Assessor Resource

ICANWK602A
Plan, configure and test advanced server based security

Assessment tool

Version 1.0
Issue Date: April 2024


This unit applies to planning, designing, implementing, maintaining, monitoring and troubleshooting advanced security on network servers.

Relevant job roles include information and communications technology (ICT) network specialist, ICT network engineer, network security specialist, network security planner and network security designer.

This unit describes the performance outcomes, skills and knowledge required to implement advanced server security using secure authentication and network services on a network server.

You may want to include more information here about the target group and the purpose of the assessments (eg formative, summative, recognition).

Prerequisites

Not applicable.


Employability Skills

This unit contains employability skills.




Evidence Required

List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.

The evidence guide provides advice on assessment and must be read in conjunction with the performance criteria, required skills and knowledge, range statement and the Assessment Guidelines for the Training Package.

Overview of assessment

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the ability to:

identify network service security vulnerabilities and appropriate controls

plan, design and configure a secure network authentication service

secure a wide range of network services to ensure server and data security including: DNS, web and proxy, mail, FTP and firewall

implement cryptographic techniques

monitor the server for security breaches.

Context of and specific resources for assessment

Assessment must ensure access to:

site where server installation may be conducted

relevant server specifications:

cabling

networked (LAN) computers

server diagnostic software

switch

client requirements

WAN service point of presence

workstations

relevant regulatory documentation that impacts on installation activities

appropriate learning and assessment support when required

modified equipment for people with special needs.

Method of assessment

A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

evaluation of security design report for a server with complex network service security requirements

direct observation of the candidate configuring complex security requirements

verbal or written questioning of required skills and knowledge

evaluation of prepared report outlining intrusion detection, recovery, reporting and documentation procedures

evaluation of system design and implementation in terms of network service security and suitability for business needs.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended, where appropriate.

Assessment processes and techniques must be culturally appropriate, and suitable to the communication skill level, language, literacy and numeracy capacity of the candidate and the work being performed.

Indigenous people and other people from a non-English speaking background may need additional support.

In cases where practical assessment is used it should be combined with targeted questioning to assess required knowledge.


Submission Requirements

List each assessment task's title, type (eg project, observation/demonstration, essay, assignment, checklist) and due date here.

Assessment task 1: [title]      Due date:

(add new lines for each of the assessment tasks)


Assessment Tasks

Copy and paste from the following data to produce each assessment task. Write these in plain English and spell out how, when and where the task is to be carried out, under what conditions, and what resources are needed. Include guidelines about how well the candidate has to perform a task for it to be judged satisfactory.

Required skills

communication skills to liaise with internal and external personnel on security-related matters

literacy skills to:

interpret technical documentation

write reports in required formats

read and interpret enterprise security procedures, policies and specifications

review vendor sites, bulletins and notifications for security information

planning and organisational skills to:

plan control methods for network service security and authentication

plan, prioritise and monitor own work

problem-solving and contingency-management skills to:

adapt configuration procedures to requirements of network service security and reconfigure depending on differing operational contingencies, risk situations and environments

detect, investigate and recover from security breaches

safety-awareness skills to:

apply precautions and required action to minimise, control or eliminate hazards that may exist during work activities

follow enterprise OHS procedures

work systematically with required attention to detail without injury to self or others, or damage to goods or equipment

research skills to interrogate vendor databases and websites to implement different configuration requirements to meet security levels

technical skills to:

design network service and authentication security

identify the technical requirements, constraints and manageability issues for given customer server-security requirements

implement security strategies

install network service and authentication security design

monitor log files for security information

select and use server and network diagnostics

test server security.

Required knowledge

auditing and penetration testing techniques

best practice procedures for implementing backup and restore

cryptographic techniques

procedures for error and event logging and reporting

intrusion detection and recovery procedures

network service configuration, including DNS, DHCP, web, mail, FTP, SMB, NTP and proxy

network service security features, options and limitations

network service vulnerabilities

operating system help and support utilities

planning, configuration, monitoring and troubleshooting techniques

security protection mechanisms

security threats and risks

server firewall configuration

server monitoring and troubleshooting tools and techniques, including network monitoring and diagnostic utilities

user authentication and directory services.

The range statement relates to the unit of competency as a whole. It allows for different work environments and situations that may affect performance. Bold italicised wording, if used in the performance criteria, is detailed below. Essential operating conditions that may be present with training and assessment (depending on the work situation, needs of the candidate, accessibility of the item, and local industry and regional contexts) may also be included.

Client may include:

external organisations

ICT company

individuals

internal departments

internal employees

service industry.

Stakeholders may include:

development team

IT manager or representative

project team

sponsor

user.

Network server may include:

applications server

communications server

content and media server

multiple servers

physical server

virtual server.

Client security documentation may include:

risk assessment reports

security incident reports and server logs

security plans

security policies

security procedures.

Network authentication may include:

biometrics

enterprise single sign-on

Hesiod

Kerberos

lightweight directory access protocol (LDAP)

Novell Directory Services (NDS)

network information service (NIS)

pluggable authentication modules (PAM)

public key authentication (PKA)

public key infrastructure (PKI) and digital certificates

Red Hat Directory Services (RHDS)

security tokens and smart cards

SMB or Samba software

two-factor and multifactor authentication

Windows Active Directory Services (WADS).

