FACULTY OF SCIENCE, ENGINEERING AND

COMPUTING

School of Computer Science & Mathematics

BSc DEGREE
IN
Cybersecurity and Digital Forensics

PROJECT INTERIM REPORT

Name:

ID Number:

Project Title: Designing the Network Security Infrastructure of

Marine Quest Pvt Limited

Project Type: Design

Date:

Supervisor:

Did you discuss and agree the viability of your project idea with your supervisor? Yes

Did you submit a draft of your proposal to your supervisor? Yes

Did you receive feedback from your supervisor on any submitted draft? Yes
Abstract

This project titled ‘Designing the Network Security Infrastructure of Marine Quest
Pvt Limited’ tasks the author with the project planning, designing, testing and
implementation of different modules required for this project. With the use of
proper analysis, a detailed study of requirements which address the problem
statement, solutions have been found, well documented and implemented into the
design. The design requires for the expansion of Marine Quests network
infrastructure providing the security at different layers of communications
protocols involved. A study has been conducted by the author regarding the
necessary technologies which are involved in communication networks. The
projects main focus is looking at the design from a security perspective, hence a
well detailed section about the security protocols which could be secured within
the different layers of the OSI layer model is documented within this report. The
design of the network spans across into three different segments were implemented
according to the design prototype developed by the author. Tests have been
conducted, simply to test connectivity and routing within the internal network as
well as the functionality of outside links to the wide area network (WAN). Further
enhancements and upgrades will be tested before the final release of the network
prototype involving network monitoring options will be discussed in the final
report.

i
Contents

1. Introduction & Literature Review.............................................................................................1

1.1 Introduction..................................................................................................................... 1
1.2 Background and Motivation...................................................................................................2
1.3 Problem in brief.................................................................................................................... 3
1.4 Aim & Objectives.................................................................................................................4
1.4.1 Aim............................................................................................................................... 4
1.4.2 Objectives...................................................................................................................... 4
1.5 Scope................................................................................................................................... 5
1.6 Deliverables.......................................................................................................................... 6
1.7 Literature Review..................................................................................................................6
2. Analysis.................................................................................................................................. 21
Project Requirements................................................................................................................ 21
Functional Requirements........................................................................................................... 22
Nonfunctional requirements.......................................................................................................22
General requirements................................................................................................................ 22
3. Design..................................................................................................................................... 29
3.1 Design Techniques........................................................................................................... 29
3.1.1 Network Design Approach.............................................................................................29
3.1.2 Network blueprint diagram.............................................................................................30
3.1.3 IP Allocations............................................................................................................... 31
List of usable Ip’s.................................................................................................................. 31
3.2 Network Overview........................................................................................................... 32
4. Network Implementation........................................................................................................... 33
4.1.1 Ip Allocation tables (detailed).........................................................................................33
4.1.2 Network topology design (packet tracer)..........................................................................36
4.1.3 Configurations.............................................................................................................. 36
5. Progress review........................................................................................................................ 50
5.1 Project planning............................................................................................................... 51
6.1 Closing executive summary.....................................................................................................52
6.2 Conclusion...................................................................................................................... 54
References............................................................................................................................... 55

ii
iii
List of Figures/Tables

Figure 1: DHCP overview (source: researchgate.net, 2022)......................................................17

Figure 2: Firewalls, how it works (source: okta.com, 2022)........................................................18
Figure 3: Network blueprint diagram (source: Author)................................................................29
Figure 4: Network 1 (source: Author).........................................................................................32
Figure 5: Network 2 (source: Author).........................................................................................32
Figure 6: Network 3 (source: Author).........................................................................................33
Figure 7: Internal routing network 1 (source: Author).................................................................33
Figure 8: Internal network 2 (source: Author).............................................................................34
Figure 9: Internal network 3 (source: Author).............................................................................34
Figure 10: Packet tracer implementation of network (source: Author)........................................35
Figure 11: R3 (router 3) vlan assignation (source: Author)........................................................36
Figure 12: Assigned VLANs.......................................................................................................37
Figure 13: DHCP configuration for workshop pool (source: Author)...........................................37
Figure 14: DHCP configuration for Showroom pool (source: Author).........................................38
Figure 15: Router 1 OSPF conf (source: Author).......................................................................38
Figure 16: Router 2 OSPF conf (source: Author).......................................................................39
Figure 17: Router 1 ip routes (source: Author)...........................................................................44
Figure 18: Router 2 Ip routes (source: Author)...........................................................................44
Figure 19: Router 3 Ip routes (source: Author)...........................................................................45
Figure 20: Ext router rip v2 table (source: Author).....................................................................45
Figure 21: Ext router Ip routing table (source: Author)...............................................................46
Figure 22: switch trunking details (source: Author)....................................................................47
Figure 23: List of DNS records from local DNS server (source: Author).....................................48
Figure 24: Enabling ssh access (source: Author).......................................................................48
Figure 25: Shows ssh enabled on router with pass cisco (source: Author)................................49
Figure 26: Gannt chart (source: Author)....................................................................................50

iv
 1. Introduction & Literature Review

1.1 Introduction

As technology evolves in a rapid pace, it is very important to keep up with the advancements.
Daily new and improved methods of design and workarounds are being developed by teams are
deployed. There is always room for improvements and enhancements. The intentions are for the
betterment of existing businesses and maintain good relations between companies and their
customers.

In order to maintain a good and reputable name in the market, an organization must provide
quality service to their customers. To achieve this, companies need to have proper business
processes in place. Proper design infrastructure, good maintenance protocols and scheduled
backups and updates are crucial to a thriving company. And it is considered the most important,
that complete security or in other words securing company assets, communications, data and
infrastructure to be in place.

Enhancement of security for the organizational infrastructure companies need to deploy Cyber
security policies and secure their assets. Cyber security measures, also known as information
technology (IT) security, are designed to combat threats to networked systems and applications,
whether they come from within or outside the organization.

For this project, the author intends to re-design, secure and implement network security
infrastructure and security protocols for Marine Quest Private Limited.

Marine Quest Private Limited is one of the most recognized and well reputed companies, which
cater to the Maldivian Tourism and Fisheries Industry. The business was established in the year
2005 and has been operational since. Marine Quest is the sole distributors of ISUZU zenith
marine engines, generators and compressors in the selected Asia region. The office, showroom
and warehousing are located in the capital city of Male’.

1
1.2 Background and Motivation

Importance of Network Security

Network security is the protection of the underlying network infrastructure against unauthorized
access, misuse or theft. It includes creating a secure infrastructure for devices, applications,
users, and applications to operate on a secure continent.

In order to understand networking, we need to take a look at the OSI model. The Open Systems
Interconnect (OSI) model was developed by the International Organization for Standardization
(ISO) in 1981. It consists of seven functional layers that form the basis for computer-to-computer
communication.

Different types of security appliances and secure protocols can be deployed within the different
layers of the OSI model. And if not configured and maintained properly the security of the
network weakens on all of the levels.

Taking this to consideration the importance of having a highly strengthened (secured) network is
every network engineer or architect’s sole purpose. Networking best practices need to be
implemented within the network.

As stated by The IIA Research Foundation “Information is a significant component of most

organizations’ competitive strategy either by the direct collection, management, and
interpretation of business information or the retention of information for day-to-day business
processing. Some of the more obvious results of IS failures include reputational damage, placing
the organization at a competitive disadvantage, and contractual noncompliance. These impacts
should not be underestimated.”

