.

CCTV cameras should be maintained at all exit points, which shouldbe monitored 24/7 to ensure there are no trespassers entering intostaff areas.

Clause 5 Physical and Environmental Security

Objectives:

a) Preventing unauthorized persons from having physical access, anyinterference and any damage to organization's information andpremises.

b) Prevent loss, theft and damage of assets

c) Make sure any interruptions to the organizational activities areprevented.

Applicable to: Heathrow airport

To do to meet objectives: CCTV cameras should be maintained at all exit points, which should

Page 22


23/29

be monitored 24/7 to ensure there are no trespassers entering intostaff areas.

All the staff working inside an airport should be given a magneticphoto ID card. All staff should carry these IDs with them at alltimes, especially while entering and leaving the airport securedareas. These cards should be swiped at the entire clocking machine

every time they enter or leave the premises thereby making sureall staff activities in sensitive areas are logged. This should bemonitored by management/security staff on a regular basis.

Also allowing only staff belonging to certain departments tospecific areas of the air port such as allowing only air traffic controlstaff into control stations, this reduces interruption in activities ofcontrol station staff thereby reducing delays in air traffic controland also ensures the safety of the aircrafts landing into the airport.

Claus

e 6

Communications and Operations Management

Objectives:

a) Makes sure all information processing facilities and their operationsare secure

b) Make sure information security and service delivery along with 3rdparty agreements are maintained at an appropriate level

c) Minimize the risk of systems failures

d) Protect the integrity of information and software

e) Makes sure the integrity of information, its availability and itsprocessing facilities are all maintained properly.

f) Ensure the protection of information in networks and of thesupporting infrastructure

g) Preventing unauthorized parties from disclosing, modifying,removing or destroying of assets.

h) Preventing unauthorized disruption of any business activities.

i) Maintain the security of information and/or software exchangedinternally and externally.

j) Ensure the security of e-commerce services

k) Detecting any unauthorized information processing activities

Applicable to: HSBC bank and its banking methods


For smooth communication and operations HSBC bank shouldimplement, safe a secure internal walkie talkie frequencies, securephone lines and HSBC owned chatting softwares using these allstaff can communicate sensitive information internally, therebymaintaining the integrity of the bank.

All banking systems, such as computers, ATMs, locker systems anddata systems should be copy right protected, owned, installed and

maintained by the bank to prevent any infringement from the thirdparties. All these systems should always be backed up with

Page 23


24/29

constant power supply system or battery system to ensure thesesystems operate smoothly at all times.

All sensitive and non sensitive banking information should alwaysbe logged and archived at all time. All these information should bemaintained in password protected systems. Access should be givenonly to relevant authorized personnel.

All activities in these data storage systems should be logged eithermanually or automatically.

CCTV should be used in sensitive areas to monitor who is accessingthe data or systems are certain given time in a day.

All information being sent within and outside of the banks shouldbe carefully logged.

All new clients should be given specific passwords to access theiraccounts and cards.

These passwords should be used by the clients when using online

banking facilities or telephone banking facilities. All client activities within the account should be carefully monitored

at all time.

All the internet networks and telephone networks should beconstantly monitored by the banks compliance team to check allstaff abide by companies IS policies, communication and operationpolicies.

Clause 7

Access ControlObjectives:

a) Providing controlled access to informationb) Makes sure all users have authorised access

c) Preventing unauthorized access to information systems

d) Preventing unauthorized user access thereby preventinginformation from being compromised and preventing processingfacilities from being compromised

e) Preventing unauthorized access to networked services

f) Preventing unauthorized access to operating systems

g) Preventing unauthorized access to information within applicationsystems

h) Makes sure information security with respect to mobile computingand tele networking facilities are maintained properly

Applicable to: Police force


All Police personnel should be given photo ID cards, these ID cardsshould be swiped through the system while accessing sensitiveinformation areas.

All police personnel should be given specific passwords to theirsystem where they log all important information of the case they

would be handling at that point in time. Only certain high ranked police officials should be granted access

Page 24


25/29

to very sensitive information, information data systems, softwaresand areas.

All unauthorized personnel if needed to access the above should beauthorized in written by their supervisors.

Ensure all mobile electronic equipment is fully encrypted usingrelevant data encryption softwares to avoid infringement of anyinformation contained in these device. Any information coming andgoing out should be manually or automatically logged at all times,for example frequencies used by police force should always besecure for communication, these frequencies should be testedbefore used, all conversation on these frequencies should belogged and monitored on day to day to basis

Clause 8

Information Systems Acquisition, Development and MaintenanceObjectives:

d) Makes sure security is an integral part of information systems

e) Preventing loss, errors or unauthorized modifications of informationwithin applications

f) Protects the confidentiality, integrity or authenticity of informationvia cryptography

g) Makes sure all system files are kept securely

h) Maintains the security of application system information andsoftware

i) Reducing/managing risks that result from exploitation of published

vulnerabilities

Applicable to: Police force


All major information systems, software and data should all bebacked up regularly using system back up techniques orsoftwares.