Network service may include:

dynamic host configuration protocol (DHCP)

dynamic name system (DNS)

firewall

file transfer protocol (FTP)

hypertext transfer protocol (HTTP) or secure (HTTPS)

internet message access protocol (IMAP)

network authentication:

remote procedure call (RPC)

NIS

Kerberos

network file system (NFS)

network time protocol (NTP)

open source secure shell software suite (OpenSSH)

post-office protocol (POP)

print services

proxy

server messages block (SMB)

simple mail transfer protocol (SMTP)

simple network management protocol (SNMP)

structured query language server (SQL)

transmission control protocol or internet protocol (TCP/IP).

Appropriate person may include:

authorised business representative

client

representative from the IT department

supervisor

security manager.

Update services may include:

Potentially Unwanted Program Remover (PUP)

Red Hat Network

Windows Server Update Services

Yellow Dog Update Manager (YUM).

Basic service security may include:

host-based access control

network service access control lists (ACL)

network service authentication

network share permissions

security-enhanced Linux (SELinux)

TCP wrappers

Windows group policy

eXtended interNET Daemon (xinetd) and service limits.

Encryption may include:

asymmetric encryption

certificate authority configuration

digital signatures and signature verification

email encryption

encrypted file systems

encrypted network traffic

GNU Privacy Guard (GnuPG or GPG)

public key infrastructure (PKI)

secure sockets layer (SSL) certificates

symmetric encryption.

Security options for services may include:

network file services security options, such as:

disk quotas

distributed file system security

encrypted file systems

NFS security

shares and their permissions

SMB or Samba security options

name resolution services, such as:

bogus servers and blackholes

DNS topologies

dynamic DNS security

restrictive zone transfers and recursive queries

transaction signatures

transaction signature (TSIG)

views

web and proxy services, such as:

authentication

common gateway interface (CGI) security

server-side includes

SSL certificates

suEXEC

mail services, such as:

email encryption

mail filtering including spam filtering

mail topology design

secure sockets layer and transport layer security protocols (SSL/TLS)

start transport layer security (STARTTLS)

virus scanning

FTP services, such as:

anonymous FTP

FTP authentication

secure access to home directories.

Remote access security options may include:

dial-up

internet connection sharing (ICS)

inbound and outbound filters

network address translation (NAT)

OpenSSH

port forwarding

remote authentication dial-in user service (RADIUS)

RADIUS proxy

remote access policy

routing and remote access services (RRAS)

secure remote access protocols

secure wireless

terminal services

virtual private network (VPN).

Operating system may include:

Linux

Unix

Windows server.

Third-party firewall may include:

incoming and outgoing traffic filtering

iptables

internet security and acceleration (ISA) server

kernel level firewalls

Microsoft Windows Firewall

netfilter

SmoothWall

traffic filtering by ports and protocols.

Backup and recovery may include:

automated backups using operating system backup and job scheduling tools

backup and recovery of mail systems

backup and recovery of network directory service objects

backups using third party software

database backup and recovery

volume shadow copies.

Copy and paste from the following performance criteria to create an observation checklist for each task. When you have finished writing your assessment tool every one of these must have been addressed, preferably several times in a variety of contexts. To ensure this occurs download the assessment matrix for the unit; enter each assessment task as a column header and place check marks against each performance criteria that task addresses.

Observation Checklist

Tasks to be observed according to workplace/college/TAFE policy and procedures, relevant legislation and Codes of Practice | Yes | No | Comments/feedback
Consult with client and key stakeholders to identify security requirements in an advanced network server environment 
Analyse and review existing client security documentation and predict network service vulnerabilities 
Research network authentication and network service configuration options and implications to produce network security solutions 
Ensure features and capabilities of network service security options meet the business needs 
Produce or update server security design documentation to include new solutions 
Obtain sign-off for the security design from the appropriate person 
Prepare for work in line with site-specific safety requirements and enterprise OHS processes and procedures 
Identify safety hazards and implement risk control measures in consultation with appropriate personnel 
Consult appropriate person to ensure the task is coordinated effectively with others involved at the worksite 
Back up server before implementing configuration changes 
Configure update services to provide automatic updates to ensure maximum security and reliability 
Configure network authentication, authorisation and accounting services to log and prevent unauthorised access to the server 
Configure basic service security and access control lists to limit access to authorised users, groups or networks 
Implement encryption as required by the design 
Configure advanced network service security options for services and remote access 
Configure the operating system or third-party firewall to filter traffic in line with security requirements 
Ensure security of server logs and log servers are appropriately implemented for system integrity 
Implement backup and recovery methods to enable restoration capability in the event of a disaster 
Test server to assess the effectiveness of network service security according to agreed design plan 
Monitor server logs, network traffic and open ports to detect possible intrusions 
Monitor important files to detect unauthorised modifications 
Investigate and verify alleged violations of server or data security and privacy breaches 
Recover from, report and document security breaches according to security policies and procedures 
Evaluate monitored results and reports to implement and test improvement actions required to maintain the required level of network service security 

Forms

Assessment Cover Sheet

ICANWK602A - Plan, configure and test advanced server based security
Assessment task 1: [title]

Student name:

Student ID:

I declare that the assessment tasks submitted for this unit are my own work.

Student signature:

Result: Competent / Not yet competent

Feedback to student

Assessor name:

Signature:

Date:


Assessment Record Sheet

ICANWK602A - Plan, configure and test advanced server based security

Student name:

Student ID:

Assessment task 1: [title]      Result: Competent / Not yet competent

(add lines for each task)

Feedback to student:

Overall assessment result: Competent / Not yet competent

Assessor name:

Signature:

Date:

Student signature:

Date: