
Network Security
Husni Ismail Hisni

COL/E-002035

Unit 46 – Network Security (NS – 17 – 001)

ESOFT METRO CAMPUS

SUBMISSION DATE : 28/04/2018


Assignment Brief
BTEC Level 4-5 HNC/HND Diploma (QCF)

To be filled by the Student


Name of the Student : M.Husni Ismail

Edexcel No : Registration No: COL/E-002035 Batch No: 68

Unit Assessment Information

Qualification : Higher National Diploma in Computing and Systems Development

Unit Code & Title : Unit 46 – Network Security (NS – 17 – 001)

Assessment Title & No’s :Security Design for Kandy Metro Campus

Learning outcomes and grading opportunities:


LO 01: Understand the impact on the social and commercial environment of network security design
Learning Outcomes LO1.1 LO1.2 LO1.3

LO 02: Be able to design network security solutions


Learning Outcomes LO2.1 LO2.2

LO 03: Be able to implement network security solutions


Learning Outcomes LO3.1 LO3.2 LO3.3
LO 04: Be able to manage network security solutions
Learning Outcomes LO4.1 LO4.2 LO4.3

Merit and Distinction Descriptor


M1 M2 M3 D1 D2 D3

Date Issued : Date Due :

Date of Submission:

Assessor : Date Assessed:

Internal Verifier (IV): Date of IV:

All rights reserved ©ESOFT Metro Campus, Sri Lanka Page 2 of 79


General Guidelines
1. A Cover page or title page – You should always attach a title page to your assignment.
Use the previous page as your cover sheet and be sure to fill in the details correctly.
2. This entire brief should be attached first, before you start answering.
3. All assignments should be prepared using word processing software.
4. All assignments should be printed on A4 sized paper; make sure to use single-sided
printing.
5. Allow a 1” margin on each side of the paper. But on the left side you will need to leave
room for binding.
6. Ensure that your assignment is stapled or secured together in a binder of some sort and
attach the softcopy (CD) of your final document and system on the last page.

Word Processing Rules


1. Use a font type that will make it easy for your examiner to read. The font size should be 12
point, and should be in the style of Times New Roman.
2. Use 1.5-line word-processing. Left justify all paragraphs.
3. Ensure that all headings are consistent in terms of size and font style.
4. Use footer function on the word processor to insert Your Name, Subject, Assignment No,
and Page Number on each page. This is useful if individual sheets become detached for
any reason.
5. Use word processing application spell check and grammar check function to help edit
your assignment.
6. Ensure that your printer’s output is of a good quality and that you have enough ink to
print your entire assignment.

Important Points:
1. Check carefully the hand in date and the instructions given with the assignment. Late
submissions will not be accepted.
2. Ensure that you give yourself enough time to complete the assignment by the due date.
3. Don’t leave things such as printing to the last minute – excuses of this nature will not be
accepted for failure to hand in the work on time.
4. You must take responsibility for managing your own time effectively.
5. If you are unable to hand in your assignment on time and have valid reasons such as
illness, you may apply (in writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade being given.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL.
You will then be asked to complete an alternative assignment.
8. Take great care that if you use other people’s work or ideas in your assignment, you
properly reference them, using the HARVARD referencing system, in your text and any
bibliography, otherwise you may be guilty of plagiarism.
9. If you are caught plagiarizing, you could have your grade reduced to A REFERRAL or at
worst you could be excluded from the course.

Statement of Originality and Student Declaration

I hereby, declare that I know what plagiarism entails, namely to use another’s work and to
present it as my own without attributing the sources in the correct way. I further understand what
it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.


2. I understand the plagiarism and copying policy of the PearsonUK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the
assignments for this program.
4. I declare therefore that all work presented by me for every aspect of my program, will be
my own, and where I have made use of another’s work, I will attribute the source in the
correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding
agreement between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is
not attached to the attached.

Student’s Signature:HUSNI ISMAIL


Date:27/04/2018



Assignment Brief
Kandy Metro Campus is an education institute with 2 remote campuses and the main campus
in Kandy. The Web server, File server and the Mail servers are located at the main campus,
which uses an 8Mbps Internet leased line connection from the ISP. The necessary resources,
which are used for practicals and other activities, are stored on the File Server and can only be
accessed from the local network at the main campus. The main campus has 3 main labs, and
network connectivity is provided via a wired network using Cat 5, which needs to be extended to
the Reception Area, Accounts Division, Library and Staff Room with increased network speed.
All the departments should be restricted to their own subnet and proper access rights should be
implemented between subnets if required. All the servers are located at lab 1 with
unmanageable Switches and Routers. Students are using their personal devices to connect to the
network and as a result, network throughput is badly affected.

Wi-Fi access points are provided for the students to access the network via wireless
connectivity, and they are allowed unrestricted Internet access, which causes many security
and ethical problems and needs to be controlled. Currently, Campus lecturers also use the same
resources as students for their day-to-day duties, which calls for some kind of centralized
administration and separation of access rights.

The management of the institute is planning to extend the facilities available in the main campus
network to the students in remote campuses through a VPN connectivity and also to improve
the security standards of the main campus network to comply with the current network security
standards.

Assuming you have been appointed as the new network security consultant of Kandy
Metro Campus, prepare a network security architectural design with your suggestions and
recommendations to improve the security standard. In the designing process, you may consider
the following aspects:

• Understand the Weakness of current network design, and its impact for the company
Social and Commercial environment.
• Propose and Design an improved network with network security solutions.
• Implement the Proposed network design and manage network security solutions.

You are allowed to assume the current network setup according to the services available and
propose the improvements according to your assumptions, but make sure to Clearly state your
assumptions.



MAIN TASKS:

1. Discuss and evaluate the network security of the current system.(LO 1.1)

2. Highlight the current and common threats and their impact to the system. (LO 1.3)

3. Design a network plan (stating all your assumptions) and a basic network security
solution for the head office of Kandy Metro Campus. Propose how you would enhance
the security in the communication between the head office and the branch office. (LO
2.1, M1.1, Activity 1)

4. Discuss how your proposed network design can impact the above network. (LO 1.2)

5. Evaluate the design and state how your design will provide security to the network. (LO
2.2)

6. Using above design, implement the solution, such that it includes different levels of
security to increase the complexity. (LO 3.1, M2.5)

7. Test the above network solution to fulfil the requirements and document them.
(LO 3.2, LO 3.3, Activity 2)

8. State how you can manage the above solution and state network security policies and
practices you could implement for smoother management of this network. (LO 4.1) (LO
4.2)

9. Recommend how you are going to increase the performance and security of this network,
if changes are required in future. (LO 4.3, D1.1)

Practical Observation Sheet


Activity No | Activity | Learning Outcome (LO) | Date | Signature
1 | Design a basic network security solution for the above scenario | (LO 2.1, D 3.4) | |
2 | Test the above network security solution to fulfill the requirements and document them | (LO 3.2, 3.3, D 3.4) | |

Outcomes/Criteria for PASS | Possible evidence | Page | Feedback

LO1 Understand the impact on the social and commercial environment of network security design
1.1 evaluate the network security of the current system | Task 1
1.2 discuss the potential impact of a proposed network design | Task 4
1.3 discuss current and common threats and their impact | Task 2

LO2 Be able to design network security solutions
2.1 design a network security solution to meet a given specification | Task 3
2.2 evaluate design and analyze feedback | Task 5

LO3 Be able to implement network security solutions
3.1 using a design, implement a complex network security solution | Task 6
3.2 systematically test the complex network security solution | Task 7
3.3 document and analyze test results | Task 7

LO4 Be able to manage network security solutions
4.1 manage a network security solution | Task 8
4.2 analyze ongoing network security policies and practices | Task 8
4.3 recommend potential change management | Task 9

Grade Descriptor for MERIT | Possible evidence | Feedback

M1 Identify and apply strategies to find appropriate solutions. M1.1 Effective judgments have been made | Justify Network security you have suggested via task 3
M2 Select/design appropriate methods/techniques. M2.5 the design of methods/techniques has been justified | Design Network security according to the requirement via task 6
M3 Present and communicate appropriate findings. M3.3 A range of methods of presentation have been used and technical language has been accurately used | Documentation is well structured adhering to the formatting guidelines with non-overlapping facts. Data provided are accurate, reliable and consistent

Grade Descriptor for DISTINCTION | Possible evidence | Feedback

D1 Use critical reflection to evaluate own work and justify valid conclusions. D1.1 Conclusions have been arrived at through synthesis of ideas have been justified | Justify how your recommendation can improve network security via task 8
D2 Take responsibility for managing and organizing activities. D2.3 Activities have been managed | Gantt chart must be provided at the appendix section and submit the work on time.
D3 Demonstrate convergent/lateral/creative thinking. D3.4 problems have been solved | Via Practical demonstration (Activity 1 and 2)


Strengths: Weaknesses:

Future Improvements & Assessor Comment:

Assessor: Signature:

Internal Verifier’s Comments:

Internal Verifier: Signature:

Executive Summary
This report presents a network plan for the Kandy Metro Campus. The design is implemented
using VLANs. Based on the given factors and the research carried out, implementing this new
network design will enhance the Campus; the security threats to the network have been
identified, and better solutions were found and implemented.



Acknowledgement
In performing this assignment, I had to take the help and guidance of some respected persons,
who deserve the greatest gratitude. The completion of this assignment gives me much pleasure. I
would like to show my gratitude to Ms. Ama Kulathilaka for giving me good guidance for the
assignment throughout numerous consultations. I would also like to extend my deepest gratitude
to all those who have directly and indirectly guided me in writing this assignment.

Many people, especially my classmates themselves, have made valuable comments and suggestions on this
assignment, which gave me the inspiration to improve my assignment. I thank my respected
lecturer for the valuable guidelines she gave me.

Thank You!

Contents
Acknowledgement
Task 1
Discuss and evaluate the network security of the current system. (LO 1.1)
Network security of the current system
Conclusion
Task 2
Introduction
Task 3
Introduction
Vlans
IP Class and Range for the Network
IP allocation table for company
Network Design
Network Plan
Network Implementation
Configuration for the router
Configuration for the Switches
Configuring Trunk Ports to the Switch
PC Configuration
Server Configuration
Task 4
Vlans
Task 5
Advantages of Vlan Security
Task 6
Introduction
Implementation of Security levels to the current network design
Port Security
Implementing Access Control list
Show ACL Command
Task 7
Introduction
Security Passwords in the network
Test case
Task 08
Network Monitoring and Management
SNMP (Simple Network Management Procedure)
Syslog (System logs)
CDP (Cisco Discovery Protocol)
Netflow
Roles of policies and Procedure in Information Security
Policies
Standards
Procedures
Guidelines
Examples of Information Security Policy
Task 9
Future Enhancements
Improve Security
Conclusion

TABLE OF FIGURES

Figure 3.1 Network Plan
Figure 3.2 Configuration for the router
Figure 3.3 Server LAN Configuration
Figure 3.4 Implementing SUB-Ifs to the Router
Figure 3.5 Implementing SUB-Ifs to the Router
Figure 3.6 Basic Configuration Switch 1
Figure 3.7 Basic Configuration Switch 2
Figure 3.8 Basic Configuration Switch 3
Figure 3.9 Lab 2 Switch Configuration (Reception)
Figure 3.10 Lab 2 Switch Configuration (Accounts)
Figure 3.11 Lab 3 Switch Configuration (Library)
Figure 3.12 Lab 3 Switch Configuration (Staff)
Figure 3.13 Trunk Ports to the Switch (Lab 2)
Figure 3.14 Trunk Ports to the Switch (Lab 3)
Figure 3.15 Vlan 10 PC
Figure 3.16 Vlan 20 PC
Figure 3.17 Vlan 30 PC
Figure 3.18 Vlan 40 PC
Figure 3.19 Server Configuration
Figure 6.1 enable password
Figure 6.2 enable secret password
Figure 6.3 enabling console password
Figure 6.4 enabling telnet password
Figure 6.5 encrypting passwords
Figure 6.6 telnet password to the switch
Figure 6.7 Connected ports to the network
Figure 6.8 viewing of MAC-Address
Figure 6.9 Implementing Port security
Figure 6.10 Port security verification command
Figure 6.11 Port down
Figure 6.12 Recovering Disabled ports
Figure 6.13 Implementing Access Control list
Figure 6.14 Show ACL Command
Figure 7.1 Router Information
Figure 7.2 Router Information
Figure 7.3 Vlans on LAB 2
Figure 7.4 Vlans on LAB 3
Figure 7.5 Security Passwords in the network
Figure 7.6 Security Passwords in the network
Figure 7.7 Security Passwords encryption in the network
Figure 7.8 Security Passwords encryption in the network
Figure 7.9 Ping one client using the CLI of another
Figure 7.10 Ping one client using the CLI of another
Figure 7.11 Ping one client using the CLI of another
Figure 7.12 To ensure that the connection to the gateway is working


Task 1

Discuss and evaluate the network security of the current system. (LO 1.1)
Introduction



As networks grow and interconnect with other networks, including the Internet, those networks
are exposed to a greater number of security risks. Not only does the number of potential attackers
grow along with the size of the network, but the tools available to those potential attackers are
always increasing in terms of sophistication.

Network security of the current system


• With regard to the current network security, the network is a flat network, which means it is
not broken into segments. A flat network poses a high security threat.
• The subnets of the network are not restricted to certain authorized users.
• Proper access rights are not implemented, as everyone uses the same network in the
campus.
• Students connecting their personal devices can use the network for their own purposes,
which can harm the network.
• Students can leak highly confidential data on the network that lecturers use for
storing exam papers, etc.
• The WiFi is not password protected, which means anyone can log in to the network and
use the WiFi.
• The system gets slow because there is no proper systematic authorization in the network.
This also leads to poor connections within the network.
• Students and the lecturers share the same network.
• Unrestricted and unlimited internet access will have a financial impact on the
organization and is also a low risk to the network.
• Network access for everyone will cause ethical problems.
• The use of unmanageable switches will harm the network.
• If one's personal data is stolen, there will be legal or regulatory investigations and
consequences.



Conclusion
The network is a flat network with a lot of threats to the administration of the campus.



Task 2

Introduction
IT security pros have to contend with an increasing number of loose confederations of
individuals dedicated to political activism, like the infamous Anonymous group. Politically
motivated hackers have existed since hacking was first born. The big change is that more of it is
being done in the open, and society is acknowledging it as an accepted form of political activism.

Now that cyber-threats are becoming a daily headache for IT security staff, it helps to have
some guidance, or at least to identify what to look out for. As a small company doing business on
the web, you need to be aware of these methods so you can be extra vigilant when online.

There are 4 major types of network threats:

1. Interception
2. Interruption
3. Modification
4. Fabrication

Interception

An interception means that some unauthorized party has gained access to an asset. The outside
party can be a person, a program, or a computing system. Examples of this type of failure are
illicit copying of program or data files, or wiretapping to obtain data in a network. Although a
loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the
interception can be readily detected.

(informit.com, 11/4/2010)

Interruption



In an interruption, an asset of the system becomes lost, unavailable, or unusable. An example is
malicious destruction of a hardware device, erasure of a program or data file, or malfunction of
an operating system file manager so that it cannot find a particular disk file.

(informit.com,11/4/2010)

Modification

If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.
For example, someone might change the values in a database, alter a program so that it performs
an additional computation, or modify data being transmitted electronically. It is even possible to
modify hardware. Some cases of modification can be detected with simple measures, but other,
more subtle, changes may be almost impossible to detect.

(genesisdatabase.wordpress.com)

Fabrication

An unauthorized party might create a fabrication of counterfeit objects on a computing system.
The intruder may insert spurious transactions to a network communication system or add records
to an existing database. Sometimes these additions can be detected as forgeries, but if skillfully
done, they are virtually indistinguishable from the real thing.

(genesisdatabase.wordpress.com)

D-DOS attack

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service
inaccessible by overwhelming it with traffic from numerous sources. It targets a wide range of
banking information and confidential data of any organization.

Security Measure:

• Rate-limit traffic at the router to prevent the web server from being overwhelmed
• Use a firewall and packet sniffing techniques to control high packet traffic

(blogs.cisco.com)



Data breaches

A data breach is an occurrence in which sensitive, secured or confidential data has potentially
been seen, stolen or used by an individual not authorized to do so. In the case of a small
organization, data breaches may involve personal information and intellectual property.

Security measure:

• Encrypt all sensitive information and shred it before disposal.
• Retain the third party and limit staff access to systems and devices.

(getcybersafe.gc.ca)

Malicious threat

Malicious threats include computer viruses, Trojans, worms and spyware. This is code or software
that is specifically intended to damage, steal, disrupt, or otherwise inflict some other “terrible” or
illegitimate action on information, hosts, or networks.

Security measure:

• Install antivirus software on the system and download updates to ensure that the software
has the latest fixes for new viruses, Trojans, worms and bots.
• Ensure that the antivirus software can scan email and all the files downloaded from the
internet.

(getcybersafe.gc.ca)

Phishing

Phishing is the attempt to obtain sensitive information such as usernames, passwords and credit
card information, frequently for malicious reasons, by masquerading as a trustworthy
entity in an electronic communication.

Security Measure:

• Keep website certificates up to date so that users are assured of the legitimacy of the
websites.
• Educate users about the best practices that they should follow and observe when using
Internet services.

(getcybersafe.gc.ca)

Data breaches

A data breach is an occurrence in which sensitive, secured or confidential data has potentially
been seen, stolen or used by an individual not authorized to do so. In the case of a small
organization, data breaches may involve personal information and intellectual property.

Security measure:

• Encrypt all sensitive information and shred it before disposal.
• Retain the third party and limit staff access to systems and devices.

(purevpn.com)

Computer worm

A computer worm is a software program that can copy itself from one computer to another,
without human interaction. Worms can replicate in great volume and with great speed. For
example, a worm can send copies of itself to every contact in your email address book and then
send itself to all the contacts in your contacts’ address books.

(bhconsulting.ie)

Rootkits and Botnets

A Rootkit is a program that is installed on a computer without the user’s knowledge, similar to
malware. The program can be visible or hidden and may couple itself with a larger software
package.



A botnet, on the other hand, is a term derived from the idea of bot networks and is simply an
automated program/bot. The targeted computer is attacked via viruses or malicious code by botnet
attackers.

Security measure:

• Install trustworthy (and genuine) antivirus and firewall software to avoid Rootkit and Botnet threats.
• Choose passwords that are hard for others to guess. Use a combination of capital and
small letters along with numbers.
• Follow good security practices and appropriate precautions while surfing the web.
• Never install any unwanted program or click a link sent to you by unknown users or bots.

(blogs.cisco.com)

Spyware

Spyware refers to a program that sends users pop-ups, redirects them to various websites,
monitors browsing activity and so on.

Security measure:

• Don’t click on links presented to you via pop-up windows.
• Use the pop-up window’s ‘X’ icon located on the top-right of the pop-up to close the ad
instead of clicking on the ‘close’ button presented in the pop-up.
• Even if an installation has been started, cancel immediately to avoid further damage.
• Do not install an anti-spyware or anti-virus program presented to you in a pop-up or ad.

(purevpn.com)

Task 3

Introduction
Following a structured set of steps when developing and implementing network security will
help you address the varied concerns that play a part in security design. For the Kandy Metro
Campus, the network solution is to implement VLANs.

VLANs
A VLAN is a group of devices on one or more LANs that are configured to communicate as if
they were attached to the same wire, when in fact they are located on a number of different LAN
segments. Because VLANs are based on logical instead of physical connections, they are
extremely flexible.

By confining the broadcast domains, end-stations on a VLAN are prevented from listening to or
receiving broadcasts not intended for them. Moreover, if a router is not connected between the
VLANs, the end-stations of a VLAN cannot communicate with the end-stations of the other
VLANs.

IP Class and Range for the Network
The IP class used for the network would be Class C. Class C addresses are used for small
networks. The three high-order bits in a class C address are always set to binary 1 1 0. The next
21 bits (completing the first three octets) complete the network ID. The remaining 8 bits (last
octet) represent the host ID. This allows for 2,097,152 networks and 254 hosts per network.
More IP addresses would be wasted if we used class A or B.

Since Kandy Metro Campus is a small network and each VLAN has only 4 PCs connected to the
switches, a block of 8 IP addresses per VLAN is sufficient.

IP allocation table for company


Dept. Name  Vlan ID  Block Size  Network ID/CIDR  Broadcast ID/CIDR  Usable Range                 SNM              Default Gateway
Reception   Vlan 10  8           192.168.4.0/29   192.168.4.7/29     192.168.4.1 - 192.168.4.6    255.255.255.248  192.168.4.1
Accounts    Vlan 20  8           192.168.4.8/29   192.168.4.15/29    192.168.4.9 - 192.168.4.14   255.255.255.248  192.168.4.8
Library     Vlan 30  8           192.168.4.16/29  192.168.4.23/29    192.168.4.17 - 192.168.4.22  255.255.255.248  192.168.4.16
Staff       Vlan 40  8           192.168.4.24/29  192.168.4.25/29    192.168.4.25 - 192.168.4.30  255.255.255.248  192.168.4.24
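A consistency check over the allocation table, as an added example that is not part of the original assignment: Python's standard `ipaddress` module recomputes each /29 and reports any row whose mask, broadcast address, usable range or gateway does not match it. The function names and `PCS_PER_VLAN` are introduced here; the rows are the table's values as printed.

```python
import ipaddress

PCS_PER_VLAN = 4  # from the text: each VLAN has 4 PCs on its switch

# Rows as printed in the allocation table:
# (dept, vlan, network/CIDR, broadcast, first usable, last usable, mask, gateway)
PLAN = [
    ("Reception", 10, "192.168.4.0/29", "192.168.4.7", "192.168.4.1",
     "192.168.4.6", "255.255.255.248", "192.168.4.1"),
    ("Accounts", 20, "192.168.4.8/29", "192.168.4.15", "192.168.4.9",
     "192.168.4.14", "255.255.255.248", "192.168.4.8"),
    ("Library", 30, "192.168.4.16/29", "192.168.4.23", "192.168.4.17",
     "192.168.4.22", "255.255.255.248", "192.168.4.16"),
    ("Staff", 40, "192.168.4.24/29", "192.168.4.25", "192.168.4.25",
     "192.168.4.30", "255.255.255.248", "192.168.4.24"),
]


def check_row(row):
    """Return a list of findings for one table row (empty list = consistent)."""
    dept, vlan, cidr, bcast, first, last, mask, gateway = row
    ip = ipaddress.ip_address
    net = ipaddress.ip_network(cidr)  # strict: raises if the ID has host bits set
    hosts = list(net.hosts())         # usable addresses, excluding ID and broadcast
    findings = []
    if ip(mask) != net.netmask:
        findings.append(f"mask {mask} does not match {cidr}")
    if ip(bcast) != net.broadcast_address:
        findings.append(f"broadcast {bcast} should be {net.broadcast_address}")
    if (ip(first), ip(last)) != (hosts[0], hosts[-1]):
        findings.append(f"usable range should be {hosts[0]} - {hosts[-1]}")
    if ip(gateway) not in hosts:
        findings.append(f"gateway {gateway} is not a usable host address in {cidr}")
    if len(hosts) - 1 < PCS_PER_VLAN:  # one usable address goes to the gateway
        findings.append(f"{cidr} cannot hold {PCS_PER_VLAN} PCs plus a gateway")
    return findings


def check_plan(plan):
    """Check every row plus overlap between subnets; returns {dept: [findings]}."""
    report, seen = {}, []
    for row in plan:
        findings = check_row(row)
        net = ipaddress.ip_network(row[2])
        findings += [f"{row[2]} overlaps {d} ({n})" for d, n in seen if net.overlaps(n)]
        seen.append((row[0], net))
        if findings:
            report[row[0]] = findings
    return report


if __name__ == "__main__":
    for dept, findings in check_plan(PLAN).items():
        for finding in findings:
            print(f"{dept}: {finding}")
```

A router sub-interface cannot be given the network ID of its subnet as its address, so any gateway finding should be resolved before the plan is configured.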

Network Design

Network Plan
This is the network plan designed for the Kandy Metro Campus

Figure 3.1 Network Plan

Network Implementation

Configuration for the router


Basic Configuration - The router is configured with a hostname and the banner is named. The
time is also set in the router.

Figure 3.2 Configuration for the router

Server LAN Configuration

Figure 3.3 Server LAN Configuration

Implementing SUB-Ifs to the Router

Figure 3.4 Implementing SUB-Ifs to the Router

Figure 3.5 Implementing SUB-Ifs to the Router

Configuration for the Switches


Basic Configuration Switch 1

Figure 3.6 Basic Configuration Switch 1

Basic Configuration Switch 2

Figure 3.7 Basic Configuration Switch 2

Basic Configuration Switch 3

Figure 3.8 Basic Configuration Switch 3

Lab 2 Switch Configuration (Reception)

Figure 3.9 Lab 2 Switch Configuration (Reception)

Lab 2 Switch Configuration (Accounts)

Figure 3.10 Lab 2 Switch Configuration (Accounts)

Lab 3 Switch Configuration (Library)

Figure 3.11 Lab 3 Switch Configuration (Library)

Lab 3 Switch Configuration (Staff)

Figure 3.12 Lab 3 Switch Configuration (Staff)

Configuring Trunk Ports to the Switch (Lab 2)

Figure 3.13 Trunk Ports to the Switch (Lab 2)

Configuring Trunk Ports to the Switch (Lab 3)

Figure 3.14 Trunk Ports to the Switch (Lab 3)

PC Configuration
Vlan 10 PC

Figure 3.15 Vlan 10 PC

Vlan 20

Figure 3.16 Vlan 20

Vlan 30

Figure 3.17 Vlan 30

Vlan 40

Figure 3.18 Vlan 40

Server Configuration

Figure 3.19 Server Configuration

Task 4
Introduction

The above design is implemented using VLANs as a solution to the existing network plan.

Vlans
There are five primary reasons why VLANs are used:

• Cost
• Security
• Performance
• Manageability
• Availability

Cost

Implementing VLANs is much cheaper. As this is a flat network, anybody can get access
to the network. One way to separate it is to put a layer-three device, such as a router, in between,
so that hosts on one switch cannot reach hosts on another switch. The problem is that this
has a cost; it is more expensive. VLANs keep it inexpensive by using
the same switch.

Security

VLANs logically separate network traffic preventing devices from listening to any network
traffic on other Virtual Local Area Networks. They also offer additional security by VLAN
device assignment.

There are two common methods used to assign a device (computer, PC, printer, etc.) to a VLAN:

• Port based – A switch port is manually configured to be a member of a specific
VLAN(s). Any device connected to this port will belong to the VLAN. Physical security
such as restricted access to the location of the physical switch is required.
• MAC based – The VLAN membership is based on the MAC address of the device. This
method offers additional security at the cost of increased management.

Performance

Performance is increased by reducing broadcast traffic in the campus.

Manageability

Using a VLAN would allow the PCs to be connected to the same switches as other devices on
the network. Fewer switches = less management.

Switch features such as VLAN Trunk Protocol (VTP), make it easy to distribute VLANs across a
physical network environment.

Availability

VLANs offer the ability to reduce the size of your failure domain. If a device has a damaged
Network Interface Card (NIC), it may broadcast enough traffic to impact every host in the
VLAN.

Task 5

Advantages of Vlan Security


VLANs provide enhanced network security. In a VLAN network environment, with
multiple broadcast domains, network administrators have control over each port and user. A
malicious user can no longer just plug their workstation into any switch port and sniff the
network traffic using a packet sniffer. The network administrator controls each port and whatever
resources it is allowed to use.

VLANs help keep sensitive traffic that originates in an enterprise department within that department.

Even though many administrators and IT managers are aware of VLAN technologies and
concepts, that doesn't necessarily hold true when it comes to VLAN security.

The first principle in securing a VLAN network is physical security. If an organization does not
want its devices tampered with, physical access must be strictly controlled. Core switches are
usually safely located in a data center with restricted access, but edge switches are often located
in exposed areas.

Just as physical security guidelines require equipment to be in a controlled space, VLAN-based
security requires the use of special tools and following a few best security practices to achieve
the desired result.

These best practices include:

• Removing console-port cables and introducing password-protected console or virtual
terminal access with specified timeouts and restricted access policies.
• Applying the same commands to the virtual terminal (telnet/Secure Shell) section and
creating an access-list to restrict telnet/SSH access from specific networks and hosts.
• Avoiding the use of VLAN1 (the default VLAN) as the network data VLAN.
• Disabling high-risk protocols on any port that doesn't require them (e.g. CDP, DTP, PAgP,
UDLD).
• Deploying VTP domain, VTP pruning and password protections.
• Controlling inter-VLAN routing through the use of IP access lists.

Task 6

Introduction
Unlike hubs, switches are able to regulate the flow of data between their ports by creating almost
“instant” networks that contain only the two end devices communicating with each other at that
moment in time. Data frames are sent by end systems, and their source and destination addresses
are not changed throughout the switched domain.

Implementation of Security levels to the current network design


Enabling Passwords to the Router

Using passwords and assigning privilege levels is a simple way of providing terminal access
control in your network.

Enable password

Establishes a password for the privileged command mode.

Figure 6.1 enable password

Enable Secret Password

Specifies a secret password, saved using a non-reversible encryption method. (If enable
password and enable secret are both set, users must enter the enable secret password.)

Figure 6.2 enable secret password

Enabling Console password

Figure 6.3 enabling console password

Enabling Telnet password

Enabling a telnet password prevents anyone who does not have the password from accessing the network remotely.

Figure 6.4 enabling telnet password

Encrypting passwords

By encrypting the passwords, no one will be able to read them whilst typing.

Figure 6.5 encrypting passwords

Enabling Telnet password to the switch

Figure 6.6 telnet password to the switch
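The best practices listed under Task 5 and the password settings above can be checked mechanically. The following is an added example, not part of the original assignment and not the configuration shown in its screenshots: a small Python audit run over two constructed IOS-style configurations, one weak and one hardened. The finding codes, function names, hostname and passwords are made up for illustration.

```python
import re

# Constructed IOS-style configs for illustration; hostname, passwords and
# interface names are made up and do not come from the page's screenshots.
WEAK = """\
hostname LAB-SW
enable password example-only
line con 0
 exec-timeout 0 0
line vty 0 4
 password example-only
 login
 transport input telnet
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
"""

HARDENED = """\
hostname LAB-SW
service password-encryption
enable secret example-only
username admin secret example-only
line con 0
 password example-only
 login
 exec-timeout 5 0
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
 exec-timeout 5 0
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 no cdp enable
"""


def parse(config):
    """Split a config into global lines and {section header: [sub-commands]}."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        elif re.match(r"(interface|line) ", raw):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections


def audit(config):
    """Return (code, location) findings for the practices listed in Tasks 5 and 6."""
    glob, sections = parse(config)
    out = []
    if any(l.startswith("enable password ") for l in glob):
        out.append(("ENABLE-PASSWORD", "global"))   # stored reversibly, unlike enable secret
    if not any(l.startswith("enable secret ") for l in glob):
        out.append(("NO-ENABLE-SECRET", "global"))
    if "service password-encryption" not in glob:
        out.append(("NO-PASSWORD-ENCRYPTION", "global"))
    for name, body in sections.items():
        if name.startswith("line "):
            authed = "login local" in body or (
                "login" in body and any(l.startswith("password ") for l in body))
            if not authed:
                out.append(("LINE-NO-PASSWORD", name))
            if "exec-timeout 0 0" in body:           # 0 0 disables the idle timeout
                out.append(("NO-IDLE-TIMEOUT", name))
        if name.startswith("line vty"):
            if any(re.match(r"transport input .*\b(telnet|all)\b", l) for l in body):
                out.append(("VTY-TELNET", name))     # telnet sends credentials in cleartext
            if not any(l.startswith("access-class ") for l in body):
                out.append(("VTY-NO-ACL", name))
        if name.startswith("interface ") and "switchport mode access" in body:
            vlans = [l.split()[-1] for l in body if l.startswith("switchport access vlan ")]
            if not vlans or vlans[0] == "1":         # an unset access VLAN defaults to 1
                out.append(("DATA-ON-VLAN1", name))
            if "no cdp enable" not in body:
                out.append(("CDP-ENABLED", name))
            if "switchport nonegotiate" not in body:
                out.append(("DTP-ENABLED", name))
            if "switchport port-security" not in body:
                out.append(("NO-PORT-SECURITY", name))
    return out


if __name__ == "__main__":
    for code, where in audit(WEAK):
        print(f"{code:24} {where}")
```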

Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying
MAC addresses of the workstations that are allowed to access the port. When you assign secure
MAC addresses to a secure port, the port does not forward packets with source addresses outside
the group of defined addresses. If you limit the number of secure MAC addresses to one and
assign a single secure MAC address, the workstation attached to that port is assured the full
bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is
reached, when the MAC address of a workstation attempting to access the port is different from
any of the identified secure MAC addresses, a security violation occurs.
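A small model of the behaviour described above, as an added example that is not the switch's own logic and not from the original assignment. It goes one step beyond the text by modelling the three violation modes IOS offers (`protect`, `restrict`, `shutdown`); the class and method names are made up here, the MAC addresses are constructed, and recovery is simplified to clearing the err-disabled state.

```python
import re

# Constructed addresses for illustration.
LEGIT = "0001.4200.0001"      # Cisco dotted notation
ROGUE = "00:0C:29:00:00:02"   # colon notation


def norm(mac):
    """Normalise colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class SecurePort:
    """Simplified model of one switch port with port security enabled."""

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", static=()):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode: {violation}")
        self.maximum = maximum
        self.violation = violation
        self.secure = {norm(m) for m in static}   # statically assigned secure MACs
        if len(self.secure) > maximum:
            raise ValueError("more static addresses than the configured maximum")
        self.err_disabled = False
        self.violation_count = 0

    def receive(self, src_mac):
        """Decide what happens to a frame with this source MAC."""
        mac = norm(src_mac)
        if self.err_disabled:
            return "drop (err-disabled)"
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:        # room left: learn the address
            self.secure.add(mac)
            return "forward (learned)"
        # Maximum reached and the source is not a secure address: a violation.
        if self.violation != "protect":            # protect drops without counting
            self.violation_count += 1
        if self.violation == "shutdown":           # the "port down" state
            self.err_disabled = True
        return "drop (violation)"

    def recover(self):
        """Administrator re-enables the port after a shutdown violation."""
        self.err_disabled = False


def replay(port, frames):
    """Feed a sequence of source MACs to the port and collect the verdicts."""
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    for mode in SecurePort.MODES:
        port = SecurePort(maximum=1, violation=mode, static=[LEGIT])
        print(mode, replay(port, [LEGIT, ROGUE, LEGIT]), port.violation_count)
```

In this model only `restrict` and `shutdown` leave a counter for monitoring to pick up, and only `shutdown` also cuts off the legitimate workstation until the port is recovered.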

The following screenshots were taken while implementing port security:

Connected ports to the network

Figure 6.7 Connected ports to the network

Showing MAC-Address

Figure 6.8 Viewing of MAC-Address

Implementing Port security

Figure 6.9 Implementing Port security

Port security verification command

Figure 6.10 Port security verification command

Port down

Figure 6.11 Port down

Recovering Disabled ports

Figure 6.12 Recovering Disabled ports

Implementing Access Control list

Figure 6.13 Implementing Access Control list

Show ACL Command

Figure 6.14 Show ACL Command

Task 7

Introduction
The network testing problem is important because networks are hard to build correctly, and even
networks that appear to work most of the time may have subtle bugs that require intermittent
action, such as re-starting network elements. Sometimes, the bugs prevent all communication.
Sometimes, the bugs interfere with only one application. Sometimes, the bugs prevent the
network from carrying the required load. Sometimes, the bugs expose the network to security
violations. The goal of testing is to find faults in the network in order to correct them, but even
just knowing the limitations of a given kind of network, without correcting faults, can save
endless pain - i.e., knowing what loads it can carry, how frequently devices must be rebooted,
how large it can scale, what security vulnerabilities it has.

The network testing problem is especially hard because networks are dynamic. The component
network elements change. The configuration of a given network element may also change. The
connectivity of the network may change because components enter and leave; it may also change
because of failures. In this context, network testing must address how to determine the
correctness of a collection of tested network components, combined in any of a range of
configurations. In this project, we assume that the individual components of the network have
already been tested, and the question to be determined is whether the network as designed and
configured will support the desired services.

Penetration Testing

Penetration tests are typically performed using manual or automated technologies to
systematically compromise servers, endpoints, web applications, wireless networks, network
devices, mobile devices and other potential points of exposure. Once vulnerabilities have been
successfully exploited on a particular system, testers may attempt to use the compromised system
to launch subsequent exploits at other internal resources – specifically by trying to incrementally
achieve higher levels of security clearance and deeper access to electronic assets and information
via privilege escalation.

Show Commands in the Network Plan

Router Information

Figure 7.1 Router Information

Figure 7.2 Router Information

Vlans on LAB 2

Figure 7.3 Vlans on LAB 2

Vlans on LAB 3

Figure 7.4 Vlans on LAB 3

Security Passwords in the network

Figure 7.5 Security Passwords in the network

Figure 7.6 Security Passwords in the network

Security Passwords encryption in the network

Figure 7.7 Security Passwords encryption in the network

Figure 7.8 Security Passwords encryption in the network

Test case
Project Name: Kandy Metro Campus Test case
Test Unit: LAN Client Ping Test 1
Test Designed by: Husni Ismail
Test Type: White Box
Test Designed date: 25.03.2018
Test Case ID: Lo1
Test Execution date: 25.03.2018
Test Title: Network Security Consultant
Test Execution Time: 09:00 AM
Description: To ensure that the connection within VLAN is working

Steps: Ping one client using the CLI of another
Expected Result: Successfully
Actual Result: All received
Status (Pass/Fail): “PASS”

Figure 7.9 Ping one client using the CLI of another

Project Name: Kandy Metro Campus Test case
Test Unit: LAN Client Ping Test 2
Test Designed by: Husni Ismail
Test Type: White Box
Test Designed date: 25.03.2018
Test Case ID: Lo1
Test Execution date: 25.03.2018
Test Title: Network Security Consultant
Test Execution Time: 09:05 AM
Description: To ensure that the connection among VLAN is working

Steps: Ping one client using the CLI of another
Expected Result: Successfully
Actual Result: All received
Status (Pass/Fail): “PASS”

Figure 7.10 Ping one client using the CLI of another

Table 7.2 Test case 2

Project Name: Kandy Metro Campus Test case
Test Unit: LAN Client Ping Test 3
Test Designed by: Husni Ismail
Test Type: White Box
Test Designed date: 25.03.2018
Test Case ID: Lo1
Test Execution date: 25.03.2018
Test Title: Network Security Consultant
Test Execution Time: 09:05 AM
Description: To ensure that the connection among NETWORKS is working

Steps: Ping one client using the CLI of another
Expected Result: Successfully
Actual Result: All received
Status (Pass/Fail): “PASS”

Figure 7.11 Ping one client using the CLI of another

Table 7.3 Test case 3

Project Name: Kandy Metro Campus Test case
Test Unit: LAN Client Ping Test 4
Test Designed by: Husni Ismail
Test Type: White Box
Test Designed date: 25.03.2018
Test Case ID: Lo1
Test Execution date: 25.03.2018
Test Title: Network Security Consultant
Test Execution Time: 09:05 AM
Description: To ensure that the connection to the gateway is working

Steps: Ping one client using the CLI of another
Expected Result: Successfully
Actual Result: All received
Status (Pass/Fail): “PASS”

Figure 7.12 To ensure that the connection to the gateway is working

Table 7.4 Test case 4

Task 08

Network Monitoring and Management


Network monitoring and management plays a big role in securing the network. Network
monitoring uses tools such as the following:

• SNMP (Simple Network Management Protocol)
• Syslog (System logs)
• CDP (Cisco Discovery Protocol)
• NetFlow

SNMP (Simple Network Management Protocol)

SNMP is an application layer protocol used to manage and monitor network devices and their
functions. SNMP provides a common language for network devices to relay management
information within single- and multivendor environments in a local area network (LAN). The SNMP
manager is the software that runs on a PC or server and monitors the network devices. The SNMP
agent runs on the network device. The exchange of information between the SNMP agent and the SNMP
manager is called the MIB (Management Information Base).

There are 3 SNMP versions

• SNMP V1
• SNMP V2 - Default version
• SNMP V3 – Latest version

Features of SNMP V3

• Message integrity (not modified)
• Authentication
• Encryption

Syslog (System logs)
Syslog is a way for network devices to send event messages to a logging server – usually known
as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used
to log different types of events. For example, a router might send messages about users logging
on to console sessions, while a web-server might log access-denied events.

Destinations for Syslog messages

• Login attempt
• Console terminal
• Syslog servers

CDP (Cisco Discovery Protocol)


CDP is a Cisco proprietary protocol that runs on the data link layer and is enabled by default. It is used to
share information about other directly connected Cisco equipment, such as the operating
system version and IP address.

Cisco Discovery Protocol (CDP) messages received from a neighbor Cisco device are not
forwarded to any other devices by default. This means that Cisco Discovery Protocol (CDP) is
passed only to directly connected Cisco devices. Each Cisco device (which supports Cisco
Discovery Protocol (CDP)) stores the messages received from neighbor devices in a table that
can be viewed using the show CDP neighbors command.

NetFlow
Routers that have the NetFlow feature enabled generate NetFlow records. These records are
exported from the router and collected using a NetFlow collector. The NetFlow collector then
processes the data to perform the traffic analysis and presentation in a user-friendly format.
NetFlow collectors can take the form of hardware-based collectors (probes) or software-based
collectors.

NetFlow will track the number of packets sent, bytes sent, packet size, etc.

Verification Command – Router# show ip cache flow

Roles of policies and Procedure in Information Security


Introduction

Institutions create information security policies for a variety of reasons:

• To establish a general approach to information security.
• To detect and forestall the compromise of information security such as misuse of data,
networks, computer systems and applications.
• To protect the reputation of the company with respect to its ethical and legal
responsibilities.
• To observe the rights of the customers; providing effective mechanisms for responding to
complaints and queries concerning real or perceived non-compliances with the policy is
one way to achieve this objective.

An Information Security Policy should address all data, programs, systems, facilities, other tech
infrastructure, users of technology and third parties in a given organization, without exception.

Policies
Policies are formal statements produced and supported by senior management. They can be
organization-wide, issue-specific or system-specific. Your organization’s policies should reflect
your objectives for your information security program. Your policies should be like a building
foundation; built to last and resistant to change or erosion.

• Driven by business objectives and convey the amount of risk senior management is
willing to accept.
• Easily accessible and understood by the intended reader.
• Created with the intent to be in place for several years and regularly reviewed with
approved changes made as needed.

(frsecure.com, N.D.)

Standards
Standards are mandatory actions or rules that give formal policies support and direction. One of
the more difficult parts of writing standards for an information security program is getting a
company-wide consensus on what standards need to be in place. This can be a time-consuming
process but is vital to the success of your information security program.

• Used to indicate expected user behavior. For example, a consistent company email
signature.
• Might specify what hardware and software solutions are available and supported.

(frsecure.com, N.D.)

Procedures
Procedures are detailed step by step instructions to achieve a given goal or mandate. They are
typically intended for internal departments and should adhere to strict change control processes.
Procedures can be developed as you go. If this is the route your organization chooses to take it’s
necessary to have comprehensive and consistent documentation of the procedures that you are
developing (frsecure.com, N.D.).

Guidelines
Guidelines are recommendations to users when specific standards do not apply. Guidelines are
designed to streamline certain processes according to what the best practices are. Guidelines, by
nature, should be open to interpretation and do not need to be followed to the letter.

• Are more general vs. specific rules.
• Provide flexibility for unforeseen circumstances.
• Should NOT be confused with formal policy statements.

(frsecure.com, N.D.)

Examples of Information Security Policy


Information Security Policy

The objective of an IT security policy is the preservation of confidentiality, integrity, and
availability of systems and information used by an organization’s members (lse.ac.uk, N.D.).

E-Mail Policy

An effective internet and email policy that will help employees understand what is expected of
them as it affects their work is a must for employers. You want to go on record to define what
employees can do from work provided devices or employee-owned devices that are used for or
involve your employees, your workplace, or your company (thebalance.com, N.D.).

Guidelines for Password management

A Strong Password is defined as a password that is reasonably difficult to guess in a short period
of time either through human guessing or the use of specialized software (cmu.edu, 5/5/2010).

Physical Security Policy

This Physical Security Policy will help ensure the physical security of organizational computer
systems and information by specifying responsibilities for physical security. This Physical
Security Policy is intended to ensure that physical computer resources and information resources
are properly protected physically (comptechdoc.org, N.D.).

Firewall Policy

Any hardware and/or software designed to examine network traffic using policy statements
(ruleset) to block unauthorized access while permitting authorized communications to or from a
network or electronic equipment (northwestern.edu, N.D.).

Backup policies

Performing consistent, regular backups of critical business data is a vitally important part of any
recovery strategy. When treated as an afterthought or merely as a checkbox item on an annual IT
audit, the risks of losing critical data are significantly elevated. For these reasons, it is important
to establish a disciplined regimen of data protection defined by a set of clear backup policies that
can be closely followed and monitored by IT and business stakeholders alike
(searchdatabackup.techtarget.com, N.D.).

Task 9

Future Enhancements
Improve Performance

When LANs had only a few users, performance was usually very good. Today, however, when
most computers in an organization are on LANs, performance can be a problem. Performance is
usually expressed in terms of throughput (the total amount of user data transmitted in a given
time period).

Better quality hardware

• We can improve the performance of the network by upgrading the existing hardware to
the latest version, perhaps bringing in the best-performing hardware, e.g. Cisco
products.
• By upgrading to fibre-optic cable, which has very high bandwidth and is often
restricted by the hardware on either side of the cable rather than by the bandwidth of the cable
itself. In fibre-optic transmission, optical cables provide low power loss,
which enables signals to be transmitted over longer distances than with copper cables.

Regular Network Maintenance

Network maintenance basically means you have to do what it takes in order to keep a network up
and running, and it includes a number of tasks:

• Troubleshooting network problems.
• Hardware and software installation/configuration.
• Monitoring and improving network performance.
• Planning for future network growth.
• Creating network documentation and keeping it up-to-date.
• Ensuring compliance with company policies.
• Ensuring compliance with legal regulations.
• Securing the network against all kinds of threats.

Regular troubleshoot monitoring

Modern dashboards for network performance monitoring do a great job of reporting status and
statistics. In general, these dashboards provide views of aggregated information that make them
useful when looking for historical data or trends. But when there is a problem on your network,
these dashboards often fall short in providing real-time, actionable information about individual
network trouble areas.

Improve Security
Hardware Firewall

A firewall is a protective system that lies, in essence, between your computer network and the
Internet. When used correctly, a firewall prevents unauthorized use of and access to your network.
The job of a firewall is to carefully analyze data entering and exiting the network based on your
configuration. It ignores information that comes from unsecured, unknown or suspicious
locations. A firewall plays an important role on any network as it provides a protective barrier
against most forms of attack coming from the outside world. This could help the proposed
network plan.

IDS/IPS

Intrusion detection is the process of monitoring the events occurring in your network and
analyzing them for signs of possible incidents, violations, or imminent threats to your security
policies. Intrusion prevention is the process of performing intrusion detection and then stopping
the detected incidents. These security measures are available as intrusion detection systems (IDS)
and intrusion prevention systems (IPS), which become part of your network to detect and stop
potential incidents. (juniper.net)

Digital Certificates

An attachment to an electronic message used for security purposes. The most common use of a
digital certificate is to verify that a user sending a message is who he or she claims to be, and to
provide the receiver with the means to encode a reply.

An individual wishing to send an encrypted message applies for a digital certificate from
a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the
applicant's public key and a variety of other identification information. The CA makes its own
public key readily available through print publicity or perhaps on the Internet.

The recipient of an encrypted message uses the CA's public key to decode the digital certificate
attached to the message, verifies it as issued by the CA and then obtains the sender's public key
and identification information held within the certificate. With this information, the recipient can
send an encrypted reply. (webopedia.com)

Digital Signatures

A digital signature is a mathematical technique used to validate the authenticity and integrity of a
message, software or digital document. The digital equivalent of a handwritten signature or
stamped seal, but offering far more inherent security, a digital signature is intended to solve the
problem of tampering and impersonation in digital communications. Digital signatures can
provide the added assurances of evidence of origin, identity and status of an electronic document,
transaction or message, as well as acknowledging informed consent by the signer.
(searchsecurity.techtarget.com)

Biometric Authentication

Biometric authentication is a user identity verification process that involves biological input, or
the scanning or analysis of some part of the body.

Biometric authentication methods are used to protect many different kinds of systems - from
logical systems facilitated through hardware access points to physical systems protected by
physical barriers, such as secure facilities and protected research sites.

Security experts often differentiate biometric authentication from other types of authentication,
such as knowledge-based authentication, which involves passwords or other pieces of
information unique to a specific user. Another broad-level type is known as "property-based
authentication," where authentication relies on a user-held object, such as a key or card.
(techopedia.com)

Conclusion
Using the above-mentioned technologies will help make this a more technologically advanced
campus.

Conclusion
As mentioned above, given all the factors considered and the research done, the
implementation of this new network design will enhance the Campus. The problems faced earlier
were clearly identified, along with their solutions. With the introduction of the newly proposed
network, it will be easy for the Campus to overcome the problems it had to face, thereby making
the network more secure and efficient. So, I suggest that if these networks are properly
implemented in the Campus, there will be fewer problems and threats to the network.




Self-Criticism

Strengths:
1. The support I got to gather all information.
2. The necessary information was obtained easily.
3. The project was completed successfully within the time framework given.
4. Referred to useful articles which helped a lot in completing on time.

Weaknesses:
1. It took a long time to find the information about the advanced technology.

Gantt chart

Time in days:
March 2018: 4-10, 10-14, 14-21, 21-29
April 2018: 1-7, 7-14, 14-16, 16-20, 20-24, 27-28

Activity undertaken:
Task 1: Network security of the current system
Task 2: Current and common threats and their impact
Task 3: Network security solution to meet a given specification
Task 4: Potential impact of a proposed network design
Task 5: VLAN Security
Task 6: Implementation of security solution
Task 7: Document and analyze test results
Task 8: Network security policies and practices
Task 9: Future Enhancements
Finalizing the project
