1 Capstone Project Case Study City of Yule Background The City of Yule is a local government area in Antioquia, in the north-eastern suburbs of Gundenai. It has an area of 63 square kilometres (24.3 sq mi) and lies between 7 and 21 km from central Gundenai. At the 2010 Census, Yule had a population of 100,000. The Iron River runs along the City’s south border while the west is defined by the Crocodile Creek. The City of Yule has plenty of open spaces and parklands, especially along the Iron River and Crocodile Creek valleys. There are 617 hectares of open space owned by the City, as well as substantial areas of parkland managed by Parks and Gardens department. These provide a wealth of recreational, environmental and tourism opportunities for the region. Cycling and walking through Yule City is a popular pastime, made enjoyable by the many kilometres of bicycle and pedestrian trails throughout the city, particularly along the Iron River and Crocodile Creek. There are 21 suburbs in the City of Yule (Banyule, 2016). Services The City of Yule has a number of services to offer to its citizens including, but not limited to: 1. Permits ​ - permission to carrying out various activities like house renovation, planning and building, gardening and landscaping (e.g. tree removal) and operating a business. 2. Rubbish and Recycling ​ - regular collection services for residents: garbage collection collected weekly and recycling and green waste collected fortnightly, on alternating weeks. 3. Waste Recovery Centre ​- to divert as much waste from landfill as possible. This enables the residents to disposal of recyclable materials like glass bottles, steel and aluminium cans, fridges, mattresses, batteries, burnt motor oil, etc. 4. Parks and Facilities ​ - for citizens leisure, recreation and multi-cultural activities. 5. Public Health - ​ basic health services like vaccination, dental care, etc. 6. Libraries ​ - each of the 21 suburbs has a library facility with an extensive physical collection of books, DVDs etc. available for loan. The libraries are also connected to an online library service to access databases, journals, newspapers, e-books etc. 7. Transport, Parking and Roads ​ - maintaining, regulating and controlling the traffic within the city. 8. Community services ​- for the family, youth and the elderly (Banyule, 2016). Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity2 Management Structure The City of Yule is managed by the City Council elected every four years. The current management structure is depicted in the next diagram. Figure 1 Management Structure (Adapted from Banyue, 2016) Yule’s workforce is made up of approximately 1000 staff, with a wide range of nationalities, age groups, backgrounds and skills that enrich the workplace (Banyule,2016). The allocation of staff to each of the four directorates is as follows: Table 1 Staff Allocation Corporate Services Community Programs City Development Assets & City Services 1 x Director 4 x Managers 50 x Finance staff 50 x Governance & Comm staff 50 x HR staff 50 x Organisation systems staff 1 x Director 3 x Managers 100 x Health, Aged & Community 100 x Youth & Family Services 100 x Leisure, Recreation and Cultural services 1 x Director 3 x Managers 75 x Transport & Municipal Laws 50 x Urban Planning 25 x Property & Economic Dev 1 x Director 4 x Managers 50 x Capital Projects 100 x Assets & Infrastructure 100 x Operations 100 x Parks & Gardens Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity3 City of Yule Facilities and ICT infrastructure Yule’s facilities comprise 4 main buildings: 1) Headquarters, 2) Operations Centre, 3) Community Centre, and 4) Maintenance Yard. There are also 21 buildings to house the libraries and two (2) waste recovery centres conveniently located in the outskirts of the city. Currently, the City of Yule has a good ICT infrastructure to support all businesses and services within the city, however, leveraging modern Internet, Mobile and Web technologies, the Council is planning to modernise the existing ICT infrastructure as the first step to fulfil its vision of a smart city by 2025. Specifically, the Council is envisaging to use cutting edge technology for the following: 1. Smart Energy for public areas, residential and commercial buildings 2. Smart Transportation with smart traffic and smart parking 3. Smart Data 4. Smart infrastructure - to help address hazards, complications and costs associated with water, lighting and waste management 5. Smart Internet of Things 6. Automatic Online processing of permits and parking fines 7. Online payments 8. Driverless trucks for rubbish collection 9. Parks equipped with sensor networks to track fauna and protect the environment. 10. Bushfires prediction 11. Council Online Electronic Voting 12. Electronic surveillance of roads, parks and public areas 13. Reducing CO2 emissions through traffic management 14. Free Wi-Fi across the city The implementation of such a critical infrastructure is not without a challenge. It demands a complete redesign of the current computer facilities and the implementation of a robust security plan to make sure that the services and the infrastructure are protected against any type of attack including physical and cyber attacks. Your company has been selected to help fulfil Yule’s vision with the ultimate goal of being world's most liveable city by 2025. The contract stipulates the following business factors that need attention: 1. City infrastructure to support a population of 130,000 in 10 years’ time. 2. Improve business efficiency through the automation of the majority of the city services. 3. Provide excellent customer service typical of a smart city. 4. Allow staff, registered citizens, and tourists to access the free Wi-Fi. 5. Allow staff to access the City’s computer network remotely using mobile devices like notebooks, smartphones and tablets. 