Communications and Computer Engineering
Faculty of Engineering
Mansoura University
Design a Secure Network
BSc Comm. & Computers Eng.
Project and Report 2
Supervisor
Dr. Mohammed M. Ashour
Eng. Haitham Abdelghany
Team
Ahmed Samir Mohamed Ahmed Adel Saif
Ahmed Mahmoud Abdelsalam Abdelrahman Alsayed Abdelgelil
Saeed Naser Saeed Mohammed Mahmoud Alemam
Ahmed Atif Mostafa Mohammed Ahmed Mostafa Almghawri
Mahmoud Mostafa Alsaeed
Abstract
The security of computer networks plays a strategic role in modern computer systems. To enforce high protection levels against malicious attacks, a number of software tools have been developed. In this project we started with the basic concepts of network security, beginning with secure device access: anyone who wants to access a network device must have a username and a password that is encrypted using an algorithm-type, and the same applies to remote access over SSH. We configured different privilege levels for different users, as well as views and superviews using Role-Based CLI. Next we created usernames and passwords for users, but this time on a AAA server, to authenticate, authorize and account for all access to our network devices. Next we secured the Layer 2 infrastructure: configuring port security, mitigating VLAN attacks, mitigating DHCP attacks and mitigating ARP spoofing. Next we implemented an Intrusion Detection System, which has recently become a heated research topic due to its capability of detecting and preventing attacks from malicious network users. Next we implemented a firewall, a hardware solution implemented within the network infrastructure to enforce an organization's security policies by restricting access to specific network resources. Next we implemented a site-to-site VPN to allow the connection between the headquarters and the branches with encrypted data, so that no one on the Internet can capture this data and make use of it to attack our private network. Last, we used a help desk server to allow our users to inform the network administrators of any bugs or vulnerabilities they may encounter.
Comm. & Computer Engineering Program
Table of Contents
Abstract
Table of Contents
CHAPTER 1: Introduction
CHAPTER 2: Installations, preparing environment
- Install Gns3
  Import CISCO Router 7200 & 3725
  Import CISCO Switch L2 & L3
  Import CISCO Firewall ASAs
- Install VMware Workstation & Configure Network Adapters
- Importing Gns3-VM & check connectivity
- Install Microsoft Windows 7 on VMware
  Import Win7-VM1 in Gns3
  Check Connectivity
- Install SecureCRT
CHAPTER 3: Securing Device Access
- Configure Enable Mode Password & Algorithm-Type & Min-Length
- Configure Remote Access using ( Line VTY )
- Permit Specific Network Through Quiet-Mode
- Enhancing the login process
- Steps For Configuring SSH
- Configuring Privilege Levels
- Configuring Role-Based CLI
CHAPTER 4: AAA
- Types of Authentication modes
  Local AAA Authentication
  Server-Based AAA Authentication
- Installing ACS on VMware Workstation
- Configure users on ACS Server
- Configure Cisco Router to use AAA Authentication (ACS)
CHAPTER 5: Securing Layer 2 Infrastructure
- Configure Port Security
- Mitigate VLAN Attacks
- Mitigate DHCP Attacks
- Mitigate ARP Spoofing
CHAPTER 6: Intrusion Prevention System
- Import and Install IPS Module To Cisco Router
- IPS configuration Using CLI
- IPS configuration Using CCP Software
CHAPTER 7: ASAv-Firewall
- Basic Configuration
  Configure ASA to work using Telnet ( SecureCRT )
  Configure the Host name and domain name
  Configure Banner motd
  Configure ip address for interfaces and Security Level
  Configure Time from NTP Server in the DMZ Zone
  Enable and Configure SSH from the inside Zone
  Configure DHCP Server For Inside Zone
- ACL & NAT Configuration
  Configure LoopBack ip on ISP
  Configure Static Route to LoopBack IP
  Create ACL using object Group
  Allow ICMP in Global Policy Map
  Configure Dynamic PAT from inside to outside
  Configure Static NAT for a Web-Server in DMZ
- ASDM Configuration
  Install ASDM on ASAv Firewall
  Configure Basic Configuration using Startup Wizard
  Create Access-list for Outside
  Create PAT for inside Zone
  Show all inspected Services and Protocols
CHAPTER 8: VPN Site-To-Site
- Setup the ISAKMP Policy ( IKE Phase 1 )
- Setup the IPSec Transform-set ( IKE Phase 2 )
- Define Interesting Traffic
- Setup Crypto-Map
- Assign Crypto-Map under Interface
- Verify
- Test Connectivity
- Apply NAT and Allow the VPN Connection Through it
- Configure VPN Site-To-Site on ASAv-Firewall using ASDM
CHAPTER 9: Help Desk
- Installing Help desk
- Web Help Desk
Chapter 1: Introduction
What Is Network Security?
Network security is any activity designed to protect the usability and integrity of your network and data.
- It includes both hardware and software technologies
- It targets a variety of threats
- It stops them from entering or spreading on your network
- Effective network security manages access to the network
How does network security work?
Network security combines multiple layers of defenses at the edge and in the network. Each
network security layer implements policies and controls. Authorized users gain access to
network resources, but malicious actors are blocked from carrying out exploits and threats.
How do I benefit from network security?
Digitization has transformed our world. How we live, work, play, and learn have all changed.
Every organization that wants to deliver the services that customers and employees demand
must protect its network. Network security also helps you protect proprietary information
from attack. Ultimately, it protects your reputation.
Types of network security:
Firewalls
Firewalls put up a barrier between your trusted internal network and untrusted outside
networks, such as the Internet. They use a set of defined rules to allow or block traffic. A
firewall can be hardware, software, or both. Cisco offers unified threat management (UTM)
devices and threat-focused firewalls.
Network segmentation
Software-defined segmentation puts network traffic into different classifications and
makes enforcing security policies easier. Ideally, the classifications are based on endpoint
identity, not mere IP addresses. You can assign access rights based on role, location, and
more so that the right level of access is given to the right people and suspicious devices are
contained and remediated.
Access control
Not every user should have access to your network. To keep out potential attackers,
you need to recognize each user and each device. Then you can enforce your security
policies. You can block noncompliant endpoint devices or give them only limited
access. This process is network access control (NAC).
Behavioral analytics
To detect abnormal network behavior, you must know what normal behavior looks
like. Behavioral analytics tools automatically discern activities that deviate from the
norm. Your security team can then better identify indicators of compromise that pose
a potential problem and quickly remediate threats.
Intrusion prevention systems
An intrusion prevention system (IPS) scans network traffic to actively block
attacks. Secure IPS appliances do this by correlating huge amounts of global threat
intelligence to not only block malicious activity but also track the progression of
suspect files and malware across the network to prevent the spread of outbreaks and
reinfection.
VPN
A virtual private network encrypts the connection from an endpoint to a network,
often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets
Layer to authenticate the communication between device and network.
Chapter 2: Installations
Installing Gns3
The first screen of the wizard shows a welcome message and a suggestion to close other applications before starting the installation of GNS3. It is only a suggestion, not a requirement. You can install GNS3 while other applications are running, but in that case you must restart the system before you can use it.
Click the Next button to start the installation.
The GNS3 installation package contains several additional tools and components. Depending on how you want to use GNS3, select the components that you need.
When GNS3 starts for the first time, it presents the Setup wizard. This wizard allows us to run GNS3 in different modes. We choose the first option.
GNS3 is ready now.
Importing Cisco Router 7200 & 3725
Importing Cisco Layer 2 & 3 Switch
Importing Cisco ASAs Firewall
Install VMware Workstation
Configure Network Adapters
Importing Gns3-VM
Configuring the Machine Settings
Power on the Machine & Check Connectivity
Install Microsoft Windows 7 on VMware
Import Win7-VM1 in Gns3
Check Connectivity
Install SecureCRT
Chapter 3: Securing Device Access
Configure Enable Mode Password & Algorithm-Type & Min-Length
Configure Remote Access ( Line Vty )
Permit Specific Network through quiet-mode
Enhancing the Login Process
Steps for Configuring SSH
Transfer the command "show running configuration interface f0/0" to Privilege Level 0
Configure Role-Based CLI
Create Parser View and include commands in it
Include Router-RIP Commands Only for this View
Create Another View
Create a Super-View and include in it the two previous views
Create New user and Assign it in the Super-View
Configure AAA Authentication for login using Local Database
Test Login
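The IOS commands below are an added example, not the configuration shown in the report's screenshots; they walk through every step of this chapter on one router. The hostname R1, the management subnet 192.168.1.0/24, the user names, the privilege level 5 used for the delegated show command, and every `<...>` secret are assumptions.

```cisco
! Strong secrets: minimum length for new passwords, scrypt-hashed enable and user secrets
security passwords min-length 10
enable algorithm-type scrypt secret <ENABLE-SECRET>
username admin privilege 15 algorithm-type scrypt secret <ADMIN-SECRET>
! Login hardening: after 3 failures within 60 s, block logins for 120 s (quiet mode),
! but keep accepting logins from the management subnet; log failures and successes
ip access-list standard MGMT-HOSTS
 permit 192.168.1.0 0.0.0.255
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login delay 2
login on-failure log
login on-success log
! SSH: hostname and domain name must exist before the RSA key is generated
hostname R1
ip domain-name lab.local
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! Remote access (line vty): SSH only, local authentication, idle timeout, source restriction
aaa new-model
aaa authentication login default local
line vty 0 4
 transport input ssh
 exec-timeout 5 0
 access-class MGMT-HOSTS in
! Privilege levels: a level-5 operator may run "show running-config interface" (assumed level)
username noc5 privilege 5 algorithm-type scrypt secret <NOC5-SECRET>
privilege exec level 5 show running-config interface
! Role-Based CLI: views need aaa new-model and an enable secret, and are created from "enable view"
parser view RIP-VIEW
 secret <RIP-VIEW-SECRET>
 commands exec include configure terminal
 commands configure include router rip
 commands exec include show ip route
parser view INTF-VIEW
 secret <INTF-VIEW-SECRET>
 commands exec include show ip interface brief
! Superview bundling both views; a user bound to it gets the union of their commands
parser view NETOPS superview
 secret <NETOPS-VIEW-SECRET>
 view RIP-VIEW
 view INTF-VIEW
username netops view NETOPS secret <NETOPS-SECRET>
! Test login: ssh -l netops <router>, then "show parser view" should report NETOPS
```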
Chapter 4: AAA (Authentication, Authorization, Accounting)
Local AAA Authentication
Configure AAA for SSH on ASAv
Configure AAA for Login on Cisco Router
Create New Method in AAA with name "vty-auth" & apply it under vty login
Configure Max-Fail
Server-Based AAA Authentication
Install ACS on VMware
Configure tacacs server on Cisco Router
Add New Groups and Users on ACS Server
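An added example of the router side of this chapter (the ACS groups and users themselves are created in the ACS GUI): the local fallback user, the TACACS+ server definition, the "vty-auth" method list, and max-fail. This is not the report's own configuration; the ACS address 192.168.1.50, the shared key, and the user name are assumptions.

```cisco
! Local account kept as a fallback for when the ACS (TACACS+) server is unreachable
username admin privilege 15 algorithm-type scrypt secret <ADMIN-SECRET>
aaa new-model
! TACACS+ server = the ACS VM; address and shared key are assumptions
tacacs server ACS1
 address ipv4 192.168.1.50
 key <TACACS-SHARED-KEY>
aaa group server tacacs+ ACS-GROUP
 server name ACS1
! Default list: ask ACS first; the local database is used only if ACS does not answer,
! not when ACS rejects the credentials
aaa authentication login default group ACS-GROUP local
! Dedicated method list "vty-auth" for remote logins
aaa authentication login vty-auth group ACS-GROUP local
! Authorization and accounting: ACS decides the exec shell; every exec session and
! every level-15 command is recorded (the "accounting" part of AAA)
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
! Max-fail: lock a local account after 3 consecutive failures
! (unlock with "clear aaa local user lockout username admin")
aaa local authentication attempts max-fail 3
line vty 0 4
 login authentication vty-auth
 transport input ssh
! Verify the server is reachable before relying on it:
! test aaa group ACS-GROUP admin <password> legacy ; show tacacs
```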
Chapter 5: Secure Layer 2 Infrastructure
Configure port security
Mitigate VLAN Attacks
Shutdown all Unused Ports
Configure Port Fast & BPDU-Guard on Access ports
Mitigate DHCP Spoofing
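An added switch configuration, not taken from the report, that covers the steps of this chapter on one access switch and also the ARP-spoofing mitigation (Dynamic ARP Inspection) listed in the table of contents. The port numbers, VLANs 10/20, the black-hole VLAN 999, and the uplink GigabitEthernet0/1 are assumptions; the `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL and is omitted elsewhere.

```cisco
! Port security on user-facing access ports: at most 2 MACs, learned sticky,
! port err-disabled on a violation; PortFast + BPDU Guard so a rogue switch
! plugged into an access port cannot take part in spanning tree
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
! Bring violated ports back automatically after 5 minutes instead of a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! VLAN hopping: no DTP negotiation, explicit trunk, unused native VLAN, pruned allowed list
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
! Unused ports: parked in a black-hole VLAN and shut down
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
! DHCP spoofing: snooping trusts only the uplink; untrusted ports are rate-limited
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface range FastEthernet0/1 - 20
 ip dhcp snooping limit rate 10
! ARP spoofing: Dynamic ARP Inspection checks ARP packets against the snooping bindings
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
interface GigabitEthernet0/1
 ip arp inspection trust
! Verify: show port-security interface f0/1 ; show ip dhcp snooping binding ;
! show ip arp inspection vlan 10 ; show interfaces status err-disabled
```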
Chapter 6: Intrusion Prevention System
Import and Install IPS on cisco router
Check pubkey-chain
Configure IPS using CLI
To clear all alerts from IPS
Configure IPS using CCP (GUI)
Connect to IPS
Event Action
Target Value Rating
Signatures
Allow ICMP Signature on IPS
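The CLI equivalent of this chapter, added here as an example rather than copied from the report: public key, signature storage, SDEE/syslog notification (what CCP reads), the signature categories, enabling the ICMP Echo Request signature with an alert-only event action, and applying the IPS to an interface. The IPS name IOSIPS, the interface, and the signature package file name are assumptions; the public-key string is a placeholder for the key Cisco ships with the IOS IPS package.

```cisco
! Cisco public key used to verify the signature package (contents of realm-cisco.pub.key.txt)
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <PASTE-REALM-CISCO-PUBLIC-KEY-HERE>
  quit
! Where compiled signatures are kept on flash and how many retries are made when loading
ip ips config location flash:ips retries 1
ip ips name IOSIPS
! Alerts go to syslog and to SDEE (CCP polls SDEE over HTTPS)
ip ips notify log
ip ips notify sdee
ip sdee events 200
ip http secure-server
! Retire every signature first, then un-retire the basic category (fits router memory)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
! Tune one signature: 2004/0 (ICMP Echo Request) is retired by default; un-retire and
! enable it so pings are reported, and keep the action alert-only (deny-packet-inline
! would also drop the ping)
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  engine
   event-action produce-alert
! Apply to the interface facing the untrusted network
interface GigabitEthernet0/0
 ip ips IOSIPS in
! Load the package (file name is a placeholder), verify, and clear counters/alerts:
! copy flash:IOS-Sxxx-CLI.pkg idconf
! show ip ips configuration ; show ip ips signatures count ; show ip ips statistics
! clear ip ips statistics
```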
Chapter 7: ASAv-Firewall
Basic Configuration
Configure ASA to work using Telnet ( SecureCRT )
Configure Banner-Motd & Enable Mode Password
Configure IP address for interfaces and security level
Configure Time From NTP Server in the DMZ Zone
Enable And Configure SSH from the Inside Zone
Configure DHCP Server For Inside Zone
ACL & NAT Configuration
Configure LoopBack IP on ISP
Configure Static Route To The Loopback IP Addresses
Create Access-Control-List Using Object Group
Allow ICMP in Global Policy Map
Configure Dynamic PAT From Inside To Outside
Configure Static NAT For a Web-Server in DMZ
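An added ASA (8.3+ syntax) configuration, not the report's own, covering the basic and ACL/NAT steps of this chapter in one place, including the chapter 4 step "Configure AAA for SSH on ASAv". Interface names, the 203.0.113.0/29 outside block, the inside and DMZ subnets, the NTP/DNS server 172.16.10.5, the web server 172.16.10.10, and the `<...>` passwords are assumptions; a default route toward the ISP stands in for the report's static routes to the ISP loopbacks.

```cisco
! Identity and banner
hostname ASAv
domain-name lab.local
enable password <ENABLE-PASSWORD>
banner motd Authorized access only. All sessions are logged.
! Interfaces: security level decides the default direction of allowed traffic (high -> low)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
 no shutdown
! Time from an NTP server in the DMZ
ntp server 172.16.10.5 source dmz
! SSH from the inside zone only, authenticated against the local user database
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
username admin password <ADMIN-PASSWORD> privilege 15
aaa authentication ssh console LOCAL
! DHCP server for the inside zone
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 172.16.10.5
dhcpd enable inside
! Route toward the ISP (the report uses ISP loopbacks to stand in for the Internet)
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Dynamic PAT: every inside host leaves with the outside interface address
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Static NAT for the DMZ web server; the ACL references the real (object) address
! and the service object-group exposes only 80/443
object network DMZ-WEB
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.3
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside
! ICMP inspection so replies to pings from inside are allowed back in statefully
policy-map global_policy
 class inspection_default
  inspect icmp
! Verify: show nameif ; show nat ; show access-list OUTSIDE-IN ;
! packet-tracer input outside tcp 198.51.100.7 1025 203.0.113.3 80
```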
ASDM Configuration
Install ASDM on ASAv-Firewall
Configure Basic Configuration using Startup-Wizard
Create Access-List For Outside zone Ping Inside Zone
Create PAT for Inside Zone
Chapter 8: VPN Site-To-Site
Step 1: Setup the ISAKMP Policy ( IKE Phase 1 )
Step 2: Setup the IPSec Transform-Set ( IKE Phase 2 )
Step 3: Define Interesting Traffic
Step 4: Setup Crypto-Map
Step 5: Assign the Crypto-Map Under Interface
Verify
Test Connectivity
Apply NAT and Allow the VPN Connection through it
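The HQ-router side of steps 1 to 5 plus the NAT exemption, as an added IOS example that is not the report's configuration; the branch router needs the mirror image (its own LAN as source, 203.0.113.2 as peer). The outside address 203.0.113.2, the peer 203.0.113.10, the LANs 192.168.1.0/24 and 10.10.0.0/24, the policy and map names, and the pre-shared key placeholder are assumptions.

```cisco
! Step 1: ISAKMP policy (IKE phase 1): AES-256, SHA-256, pre-shared key, DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
! Step 2: IPsec transform set (IKE phase 2): ESP with AES-256 and SHA-256 HMAC
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! Step 3: interesting traffic: only HQ LAN <-> branch LAN is encrypted
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
! Step 4: crypto map tying peer, transform set and interesting traffic together (PFS on)
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
! Step 5: assign the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 crypto map VPN-MAP
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! NAT with the VPN allowed through it: exempt VPN traffic from PAT, PAT the rest.
! Without the deny line, packets to the branch would be translated first and never
! match VPN-TRAFFIC, so the tunnel would never come up.
ip access-list extended NAT-ACL
 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
! Verify / test connectivity (phase 1 SA should show QM_IDLE, phase 2 counters should grow):
! ping 10.10.0.1 source 192.168.1.1
! show crypto isakmp sa ; show crypto ipsec sa ; show crypto map
```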
Configure VPN Site-To-Site on ASAv-Firewall using ASDM
CHAPTER 9: Help Desk
Installing Web Help Desk
Web Help Desk is a tool that organizes customer communication to help businesses respond to customers more quickly and effectively. Using Web Help Desk allows your support team to offer the best possible experience to your customers.
https://127.0.0.1:8443/helpdesk/WebObjects/Helpdesk.woa/wo/9.0