Section A: Design Concepts (20 marks)

1. Briefly explain the following design methodologies used in network and security projects:

(a) Top-Down Design (b) Hierarchical Design (c) Layered Design (3 marks)

Here are the key security considerations I would include when designing a secure network for a small e-
commerce company:

Network Segmentation:

 Separate the network into different segments:

o Public zone: This zone would host the web server accessible to the public internet, where
customers interact with the e-commerce website.
o DMZ (Demilitarized Zone): This optional zone could house additional services exposed to
the internet, such as a mail server, further isolating them from the internal network.
o Internal network: This zone would contain sensitive data and core business systems (e.g.,
database server, inventory management system) and be isolated from the public internet.

Firewalls:

 Implement firewalls between each network segment.

 Configure the firewalls with strict rules to allow only authorized traffic between zones.
 Use stateful firewalls that track connections to prevent unauthorized access attempts.

Intrusion Detection and Prevention System (IDS/IPS):

 Implement an IDS/IPS in the DMZ and internal network to monitor traffic for suspicious activity and
potential attacks.
 Configure the IDS/IPS to send alerts to security personnel for investigation and response.

Vulnerability Management:

 Regularly scan web servers, databases, and other critical systems for security vulnerabilities using
vulnerability scanning tools.
 Patch identified vulnerabilities promptly to minimize the attack surface.

Secure Coding Practices:

 Ensure the e-commerce platform and any custom code are developed following secure coding
practices to avoid common vulnerabilities like SQL injection and XSS attacks.

Data Security:

 Implement strong encryption for sensitive data at rest (e.g., customer information, financial data) and
in transit (e.g., during online transactions) using technologies like HTTPS and TLS.
 Regularly back up critical data and store backups securely offsite for disaster recovery purposes.

User Access Control (UAC):

Page 1 of 9
  Implement a robust user access control system that grants users the least privilege necessary to
perform their jobs. This prevents unauthorized access to sensitive data.
 Enforce strong password policies and consider implementing multi-factor authentication (MFA) for
additional security.

Security Awareness Training:

 Provide regular security awareness training to all employees to educate them on common threats,
phishing tactics, and best practices for password hygiene and secure online behavior.

Monitoring and Logging:

 Continuously monitor network activity, system logs, and security events for anomalies or suspicious
activity.
 Implement a centralized logging system to collect and analyze log data for better threat detection and
incident response.

Maintaining Security:

 Regularly review and update security policies and procedures to adapt to evolving threats.
 Conduct periodic security assessments to identify and address potential vulnerabilities in the network
and applications.

Additional Considerations:

 Physical security: Implement physical security measures to protect the server hardware and network
devices from unauthorized access.
 Denial-of-Service (DoS) protection: Consider implementing DoS protection mechanisms to
mitigate attacks aimed at overwhelming the website with traffic.

By implementing these security considerations, you can create a robust and secure network infrastructure
that protects the e-commerce company's data, systems, and customer information. Remember, security is an
ongoing process, and it's crucial to continuously adapt and improve your security posture to stay ahead of
emerging threats.

2. You are tasked with designing a secure network for a small e-commerce company. Describe the key
security considerations you would include in your design. (3 marks)

Here are the key security considerations I would include when designing a secure network for a small e-
commerce company:

Network Segmentation:
Page 2 of 9
  Separate the network into different segments:
o Public zone: This zone would host the web server accessible to the public internet, where
customers interact with the e-commerce website.
o DMZ (Demilitarized Zone): This optional zone could house additional services exposed to
the internet, such as a mail server, further isolating them from the internal network.
o Internal network: This zone would contain sensitive data and core business systems (e.g.,
database server, inventory management system) and be isolated from the public internet.

Firewalls:

 Implement firewalls between each network segment.

 Configure the firewalls with strict rules to allow only authorized traffic between zones.
 Use stateful firewalls that track connections to prevent unauthorized access attempts.

Intrusion Detection and Prevention System (IDS/IPS):

 Implement an IDS/IPS in the DMZ and internal network to monitor traffic for suspicious activity and
potential attacks.
 Configure the IDS/IPS to send alerts to security personnel for investigation and response.

Vulnerability Management:

 Regularly scan web servers, databases, and other critical systems for security vulnerabilities using
vulnerability scanning tools.
 Patch identified vulnerabilities promptly to minimize the attack surface.

Secure Coding Practices:

 Ensure the e-commerce platform and any custom code are developed following secure coding
practices to avoid common vulnerabilities like SQL injection and XSS attacks.

Data Security:

 Implement strong encryption for sensitive data at rest (e.g., customer information, financial data) and
in transit (e.g., during online transactions) using technologies like HTTPS and TLS.
 Regularly back up critical data and store backups securely offsite for disaster recovery purposes.

User Access Control (UAC):

 Implement a robust user access control system that grants users the least privilege necessary to
perform their jobs. This prevents unauthorized access to sensitive data.
 Enforce strong password policies and consider implementing multi-factor authentication (MFA) for
additional security.

Security Awareness Training:

 Provide regular security awareness training to all employees to educate them on common threats,
phishing tactics, and best practices for password hygiene and secure online behavior.

