BSc (Hons) in Cyber Security and Digital Forensics (TopUp) - Kingston University Final Year Project Report

FACULTY OF SCIENCE, ENGINEERING AND
COMPUTING
School of Computer Science & Mathematics
BSc DEGREE
IN
Cyber Security and Digital Forensics
PROJECT FINAL REPORT
Name: W.A Neranjan Viduranga
ID Number: COL/A-069224
Project Title: Redesign the network of “Lakseya Digital Colour
Lab” with new Firewall and VPN implementation to build a secure
connection between its branches and head office
Project Type: Design
Date: 15/05/2021
Supervisor: Mrs. Ama Kulathilaka
Did you discuss and agree the viability of your project idea with your supervisor? Yes
Did you submit a draft of your proposal to your supervisor? Yes
Did you receive feedback from your supervisor on any submitted draft? Yes

i
Abstract
Lakseya Digital Colour Lab is one of the biggest digital colour laboratories in Sri Lanka. Even
though it is one of the biggest printing businesses in the country, it can be considered as a small
business due to the fewer number of employees. Their services expand from digital printing
services, editing and album creating to number of other printing and photography related
services.
Lakseya Digital Colour Lab started in 2009 at Kiribathgoda, as a small digital printing station
and a colour lab. With their expertise and excellent service record in the industry, they have been
able to grew up quickly and open two new branches in Matara and Gampaha. So, communication
between the head office and its branches is essential to do their businesses successfully.
Specially, the secure communication between the head office and the main branch, which is
located in Gampaha, is essential to the business. But, currently, there are no secure connection in
use between the head office and the Gampaha branch in order to communicate and share
resources efficiently and securely. Additionally, the head office does not have a firewall to
secure the main network. Since they are dealing with sensitive client’s data such as photos and
contact details they are vulnerable to cyber-attacks. Due to those reasons and emerging cyber
security threats, Lakseya Digital Colour Lab decided to redesign and implement cyber security
measurements in to their head office network (Kiribathgoda).
The new proposed design includes a new ASA firewall, Access Control List, Port Security and
VPN configuration. The VPN configuration will securely connect the biggest branch (Gampaha)
to the head office in order to communicate and share resources. By securing the head office
network of Lakseya Digital Colour Lab, they will be able to ensure the security of their client’s
data while keeping the good reputation in the industry.

ii
Contents
1. Introduction & Literature Review.............................................................................................1
1.1 Introduction .........................................................................................................................1
1.2 Background and Motivation...................................................................................................1
1.3 Problem in brief....................................................................................................................2
1.4 Aim & Objectives ...............................................................................................................4
1.4.1 Aim ..............................................................................................................................4
1.4.2 Objectives .....................................................................................................................4
1.5 Scope................................................................................................................................4
1.6 Deliverables.......................................................................................................................5
1.7 Literature Review...............................................................................................................5
2. Analysis ..................................................................................................................................8
3. Design...................................................................................................................................10
3.1 Design principles .............................................................................................................10
3.2 Design Techniques..........................................................................................................10
3.3 System Overview.............................................................................................................11
4. Proof of Concept ...................................................................................................................14
5. Validation..............................................................................................................................37
6. Critical Review & Conclusion ................................................................................................55
6.1 Closing executive summary.............................................................................................55
6.2 Conclusion.......................................................................................................................56
Password Policy for Lakseya Colour Lab ................................................................................57
References / Bibliography ............................................................................................................60
Appendices.................................................................................................................................61

iii
List of Figures/Tables
List of figures
Figure 1 - The Existing network of Lakseya (Head Office)...........................................................3
Figure 2 [6]................................................................................................................................10
Figure 3 - proposed design plan................................................................................................11
Figure 4 - Proposed design in cisco packet tracer.....................................................................12
Figure 5 - head office network with two branches......................................................................14
Figure 6 - host name, domain name and password in ASA.......................................................14
Figure 7 - Removing default DHCP in ASA ...............................................................................15
Figure 8 - Removing default IP address in VLAN 1 ...................................................................15
Figure 9 - Configuring VLANs in ASA........................................................................................16
Figure 10 - DHCP configuration on ASA ...................................................................................16
Figure 11 - DHCP activated in Inside VLAN PCs ......................................................................17
Figure 12 - Route configuration on ASA....................................................................................17
Figure 13 - NAT configuration on ASA ......................................................................................18
Figure 14 - Access List configuration on ASA............................................................................19
Figure 15 - SSH configuration on ASA ......................................................................................19
Figure 16 - Assigning IP addresses (H/O router).......................................................................20
Figure 17 - Assigning IP addresses (Middle router)...................................................................21
Figure 18 - Assigning IP addresses (Gampaha router)..............................................................22
Figure 19 - Configuring OSPF (H/O) .........................................................................................22
Figure 20 - Configuring OSPF (middle router)...........................................................................23
Figure 21 - Configuring OSPF (Gampaha router)......................................................................23
Figure 22 - Configuring OSPF (Matara router) ..........................................................................24
Figure 23 - Configuring Site-to-Site VPN (H/O) .........................................................................24
Figure 24 - Configuring Site-to-Site VPN (Gampaha router)......................................................25
Figure 25 - PfSense installation ................................................................................................26
Figure 31 - PfSense configuration.............................................................................................29
Figure 34 - PfSense configuration WAN config .........................................................................30
Figure 35 - PfSense configuration WAN config .........................................................................31
Figure 36 - PfSense configuration LAN config...........................................................................31
Figure 37 - PfSense configuration LAN config...........................................................................32
Figure 39 - PfSense configuration (Remotly).............................................................................33
Figure 40 - PfSense configuration password config...................................................................33
Figure 41 - PfSense configuration host name & domain............................................................34