(goodreads.com, 2021)

2
Today’s cyber security threat is very challenging. Attackers are constantly exploiting
vulnerabilities in applications and systems to gain access to or control sensitive information and
launch cyber-attacks, such as extortion programs.

This means building security as a key part of the development process, shifting security to the
left, and automating the infrastructure as much as possible to get rid of inefficient, time-
consuming, and costly tactics. One of the most fundamental aspects of building strong security is
maintaining a security configuration.

(cypressdatadefense.com, 2021)

Security misconfiguration is the implementation of improper security controls, for devices such
as servers or application configurations, network devices, and computers. Those lead to exposed
security vulnerabilities.

As the Network Security Engineer for the selected project the author intends to, properly
configure the network, design existing network to accommodate extra devices and additional
access points, and extend the network to the company showroom. Additionally installing all the
necessary security enhancements needed. All of the tasks mentioned, need to be secured from
potential threats and known vulnerabilities.

1.3 Problem in brief

Marine Quest Pvt Ltd is focusing on the security enhancement of existing network infrastructure
belonging to the organization and protecting the company’s existing assets and records in
addition to the expansion of their network and deploying state of the art technologies for
maximum gain and adherence.

3
1.4 Aim & Objectives

1.4.1 Aim

The project will focus on security enhancement of existing network infrastructure belonging to
Marine Quest Private Limited and protecting the company’s existing assets and records in
addition to the expansion of their network with the help of newest technologies and security
enhancement protocols.

A company must be able to trust that they have strong information security protocols initiated
and that they can protect themselves from cyber attacks and other unauthorized access and data
breaches. Poor data security can lead to the loss or theft of important data, create a bad customer
experience that can lead to loss of business and damage to reputation if the company does not
implement adequate protection of customer data and hackers take advantage of data security
holes. Solid Infosec reduces the risk of attacks on IT systems, monitors security measures to
prevent unauthorized access to sensitive data, prevents service disruptions from cyber-attacks
such as denial of service (DoS) attacks, and more.

1.4.2 Objectives

Listed below are the objectives needed to be achieved for the project:

 To introduce company’s business online via web portal.

 To analyze existing network architecture for potential security threats.
 To expand the company network for ease of operations.
 To introduce new services required to enhance cooperate performance.
 To digitize operations, which are currently done manually.
 To secure communications and expand existing connectivity methods, such as wi-fi
connectivity options.
 To install and maintain backup servers and connection options.
4
  To rid of any existing threats and vulnerabilities within the cooperate network and
educate staff regarding possible threat factors.
 To provide proper guidance in maintaining a secure environment for business operations.

1.5 Scope

The scope of this project is to update the existing network that connects the main office of
Marine Quest to showroom and go-down which are located in adjacent buildings. The main
office network will be accessed by administration department, management, accounting, sales
and engineering team. It is also within the scope that the showroom is equipped with wireless
connectivity to provide access for customers.

Following are in-scope and out-scope, which will be covered in this report:

In-scope

 Configuration of local networks for main office, showroom and go-down are done
separately and allows the staff users to communicate within the network.
 Security mechanism will be implemented, which will prevent un-authorized access to
organizations network.
 With wireless networks, internet connectivity will be provided to all customers and
clients from the showroom wireless access point.
 Network addressing scheme is developed accordingly connecting three networks to the
WAN via ISP.

5
Out of Scope

This report doesn’t include the cost analysis of procurement of mentioned devices and
peripherals required for the project.

1.6 Deliverables

The end result of the project would be a secure implementation of network infrastructure for
Marine Quest. When the implementation is completed all network resources will be
interconnected into one spanning network, this in-turn would result to fast communications and
information exchange throughout the LAN and segments segregated within the building, with the
help of latest technological enhancements.

 Gathering, analyzation, and validation of the information

 Evaluation of the alternatives and prioritization of the necessary requirements
 Examination the information needs of end-users and enhancement of the network
infrastructure
 This report includes the design of network with connectivity options for firewall and
honeypot amongst other enhancements once project is completed.

1.7 Literature Review

Cyber security

Cybersecurity is a broadly used term, whose definitions are highly variable, often subjective, and
at times, uninformative. The absence of a concise, broadly acceptable definition that captures the
multidimensionality of cybersecurity impedes technological and scientific advances by
reinforcing the predominantly technical view of cybersecurity while separating disciplines that
should be acting in concert to resolve complex cybersecurity challenges. In conjunction with an
in-depth literature review, we led multiple discussions on cybersecurity with a diverse group of
practitioners, academics, and graduate students to examine multiple perspectives of what should

6
be included in a definition of cybersecurity. (timereview.ca,
2022)

Cybersecurity is the organization and collection of resources, processes, and structures used to
protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from
de facto property rights." Articulating a concise, inclusive, meaningful, and unifying definition
will enable an enhanced and enriched focus on interdisciplinary cybersecurity dialectics and
thereby will influence the approaches of academia, industry, and government and non-
governmental organizations to cybersecurity challenges.

(timereview.ca, 2022)

Network security

Network security starts with authorization, commonly with a username and a password. Network
security consists of the provisions and policies adopted by a network administrator to prevent
and monitor unauthorized access, modification in system, misuse, or denial of a computer
network and network-accessible resources. Basically, network security involves the authorization
of access to data in a network, wh ich is controlled by the network admin. It has become more
important to pers onal computer users, and organizations. If this authorized, a firewall forces to
access policies such as what services are allowed to be accessed for network users. So that to
prevent unauthorized access to system, this component may fail to check potentially harmful
content such as computer worms or Trojans being transmitted over the network. Anti -virus
software or an intrusion detection system (IDS) help detect the malware.

(M.V. Pawar and Anuradha, 2015)

Today anomaly may also monitor the network like wire shark traffic and may be logged for
audit purposes and for later on high-level analysis in system. Communication between two hosts
using a network may be uses encryption to maintain privacy policy.

(M.V. Pawar and Anuradha, 2015)

The world is becoming more interconnected of the Internet and new networking technology.
There is a so large amount of personal, military, commercial, and government information on

7
networking infrastructures worldwide available. Network security is becoming of great
importance because of intellectual property that can be easily acquired through the internet.

(M.V. Pawar and Anuradha, 2015)

The growing need to secure data traffic has led to the development of several protocols that
provide very similar services, notably data confidentiality/integrity and lineage verification.
Examples of such protocols are IPsec, SSL/TLS and SSH. Although each protocol is based on
different assumptions regarding its usage model, implementation features, and supporting
applications, they all basically address the same problem of protecting the confidentiality and
integrity of data transmitted over an untrusted network such as the Internet.

(usenix.org, 2022)

Securing data during transport alone is not enough to build a secure network, data storage, key
management, user interface and backup security must also be taken into account as a
comprehensive data security approach. This is often overlooked, but is an essential part of a
secure system. In this article, we attempt to quantify the costs of certain mechanisms and explain
the options available to system and network architects. More specifically, we want to quantify
the efficiency effects of using different security protocols that are either widely used (e.g. SSL
and SSH) or likely to be widely used (e.g. IPsec).

(usenix.org, 2022)

8
Types of attacks on different layers of the OSI model

Figure 1: Attacks on different layers (source: Instagram)

Figure 2: Risk triangle for OSI model (source: Instagram)

The main reason network administrators have less power to protect applications at higher OSI
levels is that, in these upper layers, developers have more control over security measures. Even
so, security measures are possible at each OSI layer. Tackling security threats at every level
reduces the risk of enterprise application compromise or denial of service. Exploring
vulnerabilities and solutions at each level provides a better understanding of the issues that are

9
presented. The OSI physical layer represents physical application security, access control,
Electricity, fire, water and emergency maintenance. Many physical layer security threats cause a
Denial of service (DoS) of a business application, making the application unavailable for
business users.

