Recent Question/Assignment

Assessment Details
Qualification Code/Title ICT60215 Advanced Diploma of Network Security
Assessment Type Assessment -02 ( Practical Demonstration) Time allowed
Due Date Location AHIC Term / Year
Student Details
Student Name Student ID
Unit of Competency
National Code/Title ICTNWK608 Configure network devices for a secure network infrastructure
Student Declaration: I declare that the work submitted is my own, and has not been copied or plagiarised from any person or source. Signature:
Date:
Assessor Details
Assessor’s Name
RESULTS (Please Circle) SATISFACTORY NOT SATISFACTORY
Feedback to student:
..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Student Declaration: I declare that I have been assessed in this unit, and I have been advised of my result. I am also aware of my appeal rights.
Signature: _______________________________
Date: ______/_______/___________
Assessor Declaration: I declare that I have conducted a fair, valid, reliable and flexible assessment with this student, and I have provided appropriate feedback.
Signature: ___________________________________
Date: ______/_______/___________
Instructions to the Candidates
? This assessment is to be completed according to the instructions given below in this document.
? Should you not answer the tasks correctly, you will be given feedback on the results and gaps in knowledge. You will be entitled to one (1) resubmit in showing your competence with this unit.
? If you are not sure about any aspect of this assessment, please ask for clarification from your assessor.
? Please refer to the College re-submission and re-sit policy for more information.
? If you have questions and other concerns that may affect your performance in the Assessment, please inform the assessor immediately.
? Please read the Tasks carefully then complete all Tasks.
? To be deemed competent for this unit you must achieve a satisfactory result with tasks of this Assessment along with a satisfactory result for the Assessment.
? This is an Open book assessment which you will do in your own time but complete in the time designated by your assessor. Remember, that it must be your own work and if you use other sources then you must reference these appropriately
? Submitted document must follow the given criteria. Font must be Times New Roman, Font size need to be 12, line spacing has to be Single line and Footer of submitted document must include Student ID, Student Name and Page Number. Document must be printed double sided.
? This is Individual Assessments. Once you have completed the assessment, please upload the softcopy of the Assessment into AHIC Moodle.
? Plagiarism is copying someone else’s work and submitting it as your own. Any Plagiarism will result in a mark of Zero.
Assessment 02 – Practical Demonstration
Practical 1: Implementing Layer 2 Security

Objectives
1. Assign the Central switch as the root bridge.
2. Secure spanning-tree parameters to prevent STP manipulation attacks.
3. Enable storm control to prevent broadcast storms.
4. Enable port security to prevent MAC address table overflow attacks.
Senario:
There have been a number of attacks on the network recently. For this reason, the network administrator has assigned you the task of configuring Layer 2 security.
For optimum performance and security, the administrator would like to ensure that the root bridge is the 3560 Central switch. To prevent against spanning-tree manipulation attacks, the administrator wants to ensure that the STP parameters are secure. In addition, the network administrator would like to enable storm control to prevent broadcast storms. Finally, to prevent against MAC address table overflow attacks, the network administrator has decided to configure port security to limit the number of MAC addresses that can be learned per switch port. If the number of MAC addresses exceeds the set limit, the administrator would like for the port to be shutdown.
All devices have been preconfigured with:
? Enable secret password: ciscoenpa55
? Console password: ciscoconpa55
? VTY line password: ciscovtypa55
Your Tasks:
Task 1: Verify Connectivity
Task 2: Create a Redundant Link Between SW-1 and SW-2
Task 3: Enable VLAN 20 as a Management VLAN
Task 4: Enable the Management PC to Access Router R1
Practical 2: Configure IOS Intrusion Prevention System (IPS) using CLI on Cisco routers

Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
R1 G0/1 192.168.1.1 255.255.255.0 N/A
S0/0/0 10.1.1.1 255.255.255.0 N/A
R2 S0/0/0 (DCE) 10.1.1.2 255.255.255.0 N/A
S0/0/1 (DCE) 10.2.2.1 255.255.255.0 N/A
R3 G0/1 192.168.3.1 255.255.255.0 N/A
S0/0/0 10.2.2.2 255.255.255.0 N/A
Syslog Server NIC 192.168.1.50 255.255.255.0 192.168.1.1
PC-A NIC 192.168.1.2 255.255.255.0 192.168.1.1
PC-C NIC 192.168.3.2 255.255.255.0 192.168.3.1
Learning Objectives
1. Enable IOS IPS.
2. Configure logging.
3. Modify an IPS signature.
4. Verify IPS.

Senario:
Your task is to configure router R1 for IPS in order to scan traffic entering the 192.168.1.0 network.
The server labeled ‘Syslog Serve’ is used to log IPS messages. You must configure the router to identify the syslog server in order to receive logging messages. Displaying the correct time and date in syslog messages is vital when using syslog to monitor the network. Set the clock and configure timestamp service for logging on the routers. Finally, enable IPS to produce an alert and drop ICMP echo reply packets inline.
The server and PCs have been preconfigured. The routers have also been preconfigured with the following:
? Enable password: ciscoenpa55
? Console password: ciscoconpa55
? SSH username and password: SSHadmin / ciscosshpa55
? OSPF 101
Your Tasks:
Task 1: Enable IOS IPS
Task 2: Modify the Signature
Practical 3: Configuring a Zone-Based Policy Firewall (ZPF) on Cisco routers

Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
R1 G0/1 192.168.1.1 255.255.255.0 N/A
S0/0/0 10.1.1.1 255.255.255.252 N/A
R2 S0/0/0 10.1.1.2 255.255.255.252 N/A
S0/0/1 10.2.2.2 255.255.255.252 N/A
R3 G0/1 192.168.3.1 255.255.255.0 N/A
S0/0/1 10.2.2.1 255.255.255.252 N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1
PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1
Learning Objectives
1. Verify connectivity among devices before firewall configuration.
2. Configure a zone-based policy (ZPF) firewall on router R3.
3. Verify ZPF firewall functionality using ping, SSH and a web browser.
Senario:
Zone-based policy (ZPF) firewalls are the latest development in the evolution of Cisco firewall technologies. In this activity, you configure a basic ZPF on an edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You then verify firewall functionality from internal and external hosts.
The routers have been pre-configured with the following:
? Console password: ciscoconpa55
? Password for vty lines: ciscovtypa55
? Enable password: ciscoenpa55
? Host names and IP addressing
? Local username and password: Admin / Adminpa55
? Static routing
Your Tasks:
Task 1: Verify Basic Network Connectivity
Task 2: Create the Firewall Zones on Router R3
Task 3: Define a Traffic Class and Access List
Task 4: Specify Firewall Policies
Task 5: Apply Firewall Policies
Task 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE
Task 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE
Practical 4: Configuring Context-Based Access Control (CBAC) on Cisco routers

Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
R1 Fa0/1 192.168.1.1 255.255.255.0 N/A
S0/0/0 10.1.1.1 255.255.255.252 N/A
R2 S0/0/0 10.1.1.2 255.255.255.252 N/A
S0/0/1 10.2.2.2 255.255.255.252 N/A
R3 Fa0/1 192.168.3.1 255.255.255.0 N/A
S0/0/1 10.2.2.1 255.255.255.252 N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1
PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1
Learning Objectives
1. Verify connectivity among devices before firewall configuration.
2. Configure an IOS firewall with CBAC on router R3.
3. Verify CBAC functionality using ping, Telnet, and HTTP.
Senario:
Context-Based Access Control (CBAC) is used to create an IOS firewall. In this activity, you will create a basic CBAC configuration on edge router R3. R3 provides access to resources outside of the network for hosts on the inside network. R3 blocks external hosts from accessing internal resources. After the configuration is complete, you will verify firewall functionality from internal and external hosts.
The routers have been pre-configured with the following:
? Enable password: ciscoenpa55
? Password for console: ciscoconpa55
? Password for VTY lines: ciscosshpa55
? IP addressing
? Static routing
? All switch ports are in VLAN 1 for switches S1 and S3
Your Tasks:
Task 1: Block Traffic From Outside
Task 2: Create a CBAC Inspection Rule
Task 3: Verify Firewall Functionality
Task 4: Review CBAC Configuration
Practical 5: Configure and Verify a Site-to-Site IPsec VPN using CLI on Cisco routers

Addressing Table
Device Interface IP Address Subnet Mask
R1 G0/0 192.168.1.1 255.255.255.0
S0/0/0 (DCE) 10.1.1.2 255.255.255.252
R2 S0/0/0 10.1.1.1 255.255.255.252
G0/0 192.168.2.1 255.255.255.0
S0/0/1(DCE) 10.2.2.1 255.255.255.252
R3 S0/0/1 10.2.2.2 255.255.255.252
G0/0 192.168.3.1 255.255.255.0
PC-A NIC 192.168.1.3 255.255.255.0
PC-B NIC 192.168.2.3 255.255.255.0
PC-C NIC 192.168.3.3 255.255.255.0
Learning Objectives
• Verify connectivity throughout the network.
• Configure router R1 to support a site-to-site IPsec VPN with R3.
Senario:
The network topology shows three routers. Your task is to configure routers R1 and R3 to support a site-to-site IPsec VPN when traffic flows from their respective LANs. The IPsec VPN tunnel is from router R1 to router R3 via R2. R2 acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.
ISAKMP Phase 1 Policy Parameters
Parameters R1 R3
Key distribution method Manual or ISAKMP ISAKMP ISAKMP
Encryption algorithm DES, 3DES, or AES AES AES
Hash algorithm MD5 or SHA-1 SHA-1 SHA-1
Authentication method Pre-shared keys or RSA pre-share pre-share
Key exchange DH Group 1, 2, or 5 DH 2 DH 2
IKE SA Lifetime 86400 seconds or less 86400 86400
ISAKMP Key vpnpa55 vpnpa55
Bolded parameters are defaults. Only unbolded parameters have to be explicitly configured.
IPsec Phase 2 Policy Parameters
Parameters R1 R3
Transform Set Name VPN-SET VPN-SET
ESP Transform Encryption esp-aes esp-aes
ESP Transform Authentication esp-sha-hmac esp-sha-hmac
Peer IP Address 10.2.2.2 10.1.1.2
Traffic to be encrypted access-list 110 (source 192.168.1.0 dest 192.168.3.0) access-list 110 (source 192.168.3.0 dest 192.168.1.0)
Crypto Map name VPN-MAP VPN-MAP
SA Establishment ipsec-isakmp ipsec-isakmp
The routers have been pre-configured with the following:
• Password for console line: ciscoconpa55
• Password for vty lines: ciscovtypa55
• Enable password: ciscoenpa55
• OSPF 101
• SSH username and password: SSHadmin / ciscosshpa55
Your Tasks:
Task 1: Configure IPsec parameters on R1
Task 2: Configure IPsec Parameters on R3
Task 3: Verify the IPsec VPN

Looking for answers ?