Overview
INFT 3015 Network Security SP5 2023
Assignment 1 (40%)
Due: See Below
Individual Assignment Submission: via the course website
The following assignment will require you to demonstrate skills you have learnt in the course INFT 3015 Network Security. The case study has you as a network consultant brought in to work on a new network design for Kaisa Incorporated. Each deliverable has been listed below to assist you in planning the report. Please make a note of the due dates in this document. Part 1 is submitted prior to Part 2 and 3 being due.
• Part 1 – Due Date: Sunday 27th August 2023, 11:59pm (end of Week 5)
• Part 2 & 3 – Due Date: Sunday 15th of October 2023, 11:59pm (end of Week 10)
Submit each part under its respective submission area.
For full marks, a professional report meeting all deliverables must be submitted before the due date. In summary, this assignment requires you to create a report for a particular penetration/testing tool, along with a suitable network design for the given case study, you will then implement your security policies using Netlab. This is a large assignment and will require significant time investment on research and writing. Do not start this assignment late. It is important you justify your choices in each deliverable.
Academic Integrity
Generative Artificial Intelligence (GenAI) tools such as, but not limited to: ChatGPT, OpenAI Playground are not permitted to be used to complete this assessment item. As per Academic Integrity Policy AB-69, use of artificial intelligence tools is considered a form of contract cheating in cases where students have not been given explicit permission to use such tools.
You may use Generative Artificial Intelligence (GenAI) tools to help you understand or learn concepts involved in this assignment. We are expecting you to balance the use of these tools and you are reminded that the results from these tools may not be correct or may be incomplete in the context of this assignment and course.
Deliverables
This assignment requires you to complete multiple deliverables:
• Penetration/Testing Tool Report (Word/PDF),
• Demonstration Video (MP4/AVI/MKV),
• Logical Network Diagram (PNG file),
• Security Policies (Firewall Policies) Document (Word/PDF),
• Traffic Flow Diagrams (PNG files),
• Traffic Flow Support Document (use cases, other justification) (Word/PDF),
• Equipment List (Word/PDF),
15/07/2023 v1.0 1
Some of these should be combined, such as the Word documents. It is up to you to make this work in a professional manner. You will be partially marked on professionalism of your reports.
Justifications and assumptions for the deliverables should be included when relevant.
Your Learnonline submission should contain:
• Word Documents/PDFs,
• Excel file,
• Video file,
• Diagram files (PNGs).
Submissions should not be in archive files such as Zip, RAR, RAR5, 7zip or similar.
Weighting
The assignment is worth 40% of your overall grade for this course. The following table breaks down each component of the assignment, giving it a percentage out of the 40% for this assignment.
Investigation of Penetration/Testing Tool 10% Network Design 5% Draft Security Policies & Traffic Flow 10% Equipment List 5% Implementation 10%
Part 1 – Investigate Penetration/Testing Tools – Due 27/08/2023
11:59 PM
The first part of this assignment focusses on research. Cybersecurity tools for red/blue teams. The first step is to pick the tool you will investigate. The list of tools available to use is on the Learnonline site. Up to 4 people can pick the same tool, you MUST join the team for the tool to use it in this part of your assignment. If you use a different tool that is not listed or do not join a team for a tool you will receive a zero (0) for this section of the assignment.
Tool Overview and Comparison (~500 words1)
The next step is to outline the tool, its primary functions, and features and why it is an important tool for red/blue teaming. Include the target audience for the tool (red/blue/purple) and the MITRE ATT&CK Enterprise tactic(s) for the tool. Further to this, discuss how this tool may impact a business if used unethically by malicious actors.
Compare the tool to two other tools available to cybersecurity teams, use the primary tactic to research other tools that exist. Your comparison should be based on relevant factors to that tactic (the techniques and sub-techniques), and other factors you deem reasonable. You can find the tactics to techniques ATT&CK Matrix for Enterprise here:
1 Note: word count is a guide, do not treat it as a maximum or required number. You may go over or under this word count as much as you wish.
15/07/2023 v1.0 2
An example for Credential Access tactic is shown below.
Techniques Tool 1
Tool 2 Tool 3
OS Credential Dumping
Yes. Explain more here.
No. Explain more here.
Yes. Explain more here.
Steal Web Session Cookie
Brute Force
No. Explain more here.
Yes. Explain more here.
Yes. Explain more here.
Yes. Explain more here.
Yes. Explain more here.
Yes. Explain more here.
Credentials from Password Stores
Yes. Explain more here.
No. Explain more here.
Yes. Explain more here.
Input Capture
No. Explain more here.
Yes. Explain more here.
No. Explain more here.
Demonstration of Tool (10-minute video)
The final task for this section is to record a (at maximum) 10-minute video demonstrating the tool in a secure and offline virtual environment. You may build your own virtual environment using VirtualBox/VMware if you wish to. If you are opting to build your own virtual environment, you should know how to secure it and prevent access to the Internet.
Your demonstration should include:
• An overview of what the demonstration will cover,
• A live demonstration against a virtual target (not your computer or someone else’s
computer, remember your ethics). This should also include you explaining what is happening during the demonstration.