iv
Figure 42 - PfSense configuration DNS.....................................................................................34
Figure 43 - PfSense configuration Localization .........................................................................35
Figure 44 - PfSense system info ...............................................................................................35
Figure 47 - Feedback from client...............................................................................................54
List of Tables
Table 1 - Strengths and Weaknesses .........................................................................................9
Table 2 - Opportunities and Threats............................................................................................9
Table 3 - test plan .....................................................................................................................37
Table 4 - Test case 1 ................................................................................................................39
Table 5 - Test case 2 ................................................................................................................40
Table 6 - Test case 3 ................................................................................................................40
Table 7 - Test case 4 ................................................................................................................42
Table 8 - Test case 5 ................................................................................................................43
Table 9 - Test case 6 ................................................................................................................45
Table 10 - Test case 7 ..............................................................................................................46
Table 11 - Test case 8 ..............................................................................................................47
Table 12 - Test case 9 ..............................................................................................................48
Table 13 - Test case 10 ............................................................................................................50
Table 14 - Test case 11 ............................................................................................................53

v
Glossary of Terms
CERT - Computer Emergency Response Team
VPN - Virtual Private Network
HSRP - Hot Standby Router Protocol
ACL - Access Control List
VLAN – Virtual Local Area Network
ASA - Adaptive Security Appliance
PC – Personal Computer
ISP – Internet Service Provider
H/O – Head Office

1
1. Introduction & Literature Review
1.1 Introduction
Lakseya Digital Colour Lab is one of the biggest digital colour laboratories in Sri Lanka with
modern cutting edge digital printing technologies. It provides digital printing services, editing,
album creating and other photography related services to a wide range of customers including
individuals, studios, event management companies and advertising companies.
Lakseya Digital Colour Lab started in 2009 at Kiribathgoda, as a small digital printing station
and a colour lab. With their expertise and excellent service record in the industry, they have been
able to grew up quickly and open two new branches in Matara and Gampaha. Even though a
secure communication method between main branch and the head office is essential to do their
business successfully, currently, there are no secure connection in use between the head office
and the main branch (Gampaha) in order to communicate and share resources efficiently and
securely.
1.2 Background and Motivation
Lakseya Digital colour lab deals with quite a lot of private and sensitive data in daily basis.
Those data can be categorized as client’s contact details, payment details, pictures, physical
addresses and company data. There are two major problems in the Lakseya head office network.
The first one is all the data that mentioned in above, are stored in various computers throughout
the head office LAN. They are not centralized and because of that securing those data is become
bit of a problem. The second major problem is the lack of security in the whole network (Head
office Local Area Network). The existing network has a direct connection to the internet. It
doesn’t go through a firewall or any other kind of security measurement.
Overall security of a network is very important to prevent any kind of unauthorized access to the
network. A firewall is the best way to ensure the security of the whole network. It will act like

2
the main line of defense between the LAN and the WAN (internet) by monitoring and
controlling the traffic. By installing and configuring a firewall between the head office LAN and
internet, Lakseya can ensure the overall security of their network. Due to those reasons, learner
chose to design a solution for the lack of overall security of the head office LAN.
1.3 Problem in brief
Lakseya Digital Colour Lab deals with quite a lot of sensitive data of their clients such as,
pictures, contact details and other essential data in their day to day work environment. Almost all
of those data stored in different computers inside the organization without proper security
measurements. Due to that reason, the security of those data is compromised. Apart from that
problem, the main branch (Gampaha) of the Lakseya Digital Colour Lab does not have access to
a secure communication line with the head office in Kiribathgoda. Because of that, they have to
transfer data between the main branch and the head office using unsecured communication
methods when, they need to communicate or share expensive resources between them.
Both situations compromise the security of organizational data and client’s data. So, the primary
problem is in hand, is the data security of Lakseya Digital Colour Lab. Because of that problem,
Lakseya digital colour lab decided to implement necessary cyber/network security measurements
in order to protect their and their client’s data.

3
Figure 1 - The Existing network of Lakseya (Head Office)

4
1.4 Aim & Objectives
1.4.1 Aim
The aim of this project is to identify potential cyber security threats and redesign the existing
network to be able to face against them with the use of Virtual Private Network and Firewall
technologies.
1.4.2 Objectives
• To identify potential cyber security threats that can effect to the company.
• To identify the cyber security weaknesses in the existing network in order to redesign it.
• To increase the organizational communication security by designing a Virtual Private
Network.
• To increase the network security by designing a Firewall.
• Preparation of final documentation.
1.5 Scope
The scope of this project is to redesign the existing network of Lakseya Digital colour lab head
office to increase the overall security of the network and create a secure connection between the
main branch in Gampaha and the head office in Kiribathgoda. To achieve both of those tasks, an
ASA firewall will be implemented between the head office LAN and the internet by giving it the
authority to monitor and control the outgoing and incoming traffic. The secure connection
between the main branch and head office will be implemented using Site-to-Site VPN (IPsec).
By achieving those tasks and securing the network, Lakseya digital colour lab will be able to
prevent unauthorized accesses and malicious activities which can be harmful to their network
and the business.

5
1.6 Deliverables
 Secure work environment in the Lakseya head office network (LAN).
 Efficient and secure connection between the head office and the main branch
through the internet.
 A full report of the project.
1.7 Literature Review
New and emergent threats to small businesses and how can we manage them
Patricia A H Williams, et al (2010), says due to the more relaxed and less controlled nature,
small businesses are become the prime target for cybercrimes [1]. Most of those cyber threats are
caused by human error. It can be intentional or accidental. But both kinds of human errors can
cause unimaginable harm to the business. One of the emerging cyber threats to small businesses
is caused by social media usage. Due to the more relaxed nature of small businesses, employees
are free to use their private social media accounts on working computers/network. The threat
arises when, shared links are clicked and malwares are downloaded. This action can be
intentional or accidental. But those downloaded malwares can destroy the network/system
instantaneously or quietly operated in background while utilizing user bandwidth and sending
sensitive data out of the business to a third party.
Managing cyber threats in a small business with limited computer security knowledge and
financial resources is a very difficult thing to do. Ideally, small businesses are also supposed to
implement cyber security measurements according to the ISO/IEC 27002 (Information
technology – Security techniques – Code of practice for information security management) like
bigger businesses [1]. But it is not possible due to the limited resources that small businesses can
spend on that kind of larger projects. So, the best way to secure a small business is to address
security requirements daily by monitoring the network traffic, network performance and keeping
a good and up-to-date antivirus application in their system. Apart from that, they can ensure their
security by configuring a good firewall and installing an Intrusion Prevention System (IPS) to
prevent outsiders from getting in to the system.

