Tariqshinwar/secure-network-design

πŸ›‘οΈ Project 10: Secure Network Design

This project demonstrates a secure network design that implements layered security principles, DMZ (Demilitarized Zone) segmentation, VLANs, firewalls, and intrusion detection/prevention to protect critical systems from internal and external threats.

Secure Network Design Diagram


📊 Network Architecture Overview

The network design includes:

  • Internet Gateway
    • Connects the internal network to the public internet.
    • Protected by an Edge Firewall (pfSense).
  • DMZ Zone
    • Hosts public-facing services (Web Server, DNS Server, Mail Server).
    • Segregated using VLANs and firewall rules to limit traffic to and from the internal LAN.
    • Monitored with Snort IDS/IPS.
  • Internal LAN
    • Consists of employee workstations, internal file servers, and printers.
    • Isolated from the DMZ with strict ACLs.
  • Admin Network (VLAN 20)
    • Only accessible by system/network admins.
    • Used to manage servers, firewalls, and switches.
  • WiFi Network (VLAN 30)
    • Guest and employee WiFi access.
    • Isolated from the LAN using VLAN tagging and firewall rules.
  • Monitoring Server
    • Runs SIEM tools (e.g., Wazuh or Security Onion).
    • Collects logs from the IDS, the firewall, and the servers.

🔒 Security Features Implemented

| Feature | Purpose |
| --- | --- |
| 🔥 pfSense Firewall | Controls traffic between zones (DMZ ↔ LAN ↔ WAN) |
| 🧠 Snort IDS/IPS | Detects/prevents suspicious activity in real time |
| 🔄 VLAN Segmentation | Isolates traffic between sensitive departments |
| 🎯 ACLs and NAT Rules | Limits access to critical systems and masks internal IPs |
| 🔐 VPN for Admin Access | Secure remote access for administrators |
| 🔭 Centralized Logging | Monitors all network activity for forensics and compliance |
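To make the zone policy above concrete, here is an added example (not the project's own configuration) that encodes the DMZ/LAN/VLAN segmentation as an ordered, first-match rule list with an implicit default deny, the way pfSense interface rules behave, and evaluates sample flows against it. The addresses, ports, and zone-to-subnet mapping are constructed assumptions for a lab, not values from the repository.

```python
import ipaddress

# Constructed lab addressing for the zones in this README (assumption, not the project's plan).
ZONES = {
    "DMZ": ipaddress.ip_network("10.10.0.0/24"),
    "LAN": ipaddress.ip_network("10.20.0.0/24"),
    "ADMIN": ipaddress.ip_network("10.30.20.0/24"),   # VLAN 20
    "WIFI": ipaddress.ip_network("10.30.30.0/24"),    # VLAN 30
    "MON": ipaddress.ip_network("10.40.0.0/24"),      # monitoring / SIEM server
}
ANY = "any"

# Ordered, first-match rules: (src_zone, dst_zone, proto, dst_ports, action).
# Anything that matches nothing falls through to the implicit deny, as on a pfSense interface.
RULES = [
    ("WAN",   "DMZ", "tcp", {80, 443, 25}, "allow"),  # public web and mail
    ("WAN",   "DMZ", "udp", {53},          "allow"),  # public DNS
    ("DMZ",   "MON", "udp", {514},         "allow"),  # syslog to the SIEM
    ("DMZ",   ANY,   ANY,   ANY,           "deny"),   # DMZ never initiates inward
    ("ADMIN", ANY,   "tcp", {22, 443},     "allow"),  # admin VLAN manages every zone
    ("WIFI",  "WAN", ANY,   ANY,           "allow"),  # WiFi gets internet only
    ("WIFI",  ANY,   ANY,   ANY,           "deny"),   # ... and nothing internal
    ("LAN",   "DMZ", "tcp", {80, 443},     "allow"),  # staff reach public services
    ("LAN",   "WAN", ANY,   ANY,           "allow"),
    ("LAN",   "MON", "udp", {514},         "allow"),  # workstations ship logs too
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the lab ranges is treated as WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (action, rule_index); rule_index is None when the implicit deny applied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for i, (rs, rd, rp, rports, action) in enumerate(RULES):
        if rs != src or rd not in (dst, ANY) or rp not in (proto, ANY):
            continue
        if rports != ANY and dport not in rports:
            continue
        return action, i
    return "deny", None

if __name__ == "__main__":
    for flow in [("203.0.113.5", "10.10.0.10", "tcp", 443), ("10.10.0.10", "10.20.0.15", "tcp", 445),
                 ("10.30.30.7", "10.20.0.15", "tcp", 445), ("10.20.0.15", "10.10.0.10", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
```

Running the flows at the bottom shows the inbound web request allowed, the DMZ-to-LAN and WiFi-to-LAN attempts denied by explicit rules, and an unlisted LAN-to-DMZ SSH attempt caught by the implicit deny.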

πŸ› οΈ Tools & Technologies

  • VirtualBox (Lab Environment)
  • pfSense (Firewall/Router)
  • Snort 3 (IDS/IPS)
  • Ubuntu Server (Web, Mail, DNS)
  • SIEM Platform (e.g., Wazuh/Security Onion)

🧠 What I Learned

  • The principle of network segmentation and least privilege.
  • How to structure DMZs to protect internal resources.
  • Configuring firewall rules and access control lists.
  • The role of SIEM tools in monitoring modern networks.
  • The importance of redundancy and failover in secure design.

📸 Screenshots

(Save your 3–4 key screenshots under the screenshots/ folder and name them meaningfully.)

  • vm-layout.png
  • pfsense-firewall-rules.png
  • snort-ids-alerts.png
  • network-diagram.png ✅

✅ Status: Completed

All architecture and security features were diagrammed, explained, and documented.

About

This design demonstrates a small secure network.