Part 2 – Case Study – Due 15/10/2023 11:59 PM
Kaisa Incorporated (KAISA) is a growing enterprise in need of a new design for their network. KAISA
now specialises in virtual reality headsets and is an industry leader in this field. Along with this, KAISA has branched out further into VR games, becoming an industry leader in using haptic feedback to imitate human touch in games. They have excelled in creating cheap, but high quality, virtual reality headsets and haptic suits for gaming consoles and PC gamers.
KAISA have decided to move their headquarters, opting for a more modern and liveable location: Mawson Lakes Technology Park (Tech Park). This has put them in the difficult position of needing a network built for their new headquarters and their branch offices to be upgraded. KAISA’s previous head office in Sydney will become a branch office. Their Adelaide CBD branch office will move to Tech Park and will require significant upgrades to support the number of staff and devices.
KAISA currently has the following staffing requirements for each department:
15/07/2023 v1.0 3
Sydney (the current HQ)
Department
Team Staff Expected Growth in 5 Years
Human Resources & Finance
Limited.
Design and Development
Virtual Reality
Software Engineering
VR Game Design Research
3D Modelling Research Prototype Marketing
53 At least 30%.
15 At least 50%. 2 Limited.
13 At least 15%. 41 At least 50%. 12 At least 50%. 22 At least 10%.
23 Limited.
3 At least 30%. 15 At least 40%.
11 At least 30%.
1 At least 20% 10 Limited. 15 Limited.
Game Design
At least 30%.
Quality Assurance
Limited.
Art
Concept Art
At least 10%.
3D Printing
At least 40%.
Innovate
At least 30%.
Product
Custom Support
At least 25%.
Melbourne Branch Office
Department
Team Staff Expected Growth in 5 Years
Human Resources & Finance
Limited.
Design and Development
Art Product
Adelaide
Design and Development
Software Engineering
Concept Art Custom Support
Game Design
Quality Assurance 3D Printing Innovate
Game Design
At least 10%.
3D Modelling
At least 10%.
Training
At least 10%.
Department
Team Staff Expected Growth in 5 Years
Human Resources & Finance
At least 20%.
VR Game Design
At least 40%
Art
3D Modelling
Limited.
Virtual Reality
Research
Limited.
Product
Marketing
At least 10%.
KAISA has a few servers at each company location: Web, File and Email. Servers should all have externally accessible IP addresses. Servers should be in a DMZ zone; this means that a server should
15/07/2023 v1.0 4
not be able to ping/access internal devices unless the internal device initiates the connection. You are not required to provide any IP addressing for devices, simply referring to them by their name (“Sydney Concept Art PC”, “Melbourne Product Customer Support PC”) is sufficient.
Certain teams should also not be able to contact other teams. A list of general security policies (not business policies, firewall policies) include:
• HR should not be accessible by any team.
• The entire Virtual Reality (VR) department should not be contactable from any other team.
o Teams inside the VR department should be able to contact each other. • VR Game Design team should be accessible to only the Game Design team.
o The Game Design team should still have access to everything else.
• All departments should have access to the Internet. Certain limitations apply:
o The VR department should have no access to Bandwidth Consuming, Potentially Liable, Security Risk, and Unrated web filter categories.
o TheArtdepartmentshouldhavenoaccesstoSocialNetworking.
o The entire company should have no access to: Adult/Mature Content, Security Risk
categories.
o Social networking should be restricted to 30 minutes a day for every department
except Art.
• Virtual Reality is high-bandwidth capable and as a result, traffic from the Virtual Reality
department to anywhere should be guaranteed 1000Mbps.
Your role in this is to be the network consultant, providing a new network design, equipment list, security policies and traffic flow diagrams. This new design should support the expected growth in 5 years, as shown above. You need to calculate the new headquarter staff numbers. Staff are not expected to be made redundant in the transition to Tech Park. You are free to base the Sydney branch office staffing levels off Adelaide/Melbourne’s current staffing levels.
Network Design
You are required to create a logical network diagram for the entire new network. This means that Sydney will be a branch office in your diagram and Tech Park will exist.
This course does not have a pre-requisite that contains information on network design, as such, it is not expected of you to include any IP addressing in your logical network diagram. It is however expected that you include some aspects of network design, such as a two-tier or three-tier system and give reason as to why you chose one over the other. An example of a logical diagram without IP addressing is shown below.
This diagram SHOULD NOT be used as a complete diagram. This diagram also does NOT contain firewalls. Your final diagram SHOULD contain firewalls.
15/07/2023 v1.0 5
Remember, you are marked on completeness, suitability, scalability, security, redundancy. If you are not familiar with network design, please find the video titled “Network Design” on the Assignment tab to assist you.
Your logical diagram should be drawn using Draw.IO (https://app.diagrams.net/). You may opt to use Lucidcharts or Visio, you will probably find Draw.IO the easiest.
You are given significant freedom in what you choose to do in terms of design, link speeds and hostnames. Keep all decisions appropriate to the case study, include justifications and assumptions.
