Cluster 7: Class Activity #1. Part A


Cluster 7

CLASS ACTIVITY #1. PART A

Robert A Mera
IT CERT #4-NETWORKING | IEA COLLEGE OF TAFE
PGIICT40418 Certificate 4 in Information Technology
Networking Cluster 7
Unit of Competency: PGIICTNWK421 - Install, configure and test network security

Class Activities / Tasks

A summary of your tasks is as follows:

2.1 Implement required level of perimeter security to meet organizational asset security requirements
and according to identified threats and vulnerabilities

2.2 Assess and implement server and network hardening techniques and measures

2.3 Implement secure authentication and user account controls to secure data integrity and transmission

Certificate 4 in Information Technology Networking Cluster 7 Session 2 Class Activities
Network Scenario 2 – Simulated Organisation LAN

Scenario: LAN/WAN Physical Topology

Features of this network

Physical
- Switches used in the LANs are plug-and-play unmanaged switches.
- A single cable connects all switches and the gateway router.
- All end devices are connected to a physical access point via Category 5 straight-through cables to the nearest switch.
- All wireless end devices are connected to the LAN via wireless access points / routers using WPA TKIP.
- Some cables are not secured in proper cable conduits or ducts.
- A few desktop data cables are exposed on the floor.
- The LAN is a domain network.
- All servers, computers, switches and routers are in the same LAN subnet (single subnet 192.168.10.0).

Software
- All workstations are running MS Windows 7 Professional.
- All computers are members of a domain / Active Directory.
- Computers currently allow flash drive and DVD access.
- Computers allow local logins on workstations as well.
- All workstations use IP addresses leased from the DHCP server.
- All workstations use Avira Antivirus Free version, which is updated each week.
- All servers have Avira Business Edition and are updated once a month.
- End users are given direct Internet access; there is no proxy server in place.

Future Plans
- Host Website in LAN to publish to internet
- Host Remote Access to Office
- Establish Secured site to site links as well as secure LANS
Critical Asset Security Requirements
Assume this table to be a portion of the organisation's data security requirements. Each asset / device is listed with its configurations under the three elements of the CIA security triad: Confidentiality, Integrity and Availability.

Routers
Confidentiality:
- Physically locked
- Usernames
- Passwords
- Access Control Lists
- Firewall
- DMZ
- RADIUS Authentication
- TACACS+ Authentication
- Multifactor authentication
Integrity:
- Encrypted passwords
- Data or link encryption and authentication protocols such as WPA2, PPP, IPsec VPN tunnels
- Data or link hashing algorithms such as AES, RSA, 3DES, HMAC, MD5, SHA-1
Availability:
- Redundant LAN and WAN
- Network Load Balancing
- GLBP, HSRP or VRRP
- Quality of Service (QoS)

Switches (Access Points)
Confidentiality:
- Managed switches
- Physically locked
- Usernames
- Passwords
- Switch port security
- Access Control Lists
- RADIUS Authentication
- TACACS+ Authentication
- Secure console access
- Secure Telnet access
- Secure remote access
- Shut down unused ports
Integrity:
- Encrypted passwords
- Data or link encryption and authentication protocols such as WPA2, PPP, IPsec VPN tunnels
- Data or link hashing algorithms such as AES, RSA, 3DES, HMAC, MD5, SHA-1
Availability:
- VTP configurations
- STP or RSTP
- Console access
- Telnet access
- EtherChannel (LACP / PAgP)
- Quality of Service (QoS)

Wireless Access Points
Confidentiality:
- Physically locked
- Usernames
- Passwords
- Switch port security
- Access Control Lists
- Firewall
- RADIUS Authentication
- TACACS+ Authentication
- Secure console access
- Secure Telnet access
- Secure remote access
Integrity:
- Encrypted passwords
- Data or link encryption and authentication protocols such as WPA2, PPP, IPsec VPN tunnels
- Data or link hashing algorithms such as AES, RSA, 3DES, HMAC, MD5, SHA-1
Availability:
- Mesh wireless topology
- SSID STP or RSTP
- Remote management
- Quality of Service (QoS)

MS File Server
Confidentiality:
- Physically locked
- Usernames
- Passwords
- Access Control Lists
- Firewall
- Antivirus / Antimalware
- NTFS security
- Active Directory
Integrity:
- Encrypted passwords
- Data or link encryption and authentication protocols WPA2, PPP, IPsec VPN tunnels
- Data or link hashing algorithms such as AES, RSA, 3DES, HMAC, MD5, SHA-1
- Quality of Service (QoS)
Availability:
- Network load balance
- Redundant NICs
- Backups
- Security updates

MS Web Server (Future)
Confidentiality:
- Physically locked
- Usernames
- Passwords
- Access Control Lists
- Firewall
- Antivirus / Antimalware
- NTFS security
- Active Directory authentication
Integrity:
- SSL authentication
- Host in DMZ
- Encrypted passwords
- Data or link hashing algorithms such as AES, RSA, 3DES, HMAC, MD5, SHA-1
- AD DS or LDAP security
Availability:
- Network load balance
- Redundant NICs
- Backups
- Security updates
- Hosted in perimeter or DMZ

2.1 Implement required level of perimeter security to meet organizational asset security requirements and according to identified threats and vulnerabilities

Part A. Question and Answer


1. Explain the following terms and their function in networking

a) Perimeter network - A network perimeter is the secured boundary between the private, locally managed side
of a network, often a company's intranet, and the public-facing side of a network, often the Internet.
- Border Routers: Routers serve as the traffic signs of networks. They direct traffic into, out of, and
throughout networks. The border router is the final router under the control of an organization before
traffic appears on an untrusted network, such as the Internet.
- Firewalls: A firewall is a device with a set of rules specifying what traffic it will allow or deny to pass
through it. A firewall typically picks up where the border router leaves off and makes a much more
thorough pass at filtering traffic.
- Intrusion Detection System (IDS): This functions as an alarm system for your network and is used to detect
and alert on suspicious activity. The system can be built from a single device or a collection of sensors
placed at strategic points in a network.
- Intrusion Prevention System (IPS): Compared to a traditional IDS, which simply notifies administrators of
possible threats, an IPS can attempt to automatically defend the target without the administrator's direct
intervention.
- De-Militarized Zones / Screened Subnets: DMZ and screened subnet refer to small networks containing
public services, connected directly to and protected by the firewall or other filtering device.
https://www.barracuda.com/glossary/network-perimeter
b) DMZ network - A DMZ network (sometimes referred to as a "demilitarized zone") functions as a sub-
network containing an organization's exposed, outward-facing services. It acts as the exposed point to an
untrusted network, commonly the Internet. The goal of a DMZ is to add an extra layer of security to an
organization's local area network. A protected and monitored network node that faces outside the
internal network can access what is exposed in the DMZ, while the rest of the organization's network is
safe behind a firewall. When implemented properly, a DMZ network gives organizations extra protection
in detecting and mitigating security breaches before they reach the internal network, where valuable
assets are stored.
https://www.barracuda.com/glossary/dmz-network
c) Perimeter security - Perimeter security protocols are put in place in a network to monitor and report
suspicious and malicious activities in a perimeter network.
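To make the firewall and DMZ definitions above concrete, here is an added example (not part of the class activity or of the Barracuda glossary it cites) of a zone-based rule evaluator of the kind a perimeter device runs. Only the 192.168.10.0/24 LAN subnet comes from the scenario; the DMZ subnet 10.0.10.0/24, the rule set and the sample addresses are assumptions made for this illustration. Each packet is classified into LAN, DMZ or INTERNET by subnet, the ordered rules are checked first-match-wins, and anything unmatched falls to the implicit deny.

```python
# Added example (not from the class activity): a minimal zone-based
# firewall/ACL evaluator separating the Internet, a DMZ and the internal LAN.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zone layout: the scenario's LAN subnet plus an ASSUMED DMZ subnet for the
# future web server. Every other address is treated as "INTERNET".
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),
    "DMZ": ip_network("10.0.10.0/24"),   # assumed DMZ subnet, not from the scenario
}


def zone_of(ip: str) -> str:
    """Classify an address into LAN, DMZ or INTERNET by subnet membership."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "*" matches any zone
    dst_zone: str
    proto: str               # "tcp", "udp", "icmp" or "*"
    dst_port: Optional[int]  # None means any destination port
    action: str              # "allow" or "deny"

    def matches(self, src_zone, dst_zone, proto, dst_port) -> bool:
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and self.proto in ("*", proto)
                and (self.dst_port is None or self.dst_port == dst_port))


# Ordered rule base (constructed): first match wins; unmatched traffic hits
# the implicit deny at the end, which is how most firewall/ACL engines behave.
RULES = [
    Rule("LAN", "INTERNET", "tcp", 80, "allow"),
    Rule("LAN", "INTERNET", "tcp", 443, "allow"),
    Rule("LAN", "DMZ", "tcp", 443, "allow"),
    Rule("INTERNET", "DMZ", "tcp", 443, "allow"),  # only the published web service
    Rule("DMZ", "LAN", "*", None, "deny"),          # a compromised DMZ host must not reach the LAN
    Rule("INTERNET", "LAN", "*", None, "deny"),     # nothing from outside reaches the LAN directly
]


def evaluate(src_ip, dst_ip, proto, dst_port, rules=RULES):
    """Return (action, index of the matching rule); index -1 means implicit deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for i, rule in enumerate(rules):
        if rule.matches(src_zone, dst_zone, proto, dst_port):
            return rule.action, i
    return "deny", -1


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dst_port)
    samples = [
        ("203.0.113.7", "10.0.10.5", "tcp", 443),      # Internet -> DMZ web: allowed
        ("203.0.113.7", "10.0.10.5", "tcp", 22),       # Internet -> DMZ ssh: implicit deny
        ("203.0.113.7", "192.168.10.25", "tcp", 445),  # Internet -> LAN: denied
        ("10.0.10.5", "192.168.10.25", "tcp", 445),    # DMZ -> LAN: denied
        ("192.168.10.25", "203.0.113.7", "tcp", 443),  # LAN -> Internet https: allowed
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

The important property to notice is the last two rules: a DMZ host that is compromised through its public service still cannot open connections into the LAN, which is what makes the DMZ a useful buffer rather than just another subnet.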

2. List 5 different security threats that a perimeter router or device can be exposed to.

1. Unauthorized access
Unauthorized access refers to attackers accessing a network without receiving permission. Among the causes
of unauthorized access attacks are weak passwords, lacking protection against social engineering, previously
compromised accounts, and insider threats.

2. Distributed Denial of Service (DDoS) attacks

Attackers build botnets, large fleets of compromised devices, and use them to direct false traffic at your
network or servers. DDoS can occur at the network level, for example by sending huge volumes of SYN/ACK
packets which can overwhelm a server, or at the application level, for example by performing complex SQL
queries that bring a database to its knees.

3. Man in the middle attacks


A man in the middle attack involves attackers intercepting traffic, either between your network and external
sites or within your network. If communication protocols are not secured or attackers find a way to circumvent
that security, they can steal data that is being transmitted, obtain user credentials and hijack their sessions.

4. Code and SQL injection attacks


Many websites accept user inputs and fail to validate and sanitize those inputs. Attackers can then fill out a
form or make an API call, passing malicious code instead of the expected data values. The code is executed on
the server and allows attackers to compromise it.

5. Privilege escalation
Once attackers penetrate your network, they can use privilege escalation to expand their reach. Horizontal
privilege escalation involves attackers gaining access to additional, adjacent systems, and vertical escalation
means attackers gain a higher level of privileges for the same systems.
https://www.cynet.com/network-attacks/network-attacks-and-network-security-threats/

3. List 5 different examples of perimeter security that can be applied to mitigate or prevent these
attacks listed in previous task to occur.

Segregate Your Network

- A basic part of network security is dividing a network into zones based on security requirements. This
can be done using subnets within the same network, or by creating Virtual Local Area Networks
(VLANs), each of which behaves like a completely separate network. Segmentation limits the potential
impact of an attack to one zone, and requires attackers to take special measures to penetrate and gain
access to other network zones.

Regulate Access to the Internet via Proxy Server

- Do not allow network users to access the Internet unchecked. Pass all requests through a transparent
proxy, and use it to control and monitor user behavior. Ensure that outbound connections are actually
performed by a human and not a bot or other automated mechanism. Whitelist domains to ensure
corporate users can only access websites you have explicitly approved.

Place Security Devices Correctly

- Place a firewall at every junction of network zones, not just at the network edge. If you can't deploy
full-fledged firewalls everywhere, use the built-in firewall functionality of your switches and routers.
Deploy anti-DDoS devices or cloud services at the network edge. Carefully consider where to place
strategic devices like load balancers: if they are outside the Demilitarized Zone (DMZ), they won't be
protected by your network security apparatus.

Use Network Address Translation

- Network Address Translation (NAT) lets you translate internal IP addresses into addresses accessible on
public networks. You can use it to connect multiple computers to the Internet using a single IP address.
This provides an extra layer of security, because any inbound or outgoing traffic has to go through a
NAT device, and there are fewer exposed IP addresses, which makes it difficult for attackers to understand
which host they are connecting to.

Monitor Network Traffic

- Ensure you have complete visibility of incoming, outgoing and internal network traffic, with the ability
to automatically detect threats, and understand their context and impact. Combine data from different
security tools to get a clear picture of what is happening on the network, recognizing that many attacks
span multiple IT systems, user accounts and threat vectors.

- Achieving this level of visibility can be difficult with traditional security tools. Cynet 360 is an integrated
security solution offering advanced network analytics, which continuously monitors network traffic,
automatically detects malicious activity, and either responds to it automatically or passes context-rich
information to security staff.

Use Deception Technology

- No network protection measures are 100% successful, and attackers will eventually succeed in
penetrating your network. Recognize this and put deception technology in place, which creates
decoys across your network, tempting attackers to "attack" them, and letting you observe their plans
and techniques. You can use decoys to detect threats in all stages of the attack lifecycle: data files,
credentials and network connections.
https://www.cynet.com/network-attacks/network-attacks-and-network-security-threats/
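The "Monitor Network Traffic" item above, together with the network-level DDoS description in task 2 (a flood of SYN packets), can be illustrated with a small detector. This is an added example, not part of the class activity or of the Cynet article it cites; the connection-log line format, the timestamps, the addresses and the thresholds (20 SYNs within 10 seconds) are all constructed for this illustration. It keeps a sliding window of SYN attempts per source address and raises one alert the first time a source exceeds the threshold, which is the kind of rule a monitoring tool applies before handing context to security staff.

```python
# Added example (not from the class activity): flag sources whose rate of
# TCP SYN attempts within a short window far exceeds that of normal clients.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log line format:
# "<iso-timestamp> <src ip>:<src port> -> <dst ip>:<dst port> TCP <flags>"
LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) TCP (\S+)$")


def parse(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}


def detect_syn_floods(lines, window_s=10, threshold=20):
    """Return [(src, time of first alert, SYNs in window)] for each source that
    sends at least `threshold` SYNs inside any `window_s`-second window."""
    recent = defaultdict(deque)   # src -> timestamps of recent SYNs (per-source order)
    alerted = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["flags"] != "SYN":
            continue                      # ignore malformed lines and non-SYN segments
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                   # drop SYNs that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted[ev["src"]] = (ev["ts"], len(q))
    return [(src, ts, n) for src, (ts, n) in alerted.items()]


def sample_log():
    """Constructed log: one normal LAN client and one external source bursting SYNs."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(3):                    # normal client: 3 connections over 40 s
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 192.168.10.40:{51000 + i} -> 192.168.10.10:445 TCP SYN")
        lines.append(f"{t.isoformat()} 192.168.10.40:{51000 + i} -> 192.168.10.10:445 TCP ACK")
    for i in range(25):                   # burst: 25 SYNs in 5 s from one outside address
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7:{40000 + i} -> 203.0.113.50:80 TCP SYN")
    return sorted(lines)                  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for src, ts, n in detect_syn_floods(sample_log()):
        print(f"ALERT {ts.isoformat()} {src}: {n} SYNs within the window")
```

With the constructed log the normal client never trips the rule, while the bursting source is reported once, at its 20th SYN; a real deployment would tune the window and threshold to the observed baseline and feed the alert into the same place the other security tools report to.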

4. Explain how these security entities work in a network

a) Telnet - A terminal emulation protocol, part of the TCP/IP suite of protocols and common in the
Unix world, that provides remote terminal-connection services. The most common terminal emulations
are for Digital Equipment Corporation (DEC) VT-52, VT-100, and VT-220 terminals, although many
companies offer additional add-in emulations.
b) Secure Shell (SSH) - SSH is a network protocol that gives users, particularly system administrators, a secure
way to access a computer over an unsecured network. In addition to providing secure network services,
SSH refers to the suite of utilities that implement the SSH protocol. Secure Shell provides strong
password authentication and public key authentication, as well as encrypted data communications
between two computers connecting over an open network, such as the internet. In addition to providing
strong encryption, SSH is widely used by network administrators for managing systems and applications
remotely, enabling them to log in to another computer over a network, execute commands and move
files from one computer to another.
https://searchsecurity.techtarget.com/definition/Secure-Shell
c) RADIUS Authentication - Remote Authentication Dial-In User Service, abbreviated RADIUS, is a third-party
authentication server attached to a network. Remote users dial in to the access server, and the access server
requests authentication services from the RADIUS server. The RADIUS server authenticates users and
gives them access to network resources. The access server acts as a client to the RADIUS server.
d) TACACS Authentication - Terminal Access Controller Access-Control System (TACACS, /ˈtækæks/) refers
to a family of related protocols handling remote authentication and related services for networked
access control through a centralized server. The original TACACS protocol, which dates back to 1984, was
used for communicating with an authentication server, common in older UNIX networks; it spawned
related protocols:
- Extended TACACS (XTACACS) is a proprietary extension to TACACS introduced by Cisco
Systems in 1990 without backwards compatibility to the original protocol. TACACS and
XTACACS both allow a remote access server to communicate with an authentication server in
order to determine if the user has access to the network.
- Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by
Cisco and released as an open standard beginning in 1993. Although derived from TACACS,
TACACS+ is a separate protocol that handles authentication, authorization, and accounting
(AAA) services. TACACS+ has largely replaced its predecessors.
https://en.wikipedia.org/wiki/TACACS
e) QoS - Quality of Service, abbreviated QoS, describes the network requirements to support a specific application.
Different types of networks and network traffic have different QoS requirements. QoS includes the ability to
guarantee the delivery of time-sensitive data, control the bandwidth, set priorities for specific network
traffic, and provide an appropriate level of security. QoS is often associated with the delivery of data such
as live video, while at the same time maintaining sufficient bandwidth for the delivery of normal network
traffic, perhaps at a lower data rate.
f) IPsec VPN (Internet Protocol Virtual Private Network)- Internet Protocol Security (IPsec) is a secure
network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted
communication between two computers over an Internet Protocol network. It is used in virtual private
networks (VPNs).
IPsec includes protocols for establishing mutual authentication between agents at the beginning of a
session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows
between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or
between a security gateway and a host (network-to-host). IPsec uses cryptographic security services to
protect communications over Internet Protocol (IP) networks. It supports network-level peer
authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay
protection.
https://en.wikipedia.org/wiki/IPsec
g) NAT - Network Address Translation (NAT):
In NAT, private IP addresses (local addresses) are translated into a public IP address. NAT is used
to slow down the rate of depletion of available IP addresses by translating local or private IP addresses
into global or public IP addresses. NAT can be a one-to-one relation or a many-to-one relation.
h) PAT - Port Address Translation (PAT):
In PAT, private IP addresses are translated into a public IP address via port numbers. PAT also uses an IPv4
address but combined with a port number. It has two types:
1. Static
2. Overloaded PAT
https://www.geeksforgeeks.org/difference-between-network-address-translation-nat-and-port-address-translation-pat/
i) Static NAT Port Forwarding - Static NAT (SNAT), also known as port forwarding, is a port-to-host NAT.
With static NAT, when a host sends a packet from a network to a port on an external or optional
interface, static NAT changes the destination IP address to an IP address and port behind the firewall. If a
software application uses more than one port and the ports are selected dynamically, you must either
use 1-to-1 NAT, or check whether a proxy on your Firebox manages this kind of traffic. Static NAT also
operates on connections from networks that your Firebox protects.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_static_config_about_c.html
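The three translation types explained in g), h) and i) are easiest to compare by simulating one gateway that does all of them. The following is an added example, not part of the class activity or of the GeeksforGeeks and WatchGuard pages it cites: a Python model of a NAT gateway with a one-to-one static NAT mapping, many-to-one PAT (overloaded PAT) that tells inside hosts apart by the public port it assigns, and a static port forward that publishes one inside service. The inside network is the scenario's 192.168.10.0/24; the public addresses 203.0.113.x, the remote host 198.51.100.5 and the port numbers are constructed for the illustration.

```python
# Added example (not from the class activity): a simulated NAT gateway that
# performs one-to-one static NAT, many-to-one PAT (overload) and a static
# port forward, and shows which inbound packets it drops.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    def __init__(self, public_ip, static_map=None, port_forwards=None, pat_base=40000):
        self.public_ip = public_ip
        self.static_map = dict(static_map or {})        # inside IP -> dedicated public IP (one-to-one)
        self.port_forwards = dict(port_forwards or {})  # public port -> (inside IP, inside port)
        self.pat_base = pat_base                        # first public port handed out by PAT
        self.pat_table = {}    # (inside IP, inside port, remote IP, remote port) -> public port
        self.pat_reverse = {}  # public port -> that same 4-tuple

    def outbound(self, pkt):
        """Translate an inside->outside packet; returns the packet as seen on the Internet."""
        if pkt.src_ip in self.static_map:               # one-to-one NAT keeps the source port
            return Packet(self.static_map[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.pat_table:                   # PAT: allocate a public port per session
            pub_port = self.pat_base + len(self.pat_table)
            self.pat_table[key] = pub_port
            self.pat_reverse[pub_port] = key
        return Packet(self.public_ip, self.pat_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an outside->inside packet; returns None when the gateway drops it."""
        for inside_ip, pub_ip in self.static_map.items():
            if pkt.dst_ip == pub_ip:                    # one-to-one NAT: any port passes through
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port)
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.port_forwards:          # static port forward (published service)
            in_ip, in_port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        entry = self.pat_reverse.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])   # reply to a PAT session
        return None                                     # unsolicited inbound: dropped


def demo():
    """Constructed walk-through returning the translated packets for inspection."""
    gw = NatGateway("203.0.113.1",
                    static_map={"192.168.10.10": "203.0.113.10"},        # file server, 1-to-1
                    port_forwards={443: ("192.168.10.20", 8443)})        # future web server
    out_a = gw.outbound(Packet("192.168.10.40", 51000, "198.51.100.5", 80))
    out_b = gw.outbound(Packet("192.168.10.41", 51000, "198.51.100.5", 80))  # same inside port
    reply = gw.inbound(Packet("198.51.100.5", 80, "203.0.113.1", out_a.src_port))
    stray = gw.inbound(Packet("198.51.100.99", 80, "203.0.113.1", out_a.src_port))
    web = gw.inbound(Packet("198.51.100.5", 50000, "203.0.113.1", 443))
    closed = gw.inbound(Packet("198.51.100.5", 50000, "203.0.113.1", 22))
    return {"out_a": out_a, "out_b": out_b, "reply": reply, "stray": stray,
            "web": web, "closed": closed}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:7} {pkt}")
```

Two hosts using the same inside port 51000 end up on different public ports (40000 and 40001), which is the "via port numbers" part of PAT; a reply is only let back in when it comes from the remote endpoint recorded for that port, and a packet to a port with no forward and no session is dropped, which is the "extra layer of security" NAT is credited with in task 3.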
