PORTFOLIO

Student Version

ICTNWK546
Manage network security
C ONT ENTS
Section 1: Security design preparation 4
Section 2: Security design and policy 10
Student name: Nilesh Nischal Prasad

Assessor:

Date:

Business this assessment is

based on:

ICTNWK546 Manage network security | 3

Section 1: Security design preparation

Network security Planning

planning
-The overall goal is to create an optimum security system
Provide an outline of the
processes you will use
for the network. This will involve discussion of the hardware,
to plan, build and software, firewalls and security devices that needs to be
manage a network purchased as per the company budget.
security design to meet
the organisation’s - router
requirements.
- switches

- servers

- CCTV

- firewall

- cabling

-Server racks

- Switch Racks

- ISP routers

- Screen console – KPM switches

-PC’S

- UPS

- Software licenses

- Windows operating system and license

- Antivirus

- Printers

Building

In the building phase, network administrators and security

specialist use he available hardware and software to
create the security system as set out in the security design.
In building phase, network administrator and security
specialist use the available hardware and software to
create the security system as per security planning and
design. The administrators will also develop, test and
deploy security templates and policies.

ICTNWK546 Manage network security | 4

 Security policy includes:

- User identification and password – strong password

policy including letter, numbers and symbol
- Threat Data policy – name of the administrator that will
have access to database.
- Security policy – computer should not be left long
period of time. Enforce security policies to the PC is
locked if not in use for the period of time.
- IT equipment should not be removed from the premises

Managing

After the security design has been implemented, the

administrator is responsible for managing the design to
ensure it provides the security envisioned by the security
design. The network administrator will ensure that the
policy implemented is working properly. If there is issues
with the policy, it will be reported to the specialist and
rectified.

ICT assets Aseets Value

Provide an overview of
the organisation’s Data and Information High Value – critical data
assets that need and required by the
protecting. Remember organisation
assets are not just
physical assets.
Computers High Value- computer and
Categorise each of the servers are expensive
assets in terms of their
equipment and requires to
value. The value does
not need to be a be fully operational for the
monetary value but network / IT LAN to
instead can be based on function.
the value to the
organisation e.g., high, Routers Medium Value – router is
medium, low, etc.
required for LAN to
operational. This can be
replaced by 3rd party
vendor under SLA
agreement.

Bridges Medium Value – Bridges is

required for LAN to be
operational. This can be
replaced by 3rd party

ICTNWK546 Manage network security | 5

 vendor under SLA
agreement.

Printer Low value – printers can be

replaced with new one at
cheaper cost.

Threat modelling Malware – Malicious software, program or code that is

Describe at least three harmful to systems
major threats to network
security that can happen
- Computer slows down
to any organisation, as - Your system crashes
well as where these
threats originate from. - Loss of disk space
For each threat, - Your screen is inundated with annoying ads
describe a system
vulnerability that may - There is weird increase in your systems Internet activity
have led to the threat.
- Your browser settings change

- You lose access to your files or your entire computer

Types of Malware

- Adware – unwanted software designed to throw

advertisements up on your screen.

- Spyware – secretly observes the computer user activity

- Virus – attaches to another program

- Randsomeware attack – that locks out you from PC

and requires to pay a randsome to regain access

- Trojan horse

ICTNWK546 Manage network security | 6

Phishing

Phishing is a type of social engineering attack often used

to steal user data, including login credentials and credit
card numbers. It occurs when an attacker, masquerading
as a trusted entity, dupes a victim into opening an email,
instant message, or text message. The recipient is then
tricked into clicking a malicious link, which can lead to the
installation of malware, the freezing of the system as part
of a ransomware attack or the revealing of sensitive
information.

SQL Injection

- SQL (Level – physical (data is extracted, logical

(Processing) and view level.

- SQL injection – Denied your access to database,

malicious information

- SQL Injection refers to the vulnerability that allows

cybercriminals to exploit SQL code in order to
manipulate RDBMS procedure that reply on SQL.

Type of SQL Injection

- Hidden data retrieval. Change the SQL query such that

it can access hidden database entities.

- Logic subversion – Manipulating application logic or

using query to interfere with the expected use of
application.

