Higher National Unit Specification

General information for centres

Unit code: D7JV 35

Unit purpose: This Unit is designed to enable candidates to increase network security through authentication and encryption, and to configure remote access methods. The Unit prepares candidates for this task by ensuring they apply advanced and specialised knowledge to configure network equipment, network services and software. Practical experience is gained in implementing typical network services using industry-standard equipment and protocols. The Unit is primarily intended for candidates who expect to work in a network installation environment, as a network administrator or in a network support role.

On completion of the Unit the candidate should be able to:

1. Deploy Certificate Services
2. Implement Internet Protocol Security (IPSec)
3. Configure common remote access methods

Credit value: 1 HN Credit(s) at SCQF level 8: (8 SCQF credit points at SCQF level 8)

SCQF (the Scottish Credit and Qualifications Framework) brings Scottish qualifications into a single framework of 12 levels ranging from SQA Access 1 to doctorates. The SCQF includes degrees; HNC/Ds; SQA National Qualifications; and SVQs. Each SQA Unit is allocated a number of SCQF credit points at a specific level. 1 SCQF point = 10 hours of learning. HN candidates are normally expected to input a further number of hours, matched to the credit value of the Unit, of non-contact time or candidate-led effort to consolidate and reinforce learning.

Recommended prior knowledge and skills: Access to this Unit will be at the discretion of the Centre; however, it is recommended that candidates should have a good working knowledge of Networking and Protocols. It would be useful if candidates had either completed or were currently studying the HN Units D75T 34 Computer Networks: Building Local Area Networks or D77B 35 Computer Networks: Administering Network Systems or Computer Systems Security and Data Assurance.
Core skills: There may be opportunities to gather evidence towards core skills in this Unit, although there is no automatic certification of core skills or core skills components. HN Unit D7JV 35: Enhancing Network Security and Configuring Remote Access 1
Context for delivery: If this Unit is delivered as part of a group award, it is recommended that it should be taught and assessed within the subject area of the group award to which it contributes.

Assessment: Two instruments of assessment could assess this Unit. The first would require candidates to produce short or restricted responses to written questions testing their underpinning knowledge. The second would contain a series of assignments testing their practical abilities to install network services.
Higher National Unit specification: statement of standards

Unit code:

The sections of the Unit stating the Outcomes, knowledge and/or skills, and evidence requirements are mandatory. Where evidence for Outcomes is assessed on a sample basis, the whole of the content listed in the knowledge and/or skills section must be taught and available for assessment. Candidates should not know in advance the items on which they will be assessed and different items should be sampled on each assessment occasion.

Outcome 1

Deploy Certificate Services

Knowledge and/or skills

Public Key Cryptography (PKI) concepts
Deploy and manage certificates

Evidence requirements

Candidates will need evidence to demonstrate their knowledge and/or skills by showing that they can:

Describe the basic concepts of Public/Private key authentication and Digital Signatures.
Describe the importance of Public Key Cryptography for e-commerce, intranets and web-enabled applications.

The above must be assessed as a set of extended response questions that cover the basic concepts of both PKI and Digital Signatures. There should be at least one question on both of the knowledge and/or skills items shown above. The candidate's response must be a minimum of 300 words for each item.

Candidates must additionally be assessed on the importance of PKI for e-commerce, intranets and web-enabled applications. This may be sampled with only one of the three areas being covered and should include a description of a working example. It should be assessed by an extended response question of a minimum of 300 words.

This assessment will be open book. Candidates are required to obtain a pass mark of 60% overall in order to pass this section of Outcome 1.

Candidates will demonstrate that they can deploy certificate services by implementing a certification service to deploy and use key certificates. Candidates must have full access to documentation throughout the completion of this task. Candidates must be able to create a private/public key pair for a user or a group of users and have this used as authentication.

The evidence for this section of Outcome 1 will be produced in the form of an observation checklist that covers all the points listed above.

Assessment guidelines

All assessments in Outcome 1 should be open book. It is suggested that, when investigating the importance of PKI, the candidates should try to identify a real-life example of their chosen area. When configuring a key certificate server it is suggested that only one area is covered, such as intranets or e-commerce. This assessment is suited to candidates working in groups and each group may cover a different area in which PKI is suited.

Outcome 2

Implement Internet Protocol Security (IPSec)

Knowledge and/or skills

Common security issues
Goals of IPSec
Implement IPSec

Evidence requirements

Candidates will need evidence to demonstrate their skills and/or knowledge by showing that they can:

Identify common security issues: network monitoring, data modification, passwords, address spoofing, and denial of service. At least 3 of these should be sampled.
Identify the goals of IPSec including mutual authentication and encryption of data.

The above should be assessed using 5 short response questions. This must be a closed book assessment held under controlled conditions and of 1 hour's duration. Candidates are required to obtain a pass mark of 60% overall in order to pass this section of Outcome 2.

