1) The document outlines a network design project for the University of Tripoli that involves designing the network infrastructure and implementing security policies and protocols.
2) The design includes VLANs, firewalls, VPN access, and wireless access across multiple engineering departments.
3) The implementation phase focuses on secure configuration of network devices, access control lists, firewall rules, encrypted management access, and a captive portal for wireless users.
9. Security
Security has one purpose: to protect assets.
In terms of computer networks the assets can be:
- Information (files, data streams, ...)
- Servers
- Configurations
- User accounts
- Passwords
- Devices
10. Network Security Goals (CIA Model)
1. Confidentiality: secrecy is enforced, so that information cannot be read by unauthorized users.
2. Integrity: data cannot be modified by unauthorized users, and any unauthorized modification is detectable.
3. Availability: authorized users do not lose access to resources and information.
11. Security Policy
• The policy defines how security is implemented, as a set of rules. It is written by answering the following questions:
What are you trying to protect?
What data is confidential?
What resources are precious?
What are you trying to protect against?
Who is authorized to log in to the management plane?
12. Vulnerabilities
A vulnerability is a weakness inherent in a network, device, technology or policy.
Types of vulnerabilities:
- Technology weaknesses
- Configuration weaknesses
- Security policy weaknesses
13. Threats
A threat is the potential for a security weakness to be exploited. Threat actors are the people eager, willing and qualified to take advantage of each weakness, and they continually search for new methods and techniques to do so.
Types of threats:
- Internal threat
- External threat
16. Firewalls
A firewall is a network security system (software or hardware) that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
• Modern firewalls include:
- Intrusion Prevention System (IPS)
- Authentication, authorization and vulnerability assessment functions
17. Intrusion Detection System (IDS)
Used to monitor a network for "suspicious activity" and alert the administrators.
• Syslog server: a central collector for the log messages generated by the network devices, so that events can be received and correlated in one place.
18. VPN
A Virtual Private Network is a private network built over public telecommunication infrastructure, such as the Internet, instead of leased lines.
VPNs use several protocols, such as:
• PPTP -- Point-to-Point Tunneling Protocol (obsolete: its MS-CHAPv2 authentication is broken, so it should not be used for new deployments)
• L2TP -- Layer 2 Tunneling Protocol (provides no encryption of its own and is normally run over IPsec)
19. Encryption
• Encryption is a method of "scrambling" data before transmitting it over the Internet, so that only the intended recipient can read it.
- Public-key encryption technique
- Digital signature
20. Project Phases
1- Phase one: Network infrastructure design & layout planning
2- Phase two: Application of protection & implementation of the security policy
21. Network Design
Network design is the process of arranging the various components of a network to meet the demands of its subscribers.
Our network design must answer some pretty basic questions:
- What equipment do we need for the network?
- What are the size and type of the devices?
- How do we connect it all?
- How do we configure it to work right?
- What is the method of connection?
- Finally, is the network secure?
22. Phase One Objectives
Design a network infrastructure for EEE and the surrounding departments of the Engineering faculty that meets the availability requirement.
Connect the whole infrastructure of the departments through a main core switch.
Assign interfaces and a separate DHCP pool for each department.
Distribute VLAN subnets covering classes, labs and staff offices.
Configure a wireless access point for each department.
23. GNS3
GNS3 is a graphical network emulator that allows us to design complex network topologies. It runs real device software images, so routers, switches and firewalls behave as they do in production.
29. Switches distribution in each department
Department                    Floors   24-port switches   48-port switches   Wireless access points
Electric and Electronic Eng.     3            1                  2                    1
Marine Eng.                      2            2                  -                    1
Mechanical Eng.                  1            1                  1                    1
Architectural Eng.               3            1                  1                    1
31. Phase Two
Apply the security protocols.
Create encrypted passwords for the management plane.
Configure the isolation mechanism (access lists between the VLANs).
Allow the heads of departments' networks to connect to each other.
Create a syslog server.
Configure the VPN.
Create a zone-based firewall.
Apply authentication for users.
32. Securing the management plane:
Set an enable password on each network device and limit the number of authentication retries.
Require SSH (encrypted) on the VTY lines used for remote management, instead of Telnet.
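The slide lists the management-plane controls without showing how they are entered, and the speaker notes for this slide ask for 3 authentication retries and a 60-second idle time and for log messages to be sent to the Kiwi syslog server. The configuration below is an added example written for this page, not the project's own configuration. The hostname, the domain name, the admin user name, the management network 10.99.0.0/24, the syslog server address 10.99.0.50 and the management SVI Vlan99 are assumptions; substitute the project's values. The scrypt (type 9) secrets need IOS 15.3(3)M or later; on older images drop "algorithm-type scrypt" and keep "secret".

```cisco
! Added example; device and address names are assumptions, see the lead-in.
hostname EEE-CORE
ip domain-name eng.uot.example
! Local administrator with a one-way hashed password (never "username ... password").
username admin privilege 15 algorithm-type scrypt secret <strong-password>
! Enable secret, hashed; "enable password" would be stored reversibly.
enable algorithm-type scrypt secret <strong-enable-password>
! RSA key pair for SSH, then allow SSH version 2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
! Slide notes: 3 authentication retries per SSH session.
ip ssh authentication-retries 3
! Throttle brute force: after 3 failed logins within 60 s, refuse logins for 120 s,
! except from the management network, and log every attempt.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
! Only hosts on the management network may open a management session.
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 1 0
line con 0
 login local
 exec-timeout 1 0
! Slide notes: 60-second idle time = "exec-timeout 1 0" on the lines above.
! Obscure any legacy plaintext passwords still present in the configuration.
service password-encryption
! Forward events to the Kiwi syslog server at the debugging level chosen in the notes.
service timestamps log datetime msec localtime show-timezone
logging buffered 16384
logging host 10.99.0.50
logging trap debugging
logging source-interface Vlan99
```

Debugging-level trap logging is the most verbose level and is fine for a lab; in production "logging trap informational" keeps the syslog server readable. Check the result with "show ip ssh", "show login" and "show logging" before disabling console access.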
35. Initialize the Zone-based Firewall
Separate the network into three zones:
1- In zone (internal network)
2- Out zone (ISP)
3- Self (the firewall itself)
Configure the interfaces of the firewall:
Inside (trusted) interface: FastEthernet0/0, 20.1.0.2/24
Outside (untrusted) interface: FastEthernet1/0, 192.168.137.5/24
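The slide names the three zones and the two interfaces; the speaker notes later say the applied policy runs from the in zone to the out zone. The following is an added example of that zone-based firewall configuration in Cisco IOS, not the project's own configuration. The interface addresses are the ones on the slide; the zone, class-map and policy-map names, the set of permitted protocols and the management rule towards the self zone are assumptions. Note that 20.1.0.0/24 is not an RFC 1918 private range; it works inside the GNS3 lab, but a real deployment should use a private range on the inside.

```cisco
! Added example; names and the permitted protocols are assumptions, see the lead-in.
zone security IN
 description Trusted campus network
zone security OUT
 description Untrusted ISP link
! "self" is predefined: it is the router itself and needs no "zone security" line.
interface FastEthernet0/0
 ip address 20.1.0.2 255.255.255.0
 zone-member security IN
interface FastEthernet1/0
 ip address 192.168.137.5 255.255.255.0
 zone-member security OUT
! IN -> OUT: web, DNS and ICMP are inspected statefully, so the return traffic
! is admitted without any OUT -> IN policy; everything else is dropped and logged.
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect IN-TO-OUT-POLICY
! No OUT -> IN zone-pair exists, so unsolicited inbound connections are dropped.
! IN -> self: only SSH and ping from the inside network may reach the firewall.
! Once a zone-pair involving "self" has a policy, unmatched traffic to the
! router is dropped, so the management rule must be correct before it is applied.
ip access-list extended MGMT-TO-SELF
 permit tcp 20.1.0.0 0.0.0.255 any eq 22
class-map type inspect match-any IN-TO-SELF-CLASS
 match access-group name MGMT-TO-SELF
 match protocol icmp
policy-map type inspect IN-TO-SELF-POLICY
 class type inspect IN-TO-SELF-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-SELF source IN destination self
 service-policy type inspect IN-TO-SELF-POLICY
```

Verify with "show zone-pair security" and "show policy-map type inspect zone-pair sessions" while a client browses from the inside; a Telnet attempt to the firewall from the inside should now appear as a dropped packet in the log. Apply the self-zone policy from the console in GNS3 first, since a mistake in MGMT-TO-SELF locks out SSH.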
37. Configure VPN tunnel for wireless users
Define the interface facing the wireless access point in CCP (Cisco Configuration Professional), then select pre-shared key authentication.
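The slide shows only the two wizard choices (the interface and pre-shared key authentication). The configuration below is an added example of what such an IPsec tunnel with pre-shared key authentication looks like on the command line; it is not the project's own configuration, which was produced by the CCP wizard. It assumes that this router is the firewall (outside address 192.168.137.5 from the slide), that a gateway router in front of the wireless access point is reachable at 192.168.137.20 and serves the wireless users on 10.30.0.0/24, and that the campus side is 20.1.0.0/24; those peer and subnet values are assumptions. SHA-256 in the ISAKMP policy and transform set needs IOS 15.1 or later; on older lab images use "hash sha" and "esp-sha-hmac".

```cisco
! Added example; peer address and wireless subnet are assumptions, see the lead-in.
! Phase 1 (IKEv1). Main mode is the default for a crypto map; do not enable
! aggressive mode, which exposes the PSK hash to an offline attack.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! The PSK is only as strong as the key itself: use a long random string, never a word.
crypto isakmp key <long-random-psk> address 192.168.137.20
! Phase 2: ESP with AES-256 encryption and SHA-256 integrity, tunnel mode.
crypto ipsec transform-set WLAN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Only traffic between the campus LAN and the wireless subnet is protected.
ip access-list extended WLAN-VPN-TRAFFIC
 permit ip 20.1.0.0 0.0.0.255 10.30.0.0 0.0.0.255
crypto map WLAN-MAP 10 ipsec-isakmp
 set peer 192.168.137.20
 set transform-set WLAN-TS
 set pfs group14
 match address WLAN-VPN-TRAFFIC
! The crypto map is bound to the outside interface; the peer router mirrors
! this configuration with "set peer 192.168.137.5" and the ACL reversed.
interface FastEthernet1/0
 crypto map WLAN-MAP
```

Bring the tunnel up by sending traffic that matches WLAN-VPN-TRAFFIC, then check "show crypto isakmp sa" (state should be QM_IDLE) and "show crypto ipsec sa" (encaps/decaps counters increasing). If a zone-pair between OUT and self is ever added to the zone-based firewall, it must pass UDP 500, UDP 4500 and ESP from the peer, or IKE will never complete.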
47. Conclusion
Network design and security is an important field that is getting more and more attention as the Internet expands. Providing the resources and the type of connection is a primary task that should be considered before implementing a network, keeping in mind the security measures and policies that need to be applied to the clients and the communication chain to keep it safe.
An effective network design should be developed with:
1- An understanding of network design concepts such as reliability and availability.
2- Knowledge of the factors that make a network vulnerable and weak against potential threats and attackers.
3- The level of security required to achieve stability and confidentiality for the subscribers.
4- Finally, implementation and configuration of the network components to supply the clients' demands while aligning with the security plan that has been laid down.
Topology: the arrangement of the network components.
Speed: of the data transmission between source and destination.
Cost: keep it as low as the requirements allow.
Security: indicates how well protected the network is.
Availability: of the network to the subscribers, 24/7.
Scalability: how easily the network can accommodate more users and more data transmission requirements.
Reliability: indicates the dependability of the components that make up the network.
PAN: a computer network organized around an individual person.
LAN: a group of devices that share a common communications line.
WAN: used over a large geographical area such as a city or country.
Network components can be divided into 4 groups:
1- End points: such as PCs and servers
2- Interconnections: NICs (LAN cards)
3- Network media: physical media such as cables, or wireless media
4- Connecting devices: switches, routers
Assets can be defined as something of value.
In network security certain concepts need to be attained, which are:
Confidentiality: who is authorized to log in or read the data.
Integrity: is the data that arrived the same data that was sent?
Availability: of the network resources and services to the subscribers.
Vulnerabilities may exist in computer systems and networks, leaving the system open to a technical attack, or in administrative procedures.
Internal threats can cause more damage to the network's information than external ones.
DDoS: attacks that originate from a large number of systems, usually controlled from a single master, which flood a network server (for example with ping packets) until it fails.
MitM: an attack where the attacker secretly relays and alters the communication between two parties who believe they are communicating directly with each other.
The firewall acts like a shield against outside threats, allowing only predetermined protocols to pass through while denying the others.
An IDS is a type of security software designed to automatically alert the administrators when someone or something is trying to compromise the information system through malicious activity.
The VPN acts like a private tunnel through an untrusted network such as the Internet, establishing encrypted communication between the two parties.
Encryption scrambles the data, or simply alters it in such a way as to hide it from unauthorized individuals.
Encryption has several techniques, such as public-key encryption and digital signatures.
As shown in the figure, the EEE department consists of three floors.
The first floor contains 7 classes and one beta office for students.
The second floor consists of the staff offices and 3 labs.
The last floor consists of two labs and the administration office.
The total covers the 4 departments of the Engineering faculty: Electric and Electronic, Marine, Mechanical and Architectural Engineering.
The infrastructure consists of 3 layers.
The access layer provides connectivity for the network hosts and end devices; it contains the 48- and 24-port switches and the wireless access points.
The core layer contains a fast-switching layer-3 device that connects the departments together.
As shown, the third layer contains the AAA and syslog servers, which are connected to the firewall and then to the ISP.
The access switches are chosen depending on the number of classes, labs and floors estimated for each department.
1- To designate when and who is authorized to access/configure the network components.
2- Designated for the administrators.
3- To separate each VLAN from the others.
4- !!!!!
5- To receive and correlate events.
6- For the wireless access point users.
7- Using a captive portal application.
3 authentication retries and a 60-second idle time.
To segregate each VLAN from the others, we used extended access lists on the main core switch, as shown in this figure.
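The figure referred to above is not on the page, and the Phase One objectives (one interface, one DHCP pool and VLAN subnets per department) are likewise listed without their configuration. The block below is an added example of both on a Cisco IOS layer-3 core switch, not the project's own configuration. The VLAN numbers, the 10.x.0.0/24 department subnets, the transit VLAN 99 towards the firewall, the DNS server 20.1.0.10 and the heads-of-departments VLAN 50 are assumptions; the firewall inside address 20.1.0.2 is the one on the slides. Two departments are written out; the other two follow the same pattern.

```cisco
! Added example; VLAN numbers and subnets are assumptions, see the lead-in.
ip routing
vlan 10
 name EEE
vlan 20
 name MARINE
vlan 30
 name MECHANICAL
vlan 40
 name ARCHITECTURAL
vlan 50
 name DEPT-HEADS
vlan 99
 name TRANSIT-TO-FW
! One routed SVI per department, with its access list applied where traffic enters.
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group DEPT-EEE-IN in
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group DEPT-MARINE-IN in
! (Vlan30 and Vlan40 are configured the same way.)
interface Vlan50
 ip address 10.50.0.1 255.255.255.0
interface Vlan99
 ip address 20.1.0.1 255.255.255.0
! Everything not local goes to the firewall's inside interface.
ip route 0.0.0.0 0.0.0.0 20.1.0.2
! One DHCP pool per department; the gateway and static hosts stay out of the pool.
ip dhcp excluded-address 10.10.0.1 10.10.0.20
ip dhcp pool EEE
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1
 dns-server 20.1.0.10
ip dhcp excluded-address 10.20.0.1 10.20.0.20
ip dhcp pool MARINE
 network 10.20.0.0 255.255.255.0
 default-router 10.20.0.1
 dns-server 20.1.0.10
! Segregation: a department may reach the heads' VLAN, the server/firewall
! segment and the Internet, but no other department VLAN. The first line lets
! DHCP requests through; the last line rejects packets with a spoofed source.
ip access-list extended DEPT-EEE-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.10.0.0 0.0.0.255 10.50.0.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 20.1.0.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.10.0.0 0.0.0.255 any
 deny   ip any any log
ip access-list extended DEPT-MARINE-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.20.0.0 0.0.0.255 10.50.0.0 0.0.0.255
 permit ip 10.20.0.0 0.0.0.255 20.1.0.0 0.0.0.255
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.20.0.0 0.0.0.255 any
 deny   ip any any log
! Vlan50 carries no inbound ACL, so the heads of departments reach every
! department, and each department ACL permits the replies back to 10.50.0.0/24.
```

Test it from a host in VLAN 10: a ping to 10.20.0.1 should fail and show up as a logged deny, while pings to 10.50.0.1, 20.1.0.2 and an Internet address succeed. "show ip access-lists" shows the hit counters per line, which is the quickest way to confirm the order of the entries is right.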
Using the Kiwi Syslog program to receive messages from the core switch and the firewall, with the debugging level of logging selected.
The figure demonstrates the firewall policies applied from the in zone to the out zone.
In this step we emulate a password-spoofing attack to acquire the username and password of the administrator; this attack was a failure because of the SSH protocol that had been used.