CV Resume of Dave Sweigert - Cyber Security Expert
Dissertation Report - Submitted
1. Hayden Hooper
COLCHESTER INSTITUTE | SHEEPEN ROAD, COLCHESTER, ESSEX
DOCUMENT BODY WORD COUNT: 8261
How can an organisation
improve network security by
implementing AAA protocols
such as RADIUS on private
IEEE 802.11 and 802.3
networks?
2. Student ID: 1400869
i
Abstract
This report investigates the potential uses for IEEE 802.1x authentication within organisations to help
improve organisational security compared to traditional authentication methods which utilised shared
keys which are commonly known. The report will also investigate existing solutions such as Access
Gateways, the benefits and disadvantages of access gateways compared to the use of RADIUS
authentication on Wired and Wireless networks.
3. Student ID: 1400869
ii
Declaration of Original work
I understand the nature of plagiarism, and I am aware of the policy set out by the University of Essex in
regard to this.
I hereby certify that this dissertation reports original work produced by myself during my individual
project, except for the following:
Note work sourced by third party authors
Signature : ______________________________
Printed : Mr Hayden Jeffrey Hooper
Date : Dated this first day of February of the year two thousand and fifteen.
Declaration of Ethical compliance
Research conducted within the report has been done in confidence and no information has been
collected and/or processed to personally identify an individual by name
1
or geolocation
2
.
Information such as MAC addresses and IP addresses (Both IPv4 and IPv6) may be present within this
report but do not relate to an implemented solution within any organisation nor in a public place.
The purpose of using this information is purely for academic purposes and does not infringe the rights
of any data subjects involved during the research of this project.
A full copy of the Ethical awareness declaration can be located within the appendix A11 of this
document.
1
In certain instances names may be replaced by a generated acronym, such as USFLMIS1. The first two
digits of the name will be country code, so in the example shown previously US = United States, The
second two digits will be State or County code, so in the example shown, FL = Florida, The third group of
two digits will be the town or city code, so in the example, MI = Miami and the remaining digits starting
with S will represent the site number. This will be randomly generated to ensure anonymity.
2
Geolocation meaning fixed location by specific address. Geolocations such as country names or codes
may be present within this report
4. Student ID: 1400869
iii
Contract of Allocation
Component Range Agreed %
Presentation of report 5% 5%
Content of report 40-50% 40%
Project Management 10% 10%
Practical implementation 10-25% 20%
Primary research 0-20% 5%
Literature research and references 10-15% 10%
Oral 10% 10%
Total 100%
Signatures
___________________________________
Supervisor – Mr Philip Cheung - Date:
___________________________________
Student – Mr Hayden Hooper – Date: 2
nd
May 2015
___________________________________
Project co-ordinator – Mrs Elizabeth Scott – Date:
H. Hooper
5. Student ID: 1400869
iv
Acknowledgements
I would like to take this opportunity to give thanks to Mr John Rawnsley (Managing Director of
RawApple Communications Ltd) who has assisted me in completing my research by providing resources
towards this research and by also allowing me to complete my coursework during working hours.
Resources provided by RawApple Communications Ltd
1x Microsoft Windows Server 2008 R2 Standard License
1x JDSU ValidatorPRO Network Certifier
1x DrayTek Vigor AP700
I would also like to extend my thanks to Mr Philip Cheung (Networks, Systems Security and CCNA
Certified Lecturer), Mr Marwan Mahassen (Workshop Supervisor (CCNA Certified Instructor and
Masters in Computer Networks)), and Mrs Elizabeth Scott (Head of Department for Business
Management and Computing at Colchester Institute) for providing support and resources which have
allowed me to complete this study.
6. Student ID: 1400869
v
Table of Contents
Abstract....................................................................................................................i
Declaration of Original work .................................................................................... ii
Declaration of Ethical compliance............................................................................. ii
Contract of Allocation ............................................................................................. iii
Acknowledgements................................................................................................. iv
Table of Contents..................................................................................................... v
List of Figures........................................................................................................ viii
1 – Introduction .......................................................................................................1
1.1 – Scope and Objectives .................................................................................................1
1.2 – Background Scenario..................................................................................................2
1.3 – The problem...............................................................................................................2
1.4 – Overview of Dissertation..................................................................................................2
2 – Literature Review ........................................................................................... 3
2.1 – Background of Wireless Technology..........................................................................3
2.1 – Previous Research ............................................................................................................4
2.2 – Previously Targeted infrastructure attacks......................................................................4
2.3 – Motives and Reasons for attacks .....................................................................................4
2.4 – The value of data..............................................................................................................4
2.5 – The problem.....................................................................................................................5
2.6 – The Question....................................................................................................................5
3 – Methodology and Design.................................................................................... 6
3.1 – Survey targeting ...............................................................................................................6
3.2 – Research flow...................................................................................................................7
3.3 – Project Methodology........................................................................................................8
3 – Technical Chapter........................................................................................... 9
4.1 – Phase 1 – Preliminary Evaluation & Infrastructure design...............................................9
4.1.1 – Review of Survey and Research ................................................................................9
4.1.2 – Definition of Aims and Objectives...........................................................................10
4.1.3 – Evaluation of Available resources ...........................................................................11
4.1.4 – Design of infrastructure ..........................................................................................11
4.1.5 – Evaluation of existing solutions...............................................................................12
4.1.6 – Justification of network design ...............................................................................13
4.2 – Phase 2 – Implementation of Infrastructure..................................................................14
4.3 – Phase 3 – Development of Infrastructure and Future Recommendations....................19
8. Student ID: 1400869
vii
A9.1.1 – Raw XML Data.......................................................................................................90
A9.1.2 – Description Raw XML Data....................................................................................90
A9.2 – Failed RADIUS Authentication request (GUI)...........................................................92
A10 – Testing of configuration................................................................................................93
A11 – Declaration of Ethical Compliance................................................................................95
A12 – Project Gantt Chart.....................................................................................................101
9. Student ID: 1400869
viii
List of Figures
List of figures included within this document are listed below
Figure 1 - Project Management Venn Diagram ...........................................................................................1
Figure 2 - Waterfall Methodology................................................................................................................8
Figure 3 - Backbone core network design..................................................................................................11
Figure 4 - Example network solution utilising an Access Gateway............................................................13
Figure 5 - Cable schedule and labelling......................................................................................................14
Figure 6 - Packet tracer diagram of network infrastructure ......................................................................15
Figure 7 - Services.msc snapin for Microsoft Management Console - WiredAutoConfig Service .............17
Figure 8 - WiredAutoConfig properties......................................................................................................17
Figure 9 - Ethernet Properties - Authentication tab ..................................................................................18
Figure 10 - Network diagram of project testing.........................................................................................42
Figure 11 - Backbone core of network design - Including IP Phone Server and Apache Webserver.........43
Figure 12 - Failed RADIUS authentication - Microsoft Event Viewer - (GUI) .............................................92
10. Student ID: 1400869
1
1 – Introduction
For my research project I will be researching around the area of Wireless network security and how
different methods of securing a Wi-Fi network can benefit an organisation when managing network
security.
The project will look at the use of AAA (Authorisation Authentication and Accounting) on business
networks, whilst taking into consideration implementation costs, ease of management and accounting
of devices and users connecting to the network infrastructure.
1.1 – Scope and Objectives
The purpose of this research project is to determine which authentication methods would be best
suited to different types of organisations, whilst at the same time taking into consideration three
factors; Cost of equipment and services, Quality of the equipment and applications, and the speed of
the system or application.
FIGURE 1 - PROJECT MANAGEMENT VENN DIAGRAM
When designing a project such as this businesses have to make a hard decision by picking two of the
three factors which comprise a project. These three factors are
1. Quality of the final product
2. Cost of the final product
3. Speed of the final product
It is impossible to create a final product which comprises of all 3 factors, so when creating a project on
behalf of an organisation businesses have to choose two of three factors to base the project on.
11. Student ID: 1400869
2
1.2 – Background Scenario
The main scenario for this project will be a small estate agents called “Great Estates Ltd”
3
who
employees 3-5 personnel, two of the employees are full time and one of the three remaining employees
work at the organisation part time as an administrative clerk. The other two remaining employees are
contractors employed by the organisation to work on the estate agents office and homes which are
managed by the estate agent.
Over the past year one employee has been dismissed for abuse of information technology systems and
for breach of the Data Protection Act 1998, Breach of the Computer Misuse Act 1990 and for breach of
contract by running a separate estate agents on the side and gaining customers through the data
obtained illegally.
The IT Service provider at the time didn’t prioritise this breach and user accounts remained active and
Wi-Fi keys were not changed. After the organisation found a new IT service provider, they discovered
the problem was much worse than initially thought. The dismissed employee had been returning to the
premises out of hours and accessing the systems using the Wireless infrastructure.
After this breach was detected passwords were immediately changed and user accounts were disabled.
1.3 – The problem
Many organisations use little or no security when implementing wireless access points due to two
factors, limited resources or limited funding. If an organisation requires Wi-Fi to be installed on a
network businesses may buy in Wi-Fi equipment and install it directly on the network without
configuring wireless security protocols such as WEP, WPA, WPA2 or WPA2 Enterprise (IEEE 802.11x).
From my personal experience, because of the costs involved with installing Wireless Access points
professionally, businesses will rather install equipment themselves (Rogue Access Points), which puts all
of the other network devices at risk and the business at risk of breaching the Data Protection Act 1998
and the Computer Misuse Act 1990. (Cisco, n.d.)
1.4 – Overview of Dissertation
This project investigates the use of IEEE 802.1x authentication on Wireless Access Points and Managed
Switches to ensure the wireless and wired network infrastructure remains secure. This report also
investigates existing solutions such as Access gateways which will provide a comparison of the two
different solutions and how each solution could benefit an organisation.
