Capstone Project, 2026

Enterprise Network Redesign and Security Validation

Masterschool AI Cybersecurity Analyst Track

NIST CSF v2.0 | OPNsense CE | Wazuh SIEM | VMware | Kali Linux | OpenVAS | STRIDE

4 segments  |  7 VLANs designed  |  6 VMs deployed  |  3 live attacks

Project Context and Real-World Considerations

This project was built to the specific requirements of a simulated client engagement and assessed against a defined set of scoring criteria. A reader with real-world engineering experience will recognise some deliberate simplifications, which I want to address directly.

  • Headcount and subnet sizing: The 92-employee figure represents the firm's projected headcount, not a ceiling. In a real deployment, subnets would be sized with meaningful growth headroom to avoid costly re-addressing.
  • Lab subnets: The virtual lab uses /24 across all VLANs for simplicity. Production uses correctly-sized subnets (/26, /27). This is a documented simplification and does not affect isolation testing validity.
  • Single Hyper-V server: Retaining the existing host was the right cost decision for this engagement. In a greenfield design, HA clustering would be the starting point, not an afterthought.
  • OPNsense in the lab: OPNsense CE is a functionally equivalent substitute for the FortiGate 100F. Both are stateful firewall platforms with the same policy model. The substitution is documented in Segment 2.

Project Overview

This four-segment capstone project simulates the full lifecycle of a cybersecurity engagement for a midsize professional services firm: from stakeholder-driven network design through hands-on attack execution and SIEM validation. It is not a theoretical exercise. Every design decision was justified against real budget constraints and stakeholder priorities, every firewall rule was tested in a live virtual lab, every attack was executed and captured in a SIEM, and every vulnerability finding was remediated and verified with a post-fix scan. The project covers network architecture, firewall policy, threat modelling, SOC operations planning, penetration testing methodology, and vulnerability management in one connected body of work.

The Brief

The Problem

A midsize professional services firm with 92 employees had a flat, under-segmented network: 58 remote workers, corporate endpoints, finance and HR systems, VoIP phones, IoT devices, and a growing guest WiFi footprint all shared the same trust boundary.

The Constraints

  • CapEx: €25,000 – €45,000
  • OpEx ceiling: €1,200 – €4,200 / month
  • Existing FortiGate 100F and Hyper-V server retained
  • 5 stakeholders with competing priorities
  • Governing framework: NIST CSF v2.0

Stakeholders

  • Alex, CEO: productivity
  • Jordan, CFO: cost control
  • Casey, COO / IT Manager: technical ownership
  • Riley, HR Director: data handling
  • Morgan, Compliance Officer: regulatory requirements

The Four Segments

Segment 1: Network Redesign Proposal

The task

Design a segmented network architecture that addresses the firm's risk posture, fits the budget, and survives scrutiny from five stakeholders with different priorities.

Four rounds of stakeholder interviews were held before the design was finalised. The submitted proposal ran 11 pages and received the panel comment: “Approved (Option A). The most real-world signable draft produced.”

VLAN | Name       | Subnet         | Notes
10   | Corporate  | 10.10.10.0/24  | ~165 devices
20   | Guest      | 10.10.20.0/25  | Internet-only, no lateral access
30   | VoIP       | 10.10.30.0/27  | 21 phones, QoS DSCP EF
40   | Servers    | 10.10.40.0/26  | Static IPs, AD/DNS/DHCP/File/Print/Backup
50   | IoT        | 10.10.50.0/25  | ~50 devices, strict egress policy
60   | Finance/HR | 10.10.60.0/27  | ~20 devices, allow-list only, MFA required
100  | VPN Pool   | 10.10.100.0/26 | 33 concurrent sessions at peak

Total CapEx: €33,250 (within ceiling)  |  Monthly OpEx: €2,900 (within ceiling). Existing FortiGate 100F and Hyper-V server retained, saving an estimated €21,000 – €45,000 against replacement cost.
Figure: Logical network topology — 7 VLANs, dual ISP failover, FortiGate 100F, L3 core switch, 9 Wi-Fi 6 APs
Segment 2: Virtual Lab Build

The task

Build a proof-of-concept lab that validates the Segment 1 architecture, demonstrates VLAN isolation, and produces verifiable evidence. The lab runs on VMware Workstation Pro on a Windows 11 host with 64GB RAM, with a default-deny firewall policy mirroring the production FortiGate design.

  • OPNsense CE: firewall, router and DHCP server. WAN 192.168.179.129, LAN 10.10.10.254
  • Client-01: Ubuntu 24.04, VLAN 10, 10.10.10.10/24
  • Server-01: Ubuntu 24.04, VLAN 40, 10.10.40.10/24
  • Client-02: Ubuntu 24.04, VLAN 60, 10.10.60.10/24

Evidence collected: DHCP lease screenshots from all three VLANs, firewall rule exports, ping and traceroute from every VM confirming correct routing and blocking, and three packet captures. Every lab component is mapped to its production equivalent in an alignment section.

Figure: OPNsense firewall rules for OPT2 (VLAN 60 Finance/HR) — default-deny baseline with explicit permit rules mirroring the production FortiGate policy
Segment 3: Security and SOC Plan

The task

Produce a formal 12-page security document covering threat modelling, firewall policy, device hardening, logging, SOC operations, incident response playbooks, and a seven-phase deployment roadmap. The document is structured around NIST CSF v2.0; seven threats, categorised with STRIDE, were scored on a 5x5 Likelihood x Impact matrix.

ID   | Threat                                      | Score | Rating
T-01 | Ransomware via phishing to VLAN 40          | 25    | CRITICAL
T-02 | VPN credential compromise                   | 16    | HIGH
T-03 | Insider threat / Finance-HR exfiltration    | 15    | HIGH
T-04 | IoT firmware exploit pivot                  | 12    | MEDIUM
T-05 | DoS against primary ISP                     | 12    | MEDIUM
T-06 | Guest WiFi VLAN hopping                     | 8     | MEDIUM
T-07 | Supply chain firmware compromise            | 5     | LOW

Three full incident response playbooks follow NIST SP 800-61: Ransomware (RTO 4h, RPO 24h, GDPR 72h notification window), VPN Credential Compromise, and Insider Threat / Finance-HR Exfiltration. The SOC model defines four roles with SLA-based escalation paths.

Segment 4: Security Validation

The task

Extend the lab with attack infrastructure and a SIEM. Execute real attacks, validate that detections fire, run a vulnerability scan, remediate findings, and verify the fixes with a post-fix scan.

  • SIEM-01: Wazuh v4.9.2, VLAN 40, 10.10.40.20/24
  • Kali-01: attack VM, VLAN 10, 10.10.10.161/24

Attack 1, VLAN isolation test: nmap SYN scan from Kali (VLAN 10) targeting Client-02 (VLAN 60). All 1,000 ports filtered. OPNsense enforced isolation cleanly; Rules 100002 and 100003 fired.

Attack 2, SSH brute force: Hydra credential spray against Client-01 generated 10,121 authentication failures. Rule 100001 fired repeatedly, with a real-time spike visible in the Wazuh dashboard.

Attack 3, lateral movement attempt: nmap from VLAN 10 targeting VLAN 60 hosts. OPNsense dropped all packets; Rule 100002 fired and the block events were logged and alerted.
Figure: Attack 1, nmap from Kali (VLAN 10) against VLAN 60 — all 1,000 ports filtered, VLAN isolation confirmed

Figure: Attack 2, Wazuh Threat Hunting dashboard — 10,121 authentication failures captured from Hydra brute force

Figure: Wazuh Network and Firewall Activity dashboard — MITRE ATT&CK tactic mapping (Credential Access, Lateral Movement) with Kali (10.10.10.161) identified as top source at 7,244 events

Vulnerability scan (GVM / OpenVAS) on pre-hardened endpoints produced 2 Low-severity findings: TCP Timestamps information disclosure and weak SSH MAC algorithms. Both were remediated and verified. The post-fix scan returned 0 findings above severity 0.0.

Figure: GVM / OpenVAS scan results — 2 Low-severity findings on pre-hardened endpoints (TCP Timestamps and Weak SSH MAC algorithms), both subsequently remediated
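The two remediations behind that post-fix scan, as an added example (not the project's own hardening script) for an Ubuntu 24.04 endpoint; the file names under sysctl.d and sshd_config.d, the ROOT prefix, and the exact MAC list are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's own script: remediates the two OpenVAS
# findings named on this page on an Ubuntu 24.04 host and verifies the result.
#   1. TCP timestamps information disclosure  -> net.ipv4.tcp_timestamps = 0
#   2. Weak SSH MAC algorithms (MD5, SHA-1, 96-bit truncation) -> restrict MACs
# ROOT is an assumed prefix so the functions can be exercised against a scratch
# tree; leave it empty and run as root on the real host.
set -eu
ROOT="${ROOT:-}"

harden_tcp_timestamps() {
    local f="$ROOT/etc/sysctl.d/99-tcp-timestamps.conf"
    mkdir -p "$(dirname "$f")"
    printf 'net.ipv4.tcp_timestamps = 0\n' > "$f"
    # Apply live only on a real host; a scratch tree has no kernel behind it.
    if [ -z "$ROOT" ]; then sysctl --system >/dev/null; fi
    grep '^net.ipv4.tcp_timestamps = 0$' "$f" >/dev/null
}

harden_ssh_macs() {
    local f="$ROOT/etc/ssh/sshd_config.d/50-macs.conf"
    mkdir -p "$(dirname "$f")"
    # Encrypt-then-MAC variants with SHA-2 or UMAC-128 only; this drops
    # hmac-sha1, hmac-md5, umac-64 and every *-96 variant the scanner flags.
    printf 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n' > "$f"
    if [ -z "$ROOT" ]; then sshd -t && systemctl reload ssh; fi
    grep '^MACs ' "$f" >/dev/null
}

# Post-fix check: exits 0 if a weak MAC is still offered. Feed it the
# effective configuration ("sshd -T | weak_macs_present") on the host; it
# reads stdin so the same check runs against any sshd_config fragment.
weak_macs_present() {
    grep -i '^macs ' | tr ',' '\n' | grep -Ei 'md5|sha1|umac-64|-96' >/dev/null
}

# Usage on the host (as root):
#   harden_tcp_timestamps && harden_ssh_macs
#   sshd -T | weak_macs_present && echo "weak MACs still offered"
```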

Technical Challenges

Honest documentation of problems and how they were resolved is part of the work.

pfSense WAN failure

pfSense could not establish WAN connectivity in VMware. The failure was diagnosed and documented, and pfSense was substituted with OPNsense CE; the substitution is recorded in the Segment 2 submission rather than omitted.

FreeBSD NIC enumeration

OPNsense (FreeBSD) enumerates network interfaces in a different order than VMware presents adapters. Resolved by assigning interfaces via MAC address comparison.

VMware host adapter IP conflict

vmnet11 host adapter (10.10.40.1) collided with OPNsense's OPT1 gateway, breaking inter-VLAN routing via ARP. Fixed by reassigning the host adapter to 10.10.40.250.

Wazuh syslog not appearing

OPNsense syslog traffic confirmed arriving via tcpdump, but not appearing in Wazuh. Root cause: remoted daemon not configured for external syslog on UDP 514. Fixed in ossec.conf.
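The manager-side fix for that challenge, together with a body for the custom rule 100001 that fired on the Hydra run in Segment 4, as an added example (not the project's own ossec.conf or local_rules.xml). The page does not give the rule's thresholds or the syslog source subnet, so the frequency, timeframe, allowed-ips value and ROOT prefix below are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's own files. Produces the two Wazuh manager
# fragments Segment 4 depends on: a <remote> block so wazuh-remoted accepts
# OPNsense syslog on UDP 514 (the root cause of the "syslog not appearing"
# challenge above), and a body for custom rule 100001. The page only says
# 100001 fired on Hydra's SSH failures, so its thresholds here are assumed.
# ROOT is an assumed prefix for writing into a scratch tree; leave it empty on
# the real manager. The OPNsense-side source subnet 10.10.40.0/24 is assumed.
set -eu
ROOT="${ROOT:-}"

write_remote_syslog() {
    local f="$ROOT/var/ossec/etc/ossec.conf"
    mkdir -p "$(dirname "$f")"
    # ossec.conf may contain several <ossec_config> blocks, so an appended
    # block is merged with the existing configuration on restart.
    cat >> "$f" <<'EOF'
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.10.40.0/24</allowed-ips>
  </remote>
</ossec_config>
EOF
    grep -c '<port>514</port>' "$f"
}

write_bruteforce_rule() {
    local f="$ROOT/var/ossec/etc/rules/local_rules.xml"
    mkdir -p "$(dirname "$f")"
    # 5716 is Wazuh's built-in "sshd: authentication failed." rule; ten of
    # them from one source IP within 60 s escalate to this level-10 alert.
    cat > "$f" <<'EOF'
<group name="local,sshd,authentication_failures,">
  <rule id="100001" level="10" frequency="10" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>SSH brute force: $(srcip) failed 10+ logins in 60 s</description>
    <mitre><id>T1110</id></mitre>
  </rule>
</group>
EOF
    grep -c 'id="100001"' "$f"
}

# On the manager: write_remote_syslog; write_bruteforce_rule;
# systemctl restart wazuh-manager, then watch /var/ossec/logs/alerts/alerts.log
```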

GVM disk fill

GVM PostgreSQL database grew to 19GB and filled the disk to 100%. Recovery: pg_dropcluster, pg_createcluster, and full gvm-setup rebuild.

Wazuh CVE database fill

Wazuh vulnerability detection downloaded 12.7GB of CVE data and filled the 24GB disk. Fixed by extending the LVM volume to 48GB and disabling the vulnerability-detection module.

Skills and Tools Demonstrated

Networking

VLAN design, subnet sizing, inter-VLAN routing, QoS (DSCP EF), VPN sizing, dual-ISP failover planning

Firewall and Security Policy

FortiGate 100F, OPNsense CE, default-deny policy design, least-privilege permit rules

Virtualisation

VMware Workstation Pro, VM networking, custom vmnets, ISO deployment

Operating Systems

Ubuntu Server 24.04 LTS, FreeBSD (OPNsense), Kali Linux

SIEM

Wazuh v4.9.2, agent deployment, custom detection rules (XML), syslog ingestion, dashboard construction

Attack Tools

nmap (SYN scan), Hydra (SSH brute force), lateral movement simulation

Vulnerability Management

Greenbone Vulnerability Manager, OpenVAS, scan configuration, finding interpretation, remediation, post-fix verification

Hardening

UFW, sshd_config, sysctl, Linux system administration

Frameworks

NIST CSF v2.0, NIST SP 800-61, STRIDE threat modelling

Documentation

Stakeholder interview methodology, formal security documentation, incident response playbooks, technical evidence collection

Closing

This project represents the full scope of a junior-to-mid security practitioner's responsibility on a real engagement: understanding business requirements, translating them into a technical design, building and testing that design in a controlled environment, planning and operating a detection capability, and proving it works under adversarial conditions. The work is grounded in constraints that exist in real organisations, not clean-room assumptions. Every major decision has a documented reason, and every claimed outcome has evidence behind it.

The capstone deliberately mirrors what entry-level and mid-level security roles actually involve: a mix of architecture, operations, analysis, and communication. That breadth is intentional, and the depth within each segment demonstrates that the breadth is not superficial.
