Professional Documents
Culture Documents
Security
Husni Ismail Hisni
COL/E-002035
Assessment Title & No’s :Security Design for Kandy Metro Campus
Date of Submission:
Important Points:
1. Check carefully the hand in date and the instructions given with the assignment. Late
submissions will not be accepted.
2. Ensure that you give yourself enough time to complete the assignment by the due date.
3. Don’t leave things such as printing to the last minute – excuses of this nature will not be
accepted for failure to hand in the work on time.
4. You must take responsibility for managing your own time effectively.
5. If you are unable to hand in your assignment on time and have valid reasons such as
illness, you may apply (in writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade being given.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL.
You will then be asked to complete an alternative assignment.
8. Take great care that if you use other people’s work or ideas in your assignment, you
properly reference them, using the HARVARD referencing system, in you text and any
bibliography, otherwise you may be guilty of plagiarism.
I hereby, declare that I know what plagiarism entails, namely to use another’s work and to
present it as my own without attributing the sources in the correct way. I further understand what
it means to copy another’s work.
Wi-Fi access points areprovided for the students to access to the network via wireless
connectivity and they are allowed with unrestricted Internet access which causes many security
and ethical problems and need to be controlled. Currently Campus lecturers also use the same
recourses as students for their day today duties which needs some kind of centralized
Administration and separation of access rights.
The management of the institute is planning to extend the facilities available in the main campus
network to the students in remote campuses through a VPN connectivity and also to improve
the security standards of the main campus network to comply with the current network security
standards.
Assuming you have been appointed as the new network security consultant of Kandy
MetroCampus, prepare a network security architectural design with your suggestions and
recommendations to improve the security standard. In the designing process, you may consider
the following aspects;
• Understand the Weakness of current network design, and its impact for the company
Social and Commercial environment.
• Propose and Design an improved network with network security solutions.
• Implement the Proposed network design and manage network security solutions.
You are allowed to assume the current network setup according to the services available and
propose the improvements according to your assumptions, but make sure to Clearly state your
assumptions.
1. Discuss and evaluate the network security of the current system.(LO 1.1)
2. Highlight the current and common threats and their impact to the system. (LO 1.3)
3. Design a network plan (stating all your assumptions) and a basic network security
solution for the head office of Kandy Metro Campus. Propose how you would enhance
the security in the communication between the head office and the branch office. (LO
2.1, M1.1,Activity 1)
4. Discuss how your proposed network design can impact the above network. (LO 1.2)
5. Evaluate the design and state how your design will provide security to the network. (LO
2.2)
6. Using above design, implement the solution, such that it includes different levels of
security to increase the complexity. (LO 3.1, M2.5)
7. Test the above network solution to full fill the requirements and document them.
(LO 3.2, LO 3.3, Activity 2)
8. State how you can manage the above solution and state network security policies and
practices you could implement for smoother management of this network. (LO 4.1) (LO
4.2)
9. Recommend how you are going to increase the performance and security of this network,
if changes are required in future. (LO 4.3, D1.1)
Assessor: Signature:
Executive Summary
This is about designing a network plan for the Kandy Metro Campus. The design was used
implementing Vlans. With all the given factors and with the research done regarding a
implementation of this new network design will enhance the Campus and the security threats of
this network is identified and better solutions were found and implemented.
Thank You!
Contents
Acknowledgement......................................................................................................................2
Task 1.........................................................................................................................................3
Discuss and evaluate the network security of the current system. (LO 1.1)..............................3
Network security of the current system.....................................................................................3
TABLE OF FIGURES
Discuss and evaluate the network security of the current system. (LO 1.1)
Introduction
Introduction
IT security pros have to contend with an increasing number of loose confederations of
individuals dedicated to political activism, like the infamous Anonymous group. Politically
motivated hackers have existed since hacking was first born. The big change is that more of it is
being done in the open, and society is acknowledging it as an accepted form of political activism.
Nowadays cyber-threats are becoming a daily headache for IT security staff, it supports to have
some guidance, or at least identify what to look out for. As a small company doing business on
the web, you need to be aware of these methods so you can be extra vigilant when online.
1. Interception
2. Interruption
3. Modification
4. Fabrication
Interception
An interception means that some unauthorized party has gained access to an asset. The outside
party can be a person, a program, or a computing system. Examples of this type of failure are
illicit copying of program or data files, or wiretapping to obtain data in a network. Although a
loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the
interception can be readily detected.
(informit.com, 11/4/2010)
Interruption
(informit.com,11/4/2010)
Modification
If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.
For example, someone might change the values in a database, alter a program so that it performs
an additional computation, or modify data being transmitted electronically. It is even possible to
modify hardware. Some cases of modification can be detected with simple measures, but other,
more subtle, changes may be almost impossible to detect.