3
Note – Great Estates Ltd is a fictitious business and the business name does not relate to any
organisations with the same or similar name
12. Student ID: 1400869
3
2 – Literature Review
2.1 – Background of Wireless Technology
In 1985 the FCC (Federal Communications Commission) de-regulated the radio spectrum from 2.4Ghz to
2.5Ghz for use by the ISM (Industrial, Scientific, and Medical) communities.
This de-regulation enabled the spectrum to be used for individual, non-licensed applications. (Berg,
2011) This de-regulation enabled developers off wireless technology to design communications
technologies without the needs for costly licensing.
In the early 1990’s the IEEE (Institute of Electrical and Electronics Engineers) realised the potential of
data transfer using these de-regulated frequencies. In 1990 a new committee was established to
investigate the possibility of these frequencies for the use of data communication. (Institute of Electrical
and Electronics Engineers, 2015)
It was not until 1997 that the 802.11 standard was published. During the next two years two variations
of 802.11 were ratified. These two variations are 802.11a and 802.11b. The 802.11a variation unlike the
802.11b, utilises the 5Ghz frequency instead of the 2.4Ghz frequency which 802.11b utilises. (Berg,
2011)
The primary objective of the 802.11 committee was to provide a standard with the aim to provide a
reliable, fast, inexpensive and robust solution with wide spread acceptance.
One of the reasons for the wide spread success was its compatibility with other 802 protocols,
specifically IEEE 802.3 for Wired Ethernet networks. This compatibility enabled access points to be
implemented with direct connections to switches, routers and computers.
802.11 is very different now to what was originally designed in 1997. Speeds in the initial two variants of
802.11 (a and b) were only capable of achieving a maximum of 11Mbps for 802.11b and 54Mbps for
802.11a. (Curran & Canning, 2007)
Since the release of 802.11a and 802.11b, three additional variants of 802.11 have been released with
other variants being tested and designed. The first ratified variant of 802.11 since 802.11b was 802.11g.
802.11g was ratified on the 20
th
March 2003 by the IEEE (Institute of Electrical and Electronics
Engineers, 2015) and 802.11g is capable of providing network connectivity as speeds of up to 54Mbps.
(Curran & Canning, 2007)
802.11g like 802.11a, uses a more advanced form of modulation called OFDM (Orthogonal Frequency
Division Multiplexing), but it enables it to be used in the 2.4Ghz frequency band. The large attraction to
802.11g was its ability to provide data rates of up to 54Mbps.
In 2007 another variant of 802.11 was ratified and this variant was 802.11n. (Institute of Electrical and
Electronics Engineers, 2015) 802.11n is capable of providing network speeds exceeding 300Mbps which
is of great benefit to organisations running applications which require fast network connectivity, such as
remote desktop services and IP telephony.
In 2013 the 5
th
generation of IEEE 802.11 was ratified, this standard was published and approved by
ANSI on the 11
th
December 2013. (Institute of Electrical and Electronics Engineers, 2015). Unlike it’s
counterpart 802.11n, 802.11ac can only function using the 5Ghz frequency. Each 802.11ac access point
can provide network speeds of up to 500Mbps but by implementing a multi-station access point
configuration gigabit network speeds can be achieved. (Kassner, 2013)
13. Student ID: 1400869
4
2.1 – Previous Research
Every day business run the risk of exposing themselves to data breaches by not protecting their network
infrastructure sufficiently. In 2013 the department for Business, Innovation & Skills reported in the
executive summary of 2013 Information Security Breaches survey, the number of network security
breaches has increased significantly and smaller businesses are now becoming victims of security
breaches which have been seen by larger organisations in 2012. (Department for Business, Inovation
and Skills, 2013)
During the survey conducted by the Department for Business, Innovation and Skills, 93% of large
organisations surveyed in 2013 admitted to having at least 1 security breach in the period between
2012 and 2013. The survey was also targeted at smaller organisations, 87% of those smaller
organisations surveyed also admitted that security breaches had been detected during the period
between 2012 and 2013. This statistic showed an increase in breaches in network security of 11%, up on
the previous survey. Of those companies which were affected, on average a 50% increase was detected
on network security breaches than the previous year. (Department for Business, Inovation and Skills,
2013)
2.2 – Previously Targeted infrastructure attacks
On the 19
th
December 2013, the Target Superstores said that as many as 40 million credit card and debit
card accounts may have been compromised during Black Friday weekend through December 15, and
that information stolen included customer names, credit or debit card number, the card’s expiration
date and CVV (Card Verification Value). (Target Brands Inc, 2013) Upon further investigation by Forbes
Magazine the reality of this breach was much worse than what was initially thought. The average of end
users affected was almost double the initial report by Target and showed that up to 70 million
consumers may have been affected instead of the initial 40 million consumers. (Forbes Magazine, 2014)
This breach of security demonstrated the hacker’s ability to obtaining a mass amount of information
within such a short period of time.
As the breach was on the Black Friday event, the hack may have been targeted with pre-emptive threat
analysis being taken by the offending party, with the intent to attack during the busiest period where
millions of transactions will be processed within a 48 hour period thus gaining mass amounts of data
before the threat is detected, identified and mitigated. In the days leading up to Thanksgiving 2013,
malware was installed on Targets security and payments systems. This malware was designed to steal
every credit card used at the company’s one thousand, seven hundred and ninety seven stores within
the United States. (Business, Riley, Elgin, Lawrence, & Matlack, 2014)
2.3 – Motives and Reasons for attacks
There are many reasons for attacking a business, for example, it could be a personal vendetta against
that specific organisation for doing wrong, a targeted attack, such as that example above to obtain
information for malicious purposes; such as financial gain from profiteering from the sale of the stolen
data, or just attacking that organisation to deny others from using that service, such as DDOS attack.
2.4 – The value of data
The value of an individual piece of fluctuated between $0.10 USD to $100 USD in the black market in
2008, but in 2009 the value of each piece of data stabilised between $1 USD and $20 USD. In 2014 the
value of one thousand stolen email addresses ranged from $0.50 USD and $10 USD. This pricing is a
good incentive for hackers to sell data as they can profit very quickly on the black markets which can be
accessed using software such as Tor. (Wueest, 2014)
14. Student ID: 1400869
5
2.5 – The problem
From previous experiences with customers, employees at any level pose a risk to the network
infrastructure, authorised or unauthorised. Customers who have an IT infrastructure but do not require
a IT technician on-site sometimes leave their IT infrastructure exposed to risks, such as unauthorised
use of resources because passwords are not changed and user accounts are not disabled when an
employee leaves the organisation.
This is usually as a result of lack of understanding of how the technology works and how it can be
managed correctly to ensure maximum security and to also prevent unauthorised access of IT
resources.
An example of this could be a customer who has recently fired an employee for misconduct. If the fired
employee had previously setup devices to connect to the Wi-Fi they could then abuse the IT
infrastructure from outside the premises by using user accounts which haven’t been secured correctly
after that employee has left.
Resources such as Microsoft Windows Server 2012 R2 are becoming more common within organisations
as they are feature rich enabling organisations to utilise many features within their organisation which
they may not have had available without that resource prior to its installation and configuration.
(Microsoft Corp, 2014)
Business managers with little or no IT experience, may not completely understand the importance of
data security within their organisation, nor how to ensure that data correctly protected by ensuring
their IT infrastructure is secured.
This report will look at how businesses can ensure that computer accounts can be protected by
implementing features which are included within the Windows Server 2012 R2 operating system, and to
also ensure that resources such as Wi-Fi are secured using enterprise grade authentication.
2.6 – The Question
How can an organisation improve network security by implementing AAA protocols such as
RADIUS on private IEEE 802.11 and 802.3 networks?
This report will discover how an organisation can correctly protect their 802.11 (Wireless Infrastructure)
and their 802.3 (Cabled Network Infrastructure) by utilising server roles and features such as Microsoft’s
Active Directory and Microsoft’s Network Policy Server to authenticate users by utilising features such
as RADIUS authentication.
15. Student ID: 1400869
6
3 – Methodology and Design
3.1 – Survey targeting
Surveys are being targeted at a specific audience. The audience I have targeted are professionals in the
IT industry. This includes
IT and Telecommunication Infrastructure Engineers
Lecturers
NIS (Network Infrastructure Security) Analysts
The survey doesn’t have any specific age range set as the research will also determine whether certain
people of particular age groups go about their business with an enhanced security configuration on
their computers and other devices which connect to Wi-Fi networks.
16. Student ID: 1400869
7
3.2 – Research flow
For this project, the research will primarily be based on practical findings with additional research on
existing solutions being provided by organisations in the form of SaaS
4
. Surveys will also be distributed
to individuals working within the IT and Telecommunications industry. A blank copy of the survey which
was distributed to individuals can be located in the appendix – Section A2.
Additional research will be conducted using resources such as EBSCO Host which is provided by the
college for use by students and staff as an electronic library, containing academic papers and academic
journals.
Research will also be conducted using practical resources provided by RawApple communications Ltd
and Colchester Institute. This research will then be tested with test plans, evaluated and summarised.
Other services which are currently being provided as a hosted will also be inspected for potential use
within this scenario, and it will also compare the benefits and disadvantages of both internally hosted
solutions and externally hosted solutions.
4
SaaS – Software as a Service – This is software which is hosted by organisations and remote access is
given to organisations to use this software for a set amount each month. An example of this is Office
365. Users can access Microsoft software online but they can only access this whilst they pay for the
service.
17. Student ID: 1400869
8
3.3 – Project Methodology
Project Research
Design
Implementation
Testing
Deployment
Maintenance
FIGURE 2 - WATERFALL METHODOLOGY
For this specific project I have decided to utilise the waterfall methodology for development and testing
to determine the best infrastructure setup of this particular scenario. I feel that this method would be
best suited to this project as it allows for continuous maintenance and testing, although the project
itself can grow and can be developed to protect the infrastructure from new threats, the project cannot
end.