Signs of SQL Injection

- Large volume of queries with unexpected structure

- Frequent redirects, ads and popups linked to your

website.

- Access request to database metadata and structure

information

- Requests about the structure of dynamic SQL queries

- Unexpected behaviour of the application.

ICTNWK546 Manage network security | 7

 IP address spoofing

- IP spoofing is the creation of internet protocol packets

which have a modified source address in order to
either hide the identity of the sender. IP Spoofing is
analogous to an attacker sending a package to
someone with the wrong return address listed.

Risk management plan Threats Level of Risk Risk Control

For each of the threats
you have identified, Malware Likely -Antivirus software
identify the level of risk Significant
that the threat presents
(use a risk legend to do Phishing Significant -Install Phishing
this). prevention tool or
Rank the threats in hardware to detect
order of severity from and block phishing
least severe to most emails and train end
severe. users not to open
Outline a risk control any links that is not
relevant to each threat. business related.
Use the table included
- Strong Password
in the Portfolio to SQL injection Likely
parameters
develop your plan. Significant
- Third-party
authentication.
- Web application
firewall.
- Always update
and use patches.
-Continuously
monitor SQL
statements and
database.

IP address Spoofing Medium - Install firewall on

network

ICTNWK546 Manage network security | 8

 - Use VPN

- Visit secure sites

that uses https
protocol

- Install Antivirus
software with
firewall protection
enabled

IT Risk register - Refer end of this document

Presentation LAN Network Diagram – Refer end of this document

Write the title of your
presentation here and
attach it to your
Portfolio.

Attach:
Presentation ☒

ICTNWK546 Manage network security | 9

Section 2: Security design and policy

Network security design Configure Firewall – Refer end of this document

Provide an overview of
your design to protect
network security.
Include screenshots to
illustrate your work as
required.
Make sure you take into
account manufacturer’s
recommendations for use
of the tools you will
incorporate into your
design. Write about how
you have done this.
Further, include the costs
of the equipment/software
you have identified and
document them here.

Security policies IT Security Policy – Refer end of this document

Develop and document
security policies to
accompany your network
security design.
Your security policy must
include as a minimum:

 Purpose of the policy.

 Key procedures
relevant to maintaining
security e.g., identity
management, threat
management
(including incident
response procedures)
and auditing
procedures.
As a guide your policy
should be 2 – 3 pages.
Write the name of your

ICTNWK546 Manage network security | 10

policy here and attach it
your Portfolio.

Feedback Feedback Template – Refer end of this Document

Write the feedback you
received here and your
response to it.

ICTNWK546 Manage network security | 11

 LAN Network Design

For Melbourne Retail Shop

Requirements for LAN setup
Shop 1

- 2 x Laptops on LAN network

- 1 x Switch
- 1 x 2900 series router
- Cabling

Shop 2
- 2 x Laptops on LAN network
- 1 x Switch
- 1 x 2900 series router
- Cabling
LAN Network Design
SHOP 1
Network Details:

IP Range:
192.168.19.XX
Subnet :
255.255.255.192
Gateway:
192.168.19.1
LAN Network Design
SHOP 1 –Router G0/0 IP Config Details
LAN Network Design
• Shop 1 -Laptop IP Details
LAN Network Design
SHOP 2
Network Details:

IP Range:
192.168.24.XX
Subnet :
255.255.255.0
Gateway:
192.168.24.1
LAN Network Design
SHOP 2 –Router G0/0 IP Config Details
LAN Network Design
• Shop 1 -Laptop IP Details
Shop 1 & 2 Router Connectivity

Network Details:

Shop 1 Router IP
G0/1 – 10.1.0.1

Shop 2 Router IP
G0/1 -10.1.0.2
Router 1 & 2 IP assignment
LAN Network Final Design
Ping From Shop 1 Laptop to Shop 2 Laptop
RIP Routing Setup
• Shop 1 Router
RIP Router Setup – Shop 2
Simulation Result
Simulation Result 1
Simulation Result 3
Simulation Result 4
LAN Network – Setup Firewall Rules
LAPTOP 0 Able to Ping Laptop 1
Setting up Firwall – Deny Ping Services
Between PC 0 TO PC 1
Allow to view IP address
Firewall Successful – Cannot Ping Laptop 0 to
Laptop 1 Failed – Inbound rule is active
Simulation Result
 IT RISK Register
Category Name Probability Impact Mitigation Contigency Risk Score after Mitigation Action by Action When

