Your task is to re-design the companys hq network and


Assignment

This project provides an opportunity for students to apply their understanding of practical security concepts, network design and security implementation skills gained from lectures, studying the online curriculum, discussion as well as self-study and online research.

You are required to design, set up and implement a secure network infrastructure for a company. You need to do your research in order to provide a thorough and workable design. You should also show your research results in your written report.

Completing this Project properly with all required documentation is not a trivial task. It is important that you read and understand each requirement and complete all tasks as your study progresses.

You need to submit a written report and a working Packet Tracer file.

General Requirements and suggestions

1. You should plan and complete the Report on a weekly basis so that all tasks can be completed properly. Leaving the Report to the very last day(s) will result in an unprofessional research report.

2. The configuration must work and be based on your Topology design.

3. Use Packet Tracer version 7.1 or for all your configuration.

4. All information sources must be appropriately acknowledged and a full bibliography is required.

5. Research using the internet would be helpful. Make sure you state the source of the materials.

Scenario

XYZ Ltd. Pty (you can use your group name as the Company's name) is a medium-sized company based in Sydney. The Company has grown from a small company into a medium-sized company in recent years. It also plans to expand further in the next two years. As the Company grows, the need to secure its assets and IT infrastructure is becoming more and more important. The Company hires you, a network security expert, to help them achieve their goals.

The Company has two offices: the HQ Office in the City and a Branch Office at Liverpool. The current network setup is as follows:

The HQ Office was originally set up by a general admin staff member, Steve, who is enthusiastic about networking. The structure of the network was not flexible and scalable enough to grow with the Company. It has an edge router, R1, and multiple access layer switches. When there is a need to connect more staff devices, more switches are added. There are three major departments in the HQ Office: Management and Admin, HR and Finance, and Sales. The HQ has an internet connection through an ISP. It also has a dedicated link connecting to the Branch Office.

The Branch Office is a small network which has an edge router, R11, and an access layer switch. Direct access from the Branch Office to the HQ Office is through the dedicated connection.

The Company will expand the business to other states. It has hired M in Melbourne and B in Brisbane for the expansion. There is no office in these two cities, so both M and B use their home computers to do their work. Remote access connections will be needed from their homes to the HQ Office.

Requirements

Your task is to re-design the company's HQ network and secure the Company's network infrastructure and communications, which includes the following:

General: redesign the IP address scheme for the whole network. You need to make sure that the size of the routers' routing tables is optimised. The Company also wants to start using IPv6 in its network. If full IPv6 implementation is not possible, you should at least plan for it and configure some part of the network using IPv6 as a start. The budget has already been approved, so you can add or replace devices in the network as you see fit in your design. You are also required to secure the management plane, control plane and data plane of all the devices.

New Network Topology: Your network design should adopt industry best practice for layer 3 and layer 2 devices. For the HQ Office, you should include, but are not limited to:

• DHCP service,
• Server-based AAA service, with TACACS+ and/or RADIUS servers,
• NTP,
• Syslog server,
• ASA firewall,
• Dynamic routing protocol,
• Monitoring system such as NetFlow,
• VLANs

For the Branch Office, the network topology does not need to be changed.

Securing the Network:

Your major task is to secure the HQ Office. It should include, but is not limited to, the following:

• secure network devices physically,
• harden the layer 3 device: management plane, control plane and data plane,
• network segmentation: based on departments,
• protect the LAN network from major types of layer 2 attacks, e.g. VLAN attacks, DHCP attacks, DTP, VTP as well as STP manipulation, etc.,
• use AAA for authentication,
• secure NTP communications,
• adopt industry best practice for layer 3 and layer 2 devices

You should also plan and secure the Branch Office. The Branch Office security implementation should include, but is not limited to, the following:

• secure network devices physically,
• harden the layer 3 device: management plane, control plane and data plane,
• use a Zone-based Policy Firewall on the edge router, R11, to protect the Branch Office from major types of cyber attacks,
• implement an Intrusion Prevention System (IPS)

Securing communication between HQ and Branch Office

Your task is to secure communication between sites by:

• installing a Cisco ASA Firewall in the HQ Office,
• setting up site-to-site IPsec VPN tunnels between the HQ ASA and Branch R11

Securing communication between HQ and Home users

Your task is to secure communication between HQ and Melbourne and Brisbane. You should provide secure remote access by:

• Clientless VPN connecting to the ASA Firewall

Hints

To ensure that you can apply most of the knowledge, make sure you are using the latest IOS you can get for all the devices. You should also make sure that your ASA Firewall is running the latest IOS, and upgrade from the base licence to the Security Plus licence. To use the Security Plus licence on the ASA, enter the following command:

ASA# activation-key 0x1321CF73 0xFCB68F7E 0x801111DC 0xB554E4A4 0x0F3E008D

You can use a router or multiple routers to represent the ISP/Internet that connects the whole Company's network. You need to make sure that the ISP/Internet routing is set up properly so general communication can be achieved. You can also use the Cloud in Packet Tracer to represent the ISP/Internet.

Limitation

The latest version of Packet Tracer can support most of the configuration you may need in this project. However, there may still be some commands, according to your design, that are not supported. If this is the case, you can include these configurations in your recommendation. Marks will be deducted if you put configuration/commands that are supported by Packet Tracer in the recommendation.

Deliverable

You are expected to deliver a professional piece of work and a working Packet Tracer file. The report is expected to be concise, systematic and well organised in a logical manner. The length of the body of the report should be at least 2000 words (excluding IP address scheme, page title, abstract, references and appendix). The report must have a cover page. Supporting materials and references should be part of the Appendix.

The report should include, but is not limited to, these sections:

1. An abstract summarizing your report
2. A table of contents
3. The objectives of the report
4. Network Topology
5. Research and discussion about your design
6. Conclusions and/or Recommendations

7. Reference/bibliography
8. Appendices

The Packet Tracer files should have:

1. the network topology you designed for XYZ Ltd Pty.

2. working configurations which match the contents of your report.

If you use a different way to configure your design other than Packet Tracer, you have to convert your final configurations into Packet Tracer:
- commands that are not supported by Packet Tracer should be included in the written report

Assessment

Your report will be assessed based on:

• Neatness and professional presentation
• Your understanding of IT security requirements, in the context of a modern corporate environment
• Rationales for your design, suggestions and recommendations
• How practical your recommendations are
• Scope and areas covered
• A general, basic or even shallow discussion will end up with a bad result.
