10/02/2025, 15:23 Assignment | Eduvos

Assignment

Site: Eduvos LMS Printed by: Norette Joubert

Course: Network Security Assessments Date: Monday, 10 February 2025, 3:22 PM
Book: Assignment

Table of contents
1. Assignment
2. AI Checklist and Declaration
3. Instructions to Students
4. Section A
4.1. Question 1
4.2. Question 2
4.3. Question 3
4.4. Question 4

1. Assignment

Faculty: Information Technology

Module Code: ITNSA2-11

Module Name: Network Security Block A

Content Writer: Mr T Mphahlele

Internal Moderation: Community of Practice

Copy Editor: Keens, Kyle

Total Marks: 100

Submission Week: Week 6

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 1/9
10/02/2025, 15:23 Assignment | Eduvos
This module is presented on NQF level 6.

5% will be deducted from the student’s assignment mark for each calendar day the assignment is
submitted late, up to a maximum of three calendar days. The penalty will be based on the official
campus submission date.

Assignments submitted later than three calendar days after the deadline or not submitted will get
0%. [1]

This assignment contributes 40% towards the final mark.

[1] Under no circumstances will assignments be accepted for marking after the assignments of other students have been marked
and returned to the students.

2. AI Checklist and Declaration

Before you submit an assignment, you should be able to confidently and honestly make all the below statements. For group
work, you can also review the list, together, to hold one another accountable.

I confirm that my submission reflects my personal learning, knowledge, skills, and understanding.

If AI tools were employed for generating any part of this assignment (even in the drafting/research phase), I have
referenced the use of AI in the text and/or declared the use of AI. I am willing to discuss the process and its
contribution to my learning.

I am aware that the lecturer may request a demonstration of my learning, such as explaining choices in approach,
research, and the content I am submitting.

I am aware that, if I did use AI in any phase of preparing this submitted work, it is recommended that I save a copy of
the relevant chat history (prompts and answers), as this will help me demonstrate my writing/work process to my
lecturer, if I am asked to do so.

I have read the assignment instructions on whether AI tools are prohibited for this assignment, and if they are
prohibited, I can confirm that I did not use AI tools.

I understand that failure to agree to these terms may be deemed unethical, potentially leading to disciplinary action. I
understand my responsibility for the integrity of my work, including seeking clarification from academic staff and
adhering to instructions.

It is essential to acknowledge your use of ChatGPT or other generative AI in your learning. If you use ChatGPT or other
generative AI to help you generate ideas or plan your process, you should still acknowledge how you used the tool, even if
you don’t include any AI-generated content in the assignment.

Please note: The following guiding questions that you will be asked in an AI declaration questionnaire below this
assignment brief.

AI Declaration
It is compulsory to complete this AI declaration for each of your assignment submissions.

I carefully read the assignment instructions, and the extent to which AI may be used for the assignment.

I used the following AI system(s)/tool(s):

I used it for the following:

If I quoted or paraphrased an AI output, I have referenced the relevant tool, version, and the date I used the tool.

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 2/9
10/02/2025, 15:23 Assignment | Eduvos

I still consider this work my own. (i.e., I have not outsourced the final product, or significant portions of it, to AI
tools/systems).

If required, I can defend my argument/perspective, explain my choices and approach, and can show that I am
knowledgeable about the details of my work.

For further guidance on the use of AI at Eduvos, please refer to the AI FAQ glossary. You will locate the FAQs in the Artificial
Intelligence tile on the myDocuments page of myLMS.

3. Instructions to Students

1. Please ensure that your answer file (where applicable) is named as follows before submission: Module Code –
Assessment Type – Campus Name – Student Number.
2. Remember to keep a copy of all submitted assignments.
3. All work must be typed.
4. Please note that you will be evaluated on your writing skills in all your assignments.
5. All work must be submitted through Turnitin. The full originality report will be automatically generated and available
for the lecturer to assess. Negative marking will be applied if you are found guilty of plagiarism, poor writing skills, or if
you have applied incorrect or insufficient referencing. (See the "instructions to students" book activity before this
activity where the application of negative marking is explained.)
6. You are not allowed to offer your work for sale or to purchase the work of other students. This includes the use of
professional assignment writers and websites, such as Essay Box. You are also not allowed to make use of artificial
intelligence tools, such as ChatGPT, to create content and submit it as your own work. If this should happen, Eduvos
reserves the right not to accept future submissions from you.
7. Please submit both the Project Documentation and the packet Tracer file.

4. Section A

Section A

Learning Objective

Demonstrate an understanding of network security fundamentals and how they are applicable in
real-life scenarios.

Assignment Topic

Network Security fundamentals and tools.