Monitoring and Logging:

 Continuously monitor network activity, system logs, and security events for anomalies or suspicious
activity.
Page 3 of 9
  Implement a centralized logging system to collect and analyze log data for better threat detection and
incident response.

Maintaining Security:

 Regularly review and update security policies and procedures to adapt to evolving threats.
 Conduct periodic security assessments to identify and address potential vulnerabilities in the network
and applications.

Additional Considerations:

 Physical security: Implement physical security measures to protect the server hardware and network
devices from unauthorized access.
 Denial-of-Service (DoS) protection: Consider implementing DoS protection mechanisms to
mitigate attacks aimed at overwhelming the website with traffic.

By implementing these security considerations, you can create a robust and secure network infrastructure
that protects the e-commerce company's data, systems, and customer information. Remember, security is an
ongoing process, and it's crucial to continuously adapt and improve your security posture to stay ahead of
emerging threats.

3. Explain the role of firewalls and intrusion detection systems (IDS) in network security. How do they
differ in their functionality? (4 marks)

Firewalls and Intrusion Detection Systems (IDS) are both essential components of network security, but they
play distinct roles:

Firewalls:

 Function: Act as a gateway between your trusted internal network and untrusted external networks
(like the internet).
 Analogy: Think of a firewall as a security guard at the entrance to a building.
 Functionality:
o Inspection: Firewalls examine incoming and outgoing network traffic based on predefined
rules (e.g., port numbers, protocols).
o Filtering: Based on the rules, firewalls allow or block specific traffic.
o Prevention: Firewalls proactively prevent unauthorized access by blocking suspicious traffic
before it reaches the internal network.
o Types: There are different types of firewalls, such as packet-filtering firewalls, stateful
firewalls, and application-level firewalls, each offering varying levels of control and
inspection.

Intrusion Detection Systems (IDS):

 Function: Monitor network traffic and system activity for malicious behavior within your internal
network.
 Analogy: Think of an IDS as a security patrol inside the building, constantly looking for suspicious
activity.
 Functionality:

Page 4 of 9
 o Monitoring: IDS continuously analyzes network traffic and system activity for patterns that
might indicate an attack.
o Detection: If an anomaly or suspicious activity is detected, the IDS raises an alert to notify
security administrators.
o Passive: IDS systems themselves do not actively block traffic. Their primary role is to detect
and report potential threats.
o Types: There are two main types of IDS: Network Intrusion Detection Systems (NIDS)
monitor network traffic, and Host-based IDS (HIDS) monitor activity on individual devices
within the network.

Key Differences:

Feature Firewall Intrusion Detection System (IDS)

Location Gateway between networks Internal network
Anomaly detection and threat
Focus Traffic filtering and access control
alerting
Blocks or allows traffic based on predefined Detects and reports suspicious
Action
rules activity
Prevention vs.
Primarily preventative Primarily detective
Detection
drive_spreadsheetExporter vers Sheets

Working Together:

Firewalls and IDS work together to provide a layered defense:

1. Firewall: Acts as the first line of defense, blocking known threats at the network perimeter.
2. IDS: Monitors internal network activity and alerts administrators to potential attacks that might
bypass the firewall.

Choosing the Right Combination:

The most effective security strategy utilizes both firewalls and IDS. Firewalls provide a strong preventative
barrier, while IDS helps identify and respond to internal threats that might evade the firewall.

4. Discuss the importance of user authentication and authorization in web applications. Briefly explain
two common authentication methods used in web development. (4 marks)

User authentication and authorization are fundamental pillars of web application security. Here's why they're
crucial:

Page 5 of 9
1. Prevent unauthorized access: They act as a gatekeeper, ensuring only authorized users can access
specific parts of the application. This safeguards sensitive data, functionalities, and administrative areas.2.
Enhance security: By verifying user identities and controlling access levels, these measures significantly
reduce the risk of data breaches, malicious activities, and privilege escalation attacks.3. Maintain data
integrity: By restricting access to those who have permission, you prevent unauthorized changes or
manipulation of data, ensuring its accuracy and reliability.4. Personalize user experience: Authentication
allows you to personalize the user experience by tailoring content, features, and settings based on individual
users and their authorization levels.5. Improve user trust: Secure authentication and authorization
demonstrate a commitment to user privacy and data protection, fostering trust and confidence in your
application.

1. Two Common Authentication Methods in Web Development

1. Username and Password:

 This is the most widely used method. Users create a unique username and password to log in.
 The server stores passwords securely (usually hashed with one-way encryption) and verifies them against the user's input
during login attempts.
 While convenient, it can be vulnerable to brute-force attacks or password leaks. Consider implementing additional
security measures like password strength requirements and multi-factor authentication (MFA).

2. Session-based Authentication:

 When a user successfully logs in, a unique session ID is generated and stored on the server-side (often in a cookie) and on
the user's browser.
 Subsequent requests from the user's browser include the session ID, allowing the server to verify the user's identity
without requiring constant re-entry of credentials.
 Session IDs typically expire after a period of inactivity, requiring users to log in again for security reasons.
 This method simplifies user experience, but session cookies can be vulnerable to hijacking if not properly secured.

