Ready when you are.
A brand-new website, a network rebuild, a custom board or a tricky hardware fault, drop us a line and we'll respond within one working day. Quotes are free.
info@nyna.co.uk
All work
Information security · Coursework
Threat-modelling a network, peg by peg.
A security assessment that put a CEO's "Peg DHCP" idea, handing out WiFi access on a physical pegboard (RFC 2322), through operationalisation, usability, security and business-impact analysis, then used DREAD threat-modelling to score three firewall architectures and recommend the safest. Royal Holloway, IY2840 Information Security.
RFC 2322Peg DHCP under review
DREADQuantified threat model
CIAConfidentiality / integrity / availability
IY2840Information Security, RHUL
The brief
A pegboard for guest WiFi?
Peg DHCP assigns each guest a physical peg printed with a static IP, which they type in to get online, no automation, no authentication, no logging. The CEO liked it as a novelty. I assessed whether it belonged anywhere near a production guest network.
Operations Fails
A pegboard has to be built and hand-maintained; pegs get lost, stolen or damaged, causing IP conflicts. It does not scale, busy periods create bottlenecks, and every fault needs IT to step in.
Usability Fails
Guests expect a password or a portal, not a walk to a physical board. It is slow at peak times and inaccessible to users with mobility or vision needs.
Security Fails
A peg is a bearer token: stolen, duplicated or social-engineered, it grants access with no password or 2FA. There is no logging, so a breach leaves no trail.
Business impact Fails
It loads IT and reception staff, looks unprofessional to clients, and breaks compliance regimes that require authentication and activity logging, exposing the firm to regulatory risk.
Recommendation: drop Peg DHCP. Use a secure web-portal login, time-limited access codes issued at reception, and network segmentation that keeps guest traffic off the core network.
DREAD threat model
Scoring three firewall designs.
| Architecture | D | R | E | A | D | Score | Risk |
|---|---|---|---|---|---|---|---|
| Single main firewall | 9 | 6 | 8 | 9 | 7 | 7.8 | High |
| Firewall per Class-4 switch | 6 | 4 | 5 | 5 | 4 | 4.8 | Medium |
| Firewall per ZK435 switch + specialist | 3 | 2 | 3 | 2 | 3 | 2.6 | Low |
The call
A single perimeter firewall scores worst: one breach exposes everything across the CIA triad, and it is the easiest target. Distributing firewalls behind each switch and giving each business unit a dedicated specialist contains a breach to one segment and brings the score down to 2.6, so that distributed design is the recommendation.
Mitigations
- Strict access-control rules and least privilege at every firewall
- Intrusion-detection monitoring for anomalous behaviour
- Segment guest traffic away from the core network
- Regular configuration audits and IT-staff threat training
Get in touch
Let's build something that performs.
Email
info@nyna.co.uk Phone
020 8087 4237
info@nyna.co.uk Phone
020 8087 4237
Office
Office 1.42, Building 2, Croxley Business Park, WD18 8YA
Office 1.42, Building 2, Croxley Business Park, WD18 8YA