6
Current status of cyber security in small businesses
Kamala Raghavan, et al (2017), says almost all businesses are turning toward to cloud computing
due to the large amount of benefits and lack of resources that need to implement in-house servers
[2]. Even though cloud computing can help small businesses to grow fast without having to
invest huge amounts of resources for IT infrastructure and security; it can be lead to serious data
breaches. By using cloud computing facilities, small businesses are exposed to the raw internet
more than ever now. It increases the potential cyber threats to the business. It becomes a major
problem when, those small businesses have bigger companies as their customers. By using those
situations cyber criminals can get access to the major businesses through unsecured small
businesses. “Target” and “Home Depot” incidents [2] are some of the examples to that kind of
situations. In those incidents cyber criminals used a smaller business which provides services to
those bigger companies as the entry point to a credit card theft.
Cyber Security threats and Awareness in Sri Lanka
R.T.S Nagahawatta, et al (2020), says Sri Lanka has established several laws to manage cyber
security and protect data. Almost all of those laws are based on English law and international
cyber security laws. Information and Communication Technology Act, Computer crimes Act,
Payment Devices Frauds Act and Electronic Transactions Act are some of those acts that passed
by the Sri Lankan parliament in recent years [3]. According to the Sri Lankan CERT (Computer
Emergency Response Team), in 2016, 2341 total cybercrimes have been reported. From those
incidents, more than 95% incidents are social media related incidents (2200).
R.T.S Nagahawatta, et al (2020), in their research, collected data from 88,855 undergraduate
students in order to find out the cyber security awareness among the youth of Sri Lanka. Results
of that research project shows, 39% of respondents have moderate level of cyber security
awareness, 30% has high level of knowledge, 9% has very high level of knowledge, 6% has very
low level of knowledge and 16% has low level of knowledge about cyber security [3]. According
to the research results, male students have more cyber security awareness compared to their
female counterpart. Also, it shows, even though students have acceptable level of knowledge
about cyber security, there are some knowledge gaps with new cyber threats.

7
A better solution for small businesses – ASA
Mohammed Faizan, et al (2019), says Cisco ASA is individual product that can secure a network
with its firewall features. ASA act like an interface between the LAN and the Internet in order to
secure the LAN [4]. ASA provides IDS and IPS services along with antivirus application, packet
filtering and load balancing. So, small businesses can save their resources by purchasing and
using ASA for multiple workloads. Apart from that, ASA provides remote access and site-to-site
connection by using Eliptic Curve Technology.
A cost effective way of secure communication - VPN
Ahmed A. Jaha, et al (2008), says, in the past, large businesses and enterprises who are capable
of spending large amounts of money would physically install communication lines over large
distances in order to communicate with their branches and remote offices in a secure way [5].
This method wasn’t particle due to the huge cost, space, laws and the time that required for this
kind of implementations. Also, maintaining such a network was not cheap. With the growing
popularity of internet, most businesses and other industries started to move towards to it. But
during the growth of internet, it has been found to be vulnerable to cyber-attacks which are
usually looking to grab sensitive data from the victims. As an answer to this problem, IP based
secure communication method, which uses the existing public network infrastructure and the
internet was invented. This VPN technology reduced the cost of older physical communication
networks and opens a way of secured communication to smaller businesses.
According to Ahmed A. Jaha, et al (2008), a VPN should always provide authentication, access
control, confidentiality and the data integrity to a network in order to ensure the security of data
[5]. At the same time a VPN should support the architecture which is consist of a Local Area
Network of a business, other LANs of remote offices and branches and the individuals, who are
working from home or connecting from out in the field. Site-to-Site VPNs and remote access
VPNs which are the two main types of VPN are capable of doing those kinds of workloads.

8
2. Analysis
Requirements of this project
Functional Requirements
 All of the workstations and printers inside the head office LAN should be
connected to each other.
 Every one of workstations inside the H/O LAN should be able to use printers
through the network.
 Every one of workstations should be able to communicate with other workstations
that are in other two branches through the internet.
 Outgoing traffic should be allowed.
 Incoming traffic that is requested by any workstation inside VLAN 1 of the head
office network should be allowed.
 Incoming traffic that is not requested by any workstation inside VLAN 1 should
not be allowed.
 The Admin inside the VLAN 1 should be able to use SSH connection to connect
remotely to the firewall.
 Firewall should have a console password to prevent any kind of unauthorized
access.
 Inside IP addresses should not be exposed to the outside of the network (NAT
configuration).
None-functional Requirements
 The network should be efficient.
 The network should be reliable.
 The network should keep the connectivity all the time.
 The network should be easy to maintain.

9
SWOT analysis of the proposed network design (of Lakseya head office network)
Table 1 - Strengths and Weaknesses
Strengths Weaknesses
 Employees can do their work inside the
head office LAN without worrying
about the security.
 Employees of Lakseya head office can
communicate with other two branches
securely.
 Lakseya can protect their company data
and client’s data easily.
 Lakseya head office can share
resources with their two other branches.
 To increase the security, portable
storage devices from outside should not
be allowed in any workstation. But it
will frame the employees and
customers to a tight place.
 Even though, the LAN is secure from
the unauthorized access, viruses can
came through the firewall as requested
incoming traffic by requesting a file
with a virus from inside the network.
Table 2 - Opportunities and Threats
Opportunities Threats
 By increasing the security of the network,
customers will be able to ensure security
of personnel data in that business. So, the
customer satisfaction will be increased.
 Because of the high level of security and
the ability to share resources among its
branches, Lakseya will be able to give a
faster service. It will help the reputation
of the company to grow.
 With the growing customer satisfaction
about the security and fast service, the
market share of the company will be
increased.
 By increasing the security of the
network, Lakseya can draw the
unwanted attention of cyber attackers
to them.
 Files, which are requested from the
inside LAN can be, contained
malicious softwares that can cause
potential risks of information theft.

