ASM1 - 1623 - GDD210033 - Phung Huu Minh Khanh - GCD1102


ASSIGNMENT 1 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Phung Huu Minh Khanh Student ID GDD210033

Class GCD1102 Assessor name HienNQ

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature Km

Grading grid

P1 P2 P3 P4 M1 M2 D1

Page | 1
Summative Feedback:
Resubmission Feedback:

Grade: Assessor Signature: Date:


Lecturer Signature:

Table of Contents
List of Figures ... 3
Task 1: Identify types of security threat to organizations. Give an example of a recently publicized security breach and discuss its consequences (P1) ... 4
1. IT threats ... 4
1.1. Malware Attacks ... 4
1.2. Social engineering ... 7
1.3. Network Attack ... 9
1.4. Application Attack ... 10
Task 2: Describe at least 3 organizational security procedures (P2) ... 11
1. Acceptable Use Policy (AUP) ... 11
2. Access Control (ACP) ... 12
3. Information Security ... 13
4. Change Management ... 13
Task 3: Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS (P3) ... 13
1. Firewall ... 13
2. Intrusion Detection System (IDS) ... 15
3. Firewall threat-risk ... 16
3.1. Insider Attacks ... 16
3.2. Missed Security Patches ... 17
3.3. Configuration Mistakes ... 17
3.4. A Lack of Deep Packet Inspection ... 17
3.5. DDoS Attacks ... 17
Task 4: Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security (P4) ... 18
1. DMZ (Demilitarized zone) ... 18
2. Static IP ... 21
3. NAT ... 23
References ... 26

List of Figures
Figure 1: Type of Malware Attacks ... 4
Figure 2: Computer viruses ... 5
Figure 3: Trojans Horse ... 6
Figure 4: Spyware ... 7
Figure 6: Baiting ... 8
Figure 7: Scareware ... 9
Figure 8: Pretexting ... 9
Figure 9: SQL Injection ... 10
Figure 10: Application Attacks ... 11
Figure 12: Session Hijacking Attack ... 11
Figure 13: AUP ... 12
Figure 14: Firewall ... 14
Figure 15: IDS Diagram ... 15
Figure 16: DDoS Attack ... 18
Figure 17: DMZ ... 19
Figure 18: How DMZs work? ... 19
Figure 19: Static IP Address ... 22
Figure 20: Network Address Translation ... 23

Task 1: Identify types of security threat to organizations. Give an example of a recently publicized
security breach and discuss its consequences (P1)
1. IT threats
A threat is any event or actor with the potential to exploit a vulnerability and harm the network; in effect, an attack waiting to happen. Threats in the digital world often mirror those in the physical one: theft, vandalism and eavesdropping have all migrated into cyberspace, usually by way of the Internet. The notable differences are the reach of these attacks, the degree to which they can be automated, and the speed at which attack methods propagate.
1.1. Malware Attacks
A malware attack is a common cyberattack in which malware (malicious software) executes unauthorized actions on the victim's system. "Malware" is the umbrella term; a virus is only one kind of malware, alongside ransomware, spyware, command-and-control implants and more. Criminal organizations, state actors and even well-known businesses have been accused of (and in some cases caught) deploying malware. Like other kinds of cyberattack, some malware attacks end up in mainstream news coverage because of their severe impact. How malware attacks typically work:
• Malware reaches a device in a variety of ways, including email attachments or links that the user must open for the malware to run.
• This category of attack includes computer viruses, Trojan horses, worms and spyware.

Figure 1: Type of Malware Attacks.

1.1.1. Computer viruses


A computer virus is a malicious program that secretly loads onto a user's computer and carries out malicious actions.
Viruses are written by people, but once produced and released, no one directly controls how they spread. A virus that has infected a computer attaches itself to another program so that when the host program runs, the virus's code runs as well. It can replicate itself, attaching to other files or programs and infecting them in the process. Not every virus carries a destructive payload, but most do something harmful, such as erasing data. Some viruses stay dormant until a specific trigger event occurs and only then run their code; others cause damage as soon as they are executed. Viruses spread when infected software or documents move from one computer to another over a network, on a disk, through file-sharing protocols, or as infected email attachments. Some viruses use stealth techniques to evade antivirus software: for instance, infecting files without increasing their size, terminating the processes belonging to antivirus products before they can detect the virus, or (in some older viruses) preserving the host file's "last modified" timestamp so that the infection is not obvious.

Figure 2: Computer viruses.

A virus can spread or attack in several ways, such as:
• Downloading free games, toolbars, media players and other software.
• Visiting an infected or insecure website.
• Clicking on advertisements.
• Clicking on an executable file.
• Using infected removable storage devices, such as USB drives.
• Opening spam email or clicking on a link in it.
• Installing free software and apps.
1.1.2. Trojans Horse
A "trojan" or "trojan horse" is a type of malware (not strictly a virus, since it does not replicate itself) that disguises itself as an ordinary application such as a utility, a game or occasionally even an antivirus product. Once installed on the computer, it can corrupt the file system, delete data from the hard disk and kill background system processes.

Figure 3: Trojans Horse.

Trojans are typically delivered as email attachments, in emails crafted to look genuine. As soon as the user downloads and opens the attached file, the system is compromised. A Trojan can also be bundled with shareware and freeware downloads. Not all freeware contains Trojans, but downloading software only from reliable sources is advised, and it is essential to read the installation prompts carefully and decline anything bundled with the program you actually want. Trojans serve a variety of purposes, depending on the attacker's goals: identity theft, data theft, crashing the computer, espionage and monitoring user activity are a few examples. Most antivirus programs recognise common Trojans, and a Trojan does nothing until it is executed. Trojans do not replicate themselves, but they can be combined with a virus that spreads to other machines on the network. A computer can be kept safe by installing reputable antivirus software, keeping its virus definitions up to date, being cautious with email attachments even when they appear legitimate, and paying attention to system security prompts. How a Trojan horse attack works:
• The victim receives an email with an attachment that appears to be an authentic official message. When the victim opens the attachment, any malicious code it contains may begin to run immediately.
• The victim does not realise, or suspect, that the attachment is a Trojan horse.
1.1.3. Spyware
Spyware is a class of software that seeks to steal personal or organizational data. It does so by carrying out a series of activities without the necessary user permissions, often covertly. Serving advertising, gathering personal data and altering the computer's configuration settings are all common spyware activities. Adware, tracking cookies, system monitors and Trojans are the most common categories of spyware. Freeware and shareware bundles with hidden components are the most common way for spyware to get onto a computer. Once successfully installed, a spyware program begins sending data from that machine to a remote location in the background.

Figure 4: Spyware.

Spyware is frequently used today to serve pop-up ads based on user behaviour and search history. Spyware used maliciously, however, is hard to distinguish because it hides among the computer's system files. Keyloggers are among the simplest and most common forms, and among the most damaging: they record keystrokes and can therefore capture passwords, credit card numbers and other sensitive data. Keyloggers are also deliberately installed on some business computers and shared networks to monitor user activity. Spyware on a computer can change user settings, permissions and administrative rights; this can lock users out of their own machines and, in rare cases, lead to complete data loss. Because spyware is designed to monitor the computer and runs in the background, it also adds processes, causes more frequent crashes and often slows the machine down. The best defence is to use reliable antivirus and antispyware software and, more importantly, to be careful when installing freeware by unticking pre-selected options. Spyware may install itself silently, arrive as a hidden component of a software bundle, or be delivered like other malware through misleading advertisements, emails and instant messages.
1.2. Social engineering
Social engineering describes a wide range of malicious activities carried out through human interaction. Users are manipulated psychologically into divulging sensitive information or making security mistakes. A social engineering attack may involve one or more steps. To prepare, the attacker first researches the target to learn background details such as likely points of entry and weak security controls. The attacker then works to win the victim's trust and create a reason for the victim to break security later, for example by disclosing confidential information or granting access to critical resources. Social engineering can be attempted anywhere there is human interaction. Three of the most common types of digital social engineering attack are described below.
1.2.1. Baiting
As the name suggests, baiting attacks use a false promise to spark the victim's curiosity or greed, luring users into a trap that steals their personal information or infects their systems with malware. The most recognisable form of baiting spreads malware on physical media. Attackers frequently leave infected USB flash drives in plain sight where potential victims are sure to find them (bathrooms, elevators, the car park of the targeted company). The bait looks legitimate, for example carrying a label presenting it as the company's payroll list. Out of curiosity, the victim picks it up and plugs it into a home or office computer, and the malware on the drive installs. On current operating systems, where autorun for removable media is disabled by default, this usually happens when the victim opens one of the files on the drive, so the attacker relies on curiosity to complete that step.

Figure 5: Baiting.

Baiting does not have to take place in the physical world. Online, baiting takes the form of enticing advertisements that lead visitors to malicious websites or encourage them to download malware-laden software.
1.2.2. Scareware
Scareware bombards victims with bogus threats and false alarms. Users are tricked into believing their computer is infected with malware, which leads them to install software that either serves only to profit the attacker or is itself malware. Scareware is also known as fraudware, deception software and rogue scanner software. A common form is the legitimate-looking pop-up that appears in your browser as you surf the web with text such as "Your computer may be infected with harmful spyware applications". It either offers to install the (malicious) tool for you or directs you to a malicious website where your machine is infected. Scareware is also distributed through spam emails that issue false warnings or urge recipients to purchase useless or harmful services.

Figure 6: Scareware.

1.2.3. Pretexting
Here an attacker obtains information through a series of cleverly constructed lies. The scam is frequently started by a perpetrator who claims to need the victim's private information in order to complete an important task. The attacker typically begins by establishing trust, posing as a co-worker, police officer, bank or tax official, or any other person who would plausibly have a right to know. Through questions supposedly needed to confirm the victim's identity, the attacker collects important personal data. This scam is used to obtain all kinds of sensitive data and records, including social security numbers, personal addresses and phone numbers, phone records, staff holiday dates, bank records and even security information about a physical plant.

Figure 7: Pretexting.

1.3. Network Attack


A network attack is an attempt to gain unauthorized access to an organization's network in order to steal data or carry out other malicious activity. Network attacks generally fall into two categories:
• Passive: the attacker gains access to the network and monitors or steals sensitive data without altering it.
• Active: the attacker not only gains unauthorized access but also alters data, for example by deleting, encrypting or otherwise damaging it.
Network attacks are distinct from, but often combined with, several other forms of attack:
• Endpoint attacks: unauthorized access to user devices, servers or other endpoints, usually through malware infection.
• Malware attacks: introducing malware into IT resources, which lets attackers take control of systems, steal data and cause harm. Ransomware attacks fall into this category.
• Vulnerabilities, exploits and attacks: using flaws in the organization's software to compromise, sabotage or gain unauthorized access to systems.
• Advanced persistent threats: sophisticated, multi-stage campaigns that combine network attacks with the other attack types above.
The attacker's main goal in a network attack is to breach the corporate network perimeter and gain access to internal systems. Once inside, attackers frequently mix tactics, such as compromising an endpoint, spreading malware, or exploiting a flaw in a network system.

Figure 8: SQL Injection.

1.4. Application Attack


In an application attack, criminals target the application layer to get into restricted functionality or data. Attackers frequently look at the application layer first, searching for vulnerabilities in the application's own code. Attacks target applications written in many languages, including .NET, Ruby, Java, Node.js, Python and others, though some languages are targeted more often than others. Both custom code and open-source frameworks and libraries contain security flaws.

Figure 9: Application Attacks

1.4.1. Session Hijacking Attack


A session hijacking attack targets the session identifier. This unique ID tracks a user's activity across requests so that the user does not have to log in again on every page. Depending on how strong the session ID is and how it is transmitted, an attacker may be able to capture it (for example, by sniffing it from an unencrypted connection) or guess it (when it is predictable) and then present it in place of the legitimate user. If successful, the attacker has access to everything the server sends during that session and can act within the victim's account, including obtaining credentials to private accounts.

Figure 10: Session Hijacking Attack.
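As an added example (not code from the assignment), the following Python sketch shows the two server-side properties that decide whether a session ID can be hijacked by guessing or by reuse: how the ID is generated and whether it is replaced at login. The `SessionStore` class, the `weak_session_id` and `guess_next_weak` helpers and the 15-minute idle timeout are assumptions of this example, not anything the page describes.

```python
import secrets
import time
from typing import Optional

# Added example: a minimal server-side session store (hypothetical design,
# not code from the assignment). The session ID travels in a cookie; the
# server derives identity only from this lookup table.

SESSION_ID_BYTES = 32  # 256 bits of entropy from the OS CSPRNG


def weak_session_id(counter: int, now: float) -> str:
    """The kind of ID the text warns about: clock plus a counter, so anyone
    who sees one ID can guess the next. Shown only as the bad pattern."""
    return f"{int(now)}-{counter}"


def guess_next_weak(observed: str) -> str:
    """What an attacker does with a weak ID: increment the counter."""
    ts, counter = observed.split("-")
    return f"{ts}-{int(counter) + 1}"


def strong_session_id() -> str:
    """Unguessable ID: 32 random bytes, URL-safe base64 encoded."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    """Sessions keyed by an unguessable ID, rotated at login and expired
    after an idle timeout so a captured ID has a limited lifetime."""

    def __init__(self, idle_timeout_s: int = 900) -> None:
        self._sessions: dict = {}
        self.idle_timeout_s = idle_timeout_s

    def create(self, user: Optional[str] = None, now: Optional[float] = None) -> str:
        sid = strong_session_id()
        self._sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
        return sid

    def login(self, old_sid: str, user: str, now: Optional[float] = None) -> str:
        """Rotate the ID when privilege changes. An ID the attacker captured
        (or planted via session fixation) before login is discarded, so it
        never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user, now)

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the session for sid, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]  # expired: a stolen ID stops working
            return None
        sess["last_seen"] = now
        return dict(sess)

    def logout(self, sid: str) -> None:
        """Invalidate server-side; deleting the cookie alone is not enough."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(idle_timeout_s=60)
    anon = store.create(now=1000.0)
    auth = store.login(anon, "alice", now=1002.0)
    weak = weak_session_id(41, 1700000000)
    print("weak ID", weak, "-> attacker guesses", guess_next_weak(weak))
    print("old ID still valid after login?", store.lookup(anon, now=1003.0) is not None)
    print("new ID maps to", store.lookup(auth, now=1003.0)["user"])
```

An unguessable, rotated ID only defeats the guessing path. The capture path the paragraph mentions needs transport controls as well: the cookie carrying the ID should be marked Secure and HttpOnly and the site served only over HTTPS, otherwise the ID can still be read off the wire or by injected script.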

Task 2: Describe at least 3 organizational security procedures (P2)


1. Acceptable Use Policy (AUP)
An acceptable use policy, or AUP, is an agreement between two or more parties that sets out the appropriate use of a corporate network or Internet access. The document describes what users may and may not do when using the network. An AUP is useful for businesses and educational institutions that provide Internet access to employees or students: before they are granted access to the network, they must agree to its terms and conditions. Likewise, when you sign up with an Internet service provider, it usually has you accept an AUP that requires you to follow a certain set of stipulations.

Figure 11: AUP.

Why Is an Acceptable Use Policy Important?

If your business provides internet access, then you need an AUP for these reasons:

Preventing Cybersecurity Threats

Businesses and institutions want some control over what takes place on their networks. Limiting what users can browse, download and search for on the Internet is part of keeping a network safe. If a student or employee opens a suspicious attachment or visits an insecure website, they could expose the network to attackers and malware.

Ensure Users are Avoiding Illegal Activity

An AUP can help ensure users are following the law. For instance, an AUP may strictly prohibit
users from pirating music, movies, or other files. It may outline that if a user is violating these
rules, they will be banned from the network. Having users break the law on your network can
become a liability for your business, which is why outlining these prohibited activities in your AUP
is so essential.

Focus on Productivity

Schools may also use an AUP to ensure their students are focusing on classwork rather than
looking up things for fun on the web. Also, when young people are using the internet, schools
need to make parameters to protect children from any inappropriate websites. Businesses can
use it to ensure their employees are working on their tasks rather than browsing social media or
tending to personal communications.

2. Access Control (ACP)


The ACP describes the access that employees have to a business's data and information systems. Access control standards, including the Access Control and Implementation Guides published by NIST, are among the subjects the policy often covers. The policy also covers corporate password complexity, network access restrictions, operating system controls and standards for user access. Procedures for monitoring how corporate systems are accessed and used, how unattended workstations should be secured, and how access is revoked when an employee leaves the company are other items frequently described. IAPP publishes a good example of this kind of policy.
3. Information Security
An organization's information security policy is typically a high-level policy that can cover many different security procedures. The company issues its primary information security policy to make sure that all employees who use IT resources on the organization's networks follow the rules it sets out. Many businesses ask staff to sign this document to confirm that they have read it (often at the same time as the AUP). The policy is intended to make employees aware of the expectations they must meet regarding the sensitivity of business information and IT assets. The State of Illinois publishes a good example of a cybersecurity policy that is available for download.
4. Change Management
A structured procedure for making changes to IT, software development, and security
services/operations is referred to as a change management policy. A change management program
aims to raise organizational knowledge and understanding of proposed changes while ensuring
that all changes are implemented methodically to reduce any negative effects on products and
clients. SANS provides a solid illustration of an IT change management policy that is open for fair
use.
Task 3: Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS
(P3).
1. Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and traffic from external sources (such as the Internet) so that malicious traffic can be blocked before it reaches internal systems.

Figure 12: Firewall.

How does a firewall work?


Firewalls analyze incoming traffic against pre-established rules and filter traffic from unsecured or suspicious sources to prevent attacks. Firewalls guard traffic at a computer's entry points, called ports, where information is exchanged with external devices. A rule might say, for example, "source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22." Think of IP addresses as houses and port numbers as rooms within the house. Only trusted people (source addresses) are allowed to enter the house (destination address) at all; they are then further restricted to certain rooms (destination ports) depending on whether they are the owner, a child or a guest. The owner may enter any room (any port), while children and guests are allowed into a specific set of rooms (specific ports). In most firewalls the rules are evaluated top to bottom and the first match decides, so the order of rules matters as much as their content: a broad "allow" placed above a specific "deny" silently cancels the deny, and a policy whose final default is "allow" rather than "deny" permits everything the rules forgot to mention.
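To make the rule-ordering point concrete, here is an added example (not code from the assignment) of a toy first-match packet filter in Python. It starts from the page's own rule (172.18.1.1 may reach 172.18.2.1 over port 22), adds the rules an administrator would put around it, and then shows what happens when a broad "temporary" allow is inserted at the top of the policy. The `Rule` and `Packet` types, the two sample policies and the `shadowed_rules` check are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a first-match packet filter to show how rule order and the
# default action change what a policy really permits. Constructed for this
# page; not code from the assignment or any real firewall.


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR; "0.0.0.0/0" means any destination
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        ipaddress.ip_address(pkt.src) in _net(rule.src)
        and ipaddress.ip_address(pkt.dst) in _net(rule.dst)
        and rule.proto in ("any", pkt.proto)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(policy: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation, as most packet filters do it: the first rule
    that matches decides; if none matches, the policy default applies.
    Returns (action, index of the deciding rule, or None for the default)."""
    for i, rule in enumerate(policy):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


def subsumes(a: Rule, b: Rule) -> bool:
    """True if every packet b could match is already matched by a."""
    return (
        _net(b.src).subnet_of(_net(a.src))
        and _net(b.dst).subnet_of(_net(a.dst))
        and a.proto in ("any", b.proto)
        and a.dport in (None, b.dport)
    )


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches everything they would. Checks full subsumption only; partial
    overlaps (the other classic ordering bug) are not reported here."""
    return [i for i, later in enumerate(policy)
            if any(subsumes(earlier, later) for earlier in policy[:i])]


# The text's own example rule plus the rules around it: only 172.18.1.1 may
# reach 172.18.2.1 over SSH (tcp/22), nobody else may, and the client subnet
# may reach the server subnet over HTTPS (tcp/443). Default: deny.
INTENDED_POLICY = [
    Rule("allow", "172.18.1.1/32", "172.18.2.1/32", "tcp", 22),
    Rule("deny", "0.0.0.0/0", "172.18.2.1/32", "tcp", 22),
    Rule("allow", "172.18.1.0/24", "172.18.2.0/24", "tcp", 443),
]

# The same policy after a "temporary" troubleshooting rule was inserted at
# the top. It matches everything bound for the server subnet, so every rule
# below it is dead and the SSH restriction no longer exists.
MISCONFIGURED_POLICY = [Rule("allow", "0.0.0.0/0", "172.18.2.0/24", "any", None)] + INTENDED_POLICY


if __name__ == "__main__":
    ssh_from_stranger = Packet("10.0.0.5", "172.18.2.1", "tcp", 22)
    print("intended:     ", evaluate(INTENDED_POLICY, ssh_from_stranger))
    print("misconfigured:", evaluate(MISCONFIGURED_POLICY, ssh_from_stranger))
    print("dead rules:   ", shadowed_rules(MISCONFIGURED_POLICY))
```

Running `shadowed_rules` over a real export of a rule base is a cheap way to find this class of mistake before an attacker does; the same evaluator with `default="allow"` shows the other failure mode, where traffic nobody wrote a rule for is let through.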
Type of firewalls:
• Next-generation firewalls (NGFW) combine traditional firewall technology with additional functionality such as encrypted traffic inspection, intrusion prevention, antivirus and more. Most notably, they include deep packet inspection (DPI): where a basic firewall looks only at packet headers, DPI examines the data within the packet, allowing packets carrying malicious content to be identified, categorised or blocked.
• Proxy firewalls filter network traffic at the application level. Unlike a basic firewall, the proxy acts as an intermediary between the two end systems: the client sends its request to the firewall, which evaluates it against the security rules and then permits or blocks it. Proxy firewalls monitor layer 7 protocols such as HTTP and FTP and use both stateful and deep packet inspection to detect malicious traffic.
• Network address translation (NAT) firewalls allow multiple devices with their own private addresses to connect to the Internet through a single public IP address, keeping the individual addresses hidden. Attackers scanning from outside see only the shared address and cannot map the internal hosts directly, which reduces the exposed attack surface. NAT firewalls resemble proxy firewalls in that they sit between a group of computers and outside traffic.
• Stateful multilayer inspection (SMLI) firewalls filter packets at the network, transport and application layers, comparing them against known trusted packets. Like NGFWs, SMLI firewalls examine the entire packet and allow it through only if it passes at each layer. They track the state of each connection (hence the name) so that only traffic belonging to a connection initiated with a trusted party is allowed.
2. Intrusion Detection System (IDS)
An intrusion detection system (IDS) observes network traffic for malicious activity or policy violations and raises an alert when it sees one. It is software (or an appliance) that checks a network or system for malicious activity, including activity by insiders. Each suspected intrusion or violation is usually recorded centrally, often in a SIEM system, or reported to an administrator. Note that an IDS detects and alerts; it does not itself block traffic, which is the role of an intrusion prevention system (IPS) or firewall. Conceptually, the detection task is to build a predictive model (a classifier) that can distinguish "bad" connections (intrusions or attacks) from "good" (normal) connections.

Figure 13: IDS Diagram.

How does an IDS work?


• An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect
any suspicious activity.

• It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.
• The IDS compares the network activity to a set of predefined rules and patterns to identify
any activity that might indicate an attack or intrusion.
• If the IDS detects something that matches one of these rules or patterns, it sends an alert
to the system administrator.
• The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.
Benefits of IDS:
• Detects malicious activity: an IDS can spot suspicious activity and alert the administrator before significant damage is done.
• Visibility into the network: the traffic an IDS records can also reveal misconfigurations and performance problems that would otherwise go unnoticed.
• Compliance requirements: an IDS helps meet compliance obligations by monitoring network activity and generating reports.
• Provides insights: IDS alerts and logs give valuable insight into network traffic, which can be used to identify weaknesses and improve network security.
Detection Method of IDS:
• Signature-based Method: A signature-based IDS detects attacks on the basis of specific
patterns in the network traffic, such as the number of bytes or the number of 1s or 0s in a
packet. It also detects attacks on the basis of already known malicious instruction
sequences used by malware. The patterns the IDS looks for are known as signatures. A
signature-based IDS can easily detect attacks whose pattern (signature) already exists in
the system, but it is quite difficult for it to detect new malware attacks, because their
pattern (signature) is not yet known.
• Anomaly-based Method: Anomaly-based IDS was introduced to detect unknown malware
attacks, as new malware is developed rapidly. An anomaly-based IDS uses machine learning
to build a model of trustworthy activity; everything that arrives is compared with that
model and is declared suspicious if it does not fit the model. The machine learning-based
method generalizes better than a signature-based IDS, because these models can be
trained according to the applications and hardware configurations.
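The two detection methods side by side, as an added example that is not part of the assignment: a toy IDS run over constructed connection records, where the signature rules and the "normal activity" baseline are both hypothetical.

```python
"""Added example (not part of the assignment): a toy IDS that applies the two
detection methods described above to constructed connection records."""
from statistics import mean, pstdev

# Constructed records: (source IP, destination port, payload bytes).
# BASELINE is the 'normal activity' the anomaly detector learns from.
BASELINE = [
    ("10.0.0.5", 443, b"GET /index.html HTTP/1.1"),
    ("10.0.0.7", 22, b"SSH-2.0-OpenSSH_9.0"),
    ("10.0.0.9", 80, b"GET /about.html HTTP/1.1"),
    ("10.0.0.9", 443, b"GET /login HTTP/1.1"),
]
# OBSERVED contains one request matching a known signature and one host
# sweeping 40 ports, which matches no signature at all.
OBSERVED = [
    ("10.0.0.5", 443, b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", 80, b"GET /?q=1' OR '1'='1 HTTP/1.1"),
] + [("10.0.0.42", port, b"") for port in range(1000, 1040)]

# Hypothetical signature rules: name -> byte sequence that must appear in the payload.
SIGNATURES = {
    "sqli-tautology": b"' OR '1'='1",
    "shell-probe": b"/bin/sh",
}


def signature_alerts(traffic):
    """Signature-based method: alert on any payload containing a known
    pattern. Traffic that matches no stored signature is never reported."""
    return [(src, name)
            for src, _port, payload in traffic
            for name, pattern in SIGNATURES.items()
            if pattern in payload]


def port_profile(traffic):
    """Number of distinct destination ports contacted by each source host."""
    ports = {}
    for src, port, _payload in traffic:
        ports.setdefault(src, set()).add(port)
    return {src: len(seen) for src, seen in ports.items()}


def anomaly_alerts(observed, baseline=BASELINE, threshold=3.0):
    """Anomaly-based method: the baseline profile is the trained model of
    trusted activity; a host whose port count lies more than `threshold`
    standard deviations above the baseline mean is declared suspicious."""
    counts = list(port_profile(baseline).values())
    mu, sigma = mean(counts), pstdev(counts) or 1.0  # avoid dividing by zero
    return sorted(src for src, n in port_profile(observed).items()
                  if (n - mu) / sigma > threshold)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(OBSERVED))  # only the SQLi probe
    print("anomaly alerts:  ", anomaly_alerts(OBSERVED))    # only the port sweep
```

Each method misses what the other catches: the port sweep has no signature, and the single injection probe does not change the sweeping host's statistics.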
3. Firewall threat-risk
3.1. Insider Attacks
An external network assault is one that a perimeter firewall is designed to thwart. What
occurs, then, if the attack originates from within? Since the attacker is already on your
system, the perimeter firewall usually becomes useless. Firewalls can still be helpful, even
if an attack comes from within your network, IF you also have internal firewalls in addition
to perimeter firewalls. Internal firewalls aid in segmenting specific network assets so that
attackers must exert more effort to move from one system to another. By doing this, you
give yourself additional time to react to the attack while also extending the attacker's
breakout time.
3.2. Missed Security Patches
When network firewall software isn't correctly handled, this problem occurs. Attackers can
take advantage of flaws in any software program; firewall programs are no different from
other software in this regard. When firewall providers find these flaws, they often work to
quickly develop a patch to address the issue. The firewall application at your firm won't
automatically receive the patch just because it exists. The vulnerability is still present and
ready for exploitation by an arbitrary attacker up until the point at which that firewall
software fix is actually applied. The best solution to this issue is to establish and adhere to
a rigid patch management schedule. According to such a plan, you (or the person in charge
of your cybersecurity) should regularly check for firewall software security updates and
make sure to immediately install any that are available.
3.3. Configuration Mistakes
Even if a firewall is installed on your network and has all the most recent vulnerability fixes
installed, conflicts in the firewall's configuration settings might still arise and lead to issues.
In certain circumstances, this can result in a decrease in network speed for your business,
while in others, a firewall may completely stop offering security. For instance, enabling
dynamic routing was once thought to be a negative choice because it leads to a loss of
control and lowers security. However, some businesses leave it on, leaving a gap in their
firewall defense. The key to the main gate is hidden in a hide-a-key directly close to the
entry if your firewall is badly configured; this only makes things easier for attackers while
wasting time, money, and effort on your "security" measure.
3.4. A Lack of Deep Packet Inspection
Next-generation firewalls use the stringent Layer 7 (also known as "deep packet") inspection
mode to approve or refuse a packet's travel to or from a system. A less sophisticated firewall
that only checks a data packet's place of origin and destination before allowing or rejecting
a request can be bypassed easily, because an attacker can spoof that information. Using a
firewall that can do deep packet inspection to scan packets for known malware can be the best
solution for this issue.
3.5. DDoS Attacks
Attacks using distributed denial of service (DDoS) are common and are known for being very
efficient and relatively inexpensive to carry out. The primary objective is to deplete a
defender's resources and bring about a shutdown or extended inability to provide services.
Protocol attacks are a type of attack that aim to exhaust the resources of load balancers
and firewalls in order to prevent them from processing legal traffic. Firewalls can reduce
some DDoS attacks; however, protocol attacks can still cause them to get overwhelmed.
There is no quick answer for DDoS attacks because there are several attack tactics that can
take advantage of various network architectural flaws in your firm.

Figure 14: DDoS Attack.

Some cybersecurity service providers provide "scrubbing" services, in which they redirect
incoming traffic away from your network and separate the DDoS activity from the traffic
that is actually trying to get access to your system. Then, your network receives this legitimate
traffic so you may carry on with your regular business. Firewalls by themselves are unable
to shield your network from all attacks. However, they might be a crucial component of a
more comprehensive cybersecurity plan to protect your company.
Task 4: Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can
improve Network Security (P4)
1. DMZ (Demilitarized zone).

A DMZ, or demilitarized zone, is a physical or logical subnet that separates a local area network
(LAN) from other untrusted networks -- usually, the public internet. DMZs are also known as
perimeter networks or screened subnetworks. Any service provided to users on the public internet
should be placed in the DMZ network. External-facing servers, resources and services are usually
located there. Some of the most common of these services include web, email, domain name
system, File Transfer Protocol and proxy servers. Servers and resources in the DMZ are accessible
from the internet, but the rest of the internal LAN remains unreachable. This approach provides an
additional layer of security to the LAN as it restricts a hacker's ability to directly access internal
servers and data from the internet.

Figure 15: DMZ.

How do DMZs work?


Figure 16: How DMZs work?

If better-prepared threat actors pass through the first firewall, they must then gain unauthorized
access to the services in the DMZ before they can do any damage. Those systems are likely to be
hardened against such attacks.

Finally, assuming well-resourced threat actors take over a system hosted in the DMZ, they must
still break through the internal firewall before they can reach sensitive enterprise resources.
Determined attackers can breach even the most secure DMZ architecture. However, a DMZ under
attack will set off alarms, giving security professionals enough warning to avert a full breach of
their organization.
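The two-firewall model described above as a policy check, added here as an example that is not part of the assignment; the zones, the address plan (RFC 1918 and documentation ranges) and the rules are constructed, and return traffic is assumed to be handled by connection tracking.

```python
"""Added example (not part of the assignment): a toy two-firewall DMZ policy.
The zones, address plan and rules are constructed for illustration."""
import ipaddress

# Constructed address plan: internal LAN, DMZ subnet, everything else = internet.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}

# Allow rules as (source zone, destination zone, permitted destination ports);
# None means any port. Anything not listed is denied by both firewalls.
ALLOW = [
    ("internet", "dmz", {80, 443}),      # outer firewall: public web tier only
    ("dmz", "internal", {5432}),         # inner firewall: web tier -> database only
    ("internal", "dmz", {22, 443}),      # admins manage the DMZ hosts
    ("internal", "internet", None),      # outbound browsing from the LAN
]


def zone_of(ip):
    """Most specific zone containing ip; 'internet' is the catch-all."""
    addr = ipaddress.ip_address(ip)
    best = "internet"
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


def decide(src_ip, dst_ip, dst_port):
    """Return ('allow' | 'deny', reason) for a new connection. No rule lets
    internet -> internal through: the DMZ hosts are the only thing an outside
    attacker can reach, and even a compromised DMZ host can only open the one
    port the inner firewall permits."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return ("allow", f"intra-zone {src_zone}")
    for s, d, ports in ALLOW:
        if (src_zone, dst_zone) == (s, d) and (ports is None or dst_port in ports):
            return ("allow", f"{src_zone}->{dst_zone}:{dst_port} permitted")
    return ("deny", f"{src_zone}->{dst_zone}:{dst_port} blocked (default deny)")


if __name__ == "__main__":
    print(decide("203.0.113.7", "192.168.100.10", 443))  # internet -> DMZ web: allow
    print(decide("203.0.113.7", "10.10.1.5", 445))       # internet -> LAN: deny
    print(decide("192.168.100.10", "10.10.2.20", 22))    # DMZ -> LAN SSH: deny
```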

Why are DMZs important?

DMZs provide a level of network segmentation that helps protect internal corporate networks.
These subnetworks restrict remote access to internal servers and resources, making it difficult for
attackers to access the internal network. This strategy is useful for both individual use and large
organizations. Businesses place applications and servers that are exposed to the internet in a DMZ,
separating them from the internal network. The DMZ isolates these resources so, if they are
compromised, the attack is unlikely to cause exposure, damage or loss.

What are the benefits of using a DMZ?

The primary benefit of a DMZ is that it offers users from the public internet access to certain secure
services, while maintaining a buffer between those users and the private internal network. There
are several security benefits from this buffer, including the following:

• Access control. A DMZ network provides access control to services outside an organization's
network perimeters that are accessed from the internet. It simultaneously introduces a
level of network segmentation that increases the number of obstacles a user must bypass
before gaining access to an organization's private network. In some cases, a DMZ includes
a proxy server, which centralizes the flow of internal -- usually, employee -- internet traffic
and makes recording and monitoring that traffic simpler.
• Network reconnaissance prevention. A DMZ also prevents an attacker from being able to
scope out potential targets within the network. Even if a system within the DMZ is
compromised, the internal firewall still protects the private network, separating it from the
DMZ. This setup makes external active reconnaissance more difficult. Although the servers
in the DMZ are publicly exposed, they are backed by another layer of protection. The public
face of the DMZ keeps attackers from seeing the contents of the internal private network.
If attackers do manage to compromise the servers within the DMZ, they are still isolated
from the private network by the DMZ's internal barrier.
• Protection against Internet Protocol (IP) spoofing. In some cases, attackers attempt to
bypass access control restrictions by spoofing an authorized IP address to impersonate
another device on the network. A DMZ can stall potential IP spoofers, while another service
on the network verifies the IP address's legitimacy by testing whether it is reachable.

What are DMZs used for?

DMZ networks have been an important part of enterprise network security for almost as long as
firewalls have been in use. They are deployed for similar reasons: to protect sensitive
organizational systems and resources. DMZ networks are often used for the following:

• Isolate and keep potential target systems separate from internal networks.
• Reduce and control access to those systems by external users.
• Host corporate resources to make some of them available to authorized external users.

More recently, enterprises have opted to use virtual machines or containers to isolate parts of
the network or specific applications from the rest of the corporate environment. Cloud
technologies have largely removed the need for many organizations to have in-house web
servers. Much of the external-facing infrastructure once located in the enterprise DMZ has
migrated to the cloud, such as software-as-a-service apps.

2. Static IP

A static IP address is an IP address that doesn’t change over time. IP (internet protocol) addresses
are numerical signifiers that allow data packets to be sent and received from our networks and
devices. Most IP addresses are dynamic, which means that they change occasionally. A static IP,
on the other hand, is always the same sequence of numbers.

A static IP address might be IPv4 or IPv6; in this situation, however, "static" is the key
word. One day, every piece of our networked equipment may have a distinct static IPv6 address,
but we haven't arrived there yet. As of right now, permanent addresses are usually static IPv4
addresses.

Figure 17: Static IP Address.

Why would you use a static IP address?

Static IP addresses can serve a number of useful functions.

• Remote access solutions. The most common use case for a static IP address involves
remote access systems, like VPNs. A company can make access to its resources and
databases dependent upon the user having a specific IP address. Users can then use a VPN
application on their device to connect to a company server with a static IP address (the
address needed for privileged access), and this will allow them to connect to and use
company files and networks.
• Server hosting. If you’re setting up and hosting a server, using a static IP address can make
it easier for devices to find and quickly connect to it.
• Faster data transfer from your internet gateway. If you set a device to use a static private
IP address, data can be sent from your internet gateway (usually a router or modem) to
that device a little faster. The boost to your speed will be minimal, however. Similarly,
once each computer is configured to connect to a printer that has a static private IP
address, those connections will last forever.

Advantages of static IP addresses

The main advantage of using static IP addresses relates to remote access solutions, as we
discussed above. Being able to create an allowlist of permissioned IP addresses, which are then
set as the static IP addresses on company gateways or VPN servers, is a good way to enhance
company security. However, it is worth remembering that having a dedicated IP address has few
advantages for individual internet users. Most of the time, using dynamic IP addresses on your
device or your router will work fine for your daily needs.
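The allowlist of static addresses on a VPN gateway, as an added example that is not part of the assignment; the gateway, the allowlisted networks and the connection attempts are all constructed (documentation address ranges), and the check is deny-by-default so that a client on a dynamic, unknown address is rejected and logged.

```python
"""Added example (not part of the assignment): a deny-by-default allowlist for a
VPN gateway, where each office or admin has a known static address.
The allowlist and the client addresses are constructed."""
import ipaddress
import logging

log = logging.getLogger("vpn-gateway")

# Constructed allowlist: the static public addresses the company controls.
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "203.0.113.10/32",        # head office static IPv4
    "198.51.100.0/29",        # branch office block of static addresses
    "2001:db8:1234::/48",     # office static IPv6 prefix
)]


def is_allowed(client_ip):
    """True if client_ip falls inside any allowlisted network.
    Unparseable addresses are denied rather than raising, so a malformed
    header can never fail open; every denial is logged for review."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        log.warning("rejected unparseable client address %r", client_ip)
        return False
    if any(addr in net for net in ALLOWLIST):  # version mismatch is simply False
        return True
    log.warning("denied VPN connection from non-allowlisted address %s", addr)
    return False


def filter_connections(attempts):
    """Split connection attempts into (accepted, denied) lists."""
    accepted = [ip for ip in attempts if is_allowed(ip)]
    denied = [ip for ip in attempts if ip not in accepted]
    return accepted, denied


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed attempts: two static office addresses and one dynamic home address.
    print(filter_connections(["203.0.113.10", "198.51.100.5", "192.0.2.77"]))
```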

Disadvantages of static IP addresses

There are no major disadvantages to having a static IP address. Having a static IP could, in theory,
make it easier for hackers to target you, assuming they are able to find out what your IP address
is. However, the dynamic IP on your router already changes so infrequently that the risk factor is
not massively increased by using a static IP address. The main disadvantage of a static IP is simply
that it offers so few advantages to most everyday internet users. Unless you’re running a server,
for example, you can probably stick with a dynamic IP address for now.

How can static IP improve network security?

A Static IP address will always provide a higher level of protection. An additional degree of
security built into static IP addresses ensures that the majority of security issues are avoided.

3. NAT
Network Address Translation (NAT) is a process in which one or more local IP addresses are
translated into one or more global IP addresses, and vice versa, in order to provide Internet
access to the local hosts. It also translates port numbers, i.e., it masks the port number of
the host with another port number in the packet that will be routed to the destination. It then
makes the corresponding entries of IP address and port number in the NAT table. NAT generally
operates on a router or firewall.

Figure 18: Network Address Translation

Network Address Translation (NAT) working – Generally, the border router is configured for NAT,
i.e., the router which has one interface in the local (inside) network and one interface in the
global (outside) network. When a packet traverses outside the local (inside) network, NAT
converts that local (private) IP address to a global (public) IP address. When a packet enters the
local network, the global (public) IP address is converted to a local (private) IP address. If NAT
runs out of addresses, i.e., no address is left in the configured pool, then the packets will be
dropped and an Internet Control Message Protocol (ICMP) host unreachable packet is sent to the
destination.
Why mask port numbers?

Suppose two hosts A and B are connected in a network, and both send a request to the same
destination using the same source port number, say 1000, at the same time. If NAT only
translated IP addresses, then when their packets arrived at the NAT, both source IP addresses
would be replaced by the public IP address of the network and the packets sent on to the
destination. The destination would send its replies to the public IP address of the router. On
receiving a reply, NAT could not tell which reply belongs to which host, because the source port
numbers for both A and B are the same. To avoid this problem, NAT masks the source port number
as well and makes an entry in the NAT table.

Network Address Translation (NAT) Types – There are 3 ways to configure NAT:
• Static NAT – In this, a single unregistered (Private) IP address is mapped with a legally
registered (Public) IP address i.e. one-to-one mapping between local and global addresses.
This is generally used for Web hosting. These are not used in organizations as there are
many devices that will need Internet access and to provide Internet access, a public IP
address is needed. Suppose, if there are 3000 devices that need access to the Internet, the
organization has to buy 3000 public addresses that will be very costly.
• Dynamic NAT – In this type of NAT, an unregistered IP address is translated into a
registered (Public) IP address from a pool of public IP addresses. If no IP address in the
pool is free, then the packet will be dropped, as only a fixed number of private IP
addresses can be translated to public addresses at once. Suppose there is a pool of 2 public
IP addresses; then only 2 private IP addresses can be translated at a given time, and if a
3rd private IP address wants to access the Internet, its packet will be dropped. In dynamic
NAT, many private IP addresses are mapped to a pool of public IP addresses. Dynamic NAT is
used when the number of users who want to access the Internet is fixed. This is also very
costly as the organization has to buy many global IP addresses to make a pool.
• Port Address Translation (PAT) – This is also known as NAT overload. In this, many local
(private) IP addresses can be translated to a single registered IP address. Port numbers are
used to distinguish the traffic i.e., which traffic belongs to which IP address. This is most
frequently used as it is cost-effective as thousands of users can be connected to the
Internet by using only one real global (public) IP address.

Advantages of NAT –

• NAT conserves legally registered IP addresses.
• It provides privacy as the device's IP address, sending and receiving the traffic, will be
hidden.
• Eliminates address renumbering when a network evolves.

Disadvantages of NAT –

• Translation results in switching path delays.
• Certain applications will not function while NAT is enabled.
• Complicates tunneling protocols such as IPsec.
• Also, the router, being a network layer device, should not tamper with port numbers
(transport layer), but it has to do so because of NAT.
How can NAT improve network security?
1. If NAT is enabled on your network, your local IP address (also known as your private IP address)
is masked.
2. This implies that it is difficult for anybody from the outside to determine which IP address
is connected to your PC or local-side machine.
3. When attackers attempt to target your PC from the outside world, this masking helps protect
the network.
4. If your network is configured to use NAT, they cannot determine your machine's IP address;
they can only view the public IP address. Network address translation hides the private IP
address.
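The port masking described under "Why mask port numbers?" and the hiding of private addresses described just above, as one added example that is not part of the assignment: a toy PAT (NAT overload) table with constructed hosts, ports and documentation-range addresses.

```python
"""Added example (not part of the assignment): a toy PAT (NAT overload) table.
It shows why source ports must be rewritten and why inbound packets with no
table entry are dropped. All addresses and ports are constructed."""

PUBLIC_IP = "203.0.113.1"  # the router's single registered (public) address


class PatTable:
    """Maps (private host, port, destination) to a unique public port."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (public port, remote_ip, remote_port) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet to PUBLIC_IP and a unique public port,
        creating the table entry on first sight of the flow."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[flow] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (PUBLIC_IP, self.outbound[flow], dst_ip, dst_port)

    def translate_in(self, remote_ip, remote_port, public_port):
        """Map an inbound packet back to (private ip, private port). Returns None
        when no entry exists, so the packet is dropped: an outside host cannot
        reach an internal machine it has not already been talking to."""
        return self.inbound.get((public_port, remote_ip, remote_port))


if __name__ == "__main__":
    table = PatTable()
    # Hosts A and B both use source port 1000 to the same destination at once.
    a = table.translate_out("10.0.0.2", 1000, "198.51.100.7", 443)
    b = table.translate_out("10.0.0.3", 1000, "198.51.100.7", 443)
    print(a, b)  # same public IP, different public ports
    print(table.translate_in("198.51.100.7", 443, a[1]))  # reply reaches A
    print(table.translate_in("198.51.100.7", 443, b[1]))  # reply reaches B
    print(table.translate_in("192.0.2.99", 12345, 22))    # unsolicited: None
```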

References
1. Anon (2018) How internal threats occur, KnowItAllNinja, [online] Available at:
https://www.knowitallninja.com/lessons/how-internal-threats-occur/ (Accessed April 5, 2023).
2. Anon (n.d.) Application attacks: Web application attacks, Web, [online] Available at:
https://www.contrastsecurity.com/glossary/application-attacks (Accessed April 5, 2023).
3. Anon (n.d.) What is spyware? definition of spyware, spyware meaning, The Economic Times,
[online] Available at: https://economictimes.indiatimes.com/definition/spyware (Accessed April
5, 2023).
4. Anon (2023) Intrusion detection system (IDS), GeeksforGeeks, [online] Available at:
https://www.geeksforgeeks.org/intrusion-detection-system-ids/ (Accessed April 14, 2023).
5. Anon (n.d.) What is trojan? definition of trojan, trojan meaning, The Economic Times, [online]
Available at: https://economictimes.indiatimes.com/definition/trojan (Accessed April 5, 2023).
6. Touhid (2021) Common types of security threats to organizations, Cyber Threat & Security Portal,
[online] Available at: https://cyberthreatportal.com/types-of-security-threats-to-organizations/
(Accessed April 5, 2023).
7. Lutkevich, B. (2021) What is a DMZ in networking? Security, TechTarget, [online] Available at:
https://www.techtarget.com/searchsecurity/definition/DMZ (Accessed April 12, 2023).
8. Admin (2021) Advantages and disadvantages of a static IP explained, Tech Guide, [online]
Available at: https://www.techguide.com.au/news/internet-news/advantages-disadvantages-
static-ip-explained/ (Accessed April 12, 2023).
9. Anon (n.d.) Acceptable use policy, What Is It? A Helpful Guide, [online] Available at:
https://www.contractscounsel.com/t/us/acceptable-use-policy (Accessed April 12, 2023).
10. Anon (2022) What is a Firewall?, Forcepoint, [online] Available at:
https://www.forcepoint.com/cyber-edu/firewall (Accessed April 14, 2023).
