M11Cde Skills-Based Assessment

School of Engineering & Computing Department of Computing Internet Information Security (M11CDE) Layered Security Student Name: BUSA ABANG OBI SID:4560229 I certify that this is my own work yes/no and that I have read and understand the University Assessment regulations. Signature: [pic] Submission Details The details below indicate what you should submit, when you should submit it and where is should be submitted to. Submission Date and Method Deadline 11 January 2013 11:50pm online submission. Submission Format: 1. Fill the online quiz for the practical test which will be available one week before the final fixed deadline. . Download an electronic copy of this document and where there are blanks or spaces to complete addressing information etc. , please include them in the document. You submission should include the answers in the document, but do not change the document in any other way! If the document has been modified other than to include the required information your submissi on will be null and void. 3. Your files should be name as â€Å"SID_FIRSTNAME_SURNAME. doc†. E. g. 100292_FIRSTNAME_SURNAME. doc. 4. Save the configurations from all your network devices and embed them into the end of this document. 5.If you have attempted to configure VLANs, please also include a switch configuration from any one of your LAN switches. Please note that this must be a switch that you have actually configured VLANs on. 6. If you have implemented the network in Packet Tracer, you may consider submitting a copy of that as well but this is not compulsory. Zero Tolerance for late submission: If your work is late it will have to be marked zero according to new university policy. Please ensure you upload your work well before the deadline. You will be able to delete and update your work before the deadline. Plagiarism Note:As with all assessed work, both the research and written submission should be your own work. When submitting this work you are explicitly indicati ng that you have read the rules on plagiarism as defined in the University regulations and that all work is in fact your own, except where explicitly referenced using the accepted referencing style. Feedback and marking: The practical work will be marked by using the questions set in the online quiz and number of questions for each section will depend on the weightings set in the below sections. Feedbacks and marks will be provided once the online practical quiz is submitted.Network topology [Whilst the topology shows only two hosts on each LAN, you should configure four hosts on each LAN. ] Network Information The WAN IP network address between Dundee and Glasgow is 209. 154. 17. 0 with a subnet mask of 255. 255. 255. 0. The WAN IP network address between Edinburgh and Glasgow is 209. 154. 16. 0 with a subnet mask of 255. 255. 255. 0. This is clearly shown on the network topology. Dundee information The LAN for Dundee has been assigned an IP network address of 192. 168. 6. 0 Each s ubnet of the above network needs to accommodate 14 host addresses. The subnet mask will be 255. 255. 255. 40. This is worked out by borrowing 4 bits from the final octet and is shown in the table below. Table 1 Custom Subnet Mask for Dundee |255 |255 |255 |240 | |128 64 32 16 8 4 2 1 |128 64 32 16 8 4 2 1 |128 64 32 16 8 4 2 1 |128 64 32 16 8 4 2 1 | |1 1 1 1 1 1 1 1 |1 1 1 1 1 1 1 1 |1 1 1 1 1 1 1 1 |1 1 1 1 0 0 0 0 | Use the 6th usable subnet for the LAN.Do not use subnet zero as the first usable subnet. The table below shows how the 6th usable network can be identified. |Network |Network ID |First Host |Last Host |Broadcast |Mask | |0 |192. 168. 6. 0 |192. 168. 6. 1 |192. 168. 6. 14 |192. 168. 6. 15 |/28 | |1 |192. 168. 6. 16 |192. 168. 6. 17 |192. 168. 6. 30 |192. 168. 6. 31 |/28 | |2 |192. 168. 6. 2 |192. 168. 6. 33 |192. 168. 6. 46 |192. 168. 6. 47 |/28 | |3 |192. 168. 6. 48 |192. 168. 6. 49 |192. 168. 6. 62 |192. 168. 6. 63 |/28 | |4 |192. 168. 6. 64 |192. 168. 6. 65 |192. 16 8. 6. 78 |192. 168. 6. 79 |/28 | |5 |192. 168. 6. 80 |192. 168. 6. 81 |192. 168. 6. 94 |192. 168. 6. 95 |/28 | |6 |192. 168. 6. 6 |192. 168. 6. 97 |192. 168. 6. 110 |192. 168. 6. 111 |/28 | |7 |192. 168. 6. 112 |192. 168. 6. 113 |192. 168. 6. 126 |192. 168. 6. 127 |/28 | You should be able to identify the pattern (or magic number from the subnet mask). If it is not immediately apparent subtract the last non-zero octet from 256. Edinburgh information The LAN for Edinburgh has been assigned an IP network address of 192. 168. 5. 0 Again, each subnet of the above network needs to accommodate 14 host addresses.The subnet mask will be 255. 255. 255. 240. This is worked out by borrowing 4 bits from the final octet and is shown in the table below. Table 1 Custom Subnet Mask for Edinburgh |255 |255 |255 |240 | |128 64 32 16 8 4 2 1 |128 64 32 16 8 4 2 1 |128 64 32 16 8 4 2 1 |128 64 32 16 8 4 2 1 | |1 1 1 1 1 1 1 1 |1 1 1 1 1 1 1 1 |1 1 1 1 1 1 1 1 |1 1 1 1 0 0 0 0 |Use the 4th usable subnet for the LAN. Do not use subnet zero as the first usable subnet. You must follow the example for Dundee to complete the table for step 1 planning. You should be able to identify the pattern (or magic number from the subnet mask). If it is not immediately apparent subtract the last non-zero octet from 256. The elements of the coursework are: 1. Planning and assigning addresses [30 marks] 2. Basic configuration [40 marks] 3. Security ACLs [10 marks] 4.Security VLANs [20 marks] The basic theme is that Glasgow (GLA) is regional headquarters of the company. Edinburgh and Dundee are branch offices. Each network associate (student) will be responsible for an entire network. This means that using either the lab equipment in EC1-13 or Packet Tracer, you will configure 3 routers, 2 switches and 8 PCs. A network address and specific number of hosts per subnet has been assigned for the local LAN on each network (Edinburgh and Dundee).From the information provided, the subnet address, the subnet mask, the first and last usable addresses and the broadcast address for each site LAN need to be determined. (When using the router or Packet Tracer – it is expected that you keep a copy of your router configuration at each stage, just in case you run into problems). Step 1 Planning Using the chart below, plan the first ten usable subnets of the LAN address assigned to Edinburgh. You have been given the first 6 addresses for Dundee, you are now expected to plan for the first 10 addresses for Edinburgh. Subnet |Subnet |Subnet |First Host |Last Host |Broadcast | | |Address |Mask (/x) | | | | |0 |192. 168. 5. 0 |28 |192. 168. 5. 1 |192. 168. 5. 14 |192. 168. 5. 5 | |1 |192. 168. 5. 16 |28 |192. 168. 5. 17 |192. 168. 5. 30 |192. 168. 5. 31 | |2 |192. 168. 5. 32 |28 |192. 168. 5. 33 |192. 168. 5. 46 |192. 168. 5. 47 | |3 |192. 168. 5. 48 |28 |192. 168. 5. 49 |192. 168. 5. 2 |192. 168. 5. 63 | |4 |192. 168. 5. 64 |28 |192. 168. 5. 65 |192. 168. 5. 78 |192. 168. 5. 79 | |5 |192. 1 68. 5. 80 |28 |192. 168. 5. 81 |192. 168. 5. 94 |192. 168. 5. 95 | |6 |192. 168. 5. 96 |28 |192. 168. 5. 97 |192. 68. 5. 110 |192. 168. 5. 111 | |7 |192. 168. 5. 112 |28 |192. 168. 5. 113 |192. 168. 5. 126 |192. 168. 5. 127 | |8 |192. 168. 5. 128 |28 |192. 168. 5. 129 |192. 168. 5. 142 |192. 168. 5. 143 | |9 |192. 168. 5. 144 |28 |192. 68. 5. 145 |192. 168. 5. 152 |192. 168. 5. 159 | |10 |192. 168. 5. 160 |28 |192. 168. 5. 161 |192. 168. 5. 174 |192. 168. 5. 175 | For the WAN links for DUN and EDN the lowest usable address on the networks must be used. Identify and use the lowest usable WAN address for your S0 interface assigned to you for the two networks shown: 1 Dundee:209. 