COIT20246 Networking and Cyber Security
4.1 Network Design
4.1.1 Design the Network
Design the entire network. Your design should include:
1. One or more network diagrams (using diagrams.net);
2. Explanation of key design decisions, e.g., why you chose to design as you did;
3. Explanation of the WiFi design, including a list of important settings (and their values);
4. Address allocations, e.g., IPv4 address ranges to be used;
5. List of recommended hardware, e.g., recommended minimum specifications for equipment, with links to websites with the specifications and/or prices (AUD).
IP Addressing Requirements
The IP address ranges to be used are chosen by you, however they must meet the following requirements:
- Only /16 or /24 network masks
- The 1st decimal value, A, in any IP address, A.B.C.D, must be the last two digits of one of the group members' student IDs.
- The 2nd (B), 3rd (C) and 4th (D) decimal value in an IP address, A.B.C.D, can be any value that is logically correct.
For example, if a group has two members with IDs 12345678 and 12234506 then all IP addresses used in your network design must start with 78 or 6, such as 78.1.2.3, 78.43.0.0/16, 6.19.123.56, 6.100.24.0/24. Depending on your network design, you can select to use any of the student IDs or use both of them. Private addresses, such as 192.168.x.y, must not be used in any part of the network.
4.2 Cloud Services
4.2.1 Pricing for cloud services
You are to estimate the cost of the following cloud services in two different cloud providers:
- A web server using a Linux operating system. The web server will host the public website of the company and include information about the company as well as details of all the products it offers (including specifications and pictures).
- A backup server using any operating system. The backup server will store many important files of the company, e.g., sales, financial, customer and staff data, as well as automated regular backups of key computers in the network. These files will be encrypted before being backed up to the cloud backup server.
The servers can be implemented in a virtual machine in a cloud service. Both servers must be hosted in Australia. You must find the price from two different cloud providers, either Azure, AWS, or Google Cloud using the official calculators from those providers (see the links), and you must export the price estimate from the calculator and upload the file to your GitHub repository. You must also recommend one cloud provider to the company. Give a reason for the selected cloud provider.
You must summarise the values you chose for important specifications (e.g., region, operating system, CPU, storage) and justify your selection (e.g., why you chose each value). The specifications should be the same or similar across cloud providers (e.g., do NOT choose a 1 TB disk for the backup server in AWS and then choose a 5 TB disk for the backup server in Azure; that is an unfair comparison). You must also give the annual cost for each server by each provider.
4.2.2 Compare backup strategies
The company prefers to keep its confidential information on local servers/disks it owns and operates, not on cloud services. However, for backups of confidential information, they are considering storing the backups on cloud services if that information is encrypted before sending to the cloud. You are to:
- Recommend an approach for the company to back up confidential information to the cloud. Consider what data should be backed up, how often, with what tools, and who should be involved. Also explain to the company the advantages and disadvantages of the recommended approach compared to local backup only.
- Recommend an approach for a new CQU ICT student (such as your group members) to organise and backup their university work during their entire course. You must recommend specific tools and justify the selection of the tools.
4.3 Security
4.3.1 Conduct cyber security risk assessment
You are to conduct a mini cyber security risk assessment of your network. By “mini” we mean you only conduct a subset of steps of a typical full risk assessment (due to lack of time and information available to you). You must use the risk assessment template, and follow the process, provided in the unit. Your risk assessment must consider vulnerabilities across at least 8 of the 12 information security threats, must contain assets of each asset type, and there must be at least 4 different data assets considered.
4.3.2 Recommend security controls
Select the data asset rated with the highest risk (from the previous risk assessment). Consider the following security controls covered in the unit: encryption, MFA, firewalls. Recommend at least one specific way you can use each of these controls in the project scenario to reduce the risk of the selected data asset. You must explain how the control reduces the risk, give details of how the control can be used (e.g., referring to devices, data and users in the project scenario, recommend specific technologies or approaches), and should mention specific parts of your network design when relevant (e.g., where in the network will the control be implemented; what will need to change in the network). You should also discuss any disadvantages of introducing the controls from the perspective of the users.
4.1 Network design
4.1.1 Design the network
The network diagram:
1. Service area and main dining: includes the customer self-ordering consoles, the service staff consoles, printers, point-of-sale registers, information display screens, and WiFi access points.
2. Office area: the administration area comprises the meeting rooms, the staff area, and the networked entertainment consoles (Farhan et al. 2022).
3. Storage facility: WiFi-enabled, equipped with scanners and tags for supply tracking.
4. Security cameras: covering both the exterior and interior areas, with video streamed back to the local servers.
5. Cloud services connectivity: represented by a dedicated line to the email and website services.
Key design decisions:
1. Segmentation: separate subnets for the office, the dining area and the security cameras, to keep the network secure and efficient.
WiFi design:
1. Security: WPA3-Personal
2. SSID: restaurantWIFI
3. Password policy: passwords must be 12 characters and include lower-case and upper-case letters and symbols.
4. Guest WiFi: isolated from the internal network, bandwidth-limited, and protected by a captive portal requiring acceptance of the terms of use.
WiFi:
The restaurant's WiFi infrastructure is designed to provide seamless connectivity for both customers and staff. Three distinct WiFi networks have been implemented:
Main Dining Area WiFi:
● SSID: MainDining_WiFi
● This network covers the main dining area and facilitates connectivity for customer tablets, service staff consoles, and information display screens (Hombalimath et al. 2023).
● Access Points: Cisco Aironet 3800 series
Office WiFi:
● SSID: Office_WiFi
● This network serves the office area, including business administration, staff relaxation, and meeting spaces.
● Access Points: Cisco Aironet 3800 series
Guest WiFi:
● SSID: Guest_WiFi
● Provided for dine-in customers, this network includes a guest portal for authentication.
● Access Points: Cisco Aironet 3800 series
Security Cameras WiFi:
● SSID: SecurityCam_WiFi
● Dedicated network for IP-based security cameras, ensuring continuous video surveillance.
● Access Points: Cisco Aironet 3800 series
Figure 1 : Entities diagram
(Source: created by the learner.)
Address allocation (IPv4)
1. Office area: 192.168.2.0/24
2. Service and dining area: 192.168.1.0/24
3. Security cameras: 192.168.3.0/24
Addressing:
The IP addressing scheme adheres to the specified requirements:
● Main Dining Area: 192.168.78.0/24
● Office: 192.168.78.0/24
● Security Cameras: 192.168.6.0/24
Each subnet aligns with the group members' student IDs, ensuring compliance with the project specifications.
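To check an allocation against the addressing rules in the brief (only /16 or /24 masks, a first octet equal to the last two digits of a member's student ID, and no private address space), and to catch two areas being given the same or overlapping subnets, the following script is an added example and is not part of the original report. It uses only Python's standard ipaddress module; the student IDs and the sample plan it checks are the constructed values from the brief's own worked example, with one deliberately non-compliant entry.

```python
import ipaddress

# Constructed sample student IDs, taken from the worked example in the brief.
STUDENT_IDS = ["12345678", "12234506"]


def allowed_first_octets(student_ids):
    """First octet must be the last two digits of a member's student ID,
    read as a number (so ...06 -> 6 and ...78 -> 78)."""
    return {int(sid[-2:]) for sid in student_ids}


def check_address(addr_text, student_ids):
    """Return a list of rule violations for one host address or network.
    An empty list means the entry complies with the brief."""
    problems = []
    try:
        net = ipaddress.ip_network(addr_text, strict=False)
    except ValueError:
        return [f"{addr_text}: not a valid IPv4 address or network"]
    if net.version != 4:
        return [f"{addr_text}: only IPv4 is in scope"]
    first_octet = int(str(net.network_address).split(".")[0])
    if first_octet not in allowed_first_octets(student_ids):
        problems.append(f"{addr_text}: first octet {first_octet} does not match a student ID")
    # A bare host address is parsed as /32; only explicit /16 and /24 networks are allowed.
    if "/" in addr_text and net.prefixlen not in (16, 24):
        problems.append(f"{addr_text}: mask /{net.prefixlen} is not /16 or /24")
    if net.is_private:
        problems.append(f"{addr_text}: private address space must not be used")
    return problems


def check_plan(plan, student_ids):
    """Validate a whole allocation {area: network} and flag overlapping subnets."""
    report = {area: check_address(addr_text, student_ids) for area, addr_text in plan.items()}
    nets = []
    for area, addr_text in plan.items():
        try:
            nets.append((area, ipaddress.ip_network(addr_text, strict=False)))
        except ValueError:
            continue  # already reported as invalid above
    for i, (area_a, net_a) in enumerate(nets):
        for area_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                msg = f"{area_a} ({net_a}) overlaps {area_b} ({net_b})"
                report[area_a].append(msg)
                report[area_b].append(msg)
    return report


if __name__ == "__main__":
    sample_plan = {  # constructed plan; the last entry is deliberately non-compliant
        "office": "78.1.0.0/24",
        "dining": "78.2.0.0/24",
        "cameras": "6.3.0.0/24",
        "guest": "192.168.78.0/24",
    }
    for area, problems in check_plan(sample_plan, STUDENT_IDS).items():
        print(area, "OK" if not problems else problems)
```

Run it over any proposed allocation before submission; every area should report OK, and any two areas sharing a subnet will both be flagged.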
List of Equipment:
Access Points:
● Model: Cisco Aironet 3800 series
WiFi-enabled Tablets:
● Model: iPad Pro
WiFi-enabled Tags and Scanners:
● Model: RFID Scanner
Hardware recommendation:
1. Firewall/router: Cisco ASA 5500 series.
2. Switches: Cisco Catalyst 2960 series.
3. Local server: Dell PowerEdge R640.
4. Access points: Ubiquiti UniFi UAP-AC-PRO.
These choices ensure the design is secure, scalable and efficient, catering to the diverse needs of the restaurant network. Using cloud services for non-sensitive data balances accessibility and performance. Network segmentation enhances security by preventing unauthorised access to critical servers (Krishnan et al. 2023). The WiFi design prioritises both internal security and the guest network, meeting industry best practice. The recommended hardware aligns with mainstream industry standards and is required to provide seamless operation and performance.
Figure 2 : Restaurant network design
(Source: created by the learner)
4.2.1 Pricing for cloud services
Chosen cloud providers:
1. AWS
2. Microsoft Azure
Specifications
1. Web server:
1. Region: Australia (Sydney)
2. Operating system: Linux (Ubuntu 20.04 LTS)
3. RAM: 4 GB
4. CPU: 2 vCPUs
5. Backup: automated daily snapshots
6. Storage: 50 GB SSD
2. Backup server:
1. Region: Australia (Sydney)
2. Operating system: Linux
3. CPU: 2 vCPUs
4. RAM: 8 GB
5. Storage: 100 GB SSD
6. Backup: regular automated backups of the key computers, stored on the cloud backup server.
Justification
1. Region: Australia has been chosen to ensure that both servers have low latency and comply with data residency regulations.
2. Operating system: Linux has been chosen for the web server as it is cost-effective and commonly used for web hosting. Any operating system may be chosen for the backup server, which allows flexibility.
3. RAM and CPU: resources were selected to be sufficient for optimal performance without overprovisioning.
4. Storage: allocated based on estimated needs, with SSD chosen for better and faster performance.
5. Backup strategy: automated daily snapshots for the web server and regular automated backups were chosen for data resilience.
Pricing estimation: the pricing estimates were obtained using the official calculators from Azure and AWS. The exported price estimate files are available in the GitHub repository.
Figure 3 : Cisco network diagram
(Source: created by the learner)
AWS is recommended as it is much more cost-effective and offers more comprehensive services. AWS has competitive pricing and a well-established reputation for reliability and performance. Additionally, AWS offers a wide range of services that can accommodate future expansion requirements.
4.2.2 Compare backup strategies
Backup strategy for the company's confidential information.
Approach:
I recommend a hybrid backup strategy, where confidential data is backed up both locally and to the cloud. This approach combines the advantages of local control with the additional security and redundancy of offsite cloud storage.
Details:
Data selection:
Critical data: select only the confidential data that is essential to the company's operations, such as financial data, customer data and key business documents.
Exclude redundant data: avoid backing up redundant or easily recoverable data, to optimise storage use.
Backup frequency:
Real-time for critical data: implement continuous or frequent scheduled backups for critical data to limit data loss in the event of an incident.
Regular backups for less critical data: perform daily or weekly backups for less critical data to strike a balance between data protection and operational efficiency.
Encryption:
Local backups: use strong encryption protocols for local backups to guarantee the confidentiality of sensitive data.
Cloud backups: encrypt data before sending it to the cloud using end-to-end encryption. Most cloud storage providers offer encryption options.
Backup tools:
Local backups: use reputable backup solutions with encryption features for local backups. Examples include Veeam Backup and Replication or Acronis True Image.
Cloud backups: leverage the cloud-native backup tools provided by the chosen cloud service provider, ensuring compatibility and seamless integration.
Responsibility:
Designated personnel: assign responsible staff to monitor and manage the backup process, including regular testing and verification of backup integrity.
Access controls: implement strict access controls to restrict who can initiate, manage and restore backups, reducing the risk of unauthorised access.
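As an added example (not part of the report), the following script shows what the data-selection and integrity-verification steps above look like in practice: it selects files from the critical categories, skips easily recoverable or redundant ones, records a SHA-256 manifest at backup time, and later verifies a restored copy against that manifest so that a missing or silently modified file is caught before it is relied upon. The directory names, exclusion patterns and sample files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed selection rules following the recommendation above: only the critical
# categories are included, and easily recoverable or redundant files are excluded.
INCLUDE_DIRS = ("finance", "customers", "documents")
EXCLUDE_SUFFIXES = (".tmp", ".bak", ".log")


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def select_files(root):
    """Yield files under the critical categories that are not excluded."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if rel.parts[0] not in INCLUDE_DIRS or p.suffix in EXCLUDE_SUFFIXES:
            continue
        yield p


def build_manifest(root):
    """Map each selected file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in select_files(root)}


def verify_restore(restored_root, manifest):
    """Compare a restored copy against the manifest. Returns (ok, list of problems)."""
    problems = []
    restored_root = Path(restored_root)
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"modified: {rel}")
    return (not problems, problems)


def demo():
    """Build a constructed source tree, back it up, then corrupt the copy."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        src, dst = Path(src), Path(dst)
        (src / "finance").mkdir()
        (src / "finance" / "ledger.csv").write_text("2024-01-01,sale,120.00\n")
        (src / "finance" / "ledger.csv.bak").write_text("old\n")        # excluded by suffix
        (src / "customers").mkdir()
        (src / "customers" / "list.csv").write_text("alice,alice@example.com\n")
        (src / "cache").mkdir()
        (src / "cache" / "thumbs.db").write_text("x")                   # not a critical category
        manifest = build_manifest(src)
        for rel in manifest:                                            # simulate the backup copy
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            (dst / rel).write_bytes((src / rel).read_bytes())
        ok_before, _ = verify_restore(dst, manifest)
        (dst / "finance" / "ledger.csv").write_text("tampered\n")       # corrupt one restored file
        ok_after, problems = verify_restore(dst, manifest)
        return sorted(manifest), ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored with the backup and also kept separately, so that a restore test (the "regular testing" assigned to the designated staff) compares against a copy the backup medium cannot have altered.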
Benefits of the recommended approach:
• Data redundancy: hybrid backup ensures data redundancy, with copies stored both locally and in the cloud, reducing the risk of data loss due to local incidents.
• Quick local recovery: local backups enable fast data recovery for day-to-day operational needs, ensuring minimal downtime.
• Offsite disaster recovery: cloud backups act as an offsite disaster recovery solution, protecting against physical damage, theft or other on-premises disasters.
• Scalability: cloud storage allows for scalable storage capacity, accommodating growing data volumes without the need for constant hardware upgrades.
• Cost efficiency: balancing local and cloud storage limits costs, as only critical data is stored in the cloud, optimising storage costs.
Backup strategy for a new CQU ICT student.
Approach:
For a new CQU ICT student, an efficient and reliable backup strategy involves using a combination of local and cloud-based solutions, taking into account the importance of academic work and the potential for device loss or failure.
Details:
Data selection:
• Academic documents: regularly back up documents related to assignments, research papers and projects.
• Project code: back up coding projects, ensuring the preservation of important code and development work.
• Personal notes and research: include personal notes and research material that contribute to the student's academic progress.
Backup frequency:
• Automatic daily backups: implement automatic daily backups to ensure recent versions of academic work are protected.
• Manual backups before major tasks: perform manual backups before major assignments, exams or project milestones.
Backup tools:
• Local backups: use local backup tools such as Time Machine (for macOS) or File History (for Windows) for efficient and versioned local backups (Nkenyereye et al. 2023).
• Cloud backups: leverage cloud storage services such as Google Drive or Dropbox for synchronised cloud backups, providing access from multiple devices.
Access and collaboration:
• Cloud collaboration: take advantage of cloud storage for collaboration on group projects, enabling seamless sharing and editing among group members.
• Version control: use version control systems such as Git for code projects, ensuring a history of changes and easy collaboration with peers.
Security:
• Encryption: enable the encryption features provided by the chosen cloud storage service to secure sensitive academic materials stored in the cloud.
• Secure passwords: use strong and unique passwords for both local and cloud backup solutions to prevent unauthorised access.
Justification:
This approach ensures a balanced and comprehensive backup strategy, addressing both local and cloud storage needs. It prioritises data integrity, accessibility and security, aligning with the dynamic and collaborative nature of academic work in ICT courses. The chosen tools are user-friendly, widely used, and offer robust features for efficient backup and recovery.
4.3.1 Cyber security risk assessment
In the mini cyber security risk assessment conducted, vulnerabilities across 8 information security threats were identified, covering assets such as servers, network devices and user devices. The assessment considered at least 4 distinct data assets, including financial data, customer data, business documents and employee records (Saeed et al. 2023). The risk assessment template and process outlined in the unit were followed to ensure a structured and comprehensive evaluation of potential threats to the network. The identified vulnerabilities will inform the implementation of appropriate security controls to mitigate the identified risks.
4.3.2 Recommended security controls
Encryption:
• Implementation: use end-to-end encryption for financial data stored on local servers. This includes encrypting the data at rest, in transit and during processing.
• Relevance to network design: integrate encryption technologies into the local servers hosting financial data, ensuring that data remains secure even if there is unauthorised access to the physical servers.
• Risk reduction: in the event of a data breach or unauthorised access, encrypted financial data remains unreadable without the appropriate encryption keys. This control protects sensitive financial information from being exploited.
MFA:
• Implementation: enforce MFA for access to financial data on critical systems, including servers and financial software applications.
• Relevance to network design: integrate MFA at the entry points to critical servers and financial software within the network. This can be applied to user consoles accessing financial data and to administrative interfaces (Kubizňák et al. 2019).
• Risk reduction: MFA adds an extra layer of verification, requiring users to provide multiple forms of identification. Even if login credentials are compromised, unauthorised access is significantly hindered, reducing the risk of unauthorised access to financial data.
Firewalls:
• Implementation: deploy firewalls to separate the network zones, in particular isolating the server hosting financial data from less critical zones.
• Relevance to network design: place firewalls at the network perimeter and between the different segments, enforcing strict access control policies for traffic to and from the server hosting financial data.
• Risk reduction: firewalls act as a barrier between the financial data server and potential external threats. They monitor and control incoming and outgoing network traffic, preventing unauthorised access and mitigating the risk of external attacks targeting financial data.
Disadvantages for users:
Encryption: users may experience a slight delay in data access and processing because of the overhead associated with encryption and decryption. However, the trade-off between performance and security is necessary to adequately protect sensitive financial information (Alzahrani et al. 2021).
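The encryption recommended for cloud backups (section 4.2.2) and for financial data at rest (this section) can be shown concretely. The following is an added example and not the report's own code; it uses AES-256-GCM from the third-party cryptography library, which is assumed to be installed. The key is generated and kept on-premises, each object is encrypted before upload, and any modification of the stored blob, or an attempt to decrypt it under a different object name, is rejected at decryption time rather than producing silently corrupted data. The object names and backup content are constructed.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM; fresh per object


def generate_key():
    """A 256-bit key. It stays on-premises (e.g. in a local key store) and is never
    uploaded alongside the backups; losing it means losing the backups."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_for_cloud(plaintext, key, object_name):
    """Encrypt a backup blob before upload. The object name is bound in as
    associated data, so a ciphertext moved to a different object name in the
    bucket will not decrypt under that name."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, object_name.encode())
    return nonce + ciphertext  # the nonce is not secret and is stored with the data


def decrypt_from_cloud(blob, key, object_name):
    """Inverse of encrypt_for_cloud; raises InvalidTag if the blob or name was altered."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, object_name.encode())


def tamper_detected(blob, key, object_name):
    """True if decryption refuses the blob (modified ciphertext or wrong object name)."""
    try:
        decrypt_from_cloud(blob, key, object_name)
        return False
    except InvalidTag:
        return True


def roundtrip_demo():
    """Encrypt a constructed backup, restore it, then show two failure cases."""
    key = generate_key()
    backup = b"sales,2024-05-01,1234.50\ncustomer,Alice,alice@example.com\n"  # constructed
    name = "backups/2024-05-01.tar"
    blob = encrypt_for_cloud(backup, key, name)
    restored = decrypt_from_cloud(blob, key, name)
    corrupted = bytearray(blob)
    corrupted[-1] ^= 0x01  # one flipped bit, as a damaged or altered upload would have
    return (
        restored == backup,                              # faithful restore
        backup not in blob,                              # nothing readable leaves the site
        tamper_detected(bytes(corrupted), key, name),    # modified blob is rejected
        tamper_detected(blob, key, "backups/other.tar"), # renamed object is rejected
    )


if __name__ == "__main__":
    print(roundtrip_demo())
```

Whichever backup tool is chosen, the property to look for is the same as here: the provider only ever receives ciphertext, and the key that can reverse it lives in the company's own network.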
Multi-Factor Authentication (MFA):
Initial setup and adaptation to MFA may be a slight inconvenience for users, requiring them to go through extra steps during the login process. However, the enhanced security outweighs the minor inconvenience.
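As an added example of how the MFA step verifies the second factor, the following standard-library implementation of time-based one-time passwords (RFC 6238 built on RFC 4226 HOTP) checks a submitted code against the current 30-second step, tolerates one step of clock drift either way, and refuses a code whose time step has already been consumed, so a captured code cannot be replayed. This is not the report's code; the secret is the RFC 6238 test-vector secret and the time values are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # time step in seconds (RFC 6238 default)
DIGITS = 6    # code length shown to the user
WINDOW = 1    # accept one step either side of "now" to tolerate clock drift


def secret_from_base32(text):
    """Authenticator apps enrol a base32 secret (the QR code payload); decode it."""
    return base64.b32decode(text.strip().replace(" ", "").upper())


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, last_used_step=None):
    """Return (ok, step). `last_used_step` is the step of the last accepted code for
    this user; any step at or before it is refused, which blocks replay of a code
    that was captured and resubmitted within the drift window."""
    now = time.time() if at_time is None else at_time
    current = int(now) // STEP
    for delta in range(-WINDOW, WINDOW + 1):
        step = current + delta
        if last_used_step is not None and step <= last_used_step:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, constructed input
    print("code at t=59:", totp(secret, 59))
    print("verify:", verify_totp(secret, totp(secret, 59), at_time=59))
```

On the server the verifier also needs to persist `last_used_step` per user after each successful login; without that, a code observed over someone's shoulder remains valid for up to 90 seconds under this window.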
Firewalls:
Strict access controls enforced by firewalls may limit some users' flexibility in accessing financial data from certain locations or devices. However, these restrictions are essential to maintaining a secure environment for critical financial information.
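The segmentation policy described above can be written down as an ordered, first-match, default-deny rule set and exercised before it is configured on the firewall, which makes rule-order mistakes visible early. The following Python is an added example, not from the report: the three subnets come from the address allocation in section 4.1.1, while the placement of the finance server and the camera recorder (NVR) on the office subnet, their addresses and the port numbers are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the address allocation in section 4.1.1.
ZONES = {
    "dining": ipaddress.ip_network("192.168.1.0/24"),
    "office": ipaddress.ip_network("192.168.2.0/24"),
    "cameras": ipaddress.ip_network("192.168.3.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
# Hypothetical host placements, assumed for this example only.
FINANCE_SERVER = ipaddress.ip_network("192.168.2.10/32")
NVR_SERVER = ipaddress.ip_network("192.168.2.20/32")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port
    proto: str = "any"               # "tcp", "udp" or "any"


# Ordered rule set: the first matching rule decides; anything unmatched is denied.
POLICY = [
    Rule("allow", ZONES["cameras"], NVR_SERVER, 554, "tcp"),    # camera RTSP streams to the recorder
    Rule("deny", ZONES["cameras"], ANY),                          # cameras may reach nothing else
    Rule("allow", ZONES["office"], FINANCE_SERVER, 443, "tcp"),   # finance application over HTTPS only
    Rule("deny", ZONES["dining"], ZONES["office"]),               # dining floor cannot reach the office segment
]


def evaluate(policy, src_ip, dst_ip, dport, proto="tcp"):
    """Decide one flow: walk the rules in order, first match wins, default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (src in rule.src and dst in rule.dst
                and rule.proto in ("any", proto)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


def open_ports(policy, src_ip, dst_ip, ports, proto="tcp"):
    """Which of the given ports a source host may reach on a destination. Useful as a
    pre-deployment audit of exactly what each segment is allowed to touch."""
    return [p for p in ports if evaluate(policy, src_ip, dst_ip, p, proto) == "allow"]


COMMON_PORTS = (22, 80, 443, 445, 554, 3389)

if __name__ == "__main__":
    target = str(FINANCE_SERVER.network_address)
    for zone, net in ZONES.items():
        probe = str(net[5])  # an arbitrary host inside the segment
        print(f"{zone:8} -> finance server: {open_ports(POLICY, probe, target, COMMON_PORTS)}")
```

The audit loop at the bottom is the check worth keeping: for each segment it lists the ports that can reach the finance server, so the expected result (only the office segment, only port 443) is confirmed rather than assumed. Swapping the first two camera rules shows why order matters: the deny-all would then shadow the RTSP allow and the cameras would stop recording.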
Project Plan:
The project plan encompasses various stages, ensuring a systematic and successful implementation:
Define Requirements:
● Collaborate with stakeholders to gather and understand network requirements, including capacity, coverage, and security considerations.
Design Network:
● Develop comprehensive network diagrams using diagrams.net, incorporating VLANs for different segments.
● Determine IP addressing schemes and allocate subnets based on the provided guidelines.
Implement WiFi:
● Deploy access points strategically to meet coverage requirements.
● Configure SSIDs, security settings, and QoS parameters for optimized performance.
Test and Optimize:
● Conduct thorough testing of WiFi networks, ensuring seamless connectivity and performance.
● Optimize configurations for better efficiency and user experience.
References
Alzahrani, A.O. 2021, "Designing a Network Intrusion Detection System Based on Machine Learning for Software Defined Networks", Future Internet, vol. 13, no. 5, pp. 111.
Farhan, A.K., Azana Hafizah, M.A., Hassan, R. & Nisar, K. 2022, "A Survey on Information-Centric Networking with Cloud Internet of Things and Artificial Intelligence", Wireless Communications & Mobile Computing (Online), vol. 2022.
Hombalimath, A., Mangla, N. & Balodi, A. 2023, "Designing A Permissioned Blockchain Network for the Insurance Claim Process Using Hyperledger Fabric and Composer", Informatica, vol. 47, no. 3, pp. 393-416.
Krishnan, P., Jain, K., Aldweesh, A., Prabu, P. & Buyya, R. 2023, "OpenStackDP: a scalable network security framework for SDN-based OpenStack cloud infrastructure", Journal of Cloud Computing, vol. 12, no. 1, pp. 26.
Kubizňák, P., Hochachka, W.M., Osoba, V., Kotek, T., Kuchař, J., Klapetek, V., Hradcová, K., Růžička, J. & Zárybnická, M. 2019, "Designing network‐connected systems for ecological research and education", Ecosphere, vol. 10, no. 6.
Nkenyereye, L., Nkenyereye, L. & Jang, J.-W. 2023, "Convergence of Software-Defined Vehicular Cloud and 5G Enabling Technologies: A Survey", Electronics, vol. 12, no. 9, pp. 2066.
Saeed, F., Hussain, M., Aboalsamh, H.A., Adel, F.A. & Adi Mohammed, A.O. 2023, "Designing the Architecture of a Convolutional Neural Network Automatically for Diabetic Retinopathy Diagnosis", Mathematics, vol. 11, no. 2, pp. 307.