Candidates must implement IPSec between two different machines. The evidence for this section of Outcome 2 will be produced in the form of an observation checklist that covers all the points listed above. Candidates should have full access to documentation throughout this task.
Assessment guidelines

Candidates should demonstrate a firm understanding of potential problems when administering TCP/IP based networks. This should be emphasised especially for networks connected externally to the Internet.

Candidates should demonstrate that they have successfully configured IPSec between two machines. A packet sniffer (tcpdump on Linux) or network monitoring tool may be used to demonstrate the traffic before and after IPSec is running for a service such as FTP.

Outcome 3

Configure common remote access methods

Knowledge and/or skills

Common connectivity options
Remote access protocols
Remote access authentication protocols
Remote Authentication Dial-In User Service (RADIUS)
Configure server for remote access

Evidence requirements

Candidates will need evidence to demonstrate their knowledge and/or skills by showing that they can identify:

Common remote connectivity options. As a minimum, Dial Up Connection and Virtual Private Network (VPN) must be assessed.
Remote access protocols. A minimum of two protocols must be assessed.
Common hardware connection options, which should be stated: PSTN, ISDN, ADSL, cable modem and X.25. A minimum of one hardware connection option must be assessed.
A remote access authentication protocol selection.
RADIUS as an authentication and accounting service for interoperability between vendors.

The above should be assessed using a set of 10 restricted response questions with two questions for each of the five topics shown above. This should be a closed-book assessment of 1 hour's duration carried out under controlled conditions. Candidates are required to obtain a pass mark of 60% overall in order to pass this section of Outcome 3.

Configure a server for remote access including permissions, caller id and callback. A minimum of two of these options must be configured. The evidence for this section of Outcome 3 will be produced in the form of an observation checklist that covers all the points listed above. Candidates should have full access to documentation throughout this task.
Assessment guidelines

Remote access protocols may include PPP, SLIP, Microsoft RAS, AppleTalk Remote Access Protocol (ARAP), the LAN protocols TCP/IP, NWLink, NetBEUI and AppleTalk, or others as appropriate.

Remote authentication protocols may include PAP, SPAP, CHAP, MS-CHAP or others as appropriate.

The examining centre must provide all facilities for remote access, whether it is done by dial-up connection or by use of a protocol over a fixed network.

Administrative Information

Unit code: D7JV 35
Unit title: Enhancing Network Security and Configuring Remote Access
Superclass category: CB
Date of publication: 1 October 2001
Source: SQA

© Scottish Qualifications Authority 2001

This publication may be reproduced in whole or in part for educational purposes provided that no profit is derived from reproduction and that, if reproduced in part, the source is acknowledged.

Additional copies of this Unit specification can be purchased from the Scottish Qualifications Authority. The cost for each Unit specification is £2.50 (minimum order £5.00).
Higher National Unit specification: support notes

This part of the Unit specification is offered as guidance. The support notes are not mandatory.

While the exact time allocated to this Unit is at the discretion of the centre, the notional design length is 40 hours.

Guidance on the content and context for this Unit

It is important to demonstrate to the candidate the importance of network security in a world where we are becoming more reliant on using communications technologies. Hardly a day goes past without some organisation having its security procedures breached. Networks are no longer closed domains: staff working away from the office building wish to connect to the company's data, as do potential clients and customers. Making data available is advantageous for most companies, but this does have its pitfalls. The aim of this Unit is to highlight a few of these pitfalls and produce modern solutions to help keep data safe.

Outcome 1 is aimed at introducing the candidate to the importance of Public Key Cryptography and the facilities of key certification. This would be aided by a demonstration or investigation of SSL and by looking at trusted systems such as Verisign. Analogies such as passport generation which contains a unique number, attributes such as expiration date, name, address, etc, and is issued by a trusted simple may aid understanding. Once a general knowledge in this area is demonstrated, the candidate should be introduced to internally generated key certification. This may be done via Windows 2000, Unix, Novell or another appropriate system.

Outcome 2 deals with investigating common security issues on an IP based network. Topical examples should be used to help generate an awareness of security issues. Packet sniffers should also be used to demonstrate what information could be obtained by monitoring a line, especially services such as FTP and Telnet, without the use of encrypted passwords.
The security issues involved in traffic monitoring, such as quiet and busy times and the information that can be obtained from this basic data, should be investigated. This should lead into an investigation of the challenges faced by network administrators to ensure that data is safe from modification, interception, viewing, copying and being accessed by unauthenticated parties. This then leads to standard encryption techniques such as IPSec to secure communications within an intranet and to create secure virtual private network (VPN) solutions across the Internet. A short description of the goals of IPSec, including the differences between computer-to-computer and network-to-network, should also be included in Outcome 2.
Outcome 3 is concerned with the issues involved in trying to access a network from an external location. This should cover dial up and virtual private network (VPN) connections. ISPs and the Internet would make a good starting point for common remote access to a network using a protocol such as PPP. Security features such as caller id and call back should be introduced when talking about more private networks. Discussion of authentication should cover RADIUS as a way to provide one point of authentication between different network systems.

