COIT20265 Networks and Information Security Capstone Project Case Study Tivoli Central University (TCU)
Tivoli Central University (TCU) is a public higher education institution founded in Northampton in late 1960. By 1970, it was the first Institute in Tivoli to launch distance education programs. During the 1980s, the university expanded its operations to other regional areas outside Northampton including Carlsberg, Radcliff, Bluestone and Quay West. Likewise, TCU also expanded its presence throughout Tivoli with campuses in metropolitan areas including Armadale, Bass Strait, Coors, St Marie, and Golden Goose. At present TCU provides diverse range of trade qualifications, undergraduate and postgraduate programs as well as short professional or occupational courses. More than 30,000 students are currently studying various levels of programs at TCU as on-campus students. Additionally, more than 10,000 students are currently studying at TCU under the online and distance education programs.
TCU has three major facilities to support its information technology services: Headquarters, Operations (Data Centre) and Backup. The Headquarters facility is located in the Northampton main campus. The Operations facility is located 50Kms from the Headquarters in a warehouse near an industrial area in the outskirts of Northampton. The Operations facility houses the back-office technical functions, the data centre and IT staff. The Backup facility is located in the country area of Tivoli about 1000km from the headquarters. TCU uses the Backup as a warm-site facility that can be operational within minutes in the event the Operations facility fails.
Apart from the main campus in Northampton, all regional and metropolitan campuses are very similar in terms of size, staff, and technologies. Their IT infrastructure is spread around Tivoli in buildings and use relatively old and complex technologies. TCU still uses SNA (Systems Network Architecture) protocols to enable campus communication to the mainframe computer located at Operations. Currently, File servers still require IPX/SPX communication and some campuses (not all) use TCP/IP to connect to the Internet.
Additionally, each campus is connected to the Operations through an old Multiservice Platform Router for flexible LAN and WAN configurations, easy upgrades, and the handling of various protocols at the internet and transport layers. The router enables the campus to communicate with different TCU campuses located in different sites.
To support the day-to-day learning and teaching activities of students, academics and administrative staff TCU also deals with a dozen (12) of external partners including hospitals and research centres in many different ways.
Figure 1 outlines the complex WAN infrastructure TCU currently uses to support its operations.A mesh of three T3 leased lines connects the Headquarters, Operations (Data Centre) and Backup sites. These lines operate at 44.7 Mbps, providing redundancy between the major facilities.
Each campus building connects to the major facilities via a Frame Relay network: one 56kbps PVC2 leading to the Operations and 56 kbps PVC3 leading to the Backup facility, most of the time. There are ISDN backup lines in case of Frame Relay failure (Note that PCV1 represents two aggregate PVCs of 56 kbps each. PVC2 and PVC3 are both 56kbps). By the same token, the 12 educational partners are connected to TCU via a frame relay network of 56kbps. As shown in the diagram, TCU uses two separate ISPs for Internet connection via T1 leased lines.
Each TCU regional and metro campus is supported by 10Base-T Ethernet LANs, and TCU is expecting to upgrade to more modern Ethernets soon. Each of these campuses has an average of (a) 200 employees including academic, administrative and management staff and (2) about 2,000 oncampus students. The main campus at Northampton houses around 2,000 academic, administrative and management staff. Nearly 10,000 on-campus students are studying at the Northampton main campus.
Unlike regional and metro campuses, Northampton staffs are supported by 100Base-T Ethernet LANs. In the Operations facility, there are 100 engineers in charge of technical support of the data centre, networking, maintenance, and application development. The organisational and operational structure of the Backup facility is similar to the structure of the Operations facility.
Adobe Design Premium Suite including:
Microsoft Office suite including:
ICT infrastructure at Operations site
All operational servers including FTP, HTTP/HTTPS, SMTP/SMTPS, DHCP, DNS, Authentication, Telepresence, Domain Controllers, Database, SAN, Load Balancing and video are concentrated in this facility. The Operations facility also contains the infrastructure to support TCU’s enterprise resources and services (described below)
As mentioned, the Backup is a warm-site facility that can take over within minutes in the event that the Operations facility fails. Its infrastructure mirrors the Operations facility.
Enterprise resources and Services •
COIT20265 TCU business processes rely on a combination of systems including Internet, IPX/SPX, SNA and ICTrelated services with a very complex ICT infrastructure. TCU academic board acknowledges this as major issue: the bottleneck for future TCU growth and sustainability. The senior executive of TCU argues that currently the university is spending huge to maintain and integrate disparate and cumbersome systems; with little room to expand and improve services. The TCU academic board claims that TCU needs to change and re-provision the ICT infrastructure to provide high quality learning and teaching in the most cost effective way.
As part of this change, the transition to interoperability should be achieved in a smooth manner while leveraging the latest advancements in network and information security infrastructure in order to guarantee “zero” problems in the TCU processes. TCU is also planning to invest in a multimillion dollar venture to modernise the university’s ICT infrastructure. This will potentially include:  immersive telepresence system to support distance education students (expected to grow 50% in the next 3 years),  staff and student remote access and mobile services (staff BYOD and Work-athome (WAT) policies) that TCU currently does not have,  migration of a number of services to the Cloud including the Learning Management System, File, Web and Mail Servers.
In terms of network and information security, COIT20265 TCU ICT infrastructure should safeguard appropriate access and use of ICT resources; ensure unauthorised and malicious internal and external network attacks are properly blocked. Network redundancy is currently achieved with the mesh of three T3 leased lines connecting the Headquarters (Northampton), Operations and Backup buildings; however, nothing has been done so far in terms of a security plan including a robust disaster recovery (DRP) and business continuity plan (BCP) for the university.
