Cse2anx Assessment3
Task 2
Task 3
Task 4/5
Task A
This ACL configuration specifically denies HTTP traffic from PC10 to the ISP Web Server while allowing
all other types of traffic. PC20 is used as an example to show that other traffic is still allowed.
Task B
PC30 is unable to access the ISP FTP Server (70.0.0.12) but can access other services. 70.0.0.11 is used to
show that PC30 can still reach other services.
Task C
This ACL configuration specifically denies ICMP traffic from PC20 to the 70.0.0.0/24 network while
allowing all other IP traffic. When PC20 pings a host in the 70.0.0.0/24 network no reply is received,
whereas a ping to the 50.0.0.0/24 network is answered.
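The three tasks above all rely on the same extended-ACL semantics: entries are checked top to bottom, the first match wins, and anything that matches no entry is dropped by the implicit deny at the end. The following is an added example (not part of the assignment or its Packet Tracer configuration) that models those rules in Python so the behaviour can be checked without a router. The PC and web-server addresses are constructed (PC10 = 10.0.0.10, PC20 = 10.0.0.20, PC30 = 10.0.0.30, ISP Web Server = 70.0.0.10); only 70.0.0.11, 70.0.0.12 and the 70.0.0.0/24 and 50.0.0.0/24 networks come from the page.

```python
"""Minimal model of Cisco-style extended ACL evaluation (added example).

Assumed addresses (constructed, the assignment does not list them):
  PC10 = 10.0.0.10, PC20 = 10.0.0.20, PC30 = 10.0.0.30, ISP Web Server = 70.0.0.10
From the page: ISP FTP Server = 70.0.0.12, other ISP host = 70.0.0.11.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # TCP/UDP destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or "address/wildcard-mask"
    dst: str
    dport: Optional[int] = None  # None = any port


def _matches_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split("/")
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    keep = ~w & 0xFFFFFFFF       # bits the router compares
    return (a & keep) == (b & keep)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _matches_addr(rule.src, pkt.src) or not _matches_addr(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit deny applies."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def to_ios(name: str, acl: List[Rule]) -> str:
    """Render the model as IOS-style named extended ACL lines (for comparison with the lab)."""
    def addr(spec: str) -> str:
        if spec == "any":
            return "any"
        base, wildcard = spec.split("/")
        return f"host {base}" if wildcard == "0.0.0.0" else f"{base} {wildcard}"
    lines = [f"ip access-list extended {name}"]
    for r in acl:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f" {r.action} {r.proto} {addr(r.src)} {addr(r.dst)}{port}")
    return "\n".join(lines)


# Task A: block only HTTP (tcp/80) from PC10 to the ISP Web Server, permit the rest.
TASK_A = [Rule("deny", "tcp", "10.0.0.10/0.0.0.0", "70.0.0.10/0.0.0.0", 80),
          Rule("permit", "ip", "any", "any")]
# Task B: block FTP control (tcp/21) from PC30 to the ISP FTP Server, permit the rest.
TASK_B = [Rule("deny", "tcp", "10.0.0.30/0.0.0.0", "70.0.0.12/0.0.0.0", 21),
          Rule("permit", "ip", "any", "any")]
# Task C: block ICMP from PC20 to the whole 70.0.0.0/24 network, permit the rest.
TASK_C = [Rule("deny", "icmp", "10.0.0.20/0.0.0.0", "70.0.0.0/0.0.0.255"),
          Rule("permit", "ip", "any", "any")]
# Common mistake: "permit ip any any" placed first shadows every later deny.
MISORDERED_A = list(reversed(TASK_A))


if __name__ == "__main__":
    print(to_ios("TASK_A", TASK_A))
    print(evaluate(TASK_A, Packet("tcp", "10.0.0.10", "70.0.0.10", 80)))   # deny
    print(evaluate(MISORDERED_A, Packet("tcp", "10.0.0.10", "70.0.0.10", 80)))  # permit
```

The `MISORDERED_A` list illustrates why the deny entries must precede the `permit ip any any` line: with the order reversed, the PC10 HTTP packet is permitted by the first entry and the deny is never evaluated. Note also that Task B only blocks the FTP control channel; the denial is still effective because the client cannot open the session at all.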
Part B
Question 1
1. Confidentiality: By encrypting data as it moves over the network, VPNs ensure data
confidentiality by preventing access by unauthorized users or eavesdroppers.
2. Integrity: By detecting and rejecting unauthorized changes or tampering with transmitted data, VPNs
protect the integrity of data. This function ensures that the data sent and the data received are
the same.
3. Authentication: Users and devices must prove their identity (for example with passwords, digital
certificates or multifactor authentication) before they are allowed onto the VPN.
4. Access Control: VPNs enforce access control by limiting network access to authorized users and
devices. They control who can connect to the network and which resources each user can
access.
Confidentiality:
How security is achieved: Encryption is used to maintain confidentiality. VPNs encrypt data at the source
and decrypt it at the destination using cryptographic techniques. IPsec, SSL/TLS and PPTP are
frequently cited VPN protocols, although PPTP's encryption (MPPE with MS-CHAPv2 authentication)
is considered broken and it should no longer be deployed. Only a party in possession of the proper
decryption key can recover the plaintext from the encrypted data, also referred to as the ciphertext.
Why we require it: Maintaining confidentiality is essential to preventing unauthorized parties from
intercepting sensitive data. A large amount of sensitive data is transferred over public or private
networks in today's globally interconnected society, and maintaining its confidentiality is crucial for both
security and privacy.
Integrity:
How security is achieved: Hash functions and message authentication codes (MACs) are used to
preserve integrity. These techniques produce a fixed-size value (a hash or a keyed tag) for the data.
By recalculating that value and comparing it to the received one, the recipient can confirm that the
data has not been altered in transit.
Why we require it: Data integrity guarantees that no malicious or inadvertent changes have been made
to the data while it is being transmitted. This is essential to guard against data tampering, corruption,
and unauthorized modifications, which could jeopardize the information's authenticity and
dependability.
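To show why VPN integrity protection uses a keyed MAC rather than a plain hash, the following added example (Python, not part of the assignment) appends an HMAC-SHA256 tag to a constructed payload, verifies it at the receiver with a constant-time comparison, and demonstrates that a single flipped byte or a wrong key makes verification fail. The key and message are constructed values.

```python
"""Keyed integrity check (added example): HMAC-SHA256 tag appended to a payload.

The key and payload below are constructed; a real VPN derives the integrity key
from its key exchange (for example IKE for IPsec).
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # SHA-256 digest size in bytes


def protect(key: bytes, payload: bytes) -> bytes:
    """Sender side: append HMAC-SHA256(key, payload) to the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify(key: bytes, message: bytes) -> Optional[bytes]:
    """Receiver side: return the payload if the tag matches, otherwise None.

    hmac.compare_digest avoids leaking how many tag bytes matched via timing.
    """
    if len(message) < TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def flip_byte(message: bytes, offset: int) -> bytes:
    """Constructed in-transit corruption: XOR one byte of the message."""
    m = bytearray(message)
    m[offset] ^= 0x01
    return bytes(m)


def bare_hash_accepts_modified_data(payload: bytes) -> bool:
    """Contrast case: an unkeyed hash can be recomputed by whoever modifies the
    data, so the receiver's check passes even though the payload changed.
    Returns True when the (inadequate) check accepts the modified message."""
    altered = payload.replace(b"100", b"900")
    message = altered + hashlib.sha256(altered).digest()
    body, digest = message[:-TAG_LEN], message[-TAG_LEN:]
    return hashlib.sha256(body).digest() == digest


if __name__ == "__main__":
    key = b"constructed-integrity-key"
    payload = b"transfer 100 to account 42"
    msg = protect(key, payload)
    print(verify(key, msg))                 # b'transfer 100 to account 42'
    print(verify(key, flip_byte(msg, 9)))   # None: payload changed
    print(verify(b"other-key", msg))        # None: wrong key
```

A MAC only covers what it is computed over, which is why IPsec computes the integrity check over the whole packet it protects; it does not by itself prevent replay, so IPsec additionally carries a sequence number that the receiver checks.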
Authentication:
How security is achieved: VPNs use a variety of authentication techniques, such as digital certificates,
biometrics, and passwords. Before being allowed access to the VPN, users and devices must authenticate
themselves. For increased security, multifactor authentication is frequently utilized.
Why we require it: Through authentication, the network is kept safe from unauthorized users and
devices. Inadequate authentication could allow third parties to access and compromise data and
resources, resulting in security lapses and unapproved network usage.
Access Control:
How security is achieved: In virtual private networks (VPNs), access control refers to the process of
creating and enforcing rules that specify which people, devices, or programs are permitted to access
network resources. Role-based access control (RBAC), access control lists, and firewall rules are
frequently used to achieve this.
Why we require it: Restricting access is necessary to reduce vulnerability to security threats. VPNs can
assist in preventing unauthorized users from accessing sensitive data or network components by limiting
access to only those who require it and specifying what they can access.
Question 2
To explain how these three technologies work – Site-to-Site VPN, Site-to-Site VPNs with IPSec, and Client
VPNs with SSL – and demonstrate their hypothetical scenarios in the company illustrated in Figure 1, let's
consider some typical use cases and assumptions:
Assumptions:
Users are mobile and use laptop devices. Users may be using web browsers. The company wants secure
communication between its different branches and remote users.
Scenario 1: Site-to-Site VPN (Router-to-Router VPN)
Each 2911 router at the branch offices can establish VPN tunnels using IPsec to connect to the
central office (ISPISP).
The 3650 Layer-3 switches within each branch office route traffic between the routers and
local devices.
Data exchanged between branch offices and the central office remains secure, encrypted, and
isolated from the public internet.
Scenario 2: Site-to-Site VPNs with IPSec (Router-to-Router VPN with Strong Encryption)
In this scenario, the company wants to strengthen the security of its Site-to-Site VPN connections using
IPsec, a protocol suite that provides encryption, integrity protection and peer authentication.
The routers at each branch office (e.g., Branch Office2) and the central office (ISPISP) establish
IPsec-based Site-to-Site VPN connections.
IPsec encrypts the data as it travels through the public internet, ensuring that even if
intercepted, it remains confidential and secure.
This technology is well-suited for highly sensitive data, such as financial information, which the
company wants to protect from eavesdroppers and unauthorized access.
Scenario 3: Client VPNs with SSL (Remote-Access VPN)
In this scenario, the company provides secure remote access to its network for mobile users, like
employees with laptops working from home or while on the go.
Users with laptops can connect to the company's internal network securely through a web
browser using SSL-based Client VPNs.
SSL VPNs use Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS), to create
an encrypted tunnel between the user's device and the company's internal network.
This enables remote users to access resources like the HO_FTP Server and HO_PC1 securely
without exposing sensitive data to potential threats on public networks.
These technologies enable the company to build a network that's both interconnected and secure,
allowing for efficient and protected communication between the various components of the network, as
illustrated in Figure 1.