COIT20265 | Capstone Project Case Study | Networks and Information Security Project

The First National University (FNU) Background

The First National University (FNU) is a major public higher education institution. It was the first higher education institution in the country to launch distance education and more recently online programs. Apart from its main Campus, the University has operations in five (5) regional campuses (RCs) and ten (10) metropolitan campuses (MCs). At present, FNU provides diverse range of undergraduate and postgraduate programs as well as Vocational and Educational Training (VET) and short professional programs.

More than 45,000 students are currently studying various levels of programs at FNU as on-campus students. Additionally, around 15,000 students are currently studying at FNU under the online and distance education programs.

FNU has three (3) major facilities to support its information technology services, namely, Headquarters, Operations (Data Centre) and Backup. The Headquarters facility is located in the main Campus. The Operations facility is located 50Kms from the Headquarters in a warehouse the University owns near an industrial area. The Operations facility houses the back-office technical functions, the Data Centre, and the IT staff. The Backup facility is located in the country area about 1000km from the headquarters. FNU uses the Backup facility as a warm-site facility that can be operational within minutes in the event the Operations facility fails.

Apart from the main campus, all regional and metropolitan campuses are very similar in terms of size, staff, and technologies. Their IT infrastructure uses relatively old and complex technologies. FNU still uses a number of protocols to enable campus communication to the main server farm located at the Operations.

Each campus is connected to the university backbone through old Multiservice Platform Routers for flexible LAN and WAN configurations, easy upgrades, and the handling of various protocols at the internet and transport layers. The router enables the campus to communicate with different FNU campuses located in different sites.

To support the day-to-day learning and teaching activities, academics and administrative staff at FNU also deals with a dozen (12) of external partners including hospitals, research centres, vendor support, and technology partners in many different ways, non-necessarily compatible each other.

At FNU the current network has consistency, performance, and reliability problems owing to a growth in enrolments and recent operations expansion. The IT department has been informed about an increase in student and faculty complaints. Particularly, faculties and academic staff claim that owing to network problems, they cannot efficiently submit grades, maintain contact with colleagues at other campuses, keep up with research, and conduct their daily tasks. Similarly, students say they have submitted student work late due to network problems. Assignments submission has been problematic since the introduction of the online submission approach. Students complain that late submissions have impacted their grades badly. Despite the complaints about the network, faculty, academic staff, and students use of the network has almost tripled in the last three few years

Another issue at FNU is that there are no BYOD and Work-at-home (WAT) policies. This has become a focus of contention between the IT department, staff and students. The IT department is concerned about a number of rogue wireless ad-hoc access points often placed by students within the campus premises. The vast majority of staff, faculty and students agree that there is a need of implementing secure wireless and remote access including the WAT and BYOD policies. The evidence is overwhelming on the need to rethink the way network services are provided at FNU.

The senior management at FNU has identified a number of key business factors that need immediate attention:

1. Enrolment for both on-campus and distance education is to increase 50% in the next three
2. Improve faculty efficiency and allow academic staff to participate in more research projects with colleagues at other campuses and partner universities
3. Improve student support efficiency and eliminate problems with assignment online
4. As part of the BYOD policy, allow students, staff and visitors to the University to access the campus network and the Internet wirelessly using their mobile devices including notebooks, smartphones, and
5. As part of the WAT, allow students and staff to remotely access the campus network from
6. Secure the campus networks from

                                                                                                  

In response to the senior management call, the IT department at FNU developed a list of technical goals that should be implemented as soon as possible:

1. Redesign the current network including provision for wireless
2. Overhaul the IP addressing
3. Increase the bandwidth of the Internet connection to support new applications and the expanded use of current
4. Provide a secure, private wireless network for students, staff and visitors to access the campus network and the
5. Provide a network that offers a response time of less than a second for interactive applications.
6. Provide a network that is available approximately 99.9 percent of the time and offers an MTBF (mean-time-between-failure) of 6000 hours and an MTTR (mean-time-to- repair) of less than 90 minutes.
7. Provide security to protect the Internet connection and internal network from
8. Provide a network that can scale to support future expanded usage of multimedia applications including online
9. Automate the majority of the network tasks and services including plug and play, network configuration, network management, troubleshooting, network monitoring, resource sharing, load balancing, updates, and data backups.

