Reference no: EM133044411

MOD002703 Advanced Network Security Principles - Anglia Ruskin University

Assessment - Case Study

ASSESSMENT ELEMENT - CASE STUDY

Callister Inc. is new in Manchester and has opened a branch in Cambridge. The company has designed its network, but the design has several security flaws. They have approached Anglia Ruskin University with a consulting contract where brilliant students in MSc in Cyber Security students will design, implement and document a proper security solution that can accommodate the requirements of the company.
This document describes the current state of the network as well as the security requirements of Callister Inc. Finally, it describes the final deliverables for this assignment.

Topology and Initial Configuration
The company has headquarters in Manchester and a branch in Cambridge.

The network is structured as follows:

• PUBLIC NETWORK: This network is outside Callister Inc. management and should not be changed. It has a HTTPS server, accessible through the URL, a PC representing a teleworker (i.e. belongs to the company but works remotely), a PC representing an outsider to the company, a DNS server that is used by devices belonging to the PUBLIC NETWORK, and a DHCP server to provide IP address to devices connected to the PUBLIC NETWORK. The ISP router belongs to the PUBLIC NETWORK and therefore should not be modified (assume that ISP has been configured properly).
• DMZ: This is the demilitarised zone of Callister Inc. and contains all servers that are public to internal and external areas. This is under the management of the company and should be considered within your security design. It contains the company's web server, an email server and, a DNS server that is used by users

of MANCHESTER HQ and CAMBRIDGE BRANCH. The DMZ servers are known externally through their external IP addresses and internally through their internal IP addresses, which means that static NAT has been configured in the DMZ_NAT router to perform this translation. All external devices trying to communicate with the DMZ servers need to use the public (external) IP addresses.

Figure 1. Callister Inc. network topology.

• MANCHESTER HQ: This is the internal network of the Manchester headquarters and is also under the management of the company. The Manchester_NAT router is the one implementing NAT translation, which means that all the devices connected to Manchester_NAT use private IP addresses to communicate internally between them but when connecting to devices on the other side of Manchester_NAT they will use the public IP address assigned by the dynamic NAT translation.
• CAMBRIDGE BRANCH: This network has all devices of the Cambridge branch that are under the management of Callister Inc. The Cambridge_NAT router implements NAT translation to allow devices connected to it to communicate to the rest of the devices. All the devices connected to Cambridge_NAT use private IP addresses to communicate internally between them but when connecting to devices on the other side of Cambridge_NAT they will use the public IP address assigned by the dynamic NAT translation.

The following configurations have already been made for you:
• IP addresses of all devices as well as hostnames
• NAT in the Manchester_NAT, Cambridge_NAT and DMZ_NAT routers. It is recommended not to modify anything of the existing configuration on those routers unless consulted with the module tutor. Assume that NAT is working properly.
• Static routing, please note that because of NAT, connectivity tests between devices that are in the same network should be done using the private IP address whilst connectivity between devices in different networks should be done using the public IP address. Figure 1 and Table 1 show the IP addresses configured in each device interface.

Security Analysis
As part of the consulting job Callister Inc. needs you to write a security analysis of their current network and come up with the security mechanisms needed to achieve basic network security. You must write a technical document that describes the security mechanisms you would recommend the company to implement supporting your decision with references to best practices and/or industry recommendations. The CCNA Security curriculum or the slides of any other security module from your course cannot be used as references but you can use white papers from Cisco or other similar documents.
Your analysis must consider the following mechanisms:

• Securing the network devices for administrative access (including AAA).
• Zone-based policy firewalls (only required in Manchester).
• Intrusion Prevention Systems.
• Layer 2 security.
• Virtual Private Networks (to communicate Manchester and Cambridge).

FOR SIMPLICITY PURPOSES YOU ARE NOT REQUIRED TO SECURE THE DMZ_NAT,
Cambridge_NAT NOR Manchester_NAT routers.

The analysis must be thorough and can include the addition of new elements to the networks that belong to the company. If your security analysis is incomplete, then this will also have an effect on your final configuration.

Assessment
Students must submit the security analysis by week 7 of the teaching semester as a formative assessment so they can receive feedback from the module tutor.

Design and Implement the security of the network
Once you are happy with the security mechanisms to implement you must configure them in the topology. The use of Packet Tracer is permitted, and the initial topology is provided in Canvas Element 010 assessment literacy page.

Testing the security of the network

Finally, you must provide a test plan of the security mechanisms. Your test plan doesn't need to include screenshots and it should just indicate the test that needs to be done to verify that the security mechanism is working properly. Table 3 shows an example on how to do the test plan, please note that show run must NOT be used as a command to verify a protocol.

Attachment:- Network Security Principles.rar