MOD005774 Network Security Element 011 - Component 1: Case Study




MOD005774 Network Security

Assignment element 011 - Component 1: Case Study

Trimester 1, 2023

Instructions

This document outlines all the details concerning assessment element 011 in the Network Security module. Please review the entire document thoroughly and identify any elements that may not be clear. For any inquiries regarding the case study, kindly reach out to the module leader. Please note that questions submitted via email or verbally will not receive a response.

Introduction

PocoLoco Inc., a recent establishment in London, has extended its presence by opening a branch in Chelmsford. Although the company has crafted its network infrastructure, it acknowledges the presence of multiple security vulnerabilities within the design. In response, they have engaged ARU with a consulting contract. Under this agreement, BSc Computer Networks students will be tasked with devising, implementing, and documenting an effective security solution tailored to meet the company's specific requirements.

This document describes the existing condition of the network, sets out the security needs of PocoLoco Inc., and concludes by specifying the ultimate deliverables expected for this assignment.

The company is headquartered in London and operates a branch in Chelmsford. The network is structured as follows:


  • PUBLIC NETWORK: This network operates independently of PocoLoco Inc.'s management and should remain unaltered. It comprises an HTTPS server accessible via the https://google.com/ URL, a computer designated for a teleworker (i.e., an employee working remotely but affiliated with the company), a computer used by an external individual not associated with the company, a DNS server utilized by devices within the PUBLIC NETWORK, and a DHCP server responsible for assigning IP addresses to devices connected to the PUBLIC NETWORK. The ISP router is part of the PUBLIC NETWORK and must not undergo any modifications; assume it has been properly configured by the ISP, as shown in Figure 1.

  • DMZ: This area constitutes the demilitarized zone (DMZ) within PocoLoco Inc., containing all servers accessible from both internal and external networks. It falls under the company's administration and should be integrated into your security planning. Currently, it exclusively hosts the company's web server (https://pocoloco.com/), as shown in Figure 1.

  • LONDON HQ: This area represents the internal network of the London headquarters and is under the direct management of the company. Within this network, you will encounter the server farm housing AAA, Syslog/NTP, and Internal DNS servers, as shown in Figure 1.

  • CHELMSFORD BRANCH: This network contains all devices of the Chelmsford branch that are under the management of PocoLoco Inc., as shown in Figure 1.

The following configurations have already been made for you:

  • IP addresses of all devices as well as hostnames
  • Static routing

Figure 1 and Table 1 show the IP addresses configured in each device interface.

Note that this topology doesn’t represent a real environment. Certain protocols, such as NAT, have not been configured, to reduce the complexity of the assessment and to allow you to focus only on the understanding of the topics reviewed within this module.

It is your responsibility to verify that the IP addresses indicated in the table are correct and correspond to the ones configured in the initial topology. Assume that the ones configured in the topology are the correct ones and modify the table if needed.

It is also your responsibility to verify connectivity. Right now there should be full connectivity between all the devices, so you must test that. This is important because when the security mechanisms are implemented you will not know if the traffic was stopped because of the security implemented or because there was no communication from the beginning.

You could use this table later for connectivity tests after security is implemented.

Other considerations:

  • You must not touch the PUBLIC NETWORK; it is outside your admin rights. Assume the ISP is working properly. You can use the Teleworker and Outsider PCs for testing.
  • You must use the Admin laptop to configure the devices. Don’t add more laptops to configure other devices; use the same one or use SSH to connect remotely.
  • Finally, you must focus on security, not on the current design of the network.

Security Analysis (30%)

Within the scope of your consulting role, PocoLoco Inc. requires you to conduct a security analysis of their existing network and devise the essential security measures for achieving basic network security. Your task involves composing a technical document outlining these security mechanisms. It is imperative to support your recommendations with references to established best practices and industry guidelines. Please note that references from the Cisco Network Security curriculum or slides from any other security module in your coursework are not permissible. However, you are allowed to cite relevant white papers from Cisco or similar documents to substantiate your recommendations.

Your analysis must consider the following mechanisms:

  • Securing the network devices for administrative access (including AAA). 
  • Firewalls.
  • Intrusion Prevention Systems.
  • Layer 2 security.
  • Virtual Private Networks.

Students are encouraged to submit the security analysis by week 7 of the teaching semester so they can receive feedback from the module tutor.

Implement the security of the network (35%)

The network administrators at PocoLoco Inc. have assigned specific tasks for you to accomplish. If you have successfully completed all the labs and comprehended their objectives, you should be equipped to fulfill these assignments.

  • Secure Administrative access: The materials and labs of week 2 should help you with this task.

Configure all essential security mechanisms for administrative access on routers London and Chelmsford, as well as switches L-S1, L-S2, C-S1, and C-S2. You are responsible for defining the passwords and parameters. Please provide a table detailing the passwords used; without this information, we won't be able to access your devices or evaluate your work.

  • AAA: The materials and labs of week 3 should help with this task.

Configure AAA in both LONDON and CHELMSFORD. You must configure local AAA as a backup, but server AAA should be the preferred method. The AAA server should be the one in London HQ, and you must not add new ones.

  • ACLs: The materials and labs of week 4 should help with this task. You must implement the appropriate ACLs that would allow the following:
    • CHELMSFORD and LONDON should be able to communicate via the VPN, without restrictions. 
    • CHELMSFORD should be able to communicate to the pocoloco.com server but without the VPN.
    • LONDON can only communicate to the PUBLIC NETWORK if the communication is initiated by a LONDON user. This means that communication initiated by PUBLIC NETWORK devices should not be allowed.
    • PUBLIC NETWORK devices can communicate only to the pocoloco.com device and only for HTTPS communication.
    • Everything else should be denied.
  • Intrusion Prevention System: The materials and labs of week 5 should help with this task.

Activate IPS on the LONDON router to scan traffic entering the 172.10.0.48/29 network. Utilize the designated Syslog/NTP server for configuring IPS messages. Configure the router to recognize the Syslog server for receiving logging messages. Ensuring accurate time and date display in Syslog messages is crucial for effective network monitoring. Adjust the router's clock and configure the timestamp service for logging purposes. Lastly, enable IPS to generate alerts and block inline ICMP echo reply packets.

  • Securing the Local Area Network: The materials and labs of week 6 should help with this task.

Secure all switches in both LONDON and CHELMSFORD by implementing port security, deactivating unused ports, and safeguarding against STP attacks.

  • Virtual Private Network: The materials and labs of week 8 should help with this task. 

All communication between LONDON and CHELMSFORD must be protected using an IPsec VPN.

Testing the security of the network (25%)

Finally, you must provide a test plan of the security mechanisms. Your test plan doesn’t need to include screenshots; it should just indicate the tests that need to be done to verify that each security mechanism is working properly. Table 3 shows an example of how to do the test plan. Please note that show run must NOT be used as a command to verify a protocol.
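One way to keep baseline and post-hardening connectivity results apart when building the test plan, as an added example that is not part of the original brief: the expected verdicts follow the ACL requirements listed above, the zone names stand in for the hosts of Table 1, and the function names and sample results are constructed for illustration.

```python
# Added example: names below (expected, classify, report, RESULTS) are hypothetical.
HTTPS = ("tcp", 443)

def expected(src, dst, service):
    """Post-hardening verdict for a flow initiated by src, per the brief's ACL list."""
    if {src, dst} == {"LONDON", "CHELMSFORD"}:
        return "allow"   # unrestricted, carried over the IPsec VPN
    if (src, dst) == ("CHELMSFORD", "DMZ"):
        return "allow"   # pocoloco.com, reached without the VPN
    if (src, dst) == ("LONDON", "PUBLIC"):
        return "allow"   # only because LONDON initiated the session
    if (src, dst) == ("PUBLIC", "DMZ") and service == HTTPS:
        return "allow"   # HTTPS to pocoloco.com only
    return "deny"        # everything else

def classify(flow, baseline_ok, hardened_ok):
    """Compare one test against its baseline so failures are attributed correctly."""
    if not baseline_ok:
        return "baseline-broken"  # never worked: fix connectivity before judging security
    want_allow = expected(*flow) == "allow"
    if want_allow == hardened_ok:
        return "pass"
    return "over-blocked" if want_allow else "policy-gap"

# Constructed sample results:
# (initiator zone, target zone, service) -> (worked before security, works after)
RESULTS = {
    ("LONDON", "CHELMSFORD", ("tcp", 22)): (True, True),
    ("PUBLIC", "DMZ", HTTPS): (True, True),
    ("PUBLIC", "DMZ", ("tcp", 80)): (True, False),
    ("PUBLIC", "LONDON", ("tcp", 22)): (True, True),
    ("CHELMSFORD", "DMZ", HTTPS): (True, False),
    ("LONDON", "PUBLIC", HTTPS): (False, False),
}

def report(results):
    """Return {flow: verdict} for every recorded test."""
    return {flow: classify(flow, *seen) for flow, seen in results.items()}

if __name__ == "__main__":
    for flow, verdict in report(RESULTS).items():
        print(f"{flow[0]:>10} -> {flow[1]:<10} {flow[2]}  {verdict}")
```

A "policy-gap" verdict means traffic that should be denied still passes, "over-blocked" means a required flow was cut off, and "baseline-broken" means the test cannot say anything about the security configuration.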

Please also refer to the marking scheme of the case study available in Canvas (MOD002774_011_Marking_Scheme.xlsx). Please note that the quality of the report will also be considered as part of the final mark.
