BOLTON HEALTH SERVICE SECURE NETWORK DESIGN

02 Jul BOLTON HEALTH SERVICE SECURE NETWORK DESIGN

LO1: Perform a risk assessment for a given network security scenario and design a defensive strategy to address the

risks that you have identified.

LO2: Devise a firewall security policy and implement it using appropriate hardware and/or software.

Assignment Brief Introduction
The Internet has changed the approaches and attack vectors used by criminals in a massive way. The requirements for a

criminal to geographically close to their target is no longer a requirement. Attackers can probe and gain access to any

unprotected network from the comfort of their local internet café; no physical presence, no violence simply following

a logical processes and careful analysis of the information retrieved from a probed network is sufficient for the

criminal to obtain sensitive data such as credit card and deeply personal details. Therefore the design and development

of a secure network that provides a defence in depth strategy is paramount in todays business environment.
Assignment Brief and Overview of Research Scope

You are required to design and document a secure network for a medium sized doctors office that includes the

development of a shell script that includes all of the configuration elements for a Linux based iptables based firewall.
For this written assignment you are expected to research and develop two areas of network security. This assignment will

provided you with a deep yet rounded understanding of the approaches required to protect networks from outside attack

without restricting use for the authorised users of the network.
The assignment will consist of at least a minimum of three thousand words (excluding appendices, bibliography and

contents page) and will require independent research covering the following two aspects of risk assessment for the

design of a secure network that takes a defensive strategy to address the risks that you have identified and devise a

firewall security policy and implement it using appropriate hardware and/or software.
1. Risk Assessment and Secure Network Design: Under take a risk assessment to determine services, protocols, connection

directions, security classifications for data, access control, overall network security and Host and server security.

Design the secure network contrasting technologies and techniques to define the best strategy to mitigate the attack

vectors identified based upon the protocols and risk analysis. This will include a detailed network diagram outlining

ingress and egress points and full topology diagram that provides a defence in depth strategy.
2. Devise the firewall policy: Provide detailed instructions for the configuration of the firewall and rational for the

rules applied based upon the identified network services highlighted from the risk analysis as identified in part one.

This must be submitted as a shell script with detailed information on each of the rules that have been identified and

how this related to the information security strategy and the defence in depth strategy

For both areas you will need to consider and research contemporaneous security practices for network design and

deployment. Furthermore you will need to provide comparisons and justify your approaches for the topological design,

deployment of technologies and why you have chosen the strategies and technologies. It may well be worth researching to

see if there are existing practices within the NHS for this sort of development.

Please use the papers provided in the Case Study lectures on Moodle 2 to help you understand the topic and how to write

at the required academic level. This is a piece of applied research and should be documented as such.

Case Study area of research.
Bolton Health Service medium sized medical practice.

The assignment will consider the environment of a medium sized doctors office and surgical practice. There will be a

number of assumptions that can be made in terms of the requirements of the services such as internal servers and

external connection requirements, protocols and services that are used will be standard ports for those services. For

example, SSH prot 22, DNS port 53, SMTP port 25, https port 80 etc etc. There is also some specialist equipment for

medical imaging an example of one can be found here

https://www.philips.co.uk/healthcare-product/HC781342/ingenia-30t-mr-system that contains some basic specifications.

Assumptions can also be made about this equipment and how the data is stored and transmitted assume a standard network

protocol appropriate to the task is used.

Consider Information Security: This is a prerequisite exercise for the main element of the assignment brief.

Understanding an organizations data is the first step to securing their network. Data will have different

confidentiality and reliability requirements depending on whether it is medical, personal or general. Use the titles of

medical, personal and general as the classifications of the data and consider how each class is to be handled in the

context of the access permissions for the various roles in the organization. For example a Doctor would need to see all

medical and personal information where as a receptionist would only require to personal.
Planning The Network through risk analysis (1): Network security requires: 1) Identifying the services, protocols/ports,

connections, software and hardware technologies used within the network, and 2) allocating services to virtual or

physical computers, based on their Criticality/Sensitivity classification and role-based access control. This is all

undertaken through the process of risk analysis.
In this case study of the doctors office you must complete research in order to undertake risk analysis to determine an

appropriate design of a secure network for the required services including appropriate controls to securely protect the

data. The first step would be to determine which network services are allowed to enter and leave the network, and in

which directions connections normally originate and identify potential attack vectors that could be exploited based upon

Application Level protocols and transport and addressing protocols. The second step considers which applications can be

stored together on physical or virtual machines, based on access control (who can access what) and the Criticality

classification. Based on the Criticality classification, you will then define the required controls for each

service/host and technology used. The design and implementation of the network and technology needs will be based upon

the risk analysis you have identified and based upon the services that are required for this busy doctors surgery and

must to protect the organizations data, hosts and LANs from unauthorised access from the Internet, inside and wireless

networks.
Finally, you are required to develop a topological diagram that has a colour code the different systems according to

their level of security. Please use the floor plan of the office to help with the topological diagram
Figure 1: Floor Plan for Bolton Health Service.