(genesisdatabase.wordpress.com)
Fabrication
(genesisdatabase.wordpress.com)
D-DOS attack
Security Measure:
Limit the rate of router to prevent form web server being overwhelmed
Use of firewall and pack sniffing technique for controlling high packet traffic
(blogs.cisco.com)
A data breach is an occurrence in which sensitive, secured or confidential data has potentially
been seen, stolen or utilized by an individual unapproved to do as such. In case of small
organization data breaches may involve personal information and intellectual property.
Security measure:
Encrypting all the sensitive information and shred them before disposing.
Retain the third party and limiting the staffs to access system and devices.
(getcybersafe.gc.ca)
Malicious threat
Malicious threat includes Computer viruses, Trojan, worm and spyware. It is code or software
that is particularly intended to damage, steal, disrupt, or as a rule inflict some other “terrible” or
illegitimate activity on information, hosts, or network.
Security measure:
Install antivirus software into the system and download updates to ensure that software
has the latest fixes for new viruses, Trojans, worms and bots.
Ensure that antivirus software can scan email and the all the files downloaded from the
internet.
(getcybersafe.gc.ca)
Phishing
Phishing is the process to gain sensitive information like usernames, passwords and credit card
information, frequently for malicious reasons, by taking on the appearance of a dependable
element in an electronic correspondence.
Keep websites certificates up to date so that users are assured the legitimacy of the
websites.
Educate users about the best practices that they should follow and observe when using
Internet services.
(getcybersafe.gc.ca)
Data breaches
A data breach is an occurrence in which sensitive, secured or confidential data has potentially
been seen, stolen or utilized by an individual unapproved to do as such. In case of small
organization data breaches may involve personal information and intellectual property.
Security measure:
Encrypting all the sensitive information and shred them before disposing.
Retain the third party and limiting the staffs to access system and devices.
(purevpn.com)
Computer worm
A computer worm is a software program that can copy itself from one computer to another,
without human interaction. Worms can replicate in great volume and with great speed. For
example, a worm can send copies of itself to every contact in your email address book and then
send itself to all the contacts in your contacts’ address books.
(bhconsulting.ie)
A Rootkit is a program that is installed on a computer without the user’s knowledge, similar to
malware. The program can be visible or hidden and may couple itself with a larger software
package.
Security measure:
Install trustable (and genuine) antivirus and firewall to avoid Rootkit and Botnet threats.
Choose passwords that are hard for others to guess. Use a combination of capital and
small letters along with numbers.
Follow good security practices and appropriate precautions while surfing the web.
Never install any unwanted program or click a link sent to you by unknown users or bots.
(blogs.cisco.com)
Spyware
Spyware refers to a program that sends users pop-ups, redirect them to various websites, and
monitors browsing activity and so on.
Security measure:
(purevpn.com)
Introduction
Following a structured set of steps when developing and implementing network security will
help you address the varied concerns that play a part in security design. For the Kandy Metro
Campus the network solution would be implementing Vlans.
Vlans
A VLAN is a group of devices on one or more LANs that are configured to communicate as if
they were attached to the same wire, when in fact they are located on a number of different LAN
segments. Because VLANs are based on logical instead of physical connections, they are
extremely flexible.
By confining the broadcast domains, end-stations on a VLAN are prevented from listening to or
receiving broadcasts not intended for them. Moreover, if a router is not connected between the
VLANs, the end-stations of a VLAN cannot communicate with the end-stations of the other
VLANs.
Since Kandy Metro Campus is a small network and each Vlan has only 4 PCs connected to the
Switches, a 8 block Ip addresses would be best enough.
Network Design
Network Plan
This is the network plan designed for the Kandy Metro Campus
PC Configuration
Vlan 10 PC
Vlan 20
Vlan 40
The above design is implemented using Vlans as a solution the existing network plan.
Vlans
There are five primary reasons why VLANs are used:
Cost
Security
Performance
Manageability
Availability
Cost
The cost of implementing Vlans is much cheaper. Has this is flat network anybody can get access
to the network. One way to separate that is to put a layer three device like a router in between.
That way anybody on this switch can't get to anybody on this switch. The problem with that is
that there's a cost to that; it's more expensive. VLANs pretty much keep it inexpensive by having
the same switch.
Security
VLANs logically separate network traffic preventing devices from listening to any network
traffic on other Virtual Local Area Networks. They also offer additional security by VLAN
device assignment.
There are two common methods used to assign a device (computer, PC, printer, etc.) to a VLAN:
Performance
Manageability
Using a VLAN would allow the PCs to be connected to the same switches as other devices on
the network. Fewer switches = less management.
Switch features such as VLAN Trunk Protocol (VTP), make it easy to distribute VLANs across a
physical network environment.
Availability
VLANs offer the ability to reduce the size your failure domain. If a device has a damaged
Network Interface Card (NIC) it may broadcast enough traffic to impact every host in the
VLAN.