154. 17. 1 Edinburgh:209. 154. 16. 1 For security reasons, all of the production workstations will be assigned the lower-half of the IP addresses of the assigned subnet. All of the network devices and management stations will be assigned the upper-half of the IP address numbers of the subnet assigned for the L AN. From this upper half range of addresses, the Ethernet router interface (the default gateway on each LAN) is to be assigned the highest usable address. Identify the required IP address of the Ethernet interface on your two routers. Address of your Ethernet interface on Dundee : 192. 168. 6. 10 Address of your Ethernet interface on Edinburgh : 192. 168. 5. 78 The host (PC) configurations must also be planned. Using the table, complete the host information. |Branch: DUN |IP Address Range | |Production Host Range |192. 168. 6. 97——–192. 168. 6. 103 | |(Lower half) | | |Management Host Range |192. 168. 6. 104——–192. 168. 6. 10 | |(Upper half) | | [5 marks for ranges of addresses] Supply addresses for a production and management host. Production Host (1) IP Address192. 168. 6. 97 Subnet Mask255. 255. 255. 240 Default Gateway192. 168. 6. 110 Management Host (1) IP Address192. 168. 6. 104 Subnet Mask255. 255. 255. 240 Default Gateway192. 168. 6. 110 |Branch: EDN |IP Address Range | |Production Host Range |192. 68. 5. 65——–192. 168. 5. 71 | |(Lower half) | | |Management Host Range |192. 168. 5. 72——–192. 168. 5. 78 | |(Upper half) | | Supply addresses for a production and management host. Production Host (1) IP Address192. 168. 5. 65 Subnet Mask255. 255. 255. 240 Default Gateway192. 168. 5. 78 Management Host (1)IP Address192. 168. 5. 72 Subnet Mask255. 255. 255. 240 Default Gateway192. 168. 5. 78 Step 2 Basic Configuration Apply a basic configuration to the router. This configuration should include all the normal configuration items. You must supply one router configuration file. This will be either Dundee or Edinburgh. The router configuration files will be marked as follows: Basic Configuration †¢ Router name †¢ Console and VTY configuration and passwords (use ‘cisco’, ‘class’ and ‘berril’ for console, secret and VTY passwords r espectively) †¢ Interface configurations DTE/DCE identified appropriately and clockrates set only on DCE †¢ Routing correct and working (RIP is fine) †¢ Host tables †¢ Banner display before login – warn of unauthorised access Basic Configuration (40 marks) Security (ACLS – Marked as part of step 3) 1. ACLs correct and applied to correct interface in correct direction [10] 2. ACLs correct but not applied to correct interface or direction [7 – 9] 3. ACLs attempted but some errors or wrong placement [4 – 6] 4. ACLs attempted but incorrect and not applied properly [1- 3] 5. ACLs not attempted [0]ACL Total (Total 10 marks) Step 3 Security There are several security concerns in the Internetwork. Develop Access Control Lists (ACLs) to address security issues. The following problems must be addressed: 1. The production hosts in both the Edinburgh and Dundee networks are permitted HTTP access to the 172. 16. 0. 0 network, management hosts are p ermitted no access to this network. 2. The company has discovered an Internet Web server at 198. 145. 7. 1 that is known to contain viruses. All hosts are banned from reaching this site. The ACLs are worth 10 marks. Step 4 VLANsThis step is the final 20% of the coursework mark. To achieve this step you should consider how you might use a VLAN to separate the production and management LANs. The goal is that neither network should be able to see the other network traffic. There is no additional guidance on this part of the skills test as you are expected to identify: 1. An appropriate VLAN number to use for each VLAN. 2. An appropriate VLAN configuration. 