Scope

Week 1 - 6

Technical Aspects

The practical is to be completed in Cisco Packet Tracer

Marking Criteria

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 3/9
10/02/2025, 15:23 Assignment | Eduvos
Verify all configurations done in Cisco Packet Tracer

4.1. Question 1

Question 1 30 Marks

Study the scenario and complete the question(s) that follow(s):

BusyBugs Breach

"BusyBugs" is a small but growing software development company based in Durban, South Africa,
specialising in custom application development and software solutions. To support its remote
development team and ensure smooth operation, BusyBugs has implemented a segmented
network infrastructure to manage traffic and enhance security.

Despite these measures, the company has made several configuration choices for convenience
that have inadvertently created vulnerabilities. For example, BusyBugs has an FTP service exposed
to the internet running on a server in the Management Subnet (10.10.4.25). To simplify file-sharing
for its globally dispersed team, anonymous access is enabled, allowing unrestricted login without
authentication.

The network architecture includes the following key subnets:

Development Subnet (10.10.1.0/24): Used by developers for coding and testing.

Production Subnet (10.10.2.0/24): Hosts the production servers where customer applications
are deployed.
Database Subnet (10.10.3.0/24): Contains database servers holding sensitive customer data.
Management Subnet (10.10.4.0/24): Used by the IT team for network management and
administration.
Guest Subnet (192.168.1.0/24): Provides internet access to guests without access to internal
resources.

Routing Protocols:

Internal Routing: OSPF (Open Shortest Path First) is used within the network to support
scalability and efficient routing.
External Routing: BGP (Border Gateway Protocol) connects BusyBugs' network to its ISP.

DHCP Configuration:

Development Subnet: DHCP range 10.10.1.100 - 10.10.1.200.

Production Subnet: Static IP addresses for all production servers.
Database Subnet: Static IP addresses for all database servers.
Management Subnet: DHCP range 10.10.4.50 - 10.10.4.100.
Guest Subnet: DHCP range 192.168.1.100 - 192.168.1.200.

The breach was discovered after customers reported unauthorised changes to their accounts
and unusual login attempts. An internal investigation revealed that attackers exploited the
anonymous FTP server to gain a foothold in the network, from which they accessed the Database
Subnet. Further analysis found gaps in the company's defence-in-depth strategy, highlighting
misconfigurations in routing protocols and insufficient monitoring.

Source: Mphahlele, TK (2025)

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 4/9
10/02/2025, 15:23 Assignment | Eduvos
1.1 Analyse how the lack of secure authentication on the FTP server and improper segmentation
of the subnets contributed to lateral movement within BusyBugs’ network. Propose a detailed plan
to prevent lateral movement in the future, including the implementation of access control
measures, network segmentation best practices, and monitoring solutions.

(20 marks)

1.2 Detail how BusyBugs could implement a comprehensive monitoring and incident response
strategy that addresses their current weaknesses. Consider how logs should be collected and
analysed to detect suspicious behaviour, how an IDS/IPS could be deployed to monitor traffic and
block malicious activity in real-time, and how a well-defined alerting and incident response process
would help prevent future lateral movement and data exfiltration.

(10 Marks)

End of Question 1

4.2. Question 2

Question 2 20 Marks

Study the scenario and complete the question(s) that follow(s):

You have been hired as a network security consultant for "SafeNet Financial Services," a medium-
sized company specialising in financial solutions for small and medium businesses. SafeNet
processes highly sensitive data, including customer financial records, transaction details, and
personal identifying information. The company is undergoing rapid growth, expanding its
workforce and client base, and is concerned about potential vulnerabilities in its network
infrastructure.

SafeNet’s current network setup includes:

A corporate headquarters LAN with departments such as Accounting, IT, and Customer
Support.
Three remote branch offices connected via VPN.
Perimeter firewalls at each location to control external access.
Hybrid infrastructure: a combination of on-premise servers for critical operations and cloud-
based platforms for scalability.
Remote access provided to employees through VPN and Remote Desktop Protocol (RDP), with
increased usage due to hybrid work policies.
A single-layer segmentation model, where all devices within the corporate LAN are on the
same subnet, and branch offices are connected directly to the corporate network.

The company has observed an increase in brute-force attacks on their RDP service and is
concerned about the security of data transmitted over the network, as well as the overall visibility
into their network traffic.

Source: Mphahlele, TK (2025)

2.1 As the network security consultant, recommend best practices for strengthening SafeNet's
network security management. In your response, address firewall policies, VPN security, network
segmentation, and access control, tailoring your recommendations to SafeNet’s specific

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 5/9
10/02/2025, 15:23 Assignment | Eduvos
infrastructure and security concerns.

(8 marks)

2.2 Evaluate how firewalls and VPNs can be configured to balance security and performance.
Provide specific recommendations, including encryption protocols, firewall settings, and measures
to protect against brute-force attacks on RDP, ensuring that data transmission remains secure and
the network performs efficiently.

(7 marks)

2.3 Explain the role of traffic monitoring and logging in improving SafeNet’s security. How would
implementing IDS/IPS enhance threat detection and prevent breaches? Suggest a monitoring
strategy suitable for SafeNet’s hybrid infrastructure.