All data should be made confidential by laying policies on how datacan be distributed or sent within the force and outside the force.

All data being sent and received should be encrypted by relevantsoftwares

All system files should be backed up on secondary storage devicessuch data storage servers or drives owned by the police force.Therefore ensuring all data is secure.

Using authentic original softwares on systems, application anddevices will avoid any third party infringement.

Page 25


26/29

Clause 9

Information Security Incident ManagementObjectives:

a) Ensure that security information is communicated in a mannerallowing corrective action to be taken in a timely fashion

b) Ensure a consistent and effective approach is applied to themanagement of IS issues

Applicable to: Systems Helpdesk in an IT company


The systems helpdesk in any organisation should always log anysystem failures or errors using problem logging softwares such asRemedy.

The root cause for these failures should be detected and then fixedASAP with the help of service desk personals.

All these steps should be logged for future use.

These failures should be tested in quality testing environment andsystem patches should be released to fix such failurespermanently.

These patches or upgrades should be deployed to each and everysystem used in the organisation.

Clause 10

Business Continuity ManagementObjectives:

a) Prevents any interruptions to business activities and to protectcritical processes from the effects of major failures/disasters

b) Makes sure all business activities are resumed as soon as possibleby keeping down time as low as possible.

Applicable to: Any organisation


Maintain business continuity team

This business continuity team should maintain a record of namesand contact details of the entire employee force, clients andsuppliers related to the company.

This is to ensure all the above parties are kept informed when anydisruption is caused to the business due to natural calamities suchas storms/hurricanes/earthquakes or due to disaster such as fireaccidents.

These teams should have contingency plans to run business offsiteif required based on how long the recovery process will take,making sure all business activities are resumed as soon as

possible. For example, in GE capital Leeds in year 2004, the roof of one of its

Page 26


27/29

offices was blown off due to heavy gale winds, later entire officewas flooded as its started to rain. Hence all staff had to be senthome due to security reasons, however the business continuityteam kept constant touch with the employees, keeping theminformed about when they could report to work again, businesscontinuity team also set up a fully functional office in the same

business park by sharing floor spaces with other companies in thesame business park, which helped GE to resume business asnormal with 48 hours.

Clause 11

ComplianceObjectives:

a) Avoid the breach of any law, regulatory or contractual obligationand of any security requirement.

b) Makes sure systems comply with internal securitypolicies/standards

c) Maximize the effectiveness of and minimize associatedinterference from and to the systems audit process

Applicable to: Any organisation


Maintain a corporate governance team.

This team should look out for any type of compliance breaches asystem or company may commit in day to day operations of thecompany or system.

For example the governance team looking after a particularsensitive system

Should segregate duties

Based on the segregation of duties, roles should be assigned

Based on the roles a person can perform, certain systemtransaction should be exclusively provided to relevant person orpersons.

Where roles breach compliance laws, alternatives should be lookedat.

Ensuring all operations are carried out well within law orcontractual obligations.

The same is applicable to entire systems and their processes in anorganisation.

Thereby minimizing associated interference.

Page 27


28/29

Reference

Andrew S. Tanenbaum(2002) Computer networks availablefrom:http://books.google.co.uk/books?id=Pdz64SJRBAC&printsec=frontcover&dq=computer+networks [12th July 2009]

Larry L. Peterson, Bruce S. Davie (2007) Computer networks: a systems approachavailable from:http://books.google.co.uk/books?id=fknMX18T40cC&printsec=frontcover&dq=computer+networks [12th July2009]

John Y. Hsu (1996) Computer networks: architecture, protocols, and softwareavailable from:http://books.google.co.uk/books?id=2PpSAAAAMAAJ&q=computer+networks&dq=computer+networks&pgis=1[12th July 2009]

Anonymous (n.d)ISO/IEC 17799:2000 Code of practice for information securitymanagement -Published by ISO and the British Standards Institute[http://www.iso.org/]

Anonymous (n.d) ISO/IEC 17799:2005, Information technology Securitytechniques Code ofPractice for information security management. Published byISO[http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html]

Anonymous (n.d) ISO/IEC TR 13335-3 (Guidelines for the Management of ITSecurity: Techniques for the Management of IT Security) Published by ISO.