6. ​Secure the computer networks from intruders. Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity4 The contract also stipulates the following technical goals: 1. Redesign the current network infrastructure in all buildings as described above including provision for wireless services. 2. Implement a new IP addressing scheme to accommodate current and new services. 3. Increase the bandwidth of the Internet connection to support new smart applications and the expanded use of current applications. 4. Provide a secure, private wireless network for staff to access the computer network and the Internet remotely. 5. Provide a secure, Wi-Fi network for citizens and tourists. 6. Provide a campus network that is available approximately 99.9 percent of the time and offers an MTBF (mean-time-between-failure) of 4000 hours and an MTTR (mean-time-to-repair) of 2 hours (with a low standard deviation from these average numbers). 7. Automation of network management to increase the efficiency and effectiveness of the ICT department. 8. Provide a computer network that can scale to support future expanded usage of sensitive applications including Council elections via online voting, electronic surveillance and car parking metering automation. 9. Provide security to protect the Internet connection, internal network, hosts, servers and data assets from intruders. Statement of Works Part A For this part you are required to design and implement a secure information and network infrastructure that ensures high availability, reliability, scalability, performance and security to support the City of Yule current and new services. This requires: 1. In line with Yule’s aspirations, redesign the network to cater for the needs of a smart city. 2. Delivery of a comprehensive network security plan. 3. Security technology implementation 4. Proof of concept. The following is the breakdown of the tasks for part A. Part A - 1. Network Redesign The new network proposal should be justified in terms of traffic, reliability, performance, availability, and scalability that best cater for the needs of business and services operations Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity5 within the City of Yule. To do this you need to make a number of assumptions (discuss this with your mentor / facilitator / teacher). For example, assume that the majority of Yule’s services operate from 8:00am to 5:00pm Monday to Friday, whereas other services like online payment, electronic surveillance, and car park automation operate 24/7. Specifically for this redesign, take into account the following: 1. Traffic generated by the hosts: clients, servers and backup devices. 2. Appropriateness of WAN links to support current traffic and forecasted growth. 3. Appropriateness of WANs. What WAN protocols would you use? 4. Appropriateness of wired LANs and Wireless LANs to support future growth. 5. Would you use VPNs? Why? 6. The specifications of networking devices including routers and switches at each site or location (wired and wireless). 7. IP address allocation of each network and main network devices. Use CIDR format (x.y.z.t/n). 8. Sub-netting to separate traffic including IP address allocation. 9. Firewalls positioning and strategy. Would you use separate packet filtering and routing? 10. Would you consider Proxy servers? Why? 11. DMZ configuration. 12. Firewalls Access Control Lists. 13. Network diagram for both logical and physical topologies showing devices; and IP addresses for the main clients, hosts, servers and network devices. 14. Provision of data encryption to secure data travelling between internal and external networks. Part A - 2. Comprehensive Network Security plan The network security plan should contain an ​executive summary ​ and as ​minimum ​ the following items: 1. ​ ​Introduction ​ outlining the ​ importance of the plan and its purpose. Your introduction should also provide a brief description of the components of the proposed network security plan in terms of the City of Yule’s needs. 2. ​ ​Scope ​ outlining the areas of the City that the Plan applies. The scope also relates to the breakdown of the tasks that are needed to make sure that the network is secure. 3. ​ ​Assumptions ​documenting any assumptions you have made in order to prepare the plan. There are things that might not be clear from the case study, hence you have either to consult with the mentor or assume them in a reasonable way with a clear justification. 4. ​ ​Clear and concise statements ​ about what the Security Plan is designed to achieve. This statement must relate the business and technical goals of the City. 5. ​ ​Summary and analysis ​ of the City’s ​risks ​, highlighting the current threats, ​challenges and vulnerabilities ​ along with an ​assessment of current security environment and treatments in place ​. This is perhaps the most important component of the security plan. It Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity6 includes the complete assessment of each of the network assets (computer hardware, PCs, servers, application and system software, network devices, employees, partners and the like) and its importance for the normal operation of the network services. The analysis also investigates the vulnerabilities of each asset and its associated threat that might exploit those vulnerabilities. 6. ​ ​Network Security policies ​ to address all possible network attacks and vulnerabilities. Note that these policies address the likely issues that might occur during the transmission of the data through the network. 7. ​ ​Information Security policies ​to address unauthorized and misappropriate use of City’s data and software applications. Note that these policies address the likely issues that might occur during the storage and processing of the data. 8. ​ ​Disaster ​ recovery and Business continuity plans. 