3. Implement the VLAN and provide the switch configuration file(s) to show that the VLAN has been implemented. VLAN Marks The VLAN component will be marked as follows: VLAN configured and correct configuration supplied [20] †¢ VLAN identified but configuration incomplete or incorrect [10 – 15] †¢ VLAN attempted [5 â €“ 10 depending on level of attempt] †¢ VLAN not attempted [0] VLAN (Total 20 marks) Appendix Network device configurations†¦Ã¢â‚¬ ¦ [pic] [pic] [pic] [pic] [pic] [pic] [pic] [pic] [pic] [pic] Press RETURN to get started! Router>enable Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# Router(config)#hostname EDINBURGH EDINBURGH(config)#line console 0 EDINBURGH(config-line)#password ciscoEDINBURGH(config-line)#login EDINBURGH(config-line)#exit EDINBURGH(config)#line vty 0 4 EDINBURGH(config-line)#password cisco EDINBURGH(config-line)#login EDINBURGH(config-line)#exit EDINBURGH(config)#enable password cisco EDINBURGH(config)#exit EDINBURGH# %SYS-5-CONFIG_I: Configured from console by console EDINBURGH#configure terminal Enter configuration commands, one per line. End with CNTL/Z. EDINBURGH>en Password: EDINBURGH#config t Enter configuration commands, one per line. End with CNTL/Z. EDINBURGH(config)#enable secret class EDINBURGH(config)#exit EDINBURGH# SYS-5-CONFIG_I: Configured from console by console [pic] [pic] EDINBURGH#configure terminal Enter configuration commands, one per line. End with CNTL/Z. EDINBURGH(config)#interface serial2/0 EDINBURGH(config-if)#ip address 209. 154. 16. 1 255. 255. 255. 0 EDINBURGH(config-if)#no shutdown %LINK-5-CHANGED: Interface Serial2/0, changed state to up EDINBURGH(config-if)#exit %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up EDINBURGH(config)#interface fastethernet0/0 EDINBURGH(config-if)#ip address 192. 168. 5. 78 255. 255. 255. 240 EDINBURGH(config-if)#no shutdown LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up EDINBURGH(config-if)#exit EDINBURGH(config)#router rip EDINBURGH(config-router)#network 172. 16. 0. 0 EDINBURGH(config-router)#network 192. 168. 6. 0 EDINBURGH(config-router)#network 192. 168. 5. 0 EDINBURGH(config-rout er)#network 209. 154. 16. 0 EDINBURGH(config-router)#network 209. 154. 17. 0 EDINBURGH(config-router)#exit EDINBURGH(config)# banner motd #warn of unauthorised access# EDINBURGH(config)# banner login #do not enter if you are not authorized# EDINBURGH(config)#ip host DUN 209. 54. 17. 1 192. 168. 6. 110 EDINBURGH(config)#ip host GLA 172. 16. 1. 254 209. 154. 16. 2 209. 154. 17. 2 EDINBURGH(config)#exit EDINBURGH# %SYS-5-CONFIG_I: Configured from console by console EDINBURGH#copy running-config startup-config Destination filename [startup-config]? Building configuration†¦ [OK] EDINBURGH# EDINBURGH>show host Default Domain is not set Name/address lookup uses domain service Name servers are 255. 255. 255. 255 Codes: UN – unknown, EX – expired, OK – OK, – revalidate temp – temporary, perm – permanent NA – Not Applicable None – Not definedHost Port Flags Age Type Address(es) DUN None (perm, OK) 0 IP 192. 168. 6. 110 209. 154. 17 . 1 GLA None (perm, OK) 0 IP 172. 16. 1. 254 209. 154. 16. 2 209. 154. 17. 2 EDINBURGH> [pic] [pic] [pic] EDINBURGH#show r Building configuration†¦ Current configuration : 1291 bytes ! version 12. 2 no service timestamps log datetime msec no service timestamps debug datetime msec o service password-encryption ! hostname EDINBURGH ! ! ! enable secret 5 $1$mERr$9cTjUIEqNGurQiFU. ZeCi1 enable password cisco ! ! ! ! ! ! ! ! ip host DUN 192. 168. 6. 110 209. 154. 17. 1 ip host GLA 172. 16. 1. 254 209. 154. 16. 2 209. 154. 17. 2 ! ! ! ! ! ! interface FastEthernet0/0 ip address 192. 168. 5. 78 255. 255. 255. 240 ip access-group 100 in duplex auto speed auto ! interface FastEthernet1/0 no ip address duplex auto speed auto shutdown ! interface Serial2/0 ip address 209. 154. 16. 