Assessor Resource

ICTNWK608
Configure network devices for a secure network infrastructure

Assessment tool

Version 1.0
Issue Date: March 2024


This unit describes the skills and knowledge required to use software tools, equipment and protocols to configure network devices in the design of the infrastructure of a secure network.

It applies to individuals with advanced information and communications technology (ICT) skills who adapt router and switch operating system capabilities to mitigate attacks.

No licensing, legislative or certification requirements apply to this unit at the time of publication.

You may want to include more information here about the target group and the purpose of the assessments (eg formative, summative, recognition)



Evidence Required

List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.

ELEMENT

PERFORMANCE CRITERIA

Elements describe the essential outcomes.

Performance criteria describe the performance needed to demonstrate achievement of the element.

1. Implement layer 2 security

1.1 Configure using router operating system (OS) commands to mitigate layer 2 attacks

1.2 Implement identity-based networking services (IBNS) on switches to provide layer 2 security

1.3 Implement identity management using access control system (ACS) as the authentication server

2. Configure router OS intrusion prevention system (OS-IPS) to mitigate threats to network resources

2.1 Evaluate the advanced capabilities of router OS-IPS firewall feature set to include event action processing (EAP) for threats to network resources

2.2 Configure and verify IPS features to identify threats and dynamically block them from entering the network

2.3 Maintain, update and tune the IPS signatures

2.4 Configure and verify context-based access control (CBAC) and network address translation (NAT) to dynamically mitigate identified threats to the network

2.5 Configure and verify zone-based firewall (ZFW) to include advanced application inspections and uniform resource locator (URL) filtering for improved network security

3. Configure virtual private networks (VPNs) to provide secure connectivity for site-to-site and remote access communications

3.1 Analyse and evaluate internet protocol security (IPSec) and generic routing encapsulation (IPSec/GRE) features and functionality

3.2 Configure secure connectivity for site-to-site VPN using certificate authorities

3.3 Analyse dynamic multipoint VPN (DMVPN) features and capabilities

3.4 Configure and verify secure connectivity for site-to-site VPN operations

3.5 Provide highly secure network access with secure socket layer (SSL) VPN to deliver remote access connectivity features and benefits

3.6 Evaluate EasyVPN benefits and configure EasyVPN server with dynamic virtual tunnel interface (DVTI) to create a virtual access interface on the virtual tunnel interface

3.7 Configure and verify EasyVPN remote to establish a site-to-site connection using both router and VPN software clients

3.8 Implement group-encrypted transport (GET) VPN features to simplify the provisioning and management of VPN

4. Implement network foundation protection (NFP)

4.1 Evaluate NFP features and functionality to provide infrastructure protection

4.2 Secure the management plane, the data plane and the control plane using OS features of the router

Evidence of the ability to:

evaluate network security system requirements

design, implement and verify network security systems using layer 2 and layer 3 devices

mitigate threats to network security

configure virtual private networks (VPNs) for secure connectivity

evaluate and implement network foundation protection (NFP).

Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.

To complete the unit requirements safely and effectively, the individual must:

explain configuration, verification and troubleshooting procedures to undertake:

virtual local area network (VLAN) switching

inter-switching communications

outline the key features of deployment schemes

summarise setting up and securing firewalls

explain iDevice operating system (iOS) and internet protocol (IP) networking models

outline local area network (LAN) and wide area network (WAN) implementations

explain network address translation (NAT) concepts and configuration

outline network topologies, architectures and elements

explain networking standards and protocols

outline procedures for configuring, verifying and troubleshooting router operations and routing

summarise secure connectivity and remote access communications

explain security protocols, such as secure socket layer (SSL)

clarify threat mitigation strategies

outline tunnelling protocols

summarise VPN technologies.

Gather evidence to demonstrate consistent performance in conditions that are safe and replicate the workplace. Noise levels, production flow, interruptions and time variances must be typical of those experienced in the networking industry, and include access to:

a site or prototype where network security may be evaluated and tightened

hardware and software

organisational guidelines, procedures and policies

computers

hardware and software LAN and WLAN internetwork technologies

hardware and software security technologies.

Assessors must satisfy NVR/AQTF assessor requirements


Submission Requirements

List each assessment task's title, type (eg project, observation/demonstration, essay, assingnment, checklist) and due date here

Assessment task 1: [title]      Due date:

(add new lines for each of the assessment tasks)


Assessment Tasks

Copy and paste from the following data to produce each assessment task. Write these in plain English and spell out how, when and where the task is to be carried out, under what conditions, and what resources are needed. Include guidelines about how well the candidate has to perform a task for it to be judged satisfactory.

ELEMENT

PERFORMANCE CRITERIA

Elements describe the essential outcomes.

Performance criteria describe the performance needed to demonstrate achievement of the element.

