Mastering Network Architecture & Security Design for Corporate Environments
Betini Akarandut
Chemical Engineer | Software Engineer: Transforming ideas into reality
Network architecture is the backbone of any modern corporate infrastructure. In this project, I was tasked with building a lab demonstration for a final-year student's project. The project was split into three major tasks, each focusing on a different aspect of network setup and security.
I'll take you through each task step by step, from setting up a DNS server to implementing security measures across the corporate network. Let's dive in!
Task A: DNS Server Setup Instructions
A Domain Name System (DNS) server is responsible for translating human-readable domain names into IP addresses. This forms the core of a scalable network infrastructure, ensuring users can easily access services within the network.
Steps to Implement the DNS Server:
1. Install Bind9
Bind9 is widely used for setting up DNS services. Start by updating your package lists and installing Bind9:
```bash
sudo apt update
sudo apt install bind9 bind9utils bind9-doc
```
2. Configure Forward Lookup Zone
We configure the forward zone to map domain names like corporate.local to internal IP addresses.
```bash
sudo nano /etc/bind/named.conf.local
```
Add the following forward zone configuration:
```txt
zone "corporate.local" {
    type master;
    file "/etc/bind/zones/db.corporate.local";
};
```
3. Create the Zone File
The zone file tells Bind9 how to resolve domain names to IP addresses.
```bash
sudo nano /etc/bind/zones/db.corporate.local
```
Inside the file, add your configurations:
```txt
$TTL 604800   ; default TTL for records without one; BIND 9 needs this directive before the first record
@ IN SOA ns.corporate.local. admin.corporate.local. (
    2024010101 ; Serial (increment on every change so secondaries reload the zone)
    604800     ; Refresh
    86400      ; Retry
    2419200    ; Expire
    604800 )   ; Negative Cache TTL
@      IN NS ns.corporate.local.
ns     IN A  192.168.1.10
server IN A  192.168.1.20
```
4. Configure Reverse Lookup Zone
The reverse lookup zone allows us to resolve IP addresses back to domain names. Add it to /etc/bind/named.conf.local alongside the forward zone:
```txt
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.1";
};
```
Create the reverse zone file, which holds the PTR records for the addresses defined in the forward zone:
```bash
sudo nano /etc/bind/zones/db.192.168.1
```
5. Restart Bind9
After setting everything up, validate the configuration with named-checkconf and named-checkzone, then restart Bind9 to apply the changes.
```bash
sudo systemctl restart bind9
```
6. Test DNS Resolution
Use dig or nslookup to verify forward and reverse resolution against the new server:
```bash
dig @192.168.1.10 corporate.local          # zone apex: expect the SOA and NS records
dig @192.168.1.10 server.corporate.local   # forward lookup: expect A 192.168.1.20
nslookup 192.168.1.10 192.168.1.10         # reverse lookup: expect ns.corporate.local
```
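A worked example, added here and not part of the original project: a Python script that renders the forward zone above and the matching reverse zone from one host table, derives the in-addr.arpa zone name used in named.conf.local, and checks that every A record has a PTR pointing back to it. The host names, addresses and serial are the article's values; the `$TTL` line is added because BIND 9 expects it.

```python
import ipaddress
import re
# Constructed host table: ns and server are the article's own A records.
HOSTS = {"ns": "192.168.1.10", "server": "192.168.1.20"}
ZONE, NETWORK, SERIAL = "corporate.local", "192.168.1.0/24", 2024010101

def soa_header(zone, serial, ns="ns", mail="admin"):
    # $TTL must precede the first record or BIND 9 rejects the zone; the article's file omits it.
    return ["$TTL 604800",
            f"@ IN SOA {ns}.{zone}. {mail}.{zone}. ( {serial} 604800 86400 2419200 604800 )",
            f"@ IN NS {ns}.{zone}."]

def forward_zone(zone, hosts, serial):
    """Render db.<zone>: one A record per host."""
    lines = soa_header(zone, serial)
    for name, ip in sorted(hosts.items()):
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        lines.append(f"{name} IN A {ip}")
    return "\n".join(lines) + "\n"

def reverse_zone_name(network):
    """192.168.1.0/24 -> 1.168.192.in-addr.arpa, the zone name used in named.conf.local."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen != 24:
        raise ValueError("this example handles /24 reverse zones only")
    return ".".join(reversed(str(net.network_address).split(".")[:3])) + ".in-addr.arpa"

def reverse_zone(zone, hosts, serial, network):
    """Render the in-addr.arpa file so every A record has a matching PTR."""
    net = ipaddress.IPv4Network(network)
    lines = soa_header(zone, serial)
    for name, ip in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[1])):
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{name} ({ip}) lies outside {network}")
        lines.append(f"{str(addr).split('.')[-1]} IN PTR {name}.{zone}.")
    return "\n".join(lines) + "\n"

def mismatches(fwd_text, rev_text, zone, network):
    """(name, ip) pairs present in only one of the two files; an empty list means consistent."""
    prefix = ".".join(str(ipaddress.IPv4Network(network).network_address).split(".")[:3])
    a_recs = set(re.findall(r"^(\S+) IN A (\S+)$", fwd_text, re.M))
    ptr_recs = {(fqdn[:-len(zone) - 1], f"{prefix}.{octet}")
                for octet, fqdn in re.findall(r"^(\d+) IN PTR (\S+)\.$", rev_text, re.M)}
    return sorted(a_recs ^ ptr_recs)

if __name__ == "__main__":
    fwd, rev = forward_zone(ZONE, HOSTS, SERIAL), reverse_zone(ZONE, HOSTS, SERIAL, NETWORK)
    print(fwd, rev, "mismatches:", mismatches(fwd, rev, ZONE, NETWORK), sep="\n")
```

Run `named-checkzone corporate.local db.corporate.local` on the generated files before deploying; the consistency check only catches forward/reverse drift, not syntax BIND would reject.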
With the DNS server fully configured, we laid the groundwork for a secure and scalable corporate network.
Task B: Design a Scalable and Secure Network Architecture
Goal:
Designing a secure and scalable network architecture is crucial for business continuity and operational efficiency. In this task, the key was to ensure network segmentation through VLANs and subnets, robust firewalls, and other security features.
Key Design Components:
- VLAN (Virtual Local Area Network):
VLANs segment departments (e.g., IT, HR, Finance) into isolated virtual networks to improve performance and security.
Command to create a VLAN interface (the `ip` tool replaces the deprecated `vconfig`):
```bash
sudo ip link add link eth0 name eth0.10 type vlan id 10   # VLAN 10 for HR (legacy form: vconfig add eth0 10)
sudo ip link set eth0.10 up
```
- Subnetting:
Breaking the address space into smaller segments ensures efficient use of IP ranges and adds an extra layer of isolation between departments.
Example subnet for Finance: 192.168.2.0/24
- Firewall Configuration:
Firewalls protect the network from malicious traffic. Configuring firewalls at the edge of the network ensures only legitimate traffic is allowed.
Firewall command example (allow HTTP only from the Finance subnet):
```bash
sudo ufw allow proto tcp from 192.168.2.0/24 to any port 80
```
- IDS/IPS (Intrusion Detection/Prevention Systems):
To safeguard the network against external threats, IDS/IPS systems were deployed to detect and prevent unauthorized access.
The network design created a foundation for secure communication and efficient resource management within the corporate environment.
Task C: Security Hardening and VPN Setup
With the network architecture in place, Task C focused on hardening security by setting up VPN, configuring Fail2Ban, and creating firewall rules.
1. VPN Setup:
A Virtual Private Network (VPN) ensures that remote employees can securely access corporate resources.
Steps for VPN setup:
1. Install the VPN software (e.g., OpenVPN).
2. Create configuration files for the server and clients.
3. Define firewall rules to allow VPN traffic:
```bash
sudo ufw allow 1194/udp   # OpenVPN default port
```
4. Test the VPN connection from client machines to confirm that traffic is encrypted.
2. Fail2Ban Configuration:
Fail2Ban is essential for defending the network against brute-force attacks.
Configuration:
1. Install Fail2Ban:
```bash
sudo apt install fail2ban
```
2. Create a local override to monitor specific services (e.g., SSH); jail.local takes precedence over the packaged jail.conf:
```bash
sudo nano /etc/fail2ban/jail.local
```
3. Set up ban rules to block IPs after a certain number of failed login attempts:
```ini
[sshd]
enabled = true
port = ssh
# ban a source after 5 failed logins inside the findtime window
maxretry = 5
```
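As an added example (not from the original project), the following Python replays a constructed auth.log excerpt with the jail's logic so you can see exactly when the rule above fires: maxretry = 5 is the article's setting, while findtime and bantime are assumed to be Fail2Ban's 10-minute defaults, and the source addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail parameters: maxretry = 5 is the article's setting; findtime and bantime
# are assumed here (Fail2Ban's defaults are 10 minutes each).
MAXRETRY, FINDTIME, BANTIME = 5, timedelta(minutes=10), timedelta(minutes=10)

# Constructed auth.log excerpt using documentation addresses (not a real capture).
SAMPLE_LOG = """\
2024-01-01T10:00:01 srv sshd[101]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-01-01T10:00:03 srv sshd[102]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-01-01T10:00:05 srv sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
2024-01-01T10:00:07 srv sshd[104]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
2024-01-01T10:00:09 srv sshd[105]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-01-01T10:00:11 srv sshd[106]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-01-01T10:01:00 srv sshd[107]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-01-01T10:03:00 srv sshd[108]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
2024-01-01T10:05:00 srv sshd[109]: Failed password for alice from 198.51.100.4 port 40002 ssh2
"""

FAIL_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port \d+")

def scan(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log and return {ip: time_banned} for sources that reach maxretry
    failures inside a sliding findtime window, which is the rule the [sshd] jail enforces."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue             # successful logins and unrelated lines are not counted
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip] + bantime:
            continue             # the firewall is already dropping this source
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts
            recent[ip] = []      # the counter resets once the ban is in place
    return bans

def ban_rule(ip):
    """Shape of the rule assumed to mirror Fail2Ban's iptables-multiport ban action."""
    return f"iptables -I f2b-sshd 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"

if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG).items():
        print(f"{when.isoformat()} ban {ip}: {ban_rule(ip)}")
```

Lowering maxretry or widening findtime makes the jail stricter; the second source in the sample, with two failures four minutes apart, is only banned once maxretry drops to 2.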
3. Firewall Rules:
A robust firewall is the last line of defense in network security. We configured iptables to restrict access to critical services.
Basic rules example:
```bash
sudo iptables -A INPUT -p tcp --dport 22 -j DROP    # Block SSH (this also blocks administrators; scope it with -s <mgmt-subnet> where remote management is needed)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # Allow HTTP
```
Conclusion:
This project combined various aspects of network design, security, and implementation to create a scalable and secure corporate infrastructure. Each task played a crucial role in ensuring that the network could handle real-world traffic while staying protected against threats.
Key Takeaways:
- Setting up DNS is the cornerstone of any corporate network.
- A well-designed network architecture ensures scalability and security through segmentation and firewalls.
- Security hardening, including VPNs and firewalls, is essential to safeguarding corporate data.
With this detailed approach, we were able to create a network that is secure, scalable, and future-proof.
Would you like to know more about this project? Feel free to connect with me!