Abstract

This report gives a detailed proposal and analysis for strengthening the network security of Callister Inc., which has branches in Cambridge and Manchester. The analysis evaluates the existing network structure, identifies its weaknesses, proposes new security mechanisms, implements them in Packet Tracer, tests their effectiveness, and reports the findings.

Introduction

Recently, Callister Inc. has expanded and opened branches in Cambridge and Manchester. However, it has been noted that its network design has various security faults that weaken the entire system. This report aims at analyzing the existing network setup, highlighting its weaknesses, and suggesting effective security measures by implementing them in Packet Tracer and testing the new system to ensure that it is effective.

The Network Overview

The network of the company is made up of the DMZ, Public Network, Cambridge branch and Manchester HQ networks. Each network segment plays a specific role and interacts with both external and internal devices. The current configuration is composed of NAT settings, IP addresses and the specifications of each device.

1.1: Network Topology 

  • The public network is outside Callister Inc.'s control and is composed of an outsider PC, a teleworker PC, an HTTPS server, a DHCP server, and a DNS server.
  • The DMZ hosts the company's public-facing servers, which are made up of the website, internal DNS server, and email server. Access to external servers is aided by static NAT.
  • Manchester HQ comprises an internal network where devices operate with private IP addresses. External connections are established through the Manchester NAT router, using dynamic NAT.
  • The Cambridge Branch, like Manchester HQ, utilizes private IP addresses for its internal network. External access is enabled via the Cambridge NAT router, using dynamic NAT.

Security Analysis of the Existing Network

An in-depth analysis of the company's network identified numerous serious risks that call for immediate intervention.

2.1: Unsecured Network Devices like the Manchester Router

Unsecured network devices such as routers pose a major threat to the network by exposing it to attackers (Rizvi et al., 2020). This includes:

  • Vulnerability to cyber-attacks: since the devices are unsecured, they are exposed to hackers who can easily gain access to the company's network, steal sensitive data, interfere with normal operations or even launch an attack.
  • Botnet recruitment: unsecured devices can be infected with malware and recruited into botnets. This can lead to DDoS attacks, malicious activities and spam campaigns.
  • Data breaches: the company's sensitive information stored on or transmitted via unsecured devices can be easily compromised, leading to financial losses, reputational damage and legal consequences.
  • Lateral movement: hackers can move laterally through unsecured devices, gaining access to critical data and systems.
  • Increased attack surface: many devices will be connected to the company network, which increases the attack surface and the risk of compromise.
  • Insufficient authorization and authentication mechanisms: the network will be exposed to unauthorized configuration changes and access.

2.2: Exposed DMZ Servers

The servers located in the DMZ are intended for public access, which makes them critical points of exposure to cyber-attacks. They are exposed directly to the internet and are key targets for malicious attacks, which include SQL injection, malware infiltration, denial-of-service attacks, and exploitation of zero-day vulnerabilities. The network lacks robust hardening measures and proactive risk management, which further increases the chances of being attacked and leaves these servers exceptionally vulnerable to exploitation. Addressing security concerns within the DMZ is important since it safeguards the confidentiality and integrity of sensitive data stored on the servers. Reducing these risks involves controlling access to the servers, applying regular security patches and updates, and closely monitoring the firewall configuration.

2.3: Uncontrolled Network Traffic

The network operates without an intrusion prevention system (IPS) or firewalls, which results in uncontrolled traffic movement across and within the different network zones. This increases the vulnerability of the system to malware injection, unauthorized lateral movement and data breaches. Without these security controls in place, malicious traffic can enter the system, compromising the company's data and weakening the overall security posture of the network. Implementing an IPS and firewalls is important to monitor, filter and block suspicious traffic, protecting the network against unauthorized access and possible threats.

2.4: Weak Layer 2 Security

The switches integrated into the network lack important port and VLAN security measures, permitting unauthorized devices to connect without restriction. This poses a big risk to the network, as it allows potential access to sensitive information. Additionally, the absence of encryption on internal network traffic further increases the risk of data interception. Without holistic layer 2 security measures the network becomes vulnerable, leading to data access by unauthorized users and information breaches. Implementing mechanisms such as port security or VLAN segmentation is crucial in protecting sensitive information, minimizing unauthorized access, and controlling connections. Additionally, enabling encryption for internal network traffic is vital in limiting unauthorized users and safeguarding data.

2.5: Insecure Communication

Manchester and Cambridge rely on the public internet for communication, which exposes the network to threats such as information hijacking, eavesdropping, and data manipulation. The public internet lacks the needed security protocols and encryption methods, making the communication channel prone to unauthorized connections and interception. This, in turn, jeopardizes the confidentiality and integrity of data in transit, threatening the security and privacy of sensitive information. Therefore, it is vital to implement secure communication channels and protocols, such as encrypted communication channels or virtual private networks, to help prevent potential security breaches and protect data during transmission.

Design and Implementation of Security in the Network

The recommended security measures are implemented using Cisco Packet Tracer. This is achieved by securing network devices such as the Manchester router for administrative access, setting up zone-based policy firewalls, reinforcing layer 2 security, deploying intrusion prevention systems and creating VPN connections between Cambridge and Manchester. A detailed policy document and configuration process will be issued for future reference and maintenance.

Recommendations include:

3.1: Securing Network Devices

The configuration of the Manchester router is minimal and lacks various security best practices. Securing devices is very important since it minimizes the risk of successful attacks, prevents costly disruptions and protects data. It also reduces overall network threats by addressing risks across the network, reducing exposure to cyber-attacks and improving the security posture of the network (Aslan et al., 2023). This report recommends the following security settings and improvements.

  • Enabling SSH: Replace Telnet with SSH to ensure remote access is secure. Enabling SSH involves configuring SSH version 2 and generating an RSA/DSA key for encryption.
  • Implementing Access Control Lists (ACLs): Setting up ACLs to control traffic between interfaces is very important. For example, configuring extended or standard ACLs permits or denies particular IP traffic.
  • Password Protection: Sensitive information in the configuration is secured by enabling password encryption.
  • Interface Security: Allowing IP addresses on the interfaces is very important. Also, network management should disable unused interfaces completely.
  • Disabling unused services: Ensure all unnecessary services, such as Cisco Discovery Protocol (CDP), are turned off to minimize the amount of data exposed to potential attackers.
  • Implementing Banner Messages: Configure login banners to warn any unauthorized user against attempting access.
  • Routing Security: Implement route filtering with distribute lists or route maps to filter advertised routes and control routing updates. Also, secure and verify static routes using appropriate administrative distances and route summarization.
  • Syslog Configuration: Setting up logging to a syslog server is crucial, as it allows device logs to be monitored and analyzed for unusual activities and potential security threats.
  • Software/Firmware Updates: Network administrators should regularly check for updates to the router firmware and apply security patches to address known threats.
  • Authentication, Authorization and Accounting (AAA): Implement AAA for centralized authentication, authorization and accounting of users' access to the network devices.

Figure 1: Router Security Settings

Figure 2: Securing Router Device
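
The hardening items listed in this section, written as Cisco IOS configuration for a router such as the Manchester router. This is an added example, not the report's own configuration; the hostname, domain name, addresses, interface name, user name and secrets are placeholders chosen for illustration.

```cisco
! Added example: every name, address and secret below is a placeholder.
hostname MANCHESTER-R1
ip domain-name callister.example
!
! Password protection: minimum length, hashed secrets, encrypted line passwords
security passwords min-length 10
service password-encryption
enable secret REPLACE-WITH-ENABLE-SECRET
username admin privilege 15 secret REPLACE-WITH-ADMIN-SECRET
!
! AAA: local database here; a central server group would be added as a method
aaa new-model
aaa authentication login default local
!
! SSH version 2 in place of Telnet, with login throttling
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
login block-for 120 attempts 3 within 60
!
! Standard ACL: management access only from the admin subnet (assumed)
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
! Unused services and interfaces off
no cdp run
no ip http server
interface GigabitEthernet0/2
 shutdown
!
! Login banner and remote logging (syslog server address assumed)
banner motd # Authorized access only. Activity is logged. #
service timestamps log datetime msec
logging host 192.168.1.50
logging trap informational
```

With `transport input ssh` on the vty lines, a Telnet attempt is refused, which is the "Error" result recorded in the testing table.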

3.2: Implementing zone-based policy firewalls

The implementation entails establishing security zones, then defining policies that control traffic between these zones based on specific, defined criteria (N’goran et al., 2022).

Figure 3: Creating the Firewall Zones

Figure 4: Identifying Traffic Using a Class-Map

Figure 5: Specifying and Applying Firewall Policies
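
The three steps named in Figures 3 to 5 (create the zones, identify traffic with a class map, specify and apply the policy) as Cisco IOS zone-based policy firewall configuration. This is an added example, not the report's own configuration; the zone, class-map and policy-map names, the interface names and the 192.168.1.0/24 inside subnet are assumptions.

```cisco
! Added example: names, interfaces and subnet are placeholders.
! Step 1: create the security zones
zone security INSIDE
zone security OUTSIDE
!
! Step 2: identify the traffic to inspect with an ACL and a class map
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
class-map type inspect match-all INSIDE-NET-CMAP
 match access-group 101
!
! Step 3: specify the policy. "inspect" tracks sessions so replies are
! allowed back in; everything not matched is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-PMAP
 class type inspect INSIDE-NET-CMAP
  inspect
 class class-default
  drop log
!
! Apply the policy to the INSIDE -> OUTSIDE direction only.
! No OUTSIDE -> INSIDE zone pair exists, so sessions initiated
! from the outside are dropped by default.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PMAP
!
! Assign interfaces to zones
interface GigabitEthernet0/1
 zone-member security INSIDE
interface Serial0/0/0
 zone-member security OUTSIDE
!
! Verification (privileged EXEC):
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```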

3.3: Implementing Intrusion Prevention Systems

IPS systems actively monitor network traffic. They detect malicious code, patterns and signatures and immediately block them or raise an alert about the suspicious activity before it infiltrates the network and harms sensitive data.

Figure 6: Creating an IOS IPS configuration directory in flash, Configuration of the IPS signature storage location, Creating IPS rule.

Figure 7: Configuring IOS IPS to use the signature categories, Applying the IPS rule to an interface and signature modification
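
The steps named in Figures 6 and 7, in order, as Cisco IOS IPS configuration. This is an added example, not the report's own configuration; the directory name, rule name and interface are assumptions, and signature 2004 (ICMP echo request) is chosen only for illustration because the report does not say which signature was modified.

```cisco
! Added example: directory, rule name, interface and signature are assumptions.
! Privileged EXEC: create the IPS configuration directory in flash
mkdir ipsdir
!
configure terminal
! Signature storage location and rule name
ip ips config location flash:ipsdir
ip ips name IOSIPS
! Send IPS events to syslog
ip ips notify log
!
! Retire all signatures, then un-retire only the basic category
! to keep memory use within what the router can handle
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
! (IOS asks for confirmation before accepting the category changes)
!
! Apply the rule to an interface, inspecting outbound traffic
interface GigabitEthernet0/1
 ip ips IOSIPS out
 exit
!
! Modify one signature: un-retire, enable, alert and drop inline
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
!
! Verification (privileged EXEC): show ip ips all
```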

3.4: Enhancing Layer 2 Security

Configuring port security on switches authenticates specific MAC addresses on each port and restrains access by unauthorized devices. Also, implementing VLANs to segregate network segments logically further improves the security boundaries. Layer 2 security can also be strengthened by deploying Network Access Control (NAC) solutions for better control over device access and activity on the network.

Figure 8: Enabling Port Fast on all access ports.

Figure 9: Enabling BPDU guard on all access ports.

Figure 10: Adding switch Port Security

Figure 11: Disabling unused ports
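
The four steps named in Figures 8 to 11, together with the VLAN segmentation described above, as Cisco IOS switch configuration. This is an added example, not the report's own configuration; the port ranges, VLAN numbers and names, and the limit of two MAC addresses per port are assumptions.

```cisco
! Added example: port ranges, VLAN IDs and MAC limit are placeholders.
vlan 10
 name STAFF
vlan 999
 name UNUSED
!
! Access ports in use
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 ! PortFast: skip listening/learning on ports that face end hosts
 spanning-tree portfast
 ! BPDU guard: err-disable the port if a switch is plugged in
 spanning-tree bpduguard enable
 ! Port security: learn up to two MAC addresses, keep them in the
 ! running configuration, and shut the port on any other source MAC
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Unused ports: parked in an unused VLAN and administratively down
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification (privileged EXEC):
!   show port-security
!   show port-security interface FastEthernet0/1
!   show spanning-tree summary
```

A port shut down by a port-security or BPDU guard violation stays err-disabled until an administrator issues `shutdown` followed by `no shutdown` on it.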

3.5: Implementing Virtual Private Networks

As described by Nyakomitta et al. (2020), VPNs allow secure communication and access to resources only for authorized users and devices, as if they were in the same location.
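
One way to build the Manchester to Cambridge tunnel, shown as Cisco IOS configuration for the Manchester router. This is an added example, not the report's own configuration: it assumes a site-to-site IPsec VPN with a pre-shared key, which the report does not specify, and the subnets, peer address, key, names and interface are placeholders.

```cisco
! Added example, Manchester side. Cambridge mirrors it with the ACL
! source/destination swapped and the peer set to Manchester's address.
!
! Interesting traffic: Manchester LAN to Cambridge LAN (subnets assumed)
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! IKE phase 1 policy; both peers must have a matching policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 ! use a stronger group such as 14 where the platform supports it
 group 5
 lifetime 3600
crypto isakmp key REPLACE-WITH-SHARED-KEY address 203.0.113.2
!
! IKE phase 2: ESP with AES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
! Bind peer, transform set and interesting traffic together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-SET
 match address 110
!
! Apply on the internet-facing interface
interface Serial0/0/0
 crypto map VPN-MAP
!
! Because this router also performs dynamic NAT, the NAT ACL must deny
! the same LAN-to-LAN traffic so it is encrypted instead of translated.
!
! Verification (privileged EXEC):
!   show crypto isakmp sa
!   show crypto ipsec sa
```

The encapsulated and decapsulated packet counters in `show crypto ipsec sa` should rise only for traffic matching access list 110; traffic to other destinations leaves unencrypted.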

Testing and Verification

The testing involves verification of the implemented security plans.

| What | Where | Command/Test | Result | Comments |
|---|---|---|---|---|
| Secure administrative access | Manchester router | Check the connectivity of SSH from authorized user | Successful connection | The SSH service (version 2) is enabled and can only be accessed through the correct credentials. |
| | | Telnet connection attempt | Error | The Telnet connection has been disabled to prevent unsafe access. |
| | | Review ACLs | The ACLs have been rightly configured for the purpose of controlling flow of traffic between interfaces. | Confirmed that only allowed traffic is allowed to flow between network segments. |
| | | Password Settings | Encrypted and strong passwords. | Complex passwords that are hard to guess have been set and are needed for privileged access. |
| Zone based policy firewalls | At the Manchester firewall | Check connectivity between authorized devices within the permitted zones. | Successful connection | Firewall rules are permitting communication between the allowed zones. |
| | | Ping requests from unauthorized zones and devices | Request denied | The firewall blocks unauthorized traffic between zones. |
| | | Check logs for denied connections or dropped packets. | Presence of log entries from blocked traffic attempts | Firewall monitoring for suspicious activities. |
| Layer 2 Security | DMZ switch | Check for configuration of port security on access ports. | Port security settings enforced | Only the authorized devices can connect to the selected ports. |
| | | Test unauthorized connection of devices to the secured ports. | Denied connection. | The port security blocks attempts at unauthorized access. |
| | | Test VLAN communications with authorized devices | Successful connection | Segmented VLANs control traffic and restrict unauthorized access. |
| Secure Communication from VPNs | Manchester and Cambridge users | Test for VPN connectivity | Successful pings | VPN allows secure remote access |
| | | Data transfer between tunnels | Successful | Data transferred between the VPN tunnels is encrypted and safe. |
| | | Try unauthorized access to resources which are beyond the authorized endpoints | Access denied | The VPN restricts unauthorized access within the network. |

Conclusion

This security analysis and design plan offers a comprehensive overview of Callister Inc.'s roadmap to attaining sustainable network security. Implementing the recommendations and appropriately testing the solutions' efficacy will result in substantially lower security risks while safeguarding the company's valuable data assets. Furthermore, ongoing security awareness training is key to organizational success, along with occasional employee vulnerability assessments for proper posture maintenance. Adopting a proactive strategy to network security will secure Callister Inc.'s long-term success and sustainably protect the company against evolving cyber risks.

References List

Aslan, Ö., Aktuğ, S.S., Ozkan-Okay, M., Yilmaz, A.A. and Akin, E., 2023. A comprehensive review of cyber security vulnerabilities, threats, attacks, and solutions. Electronics, 12(6), p.1333. https://doi.org/10.3390/electronics12061333

N’goran, R., Tetchueng, J.L., Pandry, G., Kermarrec, Y. and Asseu, O., 2022. Trust Assessment Model Based on a Zero Trust Strategy in a Community Cloud Environment. Engineering, 14(11), pp.479-496.

Nyakomitta, P.S. and Abeka, S.O., 2020. Security investigation on remote access methods of virtual private network. Global journal of computer science and technology, 20.

Rizvi, S., Pipetti, R., McIntyre, N., Todd, J. and Williams, I., 2020. Threat model for securing internet of things (IoT) network at device-level. Internet of Things, 11, p.100240. https://doi.org/10.1016/j.iot.2020.100240
