Secured Network Infrastructure Design and Implementation for MNM Company, AY24 Sem 2 Practical Assignment, Singapore

Network Security – Practical Assignment

Task 1 (20 marks)

To design and implement a secured network infrastructure on packet tracer using the base packet tracer file provided (without any configuration, only physical topology provided) as per the scenario and requirement listed below. Begin with a network design of IP Addresses as per the host requirement below. You may select an appropriate private IP block and may use FLSM/VLSM. Include justifications of your choice in the report.

Scenario

You are the Security Consultant of ‘MNM Company’ that offers educational services to its clients. They have three offices in Singapore namely HQ and branch offices in AMK and Tuas.

General Requirement

• HQ and their branch offices each have an administrator. They have accounts created locally on the respective routers as “HQ_Admin, AMK_Admin and Tuas_Admin” with secret password as ‘admin_no’E.g. ‘123456D’
• All the devices to have hostnames as ‘admin_no_location’ E.g. 123456D_Branch
• All the devices to have enable passwords as ‘admin_no_enable’ E.g. 123456D_enable’
• All the routers to accept only one (1) virtual line through SSH and are authenticated (AAA) through Radius server located at SERVER_FARM. In case radius server is not available, local accounts should be used for AAA. Radius Server should have a user account ‘Radius_Admin’ with password as ’admin_no’. Telnet, Console and Auxiliary connections not to be allowed.
• Password used on all the routers are encrypted when displayed (Eg.sh run config)
• All the routers are time-synchronized with the NTP server.

NTP Parameters Table

• The entire network (except ISP Router) must have OSPF as the routing protocol with Type 2 authentication with the key as “Admin_no_MD5”.
• Hello and Dead intervals between all routers are set as 10 and 15 respectively across all routers.
• Note there is no direct connectivity between HQ and Tuas offices. IPSec site-to-site VPN is to be configured between HQ and Tuas offices. Use the parameters as appropriate and document them.
• All offices connect to Internet via HQ’s ISP connectivity.
• Each network to have at least one PC connected to test connectivity.
• In terms of access to servers, propose and implement the following:
  • Access to the Radius Server to be limited (to only HQ/Tuas/AMK offices)
  • Access to other servers hosted at HQ/Tuas to be limited with the specific port numbers as applicable.

HQ @ Singapore

• HQ hosts a single LAN (INTRANET) that consists of three departments across three floors namely HR (7 staff), Finance (5 staff) and Management (4 staff) and all the staff are provided with only desktops. i.e. You need to plan for a single subnet that consists of HR, Finance and Management departments.
• HQ also has server farm (DMZ) that hosts web server (www.mnm.com) and DNS server (dns.mnm.com). Both Internet and Intranet users to have secured access to the web server and DNS server.
• Propose a security plan given that there is budget to buy an ASA5506/ASA5505 to secure the network. You may use techniques like security levels, security zones, ACLs etc.
• All the company users to have only secured web access to finance.mnm.com.
• Port Security is to be enabled as per the connectivity shown in the packet tracer started file and unused ports must be administratively disabled. Any breaches must require administrator’s action.
• HQ Router has connectivity to the ISP and the required routing (Hint: Default route) is to be configured for all the devices to access Internet through this link. ISP uses router model 1841 and uses 64K serial link (DCE) to connect to the HQ. All company users connect through HQ router for Internet access.

AMK Office

• It hosts only IT department that has 4 staff members with laptops.
• AMK office connects to HQ for secured web access to finance.mnm.com.
• AMK Router connects to Radius Server @ SERVER FARM for authentication as per the general requirement above.
• AMK Router synchronises its clock with NTP Server @ SERVER FARM.
• Port Security is to be enabled with the maximum of 2 MAC addresses and rest of the unused ports to be administratively disabled. Any breaches do NOT require administrator’s action.

TUAS Office

• It hosts only Marketing department that has 14 staff members with laptops.
• TUAS office connects to HQ for secured web access to finance.mnm.com.
• HQ connects with Tuas over IPSec site-to-site VPN to access Tuas.mnm.com over only HTTPS. HQ users also have access to Tuas.mnm.com over HTTPS.
• Port Security is to be enabled with the maximum of 3 MAC addresses and rest of the unused ports to be administratively disabled. Any breaches do NOT require administrator’s action.

Task 2 (10 marks)

Write a detailed report that covers the following points:

• Your considerations for the network IP address and FLSM/VLSM design.
• Tabulate (as per the table below) all the IP addresses used per location basis including the mask chosen.

• Your considerations, justification and explanation of the security measures implemented at every location.
• Document the verification/test results by attaching screenshots where applicable.
• Any assumptions made must be stated clearly under a separate section “Assumptions”.
• Attach the current configuration of every device that you have implemented as annex.

Assignment Rubrics

Submission Requirements

Please ensure that your submission follows the formatting guidelines and is submitted within the specified time frame. Refer to the annex for late submission policies.

Guidelines for Late and Extension for Submission of Assignment (ASSN) and Project (PROJ)

A. Late Submission

Scope

A submission of an Assignment (ASSN) or Project (PROJ), including ITP report will be considered as late if the submission was received after the stipulated due date/time, e.g. if the due date/time is on 5 Oct 2023, 2359 hrs, any submission later than that will be considered as late, and there will be penalty.

Penalty

1. If you passed the ASSN or PROJ, a penalty of 50% capped will be deducted from the base score of ASSN or PROJ.
2. If you failed the ASSN/PROJ, you will be awarded a failed score.
3. Regardless you Pass or Fail, If you submit the ASSN or PROJ beyond 5 calendar days from the due date, you will be awarded Zero.

Frequently Asked Questions

1. If my ASSN or PROJ due date is on 5 Oct 2023, 2359 hrs and I submit it on 6 Oct 2023, 0000 hrs, is it considered late submission?Yes, any submission beyond the due date and time will be considered as late submission.
2. What is the penalty if I submit my ASSN or PROJ after the due date?If you submitted the ASSN/PROJ late but within 5 calendar days from the due date, as a penalty, a cap of 50% of the base score will be awarded if you pass the ASSN or PROJ. This mean if the base score is 50 marks, your marks will be capped at 25 marks should you pass the ASSN or PROJ. If you fail the ASSN or PROJ, you will be awarded the failed score. If you submit after 5 calendar days from the due date, you will be awarded Zero mark.
3. ExampleASSN or PROJ submission due date on 5 Oct, 2359 hrsBase score of ASSN or PROJ = 50Learners who submit any time from 6 Oct, 0000 hrs to 10 Oct 2359 hrs: If passed the ASSN or PROJ, award 25 marks (capped at 50% of base score). If failed the ASSN or PROJ, award the failed score, e.g. 15 marksLearners who submit from 11 Oct, 0000 hrs onwards: Mark awarded = 0

B. Extension of Assignment or Project submission

Scope

1. If you have a valid reason for submitting the ASSN/PROJ late, you may apply for extension of the submission deadline.
2. You must submit a Statement of Absence (SOA) as per current procedure and apply for an extension through the Unit Leader (UL).
3. The extension will only be considered if your ASSN/PROJ due date falls within the duration of SOA.
4. Each extension can be granted to 1 day (24 hours) after the end date of your SOA period.
5. If you fail to submit your ASSN/PROJ after the approved extension period, penalty will be applicable based on late submission guidelines.

Frequently Asked Questions

1. What type of assessments are applicable under the guidelines for late and extension of submission?The Guidelines are applicable for 2 assessment tasks: Assignment (ASSN) or Project (PROJ), including Internship (ITP) report.
2. How do I apply for an extension of ASSN or PROJ due date?Extension of ASSN or PROJ will be granted if you have a valid absence reason, e.g. MC. You must inform your Unit Leader (UL) and submit your Statement of Absence (SOA) online to make the request for an extension.
3. How many days of extension will I be granted?The revised submission due date will be granted to 24 hours after the end date of your SOA. This is only applicable if the ASSN or PROJ due date falls within the duration of the SOA.
   ASSN or PROJ submission due date on 5 Oct, 2359 hrs: Learner on MC from 4 to 5 Oct.
   Revised submission due date 6 Oct, 2359 hrs.
4. What if I am still unwell and given further MC from 6 to 7 Oct?You can submit your MC in SOA and make a second request through your UL immediately. Your revised due date for ASSN or PROJ will be on 8 Oct, 2359 hrs. Please note that the period of your SOA must be consecutive before you can make the second request.
5. What happens if I do not submit my ASSN or PROJ after the revised due date?If no submission of ASSN or PROJ is received after the revised due date, the late submission policy will be applicable, where you will be subject to marks deduction or zero mark depending on when you submit your ASSN or PROJ.
6. Can I request for extension if my reason is not a valid reason listed under the NYP Attendance Policy?You must plan your submission early and submit your ASSN or PROJ timely. Please contact your UL immediately if you are unable to submit on time. Any request for extension with no valid reason would be evaluated case-by-case and subject to DOS’ approval.