Posted: April 24th, 2025

Secure Network Design

 

You are the cybersecurity professional for Company A and are responsible for protecting the information of the company. Your roles include managing the company’s cybersecurity capabilities and tools, conducting vulnerability management, and assessing risk to sensitive information. Company A has recently purchased Company B and wants to merge both networks.

Executives of Company A have tasked you with making risk-based decisions on integrating Company B’s network with Company A’s existing network. Company B has provided its latest vulnerability scans, network diagrams, and existing cybersecurity capabilities and tools. As a deliverable to the executives, you will submit your recommendations for a secure network design that merges the two networks and allows remote access for employees of both companies in the form of a merger and implementation plan.

For this project, you will use the given scenario and the following supporting documents to complete your network merger and implementation plan:

•  “Company A Network Diagram”

•  “Company A Risk Analysis”

•  “Company B Network Diagram”

•  “Company B Vulnerability Report and Cybersecurity Tools”
Scenario Company A is a global company based in the United States that operates in the financial industry. Company A serves its customers with financial products, such as checking accounts, bank cards, and investment products. Company A has recently acquired Company B and needs to integrate with or remove similar capabilities and tools from Company B. Company B is smaller in size, has no dedicated cybersecurity professional role, and utilizes third-party support for infrastructure needs. Company B offers specialized software to medical providers and accepts credit cards as a payment option.  The executives of the newly merged company have expressed interest in integrating the use of the cloud to allow for scalability and redundancy. As the security professional of the merged networks, you are tasked with creating a secure network design that includes the use of zero trust principles and that utilizes both on-premises and cloud infrastructure. You also have been tasked with ensuring compliance with all regulatory requirements of the merged company, along with utilizing cloud-based technologies to provide security capabilities. Company executives have provided a budget of $50,000 in the first year to create a secure network design to utilize cloud-based services. Requirements Your submission must be your original work.
.    A.  Describe two current network security problems and two current infrastructure problems for each company, based on business requirements given in the scenario.
 B.  Analyze the given network diagram and vulnerability scan for both companies by doing the following:  1.  Describe two existing vulnerabilities for each company.  2.  Explain the impact, risk, and likelihood associated with each described vulnerability from part B1 as it relates to each company.  
C.  Create a network topology diagram with details of the proposed merged network requirements.  
D.  Identify the layer for all components in the topology diagram referencing the layers of the OSI model and TCP/IP protocol stack.  
E.  Explain the rationale for adding, deleting, or repurposing network components in the newly merged network topology diagram, including details of how each component addresses budgetary constraints.          F.   Explain two secure network design principles that are used in the proposed network topology diagram.  
G.  Explain how the proposed merged network topology diagram addresses two regulatory compliance requirements that are relevant to the newly merged company, including the following in your explanation:  •   the name of the regulatory compliance requirement  •   why the regulatory requirement is relevant to the newly merged company  •   how the proposed merged network topology diagram meets the regulatory requirement   
H.  Describe two emerging threats that are applicable to the merged organization, including the following in the description:  •   potential network security risks of implementing the topology  •   potential performance impacts on the merged network after implementation of the proposed design  •   how to manage the identified potential security risks  
I.  Summarize your recommendations for implementation of this proposed merged network based on the scenario and budgetary requirements, including the following in the summary:  •   a cost-benefit analysis for on-premises and cloud infrastructure solutions  •   a justification for your recommendations to implement the proposed secure merged network design  
J.  Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.   
K.  Demonstrate professional communication in the content and presentation of your submission.
Follow this rubric  :  A:BUSINESS REQUIREMENTS:The submission accurately describes 2 or more current network security problems and at 2 or more current infrastructure problems for each company and is aligned with the business requirements given in the scenario.  
B1:VULNERABILITIES : The submission accurately describes 2 or more existing vulnerabilities for each company. The vulnerabilities described are in alignment with the given network diagram and vulnerability scan.  
B2:IMPACT, RISK, LIKELIHOOD:  The submission explains the impact, risk, and likelihood associated with each described vulnerability from part B1 as it relates to each company. The explanation is complete and in alignment with the given network diagram and vulnerability scan.  
C:TOPOLOGY DIAGRAM: The network topology diagram with the details of the proposed merged network requirements is provided. The diagram is complete and meets the needs provided in the scenario. MAke a table under the topology for costs that include everything that we added and show that it stays under the 50k budget
D:TOPOLOGY COMPONENTS: The submission correctly identifies the layer for all components in the topology diagram referencing the layers of the OSI and TCP/IP protocol stack
E:RATIONALE : The submission explains the rationale for adding, deleting, or repurposing network components in the newly merged network topology diagram and includes the details of how each component addresses budgetary constraints. The explanation is in alignment with the given scenario.  F:SECURE NETWORK DESIGN PRINCIPLES :  The submission explains 2 or more secure network design principles that are used in the proposed network topology diagram. The explanation clearly names the secure network design principles being used and how each principle aligns with the proposed network topology diagram.  
G:REGULATORY COMPLIANCE : The submission accurately explains how the proposed merged network topology diagram addresses 2 or more regulatory compliance requirements and includes all of the listed components. The regulatory compliance requirements are relevant to the newly merged company.  
H:EMERGING THREATS : The submission accurately describes 2 or more emerging threats that are applicable to the newly merged organization and includes all the given points.
I:SUMMARY RECOMMENDATIONS: The submission summarizes the recommendations for implementation of the proposed merged network. The summary is logical and in alignment with the scenario and budgetary requirements and includes all listed specifications.  