Wide Area Networks (WANs) at FNU

Currently, FNU supports its wide area network operations using a mesh topology of three (3) Layer2 VPLS (Virtual Private LAN Service) point-to-point circuits. This mesh guarantees redundancy between the Headquarters, Operations (Data Centre), and Backup sites.

Each regional and metropolitan campus is also redundantly connected to the major facilities (links to Headquarters, Operations and Backup respectively) via Frame Relay permanent virtual circuits (PVC). Similarly, two separate frame relay Internet Service Providers (ISP) are used for redundant Internet access: one PVC via the main Campus (Headquarters) and the other PVC via the Backup site. The external partners are connected to FNU via DSL.

Campus Network in FNU (Main, Metro, and Regional Campuses)

Each FNU campus is supported by 100Base-TX Switched Ethernet LANs, and FNU is expecting to upgrade to more modern Switched Ethernets. Staff at FNU are distributed as follows:

1. 250 employees including academic (x150), administrative (x50) and management staff (x50). There are about 2,000 on-campus students in each of the regional and metro
2. The main campus houses around 2,000 employees including academic (x1000); administrative (x500) and management staff (x500). Nearly 15,000 on-campus students are studying at the main

The Operations facility is also supported by 100Base-TX Switched Ethernet LANs. In the Operations facility, there are 100 engineers in charge of technical support of the data centre, networking, maintenance, and application development. The organisational and operational structure of the Backup facility is similar to the structure of the Operations facility.

Academic staff at the main campus, regional, and metro campuses teach courses in seven faculties, namely: arts and humanities, business, social sciences, mathematics, computer science, the physical sciences, and health sciences. The administrative staff handle admissions, student records, and other student operational functions. The management staff consists of human resources, senior management and information technology. Enrolment at FNU has almost tripled in the past three years; and the faculty and admin staff has doubled in size.

Each campus backbone (including main, regional and metro campuses) supports the operations of the seven faculties, management, and administrative staff. The following are the details of the IT infrastructure:

1. A high-end switch in each building is connected to a high-end Campus core switch in the campus backbone.
2. Within each building, 24-port Ethernet switches on each floor connect end user
3. Floor switches are connected to the high-end building
4. The 100Base-TX switches are layer-2 switches running the IEEE 802.1D Spanning Tree Protocol.
5. All devices are part of the same broadcast domain. All devices (except public servers) are part of the 192.168.0.0 internal network
6. Addressing for end-user hosts is accomplished with DHCP. A Windows server in the cluster located in the Operations facility acts as the DHCP
7. A Windows-based network management software package monitors the switches using SNMP and RMON. The software runs on a server in the cluster located in the Operations
8. FNU email and web servers use public addresses assigned by AARNET (Discuss with your mentor the allocation of these public addresses). The system also provides a DNS server that the FNU All these public servers are located in the Operations facility.
9. The Multiservice Platform router in each campus has a default route to the WAN and does not run a routing protocol.
10. Campus servers support for local file storage (students and staff) and data backups that are periodically transferred to the main data centre at the Operations Facility

The logical topology of the Operations facility is similar to the Campus backbone. The main difference is that the server farm with the public services (Web, email and file services) are housed in the Data Centre of this facility. The Multiservice Platform router at the Operations facility acts as a NAT-Firewall.

Application and Enterprise Services

The following table provides a summary of the main network applications and enterprise services currently running in all FNU campuses.

Application / Service	Description	Users
Students and academics’ work	On-campus students use the network to write assignments and other documents. Computer Science academics and students use the network to develop code. They can save their work to file servers in the campus servers and print their tasks on printers within the campus and other buildings.	Students and academic staff
Electronic Mail (SMTP)	Email is used campus-wide (MS Outlook Desktop).	Students and University staff
Web services (HTTP and HTTPS)	Use of web browsers to access information, participate in chat rooms, and other typical Web services.	Students and University staff
University Library	The University has a main library at the main campus and smaller library facilities at each regional and metro campuses. Students and staff access the online library catalogue.	Students and University staff
HPC	Higher Performance Computing Cluster located in the Operations building. This system is part of the nation’s scientific research program.	Students and faculty in collaboration with external partners