VLANs help to restrict sensitive traffic originating from an enterprise department within itself.
Even though many administrators and IT managers are aware of VLAN technologies and
concepts, that doesn't necessarily hold true when it comes to VLAN security.
The first principle in securing a VLAN network is physical security. If an organization does not
want its devices tampered with, physical access must be strictly controlled. Core switches are
usually safely located in a data center with restricted access, but edge switches are often located
in exposed areas.
Task 6
Introduction
Unlike hubs, switches are able to regulate the flow of data between their ports by creating almost
“instant” networks that contain only the two end devices communicating with each other at that
moment in time. Data frames are sent by end systems, and their source and destination addresses
are not changed throughout the switched domain.
Using passwords and assigning privilege levels is a simple way of providing terminal access
control in your network.
Enable password
Specifies a secret password, saved using a non-reversible encryption method. (If enable
password and enable secret are both set, users must enter the enable secret password.)
Enabling a telnet password will not allow anyone to access the network remotely.
Encrypting passwords
By encrypting the passwords no one will be able to read it, whilst typing.
Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying
MAC addresses of the workstations that are allowed to access the port. When you assign secure
MAC addresses to a secure port, the port does not forward packets with source addresses outside
the group of defined addresses. If you limit the number of secure MAC addresses to one and
assign a single secure MAC address, the workstation attached to that port is assured the full
bandwidth of the port.
Showing MAC-Address
Introduction
The network testing problem is important because networks are hard to build correctly, and even
networks that appear to work most of the time may have subtle bugs that require intermittent
action, such as re-starting network elements. Sometimes, the bugs prevent all communication.
Sometimes, the bugs interfere with only one application. Sometimes, the bugs prevent the
network from carrying the required load. Sometimes, the bugs expose the network to security
violations. The goal of testing is to find faults in the network in order to correct them, but even
just knowing the limitations of a given kind of network, without correcting faults, can save
endless pain - i.e., knowing what loads it can carry, how frequently devices must be rebooted,
how large it can scale, what security vulnerabilities it has.
The network testing problem is especially hard because networks are dynamic. The component
network elements change. The configuration of a given network element may also change. The
connectivity of the network may change because components enter and leave; it may also change
because of failures. In this context, network testing must address how to determine the
correctness of a collection of tested network components, combined in any of a range of
configurations. In this project, we assume that the individual components of the network have
already been tested, and the question to be determined is whether the network as designed and
configured will support the desired services.
Penetration Testing
Router Information
Test Unit: LAN Client Ping Test 1 Test Designed by: Husni Ismail
Test Unit: LAN Client Ping Test 2 Test Designed by: Husni Ismail
Test Unit: LAN Client Ping Test 3 Test Designed by: Husni Ismail
Test Unit: LAN Client Ping Test 4 Test Designed by: Husni Ismail
SNMP V1
SNMP V2 - Default version
SNMP V3 – Latest version
Features of SNMP V3
Login attempt
Console terminal
Syslog servers
Cisco Discovery Protocol (CDP) messages received from a neighbor Cisco device are not
forwarded to any other devices by default. This means that Cisco Discovery Protocol (CDP) is
passed only to directly connected Cisco devices. Each Cisco device (which supports Cisco
Discovery Protocol (CDP)) stores the messages received from neighbor devices in a table that
can be viewed using the show CDP neighbors command.
Netflow
Routers that have the Netflow feature enabled generate Netflow records. These records are
exported from the router and collected using a NetFlow collector. The NetFlow collector then
processes the data to perform the traffic analysis and presentation in a user-friendly format.
NetFlow collectors can take the form of hardware-based collectors (probes) or software-based
collectors
Information Security Policyshould address all data, programs, systems, facilities, other tech
infrastructure, users of technology and third parties in a given organization, without exception.
Policies
Policies are formal statements produced and supported by senior management. They can be
organization-wide, issue-specific or system specific. Your organization’s policies should reflect
your objectives for your information security program. Your policies should be like a building
foundation; built to last and resistant to change or erosion.
Driven by business objectives and convey the amount of risk senior management is
willing to accept.
Easily accessible and understood by the intended reader
(frsecure.com, N,D)
Standards
Standards are mandatory actions or rules that give formal policies support and direction. One of
the more difficult parts of writing standards for an information security program is getting a
company-wide consensus on what standards need to be in place. This can be a time-consuming
process but is vital to the success of your information security program.
Used to indicate expected user behavior. For example, a consistent company email
signature.
Might specify what hardware and software solutions are available and supported.
(frsecure.com, N.D.)
Procedures
Procedures are detailed step by step instructions to achieve a given goal or mandate. They are
typically intended for internal departments and should adhere to strict change control processes.
Procedures can be developed as you go. If this is the route your organization chooses to take it’s
necessary to have comprehensive and consistent documentation of the procedures that you are
developing (frsecure.com, N.D.).
