ITNSA Project

The document outlines security weaknesses in BusyBugs' network, including lack of secure authentication and improper network segmentation, which allowed lateral movement by attackers. It proposes preventive measures such as access control, network segmentation best practices, and monitoring solutions to enhance security. Additionally, it discusses best practices for SafeNet's network security management and subnetting and firewall implementation for Karoo Manufacturing's network infrastructure.

Uploaded by Dharishan Naidoo

Question 1

1.1 Analysis of Security Weaknesses and Preventive Measures

The lack of secure authentication on the FTP server and improper network segmentation facilitated lateral movement by attackers. These vulnerabilities allowed unauthorized access to sensitive areas of the network, including the Database Subnet.

How these weaknesses contributed to lateral movement:
• Anonymous FTP Access: The FTP server was exposed to the internet with no authentication, making it an easy entry point for attackers.
• Improper Network Segmentation: The Management Subnet (10.10.4.0/24), which contained the FTP server, had access to other critical subnets such as the Database Subnet (10.10.3.0/24), allowing attackers to move laterally.
• Routing Protocol Weaknesses: Misconfigurations in OSPF (internal routing) and BGP (external routing) might have allowed malicious traffic to move freely between subnets.
• Insufficient Access Controls: There were no explicit access controls or firewall rules to restrict unauthorized traffic between subnets.
Proposed Plan to Prevent Lateral Movement:
1. Access Control Measures:
   o Disable anonymous access on the FTP server.
   o Implement Multi-Factor Authentication (MFA) for all remote and internal access.
   o Use role-based access control (RBAC) to restrict access to critical resources.
2. Network Segmentation Best Practices:
   o Isolate the FTP server in a Demilitarized Zone (DMZ), separating it from the internal network.
   o Implement firewall rules to block unnecessary communication between subnets.
   o Enforce Zero Trust Architecture (ZTA) by requiring authentication for each subnet interaction.
3. Monitoring and Intrusion Detection Solutions:
   o Deploy a Network Intrusion Detection System (NIDS) to monitor network traffic.
   o Enable logging and audit trails to track unauthorized access attempts.
   o Use Security Information and Event Management (SIEM) systems to analyze logs and detect anomalies.
4. Security Updates & Hardening Measures:
   o Regularly update FTP server software to patch vulnerabilities.
   o Conduct penetration testing to identify and remediate potential threats.
   o Enforce encryption (TLS/SSL) for data transfers over the network.
1.2 Monitoring & Incident Response Strategy

To address current weaknesses, BusyBugs needs a comprehensive monitoring and incident response strategy that includes log collection, Intrusion Detection and Prevention Systems (IDS/IPS), and an efficient incident response process.

1. Log Collection & Analysis:
   • Centralized logging using a Security Information and Event Management (SIEM) system.
   • Collect logs from FTP servers, firewalls, and routers to detect anomalies.
   • Automated alerts for suspicious logins, failed authentication attempts, and unauthorized file access.
2. IDS/IPS Deployment:
   • Install an Intrusion Detection System (IDS) to detect malicious activity.
   • Deploy an Intrusion Prevention System (IPS) to block unauthorized access attempts in real time.
   • Monitor network traffic using Deep Packet Inspection (DPI) to identify threats.
3. Incident Response & Alerting Process:
   • Define an Incident Response Plan (IRP) with clear roles and escalation procedures.
   • Automate real-time alerts to notify security teams of potential breaches.
   • Conduct regular security drills to ensure quick response to cyber threats.
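The automated alerts of step 1, worked through as an added Python example (not part of the original project): a small detector that parses vsftpd-style FTP log lines and raises an alert on any successful anonymous login and on a burst of failed logins from one client address. The log lines, the threshold and the window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's log style (not real BusyBugs logs): one anonymous
# login, a burst of failed logins from the same client, then one normal login.
SAMPLE_LOG = """\
Mon Mar  3 09:00:02 2025 [pid 2100] [ftp] OK LOGIN: Client "203.0.113.7", anon password "guest@"
Mon Mar  3 09:01:10 2025 [pid 2133] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 09:01:12 2025 [pid 2133] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 09:01:15 2025 [pid 2133] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 09:01:17 2025 [pid 2133] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 09:01:20 2025 [pid 2133] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 09:30:00 2025 [pid 2200] [jdoe] OK LOGIN: Client "10.10.4.25"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?:(?P<status>OK|FAIL) )?(?P<action>\w+): Client "(?P<ip>[^"]+)"'
)
FAIL_THRESHOLD = 5                    # failed logins from one client address ...
FAIL_WINDOW = timedelta(seconds=60)   # ... within this window raise one brute-force alert

def parse_line(line):
    # Return the fields of one vsftpd-style line as a dict, or None if the line does not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(re.sub(r"\s+", " ", ev["ts"]), "%a %b %d %H:%M:%S %Y")
    return ev

def detect(log_text):
    # Return (alert_type, client_ip, timestamp) tuples in log order.
    alerts = []
    failures = defaultdict(deque)   # client ip -> timestamps of FAIL LOGIN inside the window
    already_alerted = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "LOGIN":
            continue
        if ev["status"] == "OK" and (ev["user"] or "").lower() in ("ftp", "anonymous"):
            alerts.append(("anonymous_login", ev["ip"], ev["ts"]))   # forbidden by the new policy
        elif ev["status"] == "FAIL":
            window = failures[ev["ip"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:   # expire failures older than the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["ip"] not in already_alerted:
                already_alerted.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["ts"]))
    return alerts
```

Feeding the same function a SIEM export instead of SAMPLE_LOG gives the "suspicious logins" and "failed authentication attempts" alerts the strategy calls for.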
By implementing these preventative measures and monitoring solutions, BusyBugs can enhance network security, limit lateral movement, and prevent future data breaches.

Question 2

2.1 Best Practices for Strengthening SafeNet’s Network Security Management

To enhance SafeNet’s security, best practices should be implemented across firewall policies, VPN security, network segmentation, and access control.

Firewall Policies:
• Implement stateful firewalls to track active connections and prevent unauthorized traffic.
• Configure access control lists (ACLs) to allow only essential services and restrict unnecessary traffic.
• Enable Deep Packet Inspection (DPI) to detect malicious payloads within network traffic.
VPN Security:
• Enforce Multi-Factor Authentication (MFA) for VPN access to prevent unauthorized logins.
• Use IPsec (Internet Protocol Security) or SSL (Secure Sockets Layer) VPNs with strong encryption (AES-256).
• Implement split tunneling restrictions to prevent users from accessing both corporate and public networks simultaneously.
Network Segmentation:
• Adopt a multi-layered segmentation model by separating departments and branch offices into distinct VLANs.
• Restrict cross-segment communication using firewall rules to limit unnecessary lateral movement.
• Implement Zero Trust Architecture (ZTA), ensuring users and devices authenticate before accessing different segments.
Access Control:
• Apply Role-Based Access Control (RBAC) to restrict access based on job responsibilities.
• Monitor privileged accounts and enforce least privilege principles.
• Regularly audit user accounts and access logs to detect unauthorized access.

2.2 Evaluating Firewall and VPN Configuration for Security and Performance

Balancing security and performance requires proper configuration of firewalls, VPNs, and RDP protection mechanisms.

Firewall Configuration:
• Enable Geo-IP filtering to block connections from high-risk regions.
• Set rate-limiting rules to prevent brute-force attacks on RDP services.
• Utilize Next-Generation Firewalls (NGFWs) with application-layer filtering to block malware.
VPN Security Enhancements:
• Implement Always-On VPN for seamless and secure remote access.
• Use Perfect Forward Secrecy (PFS) to prevent compromised session keys from affecting future communications.
• Optimize VPN performance by using load balancing and QoS (Quality of Service) to prioritize business-critical traffic.
Brute-Force Protection for RDP:
• Restrict RDP access to VPN users only, blocking direct internet connections.
• Enable account lockout policies after multiple failed login attempts.
• Deploy Network Level Authentication (NLA) to require authentication before initiating an RDP session.

2.3 Traffic Monitoring and Logging for Security Improvement

Role of Traffic Monitoring & Logging:
• Provides real-time visibility into network activity.
• Helps in detecting anomalous behavior, such as unusual login attempts.
• Supports forensic analysis after security incidents.
Implementing IDS/IPS for Threat Detection:
• Intrusion Detection Systems (IDS) monitor network traffic and generate alerts for suspicious activities.
• Intrusion Prevention Systems (IPS) actively block threats in real time.
• Use signature-based detection for known threats and behavioral analysis for new attack patterns.
Suitable Monitoring Strategy for SafeNet’s Hybrid Infrastructure:
• Deploy a centralized SIEM (Security Information and Event Management) system for log aggregation and correlation.
• Use host-based monitoring (HIDS) for endpoint protection and network-based monitoring (NIDS) for real-time traffic analysis.
• Implement automated alerting mechanisms to notify administrators of potential breaches.

Question 3

Solution for Karoo Manufacturing’s Network Implementation

3.1 Subnetting

Karoo Manufacturing has been assigned the 10.20.0.0/24 network and requires four subnets for different departments. To accommodate the required number of devices, we must allocate appropriate subnet masks.

Department      Devices Needed   Subnet Mask              Usable IPs Required   Subnet Range
Administration  40               /26 (255.255.255.192)    At least 62           10.20.0.0 – 10.20.0.63
Sales           30               /27 (255.255.255.224)    At least 30           10.20.0.64 – 10.20.0.95
Production      50               /26 (255.255.255.192)    At least 62           10.20.0.96 – 10.20.0.159
HR              25               /27 (255.255.255.224)    At least 30           10.20.0.160 – 10.20.0.191

• Administration and Production require the /26 subnet (64 total IPs, 62 usable).
• Sales and HR require the /27 subnet (32 total IPs, 30 usable).
• The remaining addresses (10.20.0.192 – 10.20.0.255) can be reserved for future expansion.
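The allocation above, recomputed as an added Python example (not from the original document) with the standard `ipaddress` module. It hands out blocks largest-first so that every subnet starts on a multiple of its own size: a /26 block must begin at a multiple of 64, so `is_valid_network` shows that 10.20.0.96 cannot serve as a /26 network address, and the largest-first plan places Production at 10.20.0.0/26 and Administration at 10.20.0.64/26 while still leaving 10.20.0.192/26 for expansion.

```python
import ipaddress

# Host counts per department, taken from the Karoo Manufacturing table.
REQUIREMENTS = [("Administration", 40), ("Sales", 30), ("Production", 50), ("HR", 25)]

def prefix_for(hosts):
    # Longest prefix whose usable host count, 2**(32 - p) - 2, still covers `hosts`.
    prefix = 30
    while 2 ** (32 - prefix) - 2 < hosts:
        prefix -= 1
    return prefix

def is_valid_network(cidr):
    # ipaddress (strict mode) rejects a CIDR whose host bits are set, i.e. a block that
    # does not start on its own boundary.
    try:
        ipaddress.ip_network(cidr)
        return True
    except ValueError:
        return False

def allocate(parent_cidr, requirements):
    # VLSM allocation: largest departments first, so each block lands on a multiple of its size.
    parent = ipaddress.ip_network(parent_cidr)
    plan = {}
    cursor = int(parent.network_address)
    limit = int(parent.broadcast_address) + 1
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for(hosts)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size          # round up to the next aligned address
        if cursor + size > limit:
            raise ValueError(f"{name}: no room left in {parent}")
        plan[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    spare = []
    if cursor < limit:                              # whatever is left is reserved for expansion
        first, last = ipaddress.ip_address(cursor), parent.broadcast_address
        spare = [str(n) for n in ipaddress.summarize_address_range(first, last)]
    return plan, spare

if __name__ == "__main__":
    plan, spare = allocate("10.20.0.0/24", REQUIREMENTS)
    for name, net in plan.items():
        print(f"{name:<15}{net!s:<18}{net.netmask!s:<17}{net.num_addresses - 2} usable  "
              f"{net.network_address} - {net.broadcast_address}")
    print("reserved for expansion:", ", ".join(spare))
    print("10.20.0.96/26 is a valid network address:", is_valid_network("10.20.0.96/26"))
```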

3.2 Firewall Implementation

To enhance security, the Cisco ASA Firewall must be properly configured to separate the Internal Network, DMZ, and External Network while enforcing security policies.

1. Configuring Three Security Zones:
   o Internal Zone: Hosts office operations (subnets above).
   o DMZ Zone: Hosts external-facing servers (web server: 10.20.10.10, email server: 10.20.10.20).
   o External Zone: Connects to the internet.
2. Placing Servers in the DMZ:
   o The web server (10.20.10.10) and email server (10.20.10.20) should be placed in the DMZ to separate them from the internal network.
3. Access Control Lists (ACLs) & NAT Rules:
   o Web Server (DMZ) Rules:
      - Allow HTTP (port 80) and HTTPS (port 443) traffic from the external network.
   o Email Server (DMZ) Rules:
      - Allow SMTP (port 25) for outgoing mail and POP3 (port 110) for incoming mail from the external network.
   o Restrict Internal Network Access:
      - Block direct access from the DMZ to the internal network.
      - Only allow necessary communication initiated by the internal network.
   o VPN Security for Remote Access:
      - Configure VPN on the Cisco ASA Firewall for secure remote connections.
      - Enforce Multi-Factor Authentication (MFA) for VPN users.
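The three-zone policy above, modelled as an added Python example (not the project's ASA configuration) that evaluates sample flows against the listed rules with a default deny, so the DMZ-to-internal pivot path is rejected. The DMZ range 10.20.10.0/24, the internal host 10.20.0.5, the external address 198.51.100.5 and the sample flows are assumptions made for the example.

```python
import ipaddress

# Zone membership for the Karoo design. The DMZ range is an assumption that contains the
# page's two DMZ hosts; any address outside these ranges is treated as "external".
ZONES = {
    "internal": ipaddress.ip_network("10.20.0.0/24"),    # the four office subnets
    "dmz": ipaddress.ip_network("10.20.10.0/24"),        # assumed DMZ network
}
ANY = None
# (source zone, destination zone, destination host, allowed TCP ports). Unmatched traffic is denied.
RULES = [
    ("external", "dmz", "10.20.10.10", {80, 443}),   # web server: HTTP and HTTPS
    ("external", "dmz", "10.20.10.20", {25, 110}),   # email server: SMTP and POP3
    ("internal", "dmz", ANY, ANY),                   # sessions initiated from the internal network
    ("internal", "external", ANY, ANY),
    # No dmz -> internal and no external -> internal rule: a compromised DMZ host cannot pivot inward.
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def is_allowed(src_ip, dst_ip, dst_port):
    # Stateful-firewall model: the decision is made on the first packet of a session.
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True   # traffic that stays inside one zone never crosses the ASA
    for s, d, host, ports in RULES:
        if s == src_zone and d == dst_zone and (host is ANY or host == dst_ip) \
                and (ports is ANY or dst_port in ports):
            return True
    return False

def audit(flows):
    # Return the subset of (src, dst, port) flows the policy permits.
    return [f for f in flows if is_allowed(*f)]

# Constructed sample flows: legitimate service access plus the paths the design must block.
FLOWS = [
    ("198.51.100.5", "10.20.10.10", 443),   # internet -> web server HTTPS: allowed
    ("198.51.100.5", "10.20.10.10", 22),    # internet -> web server SSH: denied
    ("198.51.100.5", "10.20.10.20", 25),    # internet -> mail server SMTP: allowed
    ("198.51.100.5", "10.20.0.5", 3389),    # internet -> internal host RDP: denied
    ("10.20.10.10", "10.20.0.5", 1433),     # DMZ web server -> internal database: denied
    ("10.20.0.5", "10.20.10.20", 143),      # internal host -> mail server IMAP: allowed
]

if __name__ == "__main__":
    for flow in FLOWS:
        print("ALLOW" if is_allowed(*flow) else "DENY ", *flow)
```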
By implementing proper subnetting, firewall policies, and access control, Karoo Manufacturing can achieve a secure, scalable, and efficient network infrastructure.