Online and Distance Education	All faculties have online teaching programs that require video streaming via Blackboard Collaborate.	Students and Academic staff
Moodle Learning Management System	Management of learning resources	Students and Academic staff
ERP	Human Resource Management and SAP Enterprise Resource Planning	Administrative and Management staff
Student Information System	The University administration staff uses this system to keep track of class registrations, enrolments and student records.	Administrative and academic staff
Data Analytics	Business intelligence Platform to find, explore, and share data-driven insights within FNU.	University Senior Management
GoogleDocs	Online word processor to create and format documents and work collaboratively.	University staff
Office 365	To access Microsoft Office apps on Windows, macOS, iOS, Android, and Windows mobile. It also provides webmail and social networking services via the Exchange Server	Students and University staff
Adobe Creative Cloud	To access Adobe apps including Photoshop, Illustrator, InDesign and Premiere Pro.	Students and University staff
Academic Information Management System	Academic workflow support	Academic staff
Video Conferencing System	For Online meetings. Each campus has at least two virtual rooms fully configured.	Students and University staff
Laboratory Software	All computer labs are equipped with Microsoft Office and a wide range of software development tools (both proprietary and open source)	Students and University staff

ICT infrastructure at Metro and Regional campuses

Hardware

• Staff equipped with Desktop PCs running Windows 7 (dual monitors)
• Staff PCs equipped with first generation headsets and webcams
• 4 networked Laser Printers in each faculty
• 10 computer labs, each equipped with 24 PCs running Windows and a printer
• One Network Attachment Storage for local storage
• 100Base-TX Switched Ethernet

ICT infrastructure at Headquarters (main campus)

Hardware

• Staff equipped with Desktop PCs running Windows 10 (dual monitors)
• Staff PCs equipped with latest generation headsets and webcams
• 20 networked Laser Printers (also capable of scanning and photocopying)
• 50 computer labs, each equipped with 24 Desktop PCs running Windows 10 and a printer
• One Network Attachment Storage (NAS) for local storage
• Staff equipped with VoIP video phones
• 100Base-TX Switched Ethernet

ICT infrastructure at Operations site

• Operating systems: Combination of Windows and Linux servers
• Staff equipped with Desktop PCs running Windows 8

All operational servers including file, web, mail, DHCP, DNS, Authentication, Blackboard, Domain Controllers, Database, SAN, Load Balancing and video streaming servers are concentrated in this facility. The Operations facility also contains the infrastructure to support FNU’s learning management and student information systems; and ERP services.

ICT infrastructure at Backup site

As mentioned, the Backup is a warm-site facility that can take over within minutes in the event that the Operations facility fails. The backup site infrastructure mirrors the Operations facility.

Problem Statement

FNU business processes rely on a combination of systems and services with a very complex ICT infrastructure. FNU academic board acknowledges this as major issue that could compromise FNU’s growth and sustainability. The senior executive argues that currently the University is spending a huge amount of money to maintain and integrate disparate and cumbersome systems, with little room to expand and improve services. FNU needs to change and re-provision the ICT infrastructure to provide high quality learning and teaching in the most cost-effective way.

As part of this change, the transition to interoperability should be achieved in a smooth manner while leveraging the latest advancements in network and information security infrastructure to guarantee “zero” problems. This might also include the migration of key university applications and services to the Cloud.

In terms of network and information security, the ICT infrastructure should safeguard appropriate access and use of resources; and ensure unauthorised and malicious internal and external network attacks are properly blocked. Network redundancy is currently achieved with the mesh topologies (VPLS and Frame Relay); however, nothing has been done in terms of security plans for both disaster recovery (DRP) and business continuity (BCP).

Statement of Works

Your task is to plan and implement a project to help FNU re-provision its ICT infrastructure in accordance with its rapidly changing needs. The project consists of three parts: network security plan, network redesign, and technology implementation.

Part 1: Network Security plan

The network security plan should include as minimum the following items:

1. Introduction outlining the importance of the plan and its purpose. Your introduction should also provide a brief description of the components of the proposed network security plan in terms of the First National University
2. Scope outlining the areas of the organisation that the Plan applies. The scope also relates to the breakdown of the tasks that are needed to make sure that the network is
3. Assumptions documenting any assumptions you have made in order to prepare the plan. There are things that might not be clear from the case study, hence you have either to consult with the mentor or assume them in a reasonable way with a clear
4. Clear and concise statements about what the Security Plan is designed to achieve. This statement must relate the business and technical goals of
5. Summary and analysis of the organisation’s risks, highlighting the current threats, challenges and vulnerabilities along with an assessment of current security environment and treatments in place. This is perhaps the most important component of the security plan. It includes the complete assessment of each of the network assets (computer hardware, PCs, servers, application and system software, network devices, employees, partners and the like) and its importance for the normal operation of the network

The analysis also investigates the vulnerabilities of each asset and its associated threat that might exploit those vulnerabilities.