I personally feel that this method would be best suited to IT projects as requirements can sometimes
change after the project has been designed and implemented. This method doesn’t have much leeway
for modification but extra steps can be added to ensure the success of the project.
This project has many constraints and objectives as to what is required. Problems occur when designing
and implementing for research projects, specifically with configuration issues which occur as a result of
routing issues.
18. Student ID: 1400869
9
3 – Technical Chapter
4.1 – Phase 1 – Preliminary Evaluation & Infrastructure design
4.1.1 – Review of Survey and Research
Note: A summarised response of all responses to the survey issued can be viewed in Appendix A1.
From responses gathered from my survey, it has become clear that the respondents utilise a wide
variety of smart equipment which is capable of accessing the internet via IEEE 802.3
5
or IEEE 802.11
6
.
The majority of respondents utilised smart phones with the capability of accessing the World Wide Web
but also stated that they either didn’t know that security software; such as ESET mobile security; was
available or they knew it was available but didn’t utilise it on their mobile devices.
95% of respondents know about potential risks to their personal devices when connecting to Wi-Fi
networks. In the question following, respondents were asked “When using public WiFi access points do
you use encrypted VPN tunnels to reduce the risk of your data security being compromised?”. 23% of
respondents admitted to utilising VPN tunnels when connected to a Wireless network to help ensure
that data being transmitted over the network is protected, but this is also dependent on the security
settings of the VPN tunnel and if the VPN tunnel is utilising SSL to transmit data.
The following questions were targeted at IT Service providers working for an IT organisation.
In one of the following questions respondents were asked “How do you currently secure your wireless
access points?”. Responses which were given reflected that Wireless Access Points are secured using a
form of wireless authentication and wireless encryption. Two respondents admitted that WEP
authentication is currently being used on their access points, but this could be down to the business
utilising legacy hardware which isn’t capable of transmitting data using some of the newer
authentication and encryption protocols such as WPA or WPA2 utilising AES or TKIP encryption.
No respondents stated within this question that 802.11x were being utilised, but in the following
question asking users “In the event of a member of staff leaving your organisation, how do you ensure
your wireless network remains secure?”, some respondents stated that user accounts are disabled
where 802.11x is implemented.
Another respondent stated that another method of protecting wireless infrastructure has been used,
this method utilises identifying addresses on that system, such as MAC addresses, but it is unclear what
this system is and how it can be used to protect the wireless network from MAC address spoofing, and
whether MAC Address spoofing would grant users access to the wireless infrastructure by providing the
server with a different identity.
Respondents were then asked about the placement of the wireless access points and whether they have
been placed in strategic locations to minimise wireless overspill.
Respondents were then asked how their IT services department monitors for unauthorised network
usage. Responses varied, some respondents stated that cloud security services, such as Sophos cloud
for monitoring internet usage and blocking threats. Other respondents have stated that on-site
hardware firewalls are being utilised to filter threats and other sites utilise on-site proxy servers to filter
internet access. Another response stated that DMZs are being utilised to allow external access to the
network, but restricted to a specific set of devices, such as web servers.
In the final question, respondents were asked if Wi-FI enabled phones are being used within the
organisation. One respondent stated Wi-Fi phones were utilised within the organisation, but they were
not in a position to state how those devices authenticate with wireless access points.
5
Cabled Network Infrastructure
6
Wi-Fi Network Infrastructure
19. Student ID: 1400869
10
Other respondents have stated that IP phones are being utilised within the organisation but they are
being routed by the IEEE 802.3 LAN instead over the IEEE 802.11 WLAN.
From all of the responses, many of the respondents admitted that Wireless Access Points within the
organisation do not utilise enterprise level authentication such as 802.11x. I personally feel that all
organisations should implement this method of authentication as it provides a more robust method of
authentication which requires devices to be authenticated, users to be authorised to use the Wi-Fi, and
all authentication events to be accounted.
4.1.2 – Definition of Aims and Objectives
Below are my Aims and Objectives which I will design and test for during the course of this project. This
project will also look at the possibility of providing a remotely hosted RADIUS authentication service
which Wireless Access Points can be implemented and configured to authenticate using the remote
RADIUS server.
Design and implement a network infrastructure core which provides VLAN support and
redundancy at both the Layer 2 and Layer 3 network levels.
This objective will help ensure that the network can provide the ability to remain active in the
event of a hardware failure, such as a switch or router. This objective will also help ensure that
multiple RADIUS servers can be implemented to authenticate users in the event of a server
failure, minimising downtime.
Implement VLAN capabilities to separate Guests connecting to the DISS-GUEST SSID.
This objective will assist IT administrators in isolating the Guest wireless network from the
corporate network infrastructure by the use of Access control lists on the routers, preventing
guest users from accessing business resources.
Implement configuration on Wi-Fi Access points restricting clients connecting to the network
which haven’t been authorised.
The aim of this objective is to limit unauthorised access to internal resources by restricting
access to the DISS-INTERNAL SSID to devices which have been pre-approved within active
directory by network administrators.
Investigate the possibility of remote RADIUS server providing RADIUS authentication as a
hosted service.
The aim of this objective is to determine whether it is possible to provide remote RADIUS
authentication by forwarding ports using NAT and Port Forwarding.
Implement 802.3 authentication on switches, preventing unauthorised network access. This
setting will utilise the MAC address of the network adapters.
The aim of this objective is to also secure the wired Ethernet infrastructure using RADIUS
authentication on MAC addresses preventing unauthorised access to the network.
20. Student ID: 1400869
11
Investigate existing hosted RADIUS solutions
The aim of this objective is to investigate existing solutions which are being provided by
organisations with the sole intention to ensure that Wireless access points are being secured
using username and password authentication instead of traditional authentication methods
which utilised a shared key.
4.1.3 – Evaluation of Available resources
This project will utilise resources available at the university and limited resources which have been
provided by RawApple Communications Ltd.
Cables which have been used within this project have all been certified to gigabit speeds. Four types of
cable will be used in the implementation and configuration of this project
Straight through CAT5e cable
Crossover CAT5e cable
Cisco Rollover cable
HWIC Serial DCE to DTE cable
Other resources which will be used to complete this project
5x Dell Optiplex 760 desktop computers running Microsoft Windows XP Professional SP1 (2 GB
RAM, Intel Pentium 4 HT Processor, 80GB Hard Disk Drive)
Acer Aspire V5-575 (Microsoft Windows 8.1 Professional x64, 8GB RAM, 500GB HDD, Intel Core
i3 Processor)
4x Cisco 2901 ISR (1x HWIC Installed, 2x Gig Eth)
3x Cisco 2960 Switch (24 Fast Ethernet Ports, 2 Gigabit Ethernet Ports)
1x DrayTek Vigor AP700
1x Cisco Linksys E1700 Wireless N Gigabit Router (DDWRT Firmware)
2x Dell PowerEdge 2850 (2x 76GB HDD (RAID 0), 4x 146GB HDD (RAID 5))
o Server 1 – Running Microsoft Windows Server 2008 R2
o Server 2 – Running Asterisk IPPBX v13.3.2
1x Linux VM web server (Apache)
All CAT5e cables have been certified to gigabit speeds using the JDSU ValidatorPRO provided by
RawApple Communications for the purpose of this project. A full report for the cable test can be viewed
within the appendix A5.
4.1.4 – Design of infrastructure
For testing purposes two additional routers and an
Apache web server will be installed and configured
to simulate the internet service provider and a
website host. The amended core network design
with the additional routers and servers can be
viewed in appendix A4.
Configurations for both these additional routers
have also been included and can be viewed in
appendix A6.3 and A6.4.
FIGURE 3 - BACKBONE CORE NETWORK DESIGN
21. Student ID: 1400869
12
The network will be configured to utilise Port Address Translation to utilise a single public IP Address for
multiple internal hosts.
The design has also been created to ensure the maximum possible up-time by utilising a rapid spanning
tree protocol on the switches and at the same time combining multiple fast Ethernet interfaces using
channel groups to provide double bandwidth and redundant links between switches, so no-matter what
happens on the network, another link can take the load.
The design above also shows two additional routers and an IPPBX server. The IPPBX server has been
included on the webhost router to test the traversal of voice data on a network with multiple redundant
WAN connections.
From previous experience, voice data sometimes has trouble traversing across a network utilising VLANs
and depending on the network traffic at any given time, call quality could also be affected. (Cisco, n.d.)
4.1.5 – Evaluation of existing solutions
Existing solutions are currently available for organisations on a pay per user basis with certain
restrictions. An example of this kind of solution is NoWiresSecurity.
NoWiresSecurity provides a hosted RADIUS authentication solution for organisations which utilises the
Protected EAP authentication protocol for wireless access points.
The “AuthenticateMyWiFi™ is a hosted or cloud-based service that enables you to use the Enterprise
mode of Wi-Fi Protected Access—WPA or WP2—security for your private Wi-Fi network. The service
provides you with access to a RADIUS server, which performs the required 802.1X authentication.”
(NoWiresSecurity, n.d.)
This is a hosted solution which requires users to define the authentication server by IP along with the
passphrase to authenticate the access point.
Another authentication method which has been adopted by organisations is the use of access gateways
on networks instead of relying on RADIUS only for authentication. An example of this kind of solution is
the Aerohive Access Gateway and Access Point Manager. (Aerohive, 2015)
This system utilises either a cloud or in-house access point manager running on a 1U or VMWare
instance which controls all of the other access points which have been installed on the network.
22. Student ID: 1400869
13
Gateway Controller
Distribution Switch
Access Gateway
Internet
FIGURE 4 - EXAMPLE NETWORK SOLUTION UTILISING AN ACCESS GATEWAY
Depending on the configuration of the network this solution could make things easier for network
management and ease of access but at the same time depending on the volume of users’ access
gateways could be easily overloaded.
