Your task is to secure communication between HQ and Melbourne and Brisbane. You should provide secure remote access by:
- Clientless VPN connecting to the ASA Firewall

- Remote users may have different access authorization to the HQ internal resources, e.g. Web Server.

IP ADDRESSING

IPV4 ADDRESS RANGE

IP Address: 192.168.0.1
Network Address: 192.168.0.0
Usable Host IP Range: 192.168.0.1 - 192.168.0.126
Broadcast Address: 192.168.0.127
Total Number of Hosts: 128
Number of Usable Hosts: 126
Subnet Mask: 255.255.255.128
Wildcard Mask: 0.0.0.127
Binary Subnet Mask: 11111111.11111111.11111111.10000000
IP Class: C
CIDR Notation: /25
IP Type: Private
Short: 192.168.0.1 /25
Binary ID: 11000000101010000000000000000001
Integer ID: 3232235521
Hex ID: 0xc0a80001
in-addr.arpa: 1.0.168.192.in-addr.arpa
IPv4 Mapped Address: ::ffff:c0a8.01
6to4 Prefix: 2002:c0a8.01::/48

IPV6 ADDRESS RANGE

IP Address: 2001:db8:85a3::8a2e:370:7334/64
Full IP Address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Total IP Addresses: 18,446,744,073,709,551,616
Network: 2001:0db8:85a3:0000::
IP Range: 2001:0db8:85a3:0000:0000:0000:0000:0000 - 2001:0db8:85a3:0000:ffff:ffff:ffff:ffff
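
The IPv4 and IPv6 values listed above can be re-derived with plain mask arithmetic, and the same arithmetic shows what a wildcard mask such as 0.0.0.127 matches when it is used in an access-list entry. This is an added example, not part of the original essay; the function names `subnet_facts` and `wildcard_match` and the sample source addresses are assumptions made for illustration.

```python
import ipaddress


def subnet_facts(cidr):
    """Derive calculator-style subnet values from an interface address in CIDR form."""
    iface = ipaddress.ip_interface(cidr)
    total_bits = iface.network.max_prefixlen      # 32 for IPv4, 128 for IPv6
    host_bits = total_bits - iface.network.prefixlen
    wildcard = (1 << host_bits) - 1               # host bits set to 1
    netmask = ((1 << total_bits) - 1) ^ wildcard  # network bits set to 1
    first = int(iface.ip) & netmask               # network address
    last = first | wildcard                       # broadcast (IPv4) or last address (IPv6)
    addr = type(iface.ip)                         # IPv4Address or IPv6Address

    facts = {
        "network": addr(first).exploded,
        "last": addr(last).exploded,
        "total": 1 << host_bits,
        "integer_id": int(iface.ip),
        "hex_id": hex(int(iface.ip)),
    }
    if iface.version == 4:
        facts["netmask"] = str(addr(netmask))
        facts["wildcard"] = str(addr(wildcard))
        facts["reverse"] = iface.ip.reverse_pointer
        facts["private"] = iface.ip.is_private
        if host_bits >= 2:  # /31 and /32 have no separate network/broadcast addresses
            facts["usable"] = (str(addr(first + 1)), str(addr(last - 1)))
    return facts


def wildcard_match(base, wildcard, candidate):
    """Cisco-style wildcard test: bits set in the wildcard are ignored,
    every other bit of the candidate must equal the base address."""
    b, w, c = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard, candidate))
    care = ~w & 0xFFFFFFFF
    return (b & care) == (c & care)


if __name__ == "__main__":
    v4 = subnet_facts("192.168.0.1/25")
    for key, value in v4.items():
        print(f"{key:>10}: {value}")
    # Constructed sample sources checked against the /25's network and wildcard.
    for src in ("192.168.0.126", "192.168.0.128", "192.168.1.5"):
        print(src, wildcard_match(v4["network"], v4["wildcard"], src))
    v6 = subnet_facts("2001:db8:85a3::8a2e:370:7334/64")
    print(v6["network"], "-", v6["last"], v6["total"])
```

An address one past the broadcast address (192.168.0.128) fails the wildcard test, which is the boundary to check when a /25 is used to scope access to internal resources.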

The purpose of this networking project is to plan a Local Area Network (LAN) for XYZ organization. The report also examines the weaknesses of the company network and implements security measures to protect network assets and infrastructure services. The redesign covers the physical and logical design of a LAN by building a test network that covers the data, management, and control planes and comprises PCs, servers and an ASA (Adaptive Security Appliance) 5505 firewall. Access layer and multilayer switches are configured for end-to-end connectivity, and security layers are then applied on those devices to protect the infrastructure. The objective of this paper is to describe the security issues and sound solutions for the LAN set up for XYZ organization by building a secure LAN infrastructure, and to recommend the best practices that would protect the network infrastructure from internal and external attacks. Authentication, Authorization and Accounting (AAA) security techniques were identified as essential for the LAN and were configured in two steps. First, the parameters were configured appropriately, and later they were activated for the whole network. Similarly, parameters for TACACS+ were defined on the switches at both HQ and the branch offices so that they communicate with the TACACS+ servers. Remote Authentication Dial-In User Service (RADIUS) was implemented alongside it to provide centralized AAA services for all users' resources. The technology helped manage the company's access to the Internet, internal networks, and email services.

  • To implement a zone-based policy firewall on the company's branch office edge router.
  • To implement an Intrusion Prevention System (IPS) on the company's branch office network.
  • To implement a Cisco ASA firewall on the company's headquarters office network.
  • To secure traffic between the company's branch and the HR/Finance departments.
  • To secure traffic between the company's branch and the sales departments.
  • To implement non-remote access on the company's management and admin departments.
  • To secure the XYZ company headquarters offices with remote home access to the Brisbane and Melbourne home networks through a clientless VPN connection with the ASA firewall.
  • To segment the company network according to all departments.
  • To protect the company LAN against layer 2 weaknesses including VLAN attacks, DHCP attacks, DTP, VTP and STP control.
  • To implement AAA authentication on the company network.
  • To secure NTP communications on the company's network.
  • To harden layer 3 devices across the control, management, and data planes.

The control plane, data plane and management plane form the core of the XYZ company network. In current networking equipment, they are used to move IP packets from end to end. The management plane is a crucial component and is also widely accepted as the path for user-to-hardware communication. These planes of operation are the building blocks of the layered architecture that networks have evolved into today (Björk, 2018). Abstracting data to fit these constructs is how the Internet works today.

  • Implementation of the industry best practices for layer 3 and layer 2 devices.

Layer 3 switches and routers work at the network layer. They therefore not only direct broadcasts but also direct multicast communication and decide the best path a frame should take, thereby managing packet forwarding. More often than not, routers are the network's gateway to the Internet or to a larger WAN.

  • Physical Security.

Physical security is frequently seen as the first line of defense for the network. It prevents an intruder from getting into the network physically (by sitting at an already logged-in PC and retrieving data from it). Applying physical security to the XYZ company network gives every employee the following rules:

  • An employee should be present whenever a PC is logged in.
  • Logged-in PCs should never be left unattended.
  • If possible, access to the server room where the XYZ network is located should be controlled and closed to individuals who have no business there.
  • The switch and firewall should not be accessible to people outside the company team. If this is not possible, users should be limited to logging in only on specific systems, whether they are identified by MAC addresses (see additional sections) or by hostname. Security can also be improved by allowing them access only at specific times, for instance.
  • The team should adopt a clean desk policy: important documents should be stored on CDs or USB keys and should not be left unattended (secure drawers, take home).
  • The company's network should be protected against power disruptions and environmental hazards. More broadly, other measures that can be taken to increase the physical security of the infrastructure include biometrics, which are useful for identification purposes. Guests should not be left unattended, and server rooms should be equipped with proper monitoring devices (cameras, for instance), monitored by suitably trained staff, or secured with keycard access doors.

Referring to the shape and layout of the XYZ company network, the topology describes the preferred connection between nodes as well as how communication is carried out. The implementation resulted in the most common hierarchical network structure. It was decided that using this structure to build the company network would be the most appropriate way to objectively represent the business.

XYZ organization, like many other organizations, built its own LAN infrastructure with special consideration of security measures to protect its assets from any kind of attack. Building a well-secured LAN required designing the network topology before choosing which physical devices to purchase or technologies to deploy. The topology design was characterized by identifying the network's interconnection points, the size and scope of the network, and the type of interconnecting devices used. Essentially, network design is one of the four phases of the PDIOO (Plan Design Implement Operate Optimize) life cycle. In this phase of the network life cycle, the designer's task was to develop the physical and logical design of the network project.

The physical design of the network was concerned with identifying the LAN and WAN technologies and network devices that would realize the logical design in practice. During this phase, the network designer was responsible for choosing components such as cabling, routers, switches, and servers. As shown in Appendix II, the logical design phase is the foundation for the physical network design in Appendix I, and it is where the designer developed a hierarchical and modular network. This phase included the design of network layer addressing, the selection of switching and routing protocols, security planning and network management design. The complexity of the topology depends on the size of the network and the traffic characteristics of the infrastructure.

Because of the anticipated growth and complexity of the XYZ organization network, a flat network design model would not work. The network designers were therefore required to build the network with a modular approach. This approach split the large and complex tasks by specific function and made the design project more manageable. Accordingly, the organization's network infrastructure included the organization's LANs, remote-access infrastructure, and WAN functionality, a situation that hierarchical modeling techniques fit well.

Network Topology and Hierarchical Modeling

Fundamentally, a hierarchical model is a three-layer modular and structural design technique used to design a LAN or WAN network (Judge et al., 2018). Such a design model divides an organization's network into discrete layers consisting of many interrelated components. A hierarchical model design has three layers, namely the core, distribution, and access layers. Each layer has its own functions, and the layers are built using network devices like routers or switches, or combined in a single device.

The primary task of the access layer is to connect local users to the network so that they can access network resources and services. This layer is designed to deliver local user packets to the targeted end-user computer and also to ensure legitimate access to network resources and services. End devices such as PCs, printers and IP phones are connected to the access layer. Besides that, interconnecting devices such as routers, switches, hubs and wireless access points can be part of the access layer (Kumbhari et al., 2018).

The distribution layer is a middle layer between the access and core layers of a network. In other words, it is regarded as a demarcation point between these layers. It is where traffic flow control and access control take place. More often, the distribution layer is the preferred place for designing virtual LANs (VLANs) to create one or more broadcast domains and for configuring network devices like routers to route IP packets across VLANs (Perlman et al., 2016). Besides that, the access layer is used to implement different functionalities concerning network policies, IP addressing, area aggregation and quality of service (QoS). The distribution layer hides detailed topology information of the access layer from the core layer through address summarization; likewise, it summarizes core layer destination addresses and hides that information from access layer devices. The distribution layer improves core layer performance by interconnecting networks that run different protocols and by redistributing between bandwidth-intensive access layer routing protocols, such as IGRP (Interior Gateway Routing Protocol), and optimized core routing protocols, such as EIGRP (Enhanced Interior Gateway Routing Protocol).

The core layer is a high-speed switching backbone responsible for interconnecting distribution layer devices. This layer aggregates traffic from all distribution layer devices and is responsible for forwarding large amounts of data at high speed across the network. To increase the data throughput of the network, packet filtering and other policy-based configurations are avoided at the core layer, since they add unnecessary latency to the network and significantly affect overall network responsiveness. Besides, the core layer should be highly reliable and fault tolerant (Wang et al., 2018). This is achieved by setting up full-mesh redundant links among the core layer switches and between them and the access layer switches. Besides that, it is necessary to have backup power supplies in case of power failures.

Conclusion

The fundamental reason for implementing network security is to secure the network and the system resources connected to it. Data in any form is considered a valuable asset of the network, and losing or disclosing it may cost money or cause a disaster. Implementing security controls in a networked environment enables the network infrastructure to operate properly as intended. For this reason, companies, governments, and other organizations have prioritized network security and spent billions of euros on planning and implementing newer technologies. In today's open environment, organizations that want to provide access to network resources need to examine the security threats that may result in an attack on the infrastructure. It is worth remembering that an attack may also come from inside the network premises, from trusted employees. A security analyst is concerned with finding any kind of vulnerabilities and attacks that may threaten the current operation of the infrastructure and also the survival of XYZ company.

The risk to a network's security is the likelihood that a specific threat exploits a specific vulnerability of a computer system, leading to losses of assets and resources. There are many threats to a network infrastructure, but risk analysts have to focus on the threats that matter most. Today no computer system is immune to attack, and companies need to implement effective security measures that are capable of protecting their network infrastructure and resources. To withstand an attack coming from inside or outside the organization's network, administrators need to choose adequate security technologies and their placement in the network infrastructure. Many security technologies are available today, but their selection and deployment must match the organization's overall goals and security policy. Before developing a security policy it is necessary to establish a security plan that decides what should be protected and from whom. The best way to do this is to conduct a risk analysis that lists what are considered permissible and non-permissible actions and, beyond that, determines where and how security issues are addressed.

An effective security policy proposed for XYZ company should include a user access policy, remote access policy, accountability policy, authentication policy, incident response policy, internet access policy, email policy, physical security policy, maintenance policy and violation reporting policy. In general, each policy should not be over-restrictive but should rather facilitate the use of resources with a certain level of restriction. The depth of the security policy depends on how much we trust people, and the policy needs to draw a line that balances between allowing users to access company resources to do their jobs and completely denying access to those resources and assets. Generally, XYZ company administrators together with senior managers of the organization are responsible for designing the security policy. Input from users, staff, managers, network administrators and designers is required to develop an effective security policy. However, it is absolutely necessary to seek legal advice before communicating with users and staff of the organization and asking them to abide by the rules of the policy documents.

All configurations were carried out in Packet Tracer 7.1, hence no specific challenges were encountered in meeting the XYZ company network configuration requirements.

References

Björk, L., 2018. Writing a Best Current Practice about security in an already established network design.

Cisco. (2018). Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S - Zone-Based Policy Firewalls [Support]. [online] Available at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html [Accessed 26 Oct. 2018].

Cisco. (2018). IPv6 Addressing and Basic Connectivity Configuration Guide, Cisco IOS XE Release 3S - IPv6 Addressing and Basic Connectivity [Support]. [online] Available at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-add-basic-conn-xe.html [Accessed 26 Oct. 2018].

Cisco. (2018). Cisco IOS Intrusion Prevention System Configuration Guide, Cisco IOS Release 15MT - Cisco IOS IPS 5.x Signature Format Support and Usability Enhancements [Support]. [online] Available at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_ios_ips/configuration/15-mt/sec-data-ios-ips-15-mt-book/sec-ips5-sig-fs-ue.html [Accessed 26 Oct. 2018].

Judge, P.Q. and Terrell, J.R., Luma Home Inc, 2018. Device for network security and management. U.S. Patent Application 29/561,797.

Kumbhari, U.K. and Rege, R.B., International Business Machines Corp, 2018. Using timestamps to analyze network topologies. U.S. Patent Application 10/033,591.

Omnisecu.com. (2018). How to configure Cisco IOS Zone Based Firewall. [online] Available at: https://www.omnisecu.com/ccna-security/how-to-configure-cisco-ios-zone-based-firewall.php [Accessed 26 Oct. 2018].

Perlman, R., Kaufman, C. and Speciner, M., 2016. Network security: private communication in a public world. Pearson Education India.

Support, P., Software, C., 15.3M&T, C. and Guides, C. (2018). Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T - Zone-Based Policy Firewalls [Cisco IOS 15.3M&T]. [online] Cisco. Available at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html [Accessed 26 Oct. 2018].

Study-ccna.com. (2018). How to configure IPv6. [online] Available at: https://study-ccna.com/how-to-configure-ipv6/ [Accessed 26 Oct. 2018].

Support, P., Switches, C. and Guides, C. (2018). Catalyst 6500 Release 12.2SY Software Configuration Guide - Denial of Service (DoS) Protection [Cisco Catalyst 6500 Series Switches]. [online] Cisco. Available at: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/denial_of_service.html [Accessed 26 Oct. 2018].

Support, P., Products, E., Professional, C. and TechNotes, C. (2018). Cisco Configuration Professional: Zone-Based Firewall Blocking Peer to Peer Traffic Configuration Example. [online] Cisco. Available at: https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/112237-block-p2p-zbf-ccp-00.html [Accessed 26 Oct. 2018].

Services, P. (2018). Cisco IOS Intrusion Prevention System (IPS). [online] Cisco. Available at: https://www.cisco.com/c/en/us/products/security/ios-intrusion-prevention-system-ips/index.html [Accessed 26 Oct. 2018].

Wang, B., Zheng, Y., Lou, W. and Hou, Y.T., 2015. DDoS attack protection in the era of cloud computing and software-defined networking. Computer Networks, 81, pp.308-319.

Cite This Work


My Assignment Help. (2021). Essay: IP Addressing And LAN Security For XYZ Org.. Retrieved from https://myassignmenthelp.com/free-samples/itnet203a-network-security/security-issues.html.