(5 marks)

End of Question 2

4.3. Question 3

Question 3 20 Marks

Study the scenario and complete the question(s) that follow(s):

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 6/9
10/02/2025, 15:23 Assignment | Eduvos

You have been hired as a network engineer by "Karoo Manufacturing," a company based in the
Karoo, South Africa. The company is expanding its operations and requires a secure, scalable, and
efficient network infrastructure to support its growing workforce and production capabilities.

The company's current and planned network requirements include:

1. Subnetting:
Karoo Manufacturing has been assigned the IP range 10.20.0.0/24 and needs to create four
subnets to support the following departments:
Administration: Requires at least 40 devices.
Sales: Requires at least 30 devices.
Production: Requires at least 50 devices.
HR: Requires at least 25 devices.
2. Firewall Deployment:
The company uses a Cisco ASA Firewall to secure its network. The network is segmented into
three main zones:
Internal Network: Supports all office operations, primarily routed through the subnets
above.
DMZ (Demilitarised Zone): Hosts critical customer-facing services, including a web server
at 10.20.10.10 and an email server at 10.20.10.20.
External Network: Connects to the public internet.
3. Security Policies:
The web server in the DMZ must only allow HTTP (port 80) and HTTPS (port 443) traffic
from external clients.
The email server must allow SMTP traffic (port 25) for outgoing mail and POP3 (port 110)
for incoming mail.
Access to internal resources from the DMZ or external networks is strictly prohibited.
4. Routing and Connectivity:
The internal network must support communication between departments while being
isolated from the DMZ and external networks.
Remote workers need secure access to the internal network via a VPN configured on the
Cisco ASA Firewall.
5. Network Monitoring:
The company aims to implement logging and intrusion detection/prevention systems (IDS/IPS)
to monitor traffic and enhance security.

Source Mphahlele, T (2025)

Based on the scenario, implement a solution for Karoo Manufacturing that meets the following
requirements.

3.1 Subdivide 10.20.0.0/24 into four subnets for Administration, Sales, Production, and HR, ensuring
each subnet meets the device requirements. Assign IP addresses to the devices and Packet Tracer
routers/switches accordingly.

(8 Marks)

3.2 Firewall:

(12 Marks)

· Configure three zones: Internal, DMZ, and External.

· Place the web server (10.20.10.10) and email server (10.20.10.20) in the DMZ.

· Create ACLs and NAT rules so that:

o Only HTTP (80) and HTTPS (443) are allowed to the web server from the external network.

o SMTP (25) and POP3 (110) are allowed to the email server from the external network.

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 7/9
10/02/2025, 15:23 Assignment | Eduvos
o Direct access from the DMZ or external network to internal subnets is blocked.

End of Question 3

4.4. Question 4

Question 4 30 Marks

Study the scenario and complete the question(s) that follow(s):

You are working as a network engineer for "Harrismith Manufacturing Solutions," a company with two key
facilities: one in Harrismith and the other in Bloemfontein. The company requires secure communication
between these facilities to enable ERP system access, VoIP services, and collaborative document sharing.

Facility Details:

Harrismith Facility:
Network: 172.16.10.0/24
Router IP: 172.16.10.1
Bloemfontein Facility:
Network: 192.168.50.0/24
Router IP: 192.168.50.1

The facilities are connected via the public internet, and you need to establish a site-to-site IPsec
VPN to secure all inter-facility traffic. The VPN must ensure encrypted communication and adhere
to the following requirements:

1. Only the 172.16.10.0/24 network from the Harrismith facility and the 192.168.50.0/24 network
from the Bloemfontein facility are permitted to communicate over the VPN.
2. Non-VPN traffic (e.g., general internet browsing) from both facilities must flow directly to the
internet, bypassing the VPN.

Additionally, ensure proper monitoring and troubleshooting mechanisms are implemented to

verify and maintain the VPN connection.

Source: Mphahlele, TK (2025

4.1 Using Cisco Packet Tracer, create a basic topology representing the Harrismith and
Bloemfontein facilities. Set up a site-to-site IPsec VPN between the two routers.

(7 Marks)

4.2 Provide the exact commands and configurations you used in Cisco Packet Tracer to implement
the IPsec VPN.

(16 Marks)

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 8/9
10/02/2025, 15:23 Assignment | Eduvos
Access Lists for controlling which traffic is encrypted (only 172.16.10.0/24 to 192.168.50.0/24
should traverse the VPN).
IKE Phase 1 Settings (e.g., pre-shared keys, encryption methods, hashing algorithms).
IPsec Phase 2 Settings (e.g., transform sets, lifetime, and security associations).

4.3 Outline the verification steps you performed in Cisco Packet Tracer to confirm that the VPN is
functioning correctly.

(5 Marks)

End of Question 4

https://mylms.vossie.net/mod/book/tool/print/index.php?id=910550 9/9