Network Security Assignment: Implementation of ASA, IPS & VPN For Finance Solutions Pvt Ltd
Question
Task:
Introduction
This is an individual network security assignment. This task is weighted at 70% of the overall grade.
For this coursework, you are required to implement network security. You must reflect on/validate the network security services and produce an associated 3000-word report. You need to complete this assignment as an individual. Please provide a detailed walk-through snippet of the secure network and services. The quality of the walk-through snippet will influence the weighting of assignment marks.
Assume that you are working as a Network Security Engineer at Finance Solutions Pvt. Ltd in London. You have been asked to implement and test the network security of Finance Solutions Company. The network topology of Finance Solutions is given below:
Finance Solutions Network Topology
Your main task is to design and implement network security with a direct link to the Internet/Wide Area Network (WAN) in a series of Block Tasks. You should be able to design and implement a Site-to-Site VPN Tunnel, ASA Firewall and IOS-based Intrusion Prevention System (IPS) along with basic device hardening to secure the organisation's Local Area Network (LAN) using an appropriate network simulation environment. The organisational network enables integration with IPSec VPN, which allows strong encryption to ensure confidentiality and integrity. The network and security services can be designed using well-known network simulators.
Assignment Tasks:
Your work must be presented in the form of a Project Report and be no longer than 3000 words (excl. references, figures, tables and appendices) plus a facing page that includes the executive summary.
Portfolio Task(s):
Block A: Network Architecture and Communication [30 marks]
1. Implement basic device hardening with the following services fully running and functional: DHCP Server, DNS Server, Web Server and Syslog Server.
2. Allocate and distribute the IP addresses to network and end devices according to the given design, both by static configuration and by dynamic configuration via the DHCP server.
3. Implement and configure Dynamic Routing using the RIPv2 protocol to demonstrate effective routing on the WAN network between the internal and external sites.
4. Configure appropriate VLAN trunking for multiple VLANs to segment the traffic into separate broadcast domains for security reasons.
5. Design and implement fully functional inter-VLAN routing using the IEEE 802.1X encapsulation standard to demonstrate connectivity between business sites.
Block B: Secure Operations and Service Delivery [30 marks]
1. Configure ACL and firewall on the ASA device to implement the Security Policy to restrict the network access according to the organisation policy. (Reasonable assumptions can be made).
2. Implement and configure a Site-to-Site IPsec VPN to comprehensively encrypt the traffic travelling over WAN network between internal and external site network. Evidence must be provided on how the VPN Tunnel provides the integrity and confidentiality for the IP packets traversing in and out of network.
3. Implement an IOS-based Network Intrusion Prevention System (IPS) and test its efficiency in your deployment to secure the internal network.
Block C: Research & Development [40 marks]
1. Zero Trust is a network security model, based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data. At the same time, it protects those applications and users from advanced threats on the Internet. Considering the context of the case study and the practical implementation of Blocks A and B, please discuss and critically analyse the Zero Trust Network Security Model. You should refer to your security implementation in the given network for the sake of discussion and back up your findings with credible references to demonstrate critical research on the topic.
2. With reference to the case study, critically discuss how IPSec VPN can be used to achieve security. Identify the level of reliability and critically discuss the cryptographic mechanism of IPSec.
Answer
1. Executive Summary
Network security is the set of configurations and rules designed to protect the confidentiality, integrity and availability of a network. This network security assignment focuses on implementing and testing the network security of Finance Solutions Pvt Ltd. The main objective of the report is to design and implement network security for a site with a direct link to a wide area network, so every device in the Finance Solutions network is configured with appropriate security controls. The report shows the design and implementation of a site-to-site IPsec VPN tunnel that protects traffic between the two sites as it crosses the WAN, the configuration of the ASA firewall and an IOS-based intrusion prevention system, and the basic device hardening that secures the organisation's local area network. Finally, the report also demonstrates the configuration of the DNS, DHCP, syslog and web servers that deliver the organisation's network services.
2. Block A: Architecture and Communication
Figure: Network Diagram of Finance Solutions Pvt, Ltd.
2.1 Configure IP connectivity and device hardening
To ensure connectivity between all devices, IP connectivity and basic device hardening are configured on every networking device. The IP configuration allows the devices to address each other and exchange packets (Tschofenig and Baccelli 2019), so the devices of the organisation can communicate with each other. Basic device hardening is the procedure of reducing a device's exposure to attack by turning off non-essential services, patching known vulnerabilities, and applying appropriate security controls such as disabling unused ports, restricting file permissions and enforcing password management (Nguyen, Palani and Nicol 2019). In this project, the networking devices are protected with passwords, which is the first step of device hardening; hardening then adds further layers of control, reduces the attack surface, and removes unneeded programs and services. The benefits of device hardening are:
• Hardening removes unused services and software, so the device has fewer listening ports and less code for an attacker to target, and fewer background processes competing for memory and CPU (Waheed and Ali 2018).
• Removing unneeded software and files eliminates entry points that would otherwise have to be monitored and patched.
• Hardening adds layers of control, such as authenticated and encrypted management access and logging, that protect both users and servers.
Figure 1: IP configuration of internal site router
The above screenshot shows the IP configuration of the internal site router. Note that the appendix listing gives this router's FastEthernet0/0 address as 192.168.70.8/28, the same address the ASA listing assigns to its outside interface; two devices cannot share one address on the same /28, so the screenshot should be checked against the listings and the stale one corrected.
Figure 2: IP configuration of Router 1
The above screenshot shows the IP configuration of router 1.
Figure 3: IP configuration of External site router
The above screenshot shows the IP configuration of external site router.
Figure 4: IP configuration of internal site PC
The above screenshot shows the IP configuration of internal site PC.
Figure 5: IP configuration of external site PC
The above screenshot shows the IP configuration of external site PC.
Figure 6: Device hardening in Router1
The above screenshot shows that Router1 is configured with a password to restrict access to the device. The site router listings in the appendix, however, still show no service password-encryption, no enable secret, and login on the vty lines without any password set (IOS then refuses remote logins outright, so the routers cannot be managed remotely at all). The same hardening should be applied to them: an enable secret, service password-encryption, a local user with login local on the vty lines, and transport input ssh so that management traffic is encrypted.
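As an added check (example code written for this edit, not part of the report and not Cisco code), the following Python script audits a saved running-config for the hardening controls discussed above. The first sample is an excerpt of the internal site router listing from the appendix with IOS indentation restored; the hardened sample is constructed, its secrets are redacted, and the syslog server address 192.168.30.20 is assumed.

```python
"""Hardening audit of an IOS running-config (added example, not from the report).

Checks the controls the report lists as device hardening: a privileged-mode secret,
password encryption, timestamped logging to a syslog host, and SSH-only, authenticated,
access-restricted vty lines.
"""
import re
from typing import Callable, Dict, List, Tuple


def vty_block(cfg: str) -> str:
    """Return the 'line vty' section(s): the header plus the indented lines under it."""
    out, inside = [], False
    for line in cfg.splitlines():
        if line.startswith("line vty"):
            inside = True
            out.append(line)
        elif inside and line and line[0].isspace():
            out.append(line)
        else:
            inside = False
    return "\n".join(out)


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.M) is not None


# (control name, predicate over the whole config text)
CHECKS: List[Tuple[str, Callable[[str], bool]]] = [
    ("enable secret set",            lambda c: _has(r"^enable secret ", c)),
    ("service password-encryption",  lambda c: _has(r"^service password-encryption", c)),
    ("log timestamps enabled",       lambda c: not _has(r"^no service timestamps log", c)),
    ("syslog host configured",       lambda c: _has(r"^logging (host )?\d", c)),
    ("ssh version 2",                lambda c: _has(r"^ip ssh version 2", c)),
    ("vty: ssh only",                lambda c: _has(r"^\s*transport input ssh$", vty_block(c))),
    ("vty: local or aaa login",      lambda c: _has(r"^\s*login (local|authentication)", vty_block(c))),
    ("vty: exec-timeout set",        lambda c: _has(r"^\s*exec-timeout", vty_block(c))),
    ("vty: access-class applied",    lambda c: _has(r"^\s*access-class", vty_block(c))),
]


def audit(cfg: str) -> Dict[str, bool]:
    """Map each control name to True (present) or False (missing)."""
    return {name: check(cfg) for name, check in CHECKS}


def failures(cfg: str) -> List[str]:
    """Names of the controls that are missing from cfg."""
    return [name for name, ok in audit(cfg).items() if not ok]


# Excerpt of the internal site router listing from the appendix (indentation restored).
APPENDIX_EXCERPT = """\
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
interface FastEthernet0/0
 ip address 192.168.70.8 255.255.255.240
!
line con 0
line aux 0
line vty 0 4
 login
!
end
"""

# Constructed hardened version: hashes redacted, syslog address 192.168.30.20 assumed.
HARDENED = """\
version 12.4
service timestamps log datetime msec
service password-encryption
!
hostname FS-INT-RTR
enable secret <hash redacted>
username netadmin privilege 15 secret <hash redacted>
ip ssh version 2
logging host 192.168.30.20
access-list 10 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("appendix listing", APPENDIX_EXCERPT), ("hardened", HARDENED)):
        print(label, "missing:", failures(cfg) or "nothing")
```

Run against the appendix excerpt every check fails; against the hardened sample none do. The same checks can be pointed at the external site router and Router1 listings as they are exported from the simulator.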
2.2 Configure servers DHCP, DNS, WEB, SYS-Log.
Dynamic Host Configuration Protocol (DHCP) is a network management protocol that automates the configuration of hosts with an IP address, subnet mask, default gateway and DNS server drawn from a reusable pool; the DHCP server leases an address to each client (Shan and Liao 2016). The DNS server translates domain names into the IP addresses that hosts actually route to, so DNS configuration is essential because clients cannot reach a service by name without it. The web server delivers content and services to end users over HTTP. The syslog server collects log messages sent over the network by the routers, switches and the ASA, so that events from all devices can be monitored in one place (Miao et al. 2019). Therefore the DHCP, DNS, web and syslog servers are all configured in the network.
Figure 7: DHCP configuration on PC0
Figure 8: DHCP configuration in site admin PC
The two figures above show the DHCP configuration on the organisation's internal network. Both PCs of the Finance Solutions internal network obtain their addresses via DHCP. To configure DHCP, a pool has been created on the ASA firewall containing the addresses to be assigned to inside hosts. The following command has been used to assign the addresses automatically:
Figure 9: command used for DHCP configuration
After the dhcpd address range is defined and dhcpd enable inside is issued, every host on the inside interface is assigned an address automatically. One detail to check: the appendix shows dhcpd dns 192.168.30.10, so DHCP clients are told to use a DNS server on the inside subnet, whereas the DNS server defined on the ASA is the DMZ host 192.168.50.2; the dhcpd dns value should point at the server that actually answers queries.
Figure 10: DMZ DNS server IP configuration
The above figure shows the IP configuration of the DMZ DNS server.
Figure 11: DMZ web server IP configuration
The above figure shows the IP configuration of the DMZ web server.
Figure 12: NAT configuration for DMZ DNS and Web server (step 1)
Figure 13: NAT configuration for DMZ DNS and Web server (step 2)
The figures above show the DMZ DNS and web server configuration; both servers are configured with static addresses. NAT has been configured on the ASA by naming the inside, DMZ and outside interfaces and then defining network objects for the DMZ servers and the inside subnet (Natali, Fajrillah and Diansyah 2016). Static NAT publishes each DMZ server on a fixed outside address so that external hosts can reach it, while dynamic NAT to the outside interface address hides the inside subnet behind a single address. NAT by itself is not an access control: the control comes from the access list applied to the outside interface and from the interface security levels, and NAT only determines which internal addresses are reachable from outside at all. Two details in the appendix listing should be verified before the configuration is considered working. First, the object dmz-dns-server (192.168.50.2) is mapped to 192.168.70.21 and dmz-web-server (192.168.50.3) to 192.168.70.22, while the access list permits www to .21 and domain to .22, so the mappings and the rules are swapped. Second, on ASA 8.3 and later (the listing is 8.4(2)) interface access lists are matched against the real, untranslated address, so the rules should name the 192.168.50.x hosts rather than the mapped addresses.
Figure 14: SYSLOG server IP configuration
Figure 15: Logs in SYSLOG server
The figure shows that the syslog server receives log messages from 192.168.30.1, the inside interface of the ASA.
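To make the collected logs useful for monitoring, the added Python example below (not code from the report) parses Cisco-format syslog records and flags those a security team should review: warning severity or worse, configuration changes, failed logins and IPS signature hits. The sample records are constructed; the source addresses 192.168.30.1 (ASA inside interface) and 192.168.70.1 (internal site router serial interface) are taken from the appendix.

```python
"""Parse Cisco-style syslog records and flag the ones worth a look.

Added example, not code from the report. Sample records are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 3164 priority: <facility*8 + severity>
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# Cisco body: %FACILITY-SEVERITY-MNEMONIC: text (the ASA uses a numeric message id as the mnemonic)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debugging"]

# Flagged regardless of severity: configuration changes, failed logins, IPS signature hits.
WATCHED = {("SYS", "CONFIG_I"), ("SEC_LOGIN", "LOGIN_FAILED"), ("IPS", "SIGNATURE")}


def parse_record(line: str, source: Optional[str] = None) -> Optional[Dict]:
    """Split one record into fields; None if it is not in Cisco %FAC-SEV-MNEMONIC form."""
    m = PRI_RE.match(line)
    pri = int(m.group("pri")) if m else None
    body = line[m.end():] if m else line
    msg = MSG_RE.search(body)
    if msg is None:
        return None
    sev = int(msg.group("severity"))
    return {
        "source": source,
        "syslog_facility": None if pri is None else pri // 8,
        "syslog_severity": None if pri is None else pri % 8,
        "facility": msg.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "mnemonic": msg.group("mnemonic"),
        "text": msg.group("text").strip(),
    }


def needs_attention(rec: Dict) -> bool:
    """Warning (4) or worse, or one of the watched mnemonics."""
    return rec["severity"] <= 4 or (rec["facility"], rec["mnemonic"]) in WATCHED


def triage(records: List[Tuple[str, str]]) -> List[Dict]:
    """records: (source address, raw line). Returns the parsed records worth reviewing."""
    flagged = []
    for source, line in records:
        rec = parse_record(line, source)
        if rec is not None and needs_attention(rec):
            flagged.append(rec)
    return flagged


# Constructed sample records; only the source addresses come from the report's appendix.
SAMPLE_RECORDS = [
    ("192.168.30.1", '<166>%ASA-6-302013: Built inbound TCP connection 11 for '
                     'outside:192.168.40.10/51234 (192.168.40.10/51234) to dmz:192.168.50.3/80 (192.168.70.21/80)'),
    ("192.168.30.1", '<164>%ASA-4-106023: Deny tcp src outside:192.168.40.10/51235 '
                     'dst dmz:192.168.50.3/21 by access-group "OUTSIDE-TO-DMZ"'),
    ("192.168.70.1", '<189>12: *Mar  1 00:05:11.223: %SYS-5-CONFIG_I: Configured from console by console'),
    ("192.168.70.1", '<188>13: *Mar  1 00:06:02.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed '
                     '[user: admin] [Source: 192.168.40.10] [localport: 22] [Reason: Login Authentication Failed]'),
    ("192.168.70.1", '<188>14: *Mar  1 00:07:30.410: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 '
                     'ICMP Echo Request [192.168.40.10:8 -> 192.168.30.25:0] RiskRating:25'),
    ("192.168.70.1", 'not a cisco message at all'),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS):
        print("%-13s %-13s %s-%s: %s" % (rec["source"], rec["severity_name"],
                                         rec["facility"], rec["mnemonic"], rec["text"][:60]))
```

Of the six constructed records, four are flagged: the ASA deny, the configuration change (notice severity, but watched), the failed SSH login and the IPS signature hit; the connection-built message and the non-Cisco line are not. For this to work on a real deployment the routers need logging host pointed at the syslog server and timestamps enabled, which the appendix listings currently turn off.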
2.3 Configure Dynamic Routing (RIPV2) and Inter-VLAN Routing/Trunking
Dynamic routing: dynamic routing is the procedure by which routers exchange reachability information and update their routing tables automatically when the topology changes, instead of relying on manually entered static routes (Alabady, Hazim and Amer 2018). RIP version 2 has been configured on each router so that the internal site, Router 1 and the external site learn each other's networks and can re-route if a link fails. The following commands have been used to configure dynamic routing:
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network <classful network address>
R1(config-router)# exit
R1(config)# exit
Figure 16: Dynamic Routing configuration on internal site router
Figure 17: Dynamic routing configuration on Router 1
Figure 18: Dynamic routing configuration on the external site router
Inter-VLAN routing/trunking: inter-VLAN routing is the forwarding of packets between VLANs by a Layer 3 device, since each VLAN is a separate broadcast domain and subnet. VLAN trunking carries several VLANs over one link between switches, or from a switch to a router or firewall, by tagging each frame with its VLAN ID using IEEE 802.1Q. The figure below shows inter-VLAN routing in operation:
Figure 19: Pinging from PC0 to DMZ DNS server
Inter-VLAN routing has been configured on the ASA firewall, whose inside (VLAN 1), outside (VLAN 2) and DMZ (VLAN 3) interfaces each terminate one VLAN. Therefore PC0 on the inside VLAN can ping the DMZ DNS server: the ASA routes the packet from the inside VLAN to the DMZ VLAN, subject to the interface security levels and access lists.
3. Block B: Secure Operations and Service Delivery
3.1 Implement ACL and Firewall on ASA device
An access control list (ACL) provides a basic level of traffic filtering. An ACL matches packets against an ordered list of rules, each of which permits or denies traffic by source, destination, protocol and port, with an implicit deny at the end. The packet filtering performed by an ACL limits which traffic may enter or leave a network segment and which devices or users can reach a service (Lin et al. 2018). As a result, an ACL reduces exposure to spoofed and denial-of-service traffic from unexpected sources and admits only the flows the policy permits, although it cannot authenticate users by itself. In this project, the access control list has been implemented on the ASA device.
Figure 20: ACL configuration on the ASA device
In this project, a firewall policy is also implemented on the ASA to secure the internal network. The ASA is a stateful firewall: it tracks connections, so the return traffic of a permitted outbound session is allowed back in without a separate rule, and the interface security levels (inside 100, DMZ 70, outside 2 in the appendix listing) permit traffic from a higher to a lower level by default while blocking the reverse direction unless an access list allows it. Packet filtering admits the flows of legitimate users and blocks the packets that match the deny rules; the inspection policy (DNS, FTP, HTTP and ICMP inspection in the listing) additionally checks that the protocol content is well-formed. In this project, the firewall connects the organisation's internal network, the DMZ and the outside network.
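Because the outcome of an ACL depends on wildcard-mask semantics that are easy to get wrong, the added Python example below (not code from the report and not Cisco code) implements IOS extended-ACL matching with the implicit deny and evaluates the appendix's access-list 100, which the crypto map uses as its match address selector. The hosts used as test traffic and the ACL_100_FIXED entry (assuming the intent was to cover the whole 192.168.70.0/28 that the interface mask implies) are assumptions.

```python
"""Evaluate Cisco IOS ACL entries with wildcard masks against sample traffic.

Added example, not code from the report or from Cisco. ACL_100 is copied from
the report's appendix; the test hosts and ACL_100_FIXED are assumed.
"""
import ipaddress
from typing import List, Tuple

Side = Tuple[str, str]   # (base address, wildcard mask)


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    The 0 bits need not be contiguous, so 0.0.0.248 is legal but unusual."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_entry(line: str):
    """Parse 'access-list N permit|deny PROTO SRC DST'. SRC/DST may be 'any',
    'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'. Returns (action, proto, src, dst)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        raise ValueError("not an extended access-list entry: " + line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    sides: List[Side] = []
    while len(sides) < 2:
        if rest[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            sides.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            sides.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, proto, sides[0], sides[1]


def evaluate(acl: List[str], src: str, dst: str, proto: str = "ip") -> str:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for line in acl:
        action, p, (sb, sw), (db, dw) = parse_entry(line)
        if p != "ip" and p != proto:
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def matched_last_octets(base: str, wildcard: str) -> List[int]:
    """Last-octet values a base/wildcard pair accepts (first three octets held fixed)."""
    prefix = base.rsplit(".", 1)[0]
    return [i for i in range(256) if wildcard_match("%s.%d" % (prefix, i), base, wildcard)]


# Crypto ACL exactly as listed in the report's appendix.
ACL_100 = ["access-list 100 permit ip 192.168.70.7 0.0.0.248 192.168.40.0 0.0.0.255"]
# Assumed correction: select the whole 192.168.70.0/28 behind the internal router.
ACL_100_FIXED = ["access-list 100 permit ip 192.168.70.0 0.0.0.15 192.168.40.0 0.0.0.255"]

if __name__ == "__main__":
    for src in ("192.168.70.7", "192.168.70.8", "192.168.70.15"):
        print(src, "as listed:", evaluate(ACL_100, src, "192.168.40.10"),
              "| fixed:", evaluate(ACL_100_FIXED, src, "192.168.40.10"))
    print("0.0.0.248 accepts last octets:", matched_last_octets("192.168.70.7", "0.0.0.248"))
```

The wildcard 0.0.0.248 cares only about the low three bits of the last octet, so the listed ACL selects 192.168.70.7, .15, .23 and so on up to .255 (32 addresses) and does not select 192.168.70.8, the address the internal router's FastEthernet0/0 carries in the appendix. Traffic from hosts the crypto ACL does not match is sent in the clear rather than through the tunnel, which is why the selector deserves this check.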
Figure 21: ASA Firewall Configuration
Figure 22: ASA Firewall Configuration
Figure 23: ASA firewall configuration
3.2 Implement Site-To-Site IPSec VPN
In the proposed network design, a site-to-site IPsec VPN has been implemented to build a secure connection between two routers across a public network. Employees at the two sites can then communicate over the WAN without their traffic being readable or modifiable in transit (Nurkahfi et al. 2019). The VPN tunnel also provides a secure way to transfer data between the organisation's branches and users. In this network, the tunnel has been created between the internal site router and the external site router so that devices on the two sites can communicate securely. The configuration uses ISAKMP policy 100 (AES-256, pre-shared key authentication, Diffie-Hellman group 5) for phase 1 and the transform set MOSTSECURE (ESP with AES-256 and SHA-1 HMAC) for phase 2, with crypto ACL 100 selecting the traffic to protect. Three points in the appendix need verifying. The two router listings are identical, including hostname, interface addresses and the peer address 192.168.70.6, which is neither router's own address, so the external-site listing does not show the peer side of the tunnel. Neither listing applies the crypto map to an interface (there is no crypto map PT-IPSEC line under Serial0/0/0), and without that step no traffic is encrypted. Finally, the pre-shared key samekey, the 60-second ISAKMP lifetime, the 120-second SA lifetime and DH group 5 are lab values; production use needs a long random key, normal lifetimes and group 14 or higher.
Figure 24: Site to site VPN configuration on internal site router
Figure 25: Site to Site VPN configuration on the internal site router
Figure 26: Site to site VPN configuration on external site router
Figure 27: Site to site VPN configuration on external site router
3.3 NIPS implementation and testing
A network intrusion prevention system (NIPS) is a network security function that continuously monitors traffic and analyses protocol activity to detect and block suspicious activity inline. Implementing a NIPS protects the organisation's network from known exploits, worms and denial-of-service patterns that a stateless packet filter would pass. In this project, IOS IPS has been configured on the internal site router: the appendix listing defines the IPS rule iosips, retires all signatures except the ios_ips basic category, and applies the rule outbound on FastEthernet0/0, the interface facing the ASA, so that traffic arriving from the WAN is inspected before it reaches the internal network.
Figure 28: IOS IPS configuration on the internal site router
Figure 29: Testing of IOS IPS configuration on the internal site router
4. Research & Development
4.1 Zero Trust Network Security Framework
According to Eidle et al. (2017), Zero Trust is a strategic initiative in cybersecurity that prevents successful data breaches by removing the assumption that anything inside the organisation's network can be trusted. A Zero Trust architecture protects the network by preventing lateral movement, leveraging network segmentation, applying granular user-access control, and providing Layer 7 threat prevention. To develop a Zero Trust architecture for Finance Solutions it is first necessary to identify the 'protect surface': the network's most valuable and critical services, applications, assets and data. Having identified it, the organisation can map how traffic moves to and from it, which users access it, and which devices and applications are involved. Understanding these interdependencies between users, services and infrastructure lets the organisation place controls as close to the protected assets as possible. Measured against this model, the implementation in Blocks A and B is still perimeter-based: the ASA trusts the inside VLAN by virtue of its security level of 100, the DMZ servers are reachable from inside without further checks, and the VPN authenticates the peer router, not the individual users behind it. Zero Trust would add per-user and per-device authentication (for example IEEE 802.1X at the access switches), authorisation of each flow regardless of its source VLAN, and logging of every access decision to the syslog server.
As de Weever and Andreou (2020) note, Zero Trust is an effective way to control access to networks, data and applications. It combines a broad range of prevention techniques, including least-privilege controls, endpoint security, micro-segmentation and identity verification, to limit access to the network. By restricting user access and segmenting the network, the organisation reduces both the likelihood of a data breach and the damage one can cause.
4.2 Overview of VPN reliability
To an average user the mechanism of a virtual private network may seem opaque: it creates a private tunnel between the client and a server that is located somewhere else. Several properties of VPN services contribute to their reliability and their benefits. For remote-access and consumer use, a VPN lets users reach content that is blocked for their location, presents the VPN server's address rather than the user's own to the destination, and keeps the user's traffic private across an untrusted access network (Panola, Yadi and Suryayusra 2019). The remote user connects to the VPN over whatever Internet access is available, historically dial-up through an ISP and today typically cable, DSL, fibre or mobile broadband.
Figure: VPN Connection
(Source: Kurniawan et al. 2019)
A remote site connects to a VPN gateway or to its own VPN server, and that single device can fail. Most organisations therefore deploy a more robust VPN gateway at the headquarters and, to maintain reliability, use load balancing, clustering or a hot-standby pair so that if one device fails a second device takes over the tunnels. VPN services are also widely available and affordable, so most organisations can make use of them.
By implementing the site-to-site VPN, Finance Solutions protects the privacy of its inter-site traffic and raises its security on the Internet, and employees at the two sites can communicate with each other securely.
4.3 Cryptographic mechanism of IPSec
IPsec (Internet Protocol Security) is a framework for securing the connection between two points and is what most VPNs use. The framework is relatively complex, but it offers options that make it suitable for securing connections in specific situations (Babu, Raju and Prasad 2016). IPsec is an open standard that works at the network layer and is used to secure traffic network-to-network, host-to-host, or between a host and a network. It has two modes of operation: transport mode and tunnel mode. In transport mode the original IP header is kept and only the payload is protected, with the source and destination hosts themselves performing the cryptographic operations; this is the mode used when IPsec protects an L2TP tunnel for remote access. In tunnel mode, which the site-to-site VPN in this report uses, the whole original IP packet is encrypted and encapsulated in a new IP header addressed between the two gateways.
Figure: IPsec tunnel
(Source: Shan and Liao 2016)
The ciphertext produced by the sending end is recovered by the receiving end, giving security between the two endpoints of the association (the two routers in this case). The key element of the framework is the security association (SA), a one-way agreement on algorithms and keys; the Security Parameter Index (SPI) carried in the Authentication Header (AH) or Encapsulating Security Payload (ESP) header indicates which SA applies to a given packet (Lipp, Blanchet and Bhargavan 2019). The SA is identified by the SPI together with the destination IP address and the protocol (AH or ESP), where the destination may be a router, firewall or end host. AH authenticates the whole packet including the outer header but does not encrypt; ESP, used in this report's transform set, encrypts the payload and authenticates it with an HMAC (SHA-1 here), and carries a sequence number that the receiver uses to reject replayed packets. SAs are stored in the Security Association Database (SAD), and the Security Policy Database (SPD) holds the policies that decide whether a packet is protected, passed in the clear or dropped; on the IOS routers, the crypto ACL matched by the crypto map plays the role of the SPD entry. The keys in the SAs are negotiated by IKE (ISAKMP): in phase 1 the peers authenticate each other with the pre-shared key and set up a protected channel using the configured Diffie-Hellman group, and in phase 2 they agree the ESP transform set and derive the SA keys; the lifetimes configured on the routers determine how often these keys are renewed.
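To give concrete evidence of the confidentiality, integrity and anti-replay properties claimed for the tunnel in section 3.2 and described here, the added Python example below (not code from the report, from Cisco IOS or from any IPsec implementation) models the ESP data path: the SPD selector lookup that plays the role of the crypto ACL, the SAD lookup by SPI and destination, ESP framing with an HMAC-SHA1-96 ICV as in the esp-sha-hmac transform, and the receiver's integrity and replay checks. The peer address 192.168.70.6 and the SHA-1 HMAC are taken from the appendix; the 192.168.70.0/28 to 192.168.40.0/24 selector is an assumption about the crypto ACL's intent; and, because the Python standard library has no AES, the cipher is a SHA-256-derived keystream standing in for AES-CBC, which is enough to show the framing and the checks but is not a secure cipher.

```python
"""IPsec data path in miniature: SPD lookup, SAD lookup, ESP framing, anti-replay.

Added example, not code from the report, Cisco IOS or any RFC implementation.
ASSUMPTION: no AES in the standard library, so keystream() is a SHA-256 counter
stand-in for AES-CBC (esp-aes 256). ICV = HMAC-SHA1 truncated to 96 bits (esp-sha-hmac).
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ICV_LEN = 12          # HMAC-SHA1-96 (RFC 2404)
REPLAY_WINDOW = 64    # RFC 4303 requires at least 32

# --- Security Policy Database: which traffic is protected (the crypto ACL's job) ---
SPD = [  # (source selector, destination selector, action); first match wins
    (ipaddress.ip_network("192.168.70.0/28"), ipaddress.ip_network("192.168.40.0/24"), "protect"),
]


def spd_action(src: str, dst: str) -> str:
    """'protect' for traffic the policy sends into the tunnel, else 'bypass' (sent in clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in SPD:
        if s in src_net and d in dst_net:
            return action
    return "bypass"


# --- Security Association: one direction, identified by (SPI, destination, protocol) ---
@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                     # outbound sequence counter
    highest: int = 0                 # highest sequence number accepted inbound
    seen: Set[int] = field(default_factory=set)


def keystream(sa: SecurityAssociation, seq: int, length: int) -> bytes:
    """Stand-in for the AES cipher: SHA-256 counter mode keyed by enc_key, SPI and seq."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(sa.enc_key + struct.pack(">III", sa.spi, seq, block)).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encap(sa: SecurityAssociation, inner_packet: bytes) -> bytes:
    """Tunnel mode: the whole original IP packet is the payload.
    Wire layout: SPI(4) | Seq(4) | ciphertext | ICV(12); the ICV covers SPI, Seq and ciphertext."""
    sa.seq += 1
    header = struct.pack(">II", sa.spi, sa.seq)
    body = xor_bytes(inner_packet, keystream(sa, sa.seq, len(inner_packet)))
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def esp_decap(sad: Dict[Tuple[int, str], SecurityAssociation], dst: str, packet: bytes) -> bytes:
    """Receiver: look up the SA, verify integrity first, then anti-replay, then decrypt."""
    spi, seq = struct.unpack(">II", packet[:8])
    sa = sad.get((spi, dst))
    if sa is None:
        raise ValueError("no SA for SPI 0x%08x to %s" % (spi, dst))
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet was modified in transit")
    # Replay is checked after the ICV so that a forged packet cannot move the window.
    if seq <= sa.highest - REPLAY_WINDOW or seq in sa.seen:
        raise ValueError("replayed or stale sequence number %d" % seq)
    sa.seen.add(seq)
    sa.highest = max(sa.highest, seq)
    sa.seen = {s for s in sa.seen if s > sa.highest - REPLAY_WINDOW}
    return xor_bytes(body, keystream(sa, seq, len(body)))


def make_sa_pair(spi: int, dst: str):
    """Both ends hold the same keys (IKE would derive them); returns (outbound, inbound)."""
    enc, auth = b"\x11" * 32, b"\x22" * 20   # constructed keys of AES-256 / SHA-1 size
    return (SecurityAssociation(spi, dst, enc, auth), SecurityAssociation(spi, dst, enc, auth))


if __name__ == "__main__":
    out_sa, in_sa = make_sa_pair(0x1000, "192.168.70.6")
    sad = {(0x1000, "192.168.70.6"): in_sa}
    inner = b"IP 192.168.70.8 > 192.168.40.10: constructed inner packet"
    print("policy:", spd_action("192.168.70.8", "192.168.40.10"))
    wire = esp_encap(out_sa, inner)
    print("inner packet visible on the wire?", inner in wire)
    print("decapsulated:", esp_decap(sad, "192.168.70.6", wire))
    tampered = bytearray(wire)
    tampered[12] ^= 0x01
    for name, pkt in (("tampered", bytes(tampered)), ("replayed", wire)):
        try:
            esp_decap(sad, "192.168.70.6", pkt)
        except ValueError as err:
            print(name, "->", err)
```

The run shows the three properties in turn: the inner packet is not readable on the wire (confidentiality), a single flipped ciphertext bit fails the ICV before anything is decrypted (integrity), and re-sending a captured packet is rejected by the sequence-number window (anti-replay). Real ESP also pads the payload, appends a next-header byte and, with AES-CBC, carries an IV; those details are omitted here.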
5. Conclusion and Future Work
The report has helped develop a comprehensive understanding of network security and of the challenges faced while implementing the network of Finance Solutions Pvt Ltd. It has designed the required network for the company and implemented the security controls associated with its wide area network link: a site-to-site IPsec VPN tunnel, an IOS-based IPS and an ASA firewall. It has also demonstrated device hardening to secure the local area network, with the whole network built in the Cisco Packet Tracer simulation environment. The main objective of the implementation is IPsec VPN integration, which supports strong encryption to maintain the integrity and confidentiality of Finance Solutions' traffic across the WAN.
Finally, network security is essential for an organisation that handles sensitive information which must not be tampered with or lost. Finance Solutions Pvt Ltd needs to defend itself against threats that could damage the company's reputation in the market and be very costly to recover from. The network has therefore been secured with the controls described above to create an environment in which users can work securely over the network. In future the network can be extended with wireless access to make it more flexible, by placing wireless access points in appropriate locations; any wireless segment should sit in its own VLAN with authenticated access so that it does not bypass the segmentation established here.
6. References
Alabady, S.A., Hazim, S. and Amer, A., 2018. Performance Evaluation and Comparison of Dynamic Routing Protocols for Suitability and Reliability. International Journal of Grid and Distributed Computing, 11(7), pp.41-52.
Babu, E.S., Raju, C.N. and Prasad, M.H.K., 2016. Inspired Pseudo Biotic DNA based Cryptographic Mechanism against Adaptive Cryptographic Attacks. International Journal of Network Security, 18(2), pp.291-303.
de Weever, C. and Andreou, M., 2020. Zero Trust Network Security Model in containerized environments.
Eidle, D., Ni, S.Y., DeCusatis, C. and Sager, A., 2017, October. Autonomic security for zero trust networks. In 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON) (pp. 288-293). IEEE.
Kurniawan, D.E., Arif, H., Nelmiawati, N., Tohari, A.H. and Fani, M., 2019, March. Implementation and analysis IPsec-VPN on Cisco ASA firewall using GNS3 network simulator. In Journal of Physics: Conference Series (Vol. 1175, No. 1, p. 012031). IOP Publishing.
Lin, H., Yan, Z., Chen, Y. and Zhang, L., 2018. A survey on network security-related data collection technologies. IEEE Access, 6, pp.18345-18365.
Lipp, B., Blanchet, B. and Bhargavan, K., 2019, June. A mechanised cryptographic proof of the WireGuard virtual private network protocol. In 2019 IEEE European Symposium on Security and Privacy (EuroS&P) (pp. 231-246). IEEE.
Miao, C., Wang, J., Ji, T., Wang, H., Xu, C., Li, F. and Ren, F., 2019, October. BDAC: A Behavior-aware Dynamic Adaptive Configuration on DHCP in Wireless LANs. In 2019 IEEE 27th International Conference on Network Protocols (ICNP) (pp. 1-11). IEEE.
Natali, J., Fajrillah, F. and Diansyah, T.M., 2016. Implementasi Static NAT Terhadap Jaringan VLAN Menggunakan IP Dynamic Host Configuration Protocol (DHCP) [Implementation of static NAT on a VLAN network using DHCP]. Jurnal Ilmiah Informatika, 1(1), pp.51-58.
Nguyen, H.H., Palani, K. and Nicol, D.M., 2019, June. Extensions of network reliability analysis. In 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (pp. 88-99). IEEE.
Nurkahfi, G.N., Mitayani, A., Mardiana, V.A. and Dinata, M.M.M., 2019, October. Comparing FlowVisor and Open Virtex as SDN-Based Site-to-Site VPN Services Solution. In 2019 International Conference on Radar, Antenna, Microwave, Electronics, and Telecommunications (ICRAMET) (pp. 142-147). IEEE.
Panola, R.R., Yadi, I.Z. and Suryayusra, S., 2019, February. Perbandingan Reliability OVPN dengan VPN IPSec [Comparing the reliability of OVPN and IPsec VPN]. In Bina Darma Conference on Computer Science (BDCCS) (Vol. 1, No. 2, pp. 307-315).
Shan, Z. and Liao, B., 2016. Design and Implementation of A Network Security Management System. arXiv preprint arXiv:1609.00099.
Tschofenig, H. and Baccelli, E., 2019. Cyberphysical security for the masses: A survey of the internet protocol suite for internet of things security. IEEE Security & Privacy, 17(5), pp.47-57.
Waheed, F. and Ali, M., 2018. Hardening CISCO Devices based on Cryptography and Security Protocols - Part One: Background Theory. Annals of Emerging Technologies in Computing (AETiC), ISSN 2516-0281.
Appendices
Internal Site Router Configuration
Router>en
Router#sh run
Building configuration...
Current configuration : 1486 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname Router
no ip cef
no ipv6 cef
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key samekey address 192.168.70.6
crypto ipsec transform-set MOSTSECURE esp-aes 256 esp-sha-hmac
crypto map PT-IPSEC 1000 ipsec-isakmp
 description Packet Tracer IPSEC Test Crypto Map
 set peer 192.168.70.6
 set pfs group5
 set security-association lifetime seconds 120
 set transform-set MOSTSECURE
 match address 100
ip name-server 0.0.0.0
spanning-tree mode pvst
ip ips config location ipsdir retries 1
ip ips name iosips
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface FastEthernet0/0
 ip address 192.168.70.8 255.255.255.240
 ip ips iosips out
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
interface Serial0/0/0
 ip address 192.168.70.1 255.255.255.252
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
interface Vlan1
 no ip address
 shutdown
router rip
 version 2
 passive-interface FastEthernet0/0
 network 192.168.70.0
ip classless
ip flow-export version 9
access-list 100 permit ip 192.168.70.7 0.0.0.248 192.168.40.0 0.0.0.255
line con 0
line aux 0
line vty 0 4
 login
end
External Site router configuration
Router>en
Router#sh run
Building configuration...
Current configuration : 1486 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname Router
no ip cef
no ipv6 cef
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key samekey address 192.168.70.6
crypto ipsec transform-set MOSTSECURE esp-aes 256 esp-sha-hmac
crypto map PT-IPSEC 1000 ipsec-isakmp
 description Packet Tracer IPSEC Test Crypto Map
 set peer 192.168.70.6
 set pfs group5
 set security-association lifetime seconds 120
 set transform-set MOSTSECURE
 match address 100
ip name-server 0.0.0.0
spanning-tree mode pvst
ip ips config location ipsdir retries 1
ip ips name iosips
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface FastEthernet0/0
 ip address 192.168.70.8 255.255.255.240
 ip ips iosips out
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
interface Serial0/0/0
 ip address 192.168.70.1 255.255.255.252
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
interface Vlan1
 no ip address
 shutdown
router rip
 version 2
 passive-interface FastEthernet0/0
 network 192.168.70.0
ip classless
ip flow-export version 9
access-list 100 permit ip 192.168.70.7 0.0.0.248 192.168.40.0 0.0.0.255
line con 0
line aux 0
line vty 0 4
 login
end
ASA firewall configuration
ASA Version 8.4(2)
hostname ciscoasa
domain-name theccna.com
names
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 2
 ip address 192.168.70.8 255.255.255.240
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.50.1 255.255.255.0
object network dmz-dns-server
 host 192.168.50.2
object network dmz-web-server
 host 192.168.50.3
object network inside-nat
 subnet 192.168.30.0 255.255.255.0
access-list OUTSIDE-TO-DMZ extended permit tcp any host 192.168.70.21 eq www
access-list OUT SIDE-TO-DMZ extended permit tcp any host 192.168.70.22 eq domain
access-list OUTSIDE-TO-DMZ extended permit udp any host 192.168.70.22 eq domain
access-list OUTSIDE-TO-DMZ extended permit tcp host 192.168.40.1 host 192.168.70.21 eq ftp
access-group OUTSIDE-TO-DMZ in interface outside
object network dmz-dns-server
 nat (dmz,outside) static 192.168.70.21
object network dmz-web-server
 nat (dmz,outside) static 192.168.70.22
object network inside-nat
 nat (inside,outside) dynamic interface
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
service-policy global_policy global
ssh timeout 5
dhcpd dns 192.168.30.10
dhcpd option 3 ip 192.168.30.1
dhcpd address 192.168.30.25-192.168.30.35 inside
dhcpd enable inside