Devise the Firewall Policy Network Security Research Element 2: If you are to protect the network, you must be able to

define and develop the rules for the firewalls that are placed throughout the network. These rules must be written as a

BASH script that can be used on the Linux based firewall. Additionally there MUST be a chapter in the main body of the

research paper that discusses the rules you have implemented, why you have implemented them and why they are appropriate

for the services and protocols you have identified from the risk assessment undertaken in research element 1.

Understanding protocols is essential to recognizing attack traffic, attack vectors as well as how attacks can be

manifested at different levels of the TCP/IP stack and programming a firewall is a key skill required for todays

security set. For example, you may need to consider which ports should remain open in and in which direction do

connections normally occur? Sometimes this is not easily known, and some research will need to be taken.
This very technical exercise and each of the practical sessions that have taken place will help you with the development

of the rules. It is expected that you will test your rules to ensure that they work.

Secondary Research Level HE6 It is expected that the Reference List will contain between fifteen to twenty sources. As

a MINIMUM the Reference List should include four refereed academic journals and four academic books.

Marking Guide Assignment

Content 25%

• Structure of report is appropriate to the topic.
• Summary skills in evidence e.g. to select evidence and examples.
• Section included on findings, with sub-headings.
• Conclusion section included, addressing the question in the title.
• Excessive detail moved to one or more appendices.
• Clear knowledge of network security technologies, strategies and approaches .

Report Writing 25%

• Essential sections present: title, introduction/abstract, contents, findings, conclusions, references, and possibly

one or more appendices (following David Rudds guidelines in Cite Me Im Yours available from:

https://www.bolton.ac.uk/library/LibraryPublications/StudySkills/Harvard07.pdf).

• Well written, generally following UK conventions for spelling, grammar and punctuation.
• Well-presented overall, including use of spacing, and consistency in use of fonts and sizes for headings and text.
• Use of graphical elements e.g. tables, pictures etc. where appropriate.
• Homogeneous, not simply a collection of individual submissions.
• Total number of words as a minimum 3000

Research Process and Referencing 25%

• Section included on research objectives, initial ideas, how and why changed, (if at all), final sequence of topics.

i.e. was there a research strategy, and did it help you to draw conclusions?
• Section included on evaluation and comparisons of techniques and technologies. Consider where did you get your best

information? Did you consciously use a variety of sources? What method did you adopt for recording sources?
• Any direct quotes clearly identified as such, and the source stated.
• Correct lay out of a Bibliography
• Correct documentation of sources. E.g. using the Harvard method to link to the list of references.

Individual Contribution to the problem domain 25%

Your individual ideas brought about through research, argument and synthesis of management methodologies. You should let

your individual thoughts based upon sound academic argument shine through.

Additional Marking information:

First class: This piece of work shows evidence of wider research with reference to a number of differing academic

viewpoints. The report has recognised relevantly and discussed in detail, all the required external environmental

factors which affect the management operation of mega events. Several reasoned and logical arguments have been developed

well and supported by a wide range of appropriately researched literature. Reference to two or more academic models is

clear, relevant and informative. Presentation is of a high professional standard, and in the appropriate technical

report style. The high number of appropriate sources has been referenced accurately and to a high standard.

Second class: A clear and informative piece of work with evidence of wider research and discussion. The report has

correctly recognised and discussed, all the required external environmental factors which affect the management

operation of mega events. Some reasoned arguments have been developed and supported by a good number of sources.

Reference to two academic models is clear. Presentation is of a good standard, in the appropriate report style. A good

number of appropriate sources have been referenced well, with most complying with the Harvard style.

Third class: A reasonable attempt has been made at researching the essay but greater in depth discussion and academic

debate is required. The report has recognised the external environmental factors which affect the security of the

network, however mostly the discussion is superficial and lacking in any depth. Reference to two academic models has

been attempted. Presentation of the report is limited, and only the minimum of 5 sources has been provided, with at

least one academic text and two academic journals included.