[http://www.iso.org/][12th July 2009]

Anonymous (n.d) Information Security Policies Made Easy, by Charles CressonWood. Published by Information Shield, Inc. 2005.[http://www.informationshield.com] [12th July 2009]

Anonymous (n.d)information Security Roles and Responsibilities Made Easy, byCharles Cresson Wood. Published by Information Shield, Inc. 2002-2005.[http://www.informationshield.com] [12th July 2009]

Anonymous (n.d) ISO/IEC 27001 Information security management systems Requirements, Due for release in late 2005. [12th July 2009]

Page 28
http://books.google.co.uk/books?id=Pdz64SJRBAC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=Pdz64SJRBAC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=fknMX18T40cC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=fknMX18T40cC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=2PpSAAAAMAAJ&q=computer+networks&dq=computer+networks&pgis=1http://books.google.co.uk/books?id=2PpSAAAAMAAJ&q=computer+networks&dq=computer+networks&pgis=1http://www.iso.org/http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.htmlhttp://www.iso.org/http://www.informationshield.com/http://www.informationshield.com/http://books.google.co.uk/books?id=Pdz64SJRBAC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=Pdz64SJRBAC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=fknMX18T40cC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=fknMX18T40cC&printsec=frontcover&dq=computer+networkshttp://books.google.co.uk/books?id=2PpSAAAAMAAJ&q=computer+networks&dq=computer+networks&pgis=1http://books.google.co.uk/books?id=2PpSAAAAMAAJ&q=computer+networks&dq=computer+networks&pgis=1http://www.iso.org/http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.htmlhttp://www.iso.org/http://www.informationshield.com/http://www.informationshield.com/


29/29

Windows IT Pro, A Division of Penton Media Inc, (2009) [online] New York, NY,Available at

http://windowsitpro.com/article/articleid/39744/what-types-of-network-address-translation-nat-exist.html [Accessed 8 July 2009]

University of Aberdeen, (2009) [online] Aberdeen, UK, Available at

http://www.erg.abdn.ac.uk/users/gorry/eg3567/inet-pages/router.html [Accessed8 July 2009]

Internet Engineering Task Force, (2009) [online] California, USA, Available at

http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-05.txt[Accessed 10 July 2009]

Sun Microsystems, Inc., (2009) [online] Santa Clara, CA, Available at

http://java.sun.com/j2se/1.5.0/docs/guide/net/http-keepalive.html [Accessed 9July 2009]

World Wide Web, (2009) [online] Europe, Available at

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2 [Accessed 11July 2009]

Mark Nottingham, (2009) [online] USA, Available at

http://www.mnot.net/blog/2007/06/20/proxy_caching [Accessed 9 July 2009]

University of Wisconsin, (2009) [online] USA, Available at

http://pages.cs.wisc.edu/~cao/talks/icache/sld002.htm [Accessed 9 July 2009]

Prasad SVS [2008], Information security guidelines,Brigade corporation, USA.

David Lineman[2006], Security Policy ISO 17799, 1st edition, Houston, TX.

William R. Cheswick, Steven M. Bellovin [2000], Firewalls and Internet Security:Repelling The Wily Hacker, Addison-Wesley Professional Computing, NJ.

National Institute of Standards and Technology (NIST) [online] Gaithersburg, MD,Available at 20899-1070http://www.itl.nist.gov/div898/handbook/pmc/section3/pmc324.htm [Accessed 9July 2009]
http://windowsitpro.com/article/articleid/39744/what-types-of-network-address-translation-nat-exist.htmlhttp://windowsitpro.com/article/articleid/39744/what-types-of-network-address-translation-nat-exist.htmlhttp://www.erg.abdn.ac.uk/users/gorry/eg3567/inet-pages/router.htmlhttp://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-05.txthttp://java.sun.com/j2se/1.5.0/docs/guide/net/http-keepalive.htmlhttp://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2http://www.mnot.net/blog/2007/06/20/proxy_cachinghttp://pages.cs.wisc.edu/~cao/talks/icache/sld002.htmhttp://www.itl.nist.gov/div898/handbook/pmc/section3/pmc324.htmhttp://windowsitpro.com/article/articleid/39744/what-types-of-network-address-translation-nat-exist.htmlhttp://windowsitpro.com/article/articleid/39744/what-types-of-network-address-translation-nat-exist.htmlhttp://www.erg.abdn.ac.uk/users/gorry/eg3567/inet-pages/router.htmlhttp://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-05.txthttp://java.sun.com/j2se/1.5.0/docs/guide/net/http-keepalive.htmlhttp://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2http://www.mnot.net/blog/2007/06/20/proxy_cachinghttp://pages.cs.wisc.edu/~cao/talks/icache/sld002.htmhttp://www.itl.nist.gov/div898/handbook/pmc/section3/pmc324.htm

Assignment 2 Computer Networking[1]

Documents