# Network diagram
This seems a little odd. A switch that just goes to another switch?
Also internet -> router -> firewall -> router. Why two routers?
I thought of it as a core switch and an edge switch, or am I wrong?
Forgot to change that, my bad
It's not really serving a purpose? It might as well just be a cable
A switch with two connections is basically just a straight path through
There's no "switching" as traffic can only take one route?
I understand
Hypothetically, if there were 10 flats, would we still use just one switch?
You could
It becomes a convenience thing at that point. If each flat is a different physical location then it might make sense to have a switch at each location. Then you just need to run a single cable between locations rather than one per room
Oh ok, makes sense, thanks. One last question: what would be a main security flaw in this network?
Hmmm
Is it going to use VLANs?
Without knowing the configuration a pretty big security flaw would be that by default somebody in student halls would be able to print to the library printer
As an example
If you're using VLANs that problem goes away, since stuff is on separate networks and you can segregate the traffic. So if that problem goes away I'm not sure what the biggest flaw would be
I'm just a nooby but if it's configured properly it looks fine
ok thanks
Time to find someone who can hack this network, I guess
You might want to add the VLANs to the diagram so it's clear that there are separate networks
will do cheers
What kinda testing do you need?
Good question, I have no idea. I'm supposed to find a security, dependability and performance issue with my network
Slap any wifi networks with deauth attacks and see if you can walk your way through the network to gain access through firewalls
For security the only thing I can come up with is that if someone has admin access to the terminal he can delete everything, but that seems kind of silly
fair
Privilege Escalations are possible attack vectors as well
Yeah, but it seems too simple in my opinion
Never too simple if it can be used to gain full access to the systems
Gotta think the way anyone attacking the network would think
They'll use anything to gain access
So priv escalations definitely aren't "too simple"
good point
It's a tool amongst other tools
As are reverse shells and other payloads
Also, might want to figure out an "oh shit" plan
If at any point the network does get attacked and someone gets in, what are you gonna do?
You're losing me with these fancy words haha
Reverse shell = Networked "hidden" admin cmd/shell
Not sure. Enjoy a cup of tea and some digestives, surely
You got data storages hooked up
You want to disconnect those into cold storages immediately
And add in a proper SIEM system
But how would someone know when to disconnect the data storages?
That's why you want a SIEM system
You see anything potentially malicious, you lock down the entire network and start figuring out what's going on and how to fix it
And who is doing it, and what
I'll look into it. Is it representable on a diagram?
SIEM?
Yeah
Security Information and Event Management
It's a tool
Cisco has Stealthwatch and SecureX
Then there's Splunk, QRadar, ArcSight, LogRhythm and AlienVault
ok cheers
For home computers, there's GlassWire
And for security, the NIST Incident Response Plan is a good start
That's exactly what I was looking for, thanks
Here's a full standard for security incident handling:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
Keep in mind NIST is just one possible response plan set
And it's to be used as a tool to build upon, depending on what your specific network requires
NIST was the one I was looking for, so it's perfect
Ask yourself a few questions:
How can I detect if there's something going on?
What can I do when a detection happens?
Is there something I can do to prevent intrusions?
What would be the first place that someone might try to attack?
What do I do after the incident is already controlled?
You're welcome
Basically what you're trying to do is build a system that you can use to report, handle, and control intrusions, and let the higher-up people know what's going on
Basically reassure shareholders that everything is going to be okay
Essentially create a standard for that specific network: what might happen, what the risks are, how to minimize the risks, and how to handle said risks if they do happen
Mm, I'd wager that's not enough
Figure out a system that you can use to report incidents aka what happened, from where, and by what/who, and a plan on how to deal with those things
Transparency is the key here
A monthly review of the network, for example
Is everything up to date, what has been the last thing to be changed, are there any intrusions, and if yes, what are the intrusions, how they occurred, when they occurred, was any data stolen/taken, what happened during the intrusion, and how it was handled + controlled so it won't happen again
- instant reports during an intrusion
(also, the diagram, I would wire up each block of the flats to a separate connection on the switch leading up to them)
I'll probs deal with all that later and do it for my own sake. I'm not asked to go into so much detail in this assignment, so I'll probs be fine. Now I just have to deal with medium access control, TCP flows, addressing, forwarding and routing.
to show two different wires?
Yeah
hmmm why?