10
3. Design
3.1 Design principles
 Understand the client’s requirements and design according to those requirements.
 Use matured and well tested network equipment to design the network.
 Avoid over-generalized designs and create a unique design according to the requirements.
 Keep your design as simple as possible
 Keep the flexibility and the scalability of your design to some degree.
3.2 Design Techniques
To design the network and develop this project the learner used a network design methodology
called “PPDIOO methodology”. It was presented by Cisco as a network lifecycle. PPDIOO
stands for Prepare, Plan, Design, Implement, Operate and Optimize.
Figure 2 [6]
 Prepare – In this stage, all the client’s requirements were gathered and technologies that
are suitable for this project were identified.
 Plan – In this stage, all the network requirements were gathered and basic plan of the
project including the scope, cost, aims and objectives were established.
 Design – The new network is designed according to the pre-gathered requirements and
the project plan. Additional changes can be added according to the new requirements
along the designing process. In this stage, the design is tested many times using a
network simulation tool.

11
 Implement – Implementation can be done after the design of the new network has been
approved.
 Operate – In this stage, final test of the implemented network can be done while allowing
the employees to work on the network.
 Optimize – in this stage, proper network management needs to be done by professionals.
Network monitoring, controlling the traffic and troubleshooting can be done in this stage.
To design this network, learner mainly used two applications. First, to draw the plan of the
proposed network, learner used an online application called “draw.io”. It was an easy to use and
simple application, which has numerous drawings of network devices and equipment.
As the second application, learner used the “Cisco packet tracer”. Cisco packet tracer is a
network simulation application that allows the user to create networks inside the application and
test them before having to implement the network in real life. By using that application, the
learner had been able to ensure the security and reliability of the newly designed network.
3.3 System Overview
01] Proposed Design
Figure 3 - proposed design plan

12
The main and final goal of this project is to implement necessary cyber/network security
measurements in Lakseya Digital Colour Lab, in order to protect their and their client’s data.
Since they are dealing with quite a lot of client’s data they need a secure network that, does not
allow unauthorized personnel from getting in. Also, they need a secure connection between their
head office and the branch located in Gampaha. The above network design is created to achieve
those goals. First, to achieve the secure communication (between the main branch and H/O)
requirement, a Virtual Private Network (VPN) will be used in the redesigned network. To protect
the network from outside, an Adaptive Security Appliance (ASA) firewall will be implemented.
Apart from the ASA firewall and VPN, port security will be implemented in the redesigned
network. To increase the security of the network and reduce the probability of inside threats, an
Access Control List (ACL) will help to control the accessibility of specific resources inside the
network. Finally, Virtual Local Area Network (VLAN) will prevent the unnecessary access of
resources from inside of the network.
02] Proposed Design in a network simulation software
Figure 4 - Proposed design in cisco packet tracer

13
The testing of the new network design was conducted by using Cisco packet tracer. Cisco packet
tracer is a network simulation application that allows the user to create networks inside the
application and test them before having to implement the network in real life.
In this Cisco packet tracer, the head office network is highlighted by using the green colour. The
yellow colour represents the Gampaha branch (branch 01) and blue colour represents the Matara
branch (branch 02). The two parallel lines between the head office and the Gampaha branch
represent the Site-to-Site VPN (IPsec) which is configured between head office Router and the
Gampaha branch router.

14
4. Proof of Concept
01] Head Office network with two branches
Figure 5 - head office network with two branches
02] Configurations of ASA 5505 firewall (Head Office)
2.1 Configuring host name, domain name and password in ASA 5505 firewall
Figure 6 - host name, domain name and password in ASA
Host name is configured for identification purposes. Domain name specifies the domain name
roe ASA firewall. A password is configured to secure the access of the firewall. Only the admin
of the head office network has that specific password and others are not allowed in the firewall
configuration mode.

15
2.2 Removing default DHCP configurations in ASA 5505 firewall
Figure 7 - Removing default DHCP in ASA
In default, ASA 5505 firewall has DHCP configurations in it. The default DHCP pool used
192.168.1.5 – 192.168.1.36 range for the inside VLAN. Since the new network design use the
DHCP pool of 172.16.10.5 – 172.16.10.30 range for inside VLAN, the default DHCP
configuration is removed.
2.3 Removing default IP address in VLAN 1
Figure 8 - Removing default IP address in VLAN 1
As mentioned in above, because of the use of different IP range, the default IP addresses are
removed in order to configure new IP addresses.
2.4 Configuring VLANs in ASA 5505 firewall

16
Figure 9 - Configuring VLANs in ASA
In the new network design, there are two VLANs. VLAN 1 and VLAN 2 are divided by the ASA
firewall. VLAN 1 is the inside VLAN of the network and it has the security level of 100. What
that means is VLAN 1 is configured to recognize as the most secure and trusted VLAN in the
network by ASA firewall. On the other hand, VLAN 2 (outside) has the security level of 0. So, it
is configured as the least secure and trusted VLAN in the network due to the direct connection of
the router and the untrusted internet.
2.5 DHCP configuration on ASA 5505 firewall
Figure 10 - DHCP configuration on ASA
By configuring DHCP, network administrator can save time without having to go and configure
each and every end device in order to connect to the network. DHCP is used here to automate the
process of configuring the end devices. It automatically assigns IP addresses and default
gateways to the client devices (end devices). DHCP configuration allows the network
administrator to make changes with less effort.