Draft Security Policies & Traffic Flow for Tech Park Headquarters (~500 words2)
After you have decided on your new design it is time to write your draft security policies and illustrate how the network will work with the draft security policies implemented. You only need to create these policies, use cases, and traffic flow diagrams for the new Tech Park Headquarters.
Your draft security policies should be written like how you would write a firewall policy (they will be implemented as firewall policies in Part 3). These draft security policies should take the form of a table. The format of the table is up to you to decide on and make. All policies should use the same table format.
Traffic flow diagrams should clearly illustrate how traffic will move throughout the network in different use cases. At the very least a traffic flow diagram should show:
• Who initiated the connection in the use case (Concept Art? Product Customer Support?),
• Where the traffic flow is allowed to go,
• Where the traffic flow is not allowed to go.
2 Note: word count is a guide, do not treat it as a maximum or required number. You may go over or under this word count as much as you wish.
15/07/2023 v1.0 6
You will need to create more than one traffic flow diagram. You may find it easiest to write several use cases to show network activity (“HR connects to the Internet”, “VR connects to the Art department”) and then draw traffic flow diagrams based off the use cases. Ensure the use cases are included in your traffic flow supporting document.
Equipment List (~250 words3)
The second task in this part is to create an equipment list. This may take the form of paragraphs for each device or a table which cleanly outlines the equipment that has been chosen for the new network design.
Equipment for this new network should include:
• Networking devices (NOT consumer-based devices, enterprise vendors only): o Routers,
o Layer3switches,
o Layer2switches.
• Firewall appliances (these MUST be Fortinet).
• Prices for the above
o Licensing o Hardware
The equipment list should not include:
• Printers,
• Servers,
• Wireless Access Points,
• Wireless LAN Controllers,
• Other end devices.
All equipment choices should be justified and compared to other potential solutions. All choices should also be researched, particular attention should be paid to the port speeds, density, and compatibility with Fortinet. It is not appropriate to state, “Because it will work well for this company”.
Your equipment list should include references, you might find footnotes to be particularly suitable. A footnote should include a link to the website/resource and the date you viewed it.
3 Note: word count is a guide, do not treat it as a maximum or required number. You may go over or under this word count as much as you wish.
15/07/2023 v1.0 7
Part 3 – Implementation using Netlab/Remotelab – Due 15/10/2023
11:59 PM
As a part of the new design KAISA wants to see the implementation of your security policies on a simulated environment. For this we will use Netlab/Remotelab which you have all used for your practicals. Your implementation will be different depending on your design you have created above. You will be marked by the consistency between your security policies (firewall policies) that you have implemented on Netlab and the listed policies in Part 2 of the assignment.
Netlab has a standardised pod design that cannot be changed. As a result of this, you are not required to create a complete, functioning network. You will, however, implement certain aspects of your design. You should use the Local-FortiGate device (access through the Local-Client machine) to implement the following:
• The security policies you have created in Part 2 (as firewall policies),
• Web filter profile(s) – these should be applied to the appropriate firewall policy as well,
• App control profile(s) – these should be applied to the appropriate firewall policy as well,
• Traffic shaping profile(s),
• Relevant IP address objects – IP addresses are not marked, but you will need to create IP
address objects identifying the devices to use in your policies,
• SNAT/DNAT.
You are required to create screenshots of your implementation (GUI and/or CLI) and organise them in a Word document for submission. Be careful to include all details in your screenshots, you may need to take more than one screenshot for the feature implemented. A short description for each screenshot or section should clearly tell the reader what part is being implemented.
Academic Integrity
You are warned that the University’s policies on academic integrity will be strictly adhered to. This is an individual assignment and the work you submit must be entirely your own: no part of your submission can be anybody else’s work or work that you did together with another student or students. You must not make your work available to another student. All use of outside assistance, e.g., “essay farms” on the Web or work written for you by anything or anyone (friend, AI ...), is strictly forbidden and will attract a minimum penalty of zero for the assignment. To defend yourself in the case of any suspicion of academic misconduct, you are strongly urged to retain all evidence of how you developed your assignment, such as rough work sheets, notes, drafts, copies of reference material, minutes of meetings etc.
You are free to discuss the report with others, and to give and receive help, including references and general discussion of the main arguments and conclusions, as long as the text of your report is written by yourself and is not made available to others. Your submission will be subject to automated checks for plagiarism, including, but not limited to, Turnitin.
If you have any doubts about the academic integrity requirements, please discuss them with us. Refer to the University’s academic integrity policy for further information.
15/07/2023 v1.0 8
Extension to Assessment Task Deadlines
There will be NO extensions to the assessment task deadline unless arranged prior. If you submit the assignment late for whatever reason, the late penalty described below will apply. If for some reason you need to take extended leave from this course, such as jury duty or Defence Force leave, please see the course coordinator BEFORE taking such leave otherwise no extensions will be granted. Extension requests must be submitted through the Learnonline site.
Late Submissions
If you submit your assignment after the specified deadline without a pre-arranged extension, a penalty of 20% of the total mark per day (including Saturday and Sunday) will be incurred. For example, if you are 2 days late and you are awarded 10/15 your actual mark will be 8/15.
15/07/2023 v1.0 9