network network securityCyber Security

D482: Secure Network Design

DHN1: Secure Network Design Company A Risk Analysis

PAGE 1

PAGE 2

Company A Risk Analysis

Company A performed an internal risk analysis in anticipation of system integration with Company B. This risk analysis was performed in accordance with NIST SP 800-30 Rev 1 to identify the following:

• vulnerabilities

• risk likelihood

Table A. Risk Classifications

Risk Level

Description

High

The loss of confidentiality, integrity, or availability may be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Moderate

The loss of confidentiality, integrity, or availability may be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Low

The loss of confidentiality, integrity, or availability may be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Table B. Data Sensitivity

Type of Data

Sensitivity

Confidentiality

Integrity

Availability

Customer PII (e.g., Account Numbers, Social Security Numbers, and Phone Numbers)

High

High

Moderate

Employee PII (e.g., Social Security Numbers and Employee Identification Numbers)

High

High

Moderate

Company intellectual property (e.g., credit scoring calculations)

High

High

Moderate

Marketing and advertising

Moderate

Moderate

Low

Table C. System Inventory

System Components

Servers

Windows server 2019; role: internal SharePoint server
Windows server 2019; role: Exchange server
Windows server 2012; role: Application server
Windows server 2012R2; File server
DMZ Windows server 2012; role: FTP and external Web Server

Workstations

75 – Windows 10 Pro
20 – configured for remote desktop access

Switches

4 – Cisco 3750X

Firewall

Fortinet’s Fortigate 800D NGFW

Border router

Cisco 7600

Laptops

14 – Windows 7
6 – Windows 11

Wireless Access Points

2 – Meraki MR28

Cable plant

Cat5e

Table D. Risk Identification

Risk #

Vulnerability

Risk Likelihood

1

Open ports 21-90, 3389

High

2

All users use eight-character passwords

High

3

User accounts no longer required are not removed

Moderate

4

All users have local administrative privileges

Moderate

5

Regular password changes are not enforced

Moderate

6

End-of-Life Equipment in use

Low

image1

D482 – Secure Network Design

DHN1: Secure Network Design

PAGE 1

PAGE 2

Company B Vulnerability Report

Company B performed this vulnerability assessment in anticipation of system integration with Company A. This assessment was performed by a qualified third-party assessor, and this report has been generated with the results. This assessment was performed in accordance with a methodology described in NIST 800-30 Rev 1 to identify the following:

· Vulnerabilities using the CVSS model

· Severity

· Likelihood of occurrence

Table A. Risk Classifications

Risk Level

Description

High

The loss of confidentiality, integrity, or availability may be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Moderate

The loss of confidentiality, integrity, or availability may be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Low

The loss of confidentiality, integrity, or availability may be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Table B. Severity

Severity Level (CVSS Model)

Description

Critical

· Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
· Exploitation is usually straightforward in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims and does not need to persuade a target user, for example, via social engineering, to perform any special functions.

High

· The vulnerability is difficult to exploit.
· Exploitation could result in elevated privileges.
· Exploitation could result in significant data loss or downtime.

Medium

· Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
· Denial of service vulnerabilities that are difficult to set up.
· Exploits that require an attacker to reside on the same local network as the victim.
· Vulnerabilities where exploitation provides only very limited access.
· Vulnerabilities that require user privileges for successful exploitation. 

Low

Exploitation of such vulnerabilities usually requires local or physical system access and would have little impact on the organization.

Table C. Level of Effort

Level of Effort

Description

High

This requires a high level of dedicated effort from one or more teams on critical systems, including patching, multiple configuration changes, or highly technical changes that risk bringing services down.

Moderate

This is a medium-level effort that requires substantial dedication from a partial or entire team. This could impact services or cause a partial outage.

Low

These are individual or small team efforts generally requiring a minimal time commitment and require running an update or remedial command or series of commands that will not impact production services.

