Networks and Information Security Case study – Copyright 2020 © Edilson Arenas – CQUniversityThe Global UniversityCase study for COIT20265 and COIT13236 UnitsObjectiveYou are to design and build a secure, responsive, reliable, scalable, and resilient distributedsystem to support the online learning operations of a large university.BackgroundThe Global University (TGU) is one of the world’s largest online learning universities withmore than 250,000 students undertaking undergraduate and postgraduate studiesworldwide. At TGU, all education services, courses, programs and units of study areinternally authored and delivered online both synchronously and asynchronously usingTGU’s proprietary network infrastructure. TGU’s headquarters is in France, where it housesaround 2,000 academics and about 4,000 administrative, operational and student supportstaff. In France, TGU also has a world class learning and teaching research centre (LTRC)with about 1,000 research staff. Since its inception, TGU has structured its academicoperations into faculties; but just recently, TGU decided to consolidate its operations intoseven schools, namely, 1. Arts and Social Sciences, 2. Business and Economics, 3.Education and Language Studies, 3. Engineering and Maths, 4. Health Sciences, 5.Learning Technologies and 6. Science.TGU network infrastructure interconnects its operations with the global research andeducation network community across multiple 100 gigabit per second (Gbps) densewavelengths division multiplexing (DWDM) leased links over multiprotocol label switching(MPLS). TGU has four (4) strategically located private cloud data centres (CDCs) in Japan,Argentina, India, and South Africa respectively. Each CDC is typically equipped withapplication servers, virtual machines, physical machines, load balancers, bare machines,storage and Internet access.At each CDC there is also a proprietary remote access laboratory, the university uses tosupport laboratory experiences for students enrolled in STEM units (Science, Technology,Engineering and Maths). A remote lab is a set of network-connected physical devices thatcan be observed and controlled at distance. Lately, these laboratories are becoming anissue for TGU because of their age, lack of interoperability, and high running costs. TGUdecided to upgrade these remote labs by a state-of-the-art massive open online laboratorysystem (MOOL) offered as services (Lab as a Service or LaaS). The LaaS, conceptualisedin Figure 1, features a modern service architecture typical of cloud computing . FromFigure 1, there is a lab service provider and a lab service consumer. Stakeholders can beteachers, students, learning designers, and lab owners.2 | P a g eNetworks and Information Security Case study – Copyright March 2020 © Edilson Arenas – CQUniversityFigure 1 Laas (Lab as a Service) concept Similarly, TGU uses a customised proprietary Learning Management System (LMS) tosupport the management of learning, teaching and research. The LMS server (located in theheadquarters) is nearly at the end of its lifetime, and like the old remote labs, TGU hasdecided to replace it for a more contemporary GNU General Public Licence. After anextensive research, TGU opted for Moodle  as the LMS to support its learning, teachingand research operations. There are hundreds of plugins for Moodle, extending the featuresof Moodle’s core functionality. Table 1 lists some examples of plugins TGU aims to use:
Plug-in AimVideo-on-Demand(VoD)To stream video lecturesElectronic Portfolio To enable students to keep their journals and learningexperiencesWeb Conferencing To support web conferencing including real-time online classes,online meetings, chat, and mobile collaborationLaaS via Moodle To support the learning experiences of students enrolled inSTEM units (Science, Technology, Engineering and Maths)SCORM ContentAuthoringTo create reusable SCORM contentAcademic Integrity To promote academic integrity, streamline grading and feedback,deter plagiarism, and improve student outcomesLearning andAcademic AnalyticsTo track students’ learning experiences, personalise the learningenvironments, and improve the academic practices in general.
TGU goal is to become the world’s largest online learning university by providing learningenvironments tailored to the learning needs of contemporary students. To that end, thefollowing is the list of requirements to consider.General Requirements1. The new system should scale to support a student base growth of 10% yearly for thenext three years.2. The new Moodle LMS should leverage four-tier application architectures.3. The new system should operate 24/7, except for some scheduled downtimemaintenance windows.4. The mean availability of the new system should fall within industry standard systems,typically between 99.5 per cent and 99.9 per cent uptime.3 | P a g eNetworks and Information Security Case study – Copyright March 2020 © Edilson Arenas – CQUniversity5. All network tasks and services concerning the new system should be automated toimprove business efficiency and effectiveness.6. The services running in the new system should be accessible from any deviceincluding desktops (Windows and MacOS), laptops (Windows and MacOS), tablets,and smart phones (Android and iOS).7. The services running in the new system should be compatible with all major browsersincluding Chrome, Firefox, Safari, Internet explorer, and Opera.8. The new infrastructure should provide support for the on-demand storing andstreaming of HDTV videos (1080p 1920×1080 progressive scan) produced for eachof the units of study.9. The new infrastructure should support the real-time streaming of online classes,online meetings, chat, and mobile collaboration.10. The new system should leverage micro-services technology. It is estimated thataround 1,000 micro-services will be available to control all the components of thenew network service.11. The new system should leverage the deployment of the latest 5G digital cellularnetwork services.12. The new system should leverage the Internet of Things (sensors located at eachLaaS); and devices like students’ Apple Watch and augmented / mix reality gearemployed by TGU to gather data on the habits and patterns of its students.13. The new system should support the implementation of learning and academicanalytics.Security Requirements1. The security of the Moodle system and remote labs (LaaS) should be as solid aspossible to defend against both physical and malware attacks specifically designed tocompromise the lab equipment, application stack, web services, micro-services, andthe cloud infrastructure in general.2. For remote lab access via a Moodle activity, the authentication should be done at theMoodle LMS and the authorisation at a third-party authorisation server that checksthe validity of the Moodle LMS as a consumer for the lab.3. The implementation and configuration of LaaS (at the four CDCs) should leverageload balancers, proxy servers, reverse proxy server, and NAT (Network AddressTranslation).4. The LaaS and the Moodle LMS internal range of private IPv4 addresses should be172.16.0.0/125. Any security event at LaaS or Moodle LMS should be resolved within three hours ofbeing logged (from event detection to ticket generation, and final resolution). Theoptimal goal would be the resolution of such events in real-time using automation asmuch as possible.Statement of WorksTGU is concerned that changing its infrastructure from proprietary to commercial-of-the-shelfsolutions (COTS) (LaaS and Moodle) will likely cause a big impact on the security of its4 | P a g eNetworks and Information Security Case study – Copyright March 2020 © Edilson Arenas – CQUniversityoperations. On these grounds, TGU has contracted YOU to conduct a preliminaryassessment of the situation and recommend the senior management on the feasibility of theproject. This should include:1. A business analysis and recommendation to TGU of the most appropriateinfrastructure to host the Moodle LMS and LaaS integration. You need to recommendfrom a mix of on-premises private and third-party; or fully public cloud services; orhybrid (private clouds running on rented datacentres spaces). Your business analysisshould be based on five factors, namely, compliance, performance, privacy, cost, andcontrol. In your final recommendation, you should justify your selection in terms oftechnical issues concerning the security, responsiveness, reliability, scalability, andresiliency of the system. This is not a copy and paste activity. You shouldcontextualise your analysis and recommendation in accordance with TGUrequirements and goals.2. Using both the general and security requirements; and the background outlined in theintroduction of the case study, conduct a thorough analysis and design of the newnetwork infrastructure (Moodle and LaaS integration). As part of this, and based onyour recommendation on point 1 above, provide a logical network diagram beforeand after the change of the infrastructure. Make sure to use the recommendedinternal range of private IPv4 addresses. You may use Packet Tracer or any othernetwork diagram tool to draw your diagram.3. For the new network and system infrastructure, use the NIST Special Publication800-30 Guide for Conducting Risk Assessments  to recommend a cyber securityrisk mitigation strategy to TGU.4. Using the NIST Contingency Planning Guide 800-34, provide a tailored DisasterRecovery Plan (DRP) and a Business Continuity Plan (BCP)  that meets TGUbusiness goals.5. Based on your cyber security risk management approach in point 3 above, provide aproof of concept (PoC) to demonstrate the security of the Moodle LMS asimplemented in a four-tier architecture (see Figure 2).About the PoCThe Moodle security PoC is not expected to be a full-fledged production system but a proofof concept. To that end, you need to decide on your infrastructure, i.e. network hardware,load balancers, servers, virtual machines, firewalls, and storage to host and secure thesystem. There are many alternatives. For example, you could set up a small home Internetnetwork using three or four computers connected to a home router. You could also use ahypervisor like VirtualBox or VMware to create three or four instances of virtualisedmachines in your personal computer. However, given the popularity of cloud computingservices, you are encouraged to develop a small virtual private cloud using the free optionsFW- Firewall LB-Load Balancer WS-Web Server (Auto Scaling) App- Application Server DB-Database ServerFigure 2 Implementation Outline5 | P a g eNetworks and Information Security Case study – Copyright March 2020 © Edilson Arenas – CQUniversityof educational cloud computing services from OpenStack Public Cloud, Microsoft Azure,Google Cloud or Amazon Web Services (AWS). In this case, you need to carefully select thecomputing platform to host your system including operating systems, data, utilities,application engines, and databases.The PoC consists of three sub-tasks: 1. Moodle installation and configuration, 2. MoodleHardening, and 3. Vulnerability / Penetration Test, described next.1. Moodle installation and configurationDownload and install the Moodle package along with its associated software in the platformyou chose to demonstrate the PoC. Then, configure the application according to therecommendations given by the Moodle site. The Moodle site contains many communityresources and tutorials showing you how to do that.Using Figure 2 as a reference, provide a physical network diagram of your PoC labelling thetechnical components of your infrastructure including the interfaces, type of connections,operating systems, databases, servers, firewalls, etc.2. Moodle HardeningThe Moodle hardening process should be a holistic approach consistent with your cybersecurity risk management approach recommended in point 3 above. It should encompassten (10) system administration good practices aimed to make the Moodle system more solidand secure. These practices might include, but not limited to, data encryption, the use ofsecure protocols (HTTPs, SMTPs, etc), closing of unnecessary service ports, use of twofactor authentication, enforcement of strong password policies, automation of passwordrecovery and password change, change of SSH TCP port from the default 22 to a nonstandard TCP port, data backup and recovery automation, use of host-based IDSs andnetwork-based IDSs, configuration of firewalls and NATs, DHCP hardening, use ofwhitelisting, and organisation of users into groups.In hardening the Moodle system, you are required to explain how your Moodle securityimplementation protects against each of the security risks listed and compiled by OWASPtop 10 (Ten Most Critical Web Application Security Risks).3. Vulnerability / Penetration TestBased on your security risk management approach recommended in point 3 above, use freetools, for example Kali tools , to perform both vulnerability and penetration tests in yoursystem. You should perform 10 tests. For each test provide the following:a) a screen shot of the test,b) a short description of the test (what was the test about),c) the test activity (how the test was conducted),d) the desired outcome (expected result), ande) the observed outcome (what you found)6 | P a g eNetworks and Information Security Case study – Copyright March 2020 © Edilson Arenas – CQUniversityYou MUST use the accompanying MS WORD template found in the unit website to submityour final assignment. DO NOT CHANGE the format of the MS WORD template. Thetemplate is a specially formatted document that contains useful tips and important guidelinesto address the project requirements.For the latest information and supporting resources on this project, please refer to the unitwebsite.References M. Tawfik et al., “Laboratory as a Service (LaaS): A Novel Paradigm for Developing andImplementing Modular Remote Laboratories,” International Journal of Online Engineering(iJOE), vol. 10, no. 4, pp. 13–21, Jun. 2014. ‘Moodle – Open-source learning platform | Moodle.org’. [Online]. Available:https://moodle.org/. [Accessed: 10-Feb-2020]. ‘Guide for Conducting Risk Assessments | NIST’. [Online]. Available:https://www.nist.gov/publications/guide-conducting-risk-assessments?pub_id=912091.[Accessed: 10-Feb-2020]. ‘SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems |CSRC’. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final.[Accessed: 10-Feb-2020]. ‘Penetration Testing Tools – Kali Linux’. [Online]. Available: https://tools.kali.org/.[Accessed: 10-Feb-2020].
Let’s block ads! (Why?)