4.1.6 – Justification of network design
The design has been created in a way which allows administrators easy management of the network.
The design has also taken into consideration failover of routers by utilising standby IP addresses and
channel groups between the switches.
As I work closely with telephony solutions I need to determine the possible problems which could occur
as a result of implementing 802.1X on wired and wireless networks. IP telephony is being adopted very
quickly with the range of IP telephony devices being much vaster than the initial range which was
available. Softphone clients can now be downloaded to computers for free and users can utilise a
headset with a microphone instead of just using a telephone handset which is additional costs for the
organisation. An example of this kind of software is Zoiper which has mobile clients and desktop clients
with a range of editions available.
Users can then set the SIP server and use that application instead of using a physical telephone handset.
An internal RADIUS server is being utilised to enable administrators to log and manage devices
internally enabling more control over the network security. Utilising an internal RADIUS solution instead
of a hosted solution enables authentication using a solution such as NPS which integrates with
Microsoft Active Directory.
23. Student ID: 1400869
14
4.2 – Phase 2 – Implementation of Infrastructure
Implementing the core infrastructure proved to be somewhat tricky at times due to initial cable faults,
as a result of some of my fellow students being careless with the RJ45 connectors both making up the
cables and breaking off the RJ45 clips, meaning that some of the cables were unable to remain within
the Ethernet ports.
I overcame this issue by replacing the damaged clips and re-wiring and re-crimping the RJ45 ends which
had been wired incorrectly. Auto-MDIX
7
has been enabled on the switch ports meaning crossover cables
are not required for the connectivity between other switches.
Cable ID Cable Type Start Device Start Port End Device End Port
1 Straight Through - Red R1 G0/0 S1 G1/1
2 Straight Through - Red S1 F0/24 S3 F0/24
3 Straight Through – Red S1 F0/23 S3 F0/23
4 Straight Through – Red S1 F0/19 S2 F0/19
5 Straight Through – Red S1 F9/20 S2 F0/20
6 Straight Through – Red R2 G0/0 S2 G0/1
7 Straight Through – Red S2 F0/21 S3 F0/21
8 Straight Through – Red S2 F0/22 S3 F0/22
9 Straight Through – Red S2 F0/1 AD Server G0/0
10 Straight Through – Red S2 F0/3 Test PC 1 G0/0
11 Straight Through – Red S2 F0/5 Patch Panel CAB1PP1P4
12 Straight Through - Red Wall Socket N/a WAP01 N/a
13 Straight Through – Blue R1 G0/1 ISP G0/0
14 Straight Through – Blue R2 G0/1 ISP G0/1
15 Straight Through – Blue WebHost G0/0 AsteriskPBX G0/0
16 Serial – Blue ISP S0/0/0 (DCE) WebHost S0/0/0 (DTE)
FIGURE 5 - CABLE SCHEDULE AND LABELLING
The routers have been configured with standby IP addresses, meaning if a server fails, network
downtime will be minimised as the infrastructure will automatically update the configuration on each
router to bring the virtual IP Address of each interface online.
The hardware has been configured in such a way, the LAN provides a redundancy solution for the
network to ensure correct and efficient failover in the event of a router or a switch failing. The switches
have been configured with trunk links with channel groups configured with 2x FastEthernet links
between each of the routers. Rapid Spanning tree protocol has also been configured on the switches to
ensure
For security purposes both routers have been configured to use PAT
8
using a single IP address provided
by the internet service provider.
7
Auto-MDIX is a feature on switches which enables the automatic detection of particular cables.
Switches can then re-adjust the configuration for that port meaning no special cables are required,
whereas prior to this feature becoming available, switch to switch connections would have required a
crossover cable instead of a straight through cable.
8
PAT – Port Address Translation – PAT is used in the event when a single public IP address has been
provided by the ISP. One public IP address is shared by many private hosts on a single network.
24. Student ID: 1400869
15
FIGURE 6 - PACKET TRACER DIAGRAM OF NETWORK INFRASTRUCTURE
The first server has been configured as a IPPBX utilising the Asterisk IP Phone system. This has been set
up in a way so it is treated as a hosted IP telephone system. The phones are configured to utilise the IP
address of 8.0.0.14 as the SIP authentication server. The authentication port which will be used is 5060.
Due to lack of resources a SIP SoftClient has been used. During the course of this project the SoftPhone
client which will be used is called Zoiper. The purpose of including a VOIP Server in the network design is
to test whether mobile devices which utilise WiFi as the network media can still function correctly whilst
RADIUS is being utilised on the network. VOIP will also be tested using on mobile phones using the
ZOIPER software.
The second server which has been installed on port F0/1 on S2 on the LAN utilises Microsoft Windows
Server 2008 R2. This server has been configured with the following roles.
Active Directory Domain Services
Domain Name Services
Dynamic Host Configuration Protocol Services
Network Policy and Access Services
Active Directory Certificate Services
Under Microsoft Active directory two security groups have been configured, the groups are
Internal WiFi Users
This security group are users which have been trusted with access to the Wireless network on
any device. They can connect to the access points manually and authenticate as a user. This is
logged on the Windows Event viewer as either a success or failure along with the MAC address.
25. Student ID: 1400869
16
This has been demonstrated within appendix A9.2 which demonstrated that because of the
security settings defined within the Network Policy and Access Server the server rejected the
authentication as the wireless access point was using a less secure method of authentication.
In this instance it was using PEAP in conjunction with MS-CHAP
9
. (Microsoft, n.d.)
Internal WiFi Computers
This security group is for computers which have been joined to Active Directory. This method
of authentication is best suited to organisations who do not trust their end users with limited
access to the WLAN such as the method above, but accounts are authenticated using the
identifying markers on the computer instead. When computers are joined to Microsoft Active
directory the GUID of the device is recorded instead of the MAC address by default and in
some instances both identifying markers may be recorded and may be used to authenticate
the computer.
Administrators can the utilise Group policy to define specific SSID’s to connect to automatically
and the authentication methods which these utilise.
Although this is a valid method of authentication default timers configured on NPS can still pose a
security risk to the network as users can remain authenticated and authorised to use the wireless
network after their account has been disabled or deleted. (Microsoft, n.d.)
Threats to the network do not just exist on wireless network infrastructure, they also exist on the
existing Wired network infrastructure. From my personal experience one out of twenty switches which
have been installed on customers networks are unmanaged switches. When I asked the customer why
this is, they responded with “It was a cheaper solution compared to using managed switches”. Managed
switches provide more functionality compared to unmanaged switches. (Holdan, 2007)
Managed switches provide the ability to provide port based authentication. This has been configured on
the switches within the example. The authentication server has been defined as 192.168.254.100 and
the authentication port has been defined as 1812. For this project Cisco 2960 series switches have been
used.
By default the Wired Network Authentication process is disabled by default. To enable this service users
have to access the services.msc snap-in for the Microsoft Management console. Users then have to look
for the WiredAutoConfig process listed near the bottom of the list. This service then needs to be set to
Automatic start-up and then the service needs to be started so the authentication parameters can be
configured.
9
MS-CHAP is an authentication protocol built by Microsoft for use with the Microsoft NPS server. This
authentication protocol is similar to others which are used by other vendors. MS-CHAP stands for
Microsoft Challenge Handshake Authentication Protocol.
26. Student ID: 1400869
17
FIGURE 7 - SERVICES.MSC SNAPIN FOR MICROSOFT MANAGEMENT CONSOLE - WIREDAUTOCONFIG SERVICE
FIGURE 8 - WIREDAUTOCONFIG PROPERTIES
After this setting has been configured an additional tab will appear on the Network adapter
configuration page called authentication.
27. Student ID: 1400869
18
FIGURE 9 - ETHERNET PROPERTIES - AUTHENTICATION TAB
For this configuration IEEE 802.1X has been enabled and Microsoft Protected EAP or PEAP has been
selected and configured for the authentication method to be utilised by the switches.
By implementing IEEE 802.1X on the IEEE 802.3 Wired and IEEE 802.11 Wireless network infrastructure,
organisations are minimising the risks caused by unauthorised network access on both the Wireless and
Wired network infrastructure. Logging is implemented on both 802.11 and 802.3 network connections
which means that any issues caused by unauthorised network activity can be traced back to a specific
device and a specific account which the user used to authenticate themselves on the network.
During the project specific tests were performed to ensure un-interrupted network access. These tests
determined whether specific devices could access specific VLANs and other network services. A
demonstration of this is the implementation of IP Telephony on the network where the phone system is
being provided as a service. A full breakdown of tests which were conducted during this experiment can
be viewed within appendix A10.
28. Student ID: 1400869
19
4.3 – Phase 3 – Development of Infrastructure and Future
Recommendations
Network infrastructure could be further developed in the event of an organisation expanding and
opening up a separate office at a different geo-location. An example of this kind of expansion could be
the organisation opening up another branch in the next town over.
Both sites could be then linked using VPN tunnels or leased line connections. Servers could then be used
to replicate the data across the large geo-location. The network policies would also be replicated across
both sites so in the event of staff moving constantly between offices the same devices would be
authorised to use the network infrastructure if the network has been configured using the same domain
for authentication.
This method would also provide a redundant solution which will ensure minimal to no data loss in the
event of a disaster, for example if the IT core infrastructure was destroyed by a fire. In addition to this
configuration, organisations could also implement further access control list rules on the routers for all
other departments preventing users from accessing resources to which they have no right. An example
of this kind of solution would be using a generic NAS drive (Network Attached Storage) for backup.
Backups could be configured on a separate VLAN which the server farm has direct access and no
internet routed traffic can gain access.