17
DHCP activated in Inside VLAN PCs
Figure 11 - DHCP activated in Inside VLAN PCs
After configuring DHCP in ASA firewall, IP configurations of the end devices must be changed
in to DHCP. Then, it will automatically request an IP from the DHCP server and server will send
an IP address along with the default gateway IP.
2.6 Route configuration on ASA 5505 firewall
Figure 12 - Route configuration on ASA
Route command is used to tell the route that data packets should go. Static route is configured in
the newly designed network. In here, inside the ASA firewall, static route is configured to send
any data packet from any IP address with any subnet mask which belongs to the inside VLAN to
the IP address 10.1.1.2 (ISP router) which is in the outside VLAN.

18
2.7 NAT (Network Address Translation) configuration on ASA 5505 firewall
Figure 13 - NAT configuration on ASA
In here, an object group called “INSIDE” created by including all the IP addresses which are in
the 172.16.10.0 network. After that, the INSIDE object group is configured to change their
private IP addresses in to the outside VLAN IP address of the ASA firewall in order to
communicate with the outside successfully. Using the “nat” command, the ASA is configured to
change any inside IP in to its outside IP. The NAT configuration will remember the requests
attached to inside IPs that converted to the outside IP. When that outside IP return to the ASA
firewall with the requested data from outside, the NAT configuration will convert back that
outside IP in to the exact same inside IP.

19
2.8 Access List configuration on ASA 5505 firewall
Figure 14 - Access List configuration on ASA
In here, an access list called INTERNET is created to give the internet access to the inside
VLAN. By using access-list command, any host which must be located inside VLAN, are
allowed to send TCP or ICMP packets to any destination in outside network and the internet.
2.9 SSH configuration on ASA 5505 firewall to give secure access to the Admin PC
Figure 15 - SSH configuration on ASA
In the new network design, there is an Admin PC (172.16.10.12) dedicated to the administrator
of the head office network. To monitor and configure ASA firewall, the administrator should
have a secure method of access to the ASA firewall. First, a username and a password are
configured to authentication purposes. Then, AAA authentication command is used here to

20
specify the pre-configured users in the ASA to allow the access of the ASA firewall. Finally, Ssh
command is used to create a rule that specify the end devices which can access the SSH. In here,
the IP address of the Admin PC (172.16.10.12) is specified as the only end device that can access
the SSH.
03] Router configurations
3.1 Assigning IP addresses to the head office router ports
Figure 16 - Assigning IP addresses (H/O router)
In here, IP addresses are assigned to the router. For the fast Ethernet 0/0 port, (which is facing
the head office Local Area Network) a private IP address is assigned. For the outside facing
serial 0/3/0 port, a public IP is assigned.

21
3.2 Assigning IP addresses to the middle router ports
Figure 17 - Assigning IP addresses (Middle router)
The middle router is acting as the internet and has three serial connections which are connected
to the head office router, Gampaha branch router and the Matara branch router. Those
connections are connected to s 0/3/0, s 0/2/1 and s 0/2/0 ports of the middle router. All of those
three ports are configured with public IP addresses.

22
3.3 Assigning IP addresses to the Branch 01 (Gampaha) router ports
Figure 18 - Assigning IP addresses (Gampaha router)
The Gampaha branch router is configured to have a public IP address in the outside facing
interface serial port. The inside facing fast Ethernet port is configured to have a private IP
address which act as the default gateway IP address of the Gampaha branch network.
3.4 Configuring OSPF (Open Shortest Path First) protocol on Head office router
Figure 19 - Configuring OSPF (H/O)
To connect the network to the internet, Open Shortest Path First protocol (OSPF) is configured in
the head office network. In here, the both sides of the routers are connected using router ospf 1
command. Outside VLAN of 10.1.1.0 and the WAN of 15.1.1.0 is connected and put in to the
same logical group using the same area (area 0). In OSPF, only the routers that are in the same
area can identify each other.

23
3.5 Configuring OSPF protocol on Middle router
Figure 20 - Configuring OSPF (middle router)
In here also, all the networks connected to the middle router are connected together using OSPF
and all the networks are put in to the same logical group (area 0).
3.6 Configuring OSPF protocol on Branch 01 (Gampaha) router
Figure 21 - Configuring OSPF (Gampaha router)
Also, in the Gampaha branch router, inside Local Area Network and the outside Wide Area
Network is connected together by using OSPF protocol. They are also configured in to the same
area.
NOTE: the above screenshot is missing one configuration that connects the inside LAN to the
outside and the area. The missing configuration should like the one in below.
Router (config) #router ospf 1
Router (config-router) #network 192.168.10.0 0.0.0.255 area 0

24
3.7 Configuring OSPF protocol on Branch 02 (Matara) router
Figure 22 - Configuring OSPF (Matara router)
Same as the Gampaha branch router, inside Local Area Network and the outside Wide Area
Network is connected together by using OSPF protocol in the Matara branch router. They are
also configured in to the same area.
3.8 Configuring Site-to-Site (IPsec) VPN on Head office router
Figure 23 - Configuring Site-to-Site VPN (H/O)

25
To create a secure communication line between head office and the Gampaha branch, a site-to-
site VPN is configured. So, in here, 15.1.10.1, which is the IP address of the Gampaha branch
router, is configured as the peer.
3.9 Configuring Site-to-Site (IPsec) VPN on Gampaha branch router
Figure 24 - Configuring Site-to-Site VPN (Gampaha router)
To complete the VPN, the same key and the crypto map is configured in the Gampaha branch as
well. In here, 15.1.1.1, which is the IP address of the head office router, is configured as the peer.