5. Briefly describe the process and tools used to create a dynamic web site (6 marks)

1. Planning and Design:

o Define website purpose and target audience.
o Information architecture: Plan content organization using sitemaps and user flows.
o User interface (UI) design: Consider elements like layout, navigation, and visual appeal.
2. Development:
o Server-side scripting: Languages like PHP, Python, or Node.js are used to generate content
based on user interaction or database queries.
o Front-end development: HTML, CSS, and JavaScript handle the visual presentation and
user interaction in the browser.
o Database (optional): Stores dynamic content like user accounts, product listings, or articles.
3. Deployment:
o Web hosting: Choose a web hosting service to store your website's files and make them
accessible online.
o Domain name: Register a unique domain name (e.g., [invalid URL removed]) as your
website's address.

Securing a Dynamic Website:

Page 6 of 9
  Secure coding practices: Avoid common vulnerabilities like SQL injection and XSS. Use prepared
statements and input validation.
 Strong server configuration: Keep software updated, disable unused services, and use strong
passwords for server access.
 HTTPS encryption: Implement HTTPS to encrypt communication between website and user,
protecting sensitive data.
 Regular security scans: Identify and address vulnerabilities before attackers exploit them.
 Secure CMS and plugins: Keep your CMS (if used) and plugins updated with the latest security
patches.
 User access control: Grant users only the minimum level of access they need for their tasks.
 Secure data storage: Encrypt sensitive data at rest and in transit.
 Regular backups: Back up your website regularly to recover quickly in case of security incidents.

Tools:

 Development tools: Code editors, version control systems (e.g., Git), web development frameworks
(e.g., Laravel, Django)
 Security scanners: Tools like Acunetix or OpenVAS can identify vulnerabilities.
 Database management tools: Tools for managing and interacting with your database (if used).

Section B: Scenario-Based Design (20 marks)

A medium-sized university with 5000 students and 200 faculty members needs to upgrade its network
infrastructure. The university requires a secure and reliable network to support various services such as
online learning, email, research computing, and administrative tasks. And also, the students need to upgrade
their skills as web programming is concern. They need to produce the bellow page:

Instructions:

Using the scenario above, answer the following questions:

1. Describe the type of network topology (e.g., star, bus, mesh) that would be most suitable for the
university and justify your choice. (3 marks)

Page 7 of 9
 Recommended Topology: Hierarchical Star with Core-Distribution-Access (CDA) Architecture
 Justification:

 Scalability: The hierarchical structure allows for easy expansion to accommodate future growth
(more students, faculty, devices).
 Manageability: Each layer has specific functions, simplifying network administration.
 Security: Different security policies can be applied at each layer for better control.
o Core layer focuses on high-speed data transfer with minimal security filtering.
o Distribution layer manages traffic between departments and can enforce security policies.
o Access layer connects individual devices and implements granular access control.

2. What network protocols would you recommend for secure communication within the university
network? Briefly explain the reasons for your choices. (3 marks)

Secure Communication Protocols:

 TCP/IP: Foundation protocol for internetworking, ensuring reliable data delivery.

 HTTPS: Secure communication protocol for web traffic, encrypting data (e.g., online learning
platforms) to protect sensitive information.
 SSH: Secure Shell protocol for encrypted remote access, allowing secure access for faculty and
administrators to manage systems.
 WPA2/WPA3: Secure wireless network protocols for encrypted Wi-Fi access, protecting student
and faculty devices.

3. Identify two potential security threats that the university network might face and propose
corresponding security measures to mitigate these threats. (3 marks)

 Threat 1: Phishing Attacks: Emails or websites designed to trick users into revealing sensitive
information (passwords, credit cards).

 Mitigation:

 User education: Train users to identify suspicious emails and avoid clicking on unknown links.
 Email filtering: Implement email filtering solutions to block phishing attempts.

 Threat 2: Malware Attacks: Malicious software that can infect devices and steal data or disrupt
operations.

 Mitigation:

 Antivirus software: Install and maintain antivirus software on all university devices.
 Intrusion Detection/Prevention System (IDS/IPS): Implement an IDS/IPS to monitor network traffic
for suspicious activity and block malware attempts.

4. Briefly outline your plan for user authentication and access control within the university network.

(3 marks)

 User Authentication:

Page 8 of 9
  Centralized authentication server: Implement a central server to manage user accounts and login
credentials for all university users (students, faculty, staff).
 Multi-factor authentication (MFA): Enforce MFA for accessing sensitive systems and
applications, adding an extra layer of security beyond usernames and passwords.

 Access Control:

 Role-based access control (RBAC): Assign access permissions based on user roles (e.g., students
access learning platforms, faculty access research resources).
 Network Access Control (NAC): Implement NAC to enforce security policies and restrict
unauthorized devices from connecting to the network.

5. Using HTML and JavaScript produce the above web page (8 marks)

Judge by the examiner

« Striving for success without hard work is like trying to harvest when you haven't planted." »
David Bly
GOOD LUCK

Page 9 of 9