
A corporation has two domain system servers (DNS), one web server, and SMTP serv

ID: 3771159 • Letter: A

Question

A corporation has two domain system servers (DNS), one web server, and SMTP server. All servers and their connecting routers are in the same subnet. A layer 3 switch is connected through EtherChannel to another subnet.

The webserver and SMTP server are needed to communicate with Internet.

For security purposes, web access to SMTP and DNS servers is denied. The DNS servers should communicate only with each other and the Internet.

For this network, you are required to implement the following Layer 2 and Layer 3 services

Implement a switch to switch connectivity using Trunking and aggregating links

Implement a PVLAN solution hosting DNS, WWW and SMTP servers

For security implement VACL and PACL in Critical Subnet

Provide a verification plan for the above solution

Provide a technical proposal that addresses all issues described above.


Explanation / Answer

Virtual LANs (VLANs) are a well-established and world-proven fundamental of Ethernet local-area networks (LANs).

However, their contribution to layered perimeter security is often overlooked or at least undervalued. This section outlines three ways in which VLANs can be utilised to improve security at the perimeter of a network and to add an extra layer of segregation and classification to traffic crossing inter-network boundaries.

Ethernet VLANs are defined by the IEEE 802.1q standard. The standard calls for four additional bytes of data to be added to the standard Ethernet header, including a 12-bit region to be used to designate VLAN membership.

Therefore, up to 4096 unique VLANs can be created on a switch. In reality however, this number is reduced by hardware capabilities and the use by Cisco of certain VLAN numbers for reserved or otherwise special functions.

Some of the more obvious security applications of VLANs are well documented. Many network architects use VLANs to segregate those users and departments that have no need to converse with one another.

For example in a company of several hundred users it is likely that there are specific sales, engineering, finance and marketing departments.

Usually the workstations of end-users in one department will have no need to converse with workstations of end-users in other departments;

rather they will only need to communicate with workstations in their own department plus shared central hosts such as file, print and email servers as well as network gateways such as routers and firewalls.

It therefore makes good sense to separate these departments into separate IP subnets and separate VLANs.

If a security consultant were brought in and tasked with improving the perimeter security of this imaginary network he or she may first consider splitting the servers onto multiple physical DMZs so that each type of service (SMTP, WWW, FTP, etc) has a dedicated DMZ.

However, this might not be an option due to limitations in the firewall hardware, reluctance to re-address servers or any other reason.

In such an instance PVLANs could be a useful means of adding an extra layer of security to the existing network architecture, thus helping to provide defence in depth. Let us assume that only the following DMZ communications are necessary:

· The two SMTP servers need to communicate with one another
· All servers need to send log messages to the syslog server
· All servers need to communicate with hosts outside the DMZ

Limitations

There is a noteworthy limitation with PVLANs in that a layer 3 device can forward traffic between isolated ports.

If a host on an isolated port is compromised, an intruder may be able to send traffic in such a way that it goes from the compromised host to the gateway router or firewall (which will be on a promiscuous port) and is then routed back out the same interface to a host on a different isolated port. This would require the attacker to set a false ARP entry on the compromised host or set a static route to a host in the local subnet.
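The following Catalyst IOS configuration is an added example, not part of the original answer, showing how the PVLAN layout described above maps onto the question's DNS/WWW/SMTP subnet, how a VACL and a PACL back it up, and how the layer 3 hairpin from the Limitations paragraph is closed with an inbound ACL on the gateway SVI. Everything specific is assumed: VLAN 100/101/102, the 192.0.2.0/24 documentation subnet, host addresses .10 (WWW), .20 (SMTP), .30 and .31 (DNS), interface names Gi1/0/1-4 and Gi1/0/23-24, and the ACL and access-map names.

```cisco
! Added example (assumed names/addresses, not the original answer's configuration).
! VLAN 100 = primary PVLAN for 192.0.2.0/24; 101 = isolated (WWW, SMTP);
! 102 = community (the two DNS servers talk to each other and the gateway only).
!
! --- Layer 2: switch-to-switch trunk carried over an LACP EtherChannel ---
interface range GigabitEthernet1/0/23 - 24
 channel-group 1 mode active
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
 switchport nonegotiate
!
! --- Private VLAN definitions (VTP must be transparent or off for PVLANs) ---
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! --- Server host ports ---
interface GigabitEthernet1/0/1
 description WWW server 192.0.2.10 (isolated: no L2 path to SMTP or DNS)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ip access-group WWW-PACL in
interface GigabitEthernet1/0/2
 description SMTP server 192.0.2.20 (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface range GigabitEthernet1/0/3 - 4
 description DNS servers 192.0.2.30-31 (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! --- PACL on the web server port: drop anything it sends at SMTP or DNS ---
ip access-list extended WWW-PACL
 deny   ip any host 192.0.2.20
 deny   ip any 192.0.2.30 0.0.0.1
 permit ip any any
!
! --- VACL: only the DNS pair may exchange traffic inside the subnet; all other
! --- server-to-server traffic is dropped, everything leaving the subnet is kept.
! --- Applied to primary and secondary VLANs so it covers traffic entering from
! --- host ports as well as from the promiscuous side.
ip access-list extended DNS-PAIR
 permit ip host 192.0.2.30 host 192.0.2.31
 permit ip host 192.0.2.31 host 192.0.2.30
ip access-list extended SAME-SUBNET
 permit ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
vlan access-map DMZ-VACL 10
 match ip address DNS-PAIR
 action forward
vlan access-map DMZ-VACL 20
 match ip address SAME-SUBNET
 action drop
vlan access-map DMZ-VACL 30
 action forward
vlan filter DMZ-VACL vlan-list 100-102
!
! --- Gateway SVI on the primary VLAN acts as the promiscuous port ---
! NO-HAIRPIN closes the limitation above: a packet that arrives from the server
! subnet but is addressed back into the same subnet is dropped before the router
! can forward it out the same interface to another isolated port.
ip access-list extended NO-HAIRPIN
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip any any
interface Vlan100
 private-vlan mapping 101,102
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 ip access-group NO-HAIRPIN in
!
! --- Verification plan (run after the configuration is applied) ---
! show etherchannel summary            -> Po1 flagged (SU), both members (P)
! show interfaces trunk                -> Po1 trunking, VLANs 100-102 allowed
! show vlan private-vlan               -> 100 primary, 101 isolated, 102 community
! show interfaces Gi1/0/1 switchport   -> host association 100 101
! show vlan access-map / show vlan filter -> DMZ-VACL bound to 100-102
! show ip access-lists NO-HAIRPIN      -> deny counter rises on a hairpin attempt
! ping 192.0.2.20 from the WWW server  -> must fail; ping 192.0.2.31 from .30 -> must succeed
```

The VACL and PACL are deliberately redundant with the PVLAN isolation: if a port is later re-provisioned with the wrong host association, or an SVI is mis-mapped, the ACLs still enforce the stated policy, and their hit counters give a simple signal that something is trying to cross the boundary.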