The data or data link layer of the OSI model includes link security issues such as ARP Spoofing,
MAC flooding, and spanning tree attacks. Easy to change proper configurations of a switch can
help protect business applications from data layer attacks.

The network and transport layers of the OSI model is where the most widely used information
security measures take place. Routers and firewalls are implemented at this level. Threats at this
level are unauthorized retrieval of the identity of the endpoints and unauthorized use of internal
data takes place in the systems, SYN flood attacks and Ping of Death. Proper implementation of
web address translation, access control lists and firewall techniques reduce these risks. The
session and presentation layers are the lowest layers of the application set in the OSI model.

Network admins can block unauthorized persons Using login/password and unauthorized data
access which are common attacks against them levels using encryption and authentication
methods. The application layer is the last layer of the application set and the OSI model. Lots of
security is needed at this level. The protection methods are using secured applications at this
level. Backdoor attacks do happen at this level, and it is the responsibility of the network admin
to close these doors. Network admins can use the described access control methods to prevent
backdoor attacks, and such. These attacks can also be prevented by configuring tools such as
virus scanning, Antivirus guards and intrusion detection systems/intrusion prevention systems.

Common types of attacks

 Sniffing (Physical).
 Spoofing (Data-link).
 Man-in-the-middle (Network).
 Reconnaissance (Transport).
 Hijacking (Session).
 Phishing (Presentation).
 Exploits (Application).

10
Sniffing (Physical)

Packet sniffers can intercept and log many of the packets that travel over a network. This is a
dangerous power when it falls into the wrong hands, especially if sensitive data travels over the
network in an unencrypted format.

(comparitech.com, 2022)

Wiretapping is the most common analogy used to help people understand sniffing attacks. In the
old days, the police would get a technician to reroute the physical circuit so that they could listen
in on the calls of a suspected criminal and record them. By inserting themselves into the
connection, they would know everything that the criminal discusses over the phone line, and they
could use this information to build a case.

(comparitech.com, 2022)

Sniffing attacks follow very similar concepts, except with updated technology. Basically, an
attacker can insert themselves into the network, and then record all of the packets passing
through it. This can give them access to information that an organization or the users of its
network want to keep private.

Attackers may be able to use a packet sniffer to intercept data packets that contain things like
usernames, passwords and other valuable data. They could use what they learn from the sniffing
attack to take over accounts, escalate their privileges, and further penetrate into the targeted
network. This could lead to all kinds of havoc for the victims.

Attackers could also attempt to directly intercept data packets that contain valuable information
like credit card numbers and electronic protected health information. Then they could take this
information and abuse it themselves, or sell it on darknet marketplaces.

When data is sent via unencrypted protocols, it is vulnerable to sniffing attacks. These insecure
protocols include:

 HTTP

11
  POP
 SMTP
 IMAP
 TELNET
 FTP
 DNS

(comparitech.com, 2022)

Spoofing (Data-link)

Spoofing is the act of a person or a program that successfully identifies itself which is from an
unknown source as being from a known, trusted source. Spoofing can apply to emails, phone
calls, and websites, or can be more technical, such as a computer spoofing an IP address,
Address Resolution Protocol (ARP), or Domain Name System (DNS) server.

IP spoofing and ARP spoofing, in particular, may be used to leverage man-in-the-middle attacks
against hosts on a computer network. Spoofing attacks that take advantage of TCP/IP suite
protocols may be mitigated with the use of firewalls capable of deep packet inspection or by
taking measures to verify the identity of the sender or recipient of a message.

(medium.com, 2022)

Man-in-the-Middle (Network)

Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the
source or destination of a message, leaving them vulnerable cause an attacker secretly relays and
possibly alters the communications between two parties who believe that they are directly
communicating with each other.
(medium.com, 2022)

12
Reconnaissance (Transport)

In the context of cybersecurity, reconnaissance is the practice of discovering and collecting

information about a system. One of the most common techniques involved with reconnaissance
is port scanning, which sends data to various TCP and UDP (user datagram protocol) ports on a
device and evaluates the response. Some common examples of reconnaissance attacks include
packet sniffing, ping sweeping, port scanning, phishing, social engineering, and internet
information queries.
(medium.com, 2022)

Hijacking (Session)

Also known as cookie hijacking is the exploitation of a valid computer session to gain
unauthorized access to information or services in a computer system. In particular, it is used to
refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular
relevance to web developers, as the HTTP cookies used to maintain a session on many websites
can be easily stolen by an attacker using an intermediary computer or with access to the saved
cookies on the victim’s computer.

(medium.com, 2022)

These explosions can be carried out by these attacks:

 Cross-site scripting: XSS attacks enable attackers to inject client-side scripts into web
pages. It causes running codes, which is treated as trustworthy because it appears to
belong to the server, on the victim computer. It allows the attacker to obtain a copy of the
cookie or perform other operations.
 Session side jacking: where the attacker uses packet sniffing to read network traffic
between two parties to steal the session cookie.
 Malware and unwanted programs can use browser hijacking to steal a browser’s cookie
files without a user’s knowledge.

(medium.com, 2022)

13
Phishing (Presentation)

Phishing attacks are the practice of sending fraudulent messages that appear to come from a
trusted source. It is usually performed through email. The goal is to steal sensitive data like credit
card and login information or install malware on the victim’s machine. Phishing is a common
type of cyber-attack that everyone should learn about in order to protect themselves.
(medium.com, 2022)

Exploits (Application)

An exploit is a program that takes advantage of a bug or vulnerability in other systems. the cause
vulnerability may be due to bad system configuration or a bug in a specific version of software
installed on the victim system. Many exploits are designed to provide super user-level access to a
victim system or are designed to cause DoS (denial of service) or DDoS (distributed denial of
service) attacks, in which attackers can bring down a website or critical system without even
using an exploit. For an example BlueKeep is an exploitable vulnerability discovered in
Microsoft’s Remote Desktop Protocol (RDP) that can allow attackers to log in to a victim’s
computer remotely.

(medium.com, 2022)

IPsec

IPsec is a group of protocols that are used together to set up encrypted connections between
devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs,
and it works by encrypting IP packets, along with authenticating the source where the packets
come from.

Within the term "IPsec," "IP" stands for "Internet Protocol" and "sec" for "secure." The Internet
Protocol is the main routing protocol used on the Internet; it designates where data will go using
IP addresses. IPsec is secure because it adds encryption and authentication to this process.

(cloudflare.com, 2022)

14
OSPF

OSPF protocol was developed due to a need in the internet community to introduce a high
functionality non-proprietary Internal Gateway Protocol (IGP) for the TCP/IP protocol family.
The discussion of the creation of a common interoperable IGP for the Internet started in 1988
and did not get formalized until 1991. At that time the OSPF Working Group requested that
OSPF be considered for advancement to Draft Internet Standard.

The OSPF protocol is based on link-state technology, which is a departure from the Bellman-
Ford vector-based algorithms used in traditional Internet routing protocols such as RIP. OSPF
has introduced new concepts such as authentication of routing updates, Variable Length Subnet
Masks (VLSM), route summarization, and so forth. These chapters discuss the OSPF
terminology, algorithm and the pros and cons of the protocol in designing the large and
complicated networks of today.