This kind of measure would prevent unauthorised network access and would ensure that backups of the
organisations confidential data would remain secure.
29. Student ID: 1400869
20
Conclusion
In conclusion it was determined that using IEEE 802.1X for network authentication would provide a
better authentication method for ensuring network security on both the Wireless infrastructure and the
Wired Network infrastructure.
Authentication using 802.1X provides administrators with real-time logging for all devices which are
capable of using 802.1X as the authentication method. The RADIUS logging was provided on the
Windows Microsoft Event Viewer which provided administrators with detailed information on all of the
events which occurred including, RADIUS server faults, Authentication Failures, and Authentication
authorisations.
Other solutions are available which utilise an access gateway as the authentication method but this
requires access points to use little or no security. This in turn results in the network traffic using very
little encryption or no encryption in some instances, which could also in turn make it easier for hackers
to conduct man in the middle attacks on the network using access gateways instead.
802.1X improves network security by ensuring that dismissed employees are removed immediately
from the system which prevents them from accessing data remotely or by utilising wireless overspill
caused by the misplacement of wireless access points. 802.1X authentication also provides
administrators with the ability to revoke access to devices which may have been used on a network at a
specific time, an example of this kind of situation would be if a device has been stolen and has been
granted full access to the network infrastructure. Once the device has been reported as stolen the
network can be secured immediately as access can be revoked and at any time.
A disadvantage to using 802.1X is if unauthorised network access is reported, devices can remain
connected to the network until the session times out, whereas using an access gateway, sessions can be
terminated immediately as all traffic passes through that gateway before it can be used on the rest of
the network.
Access gateways cost more and sometimes require additional licensing to function. They are designed
for use by enterprises with large quantities of users but from experience this solution isn’t always stable
and if the access gateway fails users will be unable to access the wireless infrastructure until the error
has been rectified.
Comparing this to a direct RADIUS solution, network traffic is minimised as RADIUS utilised UDP which
has been proven to reduce the load on the network. Comparing RADIUS to a TAC+ solution (Cisco
Proprietary) utilises TCP which has also been proven to increase network traffic.
RADIUS provides administrators with quick access to revoke and grant access to specific users without
the need to re-configure access points and devices, whereas using authentication methods such as
WPA2 would require direct access to all devices at every site to re-configure for the new policies.
30. Student ID: 1400869
21
Recommendations
My recommendations vary for each different scenario. For the scenario which was outlined within the
introduction, I recommend implementing an in-house Active Directory server with the Routing and
remote access role installed.
For a small organisation such as this it is important that threats can be mitigated and investigated as fast
as possible, so with the right training to the management, users that are deemed a threat to the
network can be given restricted access or no accesses by adding them to a security group as outlined
within Microsoft’s Active Directory.
This solution could also then be integrated with a IPSec VPN solution in the future if users require
remote access to LAN resources, such as network shares.
For this particular scenario I would recommend implementing a single router as they only utilise a single
broadband connection, but this router must be capable of providing VLAN connections as well as
additional features such as LAN-TO-LAN VPN, Integrated Firewall, Bandwidth Monitoring, Session
Monitoring etc. An example of this kind of router would be the DrayTek Vigor 2860ac Series Router. This
router is capable of implementing VLAN’s and is also capable of providing 802.1X authentication using
the build in WiFi.
In addition to this I recommend the DrayTek Vigor P2261 PoE Switch. This is a managed switch and is
also capable of providing Power Over Ethernet. This means that if the organisation implements IP
phones, IP CCTV camera, additional Wireless access points etc, they can be powered using PoE. This will
further reduce costs to the organisation in the long run as electricians will not be required to install
additional power sockets to power additional devices which the organisation may implement in the
future to meet their growing needs.
For the server I recommend implementing the Dell PowerEdge T320 server running Windows Server
2012 R2 Standard. This server provides an ideal storage solution for a business as they can implement
and expand on their storage and services which the server can provide. Utilising the RAID configuration
within the server will ensure the system has redundancies in the event of a hard disk drive failing. The
server is capable of using multicore processors and has enough memory slots to support up to 196GB
RAM.
The server is also capable of providing up to 32Tb of data storage by utilising 2.5” Hard Disk Drives. This
server is also capable of being rack mounted, so in the event of the organisation requiring more storage
than this server can provide, the server can be rack mounted along with a RAID array and other rack
mounted equipment.
31. Student ID: 1400869
22
Evaluation
Project Evaluation
Completing this project has enabled me to discover the potential uses for RADIUS and how RADIUS
authentication could be implemented on both Wireless access points and switches to help secure a
business’s network infrastructure.
As technology is evolving at such a rapid pace, administrators are struggling to keep on top of all
network threats which could occur on a network. It is clear that a lack of understanding of the
technology and how this technology should be correctly implemented compromises the digital security
of the organisation, with organisations preferring to implement cheaper equipment because of the
cheaper prices, but at the same time this also impairs the security of the organisation as features such
as VLANs cannot be configured on devices such as unmanaged switches as manufacturers leave little or
no control over the devices making them dumb.
Gaining this insight on RADIUS authentication has enabled me to recommend this security method to
organisations instead of traditional authentication methods such as WEP, WPA, and WPA2 which
require a more direct approach to configuring and maintaining in the event of a threat being detected.
Logging using 802.1X provides organisations with legal cover which is required by organisations as
defined under the Computer Misuse Act and the Data Protection Act. Port based authentication isn’t
something which is really touched by organisations as it can sometimes be tricky to implement and in
the event of the server failing no devices are able to use network connectivity on protected ports, so
leaving the ports open mitigates that risk but then leaves active ports vulnerable to physical network
attacks by users jacking into the Ethernet socket on the wall.
Technology is becoming more sophisticated and legacy equipment is no longer able to function in the
work place. An example of this legacy IP phones which are unable to function using IPv6 networking.
This means that administrators have to implement dual stack networks to allow those devices to
function correctly without having to replace those devices.
Some legacy devices are also unable authenticate using newer authentication methods such as WPA2
and rely on WEP authentication as a minimum. This exposes an organisation to risk as WEP
authentication can be cracked easily which exposes organisations to the risk of data breaches.
Evaluation of meetings and discussions
Two formal meetings took place with Philip Cheung during this time with the purpose of enhancing the
network infrastructure to support routing and ease of management. Utilising physical hardware for this
project showed that using simulators, different problems may occur which wouldn’t occur if the project
was being designed within a network simulator, such as Cisco Packet Tracer or GSN3. An example of
kind of problem which I experienced was the Ethernet cables which were not made up correctly or
Ethernet cables which required replacement clips before they could be used within the rack for the
purpose of this dissertation.
Evaluation of project planning
This project as an overall final product completed on time even though there were a few delays as a
result of students or staff disconnecting the Ethernet cables, serial cables and erasing the configurations
on the equipment.
This set back took a total of 12 hours including breaks to amend. The project remained within the
timeframe which was initially set out even with the unexpected interruptions. A breakdown of the
project in the form of a Gantt chart can be viewed within appendix A12.
32. Student ID: 1400869
23
References
Aerohive. (2015). HiveManager - On Premises. Retrieved from Aerohive:
http://www.aerohive.com/products/cloud-services-platform/hivemanager-onpremises
Berg, J. (2011). The IEEE 802.11 Standardization Its History, Specifications, Implementations and Future.
Fairfax, VA: George Manson University.
Business, B., Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Missed Alarms and 40
Million Stolen Credit Card Numbers: How Target Blew It. United States: Bloomberg. Retrieved
04 19, 2015, from Bloomberg Business: http://www.bloomberg.com/bw/articles/2014-03-
13/target-missed-alarms-in-epic-hack-of-credit-card-data
Cisco. (n.d.). Quality of Service for Voice Over IP. Retrieved from Cisco:
http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/qos_solutions/QoSVoIP/QoSVoIP.h
tml#wp1015329
Cisco. (n.d.). Rogue Access Point Detection. Retrieved from Cisco:
http://www.cisco.com/assets/sol/sb/AP541N_Emulators/AP541N_Emulator_v1.9.2/help_Rogu
e_AP_Detection.htm
Curran, K., & Canning, P. (2007). Wireless Handheld Devices Become Trusted Network Devices.
Information Systems Security, 134-146.
Department for Business, Inovation and Skills. (2013). Executive Summary. 2013 Information Security
Breaches Survey. United Kingdom: Department for Business, Inovation and Skills.
Forbes Magazine. (2014, January 10). Target data breach spilled info on as many as 70 million
customers. Retrieved from Forbes Magazine:
http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-
as-many-as-70-million-customers/
Holdan, A. (2007). Unmanaged versus Managed Switches . (S. Pereira, Interviewer) Cisco. San Jose.
