
Specialist Diploma in Network Security
School of Electrical & Electronic Engineering
ET0249 Project

Project: A Secure Office Network Environment

Information
The project requires you to work in a group of at most 3 persons. The project is divided into several parts, and you have to submit each part by the deadline given. Marks will be allocated as you progress through the implementation of your project.

Duration
14 Weeks + 1 Week for presentation

Rough Schedule of Project
Columns: Semester Week, Description, Percentage

1 [16 Apr - 20 Apr] Start of project - Briefing
2 [23 Apr - 27 Apr] Task 1: Set up and secure web server

Remaining semester weeks:
3 [30 Apr - 04 May]
4 [07 May - 11 May]
5 [14 May - 18 May]
6 [21 May - 25 May]
7 [28 May - 01 Jun]
8 [04 Jun - 08 Jun]
9 [11 Jun - 15 Jun]
10 [18 Jun - 22 Jun]
11 [25 Jun - 29 Jun]
12 [02 Jul - 06 Jul]
13 [09 Jul - 13 Jul]
14 [16 Jul - 20 Jul]
15 [23 Jul - 27 Jul]
16 [30 Jul - 03 Aug]
17 [06 Aug - 10 Aug]
18 [13 Aug - 17 Aug]
19 [20 Aug - 24 Aug]
20 [27 Aug - 31 Aug]

Remaining descriptions, in the order listed:
Presentation of Task 1 (20%)
Task 2: Set up the firewall
MST Week
Project lesson as usual
Holidays
Holidays
Holidays
Presentation of Task 2 (30%)
Task 3: Set up wireless network
Presentation of Task 3 (20%)
Task 4: Perform analysis of network
Presentation of Final Product
Presentation of Task 4 (10%)
Presentation of Final Product
Final Presentation & Report (20%)
Examination Week
Examination Week

Notes:
1 Labour Day - 01 May 2012 (Tuesday)
2 Vesak Day - 05 May 2012 (Saturday)
3 National Day - 09 August 2012 (Thursday)
4 Hari Raya Puasa - 19 August 2012 (Sunday), 20 August 2012 (Monday in-lieu)

ET0249 Network Security Project


Background
Acme Inc. deals with sales of widgets. In order to maintain a presence on the Internet, they have decided to re-vamp the entire network structure to include an internet gateway as well as wireless clients on their network. Your team has been asked to implement and test the following network design.

Task One
In order to complete this task, you have to set up the following:
- A server offering Web and File Sharing services
- A server managing Dynamic IP, Name Services and Network Time Protocol

Both servers are part of your office network and must be implemented using Linux. The Ubuntu910-alt Guest VM image is provided for your use together with the necessary ISO repository and setup documentation. As you are implementing a DHCP server, it would be advisable for you to segregate your network behind a NAT device.


Server 1 Web and File Sharing services


1. Implement the Web server using Apache2. This will be a static web server, hence there is no need to implement PHP or MySQL services. Create a default website for your company with a banner identifying your site.
2. Implement the File Sharing Services using vsFTP. This site will cater for anonymous as well as privileged users (users who have an account on this server). Ensure that anonymous users can only download files from this server. Privileged users are only allowed to access their own sites. Create sufficient access for 10 users.
3. The default web site is managed by the user "webmaster". He/She is only allowed to access/change the contents of the website. The webmaster will use FTP to upload/download files to the site. Set up the necessary privileges for this access.
4. The default web site will be called www.pbilXX.lab where XX is the group number.
5. All access to the site will be logged.

Server 2 DHCP, DNS and NTP services


1. Implement IP management using this server. Allocate the necessary IPs as per the original task discussion. You should consider reserving IPs for specific hosts on your system.
2. Limit the lease time of each allocated IP to 30 minutes.
3. Implement Name Services using this server. Please assign reasonable identifiers to the different hosts on your system, including the NAT/Router/Firewall. All hosts should be identifiable using the Name Service.
4. At present this system will be the authoritative server for the domain. Currently there is no external access to this server and the name service will only be available for internal users. All external references will be forwarded to the lab server (172.16.110.2).
5. This server will also be the reference NTP server for your network. Your local hosts should take their time from this server.

Once you have set up your system, you should:


1. The default web site should host your ongoing work. Hence, the final report will be taken as the material posted on the website. This should be a journal/blog of your project. A good idea is to take a look at the free wiki/blog software hosted on web servers and use that as a documentation tool. All work and screen captures showing work done should be posted on this site.


2. Test your system(s) to ensure that they meet the requirements as stated. You should also come up with a check list to ensure that the tests have been done. You will post the check list on the default web site together with your results when complete.
3. Perform a port scan on your servers to ensure that there are no vulnerable ports on the systems. List down the open ports and their functionality.
4. The normal method of saving your work has always been to save the image of the Guest VM. This usually takes 15-20 minutes to save for each VM with the possibility of errors in the copying. A better method is to perform a backup of the tasks/services configured. As this is a Linux system, the configuration files are usually in text. Suggest and implement a method of backing up your servers for the next laboratory.

Office Network
Network address: 10.10.10.0/24
The office network is divided into 3 sections:
.1-10 - Reserved static addresses
    .1 is reserved for the PIX interface
    .9 is reserved for the TFTP/Syslog server
    .10 is reserved for the HTTP server
.11-127 - Internal DHCP wired hosts
.128-254 - Internal DHCP wireless hosts

Deliverables
1. Show that the servers are working. Host a relevant web site, and do not use the default web page on the systems for your work. You might like to host your project report as the default web page.
2. For FTP server, allow anonymous read/write access. Host a relevant site for the FTP as well.
3. Show that connected computers are given an IP address by the DHCP server.
4. Show the scanning report of the servers that were set up.

Task Two
Set up the PIX firewall. Implement 3 security levels such as outside, DMZ and inside. The outside interface is physically connected to the lab network via specific points. For the IP address, please refer to the website in the lab. Use the network address 10.10.20.0/28 for the DMZ. Use the first usable address for the PIX interface. The DMZ hosts the FTP server. The FTP server should be accessible to all outside users and to users who are wired clients. Maintain an FTP server that provides anonymous as well as user access to both external and internal networks. You may use any FTP server program for this purpose (e.g. GuildFTP or Microsoft FTP). The FTP server is accessed from the external network using the 2nd last global address that was assigned by the ISP provider.


The PIX should allow anonymous read/write access to the FTP server on the DMZ from both the outside and office networks. Wireless clients are not allowed access to the FTP server. The PIX should allow only read access to the HTTP server for outside networks. All users of the network should also be able to access the HTTP server. The PIX provides Syslog information to a Syslog server on the office network. A TFTP server is also set up on the office network to save the configuration settings of the PIX. Both the Syslog and PIX servers are not to be accessed by external networks or the DMZ. You might like to refer to Appendix A for the IP Address for the external connection.

Deliverables
1. PIX firewall configuration scripts
2. Demonstrate the accessibility of the network
3. Ensure that PIX firewall events are displayed on the Syslog server.
4. Ensure that the PIX firewall configuration scripts can be saved using the TFTP server.
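The addressing plan and access rules from Task One and Task Two can be turned into an expected-result table for the accessibility demonstration. The following is an added example, not part of the original brief; the service labels and zone names are hypothetical, and treating DMZ-to-HTTP as denied and office-to-Syslog/TFTP as allowed are assumptions where the brief is silent.

```python
import ipaddress

OFFICE = ipaddress.ip_network("10.10.10.0/24")
DMZ = ipaddress.ip_network("10.10.20.0/28")
PIX_DMZ_IF = next(iter(DMZ.hosts()))   # first usable DMZ address
LOG_SERVER = OFFICE[9]                 # TFTP/Syslog server (.9)
HTTP_SERVER = OFFICE[10]               # HTTP server (.10)

def zone(ip):
    """Map a source address to a segment of the brief's addressing plan."""
    ip = ipaddress.ip_address(ip)
    if ip in DMZ:
        return "dmz"
    if ip not in OFFICE:
        return "outside"
    host = int(ip) - int(OFFICE.network_address)
    if 1 <= host <= 10:
        return "static"
    if 11 <= host <= 127:
        return "wired"
    if 128 <= host <= 254:
        return "wireless"
    return "invalid"                   # .0 and .255 are not host addresses

# Zones allowed to reach each service; everything else is expected to fail.
# Service labels are hypothetical names for this example.
ALLOWED = {
    "ftp_dmz": {"outside", "static", "wired"},           # wireless is barred
    "http": {"outside", "static", "wired", "wireless"},  # dmz: assumed denied
    "syslog_tftp": {"static", "wired", "wireless"},      # office: assumed allowed
}

def expected(src_ip, service):
    """True if the brief expects src_ip to reach the service."""
    return zone(src_ip) in ALLOWED[service]

def checklist(sources):
    """One (source, zone, service, 'allow'|'deny') row per test to run."""
    return [(s, zone(s), svc, "allow" if expected(s, svc) else "deny")
            for s in sources for svc in sorted(ALLOWED)]

if __name__ == "__main__":
    # Constructed sample sources; 203.0.113.7 stands in for an outside host.
    sample = ["203.0.113.7", "10.10.10.50", "10.10.10.200", "10.10.20.2"]
    for row in checklist(sample):
        print(*row)
```

Each row is one test to run through the PIX and record on the check list; a mismatch between the observed result and the expected column points at a rule to review.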

Task Three
- Set up the wireless access point to support the local wireless clients
- Use an appropriate name for the SSID.
- Implement the necessary security measures for the access point, such as disabling SSID broadcast, etc.
- Ensure that wireless clients are not allowed access to the FTP server

Deliverables
1. A list of the security measures that were implemented for the AP
2. Demonstrate that the client connected wirelessly is not able to access the FTP server
3. Make use of different profiles if possible to ensure that the necessary access is given.

Task Four
- Using appropriate tools, generate traffic on the network and examine the traffic pattern
- Demonstrate how you can detect a ping scan on the network
- Capture a portion of the network traffic, and explain what is actually happening
- Locate tools that can be used for penetration testing to examine how secure your network is
- Use a wireless sniffing tool to examine whether it is easy to discover the wireless network information based on the security measures that you have implemented
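One way to approach the ping-scan detection item above, as an added example that is not part of the original brief: flag any source that sends ICMP echo requests to many distinct addresses within a short window. The record format, the thresholds and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

ECHO_REQUEST = 8   # ICMP type of a ping request; type 0 is the reply

def detect_ping_sweeps(packets, window=10.0, min_targets=20):
    """packets: iterable of (timestamp_s, src, dst, icmp_type) records.

    Returns {src: (alert_time, distinct_targets)} for every source that
    sent echo requests to at least min_targets different destinations
    within any window of `window` seconds.
    """
    recent = defaultdict(deque)          # src -> (ts, dst) still in window
    alerts = {}
    for ts, src, dst, icmp_type in sorted(packets):
        if icmp_type != ECHO_REQUEST:
            continue                     # replies say nothing about the sender
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:     # drop requests older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_targets and src not in alerts:
            alerts[src] = (ts, len(targets))
    return alerts

def constructed_sample():
    """Constructed traffic on the brief's 10.10.10.0/24 office network."""
    pkts = []
    for i in range(1, 61):               # one host sweeping .1-.60 quickly
        pkts.append((i * 0.05, "10.10.10.150", f"10.10.10.{i}", 8))
        pkts.append((i * 0.05 + 0.001, f"10.10.10.{i}", "10.10.10.150", 0))
    for i in range(30):                  # monitoring host pinging one gateway
        pkts.append((float(i), "10.10.10.20", "10.10.10.1", 8))
    for i in range(25):                  # one new target every 5 seconds
        pkts.append((i * 5.0, "10.10.10.30", f"10.10.10.{100 + i}", 8))
    return pkts

if __name__ == "__main__":
    for src, (ts, n) in detect_ping_sweeps(constructed_sample()).items():
        print(f"possible ping sweep from {src}: {n} targets by t={ts:.2f}s")
```

The window and target count trade false positives against missed slow scans, so tune them against a capture of your own normal traffic.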

Final Deliverables
1. A project report detailing the network structure and configuration.
2. Screen capture of all the setup, output, and configuration of the network
3. References and technical information guides used
4. Demonstration of project


Appendix A: Network Setup in the Lab