- Setup polices on network management

system to trigger and
Run cisco packet tracker to shutdown ports that is creating heavy
troubleshoot and fix the traffic on network. Configure network
network slowness issue or Alert and reporting tools to send emails
Performance Risk Network is slow Very High Very High network congestion . to network administrator. Less than 5% Network Administrator 02/08/2023

Randsomeware attack on few

PC's. Remove the PC'S the - Install Licensed Antivirus software and
network and reinstall operating activate firewall on all the PC's and push
system. Run Windows update the update from Antivirus administrator
and also install licensed console. ICT Manager
Operational Risk Malware / Phishing Attack on PC'S Very High Very High Antivirus software. -Push windows SCCM updates to all PC'S 10-20 % Systems Administrator 02/08/2023
-Replace End of life switches
Replace faulty switch and -Monitor switches logs to ensure there is
Technology Risk Switch failed - cannot turn on Medium Medium restore switch configs. no hardware alarms. Less than 5% Network Administrator 02/08/2023
Create a white list of possible inputs,
to ensure the system accepts only pre-
approved inputs.

Check the SQL logs and Fix the - ensure SQL software is fully updated
vulernabilities and review with latest patch
database permission and access
Security Risk SQL Injection High High level. - Use Web application firewall. 10-20 % Database Administrator 02/08/2023
- Prepare Incident Respond Plan
- Train users on downtime procedure
Network is completely down - Print downtime reports from ICT Manager
Strategic Risk - No Incident Respond Plan High High Manual operations activated software 50% Systems Administrator 02/08/2023
IT SECURITY POLICY
The Information Security Policy is designed to protect and preserve the appropriate confidentiality,
integrity, and availability of information and information systems owned by or in the care of the
Company and its subsidiaries, affiliates, and service providers. This Policy identifies and describes
the principles that requires to globally protect company information and company information
assets using industry best practices with a risk-based and business aware approach.

POLICY STATEMENT
Protecting Company information assets is critical to the reputation, operation, and financial well- being of
the organization. Security controls must be in place to protect company information assets, and the business
processes they support, against accidental or intentional unauthorized use, disclosure, transfer,
modification, or destruction. These security controls must meet legislative, regulatory, and compliance
requirements and support companies Vision, Mission, and Values.

Deviations discovered in risk assessments, internal or external audits, or security compliance reviews must be
remediated with timeliness directly proportionate to the risk involved.

A. Information Security Program

The Company must create and maintain a formal Information Security Program that:
• Provides for the confidentiality, integrity, and availability of information assets;
• Protects against anticipated threats or hazards to information assets;
• Protects against unauthorized access to, or use of, information assets;
• Posts the Information Security Policy on the Company Intranet web site, consistent with other Company
policies;
• Disseminates the Information Security Policy, as appropriate, to relevant personnel (e.g., vendors,
business partners);
• Provides awareness training on the Information Security Policy for all new, existing, and temporary Team
Members with access to protected information. All Team Members will receive training upon hire and at
least once annually;
• Ensures the Information Security Policy is reviewed and updated as necessary at least once annually or
as changes to business practices, technologies, or risks occur; and
• Ensures the Information Security Program is reviewed and updated as necessary at least once annually;
• Monitors and enforces compliance with the policy.
 B: Prohibited Activities

Company Team Members must not engage in any activity that is unlawful under local, state, federal, or
international law while utilizing Company-owned resources.

