Order 1548415: Network Design
StuDocu is not sponsored or endorsed by any college or university
Network Design Proposal Part 2
Fundamentals of Networking (University of Maryland University College)
Downloaded by Davidjh15 ([email protected])
lOMoARcPSD|3241324
Network Design Proposal:
Network Addressing &
Security (Part 2)
Prepared for:
University of Maryland University College
Prepared by:
Kellie Keiser
Part A: IP Addressing

Proposed Subnet

Subnet Description                     Required Hosts
Classroom 1 (First Floor)              25 Computers
Classroom 2 (First Floor)              25 Computers
Classroom 4 (First Floor)              25 Computers
Classroom 1 (Second Floor)             25 Computers
Classroom 5 (Second Floor)             25 Computers
Office 5 – Admissions (Second Floor)   25 Computers
Student Computer Lab                   25 Computers
Library                                15 Computers

Subnet Mask: 255.255.255.0

Subnet                                 Network Address   Host Address Range               Broadcast Address
Classroom 1 (First Floor)              192.168.2.0       192.168.2.1 - 192.168.2.30       192.168.2.31
Classroom 2 (First Floor)              192.168.2.32      192.168.2.33 - 192.168.2.62      192.168.2.63
Classroom 4 (First Floor)              192.168.2.64      192.168.2.65 - 192.168.2.94      192.168.2.95
Classroom 1 (Second Floor)             192.168.2.96      192.168.2.97 - 192.168.2.126     192.168.2.127
Classroom 5 (Second Floor)             192.168.2.128     192.168.2.129 - 192.168.2.158    192.168.2.159
Office 5 – Admissions (Second Floor)   192.168.2.160     192.168.2.161 - 192.168.2.190    192.168.2.191
Student Computer Lab                   192.168.2.192     192.168.2.193 - 192.168.2.222    192.168.2.223
Library                                192.168.2.224     192.168.2.225 - 192.168.2.254    192.168.2.255
Wi-Fi Network                          192.168.3.0       192.168.3.1 - 192.168.3.30       192.168.3.31
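As an added consistency check (example code written for this review, not part of the proposal), the script below audits the addressing table: it recovers the mask implied by each network/broadcast pair, confirms that the listed host range and capacity fit that block, and flags overlapping subnets. The rows are transcribed from the table; the Wi-Fi row has no host count, so 0 is assumed there. Note that every row is a 32-address block, so the mask the ranges actually imply is 255.255.255.224 (/27), not the /24 stated above the table.

```python
import ipaddress

# Rows transcribed from the proposal's addressing table:
# (subnet, required hosts, network, first host, last host, broadcast).
# The Wi-Fi row has no host count in the table, so 0 is used there.
PROPOSED = [
    ("Classroom 1 (First Floor)", 25, "192.168.2.0", "192.168.2.1", "192.168.2.30", "192.168.2.31"),
    ("Classroom 2 (First Floor)", 25, "192.168.2.32", "192.168.2.33", "192.168.2.62", "192.168.2.63"),
    ("Classroom 4 (First Floor)", 25, "192.168.2.64", "192.168.2.65", "192.168.2.94", "192.168.2.95"),
    ("Classroom 1 (Second Floor)", 25, "192.168.2.96", "192.168.2.97", "192.168.2.126", "192.168.2.127"),
    ("Classroom 5 (Second Floor)", 25, "192.168.2.128", "192.168.2.129", "192.168.2.158", "192.168.2.159"),
    ("Office 5 - Admissions", 25, "192.168.2.160", "192.168.2.161", "192.168.2.190", "192.168.2.191"),
    ("Student Computer Lab", 25, "192.168.2.192", "192.168.2.193", "192.168.2.222", "192.168.2.223"),
    ("Library", 15, "192.168.2.224", "192.168.2.225", "192.168.2.254", "192.168.2.255"),
    ("Wi-Fi Network", 0, "192.168.3.0", "192.168.3.1", "192.168.3.30", "192.168.3.31"),
]

def infer_subnet(network, broadcast):
    """Recover the prefix length from a network/broadcast pair. Raises ValueError
    if the block size is not a power of two or the network address is misaligned."""
    size = int(ipaddress.ip_address(broadcast)) - int(ipaddress.ip_address(network)) + 1
    if size <= 0 or size & (size - 1):
        raise ValueError(f"{network}-{broadcast} is not a valid block")
    prefix = 33 - size.bit_length()
    return ipaddress.ip_network(f"{network}/{prefix}")  # strict: host bits must be zero

def check_row(row):
    """Return (subnet, problems) for one table row: host range and capacity checks."""
    _name, need, net_s, first_s, last_s, bcast_s = row
    net = infer_subnet(net_s, bcast_s)
    hosts = list(net.hosts())
    problems = []
    if (str(hosts[0]), str(hosts[-1])) != (first_s, last_s):
        problems.append("host range does not match the block")
    if len(hosts) < need:
        problems.append(f"only {len(hosts)} usable hosts for {need} required")
    return net, problems

def audit(rows):
    """Check every row and flag overlaps; returns {name: (netmask, problems)}."""
    seen, report = [], {}
    for row in rows:
        net, problems = check_row(row)
        problems += [f"overlaps {other}" for other in seen if net.overlaps(other)]
        seen.append(net)
        report[row[0]] = (str(net.netmask), problems)
    return report
```

Running `audit(PROPOSED)` reports an empty problem list for every row and a netmask of 255.255.255.224 for each, which is the value to put on the router and DHCP scopes.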
Part B: Security
C.) Firewall: Network Based - Cisco ASA 5540 Series $3000
A firewall is a device that secures a network from intruders. It acts as a lock between the internet and a LAN, requiring all traffic from the internet to pass through the firewall before reaching any device within the network. There are two types of firewall: host-based, a built-in firewall that runs on a server, and network-based, a dedicated hardware appliance. For this campus, a network-based firewall was chosen because it offers a stronger defense barrier against intrusions and hackers. The Cisco Adaptive Security Appliance (ASA) 5540 series firewall is an identity-based network firewall, which allows specified users and groups to access the network. This enables simplified policy configuration, so administrators can write policies that correspond to business rules, for increased security, enhanced ease of use, and fewer policies to manage. [1]
D.) IDS vs. IPS
An IPS (Intrusion Prevention System) is a device that allows or blocks traffic entering a network. The Cisco ASA 5540 series has an IPS module, which runs advanced IPS software that provides proactive, full-featured intrusion prevention services to stop malicious traffic, including worms and viruses, before it can affect the network. [1] For the security of the University, the IPS module is the best option. An IDS (Intrusion Detection System) detects and reports but wouldn't prevent malicious software from entering the network, which would be detrimental to the University. Protecting University hardware and devices from cyber threats and malware is one of the most important requirements of a network security officer.
E.) DMZ
A De-Militarized Zone (DMZ) is a type of subnet that screens traffic between a private network and an untrusted network such as the internet. [2] A DMZ is a network configuration designed to segregate computers on each side of a firewall. A commercial DMZ creates a separate subnet outside of the firewall, containing one or more computers, to better protect the devices inside the firewall. [3] A router with a DMZ subnet allows access to the DMZ from the WAN while the firewall protects the LAN. [4] A DMZ can also be established using one or two firewalls. The single-firewall solution uses multiple interfaces to create multiple DMZs with multiple security zones. Each security zone can be created for a different level of security: low, medium, high, and anything in between. [2] For the University campus, the best option is to create the DMZs using the existing hardware, which is the Cisco ASA firewall.
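To make the single-firewall, multi-zone design concrete, here is an added example (written for this review, not from the proposal or from Cisco) that models how an ASA decides whether a new connection may cross between interfaces of different security levels: traffic from a higher level to a lower one is allowed by default, traffic from a lower level to a higher one is dropped unless an access-list entry permits it. The security levels, the DMZ block 10.10.10.0/24 with a web server at 10.10.10.80, and the internet address used in the tests are assumptions for illustration; the inside networks are the campus blocks from Part A.

```python
import ipaddress

# ASA-style interface security levels: 0 is least trusted, 100 most trusted.
# The DMZ sits in between. These levels are illustrative, not from the proposal.
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

# Addresses behind each interface. The inside networks are the campus LAN and
# Wi-Fi blocks from Part A; the DMZ block is constructed for this example.
ZONE_NETS = {
    "inside": [ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.3.0/24")],
    "dmz": [ipaddress.ip_network("10.10.10.0/24")],
}

# Explicit permits for traffic the default policy would deny (lower to higher
# security level), e.g. the public web server in the DMZ on HTTPS only.
# Entries are (source zone, destination network, protocol, port).
ACL = [("outside", ipaddress.ip_network("10.10.10.80/32"), "tcp", 443)]

def zone_of(ip):
    """Map an address to the interface it sits behind; anything else is the internet."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "outside"

def permitted(src_ip, dst_ip, proto, port):
    """Apply the single-firewall DMZ policy to a new connection.

    Default ASA behaviour: higher security level to lower is allowed (return
    traffic is tracked statefully); lower to higher is dropped unless an ACL
    entry permits it. Same-level traffic is not modelled here.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same segment: the flow never crosses the firewall
    if LEVELS[src] > LEVELS[dst]:
        return True
    for acl_src, acl_net, acl_proto, acl_port in ACL:
        if (acl_src == src and ipaddress.ip_address(dst_ip) in acl_net
                and acl_proto == proto and acl_port == port):
            return True
    return False
```

The important property to verify is the third case: a host in the DMZ that gets compromised still cannot open connections into the inside network, which is the whole reason for placing public services there.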
F.) Physical Security
Physical security is the protection of the University's information assets, IT services and resources, as well as ensuring the safety of faculty and students. Physical security requires three different areas of focus: prevention, detection and recovery. Prevention is key in any type of security outline. It is easier to prevent an attack than it is to recover from one. [2] Protecting the perimeter of the network and making sure the network is extremely difficult to access helps prevent an attacker from attempting to breach the security in place. If a breach occurs, being able to detect who breached the network and when, what was accessed, and whether it is missing or damaged is of utmost importance. Finally, how a network recovers after a breach is paramount to preventing any additional occurrences. If the network is breached, a review of the physical security policy is required to determine how the breach occurred and whether the security profile has been sufficiently hardened. After review of the security policies in place, the weakness that allowed the breach should be corrected to prevent future attacks on the network. [2]
The S2 NetBox Online cloud-based access control system chosen to protect the buildings works with existing infrastructure and peripheral devices, allowing seamless integration. The S2 system is scalable and allows the integration of third-party access control devices such as the Sargent Assa Abloy door locks.
The first step in physical security is protecting the buildings themselves with Sargent Assa Abloy Harmony exterior door locks. Priced at $900 each including the trim, lever and mortise box, the Harmony lock includes all access control capabilities such as a card reader, door position switch and request-to-exit monitoring sensors. The hardware is compatible with all popular access control systems, such as the S2 NetBox Online system, and supports a variety of openings, while industry-leading Grade 1 hardware offers the highest degree of physical security available in access control locks. [5] These locks and the access control system will allow IT professionals and administrators to prevent unauthorized access to the buildings on campus. The interior Sargent Assa Abloy Passport PoE locks will be placed on each interior door. These locks provide a cost-effective, future-proof solution for the campus while providing simultaneous support for multiple credentials, and offer an easy migration path to higher-security credentials and mobile access. [5] In addition to the locks, each faculty member will be assigned an access card for entrance into their offices, and student areas will only be accessible 8am through 8pm. The interior and exterior doors will automatically lock at 8pm every night, barring entrance to everyone except faculty with access cards. The doors will unlock at 8am every morning; faculty access cards will be permitted to access the buildings at any time. The doors will allow exit via the request-to-exit monitoring sensors.
For access to the computers, each student will be given a username and password, which will expire every 90 days. Students are permitted to access the buildings between the hours of 8am and 8pm. The students will only be able to access the network-based computers with a student log-in and password, provided by administration at the time of registration. The password will expire at the end of every semester and will only be renewed if the student is in good academic and financial standing.
The second step in physical security is protecting the perimeter of the buildings with video surveillance of all exits and entrances of the two buildings. There should also be video surveillance in common areas such as the lobby and stairways, the computer lab and library, and placed strategically throughout the hallways in both buildings. Surveillance should also be placed outside the buildings on the lamp posts along the pathways connecting the two buildings. The Lorex LNB4163 4MP High Definition IP indoor/outdoor camera with Color Night Vision, a bullet-style surveillance camera, will be installed throughout the two new campus buildings. They are priced at $200 each and require Cat5e PoE cables for installation. The camera has an 83 degree field of view, 2K resolution, 3.6mm lens, 4MP sensor and 130 feet maximum night vision. To extend the distance, an 8 port 10/100Mbps + 1 Gigabit 802.3af PoE+ switch will be placed in each building connecting all the cameras together. Each switch will cost $280 and will be connected to the router, and the router connected to the Network Video Recorder (NVR). The NVR purchased will be the Lorex NR9326 priced at $1400. The NVR is capable of incorporating up to 32 separate cameras with the assistance of the PoE switch and contains a 6 terabyte security-certified hard drive. This NVR is capable of recording 4K video in real time on all 32 channels. One benefit of using a 4K security system is the additional resolution available during an incident, which offers the best chance of capturing useful evidence such as distinct facial features. [6]
This hardware will be used to provide optimal security on the University campus. The electronic locks will be used to help prevent a physical security breach in either of the buildings. The surveillance cameras will also aid in prevention, since they are a deterrent for people trying to gain access to the buildings without authorization. The cameras are also used for detection and recovery, as they will record any nefarious acts, which will help law enforcement or administrators determine the "who" and possibly the "what." Finally, the cameras will aid in the recovery portion of physical security because they will provide administrators with a visual account of the security breach as it is happening. This will help administrators implement new policies and procedures to prevent future breaches in security. [2]
G.) Network Security Measures
Social engineering is an attempt to fraudulently obtain sensitive data from a user. Social engineering is primarily accomplished by a person masquerading as someone the user trusts, then asking for personal information such as passwords, usernames, bank account information and social security numbers, to name a few. Two different types of social engineering are used: passive and active. Passive social engineering takes advantage of the unintended actions of a user to gather information, while active social engineering involves the user directly. [2] These types of attacks can be prevented by implementing a social engineering policy. That policy would include bi-annual mandatory training for all faculty, including IT professionals and administrators, and for students. Faculty and students should also be tested by an outside third party to see if they fall prey to a social engineering scam. These kinds of tests help keep users on their toes and less susceptible to a social engineering attack. The policy should also state that users must comply with the rules regarding social engineering, such as: do not open attachments from unknown senders, do not provide anyone with sensitive information, make online transactions only on websites that use the https protocol, and do not trust anyone requesting personal or sensitive information. [7]
Malware, or malicious software, is a type of computer program designed to infect a computer and inflict harm. Malware can be anything from a virus to a worm, a Trojan or spyware. Protection against students or faculty willingly or unwillingly infecting computers with malware starts with personal vigilance, through training on social engineering techniques and prevention. The requirement of a username to log in to a computer for all students and faculty can also protect against unintended malware infection by a student or faculty member. If a student or faculty member intends to infect a computer with malware, knowing they will be caught because of the required log-in may be a deterrent.
A computer's second layer of defense against malware is malware security protection known as a host-based intrusion detection system (IDS) or antivirus software. Antivirus software such as Kaspersky Antivirus can be installed on a computer, where it will periodically scan the computer and its files to detect and defeat malware. In addition, the antivirus software can recognize and warn against previously unknown malware threats based on technical features of the malware, and warn against suspicious websites. Kaspersky was chosen for the University because it is easy to use and install and it is effective. There is no such thing as 100% protection against malware, but with personal vigilance and antivirus software, a computer is as protected as it can be. [8]
H.) UMUC’s Liability Policy
Personal devices may be used on the wireless LAN with the acceptance of the BYOD
policy. The policy will be accepted by each user as he/she logs onto the WLAN with their
device. The end user will not be able to access the network without checking the “accept” button
on the login page. The BYOD policy will state that all personal devices logged into the network
will keep screen locks on, use device-tracking software and notify the college immediately if a
device is lost so that IT can wipe it clean. This will prevent sensitive information on the network
from ending up in the wrong hands. All students and faculty must also electronically sign a
document stating they will upload and maintain antivirus software on their device. [9] If the
end user does not comply with these requirements, he/she will not be allowed to participate in
the BYOD program at UMUC. Furthermore, UMUC will not be liable for any damages to a
device while connected to the network or the guest WiFi.
References:
[1] "Cisco Identity-Based Firewalls", Cisco.com. [Online]. Available: https://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/at_a_glance_c45-675579.pdf.
[2] LabSim Network Pro. TestOut, 2016.
[3] B. Mitchell, "Does your home computer network have a Demilitarized Zone (DMZ)?", Lifewire, 2017. [Online]. Available: https://www.lifewire.com/demilitarized-zone-computer-networking-816407.
[4] "What's the difference between DMZ Host and DMZ Subnet? - DrayTek Corp.", Draytek.com, 2018. [Online]. Available: https://www.draytek.com/en/faq/faq-connectivity/connectivity.lan/whats-the-difference-between-dmz-host-and-dmz-subnet/.
[5] "Harmony Mortise Lock Overview by SARGENT", Sargentlock.com. [Online]. Available: http://www.sargentlock.com/products/product_overview.php?item_id=1878.
[6] "4MP High Definition IP Camera with Color Night Vision", Lorex Technology. [Online]. Available: https://www.lorextechnology.com/hd-ip-camera/1080p-4mp-ip-camera-with-color-night-vision/LNB4163BW-1-p.
[7] N. Lord, "Social Engineering Attacks: Common Techniques & How to Prevent an Attack", Digital Guardian, 2018. [Online]. Available: https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack.
[8] "What is Malware and How to Defend Against It?", Usa.kaspersky.com. [Online]. Available: https://usa.kaspersky.com/resource-center/preemptive-safety/what-is-malware-and-how-to-protect-against-it.
[9] M. Delaney, "The ABCs of BYOD on Campus", Technology Solutions That Drive Education, 2013. [Online]. Available: https://edtechmagazine.com/higher/article/2013/08/abcs-byod-campus.