
Scenario 1 Network Security and Firewall Implementation

The Directorate of Diplomatic Officers has recently agreed a new network infrastructure to connect its 3 international offices in Rome, Cambridge and Chicago. Your task is to complete the design and produce a working prototype configuration to prove the implementation will work.

The offices in Cambridge, Chicago and Rome will be interconnected via a resilient T1 mesh network, either as direct links or as part of an expandable Managed Service. The clock rates are provided by Cambridge and Rome if direct links are recommended. It is anticipated there are requirements for around 2300 hosts at the Chicago office and a potential 1093 hosts at both the Rome and Cambridge offices. There will be 12 further offices within Europe in the next 2 years, each with a minimum of 550 hosts.

The Cambridge office is used to host a connection to the Internet via a Managed Ethernet Connection (Fast Ethernet) with an allocated address of 209.123.234.5/30. As the organisation has not previously been connected to the Internet, it has not been allocated a block of addresses to use other than the dedicated Internet link. The new network design must use a configuration that reflects this lack of addresses and utilise appropriate addressing through the use of RFC1918 addresses.

The organisation needs to implement a security policy on a suitable router to:
Ensure that only users from its main 3 offices can attach to the corporate data centre at 199.199.199.199.
Ensure that only Chicago users on the Administration VLAN are able to access the Finance Server hosted at an ASP at address 200.200.200.200, utilising an application on port 1234 using TCP.
Ensure that only Rome and Cambridge users are able to access an EU Research database using http, https and ftp (remember ftp uses two ports) on address 194.123.88.99.
Allow all users to access an off-site email server running IMAP/POP3/SMTP, in the appropriate directions, on address 180.145.22.33.
Block access to a range of file-sharing networks using IRC, where demotivated employees are downloading copyrighted material, on networks 206.206.83.0, 206.207.82.0, 206.207.83.0, 206.207.84.0 & 206.207.85.0.
Permit only internally initiated connections to access the Internet.
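The security policy above, modelled as a first-match extended ACL so that each rule can be checked against sample flows before it is typed into the router. This is an added example, not part of the assignment text; the RFC1918 site ranges, the Chicago Administration VLAN subnet and the log line format are assumptions, since the assignment leaves the VLSM plan to the student.

```python
import ipaddress

def nets(*cidrs):
    """Build a list of networks from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]

# Assumed RFC1918 site ranges: a /20 holds Chicago's 2300 hosts, a /21 holds the
# 1093 at Rome and at Cambridge; the Chicago Administration VLAN is assumed to be
# one /24 inside the Chicago block.
CHICAGO, ROME, CAMBRIDGE = nets("10.3.0.0/20", "10.1.0.0/21", "10.2.0.0/21")
CHICAGO_ADMIN = ipaddress.ip_network("10.3.1.0/24")
ANY = nets("0.0.0.0/0")
OFFICES = [CHICAGO, ROME, CAMBRIDGE]
DATA_CENTRE, FINANCE, RESEARCH, MAIL = (
    nets("199.199.199.199/32"), nets("200.200.200.200/32"),
    nets("194.123.88.99/32"), nets("180.145.22.33/32"))
IRC_NETS = nets("206.206.83.0/24", "206.207.82.0/24", "206.207.83.0/24",
                "206.207.84.0/24", "206.207.85.0/24")

# Ordered like an extended ACL applied to traffic leaving the sites, first match wins:
# (action, protocol, source nets, destination nets, destination ports or None = any).
# The explicit denies are the violations the assignment wants logged; return traffic
# from the Internet belongs in a separate inbound ACL that permits only established
# sessions, which this egress model does not cover.
RULES = [
    ("deny", "ip", ANY, IRC_NETS, None),                                # file-sharing block
    ("permit", "ip", OFFICES, DATA_CENTRE, None),                        # main 3 offices only
    ("deny", "ip", ANY, DATA_CENTRE, None),
    ("permit", "tcp", [CHICAGO_ADMIN], FINANCE, {1234}),                 # Admin VLAN only
    ("deny", "ip", ANY, FINANCE, None),
    ("permit", "tcp", [ROME, CAMBRIDGE], RESEARCH, {80, 443, 20, 21}),  # http/https/ftp
    ("deny", "ip", ANY, RESEARCH, None),
    ("permit", "tcp", ANY, MAIL, {25, 110, 143}),                        # SMTP/POP3/IMAP
    ("permit", "ip", ANY, ANY, None),                                    # internally initiated Internet
]

def evaluate(src, dst, proto="tcp", dport=None):
    """Return 'permit' or 'deny' for one flow; the first matching rule wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, srcs, dsts, dports in RULES:
        if rproto != "ip" and rproto != proto:
            continue
        if not any(src_ip in n for n in srcs) or not any(dst_ip in n for n in dsts):
            continue
        if dports is not None and dport not in dports:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

def violation_log(src, dst, proto="tcp", dport=None):
    """Constructed syslog-style line for a denied flow; None when permitted."""
    if evaluate(src, dst, proto, dport) == "permit":
        return None
    return f"ACL-DENY {proto} {src} -> {dst} port {dport}"
```

Running the constructed flows through `evaluate` before deployment catches ordering mistakes such as a permit placed after the deny that shadows it.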

All security violations must be logged in an appropriate syslog server. Additional considerations which will need to be addressed include:

1. Design, justify and implement a classless addressing scheme which will use VLSM to save spare addresses and encompass both the WAN and the local office-based LANs.
2. Set up appropriate links to the Internet and ensure anywhere on the network can access the organisation's data centre at 199.199.199.199.
3. Ensure appropriate secure routing and data-link connectivity between sites is used at all times.
4. Implement appropriate scaling techniques to allow the organisation to connect to the Internet whilst maintaining its internal addressing strategy.
5. Implement the appropriate ACLs or firewall functionality in line with the organisation's security policy at the most appropriate place.
6. Basic router and switch security should be applied to all console and virtual connections. Consider the use of appropriate technologies to help prevent unauthorised eavesdropping.
7. Configure all network equipment to be queried via SNMP for basic location, contact details and utilisation of serial links. Use only RO communities and test using an SNMP tool of choice.
8. Set up a syslog server and configure the equipment chosen to host the security policy to log all security violations.