26
PfSense virtual firewall installation and configuration
Installation
Figure 25 - PfSense installation

27

28

29
Configuration
Figure 31 - PfSense configuration

30
Figure 34 - PfSense configuration WAN config

31
Figure 35 - PfSense configuration WAN config
Figure 36 - PfSense configuration LAN config

32
Figure 37 - PfSense configuration LAN config

33
Configuring PfSense through Admin PC
Figure 39 - PfSense configuration (Remotly)
Figure 40 - PfSense configuration password config

34
Figure 41 - PfSense configuration host name & domain
Figure 42 - PfSense configuration DNS

35
Figure 43 - PfSense configuration Localization
Figure 44 - PfSense system info

36

37
5. Validation
Test Plan
Table 3 - test plan
Test No: Description
001 Check the connectivity between hosts inside the head office network
C:>ping 172.16.10.15
002 Check the connectivity between VLAN 1 (inside) and VLAN 2 (outside)
C:>ping 10.1.1.2
003 Check the connectivity between head office network (inside) and Branch 1
(Gampaha) network
C:>ping 192.168.10.5
C:>ping 192.168.10.10
004 Check the connectivity between head office network (inside) and Branch 2
(Matara) network
C:>ping 192.168.20.5
C:>ping 192.168.20.7
005 Testing the ASA firewall by trying to ping inside network from branch 1 (Gampaha)
network
C:>ping 172.16.10.5
C:>ping 10.1.1.1
006 Testing the ASA firewall by trying to ping inside network from branch 2 (Matara)
network
C:>ping 172.16.10.7
C:>ping 10.1.1.1

38
007 Testing the console password of ASA firewall by trying log in to the firewall
008 i] Testing the SSH connectivity using “ssh -l” command.
ii] Testing the SSH access by trying to use SSH on Admin PC and other PC.
iii] Testing the AAA password by trying to access the firewall from Admin PC
009 Testing the NAT using a simple PDU in simulation mode and checking the source
IP in inbound and outbound PDU details
010 Testing the VPN by checking encapsulated and decapsulated packets in both head
office and Gampaha branch routers.
011 Testing the PfSense by logging in to the PfSense firewall through the Admin PC
and check the firewall logs.

39
Testing
Table 4 - Test case 1
Test case 001 Objective: Check the connectivity between hosts inside the head
office network
Description: Check the connectivity using “Ping” command.
C:>ping 172.16.10.15
Expected Outcome
4 replies and 0% packet loss
Real Outcome
Evidence:
Status: Ping statistics for 172.16.10.15:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 319ms, Average = 84ms

40
Test case 002 Objective: Check the connectivity between VLAN 1 (inside) and
VLAN 2 (outside)
C:>ping 10.1.1.2
Expected Outcome
Real Outcome
Evidence:
Test case 003 Objective: Check the connectivity between head office network
(inside) and Branch 1 (Gampaha) network
C:>ping 192.168.10.5

41
C:>ping 192.168.10.10
Expected Outcome
i] 4 replies and 0% packet loss
ii] 4 replies and 0% packet loss
Real Outcome
Evidence:
Ping statistics for 192.168.10.10:

42
Test case 004 Objective: Check the connectivity between head office network
(inside) and Branch 2 (Matara) network
C:>ping 192.168.20.5
C:>ping 192.168.20.7
Expected Outcome
Real Outcome
Evidence:

43
Test case 005 Objective: Testing the ASA firewall by trying to ping inside
network from branch 1 (Gampaha) network
C:>ping 172.16.10.5
C:>ping 10.1.1.1
Expected Outcome
i] 4 replies 0 received and 100% packet loss
*Destination host unreachable
*Branch should be able to ping the outside
VLAN of head office network
Real Outcome
*Branch can ping the outside VLAN of
head office network
Evidence:

44
Status: Reply from 15.1.10.2: Destination host unreachable
*ASA 5505 firewall is working successfully. Firewall didn’t let the packets go through it.
It secured the inside network from unauthorized outside access.
*Branch 1 (Gampaha) network can access the outside VLAN of the head office network.
But it cannot access the inside network due to the ASA firewall.

45
Test case 006 Objective: Testing the ASA firewall by trying to ping inside
network from branch 2 (Matara) network
C:>ping 172.16.10.7
C:>ping 10.1.1.1
Expected Outcome
*Branch should be able to ping the outside
VLAN of head office network
Real Outcome
*Branch can ping the outside VLAN of
head office network
Evidence:
Status: Reply from 192.168.20.1: Destination host unreachable

46
*ASA 5505 firewall is working successfully. Firewall didn’t let the packets go through it.
It secured the inside network from unauthorized outside access.
*Branch 2 (Matara) network can access the outside VLAN of the head office network. But
it cannot access the inside network due to the ASA firewall.
Test case 007 Objective: Testing the console password of ASA firewall by trying
log in to the firewall
Description: Test the console password of ASA by trying log in to the firewall and get access to
the privileged mode.
Expected Outcome
With correct PW: Access Granted
With incorrect PW: Access denied
Real Outcome
With correct PW: Access Granted
With incorrect PW: Access denied
Evidence:
Status: When the learner tried to enable the console of ASA firewall, it required the pre-given

47
password. First to test it, the learner gave 3 wrong password combinations. The firewall
immediately identified those wrong passwords and denied the access. Then the learner gave the
correct password and the firewall gave the access to the privileged mode.
Test case 008 Objective: Testing the SSH connectivity, access and AAA
password.
Description: i] Testing the SSH connectivity using “ssh -l” command.
ii] Testing the SSH access by trying to use SSH on Admin PC and other PC.
iii] Testing the AAA password by trying to access the firewall from Admin PC
Expected Outcome
i] Connection successful
ii] Connection successful (On Admin PC)
Connection timed out (On other PCs)
iii] Access granted (with correct PW)
Access denied (with incorrect PW)
Real Outcome
i] Connection successful
ii] Connection successful (On Admin PC)
Connection timed out (On other PCs)
iii] Access granted (with correct PW)
Access denied (with incorrect PW)
Evidence:

