DESIGN AND IMPLEMENT A SECURED UNIVERSITY CAMPUS NETWORK WITH

AAA USING MIKROTIK

NAME: Ebong Halle Etoh

MATRICULE: SC20A892

1. INTRODUCTION
1.1. Historical Background
In today’s interconnected world, where technology reigns supreme, the need to
robust network security measures has become paramount. This project aims to
provide a detailed and engaging guide to implement network security in a university
campus network with AAA using [Link] following these steps and best
practices, students can fortify their digital infrastructure against potential treats and
protect sensitive information.
Network security is the practice of protecting networks and their infrastructure from
unauthorized access, misuse, or disruption. It encompasses various technologies,
polices, and practices aimed at ensuring the confidentiality, integrity and availability
of data. By employing robust network security measures, universities can safe guard
their digital assets against cyber threats.
Network security encompasses a range of measures designed to protect computer
networks from unauthorized access, data branches, and malicious activities. It
involves both hard ware and software components, as well as proactive policies and
procedures aimed at mitigating risks. By understanding the fundamental principles of
network security, universities can lay the foundation of a robust and resilient security
infrastructure.
Before implementing network security measures, it is crucial to conduct a
comprehensive assessment of potential risks and vulnerabilities. This involves
identifying potential entry points, evaluating existing security measures, and
analyzing the potential impact of security branches. By conducting a thorough risk
assessment, organizations can develop an effective security strategy tailored to their
specific needs.
 Authentication: As the first, authentication provides a way of identifying a
user, typically by having them enter a valid username and password before

1
 access is granted. Other authenticated processes can be used instead , such as
biometrics or smart card.
The authentication process is based on each user having a unique set of
criteria for gaining access. AAA server compares the user’s credentials in the
authentication request with the user credential store in database. If the
credentials match, the user is granted access to the network. If the credentials
don’t match, authentication fails, and the user is denied network access.
Once authenticated, the user is limited to the performing actions that don’t
access specified data or resources configured by network administrators.
 Authorization: following authentication, the user must be authorized to
perform certain task. After logging into a system, for instance, they might try
to issue commands. The authorization process determines whether the user
has the authority to issue such commands. Simply put authorization in the
process of enforcing policies by determining what type of qualities of
activities, resources or services the user is permitted. Usually, authorization
occurs within the context of authentication. Once the user is authenticated
they can be authorized for different type of activities.
 Accounting: measures the resources the user consumes during access. This
can include the amount of system times or data the user has sent and received
during a session. Accounting logs sessions statistics and usage information
and is used for authorization control, billing, trend analysis, resources
utilization and capacity planning activities.
1.2. IMPORTANCE OF THIS PROJECT
Your network is the first line for your company’s sensitive data and system. If your
network isn’t secure, malicious actors will find a way in and start wreaking havoc on
all of your other defenses.
Network security is the practice of securing computer networks from attack. These
network typically handle sensitive information, such as customer data and financial
data. As such it is important to keep network security strong. If it isn’t, hackers can
steal this data and cause a host of other problems.
Network security address three key areas of concern: confidentiality is the assurance
that data is only used by authorized individuals and its not disclosed to others.
Integrity ensures that data is not altered in any way during transmission or storage.
Availability ensures that the network is available when data owners need it.

2
 One of the most important aspects of protecting your network is to protect criteria
data. This includes customers data, financial data, and employee data. By keeping
your network secure, you reduce the risk of a data breach, which can severely impact
your organisation’s reputation and bottom line. This is especially important in
today’s increasingly connected world where data is more portable than ever before.
In other to protect data, you need to trust your network, system, and devices are
secure. This is accomplished through a variety of robust security measures, such as
encryption, firewalls, antivirus software, password manager, and employee training.
1.3. THE AIM AND BOUNDARIES OF THE PROJECT
The main aim of this project is to prevent unauthorized access into or between parts
of a network. The main objectives of security are: confidentiality, Integrity and
availability. Network security is an essential aspect of cybersecurity that protects
network data and resources from attackers. Network security has three main
objectives to prevent unauthorized access, to detect and stop cyberattacks, and to
ensure secure access for authorized users.
 Confidentiality: this is the assurance that information is not disclosed to
unauthorized individuals, groups, processes, or devices. Highly confidential
data must be encrypted so third parties cannot easy decrypt it. Only those who
are authorized to view the information are allowed access.
 Integrity: the accuracy and completeness of vital information must be
safeguarded. Data should not be altered or destroyed during transmission and
storage. This involves making sure that an information system is not
tampered by any unauthorized entities. Policies should be in places so that
users know how to properly utilize their system.
 Availability: This means the authorized users have timely and easy access to
information services. IT resources and infrastructure should remain robust
and fully-function at all times even during adverse conditions, such as data
base conundrum or fall-over. It involves protecting against malicious codes,
hackers, and other threats that could block access to the information system.
 Authenticity: the security measure is designed to establish the validity of a
transmission, message, or a means of verifying an individual and individual’s
authorization to receive specific information. Authentication prevents
impersonation and requires users to confirm their identities before being

3
 allowed access to systems and resources. This includes user names, password,
emails, biometrics, and others.
 Non-Repudiation: This attributes assures the sender of data is provided with
proof of the sender’s, receiving, or access the data. Security principles should
be used to prove identities and to validate the communication process.

Boundaries are used to specify the range of devices and services that are allowed on the
network. Network boundaries are also used to protect the network from unauthorized access
and malicious attacks. Network boundaries are important for organizations because they help
to secure their networks from external threats. In this project, the network security will be just
within the university campus.

1.4. WHAT WE WERE UNABLE TO DO

One of the primary challenges in cybersecurity is the constantly evolving nature of
cyber threats. Hackers and cybercriminals continuously develop new methods to
exploit vulnerabilities, often staying one step ahead of defensive measures. This
perpetual arms race means that what is considered safe today may be vulnerable
tomorrow.
Resources constraints. Since this is a small project there were no sophisticated devices
and much capital hence very limited resources making the project difficult to maintain
and easy target for hackers.
Limited Technology. Due to limited resources and low maintenance, sophisticated
hackers can often find ways around these technology, exploiting even the smallest
vulnerability.

4
5
2. LITERATURE REVIEW
In this chapter we see the approach and solutions others have developed concerning this
project. A background study of a secure campus network based on Mikrotik, and Windows
Server would involve an in-depth analysis of the hard ware and the software components,
network design, security measures, and best practices in network engineering and
administration. Existing network infrastructure -It could be important to understand the
current network infrastructure and how well it meets the organization’s needs, as well as any
limitations or vulnerability that may exist. Technical specifications and capabilities of each
technology-Determining the specific technical capabilities of the Mikrotik devices, and
Window server solutions can help to identify potential strength and weakness of the proposed
network architecture. Potential cost-Understanding the cost of purchasing and deploying the
equipment required for the secure campus network, as well as any ongoing maintenance or
operational expenses is also important to consider. Network security-It is essential to analyze
the network security features of each proposed technology and create a comprehensive frame
work to help ensure that the network is secured against both internal and external threads.
Compatibility issues-Ensuring that the hard ware and soft ware being proposed for the
network are compatible with existing equipment and software is also important to consider.
Network management-The network management practices and procedures should be studied
to ensure that the network can be easily managed and monitored.[1]. Mikrotik router OS are
software that can be used to make the computer become a reliable network router, covering
various features made for IP networks and wireless networks, suitable for use by ISAP and
hotspot provider . For the installation of Mikrotik is not required additional soft wear or other
additional components. Mikrotik is designed to be easy to use and very well used for the
purposes of computer network administration such as designing, and building a small to
complex computer network system though.[2]. The campus network of our study is designed
in a hierarchical manner which is common practice of campus and enterprise network. It
provides a modular topology of building blocks that allow the network to evolve easily.
A hierarchical design avoids the need for fully meshed networks in which all network nodes
are inter connected.
Designing a campus network may not appear as interesting or exiting as designing an IP
telephony network, an IP video network, or even designing a wireless network. However,
emerging applications like these are built upon the campus foundation. Much like the
construction of a house, if the engineering work is skipped at the foundation level, the house
will crack and eventually collapse.
Here are some proposed steps for mitigating the known attacks of a campus network:
 Creation VLANs(virtual LAN) for security;
It’s easy to see why virtual LANs have become extremely popular on networks of all
seizes. In practical terms multiple VLANs are pretty much the same as having
multiple separate physical networks within a single organization- without the
headache of managing multiple cable plans and switches. Because VLANs segments
a network, creating multiple broadcast domains, they effectively allow traffic from
the broadcast domains to remain isolated while increasing the networks bandwidth,
availability and security.
 Implementing Firewall for internal and external security:

6
 A firewall works to monitor and block or allow network traffic, both incoming and
outgoing, on a private network. While there is a hard ware firewall to help protect the
campus network security, these firewall affects certain out bound traffic and prevents
unauthorized inbound traffic. Net BIOS, SMTP and other miscellaneous ports
determined to pose a security risk are blocked in the outgoing direction. This does not
impact the majority of academic work related programs used on the campus.
 Virtual private network(VPN) used for branched campus:
A virtual private network(VPN) extends a private network across a public network,
such as the internet. It enables a computer, or network-enabled device to send and
receive data across shared or public networks as if it were directly connected to the
private network, while benefitting from the functionality security and management
policies of the public network. A VPN is created by establishing a virtual point-to-
point connection through the use of dedicated connection, virtual tunneling protocols,
or traffic encryption. Major implementation of VPN includes: OpenVPN and IP sec.
Campus VPN-provides a full tunnel VPN service that is a secure(encrypted)
connection to the network from off campus. Common uses of the campus VPN
includes: access to file sharing/shared drives and certain application that require a
campus IP address. The campus VPN has a 20-hours session limit. [3]
Designing your security system, consider the following questions that your standard
probably doesn’t address:
 Are there any caveats to these hardening standards in a redundant design?
 In a high load environment, what will be the performance impact of these standards?
Do we need to upgrade our devices as a result?
 Are there other settings we should implement on a router in an internet connection
beyond the published standards?[4]

7
8
9