1. Implement layer 2 security

1.1 Configure using router operating system (OS) commands to mitigate layer 2 attacks

1.2 Implement identity-based networking services (IBNS) on switches to provide layer 2 security

1.3 Implement identity management using access control system (ACS) as the authentication server

2. Configure router OS intrusion prevention system (OS-IPS) to mitigate threats to network resources

2.1 Evaluate the advanced capabilities of router OS-IPS firewall feature set to include event action processing (EAP) for threats to network resources

2.2 Configure and verify IPS features to identify threats and dynamically block them from entering the network

2.3 Maintain, update and tune the IPS signatures

2.4 Configure and verify context-based access control (CBAC) and network address translation (NAT) to dynamically mitigate identified threats to the network

2.5 Configure and verify zone-based firewall (ZFW) to include advanced application inspections and uniform resource locator (URL) filtering for improved network security

3. Configure virtual private networks (VPNs) to provide secure connectivity for site-to-site and remote access communications

3.1 Analyse and evaluate internet protocol security (IPSec) and generic routing encapsulation (IPSec/GRE) features and functionality

3.2 Configure secure connectivity for site-to-site VPN using certificate authorities

3.3 Analyse dynamic multipoint VPN (DMVPN) features and capabilities

3.4 Configure and verify secure connectivity for site-to-site VPN operations

3.5 Provide highly secure network access with secure socket layer (SSL) VPN to deliver remote access connectivity features and benefits

3.6 Evaluate EasyVPN benefits and configure EasyVPN server with dynamic virtual tunnel interface (DVTI) to create a virtual access interface on the virtual tunnel interface

3.7 Configure and verify EasyVPN remote to establish a site-to-site connection using both router and VPN software clients

3.8 Implement group-encrypted transport (GET) VPN features to simplify the provisioning and management of VPN

4. Implement network foundation protection (NFP)

4.1 Evaluate NFP features and functionality to provide infrastructure protection

4.2 Secure the management plane, the data plane and the control plane using OS features of the router

Evidence of the ability to:

evaluate network security system requirements

design, implement and verify network security systems using layer 2 and layer 3 devices

mitigate threats to network security

configure virtual private networks (VPNs) for secure connectivity

evaluate and implement network foundation protection (NFP).

Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.

To complete the unit requirements safely and effectively, the individual must:

explain configuration, verification and troubleshooting procedures to undertake:

virtual local area network (VLAN) switching

inter-switching communications

outline the key features of deployment schemes

summarise setting up and securing firewalls

explain iDevice operating system (iOS) and internet protocol (IP) networking models

outline local area network (LAN) and wide area network (WAN) implementations

explain network address translation (NAT) concepts and configuration

outline network topologies, architectures and elements

explain networking standards and protocols

outline procedures for configuring, verifying and troubleshooting router operations and routing

summarise secure connectivity and remote access communications

explain security protocols, such as secure socket layer (SSL)

clarify threat mitigation strategies

outline tunnelling protocols

summarise VPN technologies.

Gather evidence to demonstrate consistent performance in conditions that are safe and replicate the workplace. Noise levels, production flow, interruptions and time variances must be typical of those experienced in the networking industry, and include access to:

a site or prototype where network security may be evaluated and tightened

hardware and software

organisational guidelines, procedures and policies

computers

hardware and software LAN and WLAN internetwork technologies

hardware and software security technologies.

Assessors must satisfy NVR/AQTF assessor requirements

Copy and paste from the following performance criteria to create an observation checklist for each task. When you have finished writing your assessment tool every one of these must have been addressed, preferably several times in a variety of contexts. To ensure this occurs download the assessment matrix for the unit; enter each assessment task as a column header and place check marks against each performance criteria that task addresses.

Observation Checklist

Tasks to be observed according to workplace/college/TAFE policy and procedures, relevant legislation and Codes of Practice Yes No Comments/feedback
Configure using router operating system (OS) commands to mitigate layer 2 attacks 
Implement identity-based networking services (IBNS) on switches to provide layer 2 security 
Implement identity management using access control system (ACS) as the authentication server 
Evaluate the advanced capabilities of router OS-IPS firewall feature set to include event action processing (EAP) for threats to network resources 
Configure and verify IPS features to identify threats and dynamically block them from entering the network 
Maintain, update and tune the IPS signatures 
Configure and verify context-based access control (CBAC) and network address translation (NAT) to dynamically mitigate identified threats to the network 
Configure and verify zone-based firewall (ZFW) to include advanced application inspections and uniform resource locator (URL) filtering for improved network security 
Analyse and evaluate internet protocol security (IPSec) and generic routing encapsulation (IPSec/GRE) features and functionality 
Configure secure connectivity for site-to-site VPN using certificate authorities 
Analyse dynamic multipoint VPN (DMVPN) features and capabilities 
Configure and verify secure connectivity for site-to-site VPN operations 
Provide highly secure network access with secure socket layer (SSL) VPN to deliver remote access connectivity features and benefits 
Evaluate EasyVPN benefits and configure EasyVPN server with dynamic virtual tunnel interface (DVTI) to create a virtual access interface on the virtual tunnel interface 
Configure and verify EasyVPN remote to establish a site-to-site connection using both router and VPN software clients 
Implement group-encrypted transport (GET) VPN features to simplify the provisioning and management of VPN 
Evaluate NFP features and functionality to provide infrastructure protection 
Secure the management plane, the data plane and the control plane using OS features of the router 

Forms

Assessment Cover Sheet

ICTNWK608 - Configure network devices for a secure network infrastructure
Assessment task 1: [title]

Student name:

Student ID:

I declare that the assessment tasks submitted for this unit are my own work.

Student signature:

Result: Competent Not yet competent

Feedback to student

 

 

 

 

 

 

 

 

Assessor name:

Signature:

Date:


Assessment Record Sheet

ICTNWK608 - Configure network devices for a secure network infrastructure

Student name:

Student ID:

Assessment task 1: [title] Result: Competent Not yet competent

(add lines for each task)

Feedback to student:

 

 

 

 

 

 

 

 

Overall assessment result: Competent Not yet competent

Assessor name:

Signature:

Date:

Student signature:

Date: