Information Security CEP

UETM Secure Network Architecture

System Online

Live Network Stats

0 Nodes

0 VLANs

0 Packets/s

0 Blocked

Defense-in-Depth Security Architecture

Multi-layered security model protecting UETM's internal and external communications across all network tiers.

Critical Data

Click on a security layer ring above to view its configuration details

Next-Gen Firewall

Deep packet inspection, IPS/IDS, application-aware filtering at network perimeter

Active Cisco Firepower 2100

IPSec/SSL VPN

Encrypted tunnels for remote faculty access and inter-campus WAN communication

Active AES-256 Encryption

802.1X NAC

Port-level authentication with RADIUS ensuring only authorized devices connect

Partial FreeRADIUS + AD

SIEM / SOC

Centralized log aggregation, correlation, and real-time threat intelligence analysis

Proposed Wazuh / ELK Stack

VLAN Segmentation

Microsegmentation isolating departments, labs, admin, and guest networks

Active 35+ VLANs

Endpoint Protection

EDR agents on all workstations with behavioral analysis and automated response

Partial CrowdStrike Falcon

Threat Simulation Engine

Simulate common attack vectors against the UETM network and observe how defense mechanisms respond in real-time.

Simulation Console

--:--:-- Select an attack scenario to begin simulation...

Current vs. Proposed Architecture

Analysis of UETM's existing network layout weaknesses and the proposed improvements for a secure, scalable campus network.

Flat Network — No Segmentation

All departments, labs, admin, and hostels share one broadcast domain. A single compromised device can reach every other device on the network.

Risk: 95% — Critical

No Next-Generation Firewall

Basic ACLs on the router provide no deep packet inspection, no IDS/IPS, no application-level filtering. Advanced threats pass through undetected.

Risk: 88% — High

No Centralized Authentication

No RADIUS/LDAP integration. Shared Wi-Fi passwords across departments. No individual accountability or device posture checking.

Risk: 82% — High

Unencrypted Internal Traffic

Exam data, grades, and administrative communications traverse the LAN in plaintext. Susceptible to MITM and packet sniffing attacks.

Risk: 75% — Medium-High

No Log Monitoring / SIEM

No centralized logging or security event correlation. Incidents go undetected for days or weeks. No forensic capability.

Risk: 70% — Medium-High

Physical Security Gaps

Server room access not restricted with biometric/card. Network switches in unlocked wiring closets accessible to students.

Risk: 55% — Medium

VLAN Micro-Segmentation

Deploy 35+ VLANs isolating each department, lab cluster, admin wing, hostels, and guest networks. Inter-VLAN routing controlled via L3 ACLs on the core switch with strict deny-all-except policies.

IEEE 802.1Q Private VLANs ACLs

Next-Gen Firewall Deployment

Install Cisco Firepower 2100 or Palo Alto PA-400 at the HEC PERN edge. Enable deep packet inspection, intrusion prevention (IPS), SSL decryption, and geo-IP blocking for known threat countries.

NGFW IPS/IDS DPI

802.1X Network Access Control

Implement FreeRADIUS or Cisco ISE with Active Directory backend. Every device authenticates before receiving network access. Guest portal with captive login for visitors.

RADIUS 802.1X AD Integration

End-to-End Encryption

Deploy TLS 1.3 for all internal web apps (LMS, exam portals). Implement IPSec tunnels for inter-building backbone links. Encrypt DNS with DoH/DoT to prevent snooping.

TLS 1.3 IPSec DoH/DoT

SIEM & SOC Establishment

Deploy Wazuh + ELK Stack for centralized log collection from all network devices. Set up correlation rules for brute-force, lateral movement, and data exfiltration detection.

Wazuh ELK Stack SOAR

Zero Trust Architecture

Move toward never-trust, always-verify model. Continuous authentication, micro-segmentation at application layer, and context-aware access policies for sensitive resources.

Zero Trust MFA Conditional Access

UETM Security Operations