Guidance on the delivery and assessment of this Unit

Wherever possible, provide the candidates with examples of current real-life scenarios of breaches of security. A candidate should have a clear understanding of what they are trying to achieve on all practical exercises before commencement. All practical exercises should only be attempted after a clear understanding of the theory is demonstrated in the written assessments.

There is no importance placed on the order of delivery for the Outcomes, although it is suggested that Outcomes 1 and 2 be closely linked in delivery.

All software required for PKI and network monitoring should be made available to the candidates from the beginning of the Unit.

Assessment Summary

Outcome 1
Two extended responses of at least 300 words on Public/Private key authentication and Digital Signatures. Open Book.
One extended response of at least 300 words on one of the following: Public Key Cryptography for e-commerce, intranets and web-enabled applications. Open Book.
Configure a Key Certification server to deploy and manage certificates.

Outcome 2
Five short response questions on common security issues and the goals of IPSec.
Implement IPSec between two machines.

Outcome 3
Ten restricted response questions. Closed book.
Configure a server for remote access.
Open learning

If this Unit is delivered by open or distance learning methods, additional planning and resources may be required for candidate support, assessment and quality assurance. A combination of new and traditional authentication tools may have to be devised for assessment and re-assessment purposes. For further information and advice, please see Assessment and Quality Assurance for Open and Distance Learning (SQA, February 2001, publication code A1030).

For information on normal open learning arrangements, please refer to the SQA guide Assessment and Quality Assurance of Open and Distance Learning (SQA, 2000).

Special needs

This Unit specification is intended to ensure that there are no artificial barriers to learning or assessment. Special needs of individual candidates should be taken into account when planning learning experiences, selecting assessment instruments or considering special alternative Outcomes for Units. For information on these, please refer to the SQA document Guidance on Special Assessment and Certification Arrangements for Candidates with Special Needs and Candidates for whom English is an Additional Language (SQA, 2000).
General information for candidates

This Unit is primarily targeted at those of you expecting to work in a Networking Support or Administration role, but it is also relevant to those who want a greater awareness of security issues and solutions.

This Unit should provide you with an understanding and appreciation of the complexities of securing data and access on a network, while still enabling availability to services and data for the appropriate personnel.

You will develop hands-on skills in installing, configuring, and managing a key certification server. With more and more people having to communicate over networks, it's important that you understand the key concepts involved in making sure your transmitted data is secure. It is also important that users and computers can identify themselves in a secure manner and not have impostors forge your identity. Key Certificates are becoming a more common way for connected machines and users to have trust in today's technologies. This may be done in a transparent manner such as SSL or by users carrying around their key certificates in devices such as smart cards and USB dongles.

You will also be introduced to secure remote access methods, which allow any user, either locally or remotely, to connect safely to any network. This will be looked at from both the hardware and software sides.

Before commencement of this Unit you should have a good grounding in network technologies such as protocols and hardware required to construct and connect LANs and WANs. It would also be advantageous to have a good understanding of basic network security and the Internet.

In Outcome 1 you will be assessed using a set of extended response questions that cover the basic concepts of both PKI and Digital Signatures. Your response must be a minimum of 300 words for each item. Additionally, you will be assessed on the importance of PKI for one of e-commerce, intranets and web-enabled applications.
Again, your response to this question must be a minimum of 300 words. This assessment will be open book and you need to obtain a pass mark of 60% overall in order to pass this section of Outcome 1.

There will be a further practical assessment where you must demonstrate that you can deploy certificate services by implementing a certification service to deploy and use key certificates. During this activity you will demonstrate that you can apply your practical knowledge and skills appropriately to your tutor/lecturer who will observe you during this period. You should have full access to documentation throughout this task.

In Outcome 2 you will be assessed using 5 short response questions to test your theoretical knowledge and understanding of implementing Internet Protocol Security (IPSec). This will be a closed book assessment held under controlled conditions and of 1 hour's duration. You will need to obtain a pass mark of 60% overall in order to pass this section of Outcome 2.

Additionally, there will be a practical assessment where you must implement IPSec between two different machines. During this activity you will demonstrate that you can apply your practical knowledge and skills appropriately to your tutor/lecturer who will observe you during this period. You should have full access to documentation throughout this task.
Outcome 3 will be assessed using a set of 10 restricted response questions to test your theoretical knowledge and understanding of configuring common remote access methods. This will be a closed-book assessment of 1 hour's duration carried out under controlled conditions. You will need to obtain a pass mark of 60% overall in order to pass this section of Outcome 3.

Additionally, you will be given a practical exercise in which you configure a server for remote access including permissions, caller id and call-back; you must demonstrate that you can configure at least two of these. During this activity you will demonstrate that you can apply your practical knowledge and skills appropriately to your tutor/lecturer who will observe you during this period. You should have full access to documentation throughout this task.