End-to-end network security project covering planning, threat modelling, lab implementation, and compliance validation for a 50–100 user office environment.
The project is structured in two phases:
| Phase | Focus | Key Output |
|---|---|---|
| Week 1 | Plan & Secure | Topology, threat model, ACL design, SOC planning |
| Week 2 | Implement & Validate | pfSense lab, firewall tests, simulated vulnerability scan |
Compliance note: A dedicated supplemental section maps all deliverables to ISO/IEC 27001:2022, NIST CSF v1.1, GDPR Article 32, and CIS Controls v8.
```
Internet
   │
   ▼
Perimeter Firewall (pfSense)   ← NAT · ACL · Logging
   │
   ▼
Core Switch — Layer 3 (Inter-VLAN Routing)
   │
   ├── VLAN 10 │ Users      │ 10.0.10.0/24
   ├── VLAN 20 │ Servers    │ 10.0.20.0/24
   ├── VLAN 30 │ IT / Admin │ 10.0.30.0/24
   └── VLAN 40 │ Guest WiFi │ 10.0.40.0/24
```
Firewall posture: deny-by-default — 8 explicit rules with implicit logged deny-all.
- Requirements: 10 functional & security requirements gathered via stakeholder interview prompts
- Topology: Logical VLAN diagram with subnet allocation, gateways, and DHCP scopes
- Threat Model: STRIDE × NIST CSF mapping — 8 threats scored on a Likelihood × Impact (1–5) matrix
- Framework Justification: STRIDE + NIST CSF v1.1 + ISO 27001 Annex A (300-word rationale)
- Firewall / ACL: 8-rule deny-by-default policy mapped to ISO 27001 Annex A controls
- Hardening Plan: 10-step checklist aligned to CIS Controls v8 IG1 — includes MFA enforcement
- SOC Design: Tier 1/2/IR roles, escalation SLAs linked to risk scores, 8-phase IR playbook
- Lab stack: VirtualBox · pfSense 2.8.1 · Ubuntu 24.04 · Kali Linux · Windows Server 2025
- VLAN implementation: Logical segmentation via pfSense sub-interfaces (em1.10–em1.40)
- Firewall validation: 7 controlled tests (ping, nmap) — all pass/fail results documented
- Attack simulation: Nmap port scan; pfSense logs reviewed as part of SOC triage workflow
- Vulnerability assessment: Simulated OpenVAS scan — 5 findings (2 Critical, 2 Medium, 1 Low); all Critical & Medium remediated
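
The log-review step of the SOC triage workflow above can be sketched as follows. This is an added example, not code from the project: it assumes pfSense's raw filterlog CSV layout for IPv4 TCP/UDP entries (syslog header already stripped), and the function names, the `min_ports` threshold, the host addresses and the sample log lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# VLAN subnets as listed in the topology above.
VLANS = {
    "Users": ipaddress.ip_network("10.0.10.0/24"),
    "Servers": ipaddress.ip_network("10.0.20.0/24"),
    "IT / Admin": ipaddress.ip_network("10.0.30.0/24"),
    "Guest WiFi": ipaddress.ip_network("10.0.40.0/24"),
}

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "External")

def parse_filterlog(line):
    """Return (action, src, dst, dport) for an IPv4 TCP/UDP entry, else None."""
    f = line.strip().split(",")
    # Assumed field positions: 6=action, 8=IP version, 16=protocol, 18=src, 19=dst, 21=dst port.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp") or not f[21].isdigit():
        return None
    return f[6], f[18], f[19], int(f[21])

def triage(lines, min_ports=5):
    """Flag sources blocked on at least min_ports distinct ports of one destination."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec[0] == "block":
            ports[(rec[1], rec[2])].add(rec[3])
    return [
        {"src": s, "src_vlan": vlan_of(s), "dst": d, "dst_vlan": vlan_of(d), "ports": sorted(p)}
        for (s, d), p in sorted(ports.items()) if len(p) >= min_ports
    ]

def _line(action, src, dst, dport, iface):
    # Builds one constructed filterlog payload (TCP SYN); tracker and ports are made up.
    return (f"5,,,1000000103,{iface},match,{action},in,4,0x0,,64,0,0,DF,6,tcp,60,"
            f"{src},{dst},40000,{dport},0,S,1,,1024,,mss")

# Constructed sample: a guest host probing a server, plus ordinary user traffic.
SAMPLE = (
    [_line("block", "10.0.40.57", "10.0.20.10", p, "em1.40") for p in (21, 22, 23, 80, 443, 445, 3389)]
    + [_line("pass", "10.0.10.15", "10.0.20.10", 443, "em1.10"),
       _line("block", "10.0.10.15", "10.0.20.10", 23, "em1.10"),
       "malformed,entry"]
)

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Each alert carries the source and destination VLAN, so a Tier 1 analyst can see at a glance which segment boundary the blocked traffic was crossing.
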
| Control Area | Standard | Reference |
|---|---|---|
| Network segmentation | ISO 27001 | A.13.1.1 / A.13.1.3 |
| Access control & MFA | ISO 27001 | A.9.1.2 / A.9.4.2 |
| Data classification | ISO 27001 | A.8.2 |
| Log retention (90d hot / 1yr cold) | GDPR Art.32 + ISO 27001 | A.12.4.1 |
| Log integrity (SHA-256) | ISO 27001 | A.12.4.2 |
| Vulnerability management | NIST CSF | ID.RA-1 |
| SOC triage & escalation SLAs | NIST CSF | RS.AN-1 |
| Incident response + chain of custody | ISO 27001 | A.16.1.7 |
| Device hardening (10 steps) | CIS Controls v8 | IG1 |
pfSense 2.8 · VirtualBox · Ubuntu 24.04 · Kali Linux · Windows Server 2025
Nmap · OpenVAS (simulated) · Syslog / SIEM · DHCP · NAT
```
📄 MSIT Final Project — Mar 2026.pdf   ← Full project report (42 pages)
   ├── Cover page & Table of Contents
   ├── Part A — Original project (Weeks 1 & 2, with screenshots)
   └── Part B — Compliance improvements (ISO 27001 · NIST · GDPR · CIS)
🌐 index.html                           ← GitHub Pages portfolio page
```
Dima Serge Patrick
Junior GRC Analyst | DevSecOps | GDPR
🏅 CompTIA Security+ (Jan 2026) · CompTIA A+ (Aug 2025)
📍 Frankfurt area, Germany — Open to relocation
🔗 GitHub Profile