Document Details

Document Type : Thesis 
Document Title :
Analyzing security and performance of networks applying different network security architecture best practices
تحليل أمن وأداء الشبكات لتطبق أفضل معمارية لأمن الشبكات
 
Subject : Faculty of Engineering 
Document Language : Arabic 
Abstract : Today, network security is one of the most prominent issues to be considered in networks. In general, network security depends on three main factors: network design, appropriate equipment, and trained personnel. Attacks against networks are designed to disrupt network services by either destroying data or disrupting network devices. The data and important equipment are usually contained in what are known as data centres, which are the most important parts of client-server networks. For secure data centre design, risk analysis should be conducted to find the risks involved in potential attacks and to determine the security policies of the data centre. In this work, we propose a network design that provides a higher security level for the data centre without affecting network performance, using the demilitarized zone (DMZ) concept and virtual LANs (VLANs), and then evaluate the improvement using a risk analysis technique. Through our research, we designed three networks with different security ratings. The networks are built in GNS3, and the core of each design consists of 4 servers (web server, email server, web application, domain controller) plus other network devices that depend on the design. Servers, users, and hackers are implemented as virtual machines in VMware Workstation. Each device is connected to GNS3, and penetration is tested using Kali Linux on a virtual machine. Penetration is then tested over the HTTP, FTP, and SMB protocols. The first design is the least secure for the following reasons. The network does not contain any firewall to secure and filter traffic. It depends only on the router access list, which is unsafe because it is highly vulnerable to IP spoofing attacks. The design is also not secure because all servers are on the same network, even though there is a public server connected to the Internet. The risk is that a hacker who gains access to any public server can then access the other servers, which are considered internal servers.
The second design offers average security because it contains a firewall that filters traffic and prevents unwanted traffic and malicious activities from occurring in the network. The third design is considered an advanced secure design: it has two firewalls, one a multilayer (stateful) firewall and the other a Next Generation Firewall (NGFW), and the public servers are isolated in a separate zone and subnet, called the DMZ, because they are accessible from outside (the Internet); we isolated them to reduce and mitigate the risks. We attempted to conduct a port scan. This provided us with a listing of listening ports, which could be used to further target the web server. We set up a targeted attack against this system and scanned the target using OWASP-ZAP to find any vulnerability in the website, which revealed two major weaknesses: Path Traversal (CWE-22) and SQL injection (CWE-89). We tried to exploit the path traversal weakness and reached the intranet site through the vulnerability. After we made sure that the path traversal vulnerability was exploitable, we used exploit code in Metasploit to get unauthorized access to the web server. We observed the following for the three network designs. In the first design, a hacker who gains access to the public server can reach all the machines in the network and can use the compromised machine to reach the others, so the design is not secure. The second design offers average security because it contains a firewall that filters traffic and prevents unwanted traffic and malicious activities from occurring in the network. The third design has a next-generation firewall (NGFW), which can prevent application and network attacks and has many features such as URL filtering, antivirus, IPS, etc. From these results, we have come up with a set of recommendations. All public servers connected to the Internet must be isolated and placed in a DMZ zone.
The firewall must be configured to allow only traffic from the Internet to the DMZ zone, and to stop all traffic sent to the LAN. The firewall must be configured to allow LAN users to access the Internet through HTTP and HTTPS. All network users must be placed in VLANs. All websites and the web application must be secure, and all detected security vulnerabilities must be fixed before the application is deployed. Finally, the web server must be secured by a web application firewall to prevent all application attacks (SQL injection, XSS, CSRF, etc.).
Supervisor : DR. NAIF DEAFALLA HILAL ALOTAIBI 
Thesis Type : Master Thesis 
Publishing Year : 1440 AH / 2019 AD
 
Added Date : Monday, March 4, 2019 

Researchers

Researcher Name (Arabic) : ماجد محمد العنـزي
Researcher Name (English) : Al - Anezi, Majed Mohammed
Researcher Type : Researcher
Dr Grade : Master
Email :

Files

File Name : 44008.pdf
Type : pdf
Description :
