ASSIGNMENT NUMBER: 2
ASSIGNMENT NAME: Consulting and Designing networking systems for Gold Star
Summative Feedback:
Internal verification:
Assignment 2
Contents
I. DHCP ........ 4
II. Mail server ........ 7
III. DNS ........ 8
IV. Web server ........ 9
LO1 Well-known Application Layer Protocols and Services
I. DHCP
DHCP stands for Dynamic Host Configuration Protocol. It is the protocol by which a DHCP server
(often integrated into the router) automatically assigns IP addresses to the devices that join the
same network.
In addition, DHCP also provides the devices with the other network parameters they need:
specifically the subnet mask, the default gateway and the DNS server addresses.
How DHCP works:
o Basically, the way DHCP works is simple: when a device wants to join the network, it
broadcasts a request, and the router (or a dedicated DHCP server) assigns it an available
IP address.
o Specifically, when a device needs to connect to the network, it sends a DHCP DISCOVER
message to the server. The DHCP server then looks for an available IP address and returns
it to the client in a DHCP OFFER message.
o Once the client has received the offered address, it replies to the server with a DHCP
REQUEST message. The server then sends a confirmation (DHCP ACK) that the device now
holds the IP address, together with the lease time, that is, how long the address may be
used before it must be renewed or replaced.
o Because of this mechanism, in small-scale or household networks the router acts as the
DHCP server. In larger network models a router cannot manage all of the devices, so a
dedicated DHCP server is needed to perform the address assignment.
1. DHCP server
A DHCP server is the server that provides the network configuration. It responds with that
information when a workstation (the DHCP client) broadcasts a request. In addition, the DHCP server
is responsible for delivering the information to the devices in the most appropriate way and, at the
same time, for supplying the default gateway and subnet mask configuration.
2. DHCP client
A DHCP client is a workstation running the DHCP client service. The DHCP client registers and
updates the information about its own IP address, together with its DNS records. Specifically,
when it needs an IP address or other TCP/IP parameters in order to work on the network, the
DHCP client sends a request to the DHCP server.
3. Advantages of DHCP
o DHCP allows automatic configuration, so devices connect to the network faster.
o It helps manage IP addresses systematically, avoids duplicate IP addresses and makes the
network more stable.
o IP addresses and TCP/IP parameters are easily managed from one central station.
o Network administrators can change configurations and IP parameters as needed when
upgrading the infrastructure.
o Devices can move between networks and receive new IP addresses automatically.
4. Disadvantages of DHCP
Despite its many advantages, DHCP is not without limitations. Specifically:
o Dynamic IP addresses are not suitable for fixed devices that are accessed continuously and
frequently, such as printers and file servers.
o DHCP is only suitable for small or home network models.
5. Communication messages between DHCP server and DHCP client
o DHCP Discover: the message broadcast to the DHCP server by a device that needs an IP
address in order to access the network.
o DHCP Offer: the message containing an IP address and additional TCP/IP configuration. The
DHCP server sends the DHCP Offer to the client as a response after receiving the DHCP
Discover.
o DHCP Request: the message the DHCP client sends back to the server, after receiving a
DHCP Offer, to accept the offered IP address.
o DHCP Acknowledge: the message the DHCP server sends to the client to confirm that it has
accepted the DHCP Request. At the same time it carries the optional parameters the client
needs to access the TCP/IP network and to complete its boot process.
o DHCP NAK: if the client cannot use the IP address because it is no longer valid or is already
in use by another machine, the DHCP server sends a DHCP NAK message. After that, the
client must restart the lease process.
o DHCP Decline: when the DHCP client determines that the parameters in the offer are not
valid, it sends a DHCP Decline message to the server, and the client must restart the lease
process.
o DHCP Release: the message the DHCP client sends to the server to free up its IP address
and, at the same time, to remove its existing lease.
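The exchange described above, as an added example that is not part of the original assignment: a minimal in-memory DHCP server (written for this page, not a real DHCP implementation) hands out addresses from a pool and answers DISCOVER, REQUEST, DECLINE and RELEASE with OFFER, ACK and NAK. The addresses, MAC addresses and the lease time are constructed sample values.

```python
"""Constructed model of the DHCP message exchange listed above (an added
example, not code from the original assignment). A minimal in-memory DHCP
server hands out addresses from a pool and answers DISCOVER, REQUEST, DECLINE
and RELEASE with OFFER, ACK and NAK. Addresses, MACs and the lease time are
made-up sample values."""

LEASE_SECONDS = 3600  # assumed lease time handed to clients


class DhcpServer:
    def __init__(self, pool, gateway, subnet_mask, dns, clock):
        self.free = list(pool)      # addresses neither offered nor leased
        self.offers = {}            # client MAC -> address offered, awaiting REQUEST
        self.leases = {}            # address -> (client MAC, expiry time)
        self.gateway = gateway
        self.subnet_mask = subnet_mask
        self.dns = dns
        self.clock = clock          # callable returning the current time in seconds

    def _expire_leases(self):
        """Return expired addresses to the pool (the 'time of use' in the text)."""
        now = self.clock()
        for ip, (_mac, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]
                self.free.append(ip)

    def _params(self, kind, mac, ip):
        return {"type": kind, "mac": mac, "ip": ip, "subnet_mask": self.subnet_mask,
                "gateway": self.gateway, "dns": self.dns, "lease": LEASE_SECONDS}

    def handle(self, msg):
        """Process one client message (a dict with 'type', 'mac' and, except for
        DISCOVER, 'ip'); return the server's reply or None when it stays silent."""
        self._expire_leases()
        kind, mac = msg["type"], msg["mac"]
        if kind == "DISCOVER":
            if mac not in self.offers:
                if not self.free:
                    return None             # pool exhausted: nothing to offer
                self.offers[mac] = self.free.pop(0)
            return self._params("OFFER", mac, self.offers[mac])
        ip = msg["ip"]
        if kind == "REQUEST":
            offered = self.offers.pop(mac, None)
            renewing = self.leases.get(ip, (None, 0))[0] == mac
            if offered == ip or renewing:
                self.leases[ip] = (mac, self.clock() + LEASE_SECONDS)
                return self._params("ACK", mac, ip)
            if offered is not None:
                self.free.append(offered)   # client asked for something else; reclaim the offer
            return {"type": "NAK", "mac": mac}  # address not valid for this client
        if kind == "DECLINE":
            # The client found the address in use: keep it out of the pool for a lease period.
            self.offers.pop(mac, None)
            self.leases[ip] = ("declined", self.clock() + LEASE_SECONDS)
            return None
        if kind == "RELEASE":
            if self.leases.get(ip, (None, 0))[0] == mac:
                del self.leases[ip]
                self.free.append(ip)
            return None
        raise ValueError(f"unknown DHCP message type {kind!r}")


def run_exchange():
    """Walk one client through DISCOVER/OFFER/REQUEST/ACK and RELEASE; return the reply types seen."""
    now = [1000]
    server = DhcpServer(["192.168.2.21", "192.168.2.22"], "192.168.2.1",
                        "255.255.255.0", "192.168.1.10", clock=lambda: now[0])
    replies = []
    offer = server.handle({"type": "DISCOVER", "mac": "aa:bb:cc:00:00:01"})
    replies.append(offer["type"])
    ack = server.handle({"type": "REQUEST", "mac": "aa:bb:cc:00:00:01", "ip": offer["ip"]})
    replies.append(ack["type"])
    # A second client asking for the address already leased to the first one gets a NAK.
    nak = server.handle({"type": "REQUEST", "mac": "aa:bb:cc:00:00:02", "ip": offer["ip"]})
    replies.append(nak["type"])
    server.handle({"type": "RELEASE", "mac": "aa:bb:cc:00:00:01", "ip": offer["ip"]})
    return replies


if __name__ == "__main__":
    print(run_exchange())
```

Running the file prints the reply types for one client, ['OFFER', 'ACK', 'NAK']. The clock is injected so that lease expiry can be exercised without waiting; a declined address is kept out of the pool for one lease period rather than being handed straight to the next client, which is what stops the same conflict recurring.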
6. How to handle IP conflict errors with DHCP
Although DHCP's role is to assign IP addresses to devices automatically, DHCP itself
sometimes encounters errors that lead to IP conflicts. In this case, to fix it, the administrator
simply releases the duplicate IP address. If that does not resolve the error, restart the router.
If both of the above have been tried and the problem persists, the error is not caused by DHCP
or the router.
7. Possible attacks with DHCP configuration
In practice there are two situations in which DHCP is attacked: through a rogue (unauthorized)
DHCP client workstation and through a rogue (unauthorized) DHCP server.
When the DHCP client is rogue:
In this case the client workstation continuously sends IP address requests to the server, and
the server automatically issues IP addresses to this unauthorized client until the pool is
exhausted. The result, of course, is that the address pool is depleted for legitimate
workstations, the system stalls and many workstations cannot access the network. This type
of attack is very simple and costs the attacker little more than bandwidth and very little time.
When the DHCP server is rogue:
When attackers break through the network's defences, they gain control of the DHCP server
and use it to take control of the system. There are usually three types of rogue DHCP server
attack.
o Network DoS: the attacker hands out an IP range and subnet mask that prevent
workstations from joining the system, resulting in a denial of service on the network.
o DNS redirect: by changing the DNS server handed to workstations, their visits are led to
fake websites containing malicious code and viruses for the purpose of stealing users'
information.
o Man-in-the-middle: this type of attack targets the default gateway by replacing it with the
attacker's machine. This means that requests the client sends to the default gateway are
automatically routed through the attacker's machine before reaching the real gateway.
From there the attacker can easily copy all of the information the user sends. However,
this type of attack only lets the attacker see the information sent outwards; content
returned to the client workstation is not intercepted.
8. Security solutions for DHCP
Each type of attack has its own DHCP security solution. Specifically:
o Rogue DHCP client attacks: to deal with this type of attack, use switches with port security,
which limits the number of MAC addresses allowed per port. The problem then cannot occur
when too many MAC addresses are used on one port at the same time: when the number of
addresses exceeds the configured limit, the port stops serving traffic and can only be
re-enabled at a time set by the administrator.
o Man-in-the-middle attacks: use a switch with DHCP snooping as the DHCP security solution
against this type of attack. The switch blocks suspicious DHCP traffic arriving on untrusted
ports, and only trusted connections are allowed to carry DHCP response packets. Of course,
only that trusted port is entitled to connect to the real server.
Solutions commonly used to secure DHCP servers:
o Secure data storage using the NTFS file system.
o Regularly update Windows and the installed software to new versions.
o Regularly scan the system for viruses.
o Screen and remove unnecessary software or services.
o Use a firewall to secure DHCP servers.
o Use physical security for servers.
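The two switch-side protections described above, port security and DHCP snooping, as an added example (written for this page, not the assignment's own configuration or any vendor's code): a small switch model limits the number of MAC addresses learned per access port and shuts the port until an administrator re-enables it, and forwards server-side DHCP messages only from ports marked trusted. The port names, MAC addresses and the per-port limit are constructed sample values.

```python
"""Constructed model of the two switch-side protections from section 8 (an
added example, not the assignment's own code): port security, which limits
the number of MAC addresses learned on each access port and shuts the port
until an administrator re-enables it, and DHCP snooping, which forwards
server-side DHCP messages (OFFER/ACK/NAK) only from ports marked trusted.
Port names, MAC addresses and the limit are made-up sample values."""


class Switch:
    def __init__(self, trusted_ports, max_macs_per_port):
        self.trusted = set(trusted_ports)   # ports that lead to the real DHCP server
        self.max_macs = max_macs_per_port
        self.learned = {}                   # port -> set of source MACs seen
        self.err_disabled = set()           # ports shut by port security
        self.log = []                       # what an administrator would see

    def _port_security(self, port, mac):
        if port in self.err_disabled:
            return False
        macs = self.learned.setdefault(port, set())
        if mac not in macs and len(macs) >= self.max_macs:
            self.err_disabled.add(port)
            self.log.append(f"{port}: more than {self.max_macs} MACs, port err-disabled")
            return False
        macs.add(mac)
        return True

    def _dhcp_snooping(self, port, frame):
        kind = frame["dhcp"]
        if kind in ("OFFER", "ACK", "NAK") and port not in self.trusted:
            self.log.append(f"{port}: dropped DHCP {kind} from untrusted port")
            return False
        # Client messages must carry the same hardware address as the frame source,
        # otherwise one sender could request leases on behalf of many addresses.
        if kind in ("DISCOVER", "REQUEST") and frame.get("chaddr") != frame["src_mac"]:
            self.log.append(f"{port}: dropped DHCP {kind}, chaddr does not match source MAC")
            return False
        return True

    def forward(self, port, frame):
        """Return True if the frame may be forwarded, False if it is dropped.
        frame: {'src_mac': ..., optional 'dhcp': message type, 'chaddr': client hw address}"""
        if not self._port_security(port, frame["src_mac"]):
            return False
        if "dhcp" in frame and not self._dhcp_snooping(port, frame):
            return False
        return True

    def reenable(self, port):
        """Administrator action: clear the violation and let the port learn again."""
        self.err_disabled.discard(port)
        self.learned.pop(port, None)


def demo():
    """Feed a few constructed frames through the switch; return (forwarded flags, log)."""
    sw = Switch(trusted_ports={"Gi1/24"}, max_macs_per_port=2)
    frames = [
        ("Gi1/1", {"src_mac": "00:11:22:33:44:01", "dhcp": "DISCOVER", "chaddr": "00:11:22:33:44:01"}),
        ("Gi1/24", {"src_mac": "00:11:22:33:44:fe", "dhcp": "OFFER"}),      # real server port
        ("Gi1/2", {"src_mac": "00:11:22:33:44:02", "dhcp": "OFFER"}),       # server reply from an access port
        ("Gi1/1", {"src_mac": "00:11:22:33:44:03", "dhcp": "DISCOVER", "chaddr": "00:11:22:33:44:99"}),
        ("Gi1/1", {"src_mac": "00:11:22:33:44:04"}),                         # third MAC on Gi1/1
    ]
    return [sw.forward(port, f) for port, f in frames], sw.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The log lines are the signal an administrator would act on: an err-disabled port points at a machine (or a hub) behind one access port that is presenting too many addresses, and a dropped OFFER on an untrusted port points at a device answering DHCP where only the server port should.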
II. Mail server
A mail server is a server system that is individually configured to send and receive mail over the
Internet. Put simply, a mail server is like a post office on the Internet: it is a data centre that stores
and retrieves mail information. Before your mail reaches the recipient's inbox, it must pass through
the mail server.
the recipient's mailbox. The queue of messages is the Local Queue. To enhance security and keep the
email server system safe, before a message is delivered to the user, the local queue and remote
queue carry out a virus scan and then a spam check, to be sure of the quality of the message sent
and to avoid the mail server being blacklisted as a spam IP.
Local Mailboxes: mailboxes are the inboxes of the accounts registered with the company's mail
server.
Email Authentication: Email Authentication is the feature that confirms the identity of users when
they access their email inbox. This feature helps you secure your own correspondence.
Alternate Email: Alternate Email is a form of backup email. When you forget your mail server
password, you can use this email to get your password back quickly.
MX record: the MX record shows the way for email to reach your mail server. The MX record is
usually accompanied by an A record that points to the IP address of the mail server. The Pref
parameter has a numerical value that indicates the priority of the mail server: the smaller the Pref
value, the higher the priority.
3. Current mail server services
Independent Mail Server
The independent mail server system is designed for separate organizations that need to handle
large workloads and process mail and data services more flexibly. Large businesses that want their
data to be controlled only by their own managers should use an independent mail server. The
organization simply hires the service to configure, install, operate and maintain the system. These
standalone mail servers can sync with Outlook remotely and let webmasters connect to the
database, giving you the power and control needed for large-scale operations.
1. DNS functionality
Each website has a name (a domain name or URL: Uniform Resource Locator) and an IP address. IPv4
addresses consist of 4 groups of numbers separated by dots. When you open a web browser and
enter a website name, you go straight to the website without having to enter the website's IP
address. The process of "translating" a domain name into an IP address so that the browser can
reach the website is the work of a DNS server. DNS translates back and forth between the "IP
address" and the "name" and vice versa. Users only need to remember the "name"; they do not need
to remember the IP address (IP addresses are numbers that are very difficult to remember).
2. DNS working principles
Each service provider operates and maintains its own DNS server, consisting of machines within that
provider's own part of the Internet. That is, when a browser looks up the address of a website, the
DNS server that resolves that website's name must be the DNS server of the organization that
manages the website, not that of another organization (service provider).
INTERNIC (Internet Network Information Center) is responsible for tracking domain names and their
corresponding DNS servers. INTERNIC is an organization founded by the NSF (National Science
Foundation), AT&T and Network Solutions, and is responsible for registering Internet domains.
INTERNIC is only responsible for managing the DNS servers on the Internet; it does not resolve
names to addresses itself.
DNS has the ability to query other DNS servers to obtain a resolved name. The DNS server of each
domain usually has two tasks. First, it resolves names for machines inside its domain into Internet
addresses, both inside and outside the domain it manages. Second, it responds to external DNS
servers trying to resolve names inside the domain it manages.
DNS servers are able to remember (cache) names that have just been resolved, to use for
subsequent resolution requests. The number of resolved names kept depends on the size of each
DNS server.
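The resolution process described above, and the MX preference rule from the mail-server section, as an added example (written for this page, not code from the assignment or from any DNS software): three authoritative servers (the root, the .com servers and the servers of the organization that manages goldstar.com) are modelled as zone dictionaries; a resolver starts at the root, follows referrals down to the server of the organization that manages the name, and caches every answer for its TTL so that repeated lookups are served locally. The zone data, host names and addresses are all constructed.

```python
"""Constructed simulation of the DNS resolution process described above (an
added example, not from the original assignment). Three authoritative servers
(the root, the .com servers and the goldstar.com servers) are modelled as zone
dictionaries; a resolver starts at the root, follows referrals down to the
server of the organization that manages the name, and caches every answer for
its TTL. It also picks the mail server with the lowest MX preference, as in the
mail-server section. All zone data, names and addresses are made up."""

# zone -> {"delegations": {child zone: name server}, "records": {(name, type): (ttl, rdata)}}
ZONES = {
    ".": {"delegations": {"com.": "a.gtld-servers.example."}, "records": {}},
    "com.": {"delegations": {"goldstar.com.": "ns1.goldstar.com."}, "records": {}},
    "goldstar.com.": {
        "delegations": {},
        "records": {
            ("www.goldstar.com.", "A"): (300, ["203.0.113.10"]),
            ("goldstar.com.", "MX"): (3600, [(20, "mail2.goldstar.com."), (10, "mail1.goldstar.com.")]),
            ("mail1.goldstar.com.", "A"): (300, ["203.0.113.25"]),
            ("mail2.goldstar.com.", "A"): (300, ["203.0.113.26"]),
        },
    },
}


def authoritative_query(zone, name, qtype):
    """What the server for `zone` answers: ('answer', ttl, rdata), ('referral', child) or ('nxdomain',)."""
    z = ZONES[zone]
    if (name, qtype) in z["records"]:
        ttl, rdata = z["records"][(name, qtype)]
        return ("answer", ttl, rdata)
    for child in z["delegations"]:
        if name == child or name.endswith("." + child):
            return ("referral", child)      # "ask the child zone's server instead"
    return ("nxdomain",)


class CachingResolver:
    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.cache = {}             # (name, qtype) -> (expiry, rdata)
        self.queries_sent = 0       # upstream queries, to show the effect of caching

    def resolve(self, name, qtype):
        key = (name, qtype)
        now = self.clock()
        if key in self.cache and self.cache[key][0] > now:
            return self.cache[key][1]   # cache hit: no upstream traffic
        zone = "."
        while True:
            self.queries_sent += 1
            resp = authoritative_query(zone, name, qtype)
            if resp[0] == "answer":
                self.cache[key] = (now + resp[1], resp[2])
                return resp[2]
            if resp[0] == "referral":
                zone = resp[1]
                continue
            return None


def best_mail_server(resolver, domain):
    """Lowest Pref value wins; return (hostname, A records) or None if there is no MX."""
    mx = resolver.resolve(domain, "MX")
    if not mx:
        return None
    _pref, host = min(mx)
    return host, resolver.resolve(host, "A")


if __name__ == "__main__":
    r = CachingResolver(clock=lambda: 0)
    print(r.resolve("www.goldstar.com.", "A"), r.queries_sent)
    print(best_mail_server(r, "goldstar.com."), r.queries_sent)
```

The first lookup of www.goldstar.com. costs three upstream queries (root, .com, goldstar.com); the second is answered from the cache with none, and only once the 300-second TTL has passed is the name resolved again. The counter is what a defender would watch in the other direction: a resolver whose upstream query count does not fall for repeated names is not caching, or is being asked for many distinct names.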
A web server can serve both static and dynamic content. Static content is content that is served
unchanged and is easy to set up. Dynamic content is content that is processed or generated using
data from a database, formatted, inserted into an HTTP template and sent to the user.
2. Popular web servers today
Apache web server was developed by the Apache Software Foundation and is one of the most
famous web servers in the world. It is open source software that supports most operating
systems, such as Unix, Linux, Windows, Mac OS X, FreeBSD and others. According to statistics,
about 60% of computers run on Apache web servers.
Apache web server is easy to customize because it has a modular structure. You can add or
modify modules on the server as you like if you feel it is appropriate. Compared to any other
web server, Apache is stable and easy to handle when problems occur. New versions of the
Apache web server are capable of handling more requests than their predecessors.
Web server IIS is a Microsoft product and has many Apache-like features. However, it is not
open source, and adding and editing modules at will is not easy. IIS is capable of running on all
platforms of the Windows operating system.
Web server Nginx is a free open source server. Nginx also includes POP3 and IMAP servers.
Nginx has the advantages of stability, high performance, simple configuration and low resource
use. Nginx does not use threads to process requests but uses an event-driven (scalable)
architecture. This architecture uses a small and predictable amount of memory under load.
Nginx currently hosts about 7.5% of domains worldwide, and in recent years the majority of web
hosting companies have used Nginx.
Web server LiteSpeed has many Apache-like features. LiteSpeed can read Apache configuration
files directly and act as a drop-in replacement for Apache with hosting control panels. LiteSpeed
can replace an Apache web server in about 15 minutes with zero downtime. The LiteSpeed web
server can also replace all Apache features while simplifying usage.
Web servers need to run around the clock (24/7) to provide information online to users. The
selection of the web server plays an important role in the flow of information from the server to
the user's computer. The web server rental market is expanding and growing constantly, offering
many service packages so that businesses can make the best choice. Among the hundreds of
thousands of web server service providers, you need to be knowledgeable and alert to choose a
reputable provider that delivers quality products.
Network security is a term that describes the security tools, tactics and policies designed to
monitor, prevent and respond to unauthorized network intrusions while protecting digital assets,
including network traffic. Network security includes hardware and software technologies (as well as
resources such as skilled security analysts, threat hunters and troubleshooters) and is designed to
respond to the full range of potential threats targeting your network.
Your network faces threats of all shapes and sizes and should therefore be prepared to protect
against, identify and respond to a full range of attacks. The reality is that the biggest danger to
most companies is not 'nightly' threat agents but well-funded attackers who target specific
organizations for specific reasons. For that reason, your network security strategy needs to be able
to address the different methods these agents can use.
A number of different tools and techniques are designed to help you do just that:
o Access control: if threat agents cannot get into your network, the damage they can do is
extremely limited. But in addition to preventing unauthorized access, be aware that even
authorized users can be potential threats. Access control lets you increase network protection
by limiting each user's access to only the parts of the network and the resources that relate
directly to that user's responsibilities.
o Anti-malware: malware, in the form of viruses, trojans, worms, keyloggers, spyware and so on,
is designed to spread across computer systems and infect networks. Anti-malware tools are
designed to identify dangerous programs and prevent them from spreading. Anti-malware and
antivirus software can also help resolve malware infections, minimizing damage to the network.
o App security: for many attackers, applications are a defensive weakness that can be exploited.
App security helps set security parameters for any application that may affect your network
security.
o Data loss prevention (DLP): often the weakest link in network security is the human factor.
DLP technologies and policies help protect employees and other users from misuse that may
compromise sensitive data or allow data to leave the network.
o Email security: as with DLP, email security focuses on protecting the security weaknesses
related to people. Through phishing strategies (often very sophisticated and convincing),
attackers persuade email recipients to share sensitive information or accidentally load malware
into the targeted network. Email security helps identify dangerous emails and can also be used
to block attacks and prevent the sharing of critical data.
o Endpoint security: the bring your own device (BYOD) trend is growing to the point where the
difference between personal and business computing equipment is almost none. Unfortunately,
personal devices sometimes become targets when users rely on them to access enterprise
networks. Endpoint security adds a layer of protection between remote devices and enterprise
networks.
o Firewalls: firewalls act like gates that secure the border between your network and the
Internet. Firewalls are used to manage network traffic, allowing authorized traffic through while
blocking unauthorized traffic.
o Intrusion prevention systems: intrusion prevention systems constantly scan and analyse
network traffic so that attacks can be identified and responded to quickly. These systems
usually hold a database of known attack methods so that threats can be recognized
immediately.
o Network segmentation: there are many types of network traffic, each associated with
different security risks. Network segmentation allows you to grant the right traffic access while
limiting traffic from suspicious sources.
o Security Information and Event Management (SIEM): sometimes gathering the right
information from a variety of tools and resources can be difficult, especially when time is short.
SIEM tools and software provide responders with the data they need to act quickly.
o Virtual Private Network (VPN): VPN tools are used to authenticate communication between
secure networks and endpoints. Remote access VPNs often use IPsec or Secure Sockets Layer
(SSL) for authentication, creating an encrypted tunnel that blocks eavesdropping by other
parties.
o Web security: including tools, hardware, policies and more, web security is a term describing
the network security measures businesses take to ensure secure use of the web when
connected to an internal network. This helps prevent web-based threats from using the
browser as a point of access to the network.
o Wireless security: in general, wireless networks are less secure than wired networks.
Therefore strict wireless security measures are needed to ensure that threat agents cannot
gain access.
1. First floor
The first floor has 3 rooms: 1 large staff room, 1 small staff room and the server room.
b) Large staff room
This room is similar to the small staff room but has two more rows of computers, so the length
of cable needed in this room is as follows:
First row: (6+9+12+15+18) * 2 = 120 (m)
Second row: (12+15+18+21+24) * 2 = 180 (m)
Whole room: 120 + 180 = 300 (m)
2. Second floor
This floor has 4 rooms: HR, technician room, director and vice director.
a) HR room
This room has only 10 computers, so there is only 1 row of computers, and the length of cable
needed for this room is:
6+9+12+15+18 = 60 m
b) Technician room
This room also has only 10 computers, so there is one row of computers, and the total length of
cable in this room is the same as the HR room: 60 m.
c) Director's area
This area has 2 rooms and each room has only 1 computer, so only about 10 m of network cable
is needed for this area.
3. Device selection
a) Switch 24 port
Device Name: Cisco Switch SG350-28P-K9-EU 28-port Gigabit PoE Managed Switch
Product parameters:
Reviews:
o The SG350-28P-K9-EU switch is part of an enterprise-optimized solution with the ability to
supply 195 W of PoE power across 24 RJ45 ports, which keeps costs down.
o The Cisco SG350-28P-K9-EU switch provides the features you need to improve the availability
of critical business applications, protect sensitive information and optimize network
bandwidth to deliver information and applications more efficiently.
o The Cisco SG350-28P-K9-EU is designed with 26 x 10/100/1000 ports, 2 SFP slots and 2
mini-GBIC combo ports, making it the perfect solution for improving network performance in
small businesses while saving costs.
Key features:
o Supports Simple Network Management Protocol (SNMP), which allows you to set up and
manage the switch and other Cisco devices remotely from a network management station,
improving IT workflows and bulk configuration.
o Secure Sockets Layer (SSL) encryption protects management data travelling to and from the
switch.
o Extended Access Control Lists (ACLs) restrict sensitive parts of the network from unauthorized
users and protect against cyberattacks.
o Supports advanced network security features such as IEEE 802.1X port security, which tightly
limits access to specific segments of your network. Web-based authentication provides a
consistent interface for validating all types of devices and operating systems without the
complexity of deploying IEEE 802.1X clients on each endpoint.
o DoS attack prevention maximizes network uptime when an attack is present.
b) Switch 48 port
Name: Cisco SG350-52-K9-EU 52-port Gigabit Managed Switch
Product parameters:
Review:
o The Cisco SG350-52p-K9-EU switch provides the features you need to improve the
availability of critical business applications, protect sensitive information and optimize
network bandwidth to deliver information and applications more efficiently.
o The Cisco SG350-52p-K9-EU is designed with 26 x 10/100/1000 ports, 2 SFP slots and 2
mini-GBIC combo ports, making it the perfect solution for improving network performance
in small businesses while saving costs.
c) Switch 8 port
Device Name: Cisco Switch SG95D-08 8 ports
Product parameters:
d) Router
Device Name: Ubiquiti UniFi AP AC LR
Product parameters:
e) Firewall
Device Name: Cisco Firewall ASA5506-K9
Product parameters:
Features:
o Site-to-site VPN and remote access VPN support, providing high-performance, high-security
and highly available access to help ensure business continuity.
o Detailed application visibility and control (AVC) supports more than 4,000 application-layer
applications and operations, based on appropriate intrusion prevention (IPS) policies, to
optimize security effectiveness.
o Provides threat prevention and full awareness of users, infrastructure, applications and
content in order to detect threats.
o URL and category filtering provides comprehensive alerting and control of web traffic and
enforces policies across hundreds of millions of URLs in more than 80 categories.
o AMP provides malware detection mechanisms and sandboxing, with a low total cost of
ownership and premium protection value, helping you discover, understand and stop
malware and new threats that other layers of security miss.
Router: 5
Switch 8 ports: 1
Switch 24 ports: 3
Switch 48 ports: 1
The total length of cable from the server room to the switches in the rooms is: 70 m
The total length of cable inside the rooms is: 580 m
In addition, we also have to use a crimping tool to attach connectors so that the network can be
connected to devices and computers. The type of UTP connector we can use is the Cat6 RJ45
connector; it is sold in boxes of 100 units. We have about 85 computers, so we need 170
connectors, and for the other devices we need about 40. So we need to buy three boxes of
connectors.
We should choose the F300 PLUS network plan because it has a bandwidth of 300 Mbps and a
minimum international bandwidth of 15 Mbps. The price for this plan is $435.02 per month.
6. Security software
The type of software to use is Kaspersky Endpoint Security for Business
Some features:
o Kaspersky Endpoint Security for Business ADVANCED includes Kaspersky Lab's latest
anti-malware technologies, combining signature-based, proactive and web-enabled protection
for effective, multi-level defence. With automated updates from the cloud-based Kaspersky
Security Network, Kaspersky provides a rapid response to new and evolving threats.
o Cybercriminals increasingly use unpatched vulnerabilities in operating systems and
applications to attack corporate systems and steal data or money. Kaspersky's patch
management and vulnerability scanning function provides centralized control over the
detection of application and OS vulnerabilities and prioritizes application/OS patching.
Kaspersky Endpoint Security for Business ADVANCED plays an important role in eliminating the
risk of criminals exploiting vulnerabilities in the system.
o As enterprise IT networks become increasingly complex, managing all the systems your
business depends on has become much more difficult and time-consuming. Kaspersky
Endpoint Security for Business ADVANCED simplifies a wide range of system management
tasks, including configuration, deployment and troubleshooting.
o Kaspersky Endpoint Security for Business ADVANCED is pre-configured to help you manage
and protect your systems as soon as it is installed. Moreover, with the unified, easy-to-use
management dashboard provided by Kaspersky Security Center, your IT team can quickly
adopt new system management policies and security configurations.
1. IP address allocation
I will set the IP address range for each room as follows:
Server room: 192.168.1.0/24
Small staff: 192.168.2.0/24
Big room: 192.168.3.0/24
HR room: 192.168.4.0/24
Technician room: 192.168.5.0/24
Manager room: 192.168.6.0/24
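The per-room plan above checked with Python's ipaddress module, as an added example that is not part of the assignment: for each room it derives the subnet mask, the gateway (first usable address) and a DHCP pool that leaves the low addresses free for fixed devices such as printers and servers (the DHCP disadvantage noted in section I.4), and it verifies that no two rooms' ranges overlap. The number of reserved addresses and the gateway convention are assumptions of this example.

```python
"""Added example (not part of the assignment): checking the per-room /24 plan
above with Python's ipaddress module. For each room it derives the subnet mask,
the gateway (first usable address) and a DHCP pool that leaves the low
addresses free for fixed devices such as printers and servers, and it verifies
that no two rooms' ranges overlap. The number of reserved addresses and the
gateway convention are assumptions, not taken from the assignment."""
import ipaddress

ROOMS = {
    "Server room": "192.168.1.0/24",
    "Small staff": "192.168.2.0/24",
    "Big room": "192.168.3.0/24",
    "HR room": "192.168.4.0/24",
    "Technician room": "192.168.5.0/24",
    "Manager room": "192.168.6.0/24",
}
STATIC_RESERVED = 20   # assumed: .1 to .20 kept for gateway, servers and printers


def room_plan(name, cidr):
    """Gateway, mask and DHCP pool for one room's network."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())           # usable addresses, network and broadcast excluded
    if len(hosts) <= STATIC_RESERVED:
        raise ValueError(f"{name}: {cidr} is too small for {STATIC_RESERVED} reserved addresses")
    return {
        "room": name,
        "network": str(net),
        "mask": str(net.netmask),
        "gateway": str(hosts[0]),
        "dhcp_pool": (str(hosts[STATIC_RESERVED]), str(hosts[-1])),
        "dhcp_size": len(hosts) - STATIC_RESERVED,
    }


def build_plan(rooms=ROOMS):
    """Plans for all rooms; raises if two rooms were given overlapping ranges."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in rooms.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return [room_plan(name, cidr) for name, cidr in rooms.items()]


def room_for(address, rooms=ROOMS):
    """Which room's network an address belongs to (None if it is outside the plan)."""
    ip = ipaddress.ip_address(address)
    for name, cidr in rooms.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


if __name__ == "__main__":
    for plan in build_plan():
        print(f"{plan['room']:16} {plan['network']:16} gw {plan['gateway']:14} "
              f"DHCP {plan['dhcp_pool'][0]} - {plan['dhcp_pool'][1]} ({plan['dhcp_size']} addresses)")
```

The gateway and pool values printed for each room are the ones that go into the router interface and DHCP scope configuration in the following sections; the overlap check catches a copy-and-paste mistake in the plan before it becomes a routing problem, and room_for is a quick way to tell which room a logged address came from.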
2. Router configuration
Enable all routers, enable their ports and set IP addresses on them.
Configure Router
3. Server configuration
a) DHCP
o Set IP address for DHCP server
o Service configuration
b) Gmail server
c) SSH configuration
d) Telnet configuration
Set up telnet on the router
e) Firewall configuration
Step 1: Access Global Configuration Mode
Step 2: Configure hostname, domain name, enable password, banner mode
Step 3: Configure AES to encrypt Password
Step 4: VLAN configuration
Step 5: Configure the Default Static Route on the Cisco ASA
Step 6: Configure Telnet, SSH on Cisco ASA
Step 7: Configure NTP on Cisco ASA
Step 8: Configure DHCP Server on Cisco ASA
a) Test
Ping
Set up pings from the computer in the small staff room to the computer in the technician
room.
Telnet
Check devices that access the routers via telnet.
SSH
Following the design and construction of this system, I discovered that it is quite beneficial and
effective for the company's operations. Here are my evaluations of the system once it has been built:
Strengths:
o The company's activities are also faster and more cost-effective thanks to the
Weaknesses:
o It's hard to upgrade the system.
o The model has not been optimized.
The purpose of maintenance is to prevent and reduce system failures so that users' productivity
and profit may be increased. It can forewarn organizations of problems that may arise in the short
term, allowing them to prepare a backup plan and guaranteeing the most efficient administration
of the operating system. When the system has an issue that cannot be fixed, make sure the device
is replaced. The software is checked, data is backed up and fresh system software utilities are
installed.
Items that need to be maintained on a regular basis:
o Server maintenance
  Hardware cleaning
  Error handling and software updates
  Improving the performance of the machine
  Data backup
  Specifying records and maintenance times
o Workstation maintenance
  Check the configuration and antivirus software of the workstation when it connects to the
  server
  Back up and store important documents on separate devices to avoid loss or damage during
  maintenance
  Optimize system software and applications, and remove junk files
  Make sure the applications are running normally
o Network maintenance
Although the network architecture has been improved, it is still relatively basic and might fail if a
critical device breaks. As a result, the network structure can be enhanced further in the future:
  add routers to increase redundancy
  add redundant servers
  upgrade to a private network
  bandwidth upgrade
  add a security system