202310_CRS180_VU21991_AT2of2_EM_V9_Aminda Wimalagunaratna (3)

CRS180 Revision 101 May 2018 Page 3 OFFICI AL Assessment Task 2: Skills Assessment Section E – Marking Sheet - Student Answer Sheet Unit code: VU21991 Unit title: Implement network security infrastructure for an organisation Project/Report/Portfolio task Criteria for assessment Satisfactory Comment Yes No The following has been submitted for assessment: Part 1 - Identifying the project requirements ☒ ☐ Part 2 – Configure Basic Device Settings ☒ ☐ Part 3 - Control Administrative Access for Routers ☒ ☐ Part 4 – Implemented firewall technologies ☐ ☒ Marking criteria: Part 1 - Identifying the project requirements: Criteria below relate to the project requirements in Assessment Documentation 1. The client network security architecture requirements have been identified as per client brief Part 1 by the learner. ☒ ☐ 2. The learner has identified three (3) core needs for the client ☒ ☐ 3. The learner has identified three (3) current cyber security threats and attacks experienced by the client. ☒ ☐ 4. The learner has described two (2) network security testing methodologies that could be used to test for vulnerabilities based on the brief. ☒ ☐ Part 1 - Identifying the project requirements Based on the information you have gathered from the brief complete the following: 1. Identify the network security architecture required by the client. Given the security challenges faced by Impossible Triangle, it is essential to design a comprehensive security architecture to protect the company's systems and networks. Here are some key components that could be part of the security architecture: Deploying firewalls at network perimeters and between different network segments can help filter and block unauthorized access attempts, including intrusion attempts and denial-of-service attacks. Implementing an IDPS can monitor network traffic and systems for suspicious activities and potential security breaches. It can detect and respond to attacks such as Trojans, DoS, DDoS, and man-in-the-middle attacks. Separating the network into segments with different security levels can help contain security incidents. By isolating critical systems and limiting access between FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 6 OFFICI AL Assessment Task 2: Skills Assessment Screenshot of Topology FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 9 OFFICI AL Assessment Task 2: Skills Assessment FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 12 OFFICI AL Assessment Task 2: Skills Assessment Question 2: Take a screenshot of verifying the connectivity between hosts and routers. (Use Ping and traceroute   commands) Note. Please provide screenshots of configuration below including your name and student id visible in a notepad document. (Use Cisco Packet Tracer) Satisfactory response Yes ☒ No ☐ FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 15 OFFICI AL Assessment Task 2: Skills Assessment Part 3 - Control Administrative Access for routers & apply security restrictions Based on the information you have gathered from the brief secure administrative access to network devices and apply apply Security restrictions Skills to be observed during this task to the required standard The following questions are to be answered in relation to the scenario outlined in the instruction 1. Date: 2. Date: 3. Date: Comment 01/08/23 Satisfactory Satisfactory Satisfactory Yes No Yes No Yes No 1. The learner is able to secure and control administrative access for Routers. ☒ ☐ ☐ ☐ ☐ ☐ 2. The learner is able to configure local authentication, authorization, and accounting (AAA). ☒ ☐ ☐ ☐ ☐ ☐ 3. The learner is able to configure SSH, minimum password requirement, user account privileges, banners and encrypt passwords. ☒ ☐ ☐ ☐ ☐ ☐ 4. The learner is able to verify the connectivity. ☒ ☐ ☐ ☐ ☐ ☐ Part 3: Questions Refer to part 3 requirements of the Supporting document (Please provide screenshots of configuration below including your name and student id visible in a notepad document) Question 1: Secure and control administrative access for Routers. Satisfactory response Yes ☒ No ☐ Answer: Comment: FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 18 OFFICI AL Assessment Task 2: Skills Assessment FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 21 OFFICI AL Assessment Task 2: Skills Assessment including your name and student id visible in a notepad document) Question 1: Create an “Extended ACL” Satisfactory response Yes ☐ No ☒ Answer: Comment: Question 2: Apply this ACL on the correct router interface Satisfactory response Yes ☒ No ☐ Answer: Comment: FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 22 OFFICI AL Assessment Task 2: Skills Assessment Question 3: Verify ACL configuration using PING, HTTP and HTTPS protocols. Satisfactory response Yes ☐ No ☒ Answer: Screenshots of Pinging PC-C to PC-A Screenshot of HTTPS from PC-C to PC-A Comment: Aminda, ping and https should be permitted. HTTP should be denied. You need to fixed your ACL configurations. Please watch my recording in Brightspace to help you with this task. -Eddie This is your access-list Aminda. This is incorrect, you have to deny http from host 192.168.3.3 to destination 192.168.1.3. Second to permit HTTPS from PC-C to PC-A. Third is to allow ping from PC-C to PC-A. The screenshots you are showing are all correct. But FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 23 OFFICI AL Assessment Task 2: Skills Assessment Screenshot of HTTP from PC-C to PC-A Matches when I checked your Packet Tracer, it is not showing the same output as your screenshots. Please resubmit again on the 15 th of August 23. If you are not sure what to do message me in Webex chat or attend the Friday support session at 4PM. Cheers, Eddie Assessment Submission Cover Sheet (VET) Student Declaration – Must be signed before submission By submitting this assessment task and signing the below, I acknowledge and agree that: • This completed assessment task is my own work. • I understand the serious nature of plagiarism and I am aware of the penalties that exist for breaching this. • I have kept a copy of this assessment task. • The assessor may provide a copy