Unit 17 - Network Security - Assignment
K.D.K.N Jayawardhane
Unit 17
Assignment 01
-1-
General Guidelines
1. A cover page or title page – you should always attach a title page to your assignment. Use the
previous page as your cover sheet and make sure all the details are accurately filled in.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using word processing software.
4. All the assignments should be printed on A4 sized paper. Use single-sided printing.
5. Allow 1” for the top, bottom and right margins and 1.25” for the left margin of each page.
6. The font size should be 12 point, and the font should be Times New Roman.
7. Use 1.5 line spacing. Left justify all paragraphs.
8. Ensure that all the headings are consistent in terms of font size and font style.
9. Use the footer function in the word processor to insert your name, subject, assignment number
and page number on each page. This is useful if individual sheets become detached for any
reason.
10. Use the word processing application's spell check and grammar check functions to help edit your
assignment.
Important Points:
1. It is strictly prohibited to use text boxes to add text in the assignments, except for the compulsory
information, e.g. figures, tables of comparison etc. Adding text boxes in the body except for the
aforementioned compulsory information will result in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions
will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you
may apply (in writing) for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will
then be asked to complete an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using
HARVARD referencing system to avoid plagiarism. You have to provide both in-text citation
and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be
reduced to A REFERRAL or at worst you could be expelled from the course.
Student Declaration
I hereby, declare that I know what plagiarism entails, namely, to use another’s work and to present it
as my own without attributing the sources in the correct way. I further understand what it means to
copy another’s work.
Student's Signature (E-mail ID): nithya.jayawardhana@gmail.com
Date (Submission Date): 09.11.2021
Assignment Brief
Submission Format:
The submission should be in the form of an individual written report. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of headings,
paragraphs and subsections as appropriate, and all work must be supported with evidence. You must
provide in-text citations and the reference list using Harvard referencing system.
Assignment Brief and Guidance:
AstraZeneca Campus is an education institute with 2 remote campuses and the main campus in
Colombo. The Web server, Moodle server and the Mail servers are located at the main campus, which
uses a high-speed Internet leased line connection from the ISP. The Moodle server, which is used for
practical work, can only be accessed from the local network at the main campus. The main campus network
connectivity is provided via wired connections. Layer 2 and Layer 3 security should be implemented at the
main branch. Wireless connectivity is provided for the students only for Internet access, and strict control
of data usage and URL filtering is required.
The management of the institute is planning to extend the facilities available in the main campus
network to the students in remote campuses through a VPN connectivity and also to minimize the
possibility of cyber-attacks to the main campus network to comply with the current network security
standards.
Assuming you have been appointed as the new network security analyst of AstraZeneca Campus,
prepare a network security architectural design with your suggestions and recommendations to
improve the security standard. In the designing process, you may consider the following aspects;
1. The main campus LAN needs to be Gigabit Ethernet and all network devices need to be compatible with
each other for maximum performance.
2. All the network devices should be manageable and only secure logins should be allowed on all devices.
3. AAA should be used for network device login authentication where possible, and a Syslog server should
be used to record logging events, with an NTP server for time.
4. All publicly available resources, including public web servers, need to be separated from the main
network and moved to a separate subnet. Only secure web access should be enabled for web
servers.
5. The network design should follow the Hierarchical Network Design Model.
6. End user authentication and management of security policies need to be centralized.
7. Internet usage management and URL filtering need to be enforced.
8. Communication between the head office and the branch offices needs to be highly secured.
9. Quality of service (QoS) should be implemented where possible.
(Hint: Clearly state your assumptions. You are allowed to assume the current network setup
according to the services available and propose the improvements according to your assumptions)
Activity 1
1.1 Discuss different types of network security hardware and software that are used in modern network
design.
1.2 Examine network security protocols and standards for secure network design while comparing and
contrasting at least two major network security protocols that can be implemented into the given
context.
Activity 2
2.1 Investigate the purpose and requirements of a secure network for the network of AstraZeneca
campus while reviewing the importance of network security to the organization.
2.2 Determine which HW/SW are suitable for AstraZeneca campus and provide a suitable IP allocation
plan using 172.30.0.0/16 network. Create a network design (blue print) for internal and branch
network of AstraZeneca (Public servers should be separated from the Internal Network).
Activity 3
3.1 Configure all the network devices to achieve the highest level of security and design and describe
the cryptographic types and other security related concepts and technologies used for the design.
(Provide configuration scripts/files/screenshots with comments)
3.2 Download open source PfSense firewall and configure basic firewall settings including DMZ and
VPN configurations. (Provide configuration scripts/files/screenshots with comments). Review how
QoS can be integrated into Network security configurations
Activity 4
4.1 Create a test plan and test your network (LAN and WAN). Critically evaluate the test results.
(Provide test configuration scripts/files/screenshots with comments.)
4.2 Make improvement/ recommendations to the re-designed network of AstraZeneca while critically
evaluating the design, plan, configuration, and testing of the implemented network.
Acknowledgement
To conclude this assignment successfully I got the support from my parents, lecturers and from
my friends. I thank all who supported me, and special thanks go to my lecturer Mr. Kavindu
Chethiya who enhanced my knowledge of the Network Security subject.
Table of Contents
Introduction (p. 13)
1.1 Discuss different types of network security hardware and software that are used in modern network design. (p. 14)
1.1.1.2 Switch (p. 15)
1.1.2.3 Nessus (p. 20)
1.1.2.5 Snort (p. 20)
1.2 Examine network security protocols and standards for secure network design while comparing and contrasting at least two major network security protocols that can be implemented into the given context. (p. 21)
2.1 Investigate the purpose and requirements of a secure network for the network of AstraZeneca campus while reviewing the importance of network security to the organization. (p. 24)
2.2 Determine which HW/SW are suitable for AstraZeneca campus and provide a suitable IP allocation plan using 172.30.0.0/16 network. Create a network design (blue print) for internal and branch network of AstraZeneca (Public servers should be separated from the Internal Network). (p. 28)
2.2.1.2 Switch (p. 29)
3.1 Configure all the network devices to achieve the highest level of security and design and describe the cryptographic types and other security related concepts and technologies used for the design. (Provide configuration scripts/files/screenshots with comments) (p. 35)
3.1.1.3 AAA Server Implementation (p. 38)
3.2 Download open source PfSense firewall and configure basic firewall settings including DMZ and VPN configurations. Review how QoS can be integrated into Network security configurations. (p. 49)
4.1 Create a test plan and test your network (LAN and WAN). Critically evaluate the test results. (p. 58)
References (p. 66)
Introduction
AstraZeneca Campus is an education institute with 2 remote campuses and the main campus
in Colombo. The management of the institute is planning to extend the facilities available in
the main campus network to the students in remote campuses through a VPN connectivity
and also to minimize the possibility of cyber-attacks to the main campus network to comply
with the current network security standards.
I have been appointed as the new network security analyst of AstraZeneca Campus, so I
prepared a network security architectural design with my suggestions and recommendations to
improve the security standard.
Activity 1
1.1 Discuss different types of network security hardware and software that are used
in modern network design.
1.1.1.1 Router
Figure 1: Router
1.1.1.2 Switch
Generally, a switch is a bridge with more than one port and a buffer, which boosts its
efficiency (a large number of ports means less traffic) and performance. The switch is
able to perform error checking before directing data, so it avoids forwarding packets that
have errors as well as only forwarding good packets to the correct port. Therefore, the
switch divides the collision domain of hosts, but does not divide their broadcast domains.
Figure 2: Switch
1.1.1.3 Network Access Control (NAC)
NAC is a network security control device that restricts the availability of network resources
to endpoint devices that comply with your security policy. Some NAC solutions can
automatically remediate non-compliant devices to ensure they are secure before allowing them to
access the network. Network access control does a great deal to improve the endpoint
security of a network. Before granting access to the network, NAC checks the device's
security settings to ensure that they meet the predefined security policy;
for instance, it may check whether the host has the latest antivirus software
and the latest patches. If the conditions are met, the device is permitted to enter the
network. If not, NAC will isolate the endpoint or connect it to the guest network until
the proper security upgrades are made to comply with the policy. NAC can use
agents to evaluate the device's security, or it may be agentless.
Figure 4: NAC
1.1.1.4 Firewalls
A firewall is a network security device that keeps uninvited guests from browsing your
network. It guards traffic at the ports through which a computer exchanges information with
external devices and filters traffic coming from unsecured sources. The different sorts of
firewalls include software, hardware or a mixture of both. All have different uses, strengths and
weaknesses.
1.1.1.4.1 Packet-Filtering Firewall
The principal benefit of packet-filtering firewalls is the speed at which the firewall's
actions are accomplished, because most of the work happens at
Layer 3 or below and complex application-level information is not needed. Often,
packet-filtering firewalls are used at the very edge of an organisation's security
networks. For instance, packet-filtering firewalls are very effective in protecting
against denial-of-service (DoS) attacks that aim to bring down sensitive systems on
internal networks.
1.1.1.4.2 Stateful Firewall
Among the most ubiquitous sorts of protection available, stateful inspection firewalls
allow or block traffic based on technical properties, like specific protocols, states or
ports.
Stateful inspection firewalls make the filtering decisions that determine whether data is
allowed to go through to the user. These decisions are often based on rules established by
the administrator when setting up the PC and firewall.
The firewall can also make its own decisions based on previous interactions it has
"learned" from. For example, traffic types that caused disruptions in the past would
be filtered out in the future.
1.1.1.4.3 Proxy Firewall
A proxy firewall is as close to an actual physical barrier as it is possible to get.
Unlike other sorts of firewalls, it acts as an intermediary between external networks and
computers, preventing direct contact between the two. Like a guard at a doorway, it essentially
looks at and evaluates incoming data. If no problem is detected, the data is allowed to
go through to the user.
The downside to this kind of heavy security is that it sometimes interferes with incoming
data that isn't a threat, leading to delays in functionality.
Next Generation Firewall
Evolving threats still demand more intense solutions, and next generation firewalls stay on
top of this issue by combining the features of a standard firewall with network intrusion
prevention systems.
In fact, threat-specific next gen firewalls are designed to examine and identify specific
dangers, like advanced malware, at a more granular level. More frequently employed by
businesses and complex networks, they supply a holistic solution to filtering out
dangers.
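The difference between a packet filter with no memory and stateful inspection is easiest to see in code. The following is an added example, not part of the report or of any firewall product: a toy connection table that admits inbound packets only when they answer a flow an inside host opened (or hit an explicitly published service), beside a stateless rule that has to trust the source port to let replies in. The addresses, the published DMZ web server and the sample packets are all constructed for the illustration; the 172.30.0.0/16 range is the one named in the brief.

```python
"""Added example: toy stateful packet filter vs. a stateless rule (constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("172.30.0.0/16")   # campus range from the brief, assumed trusted side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # Key a reply to this packet would carry: source and destination swapped.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def stateless_decide(pkt, published):
    """Packet filter with no memory: it cannot tell a genuine reply from an unsolicited
    packet, so to let replies in it must trust the source port (a classic weak rule)."""
    if ip_address(pkt.src) in INTERNAL:
        return "ALLOW"
    if (pkt.dst, pkt.dport) in published or pkt.sport == 443:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    def __init__(self, published):
        self.published = published   # {(dst_ip, dport)} services reachable from outside
        self.table = set()           # connection table: keys of flows opened from inside

    def decide(self, pkt):
        if ip_address(pkt.src) in INTERNAL:
            self.table.add(pkt.key())   # remember the outbound flow so its reply matches
            return "ALLOW"
        if pkt.reverse_key() in self.table:
            return "ALLOW"              # reply to a connection an inside host opened
        if (pkt.dst, pkt.dport) in self.published:
            return "ALLOW"              # explicitly published service, e.g. DMZ HTTPS
        return "DROP"


# Constructed traffic: a student browsing out, the genuine reply, a forged "reply" to a
# port nobody opened, public access to the DMZ web server on 443 and on 80, and an
# unsolicited inbound SSH connection attempt.
SAMPLE = [
    Packet("172.30.10.5", 51000, "203.0.113.20", 443),
    Packet("203.0.113.20", 443, "172.30.10.5", 51000),
    Packet("203.0.113.20", 443, "172.30.10.5", 51001),
    Packet("198.51.100.7", 40000, "172.30.250.10", 443),
    Packet("198.51.100.7", 40000, "172.30.250.10", 80),
    Packet("198.51.100.7", 40001, "172.30.10.5", 22),
]
PUBLISHED = {("172.30.250.10", 443)}   # assumed DMZ web server, HTTPS only


def run_stateful(packets=SAMPLE):
    fw = StatefulFilter(PUBLISHED)
    return [fw.decide(p) for p in packets]


def run_stateless(packets=SAMPLE):
    return [stateless_decide(p, PUBLISHED) for p in packets]


if __name__ == "__main__":
    for p, a, b in zip(SAMPLE, run_stateless(), run_stateful()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a}  stateful={b}")
```

The third packet is the point of the comparison: it arrives from port 443 but answers no connection the inside host made, so the stateless rule admits it while the stateful filter drops it. The same table also explains the speed argument made for packet filters above: the stateful filter does a set lookup per packet and must hold an entry per open flow.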
Figure 4: Firewall Types
1.1.1.4.4 IDS
Host-based IDSs are intended to monitor, detect and respond to activity and attacks
on a given host. In many cases, attackers target specific systems on corporate
networks that hold confidential data. They will often attempt to install monitoring
programs and exploit various vulnerabilities that can record user activity on
a specific host. Some host-based IDS tools provide policy management, statistical
analysis and data forensics at the host level. Host-based IDSs are best
used when an intruder attempts to access particular files or other
services that reside on the host computer. Since attackers mainly focus on
operating system vulnerabilities to break into hosts, in most cases the host-based IDS is
integrated into the operating systems that the host is running.
Network-based IDSs capture network traffic to detect intruders. Typically,
these systems act as packet sniffers that read through incoming traffic and use
specific metrics to assess whether a network has been compromised. Various web
and other proprietary protocols that handle messages between external and internal
networks, like TCP/IP, NetBEUI and XNS, are vulnerable to attack and require extra
ways of detecting malicious events. In many cases, intrusion detection
systems have difficulty working with encrypted data and traffic from virtual private
networks. Speed over 1 Gbps is also a constraining factor, although current and expensive
network-based IDSs have the capacity to work quickly over this speed.
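One of the "specific metrics" a network-based IDS applies is a count of distinct destination ports touched by one source within a short window, the classic port-scan indicator. The block below is an added example written for this page, not the report's own work and not Snort's or any other product's code: it runs that metric over constructed flow records (timestamp, source, destination, port) and returns one alert per offending source. The addresses and timings are made up; the slow scanner is included to show the metric's blind spot when probes are spread beyond the window, which is the kind of limitation the paragraph above alludes to.

```python
"""Added example: sliding-window port-scan metric over constructed flow records."""
from collections import defaultdict, deque

# (timestamp seconds, source IP, destination IP, destination port); all values constructed.
FLOWS = [
    (0.0, "192.0.2.77", "172.30.250.10", 21),     # slow scanner: one port every 15 s
    (1.0, "198.51.100.9", "172.30.250.10", 21),   # fast scanner: six ports in six seconds
    (1.5, "203.0.113.5", "172.30.250.10", 443),   # ordinary client, two services only
    (2.0, "198.51.100.9", "172.30.250.10", 22),
    (2.5, "203.0.113.5", "172.30.250.10", 443),
    (3.0, "198.51.100.9", "172.30.250.10", 23),
    (3.5, "203.0.113.5", "172.30.250.10", 80),
    (4.0, "198.51.100.9", "172.30.250.10", 25),
    (4.5, "203.0.113.5", "172.30.250.10", 443),
    (5.0, "198.51.100.9", "172.30.250.10", 80),
    (6.0, "198.51.100.9", "172.30.250.10", 443),
    (15.0, "192.0.2.77", "172.30.250.10", 22),
    (30.0, "192.0.2.77", "172.30.250.10", 23),
    (45.0, "192.0.2.77", "172.30.250.10", 25),
    (60.0, "192.0.2.77", "172.30.250.10", 80),
]


def detect_port_scans(flows, window=10.0, threshold=5):
    """Return one alert per (src, dst) pair whose flows reach at least `threshold`
    distinct destination ports within any `window` seconds. Each alert is
    (src, dst, window_start_ts, sorted distinct ports) at the moment the threshold is met."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        q = recent[(src, dst)]
        q.append((ts, dport))
        while ts - q[0][0] > window:   # slide the window: forget flows that are too old
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((src, dst, q[0][0], sorted(ports)))
    return alerts


if __name__ == "__main__":
    for src, dst, start, ports in detect_port_scans(FLOWS):
        print(f"ALERT possible port scan {src} -> {dst} from t={start}s, ports {ports}")
```

With the defaults only the fast scanner is reported; widening the window to 60 s also catches the slow one, at the cost of more memory per source and more false positives from busy legitimate clients. That trade-off between window size, threshold and throughput is what the paragraph's remark about speed above 1 Gbps is really about.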
1.1.1.5 IPS
An IPS is a network security device that can not only detect intruders but also
prevent them from successfully launching any known attack. Intrusion prevention
systems combine the capabilities of firewalls and intrusion detection systems.
However, implementing an IPS on an effective scale can be costly, so
organisations should carefully assess their IT risks before making the investment.
Also, some intrusion prevention systems are not as fast and robust as some
firewalls and intrusion detection systems, so an IPS might not be a
suitable solution when speed is an absolute requirement.
1.1.2.1 Wireshark
Wireshark first appeared under the name Ethereal. The console-driven tool is
an excellent protocol analyser, modelled chiefly after Tcpdump. Wireshark
gives an overview of the live network. It allows users to view reconstructed TCP session
streams. For security and device resource reasons, many prefer Tcpdump,
however Wireshark remains the most popular packet sniffer. Daily updates are
obtained for the tool to suit its robust packet sniffing capability.
1.1.2.2 Metasploit
Metasploit is available in an open-source and a commercial Pro edition for developers or security
professionals. Users can use this network security tool from Rapid7 to test
for more than 1,500 exploits, including the security of network segmentation. It also
enables organisations to conduct different security assessments and strengthen overall
network security so that they are more thorough and responsive.
1.1.2.3 Nessus
Wherever a network has insufficient security settings or faulty updates, this software
corrects the errors and improves network integrity. Nessus
identifies and fixes vulnerabilities that are detected, including patches that were
missing or incomplete, software bugs, or other general errors in applications, PCs
and operating systems.
1.1.2.4 Aircrack
A collection of cracking tools for WEP and WPA, Aircrack provides the best solutions
for mobile device security on the web. For cracking algorithms, Aircrack is robust
software. Airdecap for decrypting WEP/WPA files and aireplay for
packet injection are also included in the suite. There are numerous other
tools included in this suite, making a strong collection of information
security applications. Aircrack is an all-in-one solution for a range of security
tasks.
1.1.2.5 Snort
It is an open-source IDS that supports every operating system and hardware. The
software analyses protocols, searches and matches content, and detects
various attacks in network security. Snort is an effective intrusion detection and
prevention system because of its simple setup, flexible rules and
raw packet analysis.
1.2 Examine network security protocols and standards for secure network design
while comparing and contrasting at least two major network security protocols that
can be implemented into the given context.
1.2.1 HTTPS
The HTTPS protocol is used to ensure data security between two or more systems. It uses
Secure Socket Layer (SSL), now called Transport Layer Security (TLS), to establish an
encrypted link. HTTPS protects data from cyber-attacks for the duration of the transfer
from browser to web server because it encrypts the data during transmission. Although
cybercriminals may capture the data packets, the strong encryption will prevent them
from decoding them.
1.2.2 SSH
The SSH protocol, invented in 1995, secures data communication over a network using
cryptographic techniques. Logging in remotely or executing specific tasks remotely is
possible via the command line. SSH incorporates different features of FTP. The latest
versions are SSH-1 and SSH-2.
The SSH protocol has three layers:
The transport layer: ensures secure communication between the server and the
client, handles data encryption/decryption, and ensures the
integrity of the connection. It also performs data caching and
compression.
The authentication layer: conducts the client authentication procedure.
The network layer: manages communication channels after authentication.
1.2.3 IPSec – Internet protocol security
IPSec is a protocol that offers authentication, integrity and privacy between two entities,
as specified by the IETF IPSec Working Group. Management of cryptographic keys
can be achieved manually or dynamically by using an IETF-specified protocol named
Internet Key Exchange (IKE).
IPSec:
• Compresses at Layer 3
• Mutual node verification
• Can verify users, but needs L2TP
• Crypto implementation agnostic
• Client-to-client, or node-to-node (bulk)
• Compulsory for IPv6 implementation
• Does not work with NAT unless NAT Traversal (NAT-T) is used
1.2.4 DNSSEC
DNSSEC is a set of extensions that adds security to the Domain Name System (DNS)
protocol by enabling the validation of DNS responses. DNSSEC provides authentication
of denial of existence, data integrity, and origin authority. As a result of DNSSEC, DNS
protocols are significantly less susceptible to certain types of attacks, such as DNS
spoofing.
DNSSEC:
• Provides authentication and integrity of DNS answers
• Designed to protect against cache poisoning
• Uses a public key scheme, but does not do encryption
1.2.5 VSTP
VSTP (VLAN Spanning Tree Protocol) allows Juniper Networks switches to run Spanning
Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) instances for each VLAN
that is enabled for VSTP. VSTP optimises spanning-tree operation for
networks with multiple VLANs by defining the best paths within each VLAN instead of across
the entire network.
ISO/IEC 27002
ISO 27002 is the companion standard to ISO 27001. Organisations cannot certify to ISO 27002,
but the standard guides ISO 27001 implementation by providing best-practice guidance on
applying the controls listed in Annex A of that standard.
ISO/IEC 27031
ISO 27031 provides a framework of methods and processes to improve an organisation's
ICT readiness in order to ensure business continuity.
Achieving compliance with ISO 27031 helps organisations understand the
threats to ICT services, ensuring their safety in the event of an unplanned
incident.
ISO/IEC 27032
ISO 27032 is the international standard offering guidance on cybersecurity management. It
gives guidance on addressing a wide range of cybersecurity risks, including user
endpoint security, network security and critical infrastructure protection.
ISO/IEC 27701
ISO 27701 specifies the requirements for a PIMS (privacy information management system)
based on the requirements of ISO 27001. It is extended by a set of privacy-specific
requirements, control objectives and controls. Organisations that have implemented ISO
27001 will be able to use ISO 27701 to extend their security efforts to
cover privacy management. This can help demonstrate compliance with data
protection laws such as the CCPA and the EU GDPR.
Activity 2
2.1 Investigate the purpose and requirements of a secure network for the network of
AstraZeneca campus while reviewing the importance of network security to the
organization.
and anti-malware software. Information security analysts work for government agencies
and businesses to implement security plans and continuously monitor their effectiveness.
The primary goal of the network is to share information between its users, located
locally or remotely. There is also the possibility of unwanted users hacking the network in
a way that can prove harmful to the network or a user. There are a few essential points
which should be followed by the network administrator to give the network adequate security.
2. The organisation should also be clear about with whom the shareable information can be
shared.
3. With the increase of system security, the cost of its administration will also
increase accordingly; therefore a compromise level between security and cost
should be established according to the requirements of the organisation's security
policy. This will largely depend on the level of security expected to apply in the
organisation, the overall security requirements and the effective implementation of the chosen level
of security.
5. The requirements for protection have to be specified within a network security policy of the
enterprise that identifies the valuable data and their associated cost to the business. After
defining the specific network security policy and setting out the clear-cut responsibilities
within the enterprise, the system administrator has to be made accountable for
making sure that the security policy is correctly implemented in the organisation's
environment, which includes the present networking infrastructure.
2.1.3 Importance of Network Security for a University
The growing range of cyber threats targeting schools and universities is a startling
reality. Last year, there were multiple breaches of personally identifiable records at
professional institutions. Network vulnerabilities, hacked e-mail accounts and phishing
incidents probably exposed sensitive data of thousands of college employees and
college students. The data breaches yielded their names, birth dates, addresses, e-mail
addresses, phone numbers and social security numbers.
Identify Vulnerabilities
Preparedness is based on an accurate evaluation or audit of the IT environment. Evaluating
organisational regulations and practices, and assessing the implementation and the college's
technology infrastructure, is the most effective way to gauge the risk level. Only once risks and
vulnerabilities have been identified can they be addressed.
Security Updates
Most universities offer users virus scanning software free of charge. Just as the IT
department must keep patches up to date, users additionally need to keep their software
current. Now is an essential time to address vendor vulnerabilities. Encourage the campus
community to update their software, antivirus program and operating system.
Network security is one of the main parts of any business. With individuals working from
their beds and sending business messages from their couch, networks are
everywhere: they are usually your home. Accordingly, it is now more than ever
important to make network security your priority.
Security is a necessity for every organization, no matter how big or small. However,
network security shouldn't be overlooked by the individual either. Network security
decisions must be made by anyone who accesses the internet and wants to maintain the
security of their accounts.
Your workstations are protected from harmful spyware by network security. It also
ensures the security of shared data. The network security infrastructure provides several
levels of protection against man-in-the-middle attacks by breaking up the information into
multiple segments, encrypting these segments and transmitting them independently,
which prevents eavesdropping.
While no network is immune to attacks, a stable and efficient network security system
is essential to protecting your data, which is regarded as a gold mine. A good
network security system helps organisations reduce the risk of
data theft, sabotage, customer distrust, reputational and financial damage, and the
list goes on. In any case, just as a ship needs a good captain to protect it, any
business network needs a good network security engineer who can protect it and steer
it past troubled waters.
2.2 Determine which HW/SW are suitable for AstraZeneca campus and provide a
suitable IP allocation plan using 172.30.0.0/16 network. Create a network design
(blue print) for internal and branch network of AstraZeneca (Public servers should
be separated from the Internal Network).
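An IP allocation plan for the 172.30.0.0/16 range is a variable-length subnetting exercise, and doing it programmatically both produces the table and proves that no two segments overlap. The block below is an added example written for this page, not the report's own plan: the segment names and host counts are assumptions chosen to reflect the brief (student and staff VLANs, internal servers, a separate DMZ subnet for the public servers, a management network for AAA/syslog/NTP, two branch campuses and their VPN links), and the allocation is a generic largest-first VLSM carve using Python's standard ipaddress module.

```python
"""Added example: VLSM allocation of 172.30.0.0/16 with overlap checking (assumed sizes)."""
from itertools import combinations
from ipaddress import ip_network

CAMPUS = ip_network("172.30.0.0/16")     # the range given in the brief

# (segment name, hosts it must accommodate); constructed for this example.
REQUESTS = [
    ("Main-Students", 1000),
    ("Main-Staff", 250),
    ("Main-Servers", 50),        # Moodle and other internal-only servers
    ("DMZ", 20),                 # public web and mail servers on their own subnet
    ("Management", 30),          # device management, AAA, syslog, NTP
    ("Branch-1", 200),
    ("Branch-2", 200),
    ("VPN-Link-Branch-1", 2),    # point-to-point tunnel addressing
    ("VPN-Link-Branch-2", 2),
]


def prefix_for(hosts):
    """Longest prefix whose usable addresses (2^(32-p) - 2) cover `hosts`."""
    p = 30
    while (2 ** (32 - p) - 2) < hosts:
        p -= 1
    return p


def allocate(base, requests):
    """Largest-first VLSM: carve each request from the lowest free block that fits and
    return [(name, IPv4Network)]. Raises ValueError if the base range is exhausted."""
    free = [base]
    plan = []
    for name, hosts in sorted(requests, key=lambda r: -r[1]):
        p = prefix_for(hosts)
        for i, block in enumerate(free):
            if block.prefixlen <= p:
                chosen = block if block.prefixlen == p else next(block.subnets(new_prefix=p))
                free[i:i + 1] = list(block.address_exclude(chosen))   # keep the remainder
                free.sort()
                plan.append((name, chosen))
                break
        else:
            raise ValueError(f"no free block for {name} (/{p})")
    return plan


def plan_is_valid(plan, base=CAMPUS):
    """True if every subnet lies inside `base` and no two subnets overlap."""
    nets = [n for _, n in plan]
    inside = all(n.subnet_of(base) for n in nets)
    disjoint = all(not a.overlaps(b) for a, b in combinations(nets, 2))
    return inside and disjoint


if __name__ == "__main__":
    plan = allocate(CAMPUS, REQUESTS)
    for name, net in plan:
        print(f"{name:20} {str(net):20} usable hosts: {net.num_addresses - 2}")
    print("plan valid:", plan_is_valid(plan))
```

Two design points are worth noting. Sorting requests largest-first keeps the big blocks aligned and leaves the remainder of the /16 free for growth, which matters because the brief asks for a scalable design. And the separation the brief demands between the DMZ and the internal network is not a property of the addresses themselves; it comes from putting the DMZ on its own subnet and VLAN and enforcing the boundary on the firewall, which is why the plan gives it a dedicated block rather than a slice of a server VLAN.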
2.2.1.1 Router
A router is a layer 2 device used to interconnect different types of networks. It can
choose the best route among alternative routes. Routers contain a processor, digital memory and
input-output interfaces. Routers need an operating system that can run on them (Cisco IOS,
DD-WRT).
Cisco 2911 Router
I chose the Cisco 2911 router for my design because of its features. On the Cisco 2911
Integrated Services Router, you will find embedded hardware encryption acceleration,
voice and video capabilities of digital signal processors (DSPs), firewalls, intrusion
prevention, voice mail, and application services. Furthermore, the platforms support the
widest range of wired and wireless connectivity options in the industry, including T1/E1,
T3/E3, xDSL, copper and fiber GE.
2.2.1.2 Switch
Figure 5: Cisco 2950-24 Switch
2.2.1.3 Servers
Dual processor – this refers to a device having two separate processors. Instructions and
information are sent via all processors, allowing computer systems and networks to perform
faster than when using only a desktop PC.
Redundancy – this means the information you wish to store is saved in multiple
locations. If one location were ever to go down for any reason, you have the data saved in
another location, so information is not lost.
Hot-swappable components – a hot-swappable component means that if for any reason your
server suffers a loss of power, a device failure or a storage device failure, you are able to
change components while your computer system stays in operation.
Scalable – this means you are able to meet current needs and also future needs.
2.2.2 Selected Software Devices for AstraZeneca Campus
Ubuntu is a complete Linux operating system, freely available with both community and professional support. The Ubuntu community is built on the ideas enshrined in the Ubuntu Manifesto: that software should be available free of charge, that software tools should be usable by people in their local language and despite any disabilities, and that people should have the freedom to customise and alter their software in whatever way they see fit.
Ubuntu will always be free of charge, and there is no extra fee for the enterprise edition.
Ubuntu is suitable for both desktop and server use. The current Ubuntu release supports Intel x86 (IBM-compatible PC), AMD64 (x86-64), ARMv7, ARMv8 (ARM64), IBM POWER8/POWER9 (ppc64el), IBM Z zEC12/zEC13/z14 and IBM LinuxONE Rockhopper I+II/Emperor I+II (s390x).
Ubuntu includes thousands of pieces of software, starting with the Linux kernel version 5.4 and GNOME 3.28, and covering every standard desktop application from word processing and spreadsheet applications to web access applications, web server software, email software, programming languages and tools.
pfSense is a brand of firewall and router software that is free to use and customise as long as you have the right hardware, which can be anything from a dedicated appliance to an old PC you have salvaged. pfSense was first created in 2004 as a fork of the "m0n0wall" project, which aimed to produce full-featured, embedded firewall software.
But unlike other free software available on the web, the functionality that pfSense offers allows it to compete with commercial firewalls. Furthermore, depending on the degree of protection and security you are looking for, along with your technical knowledge, you can customise the pfSense firewall to suit the organisation's requirements.
2.2.2.3 Wireshark
Wireshark is a free and open-source packet analyser used for a variety of purposes, including education, analysis, software development, communication protocol development, and network troubleshooting. Captured packets are tracked so that they can be filtered to meet specific needs. It is also used by network security engineers to find problems with their networks.
The Wireshark application is free to use and is used to capture the data travelling back and forth. It is also known as a free packet sniffer. It puts the network card into promiscuous mode, so it accepts all packets received.
2.2.4 Blue print of the design
Figure: network blueprint showing the Internet, a router and a firewall in front of the Head Office, the Branch, the Server Room, switches and end-user devices. VLANs shown: Reception (VLAN 100), Account (VLAN 110), IT (VLAN 130), Science (VLAN 140) and Net_team (VLAN 160). Legend: copper cross-over, copper straight-through, wireless.
Block size table (columns as extracted): Management Dept., Reception, IT Faculty, Network team – block sizes 32, 64, 64, 32.
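As an added worked example (not part of the original assignment), the following Python script carves the 172.30.0.0/16 block from section 2.2 into VLSM subnets for the VLANs in the blueprint plus a separate DMZ for the public servers, a branch LAN and a WAN link, and then checks that no two ranges overlap and that the DMZ shares no addresses with any internal segment. The host counts per segment are constructed assumptions, not figures from the assignment.

```python
"""VLSM allocation of 172.30.0.0/16 for the campus design (added example)."""
import ipaddress
from itertools import combinations

# Constructed host-count requirements per segment (assumed, not from the assignment).
# VLAN IDs follow the blueprint; the DMZ, branch LAN and WAN link are separate segments
# so the public servers never share a broadcast domain with internal users.
REQUIREMENTS = {
    "VLAN 100 Reception": 30,
    "VLAN 110 Accounts": 60,
    "VLAN 130 IT": 120,
    "VLAN 140 Science": 60,
    "VLAN 160 Net_team": 20,
    "DMZ public servers": 14,
    "Branch LAN": 50,
    "WAN link HO-Branch": 2,
}
INTERNAL = [k for k in REQUIREMENTS if k.startswith("VLAN") or k == "Branch LAN"]


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2**n - 2) covers `hosts`."""
    plen = 32
    while 2 ** (32 - plen) - 2 < hosts:
        plen -= 1
    return plen


def allocate(base, requirements):
    """VLSM: allocate the largest requirement first so blocks stay aligned and contiguous."""
    net = ipaddress.ip_network(base)
    cursor = int(net.network_address)
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        size = 2 ** (32 - plen)
        cursor = -(-cursor // size) * size          # round up to the block boundary
        subnet = ipaddress.ip_network((cursor, plen))
        if not subnet.subnet_of(net):
            raise ValueError(f"{base} exhausted while allocating {name}")
        plan[name] = subnet
        cursor += size
    return plan


def overlapping_pairs(plan):
    """Every pair of segments whose address ranges overlap (should be empty)."""
    return [(a, b) for a, b in combinations(plan, 2) if plan[a].overlaps(plan[b])]


def dmz_is_separated(plan):
    """True when the public-server DMZ shares no addresses with any internal segment."""
    dmz = plan["DMZ public servers"]
    return all(not dmz.overlaps(plan[name]) for name in INTERNAL)


if __name__ == "__main__":
    plan = allocate("172.30.0.0/16", REQUIREMENTS)
    for name, subnet in plan.items():
        print(f"{name:22s} {str(subnet):20s} usable hosts: {subnet.num_addresses - 2}")
    print("overlaps:", overlapping_pairs(plan))
    print("DMZ separated from internal segments:", dmz_is_separated(plan))
```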
Activity 3
3.1 Configure all the network devices to achieve the highest level of security and
design and describe the cryptographic types and other security related concepts and
technologies used for the design. (Provide configuration scripts/files/screenshots
with comments)
Head Office Core Switch
Branch security is also ensured in the same way.
There are two components to SSH: the client and the server. SSH is used to connect a client machine (such as a PC) to a remote SSH server (such as a router). A network administrator can run commands on the remote device once the connection has been established.
3.1.1.3 AAA Server Implementation
3.1.1.4 Syslog Server Records
Syslog has been used for decades as a method of transporting messages from network
devices to a logging server known as a syslog server.
3.1.1.5 NTP Server
NTP stands for Network Time Protocol. It is an Internet protocol used to synchronise computers to a time reference and to synchronise their clocks.
3.1.1.6 Layer 2 and Layer 3 Implementations
RSTP Configurations
LACP Configurations
Access Control Implementations
NAC solutions provide network visibility and access management by enforcing policies on
corporate devices and users.
3.1.2 Cryptography
Cryptography is the study of disguising data so that nobody except the intended recipient can reveal it. Cryptographic practice involves the use of an encryption algorithm that transforms the plaintext into ciphertext. The receiver decodes the ciphertext with the help of a shared or chosen key.
Cryptography combines the use of different algorithms, also called ciphers, to perform encryption or decryption. These algorithms are a complete set of rules and contain computations that provide the various properties of a standard cryptosystem. While some of them guarantee non-repudiation and integrity, others guarantee confidentiality and authentication.
The kinds of encryption depend on the number and roles of the keys used for encryption. Therefore, the classification based on keys is into symmetric encryption and asymmetric encryption key algorithms. Cryptographic schemes that do not involve keys and are irreversible are known as hash functions. This section presents the types of cryptography based on the varying number and roles of the keys used in encryption.
The key that communicating parties exchange can be a passphrase or code. It can also be a random series of numbers or characters, which should be generated using a secure pseudo-random number generator (PRNG).
The size of the key directly relates to the strength of the cryptographic algorithm. That is, a large key strengthens the encryption, with less chance of it being successfully broken. For example, the Data Encryption Standard (DES) with its 56-bit key size is no longer a secure encryption standard because of its small key size.
Types of Symmetric Algorithms
1. Stream Algorithms
Unlike block algorithms, stream algorithms do not divide the data into blocks. They encrypt one byte at a time while the data is being streamed, rather than holding it in memory.
2. Block Algorithms
Block encryption algorithms divide the message into fixed-size blocks of data and then encrypt each block of data in turn with the help of a chosen secret key. Block ciphers use various modes such as Electronic Codebook (ECB), Output Feedback (OFB), Cipher Block Chaining (CBC), and so on, which dictate how to partition the blocks and encrypt the data.
Despite having been in use for a long time, symmetric encryption is still respected and used for its efficiency and speed. Symmetric encryption consumes relatively few system resources in comparison with other encryption methods. Because of these properties, organisations use symmetric encryption for fast bulk data encryption, such as databases.
The most common application areas for symmetric encryption are banking and applications involving card transactions, to give high protection from fraud. In financial areas, Personal Identification Information must be kept strictly secret. It is also desirable to confirm whether the sender is the person he claims to be.
In addition, AES, the replacement for Triple-DES, is an ideal algorithm for a wireless network that incorporates the WPA2 protocol and controller applications. AES is the preferred choice for fast encrypted data transfer to USB, for the Windows Encrypting File System (EFS), and is used for disk encryption techniques.
The private key is known only by the recipient or by users who can keep it secret. When someone needs to communicate or transfer a document, they encrypt the data with the intended recipient's public key. Then the recipient uses their private key to access the secret message. Since the security of a system incorporating asymmetric key algorithms depends entirely on the secrecy of the private key, it achieves confidentiality.
The most common uses of asymmetric encryption are the secure exchange of the symmetric key and digital signatures. The use of asymmetric encryption in digital signatures helps provide non-repudiation in data exchange. This happens with the sender digitally signing data with their private key while the recipient verifies (decrypts) it with the sender's public key. Hence, it achieves integrity and non-repudiation.
Another use of asymmetric encryption is in the SSL/TLS cryptographic protocols, which help set up secure connections between web browsers and websites. TLS uses asymmetric encryption to share the symmetric key and then uses symmetric encryption for fast data transmission. Digital currencies like Bitcoin also use public-key cryptography for secure transactions and communications.
Cryptographic hash functions take data of variable length and transform it into an irreversible fixed-length output. The output is called a hash value or a message digest. It can be stored instead of the credentials to achieve security. Later, when required, the credential such as a password is run through the hash function to check its authenticity.
These are the properties that affect the security of hashing and credential storage.
Hash functions are widely used for secure data exchanges in cryptocurrencies while preserving the anonymity of the user. Bitcoin, the largest and most trusted cryptocurrency platform, uses SHA-256, while the IOTA platform for the Internet of Things uses its own cryptographic hash function called Curl.
Nonetheless, hashing plays a vital role in many more areas of computing and technology for data integrity and authenticity. This use is possible through its property of determinism. It also finds uses in digital signature generation and verification. It can likewise be used to verify files and message authenticity.
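The credential-storage and integrity uses described above, as an added example that is not part of the original assignment: the password is never stored, only a salted PBKDF2-HMAC-SHA256 digest that is recomputed and compared in constant time at login, contrasted with an unsalted digest whose determinism lets one leaked table be matched against every user; the same determinism is what makes a SHA-256 digest usable as a file integrity check. The sample password and file content are constructed, and the iteration count is an assumed work factor.

```python
"""Salted password-hash storage, verification and file-integrity digests (added example)."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def make_record(password, salt=None):
    """Return a storable record: algorithm$iterations$salt$digest (hex).
    A fresh random salt is drawn unless one is supplied, so two users with the
    same password get different records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the stored salt and iteration count and compare it
    in constant time; the plaintext password is never stored anywhere."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password):
    """What NOT to store: a deterministic digest is identical for every user who
    shares the password, so one leaked table can be matched against all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def file_digest(data):
    """Integrity check: the same bytes always give the same SHA-256 (determinism),
    and any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    rec_a = make_record("Winter2021!")          # constructed sample password
    rec_b = make_record("Winter2021!")
    print("records differ:", rec_a != rec_b)
    print("correct password verifies:", verify_password("Winter2021!", rec_a))
    print("wrong password rejected:", not verify_password("winter2021!", rec_a))
    print("unsalted digests collide:", unsalted_sha256("Winter2021!") == unsalted_sha256("Winter2021!"))
    config = b"hostname HO-CORE-SW\n"            # constructed sample file content
    print("tamper detected:", file_digest(config) != file_digest(config + b"!"))
```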
3.2 Download open source PfSense firewall and configure basic firewall settings
including DMZ and VPN configurations. Review how QoS can be integrated into
Network security configurations.
Virtual Appliances
Netgate virtual appliances with pfSense Plus software extend your applications and connectivity to authorised users everywhere, through Amazon AWS and Microsoft Azure cloud services. Connect your employees, partners, customers and other parties to share resources in site-to-cloud, cloud-to-cloud and virtual private cloud (VPC) networking.
Solutions
Providing complete network security solutions for the enterprise, large business and SOHO, Netgate solutions with pfSense Plus software bring together the most advanced technology available to make protecting your network easier than ever before. Our products are built on the most reliable platforms and are engineered to deliver the highest levels of performance, stability and confidence.
Product Support
Their staff has direct access to the pfSense development team. Having a pfSense engineer ready to answer your questions and give "best practice" advice will supplement your IT resources and add value to your team. If you buy your hardware appliance from the pfSense store, our experience with the products will allow our support team to give end-to-end solutions covering all aspects of the hardware and the firewall application.
Professional services
They know the challenges you face are complicated. Netgate staff can help you implement effective solutions to solve those problems. They will help you plan, design, implement, operate and manage the right technology strategy to improve the way you do business. From network security to high availability to firewall migrations, we provide powerful solutions so you can focus on running your business.
4. Excellent overall solution value – features (firewall, router, and VPN), price-performance, and ease of use combine to make this an unbeatable value.
Trusted by service providers, consumers, and businesses.
Globally recognized support options offering high levels of assurance.
An IPsec VPN securely connects all your sites into the same private network, using Internet connectivity as the data communications network. This sort of VPN is deployed between a security appliance or firewall at each location, ensuring a secure IPsec tunnel between sites. The LAN sits behind these security devices, and no software is required on laptops, desktops or servers to allow VPN connectivity between locations. VPN network topologies are available in hub-and-spoke or meshed configurations. The main advantages of these types of data networking services are price, the ability to use existing Internet connectivity for data transport, and easy integration of remote users with VPN client software. IPsec VPN connectivity does have its flaws, in that the quality of service (QoS) is not always consistent because of Internet network congestion or poor performance. Also, there is increased potential for network downtime if only a single Internet connection is used with no failover connectivity. IPsec VPN networks are an excellent choice for organisations with limited IT budgets, many remote users, or simple application and uptime requirements.
3.2.2.1 IPsec VPN Configurations
Head Office
Branch
3.2.3 QoS for a Network
To solve the problem of network congestion caused by a large number of active users consuming the router's resources, Quality of Service (QoS) should be implemented. Quality of Service (QoS) is a technology that classifies and prioritises network traffic types, for example sensitive and non-sensitive data traffic.
Sensitive data traffic, such as voice traffic and video traffic, requires guaranteed bandwidth as it operates in real time. Non-sensitive data traffic, such as web browsing and email, requires only non-guaranteed bandwidth, as the application can retransmit packets dropped because of network congestion.
Applications that use the User Datagram Protocol (UDP), such as voice traffic and video traffic, require QoS implementation as UDP does not guarantee delivery of a message, unlike the Transmission Control Protocol (TCP), which can retransmit lost packets and guarantee message delivery. With QoS, network performance and user experience will be optimised.
Quality of Service (QoS) tools enable us to manage these four network traffic QoS characteristics:
2. Delay – the time it takes for a message to travel from the source device to the destination device. It is sometimes referred to as latency. High latency will delay the arrival of traffic at the destination device and therefore causes a slower response time when establishing a connection with a particular device or application.
3. Jitter – the variation in the one-way delay of consecutive packets being sent. For instance, if the first packet is sent and the second packet is sent 50 milliseconds (ms) later, the time it takes for the second packet to be sent after the first packet was sent is the jitter, and it is 50 ms.
4. Loss – it happens when the router's buffer is full and new incoming packets are dropped. Having excessive packet loss will cause the receiving device to get an incomplete message.
Listed below are the most commonly used QoS tools for managing the QoS characteristics of network traffic:
1. Classification – applied to the router's interface; determines whether a packet requires QoS treatment or not.
4. Congestion Avoidance – drops packets early to avoid congestion.
5. Queuing – stores packets in the buffer and holds them until it is their turn to exit the router's interface.
6. Policing – enforces a rate limit by dropping or re-marking excess packets.
7. Shaping – enforces a rate limit by delaying excess packets, storing them in the router's buffer for a certain amount of time.
Here are the steps for configuring and implementing QoS in our network:
1. Identify the traffic and its requirements. Analyse the data packets to determine whether they are voice traffic, web traffic, application traffic or email traffic, and then apply QoS accordingly.
2. Classify the traffic. Put a value on the packet headers of traffic that is classified and marked.
3. Define QoS policies for each class. Determine whether a specific packet class should be allowed, dropped, or rate-limited.
4. Assign the policy to the interface.
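The difference between the policing and shaping tools listed above (drop the excess versus buffer it), as an added example that is not part of the original assignment: both enforce the same rate limit with a token bucket, and the same constructed packet trace is run through each so that the dropped packets of the policer and the queueing delay of the shaper can be compared directly. The rate, bucket depth and trace are constructed values.

```python
"""Token-bucket policer vs shaper on a constructed packet trace (added example)."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float        # bytes of credit added per millisecond (the rate limit)
    burst: int         # bucket depth in bytes; the largest burst admitted at once
    tokens: float = 0.0
    last: float = 0.0  # time (ms) of the last refill

    def __post_init__(self):
        self.tokens = float(self.burst)   # start with a full bucket

    def refill(self, now):
        """Accrue credit for the time elapsed since the last refill, capped at burst."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now


def police(packets, rate, burst):
    """Policing: a packet that exceeds the available credit is dropped on the spot.
    Returns (forwarded, dropped) lists of (arrival_ms, size) tuples."""
    bucket = TokenBucket(rate, burst)
    forwarded, dropped = [], []
    for arrival, size in packets:
        bucket.refill(arrival)
        if bucket.tokens >= size:
            bucket.tokens -= size
            forwarded.append((arrival, size))
        else:
            dropped.append((arrival, size))
    return forwarded, dropped


def shape(packets, rate, burst):
    """Shaping: an excess packet is held in the FIFO buffer until enough credit
    accrues. Returns (arrival_ms, departure_ms, size) per packet; nothing is dropped."""
    bucket = TokenBucket(rate, burst)
    schedule = []
    last_departure = 0.0
    for arrival, size in packets:
        now = max(arrival, last_departure)   # cannot leave before the packet ahead of it
        bucket.refill(now)
        if bucket.tokens < size:
            now += (size - bucket.tokens) / bucket.rate   # wait for the missing credit
            bucket.refill(now)
        bucket.tokens -= size
        last_departure = now
        schedule.append((arrival, now, size))
    return schedule


# Constructed trace: (arrival time in ms, packet size in bytes). The bursts at t=0 and
# t=9 exceed a 100 B/ms (800 kbit/s) limit with a 400-byte bucket.
TRACE = [(0, 200), (0, 200), (0, 100), (5, 300), (9, 200), (9, 300), (9, 100)]
RATE, BURST = 100, 400

if __name__ == "__main__":
    forwarded, dropped = police(TRACE, RATE, BURST)
    print("policer forwarded:", forwarded)
    print("policer dropped:  ", dropped)
    for arrival, departure, size in shape(TRACE, RATE, BURST):
        print(f"shaper: {size:3d} B arrived {arrival:2d} ms, "
              f"sent {departure:4.0f} ms, delayed {departure - arrival:.0f} ms")
```

Policing keeps latency flat but loses two packets of the trace; shaping delivers every packet but the tail of each burst leaves later than it arrived, which is why sensitive voice and video classes are usually prioritised rather than shaped.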
Activity 4
4.1 Create a test plan and test your network (LAN and WAN). Critically evaluate the
test results.
Introduction
This test plan is intended to give guidance to developers in the identification and correction of connectivity issues within a network design. It may also be useful to IT professionals who support these networks.
Prerequisites
The prerequisite skills and knowledge needed for the different roles are itemised below.
IP Setup
Wireless Modems/Routers
Cloud Services
General Prevention
Give some guidance on how developers can reduce the likelihood of errors occurring in the network design. As an example:
There are a few common reasons for poor network and connectivity issues. Most organisations depend on a copper-based, broadband, subscription service. A typical issue arises when lines are cut or damaged during a nearby construction project. Another common reason for connectivity issues is data server failure. Switch issues can also be the source of the problem. Any hardware failure can lead to a total network failure. Without a backup or redundant framework to take over, operations depending on connectivity can come to a sudden halt.
Testing of Implementations
SSH Testing
Test Case No | Test Action | Test Type | Expected Outcome | Result
1 | Checking remote login: ssh -l with correct username | Normal | Logging in to device | √
1 | Checking remote login: ssh -l with wrong username | Error | Error message displayed | √
AAA Server Testing
Port Security Testing
4.2 Make improvement/ recommendations to the re-designed network of AstraZeneca
while critically evaluating the design, plan, configuration, and testing of the
implemented network.
We can plan future enhancements based on the Internet of Things. We can control the whole system of interrelated computing devices, mechanical and digital machines provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
The IoT network infrastructure topic section offers comprehensive resources on building and managing a network architecture capable of handling the Internet of Things. Learn about the advantages and disadvantages of different technologies and get guidance on various frameworks and protocols such as Bluetooth LTE and Wi-Fi.
Wireless networks based on radio waves have two major drawbacks. One is that data transfer speeds on the RF spectrum are limited, which is part of the reason why sending data over a wireless Internet connection is almost always slower than using an Ethernet interface. The second is that the RF spectrum has a limited range, which leads to interference that can disrupt wireless connectivity.
A better solution is optical wireless. As the term implies, optical wireless technology makes it possible to use optical light waves, rather than radio waves, as the backbone for wireless communications. Using optics, data can be transmitted more quickly and with a lower risk of interference, which means optical wireless networks offer serious performance improvements over conventional Wi-Fi. They will equip MSPs with faster, more reliable ways of delivering connectivity without requiring clients to be physically connected.
Grading Rubric
D2 Review what is meant by Quality of Service (QoS) in relation to Network Security configuration.
LO4 Undertake the testing of a network using a Test Plan.
P7 Create a Test Plan for your network.