Investigation, Design and Implementation of a Secure Network Model for the University of Tripoli. Presented By: Firas Alsayied

Posted on 15-Apr-2017



Outline

Network Overview

What is a Network? A network is a collection of devices and end-to-end systems connected together that originate, route and terminate data.


Characteristics of Networks

- Topology: the arrangement of the network components
- Speed: of the data transmission between source and destination
- Cost: less money, more honey
- Security: indicates how protected the network is
- Availability: of the network to the subscribers, 24/7
- Scalability: how easily the network can accommodate more users and data transmission requirements
- Reliability: indicates the dependability of the components that make up the network


Types of Networks

- PAN: a computer network organized around an individual person.
- LAN: a group of devices that share a common communications line.
- WAN: used in a large geographical area such as cities or countries.

Network Components

Network components can be divided into 4 groups:
1- End points: such as PCs and servers
2- Interconnections: NIC (LAN card)
3- Network media: physical media such as cables, or wireless media
4- Connector devices: switches, routers

Network Security, Policy & Vulnerabilities

Security

Security has one purpose: to protect assets. Assets can be defined as something of value. In terms of computer networks the assets can be:
- Information: files, data streams
- Servers
- Configurations
- User accounts
- Passwords
- Devices

Network Security Goals (CIA Model)

1. Confidentiality: ensure that secrecy is enforced and the information is not read by unauthorized users.

2. Integrity: modification of data by unauthorized users is not permitted.

3. Availability: prevention of loss of access to resources and information.

In network security certain concepts need to be attained:
- Confidentiality: who is authorized to log in or read the data
- Integrity: is the data that arrived the same data that was sent
- Availability: of the network resources and services to subscribers

Security Policy

A policy defines how security is implemented with a set of rules. That is done by answering the following questions:
- What are you trying to protect?
- What data is confidential?
- What resources are precious?
- What are you trying to protect against?
- Who is authorized to log in to the management plane?

Vulnerabilities

A vulnerability is a weakness which is inherent in a network, device, technology or policy.

Types of vulnerabilities:
- Technology weaknesses
- Configuration weaknesses
- Security policy weaknesses

Vulnerabilities may exist in computer systems and networks, leaving the system open to a technical attack, or in administrative procedures.

Threats

Threats are the people eager, willing and qualified to take advantage of each security weakness, and they continually search for new methods and techniques to do so.

Types of threats:
- Internal threats
- External threats

Internal threats can cause more damage to the network information than external ones.

Examples of Threats

- Eavesdropping
- Man-in-the-middle (MITM)
- Denial of Service (DoS)

DoS: attacks that originate from a large number of systems, usually controlled from a single master, sending ping packets to a network server and causing it to fail.
MITM: an attack where the attacker secretly relays and alters the communication between two parties who believe they are directly communicating with each other.

Security Countermeasures

Firewalls

A firewall is a network security system (software/hardware) that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Modern firewalls include:
- Intrusion Prevention System
- Authentication, Authorization, and Vulnerability assessment systems

A firewall acts like a shield from outside threats, allowing only pre-determined protocols to pass through while denying the others.

Intrusion Detection System (IDS)

Used to monitor for suspicious activity on a network. It is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activity.

Syslog Server:

VPN

A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate. VPNs use several protocols, such as:
- PPTP: Point-to-Point Tunneling Protocol
- L2TP: Layer 2 Tunneling Protocol

A VPN acts like a private tunnel through an untrusted network such as the Internet, establishing encrypted communication between the two parties.

Encryption

Encryption is a method of scrambling data before transmitting it onto the Internet, or simply altering the data in such a way as to hide it from unauthorized individuals. Encryption has several techniques, such as:
- Public key encryption
- Digital signatures

1- Phase One: Network infrastructure design & layout planning

2- Phase Two: Application of protection & implementation of a secure policy

Network Design

Network design is the process of arranging the various components of a network to supply the demands of the subscribers. Our network design must answer some pretty basic questions:
- What equipment do we get for the network?
- What is the size and type of the devices?
- How do we connect it all?
- How do we configure it to work right?
- What is the method of connection?
- Finally, is the network secure?

Phase One Objectives

- Design a sophisticated network infrastructure for EEE and the other surrounding departments of the Engineering faculty that accomplishes the concept of availability
- Connect the total infrastructure of the departments by a main core switch
- Assign interfaces and different DHCP pools for each department
- Distribute VLAN subnets that cover classes, labs and staff offices
- Configure the wireless access point for each

GNS3

GNS3 is a graphical network emulator that allows us to design complex network topologies. It provides real implementations of various devices such as routers, switches and firewalls.

EEE Department Network

As shown in the figure, the EEE Department consists of three floors. The first floor contains 7 classes and one beta office for students. The second floor consists of the staff offices and 3 labs. The last floor consists of two labs and the administration office.

Total Infrastructure

The total infrastructure contains 4 departments of the Engineering faculty, (names). The infrastructure consists of 3 layers.

Access Layer

Provides connectivity for network hosts and end devices; it contains the 48- and 24-port switches and the wireless access points.

Core Layer

The core layer contains a fast-switching layer 3 device that connects the departments together.

Head layer

As shown, this layer contains the AAA and syslog servers, which are connected to the firewall and then to the ISP.

Switch distribution in each department

Department                    | Floors | 24-Port Switches | 48-Port Switches | Wireless Access Points
Electric and Electronic Eng.  | 3      | 1                | 2                | 1
Marine Eng.                   | 2      | 2                | -                | 1
Mechanical Eng.               | 1      | 1                | 1                | 1
Architectural Eng.            | 3      | 1                | 1                | 1

Access switches are chosen depending on the number of classes, labs and floors estimated in each department.

Assigning IP addresses and VLANs:

Departments & servers         | Student VLAN 10 | Labs VLAN 20 | Staff VLAN 30 | WLAN 40
Electrical and Electronic Eng.| 10.1.0.0        | 10.2.0.0     | 10.3.0.0      | 10.4.0.0
Marine Eng.                   | 10.5.0.0        | 10.6.0.0     | 10.7.0.0      | 10.8.0.0
Mechanical Eng.               | 10.9.0.0        | 10.10.0.0    | 10.11.0.0     | 10.12.0.0
Architectural Eng.            | 10.13.0.0       | 10.14.0.0    | 10.15.0.0     | 10.16.0.0
AAA Server                    | 20.1.0.20       | -            | -             | -
Syslog Server                 | 20.1.0.3        | -            | -             | -
Firewall                      | 20.1.0.2        | -            | -             | -

Phase Two: Applying the security protocols

- Creating encrypted passwords for the management plane
- Configuring an isolation mechanism
- Allowing the head-of-department networks to connect to each other
- Creating a syslog server
- Configuring a VPN private network
- Creating a zone-based firewall
- Applying authentication for users

1- to designate when and who is authorized to access/configure the network components
2- designated for administrators
3- to separate each VLAN from the others
4- !!!!!
5- to receive and correlate events
6- for wireless access point users
7- using a captive portal application

Securing the Management Plane

- Enable a password for each network device and an authentication retry limit.
- Enable SSH encryption for the VTY and auxiliary lines.

3 authentication retries and a 60 second idle time.
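The slide lists the settings but not the commands. The following Cisco IOS configuration is an added example of one way to apply them; it is not the project's own configuration. The hostname, domain name, username and the choice of 20.1.0.0/24 (the server segment from the address plan) as the only subnet allowed to open management sessions are assumptions.

```cisco
! Management-plane hardening for one device (added example). Values from the slide:
! 3 authentication retries, 60 s idle time. Names and the management subnet are placeholders.
hostname EEE-CORE
ip domain-name eng.example
!
! Hashed (scrypt) secrets instead of clear-text passwords; needs IOS 15.3 or later
enable algorithm-type scrypt secret CHANGE-ME-ENABLE
username netadmin privilege 15 algorithm-type scrypt secret CHANGE-ME-ADMIN
service password-encryption
!
! SSHv2 with a 2048-bit key; 3 retries per session, then lock the line for 120 s
! after 3 failures within 60 s, and log both failed and successful logins
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Only the server/management subnet may reach the VTY lines (assumption)
ip access-list standard MGMT-HOSTS
 permit 20.1.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 1 0
 login local
line con 0
 exec-timeout 1 0
 login local
line aux 0
 no exec
 transport input none
```

The 60 second idle time is `exec-timeout 1 0` (1 minute, 0 seconds); `ip ssh time-out` only bounds the SSH negotiation phase.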

Access List Isolation Policy for each VLAN

To segregate each VLAN from the others, we used extended access lists on the main core switch, as shown in this figure.
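As an added example (not the project's own ACLs), the isolation policy for the EEE department written as IOS extended access lists on the layer 3 core switch, using the subnets from the address plan. The /16 masks, the .1 gateway addresses and treating staff VLAN 30 as the head-of-department network are assumptions.

```cisco
! Inter-VLAN isolation on the core switch (added example). Subnets from the plan;
! /16 masks, .1 gateways and "staff VLAN = head-of-department network" are assumptions.
interface Vlan10
 description EEE students (VLAN 10)
 ip address 10.1.0.1 255.255.0.0
 ip access-group EEE-STUDENT-ISOLATE in
interface Vlan30
 description EEE staff (VLAN 30)
 ip address 10.3.0.1 255.255.0.0
 ip access-group EEE-STAFF-ISOLATE in
!
! Applied inbound on the SVI: filters traffic leaving the VLAN, not traffic switched inside it
ip access-list extended EEE-STUDENT-ISOLATE
 remark DHCP (pools live on the core switch) and DNS must work before anything else
 permit udp any eq bootpc any eq bootps
 permit udp 10.1.0.0 0.0.255.255 any eq domain
 remark students may not reach any other campus VLAN (10.0.0.0/8) or the server segment
 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.1.0.0 0.0.255.255 20.1.0.0 0.0.0.255 log
 remark everything else goes to the Internet through the firewall
 permit ip 10.1.0.0 0.0.255.255 any
!
ip access-list extended EEE-STAFF-ISOLATE
 permit udp any eq bootpc any eq bootps
 permit udp 10.3.0.0 0.0.255.255 any eq domain
 remark head-of-department networks may reach each other: the staff VLAN of every department
 permit ip 10.3.0.0 0.0.255.255 10.7.0.0 0.0.255.255
 permit ip 10.3.0.0 0.0.255.255 10.11.0.0 0.0.255.255
 permit ip 10.3.0.0 0.0.255.255 10.15.0.0 0.0.255.255
 deny   ip 10.3.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
 permit ip 10.3.0.0 0.0.255.255 any
!
! Verify: the hit counters on the deny lines show blocked cross-VLAN attempts
! show ip access-lists EEE-STUDENT-ISOLATE
```

The `log` keyword on the deny entries is what makes the blocked attempts visible on the syslog server; the same pattern is repeated for VLANs 20 and 40 and for the other three departments.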

Configuring Syslog Server

Using the Kiwi Syslog program to receive messages from the core switch and the firewall, with the debugging logging level selected.

Initialize the Zone-Based Firewall

Separate the network into three zones:
1- In zone (internal network)
2- Out zone (ISP)
3- Self (firewall)

Configure the interfaces of the firewall:
- Inside (trusted) interface: FastEthernet0/0 (20.1.0.2)/24
- Outside (untrusted) interface: FastEthernet1/0 (192.168.137.5)/24

Configure the Firewall through CCP

The figure demonstrates the firewall policies applied from the in zone to the out zone.
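The CCP form on the slide generates IOS zone-based firewall commands. The following is an added example of such a configuration for the three zones and two interfaces described above; it is not the project's CCP-generated configuration. The permitted services (web, DNS, ping) and the management subnet 20.1.0.0/24 are assumptions.

```cisco
! Zone-based firewall for the edge router (added example, not the project's CCP output).
! Interfaces and addresses are from the slide; permitted services and the management subnet are assumptions.
zone security IN
zone security OUT
!
interface FastEthernet0/0
 description inside, toward the core switch
 ip address 20.1.0.2 255.255.255.0
 zone-member security IN
interface FastEthernet1/0
 description outside, toward the ISP
 ip address 192.168.137.5 255.255.255.0
 zone-member security OUT
!
! In -> Out: web, DNS and ping are inspected, so only their return traffic comes back in.
! No Out -> In zone-pair exists, so unsolicited traffic from the ISP side is dropped by default.
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-TO-OUT-POLICY
!
! Traffic to the router itself (self zone) is allowed by default, so lock it down explicitly:
! only SSH from the server/management subnet on the inside, nothing at all from the ISP side.
ip access-list extended MGMT-SSH
 permit tcp 20.1.0.0 0.0.0.255 host 20.1.0.2 eq 22
class-map type inspect match-all IN-TO-SELF-CLASS
 match access-group name MGMT-SSH
 match protocol tcp
policy-map type inspect IN-TO-SELF-POLICY
 class type inspect IN-TO-SELF-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-SELF source IN destination self
 service-policy type inspect IN-TO-SELF-POLICY
policy-map type inspect OUT-TO-SELF-POLICY
 class class-default
  drop log
zone-pair security OUT-SELF source OUT destination self
 service-policy type inspect OUT-TO-SELF-POLICY
```

The Out -> self drop is what makes the later test "attempt to access the firewall from an unauthorized user" fail; if the VPN or any other service must terminate on the outside interface, it needs an explicit pass or inspect class in OUT-TO-SELF-POLICY.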

Configure VPN Tunnel for Wireless Users

Define the interface for the wireless access point in CCP, then select pre-shared key authentication.

Group Policy for VPN and Maximum Connection Allowed

Implementing the pfSense Captive Portal

Test & Results

Test the internet connection for clients and labs
1- Clients
2- Labs

Connection Between Head-Departments

Attempt to access the firewall from an unauthorized user

Test the Management Plan Access

In this action we emulate the password spoofing attack to acquire the username and password of the administrator; this attack was a failure due to the SSH protocol that has been used.

Test the wireless network VPN connection


Check Captive Portal login

Conclusion

Network design and security is an important field that is getting more and more attention as the internet expands. Providing the resources and the type of connection is a primary task that should be considered before implementing a network, keeping in mind the security measures and policies that need to be applied to the clients and the communication chain to keep it safe. An effective network design should be developed with:
1- Understanding of network design concepts such as reliability and availability.
2- Learning the factors that make a network vulnerable and weak to potential threats and attackers.
3- The level of security required to achieve stability and confidentiality for the subscribers.
4- Finally, implementing and configuring the network components to supply the demand of the clients while aligning with the security plan that has been imprinted.
