The Solution for The Cube Farm
There is no issue with the network topology in this corporation. Furthermore, it would be too costly to change the topology. It is much easier and more cost-efficient to fix the security issues found in the running configuration.
The security precaution that must be taken is secure passwords. The first step in correcting the security flaws in the router configuration is to ensure that the passwords cannot be easily discovered by hackers. To do so, it is imperative to enable service password-encryption so that passwords and other information valuable to hackers are not easily visible in plain text within the configuration. Next, both passwords should be changed to use upper and lower case as well as a combination of numbers and letters, to deter some brute-force attackers. The SNMP passwords need to be secured as well, to ensure that the SNMP service is not easily used to compromise the router.
The internal network should not be accessible from outside the internal corporate network. Instead of making the inside network directly accessible from the outside, NAT should be configured. With NAT configured, the internal network will remain hidden from potential attackers, significantly increasing the security of the corporate network.
As a recommendation, the routing protocol should be changed to EIGRP because it allows classless routing and is preferred to the now-obsolete IGRP. The 198.168.0.0 internal network should not be added to the network statement, so that it remains invisible to the outside networks for enhanced security.
The next security measure, which is particularly useful in this situation, is to configure security on the VTY lines to restrict Telnet access, which needs to be done in many stages. For efficient security, a user account should be configured with the highest privilege level, 15. The VTY lines also need to be configured for privilege level 15 access only. The VTY lines should also be configured to allow Telnet and SSH connections, with login local for local authentication. Using SSH allows for a more secure transfer of information. Access lists should be configured to ensure that only specified hosts can access the router via Telnet.
Lastly, to detect and prevent further intrusion on the corporate network, logging should be configured to a host or server on the internal network. This can be done by using intrusion detection software and would allow the administrator to receive alerts and messages based on network activity which is flagged as negative or harmful.
The changes have been implemented in a new configuration, and both the old and new configurations are included in this document. In the new configuration, the host which will log all harmful network traffic was configured as 10.1.1.2. Knowing this address is useful in the future: if the corporation needs to configure DHCP or NAT, it will be required to exclude the address from the DHCP pool.
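The recommendations above can be checked mechanically against a saved running configuration. The script below is an added example, not part of the original document or its configurations: the WEAK sample is constructed, its hostname and passwords are hypothetical, and treating "public"/"private" as the insecure SNMP case is an assumption.

```python
import re

# Constructed sample config for this example; not the document's old configuration.
WEAK = """hostname CubeFarm
enable password cisco
snmp-server community public RO
router igrp 10
 network 10.0.0.0
line vty 0 4
 password cisco
 login
"""

def blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            out[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            out.setdefault(current, [])
    return out

def audit(config):
    """Return one finding per recommendation from the text that the config misses."""
    cfg, found = blocks(config), []
    if "service password-encryption" not in cfg:
        found.append("service password-encryption is not enabled")
    if not any(re.match(r"username \S+ privilege 15 ", c) for c in cfg):
        found.append("no local privilege level 15 user account")
    if any(re.match(r"snmp-server community (public|private)\b", c) for c in cfg):
        found.append("SNMP community string is a well-known default")
    if any(c.startswith("router igrp") for c in cfg):
        found.append("obsolete IGRP in use; EIGRP recommended")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", c) for c in cfg):
        found.append("no logging host configured")
    for head, body in cfg.items():
        if head.startswith("line vty"):
            for need in ("login local", "privilege level 15"):
                if need not in body:
                    found.append(f"{head}: missing '{need}'")
            if not any(re.fullmatch(r"access-class \S+ in", b) for b in body):
                found.append(f"{head}: no inbound access-class")
    return found

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("FINDING:", finding)
```

Run against the constructed weak sample, it reports every item the text lists; a configuration that follows all the recommendations returns an empty list.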