Cyber Shield:

Defending the network Problem Statement:

PART 1:
Campus Network Analysis

Network Topology Overview

The university campus network is a complex infrastructure designed to support

academic, administrative, and recreational activities. It consists of several
interconnected devices, including routers, switches, firewalls, servers, access points,
and end-user devices (computers, smartphones, IoT devices). The network is
segmented into different VLANs to isolate traffic and enhance security.

Network Components

1. Core Layer: Comprises high-performance routers and switches that form the
backbone of the network, connecting all other layers and ensuring fast and
reliable data transfer.

2. Distribution Layer: Includes routers and switches that manage traffic between
the core layer and access layer, applying policies and performing routing
functions.

3. Access Layer: Consists of switches and access points that connect end-user
devices to the network, providing connectivity and enforcing security policies.

4. Data Centers: Host servers and storage devices, supporting academic

applications, databases, email, and other services.

5. Security Devices: Firewalls, intrusion detection systems (IDS), and intrusion

prevention systems (IPS) protect the network from external and internal threats.

Network Mapping with Cisco Packet Tracer

Utilizing Cisco Packet Tracer, the network infrastructure can be visually represented to
display the placement and interconnectivity of various components.

1. Core Layer: High-capacity routers and Layer 3 switches form the central
backbone, interconnecting different campus buildings and critical services.

2. Distribution Layer: Layer 2/3 switches aggregate traffic from multiple access
layer switches, applying security policies and routing.

3. Access Layer: Edge switches connect to end-user devices and wireless access
points.
 4. Data Centers: Include servers connected to core/distribution switches,
protected by firewalls.

5. Security Devices: Firewalls placed at network perimeters, IDS/IPS systems

monitoring traffic for anomalies.

Attack Surface Mapping

Potential Vulnerabilities

1. Unauthorized Access: Insufficient access controls may allow unauthorized

users to access sensitive data.

2. Data Breaches: Weak encryption or unpatched systems could lead to data

breaches.

3. Network Availability: DDoS attacks or hardware failures can disrupt network

services.

Identified Weaknesses

1. Insufficient Network Segmentation: Flat network architecture without proper

VLAN segmentation increases the risk of lateral movement by attackers.

2. Weak Authentication Mechanisms: Lack of multi-factor authentication (MFA)

increases susceptibility to credential theft.

3. Unpatched Systems: Outdated software and firmware on network devices can

be exploited.

Proposed Countermeasures

Enhanced Network Segmentation

1. VLAN Implementation: Segment the network into VLANs based on department

or function (e.g., academic, administrative, guest) to isolate traffic and limit the
spread of malware.

2. Subnets: Use subnets to further isolate critical systems and sensitive data.

Strengthened Authentication and Authorization

1. Multi-Factor Authentication (MFA): Implement MFA for all network access

points, including VPN and remote access.

2. Role-Based Access Control (RBAC): Enforce RBAC to ensure users have the
minimum necessary permissions.

Intrusion Detection and Prevention

 1. Regular IDS/IPS Updates: Ensure IDS/IPS systems are regularly updated with
the latest signatures and patterns to detect and prevent known threats.

2. Network Monitoring: Implement continuous network monitoring to detect

anomalies and potential breaches in real-time.

Regular Patch Management

1. Automated Patch Deployment: Use automated tools to regularly update all

network devices with the latest security patches.

2. Vulnerability Scanning: Conduct regular vulnerability scans to identify and

remediate potential weaknesses.

DDoS Mitigation Strategies

1. Traffic Analysis and Filtering: Use traffic analysis tools to detect and filter out
malicious traffic patterns.

2. Redundant Network Paths: Design the network with redundant paths and
failover mechanisms to ensure availability during attacks.

Cyber Shield:
Defending the network Problem Statement:
PART 2:
Hybrid Working Environment Design

Objectives

1. Enable secure access for faculty and students to specific resources both on-
campus and remotely.

2. Ensure campus network services are not exposed to the public internet.

3. Implement robust network security measures to protect against unauthorized

access and cyber threats.