Guidelines
Guidelines are recommendations to users when specific standards do not apply. Guidelines are
designed to streamline certain processes according to what the best practices are. Guidelines, by
nature, should open to interpretation and do not need to be followed to the letter.
(frsecure.com, N.D.)
E-Mail Policy
An effective internet and email policy that will help employees understand what is expected of
them as it affects their work is a must for employers. You want to go on record to define what
employees can do from work provided devices or employee-owned devices that are used for or
involve your employees, your workplace, or your company (thebalance.com, N.D.).
A Strong Password is defined as a password that is reasonably difficult to guess in a short period
of time either through human guessing or the use of specialized software (cmu.edu,5/5/2010).
This Physical Security Policy will help ensure the physical security of organizational computer
systems and information by specifying responsibilities for physical security.This Physical
Security Policy is intended to ensure that physical computer resources and information resources
are properly protected physically (comptechdoc.org, N.D.).
Firewall Policy
Backup policies
Performing consistent, regular backups of critical business data is a vitally important part of any
recovery strategy. When treated as an afterthought or merely as a checkbox item on an annual IT
audit, the risks of losing critical data are significantly elevated. For these reasons, it is important
to establish a disciplined regimen of data protection defined by a set of clear backup policies that
can be closely followed and monitored by IT and business stakeholders alike
(searchdatabackup.techtarget.com,N.D.).
Future Enhancements
Improve Performance
When LANs had only a few users, performance was usually very good. Today, however, when
most computers in an organization are on LANs, performance can be a problem. Performance is
usually expressed in terms of throughput (the total amount of user data transmitted in a given
time period).
We can improve the performances of the network by upgrading the existing hardware to
the latest version, perhaps getting down the best in performances hardware. Ex: Cisco
products.
By upgrading to Fibre-optic cable which has an amazing bandwidth and is often
restricted by the hardwareeither side of the cable rather than the bandwidth of the cable
itself. In fiber optic transmission, optical cables are capable of providing low power loss,
which enables signals can be transmitted to a longer distance than copper cables.
Network maintenance basically means you have to do what it takes in order to keep a network up
and running and it includes a number of tasks:
Modern dashboards for network performance monitoring do a great job of reporting status and
statistics. In general, these dashboards provide views of aggregated information that make them
useful when looking for historical data or trends. But when there is a problem on your network,
these dashboards often fall short in providing real-time, actionable information about individual
network trouble areas.
Improve Security
Hardware Firewall
A firewall is a protective system that lies, in essence, between your computer network and the
Internet. When used correctly, a firewall prevents unauthorized use and access to your network.
The job of a firewall is to carefully analyze data entering and exiting the network based on your
configuration. It ignores information that comes from an unsecured, unknown or suspicious
locations. A firewall plays an important role on any network as it provides a protective barrier
against most forms of attack coming from the outside world. This could help the proposed
network plan.
IDS/IPS
Digital Certificates
An attachment to an electronic message used for security purposes. The most common use of a
digital certificate is to verify that a user sending a message is who he or she claims to be, and to
provide the receiver with the means to encode a reply.
An individual wishing to send an encrypted message applies for a digital certificate from
a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the
applicant's public key and a variety of other identification information. The CA makes its own
public key readily available through print publicity or perhaps on the Internet.
The recipient of an encrypted message uses the CA's public key to decode the digital certificate
attached to the message, verifies it as issued by the CA and then obtains the sender's public key
and identification information held within the certificate. With this information, the recipient can
send an encrypted reply. (webopedia.com)
Digital Signatures
A digital signature is a mathematical technique used to validate the authenticity and integrity of a
message, software or digital document.The digital equivalent of a handwritten signature or
Biometric Authentication
Biometric authentication is a user identity verification process that involves biological input, or
the scanning or analysis of some part of the body.
Biometric authentication methods are used to protect many different kinds of systems - from
logical systems facilitated through hardware access points to physical systems protected by
physical barriers, such as secure facilities and protected research sites.
Security experts often differentiate biometric authentication from other types of authentication,
such as knowledge-based authentication, which involves passwords or other pieces of
information unique to a specific user. Another broad-level type is known as "property-based
authentication," where authentication relies on a user-held object, such as a key or card.
(techopedia.com)
Conclusion
Using the above mentioned technologies will help improve this campus to better advanced
technology campus.
Self-Criticism
Strengths Weaknesses
The support I got to gather all information. It took a long time to find the information
about the advanced technology.
Gantt chart
Activity Undertaken Time in days
March 2018 4-10 10-14 14-21 21-29
Task 2
Current and common threats
and their impact
Task 3
Task 4
Potential impact of a proposed
network design
Task 5
Vlans Security
Task 6
Implementation of security
solution
Task 7
Task 9
Future Enhancements
Finalizing the project