Secure System Design

Description

task 1


Security Analysis (total 20%)

Identification of suitable design weakness
Appropriate diagram snippet
Explanation of suitable design weakness

task 2

System Design Report (total 75%)

Financial Breakdown
Logical Diagram
Logical Explanation
Physical Diagram
Physical Explanation
Service Implementation

Quality of report (total 5%)

Professionalism of report
Use of references

1. The assignment contains all the details and requirements you have to work to, including the two diagrams that have the weaknesses, attached.

2. The attached lecture explains how to create the physical and logical network diagrams as our doctor requires; the attached lab also has the link to the tool for drawing the network. The lecture is very important, please refer to it.

https://app.diagrams.net/



School of Computing & Data Science
Coursework Title: Secure System Design
Module Name: Secure Systems
Module Code: 7542CYQR
Level: 7
Credit Rating: 20
Weighting: 40%
Maximum mark available: 100
Lecturer: Dr Ali Baydoun
Contact: If you have any issues with this coursework, you may contact your lecturer. Email: [email protected]
Hand-out Date: 04/02/2024
Hand-in Date: 04/03/2024
Hand-in Method: Canvas
Feedback Date: TBD
Feedback Method: Canvas
Programmes: MSc Cyber Security
Introduction
In this scenario, E-Tat Marketplace is a startup company providing a digital marketplace for preowned goods. The usage of the platform has increased significantly, so they are looking to invest in
a larger and more secure network. They have hired you as a security consultant to design them a new
secure network from scratch. However, you are constrained to using their approved hardware and
staying within budget.
Learning Outcome to be assessed
1. Display critical awareness of the relationship between theoretical and practical security
concepts and their implementation.
Detail of the task
This assignment requires you to interpret the criteria and produce a secure network design, which
meets the company’s criteria. Your work should be presented as a professional report to give to the
company; the quality, presentation and writing of this report will be assessed. This is an individual
assignment and all designs, diagrams and explanations should be your own work. Although you are
strongly advised to undertake additional research, the use of credible academic resources should
only be used to strengthen/support your own work. Your report should use either the Harvard or
IEEE referencing style.
Task 1
The current logical and physical network designs for E-Tat Marketplace’s network are available on
Canvas. You are required to carefully analyse these designs and identify and explain five security
weaknesses within this design. For each weakness, you need to include the following:
• A snippet of the respective network design (annotations are encouraged) demonstrating the
area of the design being discussed.
• A detailed explanation of the issue.
• A detailed explanation of the potential impacts.
Task 2
E-Tat Marketplace has asked you to design a new network from scratch for their business. This new
design should be based on the provided requirements ONLY (no inclusion of existing components is
required). You are to create a secure and resilient network design, and document this in a
technically detailed, and professional report. The design can only utilise the approved hardware
listed in Table 1, it must fulfil all of the service requirements shown in Table 2 and provide 10 PCs
for staff to use. The cost must be within the company’s budget of £100,000.
Table 1. E-Tat Marketplace’s Equipment List (individual device – cost)
Storage server, 250 GB – £2600
Storage server, 500 GB – £3700
Storage server, 750 GB – £4300
Storage server, 1000 GB – £5100
Compute server, 1 CPU – £2600
Compute server, 2 CPUs – £3700
Compute server, 4 CPUs – £4300
Compute server, 8 CPUs – £5100
Load balancer – £600
Desktop PC – £420
8 port switch – £90
16 port switch – £200
24 port switch – £350
Security gateway – £130
Network Anti-Virus – £750
Firewall – £110
Router – £170
IDS – £250
IPS – £300
Table 2. Overview of Required Services
Columns: Service – Required CPU Capacity – Required Storage Capacity (GB) – Accessed Externally – Notes
Selling Web App – 16 – 0 – Y – All data is stored on DB
Buying Web App – 16 – 0 – Y – All data is stored on DB
Admin Web App – 2 – 0 – N – Staff only, local application
Payment Gateway – 8 – 200 – Y
SMTP – 2 – 100 – N
CRM Web App – 4 – 100 – N – Staff only, local application
DB – 10 – 500 – N
SIEM – 4 – 10 – N – Staff only, local application
VPN – 2 – 0 – Y – Only allows access to CRM and SIEM
Active Directory – 2 – 0 – N – Serves in DS and LDS roles
Backup – 1 – 500 – N
The following assumptions should be made in the development of your design:
• 2 ISP uplinks have been installed from different providers.
• All necessary infrastructure hardware is in place e.g. CAT6 cabling, network wall jacks.
• Externally hosting any service is not permitted.
• Each server has a dual network interface card.
• Any OS licence is included in the costs shown in Table 1.
• Only software included with the OS as standard, or open source software may be used.
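The budget, the approved hardware list and the service table together define a set of constraints that a design either meets or breaks, and a report's financial breakdown is easiest to get right when it is computed rather than typed. The following Python script is an added worked example, not part of the coursework brief or the module's materials: it costs a candidate bill of materials against the unit prices in Table 1, totals the CPU and storage demanded by Table 2, and lists which of the brief's constraints (budget, capacity, 10 staff PCs, approved hardware only) the design violates. The prices, service requirements, £100,000 budget and PC count are taken from the brief above; SAMPLE_DESIGN is a constructed illustration of the input format, not a recommended answer.

```python
"""Bill-of-materials check for a Task 2 network design (added example).

Unit costs (Table 1), service requirements (Table 2), the GBP 100,000 budget
and the 10-PC requirement are taken from the brief; SAMPLE_DESIGN is a
constructed illustration of the checker's input, not a recommended answer.
"""

BUDGET_GBP = 100_000
REQUIRED_PCS = 10

# Table 1: approved hardware and unit cost in GBP.
EQUIPMENT = {
    "storage server 250 GB": 2600, "storage server 500 GB": 3700,
    "storage server 750 GB": 4300, "storage server 1000 GB": 5100,
    "compute server 1 CPU": 2600, "compute server 2 CPUs": 3700,
    "compute server 4 CPUs": 4300, "compute server 8 CPUs": 5100,
    "load balancer": 600, "desktop PC": 420,
    "8 port switch": 90, "16 port switch": 200, "24 port switch": 350,
    "security gateway": 130, "network anti-virus": 750, "firewall": 110,
    "router": 170, "IDS": 250, "IPS": 300,
}

# Capacity that each server model contributes to the pool.
CPUS_PER_ITEM = {"compute server 1 CPU": 1, "compute server 2 CPUs": 2,
                 "compute server 4 CPUs": 4, "compute server 8 CPUs": 8}
STORAGE_GB_PER_ITEM = {"storage server 250 GB": 250, "storage server 500 GB": 500,
                       "storage server 750 GB": 750, "storage server 1000 GB": 1000}

# Table 2: service -> (required CPU capacity, required storage capacity in GB).
SERVICES = {
    "Selling Web App": (16, 0), "Buying Web App": (16, 0), "Admin Web App": (2, 0),
    "Payment Gateway": (8, 200), "SMTP": (2, 100), "CRM Web App": (4, 100),
    "DB": (10, 500), "SIEM": (4, 10), "VPN": (2, 0), "Active Directory": (2, 0),
    "Backup": (1, 500),
}


def required_capacity(services=SERVICES):
    """Total CPU and storage that the services in Table 2 demand."""
    cpus = sum(cpu for cpu, _ in services.values())
    storage = sum(gb for _, gb in services.values())
    return cpus, storage


def evaluate_design(design):
    """Cost a design (item -> quantity) and list the brief's constraints it breaks."""
    unknown = sorted(item for item in design if item not in EQUIPMENT)
    if unknown:  # only hardware from Table 1 may be used
        raise ValueError(f"not on the approved hardware list: {unknown}")
    total = sum(EQUIPMENT[item] * qty for item, qty in design.items())
    cpus = sum(CPUS_PER_ITEM.get(item, 0) * qty for item, qty in design.items())
    storage = sum(STORAGE_GB_PER_ITEM.get(item, 0) * qty for item, qty in design.items())
    pcs = design.get("desktop PC", 0)
    need_cpus, need_storage = required_capacity()

    problems = []
    if total > BUDGET_GBP:
        problems.append(f"over budget: GBP {total} > GBP {BUDGET_GBP}")
    if cpus < need_cpus:
        problems.append(f"CPU shortfall: {cpus} provided, {need_cpus} required")
    if storage < need_storage:
        problems.append(f"storage shortfall: {storage} GB provided, {need_storage} GB required")
    if pcs < REQUIRED_PCS:
        problems.append(f"only {pcs} staff PCs, {REQUIRED_PCS} required")
    return {"total_gbp": total, "cpus": cpus, "storage_gb": storage, "problems": problems}


def breakdown_lines(design):
    """Per-item lines for the report's financial breakdown, followed by the total."""
    lines = [f"{qty:>3} x {item:<24} @ GBP {EQUIPMENT[item]:>5} = GBP {EQUIPMENT[item] * qty:>6}"
             for item, qty in design.items()]
    lines.append(f"{'total':>46} = GBP {evaluate_design(design)['total_gbp']:>6}")
    return lines


# Constructed candidate design (illustration only): nine 8-CPU compute servers
# as a virtualisation pool, two storage servers, 10 staff PCs and paired
# perimeter devices, one per ISP uplink.
SAMPLE_DESIGN = {
    "compute server 8 CPUs": 9, "storage server 1000 GB": 1, "storage server 500 GB": 1,
    "desktop PC": 10, "router": 2, "firewall": 2, "load balancer": 2,
    "24 port switch": 2, "8 port switch": 1, "IDS": 1, "IPS": 1,
    "network anti-virus": 1, "security gateway": 1,
}

if __name__ == "__main__":
    print("\n".join(breakdown_lines(SAMPLE_DESIGN)))
    result = evaluate_design(SAMPLE_DESIGN)
    print(result["problems"] or "design satisfies budget, capacity and PC constraints")
```

The checker deliberately keeps raw CPU and storage totals rather than modelling how services are placed on servers; that placement (standalone, co-located or virtualised) is the Services section of the report, and the totals only tell you whether enough capacity was bought.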
Your professional report should be both detailed and technical, and must contain the following:
• Design Overview
▪ Explanation of the design principles followed.
▪ Explanation of the network security considerations integrated into the design.
▪ A financial breakdown of the design proposed.
• Physical Network Design
▪ Technical illustration of proposed physical network design
▪ Descriptions of the design/decision made
• Logical Network Design
▪ Technical illustration of proposed logical network design
▪ Descriptions of the design/decision made
• Services
▪ How each service will be deployed (e.g. standalone, co-located, virtualised)
▪ A recommendation of the software used to implement the services
• References
What you should hand in
You must submit a professional report in .doc/docx format via the Canvas handler.
Marking Scheme/Assessment Criteria
Task 1 – Security Analysis (total 20%)
• Identification of suitable design weakness (x4) – 1% each
• Appropriate diagram snippet (x4) – 1% each
• Explanation of suitable design weakness (x4) – 3% each
Task 2 – System Design Report (total 75%)
• Financial Breakdown – 5%
• Logical Diagram – 25%
• Logical Explanation – 5%
• Physical Diagram – 20%
• Physical Explanation – 5%
• Service Implementation – 15%
Quality of report (total 5%)
• Professionalism of report – 3%
• Use of references – 2%
Assessment Rubric (grades: Poor / Average / Good / Excellent)

Task 1 – Identification of weakness
Poor: Element is missing, misunderstood or incoherent. Weakness is unsuitable.
Average: Weakness is identified at a basic level but lacks sufficient terminology and technical detail.
Good: Weakness is identified but some important details are missing.
Excellent: Weakness is clearly identified using appropriate terminology and technical detail.

Task 1 – Appropriate Diagram Snippet
Poor: Snippet(s) missing or element is misunderstood.
Average: Snippet(s) included but key parts of the design are omitted.
Good: Appropriate snippet(s) included featuring all necessary design parts.
Excellent: Appropriate snippet(s) included with annotations.

Task 1 – Weakness Explanation
Poor: Element is missing, misunderstood or incoherent.
Average: A basic explanation is given but it lacks technical depth.
Good: Detailed explanation given but no impact metrics/discussion provided.
Excellent: Detailed explanation of weakness and its impact.

Task 2 – Financial Breakdown
Poor: Element is missing, misunderstood or incoherent. Costs are missing or incorrect, or the total is incorrectly summed.
Average: Breakdown is not clear or quantities missing.
Good: Breakdown lacks sufficient depth (e.g. grouping dissimilar components together).
Excellent: Accurate and clear breakdown provided.

Task 2 – Logical Diagram
Poor: Element is missing, misunderstood or incoherent.
Average: Diagram is missing several important design or diagrammatic elements, or is not a proper physical diagram.
Good: Diagram is suitable but is missing several components and/or includes unauthorised components, or design elements are flawed.
Excellent: Diagram is appropriate and includes the required components but there may be some minor issues.

Task 2 – Logical Explanation
Poor: Element is missing, misunderstood or incoherent.
Average: Explanation provided is a self-evident walk through of the diagram.
Good: Explanation covers the design decisions and justifies the choices made.
Excellent: Detailed explanation covering the design decisions and clearly outlines underlying theory and/or principles involved.

Task 2 – Physical Diagram
Poor: Element is missing, misunderstood or incoherent.
Average: Diagram is missing several important design or diagrammatic elements, or is not a proper physical diagram.
Good: Diagram is suitable but is missing several components and/or includes unauthorised components, or design elements are flawed.
Excellent: Diagram is appropriate and includes the required components but there may be some minor issues.

Task 2 – Physical Explanation
Poor: Element is missing, misunderstood or incoherent.
Average: Explanation provided is a self-evident walk through of the diagram.
Good: Explanation covers the design decisions and justifies the choices made.
Excellent: Detailed explanation covering the design decisions and clearly outlines underlying theory and/or principles involved.

Task 2 – Service Implementation
Poor: Element is missing, misunderstood or incoherent.
Average: Software is suggested with no explanation or justification. Vague or no deployment information is provided.
Good: Suitable software is recommended with an explanation, but justifications are poor. Some deployment information provided but it lacks clear justification.
Excellent: Well written answer with suitable and justified software and deployment information.

Professionalism
Poor: Report is basic and offers no professional qualities. Quality of writing is poor.
Average: Report offers some basic structuring but there is scope for improvement. Quality of writing is satisfactory.
Good: Report provides a cover page, contents page and professional styling. There are some minor areas for improvement. Quality of writing is good but there are several minor issues.
Excellent: Report provides a cover page, contents page and styling is of professional quality. Quality of writing is very good.

Referencing
Poor: Element is missing, misunderstood or incoherent.
Average: Referencing style has not been correctly used.
Good: Insufficient reference quantity or quality.
Excellent: Good use of referencing throughout.
Extenuating Circumstances
If something serious happens that means that you will not be able to complete this assignment, you
need to contact the module leader as soon as possible. There are a number of things that can be
done to help, such as extensions, waivers and alternative assessments, but we can only arrange this
if you tell us. To ensure that the system is not abused, you will need to provide some evidence of the
problem.
More guidance is available at: https://www.ljmu.ac.uk/about-us/publicinformation/studentregulations/guidance-policy-and-process
Any coursework submitted late without the prior agreement of the module leader will receive 0
marks.
Academic Misconduct
The University defines Academic Misconduct as ‘any case of deliberate, premeditated cheating,
collusion, plagiarism or falsification of information, in an attempt to deceive and gain an unfair
advantage in assessment’. This includes attempting to gain marks as part of a team without making
a contribution. The Faculty takes Academic Misconduct very seriously and any suspected cases will
be investigated through the University’s standard policy (https://www.ljmu.ac.uk/aboutus/publicinformation/student-regulations/academic-misconduct). If you are found guilty, you may
be expelled from the University with no award.
It is your responsibility to ensure that you understand what constitutes Academic Misconduct
and to ensure that you do not break the rules. If you are unclear about what is required, please
ask.
For more information you are directed to the following University web pages:
• Information regarding academic misconduct: https://www.ljmu.ac.uk/about-us/public-information/student-regulations/academicmisconduct
• Information on study skills: https://www.ljmu.ac.uk/microsites/library/skills-ljmu
• Information regarding referencing: https://www.ljmu.ac.uk/microsites/library/skills-ljmu/referencing-and-endnote
E-Tat Marketplace: Logical Network Design v1.3
[Diagram transcribed; zone labels, device names and addresses are as shown on the drawing, connections are not recoverable from the text]
Internet
Infrastructure devices shown: Firewall 1, Load Balancer 1, Router 1, Switch 1, Firewall 2, Switch 2, IPS
DMZ – 192.168.1.0/24 VLAN 10
  Web Servers: Web 1 – 192.168.1.10; Web 2 – 192.168.1.11; Web 3 – 192.168.1.12
Critical Data Zone – 192.168.1.0/24 VLAN 10
  Servers: DB1 – 192.168.1.13; DB2 – 192.168.1.14; FTP – 192.168.1.15
LAN – 192.168.1.0/24 VLAN 20
  PCs: Admin PC 1 – 192.168.1.90; Admin PC 2 – 192.168.1.91
  Servers: AD – 192.168.1.16; Mail – 192.168.1.17; Print – 192.168.1.18
  Printers: Net. Printer 1 – 192.168.1.30; Net. Printer 2 – 192.168.1.31; Net. Printer 3 – 192.168.1.32
E-Tat Marketplace: Physical Network Design v1.3
[Diagram transcribed; device names are as shown on the drawing, connections are not recoverable from the text]
Zones labelled: DMZ, Critical Data Zone, LAN
Devices shown: Internet, IPS, Firewall 1, Router 1, Load Balancer 1, Switch 1, Web Server 1, Web Server 2, Web Server 3, DB Server 1, DB Server 2, FTP Server, Firewall 2, Switch 2, Mail Server, Active Directory, Print Server, Network Printer 1, Network Printer 2, Network Printer 3, Admin PC 1, Admin PC 2
7542CYQR Secure Systems
Module Leader:
Dr. Ali Baydoun
[email protected]
Class Times:
Wednesday: 5:00 PM till 6:00 PM – Lecture
6:00 PM till 8:00 PM – Lab
Lecture 02
Secure System Design & Topologies
Timetable
Week 1
Introduction & Concepts of Securing Systems
Week 2
Secure System Design & Topologies
Week 3
Network Security Technologies
Week 4
Secure System Administration
Week 5
Secure Configuration of Common Servers
Week 6
Enterprise Access Control & Authentication
Week 7
Automated Configuration & Deployment
Week 8
Security Monitoring & Analysis
Week 9
Patching & Vulnerability Management
Week 10
Application Security
Week 11
Revision
In this session…
• In this session, we will discuss:
• Design
• Technologies
• Topologies
Physical Designs
➢ Physical Design
▪ Physical devices and connections that make up the network
▪ Maps physical network infrastructure
▪ Representation of hardware quantity, type and physical location
• Must include ALL hardware
• Should not reference vendors/part numbers
• Keep it generic e.g. firewall, web server
• Vendors update products often, so the latest products should always be
assessed
Physical Designs Diagram
Logical Designs
• Logical
• Software-based “layer” of network – i.e. partitions, segments and connections
• High-level overview of data passing through the network
• Should be able to trace traffic and identify different zones it will pass through
• e.g. customer, employee or guest zones
• Should not specify hardware location, quantities or types
• Design should be generic
• Any site can be built using the same design
• Designs should be versioned
Logical Designs Diagram
What Diagram is this?
What Diagram is this?
How to Design a secure Network?
Not a rigid process – the following are guiding steps
1) Identify requirements
• Organisational – e.g. cut costs, improve user experience
• Technical/Functional – e.g. required apps
• Security – e.g. system X can’t access service Y
2) Identify constraints
• Financial – e.g. budget
• Technical – e.g. Specific software/hardware, incompatible software
3) Examine current network
• Most cases you’re not starting from scratch
How to Design a Network. cont.
4) Asset Classification
• Identify functional/security value of systems/assets
5) Functional & security grouping
• Group assets based on the similarity of functional requirements
• Sub-group assets based on similarity of security requirements/goals
6) Segment network based on groupings
• More on this shortly…
7) Identify appropriate security controls (like firewalls, …)
Network Design Best Practices
▪ Maximise:
• Performance
• Reliability
• Security
▪ Ensure:
• Modifiability
• Maintainability
• Scalability
• Security
▪ Security must be built into the design from outset!
Zero Trust Network (ZTN)
▪ Networks are built on 4 bases:
• Network always assumed to be hostile (pessimistic)
• Assume that External & internal threats exist on the network at all times
• Every device, user and network flow is authenticated & authorised
• Policies must be dynamic and calculated from as many sources as possible
Secure Design: Decoupling State
• Avoid storing software and data on a single machine
• Failure makes the whole machine useless
• Separating out functions makes it easier to recover
• Single function is much easier to backup/restore
• Separating helps minimise the human use of systems
• A single system has less scope for human mistakes & less impact of such mistakes
• Larger system has more scope and greater impact
Design: Isolating State
[Figure: two layouts]
Left: both the web server and the database on one machine – imagine what will happen if the machine failed?
Right: here, we separate them and put them on two different machines – isolating/decoupling is an important design fact.
Components: Web-facing Systems
• Most exposed part of the network
• Main attack surface and entry point
• Subjected to interaction with the “unknown”
• Give off impressions…attackers as well as customers
• Need to be tightly controlled:
• Update schedules
• Access permissions
• Permitted operations
Components: Sensitive/Critical Systems
• Most vital to the business
• Loss/destruction could be catastrophic…think Yahoo!
• Maximum level of scrutiny, and protection
• Utilise secure back-end/internal communications here too
• Encryption
• TLS (an updated version of SSL)
• IPSec (it is a protocol used to set up encrypted connections between two devices – it is often used in VPN)
Using secure communication is as important on an internal part of the network as it is on the external
part of the network – think about if the attacker is inside your network.
Components: Administrative Systems
• Administration/management systems are typically hidden from external
systems
• Should be treated equally as valuable as critical systems
• Should use traffic encryption and highly stringent access control,
authentication and authorisation
• Such systems are usually responsible for:
• Authentication e.g. Active Directory
• Authorisation
• Security/maintenance patches
• Policy control
Components: Infrastructure
• Infrastructure is a critical part of any network
• Often overlooked in terms of security
• Some of these devices can be the first point of connection e.g. border
routers
• Myth that hardware devices are immune to vulnerabilities – look at Cisco!
• Infrastructure systems can be vulnerable too
• Routers
• Switches
• DNS servers
2. Recap: OSI Model
Network Segmentation
Network Segmentation
▪ Division of a network into smaller sub-networks/ different zones
• A.K.A. Network segregation, network partitioning
• Security is the most common reason
• Divide the network based on security risk and/or asset value
• Implement security controls per segment
Micro-segmentation
• Partitioning of a network into separate segments/ zones
• Remain on the same network (but they are treated as a separate areas)
• New segments are created when a resource requires goals (security)
differing from the rest of the environment or other segments
• Forces attacks/traffic to cross trust boundaries, where traffic can be
captured/analysed in more detail
• Combats data loss in the event of an attack – controls what can leave the segment
• Contains compromised systems and attackers within a segment – prevents spreading
and further damage so fewer parts of the business are affected
Microsegmentation. Cont.
[Figures]
o What is the design fault here?
Segmentation: Technologies
How do we implement Network Segmentation?
1. DMZ
2. Virtual LAN(VLAN)
3. Subnet
4. Virtualisation: VMs
5. Virtualisation: Containers
6. Network Access Control (NAC)
How do we implement Network Segmentation?
• How can a network be segmented?
1. Isolation
• Physical (separate network components physically, e.g. use different cables, routers, etc.)
• Logical (e.g. VLAN or subnet – this allows you to segment part of the network)
• Technological (VMs, containers and Network Access Control (NAC))
2. Demilitarised Zone (DMZ)
3. Access control/Firewall (uses access control combined with firewalls; this helps you segment different areas of the network – you have to have different permissions in order to pass through to the network)
Subnets
• Subnetwork (subnet) is a logical subcomponent of a network (a smaller network within a larger network)
• Traffic is exchanged through subnets via routers when the prefixes differ
• Router serves as physical/logical boundary between subnets
Subnets. Cont.
• Commonly used for:
• DMZ
• Internal networks
• Separating high-speed networks e.g. backup
• Most networks use subnets to isolate security zones
• Should be achieved using separate devices rather than VLANs
• Ensures network traffic only passes through networks using access controlled paths
What is the difference between Subnet and VLAN then??
3.2 Virtual LAN (VLAN)
• A technique used to isolate network segments at data link layer
• Each Packet is tagged with VLAN identification
• Works on switches/routers and some enterprise Access Points (APs)
• Separates devices without requiring extra cabling/devices
• Broadcast traffic affects VLAN size
• General rule 400 hosts per segment (VLAN)
• Uplink speed affects VLAN size
• E.g. 100 hosts with 10 Mbps traffic each, uplink must be at least 1 Gbps
• Each VLAN should ideally contain a separate subnet (only one subnet per
VLAN)
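The rules stated above (subnets are used to isolate security zones, and each VLAN should carry exactly one subnet) can be checked mechanically against a logical design. The following Python script is an added example, not part of the lecture materials: it applies those rules to the E-Tat Marketplace logical network design v1.3 reproduced earlier on this page (zone membership taken from the diagram labels: web servers in the DMZ, DB and FTP in the Critical Data Zone, the remaining servers, printers and PCs in the LAN) and to SEGMENTED_DESIGN, a constructed design with made-up 10.0.x.0/24 addressing that satisfies the rules.

```python
"""Segmentation lint for a logical network design (added example).

Rules checked, from the lecture: separate security zones should not share
a VLAN or a subnet, each VLAN should carry exactly one subnet, each subnet
should live in exactly one VLAN, and every host must sit inside its zone's
subnet. LOGICAL_DESIGN_V1_3 is transcribed from the E-Tat Marketplace
diagram on this page; SEGMENTED_DESIGN is constructed for comparison.
"""
import ipaddress
from collections import defaultdict

# zone -> (VLAN id, subnet, [(host, ip), ...])
LOGICAL_DESIGN_V1_3 = {
    "DMZ": (10, "192.168.1.0/24", [
        ("Web 1", "192.168.1.10"), ("Web 2", "192.168.1.11"), ("Web 3", "192.168.1.12")]),
    "Critical Data Zone": (10, "192.168.1.0/24", [
        ("DB1", "192.168.1.13"), ("DB2", "192.168.1.14"), ("FTP", "192.168.1.15")]),
    "LAN": (20, "192.168.1.0/24", [
        ("AD", "192.168.1.16"), ("Mail", "192.168.1.17"), ("Print", "192.168.1.18"),
        ("Net. Printer 1", "192.168.1.30"), ("Net. Printer 2", "192.168.1.31"),
        ("Net. Printer 3", "192.168.1.32"),
        ("Admin PC 1", "192.168.1.90"), ("Admin PC 2", "192.168.1.91")]),
}

# Constructed counter-example: one VLAN and one subnet per zone (made-up addressing).
SEGMENTED_DESIGN = {
    "DMZ": (10, "10.0.10.0/24", [("Web 1", "10.0.10.10")]),
    "Critical Data Zone": (20, "10.0.20.0/24", [("DB1", "10.0.20.10")]),
    "LAN": (30, "10.0.30.0/24", [("AD", "10.0.30.10")]),
}


def lint(design):
    """Return a list of (rule, detail) findings; an empty list means the rules hold."""
    findings = []
    zones_by_vlan = defaultdict(set)
    zones_by_subnet = defaultdict(set)
    vlans_by_subnet = defaultdict(set)
    subnets_by_vlan = defaultdict(set)

    for zone, (vlan, subnet, hosts) in design.items():
        net = ipaddress.ip_network(subnet)
        zones_by_vlan[vlan].add(zone)
        zones_by_subnet[net].add(zone)
        vlans_by_subnet[net].add(vlan)
        subnets_by_vlan[vlan].add(net)
        for host, ip in hosts:
            if ipaddress.ip_address(ip) not in net:
                findings.append(("host-outside-subnet", f"{zone}: {host} ({ip}) is not in {net}"))

    # Zones are the unit of isolation, so a shared VLAN or subnet removes the boundary.
    for vlan, zones in zones_by_vlan.items():
        if len(zones) > 1:
            findings.append(("zones-share-vlan", f"VLAN {vlan} carries {sorted(zones)}"))
    for net, zones in zones_by_subnet.items():
        if len(zones) > 1:
            findings.append(("zones-share-subnet", f"{net} carries {sorted(zones)}"))
    # One subnet per VLAN, and one VLAN per subnet.
    for net, vlans in vlans_by_subnet.items():
        if len(vlans) > 1:
            findings.append(("subnet-spans-vlans", f"{net} is used in VLANs {sorted(vlans)}"))
    for vlan, nets in subnets_by_vlan.items():
        if len(nets) > 1:
            findings.append(("vlan-has-many-subnets",
                             f"VLAN {vlan} carries {sorted(map(str, nets))}"))
    return findings


if __name__ == "__main__":
    for name, design in (("v1.3", LOGICAL_DESIGN_V1_3), ("segmented", SEGMENTED_DESIGN)):
        print(name)
        for rule, detail in lint(design) or [("ok", "no rule violations")]:
            print(f"  {rule}: {detail}")
```

The lint only knows what the diagram states (VLAN ids, prefixes, host addresses); it cannot see firewall policy or trunk configuration, so a clean result means the addressing plan supports segmentation, not that the segmentation is enforced.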
3.2 Virtual LAN (VLAN). Cont.
[Figure: two VLAN layouts, each labelled Uplink]
3.2 Virtual LAN (VLAN). Cont.
• VLAN grouping strategies
• 1 big subnet (this is the worst approach)
• Office-layout
• E.g. Floor no (different floor different VLAN)
• All devices need to be at the same security level
• Security Levels (different devices have different security requirements – different security requirements, different VLAN)
• Environment (different business environment)
• E.g. Finance office, Administration, Research office, etc.
• Device Function
• E.g. Isolate IoT devices (poor security) and separate them from the rest of the network
3.3 VLAN Myths
• VLANs are NOT immune from security vulnerabilities!
• There are several e.g.:
• CAM Table Overflow
• Switches maintain CAM tables – map MACs to ports
• Table can usually only hold a fixed number of entries
• Once exceeded, traffic without a CAM entry is sent to all ports – essentially bypassing any security
mechanisms and isolation (VLANs).
• Switch spoofing
• VLAN connections between switches travel through trunks (which carry all VLANs)
• An attacker can pose as another router; using the correct trunking protocol they can see traffic
on all VLANs
3.3 VLAN Myths. Cont.
• VLANs DON’T add additional bandwidth
• VLANs will not affect the volume of traffic crossing switch backplane.
• VLAN is just a tag on the packet segmenting who sends what, where
DMZ
• Demilitarised Zone (DMZ)
• Isolated from the main network
• Usually houses externally-facing services linked to untrusted networks
• Ex: Apache faces internet
• Adds layer of security by quarantining the “at-risk” devices from the core
network
• Traffic can be examined based upon destination
DMZ. Cont.
[Figure: Single Firewall with DMZ; Dual Firewall with DMZ]
Virtualisation:(VMs)
• Abstraction of physical hardware through the hypervisor
• One physical machine can host multiple virtual machines
• Each VM contains a full OS, executables, code, libraries etc.
Virtualization: Containers
• Abstraction at an application level
• Standardised way of storing, transporting and running
applications and their dependencies.
• Encapsulates entire application :
• Code, runtime, system tools, system libraries and settings.
• Can be placed on any supported OS without
reconfiguration
Virtualization: Containers. Cont.
• Isolates software from underlying environment
• Works the same regardless of machines/software used e.g. development or user
• Many containers can run on the same machine and share the host OS kernel
• Consume less space than VMs
Difference between VMs & Containers
[Figure: left stack – Hardware / Hypervisor / VM1, VM2 … VM n; right stack – Hardware / Operating system / Container1/App1, Container2/App2 … Container n/App n]
Hypervisor: a software process that allows multiple VMs to run on top of the same shared hardware. It is responsible for creating these virtualised machines, i.e. for each of the components that make up our VM (processors, RAM, storage, network cards) – all of these are virtualised by the hypervisor.
Containers: despite the fact that they share the same operating system, it appears to each container as if it has its own operating system. What is installed in them is only the libraries, code, scripts and everything they need to run the application. We run all the containers side by side and they do not know about each other – think here about security.
Network Access Control (NAC)
• Technique/ method used to prevent any device from being plugged into the
network via a network port (there are many NAC products: e.g. Cisco ISE…)
• MAC
• Uses device MAC address to perform authorisation check (use the MAC address to verify if it is on the allowed list)
• Authentication
• User required to supply credentials in order to connect to the network (the device can only connect to the
network once you provide successful authentication)
• Certificate
• One-time verification and subsequent installation of a certificate.
WAN
• Most large-scale networks have assets that are located in different physical
places
• These are connected via long-distance network technologies. This
interconnection is referred to as a Wide Area Network (WAN)
• Different network topologies exist for connecting sites
WAN. Cont.
• Demarcation point – The boundary between the organisation’s network and
the provider’s network e.g. ISP
• This point signifies changes in:
• Security
• Trust
• Control
Virtual Private Network (VPN)
• Most common technology used in the implementation of a WAN topology
• Emulates direct network connection
• A remote connection that provides the same level of access/security as a direct
connection.
• Data is encapsulated with external routing headers to transmit across the internet
• Data is encrypted to ensure it remains secure
• Doesn’t require direct line/cabling
Site-to-Site VPN
• Allows network site to be
securely connected
• Traffic runs through tunnels to
transport over the internet
WAN Topologies
• Topologies are an important consideration for enterprises with multiple sites
[Figure: topologies drawn with Main Office, Region Hub and Remote Office (RO) nodes]
• Star (if the main office goes down, all the remote offices go down as well)
• Multi-star (better level of redundancy)
WAN Topologies. Cont.
[Figure: Remote Office nodes; Cloud Provider node]
• Ring
• Cloud (most popular; the administrator loses control)
Conclusion
• In this session, we’ve covered:
• Design
• Technologies
• Topologies
7542CYQR Secure Systems
Tutorial 2
Overview: In this tutorial, you will be familiarising yourself with some of the network
security concepts discussed in today’s lecture.
TASK 1 – Startup Cisco Packet Tracer
• Cisco’s Packet Tracer is a useful tool and I recommend you install it on your personal laptop. If you need the installation package, it is already uploaded onto Canvas (week 02) with some installation instructions. Please let your lecturer know if you still need help.
• Login to the computer lab PC using the password: lab123
• On the desktop, click and start Cisco Packet Tracer. Then use your Cisco account to login; if you do not have an account, sign up and create one.
TASK 2 – Network Simulation
In this task, we will be creating a VLAN, to show how communications can be logically separated
despite sharing the same physical connections.
• In the bottom corner of Packet Tracer, click on the Network Devices icon then select the Router icon.
• Drag this into the main window.
• Select the Switch icon (also in the Network Devices option).
• Drag the Switch into the main window.
• Select the End Devices icon, then the End Devices icon again, then select the PC icon.
• Drag the PC icon into the main window.
• Repeat this 3 additional times (to add 3 more PCs).
• Select the Connections icon, the Connections icon again and then select the black line icon.
• Click on the first PC and in the context popup, select the FastEthernet0 option.
• Then click on the Switch and in the context popup, select the FastEthernet0/2 option.
• Repeat the above steps for the rest of the PCs and select the next available port number on the switch (e.g. FastEthernet0/2, FastEthernet0/3).
• Select the black line again but this time, join the Switch GigabitEthernet0/1 to the Router GigabitEthernet0/1.
• Click on Router and a popup box should appear. In this popup box, select the Config tab and the GigabitEthernet0/1 button in the left pane.
• In the right pane, check the On checkbox, type “192.168.1.1” in the IP Address box, then select the Subnet Mask textbox, which will be automatically populated.
• Once completed, close the window.
• Click on the first PC and a different popup will appear.
• Select the Config tab and under the Gateway/DNS IPv4 group, enter “192.168.1.1” in the Gateway textbox.
• Select the FastEthernet0 option from the left pane. Then enter “192.168.1.2” in the IP Address and select the Subnet Mask text box (which will automatically populate).
• Repeat this process for the other 3 PCs; the Gateway IP should remain fixed (192.168.1.1) but the IP Address should increment: 192.168.1.3, 192.168.1.4 and 192.168.1.5.
• Now, you can create a simple message to pass over the network by clicking on the icon highlighted.
• Next, select the first PC that will be the source of the packet (in this case click on the first PC).
• Then select the destination of the packet (in this case select the second PC).
• In the bottom corner, click on the Simulation button to change modes.
• In the new window, select the Show All/None button.
• Then click the Edit Filters button and select the ICMP checkbox.
• In the Simulation Panel, click on the play button under the Play Controls.
• An animation of the packet’s journey will be shown on the screen. If successful, a green tick will be shown on the transmitting PC.
• You can see each step taken by the packet in the Simulation Panel and the ultimate result in the lower PDU list.
• You will now need to delete this simulation instance using the delete (double click) button in the PDU list.
• Now, try sending a packet from the first to the fourth PC.
• You should see that this communication is also successful. Now, click the RealTime button to revert to your design.
TASK 3: Creating VLANS
We will now implement a VLAN to show how packet behaviour changes.
• Click on the Switch, choose the Config tab and then in the left pane click on the VLAN Database.
• For the VLAN Number, enter “10” and for the VLAN Name enter “Isolated-PCs”, then click the Add button.
In this instance, we will be isolating the first and second PCs away from the third and fourth.
• Click on the Switch, then click the Config tab, select the FastEthernet0/2 interface from the left pane (which is connected to the first PC). Then in the dropdown VLAN box, uncheck the 1 box and check the 10 box.
• Switch back to Simulation Mode and delete any existing simulations. Then create a packet between the first and fourth PC.
• You should receive an error as illustrated below. This is because the traffic from the first PC is contained within the VLAN and the fourth PC is outside this VLAN.
You will have noticed during the previous simulations that the packet only travels to the
switch, as everything is in the same subnet. However, to provide increased isolation, as
discussed in today’s lecture, VLANs should be on separate subnets.
• Firstly, we are going to split our PCs into two subnets as below.
• Go back to Real Time mode and click on the third PC; in the popup window, change and set the Gateway to “192.168.100.1”.
• Then select FastEthernet0 from the left pane and change the “1” part of the address to a “100”.
• Perform the same action for the fourth PC.
• Return to Simulation mode; if there are any existing simulations just delete them.
• This time, create a packet to travel between the second PC and the fourth PC and run the simulation.
You will see that as the second and fourth PCs are now on separate subnets, the switch does not
know how to interpret this, so it will consult the router. As we have not specified any routes
between these subnets, the packet will be returned back to the sender.
• Revert to the Real-Time view and, using the same method as previously shown, add the second PC to the Isolated-PCs VLAN.
• Change to the Simulation view, delete any existing simulations, create a packet between the first and second PCs (which are on the same VLAN) and run the simulation.
This time you will notice that the packets are successfully transmitted between the two hosts as they
are on the same VLAN and subnet.
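The four simulations in Tasks 2 and 3 follow one decision sequence: on the same subnet the switch must forward the frame within the sender's VLAN; on different subnets the packet goes to the gateway, which must be reachable from the sender's VLAN and must hold a route for the destination. The Python model below is an added example, not part of the tutorial; it reproduces that sequence with the tutorial's PC addresses and VLAN numbers and assumes the router has only the 192.168.1.1 interface configured in Task 2, on the default VLAN 1, with no other routes.

```python
"""Forwarding model for the Packet Tracer exercises (added example).

Reproduces the outcomes of the tutorial's four simulations: a switch only
forwards within a VLAN, a host on another subnet is reached via the gateway,
and the router needs a connected route for the destination. Addresses and
VLAN ids are the tutorial's; the router configuration is assumed to be the
single interface set up in Task 2.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    address: str   # "ip/prefix", as typed into the PC's IP Address / Subnet Mask boxes
    gateway: str
    vlan: int      # access VLAN of the switch port the PC is plugged into


@dataclass
class Router:
    interfaces: dict  # VLAN -> interface "ip/prefix"; each is a connected route

    def vlan_of(self, ip):
        """VLAN whose router interface has exactly this address, or None."""
        for vlan, iface in self.interfaces.items():
            if ipaddress.ip_interface(iface).ip == ipaddress.ip_address(ip):
                return vlan
        return None

    def route_for(self, ip):
        """(VLAN, interface) of the connected network containing ip, or None."""
        for vlan, iface in self.interfaces.items():
            if ipaddress.ip_address(ip) in ipaddress.ip_interface(iface).network:
                return vlan, iface
        return None


def reachable(src, dst, router):
    """Return (delivered, reason) for one packet from src to dst."""
    s, d = ipaddress.ip_interface(src.address), ipaddress.ip_interface(dst.address)
    if s.network == d.network:
        # Same subnet: the sender ARPs for dst directly, so the frame must stay in one VLAN.
        if src.vlan != dst.vlan:
            return False, (f"switch drops frame: {src.name} is in VLAN {src.vlan}, "
                           f"{dst.name} in VLAN {dst.vlan}")
        return True, f"delivered at layer 2 inside VLAN {src.vlan}"
    # Different subnet: the frame goes to the gateway, which must sit in the sender's VLAN.
    gw_vlan = router.vlan_of(src.gateway)
    if gw_vlan is None or gw_vlan != src.vlan:
        return False, f"gateway {src.gateway} is not reachable from VLAN {src.vlan}"
    route = router.route_for(d.ip)
    if route is None:
        return False, f"router has no route to {d.network}; packet returned to {src.name}"
    out_vlan, _ = route
    if out_vlan != dst.vlan:
        return False, f"router egress VLAN {out_vlan} does not reach {dst.name} in VLAN {dst.vlan}"
    return True, f"routed from VLAN {src.vlan} to VLAN {out_vlan}"


# Assumed router state: GigabitEthernet0/1 = 192.168.1.1/24 on the default VLAN 1 (Task 2).
ROUTER = Router({1: "192.168.1.1/24"})

# Task 2: four PCs, one subnet, all ports on the default VLAN 1.
PC1 = Host("PC1", "192.168.1.2/24", "192.168.1.1", 1)
PC2 = Host("PC2", "192.168.1.3/24", "192.168.1.1", 1)
PC4 = Host("PC4", "192.168.1.5/24", "192.168.1.1", 1)
# Task 3: PC1's switch port moved to VLAN 10 "Isolated-PCs".
PC1_V10 = Host("PC1", "192.168.1.2/24", "192.168.1.1", 10)
# Task 3: PC4 re-addressed into 192.168.100.0/24 with gateway 192.168.100.1.
PC4_SUB100 = Host("PC4", "192.168.100.5/24", "192.168.100.1", 1)
# Task 3: PC2 also moved into VLAN 10.
PC2_V10 = Host("PC2", "192.168.1.3/24", "192.168.1.1", 10)

if __name__ == "__main__":
    for a, b in ((PC1, PC4), (PC1_V10, PC4), (PC2, PC4_SUB100), (PC1_V10, PC2_V10)):
        ok, why = reachable(a, b, ROUTER)
        print(f"{a.name} -> {b.name}: {'OK  ' if ok else 'FAIL'} {why}")
```

The third scenario is the one the tutorial explains in prose: the switch cannot deliver 192.168.100.5 at layer 2, the router is consulted, and with no connected interface in 192.168.100.0/24 the packet comes back. Adding a second router interface for that subnet on its own VLAN is what would make the two subnets reachable through an access-controlled path.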
TASK 4: Network Architecture Diagram
As part of your Coursework 01, you will be expected to create a network design, part of
this will include creating a suitable diagram. For this task, you will practice using
draw.io to create a network diagram.
• Navigate to https://app.diagrams.net/
• When the following popup appe