(cisco.com, 2022)

RIP

RIP uses a distance vector algorithm to decide which path to put a packet on to get to its
destination. Each RIP router maintains a routing table, which is a list of all the destinations the
router knows how to reach. Each router broadcasts its entire routing table to its closest neighbors
every 30 seconds. In this context, neighbors are the other routers to which a router is connected
directly -- that is, the other routers on the same network segments as the selected router. The
neighbors, in turn, pass the information on to their nearest neighbors, and so on, until all RIP
hosts within the network have the same knowledge of routing paths. This shared knowledge is
known as convergence.

(techtarget.com, 2022)

If a router receives an update on a route, and the new path is shorter, it will update its table entry
with the length and next-hop address of the shorter path. If the new path is longer, it will wait

15
through a "hold-down" period to see if later updates reflect the higher value as well. It will only
update the table entry if the new, longer path has been determined to be stable.

(techtarget.com, 2022)

If a router crashes or a network connection is severed, the network discovers this because that
router stops sending updates to its neighbors, or stops sending and receiving updates along the
severed connection. If a given route in the routing table isn't updated across six successive update
cycles (that is, for 180 seconds) a RIP router will drop that route and let the rest of the network
know about the problem through its own periodic updates.

(techtarget.com, 2022)

DHCP

DHCP stands to Dynamic Host configuration protocol. Dynamic Host Configuration Protocol
(DHCP) is a client/server protocol that automatically supplies an IP host with an IP address and
other related configuration information, such as a subnet mask and default gateway. RFCs 2131
and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on the
Bootstrap Protocol (BOOTP), with which DHCP shares many implementation details. DHCP
allows hosts to obtain the necessary TCP/IP configuration information from a DHCP server.

(docs.microsoft.com, 2022)

Each device on a TCP/IP-based network must have a unique unicast IP address to access the
network and its resources. Without DHCP, the IP addresses of new computers or computers
moving from one subnet to another must be assigned manually. The IP addresses of computers
removed from the network must be restored manually.

With DHCP, this entire process is automated and managed centrally. A DHCP server maintains
IP addresses and leases an address to each DHCP-enabled client when it starts up on the
network. Because IP addresses are dynamic (leased) rather than static (permanently assigned),
addresses that are no longer in use are automatically returned to the pool for reallocation.

16
(docs.microsoft.com, 2022)

A network administrator configures DHCP servers, which maintain TCP/IP configuration

information and provide address assignments to DHCP-enabled clients in the form of a lease.

The DHCP server stores the configuration information in a database that contains:

 Valid TCP/IP configuration parameters for all clients on the network.

 Valid IP addresses maintained in a pool for clients and excluded addresses.
 Reserved IP addresses assigned to specific DHCP clients. This allows a single IP address
to be consistently assigned to a single DHCP client.
 The duration of the lease or the time that the IP address can be used before the lease is
renewed.

After accepting the lease offer, the DHCP-enabled client receives:

 A valid IP address for the subnet to connect to.

 Requested DHCP options, which are additional parameters that the DHCP server is
configured to assign to clients. Some examples of DHCP options are router (default
gateway), DNS server, and DNS domain name.

(docs.microsoft.com, 2022)

Benefits of DCHP

DHCP provides the following benefits:

Reliable IP address configuration. DHCP minimizes configuration errors caused by manual IP

address configuration, such as typographical errors, or address conflicts caused by the
assignment of an IP address to more than one computer at the same time.

 Reduced network administration. DHCP includes the following features to reduce

network administration.
 Centralized and automated TCP/IP configuration.

17
 The ability to define TCP/IP configurations from a central location.
 The ability to assign a full range of additional TCP/IP configuration values by means of
DHCP options.
 The efficient handling of IP address changes for clients that must be updated frequently,
such as those for portable devices that move to different locations on a wireless network.
 The forwarding of initial DHCP messages by using a DHCP relay agent, which
eliminates the need for a DHCP server on every subnet.

Figure 3: DHCP overview (source: researchgate.net, 2022)

18
Firewalls

Figure 4: Firewalls, how it works (source: okta.com, 2022)

A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules.

Firewalls have been a first line of defense in network security for over 25 years. They establish a
barrier between secured and controlled internal networks that can be trusted and untrusted
outside networks, such as the Internet. A firewall can be hardware, software, or both.

(cisco.com, 2022)

Software firewalls are installed separately on individual devices. They provide more granular
control to allow access to apps or features while blocking others. However, they can be resource-
intensive because they use the CPU and memory of the devices they are installed on, and
administrators must configure and manage them on a per-device basis. Additionally, not all
intranet devices may be compatible with a single software firewall, and several different
firewalls may be required.

(parallels.com, 2022)

On the other hand, hardware firewalls are physical devices that each have their own computing
resources. They act as gateways between internal networks and the Internet, keeping data packets
and traffic requests from untrusted sources outside the private network. Physical firewalls are
useful for organizations that have multiple devices on the same network. While they block

19
malicious traffic before it reaches endpoints, they do not protect against insider attacks.
Therefore, a combination of software and hardware firewalls can provide optimal protection for
your organization's network.

(parallels.com, 2022)

SNMP

SNMP (Simple Network Management Protocol) is a network protocol used to manage and
monitor networked devices in Internet Protocol networks. The SNMP protocol is embedded in a
variety of local devices such as routers, switches, servers, firewalls, and wireless access points
that can be accessed via their IP address. SNMP provides a common mechanism for network
devices to communicate management information in LAN or WAN environments of one or more
manufacturers. It is an application layer protocol according to the OSI model.

(thousandeyes.com, 2022)

Typically, the SNMP protocol is implemented using the User Datagram Protocol (UDP). UDP is
a connectionless protocol that works like Transmission Control Protocol (TCP), but assumes that
error checking and recovery services are not required. Instead, UDP continuously sends
datagrams to the recipient, regardless of whether the recipient receives them or not.

(thousandeyes.com, 2022)

SNMP Management Information Bases (MIBs for short) are data structures that define what can
be captured from a local device and what can be modified and configured. Many MIBs have
been defined by standards bodies such as the IETF and ISO, as well as by certain IT equipment
vendors such as Cisco and software vendors such as Microsoft and Oracle.

(thousandeyes.com, 2022)

20
2. Analysis

The analysis phase may include a feasibility study to determine whether the general requirements
of the project can be met within certain constraints and should culminate in the creation of a user
requirements specification. As the project progresses, the next task is to create a network design
based on the requirements specification. Network design is used as a plan for network
implementation.

In large projects, simulation and / or prototyping allow for evaluation of design aspects prior to
deployment. Network monitoring and management are ongoing processes that are necessary to
ensure the continued proper operation of the network. Design flaws or other post-implementation
problems may require additional iterations of the lifecycle.

Proper analysis was conducted with meetings and interviews with the clients prior to the design
phase of the network.

Project Requirements

There are various requirements for building a project like this, which includes hardware,
software, integration, restrictions, communication, monitoring.

To distinguish them the author has divided them into three groups. These are functional
requirements, non-functional requirements and general requirements as discussed below:

21
Functional Requirements

 Four spaces of the building should have separate local area networks. Moreover, staff
users must be able to access resources of other spaces as well.
 Security mechanism should be deployed to restrict access to outside of the office’s
networks.
 Printing services should be configured in all spaces.
 Internet connectivity should be configured for all users, who are accessing the network.