Retrieved from
http://www.cisco.com/c/dam/en/us/products/switches/networking_solutions_products_gene
riccontent0900aecd806c7afe.pdf
Institute of Electrical and Electronics Engineers. (2015, 03 17). OFFICIAL IEEE 802.11 WORKING GROUP
PROJECT TIMELINES. Retrieved from IEEE 802 LAN/MAN Standards Committee:
http://www.ieee802.org/11/Reports/802.11_Timelines.htm
Kassner, M. (2013, June 26). Cheat Sheet - What you need to know about 802.11ac. Retrieved from
TechRepublic: http://www.techrepublic.com/blog/data-center/cheat-sheet-what-you-need-to-
know-about-80211ac/
Microsoft. (2015). Internet Authentication Service and Network Policy Server. Retrieved from Microsoft
Developer Network (MSDN): https://msdn.microsoft.com/en-
us/library/bb892033(v=vs.85).aspx
Microsoft Corp. (2014, March 5). Server Roles and Technologies in Windows Server 2012 R2 and
Windows Server 2012. Retrieved from Technet - Microsoft: https://technet.microsoft.com/en-
us/library/hh831669.aspx
Microsoft. (n.d.). MS-CHAP v2. Retrieved from Technet: https://technet.microsoft.com/en-
us/library/cc957983.aspx
Microsoft. (n.d.). Network Policy Settings Properties. Retrieved from Technet:
https://technet.microsoft.com/en-gb/library/cc772474(v=ws.10).aspx
33. Student ID: 1400869
24
NoWiresSecurity. (n.d.). AuthenticateMyWiFi. Retrieved from NoWiresSecurity:
http://www.nowiressecurity.com/#!hosted-cloud-radius-8021x-service/c1739
Target Brands Inc. (2013, December 19). Target Confirms Unauthorized Access to Payment Card Data in
U.S. Stores. Retrieved from Target: http://pressroom.target.com/news/target-confirms-
unauthorized-access-to-payment-card-data-in-u-s-
stores?_ga=1.40346594.1362588787.1429451538
Wi-Fi Alliance. (n.d.). Who We Are. Retrieved from Wi-Fi Alliance: http://www.wi-fi.org/who-we-are
Wueest, C. (2014, December 10). Underground black market: Thriving trade in stolen data, malware,
and attack services. Symantec official blog. Retrieved 04 19, 2015, from
http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-
data-malware-and-attack-services
34. Student ID: 1400869
25
Glossary
Below is a glossary of commonly used words, abbreviations or phrases which have been used within this
document and the context of which these words were used.
Word / Phrase Context
Server A computer providing a range of services to clients connecting to it. This
is a physical computer with large quantities of storage, memory and
processing power. This is a computer which isn’t used by an end user and
remains in the background processing incoming requests.
Service This is a piece of software installed on a server to provide a specific
service to an end user. An example of this could be the NPS service
installed on Windows Server 2012 R2, providing RADIUS authentication.
Wi-Fi Wi-Fi meaning the radio frequency in which network communication is
achieved
Access Point This is how users can physically connect to the cabled network. This does
not include Wireless Access Points
Wireless Access Points This is the device which users will use to connect to the network using
radio frequencies, in this report using Wi-Fi as the medium
RADIUS RADIUS is the service which has been installed on Windows Server which
is the authentication server to the WPA2-Enterprise enabled Wireless
Access Points. RADIUS is a fast and lightweight authentication protocol
which utilises UDP as its transport method.
R: Remote
A: Access
D: Dial
I : In
U: User
S : Service
TACACS
TAC+
TACACS or TAC+ is a Cisco proprietary authentication protocol which
utilises TCP compared to RADIUS which utilises the UDP protocol.
T : Terminal
A : Access
C : Controller
A : Access
C : Control
S : System
Rollover cable Rollover cables are used to configure routers and switches of different
varieties. These cables connect to the serial interface on a computer and
connect directly to switches and routers using the console Ethernet port.
35. Student ID: 1400869
26
Wireless Overspill Wireless Overspill occurs as a result of a Wireless access point not being
placed in strategic locations, for example, up against exterior walls which
means that Wi-Fi signal is being broadcast outside of the premises.
Hackers can then use this overspill to attack the network out of hours by
positioning themselves outside of the premises.
DMZ Demilitarised Zones are utilised within organisations to restrict external
network access to a specific network range or a specific network device.
Internal resources have the ability to access other resources on the
network, but users connecting via the DMZ cannot connect directly to
other internal resources.
An example of a server which would be placed in a DMZ would be the
user interface for Microsoft Exchange Server.
ACL
Access Control Lists
Access control lists are configured on routers to restrict or permit traffic
flow. An example of this could be the IT services department can access
all networks configured on the router, but all other departments are
unable to access resources such as the printers management user
interface directly.
NAT
Network Address
Translation
Network address translation is commonly used with IPv4 because of the
lack of IPv4 addresses. NAT is used to modify data packets with the IP
address which has been assigned to the router by the internet service
provider. The most common configuration for NAT is Overload as one IP
address is configured to serve many hosts on a LAN.
All devices connecting to the internet through the LAN will use that one
public IP address and data will be re-routed back to the host based on the
header information of the packet received.
Port Forwarding Port forwarding is the method of forwarding a single or a range of ports
on the router to a specific host. Users connect to the router using the
public IP address which then forwards traffic based on the defined rules
set out by the administrator.
36. Student ID: 1400869
27
Appendix
A1 – Survey Response Summary - Network & Infrastructure security
A1.1 - Welcome
A1.2 - Questions for Individuals
1. What gender are you
Response
Percent
Response
Total
1 Male 76.19% 16
2 Female 23.81% 5
3 Prefer not to say 0.00% 0
answered 21
skipped 0
2. What age range do you fall under
Response
Percent
Response
Total
1 18 and Under 0.00% 0
2 19 - 21 9.52% 2
3 22 - 25 38.10% 8
4 26 - 30 4.76% 1
5 31 - 40 14.29% 3
6 40 - 60 28.57% 6
7 60 + 4.76% 1
8 Prefer not to say 0.00% 0
answered 21
skipped 0
37. Student ID: 1400869
28
3. Which devices do you own which use WiFi technology to communicate with a
network infrastructure to gain access to the internet?
Yes No
Response
Total
Smart Television
52.4%
(11)
47.6%
(10)
21
Mobile Phone
95.2%
(20)
4.8%
(1)
21
Tablet
100.0%
(21)
0.0%
(0)
21
Phablet (Large mobile phone crossed tablet)
14.3%
(3)
85.7%
(18)
21
Netbook
14.3%
(3)
85.7%
(18)
21
Notebook/Laptop
85.7%
(18)
14.3%
(3)
21
PDA
4.8%
(1)
95.2%
(20)
21
Desktop Computer
81.0%
(17)
19.0%
(4)
21
Hand held games console
33.3%
(7)
66.7%
(14)
21
Large games console (E.g. X-BOX 360 and Up, Playstation 3
and up)
52.4%
(11)
47.6%
(10)
21
answered 21
skipped 0
Matrix Charts
3.1. Smart Television
Response
Percent
Response
Total
1 Yes 52.4% 11
2 No 47.6% 10
answered 21
38. Student ID: 1400869
29
3.2. Mobile Phone
Response
Percent
Response
Total
1 Yes 95.2% 20
2 No 4.8% 1
answered 21
3.3. Tablet
Response
Percent
Response
Total
1 Yes 100.0% 21
2 No 0.0% 0
answered 21
3.4. Phablet (Large mobile phone crossed tablet)
Response
Percent
Response
Total
1 Yes 14.3% 3
2 No 85.7% 18
answered 21
3.5. Netbook
Response
Percent
Response
Total
1 Yes 14.3% 3
2 No 85.7% 18
answered 21
3.6. Notebook/Laptop
Response
Percent
Response
Total
1 Yes 85.7% 18
2 No 14.3% 3
answered 21
3.7. PDA
Response
Percent
Response
Total
39. Student ID: 1400869
30
3.7. PDA
Response
Percent
Response
Total
1 Yes 4.8% 1
2 No 95.2% 20
answered 21
3.8. Desktop Computer
Response
Percent
Response
Total
1 Yes 81.0% 17
2 No 19.0% 4
answered 21
3.9. Hand held games console
Response
Percent
Response
Total
1 Yes 33.3% 7
2 No 66.7% 14
answered 21
3.10. Large games console (E.g. X-BOX 360 and Up, Playstation 3
and up)
Response
Percent
Response
Total
1 Yes 52.4% 11
2 No 47.6% 10
answered 21
4. Are you aware that using WiFi access points could potentially expose your
device to threats if the correct configuration isn't used by the network provider?
Response
Percent
Response
Total
1 Yes 95.24% 20
2 No 4.76% 1
answered 21
skipped 0
40. Student ID: 1400869
31
5. When using public WiFi access points do you use encrypted VPN tunnels to
reduce the risk of your data security being compromised.
Response
Percent
Response
Total
1 Yes 23.81% 5
2 No 76.19% 16
answered 21
skipped 0
6. Do you utilise security software on your computer, such as software firewalls and
antivirus protection to help reduce the risk of your computer becoming a victim of
hacking.
Response
Percent
Response
Total
1 Yes 95.24% 20
2 No 4.76% 1
answered 21
skipped 0
7. Do you utilise mobile security software on mobile phones and tablets to help
protect those devices?
Response
Percent
Response
Total
1 Yes 42.86% 9
2 No 47.62% 10
3
Didn't know mobile security
software was available
9.52% 2
answered 21
skipped 0
8. Do you have any say about the security of the Wireless networks you use, for
example connecting personal devices to a business network or connecting
personal devices to your internet at home?
41. Student ID: 1400869
32
Response
Percent
Response
Total
1 Yes 71.43% 15
2 No 14.29% 3
3 Do not know 14.29% 3
answered 21
skipped 0
A1.3 – Questions for Organisations and IT Professionals
9. How many employees work within your organisation
Response
Percent
Response
Total
1 1 - 10 40.00% 6
2 10 - 20 0.00% 0
3 20 - 50 6.67% 1
4 50 - 100 13.33% 2
5 100 + 26.67% 4
6 Prefer not to say 13.33% 2
answered 15
skipped 6
10. How do your currently secure your wireless access points?
Response
Percent
Response
Total
1
No Wireless protection
implemented
0.00% 0
2 WEP Authentication 13.33% 2
3 WPA Authentication 6.67% 1
4 WPA2 Authenication 46.67% 7
42. Student ID: 1400869
33
10. How do your currently secure your wireless access points?
Response
Percent
Response
Total
5
MixedAuthentication (WPA +
WPA2 (AES/TKIP))
26.67% 4
6
802.11x Authentication utilising
RADIUS
0.00% 0
7
802.11x Authentication using
Access Gateway with
Authentication webpage
0.00% 0
8 Other (please specify): 6.67% 1
answered 15
skipped 6
Other (please specify): (1)
1 20/03/15 4:47PM
ID: 17216308
I am not an IT technician so cannot answer this question
11. In the event of a member of staff leaving your organisation, how do you ensure
your wireless network remains secure
Response
Percent
Response
Total
1 Wireless Keys are not changed 26.67% 4
2
Wireless Keys are changed on
Wireless access points manually
33.33% 5
3
Wireless Keys are changed on
Wireless access points remotely
using software such as DrayTek
ACS-SI management platform
0.00% 0
4
User accounts are disabled on
the network infrastructure where
802.11x is implemented
20.00% 3
5 Other (please specify): 20.00% 3
answered 15
skipped 6
Other (please specify): (3)
43. Student ID: 1400869
34
11. In the event of a member of staff leaving your organisation, how do you ensure
your wireless network remains secure
Response
Percent
Response
Total
1 20/03/15 4:42PM
ID: 17215958
Not Applicable
2 20/03/15 4:47PM
ID: 17216308
Have no idea as I am not in IT systems
3 22/03/15 11:35AM
ID: 17458692
All WIreless is MAC address specific. The the addresses are removed from the
database.