6. Network Security policies to address all possible network attacks and vulnerabilities. Note that these policies address the likely issues that might occur during the transmission of the data through the
7. Information Security policies to address unauthorized and misappropriate use of FNU data and software applications. Note that these policies address the likely issues that might occur during the storage and processing of the
8. Disaster recovery and Business continuity
9. Security Strategies and Recommended controls including security policies. The recommended controls are the action points you are to put in place to mitigate the risks you uncovered as part of your risk
10. In practice, achieving total security in an organisation is impossible. Residual risks that remain after all possible (cost-effective) mitigation or treatment of risks should be taken into account. Your security plan should estimate, describe and rate these residual risks to guide the priorities for ongoing monitoring of
11. Resources for implementing the recommendation. This should include any type of resources like humans, communities of practice, quality audit groups, and the

You are advised to use the network security plan template posted in the Moodle site to ensure you address all required items (refer to the marking criteria).

Part 2: Network Redesign

The redesign should be justified in terms of scalability, availability, network performance, security, manageability, usability, adaptability, and affordability. To do this, you need to make a number of assumptions. For example, assume that a great number of University services operate 24/7. Other services are to operate from 6:00am to 8:00pm Monday to Friday. Other aspects to consider are user’s behaviour, type of applications and services, bandwidth requirements, and the like. Make sure you discuss this further with your team mates, mentor, and teacher.

Specifically, for this redesign take into account the following:

1. Traffic generated by the hosts: clients, servers, and backup
2. Appropriateness of WAN links to support current traffic and forecast
3. Appropriateness of wired LANs and Wireless LANs to support future
4. VLAN configuration.
5. Network devices including routers and switches at each site (wired and wireless); and the respective network protocols and quality of service
6. IP address allocation of each network and main network
7. Sub-netting to separate traffic.
8. Firewalls positioning and
9. Proxy
10. DMZ
11. Firewalls Access Control
12. Network diagram (logical and physical topologies).

You are advised to use the network redesign template posted in the Moodle site to ensure you address all required items (refer to the marking criteria).

Part 3: Security Technology Implementation

As part of the security technology implementation, and in line with the recommended controls mentioned above in the network security plan (item 9), you are required to document, implement, and test at least five (5) recommended controls. The following are some suggestions of security technologies you could implement:

1. Data backup and recovery technology including the procedures for backup and recovery. Note that there are NASs at the campuses to back up the data generated locally, however the vast majority of data is backed up to the File Servers in each campus and ultimately to the Operations facility through the WAN. You need to provide the strategy of the backup, technical details, specifications and functionalities of the recommended backup
2. A proper authentication system that takes care of highly secured roles and permissions to access, share, download, upload files and folders. This should include authentication for wireless and mobile services as well (according to WAT and BYOD policies). You need to provide the complete details of the recommended technology including the product and vendor
3. Services like File, Web (and secure Web), Mail (and secure Mail including spam email prevention), DHCP, DNS, Domain Controllers. For example, you may suggest Apache HTTT Server as the Web server software. If that is the case, then you must describe the full configuration of the Apache HTTP Server and the application architecture used to include the load balancer, replica web server, and data server (if you opt for a three-tier architecture for example). Again, you need to provide details of the software vendor and recommended hardware to run the
4. Hardening of servers described mentioned in section 3. All the services need to be hardened with products as recommended in the network security
5. Network security including DMZs, Firewalls, Intrusion Detection and Prevention Systems (IDSs and IPSs).

Security technologies 1 to 5 mentioned above are suggestions only. Discuss with your mentor and teacher any other options of your interest.

Proof of concept

As part of the project requirements, you are required to implement and test the recommended controls suggested in the security technology implementation section above. The solution should address current needs of FNU, including the installation of the software, configuration of the system, and developing of test cases to check the complete functionality of the system.

For the proof of concept, it is mandatory that you include the documented results (procedures and screen dumps) of various network security attacks tests (such as Network Penetration Test) as part of your final project report. You may use your choice of security software/tools (including freeware open software systems) and operating systems (Windows, Linux, or Ubuntu) in a virtualized environment to build and simulate the security tests. You are required to demonstrate your implementations at the end of the term.

You are advised to use the security technology implementation template posted in the Moodle site to ensure you address all required items (refer to the marking criteria).