Dissertation Report - Submitted

Hayden Hooper

COLCHESTER INSTITUTE | SHEEPEN ROAD, COLCHESTER, ESSEX

DOCUMENT BODY WORD COUNT: 8261

How can an organisation improve network security by implementing AAA protocols such as RADIUS on private IEEE 802.11 and 802.3 networks?



Student ID: 1400869


Abstract

This report investigates the potential uses for IEEE 802.1x authentication within organisations to help improve organisational security compared to traditional authentication methods, which rely on shared keys that are commonly known. The report also investigates existing solutions such as Access Gateways, and the benefits and disadvantages of Access Gateways compared with RADIUS authentication on wired and wireless networks.


Declaration of Original work

I understand the nature of plagiarism, and I am aware of the policy set out by the University of Essex in regard to this.

I hereby certify that this dissertation reports original work produced by myself during my individual project, except for the following:

Note work sourced by third party authors

Signature: ______________________________

Printed: Mr Hayden Jeffrey Hooper

Date : Dated this first day of February of the year two thousand and fifteen.

Declaration of Ethical compliance

Research conducted within the report has been done in confidence and no information has been collected and/or processed to personally identify an individual by name¹ or geolocation².

Information such as MAC addresses and IP addresses (both IPv4 and IPv6) may be present within this report but does not relate to an implemented solution within any organisation nor in a public place.

The purpose of using this information is purely academic and does not infringe the rights of any data subjects involved during the research of this project.

A full copy of the Ethical awareness declaration can be located within appendix A11 of this document.

¹ In certain instances names may be replaced by a generated acronym, such as USFLMIS1. The first two digits of the name will be the country code, so in the example shown previously US = United States; the second two digits will be the State or County code, so in the example shown, FL = Florida; the third group of two digits will be the town or city code, so in the example, MI = Miami; and the remaining digits starting with S will represent the site number. This will be randomly generated to ensure anonymity.

² Geolocation meaning fixed location by specific address. Geolocations such as country names or codes may be present within this report.


Contract of Allocation

Component Range Agreed %

Presentation of report 5% 5%

Content of report 40-50% 40%

Project Management 10% 10%

Practical implementation 10-25% 20%

Primary research 0-20% 5%

Literature research and references 10-15% 10%

Oral 10% 10%

Total 100%

Signatures

___________________________________

Supervisor – Mr Philip Cheung - Date:

___________________________________

Student – Mr Hayden Hooper – Date: 2nd May 2015

___________________________________

Project co-ordinator – Mrs Elizabeth Scott – Date:

H. Hooper


Acknowledgements

I would like to take this opportunity to give thanks to Mr John Rawnsley (Managing Director of RawApple Communications Ltd) who has assisted me in completing my research by providing resources towards this research and by also allowing me to complete my coursework during working hours.

Resources provided by RawApple Communications Ltd

1x Microsoft Windows Server 2008 R2 Standard License

1x JDSU ValidatorPRO Network Certifier

1x DrayTek Vigor AP700

I would also like to extend my thanks to Mr Philip Cheung (Networks, Systems Security and CCNA Certified Lecturer), Mr Marwan Mahassen (Workshop Supervisor (CCNA Certified Instructor and Masters in Computer Networks)), and Mrs Elizabeth Scott (Head of Department for Business Management and Computing at Colchester Institute) for providing support and resources which have allowed me to complete this study.


Table of Contents

Abstract .................................................................................................................... i

Declaration of Original work .................................................................................... ii

Declaration of Ethical compliance............................................................................. ii

Contract of Allocation ............................................................................................. iii

Acknowledgements................................................................................................. iv

Table of Contents..................................................................................................... v

List of Figures........................................................................................................ viii

1 – Introduction ....................................................................................................... 1

1.1 – Scope and Objectives .................................................................................................1

1.2 – Background Scenario..................................................................................................2

1.3 – The problem ...............................................................................................................2

1.4 – Overview of Dissertation..................................................................................................2

2 – Literature Review ........................................................................................... 3

2.1 – Background of Wireless Technology ..........................................................................3

2.1 – Previous Research ............................................................................................................4

2.2 – Previously Targeted infrastructure attacks ......................................................................4

2.3 – Motives and Reasons for attacks .....................................................................................4

2.4 – The value of data..............................................................................................................4

2.5 – The problem .....................................................................................................................5

2.6 – The Question ....................................................................................................................5

3 – Methodology and Design .................................................................................... 6

3.1 – Survey targeting ...............................................................................................................6

3.2 – Research flow ...................................................................................................................7

3.3 – Project Methodology........................................................................................................8

4 – Technical Chapter ........................................................................................... 9

4.1 – Phase 1 – Preliminary Evaluation & Infrastructure design...............................................9

4.1.1 – Review of Survey and Research ................................................................................9

4.1.2 – Definition of Aims and Objectives...........................................................................10

4.1.3 – Evaluation of Available resources ...........................................................................11

4.1.4 – Design of infrastructure ..........................................................................................11

4.1.5 – Evaluation of existing solutions...............................................................................12

4.1.6 – Justification of network design ...............................................................................13

4.2 – Phase 2 – Implementation of Infrastructure..................................................................14

4.3 – Phase 3 – Development of Infrastructure and Future Recommendations ....................19


Conclusion ............................................................................................................. 20

Recommendations ................................................................................................. 21

Evaluation.............................................................................................................. 22

Project Evaluation ...................................................................................................................22

Evaluation of meetings and discussions .................................................................................22

Evaluation of project planning ................................................................................................22

References............................................................................................................. 23

Glossary................................................................................................................. 25

Appendix ............................................................................................................... 27

A1 – Survey Response Summary - Network & Infrastructure security ...................................27

A1.1 - Welcome...................................................................................................................27

A1.2 - Questions for Individuals ..........................................................................................27

A1.3 – Questions for Organisations and IT Professionals ...................................................32

A2 – Blank Survey - Network & Infrastructure security ..........................................................38

A2.1 - Page 1 – Welcome ....................................................................................................38

A2.2 - Page 2: Questions for Individuals .............................................................................38

A2.3 - Page 3: Questions for Individuals .............................................................................38

A2.4 - Page 4: Questions for Organisations ........................................................................40

A3 – Practical Network Design – NOTE CONFIGURATION LOCATION IN APPENDIX...............42

A4 – Practical Network Design – Backbone Core....................................................................43

A5 – ValidatorPRO cable certification report..........................................................................44

A6 – Router Configurations.....................................................................................................64

A6.1 – R1 .............................................................................................................................64

A6.2 – R2 .............................................................................................................................68

A6.3 – ISP.............................................................................................................................72

A6.4 – WEBHOST.................................................................................................................74

A7 – Switch Configurations .....................................................................................................76

A7.1 – S1..............................................................................................................................76

A7.2 – S2..............................................................................................................................80

A7.3 – S3..............................................................................................................................84

A8 – Subnet and IP Configuration...........................................................................................88

A8.1 – Subnet Management ...............................................................................................88

A8.2 – IP Address Allocation ...............................................................................................89

A9 – Failed RADIUS Authentication ........................................................................................90

A9.1 – Failed RADIUS Authentication request (XML)..........................................................90


A9.1.1 – Raw XML Data.......................................................................................................90

A9.1.2 – Description Raw XML Data....................................................................................90

A9.2 – Failed RADIUS Authentication request (GUI)...........................................................92

A10 – Testing of configuration................................................................................................93

A11 – Declaration of Ethical Compliance................................................................................95

A12 – Project Gantt Chart .....................................................................................................101


List of Figures

The figures included within this document are listed below.

Figure 1 - Project Management Venn Diagram ........................................................................................... 1
Figure 2 - Waterfall Methodology................................................................................................................ 8
Figure 3 - Backbone core network design.................................................................................................. 11
Figure 4 - Example network solution utilising an Access Gateway ............................................................ 13
Figure 5 - Cable schedule and labelling...................................................................................................... 14
Figure 6 - Packet tracer diagram of network infrastructure ...................................................................... 15
Figure 7 - Services.msc snapin for Microsoft Management Console - WiredAutoConfig Service ............. 17
Figure 8 - WiredAutoConfig properties...................................................................................................... 17
Figure 9 - Ethernet Properties - Authentication tab .................................................................................. 18
Figure 10 - Network diagram of project testing......................................................................................... 42
Figure 11 - Backbone core of network design - Including IP Phone Server and Apache Webserver ......... 43
Figure 12 - Failed RADIUS authentication - Microsoft Event Viewer - (GUI) ............................................. 92


1 – Introduction

For my research project I will be researching the area of wireless network security and how different methods of securing a Wi-Fi network can benefit an organisation when managing network security.

The project will look at the use of AAA (Authentication, Authorisation and Accounting) on business networks, whilst taking into consideration implementation costs, ease of management and accounting of devices and users connecting to the network infrastructure.

1.1 – Scope and Objectives

The purpose of this research project is to determine which authentication methods would be best suited to different types of organisations, whilst at the same time taking into consideration three factors: cost of equipment and services, quality of the equipment and applications, and the speed of the system or application.

FIGURE 1 - PROJECT MANAGEMENT VENN DIAGRAM

When designing a project such as this, businesses have to make a hard decision by picking two of the three factors which comprise a project. These three factors are:

1. Quality of the final product
2. Cost of the final product
3. Speed of the final product

It is impossible to create a final product which comprises all three factors, so when creating a project on behalf of an organisation, businesses have to choose two of the three factors to base the project on.


1.2 – Background Scenario

The main scenario for this project will be a small estate agent called “Great Estates Ltd”³ which employs 3-5 personnel. Two of the employees are full time and one of the three remaining employees works at the organisation part time as an administrative clerk. The other two remaining employees are contractors employed by the organisation to work on the estate agent's office and the homes which are managed by the estate agent.

Over the past year one employee has been dismissed for abuse of information technology systems, for breach of the Data Protection Act 1998, for breach of the Computer Misuse Act 1990 and for breach of contract by running a separate estate agency on the side and gaining customers through the data obtained illegally.

The IT service provider at the time didn't prioritise this breach, and user accounts remained active and Wi-Fi keys were not changed. After the organisation found a new IT service provider, they discovered the problem was much worse than initially thought. The dismissed employee had been returning to the premises out of hours and accessing the systems using the wireless infrastructure.

After this breach was detected passwords were immediately changed and user accounts were disabled.

1.3 – The problem

Many organisations use little or no security when implementing wireless access points due to two factors: limited resources or limited funding. If an organisation requires Wi-Fi to be installed on a network, businesses may buy in Wi-Fi equipment and install it directly on the network without configuring wireless security protocols such as WEP, WPA, WPA2 or WPA2 Enterprise (IEEE 802.1x).

From my personal experience, because of the costs involved with installing wireless access points professionally, businesses would rather install equipment themselves (Rogue Access Points), which puts all of the other network devices at risk and the business at risk of breaching the Data Protection Act 1998 and the Computer Misuse Act 1990. (Cisco, n.d.)

1.4 – Overview of Dissertation

This project investigates the use of IEEE 802.1x authentication on wireless access points and managed switches to ensure the wireless and wired network infrastructure remains secure. This report also investigates existing solutions such as Access Gateways, which provides a comparison of the two different solutions and how each solution could benefit an organisation.

³ Note – Great Estates Ltd is a fictitious business and the business name does not relate to any organisation with the same or similar name.


2 – Literature Review

2.1 – Background of Wireless Technology

In 1985 the FCC (Federal Communications Commission) de-regulated the radio spectrum from 2.4 GHz to 2.5 GHz for use by the ISM (Industrial, Scientific, and Medical) communities.

This de-regulation enabled the spectrum to be used for individual, non-licensed applications (Berg, 2011), and it enabled developers of wireless technology to design communications technologies without the need for costly licensing.

In the early 1990s the IEEE (Institute of Electrical and Electronics Engineers) realised the potential of data transfer using these de-regulated frequencies. In 1990 a new committee was established to investigate the possibility of using these frequencies for data communication. (Institute of Electrical and Electronics Engineers, 2015)

It was not until 1997 that the 802.11 standard was published. During the next two years two variations of 802.11 were ratified: 802.11a and 802.11b. The 802.11a variation, unlike 802.11b, utilises the 5 GHz frequency instead of the 2.4 GHz frequency which 802.11b utilises. (Berg, 2011)

The primary objective of the 802.11 committee was to provide a standard with the aim of providing a reliable, fast, inexpensive and robust solution with widespread acceptance.

One of the reasons for the widespread success was its compatibility with other 802 protocols, specifically IEEE 802.3 for wired Ethernet networks. This compatibility enabled access points to be implemented with direct connections to switches, routers and computers.

802.11 is very different now to what was originally designed in 1997. Speeds in the initial two variants of 802.11 (a and b) were only capable of achieving a maximum of 11Mbps for 802.11b and 54Mbps for 802.11a. (Curran & Canning, 2007)

Since the release of 802.11a and 802.11b, three additional variants of 802.11 have been released, with other variants being tested and designed. The first ratified variant of 802.11 since 802.11b was 802.11g. 802.11g was ratified on the 20th March 2003 by the IEEE (Institute of Electrical and Electronics Engineers, 2015) and is capable of providing network connectivity at speeds of up to 54Mbps. (Curran & Canning, 2007)

802.11g, like 802.11a, uses a more advanced form of modulation called OFDM (Orthogonal Frequency Division Multiplexing), but enables it to be used in the 2.4 GHz frequency band. The large attraction to 802.11g was its ability to provide data rates of up to 54Mbps.

In 2007 another variant of 802.11 was ratified: 802.11n. (Institute of Electrical and Electronics Engineers, 2015) 802.11n is capable of providing network speeds exceeding 300Mbps, which is of great benefit to organisations running applications which require fast network connectivity, such as remote desktop services and IP telephony.

In 2013 the 5th generation of IEEE 802.11 was ratified; this standard was published and approved by ANSI on the 11th December 2013. (Institute of Electrical and Electronics Engineers, 2015) Unlike its counterpart 802.11n, 802.11ac can only function using the 5 GHz frequency. Each 802.11ac access point can provide network speeds of up to 500Mbps, but by implementing a multi-station access point configuration gigabit network speeds can be achieved. (Kassner, 2013)


2.1 – Previous Research

Every day businesses run the risk of exposing themselves to data breaches by not protecting their network infrastructure sufficiently. In 2013 the Department for Business, Innovation & Skills reported in the executive summary of the 2013 Information Security Breaches survey that the number of network security breaches has increased significantly and that smaller businesses are now becoming victims of security breaches of the kind seen by larger organisations in 2012. (Department for Business, Innovation and Skills, 2013)

During the survey conducted by the Department for Business, Innovation and Skills, 93% of large organisations surveyed in 2013 admitted to having at least 1 security breach in the period between 2012 and 2013. The survey was also targeted at smaller organisations; 87% of those smaller organisations surveyed also admitted that security breaches had been detected during the period between 2012 and 2013. This statistic showed an increase in breaches in network security of 11%, up on the previous survey. Of those companies which were affected, on average a 50% increase in network security breaches was detected compared with the previous year. (Department for Business, Innovation and Skills, 2013)

2.2 – Previously Targeted infrastructure attacks

On the 19th December 2013, Target Superstores said that as many as 40 million credit card and debit card accounts may have been compromised during the Black Friday weekend through December 15, and that the information stolen included customer names, credit or debit card numbers, the card's expiration date and CVV (Card Verification Value). (Target Brands Inc, 2013) Upon further investigation by Forbes Magazine the reality of this breach was much worse than what was initially thought. The number of end users affected was almost double the initial report by Target, showing that up to 70 million consumers may have been affected instead of the initial 40 million consumers. (Forbes Magazine, 2014) This breach of security demonstrated the hackers' ability to obtain a mass amount of information within such a short period of time.

As the breach was on the Black Friday event, the hack may have been targeted with pre-emptive threat analysis being undertaken by the offending party, with the intent to attack during the busiest period where millions of transactions will be processed within a 48 hour period, thus gaining mass amounts of data before the threat is detected, identified and mitigated. In the days leading up to Thanksgiving 2013, malware was installed on Target's security and payment systems. This malware was designed to steal every credit card used at the company's one thousand, seven hundred and ninety-seven stores within the United States. (Business, Riley, Elgin, Lawrence, & Matlack, 2014)

2.3 – Motives and Reasons for attacks

There are many reasons for attacking a business. For example, it could be a personal vendetta against that specific organisation for doing wrong; a targeted attack, such as the example above, to obtain information for malicious purposes, such as financial gain from profiteering from the sale of the stolen data; or just attacking that organisation to deny others from using that service, such as a DDoS attack.

2.4 – The value of data

The value of an individual piece of data fluctuated between $0.10 USD and $100 USD on the black market in 2008, but in 2009 the value of each piece of data stabilised between $1 USD and $20 USD. In 2014 the value of one thousand stolen email addresses ranged from $0.50 USD to $10 USD. This pricing is a good incentive for hackers to sell data, as they can profit very quickly on the black markets which can be accessed using software such as Tor. (Wueest, 2014)


2.5 – The problem

From previous experiences with customers, employees at any level pose a risk to the network infrastructure, authorised or unauthorised. Customers who have an IT infrastructure but do not require an IT technician on-site sometimes leave their IT infrastructure exposed to risks, such as unauthorised use of resources, because passwords are not changed and user accounts are not disabled when an employee leaves the organisation.

This is usually a result of a lack of understanding of how the technology works and how it can be managed correctly to ensure maximum security and to also prevent unauthorised access to IT resources.

An example of this could be a customer who has recently fired an employee for misconduct. If the fired employee had previously set up devices to connect to the Wi-Fi, they could then abuse the IT infrastructure from outside the premises by using user accounts which haven't been secured correctly after that employee has left.

Resources such as Microsoft Windows Server 2012 R2 are becoming more common within organisations as they are feature rich, enabling organisations to utilise many features which they may not have had available before that resource was installed and configured. (Microsoft Corp, 2014)

Business managers with little or no IT experience may not completely understand the importance of data security within their organisation, nor how to ensure that data is correctly protected by ensuring their IT infrastructure is secured.

This report will look at how businesses can ensure that computer accounts are protected by implementing features which are included within the Windows Server 2012 R2 operating system, and also ensure that resources such as Wi-Fi are secured using enterprise grade authentication.

2.6 – The Question

How can an organisation improve network security by implementing AAA protocols such as RADIUS on private IEEE 802.11 and 802.3 networks?

This report will discover how an organisation can correctly protect their 802.11 (wireless infrastructure) and their 802.3 (cabled network infrastructure) by utilising server roles and features such as Microsoft's Active Directory and Microsoft's Network Policy Server to authenticate users using RADIUS authentication.
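As an added worked example (not code from the dissertation, and not Microsoft's Network Policy Server implementation), the following Python models the RADIUS exchange that an access point or switch performs against an authentication server, following RFC 2865: the NAS hides the User-Password under the shared secret and a Request Authenticator, the server checks the credential against a user store (a plain dictionary stands in for Active Directory here), and the NAS accepts the reply only after verifying the Response Authenticator. The shared secret, the user store and the username and password are constructed values for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-octet Authenticator follows

def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets (RFC 2865 s5)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value must fit in 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def decode_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        # reject truncated headers, lengths below 2 and lengths running past the packet
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        length = data[i + 1]
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + cipher, cipher
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    if len(pkt) < 20 or HEADER.unpack(pkt[:4])[2] != len(pkt):
        raise ValueError("bad RADIUS header or Length field")
    code, ident, _ = HEADER.unpack(pkt[:4])
    return code, ident, pkt[4:20], pkt[20:]

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to one request."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def nas_access_request(username: bytes, password: bytes, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    # the access point or switch (the NAS) hides the password under the shared secret
    attrs = encode_attributes([(ATTR_USER_NAME, username),
                               (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle(pkt: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    # the RADIUS server recovers the password, checks it and answers Accept or Reject
    code, ident, request_auth, attrs_raw = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is handled here")
    attrs = dict(decode_attributes(attrs_raw))
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = username in users and hmac.compare_digest(users[username], password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real server would add session attributes here (VLAN, timeouts)
    auth = response_authenticator(reply, ident, reply_attrs, request_auth, secret)
    return build_packet(reply, ident, auth, reply_attrs)

def nas_verify_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> Optional[int]:
    # the NAS trusts a reply only if the ID matches and the Response Authenticator verifies
    code, reply_ident, reply_auth, attrs_raw = parse_packet(reply)
    expected = response_authenticator(code, reply_ident, attrs_raw, request_auth, secret)
    if reply_ident != ident or not hmac.compare_digest(expected, reply_auth):
        return None  # forged or corrupted reply: treat as no answer, never as Accept
    return code

def run_exchange(username: bytes, password: bytes, secret: bytes, users: Dict[bytes, bytes], tamper: bool = False) -> Optional[int]:
    # one full exchange; `tamper` corrupts the reply's authenticator in transit
    ident, request_auth = 7, bytes(range(16))  # constructed; a real NAS draws 16 random octets
    request = nas_access_request(username, password, secret, ident, request_auth)
    reply = server_handle(request, secret, users)
    if tamper:
        reply = reply[:4] + bytes([reply[4] ^ 0xFF]) + reply[5:]
    return nas_verify_reply(reply, ident, request_auth, secret)

SECRET = b"constructed-shared-secret"  # constructed value shared by NAS and server
USERS = {b"alice": b"correct horse battery"}  # constructed user store standing in for AD
```

The Response Authenticator check in `nas_verify_reply` is what stops an Access-Accept from being accepted by an access point unless it was produced by a party holding the shared secret for that exact request; a mismatched secret on either side therefore surfaces as a reply the NAS discards rather than a silent accept. In an 802.1x deployment the credential is carried as EAP (for example PEAP) inside EAP-Message attributes rather than the User-Password attribute modelled here, but the packet layout and the authenticator rules above are the same.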


3 – Methodology and Design

3.1 – Survey targeting

Surveys are being targeted at a specific audience. The audience I have targeted are professionals in the IT industry. This includes:

IT and Telecommunication Infrastructure Engineers

Lecturers

NIS (Network Infrastructure Security) Analysts

The survey doesn't have any specific age range set, as the research will also determine whether people of particular age groups go about their business with an enhanced security configuration on their computers and other devices which connect to Wi-Fi networks.


3.2 – Research flow

For this project, the research will primarily be based on practical findings, with additional research on existing solutions being provided by organisations in the form of SaaS⁴. Surveys will also be distributed to individuals working within the IT and Telecommunications industry. A blank copy of the survey which was distributed to individuals can be located in the appendix – Section A2.

Additional research will be conducted using resources such as EBSCO Host, which is provided by the college for use by students and staff as an electronic library containing academic papers and academic journals.

Research will also be conducted using practical resources provided by RawApple Communications Ltd and Colchester Institute. This research will then be tested with test plans, evaluated and summarised.

Other services which are currently being provided as a hosted service will also be inspected for potential use within this scenario, and the report will also compare the benefits and disadvantages of both internally hosted solutions and externally hosted solutions.

⁴ SaaS – Software as a Service – This is software which is hosted by organisations, and remote access is given to organisations to use this software for a set amount each month. An example of this is Office 365. Users can access Microsoft software online, but they can only access this whilst they pay for the service.


3.3 – Project Methodology

FIGURE 2 - WATERFALL METHODOLOGY (stages shown: Project Research, Design, Implementation, Testing, Deployment, Maintenance)

For this specific project I have decided to utilise the waterfall methodology for development and testing to determine the best infrastructure setup for this particular scenario. I feel that this method would be best suited to this project as it allows for continuous maintenance and testing; although the project itself can grow and be developed to protect the infrastructure from new threats, the project cannot end.

I personally feel that this method would be best suited to IT projects, as requirements can sometimes change after the project has been designed and implemented. This method doesn't have much leeway for modification, but extra steps can be added to ensure the success of the project.

This project has many constraints and objectives as to what is required. Problems typically arise when designing and implementing research projects of this kind, in particular configuration faults which surface as routing issues.


4 – Technical Chapter

4.1 – Phase 1 – Preliminary Evaluation & Infrastructure design

4.1.1 – Review of Survey and Research

Note: A summary of all responses to the survey issued can be viewed in Appendix A1.

From the responses gathered from my survey, it has become clear that the respondents utilise a wide variety of smart equipment which is capable of accessing the internet via IEEE 802.3⁵ or IEEE 802.11⁶.

The majority of respondents used smartphones capable of accessing the World Wide Web, but also stated that they either did not know that security software, such as ESET Mobile Security, was available, or knew it was available but did not use it on their mobile devices.

95% of respondents know about potential risks to their personal devices when connecting to Wi-Fi networks. In the question following, respondents were asked “When using public WiFi access points do you use encrypted VPN tunnels to reduce the risk of your data security being compromised?”. 23% of respondents stated that they use VPN tunnels when connected to a wireless network to protect the data being transmitted, but how much protection this gives depends on the security settings of the VPN tunnel and whether the tunnel actually encrypts the traffic (for example using SSL/TLS).

The following questions were targeted at IT service providers working for an IT organisation.

In one of the following questions respondents were asked “How do you currently secure your wireless access points?”. The responses reflected that wireless access points are secured using a form of wireless authentication and encryption. Two respondents admitted that WEP is currently being used on their access points; this could be down to the business using legacy hardware which is not capable of the newer protocols such as WPA (TKIP) or WPA2 (AES-CCMP).

No respondents stated within this question that 802.1X was being utilised, but in the following question, asking “In the event of a member of staff leaving your organisation, how do you ensure your wireless network remains secure?”, some respondents stated that user accounts are disabled where 802.1X is implemented.

Another respondent stated that a different method of protecting the wireless infrastructure is used, one which relies on identifying addresses such as MAC addresses. It is unclear what this system is and how it could protect the wireless network from MAC address spoofing: a MAC address is asserted by the client and can be changed in software, so an attacker presenting an approved address to the server would appear to be that device unless some further check is made.

Respondents were then asked about the placement of the wireless access points and whether they have been placed in strategic locations to minimise wireless overspill.

Respondents were then asked how their IT services department monitors for unauthorised network usage. Responses varied: some respondents stated that cloud security services, such as Sophos Cloud, are used for monitoring internet usage and blocking threats. Others stated that on-site hardware firewalls are used to filter threats, and other sites use on-site proxy servers to filter internet access. Another response stated that DMZs are used to allow external access to the network, restricted to a specific set of devices such as web servers.

In the final question, respondents were asked if Wi-Fi enabled phones are being used within the organisation. One respondent stated Wi-Fi phones were used within the organisation, but they were not in a position to state how those devices authenticate with the wireless access points.

⁵ Cabled network infrastructure
⁶ Wi-Fi network infrastructure


Other respondents stated that IP phones are used within the organisation but are carried over the IEEE 802.3 LAN rather than the IEEE 802.11 WLAN.

From all of the responses, many of the respondents admitted that wireless access points within their organisation do not utilise enterprise-level authentication such as 802.1X. I personally feel that all organisations should implement this method of authentication, as it provides a more robust method in which devices are authenticated, users are authorised to use the Wi-Fi, and all authentication events are accounted for.

4.1.2 – Definition of Aims and Objectives

Below are my aims and objectives which I will design and test for during the course of this project. This project will also look at the possibility of providing a remotely hosted RADIUS authentication service against which wireless access points can be configured to authenticate.

• Design and implement a network infrastructure core which provides VLAN support and redundancy at both Layer 2 and Layer 3.

This objective will help ensure that the network remains available in the event of a hardware failure, such as a switch or router failing. It will also allow multiple RADIUS servers to be implemented so that users can still be authenticated if one server fails, minimising downtime.

• Implement VLAN capabilities to separate guests connecting to the DISS-GUEST SSID.

This objective will assist IT administrators in isolating the guest wireless network from the corporate network infrastructure by means of access control lists on the routers, preventing guest users from accessing business resources.

• Implement configuration on the Wi-Fi access points restricting clients which have not been authorised from connecting to the network.

The aim of this objective is to limit unauthorised access to internal resources by restricting access to the DISS-INTERNAL SSID to devices which have been pre-approved within Active Directory by network administrators.

• Investigate the possibility of a remote RADIUS server providing RADIUS authentication as a hosted service.

The aim of this objective is to determine whether it is possible to provide remote RADIUS authentication by forwarding the RADIUS UDP ports through NAT to the server. Exposed in this way, the exchange relies entirely on the RADIUS shared secret for confidentiality and integrity, so in production the traffic should be carried inside a VPN tunnel rather than forwarded directly.

• Implement 802.3 port-based authentication on the switches, preventing unauthorised network access. This setting will use the MAC address of the network adapter.

The aim of this objective is also to secure the wired Ethernet infrastructure, using RADIUS authentication of MAC addresses to prevent unauthorised access. Because a MAC address is asserted by the client and can be changed in software, MAC-based authentication is a weaker control than 802.1X with user or machine credentials and should be treated as a fallback for devices which cannot run a supplicant.


• Investigate existing hosted RADIUS solutions

The aim of this objective is to investigate existing solutions provided by organisations with the sole intention of ensuring that wireless access points are secured using username and password authentication instead of traditional methods which rely on a shared key.

4.1.3 – Evaluation of Available resources

This project will utilise resources available at the university and limited resources which have been provided by RawApple Communications Ltd.

Cables which have been used within this project have all been certified to gigabit speeds. Four types of cable will be used in the implementation and configuration of this project:

• Straight-through CAT5e cable
• Crossover CAT5e cable
• Cisco rollover (console) cable
• HWIC serial DCE-to-DTE cable

Other resources which will be used to complete this project:

• 5x Dell OptiPlex 760 desktop computers running Microsoft Windows XP Professional SP1 (2 GB RAM, Intel Pentium 4 HT processor, 80 GB hard disk drive)
• Acer Aspire V5-575 (Microsoft Windows 8.1 Professional x64, 8 GB RAM, 500 GB HDD, Intel Core i3 processor)
• 4x Cisco 2901 ISR (1x HWIC installed, 2x Gigabit Ethernet)
• 3x Cisco Catalyst 2960 switch (24 Fast Ethernet ports, 2 Gigabit Ethernet ports)
• 1x DrayTek Vigor AP700
• 1x Cisco Linksys E1700 Wireless-N Gigabit router (DD-WRT firmware)
• 2x Dell PowerEdge 2850 (2x 76 GB HDD (RAID 0), 4x 146 GB HDD (RAID 5))
  o Server 1 – running Microsoft Windows Server 2008 R2
  o Server 2 – running Asterisk IP PBX v13.3.2
• 1x Linux VM web server (Apache)

All CAT5e cables have been certified to gigabit speeds using the JDSU ValidatorPRO provided by RawApple Communications for the purpose of this project. A full report of the cable test can be viewed within appendix A5.

4.1.4 – Design of infrastructure

For testing purposes two additional routers and an Apache web server will be installed and configured to simulate the internet service provider and a website host. The amended core network design with the additional routers and servers can be viewed in appendix A4.

Configurations for both of these additional routers have also been included and can be viewed in appendix A6.3 and A6.4.

FIGURE 3 - BACKBONE CORE NETWORK DESIGN


The network will be configured to use Port Address Translation so that a single public IP address serves multiple internal hosts.

The design has also been created to ensure the maximum possible uptime by running Rapid Spanning Tree Protocol on the switches and, at the same time, bundling pairs of Fast Ethernet interfaces into channel groups (EtherChannel) to double the bandwidth and provide redundant links between switches, so that if one link fails the other carries the load.

The design above also shows two additional routers and an IP PBX server. The IP PBX server has been placed behind the web host router to test the traversal of voice data across a network with multiple redundant WAN connections.

From previous experience, voice data sometimes has trouble traversing a network which utilises VLANs and, depending on the network traffic at any given time, call quality can also be affected. (Cisco, n.d.)

4.1.5 – Evaluation of existing solutions

Existing solutions are currently available to organisations on a pay-per-user basis with certain restrictions. An example of this kind of solution is NoWiresSecurity.

NoWiresSecurity provides a hosted RADIUS authentication solution for organisations which uses the Protected EAP (PEAP) authentication protocol for wireless access points.

“AuthenticateMyWiFi™ is a hosted or cloud-based service that enables you to use the Enterprise mode of Wi-Fi Protected Access—WPA or WP2—security for your private Wi-Fi network. The service provides you with access to a RADIUS server, which performs the required 802.1X authentication.” (NoWiresSecurity, n.d.)

This is a hosted solution which requires the customer to enter the authentication server's IP address on each access point, along with the RADIUS shared secret which the access point uses to authenticate itself to the server.
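The hosted service above, like the port-forwarded remote RADIUS server in the objectives of 4.1.2, relies on the RADIUS shared secret for everything that crosses the untrusted network. The following Python example, added here and not taken from the dissertation or from any vendor's code, builds an RFC 2865 Access-Request on the access point's side, answers it on the server's side, and checks the Response Authenticator on the way back; the user name, password, shared secret, NAS address and MAC address are made-up values. It shows that the password is only obscured with an MD5 keystream derived from the secret, that a reply can only be verified by a holder of the secret, and that an on-path attacker who flips an Access-Reject to an Access-Accept is detected because the authenticator no longer matches.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, both sides in memory.

Added example; not code from the dissertation or any vendor. Shows exactly
what the shared secret protects when RADIUS crosses an untrusted network.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def _attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: each 16-octet block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the null padding (so passwords may not end in NUL)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, mac):
    """NAS (access point) side. Returns the packet and its Request Authenticator."""
    req_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(CALLING_STATION_ID, mac.encode()))  # client MAC as seen by the AP
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply (RFC 2865 s3)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    expected = users.get(user, "").encode()
    accepted = bool(expected) and hmac.compare_digest(expected, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: only a holder of the secret could have produced this authenticator."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(username, password, nas_secret=b"long-random-shared-secret",
             server_secret=None, tamper=False):
    """One exchange in memory; returns (reply code, authenticator verified?)."""
    users = {"hhooper": "Correct-Horse-Battery"}  # constructed user database
    request, req_auth = build_access_request(
        7, username, password, nas_secret, "192.168.254.10", "00-11-22-33-44-55")
    reply = server_respond(request, server_secret or nas_secret, users)
    if tamper:  # on-path attacker without the secret flips Reject to Accept
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]
    return reply[0], verify_response(reply, req_auth, nas_secret)


if __name__ == "__main__":
    print(exchange("hhooper", "Correct-Horse-Battery"))  # (2, True)
    print(exchange("hhooper", "wrong", tamper=True))      # (2, False)
```

EAP-based methods such as PEAP carry the credentials inside EAP-Message attributes rather than User-Password and require the Message-Authenticator attribute (RFC 3579), but the outer packet is still protected only by this MD5-and-secret construction. That is why RFC 2865 asks for a long, random secret per access point, and why carrying RADIUS inside an IPsec tunnel (or using RadSec, RFC 6614) is preferable to forwarding UDP 1812 straight through a NAT. The Calling-Station-Id is the client MAC address as reported by the access point, which is all that a MAC-based policy has to decide on.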

Another approach adopted by organisations is the use of access gateways on networks instead of relying on RADIUS alone for authentication. An example of this kind of solution is the Aerohive Access Gateway and Access Point Manager. (Aerohive, 2015)

This system uses either a cloud-hosted or in-house access point manager, running on a 1U appliance or a VMware instance, which controls all of the other access points installed on the network.


FIGURE 4 - EXAMPLE NETWORK SOLUTION UTILISING AN ACCESS GATEWAY (components shown: Gateway Controller, Distribution Switch, Access Gateway, Internet)

Depending on the configuration of the network this solution could simplify network management and ease of access, but because all client traffic passes through the access gateway, it can become a bottleneck and be overloaded as the number of users grows.

4.1.6 – Justification of network design

The design has been created in a way which allows administrators easy management of the network. The design has also taken into consideration failover of routers by utilising standby IP addresses, and channel groups between the switches.

As I work closely with telephony solutions I need to determine the possible problems which could occur as a result of implementing 802.1X on wired and wireless networks. IP telephony is being adopted very quickly, with the range of IP telephony devices now much larger than the range initially available. Softphone clients can be downloaded to computers for free, and users can use a headset with a microphone instead of a telephone handset, which would be an additional cost for the organisation. An example of this kind of software is Zoiper, which has mobile and desktop clients with a range of editions available.

Users can then set the SIP server and use that application instead of using a physical telephone handset.

An internal RADIUS server is used to enable administrators to log and manage devices internally, giving more control over network security. Using an internal RADIUS solution instead of a hosted solution allows authentication with a product such as Network Policy Server (NPS), which integrates with Microsoft Active Directory.


4.2 – Phase 2 – Implementation of Infrastructure

Implementing the core infrastructure proved to be somewhat tricky at times due to initial cable faults, as a result of some of my fellow students being careless with the RJ45 connectors, both when making up the cables and by breaking off the RJ45 clips, meaning that some of the cables were unable to remain in the Ethernet ports.

I overcame this issue by replacing the damaged clips and re-wiring and re-crimping the RJ45 ends which had been wired incorrectly. Auto-MDIX⁷ is enabled on the switch ports, meaning crossover cables are not required for connectivity between switches.

Cable ID  Cable Type               Start Device  Start Port     End Device    End Port
1         Straight Through - Red   R1            G0/0           S1            G0/1
2         Straight Through - Red   S1            F0/24          S3            F0/24
3         Straight Through - Red   S1            F0/23          S3            F0/23
4         Straight Through - Red   S1            F0/19          S2            F0/19
5         Straight Through - Red   S1            F0/20          S2            F0/20
6         Straight Through - Red   R2            G0/0           S2            G0/1
7         Straight Through - Red   S2            F0/21          S3            F0/21
8         Straight Through - Red   S2            F0/22          S3            F0/22
9         Straight Through - Red   S2            F0/1           AD Server     G0/0
10        Straight Through - Red   S2            F0/3           Test PC 1     G0/0
11        Straight Through - Red   S2            F0/5           Patch Panel   CAB1PP1P4
12        Straight Through - Red   Wall Socket   N/a            WAP01         N/a
13        Straight Through - Blue  R1            G0/1           ISP           G0/0
14        Straight Through - Blue  R2            G0/1           ISP           G0/1
15        Straight Through - Blue  WebHost       G0/0           AsteriskPBX   G0/0
16        Serial - Blue            ISP           S0/0/0 (DCE)   WebHost       S0/0/0 (DTE)

FIGURE 5 - CABLE SCHEDULE AND LABELLING

The routers have been configured with standby (virtual) IP addresses, meaning that if a router fails, network downtime is minimised: the remaining router takes over the virtual IP address of each interface, so hosts keep the same default gateway.

The hardware has been configured in such a way that the LAN provides redundancy for the network, to ensure correct and efficient failover in the event of a router or a switch failing. The switches have been configured with trunk links, with channel groups of 2x Fast Ethernet links between each pair of switches. Rapid Spanning Tree Protocol has also been configured on the switches to ensure

Both routers have been configured to use PAT⁸ with the single public IP address provided by the internet service provider. PAT hides the internal addressing from the outside, although it should not be mistaken for an access control in its own right.

⁷ Auto-MDIX is a feature on switches which automatically detects the type of cable attached and adjusts the port configuration accordingly, so no special cables are required. Before this feature became available, switch-to-switch connections required a crossover cable instead of a straight-through cable.
⁸ PAT – Port Address Translation – used when a single public IP address has been provided by the ISP. One public IP address is shared by many private hosts on a single network.


FIGURE 6 - PACKET TRACER DIAGRAM OF NETWORK INFRASTRUCTURE

The first server has been configured as an IP PBX using Asterisk. It has been set up so that it is treated as a hosted IP telephone system. The phones are configured to use the IP address 8.0.0.14 as the SIP registration server, with SIP signalling on port 5060.

Due to a lack of resources a SIP soft client has been used. During the course of this project the softphone client used is Zoiper. The purpose of including a VoIP server in the network design is to test whether mobile devices which use Wi-Fi as the network medium can still function correctly whilst RADIUS authentication is in use on the network. VoIP will also be tested on mobile phones using the Zoiper software.

The second server, installed on port F0/1 of S2 on the LAN, runs Microsoft Windows Server 2008 R2. This server has been configured with the following roles:

• Active Directory Domain Services
• Domain Name Services
• Dynamic Host Configuration Protocol Services
• Network Policy and Access Services
• Active Directory Certificate Services

Under Microsoft Active Directory two security groups have been configured. The groups are:

Internal WiFi Users

This security group contains users who have been trusted with access to the wireless network on any device. They can connect to the access points manually and authenticate as a user. Each attempt is logged in the Windows Event Viewer as a success or failure along with the MAC address of the device.


This has been demonstrated within appendix A9.2, which shows that, because of the security settings defined within the Network Policy Server, the server rejected the authentication as the client was offering a less secure authentication method than the policy required; in this instance it was using PEAP in conjunction with MS-CHAP⁹. (Microsoft, n.d.)

Internal WiFi Computers

This security group is for computers which have been joined to Active Directory. This method of authentication is best suited to organisations which do not trust their end users with even the limited access to the WLAN given by the method above; instead the computer authenticates with its own identity. When a computer is joined to Active Directory it receives a computer account (identified by its objectGUID, with its own password), and machine authentication uses that account rather than the MAC address; the MAC address is still reported to the RADIUS server by the access point and appears alongside the account in the log.

Administrators can then use Group Policy to define which SSIDs clients connect to automatically and the authentication methods they use.

Although this is a valid method of authentication, the default timers configured on NPS can still pose a security risk to the network: a client which has already authenticated stays connected until its session is re-authenticated or times out, so a user can remain authorised to use the wireless network after their account has been disabled or deleted. (Microsoft, n.d.)

Threats to the network do not just exist on the wireless network infrastructure; they also exist on the existing wired network infrastructure. From my personal experience, one out of twenty switches installed on customers' networks is an unmanaged switch. When I asked a customer why this is, they responded with “It was a cheaper solution compared to using managed switches”. Managed switches provide more functionality than unmanaged switches. (Holdan, 2007)

Managed switches support port-based authentication (IEEE 802.1X), which has been configured on the switches within the example. The authentication server has been defined as 192.168.254.100 and the authentication port as UDP 1812. For this project Cisco Catalyst 2960 series switches have been used.

By default the wired network authentication service on Windows is disabled. To enable it, open the services.msc snap-in for the Microsoft Management Console and look for the Wired AutoConfig service (dot3svc), listed near the bottom of the list. This service needs to be set to Automatic start-up and then started so that the authentication parameters can be configured.

⁹ MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) is Microsoft's variant of the CHAP authentication protocol; MS-CHAPv2 is the version most commonly carried inside PEAP when authenticating against NPS.


FIGURE 7 - SERVICES.MSC SNAPIN FOR MICROSOFT MANAGEMENT CONSOLE - WIREDAUTOCONFIG SERVICE

FIGURE 8 - WIREDAUTOCONFIG PROPERTIES

After this service has been started, an additional tab called Authentication appears on the network adapter's properties page.


FIGURE 9 - ETHERNET PROPERTIES - AUTHENTICATION TAB

For this configuration IEEE 802.1X has been enabled and Microsoft Protected EAP (PEAP) has been selected and configured as the authentication method used when connecting to the switches.

By implementing IEEE 802.1X on the IEEE 802.3 wired and IEEE 802.11 wireless network infrastructure, organisations reduce the risks caused by unauthorised network access on both. Logging is implemented on both 802.11 and 802.3 connections, which means that any issues caused by unauthorised network activity can be traced back to a specific device and to the specific account the user authenticated with.

During the project specific tests were performed to ensure uninterrupted network access. These tests determined whether specific devices could access specific VLANs and other network services. A demonstration of this is the implementation of IP telephony on the network, where the phone system is provided as a service. A full breakdown of the tests conducted during this experiment can be viewed within appendix A10.


4.3 – Phase 3 – Development of Infrastructure and Future Recommendations

The network infrastructure could be further developed in the event of an organisation expanding and opening a separate office at a different location. An example of this kind of expansion would be the organisation opening another branch in the next town.

Both sites could then be linked using VPN tunnels or leased line connections. Servers could then replicate data between the two sites. The network policies would also be replicated across both sites, so that with staff moving constantly between offices the same devices would be authorised to use the network infrastructure, provided the network has been configured to use the same domain for authentication.

This method would also provide redundancy, ensuring minimal or no data loss in the event of a disaster, for example if the IT core infrastructure was destroyed by a fire. In addition, organisations could implement further access control list rules on the routers for all other departments, preventing users from accessing resources to which they have no right. An example would be a generic NAS (Network Attached Storage) drive used for backup: backups could be placed on a separate VLAN to which only the server farm has direct access and which no internet-routed traffic can reach.

This kind of measure would prevent unauthorised network access and would help ensure that backups of the organisation's confidential data remain secure.


Conclusion

In conclusion, it was determined that using IEEE 802.1X for network authentication provides a better authentication method for ensuring network security on both the wireless and the wired network infrastructure.

Authentication using 802.1X provides administrators with real-time logging for all devices capable of using 802.1X as the authentication method. The RADIUS logging was provided in the Windows Event Viewer, which gave administrators detailed information on all of the events which occurred, including RADIUS server faults, authentication failures and successful authorisations.

Other solutions are available which use an access gateway as the point of authentication, but this requires the access points themselves to run with little or no security. The wireless link then carries traffic with weak or no encryption, which makes it easier for attackers to eavesdrop on or conduct man-in-the-middle attacks against clients of the access gateway.

802.1X improves network security by allowing dismissed employees to be removed centrally: disabling their account stops their credentials working on every access point and switch at once, which prevents them from accessing data remotely or by utilising wireless overspill caused by the misplacement of wireless access points. 802.1X authentication also gives administrators the ability to revoke access for a device which has been used on the network at a specific time; an example would be a device which has been granted full access to the network infrastructure and is then stolen. Once the device has been reported stolen, its access can be revoked at any time.

A disadvantage of 802.1X is that, if unauthorised network access is reported, an already-authenticated device can remain connected until its session times out or is re-authenticated, unless the RADIUS server and the access point both support RADIUS Disconnect-Messages (RFC 5176) to tear the session down. With an access gateway, by contrast, sessions can be terminated immediately, as all traffic passes through that gateway before it reaches the rest of the network.
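The two points made above, that 802.1X yields a central log of every accept and reject and that an already-authenticated client outlives the disabling of its account (also noted in 4.2), lend themselves to an offline check of the logs. The following Python example is added here and is not part of the dissertation. Its record format is a constructed, simplified one-line-per-event layout, merging RADIUS accept, reject and accounting-stop events with directory “account disabled” events; the user names, MAC addresses and NAS names are made up. It flags (a) sessions which were still open when the account was disabled, which is the gap described above, and (b) source addresses producing a burst of rejects, which is what a password-guessing client or a mis-configured device looks like in the RADIUS log.

```python
"""Offline review of RADIUS authentication/accounting records (added example).

The record format below is a constructed, simplified one-line-per-event
layout, not the log format of NPS or any other product; adapt parse_records()
to the real log source and the two checks apply unchanged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: RADIUS ACCEPT/REJECT/STOP events merged with a directory
# DISABLED event. Names, MAC addresses and NAS identifiers are made up.
SAMPLE_LOG = r"""
2015-04-20T08:55:10 ACCEPT user=CORP\jsmith mac=00-11-22-33-44-55 nas=WAP01 session=s1
2015-04-20T08:56:02 ACCEPT user=CORP\akhan mac=00-11-22-33-44-66 nas=S2 session=s2
2015-04-20T08:57:30 REJECT user=CORP\akhan mac=00-11-22-33-44-66 nas=WAP01
2015-04-20T09:10:00 REJECT user=CORP\administrator mac=AA-BB-CC-DD-EE-01 nas=WAP01
2015-04-20T09:10:03 REJECT user=CORP\administrator mac=AA-BB-CC-DD-EE-01 nas=WAP01
2015-04-20T09:10:07 REJECT user=CORP\admin mac=AA-BB-CC-DD-EE-01 nas=WAP01
2015-04-20T09:10:12 REJECT user=CORP\hhooper mac=AA-BB-CC-DD-EE-01 nas=WAP01
2015-04-20T09:10:20 REJECT user=CORP\guest mac=AA-BB-CC-DD-EE-01 nas=WAP01
2015-04-20T09:30:00 DISABLED user=CORP\jsmith
2015-04-20T09:45:00 ACCEPT user=CORP\bmills mac=00-11-22-33-44-77 nas=S2 session=s3
2015-04-20T10:15:00 STOP session=s2
2015-04-20T10:20:00 STOP session=s3
"""


def parse_records(text: str) -> list:
    """One dict per line: 'time', 'event', then the key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec = {"time": datetime.fromisoformat(ts), "event": event}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def sessions_outliving_disable(records: list) -> list:
    """Sessions still open at the moment their user's account was disabled.

    A session counts as open if it was accepted before the DISABLED event and
    either never produced an accounting STOP or stopped only afterwards.
    """
    disabled_at = {r["user"]: r["time"] for r in records if r["event"] == "DISABLED"}
    stop_time = {r["session"]: r["time"] for r in records if r["event"] == "STOP"}
    hits = []
    for r in records:
        if r["event"] != "ACCEPT" or r["user"] not in disabled_at:
            continue
        t_disabled = disabled_at[r["user"]]
        ended = stop_time.get(r["session"])
        if r["time"] < t_disabled and (ended is None or ended > t_disabled):
            hits.append((r["user"], r["session"], r["nas"], r["mac"]))
    return hits


def reject_bursts(records: list, threshold: int = 5,
                  window: timedelta = timedelta(minutes=10)) -> dict:
    """(nas, mac) pairs with at least `threshold` REJECTs inside any `window`.

    Returns the largest burst seen per pair; a sliding window over the sorted
    reject times, so a slow trickle of rejects over a day is not flagged.
    """
    by_source = defaultdict(list)
    for r in records:
        if r["event"] == "REJECT":
            by_source[(r["nas"], r["mac"])].append(r["time"])
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[source] = max(flagged.get(source, 0), count)
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in sessions_outliving_disable(recs):
        print("open session for disabled account:", hit)
    for source, count in reject_bursts(recs).items():
        print("reject burst:", source, count)
```

In the sample, jsmith's session s1 has no accounting stop after the account is disabled at 09:30, so it is reported; akhan's single mistyped password is not a burst, while the five rejects from AA-BB-CC-DD-EE-01 against different user names in twenty seconds are. On NPS the equivalent raw events are 6272 (access granted) and 6273 (access denied) in the Security event log, and Accounting-Stop records come from the RADIUS accounting log, so the parser is the only part that changes.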

Access gateways cost more and sometimes require additional licensing to function. They are designed for enterprises with large numbers of users, but from experience this solution isn't always stable, and if the access gateway fails users are unable to access the wireless infrastructure until the fault has been rectified.

Compared to this, a direct RADIUS solution keeps network traffic low, as RADIUS uses UDP (ports 1812 for authentication and 1813 for accounting) with no connection set-up per request. TACACS+ (Cisco proprietary) uses TCP, which adds connection overhead but in return gives reliable delivery and encrypts the whole packet body rather than only the password attribute.

RADIUS gives administrators quick access to revoke and grant access to specific users without the need to re-configure access points and devices, whereas using pre-shared key methods such as WPA2-Personal would require direct access to all devices at every site to re-configure them with a new key.


Recommendations

My recommendations vary for each different scenario. For the scenario outlined within the introduction, I recommend implementing an in-house Active Directory server with the Network Policy and Access Services role installed (Network Policy Server for RADIUS, and the Routing and Remote Access role service where remote access is required).

For a small organisation such as this it is important that threats can be mitigated and investigated as quickly as possible, so with the right training for management, users deemed a threat to the network can be given restricted access or no access by adding them to a security group in Microsoft Active Directory.

This solution could also be integrated with an IPsec VPN solution in the future if users require remote access to LAN resources, such as network shares.

For this particular scenario I would recommend implementing a single router, as they only use a single broadband connection, but this router must be capable of providing VLANs as well as additional features such as LAN-to-LAN VPN, an integrated firewall, bandwidth monitoring, session monitoring, etc. An example of this kind of router is the DrayTek Vigor 2860ac series. This router is capable of VLANs and can also provide 802.1X authentication using its built-in Wi-Fi.

In addition to this I recommend the DrayTek Vigor P2261 PoE switch. This is a managed switch and is also capable of providing Power over Ethernet. This means that if the organisation implements IP phones, IP CCTV cameras, additional wireless access points, etc., they can be powered using PoE. This will further reduce costs to the organisation in the long run, as electricians will not be required to install additional power sockets for devices which the organisation may add in the future to meet its growing needs.

For the server I recommend the Dell PowerEdge T320 running Windows Server 2012 R2 Standard. This server provides an ideal storage platform for a business, as the storage and the services the server provides can be expanded. Using the RAID configuration within the server will ensure the system has redundancy in the event of a hard disk drive failing. The server supports multicore processors and has enough memory slots to support up to 192 GB of RAM.

The server is also capable of providing up to 32 TB of data storage using 2.5” hard disk drives. It can also be rack mounted, so in the event of the organisation requiring more storage than this server can provide, it can be racked along with a RAID array and other rack-mounted equipment.


Evaluation

Project Evaluation

Completing this project has enabled me to discover the potential uses for RADIUS and how RADIUS authentication can be implemented on both wireless access points and switches to help secure a business's network infrastructure.

As technology is evolving at such a rapid pace, administrators are struggling to keep on top of all the network threats which could occur. It is clear that a lack of understanding of the technology, and of how it should be correctly implemented, compromises the digital security of the organisation. Organisations prefer to buy cheaper equipment, but this also impairs their security, as features such as VLANs cannot be configured on devices such as unmanaged switches: manufacturers leave little or no control over these devices, making them dumb.

Gaining this insight into RADIUS authentication has enabled me to recommend this security method to organisations instead of traditional pre-shared key methods such as WEP, WPA and WPA2-Personal, which require a more direct approach to configuring and maintaining in the event of a threat being detected.

Logging using 802.1X gives organisations the audit trail they need: evidence of unauthorised access for the purposes of the Computer Misuse Act, and support for the security obligations placed on them by the Data Protection Act. Port-based authentication isn't something many organisations really touch, as it can be tricky to implement, and if the RADIUS server fails no device can use a protected port; leaving the ports open mitigates that risk but then leaves active ports vulnerable to physical attack by anyone plugging into the Ethernet socket on the wall. Switches which can place ports into a restricted “critical” VLAN while the RADIUS server is unreachable offer a middle ground between the two.

Technology is becoming more sophisticated and legacy equipment is no longer able to function in the workplace. An example of this is legacy IP phones which are unable to operate on IPv6 networks. This means that administrators have to implement dual-stack networks to allow those devices to function correctly without having to replace them.

Some legacy devices are also unable to authenticate using newer methods such as WPA2 and support WEP at best. This exposes an organisation to risk, as WEP can be cracked easily, leaving the organisation open to data breaches.

Evaluation of meetings and discussions

Two formal meetings took place with Philip Cheung during this time, with the purpose of enhancing the network infrastructure to support routing and ease of management. Building the project on physical hardware showed that problems occur which would not arise if the project were designed in a network simulator such as Cisco Packet Tracer or GNS3. Examples I experienced were Ethernet cables that had not been made up correctly and cables that needed replacement clips before they could be used in the rack for this dissertation.

Evaluation of project planning

The project as an overall final product was completed on time, even though there were a few delays caused by students or staff disconnecting the Ethernet and serial cables and erasing the configurations on the equipment.

This setback took a total of 12 hours, including breaks, to put right. The project remained within the timeframe initially set out, even with the unexpected interruptions. A breakdown of the project in the form of a Gantt chart can be viewed in appendix A12.


References

Aerohive. (2015). HiveManager - On Premises. Retrieved from Aerohive: http://www.aerohive.com/products/cloud-services-platform/hivemanager-onpremises

Berg, J. (2011). The IEEE 802.11 Standardization: Its History, Specifications, Implementations and Future. Fairfax, VA: George Mason University.

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Bloomberg Businessweek. Retrieved April 19, 2015, from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Cisco. (n.d.). Quality of Service for Voice Over IP. Retrieved from Cisco: http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/qos_solutions/QoSVoIP/QoSVoIP.html#wp1015329

Cisco. (n.d.). Rogue Access Point Detection. Retrieved from Cisco: http://www.cisco.com/assets/sol/sb/AP541N_Emulators/AP541N_Emulator_v1.9.2/help_Rogue_AP_Detection.htm

Curran, K., & Canning, P. (2007). Wireless Handheld Devices Become Trusted Network Devices. Information Systems Security, 134-146.

Department for Business, Innovation and Skills. (2013). Executive Summary. 2013 Information Security Breaches Survey. United Kingdom: Department for Business, Innovation and Skills.

Forbes Magazine. (2014, January 10). Target data breach spilled info on as many as 70 million customers. Retrieved from Forbes Magazine: http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/

Holdan, A. (2007). Unmanaged versus Managed Switches. (S. Pereira, Interviewer). San Jose: Cisco. Retrieved from http://www.cisco.com/c/dam/en/us/products/switches/networking_solutions_products_genericcontent0900aecd806c7afe.pdf

Institute of Electrical and Electronics Engineers. (2015, March 17). Official IEEE 802.11 Working Group Project Timelines. Retrieved from IEEE 802 LAN/MAN Standards Committee: http://www.ieee802.org/11/Reports/802.11_Timelines.htm

Kassner, M. (2013, June 26). Cheat Sheet - What you need to know about 802.11ac. Retrieved from TechRepublic: http://www.techrepublic.com/blog/data-center/cheat-sheet-what-you-need-to-know-about-80211ac/

Microsoft. (2015). Internet Authentication Service and Network Policy Server. Retrieved from Microsoft Developer Network (MSDN): https://msdn.microsoft.com/en-us/library/bb892033(v=vs.85).aspx

Microsoft. (2014, March 5). Server Roles and Technologies in Windows Server 2012 R2 and Windows Server 2012. Retrieved from Microsoft TechNet: https://technet.microsoft.com/en-us/library/hh831669.aspx

Microsoft. (n.d.). MS-CHAP v2. Retrieved from Microsoft TechNet: https://technet.microsoft.com/en-us/library/cc957983.aspx

Microsoft. (n.d.). Network Policy Settings Properties. Retrieved from Microsoft TechNet: https://technet.microsoft.com/en-gb/library/cc772474(v=ws.10).aspx

NoWiresSecurity. (n.d.). AuthenticateMyWiFi. Retrieved from NoWiresSecurity: http://www.nowiressecurity.com/#!hosted-cloud-radius-8021x-service/c1739

Target Brands Inc. (2013, December 19). Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores. Retrieved from Target: http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores?_ga=1.40346594.1362588787.1429451538

Wi-Fi Alliance. (n.d.). Who We Are. Retrieved from Wi-Fi Alliance: http://www.wi-fi.org/who-we-are

Wueest, C. (2014, December 10). Underground black market: Thriving trade in stolen data, malware, and attack services. Symantec Official Blog. Retrieved April 19, 2015, from http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services


Glossary

Below is a glossary of commonly used words, abbreviations and phrases used within this document, and the context in which they are used.

Server – A computer providing a range of services to clients that connect to it. In this report it is a physical computer with large quantities of storage, memory and processing power, not used directly by an end user, that remains in the background processing incoming requests.

Service – A piece of software installed on a server to provide a specific function to end users. An example is the NPS (Network Policy Server) role installed on Windows Server 2012 R2, which provides RADIUS authentication.

Wi-Fi – The Wi-Fi Alliance's name and certification mark for wireless LAN products built on the IEEE 802.11 standards. In this report it is the radio medium over which wireless network communication takes place.

Access Point – In this report, the wall socket or patch point through which users physically connect to the cabled (IEEE 802.3) network. This does not include wireless access points.

Wireless Access Point – The device through which users connect to the network over radio; in this report the medium is Wi-Fi (IEEE 802.11).

RADIUS (Remote Authentication Dial-In User Service) – The AAA protocol (RFC 2865) spoken between a network access server (here the WPA2-Enterprise wireless access points) and an authentication server; in this report the server is the NPS role installed on Windows Server. RADIUS is a fast, lightweight protocol carried over UDP (port 1812 for authentication and 1813 for accounting; older deployments use 1645 and 1646). Each access server and the RADIUS server share a secret that is used to hide passwords and to authenticate replies, so the secret must be long and unique to each device.
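To make the glossary entry concrete, the following is an added example written for this page, not code from the dissertation or from NPS. It builds a RADIUS Access-Request as an access point would, hides the User-Password with the shared secret as RFC 2865 requires, answers it as a server would with an Access-Accept carrying the dynamic VLAN attributes (RFC 3580) that would put a user of the DISS-INTERNAL SSID onto VLAN 104, and then verifies the Response Authenticator on the way back. The user table, shared secret, MAC address and credential are constructed for the example; a real WPA2-Enterprise exchange carries EAP inside EAP-Message attributes rather than a User-Password, which this example does not implement.

```python
import hashlib
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865, RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
NAS_PORT_WIRELESS_80211, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 19, 13, 6
# Constructed user table for this example (username -> password, VLAN); not real credentials.
USERS = {"hhooper": (b"Correct-Horse-7", "104")}

def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse TLVs, rejecting a bad Length instead of reading past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute")
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    pw = password + b"\x00" * ((-len(password) % 16) or (16 if not password else 0))
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_access_request(ident, user, password, secret, mac):
    """NAS side (access point or switch): a fresh random Request Authenticator per request."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_WIRELESS_80211)),
             (CALLING_STATION_ID, mac.encode())]
    return pack(ACCESS_REQUEST, ident, request_auth, attrs)

def handle_access_request(pkt, secret):
    """Server side: check the credential and answer Accept (carrying the VLAN) or Reject."""
    code, ident, request_auth, attrs = unpack(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    supplied = unhide_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    if user in USERS and supplied == USERS[user][0]:
        # Dynamic VLAN assignment (RFC 3580): Tunnel-Type=VLAN, Medium=IEEE-802, Group-ID=VLAN.
        # The leading zero byte of the 4-byte integers is the RFC 2868 Tag (0 = untagged).
        code, reply = ACCESS_ACCEPT, [(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),
                                      (TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)),
                                      (TUNNEL_PRIVATE_GROUP_ID, USERS[user][1].encode())]
    else:
        code, reply = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, encode_attrs(reply), request_auth, secret)
    return pack(code, ident, auth, reply)

def check_reply(request, reply, secret):
    """NAS side: return (code, vlan) only if the reply is bound to our request and our secret."""
    _, req_id, request_auth, _ = unpack(request)
    code, ident, auth, attrs = unpack(reply)
    if ident != req_id or auth != response_authenticator(code, ident, reply[20:], request_auth, secret):
        return None  # forged, a reply to a different request, or wrong shared secret: drop it
    vlan = dict(attrs).get(TUNNEL_PRIVATE_GROUP_ID, b"").decode() or None
    return code, vlan

if __name__ == "__main__":
    secret = b"diss-shared-secret"  # assumed lab secret; use a long random one per NAS in practice
    req = build_access_request(7, "hhooper", b"Correct-Horse-7", secret, "00-11-22-33-44-55")
    print(check_reply(req, handle_access_request(req, secret), secret))  # (2, '104')
```

Two points the code makes that the definition cannot: the shared secret is the only thing binding a reply to a request (a wrong secret makes check_reply return None rather than an Accept), and because both password hiding and the Response Authenticator rest on MD5 with that secret, the secret must be long and random, each access server should have its own, and RADIUS traffic should stay on a management VLAN or be wrapped in RadSec (RADIUS over TLS, RFC 6614) wherever it could be sniffed.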

TACACS+ (Terminal Access Controller Access-Control System Plus) – Cisco's successor to the older TACACS protocol. Unlike RADIUS, which runs over UDP, TACACS+ runs over TCP (port 49), encrypts the whole packet body rather than only the password, and separates authentication, authorisation and accounting into distinct exchanges, which makes it the usual choice for administrative access to Cisco routers and switches.

Rollover cable – A flat cable with the pin order reversed end to end, used to configure routers and switches of many varieties. It connects the computer's serial (COM) port, or a USB-to-serial adapter, directly to the console port on the switch or router. The console port uses an RJ-45 connector but is a serial port, not an Ethernet port.


Wireless Overspill – Occurs when a wireless access point is not placed in a strategic location, for example up against an exterior wall, so that the Wi-Fi signal is broadcast outside the premises. An attacker can then use this overspill to attack the network out of hours from outside the building.

DMZ (Demilitarised Zone) – A separate network segment used to restrict external access to a specific address range or a specific device. Internal hosts can reach resources in the DMZ, but a host in the DMZ cannot connect directly to other internal resources, so a compromised DMZ server does not give direct access to the internal network. An example of a server placed in a DMZ is the web front end (Outlook Web App) of Microsoft Exchange Server.

ACL (Access Control List) – Configured on routers (and managed switches) to permit or deny traffic flows. An example: the IT Services department can reach every network configured on the router, but all other departments are unable to reach resources such as the printer's management interface directly.

NAT (Network Address Translation) – Commonly used with IPv4 because of the shortage of IPv4 addresses. NAT rewrites the source address of outbound packets to the public address assigned to the router by the internet service provider. The most common form is NAT overload (also called PAT), in which one public address serves many hosts on the LAN; the router records the translation for each flow and uses the port numbers in the headers of returning packets to deliver them back to the right host.

Port Forwarding – Forwarding a single port, or a range of ports, on the router to a specific host. Users connect to the router's public IP address and the router forwards the traffic according to the rules defined by the administrator.


Appendix

A1 – Survey Response Summary - Network & Infrastructure security

A1.1 - Welcome

A1.2 - Questions for Individuals

1. What gender are you

   Option                 Response Percent   Response Total
   1  Male                76.19%             16
   2  Female              23.81%             5
   3  Prefer not to say   0.00%              0

   answered 21, skipped 0

2. What age range do you fall under

   Option                 Response Percent   Response Total
   1  18 and Under        0.00%              0
   2  19 - 21             9.52%              2
   3  22 - 25             38.10%             8
   4  26 - 30             4.76%              1
   5  31 - 40             14.29%             3
   6  40 - 60             28.57%             6
   7  60 +                4.76%              1
   8  Prefer not to say   0.00%              0

   answered 21, skipped 0


3. Which devices do you own which use WiFi technology to communicate with a network infrastructure to gain access to the internet?

   Device                                                              Yes           No            Response Total
   Smart Television                                                    52.4% (11)    47.6% (10)    21
   Mobile Phone                                                        95.2% (20)    4.8% (1)      21
   Tablet                                                              100.0% (21)   0.0% (0)      21
   Phablet (Large mobile phone crossed tablet)                         14.3% (3)     85.7% (18)    21
   Netbook                                                             14.3% (3)     85.7% (18)    21
   Notebook/Laptop                                                     85.7% (18)    14.3% (3)     21
   PDA                                                                 4.8% (1)      95.2% (20)    21
   Desktop Computer                                                    81.0% (17)    19.0% (4)     21
   Hand held games console                                             33.3% (7)     66.7% (14)    21
   Large games console (E.g. X-BOX 360 and up, Playstation 3 and up)   52.4% (11)    47.6% (10)    21

   answered 21, skipped 0

Matrix Charts

   3.1.  Smart Television:                                             Yes 52.4% (11),  No 47.6% (10),  answered 21
   3.2.  Mobile Phone:                                                 Yes 95.2% (20),  No 4.8% (1),    answered 21
   3.3.  Tablet:                                                       Yes 100.0% (21), No 0.0% (0),    answered 21
   3.4.  Phablet (Large mobile phone crossed tablet):                  Yes 14.3% (3),   No 85.7% (18),  answered 21
   3.5.  Netbook:                                                      Yes 14.3% (3),   No 85.7% (18),  answered 21
   3.6.  Notebook/Laptop:                                              Yes 85.7% (18),  No 14.3% (3),   answered 21
   3.7.  PDA:                                                          Yes 4.8% (1),    No 95.2% (20),  answered 21
   3.8.  Desktop Computer:                                             Yes 81.0% (17),  No 19.0% (4),   answered 21
   3.9.  Hand held games console:                                      Yes 33.3% (7),   No 66.7% (14),  answered 21
   3.10. Large games console (E.g. X-BOX 360 and up, Playstation 3 and up):  Yes 52.4% (11),  No 47.6% (10),  answered 21

4. Are you aware that using WiFi access points could potentially expose your device to threats if the correct configuration isn't used by the network provider?

   Option   Response Percent   Response Total
   1  Yes   95.24%             20
   2  No    4.76%              1

   answered 21, skipped 0


5. When using public WiFi access points do you use encrypted VPN tunnels to reduce the risk of your data security being compromised?

   Option   Response Percent   Response Total
   1  Yes   23.81%             5
   2  No    76.19%             16

   answered 21, skipped 0

6. Do you utilise security software on your computer, such as software firewalls and antivirus protection, to help reduce the risk of your computer becoming a victim of hacking?

   Option   Response Percent   Response Total
   1  Yes   95.24%             20
   2  No    4.76%              1

   answered 21, skipped 0

7. Do you utilise mobile security software on mobile phones and tablets to help protect those devices?

   Option                                              Response Percent   Response Total
   1  Yes                                              42.86%             9
   2  No                                               47.62%             10
   3  Didn't know mobile security software was available   9.52%          2

   answered 21, skipped 0

8. Do you have any say about the security of the Wireless networks you use, for example connecting personal devices to a business network or connecting personal devices to your internet at home?

   Option           Response Percent   Response Total
   1  Yes           71.43%             15
   2  No            14.29%             3
   3  Do not know   14.29%             3

   answered 21, skipped 0

A1.3 – Questions for Organisations and IT Professionals

9. How many employees work within your organisation

   Option                 Response Percent   Response Total
   1  1 - 10              40.00%             6
   2  10 - 20             0.00%              0
   3  20 - 50             6.67%              1
   4  50 - 100            13.33%             2
   5  100 +               26.67%             4
   6  Prefer not to say   13.33%             2

   answered 15, skipped 6

10. How do you currently secure your wireless access points?

   Option                                                                       Response Percent   Response Total
   1  No Wireless protection implemented                                        0.00%              0
   2  WEP Authentication                                                        13.33%             2
   3  WPA Authentication                                                        6.67%              1
   4  WPA2 Authentication                                                       46.67%             7
   5  Mixed Authentication (WPA + WPA2 (AES/TKIP))                              26.67%             4
   6  802.11x Authentication utilising RADIUS                                   0.00%              0
   7  802.11x Authentication using Access Gateway with Authentication webpage   0.00%              0
   8  Other (please specify):                                                   6.67%              1

   answered 15, skipped 6

   Other (please specify): (1)
   1  20/03/15 4:47PM, ID 17216308: I am not an IT technician so cannot answer this question

11. In the event of a member of staff leaving your organisation, how do you ensure your wireless network remains secure

   Option                                                                                                                    Response Percent   Response Total
   1  Wireless Keys are not changed                                                                                          26.67%             4
   2  Wireless Keys are changed on Wireless access points manually                                                           33.33%             5
   3  Wireless Keys are changed on Wireless access points remotely using software such as DrayTek ACS-SI management platform   0.00%            0
   4  User accounts are disabled on the network infrastructure where 802.11x is implemented                                  20.00%             3
   5  Other (please specify):                                                                                                20.00%             3

   answered 15, skipped 6

   Other (please specify): (3)
   1  20/03/15 4:42PM, ID 17215958: Not Applicable
   2  20/03/15 4:47PM, ID 17216308: Have no idea as I am not in IT systems
   3  22/03/15 11:35AM, ID 17458692: All Wireless is MAC address specific. The addresses are removed from the database.

12. Wireless access points are of great benefit to organisations who utilise mobile devices such as tablets and laptops, but at the same time this exposes a network to other threats which may go un-noticed because wireless access points are placed in "Vulnerable" places, Vulnerable meaning they can be accessed physically by any member of staff, or they broadcast outside of the business premises. If you have implemented access points in your organisation, were they placed strategically, or were they placed in the area where they were required without prior planning?

   Open-Ended Question: 100.00%, 11 responses

   1   20/03/15 3:00PM, ID 17203729: We choose the correct places to install our wireless access points based on range and reliability.
   2   20/03/15 4:42PM, ID 17215958: Strategically
   3   20/03/15 4:47PM, ID 17216308: They have been placed in the corridors outside classrooms
   4   20/03/15 6:19PM, ID 17225360: office is small. only one required.
   5   21/03/15 2:30PM, ID 17305001: Unfortunately, I don't have a certain answer to this question, but I think Access points are distributed internally throughout the premises to provide services to the areas not covered by physical medium, such as restaurants and cafés, or to provide alternative options to users, who prefer using their laptops and mobiles.
   6   22/03/15 11:35AM, ID 17458692: wireless points placed dependent on organisational unit on each floor.
   7   22/03/15 12:08PM, ID 17462581: No prior planning except making sure the whole building could access
   8   22/03/15 3:06PM, ID 17478958: Wireless APs installed in strategic locations to offer a meshed network, all running dd-wrt with local reset button disabled in config for security.
   9   23/03/15 8:51AM, ID 17546157: They were placed in vulnerable areas without regard for security.
   10  23/03/15 1:32PM, ID 17613228: Before my time of employment, have given recommendations.
   11  25/03/15 11:51AM, ID 17926246: strategically

   answered 11, skipped 10

13. How do you monitor for unauthorised usage on the network? This includes usage outside of the organisation's IT policy or abuse of IT systems, e.g. members of staff accessing pornographic material on site and users trying to authenticate with dud credentials.

   Open-Ended Question: 100.00%, 11 responses

   1   20/03/15 3:00PM, ID 17203729: For internet protection we use Sophos Cloud and policies on our firewall. We have a policy in place (written and signed) about abusing the IT systems. If staff have to take equipment home, it has to be inspected before and after with a signed contract from both parties.
   2   20/03/15 4:42PM, ID 17215958: We don't.
   3   20/03/15 4:47PM, ID 17216308: There is a firewall in place which blocks any unauthorised usage.
   4   20/03/15 6:19PM, ID 17225360: all staff actions logged, use of ids/ips and firewall.
   5   21/03/15 2:30PM, ID 17305001: I am not sure what the organisation has implemented in place, but I think a network monitoring software, Access Control List + logs have been implemented to identify users trying to misuse the system.
   6   22/03/15 11:35AM, ID 17458692: Each site has a firewall, blocking all traffic except that which is officially requested and business justified, we have DMZs for external access to the network so that only internal traffic is allowed access to the main network except for VPN, and 2 Blue Coat proxy servers to prevent unauthorised access to sites etc.
   7   22/03/15 12:08PM, ID 17462581: I don't really though I may notice if there was an unrecognisable device attached
   8   22/03/15 3:06PM, ID 17478958: All stations are locked to a mac address list, squid transparent proxying for monitoring of usage.
   9   23/03/15 8:51AM, ID 17546157: No idea.
   10  23/03/15 1:32PM, ID 17613228: ISP proxy filter.
   11  25/03/15 11:51AM, ID 17926246: Firewall content filtering

   answered 11, skipped 10

14. Does your organisation utilise WiFi enabled IP Phones? If yes, how do you overcome issues with regards to device authentication when they connect to the wireless access points? Please note: this does not include DECT phones with separate base stations.

   Open-Ended Question: 100.00%, 11 responses

   1   20/03/15 3:00PM, ID 17203729: We don't use wireless phones.
   2   20/03/15 4:42PM, ID 17215958: No
   3   20/03/15 4:47PM, ID 17216308: Have no knowledge of this.
   4   20/03/15 6:19PM, ID 17225360: no, ip phones are wired.
   5   21/03/15 2:30PM, ID 17305001: I think yes, the organisation utilise WiFi enabled IP Phones, but have no idea about issues related to device authentication, because I am not in the position where I can follow these issues.
   6   22/03/15 11:35AM, ID 17458692: no. All phones are routed via the LAN.
   7   22/03/15 12:08PM, ID 17462581: No
   8   22/03/15 3:06PM, ID 17478958: No
   9   23/03/15 8:51AM, ID 17546157: No my organization does not utilize WiFi enabled IP phones.
   10  23/03/15 1:32PM, ID 17613228: No.
   11  23/04/15 7:44PM, ID 20223100: no

   answered 11, skipped 10


A2 – Blank Survey - Network & Infrastructure security

A2.1 - Page 1 – Welcome

Thank you for taking the time to complete my survey.

All responses towards this survey will be 100% anonymous and responses cannot be used to identifyyou as an individual or as an organisation.

Responses from this survey will be used to go towards my dissertation for my Bachelor's Degree in Computing Solutions.

This survey will be investigating your use of wireless technology and what security precautions youimplement and use when connected to wireless networks. There will be two sections to this survey, thefirst set of responses will be for individual responses as in 'You' as an entity.

The second section will be investigating business use of wireless technology to manage network userswho utilise Wireless networking for business use. Again information will be collected but will not bepublished or released identifying an individual or an organisation.

Please note: IP Addresses and other identifiable information will NOT be collected during this survey

Your time is very much appreciated and your response will be invaluable towards my dissertation

To continue please click next

A2.2 - Page 2: Questions for Individuals

Q1. What gender are you

Male / Female / Prefer not to say

Q2. What age range do you fall under

18 and Under / 19 – 21 / 22 – 25 / 26 – 30 / 31 – 40 / 40 – 60 / 60+ / Prefer not to say

A2.3 - Page 3: Questions for Individuals

Q3. Which devices do you own which use WiFi technology to communicate with a network infrastructure to gain access to the internet?

Yes No

Smart Television O O

Mobile Phone O O


Tablet O O

Phablet (Large mobile phone crossed tablet) O O

Netbook O O

Notebook/Laptop O O

PDA O O

Desktop Computer O O

Hand held games console O O

Large games console (E.g. X-BOX 360 and Up, Playstation 3 and up) O O

Q4. Are you aware that using WiFi access points could potentially expose your device to threats if the correctconfiguration isn't used by the network provider?

Yes / No

Q5. When using public WiFi access points do you use encrypted VPN tunnels to reduce the risk of your datasecurity being compromised.

Yes / No

Q6. Do you utilise security software on your computer, such as software firewalls and antivirus protection to helpreduce the risk of your computer becoming a victim of hacking.

Yes / No

Q7. Do you utilise mobile security software on mobile phones and tablets to help protect those devices?

Yes / No / Didn’t know mobile security software was available


Q8. Do you have any say about the security of the Wireless networks you use, for example connecting personaldevices to a business network or connecting personal devices to your internet at home?

Yes / No / Do not know

A2.4 - Page 4: Questions for Organisations

These questions should be answered by IT Administrators in a position where they are allowed to respond to surveys of this type.

Please note: No information will be disclosed to any 3rd parties and responses are treated asanonymous. No information will be collected to disclose yourself as an individual or as an organisation.

Q9. How many employees work within your organisation

1 – 10 / 10 – 20 / 20 – 50 / 50 – 100 / 100+ / Prefer not to say

Q10. How do you currently secure your wireless access points?

No Wireless protection implemented / WEP Authentication / WPA Authentication / WPA2 Authentication /Mixed Authentication (WPA + WPA2(AES/TKIP)) / 802.11x Authentication utilising RADIUS / 802.11xAuthentication using Access Gateway with Authentication webpage / Other (please specify)

Q11. In the event of a member of staff leaving your organisation, how do you ensure your wireless networkremains secure

Wireless keys are not changed / Wireless keys are changed on Wireless Access points manually / Wireless keysare changed on Wireless access points remotely using software such as DrayTek ACS-SI Management platform /User accounts are disabled on the network infrastructure where 802.11x is implemented / Other (Please Specify)

Q12. Wireless access points are of great benefit to organisations who utilise mobile devices such as tablets and laptops, but at the same time this exposes a network to other threats which may go un-noticed because wireless access points are placed in "Vulnerable" places, Vulnerable meaning they can be accessed physically by any member of staff, or they broadcast outside of the business premises. If you have implemented access points in your organisation, were they placed strategically, or were they placed in the area where they were required without prior planning?

Open Question


Q13. How do you monitor for unauthorised usage on the network. This includes usage outside of theorganisations IT policy or abuse of IT systems, e.g. Members of staff accessing pornographic material on site andusers trying to authenticate with dud credentials

Open Question

Q14. Does your organisation utilise WiFi enabled IP Phones. If yes how do you overcome issues with regards todevice authentication when they connect to the wireless access points. Please note: this does not include DECTphones with Separate base stations

Open Question


A3 – Practical Network Design – NOTE CONFIGURATION LOCATION IN APPENDIX

Below is the network layout used during the research project. Other details such as Rapid Spanning Tree Protocol are used within the project, and full configuration breakdowns of the routers and switches can be found in the appendix.

FIGURE 10 - NETWORK DIAGRAM OF PROJECT TESTING

[Diagram: routers R1 and R2 with an Internet uplink; switches S1, S2 and S3; server DISS-AD01; wireless access points DISS-AP01 and DISS-AP02; client machines DISS-SALES-01, DISS-ACCNTS-01 and DISS-MGMT-01.]

Wireless Access Points – 3 SSIDs each:

   SSID               Authentication                        Visible   VLAN tag
   DISS-IT-SERVICES   WPA2-Enterprise (802.1X / RADIUS)     Hidden    103
   DISS-INTERNAL      WPA2-Enterprise (802.1X / RADIUS)     True      104
   DISS-GUEST         WPA2-Personal (pre-shared key)        True      105

VLAN Configuration:

   VLAN 100 – Accounts Dept
   VLAN 101 – Sales Dept
   VLAN 102 – Management Dept
   VLAN 103 – IT Services
   VLAN 104 – Internal WiFi
   VLAN 105 – Guest WiFi
   VLAN 254 – Server Farm
   VLAN 255 – Management VLAN

Router Configurations

Both routers run HSRP (Hot Standby), sharing one virtual gateway address per VLAN. The .1 address in each VLAN is the HSRP virtual address that hosts use as their default gateway; .2 and .3 are the real interface addresses of R1 and R2 respectively (see the R1 configuration in A6).

   VLAN   Subnet              HSRP virtual IP   R1 interface IP   R2 interface IP
   100    192.168.100.0/24    192.168.100.1     192.168.100.2     192.168.100.3
   101    192.168.101.0/24    192.168.101.1     192.168.101.2     192.168.101.3
   102    192.168.102.0/24    192.168.102.1     192.168.102.2     192.168.102.3
   103    192.168.103.0/24    192.168.103.1     192.168.103.2     192.168.103.3
   104    192.168.104.0/24    192.168.104.1     192.168.104.2     192.168.104.3
   105    192.168.105.0/24    192.168.105.1     192.168.105.2     192.168.105.3
   254    192.168.254.0/24    192.168.254.1     192.168.254.2     192.168.254.3
   255    192.168.255.0/24    192.168.255.1     192.168.255.2     192.168.255.3


A4 – Practical Network Design – Backbone Core

FIGURE 11 - BACKBONE CORE OF NETWORK DESIGN - INCLUDING IP PHONE SERVER AND APACHE WEB SERVER

[Diagram: core switches S1, S2 and S3 interconnected with routers R1 and R2; an Asterisk IP PBX server, a Windows Server and an Apache web server (WEBHOST) attached to the core; an ISP connection from the routers. Interface pairs labelled on the links: G0/1 – G0/0, G0/2 – G0/0, G0/2 – G0/0, F0/24 – F0/24, F0/23 – F0/23, G0/0 – G0/1, G0/0 – G0/1, G0/0 – G0/0.]


A5 – ValidatorPRO cable certification report

Please turn over to view the full JDSU ValidatorPRO cable certification report.


A6 – Router Configurations

A6.1 – R1

! Last configuration change at 13:34:33 UTC Thu May 7 2015 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ikD2$73leUsh/bduvKhj3mWEqN0
!
no aaa new-model
!
ip cef
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
license udi pid CISCO2901/K9 sn FCZ183994LH
!
username admin privilege 15 secret 5 $1$2rM3$ptF4f4XUrnPoRxLvM/7qP1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! Physical LAN interface: carries the 802.1Q trunk to the switches.
! All addressing is on the sub-interfaces below.
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto


!
! One sub-interface per VLAN. "standby 0 ip" is the HSRP virtual gateway shared
! with R2; "ip helper-address" relays DHCP requests to the server on the Server
! Farm VLAN.
interface GigabitEthernet0/0.100
 description "Accounts Department"
 encapsulation dot1Q 100
 ip address 192.168.100.2 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.100.1
 standby 0 priority 1
!
interface GigabitEthernet0/0.101
 description "Sales Department"
 encapsulation dot1Q 101
 ip address 192.168.101.2 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.101.1
 standby 0 priority 1
!
interface GigabitEthernet0/0.102
 description "Management Department"
 encapsulation dot1Q 102
 ip address 192.168.102.2 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.102.1
 standby 0 priority 1
!
! No "standby 0 priority" on this sub-interface in the recorded configuration,
! so HSRP uses its default priority (100) here.
interface GigabitEthernet0/0.103
 description "IT Services"
 encapsulation dot1Q 103
 ip address 192.168.103.2 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.103.1
!
interface GigabitEthernet0/0.104
 description "Internal WiFi"
 encapsulation dot1Q 104
 ip address 192.168.104.2 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.104.1
 standby 0 priority 1
!
interface GigabitEthernet0/0.105
 description "Guest WiFi"
 encapsulation dot1Q 105
 ip address 192.168.105.2 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in


 standby 0 ip 192.168.105.1
 standby 0 priority 1
!
interface GigabitEthernet0/0.254
 description "Server Farm"
 encapsulation dot1Q 254
 ip address 192.168.254.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.254.1
 standby 0 priority 1
!
interface GigabitEthernet0/0.255
 description "Management VLAN"
 encapsulation dot1Q 255
 ip address 192.168.255.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.255.1
 standby 0 priority 1
!
interface GigabitEthernet0/1
 description "WAN Interface 1"
 ip address 8.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router ospf 1
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/0.100
 passive-interface GigabitEthernet0/0.101
 passive-interface GigabitEthernet0/0.102
 passive-interface GigabitEthernet0/0.103
 passive-interface GigabitEthernet0/0.104
 passive-interface GigabitEthernet0/0.105
 passive-interface GigabitEthernet0/0.254
 passive-interface GigabitEthernet0/0.255
 network 8.0.0.0 0.0.0.3 area 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!


ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 8.0.0.2
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.103.0 0.0.0.255
access-list 1 permit 192.168.104.0 0.0.0.255
access-list 1 permit 192.168.105.0 0.0.0.255
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 1 permit 192.168.255.0 0.0.0.255
!
!
!
control-plane
!
!
banner login ^CA valid username and password is required to proceed. Please enter your username and password to continue^C
banner motd ^CAuthorised users only! Unauthorised users will be prosecuted to the full extent of the law!^C
!
line con 0
 logging synchronous
 login local
line aux 0
 logging synchronous
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 transport input all
line vty 5 15
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end


A6.2 – R2

!
! Last configuration change at 13:39:32 UTC Thu May 7 2015 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ikD2$73leUsh/bduvKhj3mWEqN0
!
no aaa new-model
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
license udi pid CISCO2901/K9 sn FCZ183994LV
!
!
username admin privilege 15 secret 5 $1$2rM3$ptF4f4XUrnPoRxLvM/7qP1
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!


interface GigabitEthernet0/0.100
 description "Accounts Department"
 encapsulation dot1Q 100
 ip address 192.168.100.3 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.100.1
 standby 0 priority 2
!
interface GigabitEthernet0/0.101
 description "Sales Department"
 encapsulation dot1Q 101
 ip address 192.168.101.3 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.101.1
 standby 0 priority 2
!
interface GigabitEthernet0/0.102
 description "Management Deptartment"
 encapsulation dot1Q 102
 ip address 192.168.102.3 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.102.1
 standby 0 priority 2
!
interface GigabitEthernet0/0.103
 description "IT Services"
 encapsulation dot1Q 103
 ip address 192.168.103.3 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.103.1
 standby 0 priority 2
!
interface GigabitEthernet0/0.104
 description "Internal WiFi"
 encapsulation dot1Q 104
 ip address 192.168.104.3 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.104.1
 standby 0 priority 2
!
interface GigabitEthernet0/0.105
 description "Guest WiFi"
 encapsulation dot1Q 105
 ip address 192.168.105.3 255.255.255.0
 ip helper-address 192.168.254.100
 ip nat inside
 ip virtual-reassembly in


 standby 0 ip 192.168.105.1
 standby 0 priority 2
!
interface GigabitEthernet0/0.254
 description "Server Farm"
 encapsulation dot1Q 254
 ip address 192.168.254.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.254.1
 standby 0 priority 2
!
interface GigabitEthernet0/0.255
 description "Management VLAN"
 encapsulation dot1Q 255
 ip address 192.168.255.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 192.168.255.1
 standby 0 priority 2
!
interface GigabitEthernet0/1
 description "WAN Interface 2"
 ip address 8.0.0.5 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router ospf 1
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/0.100
 passive-interface GigabitEthernet0/0.101
 passive-interface GigabitEthernet0/0.102
 passive-interface GigabitEthernet0/0.103
 passive-interface GigabitEthernet0/0.104
 passive-interface GigabitEthernet0/0.105
 passive-interface GigabitEthernet0/0.254
 passive-interface GigabitEthernet0/0.255
 passive-interface GigabitEthernet0/1
 network 8.0.0.0 0.0.0.3 area 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server


!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 8.0.0.6
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.103.0 0.0.0.255
access-list 1 permit 192.168.104.0 0.0.0.255
access-list 1 permit 192.168.105.0 0.0.0.255
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 1 permit 192.168.255.0 0.0.0.255
!
!
!
control-plane
!
!
banner login ^CA valid username and password is required to proceed. Please enter your username and password to continue^C
banner motd ^CAuthorised users only! Unauthorised users will be prosecuted to the full extent of the law!^C
!
line con 0
 logging synchronous
 login local
line aux 0
 logging synchronous
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 transport input all
line vty 5 15
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end
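R1 and R2 share every VLAN gateway through HSRP ("standby 0 ip" / "standby 0 priority"), so the two listings need to agree interface by interface. The checker below is an added example, not code from the dissertation: R1_CONFIG and R2_CONFIG are constructed excerpts in the style of the listings above (R1 G0/0.103 carries no priority line, as on the page, and one R2 virtual IP is deliberately mistyped to show a mismatch finding).

```python
"""Cross-check HSRP 'standby' settings between a redundant IOS router pair.

Added example, not the dissertation's code. The configs are constructed
excerpts: three subinterfaces each, R1 G0/0.103 without a priority line
(as on the page) and one R2 virtual IP mistyped on purpose.
"""
import re

HSRP_DEFAULT_PRIORITY = 100  # IOS default when no 'standby <group> priority' is set

R1_CONFIG = """\
hostname R1
interface GigabitEthernet0/0.100
 standby 0 ip 192.168.100.1
 standby 0 priority 1
interface GigabitEthernet0/0.103
 standby 0 ip 192.168.103.1
interface GigabitEthernet0/0.254
 standby 0 ip 192.168.254.1
 standby 0 priority 1
"""

R2_CONFIG = """\
hostname R2
interface GigabitEthernet0/0.100
 standby 0 ip 192.168.100.1
 standby 0 priority 2
interface GigabitEthernet0/0.103
 standby 0 ip 192.168.103.1
 standby 0 priority 2
interface GigabitEthernet0/0.254
 standby 0 ip 192.168.245.1
 standby 0 priority 2
"""

STANDBY_RE = re.compile(r"^\s+standby\s+\d+\s+(ip|priority|preempt)(?:\s+(\S+))?")


def hostname(config):
    """Return the value of the first 'hostname' line."""
    return next(l.split(None, 1)[1].strip() for l in config.splitlines()
                if l.startswith("hostname "))


def parse_standby(config):
    """Map each interface with HSRP lines to its virtual IP, priority and preempt flag."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        if not line.startswith(" "):
            current = None  # any top-level line ends the interface block
            continue
        match = STANDBY_RE.match(line)
        if current is None or not match:
            continue
        entry = groups.setdefault(current, {"ip": None, "priority": HSRP_DEFAULT_PRIORITY,
                                            "explicit": False, "preempt": False})
        keyword, value = match.groups()
        if keyword == "ip":
            entry["ip"] = value
        elif keyword == "priority":
            entry["priority"], entry["explicit"] = int(value), True
        else:
            entry["preempt"] = True
    return groups


def check_hsrp_pair(cfg_a, cfg_b):
    """Return (active router per interface, list of findings) for two configs."""
    name_a, name_b = hostname(cfg_a), hostname(cfg_b)
    a, b = parse_standby(cfg_a), parse_standby(cfg_b)
    active, findings = {}, []
    for ifname in sorted(set(a) | set(b)):
        if ifname not in a or ifname not in b:
            findings.append(f"{ifname}: standby group only on {name_a if ifname in a else name_b}")
            continue
        ea, eb = a[ifname], b[ifname]
        if ea["ip"] != eb["ip"]:
            findings.append(f"{ifname}: virtual IP mismatch {ea['ip']} vs {eb['ip']}")
        for name, entry in ((name_a, ea), (name_b, eb)):
            if not entry["explicit"]:
                findings.append(f"{ifname}: {name} has no priority line, default "
                                f"{HSRP_DEFAULT_PRIORITY} applies")
        if not (ea["preempt"] or eb["preempt"]):
            findings.append(f"{ifname}: neither router sets 'standby preempt', so the "
                            "higher-priority router will not retake active after recovery")
        if ea["priority"] == eb["priority"]:
            active[ifname] = "undecided"  # HSRP then breaks the tie on the highest interface IP
        else:
            active[ifname] = name_a if ea["priority"] > eb["priority"] else name_b
    if len(set(active.values())) > 1:
        findings.append("active router differs between VLANs: "
                        + ", ".join(f"{k}={v}" for k, v in active.items()))
    return active, findings
```

Calling check_hsrp_pair(R1_CONFIG, R2_CONFIG) reports that the missing priority on G0/0.103 makes R1 active on that VLAN while R2 is active on the others, which splits gateway traffic between the two routers.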


A6.3 – ISP

!
! Last configuration change at 12:22:24 UTC Thu May 7 2015 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$B2lm$ctNE.M.DMC1lLwx04JWQd.
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
no ip domain lookup
multilink bundle-name authenticated
!
!
license udi pid CISCO2901/K9 sn FCZ173192EK
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
username admin privilege 15 secret 5 $1$ZP2r$BdTBMeY1VsMefTXaw/wYt1
!
!
!
interface GigabitEthernet0/0
 description "WAN Link to ISP R1"
 ip address 8.0.0.2 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 8.0.0.6 255.255.255.252
 duplex auto
 speed auto


!
interface Serial0/0/0
 ip address 8.0.0.9 255.255.255.252
 no fair-queue
 clock rate 128000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 network 8.0.0.0 0.0.0.3 area 0
 network 8.0.0.4 0.0.0.3 area 0
 network 8.0.0.8 0.0.0.3 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
control-plane
!
banner motd ^CAuthorised users only! Unauthorised users will be prosecuted to the full extent of the law!^C
!
line con 0
 logging synchronous
 login local
line aux 0
 logging synchronous
 login local
line vty 0 4
 logging synchronous
 login local
 transport input none
line vty 5 15
 logging synchronous
 login local
 transport input none
!
scheduler allocate 20000 1000
end


A6.4 – WEBHOST

!
! Last configuration change at 13:50:37 UTC Thu May 7 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WEBHOST
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$B2lm$ctNE.M.DMC1lLwx04JWQd.
!
no aaa new-model
!
ip cef
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
license udi pid CISCO2901/K9 sn FCZ183994LQ
license boot module c2900 technology-package securityk9
!
!
username admin privilege 15 secret 5 $1$i53N$Pc/hf4ISbHXm4w/fPpoXm/
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description "WAN Link to Server"
 ip address 8.0.0.13 255.255.255.252
 shutdown
 duplex auto
 speed auto
!


interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 8.0.0.10 255.255.255.252
 shutdown
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router ospf 1
 passive-interface GigabitEthernet0/1
 network 8.0.0.8 0.0.0.3 area 0
 network 8.0.0.12 0.0.0.3 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
line aux 0
 logging synchronous
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 no login
 transport input none
line vty 5 14
 no login
 transport input none
!
scheduler allocate 20000 1000
!
end


A7 – Switch Configurations

A7.1 – S1

!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$saM0$1gP/zr0NV50j.4c1eGZM./
!
username admin privilege 15 secret 5 $1$W3fZ$9jtupCDGZjpuyiRGDmwFH.
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-3240850944
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3240850944
 revocation-check none
 rsakeypair TP-self-signed-3240850944

!
!
crypto pki certificate chain TP-self-signed-3240850944
 certificate self-signed 01
  quit
!
!


!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface Port-channel1
!
interface Port-channel2
!
interface FastEthernet0/1
 switchport access vlan 255
 switchport mode access
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown


!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 switchport mode trunk
 channel-group 1 mode auto
!
interface FastEthernet0/20
 switchport mode trunk
 channel-group 1 mode auto
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 switchport mode trunk
 channel-group 2 mode auto
!
interface FastEthernet0/24
 switchport mode trunk
 channel-group 2 mode auto
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description "Accounts Department"
 no ip address
!
interface Vlan101
 description "Sales Department"
 no ip address
!
interface Vlan102


 description "Management Department"
 no ip address
!
interface Vlan103
 description "IT Services"
 no ip address
!
interface Vlan104
 description "Internal WiFi"
 no ip address
!
interface Vlan105
 description "Guest WiFi"
 no ip address
!
interface Vlan254
 description "Server Farm"
 no ip address
!
interface Vlan255
 ip address 192.168.255.11 255.255.255.0
!
ip default-gateway 192.168.255.1
ip http server
ip http secure-server
!
banner login ^CPlease enter a valid username and password to continue^C
banner motd ^CAuthorised users only! Unauthorised users will be prosecuted to the full extent of the law!^C
!
line con 0
 logging synchronous
 login local
line vty 0 4
 logging synchronous
 login local
line vty 5 15
 logging synchronous
 login local
!
end


A7.2 – S2

!
! Last configuration change at 02:07:49 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$saM0$1gP/zr0NV50j.4c1eGZM./
!
username admin privilege 15 secret 5 $1$W3fZ$9jtupCDGZjpuyiRGDmwFH.
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-3248152576
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3248152576
 revocation-check none
 rsakeypair TP-self-signed-3248152576

!
!
crypto pki certificate chain TP-self-signed-3248152576
 certificate self-signed 01
  quit
!


!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface Port-channel1
!
interface Port-channel2
!
interface Port-channel3
!
interface FastEthernet0/1
 switchport access vlan 254
 switchport mode access
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 switchport access vlan 254
 switchport trunk native vlan 104
 switchport mode trunk
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown


!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 description "Trunk Link to S1"
 switchport mode trunk
 channel-group 1 mode auto
!
interface FastEthernet0/20
 description "Trunk Link to S1"
 switchport mode trunk
 channel-group 1 mode auto
!
interface FastEthernet0/21
 description "Trunk Link to S3"
 switchport mode trunk
 channel-group 3 mode auto
!
interface FastEthernet0/22
 description "Trunk Link to S3"
 switchport mode trunk
 channel-group 3 mode auto
!
interface FastEthernet0/23
 switchport mode trunk
 shutdown
!
interface FastEthernet0/24
 switchport mode trunk
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1


 no ip address
 shutdown
!
interface Vlan100
 description "Accounts Department"
 no ip address
!
interface Vlan101
 description "Sales Department"
 no ip address
!
interface Vlan102
 description "Management Department"
 no ip address
!
interface Vlan103
 description "IT Services"
 no ip address
!
interface Vlan104
 description "Internal WiFi"
 no ip address
!
interface Vlan105
 description "Guest WiFi"
 no ip address
!
interface Vlan254
 description "Server Farm"
 no ip address
!
interface Vlan255
 ip address 192.168.255.12 255.255.255.0
!
ip default-gateway 192.168.255.1
ip http server
ip http secure-server
!
banner login ^CPlease enter a valid username and password to continue^C
banner motd ^CAuthorised users only! Unauthorised users will be prosecuted to the full extent of the law!^C
!
line con 0
 logging synchronous
 login local
line vty 0 4
 logging synchronous
 login local
line vty 5 15
 logging synchronous
 login local
!
end


A7.3 – S3

!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$saM0$1gP/zr0NV50j.4c1eGZM./
!
username admin privilege 15 secret 5 $1$W3fZ$9jtupCDGZjpuyiRGDmwFH.
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-3247239296
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3247239296
 revocation-check none
 rsakeypair TP-self-signed-3247239296

!
!
crypto pki certificate chain TP-self-signed-3247239296
 certificate self-signed 01
  quit
!
!
!


!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface Port-channel1
!
interface Port-channel2
!
interface Port-channel3
!
interface FastEthernet0/1
 shutdown
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown


!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 switchport mode trunk
 shutdown
 channel-group 1 mode auto
!
interface FastEthernet0/20
 switchport mode trunk
 shutdown
 channel-group 1 mode auto
!
interface FastEthernet0/21
 channel-group 3 mode auto
!
interface FastEthernet0/22
 channel-group 3 mode auto
!
interface FastEthernet0/23
 switchport mode trunk
 channel-group 2 mode auto
!
interface FastEthernet0/24
 switchport mode trunk
 channel-group 2 mode auto
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description "Accounts Department"
 no ip address
!
interface Vlan101
 description "Sales Department"
 no ip address


!
interface Vlan102
 description "Management Department"
 no ip address
!
interface Vlan103
 description "IT Services"
 no ip address
!
interface Vlan104
 description "Internal WiFi"
 no ip address
!
interface Vlan105
 description "Guest WiFi"
 no ip address
!
interface Vlan254
 description "Server Farm"
 no ip address
!
interface Vlan255
 ip address 192.168.255.13 255.255.255.0
!
ip default-gateway 192.168.255.1
ip http server
ip http secure-server
!
banner login ^CPlease enter a valid username and password to continue^C
banner motd ^CAuthorised users only! Unauthorised users will be prosecuted to the full extent of the law!^C
!
line con 0
 logging synchronous
 login local
line vty 0 4
 logging synchronous
 login local
line vty 5 15
 logging synchronous
 login local
!
end


A8 – Subnet and IP Configuration

A8.1 – Subnet Management

Network       | Start IP      | End IP          | Broadcast       | Subnet Mask     | VLAN | Purpose
192.168.100.0 | 192.168.100.1 | 192.168.100.254 | 192.168.100.255 | 255.255.255.0   | 100  | Sales
192.168.101.0 | 192.168.101.1 | 192.168.101.254 | 192.168.101.255 | 255.255.255.0   | 101  | Management
192.168.102.0 | 192.168.102.1 | 192.168.102.254 | 192.168.102.255 | 255.255.255.0   | 102  | Accounts
192.168.103.0 | 192.168.103.1 | 192.168.103.254 | 192.168.103.255 | 255.255.255.0   | 103  | IT Department
192.168.104.0 | 192.168.104.1 | 192.168.104.254 | 192.168.104.255 | 255.255.255.0   | 104  | Internal Wi-Fi
192.168.105.0 | 192.168.105.1 | 192.168.105.254 | 192.168.105.255 | 255.255.255.0   | 105  | Guest Wi-Fi
192.168.254.0 | 192.168.254.1 | 192.168.254.254 | 192.168.254.255 | 255.255.255.0   | 254  | Server Farm
192.168.255.0 | 192.168.254.1 | 192.168.255.254 | 192.168.255.255 | 255.255.255.0   | 255  | Management VLAN
8.0.0.0       | 8.0.0.1       | 8.0.0.2         | 8.0.0.3         | 255.255.255.252 | N/a  | WAN Link
8.0.0.4       | 8.0.0.5       | 8.0.0.6         | 8.0.0.7         | 255.255.255.252 | N/a  | WAN Link
8.0.0.8       | 8.0.0.9       | 8.0.0.10        | 8.0.0.11        | 255.255.255.252 | N/a  | WAN Link
8.0.0.12      | 8.0.0.13      | 8.0.0.14        | 8.0.0.15        | 255.255.255.252 | N/a  | WAN Link


A8.2 – IP Address Allocation

Device | Interface | Encapsulation | IP Address      | Subnet Mask     | Description                               | Standby IP    | Standby Priority
R1     | G0/0      | N/a           | N/a             | N/a             | Interface Not in use                      | N/a           | N/a
R1     | G0/0.100  | Dot1q 100     | 192.168.100.2   | 255.255.255.0   | Sales                                     | 192.168.100.1 | 1
R1     | G0/0.101  | Dot1q 100     | 192.168.101.2   | 255.255.255.0   | Management                                | 192.168.101.1 | 1
R1     | G0/0.102  | Dot1q 100     | 192.168.102.2   | 255.255.255.0   | Marketing                                 | 192.168.102.1 | 1
R1     | G0/0.103  | Dot1q 100     | 192.168.103.2   | 255.255.255.0   | IT Services                               | 192.168.103.1 | 1
R1     | G0/0.104  | Dot1q 100     | 192.168.104.2   | 255.255.255.0   | Internal Wi-Fi                            | 192.168.104.1 | 1
R1     | G0/0.105  | Dot1q 100     | 192.168.105.2   | 255.255.255.0   | Guest Wi-Fi Access                        | 192.168.105.1 | 1
R1     | G0/0.254  | Dot1q 100     | 192.168.254.2   | 255.255.255.0   | Server Farm                               | 192.168.254.1 | 1
R1     | G0/0.255  | Dot1q 100     | 192.168.255.2   | 255.255.255.0   | Management VLAN                           | 192.168.255.1 | 1
R1     | G0/1      | N/a           | 8.0.0.1         | 255.255.255.252 | WAN Interface 1                           | N/a           | N/a
R2     | G0/0      | N/a           | N/a             | N/a             | Interface Not in use                      | N/a           | N/a
R2     | G0/0.100  | Dot1q 100     | 192.168.100.3   | 255.255.255.0   | Sales                                     | 192.168.100.1 | 2
R2     | G0/0.101  | Dot1q 100     | 192.168.101.3   | 255.255.255.0   | Management                                | 192.168.101.1 | 2
R2     | G0/0.102  | Dot1q 100     | 192.168.102.3   | 255.255.255.0   | Marketing                                 | 192.168.102.1 | 2
R2     | G0/0.103  | Dot1q 100     | 192.168.103.3   | 255.255.255.0   | IT Services                               | 192.168.103.1 | 2
R2     | G0/0.104  | Dot1q 100     | 192.168.104.3   | 255.255.255.0   | Internal Wi-Fi                            | 192.168.104.1 | 2
R2     | G0/0.105  | Dot1q 100     | 192.168.105.3   | 255.255.255.0   | Guest Wi-Fi Access                        | 192.168.105.1 | 2
R2     | G0/0.254  | Dot1q 100     | 192.168.254.3   | 255.255.255.0   | Server Farm                               | 192.168.254.1 | 2
R2     | G0/0.255  | Dot1q 100     | 192.168.255.3   | 255.255.255.0   | Management VLAN                           | 192.168.255.1 | 2
R2     | G0/1      | N/a           | 8.0.0.5         | 255.255.255.252 | WAN Interface 2                           | N/a           | N/a
S1     | VLAN255   | N/a           | 192.168.255.11  | 255.255.255.0   | Switch Management Interface               | N/a           | N/a
S2     | VLAN255   | N/a           | 192.168.255.12  | 255.255.255.0   | Switch Management Interface               | N/a           | N/a
S3     | VLAN255   | N/a           | 192.168.255.13  | 255.255.255.0   | Switch Management Interface               | N/a           | N/a
AP01   | G0/0      | N/a           | 192.168.104.254 | 255.255.255.0   | Wireless Access Point Management Interface | N/a          | N/a
Server | G0/0      | N/a           | 192.168.254.100 | 255.255.255.0   | Active Directory and NPS Server           | N/a           | N/a


A9 – Failed RADIUS Authentication

A9.1 – Failed RADIUS Authentication request (XML)

A9.1.1 – Raw XML Data

<Event>
  <Timestamp data_type="4">05/07/2015 15:47:11.142</Timestamp>
  <Computer-Name data_type="1">DISS-AD01</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Class data_type="1">311 1 192.168.254.100 05/07/2015 08:28:09 376</Class>
  <EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name>
  <Authentication-Type data_type="0">11</Authentication-Type>
  <PEAP-Fast-Roamed-Session data_type="0">0</PEAP-Fast-Roamed-Session>
  <Client-IP-Address data_type="3">192.168.104.254</Client-IP-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">Vigor AP700 - AP1</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <MS-CHAP-Domain data_type="2">01444953534552544154494F4E</MS-CHAP-Domain>
  <SAM-Account-Name data_type="1">DISSERTATION\hayden.hooper</SAM-Account-Name>
  <Fully-Qualifed-User-Name data_type="1">dissertation.net/Dissertation/Network Users/Hayden J. Hooper</Fully-Qualifed-User-Name>
  <NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name>
  <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
  <Packet-Type data_type="0">3</Packet-Type>
  <Reason-Code data_type="0">65</Reason-Code>
</Event>

A9.1.2 – Description of Raw XML Data

Element | Description

Timestamp | The timestamp is recorded on every log entry and is accurate to the millisecond. This allows administrators to determine when a user failed the authentication check and/or the health check, or when a user met all of the requirements.

Computer-Name | The name of the computer performing the authentication check. In this instance it is DISS-AD01, as that server is processing the NPS checks.

Event-Source | The service which reported the error. In this instance IAS reported the failure. IAS stands for Internet Authentication Service. This service works in conjunction with NPS and reports everything which the server does, depending on what level of logging has been set by the server administrator.


Class | The IP address, date and time of the authentication, and the server which authenticated the request.

EAP-Friendly-Name | The method with which the access point attempted to authenticate. In the above instance Microsoft: Secured Password (EAP-MSCHAPv2) was used. Some access points are unable to authenticate users using more strongly encrypted authentication methods, and for the purpose of this test Encrypted Authentication Protocol was used.

Client-IP-Address | The IP address of the device which the end user is connecting to. In the test the IP address for the authentication was 192.168.104.254.

Client-Friendly-Name | The name which was given to the wireless access point when the client was added to NPS.

Fully-Qualified-User-Name | The username which the user authenticated with, together with a complete breakdown of the user account's location within Active Directory. This is useful for diagnosing and fault finding on the network.

Reason-Code | The response which was returned by NPS. In this instance NPS responded with error 65, which was caused by an NPS configuration error: the NPS policy was being overridden by group policy. Again, this can be overridden within NPS, granting users access.

(Microsoft, 2015)
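The IAS XML format above types every element through its data_type attribute, which is what a log collector has to honour before it can filter on Packet-Type or Reason-Code. The parser below is an added example, not part of the dissertation: SAMPLE_EVENT is a constructed copy of the A9.1.1 event (same elements and values, a few omitted for length), and REASON_CODES is a small paraphrased subset of Microsoft's documented NPS reason codes.

```python
"""Parse NPS/IAS XML-format events and classify the RADIUS outcome.

Added example, not the dissertation's code. SAMPLE_EVENT is a constructed
copy of the failed request in A9.1.1; ACCEPT_EVENT is the same event with
the packet type and reason code changed to a successful one.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

SAMPLE_EVENT = """<Event>
<Timestamp data_type="4">05/07/2015 15:47:11.142</Timestamp>
<Computer-Name data_type="1">DISS-AD01</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Client-IP-Address data_type="3">192.168.104.254</Client-IP-Address>
<Client-Friendly-Name data_type="1">Vigor AP700 - AP1</Client-Friendly-Name>
<MS-CHAP-Domain data_type="2">01444953534552544154494F4E</MS-CHAP-Domain>
<SAM-Account-Name data_type="1">DISSERTATION\\hayden.hooper</SAM-Account-Name>
<NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">65</Reason-Code>
</Event>"""

ACCEPT_EVENT = (SAMPLE_EVENT
                .replace('<Packet-Type data_type="0">3', '<Packet-Type data_type="0">2')
                .replace('<Reason-Code data_type="0">65', '<Reason-Code data_type="0">0'))

# RADIUS packet codes (RFC 2865) as logged in Packet-Type.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request"}

# Subset of Microsoft's documented NPS reason codes, wording paraphrased.
REASON_CODES = {
    0: "success",
    8: "the specified user account does not exist",
    16: "authentication failed due to a user credentials mismatch",
    48: "the connection request did not match any configured network policy",
    65: "network access permission on the user account (dial-in properties) is set to deny",
}


def decode(data_type, text):
    """Convert element text according to the IAS XML data_type attribute."""
    if data_type == "0":
        return int(text)                      # integer
    if data_type == "2":
        return bytes.fromhex(text)            # hex-encoded octets
    if data_type == "3":
        return ipaddress.ip_address(text)     # IP address
    if data_type == "4":
        return datetime.strptime(text, "%m/%d/%Y %H:%M:%S.%f")  # timestamp
    return text                               # data_type 1: plain string


def parse_event(xml_text):
    """Return {element name: typed value} for one <Event> record."""
    root = ET.fromstring(xml_text)
    return {child.tag: decode(child.get("data_type", "1"), child.text or "")
            for child in root}


def chap_domain(raw):
    """MS-CHAP-Domain is one ident octet followed by the domain name (RFC 2548)."""
    return raw[1:].decode("ascii", errors="replace")


def summarise(event):
    """Reduce a parsed event to the fields an analyst triages on."""
    code = event.get("Reason-Code", 0)
    return {
        "time": event["Timestamp"].isoformat(),
        "server": event.get("Computer-Name"),
        "user": event.get("SAM-Account-Name"),
        "domain": chap_domain(event["MS-CHAP-Domain"]) if "MS-CHAP-Domain" in event else None,
        "client": f"{event.get('Client-Friendly-Name')} ({event.get('Client-IP-Address')})",
        "outcome": PACKET_TYPES.get(event.get("Packet-Type"), "unknown"),
        "reason_code": code,
        "reason": REASON_CODES.get(code, "see the Microsoft NPS reason-code list"),
        "rejected": event.get("Packet-Type") == 3,
    }


def rejects_per_user(xml_events):
    """Count Access-Reject records per account over a batch of XML events."""
    counts = {}
    for summary in (summarise(parse_event(x)) for x in xml_events):
        if summary["rejected"]:
            counts[summary["user"]] = counts.get(summary["user"], 0) + 1
    return counts
```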


A9.2 – Failed RADIUS Authentication request (GUI)

FIGURE 12 - FAILED RADIUS AUTHENTICATION - MICROSOFT EVENT VIEWER - (GUI)


A10 – Testing of configuration

Columns: Test ID, Device, Test, Expected Outcome, Actual Outcome, Remedial Work

Test 1 (Device: R1)
Test: If the router fails, does R2 automatically become the primary router? (Disconnect G0/0.)
Expected outcome: R2 automatically becomes the primary router.
Actual outcome: R2 automatically became the primary router, but only after 15 seconds.
Remedial work: No remedial work required.

Test 2 (Device: WAP01)
Test: Can users authenticate using 802.1x? (Username: hayden.hooper)
Expected outcome: Users were successfully authenticated using 802.1x.
Actual outcome: Fail: users couldn't authenticate using the server. The NPS server wasn't authorised within Active Directory.
Remedial work: The server was authorised within Active Directory.

Test 3 (Device: S2)
Test: In the event of one channel group failing, did Rapid STP bring up the standby links within an acceptable timeframe (10 seconds)?
Expected outcome: Redundant links were established and functional within 10 seconds.
Actual outcome: Redundant links were established within 2 seconds of the primary links failing.
Remedial work: No remedial work required.

Test 4 (Device: S2)
Test: When the ports were configured with port authentication, was access restricted to authorised computers and users?
Expected outcome: Unauthorised computers were detected and the port entered protect mode.
Actual outcome: Authorised and unauthorised computers were detected. All requests were blocked as the ports entered protect mode.
Remedial work: NPS wasn't configured correctly with the authorised computers and PEAP settings.

Test 5 (Device: SoftPhone)
Test: Can the soft phone authenticate with the remote phone system behind the NAT-enabled interfaces?
Expected outcome: Softphones were able to communicate with the remote IPPBX server behind the NAT interface.
Actual outcome: Softphones couldn't authenticate.
Remedial work: NAT wasn't redirecting traffic correctly. Configuration error. NAT was re-configured with the correct interfaces defined.

Test 6 (Device: MobilePhone)
Test: Can the mobile phone authenticate using 802.1x configured with the PEAP MS-CHAP authentication protocol?
Expected outcome: The mobile phone was able to authenticate using 802.1x.
Actual outcome: The mobile phone couldn't authenticate.
Remedial work: Correct credentials were provided to the handset, but the authenticity of the device couldn't be confirmed on the NPS server. Request rejected.

Test 7 (Device: Laptop)
Test: Can the laptop authenticate using 802.1x?
Expected outcome: The laptop was able to authenticate using 802.1x.
Actual outcome: Authentication successful.
Remedial work: No remedial work required.

Test 8 (Device: Laptop)
Test: Can the laptop connect to DISS_INTERNAL and be successfully connected to VLAN 104?
Expected outcome: The computer successfully connected to VLAN 104 and obtained a valid IP address for that VLAN.
Actual outcome: The computer successfully connected and obtained the IP address 192.168.104.100.
Remedial work: No remedial work required.

Test 9 (Device: Laptop)
Test: Can the laptop connect to DISS_GUEST and be successfully connected to VLAN 105?
Expected outcome: The computer successfully connected to VLAN 105 and obtained a valid IP address for that VLAN.
Actual outcome: The computer successfully connected and obtained the IP address 192.168.105.100.
Remedial work: No remedial work required.

Test 10 (Device: SIP Phone)
Test: Can the SIP phone make and receive a test phone call from the IPPBX?
Expected outcome: The SIP phone was able to make and receive test phone calls.
Actual outcome: Phone calls were initiated and received. Call quality was excellent.
Remedial work: No remedial work required.


A11 – Declaration of Ethical Compliance

Please turn over


A12 – Project Gantt Chart

Please turn over…
