The integrative practical activity connects students with concepts, tools, and methods that improve organizational security. The goal is to apply the technical knowledge gained during the course to propose and implement a security system for the selected organization.
In addition, the assignment requires designing an information security architecture that protects the company’s information assets and implements ongoing prevention, management, control, and monitoring of the network components.
Scenario
RAMSV SRL is a company led by a president and a general manager, with departments for Sales, Purchasing, Production, Systems, and Collections/Payments. It currently employs around fifty people across those areas.
The business sells products online through its own website. The site is maintained by in-house developers and analysts, and products are manufactured internally, which means raw materials must be sourced weekly depending on demand.
The website uses up-to-date SSL certificates, so client-server communications are protected. Customer passwords are stored using a one-way hash function, and users regularly exchange encrypted emails through PGP4Win.
Within the Systems Department, there is no dedicated information security office. The organization lacks both basic and advanced security measures.
Each employee has a workstation, and the internal network is segmented by department. The company has internet access and allows remote work. There is at least one PC running Windows XP with only a free antivirus solution, which does not cover all current threats.
Workstations are connected through a local area network where files and shared folders are exposed without access controls or logging. There is also a public WiFi network used by staff and visitors.
RAMSV SRL hosts its own database server, which runs a free version of the Yetiforce ERP/CRM system. All employees use it to register sales, suppliers, and marketing campaigns. Each department has a defined role and permissions. The database holds about 50,000 records containing customer and supplier data, invoices, and personal information.
The company lacks network monitoring software and packet filtering technology. Last month it suffered a ransomware attack and lost data on 50% of its devices, with no recovery due to the absence of a contingency plan.
Instructions
1. Analyze the security measures currently deployed to prevent malware. If enterprise solutions are installed, identify the antivirus and anti-malware products, their licensing models, and how endpoints are protected. Research integrated solutions (AVG, ESET, Kaspersky, etc.), prepare a comparative pricing table, and select the best option.
2. Design a secure internal network architecture. Consider perimeter security, firewalls, intrusion detection systems, access control lists, and monitoring/management technology. Provide a secure network prototype and diagram.
3. Estimate implementation costs and the timeline. Build a schedule and research software and hardware costs based on the previous proposals.
Submission Format
Prepare a Word document detailing the research, no fewer than 20 pages, A4 size, Arial 12pt, 1.5 line spacing (total for the four activities).
While a minimum page count is required (excluding cover, index, bibliography, and appendices), research that exceeds the limits is encouraged.
Requirements
To diagram the secure network requested in instruction 2, you may use Visual Paradigm.
For more information on instruction 3, consult:
RedesZone
CyberSecurity
Fortinet
Submission
You have reached the end of this module’s activity. Save your responses and upload them by clicking “Submit task.”
Remember that you can discuss questions with classmates in the course forum.
Proposed Responses
Current security posture and solution comparison
Existing controls include SSL on the website, hashed passwords, and encrypted email via PGP4Win. Endpoints, however, rely on Windows XP and free antivirus without centralized management or monitoring. There is no dedicated security team, no packet filtering, and the public WiFi is not segmented. This makes the environment vulnerable to malware, ransomware, and unauthorized access.
Baseline improvements should include upgrading all workstations to a supported operating system, deploying centrally managed endpoint protection with anti-ransomware capabilities, and enforcing least-privilege access.
Comparison table (reference pricing in USD per endpoint per year):
| Solution | License model | Key capabilities | Estimated range (USD per endpoint per year) |
|---|---|---|---|
| ESET Protect Entry | Annual subscription | AV/anti-malware, centralized console, web control | 25-40 |
| Bitdefender GravityZone Business Security | Annual subscription | AV/basic EDR, anti-ransomware, device control | 30-50 |
| Kaspersky Endpoint Security Cloud | Annual subscription | AV/basic EDR, cloud console, web control | 30-55 |
| Microsoft Defender for Business | Annual subscription | AV/EDR, M365 integration, hardening | 35-60 |
Best fit for RAMSV SRL: a centrally managed suite with basic EDR and ransomware protection, such as Bitdefender GravityZone or Microsoft Defender for Business, because it scales to 50 devices and provides visibility and incident response. Final pricing should be verified with local vendors.
Secure internal network architecture
The proposed design uses segmentation, strong perimeter security, and continuous monitoring. It introduces a firewall with IDS/IPS, a DMZ for the public website and sales systems, VLANs per department, isolated guest WiFi, and a VPN with MFA for remote users. Access control lists on switches limit lateral movement, while a SIEM aggregates alerts for incident response.
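The segmentation rules described above can be written down and checked before they are configured on a firewall or switch. The following is an added example, not part of the original assignment or its proposed responses: it models a first-match, default-deny inter-zone ACL for the design and tests flows against it. The subnets, ports, and zone names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption): one VLAN per RAMSV SRL department,
# plus server, DMZ, VPN and guest WiFi zones from the proposed design.
ZONES = {
    "sales": "10.10.10.0/24", "purchasing": "10.10.20.0/24",
    "production": "10.10.30.0/24", "systems": "10.10.40.0/24",
    "collections": "10.10.50.0/24", "servers": "10.10.100.0/24",
    "dmz": "172.16.0.0/24", "vpn": "10.10.200.0/24", "guest": "192.168.50.0/24",
}
DEPARTMENTS = ("sales", "purchasing", "production", "systems", "collections")

# First-match inter-zone ACL: (source zone, destination zone, TCP port, action).
# "internet" stands for any address outside the zones above.
ACL = [(d, "servers", 443, "permit") for d in DEPARTMENTS] + [
    ("vpn", "servers", 443, "permit"),     # remote staff reach the ERP/CRM over HTTPS
    ("systems", "servers", 22, "permit"),  # administration from Systems only
    ("systems", "dmz", 22, "permit"),
    ("internet", "dmz", 443, "permit"),    # public website in the DMZ
    ("guest", "internet", 443, "permit"),  # guest WiFi: internet only
] + [(d, "internet", 443, "permit") for d in DEPARTMENTS]

def zone_of(addr):
    """Map an IP address to its zone; anything unknown is 'internet'."""
    ip = ip_address(addr)
    for name, cidr in ZONES.items():
        if ip in ip_network(cidr):
            return name
    return "internet"

def decide(src, dst, port):
    """Evaluate one flow against the ACL; no matching rule means deny."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, rule_port, action in ACL:
        if (rule_src, rule_dst, rule_port) == (s, d, port):
            return action
    return "deny"

def lateral_paths():
    """List permit rules between user zones, which the design forbids."""
    user_zones = DEPARTMENTS + ("guest", "vpn")
    return [(s, d, p) for s, d, p, action in ACL
            if action == "permit" and s in user_zones and d in user_zones]
```

Running `lateral_paths()` after every rule change gives a quick regression check that no new permit reopens a department-to-department or guest-to-internal path.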