Nonfunctional requirements

 Security: Configured network for Marine Quest should have advanced security
 algorithms to prevent attacks.
 Availability: A high availability of the network is required, so users can access network
without facing any interruption in operations and access to internet.
 Scalability: The network deployed for Marine Quest is scalable, which means network
can be modified with addition of more devices to the network.

General requirements

1.1 Versatile connections

All buildings must be equipped with two or more separate and dedicated ICT channels resilience
paths. The connections between the buildings must be made using inflation fiber in
microchannels. Connections must be made between the switching centers in the same building.
Standard fiber optic cable along with Cat6 (copper wire) is to be used as requested by Marine
Quest.

22
The connections between the office floors in the building must be made schematically
Communication layouts designed by the project architect needs to be presented to Marine Quest
for preliminary approval.

Wireless Infrastructure

Showroom area will be equipped with data connections to wireless base stations (WiFi, wireless
access points) in accordance to requirements. To ensure the organization is equipped properly for
customers. The technology, the design will be provided in the network blueprint as required. All
work involving the installation, reinstallation, modification or transfer of data outlets require
outlets to be tested and re-certified. All data connections are dual RJ45 connections according to
the category 6A standard, unless previously agreed with Marine Quest and selected from the
products listed.

Connecting devices

All network infrastructure devices such as switches, routers, wireless access points, etc. Must be
only provided, installed and repaired by Marine Quest or its employees by direct agreement with
Marine Quest.
Do not use or install any switches, routers, wireless controllers, wireless access points, etc.
Contractors intended to connect or communicate with other equipment unless instructed to do so
by Marine Quest.

2. Access

The server room must be locked with the key. Keys issued to Marine Quest. Access must be by
authorized Marine Quest personnel, including
outside opening hours. Please note that this may require access routes, alerts, etc. Access to
workers other than Marine Quest staff are prohibited.
Contractor access will be agreed with Marine Quest. All the keys will be removed from the
registry and returned to Marine Quest.

23
Performance and environment

Adequate ventilation and / or cooling must be provided to maintain space. Temperature below 26
° C is optimal. Building must be equipped with a fire alarm - device to which it is connected
Marine Quests fire alarm system and optionally to all relevant property authorities System.

4. Installation

All data points must be marked and installed as described in the network blueprint diagram
provided. All horizontal cables (that is, the cables connecting the data outputs) must be made
approved products sealed in boxes and certified in accordance with the relevant standards.

The cable bundles must be fastened with Velcro or a similar cable tie to prevent cable
compression or deformation. All data cables must be the same length from the switch panel to
the outlet and must not have any connections or in-line connections other than those built into the
patch panel and room socket. No "consolidation points" may be used. For warranty reasons, the
contractor will not use cables and terminated / tested by another without the prior approval of
Marine Quest.

Installation and configuration of network equipment and firewall are to be well documented in
the final report.

Final approval of the installation requires the receipt of documents. Marine Quest staff will not
repair or prepare outlets directly until the service is finally adopted as stated above.

4.1 Office space

Each office workstation must have at least 2 dual RJ45 data connections
(i.e., four outlets).

24
4.2 Meeting and seminar facilities

Meeting room is equipped with an adequate dual data connection, telephone service, audiovisual
equipment, at least one wireless access point and more than at least one available dual data
connection at the back of the room.

This will likely include a desktop with two data outputs to support, for example, a managed
computer or a laptop connection, controller connection and telephone. Additional network
requirements may include a smart card and / or a ceiling-mounted data projector (as extended
plan) in accordance to network infrastructure specifications.

4.3 Wireless

Marine Quest design and layout requirement for data outlets that support wireless access points
are being considered with each employer requirements for new construction or renovation.

The inclusion of Dual Data Wireless Access Points is planned for the showroom and the main
office building (meeting room). Wireless access points are set up and installed wirelessly Marine
Quest is responsible for all radio operations at 2.4 GHz and 2.4 GHz

The two data sockets on the wireless base stations must either be mounted on a high wall, or
ceiling-mounted base stations are provided by the company depending on the type and model of
wireless access point planned. High quality sockets and mounting bracket locations for wall
mounting brackets about 2.3 meters above the ground, but in all situations be installed so that the
distance between the roof and both diameters is at least 270 mm data socket and mounting
bracket.

Data points for horizontal ceiling-mounted access points shall be located in a position that is
easily accessible to an authorized Marine Quest staff without special tools or equipment for the
purpose of repairs or services.

25
5. Data Connections

Rooms and other rooms must be given a final room code before dates can be entered sockets or
plasterboard. Sockets and plasterboard must not be marked in the meantime Numbers that can be
issued as needed. Self-adhesive labels are recommended.

6. Acceptance testing and documentation

The author intends to test the network and document the installation and configurations
according to client requests. Test results are to be published in the finalized report.

7. Fiber Optic Installations

Optical fibers are terminated in pairs on LC-duplex connectors mounted on patch panels. Optical
fibers must be marked accordingly. Each pair of fiber optic installations must be assembled as a
grid. As an alternative to fiber. The connections require general Tx-Rx cross-connections, that is
important since it is a requirement for the ISP providing the fiber connection.

This work shall be delegated to the internet service providers as per their requirements of
installation.

8. Paired devices

8.1 Registration

Unless otherwise stated by Marine Quest Network Operations personnel, the devices will not
connect to any part of the company network until they connect with the IP address and host name
correctly registered in the LAN database and the corresponding part of the "network" is made
available.

26
Requests for assigning IP addresses to for expansion of devices. Only the contractor who
actually installs the device can apply for registration of the device. The equipment must be
marked with the host-name provided by Marine Quest and this name must appear in all
communications. If equipment is moved or replaced, Marine Quest must be notified of the
change in location or MAC address and new or otherwise installed devices will not be connected
(reconnected) until they have been authorized. In some cases, it may be necessary to provide a
different hostname.

8.2 Prohibition Regulations

All common active network devices (routers, switches, etc.) can be used in cramped conditions.

Wi-Fi access points) will be funded by a construction / refurbishment project, but defined and /
or provided by Marine Quest. Exceptions to this are before the project is negotiated with Marine
Quest. Other special devices with a network element may be provided for contractors, but can
only be connected to the network after consultation with Marine Quest management.

All devices must be directly connected to the marine quest network outlets are to ensure that the
device does not use other devices operating at 2.4 GHz or 5 GHz.
All other devices connected to the network will be installed by a corresponding contractor in
compliance with safety and investment requirements recommended by Marine Quest and is
connected directly to a data-sockets.

9. Compliance

9.1 Compliance with Laws

All solutions must comply with applicable law(s), including, but not limited to Building
Regulations 2021(or later), in particular "Access and Use of the Building'.

9.2 Property and Network maintenance Requirements

All contractors must adhere to the qualifications of Marine Quest contractor’s requirement.

27
10. Hardware requirements

The company is responsible for the procurement of the hardware necessary as described and
detailed in the report. For the proper implementation of the network the hardware suggested
below needs to be obtained prior to the start of network implementation.

Qty Description Details

Nos. 9 Cisco switch Model: 2960-24TT
Nos. 3 Cisco routers Model: 2911
Nos. 14 (includes existing Generic Desktop systems Generic
devices)
Nos. 3 Printers Generic
Nos. 3 Servers Generic
Nos. 1 Firewall system Generic system for firewall
installation
Nos. 2 Cisco wireless routers Model: WRT 300N

Note: Existing computer systems will be refurbished and used accordingly.

