1 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity Capstone Project Case Study The Community College (CC) Background The Community College (CC) is a major public higher education institution founded in Northampton in late 1960. By 1970, it was the first higher education institution in the country to launch distance education programs. During the 1980s, the College expanded its operations to other regional areas outside Northampton including Carlsberg, Radcliff, Bluestone and Quay West. Likewise, CC also expanded its presence throughout the country with campuses in metropolitan areas including Armadale, Bass Strait, Coors, Saint Marie, and Golden Goose. At present CC provides diverse range of trade qualifications, undergraduate and postgraduate programs as well as short professional or occupational courses. More than 30,000 students are currently studying various levels of programs at CC as on-campus students. Additionally, more than 10,000 students are currently studying at CC under the online and distance education programs. CC has three major facilities to support its information technology services: Headquarters, Operations (Data Centre) and Backup. The Headquarters facility is located in the Northampton main campus. The Operations facility is located 50Kms from the Headquarters in a warehouse near an industrial area in the outskirts of Northampton. The Operations facility houses the back-office technical functions, the data centre and IT staff. The Backup facility is located in the country area of about 1000km from the headquarters. CC uses the Backup as a warm-site facility that can be operational within minutes in the event the Operations facility fails. Apart from the main campus in Northampton, all regional and metropolitan campuses are very similar in terms of size, staff, and technologies. Their IT infrastructure uses relatively old and complex technologies. CC still uses a number of protocols to enable campus communication to the main server farm located at Operations. Additionally, each campus is connected to the Operations through an old Multiservice Platform Router for flexible LAN and WAN configurations, easy upgrades, and the handling of various protocols at the internet and transport layers. The router enables the campus to communicate with different CC campuses located in different sites. To support the day-to-day learning and teaching activities, academics and administrative staff at CC also deals with a dozen (12) of external partners including hospitals, research centres, vendor support and technology partners in many different ways, non-necessarily compatible each other. At CC the current network has performance and reliability problems owing to a growth in enrolments and other factors (discussed later). The CC management has told the IT department that both student and faculty complaints about the network have increased. Particularly, faculty claims that, due to network problems, they cannot efficiently submit grades, maintain contact with colleagues at other campuses, or keep up with research. Students say they have handed in homework late due to network problems. The late submissions have impacted their grades. Despite the complaints about the network, faculty, staff, and student use of the network has almost doubled in the past few years.2 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity Another issue at CC is that there are no BYOD and Work-at-home (WAT) policies. This has become a focus of contention between the IT department, staff and students. The IT department is concerned about a number of rogue wireless ad-hoc access points often placed by students within the campus premises. The vast majority of staff, faculty and students agree that there is a need of implementing secure wireless and remote access including the WAT and BYOD policies. The senior management at CC has identified a number of key business factors that need immediate attention: 1. Enrolment for both on-campus and distance education is to increase 50% in the next three years. 2. Improve faculty efficiency and allow faculty to participate in more research projects with colleagues at other campuses. 3. Improve student support efficiency and eliminate problems with homework submission. 4. As part of the BYOD policy, allow students, staff and visitors to the college to access the campus network and the Internet wirelessly using their mobile devices including notebooks, smartphones and tablets. 5. As part of the WAT, allow students and staff to remotely access the campus network from home. 6. Secure the campus networks from intruders. In response to the senior management call, the IT department at CC developed a list of technical goals that should be implemented as soon as possible: 1. Redesign the current network including provision for wireless services 2. Overhaul the IP addressing scheme 3. Increase the bandwidth of the Internet connection to support new applications and the expanded use of current applications 4. Provide a secure, private wireless network for students, staff and visitors to access the campus network and the Internet 5. Provide a network that offers a response time of less than a second for interactive applications. 