The statement of work is divided in two parts: Part A and Part B.
Part A For this part you are required to design and implement a secure information and network infrastructure that ensures high availability, reliability, scalability, performance and security to support TCU services. This requires  the redesign of the network;  the delivery of a comprehensive network security plan; and  Security technology implementation – proof of concept.
The following is a breakdown of the tasks for part A.
1. Network redesign including LANs, VLANs, WANs and VPNs. In this redesign, the IP address allocation should use the CIDR format (x.y.z.t/n). Discuss with your mentor the range of IP addresses you are planning to use.
2. Each LAN, WAN, VLAN and VPN should be justified in terms of traffic, reliability, performance, availability, scalability and security. To do this you need to make a number of assumptions (discuss this with your mentor / facilitator / teacher). For example, assume that a great number of university services operate 24/7. Other facilities are to operate from 6:00am to 8:00pm daily, Monday to Friday
For this redesign, take into account the following:
a. Traffic generated by the hosts: clients, servers and backup devices
b. Appropriateness of current WAN links
c. Appropriateness of current WANs (Frame Relay)
d. Appropriateness of current LANs
e. VLANs requirements
f. All networking devices including routers and switches at each site or location
g. IP address allocation of each network and main network devices
h. Sub-netting to separate traffic including IP address allocation
i. Firewalls positioning and strategy
j. Proxy servers
k. DMZ configuration
l. Firewalls Access Control Lists
m. Network diagram of the topology and allocation of devices; and IP addresses for the main network devices
n. Provision data encryption to secure data travelling between internal and external networks
The network security plan should contain as minimum the following:
1. Introduction outlining the importance of the plan and its purpose
2. Scope outlining the areas of the organisation that the Plan applies
3. Assumptions documenting any assumptions you have made in order to prepare the plan
4. Clear and concise statements about what the Security Plan is designed to achieve.
5. Summary and analysis of the organisation’s risks, highlighting the current threats, challenges and vulnerabilities along with an assessment of current security environment and treatments in place.
6. Network Security policies to address all possible network attacks and vulnerabilities
7. Information Security policies to address unauthorized and misappropriate use of TCU data and software applications
8. Disaster recovery and Business continuity plans
9. Security Strategies and Recommended controls including security policies
10. Residual risks that remain after all possible (cost-effective) mitigation or treatment of risks. Your security plan should estimate, describe and rate these risks to guide the priorities for ongoing monitoring of risks.
11. Resources for implementing the recommendation
As part of the security technology implementation and in line with the recommended controls mentioned above in the network security plan (item 9), you need to provide the complete design and implementation of the following technology:
1. Data backup and recovery technology including the procedures for backup and recovery. Note that there are NASs at the campuses to back up the data generated locally, however the vast majority of data is backed up to the File Server Operations facility through the network.
2. A proper authentication system that takes care of highly secured roles and permissions to access, share, download, upload files and folders. This should include authentication for wireless and mobile services as well.
3. File, Web (and secure Web), Mail (and secure Mail including spam email prevention), DHCP, DNS, Domain Controllers, Database and LMS (Learning Management System) servers.
4. Hardening of servers described above in section 3.
5. Network security including DMZs, Firewalls, Intrusion Detection and Prevention Systems (IDSs and IPSs)
For the recommended technology implementation, you need to justify your recommendation (chosen technology) in terms of cost, reliability, maintainability, performance and scalability. For each technology, make sure to provide details of the vendor, and the version of hardware and software.
As part of the project requirements, you are required to test the recommended controls suggested in the security technology implementation section above. The solution should address current needs of COIT20265 TCU, including the installation of the software, configuration of the system, and developing of test cases to check the complete functionality of the system.
For the proof of concept, it is mandatory that you include the documented results (procedures and screen dumps) of various network security attacks tests (such as Network Penetration Test) as part of your final project report. You may use your choice of security software/tools (including freeware open software systems) and operating systems (Windows, Linux, or Ubuntu) in a virtualized environment to build and simulate the security tests. You are required to demonstrate your implementations at the end of the term.
In part B, your task is to recommend the TCU academic board on:
1. An appropriate immersive telepresence system to support distance education students. As mentioned above, TCU is expected to grow 50% in distance education in the next 3 years.
2. You are also to recommend the strategy for staff and student remote access and mobile services (COIT20265 staff BYOD and Work-at-home (WAT); and student BYOD and study-at-home policies).
3. Finally, a complete technical report on the migration of the LMS, File, Web and Mail Servers to the Cloud, including requirement analysis, cost benefit analysis, risk analysis and final recommendation from a list of at least three cloud service providers (CSPs).
Ciampa, M. (2015). CompTIA Security+ Guide to Network Security Fundamentals (5 Edition). Clifton Park, NY: Course Technology.
Forouzan, B. (2009). TCP/IP Protocol Suite (4 edition). Boston: McGraw-Hill Education.
Panko, R. R. (2003). Business Data Networks and Telecommunications. (4th Edition edition). Prentice Hall.
Weaver, R., Weaver, D., & Farwood, D. (2013). Guide to Network Defense and Countermeasures (3 edition). Australia ; Boston, MA, USA: Course Technology.
Whitman, M. E., Mattord, H. J., & Green, A. (2011). Guide to Firewalls and VPNs (3 edition). Boston, MA: Delmar Cengage Learning.