Table D. System Inventory

System Components

Servers

Virtualized farm running on Hyper-V (2 hosts). Windows Server 2019 and Ubuntu Linux. Approximately 20 virtualized servers (across the 2 hosts), including the following roles:
· (Ubuntu Linux) FTP server for EDI Incoming Operations
· 3x Domain Controllers (1 used for M365 identity sync)
· 1x File Storage/Server
· 1x Ruby On Rails server
· 3x ElasticSearch servers (cluster)
· 5x web application servers (Ubuntu Linux cluster, 1x PostGRESQL, 1x MariaDB SQL, 3x running nginX Plus w\reverse caching proxy, 1x running Apache Tomcat, PHP 8, hosting SSL/TLS certificates)
· 4x Remote Desktop Servers for internal shared/applications
· 2x legacy Exchange servers (post-migration)

75 Workstations

Windows XP, 7, 10/11 Pro, Ubuntu Linux, MacOS

Switches

HPE JL262A Aruba 2930F 48G PoE+

Firewall

2x Sophos XG firewalls

Border router

Verizon FIOS router (CR1000A)

Laptops

Windows 10, 11, Ubuntu 22.04 LTS, MacOS (Ventura, Monterey, Big Sur)

Wireless Access Points

10x HPE JZ337A Aruba AP-535

Cable plant

Cat6a

Table E. Risk Identification

Risk #

Vulnerability (NVT Name)

NVT OID

Severity

Risk

Level of Effort

1

Distributed Ruby (dRuby/DRb) Multiple Remote Code Execution Vulnerabilities

1.3.6.1.4.1.25623.1.0.108010

Critical

High

High

2

MFA not enforced across all users

High

High

High

3

Rexec service is running

1.3.6.1.4.1.25623.1.0.100111

High

High

Low

4

All users have local administrative privileges

Medium

Moderate

High

5

Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability on publicly-facing server

1.3.6.1.4.1.25623.1.0.140051

Critical

High

Moderate

6

Operating System (OS) End of Life (EOL) Detection

1.3.6.1.4.1.25623.1.0.103674

Critical

High

Low

7

rlogin Passwordless Login

1.3.6.1.4.1.25623.1.0.113766

High

Moderate

Low

8

Apache Tomcat AJP RCE Vulnerability (Ghostcat)

1.3.6.1.4.1.25623.1.0.143545

Critical

High

Moderate

9

PostgreSQL weak password

1.3.6.1.4.1.25623.1.0.103552

High

High

Low

10

PostgreSQL admin is reachable from internet

Critical

High

Low

11

VNC Brute Force Login

1.3.6.1.4.1.25623.1.0.106056

High

High

Low

12

FTP Brute Force Logins Reporting

1.3.6.1.4.1.25623.1.0.108718

High

High

Low

13

phpinfo() output Reporting

1.3.6.1.4.1.25623.1.0.11229

High

Moderate

Low

14

vsftpd Compromised Source Packages Backdoor Vulnerability

1.3.6.1.4.1.25623.1.0.103185

High

High

Moderate

15

rsh Unencrypted Cleartext Login

1.3.6.1.4.1.25623.1.0.100080

High

Moderate

Moderate

16

SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability

1.3.6.1.4.1.25623.1.0.105042

High

Moderate

Moderate

17

Anonymous FTP Login Reporting

1.3.6.1.4.1.25623.1.0.900600

Moderate

Low

18

Samba MS-RPC Remote Shell Command Execution Vulnerability – Active Check

1.3.6.1.4.1.25623.1.0.108011

High

Moderate

High

19

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection

1.3.6.1.4.1.25623.1.0.111012

Moderate

Moderate

Moderate

20

Weak Host Key Algorithm(s) (SSH)

1.3.6.1.4.1.25623.1.0.117687

Moderate

Moderate

Moderate

Company B Cyber Security Tools

Company B has provided this list of cyber security tools in anticipation of being acquired by Company A. This list is assumed to be complete.

Table A. Cyber Security Tools

Tool Name

Purpose

Sophos/Intercept X

Endpoint Detection and Response

OneTrust

Data privacy/Data lifecycle management

Code42

Data-centric security

Sophos XG

Next-Gen Firewalls

No tool available

Mobile Device & Application Management

DUO

Identity and Access Management

Akamai

Application Security

Mimecast

Messaging Security

Arctic Wolf

Managed Security Services Provider

Cisco Umbrella

DNS Security

In progress

Cyber security policy

In progress

Written Information Security Policy (WISP)

In progress

Written procedures

Minimal

Documentation of environment

image1

Assessment Code and Task

D482: Secure Network Design Company A Network Topology Diagram

PAGE 1

PAGE 2

image1

image2

Assessment Code and Task

D482: Secure Network Design Company B Network Topology Diagram

PAGE 1

PAGE 2

image1

image2