Solution Components
 1. Virtual Private Network (VPN): Implement VPN solutions for secure remote
access.

2. Network Access Control (NAC): Enforce network policies and control device
access.

3. Multi-Factor Authentication (MFA): Strengthen authentication mechanisms.

4. Firewall: Protect the network perimeter.

5. Intrusion Detection and Prevention Systems (IDS/IPS): Monitor and prevent

threats.

6. Separate VLANs: Isolate faculty and student traffic.

Component Details

1. VPN Solutions:

o Cisco AnyConnect: Provides secure VPN access for faculty and

students, ensuring encrypted connections to the college network from
remote locations.

o Risks: VPN misconfiguration can lead to vulnerabilities. Ensuring robust

setup and regular monitoring is essential.

o Advantages: Secure remote access to resources, encrypted data

transmission, and integration with existing Cisco infrastructure.

2. Network Access Control (NAC):

o Cisco Identity Services Engine (ISE): Enforces policies for device

access, ensuring only authorized devices can connect to the network.

o Risks: Initial setup complexity and possible disruptions if not configured

correctly.

o Advantages: Enhanced security by controlling device access, automated

compliance checks, and detailed access logs.

3. Multi-Factor Authentication (MFA):

o Duo Security: Implement MFA for all network access points, requiring an
additional verification step beyond passwords.

o Risks: User inconvenience and possible resistance to adoption.

o Advantages: Significantly reduces the risk of credential theft and

unauthorized access.

4. Firewall:
 o Cisco ASA Firewall: Provides robust protection at the network perimeter,
filtering traffic based on security rules.

o Risks: Potential performance bottlenecks if not properly configured.

o Advantages: Strong defense against external threats, granular control

over traffic, and integration with other Cisco security products.

5. Intrusion Detection and Prevention Systems (IDS/IPS):

o Cisco Firepower: Monitors network traffic for suspicious activity and

automatically takes preventive measures.

o Risks: False positives can disrupt legitimate activities.

o Advantages: Proactive threat detection, real-time response to intrusions,

and detailed reporting.

6. Separate VLANs:

o Faculty VLAN: Dedicated VLAN for faculty devices with access to faculty-
specific resources.

o Student VLAN: Separate VLAN for student devices, isolating them from
faculty resources.

o Risks: Misconfiguration can lead to VLAN hopping attacks.

o Advantages: Improved security through traffic segmentation, reduced

risk of lateral movement by attackers, and better network performance
management.

Updated Network Topology

1. Core Layer:

o High-capacity routers and Layer 3 switches, connecting all layers and

data centers.

2. Distribution Layer:

o Layer 2/3 switches, applying policies and routing between core and
access layers.

3. Access Layer:

o Edge switches and wireless access points for end-user connectivity.

4. Security Components:

o Cisco ASA Firewall: Positioned at the network perimeter.

 o Cisco Firepower: Monitoring traffic between layers.

o Cisco ISE: Managing device access.

o Duo Security: Providing MFA for all access points.

5. VLAN Segmentation:

o Faculty VLAN: Isolated from student and guest networks.

o Student VLAN: Separate from faculty and guest networks.

o Guest VLAN: For visitors, with internet access only.

Reasoning Behind Choices

1. VPN Solutions:

o Secure remote access is critical for hybrid work environments. Cisco

AnyConnect ensures encrypted connections, protecting data in transit.

2. Network Access Control (NAC):

o NAC ensures only authorized devices connect to the network, reducing

the risk of unauthorized access.

3. Multi-Factor Authentication (MFA):

o MFA adds an extra layer of security, mitigating the risk of credential theft.

4. Firewall and IDS/IPS:

o Firewalls and IDS/IPS provide robust defense mechanisms, protecting

against external threats and monitoring for anomalies.

5. VLAN Segmentation:

o Segregating traffic improves security and network performance, reducing

the risk of lateral movement by attackers.

Risks and Advantages

Risks:

• Misconfiguration of components can introduce vulnerabilities.

• User resistance to new security measures like MFA.

• Initial setup complexity and potential disruptions.

Advantages:

• Enhanced security for remote and on-campus access.

