Advanced Persistent Threat (APT) Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The aim of this report is to review and implement an appropriate level of security for the Merchiston Campus network of Edinburgh Napier University. The report evaluates the security level of the campus network and highlights certain vulnerabilities it is exposed to.

The security policy of Edinburgh Napier University is extremely important and therefore needs to be highlighted and explained. A risk analysis will help to identify the resources within the Merchiston campus that need to be protected with respect to confidentiality, integrity, availability, accountability and non-repudiation.

Advanced persistent threat (APT)

An advanced persistent threat (APT) is an attack in which an unauthorised party gains access to a network and remains undetected for an extended period. APTs are designed to steal data rather than to cause visible damage to the target organisation or network, and their main targets are large companies, banks and governments. The threat should be taken extremely seriously, and a dedicated team should be assigned to deal with it. By bypassing security controls, an APT can reach financial information, intellectual property, and business, employee and customer data. The attackers exploit a company's weaknesses, persist over a long time and penetrate deeply into the network. A company that wants to protect itself from APTs should follow the checklist below.

Create an inventory of the assets (data, systems, people etc.) that are at risk.

Research and deploy tools to detect and analyse APT activity.

Maintain backup systems.

Use external threat intelligence.

Train staff and raise their awareness of APTs.

Closed security stance

A closed security stance (default deny) describes how security measures are applied to a network: anything that is not explicitly permitted by the security policy is blocked. This is a sound measure because it limits malicious activity and denies access to unauthorised individuals such as hackers. It improves security considerably; its downside is that it reduces the functionality of the system, since every legitimate service must be explicitly allowed.

Research and design

Network security:

Network security is the level of assurance that all network devices operate as intended, achieved through a considered deployment of software and hardware that prevents attackers from breaking into the private network.

This may include:

To prevent unauthorised persons from attempting any malicious activity on the network.

To prevent users from performing attacks, whether with bad intentions or unintentionally, that may cause harm to the system.

To provide secure data outages.

To ensure that service is not interrupted.

Perimeter Router

The topology used on the Merchiston campus filters traffic from both sides and places a firewall appliance behind the perimeter router, as in the figure below. The perimeter router marks the boundary between the outside and the inside network and acts as a screening device, passing all packets destined for the campus network to the firewall for further processing. The firewall provides additional security features: it can perform user authentication in addition to more in-depth packet filtering. A DMZ (demilitarised zone) sits between the internal and external networks. Resources such as the web server, FTP server and mail server are located in the DMZ so that they can be reached from both the Internet and the internal network.

The topology of Merchiston campus

The devices and technology used in the topology

The Firewalls:

A firewall is a software or hardware barrier between an internal (trusted) network and an external (untrusted) network. In this sense, a firewall is a set of related programs that enforce an access control policy between two or more networks.

The Merchiston campus topology uses a Cisco PIX firewall to filter traffic both entering and leaving the private network. The router is the device that represents the boundary between the outside and the inside network.

The firewall is the perimeter at which access control lists specify the permissible traffic.

The firewall rules in this topology are:

Direct traffic from the untrusted network to the trusted network is forbidden.

Access to the DMZ from the outside is authorised.

Justification for firewalls:

It provides part of the required security between the internal network of an enterprise and an external network. A firewall can be configured to allow Internet access to the public servers while blocking or filtering access to other protected resources. Firewalls provide the following:

• Capability to inspect all inbound/outbound traffic

• Generation of audit systems and message logs

• Support of organizational security policy

Disadvantages of Firewalls:

Attackers can compromise the firewall itself; a skilled attacker who does so may be able to compromise the information system and cause damage before being detected. Backdoors (trapdoors) left in the firewall or its configuration are potentially easy entry points for attackers.

Firewall Types:

Two solutions can be implemented within the network: the server-based (software-based) firewall and the network-based firewall. The network-based firewall is usually the better solution, because it is faster and more efficient and suits both small and large companies.

There are two main categories of firewalls:

Software-based firewall

These are also known as server-based firewalls: software applications installed on an existing operating system such as UNIX or Windows Server, as shown in the figure below. Advantages of server-based firewalls are:

• Lower initial cost

• Good for small networks

• The firewall can be combined with other applications on the same host, such as an FTP server (though every extra service on the firewall host enlarges its attack surface)

• They are available in both small office/home office and enterprise editions.

Examples of server-based firewalls are:

• Check Point firewall

• Microsoft ISA server

• Novell Border Manager

• Linux ipfwadm

Figure 4 - Software-Based/server-based firewall

Hardware-based firewalls

These are also called dedicated firewalls: devices on which the firewall software comes preinstalled on a specialised hardware platform (Cisco PIX, NetScreen, SonicWALL, WatchGuard), as shown in the following figure.

Figure 5 - Hardware-Based/Dedicated firewall

Firewall operation:

The firewall in the Merchiston network must be capable of dealing with traffic at the application layer (layer 7 of the OSI model), because the web server and the mail server will receive many connections from inside and outside. The firewall can then inspect packet contents for possible malicious software, although an IDPS is better suited to inspecting and blocking packets at layer 7.

Cisco PIX firewalls are high-performance security devices. They are easy to install, although a minimum of Cisco knowledge is required, and they protect the internal network from outside attacks while also reducing unwanted traffic inside the network.

The PIX runs a dedicated real-time security operating system and is very efficient. It is aimed at small and medium-sized companies and supports IPsec virtual private networks.

The Cisco PIX firewall implemented in this topology is the device that handles the layer 7 traffic to and from the web server and the mail server described above.

The performance of the firewall: remote access to the Merchiston network must be provided, and a VPN is used to secure those connections across the insecure public network. The firewall must therefore support IPsec VPN termination. The number of concurrent connections the firewall can handle is also very important, since it must deal with many connections.

The router:

The Cisco 7200 series router used in this topology provides exceptional routing and processing performance, modularity and scalability. It provides IPsec VPN and high-performance encryption, key generation and compression services for site-to-site VPN applications.


A simple definition of a VPN is a private network that uses a public network to create a safe remote connection between hosts belonging to the same organisation.

Only users or groups registered in the VPN can access it (authentication). The data passes through a tunnel after being encrypted (encryption).

In a few words, it is a secure connection through the chaos of the public network (the Internet).

In the Merchiston network the use of a VPN seems appropriate, as it allows staff to access the network remotely in a secure way.

Even though we have mentioned the great advantage of implementing a VPN in a network, we will not actually implement it in the Merchiston network. The Cisco VPN Client provides encrypted connections for remote employees; it can establish IPsec VPN connections through a PIX/ASA firewall or an IOS router, and it is multi-platform software available for Windows, Mac and Linux.

The egress and ingress traffic at the Merchiston network

Both ingress and egress filtering are provided on the Merchiston campus to protect the private network efficiently. The first step in implementing ingress and egress filtering is the security policy, which gives the guidelines and procedures to follow and defines what kind of traffic may enter and leave the network.

Example of egress and ingress filtering is explained in the diagram below

Ingress filtering

According to the security policy, ingress filtering should:

Prevent any IP packet with an untrusted (spoofed or reserved) source address from entering the trusted network.

Analysis of the Merchiston campus makes it clear that the network must be protected from denial of service attacks, one of the most common attacks against a network.

This type of attack is aimed directly at the availability of the assets in the network (for example, the attack on Sony last year, which left some services unavailable for several weeks).

Figure 8 - IP spoofing attack

The egress filtering

Egress filtering helps to ensure that unauthorised or malicious traffic never leaves the internal network: any packet leaving the Merchiston network with a source address that is not a legitimate address of the private network is dropped. The border router and the firewall in the Merchiston network are also configured not to forward directed broadcast packets.

ICMP can be used to send packets to a broadcast address to test connectivity. The Smurf attack abuses this: the attacker sends ICMP echo requests to the broadcast address of a subnet with a spoofed source address, that of the real target, so that every host on the subnet replies to the victim.

Figure 9 - Smurf Attack

The design of the Network

The design of the Merchiston network has been based on sound ingress and egress filtering and on the devices and technologies described above. There are several possible designs; the most significant and simplest was chosen. The decision to install the router as the boundary (edge) router is based on several sources, and there are several reasons for placing a perimeter router directly after the WAN link instead of a firewall.

The router forwards and filters traffic at layers 3 and 4, so a balance can be found between routing and filtering, whereas the firewall is dedicated to filtering and thus to protecting the network. This is why the router is described as a stateless filter and the stateful firewall is used as the next line of defence.


The Cisco 7200 router is efficient because it supports Multiprotocol Label Switching (MPLS), which categorises and prioritises data by importance using labels and increases forwarding speed through the router. The router is suitable for inspecting packets travelling from the untrusted network to the trusted network and vice versa. The firewall protects the different branches of the network, providing defence in depth. This configuration can be combined with a proxy server and Network Address Translation to hide private IP addresses from the outside (Internet).

The database server and the authentication server are placed on the inside (private) network, the most secure branch of the network (security level 100). Network management must not be compromised by an attacker. The database server holds sensitive data such as personal data, and under the Data Protection Act (1998) such data, particularly data relating to the privacy of individuals, must be processed securely.

The authentication server is also part of the most secure branch of the network, even though a secure VPN tunnel lets remote staff access the network securely.

The student lab and the staff networks are allocated different subnets and are protected by appropriate device configuration.

When some machines on the internal network need to be reachable from outside (web server, mail server, public FTP server etc.), it is often necessary to create a new interface to a network reachable from both the internal network and the outside without compromising the security of the organisation. The DMZ is this secure, isolated area hosting the application servers available to the public.

The DMZ contains the public web server and the public mail server. It is the network area that is only partly trusted (security level 50), because it provides services both to the Internet, which carries risk, and to the private network.

The security policy for the DMZ is given below:

Traffic from the private network to the DMZ is authorised.

Traffic from the external network (Internet) to the DMZ is authorised.

New connections from the DMZ to external addresses are forbidden, since they may originate from a compromised server being used by an attacker, for instance to launch a SYN flood. Replies belonging to sessions that were initiated from outside are still passed by the stateful firewall.

New connections from the DMZ to the internal private network are forbidden, since they may be the origin of an IP spoofing attack targeting the internal network.


Router configuration

The first device in this topology to be configured is the edge router. Access control lists (ACLs) are the mechanism that specifies the rules on the router.

Define what kind of traffic is allowed and denied on the router, then use ACLs to apply the proper rules on the router interface for that traffic.

Validate the source addresses arriving on interface fa0/0, because denial of service attacks typically use fake source IP addresses to hide the origin of the attack. Such addresses are usually selected from reserved address ranges. According to Team Cymru Community Services, 66% of DoS attacks use private addresses, and half of these use the class D or E address ranges.

RFC 1918, "Address Allocation for Private Internets", defines the IP address ranges that may be used only within a private network. These addresses are not routed across the Internet. Other ranges that should never appear as a source address on inbound traffic include:

Loopback addresses

Multicast addresses

The router uses NAT to translate internal private (non-routable) IP addresses to external (routable public) IP addresses. NAT was created to address the shortage of IPv4 addresses; as a side effect it provides some security by hiding internal private addresses from the outside world (Internet), although it is not a substitute for filtering.

The ACLs are applied on the Fa0/0 of the boundary router:

An extended ACL is more appropriate because it matches on source and destination IP addresses and on source and destination ports, i.e. it works at layer 4 as well as layer 3.

Therefore we want to block any traffic arriving from the Internet that carries a local (campus or private) source address, because, as explained above, it may be a DoS attack.

ACLs applied to the perimeter router are given below:

IP access-list extended external-ingress-traffic

deny ip any log

deny ip any log

deny ip any log

deny ip any log

permit ip any any

The access list above denies those source addresses and permits all other traffic through the router.

Ingress traffic from the Internet enters at the boundary router interface, where it is filtered. These access lists also log each matching packet to the management console whenever a packet from the private address space above tries to enter the campus network. Logging all connection attempts that spoof local addresses also helps to detect someone disconnecting the router's Internet link and plugging it into their own network (a fake gateway or man-in-the-middle attack), but it is not complete protection against all attacks.

The administrator can watch the traffic whenever the router generates an alert. The administrator also connects to the router remotely using SSH.

On Fa0/0 of the router, the following ACL is applied outbound to permit traffic from the private network, with its legitimate source addresses, to the Internet.

IP access-list extended external-egress-traffic

Permit IP any

Deny IP any

On the interface Fa1/0 of the router, the following ACL is applied to give access the internal network users to the Internet:

IP access-list extended internal-ingress-traffic

Permit IP any

Deny IP any

The router itself can be attacked using IP spoofing. An attacker may send packets carrying a source address from the private network so that they are treated as internal traffic, and may try to alter routing tables so that the replies are returned to the attacker.

ICMP can be really dangerous for the Merchiston campus. Its main function is to check whether connectivity exists between hosts on a network, but an attacker can use it to perform a Smurf attack.

In a Smurf attack the attacker sends ICMP echo requests to the broadcast address of a subnet with a spoofed source address, that of the real target, which may be inside or outside the network; every host on the subnet then replies to the target.

The access lists above mitigate the Smurf attack because the router only lets packets with legitimate private source addresses leave the internal network, which protects targets outside the private network. By dropping directed broadcasts and spoofed sources on ingress, the perimeter router also prevents a Smurf attack from targeting a host inside the private network.
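As an added example (not part of the original report), the following Python script models the perimeter router's ingress and egress policy from the ACLs above and the Smurf discussion: it rejects inbound packets carrying RFC 1918, loopback, multicast, class E or campus source addresses, rejects inbound directed broadcasts (the Smurf amplifier), rejects outbound packets whose source is not a campus address, and flags an outside address that is receiving echo replies from many campus hosts, which is what a Smurf victim sees. The campus prefix 192.0.2.0/24 (RFC 5737 documentation space) and all packet records are constructed assumptions, not addresses from the report.

```python
"""Ingress/egress filter model for the perimeter router (added example).

Not the report's configuration. The campus prefix and every packet record
are ASSUMED (RFC 5737 documentation addresses).
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

CAMPUS_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # ASSUMED public campus prefix

# Source ranges that must never arrive from the Internet (bogons).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8",                                      # loopback
    "224.0.0.0/4",                                      # multicast (class D)
    "240.0.0.0/4",                                      # reserved (class E, incl. 255.255.255.255)
    "0.0.0.0/8",                                        # "this" network
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_SOURCES)


def filter_ingress(pkt: Packet) -> Tuple[str, str]:
    """Policy for packets arriving from the Internet on the outside interface."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if is_bogon(pkt.src):
        return "deny", "bogon source"
    if src in CAMPUS_PREFIX:
        return "deny", "spoofed campus source from outside"
    if dst in (CAMPUS_PREFIX.broadcast_address, CAMPUS_PREFIX.network_address):
        return "deny", "directed broadcast (Smurf amplifier)"
    return "permit", "ok"


def filter_egress(pkt: Packet) -> Tuple[str, str]:
    """Policy for packets leaving towards the Internet: the source must be ours."""
    if ipaddress.ip_address(pkt.src) not in CAMPUS_PREFIX:
        return "deny", "source is not a campus address (spoofed or leaked private)"
    return "permit", "ok"


def audit(packets: List[Packet], policy: Callable[[Packet], Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for every packet the policy denies, in order."""
    denied = []
    for p in packets:
        verdict, reason = policy(p)
        if verdict == "deny":
            denied.append((p.src, p.dst, reason))
    return denied


def smurf_victims(egress: List[Packet], min_sources: int = 3) -> List[str]:
    """Outside addresses receiving echo replies from many distinct campus hosts."""
    repliers: Dict[str, Set[str]] = {}
    for p in egress:
        if p.proto == "icmp" and p.icmp_type == 0 and ipaddress.ip_address(p.src) in CAMPUS_PREFIX:
            repliers.setdefault(p.dst, set()).add(p.src)
    return sorted(d for d, s in repliers.items() if len(s) >= min_sources)


# Constructed sample traffic (not captured from the campus network).
SAMPLE_INGRESS = [
    Packet("10.1.2.3", "192.0.2.10", "tcp"),           # RFC 1918 source from the Internet
    Packet("203.0.113.7", "192.0.2.10", "tcp"),        # legitimate client
    Packet("192.0.2.44", "192.0.2.10", "tcp"),         # our own prefix arriving from outside
    Packet("203.0.113.9", "192.0.2.255", "icmp", 8),   # echo request to our broadcast address
    Packet("224.0.0.5", "192.0.2.10", "udp"),          # multicast source
]
SAMPLE_EGRESS = [
    Packet("192.0.2.10", "203.0.113.7", "tcp"),        # legitimate outbound session
    Packet("198.51.100.3", "203.0.113.7", "udp"),      # spoofed source leaving the campus
    Packet("10.0.0.5", "203.0.113.7", "udp"),          # leaked private address
] + [Packet(f"192.0.2.{i}", "203.0.113.50", "icmp", 0) for i in (11, 12, 13, 14)]  # reply fan-in

if __name__ == "__main__":
    print("ingress denied:", audit(SAMPLE_INGRESS, filter_ingress))
    print("egress denied:", audit(SAMPLE_EGRESS, filter_egress))
    print("smurf victims:", smurf_victims(SAMPLE_EGRESS))
```

The egress rule is deliberately positive (only campus sources may leave) rather than a list of bad prefixes, which is what makes it catch both spoofed public sources and leaked RFC 1918 addresses with one check; the fan-in detector complements the filters because a Smurf amplification run from the campus consists of individually valid packets.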

The firewall Configuration.

The idea of implementing a firewall is to filter all the traffic on the different segments of the network. Based on the security policy, it is necessary to describe what type of traffic is allowed or denied and then to create the firewall policy guidelines and procedures. The security policy has been derived from a security risk analysis of the threats and vulnerabilities in the Merchiston network.

The firewall policy for the Merchiston campus:

The firewall should check that traffic carries valid source and destination IP addresses; the localhost and broadcast addresses are invalid and are denied by the firewall. Invalid source addresses are restricted for both inbound and outbound traffic, especially inbound traffic (RFC 1918). Since NAT is applied at the perimeter, ingress traffic with a private destination IP address and egress traffic with an internal (untranslated) source IP address must be stopped.

Invalid source addresses must be blocked when leaving the network, and broadcast addresses from the outside destined for the private network are blocked as well.

No traffic addressed to the firewall itself is permitted from the outside, because the PIX can run out of memory and can therefore be targeted by DoS attacks.

The restriction can be applied both to traffic from outside to inside the network and from inside to outside, if required.

The firewall should also deal with the ICMP protocol.

Rules should limit the rate of ICMP requests or incoming ICMP traffic, since it may come from an attacker performing host discovery to find live systems on the network. Ping can also be used to send many ICMP packets with a spoofed source address to attack a precise target in the network (Smurf attack).

According to the National Institute of Standards and Technology, ICMP messages carry specific type and code values that can be recognised on the network, so only the necessary types should be permitted. ICMP type 3 (destination unreachable) messages are used for network diagnosis and should not be blocked. Ping uses ICMP type 8 (echo request) and serves the same diagnostic purpose.


TCP and UDP are the transport layer protocols that create communication sessions across the network. There are many well-known ports, e.g. the web server uses port 80, the Simple Mail Transfer Protocol (SMTP) uses port 25 and Telnet uses port 23.

Some applications, such as FTP, use multiple ports. The DMZ subnet contains the web server and the mail server, which must be reachable from both inside and outside the Merchiston campus. The PIX stateful firewall tracks sessions at layers 3 and 4 and, for protocols such as FTP, inspects the application layer so that the dynamically negotiated data port can be opened, unlike the stateless router.

Before applying any rules, the Adaptive Security Algorithm (ASA) must be configured: a security level is assigned to each firewall interface so that the firewall distinguishes each segment of the network from the Internet and, by default, drops any packet coming from the untrusted network (Internet) towards a more trusted one.

Pix (config) # interface Ethernet0

Pix (config-if) # nameif outside

Pix (config-if) # IP address

Pix (config-if) # no shutdown

Outside means security level 0, which is not trusted at all.

The management network has been assigned a separate subnet on VLAN 50 and the maximum security level, since all devices are monitored and managed remotely from it; the aim is to keep it from being compromised or disrupted from the untrusted network and from the subnets that are allowed to reach it. e3 = security level 100.

The DMZ network has two subnets (web server and email server), created as two separate VLANs (VLAN 20, VLAN 10). The DMZ hosts the public-facing servers and sits between the private network and the Internet. Because hosts on the outside network can reach the web server, an intermediate security level is applied to this subnet. e2 = security level 50.

On e4, four subnets are used (student, staff, database server and authentication server) on four separate VLANs (VLAN 70, VLAN 60, VLAN 30, VLAN 40). These subnets are considered more secure than the DMZ and as secure as the network management subnet; they have security level 100.

Configuring the ICMP packets to test connectivity between hosts on Merchiston network.

The PIX blocks all traffic coming from a less secure interface to a more secure one unless it is explicitly permitted. If we test connectivity from the network management subnet to the DMZ, the echo request is allowed out, but the echo reply coming back from the lower-security interface is dropped, so there is no reply. The same happens from network management to the edge router.

Therefore we have to make sure that hosts inside the private network receive the replies to their pings without the perimeter firewall blocking them.

Here is the ACL for each interface:

On e0, a ping from the inside network can reach the router and the reply is let back in. Other ICMP types are not permitted, since they may be hostile to the firewall.

access-list ICMP_REPLY extended permit icmp any any echo-reply

access-list ICMP_REPLY extended permit icmp any any source-quench

access-list ICMP_REPLY extended permit icmp any any unreachable

access-list ICMP_REPLY extended permit icmp any any time-exceeded

access-group ICMP_REPLY in interface outside

The management network (virtual machine) should be able to send ICMP packets to the DMZ web server or any other branch of the network and receive a reply, because it has the highest security level. The same ACL entries should be applied on those interfaces; it can then be observed that only the management network can send packets to the DMZ and get a reply back.

On e2, the following access list was applied:

access-list ICMP_REPLY extended permit icmp echo-reply

access-list ICMP_REPLY extended permit icmp source-quench

access-list ICMP_REPLY extended permit icmp unreachable

access-list ICMP_REPLY extended permit icmp time-exceeded

access-group ICMP_REPLY in interface DMZ

If the student lab needs access to the DMZ, the same rules must be applied on interface e2, but with the student subnet as the source address.

Because of the security-level rules on the PIX firewall, the Internet VM does not have access to the web server or the mail server. Access from remote users to the public-facing servers in the DMZ, with return traffic, needs to be allowed.

The following ACL rule is applied on the e0 to allow the traffic through the PIX firewall.

Access-list inbound extended permit tcp any host eq 25

Access-list inbound extended permit tcp any host eq 80

As mentioned earlier in this report, new traffic generated from the DMZ towards the external and internal networks is not allowed, as it may be a SYN flood attack or an IP spoofing attack. To counter these threats, the following ACL is defined on the firewall.

On interface e2:

access-list OUTBOUND extended deny ip any any

access-group OUTBOUND in interface DMZ

The public servers in the DMZ can now be reached from inside the private network. For the staff network:

access-list DMZ extended permit tcp host eq 80

access-list DMZ extended deny ip any any

access-group DMZ in interface e4

For the student network the same ACL rules should be applied:

access-list DMZ extended permit tcp host eq 80

access-list DMZ extended deny ip any any

access-group DMZ in interface e4

The same ACL rules can be created to give staff and students access to the mail server.

On the firewall, the ACL that defines the traffic from inside to the outside should be created:

access-list INTERNET extended permit tcp host eq 80

access-group INTERNET out interface e4
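To make the interaction of security levels, ACLs and stateful inspection in the configuration above concrete, the following Python model is an added example, not the report's configuration and not Cisco code. It reproduces the three behaviours the configuration relies on: with no ACL bound, the PIX only passes traffic from a higher to a lower security level, so the echo reply to a management ping into the DMZ is dropped until an ICMP_REPLY entry permits it; an inbound ACL on the outside interface admits ports 25 and 80 to the DMZ servers, and the connection table passes the return traffic even though the DMZ interface denies new connections; and a new connection from the DMZ into the inside is denied. Host addresses (RFC 5737 documentation space) and port numbers are assumptions.

```python
"""Model of PIX security levels, inbound ACLs and the connection table.

Added example for illustration; not the report's configuration and not
Cisco code. Host addresses are ASSUMED (RFC 5737 documentation space).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Interface security levels from the report's design (0 = untrusted, 100 = most trusted).
SECURITY_LEVEL = {"outside": 0, "DMZ": 50, "inside": 100}

WEB = "192.0.2.80"        # ASSUMED: public web server in the DMZ
MAIL = "192.0.2.25"       # ASSUMED: public mail server in the DMZ
MGMT = "192.0.2.200"      # ASSUMED: management host on the inside
CLIENT = "203.0.113.7"    # ASSUMED: a host on the Internet


@dataclass(frozen=True)
class Flow:
    src_if: str          # interface the packet arrives on
    dst_if: str          # interface it would leave by
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1  # 8 echo request, 0 echo reply, 3 unreachable, 11 time exceeded


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: int = 0       # 0 = any destination port
    icmp_type: int = -1  # -1 = any ICMP type

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto) and self.src in ("any", f.src)
                and self.dst in ("any", f.dst) and self.dport in (0, f.dport)
                and self.icmp_type in (-1, f.icmp_type))


class Pix:
    def __init__(self) -> None:
        self.acls: Dict[str, List[Rule]] = {}                # one inbound ACL per interface
        self.conns: Set[Tuple[str, str, str, int]] = set()  # (client, server, proto, server port)

    def access_group(self, ifname: str, rules: List[Rule]) -> None:
        # "access-group NAME in interface IFNAME": binding a second list replaces the first.
        self.acls[ifname] = rules

    def decide(self, f: Flow) -> str:
        # Stateful step: TCP/UDP packets of an established connection bypass ACLs and
        # security levels. ICMP is not tracked here (PIX without ICMP inspection),
        # which is why echo replies need an explicit ACL entry.
        if f.proto in ("tcp", "udp") and (f.dst, f.src, f.proto, f.sport) in self.conns:
            return "permit"
        rules = self.acls.get(f.src_if)
        if rules is None:
            # No ACL bound: the security-level rule decides (higher may talk to lower).
            verdict = "permit" if SECURITY_LEVEL[f.src_if] > SECURITY_LEVEL[f.dst_if] else "deny"
        else:
            # A bound ACL replaces the security-level rule: first match wins, implicit deny.
            verdict = next((r.action for r in rules if r.matches(f)), "deny")
        if verdict == "permit" and f.proto in ("tcp", "udp"):
            self.conns.add((f.src, f.dst, f.proto, f.dport))
        return verdict


def ping_reply_without_acl() -> Tuple[str, str]:
    """Management pings the DMZ web server with no ACL bound: request out, reply dropped."""
    pix = Pix()
    req = Flow("inside", "DMZ", MGMT, WEB, "icmp", icmp_type=8)
    rep = Flow("DMZ", "inside", WEB, MGMT, "icmp", icmp_type=0)
    return pix.decide(req), pix.decide(rep)


def build_report_policy() -> Pix:
    """Bind the report's outside and DMZ lists (one inbound list per interface)."""
    pix = Pix()
    pix.access_group("outside", [Rule("permit", "tcp", dst=MAIL, dport=25),
                                 Rule("permit", "tcp", dst=WEB, dport=80)])
    # The ICMP_REPLY entries and the OUTBOUND deny must live in one list on the DMZ interface.
    pix.access_group("DMZ", [Rule("permit", "icmp", icmp_type=0),   # echo-reply
                             Rule("permit", "icmp", icmp_type=3),   # unreachable
                             Rule("permit", "icmp", icmp_type=11),  # time-exceeded
                             Rule("deny", "ip")])                   # no new connections out
    return pix


def web_session_from_internet(pix: Pix) -> Tuple[str, str]:
    """Internet client opens TCP/80 to the web server; the SYN/ACK returns via the connection table."""
    syn = Flow("outside", "DMZ", CLIENT, WEB, "tcp", sport=40000, dport=80)
    synack = Flow("DMZ", "outside", WEB, CLIENT, "tcp", sport=80, dport=40000)
    return pix.decide(syn), pix.decide(synack)


def dmz_initiated_to_inside(pix: Pix) -> str:
    """A (possibly compromised) DMZ server tries to open SSH to the management host."""
    return pix.decide(Flow("DMZ", "inside", WEB, MGMT, "tcp", sport=40001, dport=22))


def ping_reply_with_acl(pix: Pix) -> Tuple[str, str]:
    """Same ping as before, now with the ICMP_REPLY entries bound on the DMZ interface."""
    req = Flow("inside", "DMZ", MGMT, WEB, "icmp", icmp_type=8)
    rep = Flow("DMZ", "inside", WEB, MGMT, "icmp", icmp_type=0)
    return pix.decide(req), pix.decide(rep)
```

Two points of the model matter in practice: a PIX accepts only one inbound access group per interface, so binding OUTBOUND on the DMZ interface after ICMP_REPLY silently replaces it, and the entries must be merged into a single list as above; and because only TCP/UDP sessions are in the connection table here, the ICMP reply entries are what let a higher-security host see its own ping answered.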

Securing Management Subnet

ACL rules are now configured on the firewall to give access to the management subnet.

The firewall must be told that network management will use SSH to access all Merchiston network devices remotely and securely, and how those SSH users are authenticated.

SSH Protocol authentication

To access the different devices on the network securely, SSH is considered the safest protocol. Telnet is not secure because all its traffic travels across the network in clear text and can be intercepted by an attacker using a sniffer such as Wireshark. It is therefore more appropriate to use a protocol such as TLS or SSH, which encrypts the session:

When an SSH session is initiated, the client (the network management host) and the server (here the PIX) negotiate a session key using the server's public host key; a symmetric cipher such as 3DES (plain DES is obsolete and should not be used) then encrypts everything exchanged in the session, including the login name, the password and the data ( we did not implement anything on the Firewall)

Local authentication

username admin password cisco123 - create a local username and password pair (a strong password should replace this example)

aaa authentication ssh console LOCAL - configure the firewall to authenticate SSH users against the local database

aaa authentication enable console LOCAL - authenticate the enable password against the local database

aaa local authentication attempts max-fail 5 - lock the account after five failed attempts

Authentication using AAA server (External)

AAA supports the RADIUS and TACACS+ authentication protocols.

Configuration of the AAA server is given below

SSH authentication server

http server enable

aaa-server JOHNER protocol tacacs+

aaa-server JOHNER (inside)

key verycomplex

aaa authentication ssh console JOHNER local

aaa authentication enable console JOHNER local

ssh inside - enable SSH access on the inside interface

The password used for Telnet (passwd) can then also be used for SSH.

Telnet can be configured in the same way; an SSH client must be installed on the management PC.

Configuration of the authentication server in the network management subnet.

TACACS+ is used for authentication, authorization and accounting.

For example, a remote user tries to access the Merchiston network remotely.

The authentication process follows a scenario similar to this one:

A remote-access VPN is used to establish a connection from outside to the inside network. The remote user must authenticate before the VPN connection is allowed, so TACACS+ and the remote-access VPN are used together for remote connections from outside the Merchiston campus.


In today's advanced world, the security of computers and network devices plays an essential role in avoiding risks to the confidentiality, integrity and availability of the entire system.

For this reason it is important to make sure that the systems in place are secure and in good working condition; network security has been addressed at different levels, including significant protection of the private network.

While the router is a device dedicated to routing traffic between the different public and private networks, it has been really useful to see in this report how to configure a firewall and how it helps to protect every part of the network.

The report was also an opportunity to review all the labs in the network security module, which helped to clear up some dark points in network security.

Many problems were faced during the firewall configuration: several virtual machines and servers could not run properly and froze most of the time, and there was a lack of knowledge about how to configure NAT, VLANs etc.