of this assessment task to another member of the Institute for validation and/or benchmarking purposes. Student ID: 100640117 Student name: Aminda Wimalagunaratna Submission or observation date: Student signature For electronic submissions: By typing your name in the student signature field, you are accepting the above declaration. Aminda Wimalagunaratna Section F – Feedback to Student Has the student successfully completed this assessment task? Yes No ☐ ☑ FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 24 OFFICI AL Assessment Task 2: Skills Assessment Section F – Feedback to Student Additional Assessor comments (as appropriate): Aminda thank you for your submission of Assessment Task 2. Great work on answering most of the assigned task correctly. Please focus on my comments on the document and have another attempt at completing the task. Use the marked assessment attached and resubmit the updated assessment with your new answers within the next 7 days. Resubmission date: 8 August 2023 Aminda unfortunately your resubmission is still not satisfactory. Please read my newest feedback on the document. Please resubmit again on the 15th of August 23 . If you are not sure what to do message me in Webex chat or attend the Friday support session at 4PM. Resubmission allowed: Yes ☐ No ☐ Resubmission due date: 015/08/2023 Assessor name: Edsel Morales Assessor signature: Edsel Morales Date assessed: 08/08/23 Supporting document Project Brief Read thought the brief below take note of the needs and requirements outlined in the brief. Introduction Since its inauguration, Impossible Triangle (name of company) has been defining the 3D printing industry. Founded in 2011, Impossible Triangle is led by people who've spent most of their careers in startups, and combine serious technical knowledge with an inspiring vision of what the world could be. They bring together a passionate, dynamic team of game changers. Impossible Triangle is the worlds’ leading 3D Printing Service. Impossible Triangle enables everyone to bring his or her ideas to life. Clients can login to a backend portal and upload their 3D designs to place instant order. Clients’ orders are printed and shipped within 30 business days. Problem Impossible Triangle has a strong web presence and the recent update to the website has drawn much interest from public and hence experiencing high web traffic. Unfortunately, their new website has been used as a gateway to access servers and the local network of the company. Consequently, Impossible Triangle has been experiencing many typical security attacks from Trojans, DoS, DDoS, Spoofing, Phishing, Spear phishing, Man in the middle and FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 25 OFFICI AL Assessment Task 2: Skills Assessment Password attacks in the past 6 months. Project requirements It is crucial that all network devices be configured with at least a minimum set of best practice security setting. Unfortunately, this hasn’t been done. The network device topology shown below has the potential of offering a robust security solution, but there is a problem due to default passwords and incorrect network device configuration. (Aspects of this document has been taken from CCNA Security - Skills Assessment, which is Cisco Public document) Connect the devices as per topology shown below: Use the following addressing table to give IP addressing. Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 G0/1 192.168.1.1 255.255.255.0 N/A S1 F0/5 S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A R2 S0/0/0 10.1.1.2 255.255.255.252 N/A N/A S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A R3 G0/1 192.168.3.1 255.255.255.0 N/A S3 F0/5 S0/0/1 10.2.2.1 255.255.255.252 N/A N/A PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 F0/6 PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 F0/18 Project objectives Part 1: Identify client requirements Part 2: Configure Basic Device Settings  Connect the devices as shown in the topology.  Configure basic IP addressing for routers and PCs as provided.  Configure OSPF routing on all three routers (R1, R2, R3). Use process ID 100, and OSPF area 0.  Configure PC hosts (PC1 & PC2). FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner

CRS180 Revision 101 May 2018 Page 26 OFFICI AL Assessment Task 2: Skills Assessment  Verify connectivity between PC and Server (end-to-end conductivity).  Once completed, provide screen shots with your name and Student ID. Part 3: Control Administrative Access for Routers  Configure a console password and enable login for all routers. Set the exec-timeout command which causes the line to log out after 7 minutes of inactivity.  Configure AUX port password and enable login for all routers. Set the exec-timeout command which causes the line to log out after 4 minutes of inactivity.  Configure VTY lines password and enable login for all routers. Set the exec-timeout command causes the line to log out after 4 minutes of inactivity.  Configure local authentication, authorization, and accounting (AAA) user authentication.  Configure R1 to accept SSH sessions for remote management only.  Encrypt clear text passwords in all routers.  Configure minimum password length on all routers to be 8 characters.  Create a new user account with a secret password (user ciscouser password myciscopass ) with maximum privilege (level 15)  Configure a login warning banner on all routers  Configure the enable secret passwords on all routers ( ciscoenable)  Provide screen shots with your name and Student ID. Part 4: Configure, Apply and Verify an ACL with the following specifications:  Extended Numbered ACL 150 on R3 accept and reject traffic from network 192.168.3.0 / 24 as per following conditions:  Block HTTP traffic from PC to Server.  Permit HTTPS and all other traffic from PC to Server.  Apply this ACL on the correct interface on R3.  Verify ACL configuration by using HTTP, HTTPS from PC to IP address of Server, also verify if PC can PING to Server.  Provide screen shots with your name and Student ID. FOR OFFICIAL USE ONLY Holmesglen: CAIT_EM 2023 L:\CAIT\Teaching\T&L\202310\22334VIC_Online\Network_Security_Infrastructure \202310_CRS180_VU21991__AT2of2_EM_V9_Learner