Opening Framing: Putting It All Together
Over the past eleven weeks, you've built a comprehensive understanding of network security: protocols, addressing, attacks, defenses, and monitoring. Now it's time to apply all of this knowledge in a realistic capstone project.
You'll conduct a network security assessment—the type of engagement that security professionals perform regularly. This involves reconnaissance, traffic analysis, vulnerability identification, and producing a professional report with findings and recommendations.
This capstone demonstrates your ability to think both offensively (finding weaknesses) and defensively (recommending improvements). It's the culmination of your networking security education.
Key insight: Real security work combines technical skills with communication skills. Finding vulnerabilities is only half the job; explaining them clearly is equally important.
Capstone Requirements
Your capstone must demonstrate proficiency across the course learning outcomes. The assessment includes multiple phases:
Phase 1: Reconnaissance (LO1, LO8)
- DNS enumeration of target domain
- Network mapping and host discovery
- Service identification and version detection
- Document all findings systematically
Phase 2: Traffic Analysis (LO2, LO3)
- Capture network traffic (provided PCAPs or your own lab)
- Analyze protocols and identify security concerns
- Extract indicators of compromise
- Document suspicious patterns
Phase 3: Security Configuration Review (LO4, LO6)
- Assess firewall rules for weaknesses
- Review network segmentation design
- Evaluate email authentication (SPF/DKIM/DMARC)
- Check for security header implementation
Phase 4: Detection Assessment (LO5)
- Analyze IDS alerts from sample traffic
- Identify true vs. false positives
- Recommend detection improvements
Phase 5: Report and Recommendations (All LOs)
- Executive summary for leadership
- Technical findings with evidence
- Risk-prioritized recommendations
- Professional presentation
Option 1: Provided Lab Environment
Use provided materials to conduct your assessment:
Materials Provided:
- Target domain information for DNS reconnaissance
- PCAP files with network traffic to analyze
- Sample firewall ruleset to review
- IDS alerts to triage
- Network diagram to assess
Scenario:
You've been hired as a security consultant for Acme Corporation. They've experienced some suspicious network activity and want a comprehensive security assessment. Your job is to analyze their network, identify vulnerabilities, and provide recommendations.
Acme Corporation Network:
- Public web presence: www.acme-example.com
- Email domain: acme-example.com
- Internal network: 10.0.0.0/8
- DMZ: 172.16.0.0/24
- User subnets: 10.1.0.0/16, 10.2.0.0/16
- Server subnet: 10.10.0.0/24
Provided files:
- acme_traffic.pcap (network capture)
- acme_firewall_rules.txt (firewall config)
- acme_ids_alerts.json (Suricata alerts)
- acme_network_diagram.png
Option 2: Build Your Own Lab
Create your own assessment environment:
Lab Setup Requirements:
- At least 2 VMs (attacker/analyst and target)
- Network services running (web server, SSH, etc.)
- Firewall configured on target
- IDS monitoring traffic
Recommended Setup:
VM 1 - Kali Linux (Attacker/Analyst):
- Nmap, Wireshark, dig, curl
- Suricata for IDS analysis
VM 2 - Ubuntu Server (Target):
- Apache web server
- SSH server
- UFW firewall configured
- Sample vulnerable services (optional)
Network:
- Both VMs on same virtual network
- Or use VirtualBox/VMware host-only network
Alternative: Use Public Resources
DNS Reconnaissance:
- Use any public domain (with permission or your own)
- Document SPF, DKIM, DMARC, MX records
Traffic Analysis:
- Download PCAPs from malware-traffic-analysis.net
- Use Wireshark sample captures
Firewall Review:
- Create a sample ruleset to analyze
- Or find sample configs online
Assessment Methodology
Follow this structured approach for your assessment:
Day 1-2: Reconnaissance
```bash
# DNS Enumeration
dig [domain] ANY        # many resolvers answer ANY minimally (RFC 8482); query record types individually too
dig [domain] MX
dig [domain] TXT        # the SPF record (v=spf1 ...) lives here
dig _dmarc.[domain] TXT
# DKIM needs the selector name (the s= tag in a received message's DKIM-Signature header)
dig [selector]._domainkey.[domain] TXT
# Check Certificate Transparency
# https://crt.sh/?q=%.[domain]
# Network Discovery (lab only)
nmap -sn [target-network]
nmap -sV -sC [target-host]
# Document:
# - All discovered hosts
# - Open ports and services
# - DNS records and configuration
# - Email authentication status
```
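Documenting "email authentication status" means more than copying the TXT records into an appendix: the assessor has to say whether the published SPF and DMARC policies actually stop forged mail. The evaluator below is an added example, not course material; it takes the records as dig returns them (constructed sample values for acme-example.com, not the real domain) and reports the weak settings a reviewer looks for: a missing record, a permissive `+all`/`?all`/`~all` mechanism, too many DNS-lookup terms, a DMARC `p=none` policy, partial `pct`, or no aggregate-report address. The same check serves the Day 5 email security review.

```python
import re

# Constructed TXT records, in the form dig returns them; not real acme-example.com data.
SAMPLE_RECORDS = {
    "acme-example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"],
    "_dmarc.acme-example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@acme-example.com"],
}

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)

def check_spf(txt_records):
    """Findings for a domain's SPF record(s); an empty list means nothing weak was seen."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published; receivers cannot reject forged senders"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (RFC 7208 treats this as permerror)")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # default is pass
        if qualifier == "+":
            findings.append("SPF: '+all' authorises any host to send as this domain (critical)")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and provides no protection")
        elif qualifier == "~":
            findings.append("SPF: '~all' soft fail; move to '-all' once DMARC is enforced")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(txt_records):
    """Findings for the _dmarc TXT record; p=none and partial enforcement are flagged."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at the _dmarc subdomain"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings

def assess_email_auth(domain, records):
    """SPF and DMARC findings for one domain, given a {name: [txt, ...]} map of its records."""
    return check_spf(records.get(domain, [])) + check_dmarc(records.get(f"_dmarc.{domain}", []))

if __name__ == "__main__":
    for finding in assess_email_auth("acme-example.com", SAMPLE_RECORDS):
        print(finding)
```

Feed it the TXT strings from your own `dig` output (one list entry per record) and paste the findings straight into the Configuration Review section; each line already names the record, the weak setting, and why it matters. DKIM is not evaluated here because a DKIM record can only be fetched once you know the selector.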
Day 3-4: Traffic Analysis
```bash
# Analyze PCAP in Wireshark
# Look for:
# - Unencrypted credentials
# - Suspicious connections
# - Malware indicators
# - Policy violations
# Protocol statistics
# Conversations view
# Follow streams
# Extract IOCs:
# - Suspicious IPs
# - Malicious domains
# - File hashes (if files extracted)
```
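Wireshark's "Follow TCP Stream" is the quickest way to eyeball one cleartext login, but a capture with hundreds of HTTP sessions (the example finding later on this page cites 847) needs something repeatable. The script below is an added example, not course code: it reads a classic libpcap file with nothing but the standard library, walks Ethernet/IPv4/TCP, and reports every port-80 request that carries credentials in a form body or a Basic `Authorization` header. The capture it analyses is constructed in code (an HR login like the one in Finding F1, plus a Basic-auth request to an external host), so it runs offline; point `iter_tcp_payloads` at `acme_traffic.pcap` to use it on the provided capture. It does not handle pcapng or TCP reassembly, so a login split across segments would need the request to be reassembled first.

```python
import base64
import struct
from urllib.parse import parse_qs

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip

def build_pcap(frames):
    """Little-endian libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP frame in a pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled by this example)")
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        doff = (frame[tcp + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[tcp + doff:]

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}   # assumed form field names
USER_FIELDS = ("username", "user", "email", "login")

def find_cleartext_credentials(pcap):
    """Report HTTP requests to port 80 whose form body or Authorization header carries credentials."""
    findings = []
    for src, dst, _sport, dport, payload in iter_tcp_payloads(pcap):
        if dport != 80 or payload.split(b" ", 1)[0] not in (b"GET", b"POST"):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) < 3:
            continue  # not a well-formed request line
        method, path = parts[0], parts[1]
        headers = {k.lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        host = headers.get("host", dst)
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            user = base64.b64decode(auth[6:]).decode("latin-1").split(":")[0]
            findings.append({"src": src, "host": host, "path": path, "kind": "basic-auth", "user": user})
        if method == "POST":
            form = parse_qs(body.decode("latin-1"))
            if CREDENTIAL_FIELDS & set(form):
                user = next((form[k][0] for k in USER_FIELDS if k in form), None)
                findings.append({"src": src, "host": host, "path": path, "kind": "form", "user": user})
    return findings

# Constructed capture: an HR login over plain HTTP, a follow-up page fetch, a Basic-auth
# request to an external host, and one TLS record that the HTTP check must ignore.
SAMPLE_PCAP = build_pcap([
    build_packet("10.1.4.23", "10.10.0.25", 51000, 80,
                 b"POST /hr/login HTTP/1.1\r\nHost: hr.acme-example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=jdoe&password=Winter2024"),
    build_packet("10.1.4.23", "10.10.0.25", 51001, 80,
                 b"GET /hr/employee/1042 HTTP/1.1\r\nHost: hr.acme-example.com\r\n\r\n"),
    build_packet("10.2.7.9", "203.0.113.50", 51002, 80,
                 b"GET /api/status HTTP/1.1\r\nHost: status.example.net\r\n"
                 b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    build_packet("10.1.4.23", "10.10.0.25", 51003, 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PCAP):
        print(f"{f['src']} -> {f['host']}{f['path']} [{f['kind']}] user={f['user']}")
```

For the report, record the source host, destination host and path, and the kind of credential as evidence; never paste the recovered password itself, the username and the fact that it was readable on the wire are what the finding needs. The `Host` values that point outside the client's own network are also a first cut at the IOC list for the Traffic Analysis appendix.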
Day 5: Configuration Review
```bash
# Firewall Rules
# Look for:
# - Overly permissive rules
# - Missing deny rules
# - Rule ordering issues
# - Exposed services
# Email Security
# Check SPF, DKIM, DMARC
# Note missing or weak configurations
# Security Headers
curl -I https://[target]
# Check HSTS, CSP, X-Frame-Options (a missing header simply prints nothing)
curl -sI https://[target] | grep -iE 'strict-transport-security|content-security-policy|x-frame-options'
```
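Reading a ruleset top to bottom catches the obvious `any/any` allow, but rule-ordering problems (a deny that sits below an allow which already matches the same traffic) are easy to miss by eye. The reviewer below is an added example and not the course's tool; it works on a constructed ruleset in a simplified `action proto src dst dport` notation (not the format of `acme_firewall_rules.txt`, which you would parse into the same dictionaries first) and flags the four weaknesses the checklist names: an allow-everything rule, cleartext or admin services reachable from any source (the `RISKY_PORTS` list is an assumption), rules shadowed by an earlier rule, and the absence of a closing deny-all.

```python
import ipaddress

# Constructed sample ruleset in a simplified "action proto src dst dport" form
# (not the course's acme_firewall_rules.txt). Rules are matched top-down,
# first match wins, which is how most firewalls evaluate their chains.
SAMPLE_RULES = """
# action proto src            dst            dport
allow    tcp   any            172.16.0.0/24  443
allow    tcp   any            172.16.0.0/24  80
allow    tcp   10.0.0.0/8     10.10.0.0/24   22
allow    tcp   any            10.10.0.25     23
allow    any   any            any            any
deny     tcp   10.2.0.0/16    10.10.0.0/24   22
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
# Services that should never be reachable from an unrestricted source (assumed list).
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 3306: "MySQL", 3389: "RDP"}

def parse_rules(text):
    """Turn the text form into dictionaries; 'any' becomes 0.0.0.0/0 or a None port."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, dport = line.split()
        rules.append({
            "line": len(rules) + 1,
            "action": action.lower(),
            "proto": proto.lower(),
            "src": ANY_NET if src == "any" else ipaddress.ip_network(src, strict=False),
            "dst": ANY_NET if dst == "any" else ipaddress.ip_network(dst, strict=False),
            "dport": None if dport == "any" else int(dport),
        })
    return rules

def covers(outer, inner):
    """True when every packet that matches `inner` would already have matched `outer`."""
    proto_ok = outer["proto"] in ("any", inner["proto"])
    port_ok = outer["dport"] is None or outer["dport"] == inner["dport"]
    return (proto_ok and port_ok
            and inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"]))

def review_rules(rules):
    """Return one finding string per weakness, in ruleset order."""
    findings = []
    for i, rule in enumerate(rules):
        permissive = rule["src"] == ANY_NET and rule["dst"] == ANY_NET and rule["dport"] is None
        if rule["action"] == "allow" and permissive:
            findings.append(f"rule {rule['line']}: allow any->any on all ports (overly permissive)")
        if rule["action"] == "allow" and rule["src"] == ANY_NET and rule["dport"] in RISKY_PORTS:
            name = RISKY_PORTS[rule["dport"]]
            findings.append(f"rule {rule['line']}: {name} ({rule['dport']}) exposed to any source")
        # Rule ordering: a rule fully covered by an earlier one can never match.
        shadow = next((e for e in rules[:i] if covers(e, rule)), None)
        if shadow:
            findings.append(f"rule {rule['line']}: shadowed by rule {shadow['line']} (never matches)")
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == ANY_NET
            and last["dst"] == ANY_NET and last["dport"] is None):
        findings.append("ruleset: no explicit final deny-all rule")
    return findings

if __name__ == "__main__":
    for finding in review_rules(parse_rules(SAMPLE_RULES)):
        print(finding)
```

Note what the shadowing check reveals in the sample: the deny for the 10.2.0.0/16 user subnet reaching SSH on the server subnet is dead, because rule 3 already allows all of 10.0.0.0/8 to that port. In the report, cite both rule numbers and the traffic that slips through; that is the evidence a firewall administrator needs to reorder the chain.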
Day 6: IDS Analysis
```bash
# Review alerts (Suricata EVE JSON: one event object per line)
jq -c 'select(.event_type=="alert")' acme_ids_alerts.json
# Count alerts per signature to see the noisiest rules first
jq -r 'select(.event_type=="alert") | .alert.signature' acme_ids_alerts.json | sort | uniq -c | sort -rn
# Categorize:
# - True positives (real threats)
# - False positives (benign)
# - Priority (critical, high, medium, low)
# For each significant alert:
# - What triggered it?
# - Is it valid?
# - What's the recommended action?
```
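The `jq` filter pulls the alerts out; the triage itself (true or false positive, and a priority the report can use) still needs context the alert record does not carry, such as which hosts are the authorised scanner and which direction the traffic flows. The script below is an added example, not course code, and runs the same `event_type=="alert"` selection in Python over a few constructed EVE JSON lines (the field names are Suricata's, the signature ids and text are made up and marked CONSTRUCTED). Its rules are assumptions a real analyst would replace: alerts from the assumed scanner host 10.10.0.5 that are scan signatures are false positives, an internal host talking to an external command-and-control destination is escalated to critical, and everything else takes its priority from the rule's severity.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed Suricata EVE JSON lines (not the course's acme_ids_alerts.json). The last line is
# deliberately truncated, as happens when a file is copied while Suricata is still writing it.
SAMPLE_EVE = r'''
{"timestamp":"2024-03-04T09:12:01.000000+0000","event_type":"alert","src_ip":"10.1.4.23","src_port":51234,"dest_ip":"203.0.113.50","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"CONSTRUCTED MALWARE Beacon to known C2","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2024-03-04T09:12:02.000000+0000","event_type":"flow","src_ip":"10.1.4.23","dest_ip":"203.0.113.50","proto":"TCP"}
{"timestamp":"2024-03-04T09:20:10.000000+0000","event_type":"alert","src_ip":"10.10.0.5","src_port":40001,"dest_ip":"10.10.0.25","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"signature":"CONSTRUCTED SCAN Nmap scripting engine user-agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-04T09:20:11.000000+0000","event_type":"alert","src_ip":"10.10.0.5","src_port":40002,"dest_ip":"10.10.0.26","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"signature":"CONSTRUCTED SCAN Nmap scripting engine user-agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-04T10:02:33.000000+0000","event_type":"alert","src_ip":"10.2.7.9","src_port":52210,"dest_ip":"10.10.0.25","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":9000003,"signature":"CONSTRUCTED POLICY Cleartext HTTP login form","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-03-04T10:05:00.000000+0000","event_type":"alert","src_ip":"10.2.
'''

# Address ranges from the Acme scenario; anything else is treated as external.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/24")]
KNOWN_SCANNERS = {"10.10.0.5"}              # assumed authorised vulnerability scanner
SEVERITY_NAMES = {1: "high", 2: "medium", 3: "low"}   # Suricata's 1-3 scale

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def load_alerts(text):
    """Keep only event_type == "alert" records; skip blank or truncated lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts

def triage(alert):
    """Verdict and priority for one alert, using the context rules described above."""
    sig = alert["alert"]
    text = (sig.get("category", "") + " " + sig.get("signature", "")).lower()
    if alert["src_ip"] in KNOWN_SCANNERS and "scan" in text:
        return {"verdict": "false positive", "priority": "informational", "reason": "authorised scanner"}
    priority = SEVERITY_NAMES.get(sig.get("severity"), "low")
    if is_internal(alert["src_ip"]) and not is_internal(alert["dest_ip"]) and "command and control" in text:
        priority = "critical"   # internal host reaching out to external C2: treat as possible compromise
    return {"verdict": "true positive", "priority": priority, "reason": sig.get("category", "")}

def summarize(alerts):
    """Group alerts by signature with count, distinct sources, and the triage outcome."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "priority": None, "verdict": None})
    for alert in alerts:
        outcome = triage(alert)
        entry = summary[alert["alert"]["signature"]]
        entry["count"] += 1
        entry["sources"].add(alert["src_ip"])
        entry["priority"], entry["verdict"] = outcome["priority"], outcome["verdict"]
    return dict(summary)

if __name__ == "__main__":
    for signature, entry in summarize(load_alerts(SAMPLE_EVE)).items():
        print(f"{entry['priority']:>13}  {entry['verdict']:<14} x{entry['count']}  {signature}")
```

The grouped output is the shape of the IDS Alert Summary appendix: one row per signature with the verdict, the priority, and how many hosts triggered it. Keep the raw alert lines for the critical and high rows as evidence, and document why each false positive was dismissed so a reader can check the reasoning.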
Day 7: Report Writing
Report structure:
1. Executive Summary (1 page)
2. Scope and Methodology
3. Findings (prioritized)
4. Detailed Technical Analysis
5. Recommendations
6. Appendices (raw data, screenshots)
Report Template
Your final report should follow this structure:
```markdown
# Network Security Assessment Report
## Acme Corporation
### Date: [Date]
### Assessor: [Your Name]
---
## Executive Summary
Brief overview for leadership:
- Scope of assessment
- Key findings (3-5 bullet points)
- Overall risk rating
- Top recommendations
---
## 1. Scope and Methodology
### 1.1 Scope
- Systems assessed
- Time period
- Limitations
### 1.2 Methodology
- Tools used
- Approach taken
- Standards referenced (if any)
---
## 2. Findings Summary
| ID | Finding | Severity | Status |
|----|---------|----------|--------|
| F1 | [Title] | Critical | Open |
| F2 | [Title] | High | Open |
| F3 | [Title] | Medium | Open |
---
## 3. Detailed Findings
### Finding F1: [Title]
**Severity:** Critical
**Affected Systems:** [List]
**Description:**
What was found and why it matters.
**Evidence:**
Screenshots, log entries, technical details.
**Risk:**
What could happen if exploited.
**Recommendation:**
Specific steps to remediate.
---
## 4. Recommendations Summary
Prioritized list of actions:
1. [Immediate - Critical items]
2. [Short-term - High items]
3. [Medium-term - Improvements]
---
## Appendices
A. Raw Scan Results
B. PCAP Analysis Details
C. IDS Alert Summary
D. Screenshots
```
Evaluation Criteria
Your capstone will be evaluated on:
| Criteria | Points |
|---|---|
| Reconnaissance: Thorough enumeration with proper documentation | 15 |
| Traffic Analysis: Accurate protocol analysis and IOC extraction | 20 |
| Configuration Review: Identified misconfigurations with evidence | 15 |
| IDS Analysis: Proper alert triage and classification | 15 |
| Report Quality: Professional, clear, well-organized | 20 |
| Recommendations: Actionable, prioritized, realistic | 15 |
Total: 100 points. Projects scoring 80+ demonstrate professional-level work.
Real-World Context: Security Assessments
Network security assessments are routine professional work:
Penetration Testing: Organizations hire pen testers to find vulnerabilities before attackers do. Your capstone mirrors the reconnaissance and analysis phases of a pen test engagement.
Security Audits: Compliance frameworks (PCI-DSS, HIPAA, SOC 2) require regular security assessments. Auditors review firewall rules, network segmentation, and monitoring capabilities: exactly what you're doing in this capstone.
Incident Response: When breaches occur, responders analyze traffic, review logs, and trace attacker activity. The analysis skills you're demonstrating are core IR competencies.
Security Architecture: Before deploying new systems, architects assess network security implications. Your ability to evaluate configurations and recommend improvements is directly applicable.
Key insight: This capstone demonstrates skills used daily by security professionals. Your report could serve as a portfolio piece when applying for security roles.
Example Finding Write-Up
Here's an example of a well-documented finding:
```markdown
### Finding F1: Unencrypted Internal Web Traffic
**Severity:** High
**Affected Systems:** Internal web application (10.10.0.25)
**Description:**
During traffic analysis, HTTP (unencrypted) traffic was observed
between user workstations and the internal HR application at
10.10.0.25:80. This application handles sensitive employee data
including SSNs and salary information.
**Evidence:**
- PCAP analysis shows HTTP GET/POST requests to /hr/employee/*
- Credentials visible in POST data (see Appendix B, Figure 3)
- 847 HTTP sessions observed over 24-hour capture period
**Risk:**
An attacker with network access (insider, compromised host, or
via ARP spoofing) could intercept sensitive employee data and
credentials. This violates data protection requirements and
could lead to identity theft or compliance violations.
**Recommendation:**
1. Implement HTTPS on the HR application (immediate)
2. Redirect HTTP to HTTPS with HSTS header
3. Consider network segmentation to isolate HR systems
4. Review other internal applications for similar issues
**References:**
- OWASP Transport Layer Protection Cheat Sheet
- CIS Control 3: Data Protection
```
Week 13 Outcome Check
By completing this capstone, you will have demonstrated:
- Network reconnaissance and enumeration skills
- Protocol analysis and traffic inspection
- Security configuration assessment
- IDS alert analysis and triage
- Professional security report writing
- Risk-based prioritization of findings
- Actionable security recommendations
Congratulations! Completing this capstone demonstrates you have the network security skills expected of an entry-level security analyst or junior penetration tester.
🎯 Hands-On Labs (Free & Essential)
Prepare for the capstone by consolidating tools and workflow before moving to reading resources.
🎮 TryHackMe: Pre-Security Learning Path
What you'll do: Complete at least one module from the Pre-Security path to reinforce fundamentals.
Why it matters: A strong foundation makes the capstone smoother and more accurate.
Time estimate: 2-3 hours
📝 Lab Exercise: Capstone Assessment Checklist
Task: Draft your assessment checklist (recon, traffic analysis, config review, detection).
Deliverable: One-page checklist with evidence to collect per phase.
Why it matters: Clear scope and evidence tracking produce a professional report.
Time estimate: 45-60 minutes
🏁 PicoCTF Practice: General Skills (Starter Set)
What you'll do: Complete a few starter challenges to warm up your tooling and workflow.
Why it matters: CTF-style tasks build problem-solving speed for capstone investigations.
Time estimate: 1-2 hours
💡 Lab Tip: Treat the capstone like a real engagement: define scope, collect evidence, and write for a non-technical reader.
Resources
Reference these resources as you complete your assessment.
- SANS White Papers - Security Assessment Guides · Reference · 50 XP · Resource ID: csy104_w13_r1 (Required)
- OWASP Testing Guide · Reference · 25 XP · Resource ID: csy104_w13_r2 (Optional)
- Malware Traffic Analysis - Training Exercises · Practice PCAPs · 25 XP · Resource ID: csy104_w13_r3 (Optional)
Capstone Submission
Submit your complete assessment including:
- Full assessment report (PDF format)
- Supporting evidence:
  - DNS enumeration results
  - Nmap scan outputs
  - PCAP analysis notes
  - Firewall rule analysis
  - IDS alert summary
  - Screenshots demonstrating findings
- Executive summary (1 page, suitable for leadership)
Submission Checklist:
- ☐ Report follows professional template
- ☐ All findings include evidence
- ☐ Findings are severity-rated
- ☐ Recommendations are specific and actionable
- ☐ Executive summary is non-technical
- ☐ Appendices include raw data
- ☐ Report is proofread and professional
Final Checkpoint Questions
- What were the most critical findings in your assessment?
- How did you prioritize findings by risk?
- What evidence supported your most significant finding?
- How would you explain your findings to a non-technical executive?
- What was the most challenging part of the assessment?
- How has your understanding of network security evolved since Week 1?
Final Reflection
Reflection Prompt (400-500 words):
This capstone represents the culmination of your network security journey in CSY104. You've gone from understanding basic protocols to conducting a comprehensive security assessment.
Reflect on these questions:
- Compare your understanding of networks now versus Week 1. What concepts that seemed complex are now clear?
- Which skills from this course do you feel most confident in? Which areas do you want to develop further?
- How did conducting an assessment change your perspective on network security versus learning individual concepts?
- What role do you see network security playing in your cybersecurity career?
- What advice would you give to someone starting CSY104?
A strong final reflection will honestly assess your growth, identify areas for continued learning, and articulate how network security fits into your broader career goals.
What's Next?
Completing CSY104 opens doors to advanced security topics:
- CSY201 - Security Operations: SOC workflows, SIEM, incident response procedures
- CSY202 - Ethical Hacking: Penetration testing methodology and techniques
- CSY203 - Web Application Security: OWASP Top 10, web vulnerabilities, secure development
- CSY204 - Digital Forensics: Evidence collection, analysis, and investigation
Certifications to Consider:
- CompTIA Network+ (validates networking fundamentals)
- CompTIA Security+ (broad security foundation)
- Cisco CCNA (deep networking expertise)
- eJPT (entry-level penetration testing)
Congratulations on completing CSY104! You now have a solid foundation in network security—one of the most important domains in cybersecurity. Networks are everywhere, and the skills you've developed will serve you in any security role. Keep learning, keep practicing, and keep securing networks!