12. Wireless access points are of great benefit to organisations who utilise mobile
devices such as tablets and laptops, but at the same time this exposes a network to
other threats which may go un-noticed because wireless access points are placed
in "Vulnerable" places, Vulnerable meaning they can be accessed physically by any
member of staff, or they broadcast outside of the business premises. If you have
implemented access points in your organisation, were they placed strategically with
or were they placed in the area which they were required without prior planning.
Response
Percent
Response
Total
1 Open-Ended Question 100.00% 11
1 20/03/15 3:00PM
ID: 17203729
We choose the correct places to install our wireless access points based on
range and reliability.
2 20/03/15 4:42PM
ID: 17215958
Strategically
3 20/03/15 4:47PM
ID: 17216308
They have been placed in the corridors outside classrooms
4 20/03/15 6:19PM
ID: 17225360
office is small. only one required.
5 21/03/15 2:30PM
ID: 17305001
Unfortunately, I don't have a certain answer to this question, but I think Access
points are distributed internally throughout the premises to provide services to
the areas not covered by physical medium, such as restaurants and cafés, or to
provide alternative options to users, who prefer using their laptops and mobiles.
6 22/03/15 11:35AM
ID: 17458692
wireless points placed dependent on organisational unit on each floor.
7 22/03/15 12:08PM
ID: 17462581
No prior planning except making sure the whole building could access
8 22/03/15 3:06PM
ID: 17478958
Wirless AP's installed in strategic locations to offer a meshed network, all running
dd-wrt with local reset button disabled in config for security.
9 23/03/15 8:51AM They were placed in vulnerable areas without regard for security.
44. Student ID: 1400869
35
12. Wireless access points are of great benefit to organisations who utilise mobile
devices such as tablets and laptops, but at the same time this exposes a network to
other threats which may go un-noticed because wireless access points are placed
in "Vulnerable" places, Vulnerable meaning they can be accessed physically by any
member of staff, or they broadcast outside of the business premises. If you have
implemented access points in your organisation, were they placed strategically with
or were they placed in the area which they were required without prior planning.
Response
Percent
Response
Total
ID: 17546157
10 23/03/15 1:32PM
ID: 17613228
Before my time off employment, have given recommendations.
11 25/03/15 11:51AM
ID: 17926246
strategically
answered 11
skipped 10
13. How do you monitor for unauthorised usage on the network. This includes
usage outside of the organisations IT policy or abuse of IT systems, e.g. Members
of staff accessing pornographic material on site and users trying to authenticate
with dud credentials
Response
Percent
Response
Total
1 Open-Ended Question 100.00% 11
1 20/03/15 3:00PM
ID: 17203729
For internet protection we use Sohpos cloud and policies on our firewall. We
have a policy in place (written and signed) about abusing the IT systems. If staff
have to take equipment home, it has to be inspected before and after with a
signed contract from both parties.
2 20/03/15 4:42PM
ID: 17215958
We don't.
3 20/03/15 4:47PM
ID: 17216308
There is a firewall in place which blocks any unauthorised usage.
4 20/03/15 6:19PM
ID: 17225360
all staff actions logged, use of ids/ips and firewall .
5 21/03/15 2:30PM
ID: 17305001
I am not sure what the organisation has implemented in place, but I think a
network monitoring software, Access Control List + logs have been implemented
to identify users trying to misuse the system.
6 22/03/15 11:35AM
ID: 17458692
Each site has a firewall, blocking all traffic exept that which is officially requested
and business justified, we have DMZs for external access to the network so that
only internal traffic is allowed access to the main network except for VPN, and 2
blue coat proxy servers to prevent unauthorised access to sites etc.
45. Student ID: 1400869
36
13. How do you monitor for unauthorised usage on the network. This includes
usage outside of the organisations IT policy or abuse of IT systems, e.g. Members
of staff accessing pornographic material on site and users trying to authenticate
with dud credentials
Response
Percent
Response
Total
7 22/03/15 12:08PM
ID: 17462581
I don't really though I may notice if there was an unrecognisable device attached
8 22/03/15 3:06PM
ID: 17478958
All stations are locked to a mac address list, squid transparent proxying for
monitoring of usage.
9 23/03/15 8:51AM
ID: 17546157
No idea.
10 23/03/15 1:32PM
ID: 17613228
ISP proxy filter.
11 25/03/15 11:51AM
ID: 17926246
Firewall content filtering
answered 11
skipped 10
14. Does your organisation utilise WiFi enabled IP Phones. If yes how do you
overcome issues with regards to device authentication when they connect to the
wireless access points. Please note: this does not include DECT phones with
Separate base stations
Response
Percent
Response
Total
1 Open-Ended Question 100.00% 11
1 20/03/15 3:00PM
ID: 17203729
We don't use wireless phones.
2 20/03/15 4:42PM
ID: 17215958
No
3 20/03/15 4:47PM
ID: 17216308
Have no knowledge of this.
4 20/03/15 6:19PM
ID: 17225360
no, ip phones are wired.
5 21/03/15 2:30PM
ID: 17305001
I think yes, the organisation utilise WiFi enabled IP Phones, but have no idea
about issues related to device authentication, because I am not in the position
where I can follow these issues.
6 22/03/15 11:35AM
ID: 17458692
no. All phones are routed via the LAN.
46. Student ID: 1400869
37
14. Does your organisation utilise WiFi enabled IP Phones. If yes how do you
overcome issues with regards to device authentication when they connect to the
wireless access points. Please note: this does not include DECT phones with
Separate base stations
Response
Percent
Response
Total
7 22/03/15 12:08PM
ID: 17462581
No
8 22/03/15 3:06PM
ID: 17478958
No
9 23/03/15 8:51AM
ID: 17546157
No my organization does not utilize WIFI enabled IP Iphones.
10 23/03/15 1:32PM
ID: 17613228
No.
11 23/04/15 7:44PM
ID: 20223100
no
answered 11
skipped 10
47. Student ID: 1400869
38
A2 – Blank Survey - Network & Infrastructure security
A2.1 - Page 1 – Welcome
Thank-you for taking this time to complete my survey.
All responses towards this survey will be 100% anonymous and responses cannot be used to identify
you as an individual or as an organisation.
Responses from this survey will be used to go towards my dissertation for my Bachelors Degree in
Computing solutions.
This survey will be investigating your use of wireless technology and what security precautions you
implement and use when connected to wireless networks. There will be two sections to this survey, the
first set of responses will be for individual responses as in 'You' as an entity.
The second section will be investigating business use of wireless technology to manage network users
who utilise Wireless networking for business use. Again information will be collected but will not be
published or released identifying an individual or an organisation.
Please note: IP Addresses and other identifiable information will NOT be collected during this survey
Your time is very much appreciated and your response will be invaluable towards my dissertation
To continue please click next
A2.2 - Page 2: Questions for Individuals
Q1. What gender are you
Male / Female / Prefer not to say
Q2. What age range do you fall under
18 and Under / 19 – 21 / 22 – 25 / 26 – 30 / 31 – 40 / 40 – 60 / 60+ / Prefer not to say
A2.3 - Page 3: Questions for Individuals
Q3. Which devices do you own which use WiFi technology to communicate with a network infrastructure to gain
access to the internet?
Yes No
Smart Television O O
Mobile Phone O O
48. Student ID: 1400869
39
Q3. Which devices do you own which use WiFi technology to communicate with a network infrastructure to gain
access to the internet?
Tablet O O
Phablet (Large mobile phone crossed tablet) O O
Netbook O O
Notebook/Laptop O O
PDA O O
Desktop Computer O O
Hand held games console O O
Large games console (E.g. X-BOX 360 and Up, Playstation 3 and up) O O
Q4. Are you aware that using WiFi access points could potentially expose your device to threats if the correct
configuration isn't used by the network provider?
Yes / No
Q5. When using public WiFi access points do you use encrypted VPN tunnels to reduce the risk of your data
security being compromised.
Yes / No
Q6. Do you utilise security software on your computer, such as software firewalls and antivirus protection to help
reduce the risk of your computer becoming a victim of hacking.
Yes / No
Q7. Do you utilise mobile security software on mobile phones and tablets to help protect those devices?
Yes / No / Didn’t know mobile security software was available
49. Student ID: 1400869
40
Q8. Do you have any say about the security of the Wireless networks you use, for example connecting personal
devices to a business network or connecting personal devices to your internet at home?
Yes / No / Do not know
A2.4 - Page 4: Questions for Organisations
These questions should be answered by IT Administrators in a position where they are allowed to
respond to surveys of this type.
Please note: No information will be disclosed to any 3rd parties and responses are treated as
anonymous. No information will be collected to disclose yourself as an individual or as an organisation.