28
3. Design

3.1 Design Techniques

After the analysis phase, the author has selected to work with the “bottom-up” approach to
design the network. This is an alternative approach more commonly used, that is when optimal.
Instead of focusing on applications that require the need for a new or redesigned network, this
approach usually starts lower in the OSI model and handles things like certain technologies,
protocols, network media, etc.

3.1.1 Network Design Approach

The design process starts at this level and leave the applications and services afterwards for later
consideration. After all, without the necessary equipment, the network will do nothing according
to common belief. In most cases, the bottom-up approach requires less in-depth preliminary
analysis and is easier to implement than a turnkey solution.

The application layer is the starting point, and the much-needed applications and services are
first analyzed according to their specific needs.

Bottom-up approach is seldom opted for unless deemed necessary, as it is usually based on a
number of fixes to solve problems that were not initially considered. However, for the purposes
of this project, since there is an existing network infrastructure and business processes currently
implemented, the author feels that this should be the correct way to approach. Since starting from
scratch would be more time consuming and resource hungry.

29
3.1.2 Network blueprint diagram

30
Figure 5: Network blueprint diagram (source: Author)

31
3.1.3 IP Allocations

Ip Allocation tables

Dept. Vlan no Network Ip B.cast Ip Gateway Ip Subnet mask

Admin Vlan 10 192.168.10.0 192.168.10.14 192.168.10.1 255.255.255.240
Accounts Vlan 20 192.168.10.1 192.168.10.30 192.168.10.17 255.255.255.240
6
Managemen Vlan 30 192.168.10.3 192.168.10.46 192.168.10.33 255.255.255.240
t 2
Sales Vlan 40 192.168.10.4 192.168.10.62 192.168.10.49 255.255.255.240
8
Engineering Vlan 50 192.168.10.6 192.168.10.78 192.168.10.65 255.255.255.240
4
Showroom N/A 192.168.20.0 192.168.10.25 192.168.10.1 255.255.255.240
5
Go-down N/A 192.168.30.0 192.168.30.25 192.168.30.1 255.255.255.240
5

List of usable Ip’s

Location (Dept). Usable Ip range

Admin 192.168.10.2 - 192.168.10.13
Accounts 192.168.10.18 - 192.168.10.29
Management 192.168.10.34 - 192.168.10.45
Sales 192.168.10.50 - 192.168.10.61
Engineering 192.168.10.66 - 192.168.10.77
Ip external link 9.0.0.0 - 9.0.0.254
Internal routing 10.0.0.0 -10.0.0.254
(a)
Internal routing 20.0.0.0 - 20.0.0.254
(b)
Internal routing 30.0.0.0 - 30.0.0.254
(c)

32
3.2 Network Overview

The design of the network is based off of the current existing network, which is the main office.
Enhancements are going to be made via expansion of the said network into three parts which are
main office, the showroom and go-down. The main office network would be divided into vlan
sections respective to each of the departments.

Each of these sections of the company will be assigned specific class c network range such as:
Main office network would be assigned at 192.168.10.* range
Showroom network would be assigned at 192.168.20.* range
Go-down network would be assigned 192.168.30.* range

Detailed network segmentation is provided in the previous sections of this report.

Routing protocols such as ospf and rip would be implemented into the design. In addition the
company web server will be hosted via third party service providers which is cloudbased. This
server will be secured with services from cloudflare WAF (web application firewall) service
which would provide state of the art protection against cyber attacks. The author intends to host a
honeypot to deter cyber criminals (which will be added in the final stage of the project).

Connection protocols that will be functional are ssh for administrative purposes and an ftp
service to download/upload data from respective servers. The company website would be
developed by a third party.

33
4. Network Implementation

4.1.1 Ip Allocation tables (detailed)

Figure 6: Network 1 (source: Author)

Figure 7: Network 2 (source: Author)

34
 Figure 8: Network 3 (source: Author)

Figure 9: Internal routing network 1 (source: Author)

35
Figure 10: Internal network 2 (source: Author)

Figure 11: Internal network 3 (source: Author)

36
4.1.2 Network topology design (packet tracer)

Figure 12: Packet tracer implementation of network (source: Author)

4.1.3 Configurations

VLAN Configurations

VLANs offer several advantages, such as: B. Ease of administration, limitation of broadcast
areas, reduction of broadcast traffic, and enforcement of security policies.
VLANs offer the following advantages:

 VLANs enable the logical grouping of end stations that are physically distributed in the
network.
 When users in a VLAN move to a new physical location but continue to perform the
same work task, there is no need to reconfigure endpoints for those users. Similarly,
when users change job roles, they do not need to physically move: by changing the

37
 VLAN membership of the endpoints to members of the new team, the users' endpoints
are locally connected to the new team's resources.
 VLANs reduce the need to deploy routers in the network to limit broadcast traffic.
 The packet flood is limited to the switch ports belonging to the VLAN network. Limiting
sending domains online will significantly reduce traffic.
 Limiting transmission areas prevents the End Stations of the VLAN network from
listening or receiving transmissions that are not intended for them. Also, if there is no
router connected between the VLANs, the end stations of one VLAN cannot
communicate with the end stations of other VLANs.

Office router vlan assignation

Figure 13: R3 (router 3) vlan assignation (source: Author)

38
 Figure 14: Assigned VLANs

Note: VLAN configuration has been implemented to the office segment of the network since the
other parts of the network doesn’t require VLANs as per requirements agreement.

DHCP configuration

Dynamic Host Configuration Protocol (DHCP) determines the necessary settings automatically
when the computer is connected to the network. This makes it easier to connect your computer to
the university network from any participating UR location.

Figure 15: DHCP configuration for workshop pool (source: Author)

39
 Figure 16: DHCP configuration for Showroom pool (source: Author)

Note: Office network does not require DHCP automation since the network has been configured
manually.

OSPF configurations

Open Shortest Path First (OSPF) is a link-state routing protocol that is used to find the best path
between the source and the destination router using its own Shortest Path First). OSPF is
developed by Internet Engineering Task Force (IETF) as one of the Interior Gateway Protocol
(IGP), i.e, the protocol which aims at moving the packet within a large autonomous system or
routing domain. It is a network layer protocol which works on protocol number 89 and uses AD
value 110. OSPF uses multicast address 224.0.0.5 for normal communication and 224.0.0.6 for
update to designated router (DR)/Backup Designated Router (BDR).
(geeksforgeeks.org, 2022)

Router 1 OSPF config

Figure 17: Router 1 OSPF conf (source: Author)

Router#show ip ospf interface

GigabitEthernet0/0 is up, line protocol is up

Internet address is 192.168.20.1/24, Area 0
Process ID 1, Router ID 192.168.20.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1

40
Designated Router (ID) 192.168.20.1, Interface address 192.168.20.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:01
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Serial0/0/1 is up, line protocol is up
Internet address is 20.0.0.2/8, Area 0
Process ID 1, Router ID 192.168.20.1, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:00
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1 , Adjacent neighbor count is 1
Adjacent with neighbor 192.168.30.1
Suppress hello for 0 neighbor(s)
Serial0/0/0 is up, line protocol is up
Internet address is 10.0.0.3/8, Area 0
Process ID 1, Router ID 192.168.20.1, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:01
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1 , Adjacent neighbor count is 1
Adjacent with neighbor 192.168.10.100
Suppress hello for 0 neighbor(s)

Router 2 OSPF config

Figure 18: Router 2 OSPF conf (source: Author)

