
Higher Nationals

Internal verification of assessment decisions – BTEC (RQF)


INTERNAL VERIFICATION – ASSESSMENT DECISIONS

Programme title: BTEC Higher National Diploma in Computing
Assessor:
Internal Verifier:
Unit(s): Unit 17 - Network Security
Assignment title: Secure Network for AstraZeneca Campus
Student’s name: K.D.K. Nithya Jayawardhane
List which assessment criteria the Assessor has awarded: Pass / Merit / Distinction
INTERNAL VERIFIER CHECKLIST

Do the assessment criteria awarded match those shown in the assignment brief? Y/N
Is the Pass/Merit/Distinction grade awarded justified by the assessor’s comments on the student work? Y/N
Has the work been assessed accurately? Y/N
Is the feedback to the student (give details):
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N
Does the assessment decision need amending? Y/N
Assessor signature:   Date:
Internal Verifier signature:   Date:
Programme Leader signature (if required):   Date:

K.D.K.N Jayawardhane
Unit 17
Assignment 01
-1-
Confirm action completed
Remedial action taken
Give details:

Assessor signature:   Date:
Internal Verifier signature:   Date:
Programme Leader signature (if required):   Date:

Higher Nationals – Summative Assignment Feedback Form

Student Name/ID: K.D.K. Nithya Jayawardhane E029658
Unit Title: Unit 17 - Network Security
Assignment Number: 1   Assessor:
Submission Date: 09.11.2021   Date Received 1st submission:
Re-submission Date:   Date Received 2nd submission:
Assessor Feedback:

LO1 Examine Network Security principles, protocols and standards.
Pass, Merit & Distinction Descriptors: P1 P2 M1 D1

LO2 Design a secure network for a corporate environment.
Pass, Merit & Distinction Descriptors: P3 P4 M2 D1

LO3 Configure Network Security measures for the corporate environment.
Pass, Merit & Distinction Descriptors: P5 P6 M3 D2

LO4 Undertake the testing of a network using a Test Plan.
Pass, Merit & Distinction Descriptors: P7 P8 M4 M5 D3

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:

* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grade decisions have been agreed at the assessment board.
General Guidelines

1. A Cover page or title page – You should always attach a title page to your assignment. Use the
previous page as your cover sheet and make sure all the details are accurately filled in.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using a word processing software.
4. All the assignments should be printed on A4 sized papers. Use single side printing.
5. Allow 1” for the top, bottom and right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and the font should be Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use the footer function in the word processor to insert your name, subject, assignment number
and page number on each page. This is useful if individual sheets become detached for any
reason.
5. Use the word processing application’s spell check and grammar check functions to help edit your
assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add text in the assignments, except for the compulsory
information, e.g. figures, tables of comparison etc. Adding text boxes in the body except for the
before-mentioned compulsory information will result in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions
will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you
may apply (in writing) for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will
then be asked to complete an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using
HARVARD referencing system to avoid plagiarism. You have to provide both in-text citation
and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be
reduced to A REFERRAL or at worst you could be expelled from the course.

Student Declaration

I hereby declare that I know what plagiarism entails, namely, to use another’s work and to present it
as my own without attributing the sources in the correct way. I further understand what it means to
copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.


2. I understand the plagiarism and copying policy of the Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the
assignments for this program.
4. I declare therefore that all work presented by me for every aspect of my program will be my
own, and where I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document, signed or not, constitutes a binding
agreement between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not
attached to the assignment.

Student’s Signature (Provide E-mail ID): nithya.jayawardhana@gmail.com
Date (Provide Submission Date): 09.11.2021

Feedback Form

Formative Feedback : Assessor to Student

Action Plan

Summative feedback

Feedback: Student to Assessor.

Assessor’s Signature:   Date:

Student’s Signature:   Date:

Assignment Brief

Student Name /ID Number K.D.K. Nithya Jayawardhane E029658

Unit Number and Title Unit 17- Network Security

Academic Year 2021/22

Unit Tutor Mr. Kavindu Chethiya

Assignment Title Secure Network for AstraZeneca Campus

Issue Date

Submission Date

IV Name & Date

Submission Format:

The submission should be in the form of an individual written report. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of headings,
paragraphs and subsections as appropriate, and all work must be supported with evidence. You must
provide in-text citations and the reference list using Harvard referencing system.

Unit Learning Outcomes:

LO1. Examine Network Security principles, protocols and standards.


LO2. Design a secure network for a corporate environment.
LO3. Configure Network Security measures for the corporate environment.
LO4 Undertake the testing of a network using a Test Plan.

Assignment Brief and Guidance:

AstraZeneca Campus is an education institute with 2 remote campuses and the main campus in
Colombo. The Web server, Moodle server and Mail servers are located at the main campus, which
uses a high-speed Internet leased line connection from the ISP. The Moodle server, which is used for
practicals, can only be accessed from the local network at the main campus. Main campus network
connectivity is provided via wired connections. Layer 2 and Layer 3 security should be implemented on the
main branch. Wireless connectivity is provided for students only for Internet access, and strict control
of data usage and URL filtering is required.
The management of the institute is planning to extend the facilities available in the main campus
network to the students in the remote campuses through VPN connectivity, and also to minimize the
possibility of cyber-attacks on the main campus network and to comply with current network security
standards.
Assuming you have been appointed as the new network security analyst of AstraZeneca Campus,
prepare a network security architectural design with your suggestions and recommendations to
improve the security standard. In the design process, you may consider the following aspects:

1. The main campus LAN needs to be Gigabit Ethernet, and all network devices need to be compatible with
each other for maximum performance.
2. All network devices should be manageable, and only secure logins should be allowed on all devices.
3. AAA should be used for network device login authentication where possible, a Syslog server should
be used to record logging events, and an NTP server should provide time.
4. All publicly available resources, including public web servers, need to be separated from the main
network and moved to a separate subnet. Only secure web access should be enabled for web
servers.
5. The network design should follow the Hierarchical Network Design Model.
6. End-user authentication and management of security policies need to be centralized.
7. Internet usage management and URL filtering need to be enforced.
8. Communication between the head office and the branch offices needs to be highly secured.
9. Quality of service (QoS) should be implemented where possible.

(Hint: Clearly state your assumptions. You are allowed to assume the current network setup
according to the services available and propose the improvements according to your assumptions.)
Activity 1
1.1 Discuss different types of network security hardware and software that are used in modern network
design.
1.2 Examine network security protocols and standards for secure network design while comparing and
contrasting at least two major network security protocols that can be implemented into the given
context.
Activity 2
2.1 Investigate the purpose and requirements of a secure network for the network of AstraZeneca
campus while reviewing the importance of network security to the organization.
2.2 Determine which HW/SW are suitable for AstraZeneca campus and provide a suitable IP allocation
plan using 172.30.0.0/16 network. Create a network design (blue print) for internal and branch
network of AstraZeneca (Public servers should be separated from the Internal Network).
Activity 3
3.1 Configure all the network devices to achieve the highest level of security and design and describe
the cryptographic types and other security related concepts and technologies used for the design.
(Provide configuration scripts/files/screenshots with comments)
3.2 Download open source PfSense firewall and configure basic firewall settings including DMZ and
VPN configurations. (Provide configuration scripts/files/screenshots with comments). Review how
QoS can be integrated into Network security configurations

Activity 4
4.1 Create a test plan and test your network (LAN and WAN). Critically evaluate the test results.
(Provide test configuration scripts/files/screenshots with comments.)

4.2 Make improvement/ recommendations to the re-designed network of AstraZeneca while critically
evaluating the design, plan, configuration, and testing of the implemented network.

Acknowledgement

To conclude this assignment successfully I got the support of my parents, lecturers and
friends. I thank all who supported me, and special thanks go to my lecturer Mr. Kavindu
Chethiya, who enhanced my knowledge of the Network Security subject.

Table of Contents
Introduction ......................................................................................................................... - 13 -

1.1 Discuss different types of network security hardware and software that are used in modern
network design. ................................................................................................................... - 14 -

1.1.1 Network Security Hardware ................................................................................ - 14 -

1.1.1.1 Router .............................................................................................................. - 14 -

1.1.1.2 Switch............................................................................................................... - 15 -

1.1.1.3 Network Access Control (NAC) .................................................................... - 15 -

1.1.1.4 Firewalls .......................................................................................................... - 16 -

1.1.2 Network Security Software ................................................................................... - 19 -

1.1.2.1 Wireshark ........................................................................................................ - 19 -

1.1.2.2 Metasploit ........................................................................................................ - 20 -

1.1.2.3 Nessus............................................................................................................... - 20 -

1.1.2.5 Snort................................................................................................................. - 20 -

1.2 Examine network security protocols and standards for secure network design while
comparing and contrasting at least two major network security protocols that can be
implemented into the given context. ................................................................................... - 21 -

1.2.1 Hyper Text Transfer Protocol Secure (HTTPS) ................................................. - 21 -

1.2.2 Secure Shell (SSH) ................................................................................................. - 21 -

1.2.3 IPSec – Internet protocol security ........................................................................ - 22 -

1.2.4 DNSSEC – Domain Name System Security ........................................................ - 22 -


1.2.5 VSTP - VLAN Spanning Tree Protocol ............................................................... - 22 -

1.2.2 Network Standards ................................................................................................ - 23 -

2.1 Investigate the purpose and requirements of a secure network for the network of AstraZeneca
campus while reviewing the importance of network security to the organization. ............. - 24 -

2.1.1 Purpose of the Network Security ......................................................................... - 24 -

2.1.2 Basic Network Security Requirements ................................................................ - 25 -

2.1.3 Importance of Network Security for a University .............................................. - 26 -

2.1.4 Importance of Network Security to Organization .............................................. - 27 -

2.2 Determine which HW/SW are suitable for AstraZeneca campus and provide a suitable IP
allocation plan using 172.30.0.0/16 network. Create a network design (blue print) for internal
and branch network of AstraZeneca (Public servers should be separated from the Internal
Network). ............................................................................................................................. - 28 -

2.2.1 Selected Hardware Devices for AstraZeneca ............................................................. - 28 -

2.2.1.1 Router .............................................................................................................. - 28 -

2.2.1.2 Switch............................................................................................................... - 29 -

2.2.1.3 Servers ............................................................................................................. - 30 -

2.2.2 Selected Software Devices for AstraZeneca Campus ......................................... - 31 -

2.2.2.1 Ubuntu Operating System ............................................................................. - 31 -

2.2.2.2 pfsence Firewall .............................................................................................. - 31 -

2.2.2.3 Wireshark ........................................................................................................ - 32 -

2.2.4 Blue print of the design ......................................................................................... - 33 -

3.1 Configure all the network devices to achieve the highest level of security and design and
describe the cryptographic types and other security related concepts and technologies used for
the design. (Provide configuration scripts/files/screenshots with comments) .................... - 35 -

3.1.1 Security Implementations ..................................................................................... - 35 -

3.1.1.1 Device Security Implementations .................................................................. - 35 -

3.1.1.2 SSH Implementations ..................................................................................... - 37 -

3.1.1.3 AAA Server Implementation ......................................................................... - 38 -

3.1.1.4 Syslog Server Records .................................................................................... - 40 -

3.1.1.5 NTP Server ...................................................................................................... - 41 -

3.1.1.6 Layer 2 and Layer 3 Implementations ......................................................... - 42 -

3.1.2 Cryptography ......................................................................................................... - 44 -

3.1.2.1 Symmetric Encryption ................................................................................... - 45 -

3.1.2.2 Asymmetric Encryption ................................................................................. - 47 -

3.1.2.3 Hash Functions ............................................................................................... - 48 -

3.2 Download open source PfSense firewall and configure basic firewall settings including
DMZ and VPN configurations. Review how QoS can be integrated into Network security
configurations. ..................................................................................................................... - 49 -

3.2.1 PfSense firewall ...................................................................................................... - 49 -

3.2.2 IPsec VPN ............................................................................................................... - 51 -

3.2.2.1 IPsec VPN Configurations ............................................................................. - 52 -

3.2.3 QoS for a Network ................................................................................................. - 55 -

3.2.3.1 Characteristics of Network Traffic Managed by QoS ................................ - 55 -

3.2.3.3 QoS Configurations ........................................................................................ - 57 -

4.1 Create a test plan and test your network (LAN and WAN). Critically evaluate the test results.
............................................................................................................................................. - 58 -

4.1.1 Test Plan ................................................................................................................. - 58 -

4.2 Make improvement/ recommendations to the re-designed network of AstraZeneca while
critically evaluating the design, plan, configuration, and testing of the implemented network. - 65 -

4.2.1 Future Enhancement ............................................................................................. - 65 -

References ........................................................................................................................... - 66 -

Introduction

AstraZeneca Campus is an education institute with 2 remote campuses and the main campus
in Colombo. The management of the institute is planning to extend the facilities available in
the main campus network to the students in the remote campuses through VPN connectivity,
and also to minimize the possibility of cyber-attacks on the main campus network and to comply
with current network security standards.

I have been appointed as the new network security analyst of AstraZeneca Campus, so I
prepared a network security architectural design with my suggestions and recommendations to
improve the security standard.

Activity 1
1.1 Discuss different types of network security hardware and software that are used
in modern network design.

1.1.1 Network Security Hardware

1.1.1.1 Router

A router is a network-layer (layer 3) device used to interconnect different types of networks. A
router has two essential functions: path determination using a variety of metrics, and
forwarding packets from one network to the next. Routing metrics can include the load on the
link between devices, delay, bandwidth and reliability, or even hop count (the number of devices
a packet must pass through to reach its destination). Basically, routers do everything that bridges
and switches do, plus more. Routers have the ability to look further into the data frame and apply
network services based on the destination IP address. The destination and source IP addresses are
part of the network header added to a packet during encapsulation at the network layer.

Figure 1: Router
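The paragraph above lists the metrics a router can use for path determination (hop count, bandwidth, delay, load, reliability) without showing how the choice of metric changes the selected path. The following is an added example, not part of the original report: a small Dijkstra shortest-path implementation over a constructed five-router topology (node names, link bandwidths and the reference bandwidth are all assumptions) with a pluggable cost function. With a hop-count metric the two-hop path over slow 10 Mbit/s links wins; with an OSPF-style bandwidth-derived cost the longer path over gigabit links wins.

```python
import heapq
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed topology (assumption): (router, router, link bandwidth in Mbit/s)
LINKS = [("A", "B", 10), ("B", "D", 10), ("A", "C", 1000), ("C", "E", 1000), ("E", "D", 1000)]


def hop_cost(bandwidth_mbps: float) -> float:
    """Every link costs 1, so the path through the fewest routers wins."""
    return 1.0


def bandwidth_cost(bandwidth_mbps: float, reference_mbps: float = 100_000.0) -> float:
    """OSPF-style cost: reference bandwidth divided by link bandwidth, so faster links are cheaper."""
    return reference_mbps / bandwidth_mbps


def build_graph(links) -> Dict[str, List[Tuple[str, float]]]:
    """Adjacency list; every link is usable in both directions."""
    graph: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for a, b, bw in links:
        graph[a].append((b, bw))
        graph[b].append((a, bw))
    return graph


def best_path(links, src: str, dst: str,
              cost: Callable[[float], float]) -> Tuple[Optional[List[str]], float]:
    """Dijkstra's algorithm over the link graph with a pluggable routing metric."""
    graph = build_graph(links)
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                  # stale heap entry, a cheaper path was already found
        if u == dst:
            break
        for v, bw in graph[u]:
            nd = d + cost(bw)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, float("inf")    # destination unreachable
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


if __name__ == "__main__":
    print(best_path(LINKS, "A", "D", hop_cost))        # (['A', 'B', 'D'], 2.0)
    print(best_path(LINKS, "A", "D", bandwidth_cost))  # (['A', 'C', 'E', 'D'], 300.0)
```

The same graph yields different forwarding decisions purely because of the metric, which is why a design brief that asks for Gigabit Ethernet throughout also needs the routing protocol's metric to reflect link bandwidth rather than hop count.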

1.1.1.2 Switch

A switch is a layer 2 device used to connect computers together. It is an intelligent device
that can forward a frame to its exact destination. A switch can have 4, 8, 16, 32, 64, 96
or more ports. There are also Layer 3 switches, which are a hybrid of a switch and a router.

Generally, a switch is a bridge with more than one port and a buffer, which boosts its
efficiency (a large number of ports means less traffic per port) and performance. The switch is
able to perform error checking before forwarding data, so it avoids forwarding frames that
have errors and only forwards good frames to the correct port. The switch therefore divides
the collision domain of its hosts, but does not divide their broadcast domain.

Figure 2: Switch
1.1.1.3 Network Access Control (NAC)

NAC is a network security control that restricts the availability of network resources
to endpoint devices that comply with your security policy. Some NAC solutions can
automatically remediate non-compliant devices to ensure they are secure before allowing them
onto the network. Network access control does a great deal to improve the endpoint
security of a network. Before granting access to the network, NAC checks
the device's security settings to ensure they meet the predefined security policy;
for instance, it may check whether the host has the latest antivirus software
and the latest patches. If the conditions are met, the device is allowed onto the
network. If not, NAC will quarantine the endpoint or connect it to the guest network until
the required security updates are applied to bring it into compliance with policy. NAC can use
agents to assess the device's security, or it may be agentless.
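The NAC admission decision described above (check antivirus and patch state against policy, then allow, quarantine or divert to the guest network) as an added worked example that is not part of the original report. The policy thresholds, VLAN numbers and posture fields are assumptions chosen for illustration; a real NAC product reports posture through its own agent or agentless scan, and this code only models the decision logic.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Posture:
    mac: str
    av_installed: bool
    av_signature_date: date   # when the antivirus signatures were last updated
    last_patch_date: date     # when operating system patches were last applied
    managed: bool             # True if an NAC agent reported the posture, False if agentless


# Constructed policy thresholds (assumption, not from the brief)
POLICY = {"max_signature_age_days": 7, "max_patch_age_days": 30}
# Constructed VLAN assignments (assumption)
VLANS = {"allow": 10, "quarantine": 99, "guest": 20}


def assess(posture: Posture, today: date, policy: Dict[str, int] = POLICY) -> List[str]:
    """Return the policy violations found; an empty list means the endpoint is compliant."""
    findings: List[str] = []
    if not posture.av_installed:
        findings.append("antivirus missing")
    elif (today - posture.av_signature_date).days > policy["max_signature_age_days"]:
        findings.append("antivirus signatures stale")
    if (today - posture.last_patch_date).days > policy["max_patch_age_days"]:
        findings.append("patches out of date")
    return findings


def admission_decision(posture: Posture, today: date) -> Dict[str, object]:
    """Map the posture assessment to the VLAN the switch port should be placed in."""
    findings = assess(posture, today)
    if not findings:
        return {"decision": "allow", "vlan": VLANS["allow"], "findings": []}
    # Agent-managed endpoints can be remediated in place, so they go to the quarantine
    # VLAN; unmanaged (agentless) endpoints are parked on the guest network instead.
    target = "quarantine" if posture.managed else "guest"
    return {"decision": target, "vlan": VLANS[target], "findings": findings}


if __name__ == "__main__":
    today = date(2021, 11, 9)
    laptop = Posture("aa:bb:cc:00:00:01", True, date(2021, 11, 8), date(2021, 10, 20), managed=True)
    print(admission_decision(laptop, today))   # allow, VLAN 10
```

The ordering matters: a missing antivirus product is reported instead of, not in addition to, stale signatures, so the findings list stays meaningful for the helpdesk message shown to the user in quarantine.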

Figure 4: NAC

1.1.1.4 Firewalls

A firewall is a network security device that keeps uninvited guests from browsing your
network. It guards the ports through which traffic is exchanged with external devices and
filters traffic coming from unsecured sources. The different types of firewalls include
software, hardware or a mixture of both. All have different uses, strengths and
weaknesses.

1.1.1.4.1 Packet Filtering Firewall

A packet-filtering firewall is a basic and straightforward type of network security
firewall. It has filters that compare incoming and outgoing packets against a standard
set of rules to decide whether to let them through. As a rule, the rule
set (sometimes called an access list) is predefined, based on a variety of
criteria. Rules can include source/destination IP addresses, source/destination port
numbers, and the protocols used. Packet filtering happens at Layer 3 and Layer 4 of the
OSI model.

The main benefit of packet-filtering firewalls is the speed at which the firewall
operations are accomplished, because most of the work happens at
Layer 3 or below and complex application-level information isn't needed. Often,
packet-filtering firewalls are used at the very edge of an organization's security
perimeter. For instance, packet-filtering firewalls are highly effective at protecting
against denial-of-service (DoS) attacks that intend to bring down sensitive systems on
internal networks.
1.1.1.4.2 Stateful Firewall

Among the most widespread types of protection available, stateful inspection firewalls
allow or block traffic based on technical properties, like specific protocols, connection states, or
ports.

Stateful inspection firewalls make filtering decisions to determine whether data is
allowed through to the user. These decisions are often based on rules established by
the administrator when setting up the computer and firewall.

The firewall can also make its own decisions based on previous interactions it has
"learned" from. For example, traffic types that caused disruptions in the past would
be filtered out in the future.
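The two preceding sections describe packet filtering (Layer 3/4 rules on addresses, ports and protocol, evaluated against a predefined access list) and stateful inspection (decisions that also depend on connection state). The following added example, which is not part of the original report, implements both side by side: a stateless first-match access list with an implicit deny, and a stateful wrapper that remembers permitted flows so that return traffic is accepted while unsolicited or mid-stream inbound TCP segments are dropped. The rule set uses the 172.30.0.0/16 campus range from the brief; the Moodle subnet, the sample addresses and the flags are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN without ACK: the first segment of a new connection


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # Layer 3 match, CIDR notation
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # Layer 4 match; None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless packet filter: first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


Flow = Tuple[str, int, str, int, str]


class StatefulFirewall:
    """Packet filter plus a state table that remembers permitted flows."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Flow] = set()

    def check(self, p: Packet) -> str:
        forward: Flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse: Flow = (p.dst, p.dport, p.src, p.sport, p.proto)
        if forward in self.flows or reverse in self.flows:
            return "permit"   # belongs to a flow that was already permitted
        if p.proto == "tcp" and not p.syn:
            return "deny"     # mid-stream TCP segment with no known connection
        action = packet_filter(self.rules, p)
        if action == "permit":
            self.flows.add(forward)
        return action


# Constructed rule set (assumption): campus hosts may open HTTPS to anywhere and reach an
# assumed Moodle subnet over HTTP; everything else, including all unsolicited inbound
# traffic, falls through to the final deny.
CAMPUS_RULES = [
    Rule("permit", proto="tcp", src="172.30.0.0/16", dport=443),
    Rule("permit", proto="tcp", src="172.30.0.0/16", dst="172.30.10.0/24", dport=80),
    Rule("deny"),
]


if __name__ == "__main__":
    fw = StatefulFirewall(CAMPUS_RULES)
    out = Packet("172.30.1.10", "203.0.113.5", "tcp", 51000, 443, syn=True)
    back = Packet("203.0.113.5", "172.30.1.10", "tcp", 443, 51000)
    print(packet_filter(CAMPUS_RULES, back), fw.check(out), fw.check(back))  # deny permit permit
```

The stateless filter on its own cannot admit the server's reply without a broad permit for inbound port 443 traffic; the stateful version admits it only because the client's outbound SYN was seen first, which is the practical difference between the two firewall types.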

1.1.1.4.3 Proxy Firewall

A proxy firewall is as close to an actual physical barrier as it is possible to get.
Unlike other types of firewalls, it acts as an intermediary between external networks and
computers, preventing direct contact between the two. Like a guard at a doorway, it
looks at and evaluates incoming data. If no problem is detected, the data is allowed
through to the user.

The downside to this kind of heavy security is that it sometimes interferes with incoming
data that isn't a threat, leading to delays in functionality.

Next Generation Firewall

Evolving threats demand more capable solutions, and next generation firewalls stay on
top of this issue by combining the features of a standard firewall with network intrusion
prevention systems.

In fact, threat-specific next gen firewalls are designed to look at and identify specific
dangers, like advanced malware, at a more granular level. More frequently employed by
businesses and complex networks, they supply a holistic solution to filtering out
dangers.

Figure 4: Firewall Types

1.1.1.4.4 IDS

An IDS improves security by detecting an intruder or malicious software
on a network so you can remove it quickly to prevent a breach or other problems, and
use the information logged about the event to better defend against
similar intrusion incidents in the future. Investing in an IDS that enables
you to react to attacks quickly can be far less costly than repairing the damage
from an attack and dealing with the resulting legal issues.

HIDS – Host-based Intrusion Detection System

Host-based IDSs are designed to monitor, detect and respond to activity and attacks
on a given host. In many cases, attackers target specific systems on corporate
networks that hold confidential data. They will often attempt to install monitoring
programs and exploit other vulnerabilities that can record user activity on
a particular host. Some host-based IDS tools provide policy management, statistical
analysis and data forensics at the host level. Host-based IDSs are most
useful when an intruder tries to access particular files or other
services that reside on the host computer. Since attackers mainly focus on
operating system vulnerabilities to break into hosts, in most cases the host-based IDS is
integrated into the operating system that the host is running.

NIDS – Network-based Intrusion Detection System

Network-based IDSs capture network traffic to detect intruders. Typically,
these systems work as packet sniffers that read through incoming traffic and use
specific metrics to assess whether a network has been compromised. Various web
and other proprietary protocols that handle messages between external and internal
networks, like TCP/IP, NetBEUI and XNS, are vulnerable to attack and require additional
ways of detecting malicious events. In many cases, intrusion detection
systems have difficulty working with encrypted data and traffic from virtual private
networks. Speed above 1 Gbps is also a limiting factor, although current and expensive
network-based IDSs have the capacity to work quickly above this speed.

1.1.1.5 IPS

An IPS is a network security device that can not only detect intruders but also
prevent them from successfully launching any known attack. Intrusion prevention
systems combine the capabilities of firewalls and intrusion detection systems.
However, deploying an IPS at an effective scale can be costly, so
organizations should carefully evaluate their IT risks before making the investment.
Also, some intrusion prevention systems are not as fast and robust as certain
firewalls and intrusion detection systems, so an IPS might not be a
suitable solution when speed is an absolute requirement.

Figure 5: IDS and IPS

1.1.2 Network Security Software


1.1.2.1 Wireshark

Wireshark first appeared under the name Ethereal. The tool is
an excellent protocol analyzer, modelled chiefly after Tcpdump. Wireshark
gives an overview of the live network. It allows users to view reconstructed TCP session
streams. For security and device resource reasons, many prefer Tcpdump,
but Wireshark remains the most popular packet sniffer. Frequent updates keep
the tool's robust packet sniffing capability current.

1.1.2.2 Metasploit

Metasploit is available in an open source edition and a commercial Pro edition for developers and security
professionals. Users can use this network security tool from Rapid7 to check
for more than 1,500 exploits, including checks on network segmentation. It also
enables organizations to conduct various security assessments and strengthen overall
network security so that it is more thorough and responsive.

1.1.2.3 Nessus

Wherever an organization has inadequate security settings or broken updates, this product
reports the faults and improves network integrity. Nessus
identifies vulnerabilities that are detected, including patches that were
missing or incomplete, software bugs, or other general errors in applications, computers
and operating systems, so that they can be fixed.

1.1.2.4 Aircrack

A collection of cracking tools for WEP and WPA, Aircrack offers well-known tools
for testing wireless network security. For cracking algorithms, Aircrack is robust
software. Airdecap for decrypting WEP/WPA captures and aireplay for
packet injection are also included in the suite. There are many other
tools included in this suite, making it a strong collection of information
security applications. Aircrack is an all-in-one solution for a wide range of wireless security
assessment tasks.

1.1.2.5 Snort

Snort is an open-source IDS that supports every operating system and hardware platform. The
software analyses protocols, searches and matches content, and detects a variety of attacks
on network security. Snort is an effective intrusion detection and prevention system
because of its simple configuration, flexible rules, and raw packet analysis.

1.2 Examine network security protocols and standards for secure network design
while comparing and contrasting at least two major network security protocols that
can be implemented into the given context.

1.2.1 Hyper Text Transfer Protocol Secure (HTTPS)

The HTTPS protocol is used to secure data between two or more systems. It uses Secure
Socket Layer (SSL), now called Transport Layer Security (TLS), to establish an encrypted
link. HTTPS protects data from cyber-attacks for the duration of the transfer from browser
to web server because it encrypts the data in transit. Although cybercriminals may capture
the data packets, the strong encryption prevents them from decoding the contents.

1.2.2 Secure Shell (SSH)

The SSH protocol, invented in 1995, secures data communication over a network using
cryptographic techniques. Logging in remotely or executing specific tasks remotely is
possible via the command line. SSH incorporates several features of FTP. The latest
versions are SSH-1 and SSH-2.
The SSH protocol has three layers:
• The transport layer: guarantees secure communication between the server and the
client, handles data encryption and decryption, and ensures the integrity of the
connection. It also performs data caching and compression.
• The authentication layer: conducts the client authentication procedure.
• The network layer: manages communication channels after authentication.

1.2.3 IPSec – Internet protocol security

IPSec is a protocol that offers authentication, integrity, and privacy between two entities,
as defined by the IETF IPSec Working Group. Cryptographic keys can be managed manually or
dynamically using an IETF protocol named Internet Key Exchange (IKE).

IPSec:
• Compresses at Layer 3
• Mutual node authentication
• Can authenticate users, but needs L2TP
• Crypto-implementation agnostic
• Client-to-client, or node-to-node (bulk)
• Compulsory for IPv6 implementations
• Does not work with NAT unless NAT Traversal (NAT-T) is used

1.2.4 DNSSEC – Domain Name System Security

DNSSEC is a set of extensions that adds security to the Domain Name System (DNS)
protocol by enabling validation of DNS responses. DNSSEC provides authenticated denial
of existence, data integrity, and origin authentication. As a result, DNS is
significantly less susceptible to certain types of attack, such as DNS spoofing.
DNSSEC:
• Provides authentication and integrity of DNS answers
• Is designed to protect against cache poisoning
• Uses a public-key scheme, but does not encrypt

1.2.5 VSTP - VLAN Spanning Tree Protocol

VSTP (VLAN Spanning Tree Protocol) allows Juniper Networks switches to run Spanning
Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) instances for each VLAN
that is enabled for VSTP. VSTP optimizes spanning-tree operation for networks with
multiple VLANs by defining the best paths within each VLAN instead of across the
entire network.

Criteria              | SSH                                                                 | IPSec
Application           | Encrypting communication between two computers                      | Offers authentication, integrity, and privacy between two entities
Security              | Strongly encrypted                                                  | Strongly encrypted
Authentication        | SSH uses public key encryption in order to authenticate remote users | Two-way authentication using shared secrets or digital certificates
Connection Complexity | High bandwidth is required                                          | Can be challenging to nontechnical users
Connection Options    | Does not work with NAT, except when NAT-T (NAT Traversal) is used   | Only specific devices with specific configurations can connect
Table 1: SSH & IPSec

1.2.2 Network Standards

ISO/IEC 27002

ISO 27002 is the companion standard to ISO 27001. Organizations cannot certify to ISO 27002,
but the standard guides ISO 27001 implementation by giving best-practice guidance on
applying the controls listed in the Annex of the standard.

ISO/IEC 27031

ISO 27031 provides a framework of methods and processes for improving an organization's
ICT readiness to ensure business continuity.

Achieving compliance with ISO 27031 helps organizations understand the threats to ICT
services, ensuring their safety in the event of an unplanned incident.

ISO/IEC 27032

ISO 27032 is the international standard offering guidance on cybersecurity management. It
gives guidance on addressing a wide range of cybersecurity risks, including user endpoint
security, network security, and critical infrastructure protection.

ISO/IEC 27701

ISO 27701 specifies the requirements for a PIMS (privacy information management system)
based on the requirements of ISO 27001. It is extended by a set of privacy-specific
requirements, control objectives and controls. Organizations that have implemented ISO
27001 will be able to use ISO 27701 to extend their security efforts to cover privacy
management. This can help demonstrate compliance with data protection laws such as the
CCPA and the EU GDPR.

Activity 2
2.1 Investigate the purpose and requirements of a secure network for the network of
AstraZeneca campus while reviewing the importance of network security to the
organization.

2.1.1 Purpose of the Network Security

In network security, the underlying infrastructure is protected from unauthorized access,
misuse, malfunction, modification, destruction, or improper disclosure by taking
preventive measures. Implementing these measures ensures that computers, users, and
programs can perform their critical functions securely. Securing a network requires a
complex combination of hardware devices, such as routers and firewalls, together with
anti-malware software. Information security analysts work for government agencies and
businesses to implement security plans and continuously monitor their effectiveness.

2.1.2 Basic Network Security Requirements

The primary goal of a network is to share information between its users, whether located
locally or remotely. There is also the possibility of unwanted users breaking into the
network in a way that harms the network or a user. There are a few essential points that
a network administrator should follow to give the network adequate security.

1. Networks are intended to share information. Accordingly, the organization should
clearly distinguish shareable information from non-shareable information.

2. The organization should also be clear about whom the shareable information may be
shared with.

3. As system security increases, the cost of administering it increases accordingly, so a
compromise between security and cost should be set according to the requirements of the
organization's security policy. This will largely depend on the level of security to be
applied in the network, the overall security requirements, and the effective
implementation of the chosen level of security.

4. The division of responsibilities for network security should be clearly defined
between users and the system administrator.

5. The requirements for protection have to be specified in the enterprise's network
security policy, which identifies the valuable data and their associated cost to the
business. After defining the specific network security policy and settling the clear-cut
responsibilities within the enterprise, the system administrator should then be made
accountable for ensuring that the security policy is correctly implemented in the
organization's environment, including the existing networking infrastructure.

2.1.3 Importance of Network Security for a University

Considering the large volume of online communication and study material in higher
education, it is important that university students have easy and secure access to a
secure and stable network. Such a large task, however, rarely runs smoothly for the
university IT department when trying to maintain network security in such an open
operating environment.

Data Breaches Are a Growing Threat to Higher Education Institutions

The growing number of cyber threats targeting schools and universities is a startling
reality. Last year, there were multiple breaches of personally identifiable records at
academic institutions. Network vulnerabilities, hacked e-mail accounts, and phishing
incidents probably exposed sensitive data of thousands of university employees and
students. The data breaches yielded their names, birth dates, addresses, e-mail
addresses, phone numbers, and social security numbers.

Remote Network Access for Students and Faculty

Many professors take working sabbaticals for a term or more and need continuous access
to their documents without visiting their office. Similarly, students may want to access
the university mail server to turn in a paper while away from campus. In recent weeks,
working from home (WFH) has even become a necessity. This is why remote access needs to
be addressed in your governance policy.

Identify Vulnerabilities
Preparedness is based on an accurate evaluation or audit of the IT environment. Evaluating
organizational policies and practices, and assessing their implementation and the
university's technology infrastructure, is the most effective way to gauge the risk level.
Only once risks and vulnerabilities have been identified can they be addressed.

Follow National Guidelines

Nationally recognized standards, such as NIST, offer practical frameworks for
universities to develop and enhance their cyber security programs and policies. They
help higher education institutions address such things as encryption, port access, and
multi-factor authentication.

Security Updates
Most universities offer users virus-scanning software free of charge. Just as the IT
department must keep patches up to date, users also need to keep their software
current. Now is an essential time to address vendor vulnerabilities. Encourage the campus
community to update their software, antivirus program, and operating system.

Set a Backup Schedule

The university's disaster recovery plan should already have a fixed backup schedule. In
case of a ransomware attack, essential data storage can then be restored quickly.
Cloud-based solutions make this process automatic and help mitigate the risk of downtime
and data loss.

Secure Network Access

Faculty and students need to understand the importance of using the virtual private
network when connecting to university systems hosted on campus. Network encryption
provides an additional layer of security for remote operations.

Enforce Password Changes

Users should be required to use strong passwords and change them every semester.
Stressing the use of unique passwords decreases the risk of malicious attacks using
account credentials stolen from social media and other service providers. Recommending
or offering free password manager services can help in implementing this policy.

2.1.4 Importance of Network Security to Organization

Network security is one of the main concerns of any business. With individuals working from
their beds and sending business messages from their couch, networks are everywhere: they
are essentially your home. Accordingly, it is now more important than ever to make network
security your priority.

Security is a necessity for every organization, no matter how big or small. However,
network security shouldn't be overlooked by the individual either. Network security
decisions must be made by anyone who accesses the internet and wants to maintain the
security of their accounts.

Network security protects your workstations from harmful spyware. It also ensures the
security of shared data. The network security infrastructure provides several levels of
protection against man-in-the-middle attacks by breaking the information into multiple
segments, encrypting these segments, and transmitting them independently, which prevents
eavesdropping.

While no network is immune to attacks, a stable and efficient network security framework
is essential to protecting your data, which should be viewed as a gold mine. A good
network security framework helps organizations reduce the risk of data theft, damage,
customer distrust, reputational and financial harm, and the list goes on. However, just
as a ship needs a good captain to keep it safe, any business network needs a good network
security engineer who can protect it and steer it past troubled waters.

2.2 Determine which HW/SW are suitable for AstraZeneca campus and provide a
suitable IP allocation plan using 172.30.0.0/16 network. Create a network design
(blue print) for internal and branch network of AstraZeneca (Public servers should
be separated from the Internal Network).

2.2.1 Selected Hardware Devices for AstraZeneca

2.2.1.1 Router

A router is a layer 2 device used to interconnect different types of networks. It can
choose the best route among alternative routes. A router contains a processor, digital
memory and input/output interfaces. A router needs an operating system that can run on
it (Cisco IOS, DD-WRT).

Cisco 2911 Router
I chose the Cisco 2911 router for my design because of its features. The Cisco 2911
Integrated Services Router provides embedded hardware encryption acceleration, voice and
video digital signal processors (DSPs), firewall, intrusion prevention, voice mail, and
application services. Furthermore, the platform supports the widest range of wired and
wireless connectivity options in the industry, including T1/E1, T3/E3, xDSL, and copper
and fibre GE.

Figure 4: Cisco 2960 Router

2.2.1.2 Switch

A switch is a layer 2 device used to connect computers together. It is an intelligent
device that can deliver a message to its exact destination. A switch can have 4, 8, 16,
32, 64, 96 or more ports. There are now also L3 switches, a hybrid of switch and router.

Cisco 2950-24 Switch

The Cisco WS-C2950-24 is an Ethernet networking switch with 24 ports, and it is the
switch chosen for this network. Within the Cisco Catalyst 2950 Series, the Cisco Catalyst
2950-24 is a standalone, fixed-configuration, managed 10/100 switch that provides
connectivity. In addition to its SI software capabilities, this wire-speed desktop switch
provides Cisco IOS functionality to facilitate basic data, video, and voice services in
your network. It also includes advanced features such as Quality of Service (QoS).

Figure 5: Cisco 2950-24 Switch

2.2.1.3 Servers

Many people think a server is similar to a desktop PC; that is a huge misconception.
PCs can run a server operating system, but this often does not work in the same way a
real server does. A server is built to manage, store, send and process data all the
time. It works 24 hours a day and is extremely reliable compared to a desktop. Some of
the capabilities you can find on a server, which will give your enterprise a quality
network, include:

Dual processor – this refers to a device having two separate processors. Instructions and
data are distributed across all processors, allowing computer systems and networks to
perform faster than with a desktop PC alone.

Redundancy – this means the data you want to store is saved in more than one location.
If one copy ever goes down for any reason, you have it saved in another location, so the
data is not lost.

Hot-swappable components – a hot-swappable component means that if your server suffers a
power-supply, device or storage-device failure, you can replace the component while the
system remains in operation.

Scalable – this means you can meet current needs as well as future needs.

2.2.2 Selected Software Devices for AstraZeneca Campus

2.2.2.1 Ubuntu Operating System

Ubuntu is a complete Linux operating system, freely available with both community and
professional support. The Ubuntu community is built on the ideas enshrined in the Ubuntu
Manifesto: that software should be available free of charge, that software tools should
be usable by people in their local language and despite any disabilities, and that people
should have the freedom to customize and alter their software in whatever way they see
fit.

Ubuntu will always be free of charge, and there is no extra fee for the enterprise
edition.

Ubuntu is suitable for both desktop and server use. The current Ubuntu release supports
Intel x86 (IBM-compatible PC), AMD64 (x86-64), ARMv7, ARMv8 (ARM64), IBM
POWER8/POWER9 (ppc64el), IBM Z zEC12/zEC13/z14 and IBM LinuxONE
Rockhopper I+II/Emperor I+II (s390x).

Ubuntu includes thousands of pieces of software, beginning with the Linux kernel
version 5.4 and GNOME 3.28, and covering every standard desktop application from
word processing and spreadsheet applications to web access applications, web server
software, email software, programming languages and tools.

2.2.2.2 pfSense Firewall

pfSense is firewall and router software that is free to use and customize as long as you
have the right hardware, anything from a dedicated appliance to an old PC you have
salvaged. pfSense was first created in 2004 as part of the "m0n0wall" project, which
aimed to create full-featured embedded firewall software.

But unlike other free software available on the web, the functionality that pfSense offers
allows it to rival commercial firewalls. Furthermore, depending on the level of protection
and security you are looking for, along with your technical knowledge, you can tailor the
pfSense firewall to suit the organization's requirements.

2.2.2.3 Wireshark

Wireshark is a free and open-source packet analyser used for a variety of purposes,
including education, analysis, software development, communication protocol development,
and network troubleshooting. Packets are captured and then filtered to meet specific
needs. It is also used by network security engineers to find problems in their networks.

The Wireshark application is free to use and is used to intercept the data passing back
and forth; it is also known as a free packet sniffer. It sets the network card to
promiscuous mode, so it accepts all packets received.

2.2.4 Blue print of the design

[Figure: network design diagram. It shows the Branch router and the Internet connected to
the Head Office, where a firewall fronts the server room and the switches that feed the
end-user devices. Departments and VLANs: Reception, Account, IT, Science and Net_team on
VLANs 100, 110, 130, 140 and 160. Legend: copper cross-over, copper straight-through,
wireless.]

One PC represents all the users in a department.

                  | Management Dept. Faculty | IT Faculty      | Reception       | Network team
Block Size        | 32                       | 64              | 64              | 32
Network Address   | 172.30.2.0               | 172.30.1.16     | 172.30.1.74     | 172.30.1.138
First usable      | 172.30.2.1               | 172.30.1.17     | 172.30.1.75     | 172.30.1.139
Last usable       | 172.30.2.32              | 172.30.1.72     | 172.30.1.136    | 172.30.1.169
Broadcast Address | 172.30.1.33              | 172.30.1.73     | 172.30.1.137    | 172.30.1.170
SNM               | 255.255.255.224          | 255.255.255.192 | 255.255.255.192 | 255.255.255.224

Table 2: IP Allocation Table

Figure 6: Design of the Network
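As an added worked example that is not part of the original report, the following Python script carves VLSM blocks of the sizes Table 2 requests out of 172.30.0.0/16 with the standard library ipaddress module, reporting the network, first and last usable, broadcast and mask for each block, and includes the alignment check a reviewer would run over any row of such a table. The department names and block sizes come from Table 2; the addresses the script produces are its own, not the table's.

```python
import ipaddress
from typing import Dict, List, Tuple

# Campus address space given in the assignment brief.
SUPERNET = ipaddress.ip_network("172.30.0.0/16")

# Department names and block sizes (addresses per block) as listed in Table 2.
REQUESTS: List[Tuple[str, int]] = [
    ("Management Dept. Faculty", 32),
    ("IT Faculty", 64),
    ("Reception", 64),
    ("Network team", 32),
]


def prefix_for_block(block_size: int) -> int:
    """Prefix length of the smallest block that holds block_size addresses.

    Sizes are rounded up to a power of two, because a subnet of any other size
    cannot be expressed with a subnet mask.
    """
    if block_size < 4:
        raise ValueError("a subnet needs at least 4 addresses (network, broadcast, 2 hosts)")
    size = 1
    while size < block_size:
        size *= 2
    return 32 - (size.bit_length() - 1)


def describe(net: ipaddress.IPv4Network) -> Dict[str, str]:
    """Produce the rows Table 2 records for one block."""
    return {
        "block_size": str(net.num_addresses),
        "network": str(net.network_address),
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefix": f"/{net.prefixlen}",
    }


def allocate(requests: List[Tuple[str, int]],
             supernet: ipaddress.IPv4Network = SUPERNET) -> Dict[str, Dict[str, str]]:
    """VLSM allocation: hand out the largest blocks first from the bottom of the supernet.

    Allocating in descending size order keeps every block on a boundary that is a
    multiple of its own size, so no network address ever falls inside a neighbour.
    """
    cursor = int(supernet.network_address)
    end = int(supernet.broadcast_address) + 1
    plan: Dict[str, Dict[str, str]] = {}
    for name, size in sorted(requests, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_block(size)
        block = 2 ** (32 - prefix)
        if cursor % block:                       # guard for unsorted input: realign to the next boundary
            cursor += block - cursor % block
        if cursor + block > end:
            raise ValueError(f"{supernet} cannot hold a {block}-address block for {name}")
        net = ipaddress.IPv4Network((cursor, prefix))
        plan[name] = describe(net)
        cursor += block
    return plan


def is_aligned(network_address: str, mask: str) -> bool:
    """True when network_address really is the first address of a block with this mask.

    strict=False lets ipaddress derive the true network address from any address;
    comparing it with the claimed one exposes a row whose address is off its boundary.
    """
    net = ipaddress.ip_network(f"{network_address}/{mask}", strict=False)
    return net.network_address == ipaddress.ip_address(network_address)


if __name__ == "__main__":
    for dept, row in allocate(REQUESTS).items():
        print(f"{dept:26} {row['network']}{row['prefix']:5} "
              f"{row['first_usable']:14} {row['last_usable']:14} "
              f"{row['broadcast']:14} {row['mask']}")
    # Alignment check over a well-formed and an ill-formed row.
    print(is_aligned("172.30.2.0", "255.255.255.224"))    # True
    print(is_aligned("172.30.1.16", "255.255.255.192"))   # False: /26 blocks start at .0, .64, .128, .192
```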

Activity 3

3.1 Configure all the network devices to achieve the highest level of security and
design and describe the cryptographic types and other security related concepts and
technologies used for the design. (Provide configuration scripts/files/screenshots
with comments)

3.1.1 Security Implementations

3.1.1.1 Device Security Implementations

All devices in the network are secured using passwords.

Head Office Router

Head Office Core Switch

Head Office Sub Switches

Branch security is also ensured in the same way.

3.1.1.2 SSH Implementations

There are two components to SSH - the client and the server. SSH is used to connect a
client machine (such as a PC) to a remote SSH server (such as a router). A network
administrator can run commands on the remote device once the connection has been
established.

3.1.1.3 AAA Server Implementation

In an enterprise, AAA servers act as a central point of authentication, authorization, and
accounting (AAA) services for user requests to access resources. AAA servers usually
interact with network access and gateway servers, as well as databases and directories that
contain user information. Remote Authentication Dial-In User Service (RADIUS) is the
current standard by which devices or applications communicate with AAA servers.

3.1.1.4 Syslog Server Records

Syslog has been used for decades as a method of transporting messages from network
devices to a logging server known as a syslog server.
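As an added example (not the report's own configuration or screenshots), the following Python script parses records of the kind a syslog server collects from Cisco IOS devices and raises an alert when one source fails to log in three times within a minute. The log lines are constructed samples, and the time window assumes the devices' clocks are synchronised, which is what the NTP server below provides.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample records (not from the assignment's devices), in the shape a
# syslog server might store messages from Cisco IOS devices:
#   <device> <ISO-8601 UTC time> <IOS message>
SAMPLE_LOG = """\
HO-Router 2021-11-09T10:14:55Z %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (172.30.1.5)
HO-Router 2021-11-09T10:15:01Z %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.30.1.20] [localport: 22] [Reason: Login Authentication Failed]
HO-Router 2021-11-09T10:15:09Z %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.30.1.20] [localport: 22] [Reason: Login Authentication Failed]
HO-Router 2021-11-09T10:15:20Z %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 172.30.1.20] [localport: 22] [Reason: Login Authentication Failed]
HO-Router 2021-11-09T10:15:31Z %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 172.30.1.5] [localport: 22]
HO-CoreSW 2021-11-09T11:02:10Z %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.30.1.40] [localport: 22] [Reason: Login Authentication Failed]
HO-CoreSW 2021-11-09T11:30:00Z %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.30.1.40] [localport: 22] [Reason: Login Authentication Failed]
"""

# %FACILITY-SEVERITY-MNEMONIC is the fixed prefix of every IOS system message.
LINE_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<ts>\S+)\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Login messages carry their details as [key: value] pairs.
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+):\s*(?P<value>[^\]]*)\]")


def parse_line(line: str) -> Optional[dict]:
    """Split one stored record into device, time, facility, severity, mnemonic and fields.

    Returns None for lines that are not IOS system messages, so a mixed log does
    not break the pipeline.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["severity"] = int(rec["severity"])
    rec["fields"] = {k.lower(): v for k, v in FIELD_RE.findall(rec["text"])}
    return rec


def failed_login_bursts(lines: List[str], threshold: int = 3,
                        window_seconds: int = 60) -> List[Tuple[str, str, int, str]]:
    """Return (device, source, failures, time) for each source that reaches
    `threshold` LOGIN_FAILED events within `window_seconds` on one device.

    A sliding window per (device, source) keeps only the timestamps inside the
    window; the alert fires once, on the event that completes the burst.
    """
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Tuple[str, str, int, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mnemonic"] != "LOGIN_FAILED":
            continue
        key = (rec["device"], rec["fields"].get("source", "unknown"))
        window = recent[key]
        window.append(rec["time"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(window), rec["ts"]))
    return alerts


def severity_counts(lines: List[str]) -> Dict[int, int]:
    """Histogram of IOS severities (0 emergencies .. 7 debugging) seen in the log."""
    counts: Dict[int, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for device, source, failures, when in failed_login_bursts(log_lines):
        print(f"ALERT {device}: {failures} failed logins from {source} within 60s (last at {when})")
    print(severity_counts(log_lines))
```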

3.1.1.5 NTP Server

NTP stands for Network Time Protocol. It is an Internet protocol used to synchronize
computers to a time reference so that their clocks agree.

3.1.1.6 Layer 2 and Layer 3 Implementations

RSTP Configurations

LACP Configurations

Access Control Implementations

NAC solutions provide network visibility and access management by enforcing policies on
corporate devices and users.

3.1.2 Cryptography

Cryptography is the study of disguising data so that nobody except the intended recipient
can reveal it. Cryptographic practice involves the use of an encryption algorithm that
transforms plaintext into ciphertext. The receiver decodes the ciphertext with the help of
a shared or chosen key.
Cryptography combines the use of different algorithms, also called ciphers, to perform
encryption or decryption. These algorithms are a complete set of instructions and contain
computations that provide the various qualities of a standard cryptosystem. While some of
them guarantee non-repudiation and integrity, others guarantee confidentiality and
authentication.

The kinds of encryption depend on the number and roles of the keys used for encryption.
Therefore, the classification based on keys is into symmetric encryption and asymmetric
encryption key algorithms. Cryptographic procedures that do not use keys and are
irreversible are known as hash functions. This section presents types of cryptography
based on the varying number and roles of keys used in encryption.

3.1.2.1 Symmetric Encryption

Symmetric or secret-key cryptography uses a single, identical shared key for the
encryption and decryption process. The sender and the receiver using this cryptographic
method agree to secretly share the symmetric key before starting encrypted communication,
to use it later for decrypting the ciphertext. Some examples of symmetric key encryption
algorithms are AES, DES and 3DES. Another technology that incorporates shared keys is
Kerberos, which uses a third party known as the Key Distribution Centre for securely
sharing the keys.

The key that the communicating parties exchange can be a password or code. It can also be
a random string of numbers or characters that should be produced using a secure
pseudo-random number generator (PRNG).

The size of the key directly relates to the strength of the cryptographic algorithm. That
is, a large key strengthens the encryption, leaving less chance of successful cracking.
For example, Data Encryption Standard (DES) with a 56-bit key is no longer a secure
encryption standard because of its small key size.

Types of Symmetric Algorithms

Symmetric encryption algorithms are of two sorts:

1. Stream Algorithms

Unlike block algorithms, stream algorithms do not divide the data into blocks. They
encrypt one byte at a time while the data is being streamed, instead of saving it in
memory.

2. Block Algorithms

Block encryption algorithms partition the message into fixed-size blocks of data and then
encrypt each block of data in turn with the help of a chosen secret key. Block ciphers use
various modes such as Electronic Codebook (ECB), Output Feedback (OFB), Cipher Block
Chaining (CBC), and so on, which dictate how to partition the blocks and encode the data.

Uses of Symmetric Encryption

Although it has been in use for a long time, symmetric encryption is still respected and
used for its efficiency and speed. Symmetric encryption consumes relatively few system
resources compared with other encryption methods. Because of these properties,
organizations use symmetric encryption for fast bulk data encryption, such as databases.

The most common application areas for symmetric encryption are banking and applications
involving card transactions, to give high protection against fraud. In the financial
sector, personally identifiable information must be kept strictly secret. It is also
desirable to confirm whether the sender is the person he claims to be.

In addition, AES, the replacement for Triple-DES, is an ideal algorithm for a wireless
network that incorporates the WPA2 protocol, and for controller applications. AES is the
preferred choice for fast encrypted data transfer to a USB drive, for the Windows
Encrypting File System (EFS), and for disk encryption techniques.

3.1.2.2 Asymmetric Encryption

Asymmetric or public-key encryption is a type of cryptography that uses a pair of
related keys to encrypt the data. One is a public key, and the other is known as a
private key. The public key is known to anyone who wants to send a secret message and
protect it from unauthorized access. A message encrypted with the public key can only be
decrypted using the recipient's corresponding private key.

The private key is known only to the recipient, or to users who can keep it secret. When
someone wants to send or transfer a document, they encrypt the data with the intended
recipient's public key. Then the recipient uses their private key to access the secret
message. Since the security of a system using asymmetric key algorithms depends entirely
on the secrecy of the private key, it achieves confidentiality.

Uses of Asymmetric Encryption

The most common uses of asymmetric encryption are the secure exchange of the symmetric
key and digital signatures. The use of asymmetric encryption in digital signatures helps
provide non-repudiation in data exchange. This happens with the sender digitally signing
data with their private key while the receiver decrypts it with the sender's public key.
Hence it achieves integrity and non-repudiation.

A digital signature is the digital equivalent of a fingerprint, seal, or handwritten
signature. It is used in business for the verification of digital documents and data.
Digital signatures are also used in encrypted messages, where a public key encrypts the
data and the private key decrypts it.

Another use of asymmetric encryption is the SSL/TLS cryptographic protocols, which help
set up secure connections between web browsers and websites. TLS uses asymmetric
encryption to share the symmetric key and then uses symmetric encryption for fast data
transmission. Digital currencies like Bitcoin also use public-key encryption for secure
transactions and communications.

3.1.2.3 Hash Functions

Cryptographic hash functions take data of variable length and transform it into an
irreversible fixed-length output. The output is called a hash value or a message digest.
It can be stored instead of the credentials to achieve security. Later, when required,
the credential, such as a password, is passed through the hash function to check its
genuineness.

Properties of Hash Functions

These are the properties that affect the security of hashing and credential storage.

• It is non-reversible. After making a hash of a document or a password through a hash
function, it is impossible to reverse or translate the text; unlike encryption, it does
not involve the use of keys. A reliable hash function should make it very hard to crack
the hashed credentials or documents back to their previous state.
• It follows the avalanche effect. A slight change in the password should unpredictably
and substantially affect the hash as a whole.
• The same input produces the same hash output.
• The non-predictability property should make the hash unpredictable from the credential.
• A reliable hash function guarantees that no two passwords hash to the same digest
value. This property is called collision resistance.

Uses of Cryptographic Hash Functions

Hash functions are widely used for secure data exchange in cryptocurrencies while
preserving the anonymity of the user. Bitcoin, the largest and most established platform
for cryptocurrency, uses SHA-256, while the IOTA platform for the Internet of Things uses
its own cryptographic hash function called Curl.

Nonetheless, hashing plays a vital role in many more areas of computing and technology
for data integrity and authenticity. This use is possible through its property of
determinism. It also finds uses in digital signature generation and verification. It can
also be used to verify files and message authenticity.
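As an added example that is not part of the original report, the following Python code (standard library only) demonstrates the properties and the credential-storage use described above: determinism, the avalanche effect measured as the fraction of SHA-256 digest bits that flip for a one-character change, and salted PBKDF2 password records with constant-time verification. The iteration count and the sample password are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor: deliberately slow so that guessing offline against a stolen
# credential store is expensive, while a single login check stays cheap.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) digest of input of any length."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(msg1: bytes, msg2: bytes) -> float:
    """Fraction of digest bits that flip between two messages.

    For a sound hash this sits close to 0.5 even when the inputs differ by a
    single character, which is the avalanche effect described above.
    """
    d1, d2 = hashlib.sha256(msg1).digest(), hashlib.sha256(msg2).digest()
    return differing_bits(d1, d2) / (len(d1) * 8)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'salt$digest' for a password.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one precomputed
    list of digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Determinism: same input, same digest.
    print(sha256_hex(b"campus") == sha256_hex(b"campus"))
    # Avalanche: one changed character flips roughly half of the 256 bits.
    print(f"{avalanche_ratio(b'Password1', b'Password2'):.2f}")
    # Credential storage: keep the salted record, never the password itself.
    record = hash_password("Spring2021!")          # constructed sample password
    print(record)
    print(verify_password("Spring2021!", record), verify_password("spring2021!", record))
```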

3.2 Download open source PfSense firewall and configure basic firewall settings
including DMZ and VPN configurations. Review how QoS can be integrated into
Network security configurations.

3.2.1 PfSense firewall

Virtual Appliances
Netgate virtual appliances with pfSense Plus software extend your applications and
connectivity to authorised users everywhere, through Amazon AWS and Microsoft Azure
cloud services. Connect your employees, partners, customers, and other parties to share
resources in site-to-cloud, cloud-to-cloud, and virtual private cloud (VPC) networks.

Solutions
Providing complete network security solutions for the enterprise, large business and
SOHO, Netgate solutions with pfSense Plus software bring together the most advanced
technology available to make protecting your network easier than ever. Their products
are built on the most reliable platforms and are engineered to provide the highest
levels of performance, stability and confidence.

Product Support
Their staff has direct access to the pfSense development team. Having a pfSense
engineer ready to answer your questions and give "best practice" advice will
supplement your IT resources and add value to your team. If you buy your hardware
appliance from the pfSense store, their experience with the products allows their
support team to provide end-to-end solutions covering all aspects of the hardware and
the firewall application.

Professional services
They know the challenges you face are complex. Netgate staff can help you implement
effective solutions to those problems. They will help you plan, design, implement,
operate, and manage the right technology strategy to improve the way you do business.
From network security to high availability to firewall migrations, they provide robust
solutions so you can focus on running your business.

Importance of PfSense firewall


1. Easy to use
 Configuration and administration are quick and simple thanks to a web-based
interface - even for users without much experience with networking
 With Zabbix monitoring features, you can view key operating metrics such as
network utilization, CPU load, and disk space usage
 Detailed documentation and YouTube videos provide detailed tutorials

2. All the Features you need


 Contains packet filtering, stateful packet inspection, proxy servers, and next-
generation firewall features
 The package manager allows you to customise its features to meet specific needs,
including VPN and router capabilities

3. Proven Reliability and resilience


 Several hundred thousand Netgate appliances, 3rd party appliances, virtual
machines, and cloud instances are being utilized across every continent
 Highly reliable and stable
 Can be configured as a High Availability (HA) cluster for business continuity

4. Excellent overall solution value
 Features (firewall, router, and VPN), price-performance, and ease of use combine
to make this an unbeatable value
 Trusted by service providers, consumers, and businesses
 Globally recognized support options offering high levels of assurance

3.2.2 IPsec VPN

An IPsec VPN securely connects all of your sites into the same private network, using
Internet connectivity as the data communications network. This type of VPN is deployed
between a security appliance or firewall at each location, establishing a secure IPsec
tunnel between sites. The LAN sits behind those security devices, and no software is
required on laptops, desktops, or servers to enable VPN connectivity between locations.
VPN network topologies are available in a hub-and-spoke or meshed configuration.

The main advantages of this type of data networking service are cost, the ability to
use existing Internet connectivity for data transport, and easy integration of remote
users with VPN client software. IPsec VPN connectivity does have its drawbacks: the
quality of service (QoS) is not always consistent because of Internet congestion or
poor performance. There is also greater potential for network downtime if only one
Internet connection is used with no failover connectivity. IPsec VPN networks are a
good choice for organisations with limited IT budgets, many remote users, or simple
applications and uptime requirements.
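Before the head-office and branch firewalls are configured, it helps to confirm that both ends will negotiate the same proposals and that neither end offers weak algorithms. The following Python check is an added example, not code from the assignment or from pfSense; the phase 1/phase 2 values, gateway addresses, subnets and the set of algorithms treated as weak are constructed assumptions.

```python
# Added example (not part of the original assignment or pfSense): checks
# that the two ends of a site-to-site IPsec tunnel are configured to agree.
# All settings below are constructed sample values, not a real deployment.
from typing import Dict, List

# Assumption: a conservative policy that refuses DES/3DES, MD5/SHA1 and
# the small Diffie-Hellman groups 1, 2 and 5.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}

HEAD_OFFICE = {
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14,
               "remote_gateway": "203.0.113.2", "lifetime": 28800},
    "phase2": {"local_subnet": "10.10.0.0/16", "remote_subnet": "10.20.0.0/16",
               "encryption": "aes256gcm", "pfs_group": 14},
}
BRANCH = {
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14,
               "remote_gateway": "203.0.113.1", "lifetime": 28800},
    "phase2": {"local_subnet": "10.20.0.0/16", "remote_subnet": "10.10.0.0/16",
               "encryption": "aes256gcm", "pfs_group": 14},
}


def check_tunnel(site_a: Dict, site_b: Dict) -> List[str]:
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    # Per-site checks: no weak algorithm or group on either end.
    for name, site in (("A", site_a), ("B", site_b)):
        p1, p2 = site["phase1"], site["phase2"]
        if p1["encryption"] in WEAK_ENCRYPTION or p2["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"site {name}: weak encryption algorithm")
        if p1["hash"] in WEAK_HASH:
            findings.append(f"site {name}: weak phase 1 hash")
        if p1["dh_group"] in WEAK_DH_GROUPS or p2["pfs_group"] in WEAK_DH_GROUPS:
            findings.append(f"site {name}: weak DH/PFS group")
    # Phase 1 proposals must match exactly, or IKE negotiation fails.
    for field in ("encryption", "hash", "dh_group", "lifetime"):
        if site_a["phase1"][field] != site_b["phase1"][field]:
            findings.append(f"phase 1 mismatch on {field}")
    # Phase 2 traffic selectors must be mirrored: A's local is B's remote.
    if site_a["phase2"]["local_subnet"] != site_b["phase2"]["remote_subnet"]:
        findings.append("phase 2: site A local subnet != site B remote subnet")
    if site_a["phase2"]["remote_subnet"] != site_b["phase2"]["local_subnet"]:
        findings.append("phase 2: site A remote subnet != site B local subnet")
    for field in ("encryption", "pfs_group"):
        if site_a["phase2"][field] != site_b["phase2"][field]:
            findings.append(f"phase 2 mismatch on {field}")
    return findings
```

A mismatch in any phase 1 field shows up in the firewall's IPsec log as a failed negotiation, so running this check against both configurations first saves a round of log reading.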

3.2.2.1 IPsec VPN Configurations

Head Office

Branch

3.2.3 QoS for a Network

To solve the problem of network congestion caused by many active users sharing the
resources of the router, Quality of Service (QoS) should be implemented. Quality of
Service (QoS) is a technology that classifies and prioritises network traffic types,
for example, sensitive and non-sensitive data traffic.

Sensitive data traffic, such as voice and video traffic, requires guaranteed bandwidth
because it operates in real time. Non-sensitive data traffic, such as web browsing and
email, does not require guaranteed bandwidth because the application can retransmit
packets that were dropped because of network congestion.

Applications that use User Datagram Protocol (UDP), such as voice and video traffic,
require QoS because UDP does not guarantee delivery of a message, unlike Transmission
Control Protocol (TCP), which can retransmit lost packets and guarantee message
delivery. With QoS, network performance and user experience will be optimised.

3.2.3.1 Characteristics of Network Traffic Managed by QoS

Quality of Service (QoS) mechanisms let us manage these four QoS characteristics of
network traffic:

1. Bandwidth – the maximum amount of data transferred per second. It is sometimes
referred to as the speed or capacity of the link. It is usually measured in bits per
second (bps). On network devices, such as routers and switches, bandwidth is associated
with each interface. The interface bandwidth can be Ethernet (10 Mbps), Fast Ethernet
(100 Mbps), or Gigabit Ethernet (1000 Mbps).

2. Delay – the time it takes for a message to travel from the source device to the
destination device. It is sometimes referred to as latency. High latency delays the
arrival of traffic at the destination device and therefore causes a slower response
time when establishing a connection to a particular device or application.

3. Jitter – the variation in the one-way delay of consecutive packets being sent. For
example, if the first packet is sent and the second packet is sent 50 milliseconds (ms)
later, the time between the two transmissions is the jitter, and it is 50 ms.

4. Loss – occurs when the buffer of the router is full and newly arriving packets are
dropped. Excessive packet loss causes the receiving device to get an incomplete
message.

3.2.3.2 QoS Mechanisms

Listed below are the most commonly used QoS mechanisms for managing the QoS
characteristics of network traffic:

1. Classification – applied on the router's interface; determines whether a packet
requires QoS treatment or not.

2. Marking – marks packets based on their classification. It places a value in the
packet header so that the packet can be easily recognised throughout the network
according to its class.

3. Congestion Management – prioritises the transmission of each packet by queuing on
each interface.

4. Congestion Avoidance – drops packets early to avoid congestion.

5. Queuing – stores packets in the buffer and holds them until it is their turn to exit
the router's interface.

6. Policing – enforces a rate limit by dropping or re-marking packets.

7. Shaping – enforces a rate limit by delaying packets, storing them in the router's
buffer for a certain amount of time.

3.2.3.3 QoS Configurations

Here are the steps to configure and implement QoS in our network:

 Identify the traffic and its requirements. Analyse the data packets to determine
whether they are voice traffic, web traffic, application traffic, or email traffic, and
then apply QoS accordingly.
 Classify the traffic. Put a value in the packet headers of traffic that is classified
and marked.
 Define QoS policies for each class. Determine whether a specific packet class
should be allowed, dropped, or rate-limited.
 Assign the policy to the interface.
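The classification, marking, policing and shaping steps described in 3.2.3.2 and 3.2.3.3 can be modelled in a few lines. The following Python model is an added example, not part of the assignment or of any router's firmware; the port-to-class mapping, DSCP values, link rate, burst size and sample packets are constructed assumptions.

```python
# Added example (not part of the original assignment): a minimal model of
# the QoS steps above. Ports, DSCP values, rates and packets are constructed
# sample values, not a configuration taken from a real device.
from typing import Dict, List, Tuple

# Steps 1 and 2: identify the traffic by destination port and mark it.
# DSCP values are the standard ones (EF = 46 voice, AF41 = 34 video, 0 = best effort).
CLASS_BY_PORT = {5060: "voice", 3478: "video", 80: "web", 443: "web", 25: "email"}
DSCP = {"voice": 46, "video": 34, "web": 0, "application": 0, "email": 0}


def classify_and_mark(packet: Dict) -> Dict:
    """Return a copy of the packet with its class and DSCP mark filled in."""
    cls = CLASS_BY_PORT.get(packet["dst_port"], "application")
    return dict(packet, qos_class=cls, dscp=DSCP[cls])


class TokenBucket:
    """Rate limiter for step 3: rate in bytes per second, burst in bytes."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, size: int, now: float) -> bool:
        """Refill for elapsed time, then spend tokens if enough are available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(packets: List[Dict], rate: float, burst: int) -> Tuple[List[Dict], List[Dict]]:
    """Policing: packets that exceed the rate are dropped immediately."""
    bucket, passed, dropped = TokenBucket(rate, burst), [], []
    for p in packets:
        (passed if bucket.allow(p["size"], p["time"]) else dropped).append(p)
    return passed, dropped


def shape(packets: List[Dict], rate: float, burst: int) -> List[Tuple[float, Dict]]:
    """Shaping: packets that exceed the rate are held and released later.

    Returns (release_time, packet) pairs; delay, not loss, absorbs the burst.
    """
    bucket, out, now = TokenBucket(rate, burst), [], 0.0
    for p in packets:
        now = max(now, p["time"])
        while not bucket.allow(p["size"], now):
            now += (p["size"] - bucket.tokens) / rate + 1e-9  # wait for tokens
        out.append((now, p))
    return out


def sample_packets() -> List[Dict]:
    """Constructed burst: four 1500-byte web packets arriving 1 ms apart."""
    return [{"time": 0.001 * i, "dst_port": 80, "size": 1500} for i in range(4)]
```

With a 100 kB/s rate and a 3000-byte burst, policing passes two packets and drops two, while shaping delivers all four but releases the last one about 30 ms after it arrived; the difference is what the page means by policing versus shaping.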

Activity 4
4.1 Create a test plan and test your network (LAN and WAN). Critically evaluate the
test results.

4.1.1 Test Plan

AstraZeneca Campus Network


Test Plan
07.11.2021

Introduction

This test plan is intended to give guidance to developers in identifying and correcting
connectivity issues within a network design. It may also be useful to IT professionals
who support these networks.

Prerequisites

The prerequisite skills and knowledge needed for the different roles are detailed
below.

Prerequisites for Developers

 Developers who need to successfully troubleshoot the AstraZeneca network
configuration should be at least moderately knowledgeable about the following.
 Appropriate understanding of a wide range of equipment including routers, switches,
cables and other fundamental hardware.
 Knowledge of IP addressing and common networking protocols such as IPv4 and IPv6.
 Knowledge of different networking services such as directories, files, distributed
applications, email, HTTP, FTP, DNS and other common services.
 Knowledge of security maintenance using encryption, firewalls, IDS, anti-virus, anti-
spam and so on.
 Knowledge of ISPs/communication providers and Virtual Private Networks (VPNs).

Prerequisites for IT Professionals


IT professionals who support developers should be comfortable with the use of:

 IP Setup
 Wireless Modems/Routers
 Cloud Services

General Prevention

This section gives some guidance on how developers can reduce the likelihood of errors
occurring in the network design. As an example:

There are a few common reasons for poor network performance and connectivity issues.
Many organisations depend on a copper-based, broadband, subscription service. A typical
problem arises when lines are cut or damaged during a nearby construction project.
Another common reason for connectivity issues is data server failure. Switch problems
can also be the source of the issue. Any hardware failure can lead to a total network
failure. Without a backup or redundant system to take over, operations depending on
connectivity can come to a sudden halt.

Testing of Implementations

Test Password Protection

Test Case No | Test              | Action         | Test Type | Expected Outcome        | Result
1            | Checking Password | Enter Password | Normal    | Logging in to device    | √
             |                   | Wrong Password | Error     | Error message displayed | √

SSH Testing

Test Case No | Test                  | Action                       | Test Type | Expected Outcome        | Result
1            | Checking Remote login | ssh -l with correct username | Normal    | Logging in to device    | √
             |                       | ssh -l with wrong username   | Error     | Error message displayed | √

AAA Server Testing

Test Case No | Test                           | Action                        | Test Type | Expected Outcome        | Result
1            | Checking Username and Password | Correct username and password | Normal    | Logging in to device    | √
             |                                | Wrong username and password   | Error     | Error message displayed | √

Port Security Testing

Test Case No | Test                  | Action                        | Test Type | Expected Outcome | Result
1            | Checking Connectivity | Ping through allowed port     | Normal    | Replying         | √
             |                       | Ping through not allowed port | Error     | Request timed out| √

4.2 Make improvement/ recommendations to the re-designed network of AstraZeneca
while critically evaluating the design, plan, configuration, and testing of the
implemented network.

4.2.1 Future Enhancement

We can plan future enhancements based on the Internet of Things. We can control the
whole system of interrelated computing devices, mechanical and digital machines provided
with unique identifiers and the ability to transfer data over a network without
requiring human-to-human or human-to-computer interaction.

The IoT network infrastructure topic covers building and managing a network
architecture capable of handling the Internet of Things, including the advantages and
disadvantages of different technologies and guidance on various frameworks and
protocols such as Bluetooth, LTE and Wi-Fi.

Wireless networks based on radio waves have two major drawbacks. One is that data
transfer speeds on the RF spectrum are limited, which is part of the reason why sending
data over a wireless Internet connection is almost always slower than using an Ethernet
link. The second is that the RF spectrum has limited range, which leads to interference
that can disrupt wireless connectivity.

A better solution is optical wireless. As the term implies, optical wireless technology
makes it possible to use optical light waves, rather than radio waves, as the backbone
for wireless communications. Using optics, data can be transmitted more quickly and
with a lower risk of interference, which means optical wireless networks offer
significant performance improvements over conventional Wi-Fi. They will equip MSPs with
faster, more reliable ways of delivering networks without requiring clients to be
cabled.

Grading Rubric

Grading Criteria | Achieved | Feedback

LO1 Examine Network Security principles, protocols, and standards
P1 Discuss the different types of Network Security devices.
P2 Examine Network Security protocols
M1 Compare and contrast at least two major Network Security protocols.

LO2 Design a secure network for a corporate environment
P3 Investigate the purpose and requirements of a secure network according to a given scenario.
P4 Determine which network hardware and software to use in this network
M2 Create a design of a secure network according to a given scenario.
D1 Review the importance of network security to an organisation

LO3 Configure Network Security measures for the corporate environment
P5 Configure Network Security for your network.
P6 Discuss different cryptographic types of Network Security
M3 Provide Network Security configuration scripts/files/screenshots with comments.
D2 Review what is meant by Quality of Service (QoS) in relation to Network Security configuration.

LO4 Undertake the testing of a network using a Test Plan
P7 Create a Test Plan for your network
P8 Comprehensively test your network using the devised Test Plan.
M4 Provide scripts/files/screenshots of the testing of your network.
M5 Make some improvement recommendations.
D3 Critically evaluate the design, planning, configuration and testing of your network.