48
Status: When the learner tried to use SSH on Admin PC (172.16.10.12 this PC is the only
privileged PC to use SSH connection) it was successful. Then it asked the AAA password
that the learner pre-configured in order to authenticate the user. When the learner gave a
wrong password it denied the log in process. With the correct password given, it allowed
the access of the firewall to the user.
To test the SSH connection again, the learner tried to use the SSH connection on another
PC (172.16.10.5 this pc is not allowed to use SSH) It didn’t allow the learner to use SSH
connection on that PC.
Test case 009 Objective: Testing the NAT
Description: Test the NAT using a simple PDU and simulation mode
Check the source IP in inbound and outbound PDU details
Expected Outcome
Source IP address should be changed in to
10.1.1.1 in outbound PDU details
Real Outcome
Source IP address changed in to 10.1.1.1
in outbound PDU details

50
Status: When the simple PDU reach the firewall, the inbound PDU details show the
true source IP address which was 172.16.10.12. But in the outbound PDU details, the
source IP changed to the IP address of the firewall which is 10.1.1.1. So, according to
the test results, Network Transaction Protocol (NTP) is working correctly.
Test case 010 Objective: Testing the VPN
Description: Ping the Gampaha branch network from head office network and checking
the encapsulated and decapsulated packets in both head office and Gampaha branch
routers.
Router#show crypto ipsec sa
Expected Outcome
Amount of encapsulated packets should be
similar to the amount of decapsulated
packets on the other side.
Real Outcome
Amount of encapsulated packets are
similar to the amount of decapsulated
packets on the other side.
Evidence:
Ping
Head office router

52
Status: Encapsulated packets from H/O router are similar to the decapsulated packets in
the Gampaha branch router. Other way around is the same. Local crypto end points and
remote crypto endpoints are compatible. So, the VPN connection is secure and working
properly.

53
Test case 011 Objective: Testing the PfSense.
Description: Testing the PfSense by logging in to the PfSense firewall through the Admin PC
and check the firewall logs.
Expected Outcome
Login successful.
PfSense should have a log containing the IP
address of the device, date/time of the login
and the account username.
Real Outcome
Login successful.
PfSense have a log containing the IP address of
the device, date/time of the login and the
account username.
Evidence:
Status: Logs from two remote logins are available in PfSense. They contain login date, time and
the IP address of the device that logged in to the PfSense remotely. User names are also visible
in PfSense.

54
Feedback from client
Figure 47 - Feedback from client

55
6. Critical Review & Conclusion
6.1 Closing executive summary
This project and the design are developed according to client’s requirements. The main goal of
this project is to secure the Lakseya head office network by using minimum amount of resources.
So, along the designing process, some changes were added to the final design. The first design in
the project proposal included a HSRP configuration to the Lakseya head office network in order
to keep the connection between the LAN and the internet at any given time. But, almost all the
business activities of the Lakseya are done by physically. They are not relying on the internet or
any other kind of connection to the outside to do their businesses. Most of the clients of Lakseya
prefer to come to the head office and do their businesses in there. Since their business processes
are not totally rely on internet connection and as per client’s requirements, (Appendix 02) a new
design was created by removing the standby router and HSRP configurations. By doing that, the
company can save quite a lot of money otherwise will go to buy an extra router, cabling and
another ISP service. Additionally, the proposed VPN connections for both of the branches were
modified as per client’s instructions (Appendix 02). Due to the small scale of the Matara branch
along with small amount of business processes and the cost concerns, Lakseya has decided to
design only one VPN connection between the head office and the Gampaha branch (main
branch).
The security of the network can be increased further more by monitoring the network frequently.
Also, a DMZ implementation will secure the network further more by letting the admin of the
LAN to identify malicious activities before it becomes a major problem.

56
6.2 Conclusion
This project is completely focused on designing a secure network to ensure the security of the
data that flows inside the Lakseya head office network. Additionally, it focuses on implementing
a secure connection between the head office and the Gampaha branch to exchange important data
and resources securely.
Newly created design uses a single ASA firewall to do both of those tasks. The firewall will
allow the outgoing traffic while heavily monitoring and transforming the source IP to the
gateway IP that is pre-configured in the firewall. At the same time incoming traffic which is not
requested using an outgoing traffic will not be able to pass the ASA firewall. By doing that,
unauthorized access of the network can be prevented easily. The VPN function, which is
configured as a Site-to-Site VPN will create a secure connection between the head office and the
main branch located in Gampaha. In that way, Lakseya colour lab has the ability to prevent
cyber-attacks like man in the middle attacks and eavesdropping.
This project will strengthen the overall security of Lakseya head office network. It will help the
company to grow much faster and gain a good reputation in their industry.
During this project, details about the existing network of “Lakseya Digital Colour Lab” are
collected. Any kind of personal data, employee data or client’s (of Lakseya) data were not
collected or requested. All of the collected data of the existing network is only used for this
specific project and after completing this project those collected data will be properly disposed.
Until the proper dispose, all of the data will be only stored in learner’s personal computer. All of
the cabling for the network will be designed according to the general laws of wiring and Sri
Lankan government standards.
To strengthen the security of Lakseya digital colour lab, a password policy should be
implemented in future. A properly designed password policy for Lakseya digital colour lab is in
below.

57
Password Policy for Lakseya Colour Lab
1.0] Overview
Information security is one of the major concerns of a modern company. Passwords hold the last
standing protection against unauthorized access and resource exploitation of the company. To
prevent that, all the employees of “Lakseya colour lab” who has the access to the system must
take appropriate actions and actions as outlined below.
2.0] Purpose
The main purpose of this password policy is to create and establish a well-managed, standard
password policy in order to ensure the security of the system. This password policy will establish
a standard to create strong passwords and frequent password changes.
3.0] Scope
The scope of the password policy of “Lakseya colour lab” includes all of the employees and
people who have the authorized access to the company’s system, network or any kind of user
account that belongs to the company.
4.0] Policy
4.1] General
 All of the passwords must be changed after using for 90 days.
 All of the passwords that were expired in last year cannot be reused again for next 2
years.
 All of the expired passwords can be used again after 3 year time period but characters of
every password must be rearranged.
 Passwords or a part of a password must not be transmitted through any form of electronic
communication media under any kind of circumstances.
 All of the passwords must conform to the guidelines below.
4.2] Guidelines for password creation
1. A password must include minimum of 8 characters. 15 characters are recommended.
2. A password must not be same as the User ID or User name.