41
Router#show ip ospf interface

GigabitEthernet0/0 is up, line protocol is up

Internet address is 192.168.30.1/24, Area 0
Process ID 1, Router ID 192.168.30.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.30.1, Interface address 192.168.30.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:01
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Serial0/2/0 is up, line protocol is up
Internet address is 9.0.0.2/8, Area 0
Process ID 1, Router ID 192.168.30.1, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1 , Adjacent neighbor count is 1
Adjacent with neighbor 9.0.0.3
Suppress hello for 0 neighbor(s)
Serial0/0/0 is up, line protocol is up
Internet address is 20.0.0.3/8, Area 0
Process ID 1, Router ID 192.168.30.1, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1 , Adjacent neighbor count is 1
Adjacent with neighbor 192.168.20.1
Suppress hello for 0 neighbor(s)
Serial0/0/1 is up, line protocol is up
Internet address is 30.0.0.2/8, Area 0
Process ID 1, Router ID 192.168.30.1, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02

42
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1 , Adjacent neighbor count is 1
Adjacent with neighbor 192.168.10.100
Suppress hello for 0 neighbor(s)

Router 3 OSPF config

R1#show ip ospf interface

FastEthernet0/0 is up, line protocol is up

Internet address is 192.168.10.100/28, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.10.100, Interface address 192.168.10.100
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
FastEthernet0/0.10 is up, line protocol is up
Internet address is 192.168.10.1/28, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.10.100, Interface address 192.168.10.1
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
FastEthernet0/0.20 is up, line protocol is up
Internet address is 192.168.10.17/28, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.10.100, Interface address 192.168.10.17
No backup designated router on this network

43
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
FastEthernet0/0.30 is up, line protocol is up
Internet address is 192.168.10.33/28, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.10.100, Interface address 192.168.10.33
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
FastEthernet0/0.40 is up, line protocol is up
Internet address is 192.168.10.49/28, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.10.100, Interface address 192.168.10.49
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 5/5, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
FastEthernet0/0.50 is up, line protocol is up
Internet address is 192.168.10.65/28, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.10.100, Interface address 192.168.10.65
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 6/6, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec

44
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
FastEthernet0/0.60 is up, line protocol is up
Internet address is 192.168.10.81/28, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.10.100, Interface address 192.168.10.81
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 7/7, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Serial0/0/1 is up, line protocol is up
Internet address is 30.0.0.3/8, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 8/8, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1 , Adjacent neighbor count is 1
Adjacent with neighbor 192.168.30.1
Suppress hello for 0 neighbor(s)
Serial0/0/0 is up, line protocol is up
Internet address is 10.0.0.2/8, Area 0
Process ID 1, Router ID 192.168.10.100, Network Type POINT-TO-POINT, Cost: 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 9/9, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1 , Adjacent neighbor count is 1
Adjacent with neighbor 192.168.20.1
Suppress hello for 0 neighbor(s)

45
Router 1 Ip routes

Figure 19: Router 1 ip routes (source: Author)

Router 2 Ip routes

Figure 20: Router 2 Ip routes (source: Author)

46
Router 3 Ip routes

Figure 21: Router 3 Ip routes (source: Author)

External router configs

RIP

Figure 22: Ext router rip v2 table (source: Author)

47
Ext router ip routing information

Figure 23: Ext router Ip routing table (source: Author)

(VLAN) Trunking

With a VLAN trunking, it is possible to extend the VLAN network across the network. When
implementing multiple VLANs in a network, backbone connections are required to ensure that
the VLAN signals remain properly separated so that each reaches its intended destination. It is
also more efficient because multiple VLANs can be assigned to a single port.

When these multiple VLANs are on a single port, the system must have a way to separate and
forward the signals. A trunk VLAN port always uses identifier tags to tag frames when they are
transmitted between switches. The most common trunking protocol, IEEE 802.1Q, adds a tag to
an Ethernet frame as it travels and marks it as belonging to a specific VLAN. This identifier,
which contains the Media Access Control (MAC) address, ultimately helps route the Ethernet
frame to the correct endpoint as it travels over the trunk connection and the host port.

48
 Figure 24: switch trunking details (source: Author)

DNS configurations

DNS is a record system for domain names and IP addresses that allows browsers to find the
correct IP address that matches the hostname URL entered into it. When we try to access a
website, we usually type its domain name like cdnetworks.com or wired.com or nytimes.com
into a web browser. However, web browsers need to know the exact IP addresses in order to load
content on a website. DNS translates domain names into IP addresses so that resources can be
downloaded from a website's server.

49
Sometimes websites can have multiple IP addresses corresponding to a single domain name. For
example, on large websites like Google, users make queries from servers in distant parts of the
world.

Figure 25: List of DNS records from local DNS server (source: Author)

SSH Administration

Secure Shell (SSH) is a widely accepted protocol that allows users, usually administrators, to
securely authenticate and execute commands on remote systems.

Figure 26: Enabling ssh access (source: Author)

50
 Figure 27: Shows ssh enabled on router with pass cisco (source: Author)

5. Progress review

The author would like to state that the work that has been completed according to the
requirements and analyzations of this project.

The network has been designed and implemented using cisco packet tracer software. As per
requirement, the network has been segregated into three smaller networks providing connectivity
to the wide area network (WAN). The office network has been divided to use separate VLANS
for each assigned department. Routers have been configured to assign ip addresses using DHCP
for ease of configurations. Apart from this the routers are setup in a way which requires desired
credentials for increase of security. Routing protocols such as OSPF and RIP have been
implemented for the ease of access and communications.

Servers providing database and DNS access have been added to the network as required. And
wireless access points have been enabled on both parts of the network as depicted in the design
documentation and diagrams. The internal network has been modified in accordance to the
design documentation provided in this report.

Some implementations such as installation and configuration of the firewall, adding ACL (access
control lists) to network, proper implementation of using a honeypot and network monitoring
solution via SNMP are still at the pending stage.

51
5.1 Project planning

Project planning involves the general mapping and organization of project goals, tasks,
schedules, and resources before someone assigns roles to the project and the team begins
implementing the plan. With proper project planning, you can avoid almost all the problems that
cause projects to fail.

Gannt chart

Figure 28: Gannt chart (source: Author)

Work completed

 Designing the network.

 Designing network prototype with packet tracer.
 Implementation of VLAN segregation across the office network.
 Implementation of DHCP configurations for the routers.
 Implementation of routing protocols such as OSPF and RIP.
 Minor testing of connectivity within the network infrastructure.
 Setting up SSH for administrative purposes.
 Setting up http connectivity to www.marinequest.com domain.
 Setting up FTP service for data backups within the network.
 Proper assignment of network addressing for the network.
 Setting up local DNS servers for ease of address resolutions.
 Setup of wireless access points with DHCP capabilities.

52
Further pending works

 Configuration and installation of firewall.

 Configuration of IPsec tunnel via firewall.
 Configuration and installation of Honeypot.6. Critical Review & Conclusion.
 Data backups configuration.
 Adding additional ISP route.

6.1 Closing executive summary

During the course of the individual project, the author had to perform multiple job roles and
demonstrate different skill sets through-out the project nearing towards the interim stage. Interim
Project report means that the Project Planning has been completed and the begins the design
phase (with proper approval of ‘course). The ‘Interim Project Planning Period’ means the period
during which the Interim of the Project takes effect. It is the period from execution of this
agreement until the date the Final Project Plan is agreed to by all involving parties. ‘Materials’
compiled into the report includes detailing documents about the equipment, network designs,
network blueprints (including detailed configurations) information and data stored by any means
including all copies and extracts all of which are of the same project at hand.