Q9. How many employees work within your organisation
1 – 10 / 10 – 20 / 20 – 50 / 50 – 100 / 100+ / Prefer not to say
Q10. How do your currently secure your wireless access points?
No Wireless protection implemented / WEP Authentication / WPA Authentication / WPA2 Authentication /
Mixed Authentication (WPA + WPA2(AES/TKIP)) / 802.11x Authentication utilising RADIUS / 802.11x
Authentication using Access Gateway with Authentication webpage / Other (please specify)
Q11. In the event of a member of staff leaving your organisation, how do you ensure your wireless network
remains secure
Wireless keys are not changed / Wireless keys are changed on Wireless Access points manually / Wireless keys
are changed on Wireless access points remotely using software such as DrayTek ACS-SI Management platform /
User accounts are disabled on the network infrastructure where 802.11x is implemented / Other (Please Specify)
Q12. Wireless access points are of great benefit to organisations who utilise mobile devices such as tablets and
laptops, but at the same time this exposes a network to other threats which may go un-noticed because wireless
access points are placed in "Vulnerable" places, Vulnerable meaning they can be accessed physically by any
member of staff, or they broadcast outside of the business premises. If you have implemented access points in
your organisation, were they placed strategically with or were they placed in the area which they were required
without prior planning.
Open Question
50. Student ID: 1400869
41
Q13. How do you monitor for unauthorised usage on the network. This includes usage outside of the
organisations IT policy or abuse of IT systems, e.g. Members of staff accessing pornographic material on site and
users trying to authenticate with dud credentials
Open Question
Q14. Does your organisation utilise WiFi enabled IP Phones. If yes how do you overcome issues with regards to
device authentication when they connect to the wireless access points. Please note: this does not include DECT
phones with Separate base stations
Open Question
51. Student ID: 1400869
42
A3 – Practical Network Design – NOTE CONFIGURATION LOCATION IN APPENDIX
Below is the network layout which will be used during the research project. Other details such as Rapid Spanning Tree Protocol will be used within the project and full
configuration breakdowns of the routers and switches can be located within the appendix.
FIGURE 10 - NETWORK DIAGRAM OF PROJECT
TESTING
R1 R2
S1
S3
S2
DISS-AD01
DISS-AP02
DISS-AP01
DISS-SALES-01DISS-ACCNTS-01
DISS-MGMT-01
Wireless Access Points
3 SSIDs Each
SSID 1: DISS-IT-SERVICES
Auth: WPA2 Enterprise (802.11x)
Visible: Hidden
VLAN Tag: 103
SSID 2: DISS-INTERNAL
Auth: WPA2 Enterprise (802.11x)
Visible: True
VLAN Tag: 104
SSID 3: DISS-GUEST
Auth: WPA2 Personal
Visible: True
VLAN Tag: 105
VLAN Configurations
VLAN 100 – Accounts Dept
VLAN 101 – Sales Dept
VLAN 102 – Management Dept
VLAN 103 – IT Services
VLAN 104 – Internal WiFi
VLAN 105 – Guest WiFi
VLAN 254 – Server Farm
VLAN 255 – Management VLAN
Internet
Router Configurations
Both routers on Hot Standby
Standby IP VLAN 100: 192.168.100.1/24
Standby IP VLAN 101: 192.168.101.1/24
Standby IP VLAN 102: 192.168.102.1/24
Standby IP VLAN 103: 192.168.103.1/24
Standby IP VLAN 104: 192.168.104.1/24
Standby IP VLAN 105: 192.168.105.1/24
Standby IP VLAN 254: 192.168.254.1/24
Standby IP VLAN 255: 192.168.255.1/24
R1
Standby IP VLAN 100: 192.168.100.2/24
Standby IP VLAN 101: 192.168.101.2/24
Standby IP VLAN 102: 192.168.102.2/24
Standby IP VLAN 103: 192.168.103.2/24
Standby IP VLAN 104: 192.168.104.2/24
Standby IP VLAN 105: 192.168.105.2/24
Standby IP VLAN 254: 192.168.254.2/24
Standby IP VLAN 255: 192.168.255.2/24
R2
Standby IP VLAN 100: 192.168.100.3/24
Standby IP VLAN 101: 192.168.101.3/24
Standby IP VLAN 102: 192.168.102.3/24
Standby IP VLAN 103: 192.168.103.3/24
Standby IP VLAN 104: 192.168.104.3/24
Standby IP VLAN 105: 192.168.105.3/24
Standby IP VLAN 254: 192.168.254.3/24
Standby IP VLAN 255: 192.168.255.3/24
52. Student ID: 1400869
43
A4 – Practical Network Design – Backbone Core
FIGURE 11 - BACKBONE CORE OF NETWORK DESIGN - INCLUDING IP PHONE SERVER AND APACHE
WEBSERVER
G0/1 – G0/0
G0/2 – G0/0 G0/2 – G0/0F0/24 – F0/24
F0/23 – F0/23
G0/0–G0/1
G0/0–G0/1
G0/0–G0/0
S1 S2
S3
Asterisk
IPPBX
Server
R1 R2
ISP
WEBHOST
Windows
Server
Apache
Web
Server
53. Student ID: 1400869
44
A5 – ValidatorPRO cable certification report
Please turn over to view the full JDSU ValidatorPRO cable certification report
73. Student ID: 1400869
64
A6 – Router Configurations
A6.1 – R1
!
! Last configuration change at 13:34:33 UTC Thu May 7 2015 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ikD2$73leUsh/bduvKhj3mWEqN0
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ183994LH
!
!
username admin privilege 15 secret 5 $1$2rM3$ptF4f4XUrnPoRxLvM/7qP1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
74. Student ID: 1400869
65
!
interface GigabitEthernet0/0.100
description "Accounts Department"
encapsulation dot1Q 100
ip address 192.168.100.2 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.100.1
standby 0 priority 1
!
interface GigabitEthernet0/0.101
description "Sales Department"
encapsulation dot1Q 101
ip address 192.168.101.2 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.101.1
standby 0 priority 1
!
interface GigabitEthernet0/0.102
description "Management Deptartment"
encapsulation dot1Q 102
ip address 192.168.102.2 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.102.1
standby 0 priority 1
!
interface GigabitEthernet0/0.103
description "IT Services"
encapsulation dot1Q 103
ip address 192.168.103.2 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.103.1
!
interface GigabitEthernet0/0.104
description "Internal WiFi"
encapsulation dot1Q 104
ip address 192.168.104.2 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.104.1
standby 0 priority 1
!
interface GigabitEthernet0/0.105
description "Guest WiFi"
encapsulation dot1Q 105
ip address 192.168.105.2 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
75. Student ID: 1400869
66
standby 0 ip 192.168.105.1
standby 0 priority 1
!
interface GigabitEthernet0/0.254
description "Server Farm"
encapsulation dot1Q 254
ip address 192.168.254.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.254.1
standby 0 priority 1
!
interface GigabitEthernet0/0.255
description "Management VLAN"
encapsulation dot1Q 255
ip address 192.168.255.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.255.1
standby 0 priority 1
!
interface GigabitEthernet0/1
description "WAN Interface 1"
ip address 8.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
router ospf 1
passive-interface GigabitEthernet0/0
passive-interface GigabitEthernet0/0.100
passive-interface GigabitEthernet0/0.101
passive-interface GigabitEthernet0/0.102
passive-interface GigabitEthernet0/0.103
passive-interface GigabitEthernet0/0.104
passive-interface GigabitEthernet0/0.105
passive-interface GigabitEthernet0/0.254
passive-interface GigabitEthernet0/0.255
network 8.0.0.0 0.0.0.3 area 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
76. Student ID: 1400869
67
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 8.0.0.2
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.103.0 0.0.0.255
access-list 1 permit 192.168.104.0 0.0.0.255
access-list 1 permit 192.168.105.0 0.0.0.255
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 1 permit 192.168.255.0 0.0.0.255
!
!
!
control-plane
!
!
banner login A valid username and password is
required to proceed. Please enter your username and password to
continue
banner motd Authorised users only! Unauthorised
users will be prosecuted to the full extent of the
law!
!
line con 0
logging synchronous
login local
line aux 0
logging synchronous
login local
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
logging synchronous
login local
transport input all
line vty 5 15
logging synchronous
login local
transport input all
!
scheduler allocate 20000 1000
!
End
77. Student ID: 1400869
68
A6.2 – R2
!
! Last configuration change at 13:39:32 UTC Thu May 7 2015 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ikD2$73leUsh/bduvKhj3mWEqN0
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ183994LV
!
!
username admin privilege 15 secret 5 $1$2rM3$ptF4f4XUrnPoRxLvM/7qP1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
78. Student ID: 1400869
69
interface GigabitEthernet0/0.100
description "Accounts Department"
encapsulation dot1Q 100
ip address 192.168.100.3 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.100.1
standby 0 priority 2
!
interface GigabitEthernet0/0.101
description "Sales Department"
encapsulation dot1Q 101
ip address 192.168.101.3 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.101.1
standby 0 priority 2
!
interface GigabitEthernet0/0.102
description "Management Deptartment"
encapsulation dot1Q 102
ip address 192.168.102.3 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.102.1
standby 0 priority 2
!
interface GigabitEthernet0/0.103
description "IT Services"
encapsulation dot1Q 103
ip address 192.168.103.3 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.103.1
standby 0 priority 2
!
interface GigabitEthernet0/0.104
description "Internal WiFi"
encapsulation dot1Q 104
ip address 192.168.104.3 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
standby 0 ip 192.168.104.1
standby 0 priority 2
!
interface GigabitEthernet0/0.105
description "Guest WiFi"
encapsulation dot1Q 105
ip address 192.168.105.3 255.255.255.0
ip helper-address 192.168.254.100
ip nat inside
ip virtual-reassembly in
