WGU Capstone proposal; spot flaws in my "security" theory
bermovick (Member, Posts: 1,135)
Ugh, what a terrible title. Anyway.
I'm not testing if this is a valid proposal (although anyone is more than welcome to weigh in on that). I'll be emailing a course mentor regarding that. What I'm concerned about is the feasibility of the method I came up with of securing the edge router:
So my idea was setting up the network for a small branch office for a fictitious corporation. Cheaply, securely.
Basically I'd go through after basic installation of PCs, securing the network (port-security on the switch, etc.). For the edge, in order for this to be a cheap turnup (first branch office, tentative expansion), rather than having its own firewall, etc., I'd configure a crypto P2P VPN back to the corp office over DSL (probably business class, I'd think), configure a /32 route out the DSL interface to bring up the tunnel and a /0 over the tunnel to the corporate infrastructure, which is better equipped for firewalls, content filtering, whatever (beyond my scope). Then I'd apply an ACL inbound on the DSL interface denying any traffic that's not coming from the other endpoint of the tunnel.
My theory is that the ACL blocks everything not coming from the corporate router (specifically the one address configured on the branch router as 'tunnel destination X'). Combined with the VPN dropping non-encrypted traffic coming in, this seems to be pretty secure (perhaps add an ACL to the VTY lines to prevent spoofing? Spoofing is a bit confusing).
Conscious incompetence is a terrible thing...
I'm POSITIVE there are flaws in this, and perhaps I'm overthinking this ("write to the rubric", right?), but I don't want something unrealistic or something OBVIOUS that I'm missing, so I look like an idiot even suggesting that the C-level person or whoever the project sponsor is would even suggest something like that (even though the Taskstream people probably wouldn't even know).
Latest Completed: CISSP
Current goal: Dunno
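As an added example (not the original poster's configuration), here is how the design described in the post could look on a Cisco IOS branch router: a static /32 to the corporate VPN peer out the DSL interface, a default route into the tunnel, and an inbound ACL on the DSL interface that admits only IKE and ESP from that one peer, plus the VTY access-class the poster wondered about. Interface names, the RFC 5737 documentation addresses, the policy names and the pre-shared key placeholder are all assumptions; the post names none of them.

```cisco
! --- IKE / IPsec policy (example values; the key is a placeholder) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set BRANCH-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile BRANCH-VPN
 set transform-set BRANCH-TS
!
! --- Point-to-point VTI to corporate (203.0.113.1 = assumed HQ public address) ---
interface Tunnel0
 description IPsec VTI to corporate hub
 ip address 10.255.0.2 255.255.255.252
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BRANCH-VPN
!
! --- DSL uplink: only IKE (UDP 500/4500) and ESP from the one peer may enter ---
ip access-list extended DSL-INBOUND
 permit udp host 203.0.113.1 any eq isakmp
 permit udp host 203.0.113.1 any eq non500-isakmp
 permit esp host 203.0.113.1 any
 deny ip any any log
!
interface Dialer0
 description Business DSL uplink (assumed PPPoE dialer)
 ip access-group DSL-INBOUND in
 ip verify unicast source reachable-via rx
!
! --- Routing: /32 to the peer brings the tunnel up, /0 sends everything else to HQ ---
ip route 203.0.113.1 255.255.255.255 Dialer0
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! --- Management plane: VTY reachable only from corporate address space, SSH only ---
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Note that filtering on the peer's address alone is not what provides the protection: a datagram with a forged source of 203.0.113.1 would pass an address-only ACL, so the ACL admits only the IKE and ESP protocols, and anything that is not a valid IPsec exchange under the peer's keys is discarded by the crypto engine. The strict uRPF check and the VTY access-class cover the router's own management plane, which is the part of the spoofing question the VTY ACL actually addresses.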
Comments
JoJoCal19 (Mod, Posts: 2,835)
Ok so what is the title of your Capstone? You basically need to come up with a subject/title, and then an abstract (what it will entail). For example mine was "Implementing a Mobile Device Security Plan". It was about a company who had an outdated information security plan that did not account for the unique threats facing mobile devices that are now in use at the company.
From what you typed, I think you're going a bit too low level with it with the ACLs and all that, but that's just my opinion. I kept mine high level and with the controls that were implemented, I just said "wifi on smartphones will be disabled to prevent connecting to unsafe networks" and "appstores will be restricted to prevent the installation of unauthorized apps". If you get too low level it could trip you up and require way too many details throughout the rest of your prospectus and capstone. A lot of the sections feed into each other so it could become a real PITA. But if that's what you want then that's cool. Your topic could be something like "Implementing a Low-cost, Secure Network in a Small Business".
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
EnderWiggin (Member, Posts: 551)
You seem to have a good idea of how to keep unwanted traffic from getting in, but what about stopping unwanted traffic from getting out? The biggest security flaw is always the end-users.
TranceSoulBrother (Member, Posts: 215)
As JoJoCal mentioned, think big picture. Start big and keep the details as examples.
Talk about "securing the IT infrastructure for a SOHO" or "network hardening a la carte for small business" or "cybersecurity considerations for small business"; then all the talk about implementation, risk analysis, cost benefit and the like would feed from it. You can even provide appendices like your ACL rules or sample network diagram/config for a SOHO...
bermovick (Member, Posts: 1,135)
Hmm.... big picture, eh? Sigh, I'm terrible at coming up with ideas to flesh out enough (it takes me longer to come up with what to write about/enough ideas than actually writing them once I have the 'shape' in my mind).
Ender: The plan was for the default-route at the branch side to send outbound traffic into the corporate network (hub and spoke), since the HQ would do filtering/etc.
Thanks for the input everyone. I'll have to see if I can flesh this out enough without getting into the details too deep.
TranceSoulBrother (Member, Posts: 215)
> Hmm.... big picture, eh? Sigh, I'm terrible at coming up with ideas to flesh out enough (it takes me longer to come up with what to write about/enough ideas than actually writing them once I have the 'shape' in my mind).
Don't think too much. Start with a problem statement, since that's what you will build your abstract and business proposal around.
It needs to be just that: a statement, a sentence, a phrase that just says in so many words what you want to do with your project. Think of the "elevator speech" that if you were in an elevator with someone and he has a job opening or money for a startup, you have 20 seconds to tell him enough about you to hire you or enough about your project to secure a meeting for potential funding. You have 20 seconds a.k.a one or two sentences for your project, ok?
Then, you can build the entire write up around it.
Read back what JJ and myself wrote earlier. That's already a framework for what you're trying to do with your project, without the extra details of all the network traffic that's hiding your forest behind some trees.
JoJoCal19 (Mod, Posts: 2,835)
I gave you a topic based on what you wrote. From there think of like 3 aspects of the implementation to cover. Just avoid getting too technical with jargon and details like hub and spoke, ACLs, etc.