9. ​ ​Security Strategies ​ and ​Recommended controls ​ including security policies. The recommended controls are the action points you are to put in place to mitigate the risks you uncovered as part of your risk analysis. 10. ​ ​In practice, achieving total information and network security in the City is impossible ​. Residual risks ​ that remain after all possible (cost-effective) mitigation or treatment of risks should be taken into account. Your security plan should estimate, describe and rate these residual risks ​ to guide the priorities for ongoing monitoring of risks. 11. ​ ​Resources ​for implementing the recommendation. This should include any type of resources like humans, communities of practice, quality audit groups, and the like. Part A - 3. Security Technology Implementation As part of the security technology implementation and in line with the recommended controls mentioned above in the network security plan (item 9), you need to provide the ​complete design ​of the following: 1. Data backup and recovery technology including the procedures for backup and recovery. You need to provide the strategy of the backup, technical details, specifications and functionalities of the recommended backup technology. 2. A proper authentication and authorisation system that takes care of highly secured roles and permissions to access, share, download, upload files and folders. This should include authentication for wireless and mobile services as well (work at home - WAT and bring your own device - BYOD). You need to provide the complete details of the recommended technology including the product and vendor specifications. 3. ​File, Web (and secure Web), Mail (and secure Mail including spam email prevention), DHCP, DNS and Domain Controllers. Make sure you address all these services. For example, you may suggest Apache HTTT Server as the Web server software. If that is the case, then you must describe the full configuration of the Apache HTTP Server and the application architecture used including the load balancer, replica web server, and data server (if you Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity7 opt for a three-tier architecture for example). Again you need to provide details of the software vendor and recommended hardware to run the service. 4. ​Hardening of servers described above in section 3. All the services need to be hardened with products as recommended in the network security plan. 5. Network security including DMZs, Firewalls, Intrusion Detection and Prevention Systems (IDSs and IPSs) fully configured For the five (5) items above, you need to justify your recommendations (chosen technology) in terms of cost, reliability, maintainability, performance and scalability. As mentioned, for each technology, make sure to provide details of the vendor, and the version of hardware and software. Part A - 4. Proof of concept As part of the project requirements, you are required to implement and test ​at least three of the recommended controls ​suggested in the security technology implementation section above. The solution should address current City of Yule needs, including the installation of the software, configuration of the system, and developing of test cases to check the complete functionality of the system. Discuss with your mentor all the possible options as soon as possible. Do not wait until the end of the term to do this task. For the proof of concept, it is mandatory that you include the documented results (procedures and screen dumps) of various network security attacks tests (such as Network Penetration Tests) as part of your final project report. You may use your choice of security software/tools (including freeware open software systems) and operating systems (Windows, Linux, or Ubuntu) in a virtualised environment to build and simulate the security tests. You are required to demonstrate your implementations at the end of the term using your own equipment. Part B For Part B, your task is to write two separate short reports (1000 words each) to recommend the City of Yule Council on: 1. Automation of Car Parking Revenue Control System 2. Council Elections via Online Electronic Voting For 1 and 2 above, you need to provide a feasibility study, focusing primarily in security. The reports should include: a) requirement analysis, b) cost-benefit analysis, c) risk analysis, and d) final recommendation. In researching about 1 and 2, take into account these applications deal with critical infrastructure, that is to say, assets that are essential for the functioning of a society and economy. These applications are likely to be the target of sophisticated and powerful cyber attacks, therefore it is essential you address these cybersecurity issues in the two reports. Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity8 References 1. Banyule (2016). BanYule City Council Website. https://www.banYule.vic.gov.au/ 2. Ciampa, M. (2015). CompTIA Security+ Guide to Network Security Fundamentals (5th Edition). Clifton Park, NY: Course Technology. 3. Forouzan, B. (2009). TCP/IP Protocol Suite (4th edition). Boston: McGraw-Hill Education. 4. Oppenheimer, P. (2011). Top-Down Network Design (3rd Edition). Indianapolis, In: Cisco Press 5. ​Panko, R. R. (2003). Business Data Networks and Telecommunications. (4th Edition edition). Prentice Hall. 6. ​Weaver, R., Weaver, D., & Farwood, D. (2013). Guide to Network Defense and Countermeasures (3rd edition). Australia ; Boston, MA, USA: Course Technology. 7. Whitman, M. E., Mattord, H. J., & Green, A. (2011). Guide to Firewalls and VPNs (3rd edition). Boston, MA: Delmar Cengage Learning. Networks and Information Security Case study - Copyright © Edilson Arenas - CQUniversity