 • Segregated network traffic reduces risk of data breaches.

• Robust defense mechanisms protect against external and internal threats.

Cyber Shield:
Defending the network Problem Statement:
PART 3:

Solution for Restricting Access to Irrelevant Sites

Exploring Solutions

To restrict access to only allowed categories of web content, a robust web filtering
solution is necessary. This can be achieved through a combination of network security
products such as:

1. Web Filtering Software:

o Cisco Umbrella: Cloud-based web security service that provides web

filtering and threat intelligence.

o Risks: Reliance on internet connectivity for cloud-based solutions,

potential bypass methods by tech-savvy students.

o Advantages: Comprehensive URL filtering, real-time threat detection,

easy deployment, and management.

2. Next-Generation Firewalls (NGFW):

o Cisco Firepower NGFW: Offers advanced filtering capabilities, deep

packet inspection, and application control.

o Risks: Higher cost and complexity compared to basic firewalls.

o Advantages: Granular control over network traffic, integration with

existing security infrastructure, and protection against advanced threats.

3. Content Filtering Appliances:

o Barracuda Web Security Gateway: Hardware appliance that filters web

traffic based on predefined categories.
 o Risks: Potential performance bottlenecks, higher upfront costs.

o Advantages: Robust filtering capabilities, easy to manage policies, and

on-premises control.

Updated Network Topology

The updated topology includes the addition of Cisco Umbrella for cloud-based web
filtering and Cisco Firepower NGFW for advanced traffic management and content
filtering.

1. Core Layer:

o High-capacity routers and Layer 3 switches, connecting all layers and

data centers.

2. Distribution Layer:

o Layer 2/3 switches, applying policies and routing between core and
access layers.

3. Access Layer:

o Edge switches and wireless access points for end-user connectivity.

4. Security Components:

o Cisco ASA Firewall: Positioned at the network perimeter.

o Cisco Firepower NGFW: Advanced traffic management and filtering.

o Cisco Umbrella: Cloud-based web filtering.

o Cisco ISE: Managing device access.

o Duo Security: Providing MFA for all access points.

5. VLAN Segmentation:

o Faculty VLAN: Isolated from student and guest networks.

o Student VLAN: Separate from faculty and guest networks.

o Guest VLAN: For visitors, with internet access only.

Reasoning Behind Choices

1. Cisco Umbrella:

o Provides cloud-based web filtering, allowing the college to easily manage

and enforce web access policies. Its threat intelligence capabilities
enhance security by blocking malicious sites.
 2. Cisco Firepower NGFW:

o Offers granular control over network traffic and deep packet inspection,
enabling the college to enforce detailed content filtering policies.
Integration with existing Cisco infrastructure simplifies management.

Risks and Advantages

Risks:

• Dependence on internet connectivity for cloud-based solutions like Cisco

Umbrella.

• Potential bypass methods by tech-savvy students.

• Initial setup complexity and potential performance impacts with NGFW.

Advantages:

• Comprehensive web filtering and threat protection.

• Granular control over network traffic and application usage.

• Seamless integration with existing security infrastructure.

• Enhanced security posture and reduced risk of misuse of campus resources.

Web Access Policies

The following policies can be applied to enforce restricted access to allowed categories
of web content:

1. Block Social Media:

o "Block access to social media sites such as Facebook, Twitter, Instagram,

and Snapchat."

2. Allow Educational Sites:

o "Allow access to educational sites including .edu domains, online

libraries, and academic journals."

3. Block Streaming Services:

o "Block access to streaming services like Netflix, Hulu, and Amazon Prime
Video."

4. Allow Research Resources:

o "Allow access to research databases, online tools, and educational

platforms like Coursera and Khan Academy."
5. Block Gaming Sites:

o "Block access to online gaming sites and platforms such as Steam, Xbox
Live, and PlayStation Network."

6. Allow College Services:

o "Allow access to all college-specific services and resources."

7. Block Adult Content:

o "Block access to adult content and explicit websites."

8. Monitor and Report:

o "Monitor web traffic and generate reports on web usage for administrative
review."