1 255. 255. 255. 0 ip access-group 10 out ! interface Serial3/0 no ip address shutdown ! interface FastEthernet4/0 o ip address shutdown ! interface FastEthernet5/0 no ip address shutdown ! router rip network 172 . 16. 0. 0 network 192. 168. 5. 0 network 192. 168. 6. 0 network 209. 154. 16. 0 network 209. 154. 17. 0 ! ip classless ! ! access-list 100 deny tcp 192. 168. 5. 72 0. 0. 0. 7 172. 16. 0. 0 0. 0. 255. 255 eq www access-list 100 permit ip any any access-list 10 permit any access-list 10 deny host 198. 145. 7. 1 ! ! ! no cdp run ! banner login ^Cdo not enter if you are not authorized^C banner motd ^Cwarn of unauthorised access^C ! ! ! ! line con 0 password cisco login line vty 0 4 password cisco login ! ! ! endEDINBURGH# EDINBURGH#show access-lists configuration EDINBURGH(config)#access-list 100 deny tcp 192. 168. 5. 72 0. 0. 0. 7 172. 16. 0. 0 0. 0. 255. 255 eq 80 EDINBURGH(config)#access-list 100 permit ip any any EDINBURGH(config)#interface fastethernet0/0 EDINBURGH(config-if)#ip access-group 100 in EDINBURGH(config-if)#exit EDINBURGH(config)#access-list 10 permit any EDINBURGH(config)#access-list 10 deny host 198. 145. 7. 1 EDINBURGH(config)#interface serial2/0 EDINBURGH(config-if )#ip access-group 10 out EDINBURGH(config-if)#exit EDINBURGH(config)#exit EDINBURGH# %SYS-5-CONFIG_I: Configured from console by consoleEDINBURGH#copy running-config startup-config Destination filename [startup-config]? Building configuration†¦ [OK] EDINBURGH# [pic] EDINBURGH#show access-lists Extended IP access list 100 deny tcp 192. 168. 5. 72 0. 0. 0. 7 172. 16. 0. 0 0. 0. 255. 255 eq www permit ip any any Standard IP access list 10 permit any deny host 198. 145. 7. 1 EDINBURGH# [pic] EDINBURGHSWITCH CONFIGURATION Switch>en Switch#config t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#hostname EDINBURGHSWITCH EDINBURGHSWITCH(config)#line console 0 EDINBURGHSWITCH(config-line)#password ciscoEDINBURGHSWITCH(config-line)#login EDINBURGHSWITCH(config-line)#exit EDINBURGHSWITCH(config)#line vty 0 4 EDINBURGHSWITCH(config-line)#password cisco EDINBURGHSWITCH(config-line)#login EDINBURGHSWITCH(config-line)#exit EDINBURGHSWITCH(config)#enable password c isco EDINBURGHSWITCH(config)#exit EDINBURGHSWITCH# %SYS-5-CONFIG_I: Configured from console by console EDINBURGHSWITCH#config t Enter configuration commands, one per line. End with CNTL/Z. EDINBURGHSWITCH(config)#enable secret class EDINBURGHSWITCH(config)#exit EDINBURGHSWITCH# %SYS-5-CONFIG_I: Configured from console by console EDINBURGHSWITCH# EDINBURGHSWITCH#config tEnter configuration commands, one per line. End with CNTL/Z. EDINBURGHSWITCH(config)#interface vlan1 EDINBURGHSWITCH(config-if)#ip address 192. 168. 5. 77 255. 255. 255. 240 EDINBURGHSWITCH(config-if)#no shutdown %LINK-5-CHANGED: Interface Vlan1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up EDINBURGHSWITCH(config-if)#ip default-gateway 192. 168. 5. 78 EDINBURGHSWITCH(config)#exit EDINBURGHSWITCH# %SYS-5-CONFIG_I: Configured from console by console EDINBURGHSWITCH#copy running-config startup-config Destination filename [startup-config]? Building configuration†¦ [OK ]EDINBURGHSWITCH# EDINBURGHSWITCH#vlan database % Warning: It is recommended to configure VLAN from config mode, as VLAN database mode is being deprecated. Please consult user documentation for configuring VTP/VLAN in config mode. EDINBURGHSWITCH(vlan)#vlan 10 name production VLAN 10 modified: Name: production EDINBURGHSWITCH(vlan)#vlan 20 name management VLAN 20 added: Name: management EDINBURGHSWITCH(vlan)#exit APPLY completed. EDINBURGHSWITCH#config t Enter configuration commands, one per line. End with CNTL/Z. EDINBURGHSWITCH(config)#interface fastethernet0/2 EDINBURGHSWITCH(config-if)#switchport mode accessEDINBURGHSWITCH(config-if)#switchport access vlan 10 EDINBURGHSWITCH(config-if)