
Case Study 1 Bank (Golden Bank)


The Golden Bank (GB) is the largest financial institution operating in mainland Tivoli. GB has 28
branch offices around Tivoli and two remote branch offices in the islands of Greenland and Faroe.
GB has three major facilities, all located in mainland Tivoli: Headquarters, Operations and Backup.
The Headquarters facility is located in a downtown office that houses the administrative staff. The
Operations facility is located in a warehouse near an industrial area on the outskirts of Tivoli. The
Operations building, located 60 km from the Headquarters, houses the back-office technical
functions, the data centre and the GB IT staff. Finally, the Backup facility, located in the country area
of Tivoli about 100 km from the Headquarters, is used as a warm-site facility which can take over
within minutes in the event that the Operations facility fails.
The 28 branch offices are very similar in size and staff, spread around Tivoli in small buildings that
use relatively old and complex technology. Automated Teller Machines (ATM) at each branch use
different SNA (Systems Network Architecture) protocols to talk to the mainframe computer at
Operations. Currently, file servers still require IPX/SPX communication and some branches (not all)
use TCP/IP to connect to the Internet.
Additionally, each branch is connected to the Operations through a Cisco 2600 series Multiservice
Platform router for flexible LAN and WAN configurations and easy upgrading, also capable of
handling the many protocols used at the internet and transport layers in branch office
communications.
Apart from internal connections supporting the day-to-day activities of the organisation, GB also
deals with a dozen (12) outside support vendors including credit card processing, credit card
authorisation etc., all in a different way. The lack of standards is a major issue in Tivoli.

WANs in GB
Figure 1 outlines the complex group of WANs Tivoli currently uses to support its operations.
A mesh of three T3 leased lines connects the Headquarters, Operations and Backup buildings. These
lines operate at 44.7 Mbps, providing redundancy between the major facilities.
Branches connect to the major facilities most of the time via Frame Relay links. For each branch,
there are two 56kbps PVCs. One leads to the Operations and the other leads to the Backup facility.
There are ISDN backup lines in case of Frame Relay failure. The two islands are connected to the
Headquarters via 128kbps fractional T1 digital leased lines. By the same token, the 12 vendors are
connected to the GB via a frame relay network of 56kbps each. As shown in the diagram, GB uses
two separate ISPs for Internet connection via T1 leased lines.

Networks and Information Security Case study


Copyright Edilson Arenas
CQUniversity

Figure 1 Golden BANK WAN

LANs in GB
Each branch office (including the two islands) is supported by 10Base-T Ethernet LANs, which GB is
expecting to replace with more modern Ethernets. Each branch has an average of 20 employees
including the bank tellers, customer service and branch managers. The Headquarters houses 80
administrative, finance, accounting and management staff, supported by 100BaseT Ethernet LANs. In
the Operations facility, there are 20 engineers in charge of the technical support of the data centre,
networking, and maintenance and application development. The organisational and operational
structure of the Backup facility is very similar to Operations.

Current ICT infrastructure


Branch (including the islands)
Hardware
Staff equipped with Desktop PCs running Windows 8
Two ATM machines
2 networked Laser Printers
2 network flat-bed scanners
1 NAS for local storage
Cisco 2600 series Multiservice Platform routers
10BaseT Ethernet (2 subnets: administrative + management)
Software
Microsoft Outlook installed on all staff workstations to access emails
Accounting, finance software and Microsoft Office suite
Anti-virus and software firewalls
Headquarters
Hardware
Ten ATM Machines
Staff equipped with Desktop PCs running Windows 8
10 networked Laser Printers
10 network flat-bed scanners
Cisco 2600 series Multiservice Platform routers
100BaseT Ethernet (4 subnets: Finance + Accounting + Management + Administrative)
Software
Microsoft Outlook installed on all staff workstations to access emails
Specialised software (including Accounting, Finance, Decision Support, Executive and
Management) and Microsoft Office suite
Anti-virus and software firewalls
Operations
Cisco 2600 series Multiservice Platform routers
Operating system: Combination of Windows and Linux for servers
Staff equipped with Desktop PCs running Windows 8
All operational servers including FTP, HTTP/HTTPS, SMTP/SMTPS, DHCP, DNS, Authentication,
Telepresence, Domain Controllers, Database, SAN, Load Balancing and video are concentrated in this
facility.
Backup
As mentioned, the Backup is a warm-site facility which can take over within minutes in the event
that the Operations facility fails. Its infrastructure mirrors Operations.

Problem Statement
GB business processes rely on a combination of systems including Internet, IPX/SPX, SNA and
ICT-related services. The resulting ICT infrastructure is very complex, and the GB board of directors
sees it as problematic for the sustainability and further growth of the GB business. They argue that
the organisation is spending a great deal of money on the maintenance and integration of disparate
and cumbersome systems, with little room to expand and improve its services. The GB board of
directors claims that there needs to be a change and re-provisioning of its ICT infrastructure to
remain competitive. As part of this change, the transition to interoperability should be achieved in a
smooth manner and leverage the latest advancements in secure network infrastructure to guarantee
zero problems within the GB business processes. The bank is expected to expand its branch services to 30% in the
next 3 years. They are also considering embracing the latest Cisco immersive telepresence system
across the organisation, staff remote access and mobile services (staff BYOD and Work-at-home (WAT)
policies) that GB bank currently does not have.
In terms of security, the new system should safeguard the appropriate access and use of ICT
resources and ensure that unauthorised and malicious internal and external network attacks are
properly blocked. Network redundancy is currently achieved with the mesh of three T3 leased lines
connecting the Headquarters, Operations and Backup buildings; however, nothing has been done so
far in terms of a security plan including a robust disaster recovery and business continuity plan.

Statement of Work
Your task is to design and implement a secured network infrastructure that ensures high availability,
reliability, scalability, performance and security to support GB services. This requires 1) the design of
the network; 2) the delivery of a comprehensive network security plan; and 3) Security technology
implementation - proof of concept.
The following is a description of what is required.
Network Design
1. Network design including LANs, VLANs, WANs and VPNs. In this design, the IP address
allocation should use the CIDR format (x.y.z.t/n). Each group should have different ranges of
IP public and private addresses. Discuss with your mentor the range of addresses you are
planning to use.
2. Each LAN, WAN, VLAN and VPN should be justified in terms of traffic, reliability,
performance, availability, scalability and security. To do this you need to make a number of
assumptions (discuss this with your mentor / facilitator / teacher); however, assume that
ATM machines, Operations and Backup facilities are to operate 24/7. Other facilities are to
operate from 6:00am to 8:00pm daily.
For this design, take into account the following:
a. Traffic generated by the hosts: ATMs, clients, servers and backup devices
b. Appropriateness of current WAN links
c. Appropriateness of current WANs (Frame Relay)
d. Appropriateness of current LANs
e. VLANs requirements
f. All networking devices including routers and switches at each site or location
g. IP address allocation of each network and main network devices
h. Sub-netting to separate traffic including IP address allocation
i. Firewalls positioning and strategy: Dual firewall, Single firewall, stateful packet filter
j. Proxies
k. NAT/PAT
l. DMZs
m. Routing tables for all routers
n. Firewalls Access Control Lists
o. Diagram of the network topology and allocation of devices; and IP addresses for the main
network devices
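
One way to draft the CIDR address plan asked for in items g and h, as an added sketch that is not part of the original case study. The 10.20.0.0/16 range, the per-subnet host counts and the reading of the expansion as 30% more branch sites are assumptions; the subnet names for Headquarters and the branches follow the infrastructure list above.

```python
import ipaddress

# Assumptions (not from the case study): the 10.20.0.0/16 range and per-subnet host counts,
# sized from the staff and device numbers listed for each site.
SUPERNET = ipaddress.ip_network("10.20.0.0/16")
HQ = {"finance": 40, "accounting": 40, "management": 40, "administrative": 40}
DATACENTRE = {"servers": 60, "staff": 30}          # Operations; Backup mirrors it
BRANCH = {"administrative": 24, "management": 6}

def prefix_for(hosts):
    """Longest prefix whose usable addresses (block size minus 2) cover `hosts`."""
    return 32 - (hosts + 1).bit_length()

def site_prefix(needs):
    """One summarisable block per site: smallest power of two holding all its subnets."""
    total = sum(2 ** (32 - prefix_for(h)) for h in needs.values())
    return 32 - (total - 1).bit_length()

def carve(block, needs):
    """VLSM inside a site block; largest subnet first keeps every subnet aligned."""
    subnets, cursor = {}, int(block.network_address)
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        subnets[name] = ipaddress.ip_network((cursor, prefix_for(hosts)))
        cursor += subnets[name].num_addresses
    return subnets

def build_plan(sites_today=30, growth_pct=30):
    """Plan for HQ, Operations, Backup and the branches plus assumed growth headroom."""
    branches = -(-sites_today * (100 + growth_pct) // 100)   # 28 + 2 islands, +30% = 39
    sites = [("headquarters", HQ), ("operations", DATACENTRE), ("backup", DATACENTRE)]
    sites += [(f"branch-{i:02d}", BRANCH) for i in range(1, branches + 1)]
    plan, cursor = {}, int(SUPERNET.network_address)
    for name, needs in sorted(sites, key=lambda s: site_prefix(s[1])):  # biggest block first
        block = ipaddress.ip_network((cursor, site_prefix(needs)))
        if not block.subnet_of(SUPERNET):
            raise ValueError(f"{SUPERNET} exhausted at {name}")
        plan[name] = (block, carve(block, needs))
        cursor += block.num_addresses
    return plan

if __name__ == "__main__":
    for site, (block, subnets) in build_plan().items():
        print(f"{site:13} {block}")
        for vlan, subnet in subnets.items():
            print(f"    {vlan:15} {subnet}  ({subnet.num_addresses - 2} usable)")
```

Because each site sits inside a single aligned block, one route and one firewall object per site are enough, which keeps the routing tables and ACLs in items m and n short.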
Network Security plan
The network security plan should contain as a minimum the following:
1. Introduction outlining the importance of the plan and its purpose
2. Scope outlining the areas of the organisation to which the Plan applies
3. Assumptions documenting any assumptions you have made in order to prepare the plan
4. Clear and concise statements about what the Security Plan is designed to achieve
5. Summary and analysis of the organisation's risks, highlighting the current threats,
challenges and vulnerabilities along with an assessment of current security environment
and treatments in place
6. Security policies to address all possible network attacks and vulnerabilities
7. Disaster recovery and Business continuity plans
8. Security Strategies and Recommended controls including security policies
9. Residual risks that remain after all possible (cost-effective) mitigation or treatment of risks.
Your security plan should estimate, describe and rate these risks to guide the priorities for
ongoing monitoring of risks.
10. Resources and cost requirements for implementing the recommendation

Security Technology Implementation


As part of the security technology implementation and in line with the recommended controls
mentioned above in item 8, you need to provide at least the complete design of the following:
1. Data backup and recovery procedures. Note that there are NASs at the branches to back
up the data generated locally, however the vast majority of data is backed up to the File
Server Operations facility through the network.
2. Secure staff remote access and mobile services (staff BYOD and Work-at-home (WAT))
3. A proper authentication system that takes care of highly secured roles and permissions
to access, share, download, upload files and folders.
4. Proper safeguard required to prevent spam emails
5. Hardening of application servers including FTP, HTTP/HTTPS, SMTP/SMTPS, DHCP, DNS,
Authentication, Telepresence, Domain Controllers, Database, SAN, Load Balancing, video
and any other specialised banking software.
6. Network security including DMZs, firewalls, Proxies, IDSs, IPS, Cryptography etc.
7. Security Policies
GB Technology implementation - Proof of concept
As part of the project requirements, you will need to design, implement and test the Unified Threat
Management system (Enterprise Firewall) using open software like Endian FW, Vyatta or any other
system you are familiar with. The solution should address the firewall needs of GB, including the
installation of the software, configuration of the ACLs, and development of test cases to check the
complete functionality of the rules.
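
The ACL test cases can be drafted offline before the rules go onto the firewall. The following is an added example, not part of the original case study: a first-match model of an ACL with an implicit deny, a check for rules shadowed by earlier ones, and a table of expected verdicts. The rule set, addresses and ports are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination port; None matches any port

def covers(rule, proto, src, dst, port):
    """True if `rule` matches every packet of (proto, src net, dst net, port)."""
    net = ipaddress.ip_network
    return (rule.proto in ("any", proto)
            and net(src).subnet_of(net(rule.src))
            and net(dst).subnet_of(net(rule.dst))
            and (rule.port is None or rule.port == port))

def verdict(acl, proto, src, dst, port):
    """First matching rule wins; a packet matching nothing hits the implicit deny."""
    return next((r.action for r in acl if covers(r, proto, src, dst, port)), "deny")

def shadowed(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(acl)
            if any(covers(e, r.proto, r.src, r.dst, r.port) for e in acl[:i])]

def failures(acl, cases):
    """Test cases whose expected verdict differs from what the rule set returns."""
    return [c for c in cases if verdict(acl, *c[:4]) != c[4]]

# Constructed rule set and cases: every address and port below is an assumption.
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),      # Internet -> DMZ web
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),       # Internet -> DMZ mail
    Rule("permit", "tcp", "10.20.2.0/23", "10.20.1.0/26", 443),    # branches -> servers
    Rule("deny", "any", "10.20.2.0/23", "10.20.1.0/26", None),     # other branch traffic
    Rule("permit", "any", "10.20.1.64/27", "10.20.1.0/26", None),  # Operations staff
]
CASES = [  # (proto, src, dst, port, expected)
    ("tcp", "198.51.100.7", "192.0.2.10", 443, "permit"),
    ("tcp", "198.51.100.7", "192.0.2.10", 22, "deny"),    # implicit deny
    ("tcp", "10.20.2.40", "10.20.1.5", 443, "permit"),
    ("tcp", "10.20.2.40", "10.20.1.5", 3389, "deny"),
    ("udp", "198.51.100.7", "10.20.1.5", 53, "deny"),     # Internet -> internal
    ("tcp", "10.20.1.70", "10.20.1.5", 22, "permit"),
]

if __name__ == "__main__":
    print("failed cases:", failures(ACL, CASES), "shadowed rules:", shadowed(ACL))
```

If the branch deny rule is placed before the branch permit rule, `shadowed` reports the permit as unreachable and the third test case fails, which is the kind of ordering mistake the test cases are meant to catch.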
For the proof of concept, it is mandatory that you include the documented results (procedures and
screen dumps) of various network security attack tests (such as Network Penetration Test) as part
of your final project report. You may use your choice of security software/tools and operating
systems (Windows, Linux, or Ubuntu) in a virtualized environment to build and simulate the security
tests. To do this, students are advised to obtain a second-hand personal computer and give a physical
demonstration at the end of the term.
Final Remark
It is important to note that the final output of your project is comprehensive report
documentation comprising the network design, network security plan and security technology
implementation.

