Router Security Technology Group Assignment

(cover page)
Table of Contents
Part 1: Marking Table
Part 2: Gantt Chart
Part 3: Detailed work breakdown structure
Part 4: Introduction
Part 5: Chapters/Sections (Recommendations & Network Configurations)
Firewall
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Part 6: Documentation of the configured device
Part 7: Recommendations
Part 8: Conclusion
Part 9: References
Part 10: Contribution of each member
Part 11: Appendices
Part 1: Marking Table

Number  Group member's name          TP Number
1       Tan Sim Yi                   TP055707
2       Tan Long Sen                 TP051126
3       Pranav Haran Harichandran    TP052468
4       Avinash Dashwin Bargavan     TP058302

Part 2: Gantt Chart


Part 3: Detailed work breakdown structure

Task 1 (Sim Yi): Client workstations (Sales, Engineering and Finance) must be able to access the web server at the DMZ over HTTP and HTTPS. The web server should be reachable from the external clients over HTTP and HTTPS only. (Solution and configuration.)

Task 2 (Sim Yi): Clients should also be able to put and get files via FTP to the same server. The company requires implementing FTP with a username and password for each transaction. (Solution and configuration.)

Task 3 (Pranav Haran): Engineering and IT workstations must be able to access the Internet (to reach APIIT Sri Lanka) over HTTP and HTTPS with DNS. No other protocol access is allowed to the Internet. (Solution and configuration.)

Task 4 (Pranav Haran): Client workstations must be able to check their e-mail on the e-mail server at the DMZ. (Solution and configuration.)

Task 5 (Sim Yi): No client from the sales, engineering and finance departments is able to access clients in the other departments. (Solution and configuration.)

Task 6 (Dashwin): Layer two security is a requirement in the APU main campus at Kuala Lumpur and the APIIT (Sri Lanka) LAN. (Solution and configuration.)

Task 7 (Tan Long Sen): Management PC managing the VLANs using secure communication over an SSH connection. (Configuration required.)

Task 8 (Dashwin): Connectivity between the APU main campus in Kuala Lumpur and APIIT in Sri Lanka is a requirement. What is the best solution? Elaborate on the solution. (Configuration is not required.)

Task 9 (Tan Long Sen): Data transmitted over the network must be kept disguised and only the intended recipient can read it. Hackers are unable to understand the content even if they are able to wiretap the communication. (Solution on the techniques, no configuration is required.)

Task 10 (Tan Long Sen): The company requires implementing intrusion detection systems (IDS). Provide the network diagram and show where to locate the IDS. (Configuration is required.)

Task 11 (Pranav Haran): Implement VPN between Sri Lanka and Kuala Lumpur. (Configuration is required.)

Task 12 (Dashwin): Implement NAT for the given network. (Configuration is required.)

Part 4: Introduction
We were given the task of fulfilling the network requirements of Asia Pacific University (APU) by
creating connections between their main office in Technology Park, Kuala Lumpur and their office in
Sri Lanka. As network engineers, our team needs to design the network in a secure way, protecting
the internal network and the Demilitarized Zone (DMZ) from external threats, and provide a security
solution for APU's offices and campuses in Kuala Lumpur and Sri Lanka. APU provided several
requirements so that users can use the workstations with ease and security. The main office in Kuala
Lumpur has three departments, sales, engineering and finance, each with a few workstations, and a
firewall protecting its network. It also has a DMZ hosting a few servers: web, email, DNS (Domain
Name System) and FTP (File Transfer Protocol). The routers in Sri Lanka and Kuala Lumpur are
connected through their Internet Service Provider's (ISP) router, which is also connected to a
firewall. The IT office in Sri Lanka has 50 workstations for its employees connected to several
switches, but this is represented by only one switch and a few workstations to simplify the topology
plan.

Part 5: Chapters/Sections
Firewall

Since all of our traffic passes through the firewall, it is probably the most important part of the
configuration. For that reason a separate section is given here as a rough outline of exactly what is
configured on the firewall; later sections refer back to it to indicate which firewall settings support a
specific topic or function.
Figure 1.1

Figure 1.2

Figure 1.3
Figure 1.4
Figures 1.1 to 1.4 show the commands in the ASA firewall for Malaysia’s network configuration

The commands above show three VLANs: 1, 2 and 3. VLAN 1 is the internal network, named
'inside', with IP address 192.168.1.1. VLAN 2 is the external network, named 'outside', with IP
address 192.168.2.2. VLAN 3 is for the DMZ servers, with IP address 172.168.1.1. An additional
command was entered so that the DMZ cannot communicate with VLAN 1.
Next, an object network is configured for every VLAN, including the department VLANs (e.g. Sales is
VLAN 10, Engineering is VLAN 20, etc.), and for each server in the DMZ.
A route outside is also configured towards the IP at Ethernet port 0/0 of the Malaysian firewall, so
that traffic for networks beyond the outside VLAN is sent there. Routes inside are configured so that
every department VLAN is reached through the internal VLAN address (192.168.1.2). Access lists are
also configured: ICMP and TCP for the DNS server, and ICMP only for the mail server. The NAT
commands are configured inside the firewall as well.

The final configuration is the policy map, which includes class inspection for FTP, DNS, HTTP and
ICMP.
Chapter 1
There are three departments in Asia Pacific University's main office, located in Technology Park,
Kuala Lumpur: Sales, Engineering and Finance, each with client workstations. There is also a
Demilitarized Zone (DMZ) that houses various servers, including web and email servers, DNS and
FTP. The client workstations of these departments must be able to connect to the DMZ web server
over HTTP and HTTPS, and external clients should only be able to access the web server over HTTP
and HTTPS. For this configuration, it is recommended to set an Access Control List (ACL) to block
communications that are not permitted.

ACLs help the network filter packets and control their movement; they provide security by limiting
which traffic may pass through a network. An ACL is a set of rules that can be configured on routers
and firewalls (geek-university, 2019). It is mainly used so that authorised users have certain access
rights while unauthorised users do not, so that private and sensitive files are not exposed to or
modified by unauthorised users. An ACL is a table of rules stating which system or object, such as an
individual file, a requester has access rights to; the servers refer to this table whenever a user makes a
request and determine whether the user has permission to access the file. The table has attributes and
settings that must be configured before it works. There are two types of ACLs, Standard ACLs and
Extended ACLs. A Standard ACL permits or denies packets based on the source IPv4 address only,
whereas an Extended ACL permits or denies packets based on source and destination IPv4 addresses,
protocol type and other fields (Cisco, 2020). The Demilitarised Zone is a network that allows a host to
provide an interface to an external network such as the internet while keeping the internal private
network, such as APU's main office, separated and isolated from the external network (doubleoctopus,
2021). Systems that provide services to users outside the local area network, such as DNS, web and
email servers, are exposed to attack, so they should be kept separate from the internal network.

The main requirement for chapter 1 is that the external network has access to the HTTP and HTTPS
services only, while the sales, engineering and finance departments also have access to them. Thus, an
Extended ACL should be implemented so that access to specific services can be limited. Moreover, an
Extended ACL is preferable to a Standard ACL because if the departments decide to increase the
number of workstations or change the topology, the configuration will not have to be redone from
scratch.

Figure 5.1.1: Network configuration to show that extended access-lists have been used for client
workstations and external clients to have access to http and https.
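The following ASA configuration is an added example written for this report, not the group's own firewall configuration; it ties together the Firewall section (interfaces, object networks, routes, NAT, inspection) and the Chapter 1 extended ACL. Addresses taken from the report are VLAN 1 inside 192.168.1.1, VLAN 2 outside 192.168.2.2, VLAN 3 DMZ 172.168.1.1, the internal switch 192.168.1.2 and the DNS server 172.168.1.5; the department subnets, VLAN 30 for Finance, the web and mail server hosts, the ISP next hop and the public address 203.0.113.10 are assumptions.

```cisco
! Added example: ASA at the Kuala Lumpur site (not the report's own configuration).
! Values from the report: VLAN 1 inside 192.168.1.1, VLAN 2 outside 192.168.2.2,
! VLAN 3 DMZ 172.168.1.1, internal L3 switch 192.168.1.2, DNS server 172.168.1.5.
! Every other address below is an assumption.
!
! --- Interfaces: three VLANs with descending security levels ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
! "no forward interface Vlan1" is the extra command that stops the DMZ VLAN from
! initiating traffic towards VLAN 1; on the ASA 5505 it must precede nameif.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.168.1.1 255.255.255.0
!
! --- Object networks: one per department VLAN and one per DMZ server ---
! Subnets assumed (the report gives only VLAN numbers 10 and 20; VLAN 30 assumed).
object network SALES-VLAN10
 subnet 192.168.10.0 255.255.255.0
object network ENG-VLAN20
 subnet 192.168.20.0 255.255.255.0
object network FIN-VLAN30
 subnet 192.168.30.0 255.255.255.0
object network DMZ-WEB
 host 172.168.1.2
object network DMZ-MAIL
 host 172.168.1.3
object network DMZ-DNS
 host 172.168.1.5
!
! --- Routes: default towards the ISP, department subnets via the internal switch ---
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.20.0 255.255.255.0 192.168.1.2 1
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
!
! --- Chapter 1: extended ACL applied inbound on the outside interface ---
! External clients reach the web server on HTTP/HTTPS only; the DNS server takes
! TCP/53 and ICMP and the mail server ICMP only, as the Firewall section states.
! UDP/53 is added because ordinary resolver queries use UDP. The explicit final
! deny carries "log" so every rejected attempt is visible in syslog.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq www
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE-IN extended permit tcp any object DMZ-DNS eq domain
access-list OUTSIDE-IN extended permit udp any object DMZ-DNS eq domain
access-list OUTSIDE-IN extended permit icmp any object DMZ-DNS echo
access-list OUTSIDE-IN extended permit icmp any object DMZ-MAIL echo
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! --- NAT: department VLANs hide behind the outside address; web server published ---
! 203.0.113.10 is a placeholder public address from the documentation range.
object network SALES-VLAN10
 nat (inside,outside) dynamic interface
object network ENG-VLAN20
 nat (inside,outside) dynamic interface
object network FIN-VLAN30
 nat (inside,outside) dynamic interface
object network DMZ-WEB
 nat (dmz,outside) static 203.0.113.10
!
! --- Policy map: application inspection for FTP, DNS, HTTP and ICMP ---
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
  inspect http
  inspect icmp
service-policy global_policy global
```

Traffic from inside (security level 100) to the DMZ (50) is permitted by the security levels alone, so the department workstations reach the web server over HTTP and HTTPS without a separate ACL entry; the outside ACL is what restricts external clients. The hit counters in "show access-list OUTSIDE-IN" confirm which entry a connection matched, and "packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443" walks a simulated external HTTPS connection through the ACL, NAT and inspection stages without sending any traffic.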

Chapter 2

File Transfer Protocol (FTP) is a protocol for communicating and transferring files between
computers on a TCP/IP network such as the internet. Two parties must establish a connection and
communicate over the network for the transfer to work, and users must have the authority to do so by
submitting credentials to the FTP server (M., 2021). Using FTP, clients can read, download, upload,
copy, delete, write and transfer files on the server. The FTP service implemented at the APU office in
Malaysia should require a username and password every time a user wants to perform a transaction or
communicate over the network. Thus, it is recommended that the DMZ has an FTP server to which the
Sales, Finance and Engineering departments have access.
Figure 5.2.1: An FTP server has been configured for the client side (APU Malaysia) so that clients
can read, write and edit files and list the directory on the FTP server

Chapter 3

Chapter 3 requires that APIIT Sri Lanka be reached from the Engineering and IT workstations using
only HTTP, with names resolved by the DNS server. To do this, the web server must have HTTP
enabled and its IP address registered on the DNS server, in this case as "apu.com". A server is a
device or software that provides services to other programs, often known as clients. The purpose of a
Domain Name Service (DNS) server is to translate domain names to their respective IP addresses. It
can also be referred to as the phonebook of the internet: it contains domain names such as
"google.com" or "facebook.com" that users can use to access information online. Most current
desktop and mobile operating systems have DNS clients, which allow web browsers to communicate
with DNS servers. Essentially, this was the solution to Chapter 3: configure the DNS server and use a
PC in APIIT Sri Lanka to access the server using the domain name. A public IP was required to do
this effectively, as APIIT Sri Lanka is on a separate VLAN and router. Another issue faced was
configuring NAT in the firewall and an ACL to control the flow of data between the two networks
(for the commands, see the Firewall section).

Figure 5.3.1 shows apu.com being accessed by a PC in Sri Lanka


Figure 5.2.2: One of the PCs accessing the FTP server

Chapter 4

The departments need to communicate with each other and need a suitable means of doing so. One
of the most prominent ways is email. Employees will be required to send, receive and write emails to
other PCs in the same department or in other departments, so the mail server has to be established
first, to ensure that all clients have a specific location to store and direct their messages. To do this, a
server is added and, under the services tab, the email service is turned on and given a name, in this
case "mail.com", after which the clients and their passwords are added. Essentially two types of mail
server are employed. The Simple Mail Transfer Protocol (SMTP) server is the outgoing mail server.
There are two types of incoming mail server. One is the Post Office Protocol (POP3), the third version
of the protocol, which is known for storing sent and received messages. This is where the employees
using the PCs send their emails; the mail server collects these messages and stores them until the
employee decides to receive the email, at which point the mail server sends the recipient the saved
email to read. The Internet Message Access Protocol (IMAP), on the other hand, is used to keep
copies of messages on the server.
Figure 5.4.1 shows the layout of the email server
Figure 5.4.2 shows an email about to be sent to Client using PC 3

Figure 5.4.3 shows that PC9 received the email

As can be seen from the pictures above, the email implementation works well. The second picture
shows an email being sent from Client 3 to Client 9 using the newly configured email service. Once
the email is written, the user can send it by pressing the button at the top left of the screen. The email
is clearly received in the last picture; to check any received mail, the user needs to hit the "receive"
button. The inbox then pops up, and the user can read the email by clicking on it.

Chapter 5
It is required that the Sales, Engineering and Finance departments cannot access clients in the other
departments, because each department's data should be kept secure and only authorised personnel
should have access to their own department's data or information. A Virtual Local Area Network
(VLAN) is a subset of a larger network. By acting as LAN segments, VLANs are primarily used to
increase network security and minimise wasted network resources. They also allow local partitions:
for example, if workstations from the sales department had to move to the engineering department
because their office was undergoing construction work, they could keep their own VLAN separate
from the engineering department's without having to share it. This keeps each department's data and
information within the department even though they share the same physical location (N-able, 2019).
It also allows employees in a single department to communicate with each other without being
physically close, because VLANs allow workstations to connect even if they are physically separated
in the network. VLANs also make the network easier for the administrator to manage, reduce traffic
and help enforce security policies. Administrators of VLAN networks have control over each port and
user, allowing them to limit the resources available to distinct groups of users. It is also easier to
monitor the network and take control of the situation in case a malicious user tries to harm the
company's network. VLANs also help improve network performance, especially during peak hours.
A router acts as a packet filter when packets are forwarded or denied according to filtering rules. The
router determines whether to permit or deny traffic based on the source and destination IP addresses,
ports and protocol of the packet. However, it is more efficient if switches handle the VLANs so that
the router's job is eased (oreilly, 2021).
Therefore, each department will have its own VLAN so that no workstation from the sales department
will be able to ping the engineering or finance department, and vice versa.
Figure 5.5.1 VLAN configuration for Engineering Department

Figure 5.5.2 VLAN configuration for Finance Department


Figure 5.5.3 VLAN configuration for Sales Department
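The following is an added example of the department separation described above, written for this report rather than taken from the group's own switch configuration. VLAN 10 (Sales) and VLAN 20 (Engineering) and the internal switch address 192.168.1.2 come from the Firewall section; VLAN 30 for Finance, the subnets, hostnames, port ranges and interface names are assumptions. A VLAN alone keeps departments apart at layer two; the ACLs on the multilayer switch are what stop the router from forwarding between them once the VLANs are routed.

```cisco
! Added example (not the report's own configuration).
! VLAN 10 (Sales) and 20 (Engineering) are from the report; VLAN 30, the subnets,
! hostnames, port ranges and interface names are assumed.
!
! ===== Department access switch (Sales shown; the Engineering and Finance =====
! ===== switches are identical apart from the VLAN assigned to the ports)  =====
hostname SW-SALES
vlan 10
 name SALES
vlan 20
 name ENGINEERING
vlan 30
 name FINANCE
!
interface range FastEthernet0/1 - 8
 description Sales workstations
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/1
 description trunk to multilayer switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ===== Multilayer switch (192.168.1.2 towards the firewall): routes between =====
! ===== VLANs, but an inbound ACL on each SVI drops department-to-department =====
! ===== traffic while still allowing the DMZ and the Internet via the firewall =====
hostname MLS-KL
ip routing
!
interface Vlan1
 description link to ASA inside (192.168.1.1)
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group DEPT-10-IN in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group DEPT-20-IN in
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group DEPT-30-IN in
!
! Each ACL denies the other two department subnets and permits everything else.
! The deny lines carry "log" so a workstation probing another department shows
! up in the switch syslog, which is the detection side of the separation.
ip access-list extended DEPT-10-IN
 deny   ip any 192.168.20.0 0.0.0.255 log
 deny   ip any 192.168.30.0 0.0.0.255 log
 permit ip any any
ip access-list extended DEPT-20-IN
 deny   ip any 192.168.10.0 0.0.0.255 log
 deny   ip any 192.168.30.0 0.0.0.255 log
 permit ip any any
ip access-list extended DEPT-30-IN
 deny   ip any 192.168.10.0 0.0.0.255 log
 deny   ip any 192.168.20.0 0.0.0.255 log
 permit ip any any
!
! Default route to the firewall's inside address
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

To check the result, "show vlan brief" on the access switch lists each port under its department VLAN, and "show ip access-lists DEPT-10-IN" on the multilayer switch shows the deny counters increasing when a Sales workstation pings an Engineering address, while the same workstation's ping to a DMZ server still succeeds.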

Chapter 6
Layer two mostly consists of interconnected Ethernet switches. It involves mainly end-user devices
such as printers, computers and IP phones, which connect through layer two access switches. This
means that network security risks can arise at the switches, since switches are sometimes attacked by
internal users.

Layer two security has been provided in this configuration through port security and the Spanning
Tree Protocol (STP) features BPDU guard and root guard. Finally, the unused ports were shut down to
avoid misuse.

BPDU guard and root guard are technically similar, but their impact is different. BPDU guard disables
a port upon receiving a BPDU if PortFast is enabled on that port. This effectively prevents devices
behind such ports from participating in STP in any form (Support, Switching, Protocol and
TechNotes, 2021). Root guard, however, permits the device to participate in STP on the condition that
it does not become the root.

These are some of the methods suggested among Cisco's security features that could be implemented
on all the switches. The first is to enable root guard, which helps to stop spoofing and rogue switches.
It is normally placed on ports facing edge switches from which BPDUs should not be accepted.

Next, securing access ports is also a must. By managing which ports may influence the STP root
bridge, an attacker who tries to add a switch that spoofs the root bridge is kept out of the topology. If
a port configured with PortFast receives a BPDU, STP can place the port in a blocking state by using
the BPDU guard option.

The final suggestion is that the basic switch settings should also be configured. This is where the
secret password is enabled for an additional layer of security. HTTP access is enabled by default; to
block it, both the HTTP server and the HTTP secure server must be disabled.

Below is the configuration for layer two security.

Figure 5.6.1: Enable switchport mode access

Figure 5.6.1 shows the first step, in which the interface is accessed and the commands "switchport
mode access" and "spanning-tree portfast" are used. The commands shown were entered on the sales
department switch.

Figure 5.6.2: Enable bpdu guard

Next, enable BPDU guard with the command "spanning-tree bpduguard enable".


Figure 5.6.3: Enable bpdu guard for engineering department

Repeat the same steps. The figure above shows the same commands entered on the engineering
department switch. Repeat the same steps for all the remaining switches.

Figure 5.6.4: Enable root guard DMZ switch

The figure above shows root guard being enabled on the DMZ switch, which requires the command
"spanning-tree guard root".
Figure 5.6.5: Switchport port-security

Next, make sure to configure port security as well, as shown in the figure above. Set the maximum
number of learnt/configured MAC addresses to two, and enable MAC addresses to be learnt
dynamically.

Figure 5.6.6: Violation shutdown

The command "switchport port-security violation shutdown" is then entered, although it is not strictly
necessary as shutdown is already the default violation mode.
Figure 5.6.7: Closed all unused ports

The final step is to close all unused ports with the "interface range" command followed by
"shutdown". This means that ports that are not used are closed.
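The steps above, collected into one complete switch configuration as an added example (written for this report, not the group's own configuration). VLAN 10 (Sales) is from the report; the hostnames, interface names, port ranges, the parking VLAN 999 and the err-disable recovery timer are assumptions. The report enables root guard on the DMZ switch; here it is shown on the multilayer switch's downlinks, because root guard belongs on the ports of the intended root bridge that face other switches, never on an access switch's uplink towards the real root.

```cisco
! Added example (not the report's own configuration). VLAN 10 (Sales) is from
! the report; hostnames, interface names and port ranges are assumed.
!
! ===== Department access switch (Sales shown; repeat on Engineering and Finance) =====
hostname SW-SALES
!
! --- Basic switch settings (final suggestion in the text) ---
enable secret <STRONG-ENABLE-SECRET>
service password-encryption
no ip http server
no ip http secure-server
!
! --- Workstation ports: access mode, PortFast, BPDU guard, port security ---
! Dynamic MAC learning is the default; "sticky" additionally records the learnt
! addresses in the running configuration so they survive a reload once saved.
! "violation shutdown" is the default mode and is written out for clarity.
interface range FastEthernet0/1 - 8
 description Sales workstations
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Unused ports: parked in an unused VLAN and shut down ---
interface range FastEthernet0/9 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- Optional: bring back a port that BPDU guard err-disabled after five minutes,
! --- so a one-off event does not need a manual shut/no shut by the administrator
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! ===== Multilayer switch: pinned as the STP root, with root guard on every port =====
! ===== facing a department switch so none of them can claim the root role     =====
hostname MLS-KL
spanning-tree mode rapid-pvst
spanning-tree vlan 1,10,20,30 root primary
!
interface range GigabitEthernet1/0/1 - 3
 description downlinks to Sales, Engineering and Finance switches
 switchport mode trunk
 spanning-tree guard root
```

"show spanning-tree summary" lists whether BPDU guard and root guard are enabled, "show port-security interface FastEthernet0/1" shows the maximum, the sticky addresses learnt and the violation count, and "show interfaces status err-disabled" is where a port that received a BPDU or a third MAC address will appear.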
Chapter 7

SSH is an abbreviation for Secure Socket Shell, also known as Secure Shell. SSH is a network
protocol that allows users to access a device securely over an unprotected network. SSH uses secure
password and public-key authentication as well as encrypted data transfers, so administrators can
control systems remotely and safely (Loshin, 2020). It works on a client-server model: a Secure Shell
client program connects to the server, which provides a session, and the SSH server is the end point
where the session takes place. SSH is normally implemented to support application protocols for
terminal access or file transfers (Loshin, 2020). This is how SSH protects the system from attackers:
encryption protects sensitive data and information. Attacks such as eavesdropping, data manipulation
and DNS spoofing can be prevented by using SSH for sensitive or confidential tasks (Mitchell, 2020).

The configuration is done on the multilayer switch and only allows the management PC to connect to
it to perform the necessary tasks when needed.

Figure 5.7.1 Configuring SSH on Multilayer Switch

Firstly, the default gateway is set to the management VLAN's address, 192.168.60.1. Then, an IP
address is given to the switch so users can access it remotely. The domain name is also set, and a
1024-bit crypto key is generated.
Figure 5.7.2 VTY and console line configuration

The VTY and console lines are also configured, as they were not configured initially.

Figure 5.7.3 Account creation

An account and the secret password for the switch are created for authentication during remote and
local log in.

Figure 5.7.4 Verify SSH access

After configuring, the command "sh ip ssh" is used to verify SSH access.
Figure 5.7.5 Remote access successful

Then the user can use the management PC to establish an SSH connection with the multilayer
switch.
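The configuration steps of Figures 5.7.1 to 5.7.4 as one added example (written for this report, not the group's own configuration). The gateway 192.168.60.1 and the 1024-bit key size are from the report; the hostname, domain name, the switch's own address 192.168.60.2, the management PC address 192.168.60.10 and the secrets are assumptions or placeholders. The "access-class" line on the VTY lines is what actually limits SSH access to the management PC, which the text asks for but the figures do not spell out.

```cisco
! Added example (not the report's own configuration).
! From the report: management gateway 192.168.60.1, 1024-bit RSA key.
! Assumed: hostname, domain name, switch address .2, management PC .10, secrets.
hostname MLS-KL
ip domain-name apu.example
!
interface Vlan60
 description management VLAN
 ip address 192.168.60.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.60.1
!
! The host name and domain name must exist before the key can be generated.
! The report uses 1024 bits; Cisco's current guidance is at least 2048.
crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account and enable secret for remote and console log in
username admin privilege 15 secret <ADMIN-SECRET>
enable secret <ENABLE-SECRET>
service password-encryption
!
! Only the management PC may open a VTY session; every other attempt is logged
ip access-list standard MGMT-ONLY
 permit host 192.168.60.10
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 login local
 transport input ssh
 exec-timeout 5 0
line con 0
 login local
 exec-timeout 5 0
!
! Verification (Figure 5.7.4)
do show ip ssh
```

"ip default-gateway" only takes effect while "ip routing" is off; on a multilayer switch that routes between VLANs, use an "ip route" statement towards the firewall instead. "show ip ssh" reports the SSH version and the key size, "show users" lists who is logged in, and a Telnet attempt to the switch is refused because only SSH is allowed as transport.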
Chapter 8

When it comes to connectivity between the sites, there are various types of network to implement,
depending on the requirements of the APU main campus and APIIT in Sri Lanka; examples are the
Local Area Network (LAN) and the Wide Area Network (WAN).

Figure 5.8.1: Example of WAN

(Thomas, 2021)

In this scenario the best option is to implement a Wide Area Network (WAN), because a WAN can
stretch across long distances, unlike a LAN. This is required to maintain connectivity, especially since
the campuses are located in Sri Lanka and Kuala Lumpur respectively.
Figure 5.8.1 is an example of a WAN topology. WANs are typically made up of several LANs. Kuala
Lumpur and Sri Lanka can each be regarded as a LAN, since a LAN only connects devices within the
same network.

When it comes to implementing a WAN, there are several benefits, especially for a university. The
WAN that could be implemented is a Software-Defined WAN (SD-WAN), which many universities
are starting to implement these days. SD-WAN has various advantages, such as bandwidth
optimisation: it offers operational efficiencies, fast deployment and a reduced burden on IT personnel,
which together amount to an optimisation of bandwidth.

SD-WAN has better network connections as it is a cloud/internet-based technology. It reduces the
number of lines used as well as the cost. It saves APU capital as it is cost-effective from a long-term
perspective, partly because of the security it offers. Next, SD-WAN is used for remote management,
which means that site visits are reduced or eliminated. Moreover, SD-WAN is secure and offers a
good layer of security, which benefits universities because fewer security-related issues have to be
dealt with (Zurier, 2021).

When it comes to a WAN, there are also disadvantages that must be taken into consideration. Firstly,
the setup of a WAN is complicated and tough, and because of this the cost is considered high,
especially since the connectivity is between Kuala Lumpur and Sri Lanka: the further the distance, the
higher the setup cost. There is also the cost of the maintenance that a WAN requires. Even though
there is twenty-four-hour uptime, maintaining that uptime is difficult on multiple levels. Finally, the
cost would also be high due to the lack of qualified individuals in the industry able to set up a WAN
properly, so that scarcity affects the pricing as well.
Chapter 9

To prevent hackers from interpreting data transmitted over the network even if they are able to
wiretap the communication, their attacks must first be understood. Wiretapping a communication is
often called a man-in-the-middle attack: hackers interrupt an existing data transfer or conversation by
placing themselves somewhere in the middle of the communication process (Veracode, 2020). This
allows hackers to intercept the information and data, and even possibly modify it, so that either side
of the conversation receives falsified information.

A man-in-the-middle attack is a type of session hijacking where hackers insert themselves into the
session as proxies or relays in an ongoing data transfer or conversation. As it happens in real time, the
attack often goes undetected. Using this attack, hackers can obtain confidential data and insert
malicious data or links that look identical to the real data.

Figure 5.9.1: Man-in-the-Middle Example

There are many ways to prevent a man-in-the-middle attack. Depending on the vulnerable point used,
the IT security infrastructure and the user's own knowledge of potential IT security threats, detecting a
man-in-the-middle attack can be very difficult. Preventing it, however, can solve the issue completely.
It is important for larger businesses to have the right IT partner to ensure security policies and systems
are in place to protect them from these threats. Other steps to be taken are forbidding employees from
using public networks for confidential work, and implementing Virtual Private Networks (VPNs) to
secure connections from the business to online applications and to let employees securely connect to
internal private networks from any location. Another method is to ensure sensitive online transactions
or logins are secured with HTTPS. One way of doing this is the use of browser plugins. A plugin is a
piece of software that handles internet content that a browser is not designed to process; for example,
specific file types may need special plugins, otherwise known as add-ons or extensions (Springer
Nature Support, n.d.). Other than that, you can use the latest version of a high-security web browser
such as Chrome, Internet Explorer, Firefox or Safari. Aside from that, you could also configure
separate networks for guests, internal use and business application data transfers. Doing this increases
security and makes an attack negligible, as the networks are not connected and therefore do not share
any of the same critical information. You can also use authentication credentials such as tokens and
other forms of two-factor authentication for sensitive accounts. Two-factor authentication is a security
process in which the user provides two different authentication factors to verify themselves; it is done
to better protect the user's credentials and the resources the user can access. Two-factor authentication
is useful here because of the higher level of security it provides: two factors have to be checked to
recognise the user, which adds an additional layer of security to the authentication process and makes
it harder for attackers to access a person's devices or online accounts (SearchSecurity, 2019). Other
methods include securing your email with SSL and TLS, which protects messages in transit, and
considering PGP/GPG encryption as additional security. Installing an Intrusion Detection System
(IDS) can help monitor your network and alert you to unusual events such as attempts to hijack a data
flow. Finally, you can regularly audit and monitor your networks to maintain awareness of normal and
unusual activity, and educating employees can help make them aware of common IT security threats
and attack vectors (Solid State Systems LLC, 2017).
Chapter 10

The company requires implementing Intrusion Detection Systems (IDS). Provide the network
diagram and show where to locate the IDS. (Configuration is required.)

Intrusion Detection Systems (IDS) works with Intrusion Prevention Systems (IPS) to protect and
act as guardians that watch over the network. By working together, suspicious incidents are
identified and logged, hence stopping those incidents and these will be reported to the security
administrators on duty (Juniper, 2021). Both IDS and IPS are implemented to make sure
employees within the company network didn’t violate any security policies that may cause
malicious intrusions. There are reasons why security policies are being implemented and
employees are required to follow. Due to possible accidental mistakes, the security policies
might be violated, and this is where IDS and IPS act in the company network. Malicious activity
can be prevented and stopped so that the company network is protected from possible attackers
(Juniper, 2021).

There are 5 major types of IDS that are used to detect intrusions. Which are Host-based IDA,
Network-based IDS, Stack-based IDS, Signature-based IDS, and Anomaly-based IDS. Host-
based Intrusion Detection Systems (HIDS) are installed on the host, normally end devices in a
network. HIDS analyzes packets which are incoming and outgoing from a device. It is also
performing better than NIDS when it comes to detecting malicious and suspicious activity for a
specific device (rom, 2016).

Network Intrusion Detection Systems (NIDS) is implemented at certain strategic places to


analyze and monitor traffic within the network. It is utilized as a dedicated platform to check
passing traffic over the network. Thus, by cooperating with the network, it analyses packets and
then decides rules to be applied (rom, 2016).

Stack-based Intrusion Detection Systems (Stack IDS) is more like a technology which integrates
with the TCP/IP stack. Hence, it can supervise and monitor passing packets before it reaches the
operating system (rom, 2016).
Signature-based Intrusion Detection Systems performs well with known threads. This is because
it focuses on searching a sequence or series of bytes which seemed to be malicious. It is
relatively easy to develop once the network behavior is understood (rom, 2016).

Anomaly-based Intrusion Detection Systems are a centralised process that works from a baseline
of normal network behaviour. Where a signature-based IDS identifies malicious activity through a
sequence or series of bytes in a packet, an anomaly-based IDS identifies malicious activity by
deviations from the network's usual behaviour (rom, 2016).

However, in line with industry standards, it is better to implement an Intrusion Prevention
System (IPS). It will be implemented on the Malaysia router because the major departments, such
as the DMZ, sales and engineering, are located there.

Figure 5.10.1 Security Package

Check the security package installed with the command "show version". As shown, the router is
using the securityk9 security package.

Figure 5.10.2 Directory for the IPS

Create a directory for the IPS named ipsdir. The command used is "mkdir ipsdir"; after
confirmation, the directory is created.
Figure 5.10.3 Configuring IPS

Next, the IPS is given the name masips. Initially almost every signature is declined (retired),
and then only the permitted patterns are enabled with the command "category ios_ips basic"
followed by "retired false". The logs are stored on the DNS server with IP address 172.168.1.5.

Figure 5.10.4 Setting the proper Interface


The proper interface is selected for the IPS; if any suspicious activity triggers the IPS, it
generates an alert and stops the activity.
Figure 5.10.5 Checking Details of IPS

To check the details of the configured IPS, use the command "do show ip ips all" at the config
level.
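The IPS steps above collected into one IOS CLI session, added here as an example and not the report's own configuration. The WAN interface Serial0/1/0 and the syslog severity are assumptions; the directory name, rule name, category and log host are the ones the text gives.

```cisco
! Added example of the Chapter 10 IPS steps; not the report's own configuration.
! Assumed: Serial0/1/0 is the Malaysia router's WAN interface (200.100.20.2 in
! Part 6) and syslog severity "warnings". Everything else follows the text.
Router# show version | include Technology Package
! The securityk9 package must be listed as enabled before "ip ips" is accepted.
Router# mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
Router# configure terminal
! Point the IPS at the directory just created and name the rule set.
Router(config)# ip ips config location flash:ipsdir
Router(config)# ip ips name masips
! Raise alerts through syslog and export syslog to the DNS server (172.168.1.5).
Router(config)# ip ips notify log
Router(config)# logging host 172.168.1.5
Router(config)# logging trap warnings
! Retire every signature first, then unretire only the basic IOS IPS category.
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# exit
Router(config-ips-category)# exit
Do you want to accept these changes? [confirm]
! Apply the rule set inbound on the interface that faces the untrusted network.
Router(config)# interface Serial0/1/0
Router(config-if)# ip ips masips in
Router(config-if)# exit
! Confirm the rule name, location, categories and the interface binding.
Router(config)# do show ip ips all
```

In the "show ip ips all" output, check that the basic category shows as unretired, that the rule is bound inbound on the intended interface, and that a test alert reaches 172.168.1.5; an IPS that is configured but bound to the wrong interface sees nothing.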
Chapter 11

VPN stands for "Virtual Private Network" and describes the ability to establish a protected
network connection when using public networks. A VPN encrypts your internet traffic and
disguises your online identity, which makes it more difficult for third parties to track a user's
online activities and steal data. The encryption takes place in real time. The VPN hides your IP
address by redirecting traffic through a specially configured remote server run by the VPN host,
so when you browse with a VPN, that server becomes the source of your data. This means your
ISP and other third parties cannot see which websites you visit or what data you send and
receive online (www.kaspersky.com, 2020).

One benefit of a VPN connection is that it disguises your data traffic online and protects it
from external access. Unencrypted data can be viewed by anyone with access to the network; with
a VPN, hackers and cyber criminals cannot decipher the data. Another benefit is that the
encryption is extremely secure and requires an encryption key, so deciphering the data without
that key would take millions of years. This leads to a further benefit: more secure data transfer.
Suppose you work remotely and need access to important files on the company network; this kind
of information requires a more secure data transfer to ensure the security of the connection and
the confidentiality of the information. A VPN also allows the user to access regional content
from anywhere in the world. Services and websites often contain content that can only be
accessed from certain parts of the world, and most connections use local servers in the country
to determine your location, so you can only access content available in the location you are in.
A VPN lets you change your apparent location and access content regardless of where you are
(www.kaspersky.com, 2020).

To configure the VPN here, we need to enable two policies on the routers, ISAKMP and IPsec.
IPsec is a group of network protocols used to set up secure, encrypted connections between
devices, and it keeps the data sent over the public network secure (What is IPsec? | How IPsec
VPNs work | Cloudflare, n.d.).

The first step in enabling the IPsec parameters is to enable the Security Technology Package.
Once that is done, an ACL is used to identify traffic from the LAN on the third router (R3) to
the LAN on router 1 (R1). After that, the IKE phase 1 ISAKMP policies are configured, followed
by phase 2 (this should be on R1). Finally, the crypto map is configured on the outgoing
interface. The same steps are repeated on the third router. After this, the VPN has to be
verified; this is done by creating the tunnel and sending uninteresting traffic, and then pinging
the PCs to see whether the packets go through.
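The same steps as one IOS CLI session on R3 (Malaysia), added here as an example and not the report's own configuration. Assumptions: the peer addresses 200.100.20.2 (R3 Se0/1/0) and 200.100.10.1 (R1 Se0/1/0) from the Part 6 table, the LAN subnets 192.168.2.0/24 behind R3 and 192.168.40.0/24 behind R1, a 2900-series router, the algorithms chosen, and the placeholder pre-shared key; R1 is configured the same way with the peer and the ACL direction swapped.

```cisco
! Added example of the site-to-site IPsec steps on R3 (Malaysia); not the
! report's own configuration. Addresses are assumptions based on Part 6,
! the router model is assumed to be c2900, and the key is a placeholder.
R3# configure terminal
! Step 1: Security Technology Package (takes effect after a reload).
R3(config)# license boot module c2900 technology-package securityk9
! Step 2: ACL 110 defines the "interesting" traffic that must be encrypted:
! R3's LAN to R1's LAN. Anything not matched leaves the router in the clear.
R3(config)# access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.40.0 0.0.0.255
! Step 3: IKE phase 1 (ISAKMP) policy plus the pre-shared key for the peer.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600
R3(config-isakmp)# exit
R3(config)# crypto isakmp key REPLACE-WITH-STRONG-KEY address 200.100.10.1
! Step 4: IKE phase 2 (IPsec) transform set; tunnel mode is the default.
R3(config)# crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)# exit
! Step 5: the crypto map ties peer, transform set and interesting traffic together.
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# set peer 200.100.10.1
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit
! Step 6: bind the crypto map to the outgoing (WAN) interface.
R3(config)# interface Serial0/1/0
R3(config-if)# crypto map VPN-MAP
R3(config-if)# end
! Verification: with only uninteresting traffic there is no SA yet; after a
! ping from a 192.168.2.x host to a 192.168.40.x host the ISAKMP SA should
! show QM_IDLE and the IPsec SA counters should increase.
R3# show crypto isakmp sa
R3# show crypto ipsec sa
```

The phase 1 parameters (encryption, hash, DH group, lifetime, authentication) must match on both routers, and the key must be the same on both sides; a mismatch on any of them leaves "show crypto isakmp sa" empty even though pings to the peer's WAN address succeed.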

Figure 5.11.1 shows the existing VPN policies in Router 3 (Malaysia)

Figure 5.11.2 shows the VPN policies in Router 1 (Sri Lanka)
Chapter 12

Figure 5.12.1 NAT

The figure above shows the NAT that was configured on the ASA using different IP addresses.

Network Address Translation (NAT) allows numerous devices to access the internet through one
public IP address. NAT was introduced largely because of the vast number of technologies that
require IP addresses. It also adds an extra layer of security by concealing equipment such as
servers or computers from the outside world (What is NAT and how does it work tutorial - Network
Address Translation within firewalls and routers, 2021).

Two kinds of IP address are involved in NAT: public and private. Anyone can use private
addresses, on the condition that they are kept private within the network itself, meaning they
cannot be routed on the internet. NAT allows private IP addresses as long as they stay on the
internal network. DHCP is then used to assign IP addresses to the various devices that need one
within the user's private network.
NAT is divided into three types: dynamic, static and Port Address Translation (PAT). Dynamic NAT
acts as a communication bridge for routing packets between the internal (private) network and the
internet. When an internal device with an unregistered IP address needs access to the internet, a
public IP address is selected for it.

Next is static NAT, which involves a one-to-one relationship between a public IP address and a
private IP address. A pool of IP addresses is assigned to the NAT device, and each private IP
address can then be statically mapped to one of the given public IP addresses.

Finally, PAT allows a number of users within the private network to share a small number of
public IP addresses. One of the basic functions of PAT is to share one public IP address among
many users who need to use the internet. PAT reduces the number of public IP addresses used by
the network to a single one, which all of the internal users then share (What is NAT and how does
it work tutorial - Network Address Translation within firewalls and routers, 2021).
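The three NAT types side by side in ASA 8.3+ object NAT syntax on ASA1 (Malaysia), added here as an example and not the report's own configuration. The interface names, security levels and the 203.0.113.0/24 public addresses are placeholders and assumptions; the interface and internal addresses come from the Part 6 table.

```cisco
! Added example of static NAT, dynamic NAT and PAT on ASA1 (Malaysia), in
! ASA 8.3+ object NAT syntax; not the report's own configuration. nameif,
! security levels and 203.0.113.x public addresses are assumptions/placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.168.1.1 255.255.255.0
! Caveat: 172.168.1.0/24 is outside the RFC 1918 private ranges (172.16.0.0/12);
! it is kept here only because the report's DMZ uses it.
!
! 1. Static NAT: one-to-one, so the DMZ web server is reachable from outside at
!    a fixed public address. Only hosts given a static entry are exposed at all.
object network DMZ-WEB
 host 172.168.1.3
 nat (dmz,outside) static 203.0.113.3
!
! 2. Dynamic NAT: engineering hosts borrow a free address from a pool, one
!    public address per active internal host, released when the flow ends.
object network PUBLIC-POOL
 range 203.0.113.10 203.0.113.20
object network ENGINEERING-LAN
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic PUBLIC-POOL
!
! 3. PAT: every sales host shares the outside interface address; the ASA keeps
!    the sessions apart by rewriting the source port.
object network SALES-LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! NAT is not access control. Inbound traffic to the static entry is still
! dropped by the outside interface until an ACL allows it (8.3+ ACLs match the
! real address 172.168.1.3, not the translated one).
access-list OUTSIDE-IN extended permit tcp any host 172.168.1.3 eq www
access-group OUTSIDE-IN in interface outside
```

"show nat" lists the three rules with hit counts and "show xlate" shows the live translations, which is where the difference between dynamic NAT (one xlate per host) and PAT (one address, many ports) is visible.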
Part 6: Documentation of the configured device

Name | Port | Default Gateway | IP address

Engineering Department (APU) VLAN 20
PC5 | Fa0 - Fa0/1 | 192.168.20.1 | 192.168.20.2
PC6 | Fa0 - Fa0/2 | 192.168.20.1 | 192.168.20.3
PC7 | Fa0 - Fa0/3 | 192.168.20.1 | 192.168.20.4

Management Department (APU) VLAN 60
Management PC | Fa0 - Fa0/4 | 192.168.60.1 | 192.168.60.2

Sales Department (APU) VLAN 10
PC3 | Fa0 - Fa0/1 | 192.168.10.1 | 192.168.10.3
PC2 | Fa0 - Fa0/2 | 192.168.10.1 | 192.168.10.4
PC4 | Fa0 - Fa0/3 | 192.168.10.1 | 192.168.10.5

Finance Department (APU) VLAN 30
PC8 | Fa0 - Fa0/1 | 192.168.30.1 | 192.168.30.2
PC9 | Fa0 - Fa0/2 | 192.168.30.1 | 192.168.30.3
PC10 | Fa0 - Fa0/3 | 192.168.30.1 | 192.168.30.4

DMZ
FTP | Fa0 - Fa0/1 | 172.168.1.1 | 172.168.1.2
Web | Fa0 - Fa0/2 | 172.168.1.1 | 172.168.1.3
Email | Fa0 - Fa0/3 | 172.168.1.1 | 172.168.1.4
DNS | Fa0 - Fa0/4 | 172.168.1.1 | 172.168.1.5

Sri Lanka
PC0 | Fa0 - Fa0/1 | 192.168.40.1 | 192.168.40.2
LAPTOP0 | Fa0 - Fa0/2 | 192.168.40.1 | 192.168.40.3
PC1 | Fa0 - Fa0/3 | 192.168.40.1 | 192.168.40.4

Routers
ISP | Se0/1/0 | 200.100.10.0 | 200.100.10.2
ISP | Se0/1/1 | 200.100.20.0 | 200.100.20.1
Sri Lanka | Se0/1/0 | 200.100.10.0 | 200.100.10.1
Sri Lanka | Gig0/0 | 192.168.1.0 | 192.168.1.1
Malaysia | Se0/1/0 | 200.100.20.0 | 200.100.20.2
Malaysia | Gig0/0 | 192.168.2.0 | 192.168.2.1

Switches
Multilayer Switch | Gig1/0/24, Gig1/0/1, Gig1/0/2, Gig1/0/3 | (Int vlan60) 192.168.60.1 | (Int vlan60) 192.168.60.3
Sri Lanka Switch | Fa0/1, Fa0/2, Fa0/3, Fa0/4 | 192.168.40.1 | N/A
Engineering Switch | Fa0/1, Fa0/2, Fa0/3, Gig0/1 | (Int vlan20) 192.168.20.1 | N/A
Finance Switch | Fa0/1, Fa0/2, Fa0/3, Gig0/1 | (Int vlan30) 192.168.30.1 | N/A
Sales Switch | Fa0/1, Fa0/2, Fa0/3, Fa0/4, Gig0/1 | (Int vlan10) 192.168.10.1 | N/A
DMZ Switch | Fa0/1, Fa0/2, Fa0/3, Fa0/4, Gig0/1 | (Int vlan3) 172.168.1.1 | N/A

Firewalls
ASA0 (Sri Lanka) | Eth0/0, Eth0/1 | 192.168.40.1, 200.165.100.1 | N/A
ASA1 (Malaysia) | Eth0/0, Eth0/1, Eth0/2 | 192.168.2.2, 192.168.1.1, 172.168.1.1 | N/A
Part 7: Recommendations

Although the configuration has been completed, there are several recommendations that could
benefit the network or increase its efficiency in terms of connectivity and security. As a
recommendation, this network could use a layer three switch instead of a layer two switch. A
layer three switch does not function the same way a layer two switch does; it works in the
opposite direction. It has faster switching and higher port densities than a layer two switch.
Furthermore, layer three switches can route packets without any additional network hops, unlike
routers, which is what increases the speed of switching and data transmission. It is also a good
recommendation because of the benefits for WAN connectivity.

An extra layer of security could also be added through cryptography. One of the most recommended
forms of encryption is AES 256-bit encryption, which could be applied to the data transferred
across the network to prevent any misuse of the data. Cryptography is also an additional layer of
security to stop attackers or malicious users gaining access to the university's data.

On top of that, another feature to add would be usernames and passwords. This can be done using
SSH, a network protocol that gives users a more secure way to access and log in to a computer
over an unsecured network. Its main strengths are strong password authentication, public key
authentication and encrypted data communication. Using SSH, more users can be registered,
allowing more systematic use of the network. At the moment, the network has SSH enabled for the
Management PC. Aside from that, to make things more efficient and available to most VLANs, SSH
could also be configured on the router instead of the multilayer switch (What is Secure Shell
(SSH)? - Definition from WhatIs.com, 2019).

Part 8: Conclusion

The main goal of this assignment is to protect the DMZ hosts and internal hosts from outside
attacks. Security features were also suggested and provided for both the Kuala Lumpur and Sri
Lanka campuses. Through the experience of configuring the Kuala Lumpur and Sri Lanka campuses,
numerous features such as layer two security, SSH connections and a virtual private network
(VPN) were implemented; the layer two security, for example, was implemented to prevent
unauthorised access by third parties. Overall, this was a good experience in network engineering
practice that taught us the importance and use of Cisco Packet Tracer.
Part 9: References

1. Zurier, 2021. University Uses Software-Defined WANs to Extend LANs to the Cloud. [online] Technology Solutions That Drive Education. Available at: https://edtechmagazine.com/higher/article/2016/01/university-uses-software-defined-wans-extend-lans-cloud [Accessed 29 May 2021].

2. Thomas, J., 2021. The Advantages and Disadvantages of WANs | Purple. [online] Purple. Available at: https://purple.ai/blogs/advantages-disadvantages-wans/ [Accessed 29 May 2021].

3. Internet-computer-security.com, 2021. What is NAT and how does it work tutorial - Network Address Translation within firewalls and routers. [online] Available at: http://www.internet-computer-security.com/Firewall/NAT.html [Accessed 31 May 2021].

4. Techopedia.com, 2021. What is a Static NAT? - Definition from Techopedia. [online] Available at: https://www.techopedia.com/definition/2456/static-nat [Accessed 31 May 2021].

5. www.kaspersky.com, 2020. What is a VPN and how does it work? [online] Available at: https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn

6. Cambridge Dictionary, n.d. Meaning of wiretapping in English. [online] Available at: https://dictionary.cambridge.org/dictionary/english/wiretapping

7. Difference, 2018. Difference between WEP, WPA and WPA2. [online] Available at: https://difference.guru/difference-between-wep-wpa-and-wpa2/#:~:text=Definitions%201%20WEP.%20Also%20known%20as%20Wired%20Equivalent,major%20weaknesses%20found%20by%20researchers.%203%20WPA2.%20

8. Higgins, M., 2020. IDS vs IPS: which is safer? [online] Available at: https://nordvpn.com/blog/ids-vs-ips/

9. Internet-Computer-Security, n.d. NAT (Network Address Translation) - Current network security features used today. [online] Available at: http://www.internet-computer-security.com/Firewall/NAT.html

10. Johansen, A. G., 2020. What is encryption and how does it protect your data? [online] Available at: https://us.norton.com/internetsecurity-privacy-what-is-encryption.html

11. Juniper, 2021. What is IDS and IPS? [online] Available at: https://www.juniper.net/us/en/products-services/what-is/ids-ips/

12. O'Donnell, A., 2021. How to Encrypt Your Wireless Network. [online] Available at: https://www.lifewire.com/how-to-encrypt-your-wireless-network-2487653

13. Pedamkar, P., n.d. Cryptography vs Encryption. [online] Available at: https://www.educba.com/cryptography-vs-encryption/

14. rom, d., 2016. Five Major Types of Intrusion Detection System (IDS). [online] Available at: https://www.slideshare.net/davidromm/five-major-types-of-intrusion-detection-system-ids

15. Symanovich, S., 2021. What is a VPN? [online] Available at: https://us.norton.com/internetsecurity-privacy-what-is-a-vpn.html

16. Techopedia, n.d. Dynamic Network Address Translation (Dynamic NAT). [online] Available at: https://www.techopedia.com/definition/2397/dynamic-network-address-translation-dynamic-nat

17. Techopedia, n.d. Port Address Translation (PAT). [online] Available at: https://www.techopedia.com/definition/4056/port-address-translation-pat#:~:text=Definition%20-%20What%20does%20Port%20Address%20Translation%20%28PAT%29,clients%20who%20need%20to%20use%20the%20Internet%20publicly.

18. Techopedia, n.d. Static NAT. [online] Available at: https://www.techopedia.com/definition/2456/static-nat#:~:text=Definition%20-%20What%20does%20Static%20NAT%20mean%3F%20A,to%20an%20internal%20private%20IP%20address%20and%2For%20network.

19. Techopedia, n.d. Network Encryption. [online] Available at: https://www.techopedia.com/definition/16121/network-encryption

20. WhatIsMyIPAddress, n.d. What is Network Address Translation? [online] Available at: https://whatismyipaddress.com/nat

21. Support, T., Switching, L., Protocol, S. and TechNotes, T., 2021. Spanning Tree Protocol Root Guard Enhancement. [online] Cisco. Available at: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html#:~:text=BPDU%20guard%20disables%20the%20port,ports%20from%20participation%20in%20STP.&text=Root%20guard%20allows%20the%20device,try%20to%20become%20the%20root. [Accessed 31 May 2021].

22. Loshin, P., 2020. TechTarget. [online] Available at: https://searchsecurity.techtarget.com/definition/Secure-Shell [Accessed 19 May 2021].

23. Mitchell, S., 2020. inmotionhosting. [online] Available at: https://www.inmotionhosting.com/support/server/ssh/ssh-advantages/ [Accessed 19 May 2021].

24. What is Secure Shell (SSH)? - Definition from WhatIs.com, 2019. [online] SearchSecurity. Available at: https://searchsecurity.techtarget.com/definition/Secure-Shell

25. Springer Nature Support, n.d. Browser plugin, extension and add-ons. [online] Available at: https://support.nature.com/en/support/solutions/articles/6000210939-browser-plugin-extension-and-add-ons#:~:text=A%20plug%2Din%20is%20a [Accessed 29 May 2021].

26. SearchSecurity, 2019. What is two-factor authentication (2FA)? - Definition from WhatIs.com. [online] Available at: https://searchsecurity.techtarget.com/definition/two-factor-authentication

27. Solid State Systems LLC, 2017. How to Prevent Man in The Middle Attacks. [online] Available at: http://solidsystemsllc.com/prevent-man-in-the-middle-attacks/

28. What is IPsec? | How IPsec VPNs work | Cloudflare, n.d. [online] Cloudflare. Available at: https://www.cloudflare.com/learning/network-layer/what-is-ipsec/
Part 10: Contribution of each member

Group Members: Tan Long Sen, Tan Sim Yi, Pranav Haran Harichandran, Avinash Dashwin Bargavan

Introduction x

Task 1 x

Task 2 x

Task 3 x x

Task 4 x

Task 5 x

Task 6 x

Task 7 x

Task 8 x

Task 9 x

Task 10 x
Task 11 x

Task 12 x

Documentation of the configured device x x

Recommendations x x

Conclusion x x

Part 11: Appendices