6. Provide a campus network that is available approximately 99.9 percent of the time and offers an MTBF (mean-time-between-failure) of 4000 hours and an MTTR (mean-time-torepair) of 2 hours (with a low standard deviation from these average numbers). 7. Provide security to protect the Internet connection and internal network from intruders. 8. Use network management tools that can increase the efficiency and effectiveness of the IT department. 9. Provide a network that can scale to support future expanded usage of multimedia applications including online teaching. 10. Feasibility study to address the need to migrate web, mail and file services to the cloud.3 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity Wide Area Networks (WANs) in CC Figure 1 outlines the complex WAN infrastructure CC currently uses to support its operations. A mesh of three T3 leased lines connects the Headquarters, Operations (Data Centre) and Backup sites. These lines operate at 44.7 Mbps, providing redundancy between the major facilities. Each campus building connects to the major facilities via a Frame Relay network: one 56kbps PVC2 leading to the Operations and 56 kbps PVC3 leading to the Backup facility, most of the time. There are ISDN backup lines in case of Frame Relay failure (Note that PCV1 represents two aggregate PVCs of 56 kbps each. PVC2 and PVC3 are both 56kbps). By the same token, the 12 educational partners are connected to CC via a frame relay network of 56kbps. As shown in the diagram, CC uses two separate Internet Service Providers (ISP) for Internet connection via T1 leased lines. Figure 1 Community College WAN Campus Network in CC (metro and regional campuses) Each CC campus is supported by 100Base-TX Switched Ethernet LANs, and CC is expecting to upgrade to more modern Switched Ethernets soon. Employees at CC are distributed as follows: 1. 250 employees including academic (x150), administrative (x50) and management staff (x50); and about 2,000 on-campus students in each of the regional and metro campuses. 2. The main campus at Northampton houses around 2,000 employees including academic (x1000); administrative (x500) and management staff (x500). Nearly 12,000 on-campus students are studying at the Northampton main campus. The Operations facility is also supported by 100Base-TX Switched Ethernet LANs. In the Operations facility, there are 100 engineers in charge of technical support of the data centre, networking,4 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity maintenance, and application development. The organisational and operational structure of the Backup facility is similar to the structure of the Operations facility. Academic staff at the Northampton main campus, regional and metro campuses teach courses in the faculties of arts and humanities, business, social sciences, mathematics, computer science, the physical sciences, and health sciences. The administrative staff handle admissions, student records, and other student operational functions. The management staff consists of human resources, senior management and information technology. Enrolment at CC has almost doubled in the past few years; and the faculty and admin staff has also doubled in size. Figure 2 Current Campus Backbone Network The logical topology of the current campus backbone network at CC (Northampton, regional and metro campuses) is shown in figure 2. Notice how the campus-backbone supports the operations of the seven faculties (arts and humanities, business, social sciences, mathematics, computer science, the physical sciences, and health sciences). The following are the details of the IT infrastructure: 1. A high-end core switch in each building is connected to a high-end Campus core switch in the campus backbone data centre. 2. Within each building, 24-port Ethernet switches on each floor connect end user systems. 3. Floor switches are connected to the building switch. 4. The 100Base-TX switches are layer-2 switches running the IEEE 802.1D Spanning Tree Protocol. 5. All devices are part of the same broadcast domain. All devices (except public servers) are part of the 192.168.0.0 internal network5 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity 6. Addressing for end-user hosts is accomplished with DHCP. A Windows server in the server farm located in the Operations facility acts as the DHCP server. 7. A Windows-based network management software package monitors the switches using SNMP and RMON. The software runs on a server in the server farm located in the Operations Centre. 8. CC email and web servers use public addresses that AARNET assigned to CC (Discuss with your mentor the allocation of these public addresses). The system also provides a DNS server that the CC uses. All these public servers are located in the Operations facility. 9. The Multiservice Platform router has a default route to the WAN and does not run a routing protocol. 10. Campus servers support for local file storage (students and staff) and data backups that are periodically transferred to the main Data Centre at the Operations Facility The logical topology of the Operations facility is similar to the Campus backbone. The main difference, as noted above, is that the server farm with the public services (Web, email and file services) are housed in the Data Centre of this facility. Another difference is that the Multiservice Platform router at the Operations facility acts as a firewall using packet filtering. This router also implements NAT. The router has a default route to the Internet and does not run a routing protocol. As shown in Figure 1, the WAN link to the Internet is a T1 leased line. Application and Enterprise Services The following table describes the network applications and enterprise services running in the regional, metro and Northampton main campus of CC. Application / Service Description Users Students and academics' work On-campus students use the network to write assignments and other documents. Science academic and students use the network to develop code. They save their work to file servers in the campus servers and print their tasks on printers within the campus and other buildings. Students and academic staff Electronic Mail Email is used campus-wide extensively Students and College staff Web services (secure and public) Use of web browsers to access information, participate in chat rooms, and use other typical web services. Students, and College staff College Library The College has a main library at Northampton and smaller collections at each campus. Students and staff access the online library catalogue. Students, and College staff HPC Higher Performance Computing as part of a nation's scientific research program Students and faculty in collaboration with partner colleges and industries6 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity Distance Education The faculty of Arts and Humanities has two online teaching programs that requires real-time audio and video streaming via Blackboard Collaborate Distance Arts and Humanities students Moodle Learning Management System Management of learning resources Students and Academic staff Enterprise Resource Management Human Resource Management and SAP Enterprise Resource Planning Administrative and Management staff Student Information System The college administration staff uses this system to keep track of class registrations, enrolments and student records. Administrative and academic staff Current ICT infrastructure Summary ICT infrastructure at Metro and Regional campuses Hardware • Staff equipped with Desktop PCs running Windows 7 (dual monitors) • Staff PCs equipped with first generation headsets and webcams • 4 networked Laser Printers in each faculty • 2 computer labs, each with 24 PCs for student work in each faculty • One Network Attachment Storage for local storage in each lab. • 100Base-TX Switched Ethernet ICT infrastructure at Headquarters (Northampton) Hardware • Staff equipped with Desktop PCs running Windows 7 (dual monitors) • Staff PCs equipped with latest generation headsets and webcams • 20 networked Laser Printers (also capable of scanning and photocopying) in each faculty • 10 computer labs, each with 24 Desktop Pcs running Windows 7 (single monitor) for student work in each faculty • One Network Attachment Storage for local storage in each lab • Staff equipped with VoIP video phones • 100Base-TX Switched Ethernet ICT infrastructure at Operations site • Operating system: Combination of Windows and Linux OSs servers • Staff equipped with Desktop PCs running Windows 8 All operational servers including FTP, HTTP/HTTPS, SMTP/SMTPS, DHCP, DNS, Authentication, Blackboard, Domain Controllers, Database, SAN, Load Balancing and video streaming are concentrated in this facility. The Operations facility also contains the infrastructure to support CC's7 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity learning management and student information systems; and ERP services. The uplink to the Internet is also located in this facility. ICT infrastructure at Backup site As mentioned, the Backup is a warm-site facility that can take over within minutes in the event that the Operations facility fails. Its infrastructure mirrors the Operations facility. Problem Statement CC business processes rely on a combination of systems including Internet, IPX/SPX, SNA and ICTrelated services with a very complex ICT infrastructure. CC academic board acknowledges this as major issue: the bottleneck for future CC growth and sustainability. The senior executive of CC argues that currently the College is spending huge to maintain and integrate disparate and cumbersome systems; with little room to expand and improve services. The CC academic board claims that CC needs to change and re-provision the ICT infrastructure to provide high quality learning and teaching in the most cost effective way. As part of this change, the transition to interoperability should be achieved in a smooth manner while leveraging the latest advancements in network and information security infrastructure in order to guarantee "zero" problems in the CC processes. CC is also planning to invest in a multimillion dollar venture to modernise the College's ICT infrastructure. This will potentially include: [1] immersive telepresence system to support distance education students (expected to grow 50% in the next 3 years in all disciplines), [2] staff and student remote access and mobile services (staff BYOD and Work-at-home (WAT) policies) that CC currently does not have, [3] migration of a number of services to the Cloud including the Learning Management System, File, Web and Mail Servers. In terms of network and information security, CC ICT infrastructure should safeguard appropriate access and use of ICT resources; ensure unauthorised and malicious internal and external network attacks are properly blocked. Network redundancy is currently achieved with the mesh of three T3 leased lines connecting the main Northampton campus, Operations and Backup buildings; however, nothing has been done in terms of a security plan including a robust disaster recovery (DRP) and business continuity plan (BCP) for the College. Statement of Work The statement of work is divided in two parts: Part A and Part B. Part A For this part you are required to design and implement a secure information and network infrastructure that ensures high availability, reliability, scalability, performance and security to support CC services. This requires [1] the redesign of the network to meet the current and future demands; [2] the delivery of a comprehensive network security plan; and [3] Security technology implementation and proof of concept. The following is a breakdown of the tasks for part A. Network Redesign 1. Network redesign. In this redesign, the IP address allocation should use the CIDR format (x.y.z.t/n).8 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity 2. Each design should be justified in terms of traffic, reliability, performance, availability, scalability and security. To do this you need to make a number of assumptions (discuss this with your mentor / facilitator / teacher). For example, assume that a great number of College services operate 24/7. Other services are to operate from 6:00am to 8:00pm daily, Monday to Friday. Other aspects to take into account are user's behaviour, applications, bandwidth requirements and the like. Specifically for this redesign, take into account the following: a. Traffic generated by the hosts: clients, servers and backup devices. b. Appropriateness of WAN links to support current traffic and forecasted growth. c. Appropriateness of WANs (Frame Relay). Are there better WAN protocols to use? d. Appropriateness of wired LANs and Wireless LANs to support future growth. e. Would you use VPNs? Why? f. The specifications of networking devices including routers and switches at each site or location (wired and wireless) g. IP address allocation of each network and main network devices h. Sub-netting to separate traffic including IP address allocation i. Firewalls positioning and strategy. Would you use separate packet filtering and routing? j. Proxy servers k. DMZ configuration l. Firewalls Access Control Lists m. Network diagram of the logical topology and allocation of devices; and IP addresses for the main network devices n. Provision data encryption to secure data travelling between internal and external networks Comprehensive Network Security plan The network security plan should contain as minimum the following: 1. Introduction outlining the importance of the plan and its purpose. Your introduction should also provide a brief description of the components of the proposed network security plan in terms of the Community College needs. 2. Scope outlining the areas of the organisation that the Plan applies. The scope also relates to the breakdown of the tasks that are needed to make sure that the network is secure. 3. Assumptions documenting any assumptions you have made in order to prepare the plan. There are things that might not be clear from the case study, hence you have either to consult with the mentor or assume them in a reasonable way with a clear justification. 4. Clear and concise statements about what the Security Plan is designed to achieve. This statement must relate the business and technical goals of CC. 5. Summary and analysis of the organisation's risks, highlighting the current threats, challenges and vulnerabilities along with an assessment of current security environment and treatments in place. This is perhaps the most important component of the security plan. It includes the complete assessment of each of the network assets (computer hardware, PCs, servers, application and system software, network devices, employees, partners and the like) and its importance for the normal operation of the network services.9 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity The analysis also investigates the vulnerabilities of each asset and its associated threat that might exploit those vulnerabilities. 6. Network Security policies to address all possible network attacks and vulnerabilities. Note that these policies address the likely issues that might occur during the transmission of the data through the network. 7. Information Security policies to address unauthorized and misappropriate use of CC data and software applications. Note that these policies address the likely issues that might occur during the storage and processing of the data. 8. Disaster recovery and Business continuity plans. 9. Security Strategies and Recommended controls including security policies. The recommended controls are the action points you are to put in place to mitigate the risks you uncovered as part of your risk analysis. 10. In practice, achieving total security in an organisation is impossible. Residual risks that remain after all possible (cost-effective) mitigation or treatment of risks should be taken into account. Your security plan should estimate, describe and rate these residual risks to guide the priorities for ongoing monitoring of risks. 11. Resources for implementing the recommendation. This should include any type of resources like humans, communities of practice, quality audit groups, and the like. Security Technology Implementation As part of the security technology implementation and in line with the recommended controls mentioned above in the network security plan (item 9), you need to provide the complete design of the following: 1. Data backup and recovery technology including the procedures for backup and recovery. Note that there are NASs at the campuses to back up the data generated locally, however the vast majority of data is backed up to the File Servers in each campus and ultimately to the Operations facility through the WAN. You need to provide the strategy of the backup, technical details, specifications and functionalities of the recommended backup technology. 2. A proper authentication system that takes care of highly secured roles and permissions to access, share, download, upload files and folders. This should include authentication for wireless and mobile services as well. You need to provide the complete details of the recommended technology including the product and vendor specifications. 3. File, Web (and secure Web), Mail (and secure Mail including spam email prevention), DHCP, DNS, Domain Controllers. Make sure you address all these services. For example, you may suggest Apache HTTT Server as the Web server software. If that is the case, then you must describe the full configuration of the Apache HTTP Server and the application architecture used including the load balancer, replica web server, and data server (if you opt for a three-tier architecture for example). Again you need to provide details of the software vendor and recommended hardware to run the service. 4. Hardening of servers described above in section 3. All the services need to be hardened with products as recommended in the network security plan. 5. Network security including DMZs, Firewalls, Intrusion Detection and Prevention Systems (IDSs and IPSs).10 Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity For the five (5) items above, you need to justify your recommendations (chosen technology) in terms of cost, reliability, maintainability, performance and scalability. As mentioned, for each technology, make sure to provide details of the vendor, and the version of hardware and software. CC Technology implementation - Proof of concept As part of the project requirements, you are required to implement and test at least one of the recommended controls suggested in the security technology implementation section above. The solution should address current needs of CC, including the installation of the software, configuration of the system, and developing of test cases to check the complete functionality of the system. For the proof of concept, it is mandatory that you include the documented results (procedures and screen dumps) of various network security attacks tests (such as Network Penetration Test) as part of your final project report. You may use your choice of security software/tools (including freeware open software systems) and operating systems (Windows, Linux, or Ubuntu) in a virtualized environment to build and simulate the security tests. You are required to demonstrate your implementations at the end of the term. Part B In part B, your task is to recommend the CC academic board on: 1. An appropriate immersive telepresence system to support distance education students. As mentioned above, CC is expected to grow 50% in distance education in the next 3 years. 2. You are also to recommend the strategy for staff and student remote access and mobile services (staff BYOD and Work-at-home (WAT); and student BYOD and study-at-home policies). 3. Finally, a complete technical report on the migration of the LMS, File, Web and Mail Servers to the Cloud (looking into provisioning either IaaS, PaaS or SaaS), including requirement analysis, cost benefit analysis, risk analysis and final recommendation from a list of at least three cloud service providers (CSPs). References 1. Ciampa, M. (2015). CompTIA Security+ Guide to Network Security Fundamentals (5th Edition). Clifton Park, NY: Course Technology. 2. Forouzan, B. (2009). TCP/IP Protocol Suite (4th edition). Boston: McGraw-Hill Education. 3. Oppenheimer, P. (2011). Top-Down Network Design (3rd Edition). Indianapolis, In: Cisco Press 4. Panko, R. R. (2003). Business Data Networks and Telecommunications. (4th Edition edition). Prentice Hall. 5. Weaver, R., Weaver, D., & Farwood, D. (2013). Guide to Network Defense and Countermeasures (3rd edition). Australia ; Boston, MA, USA: Course Technology. 6. Whitman, M. E., Mattord, H. J., & Green, A. (2011). Guide to Firewalls and VPNs (3rd edition). Boston, MA: Delmar Cengage Learning.