Reference no: EM133558516
Network Security
Overview
The learning objective of this assignment is for you to gain first-hand experience in designing, implementing, testing and ethically using an enterprise network.
This is an individual assignment and you are not allowed to discuss any aspect of it with others (excluding teaching team members). Failing this requirement (e.g. helping other students, or discussing solutions to assignment questions on any platform) will result in penalties in accordance with the University's Academic Integrity guidelines:
Scenario for the Assignment
You have been hired to design and implement a secure network - containing several servers, firewalls, routers, clients etc. - for Monash University. The network spans three campuses: Caulfield, Clayton, and Peninsula. The location of the primary data-center (Primary DC) depends on your student ID as follows. StudentID is your Monash student ID number.
StudentID mod 3 | Primary DC
0               | Clayton
1               | Peninsula
2               | Caulfield
You will be asked to carry out different tasks depending on the location of the Primary DC. If you solve a question based on an incorrect Primary DC value (or any other value computed based on your student ID), you will receive a zero mark (regardless of the correctness of your answer based on a different Primary DC).
4 Secure Network Design and Implementation
This task entails designing and implementing a network that spans the three Monash campuses, using GNS3. The network's architecture should prioritize security considerations. Your design should establish inter-connectivity between the three campuses using the perimeter firewalls or routers present. An illustrative example of a topology configuration file has been provided, but it is incomplete. You can use your own network topology if you would like. Please use the following command to download the example configuration file:
Additionally, there are supplementary network prerequisites that must be addressed.
• All campuses must have at least one perimeter firewall/router.
• Each campus must have a Client LAN, and each LAN should contain at least one client container.
• The network must have the following servers: DNS, CA (Certificate Authority), SSH and SMTP.
• DNS and CA are internal servers and WEB, SMTP and SSH are externally accessible servers. All external servers must be placed in your Primary DC. Internal servers can be placed in any appropriate location.
• Add a Metasploit container directly to the ISP switch and name it External-Attacker.
• Assign different subnets to campuses and configure perimeter firewalls/routers.
• SSH server should be a Metasploitable container.
• For the DNS, WEB and SMTP servers, any open-source server can be installed. Using lab material is also fine. The CA can simply be a regular container with OpenSSL. The web server should host a web page designed by you on which your student ID is displayed. The DNS server can be a forwarding DNS server to Google DNS.
• The WEB and SMTP servers should use TLS with certificates issued by the CA. Use your student ID as the domain name for both the WEB and SMTP servers. E.g., for student ID 111222333, use 111222333.com as the domain name.
• At this stage all devices should be able to reach each other and all services should be active.
Note: If you use the provided GNS3 project, most of the above network configuration is already done. However, you may need to add more LANs to your network. Instructions for adding a new LAN are provided in the appendix.
Note: It's recommended to go through the Firewall and IDS questions before completing this task.
Submission Requirement
Video: The video should demonstrate access to the DNS, WEB, SMTP and SSH services from a campus different from the one where the server is hosted. You can use any client-side tool to access the services (e.g. Lynx, OpenSSL s_client, dig). Use Wireshark to show that all secure services (WEB, SMTP and SSH) are encrypted.
Report: Report should include a screenshot of the network topology (GNS3), IP subnets of any new subnets, IP addresses of all nodes, name of your Primary DC. You can mention all these in the GNS3 topology itself and capture them in the screenshot.
5 BGP
Configure the perimeter firewalls in each campus with BGP routing. Each campus should be a separate BGP AS, and all networks directly connected to each firewall should be advertised in BGP. If you are using the provided GNS3 topology, this is already configured. Perform the following tasks on the firewalls:
• Perform a BGP prefix-hijacking attack from any of the firewalls other than your Primary DC firewall, to redirect the traffic going to the Primary DC. Demonstrate the live attack and the live re-direction of the traffic in your video.
• Apply a countermeasure on the victim firewall to temporarily fight back. Demonstrate live the configuration and the change in the direction of traffic using Wireshark.
Note: You have to perform this task before attempting the other tasks to avoid complications with VPNs and firewall rules. Revert all changes before proceeding to the next tasks.
5.1 Submission Requirement
Video: Recording of the demonstration of the attack and the fight back.
Report: N/A.
6 VPN
For this task, your objective is to establish VPN tunnels using IPSec with ESP between the three campuses, forming a mesh network topology. The primary goal is to ensure that all inter-campus traffic is securely protected by these VPN tunnels.
6.1 Submission Requirement
Video: Record a video showing ESP traffic using Wireshark capture on all three paths. You will have to generate some traffic between the campuses to demonstrate this.
Report: Provide the result of the command "/ip ipsec installed-sa print" from all three firewalls in the report. (2 marks per router for the command result)
7 Firewall Configuration
In this task, you will configure firewalls to make the network secure and control access. Here are general requirements (4 marks):
• The DNS server should only be accessible from clients in the 3 campuses.
• WEB server should be accessible from all internal and external clients.
Additionally, configure the firewall according to one of the options below.
Compute the result of your student ID modulo 4 - e.g., if your student ID is 111222333, then student ID mod 4 = 1. Configure the firewall according to the following options:
• If student ID mod 4 = 0:
- Restrict access to the CA server to clients located exclusively within the Clayton campus.
- Restrict access to the SSH server to clients located exclusively within the Caulfield campus and all external clients.
- Restrict access to the MAIL server to clients located exclusively within the Peninsula campus.
• If student ID mod 4 = 1:
- Restrict access to the CA server to clients located exclusively within the Clayton campus.
- Restrict access to the SSH server to clients located exclusively within the Peninsula campus and all external clients.
- Restrict access to the MAIL server to clients located exclusively within the Caulfield campus.
• If student ID mod 4 = 2:
- Restrict access to the CA server to clients located exclusively within the Caulfield campus.
- Restrict access to the SSH server to clients located exclusively within the Clayton campus and all external clients.
- Restrict access to the MAIL server to clients located exclusively within the Peninsula campus.
• If student ID mod 4 = 3:
- Restrict access to the CA server to clients located exclusively within the Peninsula campus.
- Restrict access to the SSH server to clients located exclusively within the Caulfield campus and all external clients.
- Restrict access to the MAIL server to clients located exclusively within the Clayton campus.
Note: Only the respective service port should be allowed in all firewall rules, e.g. TCP 443 for CA and WEB, UDP 53 for DNS.
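The following Python script is an added example, not part of the assignment brief: it derives the Task 7 access policy (Primary DC from StudentID mod 3, the CA/SSH/MAIL option from StudentID mod 4) and renders it as RouterOS-style filter rules, with a helper to classify a source address so you can pick the permitted and the denied node for the video. All subnets, server addresses and the SMTP port are assumed placeholders to replace with your own topology values.

```python
# Added example, not part of the assignment brief: derive the Task 7 access
# policy from a student ID and render it as RouterOS-style filter rules.
# Every address below is a constructed placeholder for your own topology.
import ipaddress

CAMPUS = ["Clayton", "Peninsula", "Caulfield"]            # index = StudentID mod 3
CLIENT_LAN = {"Clayton": "10.1.10.0/24", "Peninsula": "10.2.10.0/24",
              "Caulfield": "10.3.10.0/24"}                # assumed client LANs
INTERNAL = "10.0.0.0/8"                                   # assumed campus supernet
SERVICE = {  # assumed server IPs in the Primary DC; ports per the brief's note
    "DNS": ("10.1.20.53", "udp", 53), "CA": ("10.1.20.43", "tcp", 443),
    "WEB": ("10.1.20.80", "tcp", 443), "SMTP": ("10.1.20.25", "tcp", 25),
    "SSH": ("10.1.20.22", "tcp", 22),
}
# (CA campus, SSH campus, MAIL campus) for StudentID mod 4 = 0, 1, 2, 3
OPTION = [("Clayton", "Caulfield", "Peninsula"), ("Clayton", "Peninsula", "Caulfield"),
          ("Caulfield", "Clayton", "Peninsula"), ("Peninsula", "Caulfield", "Clayton")]

def primary_dc(student_id):
    return CAMPUS[student_id % 3]

def policy(student_id):
    """Allowed sources per service: campus names, plus 'external' for non-INTERNAL."""
    ca, ssh, mail = OPTION[student_id % 4]
    return {"DNS": set(CAMPUS), "WEB": set(CAMPUS) | {"external"},
            "CA": {ca}, "SSH": {ssh, "external"}, "SMTP": {mail}}

def routeros_rules(student_id):
    """Accept rules for each permitted source, then a per-server drop (default deny)."""
    rules = []
    for svc, sources in policy(student_id).items():
        ip, proto, port = SERVICE[svc]
        for src in sorted(sources):
            match = (f"src-address=!{INTERNAL}" if src == "external"
                     else f"src-address={CLIENT_LAN[src]}")
            rules.append(f"/ip firewall filter add chain=forward {match} dst-address={ip} "
                         f"protocol={proto} dst-port={port} action=accept "
                         f'comment="{svc} from {src}"')
        rules.append(f"/ip firewall filter add chain=forward dst-address={ip} action=drop "
                     f'comment="{svc} default deny"')
    return rules

def is_allowed(student_id, src_ip, svc):
    """Classify a source address (campus LAN, external, or neither) against the policy."""
    src = ipaddress.ip_address(src_ip)
    origin = "external" if src not in ipaddress.ip_network(INTERNAL) else next(
        (c for c, lan in CLIENT_LAN.items() if src in ipaddress.ip_network(lan)), None)
    return origin in policy(student_id)[svc]
```

A source inside the campus supernet but outside every client LAN (for example a server subnet) matches no accept rule and is denied, which is the behaviour the per-server drop rule enforces on the firewall.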
7.1 Submission Requirement
Video: Record a video showing that the firewall rules work as expected. First try connecting to the service from a node where access is permitted, and then from a node where it is not allowed.
Report: Provide a screenshot of the firewall rules of each firewall. You can use the command "/ip firewall filter print" (2 marks)
8 Security Analysis
Perform a security analysis of the network that you configured in the previous tasks. More specifically, discuss the following in the report (no actual configuration is required for these questions, please limit your answer to under 100 words):
• Can the firewall configuration be bypassed?
- If so, explain how it can be bypassed and how to counter it.
- If not, explain what rules are in effect to prevent bypassing.
• Discuss how the security of the network (including the servers) you have constructed can be further improved. Your discussion can also include removing/adding servers and network devices.
Note: No video demonstration is required for this task.
9 IDS
In this task, you are required to exploit an internal server as an external attacker and configure IDS to detect and alert on these intrusion attempts. Perform the following tasks:
- Connect a Snort IDS node to the same network where your public servers (WEB, SSH and SMTP) are connected. Configure the switch to send all traffic in/out of the public servers to the IDS, similar to our approach in the IDS lab.
- Exploit two vulnerabilities in the SSH server (Metasploitable container) using the Metasploit framework. You can use the External-Attacker node for Metasploit. Capture the traffic in Wireshark and discuss how IDS rules can be written to detect these attacks.
- Create custom rules in the IDS to generate alerts in response to the above attempts by attackers to exploit vulnerabilities within the Metasploitable Docker container. Perform the above two attacks again to show the IDS detection.
Video: Demonstrate in the video a live exploitation of the vulnerabilities in Metasploitable and the IDS detection alerts.
Report: Provide the IDS rule configuration in the report.
10 Ethical Conduct
Taking into account all the security improvements you suggested in Task 8, identify unethical activities a network user (a staff member or a student) could perform on the above network. Develop an Ethical Network Usage policy with a list of guidelines for Monash staff and students regarding appropriate network conduct, prohibited activities, and behaviors classified as unethical. List a minimum of five policy directives. Ensure your response falls within the 150 to 500 word limit. For this task, you need to conduct some research, and appropriately cite and acknowledge the resources you have consulted.
Quality of Presentation
The remaining 10 marks are allocated to the quality and clarity of presentation in the report and the video.
Appendix
Attachment: Network Security.rar