The following activities are considered by the Company, at a minimum, to be categorized as unacceptable use
and are strictly prohibited:
• Introducing or downloading malicious programs onto Company technology resources (e.g., viruses, worms,
Trojan Horses, email bombs, malware);
• Using Company technology resources to advertise or sell products, items, or services for personal gain;
• Breaching or disrupting network communications. Security breaches and disruptions include, but are not
limited to:
• Knowingly accessing information for which the user is not an intended recipient;
• Logging into a server or account that the user is not expressly authorized to access;
• Generating excessive network traffic or causing any type of denial-of-service condition;
• Performing network reconnaissance and analysis activities without authorization (e.g., network sniffing); and
• Introducing malformed or malicious network traffic (e.g., ping floods, packet smooth, forging routing
information);

• Network monitoring, port scanning, or security/ vulnerability scanning, including the ‘testing’ of security
tools on any Company resources without authorization;
• Circumventing user authentication or Company information security controls;
• Installing or circumventing software with the direct or indirect result of avoiding information security
services and restrictions at Company;
• Providing confidential information about or lists of Company guests, clients, service providers, or

C: Prohibited Electronic Communication Activities

The following activities are strictly prohibited when using Company information technology resources:

• Using Company equipment and / or networks for non-business-related activities during working times,
with the exception of incidental and occasional personal messages or Internet usage.
• Transmitting or accessing by email or other form of electronic communication any material that is
profane, obscene, sexually explicit, or offensive
based on any protected characteristic (e.g., sexual comments or images, racial or ethnic slurs, comments
that may be offensive on the basis of an individual’s age, religious or political belief, sex, disability, or any
other status protected by law) or any other such conduct that may violate the law.
• Knowingly downloading or opening attachments from un-trusted, non-Company resources that may contain
viruses and/or malicious programs;
• Unauthorized use or forging of email header information;
• Creating or forwarding chain letters or pyramid schemes of any type;
• Use of unsolicited email originating from within Company networks or other Internet, intranet, or extranet
service providers on behalf of, or to advertise, any service hosted by the Company or connected via the
Company network.
 D: ACCESS MANAGEMENT

A. Approvals
• All access must be approved, in writing or an equivalent electronic form, by an authorized approver prior to
access being granted to a system or information. This approval must be in a form that specifies the user’s
required privileges.
• Access approval documentation must be retained by User Account Administrators.

B. Reviews
• Access to systems and data must be reviewed at least once annually, unless increased frequency is
required to meet legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS,
Sarbanes-Oxley).
• Review documentation must be retained for a minimum of one year.

C. User Accounts
• User accounts must be unique and assigned to a specific individual.
• Generic or shared user accounts must not be created or used.
• User accounts granted system level access must not bypass the required logging and audit trails (e.g.,
requiring Unix root-level access to occur through use of the “su” command)
• User accounts granted system administration privileges must only be used for administration purposes.
Accounts granted administrative-level access privileges must not be used for general use (e.g., reading email,
Internet browsing).
• User accounts temporarily assigned to vendors for maintenance purposes must only be activated as needed
and be disabled when not in use.
• System and service account passwords must be changed from vendor defaults and are subject to the
Access Management Standard.
• User accounts granted to contractors, consultants, and/or temporary employees must automatically expire
after a period of time as defined in the Access Management Standard. Reactivation of the account must be
approved.

D. Access Requests
• Access must be requested using the principle of least privilege, whereby users are assigned only those
permissions consistent with their job title, classification, or function. Permissions are not to be granted
functionality based on a “copy” of another user account with similar job responsibilities.

E. Access Assignments
Access assignment is performed by and the responsibility of Information Technology or an authorized service
provider.
• Permissions must be assigned using a Role Base Access Control (RBAC) model that implements the
principle of least privilege, whereby users are assigned only those permissions consistent with
their job title, classification, or function. Permissions are not to be granted functionality based on a “copy” of
another user account with similar job responsibilities.

F. Access Removals
• Human Resources must immediately notify User Account Administrators responsible for physical access
and logical access of job terminations and job transfers.
• Physical access and logical access to each system, application, or database must be disabled immediately
following a job termination or job transfer notification.
 G. Authentication and Passwords
Authentication and Password systems are implemented by and the responsibility of Information Technology or
an authorized service provider. Any other authentication or password systems used in the Company
environment must be pre-approved
by Information Technology and compliant with the Information Security Policy.
• Access control systems must require both a user account as well as at least one other method to
authenticate the user (e.g., password, token).
• Passwords must be securely delivered to any user and kept secured at all times.
• Passwords must change upon initial logon, system permitting, by the user and subsequently changed every
90 days.
• After six unsuccessful password attempts, the device (not including mobile phones or tablets) must be made
unavailable to the user via account locking, keyboard locking, and/or screen blanking for at least 30 minutes or
until an administrator unlocks the user’s account.
• After ten unsuccessful password attempts, iPhone, iPad, and Android devices will be disabled.
• Sharing of passwords to individual user accounts is prohibited.
• Passwords must comply with the following rules and contain:
• a minimum of seven characters;
• alpha-numeric characters;
• a minimum of one special character (e.g., !, #, $, %) (system permitting); and
• upper and lower case letters (system permitting).
• Passwords for mobile phones and tablets must comply with the following rules and contain:
• a minimum of five characters.
• Passwords must not:
• repeat any of the four most recently used passwords;
• use standalone words from a dictionary, the movies, or geographical locations;
• use month, day, year combinations (e.g., Jan07, 07Jan13, Jan2013); and
• contain proper names (e.g., oneself, family, friends, colleagues, vendors).
• A user’s identity must be positively verified before a request to reset the user’s password is performed.
• Sharing of passwords to individual user accounts is prohibited.
 BACKUP AND RESTORATION

A. Backups C. Business Continuity

Backups are performed by and the responsibility of Business process and data owners must define and
Information Technology or an authorized service are responsible for maintaining a risk-based business
provider, as well as authorized Team Members at the continuity plan.
properties. • The business continuity plan must be maintained
• Business owners are responsible for identifying to ensure critical business functions are available as
protected information to be backed up and needed.
retention requirements. • The business continuity plan must define recovery
• Company information must be backed up on a timeframes and prioritize resumption of functions
regular basis to ensure recovery point and time as prioritized by the business.
objectives are met. • The business continuity plan must be tested at least
• Backups must be stored in a secured location once annually and maintained by annual reviews,
accessible only to authorized users. unless increased frequency is required in order to
• For data centers and computer rooms, an
meet legal, regulatory, or compliance standards
offsite copy of data must be kept to help
applicable to the Company (e.g., PCI DSS, Sarbanes-
ensure the recoverability of data in the event
Oxley), to ensure that it is up-to-date and effective.
of a physical disaster at the primary
location.
D. Disaster Recovery
• Physical backup media (e.g., backup tapes)
The disaster recovery plan must be maintained by
must be subject to management processes that
Information Technology or its authorized service
include labeling (barcoding), location tracking,
provider to ensure the recovery or continuation of the
and periodic inventory.
technology infrastructure critical to the Company
• Physical backup media must be secured
following a natural or human-induced disaster.
when in transit between Company or non-
Company locations.
• Transmittal records must be retained when
physical backup media is sent offsite or
returned to site.
• A security review of the facility where
physical backup media are stored must be
performed at least annually.
• Laptops must have Company online
backup software installed.

B. Restoration
Restoration of protected information must
be tested semi-annually to ensure the
information is recoverable and complete in
the event of an information loss.

CHANGE MANAGEMENT
B. Independent Third Party Assessments
A. Infrastructure and Applications
Information Technology or an authorized service
provider is responsible for defining and maintaining a
Change Management process.
• All technology infrastructure and application
systems used for production processing of critical
business functions at the Company must employ a
formal change control process.
• The change control process must establish
requirements for documentation of required
activities (e.g., testing), as well as authorizations and
D. Vulnerability Scanning and Penetration Testing
approvals.
• Emergency changes to the Company production
environment must follow an emergency change
control procedure, including changes made to the
Company production environment by third parties.
COMPLIANCE
A. Internal Audits
Internal audits must be performed on a periodic
basis to assess compliance with security policies and
standards. Internal audits must be performed on, but
are not limited to, the following areas: Information
Security, Access Management, Change Management,
Configuration Management, Vulnerability
Management, and Physical Security.
Independent third parties, with the appropriate
expertise, must assess information security
compliance on a periodic basis. Information Security &
Compliance is responsible for managing independent
third party assessments.
C. Risk Assessments
IT risk assessments that identify and evaluate threats
and vulnerabilities must be performed annually and
after a security incident, unless increased frequency
is required to meet legal, regulatory, or compliance
standards applicable to the Company (e.g., PCI DSS,
Sarbanes-Oxley). Information Security & Compliance
is responsible for managing risk assessments.
Vulnerability scans and penetration tests must
be performed, as required by legal, regulatory, or
compliance standards applicable to the Company
(e.g., PCI DSS, Sarbanes-Oxley). Information Security &
Compliance is responsible for managing vulnerability
scanning and penetration testing.
E. Vulnerability Management
Known vulnerabilities must be remediated, or
Information Security & Compliance approved
compensating controls put in place, with timeliness
directly proportionate to the risk involved as required by
legal, regulatory, or compliance standards application to
the Company (e.g., PCI DSS, Sarbanes-Oxley).
F. Human Resources
• A formal security awareness training program
must be implemented. Information Security &
Compliance is responsible for managing an annual
security awareness program.
• Users of Company resources must validate upon
hire and at least once annually that they have taken
the security awareness training.
• Users of Company resources must acknowledge
at least once annually that they have read and
understand the Information Security Policy.