The emphasis on ‘The importance of proper project management’, reflects on the growing
understanding of the impact that good project management can have on a business. Good project
management is about more than just performing tasks according to timings and budgets.
Outstanding project management is important for stronger results and happier clients. These
aren’t just coincidences or side effects they’re functions of project management done properly.

Good networks communications work fast and smoothly. And with a plan in place before
enabling, you can be sure that your network is always running at high performance. This can be
observed clearly in the response time of an application and the response times between
computers within the network if you have a good network design plan to begin with.

53
Network security is one of the most important considerations when working over the Internet,
LAN or other methods, no matter how small or large your business is. Although no network is
immune from attacks, a stable and effective network security system is essential to protect
customer data. A secure network infrastructure with a proper security system helps companies
reduce the risk of falling victim to data theft and sabotage.

Network security protocols protect your workstation from harmful spyware. It also ensures that
shared data remains secure. The network's security infrastructure provides multiple layers of
protection to prevent a multitude of attacks by splitting data into multiple parts, encrypting those
parts, and sending them along independent paths, preventing incidents like eavesdropping.

In conclusion, the author would like to state that, the overall progress of this project has gone
accordingly to the plan and achieved its intended milestones in the proper timeframes. It has
demanded the author to brush off skill sets since it’s a one-man job, many roles need to be
played in order perform as a one-man-team. It was very exciting to learn new skills and
upgrading existing ones with proper upgrades as the Information Technology Industry dishes
out. This learning process in this industry or any industry would not end. It’s a circle of learning,
implementing, testing, fixing and trying for the maximum achievements.

54
6.2 Conclusion

Although the threat landscape is constantly evolving, the last few years have witnessed some
major changes in the ways that cyber criminals attack businesses, and there have been dire
consequences. With cyberattacks becoming more advanced and prevalent, it is important that all
businesses regardless of size or industry, understand the common attack methods, and have
systems and policies in place to reduce their cyber risk.

The aims and objectives required have been fully achieved up to the interim stage of the project.
Overall progress reveals that the use of proper time management proved to be very useful and
efficient, granting the author ample of time to work out the odd bits in design and
documentation. Provided that the project required the author to dive into various fields of skill
set enhancement, which was very exciting to work with. The help and support provided by our
supervisors and module leaders guidance provided a very clear path to work with the project.

Overall success rate was fully achieved and proper planning eliminated possibility of occurring
problems, and the work went smoothly as planned. There are more additional modules which
need to be implemented further along the way towards the final project submission and report. It
is the need to iron out the possible kinks in operations and enhance the security to the maximum
within the infrastructure. Further details of enhancement had been included in this report and will
be submitted in later stages.

55
References

Goodreads.com, (2022) “Cyber Security”[Online] Available

at:<https://www.goodreads.com/quotes/tag/cyber-security> [Accessed on 1 st August 2022]
Cypressdatadefence.com, (2022) “Impact of security misconfigurations” [Online] Available
at:<https://cypressdatadefense.com/blog/impact-of-security-misconfiguration/> [Accessed on 2 nd August
2022]
Netspotapp.com, (2022) “ Wifi encryption and security” [Online] Available
at:<https://www.netspotapp.com/blog/wifi-security/wifi-encryption-and-security.html#UPD> [Accessed
on 15th August 2022]
Projectmangement.com, (2022) “Prototyping” [Online] Available
at:<https://www.projectmanagement.com/contentPages/wiki.cfm?ID=233079&thisPageURL=/wikis/
233079/Prototyping#_=_> [Accessed on 2nd August 2022]
Openssh.com, (2020) “Open SSH” [Online] Available at:<http://www.openssh.com/> [Accessed on 15th
August 2022]
Computernetworkingnotes.com, (2022) “How to configure dhcp servers on cisco routers” [Online]
Available at:<https://www.computernetworkingnotes.com/ccna-study-guide/how-to-configure-dhcp-
server-on-cisco-routers.html> [Accessed on 2 nd August 2022]
Usenix.org, (2022) [Online] Available
at:<https://www.usenix.org/legacy/event/usenix02/tech/freenix/full_papers/miltchev/miltchev_html/
node1.html> [Accessed on 2nd August 2022]
Cloudflare.com, (2022) [Online] Available at:<https://www.cloudflare.com/learning/network-layer/what-
is-ipsec/> [Accessed on 2nd August 2022]
Cisco.com, (2022) “OSPF” [Online] Available at:<https://www.cisco.com/c/en/us/support/docs/ip/open-
shortest-path-first-ospf/7039-1.html> [Accessed on 3rd August 2022]
Techtarget.com, (2022) “Routing information protocols” [Online] Available
at:<https://www.techtarget.com/searchnetworking/definition/Routing-Information-Protocol> [Accessed
on 3rd August 2022]
Ssh.com, (2022) “The ssh protocol” [Online] Available at:<https://www.ssh.com/academy/ssh#the-ssh-
protocol> [Accessed on 3rd August 2022]
Hostinger.com, (2022) “SSH tutorial” [Online] Available at:<https://www.hostinger.com/tutorials/ssh-
tutorial-how-does-ssh-work#What_Is_SSH> [Accessed on 3rd August 2022]

56
Microsoft.com, (2022) “DHCP” [Online] Available at:<https://docs.microsoft.com/en-us/windows-
server/networking/technologies/dhcp/dhcp-top> [Accessed on 3 rd August]
Okta.com, (2022) “Firewall” [Online] Available at:<https://www.okta.com/identity-101/firewall/>
[Accessed on 3rd August 2022]
Parallels.com, (2022) “Types of firewalls” [Online] Available
at:<https://www.parallels.com/blogs/ras/types-of-firewalls/> [Accessed on 3 rd August 2022]
Thousandeyes.com, (2022) “Simple network management protocol” [Online] Available
at:<https://www.thousandeyes.com/learning/techtorials/snmp-simple-network-management-protocol>
[Accessed on 3rd August 2022]
Researchgate.net, (2022) “DHCP”[Online] Available at:<https://www.researchgate.net/figure/Message-
exchange-models-in-DHCP_fig1_259117702> [Accessed on 3rd August 2022]
Geeksforgeeks.org, (2022) “OSPF” [Online] Available at:<https://www.geeksforgeeks.org/open-shortest-
path-first-ospf-protocol-states/> [Accessed on 3 rd August 2022]
Timereview.ca, (2022) “Defining Cybersecurity” [Online] Available
at:<https://www.timreview.ca/article/835> [Accessed on 4 th August 2022]
Elsevier.com, (2022) “Network security types of attacks” [Online] Available
at:<https://reader.elsevier.com/reader/sd/pii/S1877050915006353?
token=F3AF405A79573294CB42D0DBDF7517EED9BDBECF5699248FB298BE3BEE340EFCDC2AB
2719A8E0DADE376261A95860578&originRegion=us-east-1&originCreation=20220805084221>
[Accessed on 4th August 2022]
Medium.com, 2022 “Attacks on various osi model layers” [Online] Available
at:<https://medium.com/@e.ahmadi/attacks-on-various-osi-model-layers-bd2fac5ab985> [Accessed on 4 th
August 2022]
Comparitech.com, (2022) “Sniffing attack” [Online] Available
at:<https://www.comparitech.com/blog/information-security/sniffing-attack/> [Accessed on 4 th August
2022]

57
Appendices

You may have several appendixes (Appendix 1, Appendix 2 or Appendix A, Appendix B) to refer to
further details related to chapters like: Technology adapted, Analysis and Design, Implementation,
evaluation, etc.

58