58
3. A password must not use birthdays, addresses or any kind of personal information.
4. A password must not be a dictionary word, common name or proper name.
5. A password must include uppercases, lowercases, digits and symbols.
6. A password must be changed after using for 90 days.
7. A password should not be identical to the previous passwords.
8. Ensure passwords must only be reset for authorized users.
9. Do not use personal passwords as the work account passwords.
4.3] Guidelines for password protection
1. Do not use any kind of digital or electronical media to store your password without
strong encryption.
2. Do not write down your password in a book, paper or any kind of a surface.
3. Do not share your password with your supervisor, co-workers or other employees.
4. Do not share your password with your family members.
5. Do not talk about your password in front of people.
6. Do not use your password in front of people (public)
7. Do not enable the “See password” option when you are logging in to the system/account.
8. Do not use “Remember password” or “Remember me” option on an application.
9. Do not reveal your password on questionnaires or security forms.
10. Do not use your password to log in to other applications that are suspicious.
11. Do not use the same password for different accounts.
12. If someone demands a password, please refer them to this document or the IT
department.
Security check-ups may be performed randomly by the network/system administrator. Users will
be informed and require changing their passwords if a password is guessed or cracked during
these security check-ups.
4.4] Guidelines for password deletion
All of the passwords and accounts that are no longer needed must be deleted immediately. When
an account no longer needed,
 Employee should notify his/her superior officer.

59
After that, that superior officer should notify IT department. The network/system administrator
should delete the password and suspend the user account within the day.
4.5] Guidelines for remote access
Remote access to the Lakseya colour lab must be limited to fewer numbers of authorized
employees. Remote access must be controlled by using a Virtual Private Network (VPN) / form
of advanced authentication method (biometrics) or combination of both methods.
5.0] Penalties
All the employees of Lakseya colour lab should not violate this policy. Any employee, who
violated this policy, may be subjected to disciplinary action or even termination of employment.

60
References / Bibliography
[1] Williams, P. and Manheke, R., 2010. Small Business - A Cyber Resilience Vulnerability. [ebook] Perth: Edith
Cowan University, pp.112 - 114. Available at:
<https://ro.ecu.edu.au/cgi/viewcontent.cgi?referer=https://scholar.google.com/&httpsredir=1&article=1013&context
=icr> [Accessed 26 November 2020].
[2] Raghavan, K., Desai, M. and Rajkumar, P., 2017. Managing Cybersecurity And E-Commerce Risks In Small
Businesses. [ebook] Houston: Department of Accounting and Finance. Texas Southern University, pp.10 - 11.
Available at: <http://ibii-us.org/Journals/JMSBI/V2N1/Publish/V2N1_2.pdf> [Accessed 26 November 2020].
[3] Nagahawatta, R., Warren, M. and Yeoh, W., 2020. A Study Of Cybersecurity Awareness In Sri Lanka. [ebook]
Melbourne: Australian Cyber Warfare, pp.50 - 56. Available at:
<https://www.researchgate.net/profile/Ruwan_Nagahawatta3/publication/342762456_A_Study_of_Cybersecurity_A
wareness_in_Sri_Lanka/links/5f051e92a6fdcc4ca455c498/A-Study-of-Cybersecurity-Awareness-in-Sri-Lanka.pdf>
[Accessed 26 November 2020].
[4] Faizan, M., Hegde, S. and Yaligar, N., 2019. Comparison Between Cisco ASA And Fortinet Fortigate. [ebook]
IOSR Journal of Computer Engineering (IOSR-JCE), p.34. Available at:
<https://www.researchgate.net/profile/Mohammed_Faizan7/publication/333516658_Comparison_between_Cisco_A
SA_and_Fortinet_FortiGate/links/5cf1431fa6fdcc8475fb709f/Comparison-between-Cisco-ASA-and-Fortinet-
FortiGate.pdf> [Accessed 26 November 2020].
[5] Jaha, A., Shatwan, F. and Ashibani, M., 2008. Proper Virtual Private Network (VPN) Solution. [online]
Ieeexplore.ieee.org. Available at: <https://ieeexplore.ieee.org/abstract/document/4756450> [Accessed 15 May
2021].
[6] Cisco Certified Expert. 2021. Network Design Methodology - Network Design - Cisco Certified Expert. [online]
Available at: <https://www.ccexpert.us/network-design/network-design-methodology.html> [Accessed 9 February
2021].

61
Appendices
Appendix 01
Client’s permission for the final year project
Appendix 02
Requested design changes (Feedback)

62
Appendix 03
Project Gantt chart
Appendix 04
Budget Plan

63
Appendix 05
Project registration approval (From project supervisor)
Appendix 06
Project proposal approval (From project supervisor)
Appendix 07
Project interim report feedback (From project supervisor)

64
Appendix 08
Project final report feedback (From project supervisor)

BSc (Hons) in Cyber Security and Digital Forensics (TopUp) - Kingston University Final Year Project Report

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to BSc (Hons) in Cyber Security and Digital Forensics (TopUp) - Kingston University Final Year Project Report

Similar to BSc (Hons) in Cyber Security and Digital Forensics (TopUp) - Kingston University Final Year Project Report (20)

Recently uploaded

Recently uploaded (20)

BSc (Hons) in Cyber Security and Digital Forensics (TopUp) - Kingston University Final Year Project Report