DEVICE MANAGEMENT
A. Inventory
Information Technology or an authorized service
provider is responsible for managing a device
inventory.
• The Company must maintain an inventory of
Company devices authorized for work use on the
Company’s network. The inventory shall include
descriptive characteristics that enable the device to
be uniquely identified.
• The Company must maintain lists of devices
and related technologies, as well as associated
authorization, location, and product lists as required by
specific compliance requirements (e.g., PCI DSS,
Sarbanes-Oxley).
• Inventory and security audits of company devices
must be performed at least once annually and
documented.
• Inventory of systems and applications that store
protected information must be maintained.
B. Physical Security
• All devices must be secured at all times from
unauthorized access.
• Information users must protect laptops, mobile
devices, and removable media that store, process, or
transmit Company information from unauthorized
access. Physical security measures must, at a
minimum, include the following:
• Devices must not be left unattended without
employing adequate safeguards (e.g., cable
locks, restricted access environments, lockable
cabinets);
• When possible, devices must remain under visual
control while traveling. If visual control cannot be
maintained, then necessary safeguards must be
employed to protect the device; and
• Safeguards must be taken to avoid unauthorized
viewing of protected information in public or
common areas.
• Information technology administrators must
protect Company servers and network devices that
store, process, or transmit Company information
from unauthorized access. Physical security
measures must meet minimum standards based on
location type.
• Devices must have physical (e.g., asset tab with
bar code) or logical (e.g., hostname) identifiers that
enable correlation of a device to its owner / primary
contact and purpose.
C. Anti-Virus Protection
Information Technology or an authorized service
provider is responsible for managing the anti-virus
systems.
• Up-to-date anti-virus software must be installed
on all Company or personal devices that store,
process, or transmit Company information and that
are commonly affected by malicious software and
configured according to the Anti-Virus Standard.
Information Technology or an authorized service
provider is responsible for implementing anti-virus
software on devices.
• Anti-virus software log generation must be enabled
and logs must be retained.
• Anti-virus software must not be disabled on any
device without prior authorization from Information
Security & Compliance.
D. Configuration Standards
• All Company or personal devices that store RESPONSE
Company information must meet Company
Configuration Standards as well as any laws,
regulations, and compliance standards applicable
to the Company (e.g., PCI DSS, Sarbanes-Oxley).
Information Technology is responsible for defining
and maintaining Company configuration standards.
• Users must never disable or alter standard
configurations, security services, devices, or software.
A. Incident Reporting
E. Disposal • All suspected, potential, and actual information
• Company or personal devices that store Company security incidents must be reported immediately to
information must be properly disposed of to ensure Company Management. Information security
that no Company information remains on the device incidents include, but are not limited to:
(e.g., degaussing, physical destruction). See the • Unauthorized access to electronic systems owned
Equipment Disposal & Decommissioning Standard. or operated by or for the Company;
• Malicious alteration or destruction of data,
F. Inactivity information, or communications;
• Users must lock or logoff all devices whenever a • Unauthorized interception or monitoring of
system is left unattended. communications; and
• Company and personal portable computing devices, • Any deliberate and unauthorized destruction or
desktops, and workstations must have a secure damage of IT resources.
inactivity timeout function enabled and set to 15 • Information Security & Compliance must notify the
minutes or less. appropriate entities according to the guidelines in
the Incident Response Plan.
G. Lost or Stolen
• Users must immediately report any lost or stolen
devices, suspected or confirmed, to:
• Direct Supervisor or Manager
• A standard tracking and recovery tool must be
installed on laptops. Information Technology or
an authorized service provider is responsible for
installation.
• Users must never disable the standard tracking and
recovery tool.
• Mobile phone and tablet configurations must allow
remote wipes and disabling.

