Comprehensive Authentic Assessment Plan Deliverables
A: Executive Summary (ES)
Background Information for World-Wide Trading Company
World-Wide Trading Company (WWTC) is a large online brokerage firm in Singapore. The company has a staff of 9,000 scattered around the globe. Due to aggressive growth in business, it wants to establish a regional office in New York City and has leased an entire floor of a building on Wall Street. You (your group) were selected as the contractor to build a state of the art, high availability, secure network. The President of the company has asked you to set up this network by the end of this year. He shared with you the organizational structure and a list of the 100 employees. The floor of the new site is solid, and a gigabit network can be set up on the existing network wiring. The existing power supply will also meet the client’s current and future demand. The President has set the following business goals:
Business and Technical Goals
Increase revenue from 5 billion to 35 billion in three to four years
Reduce the operating cost from 28 to 16 percent in two to three years by using an automated system for buying and selling.
Provide secure means of customer purchase and payment over the Internet.
Build a high availability, moderate confidentiality and moderate integrity unclassified network (based on The National Institute of Standards and Technology - NIST)
Build a classified network with high confidentiality, moderate integrity, and moderate availability (based on NIST)
Allow employees to attach their notebook computers to the WWTC network and wireless Internet services.
Provide state of the art VoIP and Data Network
Provide faster Network services
Provide fast and secure wireless services in the lobby, conference rooms (100x60), and the cubicle areas.
On the basis of these business goals, your group is responsible for designing, configuring, and implementing fast, reliable and secure networks (classified and unclassified).
WWTC LAN/WLAN/VoIP:
Propose a network design that solves the current security audit problems (see the security sections) and meets the business and technical goals. You are also required to provide a modular, scalable network. Provide redundancy at the building core layer, the building distribution layer, the access layer and the workstation level to avoid a single point of failure. For the building access layer, provide redundant uplink connections to the building distribution layer.
Select appropriate Cisco switch model for each part of your enterprise campus model design from the Cisco Products Link, and use the following assumptions in your selection process.
Selecting the access layer switches:
a. Provide one port to each device
b. Make provision for 100% growth
Server farm switches:
a. Assume 6 NIC cards in each server, and one NIC card uses one port of a switch
b. Dual processors and dual power supply
Propose an IP addressing redesign that optimizes IP addressing and IP routing (including the use of route summarization). Provide a migration provision to the IPv6 protocol for the future.
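The addressing redesign asked for above (hierarchical allocation, one summary route per distribution block, and an IPv6 migration provision) as an added Python example; it is not part of the assignment text or of any WWTC design. The site block 10.10.0.0/16, the IPv6 documentation prefix 2001:db8:10::/48 and the department grouping are assumptions chosen for illustration:

```python
"""Hierarchical IPv4 plan with per-block summary routes and an IPv6 mapping.

Added example for the WWTC addressing requirement; it is not part of the
assignment text. The site block 10.10.0.0/16, the IPv6 prefix 2001:db8:10::/48
(documentation range) and the department grouping are constructed assumptions.
"""
from ipaddress import IPv4Network, IPv6Network

SITE_V4 = IPv4Network("10.10.0.0/16")        # assumption: one /16 for the NYC site
SITE_V6 = IPv6Network("2001:db8:10::/48")    # assumption: documentation prefix

# Constructed grouping: each key is one distribution block, each value its
# department subnets (loosely follows the WWTC organization chart).
PLAN = {
    "executive": ["VP-OPR", "CIO", "CFO", "CHRO", "IT-staff", "FIN-staff", "HR-staff"],
    "brokers":   ["NW-USA", "SW-USA", "NE-USA", "SE-USA", "M-USA"],
    "services":  ["server-farm", "voip", "wireless-guest", "printers"],
}


def allocate(site=SITE_V4, block_prefix=20, subnet_prefix=24):
    """Carve one contiguous block per distribution layer and one subnet per
    department inside it, so every block can later be summarized."""
    blocks = site.subnets(new_prefix=block_prefix)
    plan = {}
    for block_name, departments in PLAN.items():
        block = next(blocks)
        subnets = block.subnets(new_prefix=subnet_prefix)
        plan[block_name] = {dept: next(subnets) for dept in departments}
    return plan


def summary_route(subnets):
    """Smallest single prefix that covers every subnet in the block: start at
    the first subnet and widen the mask until all of them fit."""
    nets = list(subnets)
    candidate = nets[0]
    while not all(net.subnet_of(candidate) for net in nets):
        candidate = candidate.supernet()
    return candidate


def summaries(plan):
    """One summary route per distribution block, to be advertised to the core."""
    return {name: summary_route(subs.values()) for name, subs in plan.items()}


def summaries_disjoint(plan):
    """Check that the advertised summaries never overlap each other."""
    routes = list(summaries(plan).values())
    return all(not a.overlaps(b) for i, a in enumerate(routes) for b in routes[i + 1:])


def to_ipv6(v4_subnet, site_v6=SITE_V6):
    """Migration mapping: embed the IPv4 third octet as the /64 subnet id, so
    10.10.X.0/24 becomes <site_v6>:X::/64 and the two plans read side by side."""
    third_octet = (int(v4_subnet.network_address) >> 8) & 0xFF
    return IPv6Network((int(site_v6.network_address) | (third_octet << 64), 64))


if __name__ == "__main__":
    plan = allocate()
    routes = summaries(plan)
    for name, subs in plan.items():
        print(f"{name}: summary {routes[name]}")
        for dept, net in subs.items():
            print(f"  {dept:14s} {net}  ->  {to_ipv6(net)}")
    print("summaries disjoint:", summaries_disjoint(plan))
```

Each distribution block advertises a single summary to the core, so a flapping department subnet does not churn the core routing table, and the disjoint check catches the classic mistake of two blocks summarizing into overlapping prefixes. The example generalises the single requirement in the text to any number of blocks and departments.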
Propose a high-level security plan to secure key applications and servers; encrypting all applications is not acceptable. Develop a security policy to stop sniffing and man-in-the-middle attacks. Your security plan must be based on current industry standards and use multilayer security (defense-in-depth).
Integrate voice and data network to reduce cost. For dialing outside, the World-Wide Trading Company proposes a plan for 100% connectivity with a minimum number of outside lines. For telephone requirements, see the Organization Chart and Telephone Equipment Table.
Provide state of the art VoIP and Data Network.
Provide aggregate routing protocols with a hierarchical IP scheme.
Centralize all services and servers to make the network easier to manage and more cost-effective.
Provide LAN speed minimum 100 MB and Internet speed minimum 54 MB.
Provide wireless network access to network users and guest users with a minimum 54 Mbps of bandwidth. (You can assume that site survey is done and no sources of interference or RF were discovered.)
Provide provisions for video conference and multicast services.
Standardize on TCP/IP protocols for the network. Macintoshes will be permitted only as guest notebooks and must use TCP/IP protocols or the Apple Filing Protocol (AFP) running on top of TCP.
Provide extra capacity at switches so authorized users can attach their notebook PCs to the network
Install DHCP software to support notebook PCs
The World-Wide Trading Company will use the following applications/services:
Microsoft Office 365 plan (Office 2016, Exchange, Active Directory, SharePoint, OneDrive, and Skype for Business)
Sending and receiving e-mail
Accessing the library card-catalog
File Server application
Adobe Pro
Secure Zip
Associates will use the following custom applications:
Market Tracking Application. This application will provide real-time status of stock and bond market to brokers and their clients.
Stock and Bond Analytical Application. This application will provide analysis of stock and Bond to Brokers only.
On Line Trading. The Company wishes to train new clients in online trading to attract new customers. The Company will sign up new clients to receive streaming video and instructions.
Assume any information (with proper justification) which you think is missing and critical to the development of the design.
WWTC Security:
WWTC has strong security requirements to ensure strong authentication, data confidentiality and separation between internal protected servers and public servers.
The security design must ensure:
Internet connectivity and any other unclassified network must be physically separate from the network.
E-mail is appropriately used to communicate business sensitive information.
Confidential business information and public data are not connected to the same physical network.
The use of a two-factor authentication mechanism is enabled.
Sensitive business information must not be transmitted in clear text between server and client.
The following is a sample network diagram at another WWTC site
Classified Network
In addition to the required unclassified network, WWTC is requiring a classified network:
1. The classified network must be physically separated from the unclassified network.
2. Only VPs and Department heads are allowed to access the classified network
3. Controls should be put in place to prevent local users from accessing the classified network or removing data in any way. This includes removing media, AV recorders, pen and paper, and any form of printer.
4. All data transmitted on the classified network must be cryptographically protected throughout the network (Crypto devices are highly recommended).
5. All classified data must be centrally stored and secured in a physically separate area from the unclassified network.
6. The classified network is used for classified email only. WWTC needs to be able to send classified email from the NYC office to their HQ office.
7. No redundancy, AD, Wireless, or VoIP required for the classified network.
WAN Connectivity
In addition to the cryptographic protections of the data within the classified network, all data crossing wide-area links should undergo another layer of cryptographic protection such as IPSec/VPN/SSL.
Public Servers
All public servers must be configured for HTTPS connections and accept all requests that come from valid IP addresses and pass through the firewall. Servers must request some proof of identity from the connecting party.
Site-to-site VPN tunnels
All devices must be mutually authenticated and cryptographic protection should be provided.
PSTN dial-up
Dial-up client must authenticate with username and OTP
User Education
All users should undergo periodic user awareness training program on network threats and good security practices.
Other Security Deliverables:
These are only recommendations on the general approach you might take for this project.
1. Determine the most important assets of the company, which must be protected
2. Determine the general security architecture for the company
3. Develop a list of 12 specific security policies that could be applied.
4. Write specific details along with the rationale for each policy
5. Integrate and write up the final version of the Security Policy Document for submittal
6. Develop a high availability secure design for this location addressing the above considerations and mitigating the 4 primary network attack categories mentioned below.
Protect the Network from Four Primary Attack Categories:
Reconnaissance attacks: An intruder attempts to discover and map systems, services, and vulnerabilities.
Access attacks: An intruder attacks networks and systems to retrieve data, or gain access, or escalate access privileges
Denial of Service attacks: An intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, system, or services.
Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, system or services.
Sample Security Policies:
Policies defining acceptable use
Policies governing connections to remote networks
Policies outlining the sensitivity level of the various types of information held within an organization
Policies protecting the privacy of the network’s users and any customer data
Policies defining security baselines to be met by devices before connecting them to the network
Policies for incident response handling
WWTC Active Directory Design:
The WWTC office in New York is largely autonomous and has few IT personnel to take care of day-to-day IT support activities such as password resets and troubleshooting virus problems. You are concerned about sensitive data stored in this location. You want to deploy a highly developed OU structure to implement security policies uniformly and automatically through GPOs across all domains, OUs, and workstations.
At this location Windows Server 2012 R2 is required, providing the following 10 AD features:
1. Use BitLocker encryption technology for device (server and workstation) disk space and volumes.
2. Enable a BitLocker system on a wired network to automatically unlock the system volume during boot (on capable Windows Server 2012 R2 networks), reducing internal help desk call volumes for lost PINs.
3. Create group policies settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive.
4. Enable BranchCache in Windows Server 2012 for substantial performance, manageability, scalability, and availability improvements
5. Implement Cache Encryption to store encrypted data by default. This allows you to ensure data security without using drive encryption technologies.
6. Implement Failover cluster services
7. Implement the File Classification Infrastructure feature to provide an automatic classification process.
8. IP Address Management (IPAM) is an entirely new feature in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network.
9. Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources.
10. Implement Windows Deployment Services, which enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation.
Other AD Deliverables:
Create an Active Directory infrastructure that includes the recommended features.
Create an OU level for users and devices in their respective OUs.
Create Global, Universal and Local groups. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and can be assigned on the basis of the principle of least privilege. (For design purposes, you can assume that WWTC is a single forest with multiple domains.)
Create appropriate GPO and GPO policies and determine where they will be applied.
Reference:
WWTC Organization Chart
VP of Operation (CIO, CFO, CHRO)
Regional VPs: VP NW USA, VP SW USA, VP NE USA, VP SE USA, VP M USA
Note: WWTC is opening an office only at New York location. Please do not confuse Office holder’s title (VP NW USA) with the location.
Table 1: Sample Equipment Inventory
| Subnet | Offices | Telephone | Devices | Comment |
| VP OPR | VP OPR Office | 2 | 1 | Work Stations |
| | CEO IT | 2 | 1 | Work Stations |
| | CEO FIN | 2 | 1 | Work Stations |
| | CEO HR | 2 | 1 | Work Stations |
| | CEO IT’s Staff | 2 | 1 | Work Stations |
| | CEO FIN’s Staff | 2 | 1 | Work Stations |
| | CEO HR’s Staff | 2 | 1 | Work Stations |
| VP NW USA | VP Office | 2 | 2 | Work Stations |
| | Manager 1 | 2 | 2 | Work Stations |
| | Manager 2 | 2 | 2 | Work Stations |
| | Broker 1 | 2 | 2 | Work Stations |
| | Broker 2 | 2 | 2 | Work Stations |
| | Broker 3 | 2 | 2 | Work Stations |
| | Broker 4 | 2 | 2 | Work Stations |
| | Staff | 2 | 2 | Work Stations |
| VP SW USA | VP SW Office | 2 | 2 | Work Stations |
| | Manager 1 | 2 | 2 | Work Stations |
| | Manager 2 | 2 | 2 | Work Stations |
| | Broker 1 | 2 | 2 | Work Stations |
| | Broker 2 | 2 | 2 | Work Stations |
| | Broker 3 | 2 | 2 | Work Stations |
| | Broker 4 | 2 | 2 | Work Stations |
| | Staff | 2 | 2 | Work Stations |
| VP NE USA | VP NE Office | 2 | 2 | Work Stations |
| | Manager 1 | 2 | 2 | Work Stations |
| | Manager 2 | 2 | 2 | Work Stations |
| | Broker 1 | 2 | 2 | Work Stations |
| | Broker 2 | 2 | 2 | Work Stations |
| | Broker 3 | 2 | 2 | Work Stations |
| | Broker 4 | 2 | 2 | Work Stations |
| | Staff | 2 | 2 | Work Stations |
| VP SE USA | VP SE Office | 2 | 2 | Work Stations |
| | Manager 1 | 2 | 2 | Work Stations |
| | Manager 2 | 2 | 2 | Work Stations |
| | Broker 1 | 2 | 2 | Work Stations |
| | Broker 2 | 2 | 2 | Work Stations |
| | Broker 3 | 2 | 2 | Work Stations |
| | Broker 4 | 2 | 2 | Work Stations |
| | Staff | 2 | 2 | Work Stations |
| VP M USA | VP M Offices | 2 | 2 | Work Stations |
| | Manager 1 | 2 | 2 | Work Stations |
| | Manager 2 | 2 | 2 | Work Stations |
| | Broker 1 | 2 | 2 | Work Stations |
| | Broker 2 | 2 | 2 | Work Stations |
| | Broker 3 | 2 | 2 | Work Stations |
| | Broker 4 | 2 | 2 | Work Stations |
| | Staff | 2 | 2 | Work Stations |
| Printer | | | 20 | At various offices. Exact location to be determined. |
| Server | | | | |
WLC and AP ordering Guide
Table 4. Sample Ordering Information for Cisco Wireless LAN Controllers
Product Features Customer Requirements
Part Number
Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controller
• Modular support of 12, 25, 50, or 100 Cisco Aironet access points
• The Cisco 4402 with 2 Gigabit Ethernet ports supports configurations for 12, 25, and 50 access points
• The Cisco 4404 with 4 Gigabit Ethernet ports supports configurations for 100 access points
• IEEE 802.1D Spanning Tree Protocol for higher availability
• IPSec encryption
• Industrial-grade resistance to electromagnetic interferences (EMI)
• For midsize to large deployments
• High availability
• AIR-WLC4402-12-K9
• AIR-WLC4402-25-K9
• AIR-WLC4402-50-K9
• AIR-WLC4404-100-K9
See the Cisco Wireless LAN Controllers Data Sheet for more information.
Cisco 2100 Series Wireless LAN Controller
• Supports up to 6, 12 or 25 Cisco Aironet access points
• Eight Ethernet ports, two of which can provide power directly to Cisco APs
• Desk mountable
• For retail, enterprise branch offices, or SMB deployments
• AIR-WLC2106-K9
• AIR-WLC2112-K9
• AIR-WLC2125-K9
See the Cisco 2106 Wireless LAN Controller Data Sheet for more information.
Cisco Catalyst® 6500 Series / 7600 Series Wireless Services Module (WiSM)
• Wireless LAN Controller for Cisco Catalyst 6500 or Cisco 7600 Series Router
• Supports 300 Cisco Aironet access points
• IPSec encryption
• Industrial-grade resistance to electromagnetic interferences (EMI)
• Intrachassis and interchassis failover
• Interoperable with Cisco Catalyst 6500 Series Firewall and IDS services modules
• Embedded system for the Cisco Catalyst 6500 Series and Cisco 7600 Series Router infrastructure
• For large-scale deployments
• High availability
• WS-SVC-WISM-1-K9
• WS-SVC-WISM-1-K9= (spare)
See the Cisco Catalyst Wireless Services Module Data Sheet for more information.
Cisco Catalyst 3750G Integrated WLAN Controller
• Cisco Catalyst 3750G Series Switch with wireless LAN controller capabilities
• Modular support of 25 or 50 Cisco Aironet access points per switch (and up to 200 access points per stack*)
• IPSec encryption
• Industrial-grade resistance to electromagnetic interferences (EMI)
• For midsize to large deployments
• High availability
• WS-C3750G-24WS-S25
• WS-C3750G-24WS-S50
See the Cisco Catalyst 3750G Integrated Wireless LAN Controller Data Sheet for more information.
Cisco Wireless LAN Controller Module for Cisco Integrated Services Routers
• Wireless LAN controller integrated into Cisco integrated services routers
• Supports 6, 8, 12, or 25 Cisco Aironet access points
• Embedded system for Cisco 2800/3800 Series and Cisco 3700 Series routers
• For retail, small to medium-sized deployments or branch offices
• NME-AIR-WLC6-K9
• NME-AIR-WLC6-K9= (spare)
• NME-AIR-WLC8-K9
• NME-AIR-WLC8-K9= (spare)
• NME-AIR-WLC12-K9
• NME-AIR-WLC12-K9= (spare)
• NME-AIR-WLC25-K9
• NME-AIR-WLC25-K9= (spare)
See the Cisco WLAN Controller Modules Data Sheet for more information.
Please refer to the Cisco Wireless LAN Controller Ordering Guide supplement to learn when to add the following SKUs to track the deployment of voice and context-aware mobility applications.
Table 2. Cisco Aironet Indoor Rugged, Indoor, Wireless Mesh, and Outdoor Rugged Access Points
Product Features Customer Requirements
Part Number
Indoor Rugged Access Points
Cisco Aironet 1250 Series
• Industry's first business-class access point based on the IEEE 802.11n draft 2.0 standard
• Provides reliable and predictable WLAN coverage to improve the end-user experience for both existing 802.11a/b/g clients and new 802.11n clients
• Offers combined data rates of up to 600 Mbps to meet the most rigorous bandwidth requirements
• Designed for both office and challenging RF environments
• Especially beneficial for environments with the following characteristics:
• Challenging RF environments (for example, manufacturing plants, warehouses, clinical environments)
• Bandwidth-intensive applications (for example, digital imaging, file transfers, network backup)
• Real-time, latency-sensitive applications such as voice and video
• Need to support existing 802.11a/b/g and new 802.11n wireless clients
Access point platform with pre-installed radio modules:
• AIR-AP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Autonomous Access Point; 6 RP-TNC
• AIR-AP1252G-x-K9: 802.11g/n-draft 2.0 2.4-GHz Modular Autonomous Access Point; 3 RP-TNC
• AIR-LAP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Unified Access Point; 6 RP-TNC
• AIR-LAP1252G-x-K9: 802.11g/n-draft 2.0 2.4-GHz Modular Unified Access Point; 3 RP-TNC
See the Cisco Aironet 1250 Series Ordering Guide for more information.
Cisco Aironet 1240AG Series
• Second-generation 802.11a/g dual-band indoor rugged access point
• 2.4-GHz and 5-GHz antenna connectors for greater range or coverage versatility and more flexible installation options using the broad selection of Cisco antennas available
• Ideal for challenging indoor RF environments
• Recommended for offices and similar environments
• Ideal for deployments above suspended ceilings
• Recommended for outdoors when deployed in a weatherproof NEMA-rated enclosure
• AIR-AP1242AG-x-K9: 802.11a/g Nonmodular Cisco IOS Software-Based Access Point; RP-TNC
• AIR-LAP1242AG-x-K9: 802.11a/g Nonmodular LWAPP Access Point; RP-TNC
See the Cisco Aironet 1240AG Series 802.11a/b/g Data Sheet for more information.
Indoor Access Points
Cisco Aironet 1130AG Series
Low-profile, enterprise-class 802.11a/g access point with integrated antennas for easy deployment in offices and similar RF environments
Ideal for offices and similar environments
• AIR-AP1131AG-*X-K9
See the Cisco Aironet 1130AG Series Ordering Guide for more information.
Wireless Mesh Access Points
Cisco Aironet 1520 Series
• Next-generation outdoor wireless mesh access point
• Integrated dual band 802.11 a/b/g radios, Ethernet, fiber and cable modem interface
• Provides easy and flexible deployments for outdoor wireless network
• Available in a lightweight version only
• Ideal for outdoors
• Recommended for industrial deployments and local government, public safety, and transit agencies
• AIR-LAP1522AG-X*-K9:
See the Cisco Aironet 1520 Series Lightweight Outdoor Mesh Access Point Ordering Guide for more information.
Cisco Aironet 1500 Series
• Mesh access point that enables cost-effective, scalable deployment of secure outdoor wireless LANs for metropolitan networks or enterprise campuses
• Available in a lightweight version only
• Ideal for outdoors
• Recommended for providing wireless services and applications to local government, public safety, and transit agencies
• AIR-LAP1510AG-*X-K9: Cisco Aironet 1510AG Lightweight Outdoor Mesh Access Point, FCC configuration
See the Cisco Aironet 1500 Series Ordering Guide for more information.
Outdoor Rugged Access Points
Cisco Aironet 1400 Series
• High-speed, high-performance outdoor bridging solution for line-of-sight applications
• Offers affordable alternative to leased-line services
• Available in a standalone version only
• High-speed building-to-building or campus connectivity
• Share LAN/Internet access between two or more sites
• Fast installation
• AIR-BR1410A-*X-K9: With integrated antenna
• AIR-BR1410A-A-K9-N: With N-Type connector for use with external antennas
See the Cisco Aironet 1400 Series Bridge Data Sheet for more information.
Cisco Aironet 1300 Series
Outdoor access point/bridge offers high-speed and cost-effective wireless connectivity between multiple fixed or mobile networks and clients
Ideal for outdoor areas, network connections within a campus area, temporary networks for portable or military operations, or outdoor infrastructure for mobile networks
• AIR-BR1310G-X-K9: With integrated antenna
• AIR-BR1310G-X-K9-R: With RP-TNC connector for use with external antennas
• AIR-BR1310G-A-K9-T: For transportation applications
See the Cisco Aironet 1300 Series Ordering Guide for more information.
*X = regulatory domain
(Source: Courtesy of the Cisco Web site, http://cisco.com/en/US/prod/collateral/wireless/ps5679/ps6548/prod_brochure0900aecd80565e00_ps2706_Products_Brochure.html)
WLC and AP Placement Templates
Suggested Placement Table (Wireless Network)
| Building | Access Point Requirements | Wireless LAN Controller Requirements | Total AP | Total WLC |
| Building | | | | |
| Lobby | | | | |
| Cafeteria | | | | |
| Conference room | | | | |
Suggested Product Table (WLC)
| WLC | Cisco Part Number | Quantity | Cost |
| Cisco 2100 Series Wireless LAN Controller | AIR-WLC2106-K9 | 2 | |
Suggested Product Table (AP)
| AP | Cisco Part Number | Quantity | Cost |
| Cisco Aironet 1250 Series | AIR-AP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Autonomous Access Point; 6 RP-TNC | 20 | |
B: Project Goal
Introduction
A top notch security program starts with security policies as the foundation, along with processes and procedures for updating those policies to meet the ever changing cyber security threats faced by all organizations, including WWTC. The following policies are intended as a starting point. Additional policies must be developed to ensure that all information security concerns are addressed by the company, resulting in a secure, defense in depth based security program. Violation of any security policy is grounds for dismissal.
Information Classification
One often overlooked aspect of an all-encompassing security program is the need to properly classify information so that each type of information is handled properly and according to best practice (based upon the sensitivity of the information).
Scope: Includes all information stored, processed and/or transported over the WWTC networks.
Public Information: Information that can be safely released outside WWTC without risk of damage to WWTC.
Confidential: Information that requires controlled release and may be damaging to WWTC if accessed by unintended audiences.
Minimal Sensitivity: General company information that should stay within the company but will cause minimal damage if accessed by unintended audiences. Can be transported inside the company in any format. Only U.S. mail, courier, encrypted file transfer and encrypted email are allowed outside WWTC.
Moderate Sensitivity: Information that would cause serious damage to WWTC if accessed by unintended audiences. Only encrypted transport is approved within the company, and only private courier, encrypted email and encrypted file transfer are permissible outside WWTC. Access is on a need to know basis, auditing is mandatory, and improper disclosure is grounds for termination.
High Sensitivity: Unintended access to high sensitivity information can result in unrecoverable damage to WWTC. Only highly encrypted transport including non-repudiation is allowed inside and outside the company. Only private courier is allowed outside the company. Need to know access and auditing are mandatory. Improper disclosure is grounds for termination.
Network/Internet
Scope: Applies to all WWTC personnel, management and systems.
Policy: All web based access must be via secure TLS connections only. Clear text HTTP is permitted by management approval only. Unlicensed copyrighted material is not permitted. Password/access credential sharing is not permitted. Network scanning, sniffing and monitoring are not permitted. Bypassing user authentication is not permitted. Malware and software that is not approved by management are not permitted.
Acceptable Use
The acceptable use security policy outlines what activities are and are not permitted on the WWTC networks and systems by employees, partners, and management.
Scope: Applies to all personnel, employees, partners and management that use WWTC networks and systems.
Policy: All information created using WWTC networks and systems is the property of WWTC. Personal use of WWTC networks is prohibited. Sharing authentication credentials is prohibited. All displays/user interfaces must be protected with an automatic lock that triggers after 10 minutes of non-use. All systems must be protected with anti-malware software whose definitions are updated daily. System and network protection bypasses of any kind are strictly prohibited.
WAN
Audit
Scope: Applies to all WWTC owned networks and systems and to systems that connect to WWTC networks.
Policy: The WWTC information security team will perform automated scan audits randomly once per week, manual audits quarterly, and access logging on a continuous basis. Audit logs must be reviewed immediately following each audit.
High Security Network
The WWTC network includes an enclave that stores and processes highly sensitive information. This network is known as the “high security network.”
Scope: Applies to all systems and network infrastructure within the high security network.
Policy: Systems and network infrastructure within the high security network must comply with all configuration requirements mandatory for WWTC DMZ networks. Access from remote networks is prohibited. All systems must comply with 99.99% up time availability. The network must be protected with ACLs that allow access only from management approved hosts. Ingress/egress protection must include firewalls with deep packet inspection and IDS sensors. Access controls must use multi-factor authentication.
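The "management approved hosts only" ACL requirement of this policy, as an added Python example of how such an ordered, first-match ACL is evaluated and how its rejected flows feed the audit log review required above; it is not part of the policy document. The enclave prefix, the two approved hosts, the permitted ports and the flow records are constructed:

```python
"""First-match ACL check for the high security network enclave.

Added example illustrating the "management approved hosts only" rule of the
WWTC policy; it is not part of the original document. The enclave prefix,
the approved hosts, the permitted ports and the flow records are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")
ENCLAVE = IPv4Network("10.10.48.0/22")  # assumption: high security enclave prefix


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


# Constructed: two management-approved hosts may reach the enclave, and only on
# TLS (443) and SSH (22). The final deny restates the implicit deny so that
# rejected flows match a numbered rule and can be logged and reviewed.
APPROVED_HOSTS = [IPv4Network("10.10.2.10/32"), IPv4Network("10.10.2.11/32")]
ACL = [Rule("permit", host, ENCLAVE, port) for host in APPROVED_HOSTS for port in (443, 22)]
ACL.append(Rule("deny", ANY, ENCLAVE))


def evaluate(acl, src, dst, dport):
    """Return (action, rule index) for the first rule that matches the flow,
    or ("deny", None) when nothing matched (the implicit deny of every ACL)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for index, rule in enumerate(acl):
        if src_ip in rule.src and dst_ip in rule.dst and rule.dport in (None, dport):
            return rule.action, index
    return "deny", None


# Constructed flow records (src, dst, dport) as a firewall log would export them.
SAMPLE_FLOWS = [
    ("10.10.2.10", "10.10.48.5", 443),   # approved host, TLS
    ("10.10.2.11", "10.10.48.5", 22),    # approved host, SSH
    ("10.10.2.10", "10.10.48.5", 3389),  # approved host, port not approved
    ("10.10.17.33", "10.10.48.9", 443),  # broker workstation, host not approved
]


def rejected(acl=ACL, flows=SAMPLE_FLOWS):
    """Flows the ACL drops: the entries the audit log review should examine."""
    return [flow for flow in flows if evaluate(acl, *flow)[0] == "deny"]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(ACL, *flow))
    print("rejected:", rejected())
```

The explicit final deny mirrors the implicit deny at the end of a Cisco-style ACL but gives rejected flows a rule number, which is what makes the weekly audit log review meaningful; a flow whose destination is outside the enclave hits no rule at all and is reported as ("deny", None), which is the right result for an ACL applied at the enclave boundary.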
Network Infrastructure VPN
Scope: Applies to all virtual network WAN connections supported by WWTC.
Policy: All virtual network WAN connections utilizing VPN technology must use multi-factor authentication for session establishment, employing one time passwords with CHAP and company issued certificates. Furthermore, only FIPS 140-2 compliant encryption algorithms are to be used for these connections.
Remote Access
Scope: Applies to all employees, partners, contractors and management that require remote access to company networks.
Policy: All remote access connections utilizing VPN technology must use multi-factor authentication for session establishment, employing passwords with CHAP so that passwords are not exchanged over the network, and company issued certificates. Furthermore, only FIPS 140-2 compliant encryption algorithms are to be used for these connections.
Public Server and DMZ
Scope: Applies to all WWTC publicly accessible server systems.
Policy: Public facing systems must operate within a screened subnet, firewall protected (DMZ). Only approved ingress traffic must be allowed through the firewall protecting the screened subnet. The firewalls (one public facing and one facing the private network) must filter OSI layers 2 up through 7. All server systems must be hardened as bastion hosts in accordance with current best practices and defense in depth. All servers and systems within the DMZ must be configured for 99.99% availability with fault tolerant hardware (such as dual power supplies and RAID 5 or 6), UPS, and software failover (if servers are virtual).
Email
Scope: Applies to all employees, partners, contractors and management that require email access while using company networks.
Policy: All email messages within the company must comply with the information classification security policy. Email intended for delivery outside the company must be digitally signed and comply with the company information classification security policy. Email that is unsolicited, intended for harassment, modified without authorization or non-business related is not permitted.
Employee Security Training
Scope: Applies to all employees, partners, contractors and management that use company networks.
Policy: All personnel that work within WWTC must attend a company sponsored information security training session before they can use company networks and must repeat training sessions on an annual basis. Information security training must cover company policy and how to recognize and avoid social engineering attempts such as shoulder surfing and phishing, and how to recognize and respond to malware activity and security breaches. Training must also cover user best practices for safe computing and maintenance and support instructions such as how to reset passwords.
Data Encryption
Scope: All WWTC systems must comply with this policy where encryption is required by company policy.
Policy: All encryption algorithms used must comply with the FIPS 140-2 standard unless not supported by critical software or hardware systems that cannot be replaced. All other algorithms which are not compliant must not be used within company networks.
Wireless
Scope: All WWTC wireless network systems must comply with this policy.
Policy: Only approved and company registered wireless access points are allowed on WWTC premises. All wireless systems must comply with company encryption policies and employ company compliant VPN technologies for all sessions. Authentication must use strong two factor authentication compliant with the company VPN security policies.
Conclusion
By adhering to the aforementioned security policies WWTC will ensure that its newly designed company networks are secure. However, the proposed policies must be regarded as a starting point only, as full coverage of all systems and networks, contingency planning, and maintenance and configuration control policies must be in place to ensure that security policies are both maintained and enforced. Only through due diligence and adherence to best practices will WWTC ensure that all systems and information remain secure.
References
Cisco, (2005), Network Security Policy: Best Practices White Paper, Web. Retrieved from
http://www.cisco.com/en/US/tech/tk869/tk769/
technologies_white_paper09186a008014f945.shtml
Jarmon, (2002), A Preparation Guide to Information Security, Web. Retrieved from
http://www.sans.org/security-resources/policies/Remote_Access_Policy.pdf
Munior, (2001), Managing Desktop Security, Web. Retrieved from
http://www.sans.org/reading_room/whitepapers/basics/managing-desktop-security_520
SANS, (2012), Information Security Policy Templates, Web. Retrieved from
http://www.sans.org/security-resources/policies/#template
SANS, (2006), Information Sensitivity Policy, Web. Retrieved from
http://www.sans.org/security-resources/policies/Information_Sensitivity_Policy.pdf
SANS, (2012), Audit Security Policy Templates, Web. Retrieved from
http://www.sans.org/security-resources/policies/audit.php
SANS, (2006), Remote Access Policy, Web. Retrieved from
http://www.sans.org/security-resources/policies/Remote_Access_Policy.pdf
C: Project Scope
Introduction
The earlier proposal focused on the high level network design plan for WWTC, and
touched on each of the requirements WWTC has specified as necessary in order to meet the
company's current and long term growth needs. However, topics such as the equipment list, IP
addressing scheme, and the high level network diagram must also include wireless and VoIP
systems as required by WWTC. In addition, WWTC must have an understanding of how the
WAN will be configured, how fault tolerance will operate, and the link IP address scheme before
accepting and moving forward with the proposal. The following presents these additional design
configurations so that WWTC can move forward with confidence in upgrading their networks.
Equipment List
The following equipment list is an extension of the previous proposal that covers the
additional WWTC requirements mentioned above, including those devices necessary to support
the mandatory VoIP and the LAN to WAN interfaces.
Device | Cisco Model # | Quantity | Comments
Redundant core switches | 6509-E | 2 | Fault tolerant support for up to 534 devices, IP services
Distribution layer switches | 4503-E | 2 | Fault tolerant full mesh distribution layer, IP services
Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller
Firewall with IPS | ASA 5508-X | 2 | Redundant support for dual WAN link design; ingress/egress IPS security
Redundant power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for each WS-C3850-48U-E
Wireless AP | Cisco Aironet 2600 | 8 | 450 Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | Provides 10G redundant support at the core (two per chassis)
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Provides redundant power supply support
Cisco 4500 switch supervisor | Cisco WS-X45-Sup7L-E | 4 | Provides 10G redundant distribution support (two per chassis)
Cisco 4500 series line card | Cisco Catalyst 4500E UPOE line card | 4 | Provides 1G redundant access support
IP Phone | Cisco 7841 | 87 | VoIP
Router | ASR 1004 | 2 | Screened subnet and VoIP enterprise support
Device Naming Conventions Updated
The following table lists the previously identified devices along with the VoIP device
additions mentioned earlier. It is important to establish a device naming convention that makes
sense to all stakeholders involved, is easy to understand and maintain, as it eases administrative
burden, decreases the chance of error, and enables communications about the network and
infrastructure devices on a level that stakeholders other than the IT staff can easily understand.
Device Type | Device | Configured Name | Placement | Connection | Comments
Redundant core switches | Cisco 6509-E switch | CoreSwitch1, CoreSwitch2 | Data Center | 10G to Distribution | Fault tolerant support for up to 534 devices, IP services
Distribution layer switches | Cisco 4503-E switch | DistSwitch1, DistSwitch2 | Data Center | 10G to Core, 1G to Access | Fault tolerant full mesh distribution layer, IP services
Access layer switches | WS-C3850-48U-E | Quad1-1 to Quad1-5, Quad2-1 to Quad2-5, Quad3-1 to Quad3-6, Quad4-1 to Quad4-6 | Data Center | 1G to Distribution, 1G to desktop | UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller
Firewall with IPS | ASA 5508-X | Firewall1, Firewall2 | Data Center | 1G to LAN, 100 Mbps to WAN | Redundant support for dual WAN link design; ingress/egress IPS security
Redundant power supply for access switch | PWR-C1-1100WAC | Secondary Supply | Installed in each WS-C3850-48U-E access switch (Quad1-1 through Quad4-6) | N/A | Second power supply for each WS-C3850-48U-E
Wireless AP | Cisco Aironet 2600 | WiFi AP | Ceiling mount, catty-corner, halfway to center | 1G to Access; 802.11n to clients | 450 Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 6500 Supervisor | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides 10G redundant support at the core
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 6500 Secondary Supply | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides redundant power supply support
Cisco 4500 switch supervisor | Cisco WS-X45-Sup7L-E | 4500 Supervisor | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 10G redundant distribution support
Cisco 4500 series line card | Cisco Catalyst 4500E UPOE line card | 4500 PoE Card | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 1G redundant access support
IP Phone | Cisco 7841 | IP Phone 1-87 | Desktops, by office blueprint location | Ethernet | VoIP
Router | Cisco ASR1004 | ASR1, ASR2 | In front of screened subnet and behind firewall | Ethernet | Internal device has CUBE enabled for VoIP services
Hierarchical IP scheme and VLAN
The newly presented wireless and WAN hardware requires an updated hierarchical IP
scheme that includes these new portions of the network being proposed. It is especially important
to understand that a separate IP range/subnet for both wireless and WAN facing portions of the
network is essential to the defense-in-depth security strategy that will be applied to the WWTC
network. By establishing separate VLANs for each of these areas, it enables configuration of
ACLs that filter both the ingress and egress traffic flow to and from these areas of the network
that have a higher level of risk from a cyber security perspective.
Location/Dept. VLAN | # of IP Addresses Required | Future Growth (100%) | Rounded to Power of 2 | Host Bits | Subnet Bits Borrowed from /16 | Subnet Address Assigned
OPR | 21 | 21 | 64 | 6 | 10 | 172.16.6.1-62/26
NW USA | 32 | 32 | 128 | 7 | 9 | 172.16.1.1-126/25
SW USA | 32 | 32 | 128 | 7 | 9 | 172.16.2.1-126/25
NE USA | 32 | 32 | 128 | 7 | 9 | 172.16.3.1-126/25
SE USA | 32 | 32 | 128 | 7 | 9 | 172.16.4.1-126/25
M USA | 32 | 32 | 128 | 7 | 9 | 172.16.5.1-126/25
Network IT | 50 | 50 | 128 | 7 | 9 | 172.16.0.1-126/25
Wireless | 32 | 32 | 128 | 7 | 9 | 172.16.7.1-126/25
The rounded block must leave room for the network and broadcast addresses, so 64 planned hosts (32 required plus 32 growth) do not fit a /26, which has only 62 usable addresses; that is why those rows round up to 128 addresses and a /25. Each department is placed at the bottom of its own /24 so the mask can be widened later without renumbering.
High Level Diagram
The following high level diagram depicts the proposed network design with the addition of the Wi-Fi and VoIP equipment. Keep in mind that the diagram provides a high level overview rather than the exhaustive accuracy that would be present in the actual network blueprints.
Exhibit 1: Network device connections with WiFi and VoIP.
Voice and Wireless Design
The wireless network design for WWTC will leverage the aforementioned Cisco access points, which integrate with the proposed network infrastructure, including VLAN support and infrastructure-enforced access controls, as an essential part of the defense-in-depth strategy. A separate wireless VLAN will be configured primarily so that ACLs can filter traffic between wireless clients and the wired network. The access points will be deployed with ample cell overlap so that laptops, tablets and smartphones that depend on the WiFi network do not lose connectivity as users move from one location (and AP) to another. Wireless access will be authenticated with IEEE 802.1X against RADIUS servers backed by the Active Directory infrastructure, and the WLAN will run WPA2-Enterprise with AES-CCMP encryption, the strongest protection available in the current 802.11i-based standards (WPA2/CCMP uses 128-bit AES keys; there is no "AES 256" mode in WPA2). Because 802.1X over wireless is only as strong as the supplicant's validation of the RADIUS server, the wireless profile pushed to clients by Group Policy must be configured to validate the server certificate against the company CA, otherwise users could be lured into authenticating to a rogue access point that broadcasts the WWTC SSID. The access points will be configured for IEEE 802.11n to provide over 300 Mbps to 802.11n clients. Legacy IEEE 802.11b and 802.11g support will be disabled so that the network does not step down to the lowest common data rate (as 802.11 does when legacy clients are present), ensuring the highest level of performance for WiFi client systems.
VoIP Support
The VoIP system will consist entirely of Cisco devices. Each desk will be equipped with a Cisco 7841 IP phone, which includes an integral 10/100/1000 Ethernet switch, eliminating the need to pull an additional cable to each desk: the phone's second port passes the connection through to the desktop PC so that both devices share one Ethernet drop with ample bandwidth. The phones will be configured for the G.729 codec, which conserves bandwidth while providing good voice quality. Because G.729 quality degrades noticeably once more than about 1% of packets are lost, voice must be delivered with top priority; this will be ensured by configuring Low Latency Queuing (LLQ) on the infrastructure so that voice is serviced from a strict priority queue ahead of less time-sensitive traffic such as web browsing and email. The PoE ports of the access switches will power the phones, eliminating the need for additional expensive power cabling to each desk. The SIP trunk to the carrier will be handled by Cisco Unified Border Element (CUBE), a software feature enabled on the LAN-facing ASR1004 routers. Note that CUBE is a session border controller, not a call-control platform: phone registration, dial plan and call routing require a call manager such as Cisco Unified Communications Manager, which is not on the equipment list and must be added (or provided by headquarters over the WAN) before the VoIP design is finalized.
Since a total of 87 IP phones are required for the New York office, this is the basis for the bandwidth calculation. The number of calls per phone varies from day to day, but at the busiest time of the day around 70% of the phones are active, so the WAN link must carry roughly 61 concurrent calls. Per-call bandwidth in each direction is calculated using the following formula:
(layer 2 header + IP/UDP/RTP header, compressed or not + voice payload) x 8 bits x packet rate = bandwidth required
With cRTP header compression on the point-to-point WAN link, the 40-byte IP/UDP/RTP header shrinks to 2 bytes, which together with the 6-byte PPP header gives 8 bytes of overhead per packet. The G.729 payload is 20 bytes per 20 ms sample, which is the default Cisco packet rate of 50 packets per second. Each packet is therefore 28 bytes, or 224 bits, and 224 x 50 = 11,200 bps, i.e. 11.2 kbps per call. At 61 concurrent calls this is about 683 kbps per direction, and even with all 87 phones active it would stay under 1 Mbps. (The commonly quoted figure of 64 kbps per call, or 5.57 Mbps for 87 phones, is the uncompressed G.711 payload rate, 160 bytes x 8 x 50, and only represents the worst case if G.711 were used without header compression.) Note that cRTP applies only to the WAN link; on the Ethernet LAN each G.729 call costs (18 + 40 + 20) x 8 x 50 = 31.2 kbps per direction, which the gigabit LAN absorbs easily. A DS3 WAN connection providing approximately 44.7 Mbps is recommended: voice at peak uses well under 2% of it, far inside Cisco's guideline that the LLQ priority queue should not exceed about one third of link bandwidth, leaving ample headroom for data during the busiest times of the day.
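Worked example (added here; this is not code from the original proposal). The calculator below implements the per-call formula above for G.711 and G.729, with and without cRTP, over Ethernet and PPP, and sizes the WAN for the busy hour. The codec payload sizes, the 40-byte IP/UDP/RTP header, the 2-byte cRTP header and the layer 2 header sizes are the standard Cisco reference values; the 87 phones and the 70% busy-hour fraction come from the text; the 33% priority-queue limit is Cisco's general QoS guideline, and the DS3 rate of 44.736 Mbps is assumed.

```python
"""VoIP bandwidth calculator:
(layer 2 header + IP/UDP/RTP header + voice payload) * 8 * packets per second.

Added example for this proposal. Codec/header sizes are Cisco reference values;
phone count and busy-hour fraction are the ones used in the design text."""
import math

# Voice payload bytes per packet at Cisco's default 20 ms packetization (50 pps).
CODECS = {
    "G.711": {"payload_bytes": 160, "pps": 50},
    "G.729": {"payload_bytes": 20, "pps": 50},
}
IP_UDP_RTP_BYTES = 40   # 20 IPv4 + 8 UDP + 12 RTP, uncompressed
CRTP_BYTES = 2          # cRTP compresses the 40-byte stack to 2 bytes (4 with UDP checksum)
LAYER2_BYTES = {"ethernet": 18, "ppp": 6, "frame_relay": 6}
DS3_BPS = 44_736_000    # assumed DS3 line rate
LLQ_MAX_SHARE = 0.33    # Cisco guideline: keep the priority queue under ~33% of the link


def codec_rate_bps(codec):
    """Payload-only rate, i.e. what the codec itself produces (G.711 64 kbps, G.729 8 kbps)."""
    c = CODECS[codec]
    return c["payload_bytes"] * 8 * c["pps"]


def per_call_bps(codec, link="ppp", crtp=False):
    """Bandwidth of one voice stream (one direction of one call) on the given link type."""
    c = CODECS[codec]
    headers = CRTP_BYTES if crtp else IP_UDP_RTP_BYTES
    frame_bytes = LAYER2_BYTES[link] + headers + c["payload_bytes"]
    return frame_bytes * 8 * c["pps"]


def trunk_bandwidth_bps(codec, phones, busy_fraction, link="ppp", crtp=False):
    """Return (bps per direction, concurrent calls) for the busy hour.

    A full-duplex WAN link carries one stream per call in each direction, so each
    direction is sized for concurrent_calls * per_call_bps (not doubled)."""
    concurrent = math.ceil(phones * busy_fraction)
    return per_call_bps(codec, link, crtp) * concurrent, concurrent


def llq_share(voice_bps, link_bps=DS3_BPS):
    """Fraction of the link the LLQ priority queue would need for this voice load."""
    return voice_bps / link_bps


def llq_ok(voice_bps, link_bps=DS3_BPS, max_share=LLQ_MAX_SHARE):
    """True when the voice load fits inside the recommended priority-queue share."""
    return llq_share(voice_bps, link_bps) <= max_share


if __name__ == "__main__":
    wan, calls = trunk_bandwidth_bps("G.729", 87, 0.7, link="ppp", crtp=True)
    print(f"G.729 + cRTP over PPP: {per_call_bps('G.729', 'ppp', True)} bps per call")
    print(f"{calls} concurrent calls -> {wan} bps per direction, "
          f"{llq_share(wan):.1%} of a DS3, LLQ ok: {llq_ok(wan)}")
    print(f"G.729 on Ethernet LAN (no cRTP): {per_call_bps('G.729', 'ethernet')} bps per call")
    print(f"G.711 payload only: {codec_rate_bps('G.711')} bps (the 64 kbps figure)")
```

Changing `link` or `crtp` shows how much of the per-call cost is header rather than voice: G.729 carries 20 bytes of audio under 58 bytes of Ethernet/IP/UDP/RTP header, which is why cRTP on the WAN link matters far more for G.729 than for G.711.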
Conclusion
The WWTC requirements are demanding, and become even more challenging with the mandatory inclusion of both WiFi and VoIP under the same defense-in-depth security as the rest of the network infrastructure. However, since the Cisco devices selected are designed with both high performance and security built in, the result delivered to WWTC is a high performance network with the ability to meet the demand.
References
Cisco, (2001), Quality of Service for VoIP, Retrieved from
http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/qos_solutions/QoSVoIP/
QoSVoIP.html
Cisco, (2016), Cisco Unified Border Element, Retrieved from
http://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-
border-element/data-sheet-c78-729692.html
Cisco, (2016), Endpoint Matrix, Retrieved from
http://www.cisco.com/c/dam/en/us/solutions/collateral/business-video/business-video/
endpoint-product-matrix.pdf
Cisco, (2016), IP Phones,
Retrieved from http://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-
phones/index.html
Cisco, (2016). Cisco ASA 5508-X with FirePOWER Services. Web. Retrieved from
http://www.cisco.com/c/en/us/support/security/asa-5508-x-firepower-services/
model.html
Cisco, (2016), Cisco Catalyst 6500 Series Switches. Web. Retrieved from
http://www.cisco.com/en/US/products/hw/switches/ps708/index.html
Cisco, (2016). Cisco Catalyst 6509-E Switch. Web. Retrieved from
http://www.cisco.com/c/en/us/products/switches/catalyst-6509-e-switch/index.html
Cisco, (2016). Compare Models. Web. Retrieved from
http://www.cisco.com/en/US/products/hw/switches/ps708/
prod_models_comparison.html#~tab-e,
Cisco, (2016). Interfaces and Modules. Web. Retrieved from
http://www.cisco.com/en/US/products/hw/switches/ps708/
products_relevant_interfaces_and_modules.html
Cisco, (2016). Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series.
Web. Retrieved from
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet
0900aecd803e69c3.html
Cisco, (2016). Cisco Aironet 2600 Series. Web. Retrieved from
http://www.cisco.com/c/en/us/products/wireless/aironet-2600-series/index.html
D: Design Requirements
Introduction
Best practices are necessary for a secure network in order to stabilize and protect telecommunications within any organization. This document is a proposal for a Cisco network design for the WWTC building in New York City, United States, with Microsoft Active Directory providing centralized directory and management services. The network is designed with the flexibility to support all needs of the WWTC New York office.
WWTC Requirements
WWTC's very specific list of requirements conveys the expectation that their new
network will be high performance, extremely scalable, cost effective to manage, and very secure.
A Cisco network infrastructure combined with Microsoft directory and resource management is fully capable of meeting these expectations. The high performance requirement means not only that bandwidth is available, but also that the right protocols and configurations are in place: RSTP to prevent bridging loops and broadcast storms, a well thought out subnet and VLAN design, and robust routing protocols such as EIGRP, together with PIM and IGMP snooping for multicast, so that unnecessary traffic (broadcasts and multicast flooding) is contained and required traffic is forwarded over the best possible path in expeditious fashion. WWTC also expects the network to be designed to accommodate
a growth rate of 100% capacity so that as the company grows and expands they will not have to
invest in network upgrades nor suffer the business disruption that can be caused during network
down time while additions are installed. Along these same lines, modularity is another aspect
that WWTC requires, which would enable changes as well as expansion in the future with a
minimum of disruption, cost, and effort. WWTC expects that sometime in the near future it may
be advantageous or even required to move from the antiquated IPv4 protocol currently in
widespread use to the newer, much improved IPv6, hence all network infrastructure specified on
this project will support both IPv4 and IPv6 along with dual stack and migration capabilities
(such as IPv4 to IPv6 tunneling).
Another requirement is centralized management that will enable the company to manage the new network with minimal IT staff, saving cost and decreasing complexity. Essential to this are DHCP services for dynamic IP management, which let a large number of IP configurations be managed centrally for all hosts on the network. Running DHCP on Active Directory integrated Windows servers also improves security, since a Windows DHCP server will not issue leases until it has been authorized in Active Directory, which guards against accidental or rogue Windows DHCP servers (non-Windows rogue servers still need DHCP snooping on the access switches).
Routing requirements for WWTC include a hierarchical IP address design scheme, route
aggregation (which increases network performance by decreasing routing table complexity), and
support for VoIP integrated into the network infrastructure to allow for video and multi-media
support such as the feature rich IP phones Cisco offers that can be installed without requiring a
separate cable infrastructure (as is the case with standard analogue phone systems).
Finally, WWTC has a stringent network security requirement that includes best practice
defense-in-depth layered security countermeasures and defenses which are essential with cyber
crime increasing at an exponential pace. A combination of Microsoft and Cisco managed
infrastructure is fully capable of meeting this expectation.
WWTC Equipment List
As noted above, the equipment and services selected to meet the stated requirements must
be very high performance LAN infrastructure devices along with services designed for
centralized management. Cisco switches, routers (and wireless devices to meet the WWTC
wireless requirement for specific network segments) support the stated requirements when the
models are specified correctly, and using a single vendor for network infrastructure helps ensure
top level performance, ease of administration, and seamless integration. The network devices
listed in the following table will handle over twice the current network capacity requirement,
both in port count as well as bandwidth and performance, while also featuring the required
support such as for VoIP, fault tolerance and high availability, seamless integration with
wireless, and state of the art security features.
Table 1: Proposed devices.
Device | Cisco Model # | Quantity | Comments
Core layer switches, redundant | 6509-E | 2 | HA/fault tolerant support for up to 534 devices plus advanced IP services
Distribution layer switches | 4503-E | 2 | Supports full mesh distribution layer plus advanced IP services
Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 gigabit ports per switch, advanced IP services, fault tolerant and stackable with integrated wireless controller
Firewall with IPS services | ASA 5508-X | 2 | Support for redundant dual WAN link connections and egress/ingress IPS monitoring
Dual power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for all WS-C3850-48U-E
Wireless AP | Cisco Aironet 2600 | 8 | 802.11a/b/g/n, LAN integration, up to 450 Mbps data rates, VLAN support, 128 client sessions
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | 10G redundant support for the core switch fabric
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Redundant power supply support for HA
Cisco 4500 switch supervisor | Cisco WS-X45-Sup7L-E | 4 | 10G redundant distribution layer support
Cisco 4500 line card | Cisco Catalyst 4500E UPOE line card | 4 | For 1G redundant access layer support
The network equipment specified above is designed with centralized management, high level security, and high performance and availability in mind. There is no single point of failure: each device has dual power supplies, the layers are fully meshed, the chassis switches carry dual supervisor engines, and every access switch has dual uplinks. The Cisco ASA firewall with IPS services protects the network both through deep packet inspection and through intrusion detection that can block access to the network segments where critical information is stored, or cut off access entirely, when an intrusion or security breach is detected. The 4500 and 6500 series supervisors also have IPS capability which will be configured in a similar manner. In addition, a VLAN will be configured for each department, with ACLs between VLANs set up so that only authorized traffic is allowed into each department's segment. At the access layer the Cisco 3850 switches provide seamless wireless integration through their integrated wireless controller, so that mobile devices do not lose connectivity when roaming from one AP to another; the wireless cells overlap to prevent dead spots and support data rates up to 450 Mbps. The switches will run RSTP (for fast spanning tree convergence), EIGRP (for fast routing convergence), and IGMP snooping with PIM so that multicast is forwarded only where needed, minimizing flooding at OSI layers 2 and 3. All switches support current PoE (Power over Ethernet) standards for IP phones and VoIP, and are modular, so that additional hardware (such as fiber to another floor) can be accommodated. The following diagram depicts the network design:
Diagram 1: High level network layout.
Table 2: Proposed network IP scheme and associated VLANs
Location/Dept | # of IP Addresses Required | Future Growth (100%) | Rounded to Power of 2 | Host Bits | Subnet Bits Borrowed from /16 | Subnet Address Assigned
OPR | 21 | 21 | 64 | 6 | 10 | 172.16.16.1-62/26
NW USA | 32 | 32 | 128 | 7 | 9 | 172.16.11.1-126/25
SW USA | 32 | 32 | 128 | 7 | 9 | 172.16.12.1-126/25
NE USA | 32 | 32 | 128 | 7 | 9 | 172.16.13.1-126/25
SE USA | 32 | 32 | 128 | 7 | 9 | 172.16.14.1-126/25
M USA | 32 | 32 | 128 | 7 | 9 | 172.16.15.1-126/25
Network IT | 50 | 50 | 128 | 7 | 9 | 172.16.10.1-126/25
Blocks are rounded so that required plus growth fits within the usable addresses (2^host bits minus the network and broadcast addresses): 64 planned hosts need a /25, not a /26.
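Worked example (added here; not part of the original proposal). The script below reproduces the two IP scheme tables above (the table in section C and Table 2 in this section) from the required host counts and the 100% growth rule: it derives the prefix length, host bits and bits borrowed from 172.16.0.0/16, flags any row whose block is too small for required-plus-growth (a 64-host department assigned a /26, for example), and computes the single summary route the core could advertise for route aggregation. The department lists, the 172.16.0.0/16 base and the convention of one reserved /24 per department are taken from the tables; everything else is an assumption of the example.

```python
"""Subnet planner for the hierarchical 172.16.0.0/16 scheme with 100% growth.

Added example for this proposal, not part of the original design documents.
Department names, reserved third octets and host counts are copied from the
two IP scheme tables (section C uses third octets 0-7, section D uses 10-16);
the base block and the one-/24-per-department convention are assumptions."""
import ipaddress
import math

SECTION_C = [  # (department, reserved third octet, hosts required today)
    ("Network IT", 0, 50), ("NW USA", 1, 32), ("SW USA", 2, 32), ("NE USA", 3, 32),
    ("SE USA", 4, 32), ("M USA", 5, 32), ("OPR", 6, 21), ("Wireless", 7, 32),
]
SECTION_D = [
    ("Network IT", 10, 50), ("NW USA", 11, 32), ("SW USA", 12, 32), ("NE USA", 13, 32),
    ("SE USA", 14, 32), ("M USA", 15, 32), ("OPR", 16, 21),
]


def prefix_for_hosts(required, growth=1.0):
    """Return (prefix length, hosts planned for) for `required` hosts plus growth.

    Usable hosts in an IPv4 subnet are 2**host_bits - 2 (network and broadcast
    are excluded), so 64 planned hosts do not fit a /26 (62 usable): that is why
    32 required + 32 growth rounds up to 128 addresses, a /25."""
    planned = math.ceil(required * (1 + growth))
    host_bits = 2
    while 2 ** host_bits - 2 < planned:
        host_bits += 1
    return 32 - host_bits, planned


def allocate(departments, base="172.16.0.0/16"):
    """Carve one subnet per department at the bottom of the /24 reserved for it,
    so a department can later be widened (e.g. /25 -> /24) without renumbering."""
    block = ipaddress.ip_network(base)
    containers = list(block.subnets(new_prefix=24))
    rows = []
    for name, third_octet, required in departments:
        prefix, planned = prefix_for_hosts(required)
        net = next(containers[third_octet].subnets(new_prefix=prefix))
        hosts = list(net.hosts())
        rows.append({
            "dept": name, "required": required, "planned": planned,
            "network": net, "host_bits": 32 - prefix,
            "borrowed_bits": prefix - block.prefixlen,  # the 10/9 column in the tables
            "usable": len(hosts), "first_host": hosts[0], "last_host": hosts[-1],
        })
    return rows


def too_small(rows):
    """Departments whose assigned subnet cannot hold the planned host count."""
    return [r["dept"] for r in rows if r["usable"] < r["planned"]]


def summary_route(networks):
    """Smallest single prefix covering every subnet: the aggregate the core would
    advertise toward the WAN instead of one route per department."""
    agg = networks[0]
    while not all(n.subnet_of(agg) for n in networks):
        agg = agg.supernet()
    return agg


if __name__ == "__main__":
    for label, deps in (("Section C", SECTION_C), ("Section D", SECTION_D)):
        rows = allocate(deps)
        print(label)
        for r in rows:
            print(f"  {r['dept']:<11} need {r['required']:>3}  plan {r['planned']:>3}  "
                  f"{str(r['network']):<17} usable {r['usable']:>3}  "
                  f"{r['first_host']}-{r['last_host']}")
        print("  too small:", too_small(rows) or "none")
        print("  summary route:", summary_route([r["network"] for r in rows]))
```

Running it shows the two points the tables leave implicit: the rounded block must exceed required-plus-growth by more than the two reserved addresses, and the choice of third octets decides how tightly the scheme aggregates. Section C's contiguous octets 0-7 collapse to a single 172.16.0.0/21, whereas the 10-16 numbering in Table 2 straddles a /21 boundary and only summarizes to 172.16.0.0/19; if tight aggregation matters, pick third octets that fill one power-of-two block.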
Conclusion
The network design presented above will meet all the WWTC requirements for security, availability, fault tolerance, performance, scalability, and modularity. In addition, centralized management, provided through Microsoft Active Directory services (DHCP, integrated DNS, and role-based authorization by group and OU) together with AD-integrated management of the Cisco infrastructure through 802.1X and RADIUS, ensures that all devices within the new network can be managed centrally. This robust infrastructure is highly capable of serving WWTC for many years into the future.
References
Cisco, (2016). Cisco ASA 5508-X with FirePOWER Services. Web. Retrieved from
http://www.cisco.com/c/en/us/support/security/asa-5508-x-firepower-services/
model.html
Cisco, (2016), Cisco Catalyst 6500 Series Switches. Web. Retrieved from
http://www.cisco.com/en/US/products/hw/switches/ps708/index.html
Cisco, (2016). Cisco Catalyst 6509-E Switch. Web. Retrieved from
http://www.cisco.com/c/en/us/products/switches/catalyst-6509-e-switch/index.html
Cisco, (2016). Compare Models. Web. Retrieved from
http://www.cisco.com/en/US/products/hw/switches/ps708/
prod_models_comparison.html#~tab-e,
Cisco, (2016). Interfaces and Modules. Web. Retrieved from
http://www.cisco.com/en/US/products/hw/switches/ps708/
products_relevant_interfaces_and_modules.html
Cisco, (2016). Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series.
Web. Retrieved from
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet
0900aecd803e69c3.html
Cisco, (2016). Cisco Aironet 2600 Series. Web. Retrieved from
http://www.cisco.com/c/en/us/products/wireless/aironet-2600-series/index.html
E: Current State of the Network:
This section briefly describes the structure and performance of the network. It should
include a high-level network map that identifies the location of connecting devices, server farm,
storage systems, and network segment.
F: Design Solution:
Introduction
The WWTC IT resource management plan must increase efficiency so that the IT infrastructure and the users it supports can be managed without an accelerated growth of IT department staff. IT resource management must also be scalable, in order to avoid frequent redeployment while growing with the company. The plan must allow management to be delegated to address site-specific concerns while still permitting centralized management. In addition, IT resource management must provide seamless system integration in order to minimize the training required for both IT staff and company personnel. The Microsoft Active Directory structure based upon Windows Server 2014 is designed to meet all of these objectives.
Discussion
The WWTC Active Directory design should have at its foundation a scalable domain and host naming structure that makes both logical and business sense. The wwtc.com domain would serve as the root domain of the Active Directory forest. Beneath the root domain, OUs will be named for the departments they hold. Each host will then be identified by its hostname followed by the FQDN (Fully Qualified Domain Name) of the local domain. With this naming convention applied to every host on the network, a host can be quickly identified through DNS name resolution to determine the site where it is located and the domain to which its computer object belongs. Configuration and troubleshooting time and staffing cost savings will be realized immediately when the company moves to this convention. In the long run the convention will prove scalable, so that Active Directory can be extended with a minimum of time and effort and without costly restructuring of the domain or OU tree.
Active Directory policies that apply to the entire domain or to all OUs will be configured and managed by the root domain system administrator, and the OUs (Organizational Units) will inherit these policies from the domain. System administrators assigned OU management responsibilities can configure additional policies that apply to their OU as necessary; however, the domain-level policies will be linked as Enforced, so that OU administrators can neither block their inheritance nor override their settings with OU-level policies. Management of this centralized structure will be enhanced by the IPAM feature of Windows Server 2014, which will enable network administrators to manage the IP address scheme described earlier across the entire AD network, (Microsoft, 2012).
Active Directory user login will be centralized single sign-on with two-factor authentication (requiring both smart card and username/password credentials); however, domain controllers at the NY site will handle logon for the domain, and name resolution will be performed within the local site, to avoid the delay and downtime that would be experienced if logon had to traverse the WAN link. To maximize uptime, the NY office will have two domain controllers. Domain controllers do not rely on failover clustering; they replicate the directory with each other and with headquarters over the WAN, so that all services (including access over the WAN) remain available should there be a catastrophic failure of one of the local servers, (Microsoft, 2012).
Company file shares will be managed via DFS (Distributed File System), so that daily logs and status reports can be saved locally and automatically replicated to headquarters (DFS Replication) during periods of low WAN utilization. DFS Replication will also ensure that important company information is promptly copied to headquarters from all locations. BranchCache will be configured to conserve WAN bandwidth by caching locally any files that are sent or requested over the WAN repeatedly, improving WAN performance and office efficiency, (Microsoft, 2013).
Storage resources will use Windows security services such as BitLocker to protect valuable WWTC information on both workstations and servers with full drive encryption; BitLocker Network Unlock will let domain-joined systems unlock automatically when booted on the corporate network, while a drive removed from the premises remains encrypted. To protect confidential information, encryption of locally cached data will also be enabled on systems that store WWTC's most critical information, ensuring that such information is fully protected in compliance with company security policies, (Microsoft, 2012).
All user permissions within each OU and across the forest will be handled at the group level. Roles for each job description will be defined and entered into Active Directory at the root domain level. The permissions needed to work within each department will be determined and assigned to Global Groups, and a user account belonging to a department will be added automatically to that department's Global Groups when the account is created. The IT department will receive notification from Human Resources when job descriptions change so that group memberships are updated as business needs change and advance. Granting permissions to individual accounts, and creating local groups on a single host (other than for administrative purposes by IT department personnel), is prohibited. By eliminating per-user and local-group administration, the IT burden of managing user and group permissions and resolving permission-related resource access issues is substantially reduced, saving staffing cost, time spent resolving permissions issues, and time to remediate permission-related security issues. Universal Groups will be reserved for the very narrow set of roles that must have access to resources in all WWTC departments and locations, such as senior executives and root domain IT managers and staff: the Global Groups holding those accounts, rather than the individual accounts, will be nested in the Universal Groups, so that access to resources in other OUs is granted according to the role defined for each user account, (Microsoft, 2013).
In addition, since scalability is a concern for WWTC, the AD deployment will also include WDS (Windows Deployment Services), set up with preconfigured images that are delivered over the network for new installations and reused whenever a system must be re-imaged (for example after drive replacement or software damage), (Microsoft, 2012).
Conclusion
Microsoft Active Directory will lower WWTC total cost of ownership and help the company to achieve its IT objectives. When properly configured from the ground up, Active Directory provides nearly effortless scalability. Centrally managed groups at the domain and OU levels minimize cost and effort by decreasing the number of accounts that must be managed (by managing Active Directory groups rather than local user accounts and groups). Single sign-on to access network resources minimizes lost password administration and maximizes efficiency by assigning permissions to roles that are granted via Active Directory Global Groups. DFS integration with Active Directory ensures that backups are secure and critical information is available at all sites (while being secured by Active Directory enforced permissions). Finally, Active Directory provides seamless integration for new hosts through the Windows NOS (Network Operating System).
References
Microsoft, (2012), Best Practice Active Directory Design for Managing Windows Networks,
Retrieved from http://technet.microsoft.com/en-us/library/bb727085.aspx
Microsoft, (2011), How DNS Support for Active Directory Works, Retrieved from
http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx
Microsoft, (2012), Assigning Domain Names,
Retrieved from
http://technet.microsoft.com/en-us/library/cc731265%28v=ws.10%29.aspx
Microsoft, (2012), How Active Directory Replication Topology Works, Retrieved from
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx
Microsoft, (2013), Group Policy,
Retrieved from http://technet.microsoft.com/en-s/windowsserver/bb310732.aspx
G: Implementation Plan:
Introduction
The WWTC IT resource management plan must support the usability needs of the staff it serves. The plan must also be scalable, and it must address concerns that are specific to the New York site. Seamless integration of the system is paramount to the success of the plan. Microsoft Active Directory based on Windows Server 2014 will achieve the goals that are required.
Discussion
The host naming structure should follow the WWTC Active Directory design, so that DNS host name resolution identifies the site where a host is located. Much of the time saved by a good host naming scheme is realized by the staff who administer the domain and DNS services.
The Organizational Units (OUs) will be designed beneath the forest root domain. Windows Server 2012 R2 will be used to manage and organize the network for the WWTC IT resource management plan (Microsoft, 2012). User logon will be centralized in Active Directory. The company file shares will be administered through the Distributed File System (DFS) (Microsoft, 2013).
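The OU design, centralized logon and DFS administration above, as an added example that is not part of the WWTC plan. It builds a site OU with separate containers for users, workstations, servers and groups, links a baseline GPO to the workstation container, and publishes a DFS namespace whose permissions are granted to users only through Active Directory groups (users in a global role group, the role group in a domain local resource group, the resource group on the NTFS ACL). The domain corp.wwtc.com with NetBIOS name CORP, the file server NYC-FS01, the share path D:\Shares\TradeDocs, the group names and the user jdoe are assumptions for illustration only.

```powershell
# Added example, not from the WWTC plan. Steps 1-3 run on a domain-joined admin host with RSAT;
# steps 4-5 run on the file server that hosts the folder target (assumed NYC-FS01).
# Assumed names: domain corp.wwtc.com (NetBIOS CORP), share D:\Shares\TradeDocs, user jdoe.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module DFSN

$domainDN = 'DC=corp,DC=wwtc,DC=com'
$siteOU   = "OU=NYC,$domainDN"

# 1. OU tree for the New York site. Separate containers let different GPOs and
#    delegated administration apply to users, workstations and servers.
New-ADOrganizationalUnit -Name 'NYC' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($name in 'Users', 'Workstations', 'Servers', 'Groups') {
    New-ADOrganizationalUnit -Name $name -Path $siteOU -ProtectedFromAccidentalDeletion $true
}
New-GPO -Name 'NYC-Workstation-Baseline' |
    New-GPLink -Target "OU=Workstations,$siteOU" -LinkEnabled Yes

# 2. Role group (global) and resource groups (domain local). Users are added to the role;
#    the role is added to the resource group; only resource groups appear on ACLs.
$groupOU = "OU=Groups,$siteOU"
New-ADGroup -Name 'NYC-Traders'          -GroupScope Global      -Path $groupOU
New-ADGroup -Name 'ACL-TradeDocs-Modify' -GroupScope DomainLocal -Path $groupOU
New-ADGroup -Name 'ACL-TradeDocs-Read'   -GroupScope DomainLocal -Path $groupOU
Add-ADGroupMember -Identity 'NYC-Traders'          -Members 'jdoe'
Add-ADGroupMember -Identity 'ACL-TradeDocs-Modify' -Members 'NYC-Traders'

# 3. Domain-based DFS namespace. Users open \\corp.wwtc.com\Corp\TradeDocs; the namespace
#    refers them to the folder target on the file server.
New-DfsnRoot   -Path '\\corp.wwtc.com\Corp'           -TargetPath '\\NYC-FS01\Corp' -Type DomainV2
New-DfsnFolder -Path '\\corp.wwtc.com\Corp\TradeDocs' -TargetPath '\\NYC-FS01\TradeDocs'

# 4. On the file server: the share is permissive, the NTFS ACL on the folder target is
#    what enforces access. Inheritance is removed so no Users/Everyone ACE leaks in.
New-Item -ItemType Directory -Path 'D:\Shares\TradeDocs' -Force | Out-Null
New-SmbShare -Name 'TradeDocs' -Path 'D:\Shares\TradeDocs' -FullAccess 'Authenticated Users'
icacls 'D:\Shares\TradeDocs' /inheritance:r
icacls 'D:\Shares\TradeDocs' /grant:r 'CORP\ACL-TradeDocs-Modify:(OI)(CI)M' `
    'CORP\ACL-TradeDocs-Read:(OI)(CI)RX' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'CORP\Domain Admins:(OI)(CI)F'

# 5. Checks: jdoe's access comes only through the role group, and the ACL carries no ACE
#    for an individual user or for a broad group (the filter should return nothing).
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
(Get-Acl 'D:\Shares\TradeDocs').Access |
    Where-Object { $_.IdentityReference -notlike 'CORP\ACL-*' -and
                   $_.IdentityReference -notin 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins' }
```

Granting through domain local resource groups rather than directly to the global role group keeps the ACL stable when roles change, and it is also what makes the "single sign-on by role" claim in the plan's conclusion hold in practice.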
WWTC is concerned about scalability, so the AD deployment will also include Windows Deployment Services (WDS), set up with preconfigured images that are delivered over the network for new installations and reused to re-image a host when its drive or software is damaged (Microsoft, 2012).
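The WDS deployment above, as an added example that is not part of the WWTC plan. It initializes the server, imports a boot and an install image, and restricts the server to answering only prestaged (known) clients so that an unauthorized device plugged into the floor cannot PXE-boot a corporate image; the prestaged computer object is created in the workstation OU so the right Group Policy applies from first boot. The server name NYC-WDS01, the image store D:\RemoteInstall, the media path D:\Media, the computer name NYC-WS0101, its MAC address and the OU path are assumptions for illustration only.

```powershell
# Added example, not from the WWTC plan. Run on the WDS server (assumed NYC-WDS01), domain-joined.
# Assumed paths and names: D:\RemoteInstall, D:\Media\sources\*.wim, workstation NYC-WS0101,
# OU=Workstations,OU=NYC,DC=corp,DC=wwtc,DC=com.
Install-WindowsFeature -Name WDS -IncludeManagementTools

# 1. Initialize the image store and import the reference images.
wdsutil /Initialize-Server /RemInst:"D:\RemoteInstall"
wdsutil /Add-Image /ImageFile:"D:\Media\sources\boot.wim"    /ImageType:Boot
wdsutil /Add-Image /ImageFile:"D:\Media\sources\install.wim" /ImageType:Install /ImageGroup:"WWTC-Workstations"

# 2. Answer only known (prestaged) clients. With AnswerClients:All, any device on the floor
#    that PXE-boots receives the boot image and can be imaged with a corporate build.
wdsutil /Set-Server /AnswerClients:Known

# 3. Prestage a workstation by MAC address. The computer object is created in the
#    workstation OU so the baseline GPO applies on first logon; a GUID may be used instead of a MAC.
$ou = 'OU=Workstations,OU=NYC,DC=corp,DC=wwtc,DC=com'
wdsutil /Add-Device /Device:NYC-WS0101 /ID:00-15-5D-01-02-03 /OU:"$ou"

# 4. Checks: the answer policy is Known, and the prestaged object exists in the right OU.
wdsutil /Get-Server /Show:Config | Select-String 'Answer'
Get-ADComputer -Filter 'Name -like "NYC-WS*"' -SearchBase $ou |
    Select-Object Name, DistinguishedName
```

Re-imaging a damaged host is then a matter of PXE-booting it: because its object is already prestaged, it is answered and rebuilt into the same OU without a technician creating anything by hand.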
Conclusion
Microsoft Active Directory will lower WWTC's total cost of ownership and help the company to achieve its IT objectives. When properly designed from the ground up, Active Directory scales with little additional effort. Centrally managed groups at the domain and OU levels reduce cost and effort by decreasing the number of accounts that must be managed (Active Directory groups are administered rather than local user accounts and groups). Single sign-on to network resources reduces password-reset administration and improves efficiency, because permissions are assigned to roles that are granted through Active Directory global groups. DFS integration with Active Directory keeps critical information available at all sites while Active Directory enforced permissions secure it; DFS Replication is not a backup, however, because a deletion or a corrupted file is replicated to every target, so the file servers still require a separate backup. Finally, Active Directory provides seamless integration of new hosts through the Windows network operating system (NOS).
References
Microsoft, (2012), Best Practice Active Directory Design for Managing Windows Networks, Retrieved from http://technet.microsoft.com/en-us/library/bb727085.aspx
Microsoft, (2011), How DNS Support for Active Directory Works, Retrieved from http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx
Microsoft, (2012), Assigning Domain Names, Retrieved from http://technet.microsoft.com/en-us/library/cc731265%28v=ws.10%29.aspx
Microsoft, (2012), How Active Directory Replication Topology Works, Retrieved from http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx
Microsoft, (2013), Group Policy, Retrieved from http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
H: Project Budget
Project implementation plan
This document details the project implementation plan for the design, installation and testing of the WWTC company network. The plan lists tasks and sub-tasks, the resources required to complete each task, and the estimated time for each task.
Major Project Tasks
The major tasks identified for the project are as follows:
Network design
Acquiring of required hardware and software
Network security design and implementation
Network hardware installation and configuration
Software installation and configuration
Security policy
Plan detail (tasks, schedule, resources and budget):
1. Network design – this is the initial phase of the plan, covering the physical and logical network design of the office, including where to place critical ICT infrastructure such as DNS servers, the Active Directory server, file, web and print servers, firewalls, routers and client machines.
Sub-tasks
Physical network design
Logical network design
Activities
Site visits
Sketches
Team meetings
Network simulation using software
Deciding required software and hardware
Resources
Network engineers
Computers, printers and simulation software
Writing materials
Estimated budget
$70,000 USD
Estimated time
2 weeks
Deliverable
Complete physical and logical design diagrams
2. Acquiring of required software and hardware
Procuring the following items: servers (47), switches, routers, firewalls, network operating systems, application software, client operating systems, printers, PCs and CAT-6 cables.
Activities
Procurement team meetings
Travelling
Market survey
Budget
$50M USD
Estimated time
1 week
Deliverable
All software and hardware transported to site
3. Network security design
Sub-tasks
Physical security design
Software security design
Activities
Choosing security protocols and encryption mechanisms
Deciding on security software configurations
Physical security design
Deliverable
Secure network configuration design
Resources
Network security hardware (firewalls)
IT security analyst
Network security software
Budget
$45,000 USD
Estimated time
4 days
4. Network hardware installation and configuration
Sub-tasks
Installing the DNS, file, Active Directory, print, DHCP and web servers
Configuring the DHCP server
Installing and configuring the firewall
Installing and configuring switches and routers
Installing desktops
Installing printers
Installing and configuring wireless access points (Cisco Aironet 1250 Series)
Installing Cisco IP phones (Cisco IP Phone 8800 Series)
Cabling
Resources
Network engineering team
Software installation team
Networking hardware and software
Application software
Operating system software
Deliverables
Installed servers
Installed computers and printers
Fully connected network
Budget
$1M USD
Estimated time
14 weeks
5. Software installation and configuration
Sub-tasks
Installing server operating systems
Installing firewall operating systems
Installing client machine operating systems
Configuring the VPN
Installing VoIP software
Configuring VoIP (Cisco IP Phone 8800 Series)
Installing and configuring mobile device management software
Configuring the Active Directory server
Configuring file and print servers, including printer sharing
Deliverables
Installed network and client operating systems
Shared printers, Group Policy and files
Functioning Cisco phones
Secure tunnel (VPN)
Installed application software
Resources
Software installation teams
IT security software
Server operating systems
Firewall operating systems
Installed network hardware
Budget
$300,000 USD
Estimated time
8 weeks
6. Security policy formulation
This task involves formulating an IT security policy that employees must follow when using any ICT resource. The policy aims to protect IT resources against accidental and malicious actions by employees, customers or suppliers.
Sub-tasks
Review existing security frameworks and standards (COBIT 5, NIST, ISO/IEC 27001)
Choose the compliance body
Write policy recommendations
Educate staff on the policy
Resources
Policy review team
Deliverables
Policy document
Educated staff
Budget
$15,000 USD
Estimated time
3 weeks
Project schedule