

NETWORK SECURITY
PRABIN POUDEL
Network Security 2018

INTERNATIONAL SCHOOL OF MANAGEMENT AND TECHNOLOGY


GAIRIGAUN, TINKUNE, KATHMANDU
NEPAL

BTEC HND in Computing

Unit 17: Network Security
Unit Code: L/615/1646
Year: 2020
Assessment No: 01
Assignment Launch Date: 12 March 2020
Due Date: 12 May 2020
Assignment Title: NIC Asia Bank Network System
Teacher Name: Suman Koirala
IV's Name:
Student Name:
Pearson Reg No:
Final Grade:

Assignment submission format


Each student has to submit their assignment as guided in the assignment brief. The brief tells students what
information they are expected to produce to meet the targeted criteria. Some tasks might require group work, but each
student has to produce an individual assignment.

Scenario I

NIC ASIA Bank has its antecedents in NIC Bank, which was established on 21st July 1998. The Bank was rechristened
NIC ASIA Bank after the merger of NIC Bank with Bank of Asia Nepal on 30th June 2013. This was a historic
merger in the annals of the Nepalese financial landscape, as the first merger of its kind between two successful commercial
banks in the country. Today, NIC ASIA has established itself as one of the most successful commercial banks in Nepal.
NIC ASIA Bank is now one of the largest private sector commercial banks in the country in terms of capital base,
balance-sheet size, number of branches, ATM network and customer base. The Bank has 270 branches, 37 extension
counters, 22 branchless banking units and 289 ATMs across Nepal, with a network covering all major financial centres of
the country.

PRABIN POUDEL / 2
(Third Semester)

Recently the bank has decided to open a provincial headquarters for the control and management of operations and services in
each province of Nepal, and you have been appointed as a Network Engineer in the Provincial Headquarter of Karnali
Province. You have been given the responsibility of collecting and eliciting requirements, and of planning, designing and
implementing a fully operational and functional secured network along with test plans. You need to document the test
plans, testing procedure and tested results along with expected results and actual outcome, provide useful
recommendations for further enhancement and bolstering of network security, and finally present it in the form of a report
to the CEO of your company.

Part 1
LO1 Examine Network Security principles, protocols and standards.
LO2 Design a secure network for a corporate environment.

Task A
Prepare a report covering the following topics:

1. Conduct a detailed analysis of Network Security principles and aspects, covering the devices needed to implement a
secured network.

2. Discuss possible Network Security protocols and associated technologies that will enable a secure
network for the regional headquarter of State 5.

Task B
Design and implement a network prototype using a network simulator (or lab devices), which incorporates high levels
of Network Security features with the following requirements:
- Firewall configurations.
- Switches configurations.
- Routers configurations.
- Devices configurations.
- IP addressing.
- Subnetting, etc.
You also need to provide the following written material as a formal report:
1. A rationale about the selection of the networking devices for the prototype.
2. A detailed explanation of how the security protocols will work with IPv4 and IPv6.

Part 2
LO3 Configure Network Security measures for the corporate environment.

LO4 Undertake the testing of a network using the test plan.

Task A

Configure Network Security measures for the corporate environment.

1. Discuss the various cryptographic types of Network Security and configure network security for the given
scenario, selecting suitable appliances and encryption mechanisms.

2. Provide a manual for the implemented network security along with scripts/files/screenshots with comments.

3. Discuss what is meant by Quality of Service in relation to Network Security configuration and its need in
efficient network planning and implementation.

Task B

Implement test and diagnose networked systems


1. Produce a test plan to evaluate this design for security testing of the network.
2. Provide documentation (scripts/files/screenshots) of the testing of the network after comprehensively testing
the network according to the devised test plan.

3. Discuss the significance of upgrades and security requirements in your recommendations.


4. Critically analyse the implemented network according to the test plan, considering the planning, design,
implementation and testing procedures.

Pass / Merit / Distinction

LO1 Examine Network Security principles, protocols and standards
Pass:
P1 Discuss the different types of Network Security devices.
P2 Examine Network Security protocols.
Merit:
M1 Compare and contrast at least two major Network Security protocols.
Distinction (LO1 & LO2):
D1 Discuss, using examples, the importance of Network Security.

LO2 Design a secure network for a corporate environment
Pass:
P3 Investigate the purpose and requirements of a secure network according to a given scenario.
P4 Determine which network hardware and software to use in this network.
Merit:
M2 Create a design of a secure network according to a given scenario.

LO3 Configure Network Security measures for the corporate environment
Pass:
P5 Configure Network Security for your network.
P6 Discuss different cryptographic types of Network Security.
Merit:
M3 Provide Network Security configuration scripts / files / screenshots with comments.
Distinction:
D2 Discuss what is meant by Quality of Service (QoS) in relation to Network Security configuration.

LO4 Undertake the testing of a network using the test plan
Pass:
P7 Create a Test Plan for your network.
P8 Comprehensively test your network using the devised Test Plan.
Merit:
M4 Provide scripts / files / screenshots of the testing of your network.
M5 Make some improvement recommendations.
Distinction:
D3 Critically evaluate the design, planning, configuration and testing of your network.

Mention all the grades awarded in this assignment:

Note: Please access HN Global for additional resources support and reading for this unit. For further guidance and
support on report writing please refer to the Study Skills Unit on HN Global. Link to www.highernationals.com

Other Recommendations:
✓ It should be the student’s own work – plagiarism is unacceptable.
✓ Clarity of expression and structure are important features.
✓ Your work should be submitted as a well-presented, word-processed document with headers and footers, and
headings and subheadings, both in hard and soft copies.
✓ You are expected to undertake research on this subject using books from the Library, and resources available
on the Internet.
✓ Any sources of information should be listed as references at the end of your document, and these
sources should be referenced within the text of your document using APA referencing style.
✓ Your report should be illustrated with screen-prints, images, tables, charts and/or graphics.
✓ All assignments must be typed in Times New Roman, size 12, 1½ spacing.

I declare that all the work submitted for this assignment is my own work or, in the case of group work, the work of
myself and the other members of the group in which I worked, and that no part of it has been copied from any source. I
understand that if any part of the work submitted for this assignment is found to be plagiarized, none of the work
submitted will be allowed to count towards the assessment of the assignment.

Assignment Prepared By: Suman Koirala
Signature:
Date: 9 March 2020

Brief Checked By: Dhruba Babu Joshi
Signature:
Date: 11 March 2020

Table of Contents
Section A................................................................................................................................................4

Introduction............................................................................................................................................4

Introduction........................................................................................................................................5

Network Security objectives..................................................................................................................5

 Confidentiality:...........................................................................................................................5

 Integrity:......................................................................................................................................6

 Availability:.................................................................................................................................6

Cost benefits analyses of the security....................................................................................................6

Classifying Vulnerabilities.....................................................................................................................7

Classifying Countermeasures.................................................................................................................8

 Administrative.............................................................................................................................8

 Physical.......................................................................................................................................8

 Logical.........................................................................................................................................8

Recognizing the current network threats................................................................................................9

Potential Attackers..............................................................................................................................9

Attack method..................................................................................................................................10

Reconnaissance............................................................................................................................10

Social engineering........................................................................................................................10

Privilege escalation......................................................................................................................11

Back Doors...................................................................................................................................11

Code Execution............................................................................................................................11

Attack Vectors..................................................................................................................................12

Man in the middle attack..................................................................................................................12

Fundamental security to design the network........................................................................................13

Rule of least privilege.......................................................................................................................13

Defense in depth...............................................................................................................................13

Separation of duties..........................................................................................................................13

Auditing............................................................................................................................................14

Network along with the security devices.............................................................................................14

About the Devices................................................................................................................................14

Router...............................................................................................................................................15

Principle to operate Router...........................................................................................................15

Hub...................................................................................................................................................15

Principle to operate HUB.............................................................................................................15

Switch...............................................................................................................................................15

Multi-Layer Switch..........................................................................................................................16

Firewall.............................................................................................................................................16

HIDS (Host-Based Intrusion Detection System)..............................................................................16

Repeater............................................................................................................................................17

Bridges..............................................................................................................................................17

Wireless Devices..............................................................................................................................17

Load Balancer...................................................................................................................................17

VPN Connector................................................................................................................................18

Network Protocols................................................................................................................................18

Data Encryption Standard (DES).....................................................................................................18

Advance Encryption Standard..........................................................................................................19

Disk Encryption................................................................................................................................20

Symantec Drive Encryption.........................................................................................................20

Gilisoft Full Disk Encryption.......................................................................................................20

2. Integrity (Hashing)....................................................................................................................20

SHA1............................................................................................................................................21

SHA2............................................................................................................................................21

SHA3............................................................................................................................................21

Different between RADIUS and TACACS.........................................................................................21

Comparing types of VPN.....................................................................................................................22

Devices Configuration with Screen Shots............................................................................................23

Router Configuration........................................................................................................................23

Site to site VPN................................................................................................................................31

Section A
Configure Network Security measures for the corporate environment. Prepare a report which
includes the following:

1. Configure Network Security for your network (within the bank, NIC Asia), discuss the various
cryptographic types of Network Security, and configure network security for the given scenario,
selecting suitable appliances and encryption mechanisms.

2. Provide a manual for the implemented network security along with scripts/files/screenshots with
comments.

3. Discuss Quality of Service (QoS) in relation to Network Security configuration and its need in
efficient network planning and implementation.

Introduction
As the network engineer of NIC Asia Bank for Karnali Province, I have the responsibility to build a
fully functional network system for the Karnali branch. I have to design and implement it, and then
carry out a test plan to check whether the implemented system works as per the requirements of
NIC Asia Bank. At the end of the phase I have to document, in the form of a report submitted to the
CEO of NIC Asia Bank, what I did in the network system to make it more secure and robust.

Turning to this task, I first need to explain the points that are going to be included in the report,
together with the general concepts of network security. After listing those points, the report describes
the fundamentals of network security, including what network security is and the common network
security threats. It then covers the objectives of network security and a cost-benefit analysis of
security, and goes on to explain vulnerabilities and their countermeasures by observing the current
network, along with some of the fundamental security principles used to design the network.
Likewise, it elaborates on the network devices required by NIC ASIA Bank. The task ends with a
conclusion in which all the work done in this task is summarized.

Introduction
As required by NIC Bank, a fully functional network system needs to be created along with a test
plan in which each and every aspect is checked, and the head office and this branch office need to be
connected remotely. First I will design the network topology following the requirements of NIC
Bank, and after approval I will visit the Karnali branch to implement the network in the bank. All the
required resources, such as networking devices and servers, will be provided at the workplace by the
NIC Bank team. I think the whole implementation of the fully functional network system will take
around 2 months. All the goals will be identified, broken down into scopes and recorded in a Gantt
chart, which will be followed to accomplish the goals in the given time.

Network Security objectives

All the risks that arise inside the network, and how they can be neutralized by network procedures
and policies, can be considered the subject of the network security objectives. Data on the network is
widely accessible and moves openly from place to place, so securing it is the key responsibility of
the network engineer, because the end users have little idea about the security of their data; they just
want their work to be easy and completed. Network security therefore has the following major
objectives:

 Confidentiality:
Data is either moving across the network or at rest in storage media such as servers, local
workstations and cloud storage. Confidentiality lies in protecting that data, that is, preventing
unauthorized access to it. In network security, data is therefore encrypted before it is sent onto the
network, which reduces the chance of unauthorized access; a separate network can also be used for
confidential data transmission, and there too the confidential data can be encrypted before it is sent.

 Integrity:
Integrity means that data can be accessed only by authorized users and systems, and that only they
can make changes to that confidential data. Integrity is lost if the data is corrupted.

 Availability:
Availability applies to both the systems and the data of the organization. When data is required by
an authorized user and is not available because of a DDoS attack or a failure of the network, the
impact on the organization, and on the users who rely on the network as a business tool, is
significant. A network failure leads to a loss of the organization's revenue, so the data needs to be
available 24 hours a day.

Cost benefits analyses of the security

For any organization, security is as important as its other work. Security may be physical or
technological, but as the network engineer my responsibility is to protect the assets of the
organization within the technical environment. Protecting the organization's assets is not the only
factor to consider; from whom they are being protected is also a main factor to observe. The
organization's assets could be tangible items (computers, cameras, and people) or intangible items
(database information of the clients and the organization, contact lists and accounting information).
Being familiar with the worth, location and exposure of those assets will help you to effectively
analyze the cost and time required to secure them.

In network design and systems, a vulnerability is an exploitable weakness in the organization's
technical environment. Vulnerabilities can be identified in operating systems, system designs,
applications and protocols, and the most troubling aspect is that their number grows day by day with
the growth of technology.

The main danger to an asset is considered a threat. If a vulnerability lies in the organization's systems
and is unknown to the users and administration, the threat is potential and not yet realized. If someone
tries to access the network by various means and succeeds, or tries to make changes to the network
against the assets, then the threat is realized. Those who take advantage of a vulnerability are
described in technical terms as malicious actors, and the path they take to perform the attack on the
vulnerability is known as the threat vector or threat agent.

A safeguard that somehow mitigates the latent risk is considered a countermeasure. A countermeasure
either eliminates or reduces the vulnerability, or at least reduces the possibility that a threat agent can
exploit it. For example, suppose you have joined a new device to the network and it makes the network
highly vulnerable: if that device is removed from the network and all data transmission with other
devices is blocked, then you have successfully mitigated all of the vulnerabilities it brought. You have
completely removed that device from the network, so it can no longer be considered an asset connected
to the network, but that is safer than leaving it connected.

We do not spend double the value of an asset to make it secure, because that makes no sense and is
just a waste of money. For example, if you buy a new bike for $100 and then spend $200 on security
tools or $150 on a siren to make it secure, that is just a silly plan.

Analyze the data and understand how much it is worth. All data is important, but more valuable data
such as customer information and account information is highly confidential, so it needs to be treated
(secured) at a higher level than other data to keep it safe.

Simply accepting the risk (the all-or-nothing approach) is not really acceptable; you have to
implement some security measures to mitigate the risk. Moreover, security devices such as firewalls
and intrusion prevention systems (IPS) provide a cost benefit by protecting multiple devices
simultaneously. Always select appropriate security tools that can measure and mitigate the risk while
taking care of the budget, but keep in mind the main point: you cannot completely eliminate the risk,
but you can find ways to mitigate it or balance it.

Classifying Vulnerabilities
Understanding the weak points of the organization's network or systems, that is, finding the
vulnerabilities acting on the systems of the network, is the best way to neutralize threats by observing
their impact on the system or network. In an organization, latent network vulnerabilities fall under one
or more of the following:

 Hardware vulnerabilities
 Physical access to network resources
 Malicious software
 Software vulnerabilities
 Human factor
 Policy flaws
 Protocol weaknesses
 Design errors
 Misconfiguration

To understand threats better, producers of network devices such as Cisco and similar companies have
created databases that categorize those threats in the public domain. There is a dictionary of publicly
known security vulnerabilities and exposures, known as Common Vulnerabilities and Exposures
(CVE). A search engine will help you find the resource you need; another such resource is the
National Vulnerability Database (NVD), a standards-based repository of vulnerability information.
(Typing a URL into the browser is not the best way to reach this information; searching for it in your
favourite search engine avoids the problem of URLs changing from time to time.)

Classifying Countermeasures
Recognizing the value of the assets and the way vulnerabilities act inside the organization's network
or systems will help you make those assets safer from the threats that target the vulnerabilities, and
will also let you take countermeasures against successful attacks to reduce the risk. Some of the
common control methods used to implement countermeasures are described below:

 Administrative
Administrative controls consist of all the written policies, procedures, guidelines and standards. One
example is the AUP (Acceptable Use Policy), which every user of the network agrees to. Another
example is the Change Control Process, which every user needs to follow when changing any aspect
of the network. Administrative tools also allow background monitoring to understand users'
behaviour on the network.

 Physical
This is the security of physical devices such as servers, network equipment and infrastructure. An
example of a physical control is a redundant system (backup planning for an uninterruptible power
supply).

 Logical
This type of countermeasure is mostly known as technical controls, which include intrusion
prevention systems, firewalls, passwords, access lists, VPN tunnels and many others.

Not all countermeasures are built equal, and their purposes are not the same, but the countermeasures
mentioned above, working together, allow you to prevent, detect, correct and recover, all while acting
as a deterrent to a threat found in the system.

Recognizing the current network threats

Understanding threats is essential when updating or implementing the security of a network, because
threats increase day by day with different impacts. Understanding a particular threat only helps to
avoid that kind of threat, but understanding the nature of threats gives hints about threats that may be
new to the network. Some of the common network threats are described below:

Potential Attackers
Every second, many attacks are carried out around the world by different actors with some purpose,
targeting a network resource, a section of critical infrastructure or a desired set of proprietary data.
Instead of analyzing or listing the dozens of attacks that could exploit vulnerabilities in a network, it
is better to begin by looking at the types of antagonists that may be behind the attacks:

 Criminals
 Terrorists
 Government agencies
 Competitors
 Nation states
 Hackers
 Disgruntled employees
 Anyone with access to a computing device

Besides hacker/cracker, there are many terms used for those individuals, such as script-kiddie,
hacktivist, and the list goes on. As the security specialist of the network, every individual has the
responsibility to create a secure environment inside the network, and for that you need a clear view
of the actors' behaviour; a clear understanding of networking will help you observe their behaviour.
This does not mean that every individual needs to become a hacker by finding ways to exploit
vulnerabilities, but having an understanding of these types of threats and attacks will make you
aware and let you take the best steps to secure the network.

Most attacks happen for economic purposes and target the most reputed organizations, whose status
and welfare are high among the population, the country and worldwide, so it is easy to blackmail
them by threatening to delete or change their data. Some attacks are also performed, intended or
unintended, by attackers throwing their net wide and hurting whichever organizations they catch.

Taking the old days as an example, the attacks faced were much simpler. Basically, at that time there
were instructions for war dialing and things like that. The viruses faced at that time were fairly new,
but it was all about notoriety. The late 1990s and 2000s saw an increasing number of viruses and
malware, and it was about fame.

Most attacks aim at economic gain from the targeted organization by hacking its confidential data,
erasing that data from its systems and demanding money to give it back. The growth of new
technology, as well as the number of people graduating in this field, may also lead to this activity.
Attackers are also motivated by governments or by companies in the same industry.

Attack method
Attackers do not want to reveal their identity while creating vulnerable activity inside a network, so
they have several techniques that help to hide their identity, which are described below:

Reconnaissance
This is the procedure of identifying information about the network; it includes scanning the network
and figuring out the IP addresses on it, together with the ports that are open on those devices. This is
the first step taken, in which details about the network are identified and potential vulnerabilities are
determined.

Social engineering
This is one of the best and toughest ways to get access to systems, because it exploits the weakest
vulnerability in secured systems (data, applications, devices, networks): the users. If users can
somehow be persuaded to reveal information, it becomes easier for the attacker to use other methods
of reconnaissance. This is done through e-mail or through misdirection to a web page; when users
click on those e-mails, the information may reach the attackers. Social engineering is also done in
person or over the phone.

Phishing presents links that look like valid and authentic resources to the user. When the user clicks
on those phishing links, they are asked to reveal confidential data such as usernames and passwords.

Pharming retrieves all of the user's confidential information by redirecting the customer's request for a valid
URL to a malicious one that appears valid and authentic to the user. After the user reaches that URL, each and
every click there extracts confidential information from the user.

Privilege escalation
This is the procedure where an attacker who already has some level of access (authorized or not) tries to
achieve an even greater level of access. For example, an attacker who somehow gets user-mode access to a router
may then run a brute-force attack against the router to determine the enable secret that gives privilege level 15
access.

Back doors
If you achieve something you wanted and worked hard for, you will definitely want to achieve more with less
effort. Similarly, once an attack on the network has succeeded, the attacker wants further access to the
network, preferably in the easiest way. So a backdoor application is installed inside the network to provide
that further access, or to gather the information required for it.

Many backdoor applications are installed by users themselves, who click links without realizing that they are a
threat to the network. Most backdoor applications are considered a virus or a worm, and are generally known as
malware.

Code execution
When attackers gain access to a device belonging to an organization or an individual, they can perform numerous
actions on that device. The type of action depends entirely on the level of access the attacker has or can
achieve, and on the permissions granted to the account the attacker has compromised. Code execution on the
device is the most damaging capability available to an attacker. It has an adverse impact on confidentiality
(the attacker can view all the data on the device), integrity (the attacker can modify the device's system
configuration) and availability (by modifying the code, the attacker can cause a denial of service on the
device).

Attack vectors
Attackers can be anywhere, inside or outside the organization, but attackers inside the organization are the
more dangerous ones. Nowadays corporate networks implement BYOD rules to prevent illegal internal interaction
with data. BYOD stands for "Bring Your Own Device"; such rules partly prevent users' illegal interaction with
data, but some users, out of curiosity, may still use a backdoor application to interact with data illegally.
For that, a security policy can be implemented on the server that limits each user's access. This will not
completely remove the risk, but it opens the way to mitigating it.

The security policy can also make authentication compulsory for the user before their device is connected to
the network (for that, 802.1X and Cisco Access Control Server [ACS] can be implemented). This means the user's
profile is analyzed before the connection is accepted, and only then is access to the network granted. Network
Admission Control (NAC) or an Identity Services Engine (ISE) can also be implemented to enforce such a policy.
In addition, further security measures such as switch port security can be implemented.

Man in the middle attack

When two devices are communicating and an attacker places himself between them, this is considered a man in
the middle attack; the intention is to perform reconnaissance or to manipulate the data as it moves between
them. This type of attack is performed at layer 2 and layer 3. The attacker's main purpose is eavesdropping, so
that the attacker can monitor all the traffic on the network.

If this type of attack happens at layer 2, the attacker spoofs the MAC address of a device on the same LAN so
that the other hosts believe the attacker's device has the layer 2 address of their default gateway. This type
of attack is known as ARP poisoning. All frames travelling from one device to another pass through the switch,
addressed by their layer 2 address, and the attacker sits on that same network. To keep up appearances, the
attacker forwards all the received frames on to the correct destination, so the sender and receiver have no
suspicion that a third party has been reviewing their data, while the attacker easily sees every frame
travelling between the two devices. To avoid this kind of risk, Dynamic ARP Inspection (DAI) can be implemented
on the switches to prevent spoofing of the layer 2 address.
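An added example, not part of this report, showing the two defensive ideas from the paragraph above in code: passive detection of an IP address suddenly claimed by a second MAC (the symptom of ARP poisoning) and active DAI-style filtering against a trusted binding table. The ARP replies, MAC addresses and binding table are constructed sample values; 192.168.2.100 is the router address used later in this report.

```python
# Constructed sample: ARP replies as a sensor on the LAN might record them,
# as (time, sender IP, sender MAC). 192.168.2.100 is the gateway address used
# on the router interface in this report; the MAC addresses are made up.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.2.100", "00:11:22:33:44:01"),  # real gateway
    ("10:00:02", "192.168.2.10", "00:11:22:33:44:10"),   # a normal host
    ("10:00:05", "192.168.2.100", "00:11:22:33:44:99"),  # gateway IP claimed by a 2nd MAC
    ("10:00:06", "192.168.2.10", "00:11:22:33:44:10"),
    ("10:00:07", "192.168.2.100", "00:11:22:33:44:99"),  # repeated (gratuitous) reply
]

# Trusted IP-to-MAC bindings, the equivalent of the DHCP snooping binding table
# that Dynamic ARP Inspection consults on a Cisco switch (constructed values).
BINDING_TABLE = {
    "192.168.2.100": "00:11:22:33:44:01",
    "192.168.2.10": "00:11:22:33:44:10",
}


def detect_arp_conflicts(replies):
    """Passive detection: report every reply in which an already seen IP
    shows up with a different sender MAC.

    Returns a list of (time, ip, first_mac, new_mac) tuples.
    """
    first_seen = {}
    alerts = []
    for when, ip, mac in replies:
        mac = mac.lower()
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            alerts.append((when, ip, first_seen[ip], mac))
    return alerts


def dai_filter(replies, bindings):
    """Active filtering in the style of DAI: forward only replies whose IP/MAC
    pair matches the trusted binding table and drop everything else.

    Returns (forwarded, dropped) lists of replies.
    """
    forwarded, dropped = [], []
    for reply in replies:
        _, ip, mac = reply
        if bindings.get(ip, "").lower() == mac.lower():
            forwarded.append(reply)
        else:
            dropped.append(reply)
    return forwarded, dropped


if __name__ == "__main__":
    for when, ip, old, new in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"{when} ALERT possible ARP poisoning: {ip} was {old}, now claimed by {new}")
    kept, blocked = dai_filter(SAMPLE_ARP_REPLIES, BINDING_TABLE)
    print(f"DAI forwarded {len(kept)} replies and dropped {len(blocked)}")
```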


At layer 3, the man in the middle attack is performed by placing a rogue router on the network and fooling the
other routers into believing that the new router has the best path for the traffic. This interrupts the flow of
network traffic, diverting it through the rogue router, which again allows the network data to be stolen. These
types of attack are mitigated by using routing protocol authentication and by filtering routing information
from being advertised or learned on specific interfaces.

The best way to secure confidential data in transit is encryption. If plain-text protocols such as Telnet or
HTTP are used for management, an attacker who has established a man in the middle position can easily read all
the plain-text packets: all the data passes through the attacker's device and is reviewed packet by packet,
including the usernames and passwords used on the devices. So implementing management protocols that encrypt
all packets, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered the best
approach, and implementing a VPN to protect clear-text sensitive data is also considered a best practice.

Fundamental security principles for designing the network

Security is essential wherever data and the environment must be protected. Security has many types; the few
principles needed to design the network are discussed below:-

Rule of least privilege

Under this principle, each user or system is given the minimum access to the network resources it requires, and
no more than that.

Defense in depth
This principle suggests that security needs to be implemented at nearly every point of the network. The idea
is that if a single security technology fails, additional levels, or mechanisms, of security are still in place
to protect the data, applications, and devices on the network.

Separation of duties
When individual users stay in the same position for a long time, they become very familiar with the
organization's data and the chance of a vulnerability increases, so rotating employees through their duties
from day to day can reduce the chance of vulnerabilities being created inside the systems.

Also, using the security policy, the departments can be separated and only a limited number of users allowed in
each department, so that users of one department cannot view another department's data. This reduces the
vulnerability somewhat, and if some of them try to create one, they can easily be traced using the auditing
features.

Auditing
This security option allows records to be kept of the activities done inside the network. Most of this
functionality is provided automatically by authentication, authorization, and accounting (AAA). When activities
are carried out inside the network, they are recorded and sent to the accounting server. When the
separation-of-duties approach is used, those who make changes on the network cannot directly access, modify or
delete the accounting records kept on the accounting server.

Network along with the security devices

Before implementing the network, a prototype of the network design is produced, and the network administrator
works further from that design:-

About the devices

Devices are the main requirement for any network in terms of connecting and passing data frames from one place
to another, so the devices necessary to design the network are described below:-

Router
A router is the device that combines two or more networks of the organization. It is used to figure out the
best route for the transmission. It works at layer 3 (the network layer) of the OSI model.

Principles of router operation

 Managing the routing table
Its main work is to manage the routing table, in order to figure out the most reliable routes to all the nodes
the router knows about.
 Controlling data traffic
While carrying data packets from one place to another, it figures out the most efficient route possible at that
time, and the traffic is controlled accordingly.

Hub
A hub is a connectivity device with multiple ports that connects computers. It accepts data, amplifies it and
then broadcasts it; during this process the data traffic increases. Nowadays switches are replacing hubs. A hub
operates at the physical layer (layer 1) of the OSI model and is used for data transfer.

Principles of hub operation

 Multiple ports
The benefit of the hub is that it contains multiple ports, which connect a number of computers in the network
infrastructure.
 Data transfer
When the hub receives a data packet on one of its ports from a network device, it sends the packet out of all
its ports, which increases the data traffic a lot. When two network devices on the same network send data at
the same time, a data collision occurs.

Switch
A switch is the device through which many devices connect in order to share their features and capabilities,
under certain rules and limitations decided by the network provider or according to the demand of the
organization or user. It operates at layer 2 (the data link layer) of the OSI model.

Principles of switch operation

 Centralizing the connections
Many devices are connected in the LAN; the switch centralizes all those devices and processes their traffic.
 Sharing files
This device is used to connect to the network in order to share the features and capabilities available on the
computer systems in the same network.

Multi-layer switch
A multilayer switch operates at the higher layers of the OSI model. It can perform as both a switch and a router
at very high speed. To perform routing, a multi-layer switch uses ASIC hardware circuits. This differs from
common switches, which rely on a chip and the software running on it to carry out their switching activities.

Firewall
A firewall is used to restrict incoming as well as outgoing data packets. It is used to control the flow of
network traffic into the private network from public networks. It works as a traffic filter that stops
malicious packets travelling from the public network into the private network, keeping malicious packets out of
the private network. As the filter of the network, it secures the private network from incoming threats.
Basically, it controls the flow of data traffic.

HIDS (Host-Based Intrusion Detection System)

An intrusion detection system (IDS) is a software application that analyzes a system for malicious activity or
policy violations and forwards a report to the administrator. An IDS is used to make security personnel aware
of packets entering and leaving the monitored system. There are two general kinds of system: a host-based IDS
(HIDS) and a network-based IDS (NIDS).

A HIDS examines the activity to and from the particular computer on which the intrusion detection software is
installed. A host-based system can also monitor key system files and any attempt to overwrite those files.

Nevertheless, depending on the size of the network, either a HIDS or a NIDS may be deployed. For example, if
the network is small, a NIDS is normally less expensive to implement and requires less administration and
training than a HIDS. However, a HIDS is generally more
flexible than a NIDS.

Repeater
In digital communication systems, a repeater is a network device that receives a digital signal on an
electromagnetic or optical transmission medium and regenerates the signal along the next leg of the medium. In
electromagnetic media, repeaters overcome the attenuation caused by free-space electromagnetic-field divergence
or cable loss. A series of repeaters makes it possible to extend a signal over a distance.

Bridges
A network bridge joins two otherwise separate computer networks to enable communication between them and allow
them to function as a single network. Bridges are used with local area networks (LANs) to extend their reach to
cover larger physical areas than the LAN could otherwise reach. Bridges are similar to, but more intelligent
than, simple repeaters, which also extend the range of a signal.

A bridge examines incoming network traffic and decides whether to forward or discard it according to its
intended destination.

Wireless devices
Wireless devices are used to connect to the network without wires or cables. They operate through radio
signals transmitted from the antennas of routers and switches; those signals are picked up by Wi-Fi receivers,
such as the PCs and mobile phones that are equipped with them. Whenever a PC receives the signal within a range
of about 100-150 feet of the router, it connects the device quickly. The range of Wi-Fi depends on the
environment, indoor or open-air. The Wi-Fi card reads the signals and makes a connection between the client and
the network. The speed of a device using a Wi-Fi connection increases as the PC gets nearer to the main source,
and slows down as the PC moves away from the device or the main source.

Load balancer
To prevent overloading in the network, a load balancer is used to balance the load across the servers and
virtual machines within a cluster, avoiding the overflow of any single host and improving performance. It
controls overloading by controlling and managing the traffic in the network.


VPN connector
VPN connectors are used to give safe access to the private networks of an organization over public networks.
They provide security for the organization and keep all its information safe even though it is accessed over
public networks. Site-to-site and remote-access VPNs are the two types of VPN. The reasons for operating VPN
connectors are to make services effective for the organization, to keep costs low and, mainly, as described
above, to provide effective security.

Network protocols
1. Confidentiality (Encryption):-
Confidentiality concerns all the data that moves in the network and is stored on the server or in the cloud.
Since that data could otherwise be accessible globally to unauthorized persons, all data is encrypted before
it is stored on the server or in the cloud, and all data moving in the network is encrypted as well.

Data Encryption Standard (DES)

This algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under the control of a
56-bit key. DES is known as the archetypal block cipher: an algorithm that takes a fixed-length string of
plaintext bits and converts it into a ciphertext bit string of the same length. Nowadays many organizations
implement 3DES, because of the inherent weakness of DES; this adds strength until they can afford to update
their equipment to AES capabilities.


Advanced Encryption Standard (AES)

AES is a symmetric-key algorithm developed for the U.S. Government for securing sensitive but unclassified
material. It is also known as an iterated block cipher, which works by repeating the same operations multiple
times. It has a 128-bit block size.


Disk encryption

Symantec Drive Encryption

This type of encryption provides full disk encryption for all types of data on desktops, laptops and removable
devices, which secures it from unauthorized access.

Gilisoft Full Disk Encryption

This type of encryption offers encryption of all disk partitions, including the system partition. It
automatically secures all types of data on the endpoint hard drive, including user data, temporary and deleted
files, and operating system files.

2. Integrity (Hashing)
“Hashing is known as the collection of the string characters converted into the fixed-length value or the key
that represents the original string.” (Margaret Rouse, 2005) According to the
author, hashing is a bundle of string characters changed into a fixed-length value or key which represents the
original string. Nevertheless, in my point of view, it groups all the string characters and transforms them
into a fixed-length value or key which represents the original string. It is used to index and retrieve the
required data from a database, since it is faster to search for items using the shorter hashed key than using
the original value. The SHA algorithms below were introduced by the National Institute of Standards and
Technology for generating cryptographically secure one-way hashes.

SHA1
It produces a 160-bit digest from a message of up to (2^64 - 1) bits in length, and resembles the MD5
algorithm.

SHA2
It is a family of two similar functions with different block sizes, SHA-256 and SHA-512, which use 32-bit and
64-bit words respectively.

SHA3
“It uses the sponge construction, in which the message blocks are XORed into the initial bits of the state,
which is then invertibly permuted.” (HACERTEAM, n.d.)
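An added example (not from this report) that exercises the three hash families named above: it shows that the digest length is fixed regardless of the message size, that a one-digit change in a record flips roughly half of the digest bits, and how a stored digest is used to check the integrity of a received record. The record text is constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: a record whose integrity we want to protect, plus a copy
# of it with a single digit changed.
ORIGINAL = b"NIC ASIA Karnali branch: transfer 10000 NPR to account 0001"
TAMPERED = b"NIC ASIA Karnali branch: transfer 90000 NPR to account 0001"

# Algorithms named in the report: SHA-1, two members of SHA-2, and SHA-3.
# (SHA-1 is kept for illustration only; it is no longer collision resistant.)
ALGORITHMS = ("sha1", "sha256", "sha512", "sha3_256")


def sha256_hex(message):
    """Digest a record the way it would be stored next to it for later checks."""
    return hashlib.sha256(message).hexdigest()


def digest_lengths(message):
    """Return {algorithm: digest length in bits}. Whatever the message size,
    the output length is fixed: 160 bits for SHA-1, 256/512 for SHA-2,
    256 for SHA3-256."""
    return {name: hashlib.new(name, message).digest_size * 8 for name in ALGORITHMS}


def differing_bits(a, b):
    """Hamming distance between two equal-length digests."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm, m1, m2):
    """Number of bits that differ between hash(m1) and hash(m2): a tiny change
    in the input changes about half of the output bits."""
    return differing_bits(hashlib.new(algorithm, m1).digest(),
                          hashlib.new(algorithm, m2).digest())


def integrity_ok(message, expected_hex, algorithm="sha256"):
    """Recompute the digest of a received record and compare it with the stored
    one. compare_digest is constant-time, so a mismatch leaks no timing data."""
    actual = hashlib.new(algorithm, message).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    stored = sha256_hex(ORIGINAL)
    print("digest sizes (bits):", digest_lengths(ORIGINAL))
    print("SHA-256 bits changed by one edited digit:", avalanche("sha256", ORIGINAL, TAMPERED))
    print("original intact:", integrity_ok(ORIGINAL, stored))
    print("tampered copy intact:", integrity_ok(TAMPERED, stored))
```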

3. Availability (Redundancy)

Difference between RADIUS and TACACS+

S.N  RADIUS  TACACS+

1. RADIUS: Combines many functions of authorization and authentication together. It also has a detailed
   accounting capability when accounting is configured for use.
   TACACS+: Splits the AAA functions into different elements. Authentication is separate from authorization,
   and both of them are separate from accounting.

2. RADIUS: Open standard, implemented by nearly all vendors' AAA operations.
   TACACS+: Owned by Cisco but well known.

3. RADIUS: Uses the UDP protocol.
   TACACS+: Uses the TCP protocol.

4. RADIUS: In terms of confidentiality, only the password is encrypted in the packets sent back and forth
   between the ACS server and the router.
   TACACS+: The whole body of every packet is encrypted between the ACS server and the router (which is the
   client).

5. RADIUS: No explicit command authorization inspection rules can be applied.
   TACACS+: This is supported, and the rules defining which commands are allowed or disallowed are kept on the
   ACS server.

6. RADIUS: Provides accounting support, and is usually acknowledged as providing more detailed or extensive
   accounting capability than TACACS+.
   TACACS+: Allows accounting support.

Comparing types of VPN

VPN stands for virtual private network; it provides a secure connection to the private network from any other
public network. A VPN creates an encrypted connection known as a tunnel, and all the traffic passes through
this tunnel, which keeps the data secure and provides a secure connection from any place to the private
network. The types of VPN are:-

1. Remote-access VPN:-
A remote-access VPN allows an admin or user to connect securely to the private network over public networks
from any place. It is a connection between the public network and the private network, so it may face a few
obstacles, which the remote-access VPN prevents by securing the connection and making it private. It is useful
to businesses as well as home users. Corporate employees use a remote-access VPN to access their network while
travelling. Home and other private users use this VPN to access blocked sites.
2.


Device configuration with screenshots

Designing the network alone does not complete the work; it is only complete once the devices start responding
to each other. So the configuration of a few devices while initializing the network is shown below with
screenshots:-

Router Configuration
Test carried:- Router configuration (giving the router a name)

Expected output:- The router name should be assigned as required by the user.

S.N  Steps and their work (Script)  Screen shots

1  Bring up the user exec mode (by pressing Enter).
2  Type enable and press Enter to go into privileged exec mode.
3  Type configure terminal and press Enter to go into global configuration mode, where you can give the router
   a name using the hostname keyword.
4  Type the hostname keyword, provide the router name and press Enter.

Actual output:- Hence, the router name was successfully created.

Test carried:- Assigning the IP address on the router

Expected output:- The IP address is implemented on the chosen interface.

S.N  Steps and their work (Script)  Screen shots

1  Go into global configuration mode.
2  Select the interface to assign the IP address to by typing interface FastEthernet 0/1 or interface
   GigabitEthernet 0/0.
3  After entering the interface, type ip address 192.168.2.100 255.255.255.0 (your IP address and subnet
   mask).
4  After assigning the IP address, type no shutdown and press Enter; the IP address will be assigned to that
   port.

Actual output:- As expected, the implemented script allowed the IP address to be assigned on the selected
interface.

Test carried:- Giving the switch a name

Expected output:- The script used should allow the given name to be assigned to the switch.

S.N  Steps and their definition (Scripts)  Screen shots

1  Go into global configuration mode, as on the router.
2  Type hostname followed by the required switch name, and it will become your switch name.

Actual output:- As expected, the script used allowed the switch to be named.

Switch Configuration

Test carried:- Applying some security options on the switch

Expected output:- User exec mode should be secured with a password.

S.N  Steps and scripts  Screen shots

1  Go into global configuration mode.
2  Type line console 0 and press Enter to secure the user exec mode.
3  Type password and the required password, such as cisco here.

Actual output:- As expected, user exec mode is secured.

Test carried:- Securing remote access

Expected output:- Remote access should be secured with a password.

S.N  Steps  Screen shots

1  Go into global configuration mode.
2  Type line vty 0 15 and press Enter.
3  Type password and the required password, such as CiscO123 here.
4  Type login and press Enter.

Actual output:- It is secured as expected.

Test carried:- Securing privileged exec mode

Expected output:- Privileged exec mode needs to be secured by asking for a password.

S.N  Steps (scripts)  Screen shots

1  Go into global configuration mode.
2  Type enable secret class and press Enter, then exit and press Enter.
3  Start again by typing enable; it will then ask for the password.

Actual output:- As expected, while trying to access privileged mode it asked for the password.
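An added example, not part of this report, that audits a running-config against the protections applied in the router and switch steps above (hostname, enable secret, console and VTY passwords with login) and flags what is still missing, such as SSH-only management recommended earlier in the report. The configuration text is a constructed excerpt built from the example values used in the steps; the parser handles the IOS convention of indented lines belonging to the preceding interface or line section.

```python
# Constructed running-config excerpt reflecting the commands entered in the
# steps above: hostname, interface IP address, console and VTY passwords,
# enable secret. Names and passwords are the example values from this report.
SAMPLE_CONFIG = """\
hostname HQ-Router
!
enable secret class
!
interface GigabitEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 no shutdown
!
line console 0
 password cisco
 login
line vty 0 15
 password CiscO123
 login
!
end
"""

DEFAULT_HOSTNAMES = {"Router", "Switch"}
MIN_PASSWORD_LEN = 8


def parse_sections(config):
    """Split an IOS config into (global_lines, {section_header: [sub_lines]}).
    Indented lines belong to the most recent 'interface ...' or 'line ...' header."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_config(config):
    """Return a list of findings (strings); an empty list means every check passed."""
    global_lines, sections = parse_sections(config)
    findings = []
    hostname = next((l.split(None, 1)[1] for l in global_lines
                     if l.startswith("hostname ")), None)
    if hostname is None or hostname in DEFAULT_HOSTNAMES:
        findings.append("hostname: device still has a default name")
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("enable secret: privileged exec mode is not protected by a hashed secret")
    if any(l.startswith("enable password ") for l in global_lines):
        findings.append("enable password: reversible enable password present, use enable secret")
    if "service password-encryption" not in global_lines:
        findings.append("service password-encryption: line passwords are stored in clear text")
    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        passwords = [l.split(None, 1)[1] for l in body if l.startswith("password ")]
        has_login = "login" in body or "login local" in body
        if not passwords or not has_login:
            findings.append(f"{header}: no password or no login, access is not authenticated")
        if any(len(p) < MIN_PASSWORD_LEN for p in passwords):
            findings.append(f"{header}: password shorter than {MIN_PASSWORD_LEN} characters")
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: Telnet still allowed, add transport input ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```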

Site to site VPN

Test carried:- Site to site VPN (testing whether the ISAKMP policy is working or not)

Testing point (Head Quarter to Branch Office)

S.N  Expected output  Screen shots

1  After executing the script it needs to show the status ACTIVE and the state.

Actual output:- As expected, after executing the query it showed the status active for the head quarter to
branch office connection.

Test carried:- Site to site VPN (testing whether the ISAKMP policy is working or not)

Testing point (Branch Office to Head Quarter)

S.N  Expected output  Screen shots

1  After executing the script it needs to show the status ACTIVE and the state.

Actual output:- As expected, after executing the query it showed the status active for the branch office to
head quarter connection.

Test carried:- Site to site VPN (pinging)

Testing point (Head quarter to branch office)

S.N  Expected output  Screen shots

1  First ping from the head quarter PC to the branch office PC to check whether it is working or not.

Actual output:- As expected, the ping from the head quarter PC to the branch office PC was successful.

Test carried:- Site to site VPN (pinging)

Testing point (Branch office to Head quarter)

S.N  Expected output  Screen shots

1  First ping from the branch office PC to the head quarter PC to check whether it is working or not.

Actual output:- As expected, the ping from the branch office PC to the head quarter PC was successful.

Test carried:- Site to site VPN (testing the IPSEC transform set)

Testing point (Head quarter to branch office)

S.N  Expected output  Screen shots

1  After executing the crypto ipsec script, it needs to show the numbers of encrypted and decrypted packets
   while pinging.

Actual output:- As expected, it showed the numbers of encrypted and decrypted packets.

Test carried:- Site to site VPN (testing the IPSEC transform set)

Testing point (Branch office to headquarters)

S.N  Expected output  Screen shots

1  After executing the crypto ipsec script, it needs to show the numbers of encrypted and decrypted packets
   while pinging.

Actual output:- As expected, it showed the numbers of encrypted and decrypted packets.

Test carried:- Site to site VPN (testing the crypto map for IPSEC)

Testing point (Head quarter to branch office)

S.N  Expected output  Screen shots

1  The head quarter and branch office PCs need to ping each other, and after that, on executing the crypto
   ipsec s script, the encrypted and decrypted packet numbers need to have increased from the numbers in the
   test above.

Actual output:- As expected, it pinged successfully.

Test carried:- Site to site VPN (testing the crypto map for IPSEC)

Testing point (Branch Office to Head Quarters)

S.N  Expected output  Screen shots

1  The branch office and head quarter PCs need to ping each other, and after that, on executing the crypto
   ipsec s script, the encrypted and decrypted packet numbers need to have increased from the numbers in the
   test above.

Actual output:- As expected, it pinged successfully.

Test carried:- Site to site VPN (testing the crypto map for IPSEC)

Testing point (Head Quarters to Branch Office)

S.N  Expected output  Screen shots

1  The head quarter and branch office PCs need to ping each other, and after that, on executing the crypto
   ipsec s script, the encrypted and decrypted packet numbers need to have increased from the numbers in the
   test above.

Actual output:- As expected, after pinging twice the numbers of encrypted and decrypted packets increased
accordingly.
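An added example, not part of this report, that automates the checks made by eye in the VPN tests above: confirming that the ISAKMP SA to the peer is in state QM_IDLE with status ACTIVE, and that the IPSEC encrypt and decrypt counters both grow by at least the number of pings sent between two snapshots. The command outputs are constructed excerpts in the layout of show crypto isakmp sa and show crypto ipsec sa; the peer addresses are documentation ranges, not the report's real values.

```python
import re

# Constructed excerpts in the layout of the IOS commands used in the tests
# above (show crypto isakmp sa / show crypto ipsec sa). Addresses are from
# documentation ranges and stand for the head quarter and branch routers.
HQ_PEER = "203.0.113.1"
BRANCH_PEER = "203.0.113.2"

ISAKMP_SA_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

ISAKMP_SA_DOWN = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     MM_NO_STATE          0 ACTIVE (deleted)
"""


def ipsec_sa_snapshot(encrypt, decrypt):
    """Build a constructed 'show crypto ipsec sa' excerpt with given counters."""
    return f"""\
interface: GigabitEthernet0/1
    Crypto map tag: HQ-MAP, local addr {HQ_PEER}

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer {BRANCH_PEER} port 500
    #pkts encaps: {encrypt}, #pkts encrypt: {encrypt}, #pkts digest: {encrypt}
    #pkts decaps: {decrypt}, #pkts decrypt: {decrypt}, #pkts verify: {decrypt}
"""


def isakmp_tunnel_active(output, peer):
    """True if the phase 1 SA to `peer` is in state QM_IDLE with status ACTIVE,
    which is what the ISAKMP policy test above looks for."""
    for line in output.splitlines():
        parts = line.split()
        # columns: dst src state conn-id status
        if len(parts) >= 5 and parts[0] == peer:
            return parts[2] == "QM_IDLE" and parts[4] == "ACTIVE"
    return False


COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def ipsec_counters(output):
    """Sum the encrypt/decrypt packet counters over every SA entry in the output."""
    counters = {"encrypt": 0, "decrypt": 0}
    for name, value in COUNTER_RE.findall(output):
        counters[name] += int(value)
    return counters


def traffic_was_protected(before, after, pings):
    """True if both counters grew by at least `pings` between the snapshots:
    the echo requests left encrypted and the replies were decrypted on return."""
    b, a = ipsec_counters(before), ipsec_counters(after)
    return (a["encrypt"] - b["encrypt"] >= pings
            and a["decrypt"] - b["decrypt"] >= pings)


if __name__ == "__main__":
    print("phase 1 up:", isakmp_tunnel_active(ISAKMP_SA_UP, BRANCH_PEER))
    before, after = ipsec_sa_snapshot(4, 4), ipsec_sa_snapshot(8, 8)
    print("4 pings carried by the tunnel:", traffic_was_protected(before, after, 4))
```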