H. Vendor Management
• Vendors and service providers, who maintain
devices that store, process, or transmit Company
information must adhere to Sections A through G
NETWORK

Network management establishes requirements to

ensure the appropriate protection and continuous
operation of the Company network infrastructure.
Information Technology or its authorized service
provider is responsible for managing the Company
networks.

A. Firewalls and General Network Security

• All Company private networks must be separated from any non-Company private or
public networks by the use of a firewall device.
• All inbound Internet connections to Company private networks must be separated by
the use of a firewall.
• The default firewall rule must deny all traffic except for explicitly approved traffic.
• All firewall and router rule sets must be reviewed at least once every six months.
• All firewalls rules must restrict traffic based on business requirements and meet legal,
regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-
Oxley).

B. Wireless
• Wireless access points must be architected, installed, and maintained by the
Company as defined in the Wireless Standard.
• Wireless access points cannot be placed on the Company network or installed in a
Company facility without prior explicit written approval from management.
• Wireless environments must conform to compliance standards applicable to the
Company (e.g., PCI DSS, Sarbanes-Oxley) as outlined in the Wireless Standard.
 • Wireless environments and technologies must be tested and deemed acceptable
before being installed and used.
• Wireless networks must require authentication for connectivity.
• Wireless network activity must be logged.
• Scanning must be conducted twice per calendar year to identify unauthorized wireless
access points, unless more frequent scanning is required to meet legal, regulatory, or
compliance requirements applicable to the Company (e.g., PCI DSS, Sarbanes- Oxley).
• An inventory identifying and describing all wireless technologies in use and the
security measures in place must be maintained.
• Current network diagrams and cardholder data flows must include wireless networks
and must be maintained.
• Perimeter firewalls must be installed between any wireless networks and the
cardholder data environment. These firewalls must be configured to deny or control
(if such traffic is necessary for business purposes) any traffic from the wireless
environment into the cardholder data environment.

C. Remote Access and Modem Security

• Remote access to Company private networks must be provisioned as defined in the
Remote Access Standard.
• Remote access over a public network such as the Internet or a wireless network
must utilize
encryption technology (e.g. virtual private network) as described in the Encryption Standard.
• Modem connections inside Company facilities must be formally documented and
approved.
• Reviews must be conducted twice per calendar year to identify unauthorized remote
access mechanisms, unless more frequent reviews are required to meet legal,
regulatory, or compliance requirements applicable to the Company (e.g., PCI DSS,
Sarbanes-Oxley).
• Remote access used by vendors must be enabled only during the time period
needed, monitored when in use, and immediately deactivated when access is no
longer required.
• Remote access technologies must require an automatic session disconnect after a
specific period of inactivity.
ICTNWK546-Feedback From

Student Name:
Student ID:

Feedback received on- Add three feedbacks (F) Your response

Router configuration F-1: Recommended to Response to F-1: Added one more

add more end-devices. server as the end device.

F-2: Cannot ping LAN 1 & Response to F-2:Added RIP

LAN 2 Network. settings in Router and ping is
successful.

F-3: Can we add another Response to F-3: Explained that

device between LAN 1 there is direct cable between
and LAN 2 Router. Router 1 and Router 2.

Firewall configuration as a F-1: Recommended to use Response to F-1: Included CLI

part of network security CLI. outcome in the final presentation
design

F-2: Type of firewall Response to F-2: Explained that

available there is physical hardware firewall
and also IPV4 software firewall.

F-3: Can we allow all Response to F-3: Explained that

traffic in firewall the main purpose of firewall is to
block inbound and outbound
traffic and only firewall rule is
allowed as per business
justification.