```text
Switch -> Flat 1 switch -> multiple separate connections from switch to each apartment
            |
            v
          Flat 2 switch -> multiple separate connections from switch to each apartment
```
Connection monitoring for intrusions
Having all of the connections coming from one single wire to the switch is redundant, and also makes it harder to lock down things physically if an intrusion happens
Having the flats on separate ports for the main flat switch makes it way easier to lock down offending connections on a more granular level
You can just physically turn off the entire connection to the flat switch, and instantly know which switch the traffic is coming from
Good point, didn't think about that
Starting to think that you know too much for a normal human haha
Cause this doesn't make sense:
```text
Main Switch -> Flat 1 Switch -> Flat 2 Switch
     |              |               |
     v              v               v
```
This on the other hand does:
```text
      ^
      |
Main Switch -> Flat 1 Switch -> Flat 1 Apartments
      |
      v
Flat 2 Switch
      |
      v
Flat 2 Apartments
```
I was thinking like this
But you can just wire those two switches directly into the router as there's more than enough ports available on that router
And omit the single switch entirely
Apparently there wasn't a use for the secondary switches, so I just removed them
There is a use for them
If you place one switch inside each flat, and route apartment connections as singles to ports on the switch
And, about this: I am a certified cybersecurity consultant and IoT cybersecurity specialist, heh
Hmm, I guess Kintec was wrong
makes sense haha
Kintec wasn't wrong on that there's redundant switches in the network
I'm an idiot
I just realised what he suggested is what I meant to do
I feel big dumb dumb
Basically Kintec suggested this
Remove the "main flat switch" cause it's useless
And route the 2 other switches into the router
Makes total sense now. Was having a silly brain moment
Same thing for library
Have one switch for user endpoints, and another for reception/staff endpoints, and wire those as separate connections into the router
Was going to do that, cheers
Also, I would consider upgrading the staff switches into firewall switches
Don't need staff computers to print things into the user endpoint printers, right?
And vice versa
Firewall switches?
Yeah, to prevent connections from user endpoints to staff endpoints
already dealt with that 👌
Don't want users seeing or having any way to access staff endpoints, yeah?
Isolation is a good thing
If it's used wisely
And, I'm assuming the access point in library is a public, open one?
If yes, then that should be connected to the user switch
give me a sec to try and understand x)
Basically, when you're doing connections to endpoints (computers, printers, access points, etc, anything people can use basically), you want to figure out how to group those, and separate them by user endpoints and staff endpoints, and have a switch for each group
Or a hub, depending on what you need to do
And for the apartments, have one switch for each flat, so 1 switch for flat 1, 1 for flat 2 etc
Okay yeah, makes total sense when you think about it. However, if this was a real-world situation, wouldn't it cost a lot to have that many switches?
Cheaper to have good network that's easy to maintain, and simple for anyone in the future to learn, than to have less security and potentially more harm through incidents
fair point
- you had way more switches already, you can do all of this with fewer switches than in your first diagram
Here for example, omit the first switch, and wire the entire building into one main building switch
True. Also, that router then firewall then router is useless, right? Only used it because I saw it somewhere
Think about it for a second
Internet -> Firewall -> Router -> Endpoints
Does that make sense?
from what i understand yes
(Router is an attack vector)
You want the router covered by firewall as well
Well, for intrusions inside the system
You want firewalls leading both ways, basically
There's a lot to consider when handling full networks
And you already have an open router facing the internet
So intrusions from outside the network are possible
And it's easier to pop things once you have gained some form of access to the network already
Guess I'll add another firewall then
But, if it's an assignment
What were the parameters for the assignment?
Was it to consider the network as essentially its own thing, without considering attacks from outside the network as possibilities?
You're basically building corporate-level full-system cybersecurity with all possible angles considered and dealt with, with reporting, here
Think: Fortune 500 level company
Hahah, but consider this: Schools deal with sensitive user information such as social security numbers and other important details
But, then again, what I'm describing would be a job that'd be at around +4000€ a month if it'd be paid work
48000€ salary is not bad
And it is biased towards full security on both sides, inside and outside, and all angles
all angles?
Prevent all possible scenarios and intrusion attempts from inside the network, and outside, and have a system to easily detect/stop/report/fix said intrusions if/when they happen
Basically walk the diagram "both ways" to prevent access from Internet into the network, and from the network to the servers
Remember you're also securing the networks for basically any student in the flats as well
So they don't do dumb things or get their endpoints taken over by anyone else in the network
And even if they download any viruses, the network would detect and stop those before they get any chance of infecting anything or having access to anything
Technically what I'm describing would entirely disconnect any endpoint from any network as soon as an infection/malicious traffic is detected from any endpoint
Can't imagine how hard it must be doing this for a big company
too many scenarios to think about
Redteaming experience helps, hahah
Plus new exploits being found all the time, so you have to take that into account
must be the best part of the job
NIST NVD and MITRE CVE are in heavy use, along with AlienVault among other things
There were new pulses from APT-group-handled viruses lately
pulses?
Detections of virus activities and C2s
Latest pulses:
MirrorFace unmasking
Royal Ransomware analysis
GoTrim botnet activity in bruteforcing WordPress sites
APT5: Citrix ADC hunt guide
Mallox Ransomware having increased activity
Linux mining attacks enhanced by CHAOS RAT
FortiOS heap buffer overflow in sslvpnd
New DeathStalker variant Janicab targets legal entities
Drokbk malware GitHub unmasked as a Dead Drop Resolver
RedGoBot detection for the first time
There's a lot
These are from the last day, lol
too many that I've never heard about
I do realise that I'm reviving this post 7 hours later, but this network would be considered a Campus Area Network, right? Sorry, just having doubts